Normal view

There are new articles available, click to refresh the page.
Before yesterdayAvast Threat Labs

Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day

28 February 2024 at 13:14

Key Points

  • Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. 
  • Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. 
  • The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. 
  • This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab
  • After completely reverse engineering this updated rootkit variant, Avast identified substantial advancements in terms of both functionality and stealth, with four new – and three updated – rootkit techniques. 
  • In a key advancement, the rootkit now employs a new handle table entry manipulation technique in an attempt to suspend PPL (Protected Process Light) protected processes associated with Microsoft Defender, CrowdStrike Falcon, and HitmanPro. 
  • Another significant step up is exploiting the zero-day vulnerability, where Lazarus previously utilized much noisier BYOVD (Bring Your Own Vulnerable Driver) techniques to cross the admin-to-kernel boundary. 
  • Avast’s investigation also recovered large parts of the infection chain leading up to the deployment of the rootkit, resulting in the discovery of a new RAT (Remote Access Trojan) attributed to Lazarus. 
  • Technical details concerning the RAT and the initial infection vector will be published in a follow-up blog post, scheduled for release along with our Black Hat Asia 2024 briefing

Introduction 

When it comes to Windows security, there is a thin line between admin and kernel. Microsoft’s security servicing criteria have long asserted that “[a]dministrator-to-kernel is not a security boundary”, meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel. This isn’t just a theoretical concern. In practice, attackers with admin privileges frequently achieve kernel-level access by exploiting known vulnerable drivers, in a technique called BYOVD (Bring Your Own Vulnerable Driver). 

Microsoft hasn’t given up on securing the admin-to-kernel boundary though. Quite the opposite, it has made a great deal of progress in making this boundary harder to cross. Defense-in-depth protections, such as DSE (Driver Signature Enforcement) or HVCI (Hypervisor-Protected Code Integrity), have made it increasingly difficult for attackers to execute custom code in the kernel, forcing most to resort to data-only attacks (where they achieve their malicious objectives solely by reading and writing kernel memory). Other defenses, such as driver blocklisting, are pushing attackers to move to exploiting less-known vulnerable drivers, resulting in an increase in attack complexity. Although these defenses haven’t yet reached the point where we can officially call admin-to-kernel a security boundary (BYOVD attacks are still feasible, so calling it one would just mislead users into a false sense of security), they clearly represent steps in the right direction. 

From the attacker’s perspective, crossing from admin to kernel opens a whole new realm of possibilities. With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more. Additionally, as the security of PPL (Protected Process Light) relies on the admin-to-kernel boundary, our hypothetical attacker also gains the ability to tamper with protected processes or add protection to an arbitrary process. This can be especially powerful if lsass is protected with RunAsPPL as bypassing PPL could enable the attacker to dump otherwise unreachable credentials.  

For more specific examples of what an attacker might want to achieve with kernel-level access, keep reading this blog – in the latter half, we will dive into all the techniques implemented in the FudModule rootkit. 

Living Off the Land: Vulnerable Drivers Edition 

With a seemingly growing number of attackers seeking to abuse some of the previously mentioned kernel capabilities, defenders have no choice but to hunt heavily for driver exploits. Consequently, attackers wishing to target well-defended networks must also step up their game if they wish to avoid detection. We can broadly break down admin-to-kernel driver exploits into three categories, each representing a trade-off between attack difficulty and stealth. 

N-Day BYOVD Exploits 

In the simplest case, an attacker can leverage BYOVD to exploit a publicly known n-day vulnerability. This is very easy to pull off, as there are plenty of public proof-of-concept exploits for various vulnerabilities. However, it’s also relatively straightforward to detect since the attacker must first drop a known vulnerable driver to the file system and then load it into the kernel, resulting in two great detection opportunities. What’s more, some systems may have Microsoft’s vulnerable driver blocklist enabled, which would block some of the most common vulnerable drivers from loading. Previous versions of the FudModule rootkit could be placed in this category, initially exploiting a known vulnerability in dbutil_2_3.sys and then moving on to targeting ene.sys in later versions. 

Zero-Day BYOVD Exploits 

In more sophisticated scenarios, an attacker would use BYOVD to exploit a zero-day vulnerability within a signed third-party driver. Naturally, this requires the attacker to first discover such a zero-day vulnerability, which might initially seem like a daunting task. However, note that any exploitable vulnerability in any signed driver will do, and there is unfortunately no shortage of low-quality third-party drivers. Therefore, the difficulty level of discovering such a vulnerability might not be as high as it would initially seem. It might suffice to scan a collection of drivers for known vulnerability patterns, as demonstrated by Carbon Black researchers who recently used bulk static analysis to uncover 34 unique vulnerabilities across more than 200 signed drivers. Such zero-day BYOVD attacks are notably stealthier than n-day attacks since defenders can no longer rely on hashes of known vulnerable drivers for detection. However, some detection opportunities still remain, as loading a random driver represents a suspicious event that might warrant deeper investigation. For an example of an attack belonging to this category, consider the spyware vendor Candiru, which we caught exploiting a zero-day vulnerability in hw.sys for the final privilege escalation stage of their browser exploit chain. 

Beyond BYOVD 

Finally, the holy grail of admin-to-kernel is going beyond BYOVD by exploiting a zero-day in a driver that’s known to be already installed on the target machine. To make the attack as universal as possible, the most obvious target here would be a built-in Windows driver that’s already a part of the operating system.  

Discovering an exploitable vulnerability in such a driver is significantly more challenging than in the previous BYOVD scenarios for two reasons. First, the number of possible target drivers is vastly smaller, resulting in a much-reduced attack surface. Second, the code quality of built-in drivers is arguably higher than that of random third-party drivers, making vulnerabilities much more difficult to find. It’s also worth noting that – while patching tends to be ineffective at stopping BYOVD attacks (even if a vendor patches their driver, the attacker can still abuse the older, unpatched version of the driver) – patching a built-in driver will make the vulnerability no longer usable for this kind of zero-day attacks. 

If an attacker, despite all of these hurdles, manages to exploit a zero-day vulnerability in a built-in driver, they will be rewarded with a level of stealth that cannot be matched by standard BYOVD exploitation. By exploiting such a vulnerability, the attacker is in a sense living off the land with no need to bring, drop, or load any custom drivers, making it possible for a kernel attack to be truly fileless. This not only evades most detection mechanisms but also enables the attack on systems where driver allowlisting is in place (which might seem a bit ironic, given that CVE-2024-21338 concerns an AppLocker driver).  

While we can only speculate on Lazarus’ motivation for choosing this third approach for crossing the admin-to-kernel boundary, we believe that stealth was their primary motivation. Given their level of notoriety, they would have to swap vulnerabilities any time someone burned their currently used BYOVD technique. Perhaps they also reasoned that, by going beyond BYOVD, they could minimize the need for swapping by staying undetected for longer. 

CVE-2024-21338 

As far as zero-days go, CVE-2024-21338 is relatively straightforward to both understand and exploit. The vulnerability resides within the IOCTL (Input and Output Control) dispatcher in appid.sys, which is the central driver behind AppLocker, the application whitelisting technology built into Windows. The vulnerable control code 0x22A018 is designed to compute a smart hash of an executable image file. This IOCTL offers some flexibility by allowing the caller to specify how the driver should query and read the hashed file. The problem is, this flexibility is achieved by expecting two kernel function pointers referenced from the IOCTL’s input buffer: one containing a callback pointer to query the hashed file’s size and the other a callback pointer to read the data to be hashed.  

Since user mode would typically not be handling kernel function pointers, this design suggests the IOCTL may have been initially designed to be invoked from the kernel. Indeed, while we did not find any legitimate user-mode callers, the IOCTL does get invoked by other AppLocker drivers. For instance, there is a ZwDeviceIoControlFile call in applockerfltr.sys, passing SmpQueryFile and SmpReadFile for the callback pointers. Aside from that, appid.sys itself also uses this functionality, passing AipQueryFileHandle and AipReadFileHandle (which are basically just wrappers over ZwQueryInformationFile and ZwReadFile, respectively). 

Despite this design, the vulnerable IOCTL remained accessible from user space, meaning that a user-space attacker could abuse it to essentially trick the kernel into calling an arbitrary pointer. What’s more, the attacker also partially controlled the data referenced by the first argument passed to the invoked callback function. This presented an ideal exploitation scenario, allowing the attacker to call an arbitrary kernel function with a high degree of control over the first argument. 

A WinDbg session with the triggered vulnerability, traced to the arbitrary callback invocation. Note that the attacker controls both the function pointer to be called (0xdeadbeefdeadbeef in this session) and the data pointed to by the first argument (0xbaadf00dbaadf00d). 

If exploitation sounds trivial, note that there are some constraints on what pointers this vulnerability allows an attacker to call. Of course, in the presence of SMEP (Supervisor Mode Execution Prevention), the attacker cannot just supply a user-mode shellcode pointer. What’s more, the callback invocation is an indirect call that may be safeguarded by kCFG (Kernel Control Flow Guard), requiring that the supplied kernel pointers represent valid kCFG call targets. In practice, this does not prevent exploitation, as the attacker can just find some kCFG-compliant gadget function that would turn this into another primitive, such as a (limited) read/write. There are also a few other constraints on the IOCTL input buffer that must be solved in order to reach the vulnerable callback invocation. However, these too are relatively straightforward to satisfy, as the attacker only needs to fake some kernel objects and supply the right values so that the IOCTL handler passes all the necessary checks while at the same time not crashing the kernel. 

The vulnerable IOCTL is exposed through a device object named \Device\AppId. Breaking down the 0x22A018 control code and extracting the RequiredAccess field reveals that a handle with write access is required to call it. Inspecting the device’s ACL (Access Control List; see the screenshot below), there are entries for local service, administrators, and appidsvc. While the entry for administrators does not grant write access, the entry for local service does. Therefore, to describe CVE-2024-21338 more accurately, we should label it local service-to-kernel rather than admin-to-kernel. It’s also noteworthy that appid.sys might create two additional device objects, namely \Device\AppidEDPPlugin and \Device\SrpDevice. Although these come with more permissive ACLs, the vulnerable IOCTL handler is unreachable through them, rendering them irrelevant for exploitation purposes. 

Access control entries of \Device\AppId, revealing that while local service is allowed write access, administrators are not. 

As the local service account has reduced privileges compared to administrators, this also gives the vulnerability a somewhat higher impact than standard admin-to-kernel. This might be the reason Microsoft characterized the CVE as Privileges Required: Low, taking into account that local service processes do not always necessarily have to run at higher integrity levels. However, for the purposes of this blog, we still chose to refer to CVE-2024-21338 mainly as an admin-to-kernel vulnerability because we find it better reflects how it was used in the wild – Lazarus was already running with elevated privileges and then impersonated the local service account just prior to calling the IOCTL. 

The vulnerability was introduced in Win10 1703 (RS2/15063) when the 0x22A018 IOCTL handler was first implemented. Older builds are not affected as they lack support for the vulnerable IOCTL. Interestingly, the Lazarus exploit bails out if it encounters a build older than Win10 1809 (RS5/17763), completely disregarding three perfectly vulnerable Windows versions. As for the later versions, the vulnerability extended all the way up to the most recent builds, including Win11 23H2. There have been some slight changes to the IOCTL, including an extra argument expected in the input buffer, but nothing that would prevent exploitation.  

We developed a custom PoC (Proof of Concept) exploit and submitted it in August 2023 as part of a vulnerability report to Microsoft, leading to an advisory for CVE-2024-21338 in the February Patch Tuesday update. The update addressed the vulnerability by adding an ExGetPreviousMode check to the IOCTL handler (see the patch below). This aims to prevent user-mode initiated IOCTLs from triggering the arbitrary callbacks. 

The patched IOCTL handler. If feature 2959575357 is enabled, attempts to call the IOCTL with PreviousMode==UserMode should immediately result in STATUS_INVALID_DEVICE_REQUEST, failing to even reach AipSmartHashImageFile

Though the vulnerability may only barely meet Microsoft’s security servicing criteria, we believe patching was the right choice and would like to thank Microsoft for eventually addressing this issue. Patching will undoubtedly disrupt Lazarus’ offensive operations, forcing them to either find a new admin-to-kernel zero-day or revert to using BYOVD techniques. While discovering an admin-to-kernel zero-day may not be as challenging as discovering a zero-day in a more attractive attack surface (such as standard user-to-kernel, or even sandbox-to-kernel), we believe that finding one would still require Lazarus to invest significant resources, potentially diverting their focus from attacking some other unfortunate targets. 

Exploitation 

The Lazarus exploit begins with an initialization stage, which performs a one-time setup for both the exploit and the rootkit (both have been compiled into the same module). This initialization starts by dynamically resolving all necessary Windows API functions, followed by a low-effort anti-debug check on PEB.BeingDebugged. Then, the exploit inspects the build number to see if it’s running on a supported Windows version. If so, it loads hardcoded constants tailored to the current build. Interestingly, the choice of constants sometimes comes down to the update build revision (UBR), showcasing a high degree of dedication towards ensuring that the code runs cleanly across a wide range of target machines.  

A decompiled code snippet, loading version-specific hardcoded constants. This particular example contains offsets and syscall numbers for Win10 1809. 

The initialization process then continues with leaking the base addresses of three kernel modules: ntoskrnl, netio, and fltmgr. This is achieved by calling NtQuerySystemInformation using the SystemModuleInformation class. The KTHREAD address of the currently executing thread is also leaked in a similar fashion, by duplicating the current thread pseudohandle and then finding the corresponding kernel object address using the SystemExtendedHandleInformation system information class. Finally, the exploit manually loads the ntoskrnl image into the user address space, only to scan for relative virtual addresses (RVAs) of some functions of interest. 

Since the appid.sys driver does not have to be already loaded on the target machine, the exploit may first have to load it itself. It chooses to accomplish this in an indirect way, by writing an event to one specific AppLocker-related ETW (Event Tracing for Windows) provider. Once appid.sys is loaded, the exploit impersonates the local service account using a direct syscall to NtSetInformationThread with the ThreadImpersonationToken thread information class. By impersonating local service, it can now obtain a read/write handle to \Device\AppId. With this handle, the exploit finally prepares the IOCTL input buffer and triggers the vulnerability using the NtDeviceIoControlFile syscall.  

Direct syscalls are heavily used throughout the exploit. 

The exploit crafts the IOCTL input buffer in such a way that the vulnerable callback is essentially a gadget that performs a 64-bit copy from the IOCTL input buffer to an arbitrary target address. This address was chosen to corrupt the PreviousMode of the current thread. By ensuring the corresponding source byte in the IOCTL input buffer is zero, the copy will clear the PreviousMode field, effectively resulting in its value being interpreted as KernelMode. Targeting PreviousMode like this is a widely popular exploitation technique, as corrupting this one byte in the KTHREAD structure bypasses kernel-mode checks inside syscalls such as NtReadVirtualMemory or NtWriteVirtualMemory, allowing a user-mode attacker to read and write arbitrary kernel memory. Note that while this technique was mitigated on some Windows Insider Builds, this mitigation has yet to reach general availability at the time of writing. 

Interestingly, the exploit may attempt to trigger the vulnerable IOCTL twice. This is due to an extra argument that was added in Win11 22H2. As a result, the IOCTL handler on newer builds expects the input buffer to be 0x20 bytes in size while, previously, the expected size was only 0x18. Rather than selecting the proper input buffer size for the current build, the exploit just tries calling the IOCTL twice: first with an input buffer size 0x18 then – if not successful – with 0x20. This is a valid approach since the IOCTL handler’s first action is to check the input buffer size, and if it doesn’t match the expected size, it would just immediately return STATUS_INVALID_PARAMETER.  

To check if it was successful, the exploit employs the NtWriteVirtualMemory syscall, attempting to read the current thread’s PreviousMode (Lazarus avoids using NtReadVirtualMemory, more on this later). If the exploit succeeded, the syscall should return STATUS_SUCCESS, and the leaked PreviousMode byte should equal 0 (meaning KernelMode). Otherwise, the syscall should return an error status code, as it should be impossible to read kernel memory without a corrupted PreviousMode.  

In our exploit analysis, we deliberately chose to omit some key details, such as the choice of the callback gadget function. This decision was made to strike the right balance between helping defenders with detection but not making exploitation too widely accessible. For those requiring more information for defensive purposes, we may be able to share additional details on a case-by-case basis. 

The FudModule Rootkit

The entire goal of the admin-to-kernel exploit was to corrupt the current thread’s PreviousMode. This allows for a powerful kernel read/write primitive, where the affected user-mode thread can read and write arbitrary kernel memory using the Nt(Read|Write)VirtualMemory syscalls. Armed with this primitive, the FudModule rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt various kernel security mechanisms. It’s worth reiterating that FudModule is a data-only rootkit, meaning it executes entirely from user space and all the kernel tampering is performed through the read/write primitive.  

The first variants of the FudModule rootkit were independently discovered by AhnLab and ESET research teams, with both publishing detailed analyses in September 2022. The rootkit was named after the FudModule.dll string used as the name in its export table. While this artifact is not present anymore, there is no doubt that what we found is an updated version of the same rootkit. AhnLab’s report documented a sample from early 2022, which incorporated seven data-only rootkit techniques and was enabled through a BYOVD exploit for ene.sys. ESET’s report examined a slightly earlier variant from late 2021, also featuring seven rootkit techniques but exploiting a different BYOVD vulnerability in dbutil_2_3.sys. In contrast, our discovery concerns a sample featuring nine rootkit techniques and exploiting a previously unknown admin-to-kernel vulnerability. Out of these nine techniques, four are new, three are improved, and two remain unchanged from the previous variants. This leaves two of the original seven techniques, which have been deprecated and are no longer present in the latest variant. 

Each rootkit technique is assigned a bit, ranging from 0x1 to 0x200 (the 0x20 bit is left unused in the current variant). FudModule executes the techniques sequentially, in an ascending order of the assigned bits. The bits are used to report on the success of the individual techniques. During execution, FudModule will construct an integer value (named bitfield_techniques in the decompilation below), where only the bits corresponding to successfully executed techniques will be set. This integer is ultimately written to a file named tem1245.tmp, reporting on the rootkit’s success. Interestingly, we did not find this filename referenced in any other Lazarus sample, suggesting the dropped file is only inspected through hands-on-keyboard activity, presumably through a RAT (Remote Access Trojan) command. This supports our beliefs that FudModule is only loosely integrated into the rest of Lazarus’ malware ecosystem and that Lazarus is very careful about using the rootkit, only deploying it on demand under the right circumstances. 

The rootkit’s “main” function, executing the individual rootkit techniques. Note the missing 0x20 technique. 

Based on the large number of updates, it seems that FudModule remains under active development. The latest variant appears more robust, avoiding some potentially problematic practices from the earlier variants. Since some techniques target undocumented kernel internals in a way that we have not previously encountered, we believe that Lazarus must be conducting their own kernel research. Further, though the rootkit is certainly technically sophisticated, we still identified a few bugs here and there. These may either limit the rootkit’s intended functionality or even cause kernel bug checks under the right conditions. While we find some of these bugs very interesting and would love to share the details, we do not enjoy the idea of providing free bug reports to threat actors, so we will hold onto them for now and potentially share some information later if the bugs get fixed. 

Interestingly, FudModule utilizes the NtWriteVirtualMemory syscall for both reading and writing kernel memory, eliminating the need to call NtReadVirtualMemory. This leverages the property that, when limited to a single virtual address space, NtReadVirtualMemory and NtWriteVirtualMemory are basically inverse operations with respect to the values of the source Buffer and the destination BaseAddress arguments. In other words, writing to kernel memory can be thought of as writing from a user-mode Buffer to a kernel-mode BaseAddress, while reading from kernel memory could be conversely achieved by swapping arguments, that is writing from a kernel-mode Buffer to a user-mode BaseAddress. Lazarus’ implementation takes advantage of this, which seems to be an intentional design decision since most developers would likely prefer the more straightforward way of using NtReadVirtualMemory for reading kernel memory and NtWriteVirtualMemory for writing kernel memory. We can only guess why Lazarus chose this approach, but this might be yet another stealth-enhancing feature. With their implementation, they only must use one suspicious syscall instead of two, potentially reducing the number detection opportunities. 

Debug Prints 

Before we delve into the actual rootkit techniques, there is one last thing worth discussing. To our initial surprise, Lazarus left a handful of plaintext debug prints in the compiled code. Such prints are typically one of the best things that can happen to a malware researcher, because they tend to accelerate the reverse engineering process significantly. In this instance, however, some of the prints had the opposite effect, sometimes even making us question if we understood the code correctly.  

As an example, let us mention the string get rop function addresses failed. Assuming rop stands for return-oriented programming, this string would make perfect sense in the context of exploitation, if not for the fact that not a single return address was corrupted in the exploit.  

Plaintext debug strings found in the rootkit. The term vaccine is used to refer to security software. 

While written in English, the debug strings suggest their authors are not native speakers, occasionally even pointing to their supposed Korean origin. This is best seen on the frequent usage of the term vaccine throughout the rootkit. This had us scratching our heads at first, because it was unclear how vaccines would relate to the rootkit functionality. However, it soon became apparent that the term was used to refer to security software. This might originate from a common Korean translation of antivirus (바이러스 백신), a compound word with the literal meaning virus vaccine. Note that even North Korea’s “own” antivirus was called SiliVaccine, and to the best of our knowledge, the term vaccine would not be used like this in other languages such as Japanese. Additionally, this is not the first time Korean-speaking threat actors have used this term. For instance, AhnLab’s recent report on Kimsuky mentions the following telltale command: 
 
cmd.exe /U /c wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname > vaccine.txt

Another puzzle is the abbreviation pvmode, which we believe refers to PreviousMode. A Google search for pvmode yields exactly zero relevant results, and we suspect most English speakers would choose different abbreviations, such as prvmode or prevmode. However, after consulting this with language experts, we learned that using the abbreviation pvmode would be unusual for Korean speakers too. 

Finally, there is also the debug message disableV3Protection passed. Judging from the context, the rather generic term V3 here refers to AhnLab V3 Endpoint Security. Considering the geopolitical situation, North Korean hacker groups are likely well-acquainted with South Korean AhnLab, so it would make perfect sense that they internally refer to them using such a non-specific shorthand. 

0x01 – Registry Callbacks 

The first rootkit technique is designed to address registry callbacks. This is a documented Windows mechanism which allows security solutions to monitor registry operations. A security solution’s kernel-mode component can call the CmRegisterCallbackEx routine to register a callback, which gets notified whenever a registry operation is performed on the system. What’s more, since the callback is invoked synchronously, before (or after) the actual operation is performed, the callback can even block or modify forbidden/malicious operations. FudModule’s goal here is to remove existing registry callbacks and thus disrupt security solutions that rely on this mechanism. 

The callback removal itself is performed by directly modifying some internal data structures managed by the kernel. This was also the case in the previous version, as documented by ESET and AhnLab. There, the rootkit found the address of nt!CallbackListHead (which contains a doubly linked, circular list of all existing registry callbacks) and simply emptied it by pointing it to itself. 

In the current version of FudModule, this technique was improved to leave some selected callbacks behind, perhaps making the rootkit stealthier. This updated version starts the same as the previous one: by finding the address of nt!CallbackListHead. This is done by resolving CmUnRegisterCallback (this resolution is performed by name, through iterating over the export table of ntoskrnl in memory), scanning its function body for the lea rcx,[nt!CallbackListHead] instruction, and then calculating the final address from the offset extracted from the instruction’s opcodes. 

With the nt!CallbackListHead address, FudModule can iterate over the registry callback linked list. It inspects each entry and determines if the callback routine is implemented in ntoskrnl.exe, applockerfltr.sys, or bfs.sys. If it is, the callback is left untouched. Otherwise, the rootkit replaces the callback routine pointer with a pointer to ObIsKernelHandle and then proceeds to unlink the callback entry. 

0x02 – Object Callbacks 

Object callbacks allow drivers to execute custom code in response to thread, process, and desktop handle operations. They are often used in self-defense, as they represent a convenient way to protect critical processes from being tampered with. Since the protection is enforced at the kernel level, this should protect even against elevated attackers, as long as they stay in user mode. Alternatively, object callbacks are also useful for monitoring and detecting suspicious activity.  

Whatever the use case, object callbacks can be set up using the ObRegisterCallbacks routine. FudModule naturally attempts to do the exact opposite: that is to remove all registered object callbacks. This could let it bypass self-defense mechanisms and evade object callback-based detection/telemetry. 

The implementation of this rootkit technique has stayed the same since the previous version, so there is no need to go into too much detail. First, the rootkit scans the body of the ObGetObjectType routine to obtain the address of nt!ObTypeIndexTable. This contains an array of pointers to _OBJECT_TYPE structures, each of which represents a distinct object type, such as Process, Token, or SymbolicLink. FudModule iterates over this array (skipping the first two special-meaning elements) and inspects each _OBJECT_TYPE.CallbackList, which contains a doubly linked list of object callbacks registered for the particular object type. The rootkit then empties the CallbackList by making each node’s forward and backward pointer point to itself. 

0x04 – Process, Thread, and Image Kernel Callbacks 

This next rootkit technique is designed to disable three more types of kernel callbacks: process, thread, and image callbacks. As their names suggest, these are used to execute custom kernel code whenever a new process is created, a new thread spawned, or a new image loaded (e.g. a DLL loaded into a process). These callbacks are extremely useful for detecting malicious activity. For instance, process callbacks allow AVs and EDRs to perform various checks on each new process that is to be created. Registering these callbacks is very straightforward. All that is needed is to pass the new callback routine as an argument to PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, or PsSetLoadImageNotifyRoutine. These routines also come in their updated Ex variants, or even Ex2 in the case of PsSetCreateProcessNotifyRoutineEx2

Process, thread, and image callbacks are managed by the kernel in an almost identical way, which allows FudModule to use essentially the same code to disable all three of them. We find that this code has not changed much since the previous version, with the main difference being new additions to the list of drivers whose callbacks are left untouched.  

FudModule first finds the addresses of nt!PspNotifyEnableMask, nt!PspLoadImageNotifyRoutine, nt!PspCreateThreadNotifyRoutine, and nt!PspCreateProcessNotifyRoutine. These are once again obtained by scanning the code of exported routines, with the exact scanning method subject to some variation based on the Windows build number. Before any modification is performed, the rootkit clears nt!PspNotifyEnableMask and sleeps for a brief amount of time. This mask contains a bit field of currently enabled callback types, so clearing it disables all callbacks. While some EDR bypasses would stop here, FudModule’s goal is not to disable all callbacks indiscriminately, so the modification of nt!PspNotifyEnableMask is only temporary, and FudModule eventually restores it back to its original value. We believe the idea behind this temporary modification is to decrease the chance of a race condition that could potentially result in a bug check. 

All three of the above nt!Psp(LoadImage|CreateThread|CreateProcess)NotifyRoutine globals are organized as an array of _EX_FAST_REF pointers to _EX_CALLBACK_ROUTINE_BLOCK structures (at least that’s the name used in ReactOS, Microsoft does not share a symbol name here). FudModule iterates over all these structures and checks if _EX_CALLBACK_ROUTINE_BLOCK.Function (the actual callback routine pointer) is implemented in one of the below-whitelisted modules. If it is, the pointer will get appended to a new array that will be used to replace the original one. This effectively removes all callbacks except for those implemented in one of the below-listed modules. 

ntoskrnl.exe ahcache.sys mmcss.sys cng.sys 
ksecdd.sys tcpip.sys iorate.sys ci.dll 
dxgkrnl.sys peauth.sys wtd.sys
Kernel modules that are allowed during the removal of process, thread, and image callbacks. 

0x08 – Minifilter Drivers 

File system minifilters provide a mechanism for drivers to intercept file system operations. They are used in a wide range of scenarios, including encryption, compression, replication, monitoring, antivirus scanning, or file system virtualization. For instance, an encryption minifilter would encrypt the data before it is written to the storage device and, conversely, decrypt the data after it is read. FudModule is trying to get rid of all the monitoring and antivirus minifilters while leaving the rest untouched (after all, some minifilters are crucial to keep the system running). The choice about which minifilters to keep and which to remove is based mainly on the minifilter’s altitude, an integer value that is used to decide the processing order in case there are multiple minifilters attached to the same operation. Microsoft defines altitude ranges that should be followed by well-behaved minifilters. Unfortunately, these ranges also represent a very convenient way for FudModule to distinguish anti-malware minifilters from the rest. 

In its previous version, FudModule disabled minifilters by directly patching their filter functions’ prologues. This would be considered very unusual today, with HVCI (Hypervisor-Protected Code Integrity) becoming more prevalent, even turned on by default on Windows 11. Since HVCI is a security feature designed to prevent the execution of arbitrary code in the kernel, it would stand in the way of FudModule trying to patch the filter function. This forced Lazarus to completely reimplement this rootkit technique, so the current version of FudModule disables file system minifilters in a brand-new data-only attack. 

This attack starts by resolving FltEnumerateFilters and using it to find FltGlobals.FrameList.rList. This is a linked list of FLTMGR!_FLTP_FRAME structures, each representing a single filter manager frame. From here, FudModule follows another linked list at _FLTP_FRAME.AttachedVolumes.rList. This linked list consists of FLTMGR!_FLT_VOLUME structures, describing minifilters attached to a particular file system volume. Interestingly, the rootkit performs a sanity check to make sure that the pool tag associated with the _FLT_VOLUME allocation is equal to FMvo. With the sanity check satisfied, FudModule iterates over _FLT_VOLUME.Callbacks.OperationsLists, which is an array of linked lists of FLTMGR!_CALLBACK_NODE structures, indexed by IRP major function codes. For instance, OperationsLists[IRP_MJ_READ] is a linked list describing all filters attached to the read operation on a particular volume. 

FudModule making sure the pool tag of a _FLT_VOLUME chunk is equal to FMvo

For each _CALLBACK_NODE, FudModule obtains the corresponding FLTMGR!_FLT_INSTANCE and FLTMGR!_FLT_FILTER structures and uses them to decide whether to unlink the callback node. The first check is based on the name of the driver behind the filter. If it is hmpalert.sys (associated with the HitmanPro anti-malware solution), the callback will get immediately unlinked. Conversely, the callback is preserved if the driver’s name matches an entry in the following list: 

bindflt.sys storqosflt.sys wcifs.sys cldflt.sys 
filecrypt.sys luafv.sys npsvctrig.sys wof.sys 
fileinfo.sys applockerfltr.sys bfs.sys 
Kernel modules that are allowlisted to preserve their file system minifilters.

If there was no driver name match, FudModule uses _FLT_FILTER.DefaultAltitude to make its ultimate decision. Callbacks are unlinked if the default altitude belongs either to the range [320000, 329999] (defined as FSFilter Anti-Virus by Microsoft) or the range [360000, 389999] (FSFilter Activity Monitor). Besides unlinking the callback nodes, FudModule also wipes the whole _FLT_INSTANCE.CallbackNodes array in the corresponding _FLT_INSTANCE structures. 

0x10 – Windows Filtering Platform 

Windows Filtering Platform (WFP) is a documented set of APIs designed for host-based network traffic filtering. The WFP API offers capabilities for deep packet inspection as well as for modification or dropping of packets at various layers of the network stack. This is very useful functionality, so it serves as a foundation for a lot of Windows network security software, including intrusion detection/prevention systems, firewalls, and network monitoring tools. The WFP API is accessible both in user and kernel space, with the kernel part offering more powerful functionality. Specifically, the kernel API allows for installing so-called callout drivers, which can essentially hook into the network stack and perform arbitrary actions on the processed network traffic. FudModule is trying to interfere with the installed callout routines in an attempt to disrupt the security they provide.  

This rootkit technique is executed only when Kaspersky drivers (klam.sys, klif.sys, klwfp.sys, klwtp.sys, klboot.sys) are present on the targeted system and at the same time Symantec/Broadcom drivers (symevnt.sys, bhdrvx64.sys, srtsp64.sys) are absent. This check appears to be a new addition in the current version of FudModule. In other aspects, our analysis revealed that the core idea of this technique matches the findings described by ESET researchers during their analysis of the previous version. 

Initially, FudModule resolves netio!WfpProcessFlowDelete to locate the address of netio!gWfpGlobal. As the name suggests, this is designed to store WFP-related global variables. Although its exact layout is undocumented, it is not hard to find the build-specific offset where a pointer to an array of WFP callout structures is stored (with the length of this array stored at an offset immediately preceding the pointer). FudModule follows this pointer and iterates over the array, skipping all callouts implemented in ndu.sys, tcpip.sys, mpsdrv.sys, or wtd.sys. For the remaining callouts, FudModule accesses the callout structure’s flags and sets the flag stored in the least significant bit. While the callout structure itself is undocumented, this particular 0x01 flag is documented in another structure, where it is called FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW. The documentation reads “if this flag is specified, the filter engine calls the callout driver’s classifyFn2 callout function only if there is a context associated with the data flow”. In other words, setting this flag will conditionally disable the callout in cases where no flow context is available (see the implementation of netio!IsActiveCallout below). 

The meaning of the FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW flag can be nicely seen in netio!IsActiveCallout. If this flag is set and no flow context can be obtained, IsActiveCallout will return false (see the highlighted part of the condition). 

While this rootkit technique has the potential to interfere with some WFP callouts, it will not be powerful enough to disrupt all of them. Many WFP callouts registered by security vendors already have the FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW flag set by design, so they will not be affected by this technique at all. Given the initial driver check, it seems like this technique might be targeted directly at Kaspersky. While Kaspersky does install dozens of WFP callouts, about half of those are designed for processing flows and already have the FWP_CALLOUT_FLAG_CONDITIONAL_ON_FLOW flag set. Since we refrained from reverse engineering our competitor’s products, the actual impact of this rootkit technique remains unclear. 

0x20 – Missing 

So far, the rootkit techniques we analyzed were similar to those detailed by ESET in their paper on the earlier rootkit variant. But starting from now, we are getting into a whole new territory. The 0x20 technique, which used to deal with Event Tracing for Windows (ETW), has been deprecated, leaving the 0x20 bit unused. Instead, there are two new replacement techniques that target ETW, indexed with the bits 0x40 and 0x80. The indexing used to end at 0x40, which was a technique to obstruct forensic analysis by disabling prefetch file creation. However, now the bits go all the way up to 0x200, with two additional new techniques that we will delve into later in this blog. 

0x40 – Event Tracing for Windows: System Loggers

Event Tracing for Windows (ETW) serves as a high-performance mechanism dedicated to tracing and logging events. In a nutshell, its main purpose is to connect providers (who generate some log events) with consumers (who process the generated events). Consumers can define which events they would like to consume, for instance, by selecting some specific providers of interest. There are providers built into the operating system, like Microsoft-Windows-Kernel-Process which generates process-related events, such as process creation or termination. However, third-party applications can also define their custom providers.  

While many built-in providers are not security-related, some generate events useful for detection purposes. For instance, the Microsoft-Windows-Threat-Intelligence provider makes it possible to watch for suspicious events, such as writing another process’ memory. Furthermore, various security products take advantage of ETW by defining their custom providers and consumers. FudModule tampers with ETW internals in an attempt to intercept suspicious events and thus evade detection. 

The main idea behind this rootkit technique is to disable system loggers by zeroing out EtwpActiveSystemLoggers. The specific implementation of how this address is found varies based on the target Windows version. On newer builds, the nt!EtwSendTraceBuffer routine is resolved first and used to find nt!EtwpHostSiloState. This points to an _ETW_SILODRIVERSTATE structure, and using a hardcoded build-specific offset, the rootkit can access _ETW_SILODRIVERSTATE.SystemLoggerSettings.EtwpActiveSystemLoggers. On older builds, the rootkit first scans the entire ntoskrnl .text section, searching for opcode bytes specific to the EtwTraceKernelEvent prologue. The rootkit then extracts the target address from the mov ebx, cs:EtwpActiveSystemLoggers instruction that immediately follows. 

To understand the technique’s impact, we can take a look at how EtwpActiveSystemLoggers is used in the kernel. Accessed on a bit-by-bit basis, its least significant eight bits might be set in the EtwpStartLogger routine. This indicates that the value itself is a bit field, with each bit signifying whether a particular system logger is active. Looking at the other references to EtwpActiveSystemLoggers, a clear pattern emerges. After its value is read, there tends to be a loop guarded by a bsf instruction (bit scan forward). Inside the loop tends to be a call to an ETW-related routine that might generate a log event. The purpose of this loop is to iterate over the set bits of EtwpActiveSystemLoggers. When the rootkit clears all the bits, the body of the loop will never get executed, meaning the event will not get logged. 

Example decompilation of EtwpTraceKernelEventWithFilter. After the rootkit zeroes out EtwpActiveSystemLoggers, EtwpLogKernelEvent will never get called from inside the loop since the condition guarding the loop will always evaluate to zero. 

0x80 – Event Tracing for Windows: Provider GUIDs 

Complementing the previous technique, the 0x80 technique is also designed to blind ETW, however using a different approach. While the 0x40 technique was quite generic – aiming to disable all system loggers – this technique operates in a more surgical fashion. It contains a hardcoded list of 95 GUIDs, each representing an identifier for some specific ETW provider. The rootkit iterates over all these GUIDs and attempts to disable the respective providers. While this approach requires the attackers to invest some effort into assembling the list of GUIDs, it also offers them a finer degree of control over which ETW providers they will eventually disrupt. This allows them to selectively target providers that pose a higher detection risk and ignore the rest to minimize the rootkit’s impact on the target system. 

This technique starts by obtaining the address of EtwpHostSiloState (or EtwSiloState on older builds). If EtwpHostSiloState was already resolved during the previous technique, the rootkit just reuses the address. If not, the rootkit follows the reference chain PsGetCurrentServerSiloName -> PsGetCurrentServerSiloGlobals -> PspHostSiloGlobals -> EtwSiloState. In both scenarios, the result is that the rootkit just obtained a pointer to an _ETW_SILODRIVERSTATE structure, which contains a member named EtwpGuidHashTable. As the name suggests, this is a hash table holding ETW GUIDs (_ETW_GUID_ENTRY).  

FudModule then iterates over its hardcoded list of GUIDs and attempts to locate each of them in the hash table. Although the hash table internals are officially undocumented, Yarden Shafir provided a nice description in her blog on exploiting an ETW vulnerability. In a nutshell, the hash is computed by just splitting the 128-bit GUID into four 32-bit parts and XORing them together. By ANDing the hash with 0x3F, an index of the relevant hash bucket (_ETW_HASH_BUCKET) can be obtained. The bucket contains three linked lists of _ETW_GUID_ENTRY structures, each designated for a different type of GUIDs. FudModule always opts for the first one (EtwTraceGuidType) and traverses it, looking for the relevant _ETW_GUID_ENTRY structure. 

With a pointer to _ETW_GUID_ENTRY corresponding to a GUID of interest, FudModule proceeds to clear _ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled. The purpose of this modification seems self-explanatory: FudModule is trying to disable the ETW provider. To better understand how this works, let’s examine nt!EtwEventEnabled (see the decompiled code below). This is a routine that often serves as an if condition before nt!EtwWrite (or nt!EtwWriteEx) gets called.  

Looking at the decompilation, there are two return 1 statements. Setting ProviderEnableInfo.IsEnabled to zero ensures that the first one is never reached. However, the second return statement could still potentially execute. To make sure this doesn’t happen, the rootkit also iterates over all _ETW_REG_ENTRY structures from the _ETW_GUID_ENTRY.RegListHead linked list. For each of them, it makes a single doubleword write to zero out four masks, namely EnableMask, GroupEnableMask, HostEnableMask, and HostGroupEnableMask (or only EnableMask and GroupEnableMask on older builds, where the latter two masks were not yet introduced).  

Decompilation of nt!EtwEventEnabled. After the rootkit has finished its job, this routine will always return false for events related to the targeted GUIDs. This is because the rootkit cleared both _ETW_GUID_ENTRY.ProviderEnableInfo.IsEnabled and _ETW_REG_ENTRY.GroupEnableMask, forcing the highlighted conditions to fail. 

Clearing these masks also has an additional effect beyond making EtwEventEnabled always return false. These four are all also checked in EtwWriteEx and this modification effectively neutralizes this routine, as when no mask is set for a particular event registration object, execution will never proceed to a lower-level routine (nt!EtwpEventWriteFull) where the bulk of the actual event writing logic is implemented. 

0x100 – Image Verification Callbacks 

Image verification callbacks are yet another callback mechanism disrupted by FudModule. Designed similarly to process/thread/image callbacks, image verification callbacks are supposed to get invoked whenever a new driver image is loaded into kernel memory. This represents useful functionality for anti-malware software, which can leverage them to blocklist known malicious or vulnerable drivers (though there might be some problems with this blocking approach as the callbacks get invoked asynchronously). Furthermore, image verification callbacks also offer a valuable source of telemetry, providing visibility into suspicious driver load events. The callbacks can be registered using the SeRegisterImageVerificationCallback routine, which is publicly undocumented. As a result of this undocumented nature, the usage here is limited mainly to deep-rooted anti-malware software. For instance, Windows Defender registers a callback named WdFilter!MpImageVerificationCallback

As the kernel internally manages image verification callbacks in a similar fashion to some of the other callbacks we already explored, the rootkit’s removal implementation will undoubtedly seem familiar. First, the rootkit resolves the nt!SeRegisterImageVerificationCallback routine and scans its body to locate nt!ExCbSeImageVerificationDriverInfo. Dereferencing this, it obtains a pointer to a _CALLBACK_OBJECT structure, which holds the callbacks in the _CALLBACK_OBJECT.RegisteredCallbacks linked list. This list consists of _CALLBACK_REGISTRATION structures, where the actual callback function pointer can be found in _CALLBACK_REGISTRATION.CallbackFunction. FudModule clears the entire list by making the RegisteredCallbacks head LIST_ENTRY point directly to itself. Additionally, it also walks the original linked list and similarly short-circuits each individual _CALLBACK_REGISTRATION entry in the list. 

This rootkit technique is newly implemented in the current version of FudModule, and we can only speculate on the motivation here. It seems to be designed to help avoid detection when loading either a vulnerable or a malicious driver. However, it might be hard to understand why Lazarus should want to load an additional driver if they already have control over the kernel. It would make little sense for them to load a vulnerable driver, as they already established their kernel read/write primitive by exploiting a zero-day in a preinstalled Windows driver. Further, even if they were exploiting a vulnerable driver in the first place (as was the case in the previous version of FudModule), it would be simply too late to unlink the callback now. By the time this rootkit technique executes, the image verification callback for the vulnerable driver would have already been invoked. Therefore, we believe the most likely explanation is that the threat actors are preparing the grounds for loading some malicious driver later. Perhaps the idea is that they just want to be covered in case they decide to deploy some additional kernel-mode payload in the future. 

0x200 – Direct Attacks on Security Software 

The rootkit techniques we explored up to this point were all somewhat generic. Each targeted some security-related system component and, through it, indirectly interfered with all security software that relied on the component. In contrast, this final technique goes straight to the point and aims to directly disable specific security software. In particular, the targeted security solutions are AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon, and HitmanPro. 

The attack starts with the rootkit obtaining the address of its own _EPROCESS structure. This is done using NtDuplicateHandle to duplicate the current process pseudohandle and then calling NtQuerySystemInformation to get SystemExtendedHandleInformation. With the extended handle information, the rootkit looks for an entry corresponding to the duplicated handle and obtains the _EPROCESS pointer from there. Using NtQuerySystemInformation to leak kernel pointers is a well-known technique that Microsoft aims to restrict by gradually building up mitigations. However, attackers capable of enabling SeDebugPrivilege at high integrity levels are out of scope of these mitigations, so FudModule can keep using this technique, even on the upcoming 24H2 builds. With the _EPROCESS pointer, FudModule disables mitigations by zeroing out _EPROCESS.MitigationFlags. Then, it also clears the EnableHandleExceptions flag from _EPROCESS.ObjectTable.Flags. We believe this is meant to increase stability in case something goes wrong later during the handle table entry manipulation technique that we will describe shortly.  

Regarding the specific technique used to attack the security solutions, AhnLab is handled differently than the other three targets. FudModule first checks if AhnLab is even running, by traversing the ActiveProcessLinks linked list and looking for a process named asdsvc.exe (AhnLab Smart Defense Service) with _EPROCESS.Token.AuthenticationId set to SYSTEM_LUID. If such a process is found, FudModule clears its _EPROCESS.Protection byte, effectively toggling off PPL protection for the process. While this asdsvc.exe process is under usual circumstances meant to be protected at the standard PsProtectedSignerAntimalware level, this modification makes it just a regular non-protected process. This opens it up to further attacks from user mode, where now even other privileged, yet non-protected processes could be able to tamper with it. However, we suspect the main idea behind this technique might be to disrupt the link between AhnLab’s user-mode and kernel-mode components. By removing the service’s PPL protection, the kernel-mode component might no longer recognize it as a legitimate AhnLab component. However, this is just a speculation as we didn’t test the real impact of this technique. 

Handle Table Entry Manipulation 

The technique employed to attack Defender, CrowdStrike, and HitmanPro is much more intriguing: FudModule attempts to suspend them using a new handle table entry manipulation technique. To better understand this technique, let’s begin with a brief background on handle tables. When user-mode code interacts with kernel objects such as processes, files, or mutexes, it typically doesn’t work with the objects directly. Instead, it references them indirectly through handles. Internally, the kernel must be able to translate the handle to the corresponding object, and this is where the handle table comes in. This per-process table, available at _EPROCESS.ObjectTable.TableCode, serves as a mapping from handles to the underlying objects. Organized as an array, it is indexed by the integer value of the handle. Each element is of type _HANDLE_TABLE_ENTRY and contains two crucial pieces of information: a (compressed) pointer to the object’s header (nt!_OBJECT_HEADER) and access bits associated with the handle. 

Due to this handle design, kernel object access checks are typically split into two separate logical steps. The first step happens when a process attempts to acquire a handle (such as opening a file with CreateFile). During this step, the current thread’s token is typically checked against the target object’s security descriptor to ensure that the thread is allowed to obtain a handle with the desired access mask. The second check takes place when a process performs an operation using an already acquired handle (such as writing to a file with WriteFile). This typically only involves verifying that the handle is powerful enough (meaning it has the right access bits) for the requested operation.  

FudModule executes as a non-protected process, so it theoretically shouldn’t be able to obtain a powerful handle to a PPL-protected process such as the CrowdStrike Falcon Service. However, leveraging the kernel read/write primitive, FudModule has the ability to access the handle table directly. This allows it to craft a custom handle table entry with control over both the referenced object and the access bits. This way, it can conjure an arbitrary handle to any object, completely bypassing the check typically needed for handle acquisition. What’s more, if it sets the handle’s access bits appropriately, it will also satisfy the subsequent handle checks when performing its desired operations. 

To prepare for the handle table entry manipulation technique, FudModule creates a dummy thread that just puts itself to sleep immediately. The thread itself is not important. What is important is that by calling CreateThread, the rootkit just obtained a thread handle with THREAD_ALL_ACCESS rights. This handle is the one that will have its handle table entry manipulated. Since it already has very powerful access bits, the rootkit will not even have to touch its _HANDLE_TABLE_ENTRY.GrantedAccessBits. All it needs to do is overwrite _HANDLE_TABLE_ENTRY.ObjectPointerBits to redirect the handle to an arbitrary object of its choice. This will make the handle reference that object and enable the rootkit to perform privileged operations on it. Note that ObjectPointerBits is not the whole pointer to the object: it only represents 44 bits of the 64-bit pointer. But since the _OBJECT_HEADER pointed to by ObjectPointerBits is guaranteed to be aligned (meaning the least significant four bits must be zero) and in kernel address space (meaning the most significant sixteen bits must be 0xFFFF), the remaining 20 bits can be easily inferred. 

A dummy thread whose handle will be the subject of handle table entry manipulation. 

The specific processes targeted by this technique are MsSense.exe, MsMpEng.exe, CSFalconService.exe, and hmpalert.exe. FudModule first finds their respective _EPROCESS structures, employing the same algorithm as it did to find the AhnLab service. Then, it performs a sanity check to ensure that the dummy thread handle is not too high by comparing it with _EPROCESS.ObjectTable.NextHandleNeedingPool (which holds information on the maximum possible handle value given the current handle table allocation size). With the sanity check satisfied, FudModule accesses the handle table itself (EPROCESS.ObjectTable.TableCode) and modifies the dummy thread’s _HANDLE_TABLE_ENTRY so that it points to the _OBJECT_HEADER of the target _EPROCESS. Finally, the rootkit uses the redirected handle to call NtSuspendProcess, which will suspend the targeted process.  

It might seem odd that the manipulated handle used to be a thread handle, but now it’s being used as a process handle. In practice, there is nothing wrong with this since the handle table itself holds no object type information. The object type is stored in _OBJECT_HEADER.TypeIndex so when the rootkit redirected the handle, it also effectively changed the handle object type. As for the access bits, the original THREAD_ALL_ACCESS gets reinterpreted in the new context as PROCESS_ALL_ACCESS since both constants share the same underlying value. 

The manipulated dummy thread handle (0x168), now referencing a process object. 

Though suspending the target process might initially appear to be a completed job, FudModule doesn’t stop here. After taking five seconds of sleep, it also attempts to iterate over all the threads in the target process, suspending them one by one. When all threads are suspended, FudModule uses NtResumeProcess to resume the suspended process. At this point, while the process itself is technically resumed, its individual threads remain suspended, meaning the process is still effectively in a suspended state. We can only speculate why Lazarus implemented process suspension this way, but it seems like an attempt to make the technique stealthier. After all, a suspended process is much more conspicuous than just several threads with increased suspend counts. 

To enumerate threads, FudModule calls NtQuerySystemInformation with the SystemExtendedHandleInformation class. Iterating over the returned handle information, FudModule searches for thread handles from the target process. The owner process is checked by comparing the PID of the target process with SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.UniqueProcessId and the type is checked by comparing SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX.ObjectTypeIndex with the thread type index, which was previously obtained using NtQueryObject to get ObjectTypesInformation. For each enumerated thread (which might include some threads multiple times, as there might be more than one open handle to the same thread), FudModule manipulates the dummy thread handle so that it points to the enumerated thread and suspends it by calling SuspendThread on the manipulated handle. Finally, after all threads are suspended and the process resumed, FudModule restores the manipulated handle to its original state, once again referencing the dummy sleep thread. 

Conclusion 

The Lazarus Group remains among the most prolific and long-standing advanced persistent threat actors. Though their signature tactics and techniques are well-recognized by now, they still occasionally manage to surprise us with an unexpected level of technical sophistication. The FudModule rootkit serves as the latest example, representing one of the most complex tools Lazarus holds in their arsenal. Recent updates examined in this blog show Lazarus’ commitment to keep actively developing this rootkit, focusing on improvements in both stealth and functionality. 

With their admin-to-kernel zero-day now burned, Lazarus is confronted with a significant challenge. They can either discover a new zero-day exploit or revert to their old BYOVD techniques. Regardless of their choice, we will continue closely monitoring their activity, eager to see how they will cope with these new circumstances. 

Indicators of Compromise (IoCs) 

A YARA rule for the latest FudModule variant is available at https://github.com/avast/ioc/tree/master/FudModule#yara.

The post Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day appeared first on Avast Threat Labs.

Decrypted: HomuWitch Ransomware

20 February 2024 at 14:30

HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users – individuals – rather than institutions and companies. Its prevalence isn’t remarkably large, nor is the requested ransom payment amount, which has allowed the strain to stay relatively under the radar thus far.

During our investigation of the threat, we found a vulnerability, which allowed us to create a free decryption tool for all the HomuWitch victims. We are now sharing this tool publicly to help impacted individuals decrypt their files, free of charge.

Despite a decrease in HomuWitch activity recently, we will continue to closely monitor this threat.

Skip to how to use the HomuWitch ransomware decryptor.

About HomuWitch

HomuWitch is a ransomware written in C# .NET. Its name comes from the file version information of the binary. Victims are usually infected via a SmokeLoader backdoor, masked as pirated software, which later installs a malicious dropper that executes the HomuWitch ransomware. Cases of infection are primarily found in two locations – Poland and Indonesia.

Overview of the dropper responsible for HomuWitch ransomware

HomuWitch Behavior

After the execution begins, drive letters are enumerated and those with a size smaller than 3,500 MB – as well as current user’s directories for Pictures, Downloads, and Documents – are considered in the encryption process. Then, only files with specific extensions with size less than 55 MB are chosen to be encrypted. The list of the extensions contains following:

.pdf, .doc, .docx, .ppt, .pptx, .xls, .py, .rar, .zip, .7z, .txt, .mp4, .JPG, .PNG, .HEIC, .csv, .bbbbbbbbb

HomuWitch transforms the files with combination of Deflate algorithm for compression and AES-CBC algorithm for encryption, appending .homuencrypted extension to the filename. Most ransomware strains perform file encryption; HomuWitch also adds file compression. This causes the encrypted files to be smaller than originals.

HomuWitch file-encryption routine

HomuWitch contains a vulnerability present during the encryption process that allows the victims to retrieve all their files without paying the ransom. New or previously unknown samples may make use of different encryption schema, so they may not be decryptable without further analysis.

It is also using command-and-control (CnC) infrastructure for its operation, mostly located in Europe. Before encryption, HomuWitch sends the following personal information to its CnC servers:

Computer name, Country code, Keyboard layout, Device ID

HomuWitch CnC communication

After encryption, a ransom note is either retrieved from the CnC server or (in some samples) is stored in the sample resources. The ransom typically varies $25 to $70, demanding the payment to be made with Monero cryptocurrency. Here is an example of HomuWitch ransom note:

How to use the Avast HomuWitch ransomware decryption tool to decrypt files encrypted by the ransomware

Follow these steps to decrypt your files:

  1. Download the free decryptor here.
  2. Run the executable file. It starts as a wizard, leading you through the configuration of the decryption process.
  3. On the initial page, you can read the license information if you want, but you only need to click “Next”
  1. On the following page, select the list of locations you want to be searched for and decrypted. By default, it contains a list of all local drives:
  1. On the third page, you need to provide a file in its original form and one which was encrypted by the HomuWitch ransomware. Enter both names of the files. If you have an encryption password created by a previous run of the decryptor, you can select “I know the password for decrypting files” option:
  1. The next page is where the password cracking process takes place. Click “Start” when you are ready to start the process. The password cracking process uses all known HomuWitch passwords to determine the correct one.
  1. Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking “Next”.
  1. On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking “Decrypt” the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.
Indicators of Compromise (IoCs)

Samples (SHA256)

03e4f770157c11d86d462cc4e9ebeddee3130565221700841a7239e68409accf
0e42c452b5795a974061712928d5005169126ad1201bd2b9490f377827528e5d
16c3eea8ed3a44ee22dad8e8aec0c8c6b43c23741498f11337779e6621d1fe4e
33dd6dfd51b79dad25357f07a8fb4da47cec010e0f8e6d164c546a18ad2a762c
3546b2dd517a99249ef5fd8dfd2a8fd80cb89dfdc9e38602e1f3115634789316
4ea00f1ffe2bbbf5476c0eb677ac75cf1a765fe5c8ce899f47eb8b344da878ed
6252cda4786396ebd7e9baf8ff0454d6af038aed48a7e4ec33cd9249816db2f4
9343a0714a0e159b1d49b591f0835398076af8c8e2da56cbb8c9b7a15c9707c8
bd90468f50629728d717c53cd7806ba59d6ad9377163d0d3328d6db4db6a3826
cd4c3db443dbfd768c59575ede3b1e26002277c109d39ea020d1bc307374e309
fd32a8c5cd211b057fdf3e7cc27167296c71e3fb42daa488649cdf81f58f6848

Command-and-Control Servers

IP AddressOrigin
78.142.0.42US
79.137.207.233Germany
185.216.68.97Netherlands
193.164.150.225Russia

IoCs are available at https://github.com/avast/ioc/tree/master/HomuWitch

The post Decrypted: HomuWitch Ransomware appeared first on Avast Threat Labs.

Decrypted: Rhysida Ransomware

13 February 2024 at 11:44

In October 2023, we published a blog post containing technical analysis of the Rhysida ransomware. What we intentionally omitted in the blog post was that we had been aware of a cryptographic vulnerability in this ransomware for several months and, since August 2023, we had covertly provided victims with our decryption tool. Thanks to our collaboration with law enforcement units, we were able to quietly assist numerous organizations by decrypting their files for free, enabling them to regain functionality. Given the weakness in Rhysida ransomware was publicly disclosed recently, we are now publicly releasing our decryptor for download to all victims of the Rhysida ransomware.

The Rhysida ransomware has been active since May 2023. As of Feb 2024, their TOR site lists 78 attacked companies, including IT (Information Technology) sector, healthcare, universities, and government organizations.

Usage of the Decryptor

Please, read the following instructions carefully. The rate of success depends on them.

Several parameters of the infected PC affect the encryption (and decryption) of the files:

  • Set of the drive letters
  • Order of files
  • Number of CPU cores
  • Bitness of the executed ransomware sample
  • Format of files before encryption

For these reasons, the following rules must be obeyed while decrypting files:

  • The decryptor must be executed on the same machine where the files were encrypted
  • Password cracking process must be executed on the same machine where the files were encrypted
  • No files from another machine can be copied to the machine where the decryption process is performed
  • Text files (source files, INI files, XML, HTML, …) must have certain minimal size to be decryptable

64-bit samples of the Rhysida encryptors are far more common. For that reason, default configuration of the decryptor assumes 64-bit encryptor. If you are sure that it was 32-bit version (for example, if you have 32-bit operating system), the decryptor can be switched to 32-bit mode by using the following command line parameter:

avast_decryptor_rhysida.exe /ptr:32

If you want to verify whether the decryption process will work without changing the files, you may use the “testing mode” of the decryptor. This mode is activated by the following command line parameter:

avast_decryptor_rhysida.exe /nodecrypt

The Rhysida decryptor also relies on the known file format. Common file formats, such as Office documents, archives, pictures, and multimedia files are already covered. If your encrypted data includes valuable documents in less common or proprietary formats, please, contact us at [email protected]. We can analyze the file format and if possible, we add its support to the decryptor.

Steps to Use the Decryptor

  1. Download the decryptor here.
  2. Run the decryptor. Unless you need one or more command line modifications, you can simply run it by clicking on the downloaded file.
  3. On the initial page, you must confirm that you are running the decryptor on the same PC where the files were encrypted. Click Yes, then the Next button when you are ready to start.
  1. Next page shows the list of drive letters on the PC. You may notice that it is in reverse order. Please, keep it as it is and click “Next.”
  1. The next screen requires you to enter an example of an encrypted file. In most cases, the decryptor picks the best file available for the password cracking process.
  1. The next page is where the password cracking process takes place. Click Start when you are ready to begin. This process usually only takes a few seconds but will require a large amount of system memory.
  1. Once the password is found, you can continue to decrypt all the encrypted files on your PC by clicking Next:
  1. On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend. After clicking Decrypt the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.

For questions or comments about the Avast decryptor, email [email protected].

The post Decrypted: Rhysida Ransomware appeared first on Avast Threat Labs.

Avast Q4/2023 Threat Report

7 February 2024 at 14:00

10 Billion Attacks Blocked in 2023, Qakbot’s Resurrection, and Google API Abused

Foreword

Welcome to the new edition of our report. As we bid farewell to the year 2023, let’s briefly revisit the threat landscape that defined the past year. In 2023, the overall number of unique blocked attacks surged, reaching an unprecedented milestone of more than 10 billion attacks and a remarkable 49% increase year-over-year. This staggering figure, once considered unimaginable, now reflects the harsh reality of our digital landscape. The intensity of these attacks peaked in the final quarter, with a 17% quarter-on-quarter increase, and a monthly average exceeding 1.2 billion attacks.

Q4/2023 was an exceptionally eventful period marked by a myriad of cyber threat developments. Our featured story navigates the intricate PDF threat landscape, unveiling the surge in digital document deception. Threat actors capitalized on PDF files, weaving a complex web of attacks ranging from dating scams and phishing attempts to sophisticated password stealers exemplified by AgentTesla.

In a notable turn of events, this quarter marked the (predicted by many) reappearance of Qakbot, previously dismantled by the FBI. Despite law enforcement efforts, Qakbot resurfaced in December, revealing intriguing overlaps in distribution with Pikabot. Additionally, the sextortion bot Twizt expanded its repertoire by incorporating brute forcing of VNC endpoints.

In a quarter filled with significant developments, a noteworthy trend emerged in the realm of info-stealers. While these threats experienced a slight uptick, what sets this period apart is the

inventive abuse of the Google OAuth API for recovering authentication cookies by Lumma, Rhadamanthys, and other stealers. This novel approach significantly amplifies the impact of their malicious activities.

While there was an overall decline in coinminers, a staggering 250% quarter-on-quarter surge in malicious coinmining in the USA, propelled by the widespread dissemination of XMRig, stood out. Furthermore, adware on desktop maintained a heightened activity level, employing new tricks such as swift DNS record switches for ad servers.

We also observed a subtle uptick in ransomware attacks, featuring prominent groups like LockBit and ALPHV/BlackCat in the headlines. Meanwhile, law enforcement and cybersecurity entities counteracted, exemplified by the release of free decryption tools for Babuk-Tortilla and BlackCat.

Notably, a year after the takedown of the NetWire RAT, its eradication was affirmed. However, it was swiftly replaced by prominent RATs, but also new ones such as zgRAT, Krasue, or SugarGh0st.

Web threats continued to dominate, with scams, phishing, and malvertising ranking as the top threat types overall. The use of malicious browser push notifications escalated, becoming a preferred tool for scammers across various domains, from adult content sites to technical support scams, and financial frauds. Deepfake videos, especially those endorsing investment scams, displayed a heightened level of sophistication, challenging the ability to distinguish between real and fabricated content. Dating and romance scams, affecting approximately one in 20 of our users every month, showcased a global reach, expanding beyond western countries to target the Arab states and Asia. With Valentine’s Day approaching, an upward trend in these scams is anticipated. Furthermore, the conclusion of the year saw a surge in fake e-shops masquerading as renowned brands, leading unsuspecting victims into phishing traps.

Furthermore, the mobile threat landscape continued to evolve, witnessing the resurgence of the Chameleon banker and the insidious spread of SpyLoans on the PlayStore, posing serious threats, including physical violence blackmail.

Finally, as we venture into 2024, we anticipate a dynamic year ahead. Our team has ventured into the realm of predictions for 2024, foreseeing the evolving trends in cyber threats. While we hope our predictions do not come to fruition, and the digital space becomes safer than the close of 2023, your safety remains our top priority. Thank you for your trust in Avast. Enjoy the rest of the report.

Jakub Křoustek, Malware Research Director

Methodology

This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating systems.

We use the term “risk ratio” in this report to denote the severity of specific threats. It is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.

A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified time frame.

Featured Story: The PDF Threat Landscape

In recent times, the cybersecurity landscape has seen a surge in sophisticated malware attacks, with cybercriminals exploiting various vectors to compromise systems and networks. One particularly concerning trend has been the expansion of malware threats through PDF files, a widely used format for document sharing and collaboration.

PDF files have long been a favored medium for sharing documents due to their platform-agnostic nature and consistent formatting across different devices and operating systems. However, this ubiquity has made them an attractive vector for cybercriminals seeking to deliver malware discreetly. Furthermore, PDF attachments are often allowed by default by spam gateways, adding another layer of vulnerability. What’s more, PDF files can be seamlessly opened on both PCs and mobile devices, making them the ultimate delivery payload, further amplifying their appeal as a method for delivering malicious payloads (for example embedding a malicious Word file into a PDF file). Additionally, attackers have begun using bogus URLs, often disguising them through services like the sLinks link shortener, in an effort to bypass antivirus scanners and heighten their chances of successful deployment.

Social engineering is always present in the work of cyberthreats, and we can analyze the typical behaviors used to fool users. One common example is a message that supposedly come from a known company, such as Amazon or some financial entity, with a clearly defined message, such as:

  1. Your account has been blocked.
  2. You are given the means to unblock it.
  3. If you don’t do it in 24 hours, you’ll lose access to your account forever.

The sense of urgency is key in most scams, encouraging victims to act fast and not think twice about the situation. Some other scams are more subtle. The below example poses as Netflix, describing problems with your payment. The simple message – utilizing Netflix branding – indicates an issue with your payment and asks you to update your details:

Phishing PDF – Netflix

Once you click the link, you are brought through the steps to enter your financial information, which is then taken by the malicious actors.

Another common scam is the good old lottery scam. In this scam, you’ve been awarded with some lottery prize (without even participating, how lucky!) and you are asked to send some personal details to receive the money. Of course, if you contact the scammers, they will ask you for some money in advance to pay the transfer fees.

Many types of attacks are suitable in PDF format – we have even seen dating scams, because… why not? But PDF-based attacks can also include malware, where the final payload will infect your device, as shown in the following example:

Malware PDF – final payload: AgentTesla

In recent malware campaigns, we have observed a spectrum of threats and scams, ranging from simple ones like lottery and dating scams, through phishing PDFs containing deceptive

information and a link to a phishing page, to complex campaigns delivering more sophisticated threats in JavaScript or embedded objects, culminating in strains such as AgentTesla, DarkGate, GuLoader, IcedID, RemcosRat, Ursnif, Qakbot or various APT groups. We have blocked more than 10 million PDF-based attacks, protecting more than 4 million users worldwide:

Pdf threats blocked in the last 6 months

The proliferation of PDF-based cyber threats underscores a significant shift in the tactics of cybercriminals. These attacks, ranging from simple scams to complex malware deliveries, demonstrate the adaptability and cunning of attackers in exploiting trusted digital mediums. PDF files, due to their ubiquity and inherent trust, have become a prime vector for a variety of malicious activities. This trend not only reflects the innovative methods of cybercriminals but also highlights the vulnerabilities inherent in everyday digital interactions.

The examples provided reveal a common thread: the exploitation of human psychology. The sense of urgency, the promise of rewards, and the fear of loss are leveraged to manipulate victims. Moreover, the transition from simple deception to sophisticated malware payloads like AgentTesla, DarkGate, and others, indicates a disturbing escalation in the severity of these threats.

Our analysis shows that, despite the diversity of these attacks, they share a reliance on social engineering and the exploitation of trusted channels. As we have successfully blocked a sizeable number of these attacks, it’s clear that robust cybersecurity measures can be highly effective. However, the battle is not solely technological. Education and awareness play a crucial role. Users must be vigilant, question the authenticity of unsolicited communications, and be aware of the signs of phishing and scams.

Luis Corrons, Security Evangelist
Branislav Kramár, Malware Analyst

Desktop-Related Threats

Advanced Persistent Threats (APTs)

An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a target’s network and maintain a long-term presence undetected.

The final quarter of 2023 has been marked by a series of sophisticated cyberattacks, underlining the persistent and evolving threats posed by Advanced Persistent Threat (APT) groups worldwide. These threat actors have demonstrated their capability and intent to target governmental and military entities, employing a range of techniques from spear-phishing to complex malware.

Spyware Campaign Against Government Entities in the Philippines

In the Philippines, government entities became the focus of a spyware campaign in Q4 2023. This operation utilized an infection chain that incorporated various techniques including spyware, PowerShell and .NET stealers, and spear-phishing as an infection vector. The complexity of this campaign was notable, with each stage employing different methods to infiltrate, monitor, and extract sensitive information from targeted systems. This demonstrates a high level of sophistication and resource investment.

MustangPanda’s Diverse Geographic Targets

MustangPanda, a well-known APT group, extended its operations across several countries, including Vietnam, Australia, the Philippines, Myanmar, and Taiwan. Their operations are marked using the well-known Korplug malware, demonstrating their preference for proven and effective tools in their cyber arsenal. Additionally, this group has been observed utilizing malware written in the Nim programming language. A key technique in their arsenal is the frequent use of sideloading, a method where they load malware by exploiting legitimate software processes.

Attacks on the Pakistani Military

Pakistan’s military was the target of multiple APT groups including groups like Donot and Bitter, signifying the critical importance of military institutions as high-value targets in cyberspace. The attackers employed a combination of spear-phishing as an infection vector, LNK files, and custom backdoors. These attacks underscore the need for heightened cybersecurity measures within military networks, given their attractiveness to a wide range of threat actors.

Lebanese Government Entities Under Siege

The Lebanese government also faced cyber threats, with a threat actor employing a similar range of techniques seen in other attacks, including spear-phishing, LNK files. The infection chain in these attacks was complex, starting with LNK files and moving through various stages including VBScript, BAT files, AutoIT scripts, and eventually leading to the deployment of a custom backdoor. This layered approach to infiltration reflects a strategic methodology designed to evade detection at multiple points, illustrating the lengths to which attackers are willing to go to maintain persistence and control within a targeted network.

Gamaredon’s Aggressive Cyber Campaign in Ukraine

Ukraine has been the target of Gamaredon group’s prolonged and aggressive cyber campaign, marked by a range of intrusive techniques. Their approach includes spear-phishing to gain initial access, followed by the deployment of obfuscated VBScripts and PowerShell scripts, complicating detection efforts. They also use document stealers to illicitly gather sensitive data. Uniquely, the group employs Telegram for disseminating Command and Control (CnC) IPs, a tactic aimed at evading traditional communication surveillance. Further, they spread malware through infected documents and LNK files. In their operations, they also utilize DNS services to acquire IP addresses directly, a technique intended to reduce detection by avoiding the use of domain names. This campaign has resulted in numerous victims, demonstrating Gamaredon’s persistent threat to Ukrainian cybersecurity.

Lazarus

In this quarter, we were monitoring increased activity from the Lazarus group. From our telemetry, it was evident that they continued to utilize ISO files combined with LNK files as an initialization loader for delivering payloads into systems.

In early October, Microsoft observed Lazarus exploiting CVE-2023-42793, a remote-code execution vulnerability impacting various versions of JetBrains, to deploy payloads. Following a successful compromise, they utilized PowerShell to download two payloads from legitimate infrastructure.

We also identified the same toolset being employed to our customers, predominantly those located in Europe.

In December, Cisco Talos reported on a new campaign by Lazarus. In this instance, they were employing a new Dlang-based malware, featuring two Remote Access Trojans (RATs). One of these RATs utilized Telegram bots and channels as a means of communication with the Command-and-Control servers.

This campaign targeted enterprises globally, focusing on those publicly hosting and exposing vulnerable infrastructure to n-day vulnerabilities such as CVE-2021-44228 (Log4j). The sectors primarily under attack included manufacturing, agriculture, and physical security companies.

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher

Adware

Adware is considered unwanted if installed without the user’s consent, tracks browsing behavior, redirects web traffic, or collects personal information for malicious purposes such as identity theft.

The rise in popularity of adware can be attributed to its potential for monetization and the dissemination of potentially unwanted programs (PUP) and malware. Moreover, advertisements promoting legal software also employ deceptive adware practices, which verge on the boundaries of scam-like activities. We classify these techniques as annoying and protect our users against this approach. While spreading malware through adware is not the predominant method for infecting victims’ machines overall, our attention in Q4/2023 has been directed toward detecting adware to monitor this potential threat closely.

Adware actors exhibit high flexibility, continuously adjusting their techniques to evade antivirus detection. As a result, it becomes imperative to remain dynamic and consistently adapt to the evolving strategies employed by these actors. The below graph illustrates adware blocks over Q3 and Q4 of 2023. These blocks consist of a diverse array of techniques we actively block and respond to effectively counter the evolving threat of adware – the ongoing cat-and-mouse game.

Global Avast risk ratio from adware for Q3/2023 and Q4/2023

The global risk ratio of adware in Q4 2023 was similar to the previous quartile. Nevertheless, the prevalence of desktop adware remains significantly elevated. The most affected regions remain South America, Africa, Southeast Asia, and Southeast Europe, as the map below illustrates

Map showing the global risk ratio for Adware in Q4/2023
Adware Share

One of the more sophisticated adware techniques is switching DNS records for ad servers characterized by remarkably short TTL. Therefore, it is impossible to pinpoint the precise strain of adware. The most prevalent DNS records of ad servers in Q4/2023:

  • agriculturalpraise[.]com
  • formationwallet[.]com
  • plundertentative[.]com
  • supportedbushesimpenetrable[.]com
  • nutsmargaret[.]com
  • facilitypestilent[.]com
  • suchbasementdarn[.]com
  • usetalentedpunk[.]com

Consequently, a substantial percentage, 54% of adware strains, falls under the category of unknowns. The remaining shares are distributed among other adware strains in the following manner:

  • SocialBar (38%)
  • DealPly (2%)
  • Neoreklami (1%)

Martin Chlumecký, Malware Researcher

Bots

Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.

In comparison to the previous quarters, this quarter was roller-coaster with many changes in the landscape. The dust hadn’t even settled on Qakbot’s former infrastructure following its FBI takedown in August 2023 before we witnessed its resurgence in December. The number of our users that have been targeted by Qakbot has doubled in Q4 2023 compared to the previous quarter. While this seems to be a significant increase, it is still dwarfed by its activity before the takedown. Its binaries also went through some overhaul, embracing 64-bit architecture and relying on AES instead of XOR for string encryption. Interestingly, a rather new strain Pikabot exhibited overlaps in distribution related TTPs (thread hijacking and second-stage retrieval) with Qakbot and it was, incidentally, also gaining traction in the landscape, doubling the number of affected users compared to the previous quarter.

Phorpiex’s successor, dubbed Twizt, expanded on its payloads this quarter. Aside from spam/sextortion payloads, we’ve seen previously unseen payloads that have featured code for brute-forcing credentials to VNC (remote desktop sharing protocol) endpoints in both local network and randomly generated IP address for potential publicly accessible endpoints.

The overall risk ratio of bots increased at the end of 2023, partially fueled by Qakbot’s resurgence in December. As for other notable changes in the strain prevalence, we’ve seen a huge drop (-48%) in Amadey infections and a steady increase in Emotet (+14%) and Twizt (+27%) infections.

Global risk ratio in Avast’s user base regarding bots in Q4/2023

The last mention of bots goes to NoName056(16) and their DDosia project, which had a rather turbulent quarter. Presumably to hinder tracking attempts by malware researchers, the group has reworked their configuration distribution protocol, including its client authentication. Nevertheless, the first implementation was unstable and ridden with software bugs for both server and client implementations. This has dramatically reduced the project’s efficacy in the short term until these blocking issues were resolved. Shortly after the deployment, the authentication protocol was simplified, and the encryption mechanism was changed shortly due to reported problems with client-attribution statistics. These resulted in reduced rewards for the project’s participants.

A moving average of DDosia’s cadence of announcements of new victims on their Telegram
channel.

As for their general operations, there were not many changes. Attacks on various European and Ukrainian banks were attempted throughout the whole quarter. While the first wave of attacks was met with some success, successive attacks rarely succeeded despite the group’s claims on their Telegram channel. The choice of targets still follows the usual modus operandi, meaning that new configurations were usually spurred by various politicians’ statements directed against Russia and their invasion of Ukraine. Unfortunately, the trend reversal in the number of DDosia project participants still holds with the number of participants linearly increasing throughout the quarter to a little over 16,000 participants. This quarter, the most affected TLDs were .cz, .de, and .fr, each having more than 10% of targeted domains.

Number or participants in the DDosia project
Share of TLDs targeted by DDosia project

Adolf Středa, Malware Researcher
Martin Chlumecký, Malware Researcher

Coinminers

Coinminers are programs that use a device’s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim’s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it’s important to follow our guidelines.

When compared to the previous quarter, we observed another decrease in the prevalence of coinminers in Q4/2023, with the risk ratio dropping by 14%. However, even though it is a rather significant drop, we note that it doesn’t mean coinminers are a lesser threat, unfortunately. This is because we also observed rather significant shift in the market share with a decline in web miners giving way to an extensive rise of XMRig and other executable coinminers which are, in general, more dangerous forms of coinmining.

Geographically, we also observed a shift during Q4/2023 where the attacks were more prevalent in specific countries, lowering the global spread with relations to risk ratio.

Map showing global risk ratio for coinminers in Q4/2023

First and foremost, we measured two huge increases in risk ratio in United States and Turkey by almost 250% and 200%, respectively. We measure another more significant surge in Hungary, Poland, India, and Egypt were the risk ratio increased by 85%, 52%, 50%, and 40%, respectively. On the other hand, users in France and Belgium were less prone to getting infected with coinminers the risk ratio decreased by 80% and 78%, respectively.

In the graph below, we can observe the numbers skyrocket with regards to risk ratio of getting a coinminers in the United States.

Daily risk ratio in our user base in US regarding coinminers in Q4/2023

As we mentioned before, this quarter shifted more towards traditional executable coinmining instead of web miners. This resulted in XMRig having a significant dominance of a total 64% malware share with a huge 169% increase this quarter. Web miners lost their malware share by 68%, holding a malware share of 19% which is a long-time lowest.

In general, we denote this as a more dangerous threat opposed to the web miners since XMRig and other executable strains usually run on the background of the whole system, not only on the visited webpage. Furthermore, coinminers tend to be bundled with other malware types as well, meaning the scope of the infection might be even bigger in these cases.

The most common coinminers with their malware share in Q4/2023 were:

  • XMRig (63.69%)
  • Web miners (19.20%)
  • CoinBitMiner (2.14%)
  • SilentCryptoMiner (2.04%)
  • FakeKMSminer (1.47%)
  • NeoScrypt (1.20%)
  • CoinHelper (0.86%)

Jan Rubín, Malware Researcher

Information Stealers

Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents.

Q4/2023 brought a new and interesting stealing capability which was rapidly adapted by information stealers – abusing Google OAuth endpoint for recovering authentication cookies. Lumma for example, a rapidly rising malware-as-a-service (MaaS) stealer, was supposedly the first to advertise and adapt the technique.

Lumma info-stealer changelog (Source: BleepingComputer)

Many big information stealer groups, including MaaS players, have already jumped on this new threat. This includes (but is not limited to) Rhadamanthys, Stealc, Meduza, and MetaStealer.

The technique is abusing a Google OAuth “MultiLogin” API endpoint. This endpoint is used for synchronizing accounts across Google services. When the malware decrypts a session token and Gaia ID from the local browser files on the infected device, it is further able to perform a request to the “MultiLogin” API endpoint, recovering the authentication cookie. Note that when this “token and ID” pair is exfiltrated rather than directly used from the victim’s system, the malware authors may use this information on backends instead, trying to avoid AV and EDR monitoring.

Currently, the mitigation is rather limited. According to CloudSEK researchers, the authentication cookie survives even a (sole) reset of the user’s password. In fact, if a user was affected, they need to firstly log out of their Google account to revoke the synchronization OAuth cookie (or sign-out from/kill all active sessions: http://g.co/mydevices), change the password, and log back in.

Unfortunately, these are all reactive steps in a sense that the user needs to know that they were affected. The problem is further underlined by the fact that Google currently doesn’t plan to rework the “MultiLogin” endpoint, or mitigate the API abuse by proactive means.

DNS-based threats

The Domain Name System (DNS) is a decentralized naming system that translates user-friendly domain names into numerical IP addresses for network devices to identify each other. However, this system is now becoming popular for carrying out attacks. Usually, threat actors misuse DNS for these reasons:

  • The malware can receive commands and instructions, enabling two-way communication
  • The threat actor can deploy an additional payload onto the infected device
  • Information stealers can exfiltrate sensitive data from the infected device
  • The communication is more obfuscated, rendering it more difficult to track properly
  • The communication is usually enabled by default, since the traffic operates on a common port 53
  • The traffic may bypass traditional AVs and gateways due to the possible lack of monitoring and scanning

Attackers can use many techniques to achieve this, for example performing DNS tunneling, DNS cache poisoning, DNS fast fluxing, or using rogue/malicious DNS servers, to name a few.

We see threat actors adapting DNS-based techniques already, including notorious malware strains. This includes information stealers like ViperSoftX or DarkGate (also known as Meh) for more obfuscated payload delivery, multi-modular backdoor DirtyMoe for obfuscated communication, or Crackonosh for its update routine.

For further information about DNS-based threats and how we protect our users against them, read our dedicated blog post on Decoded.

Statistics

In Q4/2023, we observed a 6% increase in information stealer activity in comparison with the previous quarter. This increase is mostly due to  the rise of Lumma stealer as well as Stealc and by an increase in activity of various online JavaScript scrapers.

Daily risk ratio in our user base regarding information stealers in Q4/2023

The highest risk of information stealer infections currently exists in:

  • Turkey (3.01%) with 46% Q/Q increase
  • Pakistan (2.32%) with 6% Q/Q decrease
  • Egypt (1.98%) with 3% Q/Q increase

Thankfully, we observed a significant 12% decrease of information stealers’ activity in the United States.

Map showing global risk ratio for information stealers in Q4/2023

Unsurprisingly, AgentTesla still holds its place  as the most popular information stealer, capturing 26% of the global information stealers market share. However, this malware share is lower when compared to the previous quarter due to the 11% decrease. Formbook also experienced a decrease in market share by 10%, having 10% market share now. Unfortunately, various JavaScript scrapers/exfilware were also far more active this quarter, marking 6.08% market share now.

According to our data, Raccoon stealer had another rough couple of months, losing its market share by additional 21%, for a current total of 1.54% market share.

The most common information stealers with their malware shares in Q4/2023 were:

  • AgentTesla (26%)
  • FormBook (10%)
  • Fareit (6%)
  • RedLine (4%)
  • Lokibot (3%)
  • Lumma (3%)
  • Stealc (2%)
  • OutSteel (2%)
  • ViperSoftX (2%)
  • Raccoon (2%)

Jan Rubín, Malware Researcher

Ransomware 

Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, “ransom”, hence the term ransomware.

Hacks, breaches, stolen data. Almost every day, we can read about a new data breach or data extortion campaign from one of the many ransomware gangs. The intensity and frequency are stunning; for example, the LockBit data leak site showed 65 new attacked companies in 15 days (from Oct 23 to Nov 7, 2023). That is more than 4 new companies attacked each day!

List of companies attacked by LockBit in 15 days (Oct 23-Nov 7, 2023)

As of the time of writing this article, the site lists 217 companies that were allegedly attacked, which makes LockBit the most active ransomware gang worldwide.

However, law enforcement organizations do not sleep either. In a joint operation, the Dutch Police and Cisco Talos recovered a decryption tool of the Babuk ransomware used in the Tortilla malicious campaign. Avast added the recovered private key into its Babuk decryptor, which is now available for download.

Furthermore, several ransomware operations were disrupted in the previous quarter, such as BlackCat / ALPHV, which is the world’s second most active gang.

On Dec 7, 2023, information appeared that BlackCat’s leak site is down. Even though BlackCat operators looked like they were repairing the site, one day later, it appeared that the FBI was behind the outage of the data site:

Tweet informing about possible FBI operation on BlackCat gang

Ten days later, the Department of Justice officially confirmed that the ransomware gang operation was disrupted, and the site was seized. The leak site now shows information about successful law enforcement operation done by the FBI:

Seized website of the BlackCat / ALPHV ransomware

Good employees are a scarce resource; that applies to the dark side employers as well. Hence, as soon as the rumors about BlackCat began, LockBit operators started to recruit the members of the BlackCat gang.

The disruption operation did not stop BlackCat, however. New organizations have been attacked by the gang already in 2024.

Statistics

The following stats show the most prevalent ransomware strains among our userbase. Percentages show the malware share of each strain:

  • STOP (17%)
  • WannaCry (16%)
  • Enigma (9%)
  • TargetCompany (4%)
  • Cryptonite (2%)
  • LockBit (1%)

This quarter, Enigma is the highest jumper, going up from 1% to over 9%. The complete world map with risk ratios is as follows:

Ransomware risk ratio in our userbase in Q4/2023

Since the previous quarter, the risk ratio in our user base shows a slight increase:

Comparation of the ransomware risk ratio in Q3/2023 and Q4/2023

Ladislav Zezula, Malware Researcher
Jakub Křoustek, Malware Research Director

Remote Access Trojans (RATs) 

A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim’s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim’s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim’s webcam and microphone.

Things in the realm of remote access trojans did not change much in Q4/2023. Regarding the daily activity of RATs, the statistics show a slightly decreasing trend when compared to Q3/2023 but this might be due to the holiday season when targeted users and RAT operators alike enjoy the time off.

An exciting event this year was the takedown of NetWire RAT at the beginning in Q1/2023. Let us look at what effect this takedown had on one of the bigger players at that time. Before the takedown in Q4/2022, NetWire RAT was number 7 on the most prevalent list, taking up over 4% of the malware share among RATs. In Q1/2023 its malware share went down to 3%. The takedown happened at the beginning of March, so it has not yet resulted in much impact. In Q2/2023 the share dropped further to 1.2%, and in the second half of 2023 the malware share stayed at 1% rendering NetWire RAT nearly irrelevant. We do not expect this strain to return to its earlier status.

Daily risk ratio in our user base on RATs in Q4/2023

According to our data, Remcos seems to be the deciding factor in the risk ratio of each country while other strains have much smaller effects. The only exceptions are countries where HWorm is spread which is mainly the Middle East and Afghanistan, Pakistan, and India. As usual, the highest values of risk ratio are in Afghanistan, Iraq and Yemen and the factors are the activity of HWorm and to a far lesser extent the activity of njRAT. The largest increase in risk ratio in this quarter was seen in Romania (78%, Remcos and QuasarRAT), Lithuania (49%, Remcos, njRAT and Warzone) and Czechia (46%, Remcos and njRAT). North Macedonia, Uruguay and Portugal are countries with the largest decrease in risk ratio by -50% and it correlates to decreased activity of Remcos.

Map showing global risk ratio for RATs in Q4/2023

We have tweeted about one of the Remcos campaigns tricking users into installing fake Adobe Reader updates. Remcos was very active in October and then somewhat slowed down in November and December. We have also published a tweet about another campaign using fake updates, this time pushing zgRAT, which according to our data is not very spread otherwise.

AsyncRat, currently number 4 on the top prevalent list, has increased its malware share by 30%. There are also two strains which more than doubled their malware share. One of these is XWorm, which has entered the top 10 list in this quarter. The other is SectopRAT which isn’t as prevalent, however there are reports of it working together with the Lumma password stealer.

The most prevalent remote access trojan strains in our userbase:

  • HWorm
  • Remcos
  • njRAT
  • AsyncRat
  • QuasarRAT
  • Warzone
  • FlawedAmmyy
  • NanoCore
  • Gh0stCringe
  • XWorm

The discovery of Krasue was probably the most frequent news topic in December. Krasue is a new Linux RAT discovered by Group-IB. According to their report, this threat has been active since at least 2021 targeting organizations in Thailand. The malware holds a rootkit to hide its presence on a system, more specifically it contains 7 precompiled versions for various kernels. Another interesting feature is the use of the RTSP (Real Time Streaming Protocol) for C2 communication which is not very common.

Embedded rootkit versions in Krasue

The Cisco Talos team recently spotted a new customized variant of Gh0st RAT. They call this variant SugarGh0st. Gh0st RAT is an old RAT with code publicly released in 2008 and over the years it has been frequently used by Chinese-speaking actors. Talos argues that a Chinese-speaking group might be running the current campaign as well although with low confidence. Among the added features compared to the original Gh0st RAT is looking for specific ODBC (Open Database Connectivity) registry keys, loading library files and changes made to evade earlier detections as well as slight modification of the C2 communication protocol. This is interesting evidence that although there are frequent reports of new RATs, the old and reliable are here to stay.

Two more strains were reported by CYFIRMA namely the Millenium RAT and the SilverRAT. The Millenium RAT briefly appeared for sale on GitHub. It is interesting to note that the release on GitHub specified version 2.4 and version 2.5 followed shortly after. We were not able to find any reports or clues towards earlier versions. This might mean that 2.4 was the first version to go public or that it has been flying under the radar until now. CYFIRMA researchers said that this RAT is probably a derivative of the ToxicEye RAT. Regarding its features, it has the full package expected in a commodity RAT including keylogging, stealing sensitive data, and running commands.

SilverRAT seems to be a continuation of the S500 RAT since according to CYFIRMA it was developed by the same authors. This RAT is not new, it was first shared in 2022, but in Q4/2023 a cracked source code was leaked.

Ondřej Mokoš, Malware Researcher

Rootkits

Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection.

The year-long analysis of rootkit activities reveals a persistent stagnation with a subtle descending trend. A minor peak was found in half of Q4/2024, although its significance is minimal.

Rootkit risk ratio in Q3/2023 – Q4/2023

Notably, China constantly keeps its prominent position as a leader in rootkit activities. 

Global risk ratio for rootkits in Q3 and Q4 2023

Despite a consistent overall trend, an expansion in affected states is seen, particularly in Europe and Russian regions. Furthermore, a noteworthy occurrence in the Russian territory during the middle of the third quarter extended into the fourth quarter.

Rootkit risk ratio in Q3/2023 – Q4/2023 in Russian territory

For several years, the dominant rootkit in the wild has been R77, a trend supported by comprehensive data displayed in a graph illustrating the prevalence of all rootkits, with a specific focus on R77.

Globally rootkit activities vs. R77Rootkit in Q4/2023

Projections indicate that R77 will continue to be the most widespread rootkit soon. Its popularity stems from its uncomplicated implementation, operating on a user layer and offering fundamental functions akin to a classic rootkit in layer 0, consequently mitigating the risk of frequent Blue Screen of Death (BSOD) occurrences.

Additionally, approximately 20% of rootkits are standard tools, often utilized as support tools for other malware:

  • R77Rootkit (48%)
  • Pucmeloun (7%)
  • Alureon (5%)
  • Bootkor (3%)
  • Perkesh (3%)
  • Cerbu (2%)

In terms of Linux kernel rootkits, we continue tracking the cyberweapons of APT groups. For instance, we efficiently detected new samples of Mélofée Linux kernel rootkit used by Chinese APT groups.

We want to highlight that we observed similar TTPs in other samples (e.g. Diamorphine kernel rootkit variant) implementing simple functionality (hiding the module and the directories with the malicious content) with its hooks based on KProbes (notice that KHook relies in KProbes), compiled in Amazon Linux distributions and impersonating popular hardware manufacturer modules (e.g. Intel and Realtek).

We will continue tracking lightweight Linux kernel rootkits used by APT groups in the next quarter.

Martin Chlumecký, Malware Researcher
David Álvarez, Malware Analyst

Vulnerabilities and Exploits

Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine.

In December 2023, Kaspersky researchers presented more details about Operation Triangulation at the 37th Chaos Communication Congress conference. This attack, targeted at Kaspersky and other entities, utilized several zero-day exploits, starting with an iMessage zero-click. As Kaspersky managed to recover the whole infection chain, this research provides fascinating insights into the techniques employed by highly sophisticated nation state attackers. We learned that the attack featured not one, but two separate validator stages. These were supposed to protect the exploits (and implants) using public-key encryption and ensure that they are only deployed in the targeted environment. 

Another interesting finding was that, when the attackers successfully exploited the kernel, they used their newfound privileges to just open Safari to run a browser exploit, essentially having to exploit the same device twice. At the first glance, dropping privileges like this doesn’t make much sense and it’s a bit of a mystery why the attack was designed like this. One theory is that the attackers had two chains and just wanted to take the best from both (the first one had the iMessage RCE, while the second one had the validators), so they decided to take the path of least resistance to connect them. However, we suspect this may also have been a deliberate attempt to protect the most expensive part of the attack: the zero-click iMessage exploit. If a victim discovered the malicious implant and attempted to trace back the infection, they would have most likely not found anything beyond the browser exploit, as no one would be crazy enough to suspect that a browser exploit chain would be initiated from the kernel. So, while the attackers would still get a lot of zero days burned, they would retain the most valuable one. Whatever the reason for the attack approach, one thing is for certain: this attacker must have no shortage of browser zero days if they are willing to risk burning one even when it’s unnecessary. 

MTE Support on Pixel 8

Another interesting development happened in October, when Google’s Pixel 8 was released with support for MTE (Memory Tagging Extensions). This represents a significant milestone, as this is the first commercially available device that supports this much-anticipated ARM mitigation. 

While it’s not enabled by default, MTE can be turned on as a developer option for testing purposes. This allows developers to test if their application behaves correctly and that MTE does not cause any unexpected errors. The main idea behind MTE is to assign 4-bit tags to allocated 16-byte memory regions. Pointers are then supposed to contain the tag so that the tag can be checked when the pointer is dereferenced. If the pointer tag does not match the expected value, an exception can be thrown. This could potentially mitigate a number of vulnerability classes, like use after frees, as the tag is supposed to be updated between allocations, so the stale pointer’s tag would be outdated at the time the vulnerability is triggered (there is still a good chance that the tag will be valid, though, since there are only 16 possible tag values). 

Currently, the actual impact of MTE on the difficulty of exploiting memory corruption vulnerabilities remains unclear; however, it seems like a promising mitigation, which might raise the bar for attackers. It’s also not clear if it will ever be enabled by default, as it will undoubtedly incur some performance overhead and the additional security might not be worth it for the average user. However, it might still come in handy for users who suspect they are targeted by zero-day capable attackers, since at a time when MTE is not widely enabled, its unexpected presence would likely catch most attackers off guard.

Jan Vojtěšek, Malware Reseracher

Web Threats

If we look at the detection statistics for the whole of last year, web threats were the most active category for 2023. Scams of different topics, and different quality thanks to the use of malvertising, have achieved a relatively large coverage worldwide. 

Due to this, it is not surprising that scams, phishing, and malvertising formed over 75% of all threats blocked by us during the year.

A powerful and dangerous combination is the scam coupled with malvertising. As we will describe in this section, scammers have started to use many innovations from the ever-developing world of AI in hopes of improving their rate of success.

Scams 

A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below.

The malvertising business is booming thanks to the willingness of scammers to pay for delivery of their malicious content to victims. One could say that this willingness must come from the fact that scammers are getting their investments back from the money of the scammed users.

An interesting development is the increase in the activity of the scam threat, which started on 20 December and lasted until the end of the year.

General overview of Q4/2023 scam threat activity

The reason for this pre-holiday surge was an unfortunately successful push notification campaign. The campaign’s design, reminiscent of the famous CAPTCHA, encouraged users to allow push notifications to be sent from a given page.

Example of simple look of this landing page

Avast consistently draws attention to the issue of scam push notifications. Last quarter, we warned about a massive increase in malvertising threats, an increase which continued in the fourth quarter of the year.

Malvertising activity compared to the previous quarter

This promotion allows the scammer to take the user wherever he needs to go. From ordinary porn sites to financial scams, tech support scams, or even phishing sites.

A notable example is the phishing campaign shown below, which had its origin on a similar landing page where it convinced the user to allow sending push notifications. Typically, ads for adult content were then sent from this page. But then came a seemingly authentic ad campaign targeting Spotify users.

Example of scam push-notification

The phishing page continued to give the impression that it was a real Spotify page, as presented on the push notification pop-up, particularly the subscription renewal. It asked the user for a username and password, but also for credit card details including the verification code.

Phishing form page

Overall, the dividing line between phishing, scam and malvertising is very thin, and statistics are only confirming the common general growth of all these threats.

Financial scams

A big attraction in the world of scams for the fourth quarter was the massive deployment of AI-generated videos in ads for financial/investment scams, which we pointed out and described in more detail in our last report. These videos were initially relatively low quality, but their quality gradually rose to a quite impressive level. 

Scammers are still using known faces to lure users and entice people to click on the malicious links. Classics campaigns include the likes of Elon Musk, TV news reporters, and even presidents of countries. These advertisements use prestigious characters from the country where the advertisement is to be displayed. In the following examples, you can see a deepfake of the Czech President or Ursula von der Leyen introducing a new investment platform. 

Deep fake video of the Czech President Petr Pavel promoting registration on the investment portal
Deep fake video of Ursula von der Leyen introducing a new investment platform

We have also seen advertisements that used video images of famous characters that were embedded in an edited video to create the context for the introduction of a new product, but this is a different approach. Here, the overall impression created is much more believable, thanks to the fact that these generated videos explicitly speak certain text and mention specific names of fraudulent sites. 

Peak financial scam activity was observed in mid-November. Toward the end of the year, this activity slowly started to calm down.

Activity of financial scams in Q4

We have drawn attention to these ads many times. Typically, they lead to fraudulent sites that aim to promote information from ads and then redirect users to a registration form such as the one shown below.

Example of scam registration site

Dating Scams

Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim’s trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft.

In comparison to the previous quarter, a significant global increase in online dating fraud was seen in Q4 2023. However, intriguing shifts in attack patterns and targeted regions have come to light. Notably, despite a temporary decline in the number of scams during the holiday season, perhaps due to individuals being preoccupied with festive celebrations and spending time with loved ones, there are now emerging trends in how and where these scams are being deployed. Attackers have shifted their focus to different countries, marking a distinctive change in their strategies.

Heatmap showing risk-ratio for Q4/2023

The most substantial increase has been observed in the Arab states, including Saudi Arabia, Yemen, Oman, the United Arab Emirates, Kuwait, as well as in Indonesia, Cambodia, and Thailand. This shift in focus might be linked to a broader global trend of increased online interactions and digital connections. The evolving landscape of online socialization and communication has inadvertently created both challenges and opportunities for scammers. As people continue to engage more extensively in online platforms for various reasons, attackers are adapting their strategies and targeting different regions to exploit these shifting patterns of online activity.

Activity of DatingScam in Saudi Arabia

Countries in Central Europe and North America continue to face dating scams most, with approximately one in 20 users encountering these threats, on average. The observed decline during the holidays has piqued our interest, and we anticipate a resurgence in scam activities, particularly in the lead-up to Valentine’s Day. The romantic nature of this occasion may make individuals more susceptible to online connections, providing an opportune moment for attackers to exploit emotions and vulnerabilities.

DatingScam example from Saudi Arabia

Tech Support Scams

Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims’ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims’ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It’s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services.

The fourth quarter showed tech support scam activity continued its downtrend that we observed all 2023. 

Graph illustrating a decline for 2 quarters

Several countries in which we typically observe significant tech support scam activity register significant declines in risk ratio. There are exceptions, one of which is Spain, which came third in our quarterly ranking. In Spain we see a 42% increase in the risk ratio in Q4 2023.

Heatmap showing risk-ratio for Q4/2023

Our ranking is traditionally dominated by Japan, together with the USA, followed by Spain. Interestingly, last quarter leader, Germany, has fallen back and rounds out our top 6, just behind France.

  • Japan 1.08%
  • United States 1.02%
  • Spain 0.81%
  • Australia 0.72%
  • France 0.68%
  • Germany 0.64%

If we look at the activity graph of Spain. We can see that the main source of activity comes at the end of November.

Tech Support Scam activity in Q4/2023 for Spain

The Tech Support scam landing pages changes very little. The same techniques are still used to block the user’s browser and force the user to dial the phone number offered. Therefore, the example of the most prevalent landing page shows only minor changes.

The Spanish variant of the most prevalent version of the TSS landing page

Refund and Invoice Scams

Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It’s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud.

Online Billing: New Frontier for Cybercriminals in 2024

It’s common for internet users to have approximately 80-90 passwords for various services, as reported by LastPass, and cybercriminals take advantage of a simple fact: users must keep track of an unimaginable number of subscription accounts. Additionally, many traditional companies that previously relied on manual service management processes are gradually transitioning their customers to paperless methods, such as online account billing. This shift, primarily a cost-saving measure, is likely to continue in the future, with most customer services moving to online accounts or mobile apps. Attackers are aware of this trend, which has opened new avenues for cybercrime.

One fruitful strategy employed by cybercriminals is to target digital services that have widespread usage. In Q4 2023, we observed a significant increase in one particular type of scam: subscription fraud. Among these, Netflix scams emerged prominently. With Netflix’s user base soaring to over 250 million in 2023, the likelihood of successfully attacking a random subscriber is quite high, especially in the US and Europe where the penetration of these services is generally higher.

The typical Netflix online billing scam attack generally arrives in the form of an email, which is a little more difficult to examine on a small screen. These messages are increasingly tailored to fit the small screens of mobile devices, a trend that aligns with the growing trend of using cell phones to manage one’s entire online presence. Let’s look at what these scams look like:

Netflix-based invoice scam spreading in Q4/2023

There are several red flags in the email that should raise alarms. A common thread is the language scammers use, which often create a sense of urgency and sometimes include spelling and grammar mistakes (though less with the increase of AI as a tool to support in scam message creation). The color scheme of such messages is frequently tailored to enhance the sense of urgency, with a strong use of red, yellow, or a combination thereof. For a company like Netflix – which spends enormous amounts on marketing – the design, if examined closely, is not very well-executed. Additionally, companies typically do not ask you to update payment details via a link in the email. These are just the main red flags in this particular example.

Geographically, the countries most affected by these online billing scams are predominantly located in Europe and North America. There are a few exceptions: Australia has the highest risk ratio of 1.52%, and New Zealand is close behind with 1.11%, ranking third. 

Refund and invoice scam spreading in Q4/2023

In Q4/2023, when we examine online billing scam data on a month-by-month basis, we can identify a significant spike during the last week of November. Even the period leading up to Christmas was higher than normal, which might be attributed to the fact that, for many people, Christmas is a time when they report higher-than-usual stress levels, according to the American Psychological Association. As we know, scammers take advantage of people’s vulnerable moments, and the holiday season can often be wrought with. Additionally, buying habits change during the holiday season, which might also contribute to the spike.

The trend line we see in the graph continues to climb throughout the fourth quarter, as seen below. 

Refund and invoice scam spreading in Q4/2023

As always, stay vigilant and pay close attention to the emails you receive, especially on your mobile device to help avoid these types of scams.

Phishing: Post-Holiday Phishing Alert in Online Shopping

Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information.

As far as phishing is concerned, attackers did not relent in their efforts in Q4/2023. The phishing graph below highlights the overall increase in web threats.

Phishing activity throughout 2023

Throughout 2023 we witnessed a wide array of phishing campaigns. During the fourth quarter, there was interesting activity in the category of fake online shops (also referred to as e-shops).

Following the holiday season, a surge of over 4,000 fake e-shops imitating popular brands posed a threat to online shoppers. Scammers exploited post-holiday bargain hunters, making vigilance crucial.

Fake TheNorthFace e-shop

The cyber criminals behind these fake e-shop attacks meticulously mimic renowned brands (including  Nike, Adidas, Pandora, Zara, Hilfiger, The North Face and many more) luring consumers with incredibly realistic-looking websites. Their process involves phishing for personal information during a fake login, and the sites often appear amongst the top search results.

Search top results including fake e-shop

In the final stages of the scam, users are coerced into providing personal and payment details, risking exposure of sensitive information. 

Tips for safety include verifying website credibility, cautious sale shopping, watching for fraud signals, and keeping security software updated.

Fake TheNorthFace e-shop – phishing login form
Fake TheNorthFace e-shop – phishing register form
Fake TheNorthFace e-shop – phishing payment form

Alexej Savčin, Malware Analyst
Branislav Kramár, Malware Analyst
Matěj Krčma, Malware Analyst

Mobile-Related Threats

As we enter the new year, we can look back on an interesting quarter in the mobile threat landscape. While adware continued its reign as one of the most prevalent threats facing mobile users in Q4 2023, we also observed the Chameleon banker making a comeback and taking aim at victim’s bank accounts with new HTML injection prompts, coupled with disabling biometric unlocks that allow it to extract victim PIN and passwords. A first for the mobile sphere, FakeRust remote desktop access applications were also used to make fraudulent payments on behalf of users, leaving them with little recourse in challenging these payments.

In the realm of mobile apps, a new spyware strain, coined Xamalicious, used the open-source framework Xamarin to stay undetected in the PlayStore and take over user devices to steal data and perform click fraud. We observed an unusual double SpyAgent targeting both Android and iOS users in Korea, aiming to extract sensitive information such as SMS messages and contacts. SpyLoans also continued to spread in the PlayStore and was used to extort victims, even threatening physical violence in some cases, breaching the digital and real-world divide. 

SpyLoan app reviews on the PlayStore tell a story of extreme interest rates, harassment of contacts stolen from the device and in some cases even threats of violence

Finally, another set of malicious WhatsApp spyware mods was distributed to users, interestingly using the Telegram platform.

Web-Threats Data in the Mobile Landscape

As with Q3 2023, we now include web-threat related data in our telemetry for mobile threats. Scams, phishing and malvertising were responsible for most blocked attacks on mobile devices in Q4 2023. We noted a decrease in the percentage share of scams and an increase in phishing and malvertising compared to the previous quarter. These are discussed in more detail in the web-threat sections of this report.

Graphs showing the most prevalent threats in the mobile sphere in Q4/2023

Web-based threats will continue to account for most blocked attacks on mobile devices going forward. For malware applications to initiate their intended malicious activity on Android or iOS, they must be installed by the user and activated by running the application. In most cases, additional permissions must be given to the application to allow full reign of the infected device.

Comparatively, web-based threats are much more likely to be encountered during regular browsing as most mobile device users browse the internet daily. These web threats can be contained in private messages, emails, and SMS but also in the form of malicious adverts, redirects, unwanted pop ups and via other avenues. Blocking web-threat based attacks is beneficial for the security of mobile devices, as malware actors often use them as an entry point to get the payload onto the mobile device of their victims.

Adware remains at the top

Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few.

Adware was yet again the most prevalent of the traditional on-device malware threats in the mobile sphere in Q4 2023. Raking in fraudulent advertising revenue while negatively affecting the user experience of victims, these apps use various methods of spread to continue to sneak onto victims’ devices and remain hidden for as long as possible.

HiddenAds was again at the top of the adware list, trailed by SocialBar, a web threat adware that displays aggressive push notifications. Further down the list are MobiDash and FakeAdBlockers that altogether make up the bulk of adware threats facing mobile users this quarter. 

On-device adware shares some similarities, with these strains often hiding their icons once installed on user devices to prolong their malicious activity. Some adware has been seen serving advertisements while the screen is off to avoid detection and generate fraudulent revenue. Others are more brazen, displaying full screen out-of-context ads to victims, greatly impacting their user experience as they struggle to identify the source of the annoying adverts. 

Methods of spread for adware include third party app stores, fake websites distributing adware games and malicious redirects coupled with false advertising that leads users to download these adware apps.

MobiDash requesting device administrator rights to impede its removal from the victim’s device

The risk ratio of adware increased in Q4 2023, and we observed an increase in overall protected users of 14%. This trend is largely due to SocialBar and its increased prevalence on mobile devices, as evidenced by the large spike in the graph, that subsides into the later part of the quarter. Conversely, HiddenAds risk ratio has decreased this quarter.

Global risk ratio of mobile adware in Q3/2023 and Q4/2023 

Brazil, India and Argentina again have the most protected users this quarter. Conversely, Indonesia, India and South Africa have the highest risk ratios, meaning users are most likely to encounter adware in these countries according to our telemetry.

Global risk ratio for mobile adware in Q4/2023

Chameleon banker’s re-emergence

Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim’s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information.

As is seemingly the trend most quarters, we once again observed a  comeback of a previously discovered strain of banker, this time with Chameleon coming back after a several month hiatus with new malicious features added. Remote desktop access applications are abused to perform fraudulent transactions on behalf of victims, followed by the introduction of malicious FakeRust bankers. Continuing the trend from last quarter and despite the new and updated entries, bankers are on the decline in terms of protected users yet again. Cerberus/Alien leads the pack followed by Coper, Bankbot and Hydra.

The Chameleon banker highlighted in the Q2/2023 report is making a comeback with newly added features that allow it more ways to take over and control victim devices. Previously targeting Australia and Poland, it disguised itself as tax or banking applications or crypto currency exchanges. With its re-emergence, Chameleon targets users in the UK and Italy as well and it appears to be primarily distributed by phishing pages disguised as legitimate websites distributing the malware. As with most bankers, Chameleon requires the Accessibility service to perform its full device take over. One of its upgrades allows it to display the Accessibility service prompt using an HTML based pop up on devices running Android 13, a step up from previously used in-app prompts. Once it has full device control, this banker can now disable biometric unlocks for the device and installed applications. This bypass means Chameleon can spy on user PIN codes or passwords that must be used in lieu of biometrics, potentially adding another layer of information theft to its repertoire. The implications of this could be severe if more bankers adopt a similar approach into the future.

Chameleon’s new HTML prompt that overlays on top of App info, prompting victims to enable Accessibility rights

In a new trend, remote desktop access applications have been used in attacks targeting mobile user bank accounts. Due to database leaks from popular banks, threat actors have been able to gain access to sensitive victim data that they used in communication with victims. Pretending to be the bank security teams, criminals con victims into downloading the legitimate RustDesk application. After the app is installed, the threat actors request a unique identifier from the victim, with which they took over the device and conducted fraudulent payments on the user’s behalf. 

To make the situation worse, this device takeover has made it more difficult for victims to prove fraudulent activity, as it came from their device. RustDesk was removed from the PlayStore as a result, even though the application is not harmful on its own. Following the removal, fake banking websites were used to distribute a continuation of this threat, dubbed FakeRust. Pretending to be bank support websites, they distributed fake support applications that allowed them remote access to devices to steal money as with RustDesk.

FakeRust using the RustDesk layout but changing the title to Support in Cyrillic

For several quarters, we have observed a decline in the prevalence of bankers. We suspect that difficulty in spreading updated and new banker strains is rising, hence the lowering numbers of victims in the past year. It is likely that phishing websites and direct messaging through WhatsApp and other messengers isn’t as effective as widespread SMS message campaigns of the past.

Global risk ratio of mobile bankers in Q1/2023-Q4/2023

Turkey has the highest risk ratio this quarter, followed by Spain and Singapore. The focus this quarter remained on Europe with less bankers spotted in Australia compared to last quarter.

Global risk ratio for mobile bankers in Q4/2023

SpyLoans and Malicious WhatsApp mods

Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits.

Spymax continues to be the most prevalent spyware strain quartering Q4 2023, trailed by SexInfoSteal, RealRAT and WAMods. Several new spyware strains enter the fray this quarter, one even attempting to infect iOS devices to steal user data. Malicious messenger mods for WhatsApp continue their spread as users are advised to refrain from installing messenger mods. Finally, SpyLoans continue to be a blackmailing menace that even threatens users with physical violence if they don’t pay excessive amounts of money to the threat actors.

A new backdoor spyware has also entered the market through the PlayStore. Called Xamalicious, it uses an open-source framework called Xamarin, which can be used to build Android and iOS apps with .NET and C#. The use of the Xamarin framework has aided malware authors in staying undetected and on the PlayStore for extended periods of time. While Xamalicious has been taken down from the PlayStore, many of these apps remain available on third-party marketplaces. Once installed on the victim’s device, it will try to obtain Accessibility privileges with which it downloads a second-stage payload assembly DLL that allows it to take full control of the device. It has been seen installing other malicious apps, clicking on adverts, and stealing sensitive user data. Specifically, it collects device details, location, lists of apps and may access messages as well. We observe Xamalicious mainly targeting Brazil, UK and the US.

Xamalicious requesting Accessibility privileges to take over the victim’s device

A new SpyAgent is also targeting South Korean users through direct messages and phishing websites that mimic legitimate services such as messengers or yoga training apps. Interestingly, this threat targets both Android and iOS. Once downloaded on Android, it tries to steal contact information and SMS messages and can monitor calls, all of which are sent to the malware authors. While on Android, the process for spread is as seen in other spywares, on iOS the threat actors use a third-party tool that allows installing of apps out with the AppStore called Scarlet. Users who already have Scarlet with a certificate set to ‘Trust’ expose their devices to this spyware that can run anytime once installed. Scarlet then collects contact info from iOS users that is likely used for further distribution of the malware or other fraudulent activities. 

Fake website that mimics the AppStore, prompting the victim to download and install the SpyAgent

Our telemetry shows a continued rise in the prevalence of SpyLoans in 2023, fake loan applications that harvest user data that is used to extort victims into sending money to the malware authors. Another round of these applications was present on the PlayStore as reported by ESET

Despite their removal, these applications are increasingly propagated through SMS messages but also on social media such as TikTok, Facebook and YouTube. Several of these malwares also had fake loan websites set up, giving them the appearance of legitimacy. In some cases, the threat actors also impersonate reputable loan providers. Once installed, the SpyLoan uses SMS verification to check that the user is from a specific country, followed by an extensive and invasive loan application that requires the victim to allow access to their contacts, messages, bank account information, ID cards and photos on their device. Social media reviews highlight the dismay of victims as the malware authors threaten to send sensitive information to their friends and relatives, in some cases even threatening physical harm.

SpyLoan malware directing the victim to upload photos of their ID card

As reported last quarter, we continued to observe malicious mods for popular messengers such as WhatsApp and Telegram in Q4 2023. In an interesting twist, spyware WhatsApp mods were seen distributed through Telegram. Once users install the malicious mod, it sets up monitoring of the device, such as what applications are used, when new messages come in or when new files are downloaded. These events trigger the spy module that starts listening and sends away any interesting information to the malware authors. It then listens for further commands, which may include sending files to a C2 server, recording sound, and uploading contacts and messages among others. It appears these spyware mods are targeting Arabic speaking countries, as the developers set up their C2 servers in Arabic. It is likely we will see more malicious spyware mods for these popular applications going forward.

WhatsApp mod monitoring information about the victim’s accounts and contacts, initiated every 5 minutes and sent to C2 server

Spyware has decreased in prevalence this quarter, despite the newly found strains of malicious mods, SpyLoans and others. With this, the risk ratio has also decreased compared to last quarter.

Global risk ratio of mobile spyware in Q3/2023 and Q4/2023

Brazil, Turkey, and the US have the highest numbers of protected users this quarter. However, the risk ratio in all 3 top countries has gone down this quarter. Yemen, Turkey, and Egypt have the highest risk ratios this quarter.

Global risk ratio for mobile spyware in Q4/2023

Jakub Vávra, Malware Analyst

Acknowledgements / Credits

Malware researchers

Adolf Středa
Alexej Savčin
Branislav Kramár
David Álvarez
David Jursa
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Luis Corrons
Martin Chlumecký
Matěj Krčma
Michal Salát
Ondřej Mokoš

Data analysts

Pavol Plaskoň
Filip Husák
Lukáš Zobal

Communications

Brittany Posey
Emma McGowan

The post Avast Q4/2023 Threat Report appeared first on Avast Threat Labs.

Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police

9 January 2024 at 09:00

Babuk, an advanced ransomware strain, was publicly discovered in 2021. Since then, Avast has blocked more than 5,600 targeted attacks, mostly in Brazil, Czech Republic, India, the United States, and Germany.

Today, in cooperation with Cisco Talos and Dutch Police, Avast is releasing an updated version of the Avast Babuk decryption tool, capable of restoring files encrypted by the Babuk variant called Tortilla. To download the tool, click here.

Babuk attacks blocked by Avast since 2021

Babuk Ransomware Decryptor 

In September 2021, the source code of the Babuk ransomware was released on a Russian-speaking hacking forum. The ZIP file also contained 14 private keys (one for each victim). Those keys were ECDH-25519 private keys needed for decryption of files encrypted by the Babuk ransomware. 

The Tortilla Campaign 

After brief examination of the provided sample (originally named tortilla.exe), we found out that the encryption schema had not changed since we analyzed Babuk samples 2 years ago. The process of extending the decryptor was therefore straightforward. 

The Babuk encryptor was likely created from the leaked sources using the build tool. According to Cisco Talos, a single private key is used for all victims of the Tortilla threat actor. This makes the update to the decryptor especially useful, as all victims of the campaign can use it to decrypt their files. As with all Avast decryptors, the Babuk Ransomware Decryptor is available for free. 

Babuk victims can find out whether they were part of the Tortilla campaign by looking at the extension of the encrypted files and the ransom note file. Files encrypted by the ransomware have the .babyk extension as shown in the following example:

The ransom note file is called How To Restore Your Files.txt and is dropped to every directory. This is how the ransom note looks like:

Babuk victims can download the Babuk Decryptor for free: https://files.avast.com/files/decryptor/avast_decryptor_babuk.exe. It is also available within the NoMoreRansom project. 

We would like to thank Cisco Talos and the Dutch Police for the cooperation.

IOCs (indicators of compromise) 

bd26b65807026a70909d38c48f2a9e0f8730b1126e80ef078e29e10379722b49 (tortilla.exe) 

The post Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police appeared first on Avast Threat Labs.

Opening a new front against DNS-based threats

14 December 2023 at 17:25

Domain Name System (DNS) is a hierarchical decentralized naming system for numerous network devices connected to the internet or a private network. Its primary function is to translate user-friendly domain names, such as www.avast.com, into numerical IP addresses that devices use to identify each other on a network.

When a domain name is entered into a web browser, the computer first checks its local cache to see if it already knows the corresponding IP address. If the IP address is not found locally, the computer queries a DNS resolver. This resolver could be an Internet Service Provider (ISP) or a third-party service like Google’s 8.8.8.8. The resolver then checks its cache. If the IP address is not found, it acts as a client and queries the root DNS servers (in case of recursive resolvers).

As with basically any other technology, however, this system can also become a target of malicious actors. Let’s look at how Avast can protect users against various DNS threats, showcasing a few notorious malware families.

How DNS threats work

There are multiple ways in which threat actors can leverage DNS to carry out attacks. It is also out of the scope of this text to describe all the existing techniques in detail. However, we will provide a brief introduction to DNS threat landscape so that the reader can imagine how attacks like these work and why the threat actors are interested in such vectors.

Rogue/malicious DNS servers are specifically set up by threat actors to intercept and manipulate DNS queries. When a device queries DNS, the rogue DNS server can then respond with incorrect or malicious IP addresses, redirecting legitimate traffic to malicious destinations.

DNS tunneling is a technique where attackers use DNS protocols to encapsulate non-DNS traffic. This communication can be two-way directional, meaning both requests as well as responses can be encapsulated. This communication is usually used (but is not limited) for exchanging malware commands with a Command & Control (C2) server, and/or exfiltrating data from the victims.

DNS cache poisoning, also known as DNS spoofing, is a technique where attackers manipulate the DNS cache of a resolver, introducing false mappings between domain names and IP addresses. By injecting false DNS records into the cache, attackers usually redirect users to malicious sites where they are then able to intercept sensitive information. With this ability, they can perform man-in-the-middle (MitM) attacks. This technique can be also particularly dangerous, since with a successful spoofing taking place, the domains look legitimate to the user – the domain names are the same as the user is used to – though they lead to a different server, using the different IP address.

DNS fast fluxing is based on rapidly and regularly changing the IP addresses for a domain in the DNS records, making it more difficult to track and block the attackers’ infrastructure. Usually, the attackers either have a set of compromised servers/botnet that they can use, or they use a specific approach for changing the IP addresses, behaving similarly to a more traditional domain generation algorithm (DGA).

Why do attackers do it?

The reasons why attackers do this type of attack vary based on their techniques, as well as their intents. However, we can sum up the malicious purposes into these short points:

  • The malware can receive commands and instructions, enabling two-way communication 
  • The threat actor can deploy an additional payload onto the infected device 
  • Information stealers can exfiltrate sensitive data from the infected device 
  • The communication is more obfuscated, rendering it more difficult to track properly 
  • The communication is usually enabled by default, since the traffic operates on a common port 53 
  • The traffic may bypass traditional AVs and gateways due to the possible lack of monitoring and scanning

Threats in the wild

The number of malware families leveraging DNS to carry out malicious activity is increasing. At Avast, we keep up with the current trends and, with our DNS scanning feature, we provide robust protection even against these kinds of attacks.

Let’s peek under the hood of a couple of advanced malware families that leverage DNS for distributing additional payloads and obfuscating the communication with Command & Control (C2) servers.

ViperSoftX

ViperSoftX is a long-standing information stealer. Reaching back at least to 2020, it is mostly bundled with software from unofficial sources and cracks, commonly distributed over torrents. Its wide capabilities, which are to this day intensively developed and improved, go from stealing cryptocurrencies, clipboard swapping, fingerprinting the infected device, downloading and executing additional payloads, to further deploying a malicious browser extension called VenomSoftX

One of the features the malware authors also implemented is querying the DNS database to retrieve a TXT response from a registered C2 domain. This TXT record contains an execution command to download further malware stages. We can demonstrate this behavior ourselves by using nslookup on the malicious domain. 

DNS TXT record containing a PowerShell command

This command, returned in the form of a DNS TXT response, downloads an additional payload from microsoft-analyse[.]com. The file last.txt contains an obfuscated PowerShell script, carrying further malware stage when executed.

Payload script downloaded from the DNS TXT response script

DarkGate

Also known as MehCrypter and Meh, DarkGate is another advanced information stealer. This stealer, these days weaponized as malware-as-a-service (MaaS), continues to add new features to its operations. 

Alongside features like keylogging, stealing clipboard contents as well as cryptocurrency wallets, and RAT capabilities, DarkGate can also make DNS requests to query DNS TXT responses. 

Currently, one of the distribution methods starts as phishing (e.g., in a form of a PDF), with the document stating it cannot be loaded properly and the user needs to click on an “Open this document” button. This action downloads a ZIP archive, containing a LNK file with an icon of a PDF (Adobe Reader). However, after opening this LNK file, the malware will instead execute a command making a DNS request, reading the TXT field from the response.

Command executed from a LNK file, performing a DNS query

After the Taste.cmd script is downloaded and executed, a further series of commands is executed, deploying the DarkGate information stealer on the infected machine.

Taste.cmd script (beautified), an intermediary that ensures the execution of DarkGate

DirtyMoe

Since 2016, the notorious DirtyMoe malware has been infecting victims all over the world, focusing the most on Asia and Africa. This multi-modular backdoor is equipped with a variety of functionalities, ranging from exploiting network protocols, cryptojacking, performing DDoS attack, leveraging rootkit capabilities, and much more. 

This is further underlined by DirtyMoe’s sophisticated network communication. The malware makes DNS queries using a predefined list of DNS servers and retrieves a list of IP addresses for a single domain in the A records fields. However, these IP addresses, even though semantically correct, are artificial and they either do not exist or they are not pointing to the actual addresses desired by the malware. The real IP addresses are instead derived from these A records by an additional algorithm. Each of these derived IP addresses is then tried, one of them being the real C2 server. 

Finally, the list of the A records also changes rapidly and regularly. This DNS fast fluxing technique further obfuscates the real C2 servers from the fake addresses, making the whole malware communication even more opaque for the defenders. 

In the example below, the malicious server rpc[.]1qw[.]us provides a list of IP addresses (A records). However, these IP addresses are artificial, and they are used for further derivation of the real IP addresses.

DNS records are changed rapidly and regularly

Crackonosh

Similar to ViperSoftX, Crackonosh is distributed along with illegal, cracked copies of popular software. If the unsuspecting victim installs such cracked software, they inadvertently deploy an XMRig coinminer onto their system, leveraging its resources to profit the attackers. 

Crackonosh contains a lot of advanced techniques, such as disabling antivirus software and Windows Update, as well as performing other anti-detection and anti-forensic actions. 

Additionally, Crackonosh also queries the DNS database as part of its update mechanism. To do so, Crackonosh reads a TXT record from the registered server’s response which contains a string like ajdbficadbbfC@@@FEpHw7Hn33. This string is then parsed and both an IP address as well as a port are derived from it. With this information, Crackonosh downloads a file wksprtcli.dll, containing the malware’s update routine.

Crackonosh decrypting the IP address from a string received in the TXT record

DNS protection in Avast

At Avast, both our free and paid versions protect users against DNS-based threat. This protection, available since version 23.8, includes:

  • Support for detecting C2 callbacks, data exfiltration, and payload delivery through the TXT records 
  • Support for detecting DNS C2 tunneling through the malicious NS servers 
  • Scanner supports scanning of A, AAAA, PTR, NX, TXT DNS records, in both directions

Our paid plan also contains an additional feature, called Real Site, which provides an encrypted connection between your web browser and Avast’s own DNS server to prevent hijacking. In other words, Real Site ensures that the displayed website is the authentic one.

Conclusion

Understanding DNS threats is crucial for defenders. We described how threat actors can leverage DNS to carry out specific attacks. We also provided examples of advanced malware families that use such techniques, distributing additional malware payloads, obfuscating the communication, tunneling their C2 commands through the network, and more. With Avast’s DNS scanning capabilities, we protect our users against these types of threats. 

The post Opening a new front against DNS-based threats appeared first on Avast Threat Labs.

Avast Q3/2023 Threat Report

16 November 2023 at 08:00

Stunning 50% Surge in Blocked Attacks, Resulting in 1 Billion Monthly Blocks

Foreword

As we delve into the Q3/2023 Threat Report, it is evident that the past quarter was not an ordinary one. Typically, vacation time ushers in a decrease in online activity, offering a brief respite from cyber threats. This year, however, the digital landscape took an unexpected turn. Despite reduced online presence, our detection systems recorded a jaw-dropping 50% increase in unique blocked attacks, leading to new all-time highs. On average, we blocked over one billion unique malware attacks each month during Q3/2023. The surge was driven by a substantial rise in web-based threats, particularly social engineering, and malvertising. Consequently, the overall risk ratio, representing the risk of being targeted and protected by us, now exceeds 30%. 

The adoption of AI by threat actors, particularly in deepfake financial scams, is accelerating. The nefarious use of deepfakes targeting TikTok users, often featuring public figures such as Elon Musk, has emerged as a growing concern. More on this can be found in our Featured story section. 

Furthermore, the threat landscape was marked by a doubling of the adware threat level, indicating a significant escalation in adware. South America, Africa, Southeast Europe, and East Asia bore the brunt of this surge. 

Apart from adware, there were significant developments in the realm of botnets. The FBI’s attempt to dismantle the Qakbot botnet led to a noticeable drop in activity. However, the operation does not appear to be entirely extinguished, as some associated threat actors have already begun to shift to alternative strains, such as DarkGate. 

In addition, information stealers recorded a substantial increase in risk ratio, with Ukraine (44%), the United States (21%), and India (16%) experiencing the most significant spikes. AgentTesla dominated this landscape, while the once-notorious Raccoon Stealer seems to be losing its momentum and receding from the forefront. 

Remote Access Trojans (RATs) also continue to be a growing trend. The increase of RATS, first observed in Q2/2023, continued in Q3/2023 primarily driven by the Remcos RAT and Warzone. Countries such as Portugal (148% increase), Poland (55%), and Slovakia (43%) have experienced a significant rise in attacks. The XWorm strain remains prolific, consistently releasing new versions and expanding its reach. 

Furthermore, the emergence of a new vulnerability, CVE-2023-38831, in the popular WinRAR software caught the attention of threat actors, including APTs, RATs, and malware downloaders. Given the software’s widespread use, these exploits are likely to persist, emphasizing the importance of keeping software updated. For more on these vulnerabilities, delve into our Exploits section. 

The domain of scams has undergone significant changes, with dating scams witnessing a 34% increase quarter-on-quarter. Belgium, Germany, Canada, and the United States are among the top targets for these scammers. To compound the challenge, our researchers uncovered a new threat, which we have named Love-GPT. This AI-driven tool assists threat actors in creating realistic personas, amplifying the success of their fraudulent activities. 

Phishing attacks have also experienced a 14% quarterly increase, with threat actors innovatively utilizing IPFS (InterPlanetary File System) to bypass conventional defense mechanisms. Australia, in particular, saw a substantial surge in targeted email scams. 

Finally, the mobile threat landscape remains dynamic, marked by espionage tactics. Spyware mimicking a missile warning application used in Israel emerged in response to escalating tensions between Israel and Palestine, with the aim of stealing victim data. Also, the introduction of Invisible Adware, with over two million downloads from the Google PlayStore, contributed to the rising risk of mobile adware. Brazil, India, and Argentina remain the top-affected countries. Also, the gap left by the takedown of FluBot in mobile banking trojans is gradually being filled. This quarter saw the detection of new and resurrected bankers, including Xenomorph, GoldDigger, and SpyNote. Turkey, Spain, and France continue to be the prime targets for attackers in this category. Popular messenger application mods, such as Telegram, Signal, and WhatsApp, continue to be exploited to serve spyware. Additionally, SpyLoans continues to spread on PlayStore, posing extortion threats to vulnerable victims. 

In conclusion, Q3/2023 has unveiled an unprecedented level of cyber threats. The surge in threat activity during a season that typically sees reduced online presence is a cause for concern. As we move into the winter season, traditionally marked by higher threat levels, we are watchful to see if this trend continues to escalate. 

Thank you for your continued trust in Avast. Stay safe and secure.

Jakub Křoustek, Malware Research Director

Methodology

This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating systems. 

We use the term “risk ratio” in this report to denote the severity of specific threats. It is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month. 

A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified period. 

In this Threat Report, we started with a more fine-grained labelling of various Scam threat types, which resulted in a separate tracking of e.g., malvertising compared to the previous reports. Furthermore, we have included some more threat data sources to provide even better threat landscape visibility. 

Featured Story: TikTok Finance Scams: An Escalating Threat Fueled by Artificial Intelligence

TikTok, known for its virality and rapidly circulating digital trends, has emerged as a fertile ground for financial scams, specifically those involving cryptocurrency. The platform’s wide reach, coupled with its appeal to younger audiences, presents an attractive prospect for malicious actors aiming to exploit unsuspecting users. 

The scams operate under a facade of legitimacy, often initiated with a deepfake video of a reputable figure endorsing a cryptocurrency exchange. Users are enticed to sign up on the purported exchange using a promo code, which allegedly credits their account with a significant amount of bitcoin. However, upon attempting to withdraw these funds, the platform mandates a preliminary transfer of bitcoin to “verify” the user’s account. Unwittingly, victims who comply with this requirement find that not only is the promised bitcoin unattainable, but also any transferred funds to the platform are irretrievably lost to the cybercriminals orchestrating the scam. 

At the heart of these scams is the illicit utilization of Artificial Intelligence (AI) to create deepfake videos. Notorious personalities such as Elon Musk, Mr. Beast, Sam Altman, Warren Buffet, Joe Rogan, Donald Trump, and Tucker Carlson are impersonated in fraudulent endorsements of cryptocurrency exchanges. These fabricated endorsements lure users with promises of substantial Bitcoin rewards, setting the stage for financial deception.

Samples of videos circulating on TikTok impersonating Elon Musk and Donald Trump

The malicious use of AI, particularly deepfake technology, underscores the escalating sophistication of cyber adversaries. By creating convincing counterfeit videos of reputable individuals, scammers successfully manipulate public trust. This exploitation not only exhibits a concerning trend of cyber threats on social media platforms but also exemplifies the potential of AI in augmenting the effectiveness of financial scams. Deepfake technology, once the domain of high-skilled individuals, is becoming increasingly accessible, making it all the more difficult to discern real endorsements from fabricated ones. 

Initially confined to English-speaking audiences, these scams have transcended linguistic barriers, making inroads into non-English speaking regions. Recent manifestations of these scams have been observed in various languages including Spanish, German, Italian and French, reflecting a broadening threat landscape. The multilingual expansion of these scams signifies a global threat and underscores the necessity for multinational cooperation in tackling these AI-driven scams. 

Screenshots of scam videos in Italian and French circulating on TikTok 

Though TikTok is the primary stage for these scams, evidence suggests a multi-platform approach by malicious actors. Platforms like YouTube have also been utilized to disseminate scam content, indicating a broader digital footprint and an extended reach of these deceptive practices. TikTok alone has more than 1 billion monthly active users, which makes the surface attack huge. When we started blocking access to these scam websites, we protected several thousand users in a matter of a few days. 

The TikTok scams are not isolated incidents but rather indicators of a growing trend of AI-driven cyber threats. The ease of spreading misinformation through deepfake technology, coupled with the allure of quick financial gains, is a potent combination that may pave the way for more sophisticated scams in the future. The potential ramifications extend beyond individual economic loss to a broader erosion of trust in digital platforms and notable personalities.

Luis Corrons, Security Evangelist

Desktop-Related Threats 

Advanced Persistent Threats (APTs)

An Advanced Persistent Threat (APT) is a type of cyberattack that is conducted by highly skilled and determined hackers who have the resources and expertise to penetrate a target’s network and maintain a long-term presence undetected. 

APT groups are getting increasingly abusing imperfect validation processes for acquiring a driver signature. Signed drivers, typically issued by reputable vendors, are presumed to be safe and authorized for use within an operating system. APTs, by subverting this trust, not only bypass detection mechanisms but also gain stealthy and privileged access to a targeted system, effectively rendering traditional security protocols obsolete. This daring approach challenges the very foundation of cybersecurity, highlighting the need for continuous innovation and vigilance in defending against evolving APT threats. 

In early June 2023, we discovered unknown signed drivers by Microsoft. These signed drivers had been distributed by the NSecRTS.exe signed binary, attributed to Shandong Anzai Information Technology Co., Ltd. It’s worth noting that NSecRTS is recognized as a regular monitoring software and has been mentioned by the QiAnXin Virus Response Center

Furthermore, we identified that the NSecRTS.exe was dropping a driver signed by Microsoft. Upon conducting an extensive investigation, we uncovered multiple malicious activities associated with this driver. One of them was injecting custom RAT in legitimate processes. 

Our observations led us to identify victims in the Philippines and Thailand. Despite gathering extensive information, we were unable to definitively attribute the attacks to a specific entity.  

Active geopolitical conflicts often attract the attention of APTs due to the volatile and chaotic nature of such environments. These groups, which are often state-sponsored and highly organized, see conflicts as opportunities to exploit the instability for their own strategic gains.  The fog of war provides a convenient cover for their activities, allowing them to leverage the chaos to further their agendas, be it political, economic, or military. Notably, APTs have continued to leverage the ongoing war in Ukraine, and additional conflicts, such as the one in Nagorno-Karabakh, have emerged on their radar. 

One of the go-to infection vectors for the APT groups this quarter was CVE-2023-38831 which is a vulnerability in WinRAR allowing an attacker to run arbitrary code on the victim’s machine. In many cases victims receive a malicious archive as an attachment to a phishing email. When opening the archive with a vulnerable version of WinRAR, the victim is unwillingly executing malicious code which might lead to an infection of the machine. We could see it being abused by multiple threat actors including attacks targeting Ukrainian government institutions, military, and governments in countries like Malasia, Vietnam, Philippines and more.  

Infamous entities such as Lazarus, MustangPanda, and APT41 remain relentless in their global campaigns, consistently refining their tactics and expanding their malware arsenal. These groups continually explore novel techniques, introducing fresh tools and incorporating languages like Nim and Rust into their toolkits.

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher

Adware

Adware is considered unwanted if installed without the user’s consent, tracks browsing behavior, redirects web traffic, or collects personal information for malicious purposes such as identity theft. 

Adware is becoming popular due to the possibilities of monetization and of spreading potentially unwanted programs (PUP) and malware. Although malware spreading via adware is not the primary method to infect victims’ machines, we have focused on adware detections in Q3/2023 to monitor this potential threat. 

The results of more precise adware detections can be seen in the chart below. This quartile shows an increase of adware activities that is caused by the SocialBar adware. 

Global Avast risk ratio from adware for Q2/2023 and Q3/2023

The new detections help us to specify a global overview. Our telemetry reports the four most active regions in point of adware threats; namely, South America, Africa, Southeast Europe, and East Asia. See the map below. 

Map showing the global risk ratio for Adware in Q3/2023 and Q2/2023

Adware Share 

The new detections reduced the ratio of unknown strains from 33% to 6%. The SocialBar is the adware market leader in Q3/2023 with 58%. The list below illustrates the most used ad servers with funny DNS records: 

  • hissedassessmentmistake[.]com 
  • trustworthyturnstileboyfriend[.]com 
  • happeningurinepomposity[.]com 
  • disgracefulforeword[.]com 
  • secondquaver[.]com 
  • usetalentedpunk[.]com 
  • lyricsgrand[.]com 

The rest of the shares are allocated to other adware strains as follows: 

  • MudOrange (7%) 
  • DealPly (3%) 
  • RelevantKnowledge (2%) 
  • Neoreklami (2%) 
  • MicroTag (2%) 

Martin Chlumecký, Malware Researcher

Bots 

Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks. 

Probably the most impactful change in the botnet landscape occurred at the end of August – the FBI-led attempt to take down and dismantle the Qakbot botnet. Interestingly, the target was not just its Command and Control (C&C) infrastructure, but they also attempted to disconnect infected clients from the botnet, effectively making it harder to resurrect the botnet under a new infrastructure. There is already an apparent drop in the number of clients attempted to be recruited into the botnet which has dropped to one fifth of the “usual” value during August. While this is good news from the botnet perspective, this has not eliminated Qakbot-associated spam delivery capabilities. The threat actor associated with Qakbot distribution (TA577) began to distribute DarkGate as one of their phishing payloads soon after Qakbot’s takedown. 

Number of users protected from Qakbot throughout Q3/2023

We are keeping our eye on the threat group NoName056(16) and their DDosia project. Its number of members has exceeded 13,000 users by the end of September. Based on the numbers from the previous quarter, they managed to gain some momentum with a steady increase of approximately 1,000 members every month. Their modus operandi remains the same – DDoS attacks, accusations of Russophobia and boasting about their accomplishments. It is quite unfortunate that the usage of misleading terminology by mainstream media, such as mislabeling DDoS attacks as hacks or labeling their perpetrators as hackers, sometimes unwittingly inflates the public perception of such attacks, providing much desired media coverage boost to the perpetrators. This is especially true for Internet activist groups where media coverage also boosts the group’s credit in the community, further fueling their potential recruitment pool.

Number of DDosia members in 2023

As for targets, most of the targeted top-level domains (TLDs) were .pl (Poland, 15%), .lt (Lithuania, 11%), and .it (Italy, 9%). The former two are not a shocking surprise as there are active involvements in these regions with the Ukraine-Russia conflict. In case of Italy, the group seemed to react to Joe Biden’s meeting with Italian PM Giorgia Meloni. 

NoName057(16)’s comment on Joe Biden’s meeting with Italian PM Georgia Meloni

Financial institutions were the most common target this quarter, presumably due to the potential financial damage and chance of getting significantly better press coverage. As a side-note – they seem to experiment with photo and graphic styles. They started to experiment with the replacement of a photo of a bear with a cartoonish image of a bear stylized as a hoodie-clad hacker (31st July) or a member of an army (from the end of September on). 

Despite the Qakbot’s takedown, the global risk ratio has slightly increased – partly due to it happening in the middle of the quarter and partly by increased activity of other botnets. We have seen a significant increase in the activity of Tofsee (+41%), Emotet (+25%), and Trickbot (+13%) botnets. As for other families, our telemetry indicates a decline in most of the other families. 

Global risk ratio in Avast’s user base regarding bots in Q3/2023

Adolf Středa, Malware Researcher

Coinminers

Coinminers are programs that use a device’s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim’s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it’s important to follow our guidelines. 

When compared to last quarter, in Q3/2023 we observed another 4% decrease in the risk ratio in the coinmining space. This is a continuing downward trend for coinmining threats.

Global risk ratio in Avast’s user base regarding coinminers in Q3/2023

During Q3/2023, users in Serbia again faced the highest risk of encountering a coinminer, a regional trend we have seen over the past few quarters. However, with a risk ratio of 4.28%, this is drop in risk by 26% and a record low. A similar situation is seen in other higher-risk countries, including Madagascar with 3.73% risk ratio, Montenegro with 3.29% risk ratio, and Bosnia and Herzegovina with 2.64% risk ratio.

Global risk ratio for information stealers in Q3/2023

Unfortunately, the market share increased for XMRig where we measured a 30% increase, now accounting for 23.65% of the total coinmining market share. CoinBitMiner also became more popular, increasing its malware market share by 10%, accounting for 2.02% of the share. Other web miners saw a slight decrease by 5%, now accounting for a combined 61.46% market share. Other strains, such as FakeKMSminer, VMiner, and CoinHelper, experienced rather big decrease in activity, with 27%, 62%, and 29% decrease respectively. 

The most common coinminers with their market share in Q2/2023 were: 

  • Web miners (61.46%) 
  • XMRig (23.65%) 
  • CoinBitMiner (2.02%) 
  • FakeKMSminer (1.58%) 
  • NeoScrypt (1.03%) 
  • CoinHelper (0.77%) 
  • VMiner (0.73%)

Jan Rubín, Malware Researcher

Information Stealers

Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents. 

The common belief that “I have nothing to hide, I don’t need to protect my data” is fundamentally flawed. Even individuals who believe their data lacks value may find out that, at scale, everything may become valuable. This kind of data can be monetized via sales on underground forums, used for further attacks including more targeted scams and phishing (so called spear-phishing), leveraged for blackmailing, and more. Stay safe out there. 

In Q3/2023, we observed an overall 6% decrease in information stealers activity in comparison to the previous quarter, slowing down the decreasing trend we have been recently observing. 

The biggest change this quarter is that, according to our data, Raccoon Stealer experienced a huge decrease in activity this quarter with a 72% drop in market share. On the other hand, some other strains increased their presence significantly, namely AgentTesla, Fareit, and SnakeKeylogger, balancing the scales.

Global risk ratio in Avast’s user base regarding information stealers in Q3/2023

Geographical distribution stayed consistent between Q2 and Q3/2023. Countries where we have more significant userbase having the highest risk ratio are Pakistan (2.47%), Turkey (2.05%), and Egypt (1.90%). Thankfully, the risk ratio in these countries decreased compared to the previous quarter by 5%, 7%, and 14%, respectively. 

The biggest increase in risk ratio with regards to information stealers experienced Ukraine (44%), United States (21%), and India (16%).

AgentTesla still holds and further underlined the first place between the most popular information stealers, increasing its market share further by 9%. FormBook, the second-place holder, stayed consistent, increasing its market share by only 0.55%. Fareit, SnakeKeylogger, and Stealc, all experienced an increase in their market share by 11%, 68%, and 4%, respectively. 

Fortunately, Raccoon Stealer with its 72% drop in market share was not alone. RedLine and Arkei were both 10% less active in Q3/2023 with regards to market share, along with ViperSoftX dropping by another 7%. 

The most common information stealers with their market share in Q3/2023 were: 

  • AgentTesla (29.14%) 
  • FormBook (11.39%) 
  • RedLine (5.46%) 
  • Fareit (5.45%) 
  • Lokibot (4.51%) 
  • Arkei (3.96%) 
  • ViperSoftX (2.08%) 
  • Raccoon Stealer (1.95%) 

It is also worth mentioning new information stealers or their variants, which have displayed a notable surge in activity over the past couple of months. These malicious actors are constantly evolving their tactics to bypass security measures and exfiltrate sensitive data. These often include new techniques that exploit vulnerabilities in both software and human behavior, making it imperative for organizations and individuals to remain vigilant and adopt robust cybersecurity strategies to safeguard their valuable information. 

The new version of Rilide Stealer, targeting banking data, was seen to work around Google Chrome Manifest V3. One of the new features of the Manifest V3 is disabling remote code execution in browser extensions. As a workaround, Rilide Stealer is using inline events along with Declarative Net Requests rules to execute the code remotely and remove the Content Security Policy headers. Since Rilide is being distributed using local loaders on the infected machines, that is without the use of Chrome Web Store, there is no review process involved that would detect this practice. 

Furthermore, new connections between Rhadamanthys and Hidden Bee coinminer were discovered, providing new insights into the inner workings and implementation details. Another malware, called DarkGate, is a loader with further capabilities like keylogging, cryptocurrency mining, stealing information from browsers, and an overall remote access functionality. Even though the malware can be traced a couple of years back already, it is still undergoing active development, introducing new vectors how to infect victims such as using Microsoft Teams. 

Additionally, Lumma, a malware-as-a-service stealer, is also continually gaining in popularity. The malware’s capabilities range from cryptocurrency theft to targeting two-factor authentication (2FA) browser extensions, harvesting banking data, credentials, and more. 

Clippers are generally small malicious programs that are used to swap the victim’s clipboard content for content specified by the attacker – in this case, crypto wallet addresses.  Such clippers that have gained popularity in the previous months are, among others, Atlas Clipper, Keyzetsu Clipper, and KWN Clipper, which are usually leveraging Telegram for command and control communication and offers for purchase.

Jan Rubín, Malware Researcher

Ransomware

Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. To decrypt the files, attackers demand money, “ransom”, hence the term ransomware. 

The prevalence of ransomware is certainly not diminishing. In fact, it is the opposite. According to the research of Chainalysis, the total sum of money extorted during the first half of 2023 is about $450 million (compared to $280 million in the first half of 2022). This is caused by a change of tactics of the ransomware operators – they tend to target bigger victims, which brings the possibility of bigger figures paid as ransom. The average payment size for the top strains is as high as $1.7 Million USD (Cl0p ransomware) and $1.5 Million (BlackCat ransomware). 

Vulnerabilities in popular third-party applications widely used in companies make attacker’s job easier. We wrote about SQL injection vulnerability in the Progress MOVEit transfer software in the previous Threat Report.  

In addition to encryption of the victim data, ransomware gangs increasingly perform data extortion. Data encryption may be solved if the company has a good data backup policy; data extortion and subsequent leakage of internal documents may be a problem regardless of it. Also, keep in mind that when the ransom is paid, they don’t always keep the promise of deleting the extorted data

One of the new ransomware strains that emerged this quarter was Rhysida. The first mention of the ransomware was in May 2023 and the ransomware leak site already lists about fifty successfully attacked organizations – government, healthcare, IT, municipalities.

Rhysida leak site on the dark web

The encryptor used by the Rhysida gang is a 32-bit or 64-bit EXE file, compiled with MinGW/GCC 6.3.0 and linked with GNU Linker 2.30. For cryptographic operations, LibTomCrypt v 1.18.1 is used as crypto library. Files are encrypted by AES cipher in counter mode, the file key and IV are encrypted by RSA-4096 with OAEP padding. 

Rhysida wants to be as fast as possible during file encryption: 

  • Intermittent Data Encryption. Not everything is encrypted. For larger files, Rhysida only encrypts a few distinct file blocks. 
  • Multi-threaded encryption. For every processor, Rhysida created one encryptor thread. All processors in the PC are busy during the encryption process. 

From the usage of pthreads library, we assume that authors of the Rhysida ransomware wanted to build an encryptor that is also easily portable to other platforms. 

Rhysida drops a ransom note file called “CriticalBreachDetected.pdf” into each folder. The following picture shows an example of the ransom note:

Content of the ransom note created by Rhysida

More information about this ransomware strain can be found in our blog post

As usual in every Thread Report, we bring the overview of the risk ratio in our userbase. The following picture shows the riskiest countries (regarding ransomware).

Ransomware risk ratio for Q3/2023

The list of countries most at risk of ransomware attacks: 

  • Mozambique (0.74%) 
  • Angola (0.44%) 
  • Ghana (0.35%) 
  • Pakistan (0.20%) 

The most prevalent ransomware strains that we saw and protected against in the list below: 

  • WannaCry (19% of ransomware share) 
  • STOP (15%) 
  • Thanatos (3%) 
  • TargetCompany (2%) 
  • LockBit (2%) 
  • Cryptonite (2%) 
  • Enigma (1%) 

The total risk ratio amongst our user base remains approximately the same:

Development of the ransomware threats in our user base

Ladislav Zezula, Malware Researcher
Jakub Křoustek, Malware Research Director

Remote Access Trojans (RATs)

A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim’s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim’s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim’s webcam and microphone. 

The growing trend of RATs observed in Q2/2023 continues in Q3/2023. Overall, we have seen a slight increase in the risk ratio. The substantial rise of Remcos we reported in Q1 and Q2/2023 seems to have slowed, with Remcos staying around the same numbers as in the previous quarter. However, we are observing a steady growth of the DBatLoader dropper which can deliver Remcos among other payloads.

Global risk ratio in Avast’s user base regarding RATs in Q3/2023

The countries with the highest risk ratio regarding RATs are, as usual, Afghanistan, Iraq and Yemen due to the worm-like behavior of HWorm which seems to be widely spread in these countries. Additionally, we also see njRAT quite active in Iraq and Yemen. Countries with the largest increase in risk ratio are Portugal (148% increase), Poland (55%) and Slovakia (43%) caused by Remcos and in the case of Slovakia also Warzone. The biggest decrease in risk ratio was observed in Czechia (42% decrease), Belgium (34%) and Japan (33%). This is again likely tied to the activity (or for the moment the lack of) of Remcos and Warzone in these countries.

Map showing global risk ratio for RATs in Q3/2023

The largest increase in market share and number of protected users among the most prevalent RATs in Q3/2023 belongs to NanoCore. Both numbers grew by nearly 100%. Greece, Turkey, and Hungary are the most at risk of this RAT, we have also observed a substantial increase in Brazil, Mexico, and Spain. 

Even bigger increase had XWorm which gained more than 400%. However, in total numbers, XWorm is not as widely spread to make it to the top 10 list. 

Warzone and AsyncRat had the largest drop in risk ratio among the most prevalent RATs we see. Warzone went down by 27% and AsyncRat by 14% according to our data. 

The most prevalent remote access trojan strains in our userbase are: 

  • HWorm 
  • Remcos 
  • njRAT 
  • AsyncRat 
  • Warzone 
  • NanoCore 
  • QuasarRAT 
  • Gh0stCringe 
  • DarkComet
  • Bifrost 

Uptycs Threat Research team discovered a new RAT named QwixxRAT, first noticed in early August. The QwixxRAT has a fairly standard set of features including keylogging, information theft (credit cards, browsing history and bookmarks, Steam related data, etc.), spying (webcam, microphone), running commands on infected system and more. It uses Telegram as the C&C channel. 

ZenRAT is another RAT which appeared in Q3/2023, reported by Proofpoint Emerging Threats. This RAT was found to be bundled with the legitimate password manager Bitwarden on the website bitwariden[.]com. According to the research, ZenRAT is designed to be modular, however according to Proofpoint they only saw one module which seems to be gathering system information. 

Ondřej Mokoš, Malware Researcher

Rootkits

Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection. 

The trend of rootkit activity has been stable since the beginning of the year. We can also state that there is still a long-term downward trend. The chart below shows the rootkit activity for the previous three quarters.

Rootkit risk ratio in Q1/2023 – Q3/2023

When examining the risk ratio for individual countries, China maintains its leading position regarding the extent of rootkit activities. Although globally, we are observing a decrease in activity, we have seen a particular increase in Ukraine (62%) and in the Russian Federation (62%), specifically the activity increase of the R77RK rootkit.

Global risk ratio for rootkits in Q2 and Q3 2023

In September 2023, an updated version of R77Rootkit (1.5.0) was released, simplifying its deployment on victims’ machines. However, there was no increase in the activity of this rootkit despite the improvements. So, the R77RK is still the malware market leader with the same share (18%) as in the previous quarter. 

Around 17% of unidentified strain rootkits are also in the market share, serving as kernel proxies for various activities involving elevated system privileges, such as terminating processes, altering network communications, and registry operations, among others. Compared to the previous quarter, an interesting feature is the increased use of the VMProtect to obfuscate driver functionality. 

The third rootkit with the third-largest market share is the Pucmeloun rootkit, whose primary functionality is the modification of network traffic to redirect to different pages. It is a part of other adware that controls web requests on the kernel layer. Adware websites have primarily Chinese content. 

The following is the comprehensive list of distinctly recognized Windows rootkit strains, along with their respective market shares: 

  • R77Rootkit (18%) 
  • Pucmeloun (13%) 
  • Alureon (7%) 
  • Cerbu (6%) 
  • Perkesh (6%) 

In terms of Linux kernel rootkits, inspired by Syslogk, the threat actors continue hiding command line backdoors (or bots, depending on how the attacker controls the infected computers) with kernel rootkits that execute those via magic packets (e.g. AntiUnhide rootkit). We continue monitoring Linux kernel rootkits that reuse the code of open-source projects. For instance, Rocke reuses the code of Reptile Reptile and hides a secret protected shell that can be spawned via magic packets.  and hides a secret protected shell that can be spawned via magic packets.

Martin Chlumecký, Malware Researcher
David Álvarez, Malware Analyst

Vulnerabilities and Exploits 

Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine. 

WinRAR is not a frequent target of exploits, aside from the occasional path traversals. Our attention was therefore immediately captivated when we first heard about CVE-2023-38831, an easy-to-exploit WinRAR vulnerability, which allows an attacker to craft a malicious archive so that it contains both a benign lure (e.g., an image file) and a malicious payload. When an unsuspecting victim opens such a malicious archive in a vulnerable version of WinRAR and double clicks the lure file, the malicious payload will get executed instead. This is because opening files from inside WinRAR is internally implemented by extracting the target files into a temporary folder and then calling ShellExecute on them. Unfortunately, due to a buggy path normalization, it was possible to redirect the ShellExecute call to target a different file than the one the user clicked on. For a more in-depth look at the exploit, we recommend reading this SecureLayer7 analysis.  

This vulnerability was exploited as a zero-day in financially motivated attacks since at least April 2023. The attacks took place on trading forums and consisted of attackers posting exploit archives promising details of novel trading strategies. However, instead of exciting new trading strategies, the archives were used to spread the DarkMe malware (or the Guloader -> Remcos duo in some attacks). This campaign was initially discovered in July by the Group-IB Threat Intelligence unit. After reporting the vulnerability to RARLAB, a patched version of WinRAR was released in August.  

Since WinRAR must be updated manually by downloading and installing the patched version, we can expect there will continue to be many users with unpatched versions in the future. While the exploit does require a fair amount of user interaction (not every targeted user will open the archive in WinRAR and double click the lure file), it is quite easy to craft an exploit archive (there is even a public PoC builder on GitHub), so it is likely that there will be threat actors experimenting with this vulnerability. And indeed, just recently Google TAG reported on “multiple government-backed hacking groups” exploiting this vulnerability. Let us therefore use this opportunity to remind the reader not to delay applying the update.

An exploit archive opened in a vulnerable version of WinRAR. Double-clicking the PDF file here would execute a malicious batch file located in the folder of the same name. Note that the PDF file does not have its usual icon. This is because there is an extra space appended to the end of the “.pdf” extension.

In other news, Google’s Threat Analysis Group and Citizen Lab discovered a new in-the-wild zero-day exploit chain for iPhones. This chain started with a WebKit RCE (CVE-2023-41993) which was combined with a signature bypass (CVE-2023-41991) and ultimately ended with a kernel LPE (CVE-2023-41992). Post-exploitation, the chain deployed the Predator implant, known to be developed by the commercial spyware vendor Intellexa. The attackers also used a parallel exploit chain for Android devices, but unfortunately the full details of this chain remain unknown at the time. 

As reported by Citizen Lab, one of the targets was former Egyptian MP Ahmed Eltantawy who announced his run for president in 2024. He was targeted through a man-in-the-middle (MitM) injection on plaintext HTTP, through a middlebox located at an ISP-level privileged network position. This essentially allowed the attackers to use a browser exploit with no user interaction required, similarly to how a watering hole or malvertising attack would work. While it is extremely hard to defend against such government-backed attackers, using a secure VPN should mitigate the risk of ISP-level MitM injection. However, note that just a single HTTP request outside the VPN tunnel is all the attackers would need to still be able to inject the exploit. 

Finally, in Q3/2023 the BLASTPASS exploit chain that was actively used by the infamous NSO Group to compromise fully patched iPhones in a zero-click manner. BLASTPASS was discovered by the Citizen Lab, who found it while helping check the device of a potential mercenary spyware victim. The initial memory corruption vulnerability appears to go by three different CVEs (CVE-2023-41064, CVE-2023-4863, and CVE-2023-5129), as there was some confusion at first about who should actually assign the CVE. Nevertheless, the vulnerable code is located in libwebp, Google’s image rendering library for the WebP format. While this library is very widely used, it is not currently clear what conditions are needed for the vulnerability to be exploitable. There has been some great research into the root cause of the vulnerability and a public PoC to trigger a heap overflow. However, weaponizing this heap overflow seems like an absurdly difficult feat, so at least for the moment, we do not have to fear this vulnerability being exploited in the wild by less sophisticated attackers. 

Jan Vojtěšek, Malware Reseracher

Web Threats 

Users increasingly depend on the internet in their daily lives, exposing themselves to a growing array of potential risks, like stealing their personal data or financial losses. The rise in activities such as variations of financial scams, dating scams, fake push notifications and phishing threats in general underscores this trend.  

The third quarter of 2023 was a growing quarter for web threats in general. Many types of threats started their growth at the end of the holiday season and this growth only continued in the third quarter. But there are also some exceptions. Let us take a closer look at them. 

Scams  

A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track diverse types of scams which are listed below. 

The significant increase in scam threats that we reported in Q2/2023 remained strong in the third quarter. As you can see in the following chart, we even saw a slight resumption of growth in mid-August.

Scam risk ratio over the last three quarters 

In line with the trends observed in Q2, malvertising continues to serve as very strong tools for scammers, thanks to which they spread various categories of scams. This includes popular dating scams, or financial scams for example. These threats have maintained their strong position, but this is not the case with technical support scams. However, we are seeing the use of false reports of viruses being found to exploit them for sales purposes. Additionally, extortion email scams and phishing threats have both witnessed an uptick in popularity.

Global risk ratio for scam in Q3/2023

The countries most at risk of the scam attacks were Serbia, Kosovo, Montenegro, Albania, Croatia. 

Countries where there was an increase in risk ratio are for example Japan +19%, Greece +17%, United States +14%, Austria +13%, or Germany +12% 

Malvertising 

Malvertising is a malicious online advertising technique that involves the distribution of malware through online ads or, in some cases, in conjunction with browser push notifications. Cybercriminals use these seemingly legitimate ads to deliver malware to unsuspecting users’ devices when they click on or interact with the compromised advertisements. 

Cybercriminals are smart enough to make their malvertising pop-ups look genuine. Frequently, these fraudulent pop-ups exploit the recognizable antivirus company’s logo. The goal is to convince users they are encountering a legitimate notification from an antivirus provider. These alerts typically display messages that a virus on a computer has been found and that the subscription plan has expired. 

Upon clicking these deceptive pop-ups, unsuspecting users may find themselves redirected to a fake website. These fraudulent sites often take the form of straightforward phishing pages, where users are asked to enter personal credit card information under the guise of providing antivirus services. The scam can take many forms.

Various pop-up leading to the same scam
A fake alert landing page with push notification pop-ups as an example

We have warned about malicious push notifications already in previous reports; this quarter is no exception. This method continues to remain popular with scammers as its effectiveness is still considerable, especially on mobile phones. 

As you can see in the below chart, the holiday season has ended not just for students but also for threat actors as there is a substantial surge in the volume of threat detections during September. The graph below represents detection of several types of malvertising. Within the month of September, we observed two prominent spikes in malvertising activity.

Graph illustrating a notable upswing in malvertising activity in Q3/2023

One of the most common examples of this malvertising was a page that fell into the push notification section that often appeared as part of a redirect chain. This page has multiple variations. The main purpose is to simply convince user to allow push notifications.

An instance of a website persuading users to grant permission for push notifications.

Push notifications can be especially effective on mobile devices, where they can also be disguised as system notifications, such as an unanswered call or a new text message.

Example of a scam campaign using push notifications

Push notifications are not the only powerful tool for scammers. We have reported many times that scammers like to use advertising space on popular social networks. This way of promotion is especially dangerous because many users consider their social platforms to be a safe and personal space. Scammers also design their ads to attract attention, often by using catchy text or the faces of famous personalities. Thanks to this, the success rate of these campaigns is quite high. 

Another big advantage for scammers utilising social media ads is their ability to precisely target and tailor content to vulnerable users. Consequently, users may find their social media feeds full of these types of ads over time.

One adware example leading to a financial scam, which was seen in multiple languages.
Some scam ads are also found in video form

These above ad examples are from Facebook. In this case, these ads are part of a single fraudulent financial scam where scammers are trying to trick users into investing in an Elon Musk/Tesla project. After clicking on the ad, the user is redirected to a web page where they are informed about the great benefits and the certainty that this project is profitable.

Landing page supporting claims from social media advertising

The aim of the scammers in this example is to give the impression of professionalism. Part of the scam is also an appeal to the unrealistic possibility of buying through an ‘automatic robot’ that invests itself and ‘automatically’ earns money. 

Fake BBC News article ad

These fake sites can take many forms. Often there are variations that mimic the world’s famous media such as BBC News and many others. These ads take advantage of the targeting of ads that social platforms allow them to do; the ads click through to websites that are created for users in individual countries that correspond to popular news sites in those countries. 

The landing pages in this campaign also contain a registration form that requires users to enter their contact information. This information is then sent to the scammer, who then contacts the user either by email or, more often, by phone. Then the actual scamming effort is done over the phone. 

Example registration form

After filling out these fraudulent forms, the user can expect a phone call from the fraudsters. The caller subjects the prospective buyer to a thorough questioning, giving the impression that the financial company is checking not only the solvency of the prospective buyer but also their professional and financial knowledge level. The prospective client is then persuaded to install a remote computer access application, in this case, usually AnyDesk. 

To help avoid such scams, we strongly advise the following: 

  • do not disclose your personal information to people you do not know or cannot authenticate 
  • do not send photocopied personal documents 
  • do not send any printed credit card information 
  • do not give a code that would allow someone to access your computer remotely 
  • if someone is remotely connected to your computer for any reason, do not log into your online banking 
  • do not forward or tell anyone SMS bank authorization codes 
  • do not authorize a payment to a stranger 
  • keep an antivirus program installed on your computer 
  • keep your online banking limits as low as possible and increase them only to the actual need to pay a specific payment 

Dating Scams 

Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim’s trust, with the goal of obtaining money or enough personal information to commit identity theft. 

Dating scams have garnered increased attention from malicious actors due to the ever-growing popularity of online dating platforms. The accessibility and usual anonymity of these websites make them fertile ground for scammers seeking to exploit people’s emotions and vulnerabilities. Bad actors create fake profiles and engage in emotional manipulation, gaining the trust of unsuspecting users before exploiting them financially or emotionally. As people turn to online dating in greater numbers, scammers see a larger pool of potential victims, which encourages them to invest more time and effort into these deceptive schemes. 

We observed a significant increase in dating scams during Q3/2023. The risk ratio of becoming a target rose by 34%.

Global risk ratio in Avast’s user base regarding dating scams in Q3/2023

Dating scams are not confined to specific regions, but they do tend to be more prevalent in countries, such as those in Europe, the United States, Canada, and Australia. This can be attributed to a higher proportion of the population engaging in online dating due to increased internet accessibility and smartphone usage. 

As illustrated by the heat map below, the highest risk ratio of getting involved in a dating scam is in Belgium (4.97%), Luxembourg (4.86%), Germany (4.76%), Slovakia (4.74%), and Austria (4.66%). In Canada, the risk ratio is 2.74%, closely followed by the United States with the risk ratio of 2.17%. For Australia, the risk ratio is 2.33%.

Map showing global risk ratio for dating scams in Q3/2023

Love-GPT 

We have discovered a tool, which we call Love-GPT, that provides vast functionality over several different dating platforms, providing the capability to create fake accounts, interact with victims, bypass CAPTCHA, anonymize the access using proxies and browser anonymization tools, and more. The author is also experimenting with ChatGPT, the now-famous text-based generative AI, to provide them with more streamlined and believable texts. Because of that, we decided to name the tool Love-GPT. We have identified 13 different dating and social discovery platforms that the tool interacts with: 

  • Ashley Madison  
  • Badoo  
  • Bumble  
  • Craigslist  
  • DuyenSo  
  • Facebook Dating  
  • likeyou.vn  
  • MeetMe  
  • OkCupid  
  • Plenty of Fish (POF)
  • Tagged  
  • Tinder  
  • Zoosk 

The tool uses ChatGPT API in attempts to streamline the texts. Overall, the tool contains these functionalities leveraging ChatGPT (both finished and under development): 

  • Create a fake profile description to be used on the dating platforms 
  • Read the inbox on the dating platform and reply to messages  
  • Ask for a phone number  
  • Write a first contact message  
  • Chat from a template 

The tool uses “prompt” values in the API requests’ body to generate the output using ChatGPT. In some of the cases, the whole context is provided to guide ChatGPT for the more precise results:

Just for the sake of demonstration, this is what ChatGPT usually returns for similar prompts: 

This functionality provides an interesting insight into the upcoming trend of using highly believable texts leveraging generative AI and large language models (LLMs). We can already see that tools misusing the generative AI platforms are emerging and this is likely one of the first in-the-wild examples how the bad actors can misuse it. 

Love-GPT is written in VB6 and contains many control panels for its operations. In total, the tool contains 58 different application forms. One of such form, essential for the whole toolset, can be found below and it is called Account Control Center.

Account Control Center with a build-in browser

With this artillery, Love-GPT stays under the radar because no one can effectively distinguish connections coming from this specific tool and other regular users accessing the platforms. If you are interested in more technical details, check out our detailed analysis on Decoded

Tech Support Scams 

Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims’ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims’ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It is important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services. 

The graph below demonstrates that there was no change for Q3. The downward trend from Q2 continued in the following quarter. 

Graph illustrating a decline from the beginning of the year

Despite overall downward trend, a notable shift has been observed in the context of detection ratios among different countries. Compared to the previous quarter we have a change in terms of countries with the highest risk ratio. Japan came in second and was surpassed by Germany, Canada saw a big drop when it was surpassed by both the US and Switzerland. 

Country Risk ratio 
Germany 1.81% 
Japan 1.37% 
United States 1.33% 
Switzerland 1.19% 
Canada 0.99% 

Even though we have seen a decline for this threat since the beginning of the year, the tech support scam still remains a global threat. Which is very effective, especially for inexperienced users. 

Heatmap showing risk-ratio for Q3/2023

For all the years we have been monitoring tech support scams, the design of the site has barely changed. The main goal is to block the browser in such a way that the user is motivated to pick up the phone and call the provided phone number. 

On following example, you can see the German variant. At the same time, Germany had the highest risk ratio in the third quarter despite the overall general decline. 

The German variant of the most prevalent version of the TSS landing page

The appearance of the pages is not the only clearly recognizable sign. The URL composition of these scams is no less interesting. It is often possible to recognize the type of campaign and its focus. Sometimes they even contain scam phone numbers as seen in the following illustration. 

An example of URLs from a prevalent campaign containing scammer phone numbers

Refund and Invoice Scams 

Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It is important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud. 

In Australia, the past quarter has been an exception to the otherwise consistent trend, with a significant spike and sudden rise in email-targeted scams. Notably, the rise in protected customers in Australia surpassed even that in the US, which is traditionally at the top of the list. The number of threats we monitored in other regions mainly stayed at very similar numbers compared to previous quarters.

Refund and Invoice Scam risk ratio in Q3/2023

The highest uptick we observed was primarily due to the rise in Australia. Additionally, we noticed that smaller peaks usually occur at the beginning of the working week. This is when people generally sift through their mailboxes, and their vigilance may be lowered because of the larger volume of data they have to process. Therefore, one takeaway is that it definitely helps to take your time and sift through your emails in a peaceful manner, as rushing may increase the chance of falling victim to a scam. 

Refund and Invoice Scam in Q2/2023 and Q3/2023

In this quarterly report, we have chosen to spotlight a sample predominantly prevalent in Australia, as it experienced a nearly 30% increase compared to the previous period. This example was selected for its demonstration of many features increasingly noticeable in various other types of scams. The points we will mention should improve your ability to spot similar scams. Below is a breakdown of this deceitful email: 

Example of a Refund and Invoice Scam seen in Q3/2023

This scam email contains a few typical scam traits: 

  • Attention-Grabbing Subject Line: “Dark Web Discovery: Your 30 Photos and 5 Emails Exposed!” By creating a sense of immediate danger, the sender aims to provoke curiosity and urgency. 
  • Impersonation of a Legitimate Entity: The email is supposedly from a “Support Team”, which sounds official and trustworthy. However, the domain ‘@canadialect.com‘ raises eyebrows. Always double-check the authenticity of the domain. 
  • Urgency and Fear: The email highlights that the recipient’s “subscription has expired,” implying prior engagement or services with them. It also claims a discovery of personal photos and email addresses on the Dark Web. 
  • Detailed Alarming Findings: The message dives deeper into the ‘findings’, mentioning “30 photos of you” and “2 email addresses” associated with the recipient found in dark web forums. Providing specifics makes the scam seem more credible. 
  • A Tempting Offer: Following the alarming statements, there is a solution offered – a “(80%) renewal discount Today” on their service. This discount plays on the human tendency to seek quick resolutions when faced with threats. 
  • Clear Call to Action: The bold “Renew Now!” button at the end of the email serves as a clear directive for the panicked reader. Clicking on such links often leads to phishing sites or direct financial scams. 

As a parting word of advice, always be skeptical of unsolicited emails, especially those that invoke fear and urgency. Verify claims independently and avoid clicking on links or downloading attachments from unknown senders. 

Phishing 

Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information. 

In the Q2/2023 Threat Report, we pointed out that phishing activity was picking up. Now we can confidently confirm that our estimates were correct and after a dip in mid-July, a wave of new samples arrived in August, which then represents a big jump on the chart. 

The following graph illustrates the activity of phishing threats across two quarters. 

Risk ratio for Q2-Q3/2023 of phishing threats

Furthermore, we have observed an emerging trend in phishing delivery methods. Over the past few months, there has been a notable uptick in the use of InterPlanetary File System (IPFS) to disseminate phishing content. This decentralized protocol, designed for storing and sharing files, has become an attractive avenue for cybercriminals.

IPFS-based attacks and the related risk ratio in Q3/2023

In addition to IPFS, we have also witnessed cybercriminals turning to the CAR file format, which poses a unique challenge for traditional HTML scanners, allowing it to potentially bypass detection. This exclusive preference for such hosting methods among hackers can be attributed to their ease of deployment and the added complexity in takedown procedures, providing an advantageous environment for malicious activities.

Example of a phishing page using IPFS

Campaigns that are running on IPFS infrastructure quite often use some type of obfuscation. In most cases these are very basic types and their deobfuscation is very simple. 

In this prevalent example you can see that the HTML code itself has been encoded to make it unreadable. Therefore, the JavaScript feature unescape() is used. Despite the fact that the use of this function is not recommended, because it has been deprecated, it often appears in IPFS samples. 

Source code is typically obfuscated

In decoded HTML source code, you can see that scammers are using submit-form.com endpoint for credentials submission.

Deobfuscated source code of IPFS phishing sample

Analyzing the data for Q3/2023 Argentina, Brazil, Mexico, and Spain are countries with a significant increase in Q/Q risk ratio for phishing. Countries with the highest overall risk ration are Macao with 19.47%, Angola with 13.14% or Pakistan with risk ratio of 12.8%.

Global risk ratio of phishing in Q3/2023

Phishing has long been the classic and primary way to steal valuable data from users. A growing trend points out that although this is a relatively old method, it is far from being obsolete.

Alexej Savčin, Malware Analyst
Martin Chlumecký, Malware Researcher
Branislav Kramár, Malware Analyst
Bohumír Fajt, Malware Analysis Team Lead
Jan Rubín, Malware Researcher

Mobile-Related Threats 

Another quarter, another set of varied and interesting developments hitting the mobile threat landscape. Related to the escalating situation between Israel and Palestine, a spyware mimics a missile warning application used in Israel with the intent of stealing victim data. Also of note is the Xenomorph banker that has added new features and is spreading alongside a Windows info-stealer.  

A new strain of Invisible Adware displays and clicks on adverts while the device screen is off, raking in fraudulent ad revenue and draining victim’s batteries and data allowances. We also observed several new versions of SpyNote this quarter, with one breaching the border between spyware and banker malware. 

Popular messenger application mods such as Telegram, Signal and WhatsApp continue to be abused to serve spyware. And finally, SpyLoans continue to spread on PlayStore and threaten vulnerable victims with extortion. 

Web-Threats Data in the Mobile Landscape 

Like on Desktop, we have introduced web-threat related data into our mobile threat report this quarter. This added data reflects a re-shuffle of the most prevalent threats facing mobile users today. As evidenced by the graphic below, scams, phishing and malvertising are responsible for the majority of blocked attacks on mobile.

Graphs showing the most prevalent threats in the mobile sphere in Q3/2023 

It makes sense that web-based threats will account for the majority of blocked attacks on mobile as well as desktop. With any malicious app on Android, user action is required to install it and, in most cases, the malware requires the user to enable some permissions for it to activate its malicious functionality. Contrary to this, web-based scams, phishing and malvertising can be encountered through normal browsing activity which most mobile users do every day. These web threats may also be contained in private messages, email, SMS, and others. 

Adware Becomes Nearly Invisible 

Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few. 

Despite the addition of web threats data, adware remains one of the most prevalent threats on mobile and retains its top spot among traditional malware apps. Serving intrusive advertisements to its victims with the intent of gathering fraudulent ad revenue, these apps pose a danger and annoyance to both users and advertisers alike. 

At the top of the adware list is HiddenAds, followed by MobiDash and FakeAdBlock strains. While both MobiDash and FakeAdBlock have seen over 40% decrease in protected users, HiddenAds is on the rise again with a bump of 15% in protected users. All three strains share some features such as hiding their icon and displaying out-of-context full screen ads that annoy victims. HiddenAds has historically relied on the PlayStore as a mode of spread, while the others generally rely on 3rd party app stores, malicious redirects, and advertisements. Of note is a recent addition to the stealth features of these adware apps; once installed, they display a fake error stating the app is not available in the victim’s region or country with an ‘installation failed’ message. Coupled with hiding its icon, the adware conducts its malicious behavior in the background while the victim remains unaware of the source of the fraudulent ads.

MobiDash adware tries to trick its victim by displaying a fake error message after install  

This quarter a new batch of adware dubbed Invisible Adware has snuck onto the PlayStore and gathered over two million downloads. True to their name, these applications try and display advertisements while the device screen is off. In essence, the victim would be unaware their phone is displaying ads while the malicious actors gather revenue through fake clicks and ad views. However, this will likely impact the device battery and potentially incur data charges, while at the same time contributing to ad fraud. The applications request permissions to run in background and ignore battery optimization to conduct their activity. While observed behavior is that of ad fraud, there is also potential for installing other malware or visiting malicious websites.  

The average daily protected users slightly increased when compared to last quarter. MobiDash and FakeAdBlock strains have gone down while HiddenAds continue to increase in popularity. Another campaign on PlayStore contributes to the steady numbers this quarter. 

Brazil, India, and Argentina are again at the top of the most affected users by adware this quarter. Argentina saw a 14% increase in monthly affected users. India, Indonesia, and Paraguay have the highest risk ratio this quarter, meaning users is these countries are most likely to encounter adware.

Global risk ratio for mobile adware in Q3/2023  

Bankers Welcome SpyNote into the Fold 

Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim’s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information. 

Banker evolution continues this quarter with several new strains alongside updates to existing ones. Xenomorph makes a return with some new features, GoldDigger makes an entrance and SpyNote breaches the divide between spyware and bankers. Despite the new arrivals and updates, bankers overall have been on a steady decline in terms of protected users in our telemetry for the last few quarters. Cerberus/Alien maintains its top spot this quarter, trailed by Coper and Hydra strains. We observe an over 20% decrease in monthly average protected users this quarter on all top three banker strains. 

Xenomorph is back after a few months hiatus and has evolved again with several added features and a new method of spread. It appears that this new campaign mainly targets bank users in Spain, US and Portugal as well as adding crypto wallets to its repertoire. Using tailored phishing websites disguised as chrome updates, Xenomorph tricks victims into downloading its malicious APK. Once installed, it uses the accessibility service to take over the device, monitoring 2FA messages and can display hundreds of fake bank overlays to its victim to steal login credentials. New features include keeping the device awake, a mimic mode that disguises the malware further and hides its icon, and lastly it can click anywhere on the device’s screen. Interestingly, Xenomorph was observed to be served alongside RisePro, a Windows based info stealer that also targets banking details and crypto wallets. This may point to a coordinated effort between various actors or a single actor behind multiple strains of malware. 

A ‘tooltip’ displayed to the victims of Xenomorph once it is installed on the device 

A banker targeting victims in Vietnam pretending to be a government portal or a local energy company has been discovered and codenamed GoldDigger. It uses Virbox Protector, a publicly available software that can obfuscate code and prevent both dynamic and static analysis. This appears to be a growing trend in Southeast Asia in recent years, as the use of advanced obfuscation can mean the malware goes undetected for longer. GoldDigger uses fake websites that imitate the PlayStore or phishing in private messages to spread itself. Once on the device, it can steal 2FA SMS as well as personal information and banking credentials. 

GoldDigger displays a fake splash screen to its victim (in Vietnamese), followed by a request to enable the Accessibility service 

In an unusual twist, SpyNote has further evolved to the point of breaching into the banking sphere. Recent samples that we have observed are starting to use the spy features of this strain to extract 2FA messages as well as banking credentials and logins. Spreading through smishing and actual phone calls, victims are encouraged to update to a latest version of their banking application, which unfortunately is the SpyNote malware. This version of SpyNote uses the Accessibility service to key log victim’s entries, record the screen and extract confidential information. It also features a defense module that is intended to prevent its removal. As mentioned in previous quarterly reports, we are seeing more spyware strains being re-used in the banking sphere and we anticipate this merging of strains will continue going forward. 

An unfinished SpyNote sample displays a fake update message that downloads further malicious APKs 

Despite continued activity, updated strains and new bankers entering the market, we observe a steady decline in attacked users for several quarters in a row. We estimate that this is due to threat actors using more tailored approaches as of late as we observe less widespread SMS campaigns that were signature of FluBot and others a few quarters ago.

Global risk ratio of mobile bankers in Q4/2022-Q3/2023

Turkey continues to hold top place with the most protected users, closely followed by Spain, France, and the UK. Most of the banker focus appears to be on Europe, with a few exceptions such as Brazil, Japan, and Australia.

Global risk ratio for mobile bankers in Q3/2023  

Spyware Telegram Mods Are on the Rise 

Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits. 

Spyware presence has slightly declined this quarter as Spymax maintains its top spot among the spyware strains with SexInfoSteal and FaceStealer trailing closely behind. New additions to the spyware family this quarter include several new trojanized modifications of popular messenger applications and SpyNote making another appearance. We note the spread of a fake spyware missile alert app in Israel and Spyloans continue their reign as several new samples have been spotted on the PlayStore.  

Another version of SpyNote/Spymax was used as part of a short campaign targeting users in Japan with fake SMS messages about unpaid utility or water bills. Containing a sense of urgency, these messages led victims to a series of phishing sites which downloaded the SpyNote onto their devices. Once installed, the malware would direct users to open settings and enable the accessibility service to allow it install further malware and hide itself on the device. It then spied on victim’s personal data and was able to access authenticator apps on the device and steal social media credentials.

The SpyNote config containing various settings and checks, such as having Accessibility enabled 

In relation to recent escalating situation between Israel and Palestine, it is worth highlighting a spyware Red Alert missile warning app that was distributed through a phishing website. The original app is used by many in Israel to monitor missile warnings. The fake Red Alert spyware app contained identical features with added abilities that allow it to spy on its victims. This included extracting the call log, SMS lists, location, and emails, among others. The malware also features anti-debugging and anti-emulation that attempts to prevent detection. While not documented, it is possible this malware could also be used to deliver fake warning messages, as has happened with other breached missile warning apps.

Phishing site impersonating the original RedAlert missile warning website that downloads the spyware payload

As noted in the past quarterly reports, mods for WhatsApp, Telegram and Signal are becoming a more popular target for threat actors. We observe another case of Trojanized Telegram mods discovered on the PlayStore, this time targeting Chinese speaking victims. This version appears like the Telegram app at face value, but harvests user information, messages, calls and contact lists in the background. These are then exfiltrated to a cloud service to be further used by malicious actors. Similarly, BadBazaar samples have been spread through trojanized Signal and Telegram apps. Using fake websites to lure victims in, this strain appears to be targeting the Uyghur population. It contains a similar spyware feature set as the trojanized telegram mods. These malicious modifications are around to stay, and users are advised to avoid modifications for popular messaging apps.

Splash screen of the fake FlyGram mod that contains BadBazaar spyware

Spyloan applications continue to spread on the PlayStore. As reported on by Zimperium, these apps remain mostly unchanged and offer loans to unsuspecting victims in various Asian and South American countries. Once the user installs the application, it requests various invasive permissions under the guise of a credit check. If the victim allows these, the actors behind the spy loans will harvest victim data such as messages, contact lists and photos to name a few. These are then used to extort victims into often paying more than the agreed amount and this harassment may continue even after the debt is paid. Users are advised to avoid unofficial sources of loans to avoid this type of extortion.  

This quarter brings a slight decrease in the prevalence of spyware in the mobile sector. While several strains of malicious mods snuck onto the PlayStore, we see an overall decrease in activity and spread of spyware this quarter.

Global risk ratio of mobile spyware in Q2/2023 and Q3/2023

Brazil continues to have the highest number of protected users this quarter, followed by Turkey, US, and India. Yemen has the highest risk of encountering mobile malware in comparison to the rest of the world.

Global risk ratio for mobile spyware in Q3/2023

Jakub Vávra, Malware Analyst

Acknowledgements / Credits

Malware researchers

Adolf Středa
Alexej Savčin
Bohumír Fajt
Branislav Kramár
David Álvarez
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Luis Corrons
Martin Chlumecký
Matěj Krčma
Michal Salát
Ondřej Mokoš 

Data analysts

Pavol Plaskoň
Filip Husák
Lukáš Zobal 

Communications

Brittany Posey
Emma McGowan 

The post Avast Q3/2023 Threat Report appeared first on Avast Threat Labs.

Rhysida Ransomware Technical Analysis

26 October 2023 at 11:31

Rhysida is a new ransomware strain that emerged in the second quarter of 2023. The first mention of the Rhysida ransomware was in May 2023 by MalwareHunterTeam (sample’s timestamp is May 16, 2023). As of Oct 12, the ransomware’s leak site contains a list of over 50 attacked organizations of all types, including government, healthcare, and IT.

Screenshot of the Rhysida data leak site as of Oct 16, 2023 

Victims of the Rhysida ransomware can contact Avast experts directly at decryptors-at-avast-dot-com for a free consultation about how to mitigate damage caused by the attack. 

Analysis of the Rhysida encryptor 

The Rhysida encryptor comes as a 32-bit or 64-bit Windows PE file, compiled by MinGW GNU version 6.3.0 and linked by the GNU linker v 2.30. The first public version comes as a debug version, which makes its analysis easier. 

For cryptographic operations, Rhysida uses the LibTomCrypt library version 1.18.1. For multi-threaded and synchronization operations, Rhysida uses the winpthreads library. Chacha20 pseudo-random number generator is used for generating random numbers, such as AES encryption key, AES initialization vector and random padding for RSA-OAEP encryption. The public RSA key is hard-coded in the binary (ASN1-encoded) and loaded using the rsa_import function. Each sample has different embedded RSA key. 

The encryptor executable supports the following command line arguments: 

  • -d Specifies a directory name to encrypt. If omitted, all drives (identified by letters) are encrypted 
  • -sr Enables self-remove after file encryption 
  • -nobg Disables setting desktop background 
  • -S When present, Rhysida will create a scheduled task, executing at OS startup under the System account 
  • -md5 When present, Rhysida will calculate MD5 hash of each file before it is encrypted. However, this feature is not fully implemented yet – the MD5 is calculated, but it’s not used anywhere later. 

When executed, the encryptor queries the number of processors in the system. This value serves for: 

  • Allocating random number generators (one per processor) 
  • Creating Encryptor threads (one per processor) 
Initialization for multi-threaded encryption 

Furthermore, Rhysida creates a File Enumerator thread, which searches all available disk drives by letter. Binaries prior July 2023 enumerate drives in normal order (from A: to Z:); binaries built after July 1st enumerate drives in reverse order (from Z: to A:). 

The File Enumerator thread searches for files to encrypt and puts them into a synchronized list, ready to be picked by one of the Encryptor threads. Files in system critical folders, and files necessary to run operating systems and programs, are excluded from encryption. 

List of skipped directories: 

  • /$Recycle.Bin 
  • /Boot 
  • /Documents and Settings 
  • /PerfLogs 
  • /Program Files 
  • /Program Files (x86)
  • /ProgramData 
  • /Recovery 
  • /System Volume Information  
  • /Windows 
  • /$RECYCLE.BIN

List of skipped file types:

  • .bat 
  • .bin 
  • .cab 
  • .cd 
  • .com 
  • .cur 
  • .dagaba 
  • .diagcfg 
  • .diagpkg 
  • .drv 
  • .dll 
  • .exe 
  • .hlp 
  • .hta 
  • .ico 
  • .lnk 
  • .msi 
  • .ocx
  • .ps1 
  • .psm1 
  • .scr 
  • .sys 
  • .ini 
  • Thumbs.db 
  • .url 
  • .iso 

Additionally, the ransom note file, usually named CriticalBreachDetected.pdf, is excluded from the list of encrypted files. The PDF content of the ransom note file is hard-coded in the binary and is dropped into each folder. The following picture shows an example of the ransom note from a September version of the ransomware:

In addition to dropping the ransom note, if enabled in the configuration, Rhysida generates a JPEG picture, which is stored into C:/Users/Public/bg.jpg. Earlier version of the ransomware generated the image with unwanted artifacts, which was fixed in later builds of Rhysida. The following picture shows an example of such JPEG pictures: 

The picture is set as the desktop background on the infected device. For that purpose, a set of calls to an external process via system (a C equivalent of CreateProcess) is used: 

Rhysida may or may not (depending on the configuration and binary version) execute additional actions, including: 
 

  • Delete shadow copies using: 
     
    cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet 
     
  • Delete the event logs with this command: 
     
    cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  • Delete itself via Powershell command 
     
    cmd.exe /c start powershell.exe -WindowStyle Hidden -Command Sleep -Milliseconds 500; Remove-Item -Force -Path "%BINARY_NAME%” -ErrorAction SilentlyContinue; 
     
  • (Re-)create scheduled task on Windows startup: 
     
    cmd.exe /c start powershell.exe -WindowStyle Hidden -Command “Sleep -Milliseconds 1000; schtasks /end /tn Rhsd; schtasks /delete /tn Rhsd /f; schtasks /create /sc ONSTART /tn Rhsd /tr \” 
     
  • Remove scheduled task using: 
     
    cmd.exe /c start powershell.exe -WindowStyle Hidden -Command "Sleep -Milliseconds 1000; schtasks /delete /tn Rhsd /f;" 

How Rhysida encrypts files 

To achieve the highest possible encryption speed, Rhysida’s encryption is performed by multiple Encryptor threads. Files bigger than 1 MB (1048576 bytes) are divided to 2-4 blocks and only 1 MB of data is encrypted from each block. The following table shows an overview of the number of blocks, size of one block and length of the encrypted part: 

File SizeBlock CountBlock SizeEncrypted Length
0 – 1 MB1(whole file)(whole block)
1 – 2 MB 1(whole file)1048576
2 – 3 MB2File Size / 21048576
3 – 4 MB 3File Size / 31048576
> 4MB 4File Size / 41048576
Table 1: File sizes, block counts, block lengths and encrypted lengths. 

Multiple steps are performed to encrypt a file: 

  • The file is renamed to have the “.rhysida” extension. 
  • The file size is obtained by the sequence below. Note that earlier versions of the ransomware contain a bug, which causes the upper 32 bits of the file size to be ignored. In later versions of Rhysida, this bug is fixed. 
  • Based on the file size, Rhysida calculates counts and length shown in Table 1. 
  • 32-byte file encryption key and 16-byte initialization vector for AES-256 stream cipher is generated using the random number generator associated with the Encryptor thread.  
  • Files are encrypted using AES-256 in CTR mode
  • Both file encryption key and the IV are encrypted by RSA-4096 with OAEP padding and stored to the file tail structure. 
  • This file tail is appended to the end of the encrypted file: 

Conclusion 

Rhysida is a relatively new ransomware, but already has a long list of attacked organizations. As of October 2023, it is still in an active development.  

Victims of the Rhysida ransomware may contact us at decryptors-at-avast-dot-com for a consultation about how to mitigate damage caused by the attack. 

The post Rhysida Ransomware Technical Analysis appeared first on Avast Threat Labs.

Love-GPT: How “single ladies” looking for your data upped their game with ChatGPT 

4 October 2023 at 13:15

Have you ever wondered, looking at a profile of a potential dream match on a dating platform, who is actually sitting on the opposite side of the screen? Will they look the same when you meet? Did they change something in their bio to make them sound more impressive? Do they like the things they say they do? Or… do they even exist? 

Well, sometimes the answer is: No.  

We have discovered a tool (which is still being developed and improved) that provides vast functionality over several different dating platforms, providing the capability to create fake accounts, interact with victims, bypass CAPTCHA, anonymize the access using proxies and browser anonymization tools, and more. The author is also experimenting with ChatGPT, the now-famous text-based generative AI, to provide them with more streamlined and believable texts. Because of that, we decided to name the tool Love-GPT

Overview

According to our data, the history of the tool goes back at least a decade. Its functionality was iteratively improved over time, adding newer dating platforms as they became more popular, as well as anonymization techniques, and interaction methods. The program contains several Vietnam-related strings, functions, and other references, and we attribute the author to be Vietnamese. 

In this blogpost, we will describe a version from 2023-06-06 (compilation date) with the main module version 347. Note that the tool contains different modules: for example, this main version contains a 544th version of Account Control Center module. 

ChatGPT functionality was likely added to Love-GPT around March 2023 (likely 2023-03-30, main module version 326). 

All versions we’ve seen are programmed explicitly in VB6, provided as a form application. Historically, these variants of module names existed at least at some point in time: 

  • account_control_center_alive_monitor_START_HERE.exe 
  • pof_reload_monitor.exe 
  • ringtones_runas_launch.exe 
  • ringtones_runas_login.exe 
  • scan_phone.exe 
  • virtualbox_pof_reg_CONTROLER_MONITOR.exe 

The tool further requires several additional apps for the whole toolset to function properly. As we will demonstrate, all of these are used to support anonymization of the access to the dating platforms, using proxies, creating a large number of fake accounts, getting and writing emails, and interacting with users. 

We can peek into the main module of Love-GPT below. The module contains several functionalities for interacting with users, including reading inboxes (getting answers and emails), browsing information about matches (the platforms’ way of indicating interest in the other user), sending likes, storing active cookies in a database, changing used proxy, and much more. There are also three different ChatGPT buttons providing a ChatGPT text generation functionality to the interactions.

The main module of Love-GPT

In total, the tool contains 58 different application forms, and it is out of the scope of this blogpost to list and describe all of them. However, we would like to show an additional one below, since it is essential for the whole toolset: the Account Control Center module. 

This module serves as a main hub for creation of fake accounts for all the supported dating platforms. It also supports scraping photos from the platforms, downloading HTML content about any visited page, using PowerTCP to extract cookies, using Multilogin, ProxyRental, Luminati, MountProxy tools for anonymization, and more. The tool also has a (weak) random generator for the new fake accounts’ passwords, and a random selector from a list of 1000 common US names. The built-in browser allows the operator to visually check the tool’s behavior, as well as manually interact on the visited page, when necessary, in case the automation is not enough.

Account Control Center with a build-in browser

Note that the tool we are describing here is huge and we might have missed some important aspects in its functionality or omitted them since they are out of scope for a single blogpost. We are still investigating parts of the program and they might be the subject of a follow-up blogpost(s) in the future.

Fake profiles and data harvesting

Database

As we already mentioned, the main goal of the tool is to create fake profiles on several dating platforms and to store/scrape data from the interactions with the platforms’ users, including their profile pictures, profile body texts, dates of communication, etc. 

In order to be successful in this goal, the tool uses three large databases, called CL Harvest (CL_db_harvest_db), pof_db (as of Plenty of Fish database), and gmail_db, to store a huge variety of information. Since all the databases are intertwined, likely because of historical reasons, we will from now on refer to them as a single database to simplify the analysis. 

The tool uses a Microsoft SQL Server as a database, orchestrating the communication using SQL Server Native Client (provider SQLNCLI10) from inside the program.

Login screen to access the local database with author’s default credentials

Stored information

Currently, the database structure contains approximately 180 different database tables in total (note that the number differs depending on the versions of the tool). We would like to mention at least a few of them, providing interesting insights into what data is being collected or created. We believe none of them need further description.

Table name Note 
a_02_Okcupid_photo_db_scanned_from_okcupid  
a_02_Okcupid_photo_db_scanned_from_okcupid_age_group_1 Age groups are described later 
a_02_okcupid_about_text_db_age_group_3 Profile “about” description texts 
a_03_zoosk_replied_users  
a_07_ashley_accounts  
duyenso_create_fake_profile_current_setting DuyenSo is a Vietnamese dating platform 
email_addresses  
openai_chat_log  
openai_prompt_1st_contact_msg  
openai_prompt_ask_for_number  
openai_prompt_ask_for_number_for_OKCUPID  
openai_prompt_ask_for_number_INDIRECT_WAY  
openai_prompt_chat_template  
openai_prompt_profile_body_text  
pof_accounts_for_scan_new_users  
twilio_for_PVA_direct PVA states for “phone verified account” 
twilio_phone_for_dating_2018  
twilio_uk_mobile_number_database  
US_female_firstname_len_5 len” states for “length” 
US_male_firstname_len_5 len” states for “length” 
Table listing just a few table names from the database

Furthermore, the tool saves images from the dating platforms into several directories: 

  • C:\fb_dating_all_avartar_temp\ (mind the typo) 
  • C:\fb_photo_set_temp\ 
  • C:\PIC for POF\BIG STORE\
  • C:\twoo_scanned_photo\ 
  • E:\FB dating girls photo by city\ 
  • F:\5K Female photos by hair color\ 
  • E:\temp_okcupid_downloaded_photo\ 
  • G:\duyenso_pics_from_pof
  • G:\duyenso_pics_from_pof_girls\ 
  • G:\duyen so acc photo - ready to up - girls\ 
  • G:\duyen so acc photo - ready to up - man\

Age groups

The tool categorizes the users into four different age groups: 

Age group Age range 
30-37 years 
37-49 years 
49-60 years 
No group None of the above 

This serves as a filtering option, and it also shows what ages are interesting for the author/operator. We suppose this is due to the fact that the author is most likely using the stolen information to create further fake accounts. The age group might be an important aspect for setting up the fake age properly, especially with photos. 

Targeted dating platforms

We have identified 13 different dating and social discovery platforms that the tool interacts with, as of the 2023-06-06 analyzed version. The list of the dating platforms can be found below:

Dating platform Note 
Ashley Madison  
Badoo  
Bumble  
Craigslist Interested in “Personal” / “cas” section – “casual encounters” 
DuyenSo Vietnamese dating app 
Facebook Dating  
likeyou.vn Vietnamese social network and dating platform 
MeetMe  
OkCupid  
Plenty of Fish  
Tagged  
Tinder  
Zoosk  

The tool has several steps it takes in order to create the fake accounts, following the process of registering on the platforms. This often involves getting through CAPTCHA, verifying phone numbers (PVA), and creation of fake email addresses, usernames, and passwords. All these steps are performed by the tool, seeking the most automatic process possible. If any of the automations fail, the tool also contains a built-in browser that allows the operator to perform the steps manually. 

Note that Craigslist discontinued the “Personal” section during the FOSTA-SESTA acts in 2018 and we consider this functionality obsolete and not used in the program anymore. 

Historically, Love-GPT was interested in other dating sites/social platforms, too. For example, we could find traces of Twoo, Oodle, and Fetlife. These platforms, however, don’t have proper functionality incorporated in the tool anymore.

Using ChatGPT

During 2023, the author started to use ChatGPT to generate new profile descriptions as well as other prompts to interact with the dating platforms’ users. The author uses a ChatGPT API token which is hardcoded in the binary. 

We estimate that the ChatGPT functionality started to occur around March 2023 (likely 2023-03-30, main module version 326) and it is still under development. Some parts of the functionality seem still like proof-of-concept, and we suppose they are not fully functional yet, with some of them proving more potent already. 

The functionality provides an interesting insight into the upcoming trend of using highly believable texts leveraging generative AI and large language models (LLMs). We can already see that tools misusing the generative AI platforms are emerging and this is likely one of the first in-the-wild examples how it can be misused by the bad actors. 

Overall, the tool contains these functionalities leveraging ChatGPT (both finished and under development): 

  • Create a fake profile description to be used on the dating platforms
  • Read the inbox on the dating platform and reply to messages 
  • Ask for a phone number 
  • Write a first contact message 
  • Chat from a template

In the current implementation, the tool uses these two ChatGPT models: 

  • text-davinci-003 
  • gpt-3.5-turbo

Request parameters

The tool uses different set of parameters for the performed tasks, influencing ChatGPT via its API to perform as needed. For example, parameters for creating a profile body, ensuring diverse and short texts, are as follows: 

  • "temperature": "1"
  • "max_tokens": "60"
  • "top_p": "1"
  • "frequency_penalty": "0.5"
  • "presence_penalty": "0"

Note that for other prompts, temperature = 0.5 is usually used as well, scaling down the randomness. 

The tool uses “prompt” values in the API requests’ body to generate the output. In some of the cases, the whole context is provided to guide ChatGPT for the more precise results:

Just for the sake of demonstration, this is what ChatGPT usually returns for similar prompts:

The detailed description of the parameters available in the ChatGPT API can be found in the official documentation

They tool to win

Love-GPT uses a large set of additional tools and components to stay hidden/anonymize its interaction with the dating sites and their users. It also contains additional components for it to operate, using communication tools and protocols, Android emulator, and OCR for CAPTCHA bypass.

Staying anonymous

The tool needs to use real-looking, fake request fingerprints to reliably access the dating platforms. Otherwise, the platforms could detect such activity and suspend/ban the accounts or bombard the access with CAPTCHAs and other anti-crawler safeguards. 

Below, you can find a list of the anonymization tools being used, with a short description. 

Tool Short description 
AdsPower Anti-fingerprinting tool using virtual browser profiles 
FraudFox Virtual machine and a tool for user-agent and device spoofing 
Identory Anti-fingerprinting browser platform, creating unique identities for any site 
Kameleo Anti-fingerprinting browser platform using virtual browser profiles 
Luminati Proxy network, allowing anonymity for data collection and web scraping 
MountProxy Residential proxy provider 
Multilogin Anti-fingerprinting tool using virtual browser profiles 
ProxyRental Residential proxy and dynamic IP provider 

To summarize, with this artillery, Love-GPT stays under the radar because no one can effectively distinguish connections coming from this specific tool and other regular users accessing the platforms. 

Communication components

Love-GPT can communicate with the users directly on the dating platforms. Because the platforms usually need to verify its users using unique email addresses or even require a PVA accounts (phone verified accounts), the tool has a complete email and phone number management. To achieve this goal, it uses these services and tools: 

  • Email services – Gmail, Yahoo 
  • PowerTCP
  • Pinger 
  • SMSpva (smspva.com
  • TextFree 
  • TextNow 
  • Tropo
  • Twilio

SMSpva is a service for obtaining temporary phone numbers. Along with TextFree, TextNow, Twilio, and others, the toolset provides a convenient way how to enable receiving the SMS verification codes for PVA registration. 

The tool is also able to analyze and send emails from the created Gmail or Yahoo accounts’ inboxes, as well as forwarding emails to different addresses. 

Finally, Love-GPT also uses PowerTCP, or more specifically DartWeb.dll, to support network and communication-related traffic with the web.

Buying new domains

Love-GPT also has a system for buying new domains and making renewals of the already registered domains, including performing payments for the domains. Historically, this was being performed using Entropay. However, since Entropay’s consumer product was discontinued in 2019, we suppose the Love-GPT’s operator switched to some other similar consumer-based service, but that is not reflected in the code – virtual credit card information is stored on the author’s local database, not in the binary. 

The main purpose for this functionality is to set a domain forwarding through the registered domains. To achieve this, the tool uses an API to check the required domains availability, checking the auto-renewal options, as well as setting up the forwarding: 
https://api.name.com/v4/domains/ 

Android emulation

Since some of the platforms are mobile based, for example DuyenSo or the Facebook dating app, the tool uses LDPlayer to emulate a proper behavior on the supported dating platforms. 

The tool also uses a shared folder for exchanging files between the emulator and the local filesystem, mostly for transferring photos: 

  • E:\LDplayer_shared_folder_for_fbdating\

OCR and CAPTCHA

Quite an effort was made in Love-GPT to bypass CAPTCHAs. It uses two different Optic Character Recognition (OCR) tools for capturing texts: 

  • OmniPage 
  • DeCaptcher 

Love-GPT has a dedicated panel, a control center, to orchestrate the CAPTCHA bypassing functionality. 

CAPTCHA Control Center

Future work

During our research, we have discovered multiple additional tools with similar purposes, some of them even likely from the same author who is behind Love-GPT. These vary from more broad scrapers to highly specialized, for example just focusing on Tinder. This clearly shows the trend of automation in this field and ChatGPT can be useful in streamlining the interactions to harvest further data from the victims than they would share otherwise. 

Hashes

Hash Compilation date 
8071dc3dc1e7814f644f2745bbebab8c159763a3605b3615847772851b3960ce 2023-06-06 
cf809afcad7a2054a8c39a84443579d0c9d81ddf0233164bf2a4214a39b6206c 2023-03-30 

The post Love-GPT: How “single ladies” looking for your data upped their game with ChatGPT  appeared first on Avast Threat Labs.

Insights into the AI-based cyber threat landscape

5 September 2023 at 13:38

Executive summary

Both large language models (LLMs) and generative AI are undergoing a significant increase in their abilities and global utilization. While these tools offer undeniable utility to the general public, they also present potential risks of misuse. Furthermore, bad actors are also actively investigating tools like OpenAI’s ChatGPT. 

This document describes following aspects of an AI-based cyber threat landscape: 

  • How ChatGPT brand is misused for lures, scams, or other social engineering related threats 
  • How generative AI can be used to generate malware 
  • The potential pitfalls and changes it brings for security researchers and attackers 
  • How ChatGPT and generative AI can help security researchers in their daily struggles, providing insights, and bringing AI-based assistants to their toolset 

Generative AI and other forms of AI are going to play a key role in the cyber threat landscape. We expect that highly believable and multilingual texts misused for phishing and scams will be leveraged at scale, providing better opportunities for more advanced social engineering. 

On the other hand, we believe that generative AI as it stands now is unlikely to drastically alter the landscape of malware generation. Although many proofs of concept exist—mainly from security firms and nefarious actors testing the technology—it’s still a complex approach, especially when compared to existing, simpler methods. 

Despite the risks, it is important to recognize the value that generative AI brings to the table when used for legitimate purposes. We already see security and AI-based assistant tools with various levels of maturity and specialization emerging on the market.  

Given the rapid development of these tools and the widespread availability of open-source versions, we can reasonably anticipate a substantial improvement in their capabilities in the near future. 

This post can be also downloaded as a PDF here.

AI-generated lures and scams  

AI-generated lures and scams are having a moment. In the world of cybercriminals, AI now serves as the perfect use case for creating lures and carrying out phishing attempts and scams on victims. This is due to the fact that AI serves as a helping hand in writing various forms of texts–emails, social media content, e-shop reviews, SMS scams, and more. In general, AI also improves the credibility of social scams by providing trustworthy, authentic texts that eliminate the traditional phishing red flags, such as broken language and weird addressing. To our surprise, when we asked ChatGPT to make a lottery scam email more believable, it reduced the amount won, which can make the email slightly more believable.  

These threats, increasingly sophisticated and persistent, have begun to exploit advanced technologies, creating a new battlefield in the world of AI systems. In recent years, we’ve witnessed a number of societal issues and initiatives abused in a similar fashion—including (but not limited to) cryptocurrencies, Covid-19, and the war in Ukraine

In the case of ChatGPT, its popularity with hackers has less to do with their interest in AI than it does with the fact that ChatGPT has now become a household name. With the amount of attention ChatGPT receives these days, it would be surprising if attackers didn’t investigate how it can be used for their purposes. 

How is generative AI supporting the creation of lures and scams?

When examining the ChatGPT scams created by cybercriminals, it’s important to observe the language used in scams and how AI can support malware authors in creating more advanced texts than they’d otherwise be capable of writing. AI can easily improve grammatical mistakes, provide content in multiple languages, and create multiple variations of texts to improve their believability. 

ChatGPT can currently provide robust, well-written texts, but if an attacker wants to perform a sophisticated phishing attack, they’d need to insert the text into proper templates. This is because phishing attempts must appear to be credible and consist of more than just text. The attackers can choose from a plethora of existing phishing kits for sale where they obtain already functional and well-designed phishing webpages or emails. They can also use web archiving tools to create a copy of the web and change the appropriate URLs to phish the victims.  

For now, it’s necessary for attackers to build some aspects of their attempts manually and ChatGPT is not currently the ultimate “out of the box” solution for creating advanced malware. Users simply can’t ask for a copy of a website along with a code and styles to run it. That being said, we expect that multi-type models, allowing the combination of multiple LLM outputs, including images, audio, and video, will emerge in the near future. Furthermore, we can already see projects like LlamaIndex incorporating multiple sources of data, enhancing the capabilities even further. With that, we expect that multi-type LLMs will be able to create highly believable custom phishing and scam campaigns targeting a specific audience, including special offers, package deliveries, investment opportunities, scams during big events, and more. 

Malvertising

Malvertising—a portmanteau of “malicious advertising”—is a cybercrime tactic where malware is disseminated through online advertising. This technique cleverly exploits the extensive reach and interactive nature of digital ads to distribute harmful content. 

Unfortunately, attackers leverage ChatGPT’s name for these malicious vectors, with instances observed involving ads on popular platforms such as Facebook. For example, we have observed ads leading to articles and claiming massive income opportunities where all embedded links redirect to a fraudulent investment portal. 

People typically have to register or provide some kind of personal information. This serves as a first filter to lower the number of people who are not easily fooled by easy wins, get rich quick schemes, and so on. 

Once users provide their information, they become susceptible to a variety of malicious actions, such as identity theft, financial fraud, account takeovers, or being lured into further scams. The personal data collected can be misused or sold on the dark web, contributing to a broader ecosystem of cybercrime. Consequently, users who fall victim to malvertising may experience significant financial losses, compromised privacy, and emotional distress. 

The malvertising tactic is a good example of the ever-evolving strategies that cybercriminals employ to exploit trust and credibility. Recognizing such deceptive tactics is the first step towards mitigating the risks posed by these online threats. 

YouTube scams

YouTube, one of the world’s most popular online platforms, has not been spared from cybercrime. We have seen a significant increase in fake videos using prominent figures to trick users into harmful actions. What makes these scams especially insidious is their exploitation of trust, credibility, and human curiosity. 

The strategy often employed here is known as the “Appeal to authority” or “Argument from authority,” where cybercriminals use influential figures to supposedly validate the credibility of their message or investment opportunity. This manipulation can lead to the phishing of personal details, such as banking information, or directly coerce the victim into sending money to the attacker. 

In one particular instance, videos were created featuring Elon Musk to lure unsuspecting users. These videos often capitalize on Musk’s authority and influence in the tech and business world to legitimize the content. As we can see below, the motives of ChatGPT are often misused to lure users. 

The bad actors behind this case used a recording from an official stream discussing aspects of OpenAI and modified it to scam victims without the need of using voiceovers or deepfakes. At certain points in the video, a QR code is displayed that ostensibly offers access to exclusive content or rewards. In reality, this QR code redirects users to a scam page. These scam pages often take the form of cryptocurrency scams promising “easy” profits or elaborate phishing attempts that trick users into revealing sensitive information. 

The danger of these scams lies not only in the potential financial loss. Similarly to the malvertising, the theft of personal data can be used for further phishing attacks, account takeover, impersonation, or sold on the dark web

Although the use of AI was not necessary in this particular case, with increasing maturity of AI models like Midjourney, DALL-E or other purpose-built models we can only expect the use of artificially created fake images, videos, and audio, to increase over time both in quantity and quality. Tools like this can truly achieve remarkable results, even though they never actually happened. We are already seeing tools that allow users to quickly generate videos from a text script. It is still quite noticeable that the videos are not real, but that will become less visible in the future.

Typosquatting

Typosquatting usually involves minor changes in URLs to redirect users to a different website, potentially leading to phishing attacks. Furthermore, typosquatting is also used to encourage users to install applications that seem legitimate but aren’t. An Android app named “Open Chat GBT : AI Chat Bot”, which is shown in the screenshot below, is a prime example of this tactic. This subtle alteration can go unnoticed by users who aren’t paying close attention. 

Browser extensions

Following the introduction and surge in popularity of ChatGPT, we witnessed the emergence of myriad browser extensions. While there are a number of legitimate extensions that have gained popularity, other malicious versions have used that popularity to lure in victims. 

To trick unsuspecting users, attackers create an extension with an enticing title that contains or closely resembles ChatGPT. The attackers leverage this confusion to convince users that the browser extension is genuine when, in reality, it’s a malicious piece of software. These apps often disseminate adware or stealers/spyware, with some even tricking users into subscribing to services that periodically drain fees from the victim’s credit card (this is also known as fleeceware). 

One such case was documented by Guardio, where threat actors copied the design of a legitimate extension called “ChatGPT for Google”. The malicious version of the extension spread by these bad actors steals the Facebook sessions and cookies of its victims.

Image credit: Guardio 

Fortunately, in the case of this malicious extension copycat, Google removed it from the Chrome Web Store shortly after it was reported by Guardio. 

Installers and cracks

When trying to download a popular tool or application that you want to use, it’s not uncommon to come across installers that contain malware. These installers are designed to trick users into installing harmful software on their devices without even realizing it. They often appear to be legitimate installers, using the name and appearance of the real tool or application that you’re interested in. 

We can observe malicious installers like this misusing the name of ChatGPT that give users the promise to install and use ChatGPT on their device. One such example discovered by Meta’s engineering team is NodeStealer, malware that steals passwords and cookies from browsers. 

Cracks or unofficial versions of software can be risky, as it’s possible to hide malware inside them. Once installed, the malware may allow hackers to access your personal information, steal your passwords, or even take control of your computer. 

Fake updates

While browsing the web, users might come across an article that appears to be essential to read. But upon clicking the link, a page is displayed claiming that the browser is out of date and needs an update to show the content. One example is a SocGholish campaign where ChatGPT related articles are, among other topics, misused by attackers to lure people into downloading a browser update which is in fact typically a remote access trojan (RAT) giving the attacker complete control of the infected device. We see these pages often hosted on WordPress sites with vulnerable plugins or sites with weak admin credentials. 

AI as a tool for malicious purposes 

Recognizing AI-generated content is harder than you might think

Large language models (LLMs)—the AI tools that power tools like ChatGPT—have been creating a lot of buzz from their beginning. People have been amazed by their capabilities, and they’ve undeniably opened up a wide range of new possibilities. At the same time, LLMs have also brought some troubles. For example, schools have quickly needed to figure out how to approach these newly available tools while effectively communicating their pros and cons to students.  

As a result, the need for a tool able to recognize AI-generated content emerged. We have analyzed a couple of projects that claim to be able to identify such content. Some of them have good results on basic prompts, but each one of them fails once any type of change is introduced. More specifically, generated text that was properly detected as 100% AI-generated was suddenly 100% human once ChatGPT was asked to introduce a couple of mistakes.  

When it comes to detecting AI-generated code or even binaries compiled from AI-generated sources, the problem becomes even trickier. Similar to detecting more traditional malware, this is yet another never-ending cat and mouse game between AI generators and detectors: Once the first detectors started popping up, new generators were created to avoid them. 

LLMs and malware 

Time and time again, it has been proven that LLMs can be used to generate malicious code. However, it should be noted that while LLMs can significantly simplify the process, some degree of understanding of the malware development process is required to get the desired output. There are also many available malware builders, obfuscators, and packers that make the LLM approach more cumbersome as they provide a tailored solution designed to create malware in such a way there is no active protection from malicious inputs. 

Our team tested LLMs to generate simple malicious portions of code for testing our products, and in doing so, we’ve put together some key takeaways:

1. Proof of recognizing AI-generated content is hard, and protection techniques (such as packing and obfuscation) makes it even harder

As mentioned above, the cat and mouse game between AI generators and detectors continues to play out. Since AI vendors continuously improve their models, detection models can become obsolete quite quickly.  

It is important to mention that LLMs don’t change the behavior of code, just how the code was created. So far, we haven’t seen LLMs come up with a novel, previously unseen technique to infect machines. It can only use an arsenal of already known techniques.

2. Malware authors need to figure out much more than just source code

They need to verify the proper functionality of the code, testing environments, obfuscation, distribution methods, and the infrastructure of the vector. What’s more, they’re responsible for preventing takedowns–at the end of the day, it’s cybercriminals’ intent to have the threat working for the longest possible period of time.  

Testing of the generated code is important as our attempts showed a rather high amount of cases where the code didn’t work as intended on the first go and these errors can be hard to notice at first glance. 

The task of covering their tracks must also be included in a hackers’ scope of responsibility. This often amounts to money laundering, anonymization, and generally operational security.

3. Creating malware still requires a fair amount of technical knowledge

When it comes to creating prompts for LLM malware, the prompts themselves need to be quite precise–technical knowledge of how to write the code is still needed, although non-sophisticated components can be more straightforward to write. Many real-world examples only showcase short snippets of the malware creation process due to restrictions in both the prompt length as well as the security filters implemented in the LLM systems to avoid misuse for malicious purposes. Because of this, it can still be difficult to make a functional, more complex codebase. As an interesting consequence a whole new type of job has emerged where creating prompts for the model is the primary activity. 

It’s necessary for the attacker to test the results, tweak the queries, and know what the ideal (malicious) solution should look like. It is important to recognize that the attacker must possess knowledge of AV protections, anti-sandbox and anti-debugging tricks, as well as obfuscation techniques to overcome security measures. For these reasons, LLM malware isn’t the top choice for exercising the creativity required to write these kinds of malicious code. 

Spambots, social media, and fake reviews 

The rise of AI technology has inadvertently led to an evolution in spam tactics. Spambots have been observed exploiting OpenAI’s ChatGPT system, which has a filtering mechanism designed to avoid generating offensive or inappropriate responses. 

Instead of generating a substantive response, ChatGPT returns an error message when asked to generate inappropriate content, such as: “As an AI language model, I cannot generate inappropriate or offensive content,” or “I’m sorry, I cannot generate inappropriate or offensive content.” 

In many cases, spambots and fake social media bot accounts inadvertently publish these error messages. This is because spambots (both their algorithms and the people behind them) don’t validate output from ChatGPT—instead, they use the response from ChatGPT directly, resulting in self-incrimination of the bot as these messages can be used as a telltale sign of spambot activity.

Image credit: Twitter 

Interestingly, we have also noticed spambots manipulating user reviews. Some entities copy a response directly from ChatGPT in an attempt to gain positive feedback or inflate product ratings. This highlights the evolving sophistication of spam strategies and the importance of maintaining vigilance in digital interactions.

Image credit: VICE 

Spambots try to systematically flood product listings with deceptive reviews that exaggerate positive aspects, artificially inflate ratings, and create a false perception of popularity and quality. Users rely heavily on reviews to make informed buying choices, and when manipulated by spambots, they may unknowingly purchase subpar products based on misleading information. 

Each of these examples goes to show that ChatGPT is consistently being used for malicious purposes. The quality of the ChatGPT textual outputs as well as its capability to generate many different wordings will make the detection of fake reviews harder for both the e-shops as well as humans. 

Generating other inappropriate results 

ChatGPT has a filtering system in place, but bad actors are still able to find ways around this in order to generate content for malicious purposes. Although it’s possible to get around the tool’s safeguards, this proves to be a timely task for hackers, who can save time simply by searching for queries using a traditional search engine. After all, there is a lot of “educational-use-only” malware on GitHub anyways.

It is possible that tools able to bypass the security filters, which is also called “jailbreaking”, will make the use of ChatGPT for malicious purposes more convenient. We can already see efforts like WormGPT, which is based on open-source LLM models and trained with malware in mind. Unlike other AI models that have implemented restrictions to combat abuse, WormGPT operates without ethical boundaries, making it more accessible even to novice cybercriminals.

Deepfake

Deepfakes are a concerning and emerging form of technology that can pose serious threats to individuals and society as a whole. As a direct application of AI for malicious purposes, these convincing and highly realistic videos can make it seem like someone said or did something they never actually did. This is done by changing and manipulating the appearance and voice of the individual using AI. 

Deepfakes can have far-reaching consequences, leading to public outrage, damaged reputations, and even social or political instability. Moreover, deepfakes can be used for identity theft or fraud, as scammers can create videos or images that look like someone you know, tricking you into sharing sensitive information or inadvertently sending money to the attacker. 

An example of this was the case of the deepfake video depicting Ukrainian President Volodymyr Zelenskyy that appeared online not long after the onset of the war in Ukraine. This was a highly politically motivated deepfake that surfaced on various social media platforms. 

We’ve also observed attempts to use deepfakes as defense arguments. In this case, a lawsuit was filed against Tesla by a car accident victim’s family who claimed that Tesla’s automated driving software failed, while Tesla supposedly argued that the driver ignored warnings and was playing a video game while driving. The family’s attorneys aimed to depose Musk about his recorded statements from 2016, but Tesla opposed the request by suggesting the Musk statements were deepfakes and that, as a result, he can’t be held responsible. 

In the wild

While LLMs offer immense assistance to individuals seeking help with their everyday struggles, the same goes for the bad actors. Despite the safeguards put in place, we can already see attempts to create proof of concepts using a specific set of prompts, experimenting with the tools to create malware. 

In multiple examples, Check Point Research provides evidence that threat actors are investigating the use of ChatGPT for creating malware. For instance, a user on an underground hacking forum shared his efforts to create a functional information stealer, as well as claiming they were successful with creating multiple strains and techniques from publicly available write-ups. In another attempts, Check Point Research tried to prompt ChatGPT themselves to generate snippets of code which could be used in malware. 

Kaspersky, on the other hand, chose a different approach when they used ChatGPT to try to identify phishing based on a URL. Although the LLMs are not mature enough to do this yet, it shows the potential of the technology. With additional training and finetuning, it could become a viable detection method. 

The attackers don’t hesitate to try new tools and they will thoroughly test LLMs capabilities, including ChatGPT or other emerging models like WormGPT, in attempts to generate code (and text) for malicious purposes. Even though possible, the process of generating malware is still cumbersome and other development methods, like copying code directly from Github or StackOverflow, are still more straightforward and easier. 

We experimented with generative AI in our testing environment, aiming to simulate behaviors usually associated with malware. However, we faced similar challenges in the process. Many of our attempts led to a high error rate in the generated code, which demanded expertise in identifying and resolving these errors. Additionally, when a prompt that could potentially be perceived as suspicious was introduced, the security filter was triggered, essentially blocking further prompts. This necessitated initiating an entirely new chat, which significantly reduced the convenience of the overall experience. 

We agree that ChatGPT can save time while producing simpler techniques for the testing environment. It could be utilized by a skilled person to produce better results with the right prompts, but we also expect this person to be well-funded in the field, using obfuscation and other protection techniques anyway. 

At this point, less savvy users will likely get frustrated in their attempts to generate malware, resulting in copying codes from Github and StackOverflow anyway, always walking the simplest path. However, when tools without security filtering and restrictions occur, like WormGPT, this might change rather quickly. 

How ChatGPT can serve as a tool for helping researchers 

While we’ve explained how LLMs can be used for malicious purposes, they can also be used for good and to support researchers in their work. When using the services of AI tools, it’s important to verify the output and ensure that you’re not using any internal company data. After all, anything that is entered into an AI tool can be used for further training and potentially lead to a leak. Having a third-party agreement or NDA can help combat this risk, but this is definitely not the case with a public service like ChatGPT nor any other tool that is offered for free. 

Supporting analysts in understanding and writing detections 

Security analysts can use ChatGPT to prepare detection rules for them or, alternatively, to explain the existing rules when they’re in doubt about what exactly it is what they do. 

Detection languages that allow researchers to detect patterns (for example, in malware or its behavior), including Yara, Suricata, or Sigma, don’t reach the analyst-quality level of rules when created by LLMs. For junior analysts, however, the provided template can be useful–they can take it as a starting point and improve the detections from that baseline. 

Presented below is a pre-formatted Yara rule template. It’s prepared for an analyst to input malicious strings discovered in a Portable Executable (PE) file that’s less than 100 KB. Accompanying explanations are also included. It’s far from perfect, but a junior analyst can proceed from this point and try to further improve the ruleset by submitting additional queries and searching online. 

AI-based assistant tools 

Many new projects are emerging that incorporate LLM-based tools in the form of AI-based assistant tools that can assist users with basic or more complex tasks alongside other tools. In general, AI-based assistants promise to speed up work while the user focuses more on important problem solving, which ultimately delivers efficiency and increased productivity. 

There are AI-based assistant tools for office-style work, such as Microsoft 365 Copilot or Google Duet AI, as well as more technical projects for tech-savvy users. These tools often possess an extensive knowledge base and can provide instant access to documentation, libraries, and examples. This means the user gets better suggestions, autocompletion, instant access to documentation, and examples. 

For malware analysts, AI-based assistants can help with understanding the assembly, the disassembled code, or debugging. They can provide insights into function calls, data structures, and control flow, which saves time and effort in the reverse engineering process. 

It’s important to note that the more specific the field is, the more difficult it may be to create a helpful assistant. This is the case in a specialized field like reverse engineering; in this scenario, the functionalities provided by an AI-based assistant can be limiting. However, we can only expect the AI-based assistants to improve and be incorporated into more tools and applications as time goes on. 

Here’s a non-exhaustive list of some of today’s AI-based assistants and their proposed functions:

  • VulChatGPT: Helps with finding potential vulnerabilities in binaries. 
  • Windbg Copilot: Allows users to use ChatGPT capabilities directly in Windows Debugger. 
  • GitHub Copilot: Suggests code and entire functions in real-time using the OpenAI Codex. 
  • Microsoft Security Copilot: Designed to help defenders by assisting with breach identification, incident response, and understanding collected data. 
  • Google Cloud Security AI Workbench: This specialized LLM introduced by Google is a collection of AI tools that are designed to help with point-in-time incident analysis, threat detection, and analytics. 

We see a great potential in the AI-based assistant tools, especially when they get finetuned and specialized over time. Even though we didn’t study all the aforementioned tools in practice and detail, we were able to test the capabilities of two red-teaming tools, namely PentestGPT and BurpGPT

PentestGPT provides code snippets/tools syntax that the tester can use and it advises further actions based on the output provided by the tester. We’ve found the maturity of the tool is currently low, discovering many bugs and incompatibilities, and it provides generic suggestions. 

BurpGPT is an extension for Burpsuite which sends the requests/responses to a GPT model for evaluation and gives info about discovered vulnerabilities. While testing the tool and browsing an online service, the extension transmitted data to OpenAI. However, we didn’t receive any results, likely due to the absence of detected vulnerabilities. 

With the cloud-based tools, we quickly learned that due to the volume of data being transferred and used in the prompts, the costs of running such tools rendered them too expensive for everyday use, especially given the low quality of outputs. 

Furthermore, the users of AI-based assistant tools should carefully read the terms of use, privacy policies, and/or contracts of the services. For the tools to operate, users have to provide potentially sensitive information, possibly going against their interests or, in case of using the tools in the company environment, against the company security policies.

Explaining the functionality of code 

To better understand and defend against malicious threats, security analysts can use ChatGPT to request an explanation of a specific portion of code. Below, we can see an example–the code provided is that of a malicious SocGholish (FakeUpdate) landing page. When asked for an explanation of the code, ChatGPT was able to provide some insights into the function of the code’s specific fields.

This functionality can be useful both for analysts to learn new things and to point them in the appropriate direction in their studies.  

In a second example, ChatGPT delivered an explanation of a PowerShell script. The query attached to the code snippet was simply “explain”, which proved to be sufficient.

Image credit: Twitter
Image credit: Twitter 

In this scenario, ChatGPT didn’t provide a conclusion about what the script actually does. However, a junior researcher can use this output as a starting point to query for further details of what they don’t know. 

As with many evolving technologies, this approach isn’t bulletproof–while ChatGPT often can point analysts in the right direction, it can also do the complete opposite in certain cases. At the end of the day, analysts should maintain a critical eye of ChatGPT’s output and verify the content.  

It is important to mention that there is a limit to the size of the input, so defenders might need to analyze the code in parts. We can, however, expect this limitation will likely be much less noticeable in the future.

Deobfuscating and beautifying simpler scripts 

When prompted, ChatGPT can try to deobfuscate scripts that analysts provide. It can handle simpler obfuscators and beautify the output, making it more accessible to the analyst. 

For example, below is the deobfuscated script from the FakeUpdate example given in the previous subsection. 

The analyst can already see some artifacts that they might find useful–this can make the analysis much faster.

Pricing and privacy concerns 

These are two important aspects of using huge language models: Privacy and price. Privacy concerns stem from the fact that many online models use submitted data for further training, which can in some cases lead to internal company data leaks (as was the case with Samsung). For use cases in the security industry, one would often need to submit a part of code or an email for the AI to be able to provide insights. This could also lead to data leaks and isn’t acceptable. 

The second concern is price: According to estimates, running ChatGPT can cost the company as much as $700,000 each day. While this cost is likely quite high given the current popularity of LLMs and the resulting high volume of queries and inferences, it shows that running such models in-house to avoid privacy concerns is cost-prohibitive. Running these models requires high-performance graphics cards, which have recently been quite hard to come by and, in turn, significantly more expensive than their regular suggested price. 

Using an API access might not be cheap either. While testing several AI assistants, we’ve noticed that especially with larger inputs where additional data is provided (like pentesting assistants), the cost of operation raises very steeply, and the maturity of these tools just doesn’t balance the cost yet. 

Looking toward the foreseeable future, we expect to see significant cost reductions once tailor-made hardware has been developed and computational optimizations (like 8-bit matrix multiplication) are implemented to reduce the need for high-performance hardware. 

AI can hallucinate too! 

One big issue that we’ve encountered during our testing is that the models have the tendency to come up with responses that are simply untrue. This phenomenon is called hallucination.  

Take this example: In the following interaction, we asked for a vulnerability assessment. The model correctly identifies the type of vulnerability, but it points to a wrong function that causes it and makes up a couple of vulnerabilities that aren’t there at all. 

The same can be said for code generation–while code may look correct and run successfully, in some cases, it might not provide the correct results. For instance, we asked the model to generate code to pull articles from multiple subsites in WordPress. The model created a code that looked good at first sight and used the correct functions but didn’t work correctly. We only discovered the problems after putting the code into our staging environment and thoroughly testing it. This ended up being quite a tedious and time-consuming task, as finding bugs in somebody else’s code can become much harder than writing the code from the ground up. 

We expect more domain-specific LLMs to pop up in the future aiming at lowering hallucinations / false positives by being specifically trained for a particular use case. 

Staying safe

With the exponential growth of ChatGPT’s popularity, it’s no surprise that malicious actors have capitalized on its name to create scams or started using it with malicious intends in mind. However, there are a few tips to protect yourself and stay safer online: 

  • Beware of offers that are too good to be true: If an offer seems too good to be true, it most likely is.  
  • Verify the publisher and reviews: Always check the source and authenticity of the app or extension. Be suspicious of ratings that are only 5* and 1*, and reviews that look similar or are constructed in a similar way within a short period of time. 
  • Know the product you want to use: OpenAI offers the basic version of ChatGPT for free (after registration) on the official website. Any offer that contradicts this should be treated with caution. 
  • Avoid cracked software: Cracked or pirated software is a common method used by bad actors to distribute malware. 
  • Report suspicious activity: If you encounter a suspicious ad, application, or browser extension, use the report button to inform the provider. 
  • Keep your software updated: Make sure all your software, including your antivirus, is always up to date. 
  • Trust your cybersecurity provider: Avast is here to protect you no matter what you do online. We’re continuously working with our users to protect them against the latest threats. Report a malicious sample or false positive on our website. 
  • Educate yourself: There are many new articles every day about currently used and emerging cyber threats. 

The rise of AI technologies like ChatGPT has unfortunately brought with it an increase in scams and cybersecurity threats. However, with awareness, vigilance, and the right cybersecurity tools in place, users can protect themselves and continue to enjoy the benefits of these advanced technologies. Stay safe in the digital world! 

The post Insights into the AI-based cyber threat landscape appeared first on Avast Threat Labs.

Avast Q2/2023 Threat Report

10 August 2023 at 08:00

Unveiling the Dominance of Scams Amidst a 24% Surge in Blocked Attacks

Foreword 

This quarter has been nothing short of extraordinary, with cyber-threat activity reaching its highest point in the past three years. We take this opportunity to offer you insights into the challenges we encountered in safeguarding our users against all these malicious threats. 

In Q2/2023, our detection telemetry revealed a significant increase in overall cyber-threat risk. The risk ratio, reflecting the proportion of users protected from cyber threats out of all our protected users, rose by 13% quarter-on-quarter, reaching a concerning 27.6%. Moreover, the volume of unique blocked attacks surged by 24% over the same period, resulting in an average of close to 700 million unique blocked attacks each month. 

During the quarter, we observed a notable shift in threat trends. While traditional consumer-focused cyber threats saw a slight decline, there was a dramatic surge in social engineering and web-related threats, such as scams, phishing, and malvertising. These threats accounted for more than 75% of our overall detections on desktops during the quarter, with scams alone contributing to 51% of the total detections.

The prevalence of malvertising and malicious browser push notifications have also witnessed a dramatic increase, along with the proliferation of dating scams and extortion emails. More detailed information on these emerging threats can be found in the subsequent sections of this report. 

While adware exhibited a slight decline in prevalence, it continues to persist across desktop, mobile, and browser platforms. One notable example is the HiddenAds campaign, which resurfaced on the Google Play Store and amassed tens of millions of downloads during its reign. 

Another noteworthy observation was the discovery of the Mustang Panda APT group’s attempt to infiltrate and infect TP-Link routers through compromised firmware. We also closely monitored the progress of the DDosia project, witnessing participants of this threat group targeting the Wagner Group infrastructure in response of its ephemeral rebellion in Russia. 

Malicious coinminers, while experiencing a slight decline, posed unique challenges for its authors due to the shift from proof-of-work to proof-of-stake schema that recently happened in many cryptocurrencies. And some of the malware authors struggled to adapt, leading to the observed decrease in coinminer prevalence during this quarter. Our researchers also discovered HotRat in the wild, a .NET reimplementation of AsyncRat, featuring numerous new commands and features.  

In addition, I am pleased to highlight another significant achievement by our researchers. Avast’s discovery of CVE-2023-29336, a local privilege escalation vulnerability targeting win32k in the Windows kernel, led to a prompt patch in the May Patch Tuesday security update. While we shared a proof-of-concept exploit with Microsoft, we have responsibly withheld public disclosure of technical details to prioritize user safety. 

However, ransomware remains an ongoing concern. Despite a slight decline in prevalence, ransomware authors persist in targeting victims, relying increasingly on targeted attacks and exploits to penetrate company networks. Notably, successful attacks on widely used software, such as PaperCut and MOVEit, underscore the evolving tactics of ransomware operators, who more than ever experiment with encryption-less extortion techniques and doxing. 

On a positive note, we are pleased to share that our efforts have led to the development of a free decryption tool for Akira Ransomware. This tool has already assisted numerous victims of ransomware attacks in restoring their files and businesses, further solidifying our commitment to providing solutions and assistance to those in need. 

Thank you for reading and placing your trust in Avast. Stay safe and secure. 

Jakub Křoustek, Malware Research Director

Methodology 

This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, with a specific emphasis on web-related threats, and Mobile-related threats, where we describe the attacks focusing on Android and iOS operating systems. 

We use the term “risk ratio” in this report to denote the severity of specific threats. It is calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month. 

A blocked attack is defined as a unique combination of the protected user and a blocked threat identifier within the specified time frame. 

In this report, we also slightly redefined the “Information Stealers” malware category. Moving forward, this category will encompass the following malware types: banking trojans, keylogger, password stealers (also known as pws), spyware, clipper, cryptostealer, exfilware, stalkerware, and webskimming. We also recalculated the related statistics so that we can provide you with the correct comparisons with the previous quarters. 

Featured Story: The Rise of Scams 

Scams, much like the many forms of deception and trickery that preceded them, have always been an inherent part of the human experience. In a digital era where information is largely exchanged through the Internet, these acts of deceit have found a fertile ground to evolve and proliferate, posing a significant threat to online safety. 

Scams have transitioned from the physical to the digital world with alarming ease, leveraging the anonymity and expansive reach provided by the Internet. Today’s scams employ a wide array of sophisticated tactics that range from financial and charity scams to online dating scams and deceptive advertising. The mechanisms may vary, but the end goal remains the same – to deceive unsuspecting individuals into revealing sensitive information or parting with their hard-earned money. 

Furthermore, a related threat type, Phishing, accounted for another 25% of all threats. Phishing attempts often masquerade as legitimate requests for information, typically from a well-known and trusted entity such as a bank or a government agency. They prey on human instincts of trust and urgency, compelling victims to divulge confidential information or engage in financial transactions under false pretenses. 

The rapid evolution of technology has led cybercriminals to adapt and innovate. They have harnessed AI tools to craft nearly flawless imitations of legitimate communication, making it increasingly difficult for individuals to differentiate between what is real and what isn’t. Furthermore, the adoption of smishing – or phishing through SMS – has capitalized on the high open rates and inherent trust individuals place in text messages. 

The data from Q2/2023 signifies a shift in the cybersecurity landscape. Threat actors are opting for the psychological manipulation afforded by scams and phishing rather than the technical exploits found in traditional malware attacks. As a result, our defense must adapt, focusing not just on improving technological measures but also on building awareness and promoting skepticism toward unsolicited communication. 

In March we uncovered a new Instagram scam using fake SHEIN gift cards as lure. During Q2, we have found that the scammers are widening their operations, covering more countries such as Israel. They have also evolved and moved on from fake SHEIN gift cards to a maybe more appealing iPhone 14 targeting users in Mexico and Spain, such as the example below. 

Recent scam utilizing Apple iPhones as lure in Spain and Mexico

The outcome remains the same: victims never receive the promised price; instead, they find themselves subscribed to an unfamiliar service they have no knowledge of. 

During these past three months, we have documented other scams as well. Avast Threat Labs identified a new data extortion scam targeting companies via email, seemingly from a ransomware or data extortion cyber gang. The emails, addressed to employees by their full names, claim a security breach has occurred, with a significant amount of company information stolen, including employee records and personal data. Senders purport to be from ransomware groups like “Silent Ransom” or “Lockffit.” The emails press employees to notify their managers about the situation, threatening to sell the stolen data if ignored, and remind the recipients about the regulatory penalties of data breaches. 

However, these communications appear to be more scare tactics than actual extortion campaigns following a data breach. It’s an effort to intimidate decision-makers into paying to prevent further consequences like having their data sold or facing potential regulatory fines. There’s no offered proof of the breach other than possession of the recipient’s email and name. Avast has captured identical scam messages targeting different organizations, merely changing details like the recipient’s name, the contact email, the supposed amount of stolen data, and even the alleged cybercriminal group. This modus operandi points to semi-automated attacks using a list of targets, akin to sextortion tactics. 

In fact, this quarter a new sextortion campaign was uncovered by Avast. Sextortion scams are email-based cyberattacks where the scammers claim to have taken control of your system, often saying they have recorded your activities through your device’s cameras and demanding payment to keep your privacy intact. The scammers capitalize on the victim’s fear and embarrassment, hoping for quick payment to avoid potential exposure. 

One of the nastiest scams we have detected is this disturbing crowdfunding scheme exploiting public generosity. The scam involves a series of emotionally charged video ads, narrating the story of a cancer-stricken child named “Semion,” soliciting urgent financial aid for his treatment. These videos, primarily in Russian with multilingual subtitles, have been shared on platforms like YouTube and Instagram, eliciting significant monetary donations from empathetic viewers directed towards a donation page offering multiple payment methods. 

Amidst these rising threats, it is essential to remember the fundamental rule of the Internet: trust, but verify. The shift towards a more scam-dominant threat landscape emphasizes the importance of digital literacy and security awareness for consumers. 

In conclusion, the surge in scams and phishing incidents during Q2/2023 underscores a shifting threat landscape that demands adaptable, well-informed, and proactive cybersecurity measures. The cornerstone of these measures must be comprehensive education and awareness initiatives designed to empower users in recognizing and effectively responding to these deceptive and damaging attacks. 

Luis Corrons, Security Evangelist

Desktop-Related Threats 

Advanced Persistent Threats (APTs) 

An Advanced Persistent Threat (APT) is a type of cyberattack that is carried out by highly skilled and determined hackers who have the resources and expertise to penetrate a target’s network and maintain a long-term presence undetected. 

Avast researchers have been diligently monitoring the activities of the notorious hacking group Mustang Panda and their exfiltration server. During our investigation, a significant development emerged when the researchers discovered several new binaries on the server, one of which being a malicious firmware image that was customized for targeting TP-Link routers. This firmware image turned out to be laden with malevolent components, among them a particularly troublesome custom MIPS32 ELF implant. 

Remote commands execution functionality found in Mustang Panda’s malicious firmware image 

The implications of this custom implant are unsettling, as it affords the attacker three key functionalities. First, the attackers can execute arbitrary shell commands remotely on the infected router, granting them substantial control over the device from a distance. Secondly, the implant facilitates file transfer to and from the infected router, providing a means for the attackers to upload and download files which could lead to data theft or the dissemination of harmful payloads. Finally, the implant enables SOCKS protocol tunnelling, serving as a communication relay between different clients, further masking the attacker’s identity and complicating their detection. The method used by the attacker to infect the router devices with the malevolent implant remains unknown. Overall, the threat group continues its operation in multiple countries including Hong Kong, Vietnam, Philippines continuously testing new techniques and malware. Simultaneously, they utilize well known tools such as Korplug and Cobalt Strike. 

Lazarus, another infamous group notorious for their involvement in numerous high-profile cyberattacks, has carried out a fresh social engineering campaign this quarter. Their targets are blockchain-related developers, enticed through deceptive job assessments as a means to introduce malware. This strategy aims to compromise developers, potentially leading to significant security breaches and data compromises. 

The Gamaredon APT group is demonstrating persistence in pursuing their malicious objectives, with Ukrainian institutions remaining a primary focus of their cyber-espionage operations. The group has a history of launching sophisticated attacks against government entities, military organizations, and critical infrastructure within Ukraine. Their modus operandi involves using spear-phishing emails, malicious documents, and social engineering techniques. 

DoNot APT remains actively engaged in targeting the Pakistan government and military. We have identified a series of phishing emails containing LNK files to deliver the payload. 

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher

Adware 

Adware is considered unwanted if installed without the user’s consent, tracks browsing behavior, redirects web traffic, or collects personal information for malicious purposes such as identity theft. 

Compared to last quarter, we have seen the beginning of a downward trend in desktop adware in Q2/2023, as the graph below illustrates. In the next quarter, we will see if this is a long-term trend or just a seasonal fluctuation since we did not notice any significant adware campaigns in this quarter. 

Global Avast risk ratio from desktop adware for Q1/2023 and Q2/2023

In the previous quarter, DealPly adware established itself as a leading force within the adware landscape with a 15% share. The map below shows that DealPly’s risk ratio has increased globally by almost twice as much compared to Q1/2023.

Map showing global risk ratio for DealPly adware in Q2/2023

In contrast to the rise of DealPly, the risk of all adware strains is about half as much as Q1/2023. The significant increase in adware activity we observed in East Asia, namely Japan, Taiwan, and China, in Q1/2023 has stabilized with the overall average of Q2/2023. The complete risk ratio is illustrated in the map below. 

Map showing the global risk ratio for Adware in Q2/2023

Adware Share 

DealPly remains the undisputed market leader, holding a substantial 31% share. Smaller shares are allocated to other adware strains as follows: 

  • RelevantKnowledge (7%) 
  • BrowserAssistant (3%) 
  • Neoreklami (2%) 

Nevertheless, lesser-known adware strains managed to capture a significant 32% market share in Q2/2023. The prevailing variant of these adware strains typically operates by intercepting user clicks on random hyperlinks and substituting them with redirects to advertising websites. 

The following table provides a distribution of ad domains observed in the wild during the current and previous quarters. It is evident that ad domains are rotated dynamically each quarter to evade detection by ad blockers and other detection systems. 

Q2/2023Q1/2023
oovaufty[.]com (30%)oovaufty[.]com (16%)
ptuvauthauxa[.]com (23%)ptuvauthauxa[.]com (19%)
saumeechoa[.]com (15%)saumeechoa[.]com (53%)
ninoglostoay[.]com (9%)ninoglostoay[.]com (7%)
caumausa[.]com (5%)
applabzzeydoo[.]com (3%)
ad2upapp[.]com (2%)ad2upapp[.]com (1%)
Representation of ad servers in the wild for Q2/2023 and Q1/2023

Adware tries to unobtrusively redirect users to websites that provide free software downloads or other products but also to dangerous content. In a separate section, we will overview the most common Web-based Adware in Q2/2023.

Martin Chlumecký, Malware Researcher

Bots

Bots are threats mainly interested in securing long-term access to devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks.

We have continued to track the activities of notorious threat group NoName057(16), notably their DDosia project. The release of our latest blogpost on the threat coincided with an update of DDosia’s protocol. Just a day after the release, the protocol was updated to include encryption.  

The most notable bot attack of Q2/2023 was the one following the Wagner Group rebellion. Just hours after the start of the rebellion, DDosia released a configuration targeting Wagner Group webpages which were up for almost a day. In contrast to usual operations, this attack wasn’t announced on the project’s Telegram channel. It is also worth noting that this attack was unsuccessful, and the targeted webpages were accessible throughout the DDoS attack without restrictions.  

While it may seem unexpected for a Russian group to choose a Russian target, it seems to be well within their usual modus operandi which follows pro-government Russian interests. As for the group’s development, it seems that the project’s growth is slowly reaching its plateau with the current number of volunteers being around 11,500. 

The size of DDosia community over last 4 months.

The overall botnet landscape to be rather stable, with a slight decline in risk ratio and no significant changes in the family distribution in comparison to the previous quarter. The only significant outlier is the MyKings family that has increased in activity by circa 20%.

Global risk ratio in Avast’s user base regarding botnets in Q2/2023 

Adolf Středa, Malware Researcher

Coinminers

Coinminers are programs that use a device’s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as compensation. However, in the world of malware, coinminers silently hijack a victim’s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it’s important to follow our guidelines.

In the ever-evolving landscape of cryptocurrency mining, coinminers have been facing a continuous decline in their activity, a trend that has persisted over time. When compared to Q1/2023, we observed a 4% decrease in the risk ratio.

This sustained decline can be largely attributed to the growing adoption of proof-of-stake (PoS) protocols by various cryptocurrencies. PoS is considered a more energy-efficient and environmentally friendly alternative to the traditional proof-of-work (PoW) consensus mechanism used in coinmining.

Global risk ratio in Avast’s user base in regard to coinminers in Q2/2023 

In Q2/2023, users in Serbia faced the highest risk of encountering a coinminer once again, with a risk ratio of 5.80%. Following closely were Montenegro with 4.58%, Madagascar with 3.76%, and Bosnia and Herzegovina with a risk ratio of 3.17%.

Global risk ratio for coinminers in Q2/2023 

Coinminer XMRig saw an increase in activity during Q2/2023, with its market share rising by 13% to reach 18.13%. Additionally, FakeKMSminer and VMiner became more prevalent, with their market shares increasing by 16% and 47% respectively, now holding 2.19% and 1.92% of the market each. Conversely, CoinBitMiner, CoinHelper, and NeoScrypt experienced declines of 7%, 13%, and 3% respectively, each holding roughly 1% of the market. Web miners also lost 2% of the market share, though they still dominate as the most prevalent form of coinmining, accounting for 65% of the market. 

The most common coinminers in Q2/2023 were: 

  • Web miners (various strains) 
  • XMRig 
  • FakeKMSminer 
  • VMiner 
  • CoinBitMiner 
  • CoinHelper 
  • NeoScrypt

Jan Rubín, Malware Researcher

Information Stealers 

Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions/cookies, browser passwords and private documents. 

During Q2/2023, information stealers experienced a 14% decrease in activity, mainly due to Raccoon Stealer and RedLine. These two saw their market shares drop by 31% and 36%, respectively. 

Global risk ratio in Avast’s user base in regard to information stealers in Q2/2023 

Looking at the countries where we have more significant userbase, the highest risk of information stealer infections currently exists in Pakistan, Turkey, and Egypt, with risk ratios of 2.62%, 2.23%, and 2.22%, respectively. Surprisingly, during Q2/2023, there was a decrease in activity across almost every region, except for Switzerland (+7% risk ratio), Bulgaria (+2%), and Japan (+1%). 

Map showing global risk ratio for information stealers in Q2/2023 

Based on our data, AgentTesla holds the title of the most prevalent information stealer, with a market share of 27%. It experienced a noteworthy increase in activity during Q2/2023, boosting its market share by 26%. FormBook (11% market share), Fareit (5%), and Lokibot (5%) also saw their minor market shares rise. On the other hand, ViperSoftX maintained its levels with a slight 2% decrease in activity, now holding a 2.2% market share. As for Raccoon Stealer and RedLine, they currently hold market shares of 7% and 6%, respectively. 

The most common information stealers in Q2/2023 were: 

  • AgentTesla 
  • FormBook  
  • Raccoon Stealer 
  • RedLine  
  • Fareit 
  • Lokibot 
  • ViperSoftX 

Raccoon Stealer is constantly evolving. The malicious actors responsible for this threat have recently integrated Signal Desktop into their configuration, meaning they can now steal data from the popular communicator’s desktop clients, expanding their reach and potential impact on victims’ privacy and security. 

Additionally, new information stealers have entered the scene. One such stealer is Meduza Stealer used for data theft, compromising information such as login credentials, browsing history, bookmarks, crypto wallets, and more. Another stealer is Mystic Stealer that steals various information from infected systems, including computer details, user geolocation, web browser data, and cryptocurrency wallet information. 

Clippers – another type of information stealer – are malware designed for clipboard hijacking and manipulation, usually focusing on cryptocurrency theft. They operate by monitoring the victim’s clipboard for copied wallet addresses. When a clipper detects a cryptocurrency address being copied, the malicious code discreetly swaps it with the attacker’s address. As a result, unsuspecting victims end up sending their digital assets to the attacker’s wallet instead of the intended recipient, leading to financial losses. 

Laplas Clipper is one of the clippers that has gained popularity during Q2/2023. According to our data, it increased its market share by 224% compared to the previous quarter, now holding 1.49% of the entire information stealers market share. 

Jan Rubín, Malware Researcher

Ransomware  

Ransomware is any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases, and other files on the victim’s PC. Those files become unusable without decrypting them first. In order to decrypt the files, attackers demand money, “ransom”, hence the term ransomware. 

The overall risk ratio in ransomware declined slightly in Q2/2023 compared to the previous quarter: 

Ransomware spreading in 2023

In Q2, countries with the highest prevalence of ransomware threats were:

  1. Mozambique
  2. Papua New Guinea
  3. Afghanistan
  4. Angola
  5. Ghana
  6. Republic of Korea
Map showing global risk ratio for ransomware in Q2/2023 

The most prevalent ransomware strain in our userbase for the quarter were: 

  1. WannaCry
  2. STOP
  3. Magniber
  4. GlobeImposter
  5. Hidden Tear
  6. Target Company
  7. LockBit

Vulnerabilities on the Rise 

A number of software vulnerabilities were used during the ransomware attacks in Q2/2023. Those included vulnerabilities in a widely used 3rd party software or leveraging of a vulnerable driver. 

The most havoc in the ransomware world was caused by the CVE-2023-34362 vulnerability in the Progress MOVEit Transfer software. Unpatched versions of the MOVEit Transfer suffer from an SQL-injection vulnerability that allowed for unauthorized access to the MOVEit database as stated by the security advisory from Progress. Progress has since issued a patch to fix the vulnerability. 

Another software vulnerability that was abused by threat actors to gain unprivileged access to the companies was in PaperCut, a print management software. As explained in the security advisory, there is a remote code execution (RCE) vulnerability, allowing to run a code on the PaperCut server without authentication. This vulnerability was abused by multiple ransomware gangs, such as Cl0p, LockBit and Bl00dy

Papercut has since fixed these vulnerabilities. Users running PaperCut MF and PaperCut NG versions lower than 20.1.7, 21.2.11, and 22.0.9 should update their systems immediately to close this attack surface. 

Additionally, the BlackCat ransomware was observed to be using a malicious driver to terminate running security software. A driver is a software component that runs in the very core of an operating system (in the kernel). As such, it needs to run with the highest permissions that are available in the operating system. 

The Windows operating system protects its eco-system by only allowing drivers that are signed by a trusted certificate. But there is a catch: the driver used by the BlackCat ransomware is signed by a stolen, valid certificate. Such driver, even if the certificate was revoked, can still be loaded by Windows 10 even with the latest updates: 

Akira Ransomware 

Akira is a strain of ransomware that emerged in March 2023. This ransomware is written in the modern C++, which promises an elevated level of compatibility across multiple operating systems. It is no surprise that a Linux version appeared soon after the initial launch. Apart from replacing MS CryptoAPI (which is Windows-specific) by Crypto++ (which is multi-platform), the code remained mostly unchanged, including the exclusion list that has no meaning on Linux operating system. The list is as follows: 

  • winnt 
  • temp  
  • thumb 
  • $Recycle.Bin  
  • $RECYCLE.BIN  
  • System Volume Information  
  • Boot  
  • Windows  
  • Trend Micro 

Avast discovered a flaw in the cryptography schema of Akira and published a decryptor that can help victims recover their data. However, Akira authors reacted swiftly and released an updated version of their encryptor that is no longer decryptable. Newer versions of the Akira ransomware use different extension for encrypted files; the Avast decryptor can only decrypt files that have the .akira extension. Nonetheless, many of the victims of the original version were able to recover their data and restore their businesses with the help of the Avast decryption tool. 

New trend: Encryption-less ransomware 

Encrypting user files is not a simple task. A typical computer may have gigabytes of potentially large data files – movies, music, ISO images, virtual machines. Those files’ encryption takes a lot of CPU work and raises red flags for security solutions.  

To help bypass these security solutions, a new trend was observed by ZScaler researchers – encryption-less ransomware. Instead of data encryption, such ransomware focuses on pure data extortion. Attackers then threaten to publish the data, which can severely damage the victim’s reputation or expose their intellectual properties. 

Ladislav Zezula, Malware Researcher
Jakub Křoustek, Malware Research Director

Remote Access Trojans (RATs)  

A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim’s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim’s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim’s webcam and microphone. 

In Q2/2023, Remcos continued to increase its share of attacks among other RATs. We saw the largest increase In Europe, Canada, South Africa, Vietnam and Indonesia where it gained a little over 30 %, while in the rest of the world its share slightly declined. In overall Remcos gained 22% compared to Q1/2023. The overall risk ratio of RATs slightly decreased compared to Q1/2023, however, looking solely at numbers for this quarter the trend seems to be going up with April being the calmest month. 

Global risk ratio in Avast’s user base regarding RATs in Q2/2023 compared to Q1/2023 
Global risk ratio in Avast’s user base regarding RATs in Q2/2023 

Countries with the highest risk ratio for RATs are Afghanistan, Iraq, and Algeria with the most prevalent threats being HWorm and njRAT. The countries with the highest increase in risk ratio are Bulgaria, Belgium and Serbia due to the activity of Remcos as mentioned above.

Map showing global risk ratio for information stealers in Q2/2023 

Another strain with considerable market share gain of 25% is Warzone which was mostly active in Greece, Bulgaria, Serbia and Croatia. Conversely, NetWire saw a drop of 60%, which is the largest decrease of all RAT Avast tracks. This may be related to the takedowns and arrests of cyber groups which happened in Q1/2023. 

The most prevalent remote access trojan strains in the Avast userbase are: 

  • HWorm 
  • Remcos 
  • njRAT 
  • Warzone 
  • AsyncRat 
  • QuasarRAT 
  • NanoCore 
  • Gh0stCringe 
  • DarkComet 
  • LimeRAT 

We have published a blog post detailing the workings and infection vector of HotRat. HotRat is a reimplementation of AsyncRat in .NET. This new rewritten version adds multiple new commands which are focused mostly on stealing data from victim machines. HotRat is being spread through pirated software such as products by Adobe and Microsoft, video games, and premium system and development tools like IObit Driver Booster, VMware Workstation or Revo Uninstaller Pro. 

Researchers from Avira also discovered a new RAT named ValleyFall which can log keyboard input, gather information from the victim’s system, download and execute other executables and more. According to their data, the United States is the most affected country. 

GobRAT is another RAT written in the programming language Go, capable of infecting Linux routers as reported by JPCERT/CC. It supports multiple architectures (ARM, MIPS, x86, x86-64). GobRAT has 22 commands available among them using reverse shell connection, running SOCKS5 proxy, attempting to log in to services running on other machines (sshd, Telnet, Redis, MYSQL, PostgreSQL) or carrying out DDOS attacks. 

Ondřej Mokoš, Malware Researcher

Rootkits

Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection. 

As reported in Q1/2023, we observed a downward trend in rootkits beginning in Q4/2022. If we compare the previous and the current quarter, we continue to see a decline, with the rate slightly tapering off. The next quarter should show whether the downward trend of rootkits is long term. The chart below shows the rootkit activity for the previous three quarters. 

Rootkit risk ratio in Q4/2022 – Q2/2023 
Global risk ratio for rootkits in Q2/2023 

When considering the risk ratio on a country-by-country basis, China continues to hold the top position in terms of the magnitude of rootkit activities. 

For the first time, we monitored the downtrend trend of the R77RK rootkit activity, which dominated the landscape for nearly 5 quarters. In Q2/2023, the R77RK market share is only 18% whereas the share was 40% on average for the previous year. In addition, the last R77RK release was on June 6, 2023, but was only a minor bug fix. 

In Q1/2023, we noted a reduction in R77RK releases, which probably caused the drop in the prevalence of the R77RK activities in the wild. We therefore expect a gradual decrease in the activities of this rootkit in the next quarter based on the graph below, which shows a downward trend in activities from Q1/2023.

R77Rootkit risk ratio in Q4/2022 – Q2/2023 

The market share also includes approximately 25% of rootkits of unspecified strains which are used as kernel proxies for various activities with higher system privileges such as killing processes, modifying network communication, etc. 

Below you can see the complete list of clearly identified Windows rootkit strains, along with their corresponding market shares: 

  • Cerbu (7%) 
  • Alureon (7%) 
  • Perkesh (6%) 
  • ZeroAccess (3%) 

The market share for clearly identified rootkit strains is the same as the previous Q1/2023 quarter. 

In terms of Linux operating systems, we continue efficiently discovering and tracking new Linux Kernel rootkits, for instance, we were first detecting Chicken or NetHid. We saw an increase in rootkits using magic packets, for instance NetHid handles a UDP magic packet for executing a malicious user-mode application. 

As you already know from the Syslogk rootkit, we are tracking threat actors in the development stage allowing us to early detect advanced threats but also PoCs and tools that they use during development (e.g. kernel modules for testing). 

Martin Chlumecký, Malware Researcher
David Álvarez, Malware Analyst

Vulnerabilities and Exploits 

Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine. 

The May Patch Tuesday security update contained a patch for CVE-2023-29336, a local privilege escalation vulnerability discovered by Avast researchers in the wild. This is a kernel exploit that targets a vulnerability in win32k, a subsystem providing graphics functionality in the Windows kernel. We shared a proof-of-concept exploit with Microsoft along with our vulnerability report, but we did not make any technical details about this vulnerability public. However, fellow researchers from Numen Cyber analyzed the patch and published a great write-up and a proof-of-concept exploit

While the win32k subsystem has always been a frequent target of exploits, there are some encouraging signs that indicate this subsystem might be getting more secure. First of all, Microsoft developed a number of win32k-specific exploit mitigations and security improvements over the years. Many of these aimed to eliminate kernel address leaks and break known exploitation primitives. A less-known security improvement is that Microsoft turned many raw pointers into smart pointers. This effectively made the CVE-2023-29336 use-after-free condition not exploitable on Windows 11, as well as on the latest builds of Windows 10. Furthermore, browsers such as Chromium adopted a mitigation sometimes known as “win32k lockdown“, which reduces the browser sandbox attack surface and makes win32k exploits impossible for sandbox escape exploits. Last but not least, a small part of win32k got recently reimplemented in Rust. Since Rust is designed to be a memory-safe language, this should significantly reduce the number of memory corruption vulnerabilities in the reimplemented code. 

In our Q1/2023 threat report, we wrote about the Nokoyawa and Magniber ransomware groups using zero-day exploits to deploy ransomware. Q2/2023 continued this concerning trend, with the most notable event being the Cl0p ransomware group exploiting CVE-2023-34362, a remote code execution vulnerability in the MOVEit Transfer web application. This data theft-only attack hit an astounding number of organizations worldwide, with many of them getting their stolen data published on the Cl0p leak site. 

In June, Kaspersky reported it was impacted by an APT attacker exploiting iOS devices, dubbing the attack Operation Triangulation. The exploits were delivered through an iMessage attachment in a zero-click manner. Kaspersky managed to recover three vulnerabilities: CVE-2023-32434, CVE-2023-32435, and CVE-2023-38606. The former two got patched by Apple in June and the third one was patched on July 24. As Eugene Kaspersky discussed in a blog, discovering such attacks is currently extremely hard due to the lack of visibility resulting from the closed nature of iOS. 

On top of these three CVEs in early July, Apple released a rapid security fix for a remote code execution vulnerability CVE-2023-37450 in WebKit, the browser engine powering the Safari browser. The vulnerability was reported by an anonymous researcher and might have been actively exploited. Apple later mentioned that the fix might affect the display of certain pages. Redhat’s support portal suggests that the vulnerability is related to processing of WebAssembly code. It is important to note that other apps using WebKit might be also affected by this vulnerability. 

Just after the end of Q2/2023, US CISA and the FBI published a joint advisory regarding a serious espionage attack by Chinese APT group Storm-0558 which was able to access tens of Outlook enterprise accounts. The attackers were able to obtain inactive MSA consumer signing key which they used to forge Azure AD access tokens. While the MSA key had been expired since 2021, the system still accepted the tokens signed by it. Researchers from Wiz later speculated, that the key also was trusted to sign OpenID tokens which are used for other Microsoft services such as Teams, SharePoint and OneDrive. Microsoft revoked the compromised key which mitigated the issue. 

There was a lot of activity surrounding vulnerabilities and exploits in Q2/2023 and at the beginning of Q3/2023. While some would say that there were many more reported vulnerabilities or with higher impact, it seems to be only a professional bias as we were not able to gather hard data that would show a general surge.  

Jan Vojtěšek, Malware Reseracher
Michal Salát, Threat Intelligence Director

Web Threats 

Scams 

A scam is a type of threat that aims to trick users into giving an attacker their personal information or money. We track various types of scams which are listed below. 

The Q1/2023 Threat Report shared that scams were the most prevalent threat type with a significant overall risk ratio of 7.7% and a 33% share among the other malware types.  In Q2/2023, the situation has further escalated, and the risk ration has more than doubled as demonstrated in the following chart. 

Scam risk ratio over the last three quarters 

Our telemetry saw a massive surge in scam attacks which began in April and lasted the duration of the quarter. Attackers have focused mostly on malvertising and malicious browser push notifications as a delivery mechanism for these scams – those are described below. As a result – scam attacks now form more than a half of all the blocked attacks in the Avast userbase

When we focus on targets of these attacks, we can see that scammers are not picky and target users across the world: 

Global risk ratio for scam in Q2/2023 

The countries most at risk of the scam attacks were Kosovo, Serbia, Bulgaria, and Slovakia. Furthermore, we’ve monitored one of the largest increases in scam risks in Vietnam (more than threefold), Argentina (+117%), Spain (+112%), France (+97%), Brazil (+95%), Mexico (+87%), Czech Republic (+81%), and in UK (+78%). 

The second most prevalent subtype after malvertising was dating scams (AKA romance scam), which also increased significantly quarter over quarter.  

Technical support scams followed in terms of overall prevalence but actually decreased slightly in Q2/2023 compared to the previous quarter.  

Finally, though not as prevalent as the other scam types, the extortion email scams had the most dramatic boost in Q2/2023 with a severalfold increase. We warned consumers of these emails in April 2023 and expect to see more of these types of threats in the future. 

Malicious Browser Push Notifications 

These types of notifications are a common browser feature that allow websites to send users push notifications. They can be pretty handy so, of course, scammers have found a way to exploit them. Attackers trick users into enabling these notifications so they can then be exploited. 

A trendy tactic of scam and adware authors is exploiting “push notifications” on web browsers. The user is forced to enable notifications in order to continue to the desired page – sometimes, a simple miss-click. The result is that the user is then redirected to various scam sites or bombarded with notifications for various offers and services that lure the user into clicking, for example popups that say the user’s computer is infected, enticing dating sites or incredible “deals” on products.  

Example of a malicious browser push notification blocked by Avast in Q2/2023 
Another example of a malicious browser push notification blocked by Avast in Q2/2023 

As previously mentioned, malicious push notifications were very prevalent in Q2/2023. The risk ratio was extremely high in African countries, such as Congo (18% risk ratio), as well as Japan (12%), Slovakia (11%), Spain (10%), and India (9%). 

Risk ratio for malicious browser push notifications in Q2/2023 

Based on our detection telemetry, this particular wave of attacks started in the middle of April and lasted through the entire quarter. 

Risk ratio for malicious browser push notifications in Q2/2023 

Dating Scams 

Dating scams, also known as romance scams or online dating scams, involve fraudsters deceiving individuals into fake romantic relationships. Scammers adopt fake online identities to gain the victim’s trust, with the ultimate goal of obtaining money or enough personal information to commit identity theft. 

There was a concerning and substantial rise in dating scams in Q2/2023 compared to the previous quarter. The surge is evident with a 39% increase, posing a significant threat to individuals seeking romantic connections online. 

In Q2/2023, we observed yet another variation of this scam, as attackers employed various methods of initial infection including deceptive emails, push notifications, and misleading advertisements. Once targeted, victims were redirected to seemingly legitimate dating sites populated with fake bot profiles. When individuals attempted to engage in conversation with these profiles, they were coerced into paying for a subscription, falling prey to the scam. 

Example of a dating scam lure site blocked in Q2/2023 
Example of a dating scam blocked in Q2/2023 
Example of a dating scam blocked in Q2/2023 

Tech Support Scams 

Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims’ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims’ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It’s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services. 

Luckily, one scam type was not on a rise in Q2/2023 – the technical support scam (TSS). The graph below demonstrates a notable decrease in TSS activity during this period compared to Q1/2023. This decline began at the end of April. 

Technical support scams in Q1/2023-Q2/2023 

Analyzing the data for Q2/2023, Japan emerges as the most active country with a TSS risk ratio of 3.63%, closely followed by Germany at 3.23%. The next top-performing countries are Canada with 2.60% and the USA with 2.51%, while Switzerland secures its place in the top five with a risk ratio of 2.18%. 

Refund and Invoice Scams 

Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It’s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud. 

In the digital world we live in, scam emails trying to trick us with fake invoices are becoming more common than ever. The people behind these scams are cunning – they play on our fears of forgetting to pay a bill, they use time pressure and talk about expired deadlines to make us panic, and they even tempt us with discounts to make the deal seem better. So, what’s the best way to avoid falling into this trap? Keep the lines of communication open with your accounting department. 

Example of an invoice scam – May 2023

Throughout Q2/2023, we observed a growing trend in the risk ratio of this threat type, with a notable peak in May.  

Invoice Scams in Q2/2023 

Looking at the map, we see that refund and invoice scams are mainly prevalent in the US and Australia, indicating a high level of activity in these regions. In contrast, Europe shows less activity. 

Global risk ratio for invoice scams in Q2/2023 

Phishing 

Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information. 

In Q2/2023, we observed a more stable, growing, trend in phishing compared to the previous quarter, with no drastic fluctuations. However, it is evident that activity has started to pick up again after experiencing a minor dip in April; this indicates the potential for an upward trajectory in the coming months. 

Phishing spreading in 2023 

Cybercriminals continuously refine their tactics and find new ways to exploit users. Vigilance and awareness are crucial to staying protected in the ever-evolving threat landscape. The increase in phishing incidents and the prevalence of smishing attacks serve as a reminder for consumers to be cautious of and skeptical about unsolicited messages and requests for personal information. 

Additionally, it’s noting that Google’s recent introduction of the “.zip” top-level domain (TLD) has led to an increase in domain registrations which can exploit strong similarities to a very popular archive file type. This development presents new challenges for organizations and cybersecurity professionals, emphasizing the need for continued vigilance and proactive cybersecurity measures. 

In conclusion, while the current quarter shows relative stability, the ever-present threat of cyber-attacks necessitates ongoing diligence and preparedness in safeguarding our digital presence.

One of the phishing campaigns blocked by Avast in Q2/2023 

Web-based Adware 

Web-based adware refers to malicious software or web pages that display unwanted advertisements in the form of pop-ups, banners, or redirects to third-party websites. Web-based adware can slow web browsing, potentially compromising user privacy and security. 

During Q2/2023, web-based adware continued to be widespread, featuring several noteworthy examples. Throughout this period, three primary adware types emerged as dominant – we will introduce each within this section. 

Fake Win 

One of the most popular ad types are “winning pages” with various winning prices. Adware authors often misuse the names of well-known brands to lure their victims. The modus operandi is always similar: the user spins the virtual roulette or clicks on some wheel of fortune. The first attempt is always unsuccessful, and the next attempt informs users about the win. However, the condition for the payment of the prize is registration and entering personal data, often including credit card data. The appearance of credibility is added by a chat on the same page, which declares that the processing of the information worked as expected. 

An example of a Fake win adware blocked by Avast in Q2/2023 

Adult Content 

One of the most significant forms of adware revolves around enticing users with adult content. Particularly prevalent within this category are adult chat rooms, which try to compel users to access an app or website where they can register and “enjoy flirting”. Victims ultimately end up on a website where most profiles are fake or even dangerous since attackers can use social engineering to extort money from users under the pretext of sending photos, paying travel expenses, etc. 

As shown in the animation below, even if the user indicates they are below the required legal age, they are still redirected to a site with adult content, which is always suspicious. 

An example of an adult-content adware blocked by Avast in Q2/2023 

Movies for “free” 

Web-based adware also hides under the promise of watching popular movies for free. The animation below shows that a hunting page plays a few seconds of intro and then asks for a click and registration, which usually leads to a page with some adware.

An example of a Fake free movie adware blocked by Avast in Q2/2023 

Alexej Savčin, Malware Analyst
Martin Chlumecký, Malware Researcher

Branislav Kramár, Malware Analyst
Matěj Krčma, Malware Analyst
Bohumír Fajt, Malware Analysis Team Lead
Jakub Křoustek, Malware Research Director

Mobile-Related Threats 

This quarter, we have witnessed several interesting developments in the mobile threat ecosystem. Notably, a spyware kit has surfaced on GitHub, adding to a series of spyware kits that have become publicly accessible in recent months.  Furthermore, there are indications of another spyware being utilized for state surveillance, boasting extensive access to victims’ personal information. 

In an interesting incident, a seemingly benign screen recorder in the Play Store turned malicious after an update delivered a spyware RAT. This technique of delayed malware delivery through updates was also used to drop banker malware under the guise of an AI text reader update.  

Finally, we observed a worrying trend of mobile loan applications with intrusive permissions using personal information to blackmail victims. 

Adware at the top again 

Adware threats on mobile phones refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until sometime after installation and coupled with stealthy features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few. 

Mobile users had to contend with adware as the most prevalent threat in Q2/2023. Adware serves intrusive advertisements to the devices of its victims, raking in fraudulent advertising revenue. Hiding its presence is a core component in maintaining its ability to generate this revenue, hence adware generally hides its icon or otherwise masquerades itself. 

HiddenAds were the main strain of adware targeting users this quarter, closely followed by MobiDash and FakeAdBlockers. MobiDash continued its climb in popularity from last quarter with a 19% increase in targeted users, surpassing FakeAdBlockers which are down by 66%. All three strains have a similar modus operandi: displaying out-of-context full screen adverts to their victims while hiding their presence on the device. These are generally delivered through third-party app stores, pop-up messages on less reputable sites and malicious advertisements. Once installed, it may prove difficult to uninstall the apps due to their stealthy features. 

A repacked HiddenAds Minecraft clone app as seen on Play Store prior to its removal 

Of note is another HiddenAds campaign discovered on the Play Store that garnered tens of millions of downloads during its reign. This strain focused on abusing advertising SDKs to fake displaying adverts to users to gather revenue. Victims were able to play the Minecraft clone game while these malicious actions were going on in the background, without their knowledge.  

Threat actors continue to find new ways to sneak HiddenAds onto the Play Store, either through further obfuscation of malicious features or introducing said features in later updates.

Global risk ratio of mobile adware in Q1/2023-Q2/2023  

We see a decrease in adware targeted users compared to last quarter, which can likely be attributed to the sharp fall in FakeAdBlocker hits. This is balanced by the new HiddenAds campaign that snuck onto the Play Store this quarter.

Global risk ratio for mobile adware in Q2/2023  

Brazil, India and Argentina keep their top spots this quarter with the most affected users. This remains unchanged despite the decrease in overall users affected by adware and Brazil having 26% less affected users in Q2/2023. India, Indonesia and Pakistan have the highest risk ratio, meaning users are most likely to encounter adware in these countries. 

New Banker strains added to the fray 

Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim’s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information. 

This quarter brings with it continuations of established banker strains as well as some new strains that make use of established techniques with a few twists. A continuing trend, the overall prevalence of bankers is on the decline as observed over the last few quarters, even with new strains popping up every quarter. Cerberus/Alien maintains its top spot in our telemetry despite losing a significant 50% of its prevalence. Coper has moved up to 2nd place surpassing Hydra, another banker strain that lost over 50% of its victim base. 

Fake PDF editor app requesting file access permission, preparing the stage for the Anatsa banker delivery

Of note is a new dropper campaign on the Play Store which delivered the Anatsa banker. The US, UK, Germany and other European countries were the main targets of fake PDF reader applications that were used as droppers over the course of a few months. Initially benign, these apps were later updated to activate malicious components that delivered the banker in the form of an AI text reader ‘update’. With the ability to target and exfiltrate login information from over 600 financial institution apps, Anatsa also features full device takeover that allows it to perform transactions on behalf of the victim.  

Chameleon banker masquerading as the Crypto.com app requesting Accessibility permissions to initiate its malicious activity 

Another recent addition to the banker ecosphere is the Chameleon banker. Distributed through compromised websites and Discord servers, it appears to mainly target Poland and Australia. Disguised as ChatGPT, Bitcoin and Chrome among others, it uses keylogging and phishing HTML injection to steal credentials from its victims. Interestingly, it also features the ability to exfiltrate cookies when a victim attempts to access the popular Coinbase crypto exchange website, likely attempting to hijack the session to perform transactions on the victim’s behalf. Finally, the banker can detect uninstallation efforts by the victim and deletes itself if it anticipates the user getting suspicious about the banker app. 

Global risk ratio of mobile bankers in Q3/2022-Q2/2023  

We continue to observe a steady decline in the banker risk ratio in our telemetry for the last few quarters. This is despite new strains appearing in the banker ecosphere. It is likely that threat actors behind bankers are more focused on specific countries with more elaborate methods of banker delivery as well as tailored fake bank login pages. 

Global risk ratio for mobile bankers in Q2/2023  

Turkey holds its top place from last quarter with the most protected users and highest risk ratio while Spain, France, Brazil and Italy follow closely behind. We do observe a focus on EU countries and Australia through the newly discovered strains in the past few quarters. 

Spyware evolution & SpyLoans 

Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits. 

This quarter has witnessed a notable surge in the prevalence of spyware, with Spymax once again taking the lead. The landscape is further enriched by several new additions, including BouldSpy, which potentially has affiliations with state surveillance, an SDK titled SpinOK that features potential spyware functionalities, and DogeRAT, a spyware kit made accessible on GitHub.  

Alongside these new entries we observe an increased prevalence in SpyLoans, loan applications that extract personal information with intent to blackmail victims for money. 

DogeRAT’s promised features listed on its GitHub page 

Spymax remains the top spyware despite a slight decrease in its risk ratio this quarter. It continues to be used to extract personal information such as SMS messages, contact lists, location and more. DogeRAT, a spyware kit available on GitHub, appears to have taken inspiration from Spymax as we note similarities in its code and functionality.  A novel addition is the employment of a Telegram panel for spyware control and execution of various functions, notably encompassing microphone and camera capture. Dissemination occurs through SMS messages guiding users to download the application.

A benign request that can be mis-used by AhRAT with a later malicious update 

Spyware managed to sneak onto the Play Store this quarter when a screen recorder app turned malicious with a delayed update bringing AhRAT spyware with it. A tactic observed several times in recent years, users who installed the previously clean version of the app would automatically update to the malicious version without their knowledge. AhRAT’s C2 communication indicates it should be able to perform a variety of spying functions such as SMS extraction, location tracking, screen recording and others. However, it appears that it was only capable of extracting files from the device and recording with the device microphone. We speculate that future versions may have introduced further features, but the app was detected and removed from the Play Store before that could happen. 

 
Another Play Store campaign of note is the SpinOK spyware capable SDK that was present in highly prevalent applications. This spyware can gather file lists, telemetry from device data sensors and in some cases copy the clipboard contents and exfiltrate these to a remote server. Some applications were removed from the Play Store while others were allowed to stay after they removed the spyware SDK. 

 
An interesting strain called BouldSpy was discovered by Lookout, with possible links to Iranian state police. Labelled as a possible botnet, it also contains CryCrypt ransomware capability, although it appears this remains unused, potentially saved for future use. Often masking as the official Android phone app, it can record voice calls from popular messenger applications such as WhatsApp, Viber and others. It uses the Accessibility service to hide its presence and masquerade as an official app, even mimicking its look and functionality. Meanwhile, it extracts SMS messages, browser history, photos and more in the background. 

Invasive information collection under the guise of enabling loan processing as often stated in ToS of spy loan applications 

A worrying trend that has been ongoing for several quarters now is the prevalence of loan applications that promise fast cash distributed through the Play Store. Previously reported on by Zimperium, these loan applications request invasive permissions under the guise of a credit check or loan security. Once the user allows these permissions, the spy loan apps extract sensitive information such as messages, contact lists, photos or browsing history. These are then used to blackmail victims, oftentimes even if they pay the agreed loan repayments. Unfortunately, this trend is gaining popularity with blackmail loan apps appearing to focus on regions with limited bank loan access such as South America or Asia. Users are advised to avoid mobile loan applications that are not from a trusted financial institution.

Global risk ratio of mobile spyware in Q1/2023 and Q2/2023 

We see a slight uptick in the risk ratio of spyware this quarter, likely attributable to the high number of new strains entering the market. Freely available strains on GitHub such as DogeRAT can also contribute to the increased spread of spyware. 

Global risk ratio for mobile spyware in Q2/2023 

Brazil has the highest number of protected users, followed by India, Turkey and the US. Users in Yemen continue to be at higher risk of encountering mobile malware when compared to the rest of the world.

Jakub Vávra, Malware Analyst

Acknowledgements / Credits 

Malware researchers

Adolf Středa
Alexej Savčin
Bohumír Fajt
Branislav Kramár
David Álvarez
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Luis Corrons
Martin Chlumecký
Matěj Krčma
Michal Salát
Ondřej Mokoš

Data analysts

Pavol Plaskoň 
Filip Husák 
Lukáš Zobal

Communications

Brittany Posey
Emma McGowan
Marina Ziegler 

The post Avast Q2/2023 Threat Report appeared first on Avast Threat Labs.

Unpacking the Threats Within: The Hidden Dangers of .zip Domains

31 July 2023 at 12:38

There has been quite a discussion regarding Google’s recent introduction of .zip, .mov, .phd (and other variations) as top-level domains (TLDs). The opinions in the cybersecurity community can be distilled into two camps. A fair number of experts assume that this move from Google will likely cause even more confusion for non-tech savvy users navigating the internet. The second camp thinks otherwise. That it basically is a difficult realm to navigate in already and that users rarely pay attention to the URL and its components. When digging into this topic and our data, we identified that cybercriminals have already started abusing .zip domains to mislead users into thinking they are downloadable files, instead of URLs. Our research shows that out of the top 30 .zip domains blocked by our threat detection engines, one third abuses names of leading tech companies such as Microsoft, Google, Amazon and Paypal, to trick people into thinking that they are files of trusted companies.

In the early days of the internet, TLDs were introduced to streamline the process of browsing and sorting through online content. The main reason for using domain names and TLDs was to make navigation around the web more user friendly. Also, at the time geographical location was also important. The well.sf.ca.us, originally pointed out by Ars Technica, is a great example of using the TLD to denote its geographical location, in this case San Francisco, California, in the United States of America. It also helps us distinguish the basic nature of the server we are visiting. .com, associated with the commercial nature of a website, and .org, associated with nonprofits, are probably the most common TLDs used to denote the characteristics of a domain. According to Statista, .org and .com account for 50% of all TLDs worldwide.

The purpose of TLDs has become much more blurred recently (past several years). They can also serve as part of branding efforts now, such as the .lidl or .edeka TLD or other exotic TLDs that come to my mind. For example, .beer, .motorcycles, .plumbing, .soccer, .taxi, and so on. There’s little that isn’t achievable. When the Internet Corporation for Assigned Names and Numbers (ICANN), the non-profit which oversees and manages unique Internet identifiers, like IP addresses and domains, last expanded the scope of TLDs, they set the evaluation fee at $185,000, limiting applicants to only established entities, whether public or private. It’s undeniably a high-priced venture.

So, what issues could arise with a .zip TLD? Personally, I see a significant concern in the potential for file confusion and the consequent difficulty distinguishing between local and remote sources, which could pose a security threat. For educational purposes I crafted a prototype email that leverages the fact that the attachment and the link can point to completely different locations.

Email that the attacker might have crafted for use

It appears that using a .zip domain to deceive users can be remarkably easy. Moreover, the link preview can be manipulated to hide the protocol used, such as HTTP(S). This definitely helps the attacker to lure the user where they want.

It seems that we have reached a point where the original purpose of making URLs understandable to the public is gradually deteriorating over time. Which address seems more suspicious to you: https://52.144.44[.]169 or latestupdate[.]zip (which resolves to that IP)? I have my doubts as well. I do not imply that most of the .zip domains are or will be inherently malicious. However, I foresee a certain number of domains that, if not registered by entities closely related to their respective products, are very unlikely to be used for legitimate purposes. Looking at the top blocked domains by Avast with a .zip TLD we see that there are many mimicking legitimate companies. Also, there is a second group that tries to imitate files.

The most interesting domains are those that are closely related to large service providers, which are well known to the public. These include microsoft-office[.]zip, microsoft[.]zip, csgo[.]zip, google-drive[.]zip, microsoftonedrive[.]zip, googlechrome[.]zip, and amazons3[.]zip. Other perfect examples that I would describe as well designed are those with a pdf keyword combined with a subdomain. Namely 226x227.pdf[.]zip, 2023-05.pdf[.].zip, cv3.pdf[.]zip, temp1_rsbu_12m2021.pdf[.]zip. Checking on who.is yields expected results.

Whois record for attachment.zip

Most of the time, when a registrant’s information is redacted from the WHOIS database, it clearly raises suspicions. It’s definitely not the most important red flag, but it’s a piece of the puzzle. When combined with the domain name, we can be fairly certain that there might be some shady activities going on with a high degree of certainty.

Another perfect example of taking advantage of these domains is the usage of @ in a URL. The @ character is part of the authentication scheme (user:password@host), and it holds a special significance in the URL. Since this method is strongly discouraged nowadays and rarely used the chance of a user spotting a malicious URL is greatly diminished. Sending your username and password unencrypted over the internet is also not considered the best practice :-). As mentioned in RFC 3986, this technique can obscure the landing page from the user if utilized in a certain manner.

RFC mentioning the potential misuse of “@” in a URL

The URL will take user straight to 10.0.0.1 under a username of cnn.example.com&story=breaking_news for the ftp server to the /top_story.html path. This method can also be further refined by employing another technique, as highlighted in this article.

The / character, also known as the forward slash, plays a special role in defining path segments in a URL. If a URL contains a forward slash, all subsequent characters are considered part of the path segment. However, if the forward slash is replaced by a similar-looking character, everything before the @ is discarded. This is because browsers discourage this authentication method. Thus, an attacker’s goal is to use a character closely resembling the forward slash. This tactic ensures that everything before the @ is disregarded by the browser, directing the user to a potentially malicious domain after the @ character.

Let’s take an example from our most recent data and, for instance, let’s consider csgo.zip domain that showed up in our telemetry. We can modify it in a way that, while appearing legitimate, it leads the user straight to a malicious domain according to VirusTotal. The address segment before the @ character will be discarded.

Forward Slash (U+002F)
https://www.steampowered.com/downloads/latest/@csgo[.]zip

We have replaced the forward slash with the Fullwidth Solidus. If we had used a normal forward slash, we would have ended up with an incorrectly formatted URL, which would not have worked as expected. The Fullwidth Solidus is predominantly used in East Asian languages as a date separator, or in situations where a fixed-width separator is necessary.

It is almost indistinguishable from forward slash. And with the help of current AI, we can generate quite a lot of visually similar Unicode characters effortlessly.

URL Variations Using Different Slash Characters:

  1. Forward Slash (U+002F)
    https://www.steampowered.com/downloads/latest/@csgo[.]zip
  1. Fullwidth Solidus (U+FF0F)
    https:⁄⁄www.steampowered.com⁄downloads⁄latest⁄@csgo[.]zip
  1. Division Slash (U+2215)
    https:∕∕www.steampowered.com∕downloads∕latest∕@csgo[.]zip
  1. Fraction Slash (U+2044)
    https:⁄⁄www.steampowered.com⁄downloads⁄latest⁄@csgo[.]zip
  1. Mathematical Slash (U+27CB)
    https:⟋⟋www.steampowered.com⟋downloads⟋latest⟋@csgo[.]zip

All of these variants, with the exception of the forward slash, will direct us to csgo.zip. At the time of our research, the link found on the website leads to a benign zip file, which contains an image of a CS:GO player. However, since we don’t know who operates this domain, there’s no guarantee that the content will remain the same in the future.

To share some insights, we examined the three domains most frequently blocked by our systems to understand the dynamics of the threat. These domains, listed in alphabetical order, are 42.zip, attachments.zip, and download.zip. Each of them has a significantly high ‘score’ on VirusTotal, and all registrant information has been redacted. As can be seen in the graph below, the number of protected users skyrocketed at the beginning of June, only to fall sharply thereafter.

Another graph focused on the number of unique users and total submits daily paints the same picture.

What is the reasoning behind this? Even though the zip domains are appealing and certainly tempting for cybercriminals to use, they leave an audit trail and can be easily blocked. This is evident from the graph provided. It is definitely more elusive to take advantage of insecure webservers or outdated WordPress installations than to register a domain. This is also the reason why the number of blocked attacks was lower than I personally expected.

Last but not least, let’s put the threats posed by .zip domains into a broader context. I’ve aggregated the number of users protected under specific domains to evaluate the share of .zip compared to the rest. In short, the .zip domains didn’t make it to the list. The largest share blocked by our web shield belongs to .com, which is understandable given the high number of registered .com domains. However, when we examine the remainder, a few domains stand out.

As we can see, there is a certain discrepancy between the number of registered domains under certain TLDs (graph below) and the connections that we block under these TLDs every day (graph above). Threats are not evenly distributed among the TLDs. There are a few TLDs that I encounter almost daily that consistently raise some suspicion. These include .xyz, .online, .biz, .info, .ru, .life, .site, among others. While visiting these and many other domains, I would urge extra caution. However, this doesn’t mean that you are entirely safe when encountering a .com domain. It’s all part of a larger picture, and users need to be vigilant when opening emails or navigating through the vastness of the internet. To aid in this, we have prepared a list of points that should assist you. 

Statistics of most popular TLDs

What to do: 

  1. Be wary of .zip TLDs: Treat any .zip Top-Level Domains (TLDs) with caution, as they could potentially host malicious content. 
  1. Monitor company traffic: Keep a close eye on your company’s web traffic, specifically looking out for any unusual activities related to .zip TLDs. 
  1. Consider introducing special email filters: To further protect against potential threats, consider implementing special filters for emails that contain .zip TLDs in their content. 
  1. Keep your antivirus software updated: Always ensure your antivirus software is up to date to maximize its effectiveness against the latest threats. 
  1. Stay informed about new threats: Regularly read security bulletins and reports about emerging threats to stay ahead of potential dangers. 

The post Unpacking the Threats Within: The Hidden Dangers of .zip Domains appeared first on Avast Threat Labs.

HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within

19 July 2023 at 13:46

Despite the substantial risks involved, the irresistible temptation to acquire high-quality software at no cost persists, leading many people to download illegal software. Therefore, distributing such software remains an effective method for widely spreading malware. This analysis reveals that cracked software often contains hidden scripts that deploy attackers’ malware on victims’ computers, sometimes even containing additional malware itself.

Our focus is on examining the usage of an AutoHotkey script attached to pre-hacked software. This script triggers the release of a variant of AsyncRAT malware that we’ve named HotRat. However, the first step of the deployment process requires administrative rights. Given that abused software often requires high privileges by default, victims do not find the request for additional permissions suspicious. Furthermore, the deployment process compromises system security by disabling antivirus protections before installing HotRat onto the victim’s machine.

HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data. Our research underscores the importance of steering clear of unauthorized software downloads and emphasizes the vast risks tied to these actions, including multiple malware infections and the potential leak of sensitive information. We advise sourcing software from legitimate and approved providers as it ensures safety, legality, and continuous support. Users should also uphold system security measures, like antivirus programs, to safeguard against these evolving cyber threats.

Weaponization and Delivery

Threat actors are seizing cracks available online through torrent sites or suspicious web pages, and they craft a malicious AutoHotkey script, turning it into an executable that carries the same icon as the hijacked crack. The attackers accomplish this by compiling the script using the Ahk2Exe compiler (version 1.1.36.00). As a result, the executable involves several stages that ultimately deploy a .NET implementation of AsyncRAT, which we have named HotRat, and this includes the aspect of persistence.

This mode of infection has been seen in various types of cracked software, and it can theoretically be inserted into both illegal and legal software installers. The most commonly affected group is typically Adobe (Illustrator, Master Collection, Photoshop) and Microsoft (Office, Windows) software. The second group primarily consists of video games such as Battlefield 3, Age of Empires IV, Red Alert 2, and The Sims 4. Lastly, the final significant group is composed of premium software used as system and development tools (e.g., IObit Driver Booster, VMware Workstation, Revo Uninstaller Pro, etc.).

Installation

The installation process involves multiple stages, as depicted in Figure 1, to deploy the final HotRat malware and ensure its persistence on the infected system. It begins with a stripped-down version of an expected cracked software setup. The only function of this setup is to initiate a malicious AutoHotkey script. Interestingly, the setup shares the same icon and metadata as the expected software. There’s also a separate folder containing malicious materials alongside the expected software to be “cracked”.

Figure 1. Installation process of HotRat

The AutoHotkey script first launches the original setup of the targeted software, providing the illusion of a benign installation process. However, a PowerShell script concealed in PowerPoint.xml runs simultaneously, aiming to weaken system security, specifically by:

  1. Disabling the Consent Admin, enabling operations requiring elevation to be performed without consent or credentials.
  2. Uninstalling Avira AV.
  3. Altering Windows Defender settings.

More detailed information on these system security modifications can be found in the Anti-Detection and Bypass System Security section. Lastly, an Embedded PowerShell script is executed to ensure the persistence of the malware on the system.

Embedded PowerShell Script

The Task Scheduler is used to maintain the malware’s persistence on the infected system. The embedded script creates a new task with a deliberate typo in its name (“administartor”) that executes a VBS Loader every two minutes. An example of this scheduled task is:

schtasks.exe /create /tn administartor /SC minute /MO 2 /tr C:\ProgramData\Microsoft\IObitUnlocker\Loader.vbs /RL HIGHEST

Additionally, the embedded script adds the process name RegAsm.exe to the Windows Defender Exclusion list because this process is exploited for injecting the payload, as described later.

The final operation within the embedded script processing involves the activation of a .NET Extractor. This extractor unpacks malicious files – including the final HotRat payload and support files – into a persistence folder. The script utilizes the Reflection.Assembly method to trigger a UAC method, as exemplified here:

$bytes = [System.IO.File]::ReadAllBytes("'%A_WorkingDir%\Data\Library.dll'")
[Reflection.Assembly]::'Load'($bytes).GetType('Library.Class1').GetMethod('UAC').Invoke($null,$null)

The .NET Extractor has another crucial function beyond just unpacking malicious files. The malware authors detect the most frequently used antivirus software and attempt to deactivate them using IObit Unlocker. The persistence folder also contains IObit files capable of deleting system and protected files via the IObit driver. Finally, the extractor uses a straightforward command to remove folders of the detected antivirus software, as demonstrated here:

IObitUnlocker.exe /Delete <av_folder>

Once the embedded script is successfully executed, all necessary files are prepared for deploying the final HotRat payload. This is accomplished using the VBS Loader, which is run by the previously scheduled task.

HotRat Deployment

Once the scheduled task is set up and eventual AVs deactivated, the scheduled task periodically runs the VBS Loader, which gradually deobfuscates and injects the final HotRat payload, as Figure 2 demonstrates.

Figure 2. HotRat deploying using Task Scheduler
VBS Loader

The persistence folder usually contains a VBS script file enrolled in the scheduled task, an entry point for the deployment process. The folder has a few other files used to obfuscate the final payload. To cover every aspect, we include paths found so far list of the persistence folder:

  • C:\ProgramData\Microsoft\IObitUnlocker
  • $env:USERPROFILE\AppData\Roaming\IObitUnlocker
  • $env:USERPROFILE\AppData\Roaming\PerfLogs
  • C:\ProgramData\PerfLogs
  • C:\ProgramData\Data

The VBS Loader script only executes a PS1 script located in the same persistence folder; typically, with name Report.ps1. The PS1 script, called PS Loader, extracts two .NET executable files from PNG files located in the same persistence folder using the PNG Steganography. The PNG files do not contain any exciting content, and there is only a single pixel line with pixels in different shades of red.

The current steganography implements a simple method of extracting useful bytes from each red pixel as follows:

foreach ($x in 1..$img.Width ) { $File.Add(($img.GetPixel($x - 1, 0).R)) }

The first Image.png file contains the final HotRat payload injected into the host process (RegAsm.exe) via a .NET Injector hidden in the second pe.png file. The injector is a simple .NET application with a simple method:

void Execute(string processPath, byte[] payload)

and the host process path is hardcoded in PS Loader as follows:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Once the process is successfully injected, the HotRat is active, identified AVs are turned off, and persistence is established in the infected system.

HotRat Malware

The final payload that we call HotRat derives from the open-source implementation of AsyncRAT. The malware authors extended the AsyncRAT implementation with new functions to steal various personal information and credentials; it can deploy other malware. So, HotRat is a comprehensive RAT malware. We have identified around 20 newly implemented commands. Most of the commands are realized as a payload service. Specifically, the attackers send a command and zipped .NET payload, which is executed, and the results are sent back to C2. The entry point for each command is a method called PL, as Figure 3 shows.

Figure 3. Command execution of the .NET payload

We have captured no .NET payloads yet, so we just assess functions for each command by its name. On the other hand, there are direct implementations for other commands where we can describe the original functionality of the commands. The table below shows the identified commands and their purpose.

CommandDescription
anydeskSteal credential for AnyDesk – NOT CONFIRMED
AvastRemove Avast Antivirus – NOT CONFIRMED
backproxySetup the Backproxy – NOT CONFIRMED
DicordTokensSteal Discord tokens – NOT CONFIRMED
getscreenTake a screenshot – NOT CONFIRMED
gettxtSend a current clipper text
KillProxyKill Backproxy – NOT CONFIRMED
killpsKill a specific process
klgetSend keylogger log to C2 (stored in %Temp%\\Log.tmp)
Net35Install .NET Framework redistributable – NOT CONFIRMED
passloadUNKNOW
pongC2 server’s response to the ping command
ResetScaleReset display scaling
savePluginSave a plugin to the victim machine
setxtSet a specific text into the clipboard
uacoffSwitch UAC Off – NOT CONFIRMED
WalletsSteal crypto wallets – NOT CONFIRMED
WDExclusionAdd an exclusion into Windows Defender – NOT CONFIRMED
WebBrowserPassSteal stored passwords from web browsers – NOT CONFIRMED
weburlDownload an executable from a URL and execute
Table 1. HotRat command summarization
C2 Servers

There are several samples with hardcoded C2 servers and ports. However, most C2 servers are provided through free DNS servers. Moreover, the clients’ ports are different for each DNS record. So, it is sometimes impossible to track the final IP addresses.

We have identified two IP addresses and ports as follows:

  • 185.205.209.206:1114
  • 108.143.240.80:112

The list of captured DNS records is following:

  • fon1[.]sells-it.net
  • foxn1[.]sells-it.net
  • srxy123[.]is-a-geek.com
  • websites[.]theworkpc.com
  • dynsys[.]is-a-guru.com
  • rec[.]casacam.net
  • samaerx[.]ddnsfree.com

The communication protocol between clients and C2s is the same as the implementation of the AsyncRAT original one.

Anti-Detection and Bypass System Security

Since HotRat is run with admin privileges, it is very easy for attackers to make changes in security. As we noted before, the HotRat Installation process includes specific actions to evade security software for most antivirus software and weaken system security.

There are a few methods to remove antivirus software. The Avira AV is deactivated using a simple command to uninstall the Endpoint Protection SDK, as follows:

C:\"Program Files"\Avira\"Endpoint Protection SDK"\endpointprotection.exe uninstallSdk

Even when the Windows Defender is not deactivated, the installation process adds the whole C:\ path into the exclusion paths.

The rest of the AVs (Malwarebytes, Avast, AVG, and McAfee) detected by HotRat are deactivated through the IObit Unlocker tool that implements a kernel proxy driver to remove system-protected files. Therefore, HotRat can also delete AV files that are identified by a simple test of folder existence in these paths:

  • C:\Program Files\Avast Software
  • C:\Program Files\AVG
  • C:\Program Files\Common Files\McAfee
  • C:\Program Files\Malwarebytes\Anti-Malware

The HotRat malware also switches off the Consent Admin to perform an operation that requires elevation without consent or credentials because the AutoHotkey script executes other supporting executables that require higher permissions. Hence, the following registry update turns off the Consent Prompt:

Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0

Prevalence

The incidence of HotRat malware first started to rise significantly in mid-October 2022. Since then, we have been observing a stable trend of occurrence in the wild.

The most affected regions are Africa, south Asia, central and East Europa, and North America. The map below illustrates the detailed distribution and risk ration of HotRat malware in the wild.

HotRat malware distribution in the wild

Abused Software

The list of abused software is varied. As we mentioned above, the attackers focus on the most wanted software in the field of video games, image and sound editing, office applications, and system tools.

Unfortunately, due to its popularity, the brand name of one of our products, CCleaner, was also misused to spread HotRat via an illegal copy of the product. We encourage our users to ensure that CCleaner is downloaded directly from our server (ccleaner.com) to ensure they are installing an official (and thus secure) and copy of the software.

The list below summarizes the most frequently cracked software misused by the attackers utilizing HotRat malware.

  • Adobe Illustrator 2023 v27.1.0.189 (x64) Pre-Multilingual Pre-Activated
  • Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated
  • Adobe Photoshop 2021 v22.0.0.35 (x64) Multilingual (Pre-Activated)
  • Advanced System Care 16.1.0.106
  • Age of Empires IV Digital Deluxe Edition
  • Allavsoft Video Downloader Converter 3.25.3.8409 + keygen
  • Battlefield 3 Premium Edition + all DLC
  • CCleaner (All Editions) 6.08.10255 (x64) + Patch
  • Command & Conquer Red Alert 2 [ 3.3.1 direct play portable]
  • CyberLink Screen Recorder Deluxe 4.3.1.25422
  • Disk Drill Enterprise v50734
  • EaseUS Data Recovery Wizard Technician v15.8.1.0 Build 20221128 + Fix {Cracks}
  • Far Cry 4 gold edition – v1.10 + all dlcs
  • IDM 6.41 build 4 incl Patch 3.12.2022 [CrackingPatching]
  • IObit Driver Booster Pro v10.2.0.110 + Fix {Crack
  • IObit Uninstaller Pro v12.3.0.8 + Fix {CracksHash}
  • KMSpico 10.1.8 FINAL + Portable (Office and Windows 10 Activator)
  • Microsoft Office 2022 LTSC v3109(x64) Pre-Cracked [CrackingPatching]
  • Microsoft Office Professional Plus 2021 v2108 Build 14326.20144 (x86+x64) Incl. Activator
  • Nitro Pro Enterprise v13.70.2.40 (x64) + Fix {Crack}
  • PlayerFab v7.0.3.1 (x64) + Fix Crack
  • Proxima Photo Manager Pro 4.0 Release 7 Multilingual
  • ResumeMaker Professional Deluxe v20.2.0.4060 Pre-Cracked Crack
  • Revo Uninstaller Pro 5.0.8 Multilanguage
  • ScreenRecorder_4.3.1.25422_Deluxe
  • SkylumLuminarNeo1.6.1(10826)x64Sky
  • Sniper Elite 4 Deluxe Edition v1.5.0 All DLCs Multiplayer Dedicated Server
  • The Sims 4 (v1.94.147.1030 & ALL DLC’s)
  • Tiktok 18+ Plus PC Download (Latest Version) V1.3.5 For Pc
  • Topaz Video AI v3.0.5 (x64) + Fix {Crack}
  • Vmware Workstation pro v17.0.1 build 21139696 (x64) + fix {crackshash}
  • Wondershare Filmora X 3.0.6.3 (x64) Multilingual
  • Wondershare UniConverter v14.1.9.124 (x64) + Fix Crack

Malicious File Repositories

Infected files are usually stored on public repositories. Specifically, the most seen public share websites are krakenfiles[.]com, send[.]cm, easybytez[.]com, easyupload[.]io, wetransfer[.]com, and www.mediafire[.]com. On the other hand, some samples are located on dedicated servers; for example, 51-83-136-132[.]xyz, s1-filecr[.]xyz. So, there is no central C2 server hosting the malicious files.

When the malicious files are stored on various hosting serves, URLs leading to the files are distributed to the victim’s machines through multiple platforms such as social networks, torrents, forums, or public repositories with the possibility of searching. Figure 4 illustrates the example of Facebook and one forum posts.

Figure 4. Spreading of malicious URLs via Facebook and one forum

Attackers commonly employ a deceptive tactic of actively participating in online forums. Often, victims are searching these forums for assistance in downloading unauthorized software. However, the attackers mislead them by redirecting to alternative URLs where the HotRat malware is already waiting, as demonstrated in Figure 4.

Conclusion

Despite the known dangers, a persistent trend of software piracy exposes users to potential malware infections. In mid-October, we observed a spike in malware activity, wherein illegal software was bundled with a malicious AutoHotkey script that launched the HotRat malware on victims’ computers. The spread of this malware happens through public repositories, with links being disseminated on social networks and forums.

HotRat malware is an advanced version of AsyncRAT, armed with a multitude of spying and personal data theft capabilities. We examined the malware’s deployment process, which is straightforward and utilizes a basic form of encryption, PNG Steganography, for delivering the final payload. Furthermore, the malware exhibits persistence by leveraging scheduled tasks, enabling it to maintain a foothold on infected systems. It also can eliminate antivirus programs, thus endangering the system’s overall security. The blend of uncomplicated deployment and antivirus removal underscores the potential threats posed by this malware.

It is critical to re-emphasize the caution against downloading dubious software from unverified sources, especially those demanding the deactivation of antivirus programs, as it can help curb the risk of malware infections and data breaches.

The post HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within appeared first on Avast Threat Labs.

Decrypted: Akira Ransomware

29 June 2023 at 16:03

Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.

Skip to how to use the Akira Ransomware Decryptor

Note that this ransomware is not related to the Akira ransomware discovered by Karsten Hahn in 2017 and our decryptor cannot be used to decrypt files from this old variant.

The Akira ransomware comes as a 64-bit Windows binary written for Windows operating system. It is written in C++ with heavy support from C++ libraries. Additionally, Boost library was used to implement the asynchronous encryption code. The binary is linked by Microsoft Linker version 14.35. 

In June 2023, a security researcher rivitna published a sample that is compiled for Linux. The Linux version is 64-bit and uses the Boost library. 

Akira Encryption Schema 

During the run, the ransomware generates a symmetric encryption key using CryptGenRandom(), which is the random number generator implemented by Windows CryptoAPI. Files are encrypted by Chacha 2008 (D. J. Bernstein’s implementation).  

The symmetric key is encrypted by the RSA-4096 cipher and appended to the end of the encrypted file. Public key is hardcoded in the ransomware binary and differs per sample. 

Exclusion List 

When searching files for encryption, Akira is not especially fussy. Whilst ransomware strains usually have a list of file types to encrypt, Akira has a list of files not to encrypt: 

  • .exe 
  • .dll 
  • .lnk 
  • .sys 
  • .msi 
  • akira_readme.txt 

Furthermore, there are folders that are always ignored by Akira: 

  • winnt 
  • temp 
  • thumb
  • $Recycle.Bin 
  • $RECYCLE.BIN 
  • System Volume Information 
  • Boot 
  • Windows 
  • Trend Micro 

There is even the legacy winnt folder, which was used as default folder for installation of Windows 2000. 

Encryption Schema for Small Files 

Files are encrypted depending on their size. For files of 2,000,000 bytes and smaller, the ransomware encrypts the first half of the file. The structure of such an encrypted file is as follows: 

Block typeSize
Encrypted BlockFile Size / 2
Plain Text BlockFile Size / 2
File Footer534 bytes

Encryption Schema for Large Files

For files sizes greater than 2,000,000 bytes, Akira encrypts four blocks. First, the size of a full block is calculated (see Figure 1).

Figure 1: Akira’s calculation of full encryption block size.

The size of the encrypted part of the block is then calculated (see Figure 2).

Figure 2: Akira’s calculation of the size of encryption portion of block.

The layout of an encrypted file is then created (see Figure 3).

Block typeSize
Encrypted Block #1EncryptedLength
Plain Text BlockBlockLength – EncryptedLength
Encrypted Block #2EncryptedLength
Plain Text BlockBlockLength – EncryptedLength
Encrypted Block #3EncryptedLength
Plain Text BlockBlockLength – EncryptedLength
Encrypted Block #4EncryptedLength
Plain Text BlockRest of the file
File Footer534 bytes
Figure 3: Layout of encrypted file.

The structure of the file footer can be described by the following structure in C language:

Figure 4: File footer structure.

Encrypted files can be recognized by the extension .akira. A file named akira_readme.txt – the ransom note – is dropped in each folder (see Figure 5).

Figure 5: Akira ransom note file.

The ransom note mentions two TOR sites. In the first one (Figure 6), the user can list the hacked companies; in the second, victims are instructed on how to make payment (Figure 7).

Figure 6: TOR site listing and describing victim company.
Figure 7: Akira TOR site instructing victim on how to pay ransom.

Linux Version of Akira

The Linux version of the Akira ransomware works identically like its Windows counterpart. Encrypted files have the same extension and the same encryption schema. Obviously, Windows CryptoAPI is not available on Linux, so the ransomware authors used Crypto++ library to cover the parts that are handled by CryptoAPI in Windows.

Our team is currently developing a Linux version of our decryptors. In the meantime, the Windows version of the decryptor can be used to decrypt files encrypted by the Linux version of the ransomware. Please use WINE layer to run the decryptor under Linux.

Similarities to Conti

Akira has a few similarities to the Conti v2 ransomware, which may indicate that the malware authors were at least inspired by the leaked Conti sources. Commonalities include:

  1. List of file type exclusions. Akira ignores files with the same extensions as Conti, except that there’s akira_readme.txt instead of R3ADM3.txt.
  2. List of directory exclusions. Again, Akira ignores the same folders as Conti, including winnt and Trend Micro, which makes Trend Micro’s default installation folder especially resilient against both ransomware strains.
  3. The structure of the Akira file tail is equal to the file tail appended by Conti (see Figure 8)
Figure 8: Conti ransomware file tail.

The member variable bEncryptType is set to 0x24, 0x25, 0x26 by Conti version 2, Akira uses 0x32.

  1. The implementation of ChaCha 2008 used by Akira ransomware is the same as the one used by Conti ransomware.
  2. The code for key generation (two calls to CryptGenRandom followed by CryptEncrypt) resembles Conti’s key generation function.

How to use the Avast decryption tool to decrypt files encrypted by the ransomware

Please, read the instructions carefully. The decryption success rate will depend on it. If you don’t like reading manuals, at least read the instructions about the file pair.

1. The first step is to download the decryptor binary. Avast provides a 64-bit decryptor, as the ransomware is also a 64-bit and can’t run on 32-bit Windows. If you have no choice but to use 32-bit applications, you may download 32-bit decryptor here.

2. Run the executable file, preferably as an administrator. It starts as a wizard, leading you through the configuration of the decryption process.

3. On the initial page, we have a link to the license information. Click the Next button when you are ready to start.

4. On the next page, select the list of locations you want to be searched for and decrypted. By default, it has a list of all local drives:

5. On the following page, you need to supply an example of a file in its original form and then one encrypted by Akira ransomware. Type both names of the files. You can also drag & drop files from Windows Explorer to the wizard page.

It is extremely important to pick a pair of files that are as big as you can find. Due to Akira’s block size calculation, there may be dramatic difference on the size limit even for files that differ by a size of 1 byte.

When you click Next, the decryption tool will carefully examine the file pair and tells you what the biggest decryptable file is. In general, the size limit should be the same as the size of the original file:

6. The next page is where the password cracking process takes place. Click Start when you are ready to begin. This process usually only takes a few seconds but will require a large amount of system memory. This is why we strongly recommend using the 64-bit version of the decryption tool.

Once the password is found, you can continue to decrypt all the encrypted files on your PC by clicking Next.

7. On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend. After clicking Decrypt the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.

For questions or comments about the Avast decryptor, email [email protected].

IOCs (indicators of compromise)

Windows versions

3c92bfc71004340ebc00146ced294bc94f49f6a5e212016ac05e7d10fcb3312c
5c62626731856fb5e669473b39ac3deb0052b32981863f8cf697ae01c80512e5
678ec8734367c7547794a604cc65e74a0f42320d85a6dce20c214e3b4536bb33
7b295a10d54c870d59fab3a83a8b983282f6250a0be9df581334eb93d53f3488
8631ac37f605daacf47095955837ec5abbd5e98c540ffd58bb9bf873b1685a50
1b6af2fbbc636180dd7bae825486ccc45e42aefbb304d5f83fafca4d637c13cc
9ca333b2e88ab35f608e447b0e3b821a6e04c4b0c76545177890fb16adcab163
d0510e1d89640c9650782e882fe3b9afba00303b126ec38fdc5f1c1484341959
6cadab96185dbe6f3a7b95cf2f97d6ac395785607baa6ed7bf363deeb59cc360

Linux version

1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

The post Decrypted: Akira Ransomware appeared first on Avast Threat Labs.

Avast Q1/2023 Threat Report

4 May 2023 at 12:00

Foreword

I’m thrilled to present the Avast Q1/2023 Threat Report, which provides a comprehensive overview of the latest cyberthreats and emerging trends in the security landscape. Our Threat Labs team has analyzed extensive data to identify and block the most significant risks to people across the globe, including the growing threat of social engineering attacks. In fact, two out of three of our detections during this quarter were phishing, scams, or related online threats, as can be seen from the infographics below. 

In this edition of our Threat Report, our featured story presents the evolving tactics used by cybercriminals to infect users. We, for example, highlight the sharp increase in OneNote documents abuse by malware groups such as Qakbot, IcedID, Redline, and Emotet. These groups are continually adapting their tactics to evade detection and infect unsuspecting users with malware. Our analysis sheds light on this emerging threat landscape and provides insights on how users can protect themselves from these evolving tactics. 

Information stealers remain one of the top threats, with an overall risk of infection increasing significantly by 22% compared to Q4/2022. This trend is particularly evident in Japan, which experienced an 86% increase in such attacks. Our team has also protected 333% more users from Raccoon Stealer activity, and this information stealer is now on par with the most popular information stealers, such as AgentTesla. Additionally, we discovered a new malware called NeedleDropper that is primarily used for distribution of these stealers. 

East Asia, including Japan, Taiwan, and China, experienced a significant increase in adware activity this quarter. Additionally, the Russian DDosia project underwent a significant development, with 7,300 members now being involved in these malicious activities. Furthermore, coinminers continue to pose a threat in the Balkans, with a global shift from standalone miners like XMRig to webminers doing their dirty business in victims’ browsers. 

The report also includes our latest efforts in combating ransomware, which involved the release of two new free decryption tools for the BianLian and MeowCorp (Conti offspring) ransomware families. In addition, we’ve seen some positive news about cybercriminal busts, particularly in Europe, targeting groups such as NetWire, DoppelPaymer, and Hive. The more cybercriminals that we can bring to justice, the better. 

Moreover, several Remote Access Trojans (RATs) boosted their presence significantly, including Remcos, AsyncRat, and DarkComet, many of which had the help of the DBatLoader loader, particularly in the Czech Republic, Argentina, and Mexico, where the related risk ratio doubled this quarter. 

Our researchers have been actively identifying zero-day exploits employed by threat actors in the wild. One such exploit was discovered in the highly popular MOBA game, Dota 2. In addition, vulnerabilities previously reported by our team in the last Threat Report have been increasingly exploited for the delivery of ransomware and spyware, both on desktop and mobile devices. 

On mobile, adware continues its dominance, and it further grew in many countries, including India, Brazil, and Argentina, with MobiDash adware seeing over a 100% increase in protected users this quarter. Furthermore, mobile banking trojans continue to evolve and focus on instant payments, while machine learning is used to steal crypto wallet details.  

Overall, I encourage you to read the full report to gain a deeper understanding of the latest security threats and trends. Our team is committed to providing you with the most up-to-date information and protection from these threats. Thank you for trusting Avast to keep you safe online.

Jakub Křoustek, Malware Research Director

Methodology

This report is structured into two main sections: Desktop-related threats, in which we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems and include a special focus on web-related threats, and Mobile-related threats, in which we describe the attacks focusing on Android and iOS operating systems. 

Furthermore, we use the term risk ratio in this report to describe the severity of particular threats, calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month. 

Featured Story

New Malware Distribution Tactics

As cybercrime continues to be a lucrative business, cybercriminals are constantly seeking new ways to distribute malware and infect users. The recent change by Microsoft to block macros from files coming from the internet has caused criminals to explore alternative infection methods. Two of these emerging methods are detailed here: 

New Attack Vector: Microsoft OneNote  

Microsoft OneNote, a note-taking application, has become a popular delivery method for malware. Cybercriminals attach disguised OneNote files to emails, and when a recipient opens the file, it can contain a script or code that downloads and installs malware onto their computer. Malware families spread via these campaigns include Qakbot, Raccoon, IcedID, AsyncRAT, and Redline, among others. The number of users that we’ve protected against these specific attacks has been increasing daily, highlighting the prevalence of this threat. We have protected more than 47,000 customers during Q1/2023 from this type of attacks, and the trend has only continued to increase over time: 

Innovative Technique: Abusing Adobe Acrobat Sign  

Another original way to distribute malware was discovered through the abuse of Adobe‘s cloud service, Acrobat Sign. Cybercriminals are exploiting the email notification system by adding text with a malicious link to a document, which is then sent to the intended recipient from a legitimate Adobe email address. When the victim clicks on the link, they are redirected to a site where they are asked to download a ZIP file containing a Redline Trojan variant designed to steal passwords, crypto wallets, and more. 

This abuse of Adobe Acrobat Sign to distribute malware is a targeted and novel technique that may become more popular among cybercriminals, as it can potentially bypass anti-malware filters and reach victims more effectively. 

The ever-changing landscape of cybercrime highlights the importance of staying up–to date on the latest threats and protection strategies. Both Microsoft OneNote attachments and the abuse of Adobe Acrobat Sign demonstrate how bad actors are constantly adapting to new tactics in their efforts to infect users with malware. 

Luis Corrons, Security Evangelist

Desktop-Related Threats

Advanced Persistent Threats (APTs) 

An Advanced Persistent Threat (APT) is a type of cyberattack that is carried out by highly skilled and determined hackers who have the resources and expertise to penetrate a target’s network and maintain a long-term presence undetected.

APT groups continue to pose a significant risk to organizations and governments worldwide. One such group is Gamaredon, which has been known to target Ukraine. Gamaredon is a sophisticated cyber-espionage group that has been active since at least 2013. The group primarily targets Ukrainian government and military entities, as well as other organizations in the country. The group utilizes spear-phishing to gain initial access to their victims, and the use of Telegram and Telegra.ph services as a distribution channel for Command-and-Control IPs is a common practice for the group. 

Another APT group that has been identified as operating across multiple regions is MustangPanda. This group primarily targets countries in the Asian region, including Myanmar and Cambodia. The group persists in utilizing the Korplug malware in conjunction with various other custom tools. 

The Lazarus Group is a threat actor with links to the North Korean government. The group has been responsible for a range of high-profile cyberattacks in the past. Recently, they made the news with a supply chain attack through 3CX Phone System, which leveraged malware called TxrLoader. Avast users are protected from the malware being spread in this campaign.

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher

Adware

Adware is considered unwanted if installed without the user’s consent, tracks browsing behavior, redirects web traffic, or collects personal information for nefarious purposes, such as identity theft. 

In Q1/2023, the trend of adware activities is stable, and we have observed no significant campaigns in this area, as the graph below illustrates. 

Global Avast risk ratio from desktop adware from Q1/2023

The DealPly adware has recently built a dominant position in the adware landscape. The map below shows that DealPly‘s risk ratio has increased all over the world.

Map showing global risk ratio for DealPly adware in Q1/2023 

The risk ratio for all adware strains is slightly higher than in Q4/2022. The significant increase that we observed is adware activity in East Asia, namely Japan, Taiwan, and China. The complete risk ratio is illustrated in the map below.

Map showing the global risk ratio for Adware in Q1/2023

Adware Market Share 

The clearly identified market leader is still DealPly, which has a 15% share. We assign orders of lower magnitude shares to other strains as follows: 

  • RelevantKnowledge (3%) 
  • DownloadAssistant (2%) 
  • BrowserAssistant (1%) 

However, other unknown strains covered up 58% of the market share in Q1/2023. The dominant type of adware strains typically waits for a user to click on an arbitrary hyperlink and replaces the original link with one redirecting the user to advertising websites. 

The table below illustrates a distribution of ad domains in the wild for this and the last quartiles. It is evident that the ad domains are dynamically rotated for each quarter to avoid detection by ad blockers. 

Q1/2023Q4/2022 
saumeechoa[.]com (53%) saumeechoa[.]com (2%) 
ptuvauthauxa[.]com (19%) ptuvauthauxa[.]com (35%) 
oovaufty[.]com (16%) oovaufty[.]com (8%) 
ninoglostoay[.]com (7%) — 
go.ad2upapp[.]com (1%) saumeechoa[.]com (2%) 
Representation of ad servers in the wild for Q1/2023 and Q4/2022 

Unfortunately, the ingenuity of adware authors is getting better every quarter. Adware is often found on websites offering free software downloads or other products, and it’s a common tactic used by online spammers. We’ll describe detailed information about Web-based Adware in a separate section

Adware has the potential to gain control over a system and execute malicious software like ransomware, spyware, RATs, and other threats. However, it should be noted that adware is generally more bothersome for users rather than truly dangerous.  

Martin Chlumecký, Malware Researcher

Bots

Bots are threats mainly interested in securing long-term access to infected devices with the aim of utilizing their resources, be it remote control, spam distribution, or denial-of-service (DoS) attacks. 

As the war in Ukraine progresses, hacker groups that are interested in the conflict continue to evolve. Notably, the DDosia project maintained by the NoName057(16) group underwent a significant development. Presumably as a reaction to various researchers tracking the project, the group implemented an authentication mechanism for the retrieval of targets. Moreover, we suspect that they started banning IP addresses that are suspected to be snooping on the network. The number of DDosia participants has progressed steadily, reaching around 8,500 members by the end of Q1/2023

As was already mentioned in the Featured story, since Microsoft announced its intention to curtail Microsoft Office macros, threat actors have been unusually creative in testing other payload types. We’ve seen them using ISO archives, Microsoft Office Template files, and HTML smuggling during the previous two quarters. This quarter’s new target is Microsoft OneNote, which has become rather popular with various threat actors – both distributors (such as Emotet) and “consumers” (Qakbot, IcedID, AsyncRAT and others) appear to be rather keen on it. 

In comparison to the previous quarter with a huge Emotet campaign, this quarter has been rather calm, showing a slight decline in the risk ratio (-13% q/q). While many prolific families (such as Amadey, Qakbot or Twizt) went through notable increase in their prevalence, Emotet surprisingly wasn’t among those as it went through a significant decline in its activity. The open-sourced botnet BlackNET, whose popularity soared in the previous quarter, went through a decline bringing its prevalence closer to the numbers we were seeing half a year ago.

Global risk ratio in Avast’s user base regarding botnets in Q1/2023 

Adolf Středa, Malware Researcher

Coinminers

Coinminers are programs that use a device’s hardware resources to verify cryptocurrency transactions and earn cryptocurrency as a reward. However, in the world of malware, coinminers silently hijack a victim’s computer resources to generate cryptocurrency for an attacker. Regardless of whether a coinminer is legitimate or malware, it’s important to follow our guidelines. 

After crashes of Silicon Valley Bank, Silvergate Bank, and Signature Bank in the US and Credit Suisse in Switzerland, cryptocurrencies experienced a slight resurrection in Q1/2023. Fortunately, the same cannot be said for coinminers that continue to decline in activity and even faster than previous quarters (-15% risk ratio).

Global risk ratio in Avast’s user base in regard to coinminers in Q1/2023 

Following the last quarter, users in Serbia were once again most at risk of encountering a coinminer in Q1/2023, with a 7.11% risk ratio. The risk ratio of users in Montenegro was 5.94%, followed by Bosnia and Herzegovina with a 3.84% risk ratio, and Madagascar with 3.73%. In Q1/2023, Avast saw a high increase of coinminer activity in North Macedonia and Egypt, resulting in 81% and 12% increases in protected users, respectively.

Global risk ratio for coinminers in Q1/2023 

Conversely, XMRig continues to drop. Its market share decreased by 13% in Q1/2023, now holding 16% in the total market. Similarly, VMiner lost 14% of its market share, making up 1.30% of the total market. On the other hand, other significant coinminers usurped more of the market – web miners (66.53% market share), CoinBitMiner (1.97%), FakeKMSminer (1.89%), and CoinHelper (1.27%). 

The most common coinminers in Q1/2023 were: 

  • Web miners (various strains) 
  • XMRig 
  • CoinBitMiner
  • FakeKMSminer 
  • VMiner 
  • CoinHelper

Jan Rubín, Malware Researcher

Information Stealers

Information stealers are dedicated to stealing anything of value from the victim’s device. Typically, they focus on stored credentials, cryptocurrencies, browser sessions and cookies, browser passwords, private documents, and more. 

Raccoon Stealer activity increased significantly in Q1/2023. We protected 333% more users compared to the previous quarter. Furthermore, according to our statistics, Raccoon is now on the similar activity levels as AgentTesla, RedLine, and FormBook, which are the most popular information stealers of all time. Due to this significant increase, the overall risk of getting infected by information stealers also increased quite significantly – by 22%.

Global risk ratio in Avast’s user base in regard to information stealers in Q1/2023 

Similar to coin miners, information stealers were also more prevalent in Egypt, increasing the risk ratio by 53% (4.08% risk ratio). Individuals located in Yemen are still the ones with the highest risk of getting infected by information stealers (4.66% risk ratio). We also protected 149% more users in Saudi Arabia (1.45% risk ratio). 

Map showing global risk ratio for information stealers in Q1/2023 

AgentTesla now holds 18.43% of the market share, increasing by 32% in comparison to the previous quarter. The activity of ViperSoftX also increased, as its market share rose by 69% and it now holds 2.21% of the information stealer market. On the other hand, FormBook and RedLine experienced a drop in activity, decreasing their market share by 40% and 28%, respectively. 

The most common information stealers in Q1/2023 were: 

  • AgentTesla
  • FormBook 
  • Raccoon 
  • RedLine 
  • Arkei 
  • Fareit
  • Lokibot 
  • ViperSoftX 

NeedleDropper was a newly discovered dropper malware, mostly used for distributing information stealers like FormBook or AgentTesla. To avoid detection, the malware tries to hide itself by dropping many unused, invalid files and stores important data between several MB of unimportant data, and it also utilizes legitimate applications to perform the malicious activity. 

MacStealer is a malware that targets MacOS users, primarily spreading through compromised .dmg packages. This malicious software collects personal information from various internet browsers, including passwords, cookies, credit card details, KeyChain database information, and cryptocurrency wallet data. The program stores this collected data in a ZIP file and sends it to remote servers, potentially exposing the victims to identity theft, financial loss, or other cyber threats.

Jan Rubín, Malware Researcher
Vladimír Žalud, Malware Analyst

Ransomware

Ransomware represents any type of extorting malware. The most common subtype is the one that encrypts documents, photos, videos, databases and other files on the victim’s PC. Those files become unusable without decrypting them first. For decryption tool, attackers demand money, “ransom”, hence the term ransomware. 

Unlike other threats, ransomware typically makes a point of letting the user know that they’ve been targeted by cybercriminals, often in a spectacular way – for example, by changing their desktop background or leaving ransom note text. Here is an example of such ransom note coming from BianLian ransomware: 

In some cases, it may be possible to decrypt files without paying a ransom. If you ever suffer a ransomware attack, the ransom note may identify the exact ransomware strain that’s behind the attack. For example, the above-mentioned ransomware called BianLian can be decrypted using decryption tool that Avast released in January of 2023

In case the ransomware cannot be decrypted, it’s important to archive all encrypted data, as there is always a chance that encryption keys will be published after the gang closes its business. Recently, this was the case with the MeowCorp ransomware, which is based on the leaked sources of Conti. Thus, we published it as Conti Decryptor in March 2023. 

Speaking of Conti, the leaked sources are now also being used by the LockBit gang. This is the second time that the LockBit gang changed their encryptor – first, they introduced LockBit Black (based on BlackMatter) and have now switched to LockBit Green, with an encryptor based on the Conti source

Sometimes, a ransomware gang closes their business, but not on their own volition; law enforcement may score in the battle against cybercriminals and seize the operation. As a recent example, Hive ransomware network was infiltrated by the FBI and Europol. Also, two members suspected to be members of the DoppelPaymer ransomware gang were arrested by joint forces of German Regional Police, Ukrainian National Police, and Europol

When examining the ransom note image above, one can notice instructions on how to contact the attackers and how to send the payment. Typically, it is done by sending cryptocurrency (such as Bitcoin, Monero, or Ethereum) to a cryptocurrency wallet that’s owned by attackers. While the wallets themselves are anonymous, it is possible to track money transfers wallet(s) known to be associated with ransomware actors. According to Chainalysis, ransomware gangs received $457 million in 2022, a 40% drop from 2021 likely due to the fact that more companies now refuse to pay ransom. 

Statistics 

Here, we present ransomware statistics based on what we see in our userbase. WannaCry maintains its top position (18% market share) and is followed by STOP ransomware (15%). Lower in the ladder are Thanatos (3%), Hidden Tear (1%), Magniber (1%), and LockBit (1%). Overall, the absolute number of ransomware attacks bounced by Avast is slowly declining, as the ransomware authors are switching to targeted attacks that are less frequent than the mass attacks that we’ve seen in the past: 

Ladislav Zezula, Malware Researcher
Jakub Křoustek, Malware Research Director

Remote Access Trojans (RATs)

A Remote Access Trojan (RAT) is a type of malicious software that allows unauthorized individuals to gain remote control over a victim’s computer or device. RATs are typically spread through social engineering techniques, such as phishing emails or infected file downloads. Once installed, RATs grant the attacker complete access to the victim’s device, enabling them to execute various malicious activities, such as spying, data theft, remote surveillance, and even taking control of the victim’s webcam and microphone. 

After the continuous decline in the overall risk ratio observed over the second half of 2022, Q1/2023 is on par with Q4/2022. This is largely due to the Remcos strain, which has been very active in this quarter. 

The increased activity of Remcos can be observed in most parts of the world. The overall increase in its market share among other RATs was by 60%. However, in the Czech Republic, Argentina, and Mexico, the increase was by more than 100%. We have frequently seen Remcos being spread by the DBatLoader loader. DBatLoader was also spreading Netwire RAT and FormBook information stealer, according to our data. 

AsyncRat, DarkComet, and QuasarRAT also increased their market share by more than 30%. We now see AsyncRat and QuasarRAT active all over the world. AsyncRat is a little bit more active in Southeast Europe, Afghanistan, Pakistan, and Australia, while QuasarRAT is active in Latin America, Africa, and Turkey. DarkComet, on the other hand, seems to be limited mostly to Europe and the Middle East.

The most common RATs in Q1/2023 include: 

  • HWorm 
  • Remcos 
  • njRAT 
  • AsyncRat 
  • Warzone 
  • QuasarRAT 
  • NanoCore 
  • NetWire 
  • LimeRAT 
  • DarkComet 

In an international law enforcement operation carried out by the FBI, the United States Attorney’s Office for the Central District of California, the Croatia Ministry of the Interior Criminal Police Directorate, Zurich Cantonal Police, Europol, and the Australian Federal Police took down the worldwiredlabs.com domain. A server hosting the NetWire RAT infrastructure was seized in Switzerland, and a suspected administrator of the website was arrested in Croatia. NetWire was sold through the website for prices ranging from $10 to $1,200.

Another arrest was made by law enforcement in Ukraine. The Khmelnychchyna Cybercrime Department, the regional police investigative department, and the SBU regional department arrested the developer of a RAT masked as an application for computer games. According to the report, this RAT infected more than 10,000 computers, and at the time of the search, the suspected developer had access to nearly 600 computers. 

The ASEC analysis team discovered that the RedEyes (APT37, ScarCruft) group has been distributing a new malware named M2RAT. M2RAT is able to log keystrokes, leak/upload data to the attacker’s server, run processes, and capture screenshots. The report also mentions an information stealer that can communicate with the M2RAT. This stealer’s task is to steal data saved on mobile phones. 

Researchers from Lumen discovered a campaign named Hiatus. One of the components delivered is the HiatusRAT which is similar to ZuoRAT (also previously discovered by Lumen) in that it also targets SOHO routers. Another component is a modified tcpdump tool. HiatusRAT can convert the infected router into a SOCKS5 proxy for the attacker as well as allow remote access to the device. 

Ondřej Mokoš, Malware Researcher

Rootkits

Rootkits are malicious software specifically designed to gain unauthorized access to a system and obtain high-level privileges. Rootkits can operate at the kernel layer of a system, which grants them deep access and control, including the ability to modify critical kernel structures. This could enable other malware to manipulate system behavior and evade detection. 

Rootkits are gradually being replaced by other and more effective tools to control systems. For this reason, we have also observed the downward trend of rootkit activities in Q1/2023, as is shown in the chart below. 

Rootkit risk ratio in Q1/2022 and Q1/2023 

If we look at the risk ratio from the point of view of individual countries, China remains the dominant country in which the rootkit activities are the greatest. 

Global risk ratio for rootkits in Q1/2023

Despite the downward trend in rootkit activities, the R77RK rootkit remains a dominant player in the rootkit market (28%) for its open-source policy and documentation. Although R77RK is not directly a rootkit that operates in the kernel mode, it provides the essential ability to modify the system behavior, typically hiding files, registries, processes, and so on. 

In Q1/2023, we noticed no new release of R77RK that would affect the R77RK’s spread, which could have caused the declining trend. We will see whether R77RK keeps the majority in the wild in the next quarter. 

R77Rootkit risk ratio in Q1/2023 

The market share of the remaining four rootkit strains is approximately 20%, but these strains are relatively insignificant. To provide a comprehensive overview, the rootkit strains and their corresponding market shares are listed below: 

  • Cerbu (7%) 
  • Alureon (7%) 
  • Perkesh (6%) 
  • ZeroAccess (3%) 

In Linux operating systems, our data also indicates that rootkits are not a prevalent threat. On the other hand, Linux kernel rootkits are increasing in complexity. We detected Linux kernel rootkits using kernel space packers that can efficiently pass under the radar. 

As presented at Botconf 2023, we keep tracking Syslogk Linux kernel rootkit and again found a new version that is integrated with a usermode bot. This is a bot that is not continuously running but stealthily started by the attacker via relatively complex magic packets. Such bot fakes a different service per sample allowing the attacker to connect to it and implements a proxy mode for sending magic packets to other infected machines faking legitimate Mozilla Firefox and Apache 2 network traffic. 

Even if not prevalent, we consider it important researching these threats to protect our users from advanced attacks. 

Martin Chlumecký, Malware Researcher
David Álvarez, Malware Analyst

Vulnerabilities and Exploits

Exploits take advantage of flaws in legitimate software to perform actions that should not be allowed. They are typically categorized into remote code execution (RCE) exploits, which allow attackers to infect another machine, and local privilege escalation (LPE) exploits, which allow attackers to take more control of a partially infected machine. 

Exploits continue to represent a threat that is exceedingly difficult to protect against, with the rate of newly discovered vulnerabilities showing no signs of slowing down in Q1/2023. The January Patch Tuesday update fixed CVE-2023-21674, a vulnerability in ALPC that we discovered in the wild when it was used in an attempt to escape from the Chromium sandbox straight into the Windows kernel. A whopping number of four in-the-wild zero-days were discovered by Clement Lecigne of Google's Threat Analysis Group. Two of these exploits were used by spyware vendors in sophisticated exploit chains targeting both Android and iOS devices. Interestingly, one of these chains also exploited CVE-2022-3723, a type confusion in V8 that we reported to Google back in October 2022. 

This quarter also showed that financially motivated cybercriminals do sometimes possess zero-day capabilities, once again disproving the common misconception that zero-days are a privilege of stealthy APT attackers. In February, a cybercriminal group attempted to deploy the Nokoyawa ransomware through a zero-day LPE exploit for CVE-2023-28252. One of the most interesting facts about this attack is that it was independently reported to Microsoft by three companies, indicating that there is perhaps a reason for why zero-days are not often used in such noisy attacks. Another example of financially motivated attackers stepping up their game are the Magniber ransomware threat actors using CVE-2023-24880 to bypass Microsoft SmartScreen. As we have researched Magniber and the Magnitude exploit kit extensively in the past, we were not in the least surprised that these attackers were able to devise such advanced bypass methods. 

Finally, our research highlighted that malware could spread even through seemingly innocent activities, such as playing video games. We discovered that Dota 2, a highly popular MOBA game, was vulnerable due to its use of an outdated version of the V8 JavaScript engine. We have also found that an attacker took advantage of this vulnerability and exploited a smaller number of players of certain custom game modes. We have reported this vulnerability and it was fixed on January 12, making the game once again safe to play. However, as we have shown in our research blog, such vulnerabilities could have much more dire consequences, potentially endangering the millions of active Dota players. 

Jan Vojtěšek, Malware Reseracher

Web Threats

Phishing

Phishing is a type of online scam where fraudsters attempt to obtain sensitive information including passwords or credit card details by posing as a trustworthy entity in an electronic communication, such as an email, text message, or instant message. The fraudulent message usually contains a link to a fake website that looks like the real one, where the victim is asked to enter their sensitive information. 

Phishing continues to be a significant threat to consumers, and 31.98% of all attacks blocked by Avast this quarter were phishing attempts. Besides phishing threats, scams are a major threat with a share of 33.64% out of all attacks. These numbers combined show that two out of three detections now relate to social engineering. When comparing the recent phishing attack trends over the past few quarters, we observe a consistent and concerning increase in the appearance of phishing incidents.

DatePhishing as % of all blocked threats
Q1/202222.85%
Q2/202222.54%
Q3/202224.44%
Q4/202225.91%
Q1/202331.98%

The most significant jump occurred between Q4/2022 and Q1/2023, where the rate increased by more than 6 percentage points, from 25.91% to 31.98%, making phishing almost one out of three of all blocked threats. This upward trend highlights the growing threat that phishing poses to consumers.  

Cybercriminals are continuously evolving their tactics and becoming more sophisticated in their methods, as Avast researchers have uncovered how cybercriminals are increasingly targeting users on secondhand shopping platforms like Vinted. In these cases, scammers posing as buyers exploit the excitement and urgency associated with making a sale to extract personal information, such as phone numbers or credit card details. They even interact in real time with their victims via WhatsApp posing as technical support agents.  

The prevalence of smishing attacks has also contributed to the rising rate of phishing incidents, and it is becoming increasingly popular among cybercriminals due to its high open rate and the sense of trust that people place in text messages from seemingly reliable sources, like banks or government agencies. Smishing attacks often involve urgent messages that prompt victims to click on a link or provide personal information. Common smishing attack themes include financial alerts, package delivery notifications, tax alerts, charity scams, and lottery scams.

Tech Support Scams 

Tech support scam threats involve fraudsters posing as legitimate technical support representatives who attempt to gain remote access to victims’ devices or obtain sensitive personal information, such as credit card or banking details. These scams rely on confidence tricks to gain victims’ trust and often involve convincing them to pay for unnecessary services or purchase expensive gift cards. It’s important for internet users to be vigilant and to verify the credentials of anyone claiming to offer technical support services. 

In the first quarter of this year, we have observed a significant decrease in the activity of technical support scams. This is good news for internet users who may have previously fallen victim to these types of scams. According to our data, the risk ratio of technical support scams has dropped considerably, indicating that scammers may be shifting their focus to other types of online fraud, such as refund and invoice scams, as is shown below. 

Technical support scams in Q4/2022-Q1/2023

Moreover, our data shows that the risk ratios for technical support scams in the following countries are as follows: Japan with 3.64%, Germany with 2.93%, the United States with 2.59%, Canada with 2.53%, and Switzerland with 2.18%. While these countries still have a higher risk ratio compared to other countries, the overall decrease in technical support scams is a positive development. 

Global risk ratio for technical support scams in Q4/2022-Q1/2023 

As always, it’s important for internet users to remain vigilant and be aware of potential online threats. By staying informed and taking precautions, such as not sharing personal information or downloading suspicious software, we can help keep ourselves and our personal data safe from cybercriminals. 

Refund and Invoice Scams 

Invoice scams involve fraudsters sending false bills or invoices for goods or services that were never ordered or received. Scammers rely on invoices looking legitimate, often using company logos or other branding to trick unsuspecting victims into making payments. These scams can be especially effective when targeted at businesses, as employees may assume that a colleague made the purchase or simply overlook the details of the invoice. It’s important to carefully review all invoices and bills before making any payments and to verify the legitimacy of the sender if there are any suspicions of fraud. 

In Q1/2023, there was a significant increase in activity for invoice and refund scams. Recent data shows a 50% increase of risk ratio in Japan quarter over quarter, 26% in the United Kingdom, 21% in Canada, and 19% in the United States. 

Refund and invoice scams in Q4/2022-Q1/2023 

It’s important to note that these risk ratios may not fully capture the scope of the problem, as many scams go unreported or undetected. It’s crucial for individuals and businesses to remain vigilant when it comes to unsolicited invoices or refund requests as well as to take steps to protect themselves from these types of scams. 

Global risk ratio for refund and invoice scam Q4/2022-Q1/2023 

In conclusion, the increase in activity for invoice and refund scams in Q1/2023 highlights the ongoing need for cybersecurity awareness and education as well as the importance of taking proactive measures to protect oneself against these types of scams. 

A typical example of a fake email invoice 

Web-based Adware 

Web-based adware refers to malicious software or web pages that display unwanted advertisements in the form of pop-ups, banners, or redirects to third-party websites. Web-based adware can slow web browsing, potentially compromising user privacy and security. 

In Q1/2023, web-based adware remained prevalent, with several notable examples. We have identified three basic adware types dominating this quarter. 

Adult Content 

The most significant adware type is an ad that entices users to click through video games with adult content where the users are guided via a few steps to “verify” their ages, select game characters, etc. If the user completes the verification process, the adware redirects the user to the ad server and displays questionable content. 

Text Injection 

Another non-negligible type is adware that injects a seemingly related text into specific paragraphs. A suspicious or infected webpage hides a simple JavaScript, injecting apparently related lines into the relevant section of the original text. The injected text contains a questionable URL and also waits for the user to click; see the example below. 

Fake Win 

The last dominant ad type is “winning pages” with different prices (cellphones, notebooks, etc.) conditioned by entering personal information, including payment cards, to “verify winners.” The victim usually has three attempts at an action like roulette or unwrapping packages. The victim always wins on the third attempt and is redirected to a page where they enter their personal data and possibly send a manipulation plot. 

Alexej Savčin, Malware Analyst
Martin Chlumecký, Malware Researcher
Luis Corrons, Security Evangelist

Mobile-Related Threats

With another turbulent quarter in the mobile threats sphere behind us, we dive into an overview of our data and interesting new discoveries from across the industry. Banking trojans continue to evolve and appear to be focusing on instant payments. We also see cybercriminals using machine learning to steal crypto wallet details. Several 0-day exploits were chained together in a series of spyware attacks on both iOS and Android and a SMS stealer was made available on GitHub and used to target victims in Indonesia.  

Here are the prevalent families of malware, coupled with insights based on our data to provide you with an overview of last quarter.  

Adware continues its dominance 

Adware threats on mobile refer to applications that display intrusive out-of-context adverts to users with the intent of gathering fraudulent advertising revenue. This malicious functionality is often delayed until some time after installation and coupled with stealth features such as hiding the adware app icon to prevent removal. Adware mimics popular apps such as games, camera filters, and wallpaper apps, to name a few. 

As has been the case for several years, adware continues to be the top threat facing mobile users in Q1/2023. The intent of adware is to serve intrusive advertisements to its victims with the aim of harvesting fraudulent advertising revenue. Stealth is often a key component in ensuring the adware remains on the victim’s device for as long as possible. This quarter we observed a continuation of previously used techniques, with some new strains with different approaches added into the mix. 

HiddenAds continues to be the top strain affecting users worldwide. As per its name, it uses stealth to masquerade as another app or to hide its icon. Once hidden, it often waits for a preset amount of time before displaying intrusive full screen adverts to its victims. This way, victims are less likely to suspect the HiddenAds app. Some previous campaigns snuck back on the Play Store again in small numbers but were taken down shortly after their release. Some third-party app stores continue to serve older strains, such as Scylla or versions of LiveClick

FakeAdBlockers takes the second spot in the adware category. Continuing to display adverts instead of blocking them, these adwares often disappear upon installation and waste no time in displaying advertisements. We observe FakeAdBlockers on third-party app stores and they’re also often served by pop-up messages from less reputable sites. These adwares often imitate games, wallpaper apps, utility apps, and others, with the aim of fooling the user into installing the app. 

A repacked Minecraft app with MobiDash requesting administrative privileges to aid its adware behavior and hide from the victim

Interestingly, we saw a significant rise in MobiDash adware this quarter, with over a 100% increase in protected users. Mobidash is an older strain of adware which started as an advert SDK that was added to repacked apps. Once the repacked app was installed, the MobiDash SDK would wait for a time and then display aggressive adverts throughout the device while in use.  

Since its creation, MobiDash has been used to repackage hundreds of thousands of apps that imitate a wide range of gaming, utility, and camera apps. These repackaged apps have been distributed through forums and third-party app stores. 

Global risk ratio of mobile adware in Q4/2022-Q1/2023 

Compared to the previous quarter, there has been a slight increase in the number of users protected from adware, with Mobidash‘s resurgence playing a role in this uptick. This comes even though no major adware campaigns have infiltrated the Play Store during the current quarter.

Global risk ratio for mobile adware in Q1/2023

Asia, Europe, and America are the most likely continents to be targeted by adware. Brazil, India, Argentina, and Indonesia continue to be the countries with the most protected users. We have noticed an increase in the number of protected users across most countries. However, it is worth highlighting that in the United States, there has been a significant decrease in both the risk ratio and protected users, with a drop of over 25%. 

Evolution of Bankers 

Bankers are a sophisticated type of mobile malware that targets banking details, cryptocurrency wallets, and instant payments with the intent of extracting money. Generally distributed through phishing messages or fake websites, Bankers can take over a victim’s device by abusing the accessibility service. Once installed and enabled, they often monitor 2FA SMS messages and may display fake bank overlays to steal login information. 

Bankers continue to thrive, as they introduce several evolutions and improvements to existing strains, along with some newcomers entering the market this quarter. Despite this ongoing activity, we have seen a decline in the number of users needing protection, continuing the trend observed over the past few quarters. Cerberus/Alien and Hydra maintain their top spots, while Coper climbs to 3rd place with a significant 67% increase in protected users, surpassing RoamingMantis and Flubot

Instant payment platforms remain a prime target for bankers this quarter, following their misuse by BrasDex last quarter. PixPirate, a new banker strain discovered by Cleafy, targets Brazil and utilizes the Pix instant payment platform to extract money from victims. Xenomorph has also updated its functionality to include instant payment extraction capabilities; combined with a cookie stealer, this allows the banker to automate the entire money extraction process without operator intervention. Given the growing popularity and availability of instant payment platforms, it is likely that other banker strains will adopt these techniques in the near future.

PixPirate using the pretense of a Bonus Authenticator to fool victims, however this early version was stopped by PlayProtect 

A new banker strain worth noting, discovered by TrendMicro, is TgToxic. This strain targets Asia through an elaborate phishing campaign that employs fake websites, compromised social media groups, and instant messages from the threat actors. TgToxic utilizes a gesture automation framework, enabling it to read and replicate user inputs. Combined with login extraction capabilities, the malware can send crypto payments using its hijack script without requiring user interaction. Victims may face difficulties in removing TgToxic, as it actively attempts to prevent removal via the accessibility service.

Global risk ratio of mobile bankers in Q2/2022-Q1/2023 

The long-term downward trend in the banker sphere continues according to our data. Similar to last quarter, we observe a 23% decline in protected users this quarter compared to last quarter. 

Global risk ratio for mobile bankers in Q1/2023

In this quarter, Turkey has moved into the top spot for the highest number of protected users, overtaking Spain, followed by France in third place and Brazil in fourth. Both Brazil and Turkey experienced a slight increase in protected users, while France saw a significant drop of over 50% and Spain lost more than 25% of protected users. 

Spyware and 0-days  

Spyware is used to spy on unsuspecting victims with the intent of extracting personal information such as messages, photos, location, or login details. It uses fake adverts, phishing messages, and modifications of popular applications to spread and harvest user information. State backed commercial spyware is becoming more prevalent and is used to target individuals with 0-day exploits. 

Spying on unsuspecting victims continues to be a prevalent issue, as our data indicates that spyware maintained its negative impact throughout this quarter. Spymax leads the pack over the last three months, accompanied by reports of trojanized messaging apps using machine learning to steal cryptocurrency, as well as multiple zero-day attacks targeting both Android and iOS devices. 

Spymax remains largely unaltered, primarily aiming to extract personal information such as SMS, contact lists, location, and even live streaming the screen in some newer versions. More recently, it has targeted bank details, login credentials, and even crypto wallet information, blurring the boundaries between spyware and banker families. Fake advertisements, malicious redirects, and various phishing methods continued to facilitate Spymax‘s distribution this quarter. Facestealer and malicious messenger mod apps followed closely behind Spymax in the spyware category 

ESET has discovered a new strain of trojanized messenger apps that target cryptocurrency wallets and related messages, affecting both Android and Windows devices. The messenger apps contain built-in clippers that allow for extraction of sensitive information such as crypto wallet recovery phrases, in some cases using machine learning to extract text from screenshots of recovery phrases.  

Additionally, the malware can swap cryptocurrency wallet addresses in sent messages, resulting in fraudulent transactions being redirected to a different wallet than intended. Some versions were also bundled with remote access trojans. The spyware was distributed through fake messenger advertisements, which directed users to copycat websites serving the malware. As advised in the previous quarter, users should download apps from official sources and avoid using mods for messenger apps to stay safe. 

Trojanized Telegram app prompting the user to download extra malicious components under the guise of an update, leading to a fake Telegram website 

In recent years, there has been growing awareness and coverage of government-backed attacks utilizing commercial spyware. Regrettably, this trend persists in the current quarter, as Google has reported multiple zero-day attacks targeting both iOS and Android users. One chain of exploits was disseminated through SMS package delivery phishing, using a malicious link to trigger the exploit. On iOS, this led to the delivery of the Predator spyware payload, while on Android, a zero-day discovered by Avast was used to deliver spyware onto victims’ devices. Subsequently, users were redirected to the official page, leaving them unaware of the events that had transpired. 

Another chain of exploits targeted UAE users via the Samsung mobile browser, delivering C++ written spyware that focused on popular messaging apps and browser activity extraction. Users are strongly encouraged to keep their devices updated with the latest patches to mitigate the risks posed by these exploit chains.

Global risk ratio for mobile spyware in Q1/2023 

In this quarter, Brazil had the highest number of protected users, while Turkey experienced a significant increase and secured second place. They are followed by India, the United States, and Egypt. According to the data visualized on the map, users in Yemen continue to be at the greatest risk of encountering spyware.

Global Avast risk ratio of mobile spyware in Q4/2022 and Q1/2023

Spyware is experiencing a gradual decline, similar to the trend observed last quarter. Although several new strains of spyware were discovered in the previous quarter, the overall numbers do not indicate an increase. Zero-day attacks are not expected to have a significant impact on the number of protected users, as they are often used sparingly and target specific individuals. 
 

TrojanSMS Steals the Show 

TrojanSMS is a type of malware that focuses on exploiting premium SMS or subscriptions to extract money from victims, some versions may also steal SMS messages. It usually comes with stealth features with the aim of hiding on victim devices and siphoning money unnoticed. Fake app stores and pop ups often distribute this type of malware. 

In this quarter, two primary strains, Darkherring and SMSFactory., affected the most users. Older strains of previously prevalent TrojanSMS disappeared entirely last quarter, while a new TrojanSMS emerged this quarter, poised to evolve and expand its reach. Generic SMS stealers or senders have also increased their presence. 

The TrojanSMS family comprises a diverse range of malware capable of stealing SMS messages, subscribing users to fraudulent premium services, or sending premium SMS. Often featuring stealth mechanisms to avoid detection and removal, these applications can wreak havoc on a victim’s mobile bill if not discovered promptly. 

Darkherring is on the rise again, similar to the previous quarter when its distribution increased through third-party stores and other methods. A few applications were spotted on the Play Store, but they were removed shortly after being reported. In contrast, SMSFactory lost 50% of its impact compared to last quarter, indicating a declining strain. No significant changes to its functions were observed this quarter. 

A TrojanSMS stealer called SMSEye is worth noting, as it has its own dedicated GitHub page, enabling other malicious actors to use it. The stealer initially emerged last quarter, with its second version appearing this quarter. Cyble reported that it was used to target an Indonesian bank through a phishing campaign to distribute the malware to users. SMSEye sends stolen SMS messages to a Telegram bot, in this case targeting user login credentials. Test versions of this malware have been observed featuring other bank and delivery service logos, suggesting the likelihood of more sophisticated uses for this stealer in the future.

SMSEye version 2 pretending to be a 2FA app for Bancolombia, so far only a test app without mode of spread 

This quarter, we observe intriguing shifts in the distribution of TrojanSMS by protected users among countries. Poland claims the top spot, followed by Egypt, Brazil, and Mexico. Poland experienced a significant increase in protected users, while both Egypt and Brazil saw a decrease in protected users this quarter. As illustrated in the map below, Iraq and Jordan have the highest risk ratios for TrojanSMS.

Global risk ratio for mobile TrojanSMS in Q1/2023 

Consistent with the previous quarter, we observe a steady decline in the number of affected users this quarter. The exit of UltimaSMS and Grifthorse, along with the gradual decline of SMSFactory, contribute to this decrease. However, the introduction of SMSEye may potentially help maintain these numbers in the upcoming quarter.

Global Avast risk ratio of mobile TrojanSMS in Q4/2022 and Q1/2023 

Jakub Vávra, Malware Analyst

Acknowledgements / Credits

Malware researchers

Adolf Středa
Alexej Savčin
David Álvarez
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Luis Corrons
Martin Chlumecký
Ondřej Mokoš
Vladimír Žalud

Data analysts

Filip Husák
Pavol Plaskoň

Communications

Emma McGowan
Grace Macej
Marina Ziegler

The post Avast Q1/2023 Threat Report appeared first on Avast Threat Labs.

DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks

18 April 2023 at 14:22

Through their DDosia project, pro-Russia hacktivist group NoName057(16) is still conducting DDoS attacks, mostly with the goal to take offline websites of institutions and companies in European countries. On its Telegram channels, the group openly communicates the fact that they perform their actions in support of Russia in the war against Ukraine, and it’s apparent that their activities will further continue during the war. The group has been offering payments in cryptocurrencies to people who install their DDosia tool in order to participate in their attacks. We want to create awareness that people who have NoName057(16)’s DDoS tool installed on their computer not only participate in cybercrime, but also support the groups’ warfare activities.

We detect and block DDosia to make the internet a safer place, and we continue to track DDoS victims and configurations of the DDosia botnet because such information helps to mitigate the impact of DDoS attacks.

Since the first Python version needed to be more efficient, the group released a new Go variant of bots in late 2022. SentinelLabs has described the first variant of the Go implementation, including the C2 servers at that time active. A few days later, Team Cymru published an investigation about the botnet architecture describing the DDoS attacks as a largely static infrastructure.

Given the above findings, it is apparent that the C2 structure is still evolving. The primary purpose of the following analysis is to explore the C2 architecture and current communication process between the botnet and C2 servers. Therefore, we have been actively monitoring the DDosia botnet and have found several innovations in the bot implementation and the botnet infrastructure. The C2 infrastructure is composed of one central server and two proxies forwarding bot requests. This, combined with an update mechanism, makes the botnet rather resilient to disruptions. The latest versions also include a bot authentication mechanism for all the C2 communication along with IP address blocklisting, presumably to hinder tracking of the project.

Implementation Overview

The first implementation of DDosia came into the world around July 2022. Being authored by the NoName057(16) group, there was interestingly a brief coexistence with the Bobik botnet before the botnet was dismantled, presumably in favor of DDosia. It was written in Python using threads as a means of parallelism; nevertheless, it was still lacking in terms of efficacy. Since the first version, DDosia relied on HTTP protocol for C2 communication, with JSON configs distributed by the servers.

The lack of efficacy presumably motivated changes in DDosia, namely the move from Python to Go that we saw in late 2022, with SentinelLabs describing the first Go variants. The main advantage of Go in comparison to Python is direct compilation into native code along with the absence of Python’s GIL that may severely affect the performance of threaded code in Python. Interestingly, these new versions are also multi-platform, as we’ve seen variants for all major operating systems (Windows, macOS, Linux, Android). Evidently, the bot development is still in progress, as we see new functionalities, such as HTTP authentication, being added to DDosia along with slight changes in the configuration file.

Console output of the Go-Stresser version 1.0 – variant 1

Go Implementation

Let’s take a closer look at the second variant of DDosia bot from March 6, 2023, that came up with the authentication mechanism, presumably to combat researchers snooping for lists of targets.

Console output of the Go-Stresser version 1.0 – variant 2
Build Package

The aforementioned variant has support for multiple architecture as well as multiple platforms; unsurprisingly, it is also written in Go. The builds are distributed via the Telegram channel “Project DDosia” in the form of a zip file with the builds as follows:

  • Windows x64 and arm64
  • Linux x64 and arm64
  • macOS x64 and arm64

The names of the executable are changed sometimes; there is a list of the captured names:

  • dosia_app_(windows|macos|linux)_(x64|arm64)
  • d_(win|mac|linux)_(x64|arm64)
  • pd_(win|mac|linux)_(x64|arm64)
  • dosia_(win|mac|linux)_(x64|arm64)
Execution Workflow

A working dir of the bot executable must contain a text file client_id.txt with the User-Hash of the registered user. The form of the User-Hash is a BCrypt hash with these parameters $2a$16$.

The first outcome communication is to use nordvpn.com to get detailed information about the bot IP address that is sent to the C2 server. The second outcome is to use C2 as a POST method to /login URL with data representing information about the bot IP, user ID, and bot identification.

Login to C2

The Client-Hash is the result of a library that returns the OS native machine UUID/GUID. It is an open-source implementation of Go MachineID by Denis Brodbeck. The Client-hash has a suffix representing the current PID (5481 in this case).

Login response from C2 during login

If the authentication is successful, C2 returns HTTP/1.1 200 OK with a token in the form of epoch/Unix timestamp, and the target configuration can then be downloaded via GET /client/get_targets. The first variant of the DDosia bot does not implement any authentication mechanism, but the valid token is necessary to get the target configuration successfully in the current C2 architecture; otherwise, 401 Unauthorized is returned.

Getting targets from C2

The returned JSON file is similar to the first variant, with the difference that the original JSON configuration is wrapped up in a data key. Additionally, the new key token is included in each response of GET /client/get_targets. The token is a fresh token for further communication.

The new form of returned configuration

The new configuration supports four attack types: http, http2, nginx_loris, and tcp. The rest of the items are the same as SentinelLabs, and we described previously; see C&C Communication and SentinelLabs.

When the login and get targets operation are successful, the bot creates approximately 20 working threads that perform the DDoS attack using a synchronized method since the bot counts the number of successful connections. Therefore, the bot waits for an attacked server response; if the response is 200, the attempt is counted as a successful attack. Subsequently, the newest bot implementation is eight times faster than the initial implementation in Python.

Continuous statistics are sent each ~four minutes back to the C2 server through POST /set_attack_count.

Sending the attacks’ statistics back to C2

These statistics help the attacker track the target configuration’s effectiveness and respond in time with a new configuration. If everything goes as expected, a new target configuration is requested every ~10 minutes. However, sometimes the C2 server is unable to handle requests, and a connection cannot be established. In this case, the bot continues on the latest target configuration and tries to contact C2 later. Figure 1 provides an overview of the communication between the C2 server and a bot.

Figure 1. C2 communication workflow

Bot Updater

One of the unknowns remains the question of the bot updates. Our investigations into this area are still in progress, and we are trying to confirm our hypothesis that there is an automatic bot updater.

We’ve observed a few takedowns of C2 servers and new build releases in the last months. We expected a delay of several days between the bot updates and further DDoS attacks. However, the time between the C2 takedown and the new DDoS attacks was several hours. Therefore, our hypothesis is that there is an automatic updater since it is improbable to manually update approximately 7,200 independent clients within several hours.

The count of new bot releases was considerable in the last four months, as Figure 2 illustrates. So, there should be some automatic updater.

Figure 2. DDosia executable hits

C2 Protection

All C2 servers have used HTTP protocol to communicate, which was unencrypted. So, it was only a matter of time before the DDosia authors tried to implement a mechanism to protect the target configurations.

Temporary DNS Records

The first attempt to implement the protection mechanism was around January 28, 2023. The main idea was to use temporary DNS records, which are rotated every midnight. The DNS record is then reconfigured to a non-existent record. As a result of the 24-hour period, the initial DNS record is not captured by any online monitoring services, so the history of DNS records includes only the non-existent or invalid records. Consequently, the valid IP address of C2 severe is not recorded anywhere, and it would not be easy to find them.

This mechanism has been seen in the cases on January 28-29, 2023. Two builds with hardcoded DNS records were set to non-existent IPs after midnight. The next day, the new builds with new DNS records were released.

For example, deac48f968269bb5e75ceb9417f6680d8787a03ba0768e25d8716f189a079574 build has two DNS records (pkcds2cas7.ignorelist.com, pqw2vsi21mx74.twilightparadox.com) that led to 212.73.134.208. However, the DNS records were reconfigured to 127.0.0.2 from midnight on January 27-28, 2023. So, if you resolve the DNS records today, you cannot resolve the initial IP since the address is already untraceable.

The same case was seen from midnight on January 28-29, 2023, on the 5c1be24a5fa75b70c50515a061d2d3ce911b785188328408edc0a79dfc5e3173 build. The other two DNS records (trafficsearch.ddns.net, trafficanalyzer.bounceme.net) led to 94.140.115.129. The DNS records were also reconfigured to invalid IP addresses; namely 0.0.0.0.

Implementing this mechanism was probably not successful because the count of reported targets on the group telegram was lower on January 28, as Figure 3 demonstrates. Moreover, there were reported taken-down domains from the previous target configuration. Finally, the build that was released on January 30 contained hard-coded IP addresses of the C2 server (94.140.114.239).

Request Authentication

The second attempt to implement the protection mechanism was on March 7, 2023. The communication with the C2 server is also via HTTP, but a token mechanism was designed and realized. Therefore, anybody cannot download the target configuration (list of attacked domains) freely without authentication as before.

Figure 4. Authentication mechanism

The first communication with the C2 server is the login request, as described above in Figure 4. First, the request must include the header User-Hash, which users obtain during the registration process in the DDosia Project Telegram channel. The other necessary condition is data about the GeoIP of the bot. If the IP address or ISP of the given bot is on the blocklist (e.g. Avast), the authentication process ends with 401 Unauthorized. However, if the authentication is successful, the login request reruns the token in the string form.

The token is valid for approximately 15 minutes, and the constant 0xF must be added each time the token is used for the following requests to the C2 servers. The adjusted token is included in the HTTP header as a Time entry, and each response then consists of a new fresh token value.

C2 Architecture

The C2 architecture is dynamically changing. We noticed four IP addresses related to the DDosia project since the beginning of 2023. Three addresses are active web servers run on Ubuntu using nginx/1.18.0. More importantly, these web servers return the same target configurations and provide the services like logging into the botnet as well as reporting statistics to the attackers. The currently discovered C2 architecture of the DDosia project is shown in Figure 5.

Figure 5. C2 architecture

Using HTTP, the central C2 server (M) is contacted by proxy C2 servers P1 and P2 throughout port 5001. The DDosia bots reach the proxy servers also using HTTP via port 80, where requests are forwarded to the central server. Any suspicious outcome from the primary server has not been detected yet. However, one suspicious server or client communicates, especially with the primary and P2 servers. We recorded the most network activity of a suspicious IP (161.35.199.2) around February 14, 2023. The purpose of this suspicious machine is still unknown, but it can be a testing or monitoring service.

Besides the bots’ communication over port 80, we detected connections on port 22 for both proxy servers. The transmission on port 22 is not implemented in the bot executables we analyze, but our telemetry indicates a higher communication volume. However, most captured IPs contacting port 22 are suspicious due to port scans or SSH brute force attacks.

In addition, the C2 infrastructure relies heavily on proxy servers which contributes to the resilience of DDosia’s infrastructure. Nevertheless, our monitoring revealed that outages indicated by 502 Bad Gateway error responses from the proxy servers. The first significant disruption occurred during the deployment of the authentication mechanism. The outage lasted for several hours – the duration and the timing indicates that development issues may have been responsible. The root of the problem seems to be partially fixed as recent outages were resolved within one hour.

DDosia Tracking

We still continue to monitor the DDosia project targets and the count of users that have joined the project. We will publish detailed information about the targets, configurations, and volunteers in a subsequent post. Figure 6 illustrates a quick overview.

Figure 6. Attacked countries and trend of the joined users

We’ve also observed that DDosia’s community is steadily growing, though there can be doubts about the capacity new members can contribute. Nevertheless, it seems that in this specific case, a volunteer-based model is rather efficient and easier to manage than a malware-based botnet; however, its availability is probably enabled by the political circumstances.

Conclusion

It is evident that the project is still in development, and NoName057(16) is trying to improve the efficiency of the DDoS attacks. They are trying to move to a more efficient Go platform because the pilot variant written in Python was lacking in performance.

Many of the changes seem to be motivated by protecting the target configuration and C2 architecture secrecy. Hence, the latest version of DDosia bots has realized the authentication mechanism for C2 communication.

Our most interesting observation was probably the implementation of an update mechanism in the client since previous updates caused only short-term disruptions to the project’s effectiveness. This has also increased the resilience of the C2 mechanism, as it is no longer necessary to do a manual update after a server takedown. The update mechanism is still under our investigation. In a future blog post, we plan to release a more detailed analysis of the tracker’s historical data.

References

The post DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks appeared first on Avast Threat Labs.

Avast Q4/2022 Threat Report

9 February 2023 at 13:00

Zero-day attacks discovered in-the-wild, Arkei Stealer and LimeRAT boosting their presence, and continuation of pro-russian DDoS attacks

Foreword

Welcome to the latest edition of the Avast Threat Report, which covers Q4/2022. As we’ve closed 2022 and have entered 2023, we look back at the challenges of the final quarter of last year and the many new threats and malware strains that emerged during it. 2022 was a challenging year for cybersecurity, and its last quarter was no exception. The threat landscape continued to evolve at a rapid pace, and individuals as well as organizations of all sizes were faced with new and increasingly sophisticated attacks. In this report, we will take a closer look at the trends and developments that took place during Q4, providing valuable insights into the current state of cybercrime.

From my point of view, one of the most interesting things from Q4/2022 wasn’t directly related to malware (at least for now). I’m referring to the launch of ChatGPT, a chatbot developed by OpenAI. Some people have already started using it as a virtual assistant for creating short code sequences, explanation of assembly code, or even writing a paragraph in a report foreword (wink-wink). No matter the tool’s inaccuracy or how many generic phrases or false things it produces,  ChatGPT is already being analyzed by cybercriminals with malicious intentions. The creation of phishing messages as well as generating simple code snippets for script-kiddies is low-hanging fruit, but it’s too early to say how the malicious uses of ChatGPT will continue in the upcoming year.

Within more traditional threat topics, this report will focus on awesome discoveries of my colleagues who discovered, blocked, and responsibly disclosed two zero-days used in the wild by advanced threat actors (CVE-2022-3723 and CVE-2023-21674). Of a similar importance was a great hunt for Mustang Panda in Myanmar that we reported on in depth.

Furthermore, we will focus on a flood of DealPly adware that took place in Brazil and Europe. Similarly, there was a quadruple growth of the Arkei Stealer prevalence worldwide and triple for LimeRAT, especially in Asia and Latin America. Next, as Bitcoin was hitting its local lows in Q4/2022, the situation was dramatically different with malicious coinmining activity, where the Balkan states were especially heavily targeted. Moreover, technical support scams (TSS) peaked in this quarter.

Threat actors also demonstrated their creativity when dealing with deprecation of their favorite infection vector: Office documents. We already touched this topic in the Q3 Report, but the malware authors continued with their effort and employed techniques such as HTML smuggling, SEO poisoning, and the injection of Office templates in their latest malware campaigns.

The situation on mobile was also thrilling with the new Bully Facestealer or the BrasDex banker that automates fraudulent payments. At the same time, adware won (by a landslide) its number one position as the most prevalent mobile threat.

Unfortunately, ransomware still has not been eradicated. However, the fight against it continues with particular successes; for example, one of the Netwalker ransomware affiliates will enjoy  well-deserved jail time and we also decrypted the MafiaWare666 ransomware and provided a free decryption tool for its victims.

And finally, I can also recommend the story about DDosia, an attack tool developed and used by a pro-russian group, which also resulted in trying to interfere with the Czech presidential election in early January 2023. We hope you enjoy reading the following deep dives into each of the aforementioned threats and findings.

Jakub Křoustek, Malware Research Director

Methodology

This report is structured into two main sections: Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, including a special focus on web-related threats, and mobile-related threats, where we describe the attacks focusing on the Android and iOS operating systems.

Furthermore, we use the term risk ratio in this report to describe the severity of particular threats, calculated as a monthly average of “Number of attacked users / Number of active users  in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.

Desktop-Related Threats

Advanced Persistent Threats (APTs)

One of the most active APT campaigns was ShadowPad/ScatterBee, which spread in Pakistan during Q4/2022. Nevertheless, there was another APT campaign discovered by our team that was even more significant and impactful: A strong activity from Mustang Panda targeting Burmese government institutions and Burmese human rights activists. We gained new insights into their activities and campaigns, but their operations retain a similar modus operandi and targets. We recently presented our research on “Hitching a ride with Mustang Panda” at the AVAR conference.

Mustang Panda

We published a report on an espionage operation in Myanmar that we attributed to Mustang Panda. We also presented our findings on this operation at the AVAR conference for security researchers. According to our telemetry, we found that some of Myanmar government institutions were relentlessly attacked and breached. Mustang Panda was exfiltrating sensitive documents, recordings, and email dumps including scans of passports from Asian, American, and European citizens and diplomats applying for Burmese visas, from Burmese human rights activists Burmese government institutions.

The operation was identified when we discovered a distribution server linked to a malware infection in Myanmar. While the primary exfiltration path went through Google Drive, the files from Google Drive were later on moved to the distribution server. Once the threat actor retrieved the data from the distribution server, the data was deleted. This means that we could nevertheless access only a limited part of the data. Since the throughput was usually gigabytes of data per day, we have managed to establish a basic victimology to be able to inform affected parties.

While the used tooling contained Mustang Panda’s staples such as Korplug or Delphi USB installer, most of the discovered tools were rather simplistic and without sophisticated obfuscation. DLL side-loading has been a common theme for most of the tools found during the analysis.

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher

Adware

At the end of Q3/2022, we recorded the rapid rise of the adware activities that were continuing into the beginning of Q4/2022, as the graph below illustrates.

Global Avast  users protected from desktop adware from Q1/2022 to Q4/2022

The rise at the turn of the quarters is an effect of the DealPly adware that we introduced in the previous Q3/2022 Threat Report. The DealPly family is classified as an unwanted application because it can be installed silently with some other browser extensions and free software but also via malware.

In Q4/2022, DealPly’s risk ratio was higher in most countries compared to the previous quarter. The risk ratio for DealPly adware remained the same or slightly increased in Asia, but there are some outliers. The DealPly risk ratio increased in South and Southeast Asia; namely India, Myanmar, and Indonesia. A more significant increase in DealPly’s risk ratio was also observed in many European countries. As animated in the map below, we registered a most significant increase in South and North America, especially in Brazil.

Map showing global risk ratio for DealPly adware in Q3/2022 and Q4/2022

The risk ratio for all adware strains is slightly higher than in Q3/2022, although the map below visually demonstrates a considerable spread of adware. The extreme peak of the DealPly adware activity explains this phenomenon. However, there’s a downward year-round trend of adware activity.

Map showing the global risk ratio for Adware in Q3/2022 and Q4/2022

Adware Market Share

The clearly identified market leader in adware remains DealPly, which has a 30% share. We assign orders of lower magnitude shares to other strains as follows:

  • BrowserAssistant (5%)
  • RelevantKnowledge (4%)
  • DownloadAssistant (3%)
  • ICLoader (2%)

However, other unknown strains covered up 30% of the market share in Q4/2022. The strains have a common behavior that waits for a user to click on an arbitrary hyperlink and replaces the original link with one redirecting the user to advertising websites.

The list of the most-seen ad servers and their percentage representation in the wild is as follows:

  • naigristoa[.]com (48%)
  • ptuvauthauxa[.]com (35%)
  • oovaufty[.]com (8%)
  • go[.]ad2upapp[.]com (4%)
  • saumeechoa[.]com (2%)

Mostly, adware leads on websites to download free software or offer other products. It’s a business model of online spammers that isn’t particularly dangerous from a security point of view; however, it’s terribly annoying for users. What’s more, the theft of personal data, including payment cards, can be hazardous because some ads convince victims that they have won and require contact and payment information. Furthermore, there is still a not negligible group of adware loading inappropriate content with harmful scripts. Adware can then take control of the system and deploy malware, e.g., ransomware, spyware, RATs, etc. Therefore, the presence of adware is a reason to increase attention and secure one’s system with an antivirus program.

Martin Chlumecký, Malware Researcher

Bots

The story of the DDosia project still continues. DDosia is the project of the Russian NoName057(16) hacker group that recruits volunteers to carry out DDoS attacks. This project marked a change in the direction of the said group, as it eventually replaced the Bobik botnet with a project relying on volunteers. At the beginning of December, DDosia’s C&C server was taken down; nevertheless, the group still shares information about their attacks and promotes their project. For this reason, we presume that a new C&C server was set up. Since we started tracking the project on August 1, 2022, we have seen more than 2,200 DDoS targets (390 of which the group referred to as successful), yielding a 17% success rate with approximately 1,000 participants. 

If we account for the related, partially coexistent Bobik botnet,  we arrive at around 1,400 targets and 190 successful botnets, slashing the success rate to 13%. DDosia also targeted sites associated with the Czech presidential elections, which took place on January 13-14, 2023. Websites of presidential candidates and others presenting the election results were found among the targets being distributed within the DDosia project. Fortunately, given the way the election results are calculated and distributed, even long-term unavailability of the sites wouldn’t affect the election results, and media would be notified through special channels.

We’ve seen some new tricks in the world of malicious documents. If we look at Emotet as an example, the malware uses malicious documents to trick users into manually copying the document into a Microsoft Office Template folder and launching it from there. Since the folder is a trusted location, the usual execution protection is disabled; therefore, opening the document from this folder will trigger the execution of the macros contained within it.

Emotet has also been productive in the evasion technique development. It started to use timers to incrementally proceed in a payload’s execution. We have also observed changes in its communication protocol that are not backward compatible with the previous version of the protocol. As if that wasn’t enough, Emotet has been responsible for the significant peak (see graph below) in the botnet-related risk ratio in early November when it launched a massive spam campaign that mostly utilized variants of Microsoft Excel files (XLS).

Qakbot has also been busy this quarter. The botnet started to use so-called HTML smuggling to hide an encoded malicious script within email attachments. More specifically, they started to abuse SVG images to hide malicious payloads and the code used for their reassembly. Once the user opens the attachment in the browser, the browser launches the code hidden inside the SVG image which, in turn, reconstructs the payload hidden inside the SVG image. The user is then prompted to save a file by the browser and instructed by the “cover” data to open the file. Since the malicious payload is reconstructed on the device, this technique presumably aims to bypass security solutions relying on network traffic analysis.

Global risk ratio in Avast’s user base in regard to botnets

As for general trends, we’ve seen a significant increase in Qakbot and Amadey’s activity, which has more than doubled. In spite of its massive spam campaign, Emotet has gone through a slight decline. Interestingly, an older .NET open-source botnet, BlackNET, has also seen a significant rise in its activity, which has doubled in comparison to the previous quarter.

Adolf Středa, Malware Researcher

Coinminers

Cryptocurrencies experience difficult times. After turbulent events, such as the bankruptcy of FTX in November 2022, the prices are marking similar low values as at the end of 2020. The same goes for the coinminer activity, as we’ve observed a slight overall decrease (-4%) once again during Q4/2022.

Global risk ratio in Avast’s user base in regard to coinminers in Q4/2022

Following the last quarter, users in Serbia were once again most at risk of encountering a coinminer in Q4/2022, with a massive 7.44% risk ratio. The risk ratio of users in Montenegro was 5.99%, followed by Bosnia and Herzegovina with a 3.96% risk ratio, and Madagascar with 3.90%. In Q4/2022, Avast saw a high increase of coinminer activity in Indonesia, resulting in a 46% increase in protected users.

Global risk ratio for coinminers in Q4/2022

Traditionally, web miners are still on the top of the coinmining food chain with 66% market share, followed by XMRig with 18.42% market share, which increased by 18% compared to the previous quarter. KingMfcMiner continues to grow, having increased its market share by 47% in Q4/2022 (this resulted in a 44% increase of protected users).

The most common coinminers in Q4/2022 were:

  • Web miners (various strains)
  • XMRig
  • CoinBitMiner
  • VMiner
  • SilentCryptoMiner
  • CoinHelper
  • NeoScrypt

Jan Rubín, Malware Researcher

Information Stealers

Q4/2022 brought a significant increase in Arkei (also known as its fork Vidar) information stealer, where we protected a whopping 437% more of our users against this threat. We also noticed a respective 57% and 37% increase of users protected against AgentTesla and RedLine stealers. Thankfully, the overall activity of infostealers decreased by 6%, following the trend of the previous quarter, which was mostly due to a decrease in FormBook activity.

Global risk ratio in Avast’s user base in regard to information stealers in Q4/2022

Regarding the risk of being infected by information stealers, the most impacted countries are Yemen, Afghanistan, and Mali. We also protected 21% and 15% more users in Yemen and Afghanistan, respectively. The biggest increases of protected users happened in Mongolia (41%) and Poland (40%).

Global risk ratio for information stealers in Q4/2022

In Q4/2022, AgentTesla and RedLine were two highly prevalent strains that competed for the second and the third place regarding market share. AgentTesla came in at 15% market share, while RedLine recorded 13%. FormBook still holds the first place with 18% market share, which is a 28% decrease from the previous quarter. After its increase in activity, Arkei now holds 5.21% market share. Despite the ongoing popularity of Raccoon Stealer, which has a 6.26% market share, we noticed a decrease in its activity by 22% during this past quarter.

The most common information stealers in Q4/2022 were:

  • FormBook
  • AgentTesla
  • RedLine
  • Lokibot
  • Raccoon
  • SnakeKeylogger

ViperSoftX spreading VenomSoftX

ViperSoftX is a long-standing information stealer that is undergoing intensive development, providing further malicious functionality in each version.

This multi-stage stealer exhibits interesting hiding capabilities. It’s often concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking log files. ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, and fingerprinting the infected machine as well as downloading and executing arbitrary additional payloads or executing commands.

One of the payloads that ViperSoftX distributes is a specific information stealer that comes in the form of a browser extension for Chromium-based browsers. Due to its standalone capabilities and uniqueness, we decided to give it its own name: VenomSoftX. The malicious extension is highly capable of carrying out  a broad range of malicious activity: It provides full access to every page the victim visits, carries out man-in-the-browser attacks to perform cryptocurrency address swapping by tampering with API requests’ data on popular cryptocurrency exchanges, steals credentials and clipboard content, tampers with crypto addresses on visited websites, reports events using MQTT to the C&C server, and more.

As of November 8, 2022, the wallet amounts that ViperSoftX and VenomSoftX redirect stolen cryptocurrencies to summed up to $130,421. This is only the amount sent to cryptocurrency wallets and doesn’t include additional potential profits from other activities.

In Q4/2022 alone, Avast protected more than 18,500 unique users from ViperSoftX, where the most impacted countries are India (more than 1,400 protected users), United States (1,200 protected users), and Italy (1,100 protected users).

Countries targeted by ViperSoftX in Q4/2022

Raccoon Stealer in the News

Throughout Q4/2022, we continued to closely monitor Raccoon Stealer, and it isn’t going away anytime soon. One of the news that circulated was the arrest of Mark Sokolovsky, a supposed core developer of Raccoon Stealer, which had happened during March, 2022, in the Netherlands. As we reported previously in Q2/2022, the actors behind Raccoon Stealer announced that their team member died during the war in Ukraine and, thus, they are pausing the development of this infamous malware. However, it is now apparent that the developer was in-fact arrested when he had fled Ukraine.

Funnily enough, as reported by many sources, the key to Sokolovsky’s arrest was actually his girlfriend, who published vacation pictures of the two of them on her Instagram channel.

However, as we described in Q2/2022, Raccoon Stealer authors resumed their activity in late June 2022 when they announced Raccoon Stealer 2.0. Their increased activity was reflected in the fact that the group’s popularity has grown in the underground scene as well – around the beginning of November 2022, Lockbit ransomware group expressed interest in buying source code of Raccoon Stealer.

Jan Rubín, Malware Researcher

Ransomware

Every quarter, we summarize a total number of users that we’ve protected against ransomware (and other threats, too). Continuing from Q3/2022, the number of daily ransomware attacks detected has been slowly declining. During Q4, the total number dropped by 17%.

Global Avast users protected from ransomware in Q3/2022 and Q4/2022

Have you ever wondered why the graph has the shape of a low-quality chainsaw? This effect comes down to ransomware’s weekly cycle – weekends are when activity is lowest. What’s more, fewer devices are used during weekends, so this also counts toward the Saturday and Sunday slowdowns.

Ransomware Overview

The list of countries with the highest risk ratio hasn’t significantly changed since Q3/2022. In most countries on the list, the number of attacks is declining. The only exception was Afghanistan, where the risk ratio is rising (this made Afghanistan an infamous victor of Q4/2022):

  • Afghanistan (+45% quarter to quarter)
  • Papua New Guinea (-18%)
  • Mozambique (-13%)
  • Ghana (-11%)
  • Angola (+6%)
  • Vietnam (-40%)

It’s worth noting that France also showed a 15% increase in risk ratio.

Ransomware Strains

STOP and WannaCry are the top two winners of the market share. Other ransomware strains show single-digit market share or lower:

  • STOP (21%)
  • WannaCry (20%)
  • Thanatos (2%)
  • HiddenTear (1%)
  • Magniber (<1%)
  • TargetCompany (<1%)

Stories

There’s no doubt that ransomware is a business. Ransomware gangs work as companies: They have their own managers, teams, websites, and blogs, and they even give interviews. But make no mistake – ransomware gangs are still very much illegal businesses. This was demonstrated by the court of Florida, who sentenced an affiliate of the Netwalker ransomware, Sebastien Vachon-Desjardins, to 20 years in prison for his attacks on an unspecified company in the state’s city of Tampa. Furthermore, $21.5 million were seized. We have no doubt that a 20-year sentence is a good warning to cybercriminals.

Although the Sodinokibi/REvil ransomware has been dead for almost a year, researchers from Palo Alto Networks suggested that it might have reincarnated as a different gang, called Ransom Cartel. This assumption is based on similarities between Ransom Cartel and Sodinokibi code. Also, some of Ransom Cartel’s file sharing links are the same as those previously used by the Sodinokibi gang. Because the source code of Sodinokibi never leaked, Ransom Cartel either tried to mimic Sodinokibi ransomware or they possessed the source code themselves.

LockBit ransomware keeps bringing news in Q4/2022. This gang stands behind many attacks:  Asian Reinsurance Corporation, Porto de Lisboa (Port of Lisbon Administration), the UK’s Royal Mail, German multinational automotive group Continental , U.S. rail giant Wabtec Corporation, and the UK car dealer Pendragon. The ransom demand spans from tens of thousands of dollars (Asian Reinsurance Corporation) to $1.5 million (Porto de Lisboa) all the way to $60 million (in the case of Pendragon).

The LockBit gang commonly extort internal data of attacked companies and threaten to publish them if the ransom is not paid. And Lockbit follows through on this – for every attacked company, the gang has an entry on their blog and publish the data to anyone who is willing to pay the requested amount.

There was one attack that was different from the others. On December 18, 2022, the SickKids hospital was breached and their data encrypted. Two days later, however, the ransomware gang apologized for attacking the hospital. As part of their apology, they fired the gang member responsible for the attack and released a decryptor for free. The hospital later confirmed that they restored almost 50% of their encrypted data.

Although this might have come across as a thoughtful gesture during the Christmas season, we still hope that one day, LockBit members will stand at a court, just like the Netwalker affiliate did.

Apart from LockBit itself, there are also clones that emerged from the leaked LockBit builder. One of them was a pair of gangs called TommyLeaks and SchoolBoys. Those two gangs are actually one ransomware gang, as they use the same style of the negotiation site (the reasons for which remain unclear). 

During Q4/2022, Avast helped victims of the MafiaWare666 ransomware by releasing a free decryptor for this strain.

Ladislav Zezula, Malware Researcher
Jakub Křoustek, Malware Research Director

Remote Access Trojans (RATs)

Compared to what we reported in Q3/2022, not much has changed in Q4/2022 in regards to remote access trojans (RATs). The most prevalent threats remain mostly the same as well as the list of countries with a high chance of RAT infection. The safest countries, according to our data, also changed only slightly.

Global risk ratio for remote access trojans in Q3-Q4/2022

In Q4/2022, France and the United States saw a large decrease in risk ratio, by 43% and 45% respectively, making them the safest countries in this quarter together with Switzerland and Japan. A similar level of decrease was observed in the Czech Republic (46%) and Austria (47%). New Zealand takes first place in this quarter with the risk ratio dropping by 56%.

On the other hand, the countries most in danger of RAT infection are Afghanistan, Iraq, and Yemen. The list is the same as in Q3/2022. The biggest increase in risk ratio happened in Algeria (22%), Iraq (13%), and China (11%). HWorm followed by njRAT are the most prevalent threats in Algeria and Iraq, while in China, it is Gh0stCringe and Havex.

Countries with the highest risk of RAT infection in Q4/2022

The most prevalent RATs in our user base in Q4/2022 were:

  • HWorm
  • Warzone
  • njRAT
  • Remcos
  • NanoCore
  • AsyncRat
  • NetWire
  • QuasarRAT
  • LimeRAT
  • DarkComet

The list of top strains that we saw in Q4/2022 is nearly identical to what we reported in the previous quarter. njRAT dropped by one place on the list since it lost a considerable amount of its market share. We are unsure what caused the drop overall, but we have seen a campaign targeting Italy, France, and the USA. Similarly to Q3/2022, we saw a Warzone campaign in Hungary and a NetWire campaign targeting South Africa. Furthermore, Brazil and Argentina were hit by a campaign distributing QuasarRAT.

Other RATs with a significant increase in prevalence in Q4/2022 include:

  • LimeRAT (299% increase)
  • Gh0stCringe (122%)
  • Nymeria (90%)

Based on our research, LimeRAT is still on the rise. Just as in Q3/2022, its prevalence was going up during Q4/2022. LimeRAT is mostly active in South and Southeast Asia as well as Latin America. Second on the list is Gh0stCringe, which was active almost exclusively in China with some infections in Taiwan and Hong Kong. Another strain with a big increase is Nymeria (also known as Loda). We see Nymeria spreading mainly in Turkey, Italy, and Mexico.

Our researchers discovered a new Nukesped RAT malware sample of The Lazarus group (APT38) for Linux operating systems and determined that the threat actor compiled the malware in a Red Hat 4.8.5-39 machine. This means that Nukesped RAT was not only written in Objective-C for MacOS (as found by previous investigations when analyzing similar samples) but also for infecting Linux machines.

Researchers from Zimperium zLabs discovered a new malicious browser extension called Cloud9, which acts like a RAT. This extension is quite capable and includes features ranging from stealing information like cookies, monitoring clipboard for passwords and credit card information, logging keystrokes, sending web requests, injecting ads, mining cryptocurrency to executing JavaScript code, and even exploiting browsers to take control of the entire device. The extension has exploits ready for Firefox, Internet Explorer, and Microsoft Edge. Although Cloud9 was not found in any of the official browser extension stores, it does spread via fraudulent Adobe Flash Player updates and by side-loading through malicious executables.

During Q4/2022, there may have been a shift in campaigns targeting Linux machines to mine cryptocurrency. The chain of events remains mostly the same (removing competition, deploying own mining malware, and setting persistence), but Trend Micro noticed a campaign which includes an unusual extra step in deploying a RAT. CHAOS RAT is a publicly available remote administration tool written in Go. The set of features allows for complete control of the infected device, as is common with RATs. CHAOS RAT itself isn’t new – it has been around for several years. However the shift from only mining cryptocurrencies to also possibly taking control of the whole device is both intriguing and concerning.

The Cyble Research and Intelligence Labs team spotted a new feature added to Venom RAT. According to them, the latest version of Venom RAT contains a stealer module which allows stealing information from various browsers. This means that it can now steal users’ cookies, passwords, and various other pieces of information that can be found in a browser. The malware is specifically interested in websites related to cryptocurrencies, banks, and adult content. Venom RAT can also steal credit card information. It can identify the most common types of credit cards by regular expressions.

RomCom is another threat actor which uses spoofed versions of popular software to distribute the RomCom RAT as reported by BlackBerry (and in a follow-up post). There are multiple known tools abused this way: Advanced IP Scanner, PDF Filler, SolarWinds Network Performance Monitor, KeePass, and PDF Reader Pro. The threat actor creates a fake website that offers a download of a trojanized version of the original tool. The website, including the domain where it’s hosted, looks nearly identical to the genuine one. The download bundle usually contains a RomCom RAT dropper and the original installer. According to BlackBerry’s research, features of the RomCom RAT include (but aren’t limited to) gathering information about local systems including taking screenshots and exfiltrating this data.

Ondřej Mokoš, Malware Researcher
David Álvarez, Malware Analyst

Rootkits

Rootkit activity continued to  decline in Q4/2022. It’s evident that the rootkit activity during all of 2022 took a downward trend, as is shown in the chart below.

Rootkit risk ratio in Q1-Q4/2022

The distribution trend of rootkit strains confirmed our expectation that the primary strain in Q4/2022 (as well as the entire year) was the R77RK rootkit developed by the bytecode77 group. The market share of R77RK increased by about 43% compared to Q3/2022. Thus, R77RK held 56% of the total market share in Q4/2022. The chart below confirms the majority of the R77RK rootkit in Q4/2022.

Global rootkits vs. R77Rootkit risk ratio in Q4/2022

The map below displays R77RK’s activities in Q3/2022 and Q4/2022. In short, the R77RK’s activities moved from Northern Asia to North America. More specifically, we observed a significant increase in protected users in Colombia, Malaysia, Spain, Italy, and Mexico. On the other hand, the decrease of protected users is considerable in Ukraine and Turkey.

Global distributions of R77Rootkit activities in Q3/2022 and Q4/2022

In detail, Avast Threat Labs monitors R77Rootkit as the dominant rootkit strain in 2022, including its open-source repository. In Q4/2022, two new R77RK releases affected the prevalence of this strain at the beginning of the quarter, as is illustrated in the chart above. The first of the releases reduced the size of the rootkit by 50% and fixed an important bug in the NtDeviceIoControlFile hook. Furthermore, the second release implemented code for the Windows Defender AMSI bypasses. These changes boosted the prestige of the rootkit, and the new features made the rootkit the most widespread and well-documented tool that can be easily abused for malicious activities. Fortunately, the open-source tools are highly detectable.

Global risk ratio for rootkits in Q4/2022

In Q4/2022, the global risk ratio of all rootkits is the same as in Q3/2022, and China remains the country where users have the highest risk of encountering a rootkit. This past quarter confirmed that R77RK is still 2022’s most popular open-source rootkit in the wild.

The remaining four identified strains of rootkits represent about 13% of the market share; however, these strains are on the decline. For completeness, the rootkit strains and their market shares are listed as follows:

  • Alureon (4.71%)
  • Perkesh (4.29%)
  • Vrbone (2.03%)
  • ZeroAccess (1.63%)

Martin Chlumecký, Malware Researcher

Vulnerabilities and Exploits

We discovered two sophisticated, zero-day exploits in the wild in Q4/2022. The first, CVE-2022-3723, was a type confusion in V8 and was used to carry out a remote code execution (RCE) attack against Google Chrome. On October 25, we reported this vulnerability to Google, who quickly rolled out a patch in just two days. The second zero-day was CVE-2023-21674, an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this one in the January Patch Tuesday update.

While these two vulnerabilities could have been chained together for a full RCE chain against Chromium-based browsers on Windows, we actually discovered them in two completely separate APT attacks. The CVE-2022-3723 exploit was chained with an n-day sandbox escape exploit for CVE-2020-0938. This attack was designed to target 32-bit Windows 7 and it would not work against later Windows versions because of mitigations such as win32k lockdown. CVE-2023-21674 was chained with an exploit for an unknown vulnerability. This was most likely a zero-day Chrome renderer RCE, which we unfortunately did not manage to recover because the exploit code was well protected by the attackers. We are still hunting for this and other exploits, and we hope we will be able to find it in the future so that we can better protect our users even against extremely well-resourced attackers.

When Blockchain is Not Truly Decentralized

One of the perks of cryptocurrencies is the fact that the blockchain they’re built on top of is decentralized and therefore can’t be stopped. Or can it? 

In early October, Binance announced that two million BNB coins were stolen thanks to a bug in a cross-chain bridge that allows transfers between different blockchains (BEP2 and BSC in this case) being exploited. The vulnerability allowed attackers to mint new coins; therefore, no user funds were lost. 

The fact that the attackers were able to create approximately $568 million in BNB coins for free isn’t the reason we mention this hack. What’s more significant is the fact that Binance was able to protect 80% of the coins by reaching out to all validators and requesting to stop the validation, effectively stopping the whole blockchain. This was quite an unprecedented move that demonstrated that blockchain technology on its own is not as resilient and secure as was declared and strongly depends on the distribution of validators/miners. 

Insekt/Alchimist

In October 2022, Talos discovered a new attack framework called Alchimist along with a new malware called Insekt with remote administration capabilities. This is a cross-platform attack framework written in Go. On MacOS systems, it can use the implementation of the privilege escalation vulnerability (CVE-2021-4034) and the malware can provide a backdoor into the victim’s system.

Jan Vojtěšek, Malware Reseracher
Michal Salát, Threat Intelligence Director

Web Threats

In recent months, the cyber threat landscape has expanded significantly. Technologies such as smart devices and high-speed mobile networks have allowed for an always-connected vector of malware, fraud, and other complications. Every day, users rely on the internet more and more, and with that, they have to deal with a variety of potential threats that can lead to compromised accounts, lost money, or deleted personal data. From simple scam emails to bothersome push notifications, we’ve seen increased activity in these areas.

Refund and Invoice Scams

Another type of web threat that our users have often encountered are refund and invoice scams. Refund fraud covers a broad range of possible scenarios, including fraudulent emails alerting users that they have been charged twice for the service or product. These emails also contain links for users to request a refund, or alternatively, a phone number is provided for users to call fake support.

Businesses are popular targets for invoice fraud. In these scams, criminals send bills for goods or services that the business never ordered or received. The scam succeeds mainly because the invoices look legitimate and unsuspecting employees don’t look closely to see it’s not real. They simply make the payment thinking that someone else in their company placed the order.

Refund and invoice scams during Q4/2022

Looking at the graph above, it’s clear that the overall trend of refund and invoice scams during the quarter was positive. November was 14% more active overall compared to October and in December, Avast protected 22% more users against these threats.

A typical example of a fake email invoice.

In general, our data shows that the invoice scam technique spread via spam emails is far from obsolete. In fact, the opposite is true. When a victim is on the phone, the attacker can use his social engineering skills to elicit the user’s trust, similar to the technique used in technical support scams (TSS).

Technical support scams

Since September 2022, when we saw increased activity of TSS, this trend continued until the end of December, when activity began to decline slightly. In comparison with the entire year, the activity of technical support scams during the last two months of the year was very high.

Global Avast users protected from tech support scams in Q3-Q4/2022

The top affected countries remained the same as in Q3/2022. These countries include the United States, Brazil, Japan, Canada, and France.

Global risk ratio for technical support scams in Q4/2022

Web-based Adware

The presence of web-based adware was also strong in Q4/2022. Here are some of the notorious examples seen during the quarter.

Personal and Payment Information

One example of how attackers effectively extort information from users is the promise of an easy win. The figure above shows one adware website. Here, the user spins roulette and wins, but it’s necessary for them to insert contact information and pay a symbolic handling fee using a credit card or Google/Apple Pay account. The website also includes a fake comments section to increase the credibility of this offer (see the figure below). Chat participants, including their names and photos, are entirely fictitious. Moreover, the discussion is often localized based on the geolocation of a victim’s IP.

Free Movies

Users also continue to search for free movies to watch online, and this is another excellent opportunity for adware action. In these attacks, the user is redirected to an adware website on which a “web player” starts to play the Universal Studios intro theme (see the example below).

The web player looks very realistic, but in reality, it’s a frame containing animation which creates the illusion that the movie has started playing – it even includes buffering in the progress bar. However, the movie gets frozen after a few seconds, which gives the impression that the film has stopped. At this point, the user is psychologically forced to click into the window, and they’ll be redirected to an unwanted or malicious page (see details above).

Security Warnings

This example is about spammers and attackers abusing the fear of fictitious security warnings to make users click and download a tool that “resolves” a security issue. It’s necessary to note that not all of the offered tools are dangerous, but they are located on the pages foisted by adware.

Alexej Savčin, Malware Analyst
Martin Chlumecký, Malware Researcher

Mobile-Related Threats

We have an interesting quarter behind us in the world of mobile threats, with several new discoveries of up-and-coming malware trying to pry a piece of the mobile pie. Whether it was a new Bully Facestealer grabbing victim logins through JavaScript browser injections or BrasDex, a banker that automates fraudulent payments and has links to a Windows banker, it’s evident that malware actors have been busy yet again. Alongside these discoveries are some insights on what established malware strains are up to, whether they are on the rise or decline and what their newest version brings.

We’ve picked the most prevalent families of malware on mobile devices according to our metrics and provide some hopefully useful and interesting insights based on those internal metrics coupled with pointers to the aforementioned new discoveries. Read on to find out more.

Adware

Q4/2022 was yet another quarter where adware continues to rule the mobile threat landscape, having the highest number of affected users. Using inventive ways to bring in advertising revenue, adware finds ways to sneak onto user devices and displays intrusive ads. The user is often unaware of the source of these ads, as adware uses several tricks to sneak onto the victim’s device and then proceeds to hide out of the victim’s sight.

HiddenAds rank at the top of the adware strains, utilizing victim’s devices to display out-of-context ads that often block the whole screen even when browsing or otherwise using the device. Of note is a new version of HiddenAds was discovered by Malwarebytes on the Play Store. It masquerades as a variety of Bluetooth utility apps, then proceeds to open up advertisements and even phishing sites in the background of Chrome browser. Victims open up their browser to be met with an unpleasant surprise. 

HiddenAds opening up phishing websites with push notifications that lead to further malware

Coming in at second place, FakeAdBlockers keep staying true to their name, bringing in extra unwanted adverts instead of blocking them. Upon installation, they tend to disappear from the home screen and start their malicious activity with a few hours delay. Contrary to HiddenAds, they keep spreading through unofficial channels, such as notification alerts from infected websites that attempt to coerce the victim into installing this adware. Both strains often imitate games, camera filters, and wallpaper apps, among others. Users are advised to avoid third-party stores and unknown websites for application downloads in order to avoid adware or even other malware.

A newcomer this quarter is LiveClick, discovered by McAfee. It comes disguised as a variety of utility apps such as notes or a flashlight app. Once installed, it delays its malicious activity until it senses that the device is not in use. Silently, in the background, it starts opening up specific websites and imitating user behavior to simulate clicks on adverts, bringing in advertising revenue to the malicious actors. While not directly affecting the user experience, this adware will lead to increased power use of the device as well as higher network traffic, which may be an issue for victims with a limited data plan. It also undermines the mobile advertising ecosystem with fake clicks.

Global risk ratio of mobile adware in Q3/2022-Q4/2022

We have observed a mild decline in the number of affected users since last quarter. While adware continues to dominate the mobile threat landscape, this likely points to a weakening of adware infrastructure and increased difficulty in accessing the Play Store with new strains of HiddenAds. It remains to be seen if this trend will continue into 2023.

Global risk ratio for mobile adware in Q4/2022

Users in both Americas, Asia, and newly, Europe, are most likely to face adware threats. Brazil and India maintain their top spots in the adware category, while the United States has gone down to sixth place. Of note is that Italy and Spain have also reached the top 10 most affected countries by adware. With Italy being the only outlier (a 16% increase), we see a drop in affected users for most countries, with a more than 30% drop in India, Brazil, and Mexico. Despite this, adware is still the most common threat that mobile phone users must contend with today.

Bankers

The banker sphere sees little change compared to last quarter. Cerberus/Alien keeps its top spot by protected users, followed by Hydra, RoamingMantis, and Flubot. Only Hydra maintained its numbers this quarter, while the rest lost over 25% on average (with Flubot ceding over 35% of its victim base, according to our metrics). The continued positive effect of the Flubot group disbanding by Europol can be clearly seen here; judging by the decreasing numbers, it is likely the general banker infrastructure has been affected as well.

Continued reliance on SMS phishing seems to have less effect, as the banker sphere is on a long-term downward trend in terms of affected users. While delivery methods haven’t really changed, some new techniques were used by BrasDex, a new banker targeting Brazil discovered by ThreatFabric that appears to share C2 dashboards with Windows banking malware, Casbaneiro. Using accessibility features of victim’s devices to take them over and monitor all inputs, the banker is able to automate fraudulent payments that can be sent in seconds through a popular payment platform. This potentially allows for a large scale of money extraction from the victim’s accounts. We’ll have to wait and see if Brazil will face more of these targeted bankers.

BrasDex banker attempting to gain accessibility privileges to initiate its malicious activity

Of note is the discovery of Vultur and Sharkbot bankers being delivered via droppers on the Play Store, gathering hundreds of thousands of downloads before being removed. Both bankers employed fairly novel methods of payload delivery or detection avoidance. In the case of Vultur, the Brunhilda dropper used steganography (hiding secret data within an ordinary file) to avoid detection. Some time after installation, it delivered its payload under the guise of an app update, allowing extensive access to the victim’s device. The dropper that delivered Sharkbot bankers would only send the payload to a limited number of victims in specific countries – and only if they had target bank apps installed. While limiting its reach, it’s less likely to be discovered this way, allowing it to stay on the Play Store longer.

According to our findings, there is an evident long-term downward trend in the banking sphere. We observed a drop of 20% in affected users in Q4/2022 compared to Q3/2022. We attribute this to Flubot’s demise as well as decreased effectiveness of established methods of banker payload delivery.

Global risk ratio of mobile bankers in Q1/2022-Q4/2022

Top affected countries stay the same this quarter: Spain, Turkey, and France have the most affected users by banker malware on mobile devices. On average, we’ve seen a 25% decrease in affected users in top countries. Of note is Brazil, where we saw an 84% increase in affected users, likely due to the new BrasDex banker.

Global risk ratio for mobile bankers in Q4/2022

TrojanSMS

Mirroring last quarter, UltimaSMS and GriftHorse have fully disappeared from the mobile sphere, while SMSFactory and Darkherring remain the top strains of the TrojanSMS family in Q4/2022. We’ve also seen some more generic and less sophisticated applications affecting increased numbers of users.

TrojanSMS generally relies on premium SMS subscriptions or sending SMS messages to premium numbers to rob victim’s of their money. Coupled with stealth features such as hiding their icon, deleting a sent SMS, or even simulating functionality, this malware can remain undetected or forgotten on victim’s devices and continue siphoning money to their creators. 

As mentioned last quarter, due to its method of spread, SMSFactory continues to be prevalent and keeps spreading to new devices. It has again gone through some minor adjustments and changes in delivery websites, but it remains the top TrojanSMS strain worldwide. Surprisingly, DarkHerring, which originally propagated on Play Store, appears to be resurging in numbers due some applications reappearing on third-party stores and fake app stores. We are possibly seeing some attempt at resurrecting the strain by adjusting its method of spread.

While this quarter has been reasonably quiet in terms of new discoveries, an interesting find by EvinaTech on the Play Store showcased a different type of TrojanSMS as compared to the previously mentioned strains. As a fake SMS messenger, in actuality it uses the victim’s device as an SMS relay for account creation on popular sites such as Google, Facebook, and Microsoft. It asks for the victim’s number, then shows a fake loading screen that leads nowhere. While the loading screen is up, the malware creates fake accounts for the aforementioned sites by using the device’s SMS functions. Users generally uninstall the application as it appears stuck on the loading screen, but its role is already fulfilled. It remains to be seen if this type of account creating malware will reappear in the future.

Fake screen displayed to the user while the malware sends SMS in the background

Brazil maintains its top spot in terms of protected users, followed by Russia, Egypt, the United States, and Ukraine. Only Egypt has seen a 12% increase, while the other top countries see a varied decrease in affected users. Iraq and Azerbaijan have the highest risk ratios, as can be seen in the map below.

Global risk ratio for mobile TrojanSMS in Q4/2022

We’ve observed a 32% decrease in protected users in Q4/2022, likely due to the lack of new entries into the TrojanSMS family coupled with the exit of UltimaSMS and Grifthorse that were widespread late last year and early this year.

Global Avast users protected from mobile TrojanSMS in Q3/2022-Q4/2022

Spyware

A persistent threat to users worldwide, Spyware continued its spread in Q4/2022 with a continuation of previously discovered variants such as Spymax, malicious WhatsApp mods, and FaceStealer.

As evident from its name, Spyware spies on its victims, invading their digital privacy with the intent to misuse their details, activity, photos, messages, location, and other personal information. Login credentials, banking details, and crypto wallet addresses are often part of the steal as of late. Spymax has slowly been evolving to acquire most of these over the years and continues to do so this quarter. Often coming in heavily obfuscated, it imitates the names and icons of popular applications but is indeed a malware attempting to hide its true purpose. SMS and malicious redirects feed this malware to unsuspecting victims, and it remains the most prevalent spyware this quarter.

FaceStealer, a more recent addition from last year, has continued its spread, albeit with a lower number of affected users. Its intent is mainly to steal login credentials to popular social media, with more recent strains expanding this intent to other platforms as well. With a variety of FaceStealer applications discovered early this quarter by Meta, we are continuously observing smaller intrusions of this malware on the Play Store. While smaller in impact on their own, even a few users falling victim to this malware can cause a great amount of personal harm. Towards the end of the quarter, Zimperium reported on a larger wave of FaceStealer, dubbed Bully, on the Play Store. Disguised as book reading applications, this strain was primarily targeting Vietnamese users. Using JavaScript injection into the WebView browser, it was able to hijack the legitimate Facebook login screen and steal user credentials. Various obfuscation methods are used to disguise the strings before they are sent to their C2 server.

Facebook login in WebView with injected JavaScript that harvests user logins

Spyware WhatsApp mods have also contributed to the damage done this quarter, with new malicious modifications being discovered by Kaspersky. Imitating a popular modification, the actors behind the malware were able to sneak adverts for their trojanized mod onto popular ad platforms. Once installed, it would act as the original modification but install other malware with it. Alongside this, it would steal private keys related to the WhatsApp account, which could be used to steal the account itself. As per last quarter, we advise users to avoid downloading modifications for WhatsApp or other messengers, as they generally do not come from an official app store. This means that there are no security checks in place and users don’t know what the modification could contain. Whatsapp’s FAQ warns that it could also lead to a suspension or an account ban.

We record the most protected users in Brazil, India, Egypt, the United States, and Turkey in Q4/2022. The top five affected countries remain unchanged from last quarter. Brazil and Turkey both see an increase in affected users, while Egypt and India see a reasonably sharp decline. Users in Yemen are most at risk of encountering spyware, as can be seen in the map below. 

Global risk ratio for mobile spyware in Q4/2022

A slight downward trend in overall protected users still doesn’t diminish the danger posed by these malicious applications. It is likely that we will see an uptick in affected users into the future, as we’ve observed a fair few new additions to the spyware family.

Global Avast users protected from mobile spyware in Q4/2022

Jakub Vávra, Malware Analyst

Acknowledgements / Credits

Malware researchers

Adolf Středa
Alexej Savčin
David Álvarez
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Martin Chlumecký 
Michal Salát
Ondřej Mokoš
Vladimír Žalud

Data analysts

Pavol Plaskoň

Communications

Grace Macej
Marina Ziegler

The post Avast Q4/2022 Threat Report appeared first on Avast Threat Labs.

Dota 2 Under Attack: How a V8 Bug Was Exploited in the Game

8 February 2023 at 09:55

When we think about V8 exploits, the first things that come to mind are probably related to sophisticated browser zero-day exploit chains. While the browser may be the most interesting target for V8 exploits, we shouldn’t forget that this open-source JavaScript engine is also embedded into countless projects other than the browser. And where a JavaScript engine is used across a security boundary to execute potentially untrusted code, security issues may arise.

One such issue affected the massively popular Dota 2 video game. Dota used an outdated build of v8.dll that was compiled in December 2018. It’s no surprise that this build was vulnerable to a range of CVEs, many of them even being known exploited vulnerabilities with public proof-of-concept (PoC) exploits. We discovered that one of these vulnerabilities, CVE-2021-38003, was exploited in the wild in four custom game modes published within the game. Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players.

We disclosed our findings to the developer of Dota 2, Valve. In response, Valve pushed an update for Dota on January 12, upgrading the old and vulnerable version of V8. This update took effect immediately, since Dota has to be up to date for players to participate in online games. Valve also took additional action, by taking down the offending custom game modes, notifying the affected players, and introducing new mitigations to reduce the game’s attack surface.

Dota changelog for the January 12 update.

Background

Dota 2 is a MOBA game that was initially released on July 9, 2013. Despite being almost 10 years old (or perhaps 20 if counting the original Dota 1), it is still attracting a large player base of around 15 million active monthly players. Like other popular games, Dota is a complex piece of software under the hood, assembled from multiple separate components. One component that will be of particular interest to us is the Panorama framework. This is a framework designed by Valve itself to enable user interface development using the well-known web triad of HTML, CSS, and JavaScript. The JavaScript part here was problematic because it got executed by the vulnerable version of V8. Thus, malicious JavaScript could exploit a V8 vulnerability and gain control over the victim’s machine. This wouldn’t be such an issue for the unmodified game, because by default, only legitimate Valve-authored scripts should get executed. However, Dota is very open to customization by the player community, which opens the doors for threat actors to attempt to sneak malicious pieces of JavaScript to their unsuspecting victims.

Customization of Dota can take many forms: There are custom wearable in-game items, announcer packs, loading screens, chat emoticons, and more. Crucially, there are also custom community-developed game modes. These are essentially brand-new games that leverage Dota’s powerful game engine to allow anyone with a bit of programming experience to implement their ideas for a game. Custom game modes play an important role in Dota, and Valve is well aware of the benefits of letting players express their creativity by developing custom game modes. After all, Dota itself started out as a game mode for Warcraft III: The Frozen Throne. This might be why game modes can be installed with a single click from within the game. As a result, there are thousands of game modes available, some of which are extremely popular. For instance, DOTA AUTO CHESS was played by over 10 million players.

Before a game mode can be played by regular players, it must be published on the Steam store. The publishing process includes a verification performed by Valve. While this could potentially weed out some malicious game modes, no verification process is perfect. As we’ll show later, at least four malicious game modes managed to slip through. We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published. There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification.

The main game logic of custom game modes is coded in Lua. This is executed on the game server, which can either be the host player’s machine or a dedicated server owned by Valve. For client-side scripting, there is JavaScript from the Panorama framework. This is mainly used to control user interface elements, such as scoreboards or quest status bars. JavaScript is executed by the V8 engine, and there’s full support for many advanced features, including WebAssembly execution. In addition, there’s also a Dota-specific API that exposes additional functionality. Particularly interesting was the $.AsyncWebRequest function, which, in combination with eval, could have been used to backdoor a game mode so that it could execute arbitrary additional JavaScript code downloaded from the internet. Perhaps it was this concern that caused the $.AsyncWebRequest function to be deprecated and eventually removed altogether. However, there are ways around this. For instance, the web request can be made by the server-side Lua code, with the response passed to the client-side JavaScript using game event messaging APIs.

Just Testing

We discovered four malicious custom game modes published on the Steam store, all developed by the same author. The first game mode (id 1556548695) is particularly interesting, as it appears that it is where the attacker only tested the exploit, judging from the lack of an actual payload attached to it. Interestingly enough, the attacker also used this game mode to test various other techniques, leaving in commented-out code or unused functions. This offered us a great opportunity to understand the attacker’s thought process.

The Steam page of the custom game mode where the attacker tested the exploit.

As can be seen in the above screenshot, the attacker was very transparent about the nature of this game mode, naming it test addon plz ignore and even going as far as using the description to urge other players not to download this game mode. While this might seem like an expression of good faith, we’ll show shortly that in the other three malicious game modes, the same attacker took the exact opposite approach and tried to make the malicious code as stealthy as possible. 

The JavaScript exploit in this custom game mode can be found inside overthrow_scoreboard.vjs_c. This used to be a legitimate JavaScript file implementing scoreboard functionality, but the attacker replaced its content with an exploit for CVE-2021-38003. This vulnerability was originally discovered as a zero-day by Google researchers Clément Lecigne and Samuel Groß, when it was used in the wild in an exploit chain against a fully-patched Samsung phone. 

There are now public PoCs and write-ups for this CVE. However, these weren’t available in March 2022, when the attacker last updated the game mode. This means they had to develop a large portion of the exploit themselves (even if there was a public PoC at that time, the attacker would still need to possess some technical skills to backport it to the outdated V8 build that Dota was using). Even so, the core of the exploit was provided in the Chromium bug tracker entry for the CVE. There is a snippet of code that can trigger the vulnerability to leak the purportedly inaccessible TheHole object and then use this leaked object to corrupt the size of a map. The attacker took this snippet and pasted it into their exploit, building up the rest of the exploit on top of this corrupted map.

The core of the exploit that triggers CVE-2021-38003 to leak TheHole object. Note the yay! at the end — that’s simply an expression of joy and it’s in no way necessary for the exploit to work.

Interestingly, the exploit contains a large amount of commented-out code and debug prints. This further suggests that the attacker had to put a lot of effort into weaponizing the vulnerability. The attacker-developed part of the exploit starts by using the corrupted map to corrupt the length of an array, achieving a relative read/write primitive. Then, it corrupts an ArrayBuffer backing store pointer in order to gain an arbitrary read/write primitive. There is no addrof function, as addresses are leaked by placing the target object at a known offset from the corrupted array and then using the relative read primitive. Finally, with the arbitrary read/write in place, the exploit uses a well-known WebAssembly trick to execute custom shellcode. We have tested the whole exploit locally against Dota and can confirm that it worked. 

A JavaScript snippet taken from the exploit. Note the debug prints, comments, and commented-out code.

Apart from this JavaScript exploit, the custom game mode also contains another interesting file, which is ominously named evil.lua. This is where the attacker tested the capabilities of the server-side Lua execution. See the Lua snippet below where the attacker tested the following in particular:

  • Logging
  • Dynamic compilation of additional Lua code (loadstring)
  • Determining the exact version of the Lua interpreter
  • Executing arbitrary system commands (whoami)
  • Coroutine creation
  • Network connectivity (HTTP GET requests)
A Lua snippet taken from evil.lua.

Unfortunately, we do not have access to the full update history of this particular game mode. Therefore, it’s possible that some interesting code from previous versions is no longer present in the version that we analyzed. We can at least see from the changelog that there were nine updates to this game mode, all of them happening either in November 2018 or March 2022. Since the exploited JavaScript vulnerability was only discovered in 2021, we assume that the game mode initially started out as a legitimate game and that the malicious functionality was only added in the March 2022 updates.

The Backdoor

After discovering this first malicious game mode, we were of course wondering whether there are more such exploits out there. Since the attacker did not bother reporting the vulnerability to Valve, we found it likely that they would have malicious intentions and attempt to exploit it at a larger scale. As a result, we developed a script that downloaded all the JavaScript files from all the custom game modes published on the Steam store. This yielded us gigabytes of JavaScript that we could query for suspicious code patterns. 

It didn’t take long to discover three more malicious game modes, all by the same author (who also happened to be the author of the previously analyzed test addon plz ignore game mode). These game modes were named Overdog no annoying heroes (id 2776998052), Custom Hero Brawl (id 2780728794), and Overthrow RTZ Edition X10 XP (id 2780559339). Interestingly, the same author also published a fifth game mode named Brawl in Petah Tiqwa (id 1590547173), which did not include any malicious code (to our great surprise).

The Steam page of one of the backdoored custom game modes.

The malicious code in these new three game modes is much more subtle. There is no file named evil.lua nor any JavaScript exploit directly visible in the source code. Instead, there’s just a simple backdoor consisting of only about twenty lines of code. This backdoor can execute arbitrary JavaScript downloaded via HTTP, giving the attacker not only the ability to hide the exploit code, but also the ability to update it at their discretion without having to update the entire custom game mode (and going through the risky game mode verification process).

The backdoor starts with the JavaScript code sending a custom ClientReady event to the server. This is to signal to the server that there is a new victim game client, waiting to receive the JavaScript payload. The Lua code on the server registered a listener for the ClientReady event. When it receives this event, it makes an HTTP GET request to its C&C server to fetch the JavaScript payload. This payload is expected in the response body, and it’s forwarded to the client-side JavaScript in a custom event named test.

The Lua part of the backdoor, which is executed on the game server.

When the client-side JavaScript receives this test event, it unwraps the payload, dynamically creates a new function out of it, and immediately executes it. On a high level, this is clearly just a simple downloader capable of executing arbitrary JavaScript downloaded from the C&C server. The cooperation of client-side JavaScript and server-side Lua code was only necessary because JavaScript was no longer allowed to directly access the internet.

The JavaScript part of the backdoor, which is executed on the game clients.

At the time that we discovered this backdoor, the C&C server was no longer responding. Even so, we can confidently assume that this backdoor was intended to download the JavaScript exploit for CVE-2021-38003. This is because all three backdoored game modes were updated by the same author within 10 days after said author introduced the JavaScript exploit into their first malicious game mode. However, we remain unsure about whether there was any malicious shellcode attached to the exploit. After all, the use of ngrok for C&C is slightly unconventional and could suggest that the attacker only tested the backdoor functionality. One way or another, we can say that this attack was not very large in scale. According to Valve, under 200 players were affected.

Parting Thoughts

After discovering the four malicious game modes, we tried to hunt for more — unfortunately, our trail went cold. Therefore, it’s not clear what the attacker’s ultimate intentions were. However, we believe that they were not exactly pure research intentions, for two main reasons. First, the attacker did not report the vulnerability to Valve (which would generally be considered a nice thing to do). Second, the attacker tried to hide the exploit in a stealthy backdoor. Regardless, it’s also possible that the attacker didn’t have purely malicious intentions either, since such an attacker could arguably abuse this vulnerability with a much larger impact.

For example, a malicious attacker could attempt to take over a popular custom game mode. Many game modes are neglected by their original developers, so the attacker could try something as simple as promising to fix bugs and continue development for free. After some number of legitimate updates, the attacker could try to sneak in the JavaScript backdoor. Since game modes are updated automatically in the background, the unsuspecting victim players would not have a lot of opportunities to defend themselves.

Alternatively, the attacker could search for other ways to exploit the vulnerability without involving any custom game modes. For instance, the attacker could try to look for a separate XSS vulnerability to chain with the V8 exploit. Such an XSS vulnerability could allow the attacker to execute arbitrary JavaScript within the remote victim’s Panorama instance. The V8 exploit could then be used to break out of the Panorama framework. Note that Panorama is also heavily used in the game’s main menu, so depending on the nature of the XSS vulnerability, this could have a blast radius as big as the 15 million monthly players.

Before we sign off, we would like to thank Valve for quickly addressing our reports. We hope that they will continue updating V8 in the future and reduce the patch gap as much as possible. Valve also shared with us some plans about additional mitigations, and we will be most excited to see those implemented in practice. Due to the potential impact, we would also recommend very careful vetting of future updates for popular custom games.

We can also appreciate that Valve made the decision to publish custom game modes on Steam even though it might put more responsibility on their shoulders. Ultimately, this is a net positive for the overall players’ security, due to the fact that Valve can moderate the published game modes and take down malicious ones. Many other games don’t have such integrated support for custom games, so players resort to downloading mods from random third-party sites, which are often known to bundle malware.

Indicators of Compromise (IoCs)

SHA-256Name
cca585b896017bd87038fd34a7f50a1e0f64b6d6767bcde66ea3f98d6dd4bfd0overthrow_scoreboard.vjs_c
4fad709e74345c39a85ce5a2c7f3b71d755240d27dd46688fa3993298056cf39evil.lua
3c00f15d233a3dd851d68ecb8c7de38b1abf59787643a2159c9d6a7454f9c3b7overthrow_scoreboard.vjs_c
880a0722a5f47d950170c5f66550e1cdef60e4e84c0ce1014e2d6d7ad1b15c14addon_game_mode.lua
85635bd92cc59354f48f8c39c6db7a5f93cabfb543e0bcc3ec9e600f228f2569overthrow_scoreboard.vjs_c
44c79f185576e1ec7d0d7909eb7d4815cbf8348f37f62c0debd0d5056fb1100baddon_game_mode.lua
4d3c6986b924108911709b95cb4c379720c323e6f7b3a069b866b76e0e3ec6b5overthrow_scoreboard.vjs_c
4bb1d6dcb1e12c3e5997b8dc7fa3db45d44bade39cfcceab56f90134ca2d09f3addon_game_mode.lua

The post Dota 2 Under Attack: How a V8 Bug Was Exploited in the Game appeared first on Avast Threat Labs.

Decrypted: BianLian Ransomware

16 January 2023 at 08:00

The team at Avast has developed a decryptor for the BianLian ransomware and released it for public download. The BianLian ransomware emerged in August 2022, performing targeted attacks in various industries, such as the media and entertainment, manufacturing and healthcare sectors, and raised the threat bar by encrypting files at high speeds.

Skip to how to use the BianLian ransomware decryptor

Static analysis of BianLian ransomware 

BianLian is a ransomware strain written in Go language and compiled as a 64-bit Windows executable. Due to the nature of the Go language, there are many strings directly visible in the binary, including details about the directory structure of the author’s PC: 

There are references to asymmetric cryptography libraries in the sample (RSA and elliptic curves), but the ransomware doesn’t do any of it. File data is encrypted with AES-256 in CBC mode. The length of the encrypted data is aligned to 16 bytes, as required by the AES CBC cipher. 

BianLian ransomware behavior 

Upon its execution, BianLian searches all available disk drives (from A: to Z:). For all found drives, it searches all files and encrypts all whose file extension matches one of the 1013 extensions hardcoded in the ransomware binary. 

Interestingly enough, the ransomware doesn’t encrypt the file from the start nor does it encrypt a file to the end. Instead, there is a fixed file offset hardcoded in the binary from which the encryption proceeds. The offset differs per sample, but none of the known samples encrypts data from the start of the file. 

After data encryption, the ransomware appends the .bianlian extension and drops a ransom note called Look at this instruction.txt into each folder on the PC (see Figure 1).

Figure 1: Screenshot of the ransom note

When the encryption is complete, the ransomware deletes itself by executing the following command: 

cmd /c del <sample_exe_name> 

Parameters of the decryptor 

The decryptor can only restore files encrypted by a known variant of the BianLian ransomware. For new victims, it may be necessary to find the ransomware binary on the hard drive; however, because the ransomware deletes itself after encryption, it may be difficult to do so. According to Avast telemetry, common names of the BianLian ransomware file on the victim’s PC include: 

  • C:\Windows\TEMP\mativ.exe 
  • C:\Windows\Temp\Areg.exe 
  • C:\Users\%username%\Pictures\windows.exe 
  • anabolic.exe

When searching for the ransomware binary, we recommend looking for an EXE file in a folder which doesn’t typically contain executables, such as %temp%, Documents or Pictures. It is also recommendable to check the virus vault of your antivirus. The typical size of the BianLian ransomware executable is around 2 MB.  

Should you find a sample of the BianLian ransomware, you can inform us at [email protected]. We are actively looking for new samples and update the decryptor accordingly. 

How to use the Avast decryption tool to decrypt files encrypted by the ransomware 

Follow these steps to decrypt your files: 

1) Download the free decryptor

2) Run the executable file. It starts as a wizard, leading you through the configuration of the decryption process.

3) On the initial page, we have a link to the license information. Click the Next button, when you are ready to start.

4) On the next page, select the list of locations you want to be searched and decrypted. By default, it contains a list of all local drives:

5) On the third page, you need to provide a file in its original form and encrypted by the BianLian ransomware. Enter both names of the files. You can also drag & drop a file from Windows Explorer to the wizard page.

6) If you have an encryption password created by a previous run of the decryptor, you can select I know the password for decrypting files option:

7) The next page is where the password cracking process takes place. Click Start when you are ready to start the process. The password cracking process tries all known BianLian passwords to determine the right one.

8) Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking Next

9) On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking Decrypt the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files. 

For questions or comments about the Avast decryptor, email [email protected].

IOCs: 

SHA256
1fd07b8d1728e416f897bef4f1471126f9b18ef108eb952f4b75050da22e8e43
3a2f6e614ff030804aa18cb03fcc3bc357f6226786efb4a734cbe2a3a1984b6f
46d340eaf6b78207e24b6011422f1a5b4a566e493d72365c6a1cace11c36b28b
3be5aab4031263529fe019d4db19c0c6d3eb448e0250e0cb5a7ab2324eb2224d
a201e2d6851386b10e20fbd6464e861dea75a802451954ebe66502c2301ea0ed
ae61d655793f94da0c082ce2a60f024373adf55380f78173956c5174edb43d49
eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2

The post Decrypted: BianLian Ransomware appeared first on Avast Threat Labs.

DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work

11 January 2023 at 15:52

A few months ago, we published a blog post about a pro-Russian hacker group called NoName057(16). The group carried out DDoS attacks using a botnet consisting of devices infected with malware called Bobik. NoName057(16)’s success rate using the Bobik botnet to attack selected targets was around 40%. However, the success rate rapidly dropped when the botnet was taken down – as was reported in the group’s Telegram channel early September. 

When we analyzed the Bobik malware in the summer, we discovered another Command and Control (“C&C”) server, outside of the Bobik botnet, used for DDoSing. The server’s configuration included similar DDoS targets to the Bobik botnet’s target list. The newer C&C server commanded clients written in Python, and we detected a command on August 1, 2022. Later, on September 15, 2022, NoName057(16) announced the launch of the DDosia project, which matched the sample we found before their announcement on Telegram. The group entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies.  

On December 5, 2022 the original DDosia C&C server we discovered was taken down. The group, however, continues to post about their attacks, and promote the project, indicating a new C&C server was set up. 

By launching the DDosia project, NoName057(16) tried to create a new parallel botnet to facilitate DDoS attacks. The group publicly announced the DDosia project, while the Bobik botnet deployment was secretive. The NoName(057)16 attracts project members by offering cash rewards to members carrying out the most successful DDoS attacks. After the takedown of the Bobik botnet, we monitored the newly created DDosia botnet through the aforementioned C&C server. 

The DDosia client consisted of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semi-closed Telegram group, unlike the Bobik malware which was deployed on victims’ devices without their knowledge. The success rate of the original DDosia project we tracked was lower than the Bobik botnet, but has the potential to be a nuisance when targeted correctly.

Project Philosophy 

Maintaining a botnet consisting of involuntary clients is expensive. The evidence from our previous research showed that NoName057(16) did not own a botnet which they could use as a distribution channel. The group instead used the Bobik botnet, which was, in fact, a sub-botnet of the RedLine Stealer bot that was rented as a botnet-as-a-service. Clearly, the group had the financial resources to afford renting out the botnet, and now to pay best performers of the DDosia project. 

The DDosia project consists of a closed community of volunteers, so-called “heroes”. Project members register using a Telegram bot. After registering, the bot sends a download URL with DDosia executables and a text file with a unique ID identifying the registered user. 

DDosia project members have the option to register a crypto-wallet using their ID number. If a member carries out a sufficiently high number of attacks, they can be awarded up to 80,000 Russian rubles in cryptocurrencies such as Ethereum, BitCoin, and Tether. Members can also check information about their overall statistics in the DDosia Telegram channel. 

In short, NoName057(16) is building a closed community of users who make their computing time available for DDoS attacks. There are approximately 1,000 “heroes”, according to the project’s closed Telegram channel. 

Technical Details 

To become a DDosia member you have to go through a registration process facilitated by the @DDosiabot in the dedicated DDosia project Telegram channel. After registering, members receive a DDosia.zip archive, which includes an executable. NoName057(16) strongly recommends using a VPN client, connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets.

The structure of the ZIP archive is as follows:

DDosia.zip

  • Linux and macOS folder
    • The Linux and macOS folders contain a Python script with the DDosia application – Dosia.py. The script uses simple obfuscation – the source code is stored as a text file with escaped hex digits corresponding to ASCII characters of the Python script.
  • Windows 
    • The Windows folder includes one Dosia.exe file which is the DDosia Python script packaged as a PyInstaller executable – nothing less, nothing more. 
  • Each folder of the ZIP archive also contains client_id.txt storing a unique ID of the registered user. 

DDosia Application 

The workflow of the DDosia application is straightforward and does not contain any interesting techniques or methods. So, we just summarized the basic aspects of its implementation. 

At the beginning, DDosia reads the client_id.txt file storing the ClientId of the registered user. The first C&C communication sends a list of DDoS targets managed by NoName057(16). DDosia creates worker threads which are used to perform DDoS attacks. The number of threads corresponds to five times the number of logical cores. Similarly, to Bobiks’ attacks, DDoS attacks can be conducted using HTTP, but also on a lower layer via the TCP protocol; the HttpTarget and TcpTarget classes are designed for these attacks. 

Statistical information of each DDosia bot is sent back to the C&C server every minute. The information is identified by the ClientId, and the data contains a list of attacked domains and the number of successful and attempted attacks. A successful attack means that DDosia sends a request to the defined server and receives a response from the server. The communication with the C&C server is unencrypted and unauthenticated, so anyone can easily fake the statistical data and thus win the payout of the day. 

C&C Server 

We found one DDosia C&C located in Russia ⎼ 109.107.181.130. Our Nmap scan discovered three open ports with the following services: 

4200/tcp 

This port was controlled by the Nginx 1.23.1 web server. There was a web page with the title DosiaBotFront; its design is illustrated in Figure 1. It was the administrator console for the configuration of DDosia bots.

Figure 1. Admin interface of Dosia C&C server 
5001/tcp 

The next open port was 5001, classified as the commplex-link. A few other scans identified an HTTP service on this port.
The Nmap scan detected that the C&C communication is unencrypted on the HTTPS layer. 

Other ports 

The new results uncovered one thousand opened ports when we repeated the port scan. The attackers want to make the port scan more difficult and time-consuming. 

C&C Server Discussion 

The main DDosia C&C server (109.107.181.130) was taken down on December 5, 2022, at 9 AM UTC. However, the group continues to actively post on their Telegram channel, so the group must have another botnet. 

C&C Communication 

The DDosia application has two hard-coded URLs that are used to download and upload data to the C&C server. The first one is used to download a list of domains (targets) that will be attacked, the second one is used for statistical reporting. 

  • Get targets: hxxp://109.107.181[.]130:5001/client/get_targets 
  • Send statistical information: hxxp://109.107.181[.]130:5001/set_attack_count 

The list of targets is sent as an uncompressed and unencrypted JSON file. There are two items: targets and randoms. The former contains approximately 20 properties that define DDoS targets; each target is described via several attributes: id, type, method, host, path, body, and more. The latter describes how random strings will look via fields such as: digit, upper, lower, and min/max integer values; see Figure 2

DDosia generates random values at runtime for each attack. The reason is straightforward; the attackers want to randomize HTTP requests and make each HTTP request unique for a better success rate. The randoms replace placeholders in the path or body of the target definition, and their positions are located using this definition $_{number}, as Figure 2 demonstrates. 

Figure 2. JSON file download from C&C server

Detections 

The DDosia project is not classified as common malware, as people execute the application voluntarily. Nevertheless, we actively detect the DDosia application, but the number of hits approaches zero in the limit. 

Our telemetry shows only a handful of detections related to DDosia. However, we registered many exceptions that our users added to their Avast Antivirus. The most notable exceptions are from Russia, namely St. Petersburg, Moscow, Seversk, Tyumen, Pudomyagi, and Rostov-on-Don. Other countries we observed using adding the project to their exceptions are Canada (Toronto), and Germany (Berlin). 

Performance 

One DDosia “hero” can generate approximately 1,800 requests per minute using four cores and 20 threads. Naturally, the speed of request generation depends on the attacker’s internet connection quality. The project currently has approximately 1,000 members. Let’s assume at least half of the users are active, then the total count of requests to defined targets can be up to 900,000 req/min. This can be enough to take down web services that do not expect heavier network traffic. 

Dosia Targets 

The targets of the DDosia project are very similar to Bobik’s targets. The group focuses on private as well as public sectors such as courts, banks, education, public media, government, and transport services (airport, railway). For example, the District Court in Słupsk (PL), West Kredit (LV), Cherkasy National University (UA), Maaleht (EE), or Central Finance and Contracts Agency (LV) were targets. 

Another aspect of DDosia’s targets is the distribution of attacked countries. Although NoName057(16) was founded to support the “special military operation” in Ukraine, the most attacked domains are from Poland, Latvia, Lithuania, followed by Ukraine. 

Dosia Success Rate 

We have been monitoring the DDosia project configurations since August 1, 2022 up until the original server was taken down on December 5, 2022. More than 2,200 DDoS targets were captured within four observed months. The NoName057(16) Telegram channel boasted about 390 successful attacks, so the success rate was approx. 17% with approximately 1,000 DDosia “heroes”. 

The green line of Figure 3 illustrates a trend of successful attacks in the observed period. However, it should be noted that the higher rate of successful attacks is affected by the activity of the Bobik’s botnet, which performed DDoS attacks in parallel. Therefore, the real success rate of DDosia should be counted from approximately September 7, 2022, when the Bobik botnet was taken down. So, if we consider the take-down of the Bobik botnet, the DDosia statistics are 1,400 DDoS targets and 190 successful attacks. Therefore, the current success rate of the DDosia project is approximately 13%. 

The graph also shows a peak on September 2, 2022. NoName057(16) vehemently tried to attack Ukrainian schools and educational institutions at the beginning of the new school year. Similarly, the same targets we observed on the former Bobik server. The institutes under attack were, for instance, the School of Athens, Ukrainian Medical Journal, School Management and Learning Systems, First Cambridge Education Center, and Libera School. Fortunately, none of the targets were taken down on September 2, 2022, although there were disproportionate numbers of configuration changes and attacked domains. 

Figure 3. DDosia botnet statistic

In November the success rate started to increase significantly. There is also a correlation between the number of attacked domains and the number of successful attacks. The attacked domains (blue line) and successful attacks (green line) trends are approaching each other, which can announce upward trends. 

A possible explanation for this upward trend is that the selected targets for the attacks are more homogenous than in the previous periods where the group attacked various targets. In comparison, a list of November’s selected targets included targets mostly within one primary domain. Therefore, if an attack on any subdomain of the main domain was successful, the probability that most subdomains will also be taken down is high because they use a similar platform, security, and network. The group boasted about their “successful” attacks on their Telegram channel. The strategy is a logical step to increase the NoName057(16)’s prestige. Right after the Bobik server went offline on September 5, 2022 the group mostly just posted bizarre pictures of bears and cartoons, rather than boasting about successful attacks. 

DDosia Attacks on Poland’s Government 

The attack on the Polish government domain is a prime example of the new selection strategy. The attackers focused on most subdomains of the .gov.pl domain since November 5, 2022; see the list of selected subdomains: 

  • sanok.sr.gov.pl 
  • belchatow.sr.gov.pl 
  • siemianowice.sr.gov.pl
  • aleksandrowkuj.sr.gov.pl 
  • trzcianka.sr.gov.pl 
  • gdansk-poludnie.sr.gov.pl 
  • zywiec.sr.gov.pl 
  • prudnik.sr.gov.pl 
  • katowice-wschod.sr.gov.pl 
  • brodnica.ug.gov.pl 
  • radom.ap.gov.pl 
  • opolska.policja.gov.pl 
  • aplikacja.ceidg.gov.pl 
  • powietrze.gios.gov.pl 
  • exp.lobi.nencki.gov.pl 
  • cpsdialog.gov.pl 
  • puesc.gov.pl 
  • nawa.gov.pl 
  • kssip.gov.pl 
  • ezamowienia.gov.pl 

Most sr.gov.pl web servers run on the same platform (Nginx v1.16.1). If the attackers pick up subdomains running on the same platform, they have a high chance of taking down the selected servers. More importantly, most subdomains (web pages) only have informational characters and do not provide any online services critical to the government. So, these attacks have no value from a cyber attack perspective, except for propaganda on the group’s Telegram channel. 

Another essential point is the attack on the Central Register and Information on Economic Activity (aplikacja.ceidg.gov.pl). The website expects a higher page load because there are electronic services for entrepreneurs. Therefore, the website was more resilient to DDosia attacks. 

An example of an attack without any value is the attack on Poland’s municipality Gmina Brodnica. Their website does not include anti-Russian and Russophobic content; however, it was also under attack despite the NoName057(16) declaration to attack sites with anti-Russian and Russophobic content; see the Telegram post below. Therefore, it is evident that NoName057(16) is not after operational impact in the war in Ukraine but rather uses the conflict as an opportunity to establish itself in the community. 

DDosia Configurations 

Our telemetry has been recording the DDosia configurations from August 1, 2022 – December 5, 2022. Firstly, Figure 3 above illustrates that the configurations are changed four times per day on average; see the red line. Secondly, the average number of attacked domains per day is seventeen. 

Rewards 

NoName057(16) promises a cryptocurrency reward for the most productive members. Suppose the participants link their crypto-wallet during the registration; NoName057(16) posted a few messages announcing the most active members, as shown in the posts below. 

The prize for the winners is in the order of thousands of rubles (hundreds of dollars). We cannot verify whether the crypto money was really sent to the said clients and thereby verify that the group has enough financial resources at their disposal. 

Individual participants send statistics about their progress and achievements periodically to the C&C server; however, in plain text without any protection. A body of statistical information is a simple JSON file with ClientId and IDs of attacked servers. Therefore, anyone can counterfeit their own statistics because each client can obtain their ClientId from client_id.txt. A simple Python script below can fake the statistics, and anyone can be the most active client on any given day. The script also contains a list of the targets’ IDs that can be downloaded from the C&C server in plain text. 

Conclusion 

Based on the aim of our previous study, which was monitoring the activity of the NoName057(16) group, we have captured another method used for DDoSing against Ukraine and the countries surrounding it and siding with Ukraine. 

NoName057(16) has changed their philosophy and built a new botnet using a publicly available tool compared to the Bobik malware that was used previously. The tool is a simple Python script called DDosia. The depth analysis confirms that DDosia is only a tool for DDoSing and does not contain any backdoor functionality. 

The success rate of the DDosia attacks is ~ 13% percent of all of their attack attempts. DDosia is available via a closed community on Telegram, and the number of members is approximately 1,000. If the community is on the rise, we expect the success rate to be higher. Therefore, the successful attack depends on the motivation that NoName057(16) provides to volunteers. At this moment, 1,000 registered heroes may actually mean 500 active instances of DDosia, so servers that expect a high network activity load are more resilient to attacks. 

The targets selected for DDoS attacks are the same as in our previous study. In short, NoName057(16) focuses on companies and organizations that support Ukraine or are “anti-Russian”. At the beginning of November, the target selection was shifted and oriented on subdomains of previously successfully attacked domains, which increased the success rate. 

The new aspect of DDoS attacks is the possibility of being rewarded. The group collects statistical information about performed attacks and successful attempts. Subsequently, the best “heroes” are paid out in cryptocurrencies. However, the statistics can be easily manipulated. 

The NoName057(16) has introduced the DDosia project so they can carry out more DDoS attacks when the previous botnet has been taken down. The power of the attacks is much less than with the previous Bobik botnet. Consequently, time will tell how successful DDosia will be. 

Their DDoS attacks are basically unsophisticated, do not have large impacts, and do not aim to cause significant damage. They want to draw attention to themselves in the media, similar to the Killnet group. Nonetheless, NoName057(16) activities are still more of a nuisance than dangerous. 

References 

The post DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work appeared first on Avast Threat Labs.

NeedleDropper

11 January 2023 at 09:07

Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code. The malware tries to hide itself by dropping many unused, invalid files and stores important data between several MB of unimportant data, and also utilizes legitimate applications to perform its execution. NeedleDropper seems to be a new malware strain using the -as-a-service business model, and is sold on hacking forums to threat actors in order to hide the final payload. Thus far, we have blocked more than 30,000 attack attempts on Avast and AVG customers.

Analysis

NeedleDropper is a self-extracting archive that contains a modified AutoIt interpreter, obfuscated AutoIt script, and Visual Basic script, which is used for initial execution. All of this is bundled together with a couple of other files, some of which are used by the malware for its execution (this will be described later). All files are extracted inside a newly created directory inside the current user’s temporary directory. Newly created directory names usually follow the same pattern. The snippet below shows SFX commands (lines 4, 8, 12, 16) being hidden inside the unused text, invalid commands strings will be ignored and only the valid commands will be executed by a SFX archive.

A snippet of the NeedleDropper SFX script

Files

In this section, we’re going to describe key files inside the self-extracting archive, their purpose, and their content. All the files have unique randomly generated names and most of them also have a randomized extension.

Visual Basic Script

The initial VBS script contains multiple lines of comments attempting to hide inside the payload. We’ve seen samples with several MB of comments nested inside them. The script launches a modified AutoIt interpreter with an LXA file as an argument.

A snippet of an initial visual basic payload

Configuration File

The configuration file is an INI file which consists of several key-value pairs and many unused lines attempting to hide any configuration values. These values are frequently present inside S3tt!ng section.

A snippet of the NeedleDropper SFX script

Frequently used key-values pairs and their usage:

  • K3ysX – key for final payload decryption
  • Dir3ctory – working folder created inside “stpth” variable
  • AuEx – obfuscated AutoIt script
  • ExE_c – AutoIt interpreter
  • RP – encrypted payload
  • Delay – delay before the execution starts
  • Antis – enables anti-analysis techniques, such as searching for processes which could indicate VM/sandbox (VMwaretray.exe, VboxService.exe, VBoxTray.exe, ..)
  • StartUps – if not empty, malware will register NeedleDropper’s persistence under \SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key based on the current user’s privileges. The registry key that is used by malware is obtained from the Key inside the configuration file.

Payload

The payload file contains a one-lined reversed hexlified malicious payload. The whole string ends with …x0. Later versions of NeedleDropper move the payload from a separate file to the configuration between [Troj] and [FinTroj] sequence.

A snippet of a payload file content

AutoIt script

The whole execution is done via AutoIt script which is passed as an argument to the AutoIt interpreter when malware launches. Code is hidden inside a large number of unused text lines. Malware places comments (#ce in this case) before each important line to determine what line should be interpreted as a code.

AutoIt script performing execution (junk stripped)

Payload Execution

The malware uses CryptoAPI to decrypt the final payload. It takes the decryption key from the configuration file and calculates its MD5 hash, which is used as a key inside a CryptDecrypt function that decrypts the malicious payload. After this, NeedleDropper spawns RegSvcs.exe in a suspended state and injects the payload via WriteProcessMemory, and resumes the suspended process which leads to the successful execution of the malware.

Visualization of NeedleDropper’s execution flow

Infection Chain

NeedleDropper doesn’t have one significant infection method; they often vary by sample. So far, we’ve noticed the dropper is primarily delivered via spam email attachments. As an email attachment, the malware is usually sent as an encrypted 7z file, or is part of a bigger infection chain starting with an Excel document, for example. However, NeedleDropper samples are also often shared via Discord or via OneDrive links. Due to various infection methods and different payloads, this malware seems to be a service to cybercriminals to hide their payloads.

A snipped of a spam email

The email above contains an excel document that takes advantage of the CVE 2017_11882 vulnerability to drop the vbc.exe (NeedleDropper) file inside the C:\Users\Public directory. Vbc.exe is executed and drops its content into a temp directory. In this particular example,  NeedleDropper decrypts the FormBook payload, which is injected into RegSvcs process and executed.

Visualization of infection chain

Distribution

The below images show the distribution of users Avast protected from NeedleDropper globally.

Map of users Avast protected from NeedleDropper in Q4/2022
Graph of protected users

Conclusion

In this blog post, we described a new malware dropper which is often used by adversaries in their infection chain. Based on our current knowledge, we think that developers will modify the dropper in order to implement different methods which could avoid detection and stay attractive for others to use as a service. We predict NeedleDropper to start infecting more and more people in countries around the world with different, modernized payloads.

Indicators of Compromise

GitHub repository: Needle Dropper

File nameSHA256
NeedleDropper660eb5f2811753c24ecbd5c0e08c68d83d7eca1b2827ed90e2a5189ed61f3a5b
NeedleDropperf7e52f120ab257e0d8e5021077b3370876be16469b76b6e0b6916486b3977bb3
NeedleDropper06b02574925948a3f418ba2851f10585086a5f9b25d8f4e7de62dd52c6a56153
NeedleDroppere53e5e07b3165f507046c5992049a816bdd98969f10cc97a3d2bd010aea30b42
NeedleDropper1b26f3213c07819cd61ed5e10b009ae5862cade4a3a403dcc6f6310485f6306b
Configuration file1d3078201c04bebc6595a2cc874530f1c2a5ff7201db4c8e43660808563c5a63
Configuration filedd7acb0d5e05d581148b614816f5450690f3fcc8ba4b3f00b5db1f3684570053
Configuration file8713d873a8f4179a4079ea46a6ae45a538dc2f07cf7b09f28adc25eec45dc873
Spam email01534a0f3e104b7cbafeeeaac3a0f0bf9d01e017c8a63964d81d0a30baee2916

This article is based on research made by Jan Blažek during work on his bachelor’s thesis.

The post NeedleDropper appeared first on Avast Threat Labs.

Scripting Arbitrary VB6 Applications

4 January 2023 at 15:29

While doing malware analysis it is often required to interact with running code to discover how it operates. This can be done through techniques such as API hooking, debugging, system monitoring etc. Some tasks may even require the extraction, reconstitution, or reuse of malware code in order to perform a certain duty. This is common for code such as domain name generation and decryption routines.

Anytime there is an easy way to reuse existing functionality, my interest is piqued. The research presented in this post gives us another powerful mechanism of code reuse. The technique we will be detailing today is a method in which we can grant ourselves scripting access to any existing Visual Basic 6 (VB6) executable. This technique does not require any source code modifications.

Once implemented, we can access any loaded forms, embedded controls, and public members. This includes access to any class hierarchies held as form level public instances. With some additional work, any live class instance in the program could be accessed in a similar manner. Manually creating new instances of internal classes has also proven possible. 

Similar techniques have been explored in the past. What follows is my run at the problem set.

Background

All VB6 objects are COM Objects which support the IDispatch interface. This is a core feature of the language and allows for them to be trivially utilized by scripting engines. Since it is so easy, it is common for developers to internally add scripting support to their applications for automation purposes.

To develop a component that allows for external automation, Visual Basic 6 supports the ActiveX DLL and ActiveX Exe project types. If you have ever used a script which calls CreateObject(), you have already worked with ActiveX COM Objects. Support for COM is integrated deeply into the Windows operating system and entails many powerful features.

Knowing that all VB6 COM objects are inherently scriptable, can this functionality be enabled for random executables without source code access?

Probing the runtime

In the exploration of this question, I started examining the runtime to see how I might easily extract live object references and manually implement scriptable access.

The first place to look, with the largest impact, is the Forms object.

This object holds a reference to the loaded forms for each VB component. Once we have access to an individual form, we then would also have access to all of its embedded controls and public members. This would be a significant first step and where we begin our journey.

If we look at a native executable which uses the global Forms object we will see the following code generated:

This is easy enough to replicate and should give us a reference to the global Forms object on demand. (Note each VB component gets its own Global object. An ActiveX DLL can not access the main executables forms unless explicitly passed a reference)

Before we can test this theory, we first need a method to execute our own code inside the host VB6 process. DLL injection is the obvious answer, however it is not quite as straight forward as you might think.

There are two factors that must be considered when trying to run injection code in a VB6 process.

The first is runtime initialization. A certain number of internal steps must occur before you call any runtime functions. In our previous paper Binary Reuse of VB6 PCode Functions, this is what the call to CreateIExprSrvObj accomplished. We could inject into a fully loaded process, however that has some side effects which we will discuss later on. For our purposes we will require injection at process startup.

The second thing we must consider is that all VB6 executables use the single threaded apartment model (STA). To use runtime functions, we need to work within the main VB6 thread. Working from other threads will crash the process as the runtime tries to access Thread Local Storage (TLS) members it expects to exist. While people have devised ways to work in multiple threads with VB6, we will avoid it here.

Our initial criteria are:

  • must inject at process startup
  • can not call runtime functions until initialized
  • must only call runtime functions from main VB6 thread

The first experiment was to inject at startup and then place a hook on the user32.BeginPaint API. This hook is called from the main VB thread during form creation. At this point the runtime is fully initialized and ready for use. I created a quick mockup and gave it a shot.

Here we encounter our first road bump. Apparently vbaNew2 can not actually create an instance of this object and throws a Class not registered error. This is strange because we are literally using code lifted from the compiler itself. 

To validate this result I first confirmed my use of the vbaNew2 function with other known good data and then tested it while running from within the hook. Both worked.

I then took a closer look at the sample VB application and found a little surprise. In the disassembly above, we see it check to see if a cached object reference is already alive. If so, then creation is skipped.

The surprise is, even on its very first use in Form_Load, the object reference is already set. The vbaNew2 call is never used and merely a compiler artifact. In fact forcing the call to vbaNew2 leads to the same Class not registered error. 

The Forms object reference is being set before any user code executes. This indicates it must be a special case set by the runtime somewhere. A hardware breakpoint on the objRef_dataSect address quickly confirms this.

The VB runtime has an internal function named TipRegAppObject. This function will scan the VBHeader.ProjectInfo.ExternalTable looking for an entry of type 6 with a matching CLSID. If this is found, it will manually set the object instance address.

If the application developer never used the global Forms class, TipRegAppObject has nothing to do and no reference will be set.

We can not formally create the class we want, If the developer did not use it, then it will not be cached anywhere that is easy to grab. We could search for another way to try to find it, but we already have a universal spot where it is guaranteed to appear.

At this point I decided to hook an internal runtime function. Hooking a hardcoded offset has some downsides like locking us to a specific DLL version. For a research tool, this is an acceptable tradeoff. 

After some more analysis, I decided to hook one layer above TipRegAppObject at CVBApplication::Init(CVBApplication *this).

This gives us access to the full CVBApplication object. This includes access to more internal classes and a reference to the executable’s VBHeader structure.

Implementation

The initial injection routine now sets two hooks. One on CVBApplication::Init to grab a reference to internal runtime classes. The second on BeginPaint which allows us to trigger in the main VB thread once initialization is complete.

The next thing to consider is how to execute our final payload within the main VB6 thread. One technique is to simply load our own ActiveX DLL into the process passing a reference to the main components Forms object. This is basically forcing a plugin model into the application. This should work fine however it is not my first choice. 

My primary target is to gain some kind of remote scripting access. This is where the magic of the Running Object Table (ROT) comes into play. The ROT is how ActiveX exes register themselves as available for use with GetObject().

The COM object lives in one executable running as a server. External clients then connect and use it from another process.

While experimenting with manual ROT registration, I noticed that it worked for form objects, but would not allow access to internal classes.

Error: 0x62 - A property or method call cannot include a reference to a private object, either as an argument or as a return value

We know that the core implementation of the class fully supports scripting. This is not a problem when using an internal script engine or a plugin model. What difference is there between an ActiveX Exe class, and a standard executable class?

Comparing the two in a structure viewer, we find that the Object.ObjectType of ActiveX Exe classes have bit 0x800 set. If we patch this on disk, we now gain full access to all standard classes. The ObjectType can also be patched in memory, but it must be patched before the class is created to take effect. This is why we must inject at process creation. 

Our CVBApplication::Init hook is a perfect time to do this since we already have the reference to the VBHeader structure and no class instances have been created yet. Our complete CVBApplication_Init hook looks like the following:

The complete BeginPaint hook is below:

In this code we first disable our hook so it will not trigger again. We only needed an initial foothold in the main VB thread.

For continued access, we register a new System Menu item and subclass the main window. 

This allows us to manually trigger new features we might want in the future. With the window subclass in place, I also implemented a basic InterProcess Communications (IPC) server for programmatic access. These additions are not required but are useful for future exploration. 

Finally we register the main executable’s global Forms object in the ROT as remote.forms.

With this complete everything is now up and running!

A Windows Script Host (WSH) Javascript that interacts with our test application is shown below:

Even Python can be used:

Conclusion

In this post we have covered how to make any VB6 application remotely scriptable using built in features of the language and operating system.

While we did encounter several snags along the way, everything turned out to be manageable and resulted in a successful trial.

For a brief recap of events:

  • Target VB6 process is started with an injection DLL
  • New thread hooks  CVBApplication_Init and BeginPaint
  • CVBApplication_Init hook:
    • Stores a reference to internal VB objects during runtime initialization
    • Walks VBHeader.ProjectInfo.ObjectTable setting all classes public
  • BeginPaint hook:
    • Runs from main VB6 thread
    • Adds a system menu item and subclasses main window for IPC (optional)
    • Registers internal Forms object in the ROT 
  • IPC allows for bidirectional communications between injector and target process. 

Our first inroads are based on the forms collection for simplicity and depth of impact. This technique can be applied to any COM object instance. 

In addition to the forms collection, access to other internal objects can be intercepted with hooks on various runtime API such as vbaNew, vbaNew2, vbaFreeObj etc. 

Some thoughts on future innovations of this technique:

  • track new class instances and add them to an exposed VB Collection in ROT
  • injector keeps a visual manager of live objects (using IPC callbacks) 
  • injector implements its own script host for integration
  • Ability to stall host process while accessing transitory objects
  • artificially increment reference counts to keep instances alive. 
  • Trigger arbitrary class/form creation using IPC and vbaNew (already tested)

Full source code for this research is included in the following git repository. This includes an injector, DLL, test app, and demonstration scripts.

The code is being released as a proof of concept work. Adaptations may be required for specific targets. This research is just the beginning of what is possible with this technique.

The post Scripting Arbitrary VB6 Applications appeared first on Avast Threat Labs.

Hitching a ride with Mustang Panda

2 December 2022 at 04:00

Avast discovered a distribution point where a malware toolset is hosted, but also serves as temporary storage for the gigabytes of data being exfiltrated on a daily basis, including documents, recordings, and webmail dumps including scans of passports from Asian, American and European citizens and diplomats applying for Burmese visas, from Burmese human rights activists and Burmese government institutions.

We recently came across a peculiar sample – a stager we believe is being used by Mustang Panda. The stager led us to the group’s distribution point, where we found malicious toolsets. We have analyzed the malware and were able to see relations between various campaigns that have been described by other cybersecurity firms over the course of the last years. Based on publicly published research and our own investigations, we can say with high confidence that the modus operandi and the malicious toolset show a strong link to a group related to Mustang Panda, which has previously been reported as a Chinese APT group. The group has been known for gathering intelligence on Mongolia, and further Asian countries, and most recently was suspected of targeting European entities.

The distribution point, an FTP server, is also used as a transition point for exfiltrated victim data, before the data is moved to an unknown location. We continue to observe new data being uploaded and moved from the point, meaning the campaign is still active, and has been going on for some time. Gigabytes of data are moved around, and the amount of data indicates severe compromise of many high-profile targets in Myanmar. The data types include various office documents and PDFs, stolen browser profiles, webmail dumps and even sound recordings. Browsing profiles were also extracted which can provide access to other infrastructures, services, and private data of the victims. Most of the stolen data seems to be in Burmese making it challenging to analyze. The sensitive data is mainly being collected from devices used by the Myanmar government, state administration, police, army, significant public organizations, or companies, and includes data related to diplomatic meetings, court hearings, military information, contracts and more.

Disclaimer: We have only seen partial snapshots of the exfiltrated data as they are deleted shortly after being moved from the distribution point, so it should be noted that the information we have on victims may be inaccurate or incomplete. Most of the documents are in Burmese, therefore, a language barrier has also to be taken into account. Finally, due to the limited scope and the sheer volume of the data, some assumptions had to be made during the research process. We have reached out to local CERTs, informing them of our findings.

Victimology

Nearly all of the victims have close ties to Myanmar and it seems that both the Burmese government and opposition groups are being targeted. We have seen data originating from various departments of several Burmese ministries. Even the Office of the State Administrative Council has been targeted. The government breach is not isolated to Myanmar – we have also seen Myanmar embassies among targets, for example, the embassy in Serbia. The data also contained dumps of a mailbox used to communicate in 2016 and 2017, as well as in 2020 with visa applicants from all around the world. These messages contained scans of passports from citizens and diplomats from various countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA.

After such an extensive list of targets, it ought to be little surprise that Myanmar Police Force is also among the targets. Even some higher profile departments, such as the Office of the Information Police Chief or the Department of Special Investigation, seem to have been breached. Tatmadaw (Myanmar Armed Forces) is also not an exception – we have seen victims from the Bureau of Air Defense, Myanmar Army Engineering, and the United Wa State Army.

Political NGOs and the government’s opposition are also on the list of victims. It is possible that the list is even more extensive as we may not be able to find a straightforward association to said organizations as we would expect more common usage of personal computers or computers that are not centrally maintained by an IT department. We have seen data from devices belonging to the Karen National Union, Center for Diversity and National Harmony, National Reconciliation and Peace Centre, Ethnic Nationalities Affairs Center, and even the Union Civil Service Board.

Exfiltrated Data 

The most common file types being exfiltrated by the group are Microsoft Office documents (.docx, .xlsx, .pptx, etc.), PDF documents, and plain text files. Other file types exfiltrated include audiovisual data in various forms, including sound recordings (.mp3), and pictures (.jpg, .png, etc.) or drawings. Emails, including entire conversations are also exfiltrated.

It appears that the attackers are also looking for and collecting data from browser profiles from various web browsers, e.g. Chrome, Firefox, Opera, and more, a serious threat to victims’ privacy. The stolen browser profiles can provide access to other infrastructures, services, and the victims’ private data of the victims. The attackers are extracting information about browsing history, stored credentials (personal and work), credit cards, used tokens, and valid cookie sessions. Consequently, poorly secured services, such as services without two-factor authentication or without a safe cookie policy, can be easily abused by attackers. Attackers can steal the identity of victims and can use their email, Facebook, Telegram, or other accounts to collect additional information about the victim and their family, friends, and activities.

Highly sensitive data is being collected from victims’ computers, and, in most cases, these are computers used by the Myanmar government, state administration, police, army, significant public organizations, or companies. This in some cases included sensitive data and information belonging to international citizens and diplomats who have interacted with targeted departments.

The documents, and audiovisual data being exfiltrated by the group is massive. The files include everything from:

  • Email dumps including visa applications and scans of passports belonging to citizens and diplomats from various countries, such as China, Australia, Czech Republic, France, Israel, Netherlands, UK, and USA
  • A seating plan for the meeting between former US Ambassador to the United Nations Bill Richardson and Myanmar’s leader, Senior Gen. Min Aung Hlaing 
  • Myanmar’s constitution with proposed changes
  • Invitations for diplomatic meetings, meeting programs, calls, and talking points
  • Reports, maps, and screenshots from the Signal messaging app related to the UWSA (United Wa State Army)
  • Data from the Office of the Chief of Myanmar Air Defense Force, including meeting minutes, full staff/rank lists, photo IDs (some with fingerprints), salaries, personal details of employees’ families
  • Peace treaty documents
  • Interrogation reports
  • Contracts
  • Court hearings
  • Town plans
  • Contact information for police officers, including their names, addresses, telephone numbers, and salaries
  • Transcripts of meetings around politics, and elections
  • Meeting minutes and audio recordings of meetings between Myanmar senior officials (Prime minister, Chairman of State Administrative Council) and the President of Tatarstan
  • Military buildings drawings, including munitions storage, oil storage and aerial photos of proposed sites 
  • International banking records and records and transfers from supporters to a refugee group

Ties to known campaigns

Since getting our hands on the distribution point, we have established links between known campaigns already publicly reported and what we have discovered. This gives us clues as to how resourceful the group may be and will also help us assess its modus operandi.

We have found files strongly resembling (or even matching) samples and their relations described in a blogpost by ESET around the Korplug variant dubbed Hodur. The campaign they described was targeting various government organizations in Mongolia, Vietnam, and Myanmar, along with politically-oriented NGOs. This is in alignment with the victimology of the stolen data we have seen on the distribution point. Hodur was attributed to the Mustang Panda group. The related part of the uncovered toolset we analyzed also contained a USB launcher written in Delphi, similar to the one seen accompanying the Hodur variant of Korplug analyzed by ESET. This installer is responsible for firing up the infection chain leading to a variant of Korplug RAT.

Similarly, we’ve found similarities to operations attributed to LuminousMoth both in structure and purpose. For instance, we have seen a very similar structure as the one described in Bitdefender’s research on the LuminousMoth group. Namely, the usage of the same binaries for sideloading, same pattern for exfiltration – using RAR for collection and a sideloaded library for exfiltration via Google Drive. Perhaps the most common pattern was the usage of a USB launcher written in Delphi that was attributed to Mustang Panda, which was also described in Bitdefender’s research.

In some cases, we have seen some unreliable links to older campaigns such as Operation NightScout, a rather old KMPlayer supply-chain attack, or Operation Harvest. Namely, binaries used for sideloading or names of encrypted payloads matched the ones used in these old campaigns. Nevertheless, the specific payloads differ significantly, so while some of these were attributed to Mustang Panda, the similarity could also be coincidental.

Toolset overview

The storage we have discovered contains many archives with various tools to be downloaded by infected victims. We will use names of these archives to impose basic structure on the data we have found. It is worth noting that these names are partially consistent in successive versions. For instance, we have found an archive KKL which was later on accompanied by another version with a slightly different configuration called KKL1.

Some archives contained complete toolsets, whereas others only had single purpose tools in them that were meant to be used in connection with other tools; for instance, one contained a keylogger that obviously lacked any exfiltration functionality. This provides a strong indication that the tools are intended to be used modularly. We will build upon that and first talk about the usual Mustang Panda theme – Korplug. Then we’ll get to the more specific tools and end with the single purpose tools. Notably, nearly all the tools, aside from Korplug, its loaders, and Delphi installers, haven’t been described before. The RAT written in Go (JSX) or the  modular backdoor (US_2) deserve an extra mention due to their complexity 

From the data we have seen, we conjecture that the main exfiltration tools are variants of tools contained in archives named GDU, which use Google Drive for the exfiltration. Since we haven’t seen any exfiltration tool that uses the distribution point directly and the path on the server of exfiltrated files contains gd, we presume that the responsible group uses some other tools to move files from various Google Drives to the distribution point we saw.

A brief look at the toolsets brings up another interesting fact: almost all the files show approximately (up to a few cases within seconds) a seven or eight hour offset between the compilation timestamp and the “last modified” timestamp of the file itself. Since the compilation timestamp is usually in UTC and the archives use the local time for the contents’ last modification date, this places us at UTC-8 and UTC-7. Therefore, we presume that the build setup operated in a time resembling Pacific Standard Time (PST) and Pacific Daylight Time (PDT), used on the West Coast of the United States. There are a few caveats – SE3 and SE4 contain files that were compiled on November 1, 2021 and still have an eight hour offset even though none of the countries using PST/PDT transitions to PST that early (both USA and Canada transition to PST a few days later).

There is also a file with an obviously spoofed compilation timestamp. HT3 contains a DLL Vender.dll whose compilation timestamp dates more than a month after the last modification date. This further weakens hypotheses that build upon timestamp offsets. Unfortunately, we have no further leads explaining this outlier. The latest version of the uploader (multiUpload.exe), whose usage was spotted at the beginning of June, has a compilation timestamp of January 3, 2020. This is also very likely spoofed as analyses of the previous versions of this tool show clear evolution and, according to their respective timestamps, they were all compiled in April 2021. Not to mention that the corresponding infrastructure was only created at the end of May 2022.

The folder /pub/god, which contained the toolset archives, was removed on June 25, 2022. On the same day, a new folder /pub/god1 was created with two files to which we didn’t have read access. Two days later, the new folder was gone and /pub/god appeared again with a subset of the original tools.

Variations on Korplug

The first group of tools that we’ll introduce are various versions of Korplug. The binaries used for side-loading were already seen before. Even though the loaders were mostly new, they were rather uninteresting. A common theme was a Delphi binary that served as a launcher to be executed from an infected USB drive. As we’ve already mentioned, a similar installer was previously seen in campaigns attributed to Mustang Panda. It just executes the Korplug loader from a folder named “Kaspersky” that is on the very same USB drive. See the diagram below (based on a toolset from an archive named BMD) for more details. 

Note the usage of the folder name “Kaspersky” and usage of “Symantec” in the names of the executables; since the launcher relies on social engineering tricks, it depends on a common strategy using seemingly legitimate file names to dispel any doubts concerning the content.

Contents of an archive called BMD. Archive YK41 follows the same structure, with ShellselDb.dat being replaced with hp_ui.xslbcdsj and without the Delphi launcher.

There were also simpler infection chains, containing just a signed clean binary, a loader to be side-loaded, and an encrypted Korplug. These were contained in archives WD, 127C, and 1260M. The latter interestingly used the OleView.exe binary which then side-loaded the ACLUI.dll that decrypted and executed ACLUI.DLL.UI. The same signed binary, which surprisingly also has the same name of the encrypted payload, was used in the KMPlayer supply-chain attack in 2013. The accompanying research was only published in Chinese, likely due to the attack being limited to a few devices.

Exfiltration toolset

The exfiltrated data on the server in /pub/gd folder showed perfect correlation to the data produced by GDU toolsets (GDU_OLD, GDU, GDU1, GDU2, GDU1_NEW, GDU3, GDUPIZ). These tools collect the files on the victim’s disk, pack them into an archive whose name is prefixed with the victim’s ID and upload that archive onto a Google Drive. We presume that the name GDU is an acronym for Google Drive Uploader. While the tools themselves were technically rather simple, the exfiltration process and their evolution piqued our interest.

The analysis of the exfiltration process brought up several interesting observations. A few days after May 24, 2022, the day we started systematically monitoring Google Drives used for the exfiltration, we started to see more frequent token changes and new features being implemented. These features mitigated possible downtime caused by the migration to a new token. Since Google Drive has extensive logging functionality and the tokens have to be present on the infected devices, it is only a reasonable expectation that access to these drives is monitored to some extent.

On the contrary, we have not seen such behavior with the distribution point. This could be attributed to the fact that the distribution point is never exposed by the toolsets, which brings us to the assessment that the group presumes the distribution point to be secret or not worth monitoring.

Timeline of GDU exfiltration toolsets

Version overview

The oldest version GDU uses RAR executable to collect the data and an encrypted rar.dat to store parameters for the RAR binary. Starting from GDU_OLD, they migrated to their own collector piz.exe (this functionality was later moved to a DLL to be side-loaded) and retained an encrypted rar.dat where they stored their configuration. These toolsets also rely on two optional configuration files that are backed up by hard-coded values: token.dat containing an encrypted token for Google Drive and time.ini that contains last execution date along with the victim’s ID. The setup and the choice of binaries for side-loading bears resemblance to the LuminousMoth campaigns and tooling.

An archive GDU that contains a version relying on RAR instead of piz.exe for data collection.

The exfiltration process is usually handled by a variant of MyUpload.dll that is supplemented by the aforementioned configuration files. Quite recently, a new version of GDU1 has appeared on the distribution point (which we’ll call GDU1_NEW)  which came with its successor multiUpload.exe. multiupload.exe eschews hard-coded tokens and makes the exfiltration process more resilient to disruptions.

Archive GDU_OLD that uses its own collector piz.exe to collect potentially interesting files before the exfiltration.

The version we are calling GDU_OLD is basically the same as GDU1 and GDUPIZ, the most significant difference being a different PE being used for side-loading. GDU1 and GDUPIZ rely on CefSub.exe and subsequently on CefBrowser.dll instead of AtlTracetool.exe. GDUPIZ also uses a slightly different approach to execute the file collection tool piz.exe – the version included in this folder is in fact a renamed clean binary spoololk.exe which in turn side-loads vntfxf32.dll. This malicious binary implements the file-collecting functionality formerly contained in piz.exe. GDU2 is basically the same as GDUPIZ.

On June 8, 2022, we saw a new GDU1 toolset on the distribution point. This time MyUpload.dll has been upgraded to provide redundancy in the exfiltration process. It no longer uses token.dat but rather uses a Github repository as its source for the token. If this fails, there are two backups – one using HTTP PUT to www.watercaltropinfo[.]com with Basic HTTP Authorization (123:123). The other sends the data via HTTPS POST to m.watercaltropinfo[.]com. The collector is the same as in GDUPIZ. GDU3 uses basically the same process but uses different PE for side-loading (FwcMgmt.exe).

Tokens

A special chapter is devoted to Google Account tokens that are used in these tools, partially because our research may have forced the group’s hand to refresh the tokens once they discovered that we knew of their Google Drives. The fact that after each token decommission, every client had to have the token updated and that GDU toolsets do not have any remote update functionality suggests that these toolsets have to be accompanied by other tools that provide this update functionality. We have noticed a longer delay between the decommissioning of the token from May 29, 2022 and before a replacement token was being distributed. Its distribution coincides with the time a new version of GDU1_NEW was released. It’s exactly this version that has introduced new functionality in the exfiltration tool, namely smoother token swapping and failsaves for cases when Google Drive exfiltration fails. Therefore, we presume that this delay was caused by the development of this new functionality.

SourceRefresh TokenMetadata
GDU/GDU_OLD1//030YFi1XWWVY2CgYIARAAGAMSNwF-L9Ir_I6Aqhg4gn3UWyi3I5J_6q4VxHPYNkit3x9RtlpVkFCEOD4KU-E2u7NghS0hx5nPU8YFirst seen: 22.4.2021Not accessible
Distribution point1//0clbh_CVKereiCgYIARAAGAwSNwF-L9IrtPxC9zt-onaeeq2gTUwZTVa8f8ILvDYM8dyVVjmmKmNr5Pnsi27iMjLll2dxbDRxUQsFirst seen: 22.4.2021Not accessible
GDU1/GDU2/GDUPIZ1//0cZLNy7GH0LknCgYIARAAGAwSNwF-L9IrV7aXKTZb-WQM1aqXkjX0ph25dTZngOYAUlAXHB1NvCorgw62XI_TXsWNrK98KBYfbpAFirst seen: 17.3.2022Our first access: 24.5.2022Usable until: 26.5.2022
Distribution point1//0e29aixufumhCCgYIARAAGA4SNwF-L9IrX2w0GnjBQe4g5hQWKJlXjIQF7XZBnQ9VKArYhJVwOayZq9Ad-G8YHbsptTN5DhfXI2EFirst seen: 29.5.2022Our first access: 29.5.2022Usable until: 3.6.2022
Github1//0ewRnXWCf2AunCgYIARAAGA4SNwF-L9IradANDPAvIqPOaIfReqT1fQ0GO5A9FnUhdpdI0Q0V1IRye5RbTi-hcGQbbHKgDc02xfMFirst seen: 8.6.2022Our first access: 8.6.2022Still usable

Temporal analysis of exfiltrated data

We can also have a look at the metadata of the exfiltrated archives. What is rather unsurprising are the upload times which closely coincide with Burmese business hours – a smaller peak in the morning and a huge peak in the afternoon. Note that Myanmar is in UTC+6:30 time zone and China, presumed land of origin of Mustang Panda, is in UTC+8.

What is more interesting are events produced by the group itself – transfers from Google Drive onto the distribution point and deletion of files from the distribution point. The huge peak is around 18:00 MM time which coincides with the end of the work day in Myanmar. The spread of starts of upload windows is negligible, leading us to the presumption that the transfer is automated. We have seen a few archives being placed in the wrong directories which could indicate that the tooling is still under development or there’s still some manual work involved… Usually, the files have accumulated during the day on Google Drive and were transferred to the distribution point in the evening MM time.

As we already mentioned in the introduction of uncovered tools, we have found quite a lot of files that were “missing” something. By that we mean that on their own, they were either lacking communication functionality or implemented some techniques that were useless without being accompanied by another payload. Interestingly, while these were also using side-loading, they were not relying on external encrypted files, making their execution flow straightforward with 2-point graphs. For the sake of brevity, we will list these in a table:

ArchiveClean executableSideLoaded DLLPurpose (high-level)
MG/MG44dabs.ex/44.exSensorAware.dllfingerprinting/remote shell
AUDmcsync.exmcaltlib.dllaudio recording
CHRbrowser.exbrowser_elf.dllCookie dumping
T3YKygfdt.execorecrl.dllremote shell
UCmelt_64.exelibmlt-6.dllUAC bypass
KKL/KKL1mscorsvw.exemscorsvc.dll (contains KBE.dll)clipboard stealer, keylogger
Archive KKL contained a straightforward stealer in KBE.dll that was also hard-coded (in an encrypted form) in mscorsvc.dll from which it was unpacked after side-loading. The newer KKL1 was practically the same.

There are also a few standalone files such as x.ex in archive X which composes logs of registry entries (Run), services, and scheduled tasks along with checking all signatures of executable files in %WINDIR%. Archive NB contains nb.dat which is just the nbstat utility executable. There was also a coinminer in the archive INFO along with its encrypted configuration file.

An interesting utility is DISK2 (and its variant DISKM); it is responsible for monitoring the system drive for any changes. Both are accompanied by a configuration file that defines which files are of interest and where such files should be copied to. It also notifies its C&C server about these files via an encrypted message over HTTP. There is also a version of this tool named MF20211228 that does not contain any configuration file and does not copy files anywhere, it just sends messages to the C&C server.

Contents of an archive DISK2. This toolset is responsible for monitoring the system drive for any changes in files defined by its configuration.

Oddballs in the collection

JSX

JSX archives (JSX86 and newer JSX861 for 32 bit version and JSX64 and newer JSX641 for 64 bit version) deserve a separate mention as they use a rather uncommon setup; a JavaScript file is at the beginning of the chain and instead of side-loading, the respective DLL is launched as a service. mozload.dll is a RAT written in Go that uses HTTPS and websockets for its communication. Interestingly, the RAT uses TLS Client Authentication; see Appendix A.1 and Appendix A.2 for the private key and the certificate.

The execution flow of the packages from JSX archives.

HT3

HT3 simply does not fall into any of the previous categories – it is a backdoor with external configuration accompanied with a shellcode loader and UAC bypass.

Execution flow of HT3. Note that it contains both 32 bit and 64 bit versions of an UAC bypass tool.

SE

Now we are finally getting to a more complex setup. These archives include several versions with very similar structures and sometimes with varying payloads. Functional changes are presented below; note that these do not include changes in side-loading which will be discussed later on. All versions feature a few evasion tricks that use registry tricks to hide files and file extensions.

VersionVersion changes
SE1Uses volume name for USB installer executable
SE3/SE4/SSEUses Delphi launcher (the one attributed to Mustang Panda), persistence integrated into LPVDPOCX.OCX (equivalent of facesdk.dll from SE1)
SE5Uses volume name for USB installer executable, rollbacks to old USB installer
SE6No significant functional changes
SE7No significant functional changes

SE3 and therefore also SE4 and SSE (which are mostly the same) use vivaldi.exe and vivaldi_elf.dll for its evasion module. Also, FacialFeatureDemo.exe and facesdk.dll are replaced by Symantecs.exe and LDVPOCX.OCX; the latter integrating persistence into itself instead of having it in a separate module. Interestingly, the USB installer has been replaced with one similar to the one in the archive BMK; a Delphi launcher that executes Symantec.cmd which is actually Symantecs.exe. These versions are also the only ones that have renamed 3 of 4 payload bundles (using csdkset.dat for backdoor, EdrEpmpCStorages.dat for USB installer, and PchEpmpCStorages.dat with WTSAPI32.dll). Confusingly, WTSAPI32.dll does not seem to be used anywhere and will be used for side-loading by later versions when the USB installer replacement is roll-backed.

SE6 and SE7 abuse old Avast’s proxy executable wsc_proxy.exe to side-load wsc.dll which serves as the dispatcher. Aside from this change, there are no other significant changes to the functionality.

The schema of contents and the control flow of SE1. In newer versions, the persistence module is integrated in the dispatcher.

U5_2

The last complex toolset that we will present is from the archive U5_2. Most of the functional code is encrypted and bundled in AtiVir.csc. With the exception of a  chain to a removable drive watcher, all the parts share similar XOR keys: user_panda_%section_name%; a rather interesting choice if the toolset really belongs to Mustang Panda.

An interesting part of the toolset is a file install_.exe that reads a file from a given path, takes the serial number of the volume where the file is located, computes MD5 hash from the serial number and changes the  first bytes of the file to the hex-encoded computed hash value.

The schema of contents and the control flow of U5_2.

Server infrastructure

The distribution point is an FTP server located in Malaysia that is accessible without a password (username anonymous, password is empty). We have also encountered a different FTP server in late 2020 containing very similar archives to the ones we now know contain exfiltrated data. Unfortunately, we did not have enough information to process the archives it contained. We presume that these two FTP servers were closely related or that even the current FTP server may be successor of the one we found previously.

We have noticed that the FTP server has stopped responding in October. Fortunately, the server itself was still alive and the distribution has migrated to using HTTP instead of FTP. They also started using HTTP Authorization; nevertheless, they have reused a weak username:password combination (123:123). This has caused a downtime of a few days in our tracking, but with a quick fix, we’ve managed to get back on track. Presumably, this might have been another attempt to foil our tracking attempts.

Our telemetry data also revealed another server in Russia. A client from Myanmar tried to download an archive XYZ from it via HTTP. Upon further inspection, the archive was found to be identical to XYZ from the aforementioned FTP server. We have tried to crawl the server for archives and files we have already seen on the FTP server and found the following toolsets:

Archive on the HTTP serverMatching archive on the FTPNote
gdupiz.rarGDURetrieved from our telemetry
xcrs.exeXDiscovered by crawling
jsx861.rarJSX861Discovered by crawling

The fact that the affected client is from Myanmar, and the fact that the server contains some parts of the described toolset strongly indicates that it is part of the same campaign. Nevertheless, since at least one archive was renamed, we were unable to fully enumerate its contents. Similarly, we were not able to verify whether the server contains exfiltrated data.

C&C infrastructure

JSX RAT

The JSX RAT attempts to communicate with 103.169.90[.]132 using TLS client authentication. The certificate (see Appendix A.2) is hard-coded and we can try to use it to confirm related infrastructure. Looking at the server certificate data, we see that it imitates a real hosting company.

Common name:        blue.net
City, country:      San Francisco, CA, US
Fingerprint (sha1): e0adf667e287b0051988dda2b85e7541d7532703
Self-signed

Interestingly, the C&C’s certificate had the exact same subject as the client certificate. Searching for other servers that use the same certificate yielded a couple more servers. Furthermore, we were able to confirm that the majority of these servers are running the same C&C software because they accept the RAT’s hard-coded client certificate.

A server at 118.31.166[.]5 seems to be an outlier among these servers with port 4433 being exposed. Since it is the oldest one using the same certificate and the server exhibits the same communication traits on that port, we suspect that it might be a development server.

Two of these servers were open to RDP connections with a certificate that had o9c[.]pg as its CN (Common name). We tried to go further using these certificates to uncover further candidates for C&Cs. The timeline of uncovered servers is below:

Timeline of servers using the discovered certificates. Blue ones use a certificate with blue[.]net CN, red ones use o9c[.]pg as CN, purple ones have both. The highlighted line corresponds to JSX RAT C&C.

These are servers using the same certificate:

IPGeoNotes
103.169.90[.]132MYOriginal C&C Ports: 443, 22, 53, 3389
45.79.409[.]10USSuspected RAT C&C on port 443
118.31.166[.]5CNSuspected RAT C&C on port 443, different response codes
181.215.246[.]173MY
39.104.52[.]188CNSuspected RAT C&C on port 443
45.56.90[.]127USSuspected RAT C&C on port 443
154.204.176[.]249HK
47.244.2[.]17HKSuspected RAT C&C on port 443, RDP
47.96.236[.]105CN
134.122.129[.]170HKSuspected RAT C&C on port 443
172.105.158[.]102USSuspected RAT C&C on port 443, RDP
192.46.213[.]63INSuspected RAT C&C on port 443
Overview on the servers with ties to JSX RAT C&C.

These are RDP servers sharing the same certificate as the two C&Cs with open RDP port:

IPGeoNotes
47.75.123[.]100HK
47.242.171[.]26HK
47.57.87[.]221HK
172.105.118[.]92SG
172.105.159[.]130US
47.244.2[.]17HKIs also on the previous list.
47.242.95[.]126HK
8.210.16[.]197HK
172.104.92[.]7JP
45.33.34[.]11US
45.79.102[.]41US
47.57.108[.]231HK
194.195.240[.]87DE
47.56.65[.]198HK
8.210.128[.]37HK
172.105.158[.]102USIs also on the previous list.
47.57.110[.]128HK
47.242.6[.]26HK
23.92.26[.]127US
47.75.183[.]119HK

Other C&C servers:

FolderGeoC&CNotes
DISK2/DISKM/MF20211228RU188.127.249[.]169Stealer
HT3MY45.121.147[.]172Korplug
JSXMY103.169.90[.]132RAT
MG/MG44SG23.106.122[.]81Remote shell
SE4/SE5/SE6/SE7SG91.245.253[.]72Backdoor (ZIPDLL.dll)
SEEMY103.91.66[.]116Backdoor (ZIPDLL.dll)
T3YKMY111.90.148[.]95Remote shell
U5_2MY103.117.141[.]202RAT
YK51LOWMY
N/A
mod.mmgpms[.]com
txt.mm-film[.]com
Backdoor
1260MUS45.134.83[.]4Korplug
GDU1_NEW/GDU3https://github.com/YanNaingOo0072022/View2015Encrypted Google Drive token

Conclusion

It is not very often we stumble upon such a stash of samples that is used to distribute malware to infected devices; especially when we are talking about tools that are strongly correlated with a notorious APT group. We have shown links to multiple previously published research around campaigns both using tools and TTPs, providing us with high confidence that the threat actor in question is Mustang Panda.

The exfiltrated data indicates that the toolsets that we have found were actively used around Myanmar. For instance, we have found audio recordings that corresponded to the audio recording tools we have identified in the archive named AUD. Although many tools were simplistic in their nature and sometimes also in chosen obfuscation methods, some archives contained tools which seem to deserve further analysis; be it due to their complexity or technical implementation.

What was really surprising was the sheer scale of the compromitation. We have identified many high-profile government targets, some opposition entities along with a few NGOs. It is worth noting that given the sheer volume of data and the language barrier, we have only been able to associate some of the victims with a specific organization. This means that the list of targets is likely incomplete and should be considered as approximate. Nevertheless, the daily rate of gigabytes of exfiltrated data should be enough to give a strong hint on the scale of the operation.

Appendix

C&Cs

FolderC&CNotes
DISK2188.127.249[.]169Stealer
HT345.121.147[.]172Korplug
JSX103.169.90[.]132RAT
MG/MG4423.106.122[.]81Remote shell
SE4/SE5/SE6/SE791.245.253[.]72
193.42.36[.]214
Backdoor (ZIPDLL.dll)
SEE103.91.66[.]116Backdoor (ZIPDLL.dll)
T3YK111.90.148[.]95Remote shell
U5_2103.117.141[.]202RAT
YK51LOWmod.mmgpms[.]com
txt.mm-film[.]com
Backdoor
1260M45.134.83[.]4Korplug
GDU1_NEW/GDU3https://github.com/YanNaingOo0072022/View2015Encrypted Google Drive token

Certificates and keys

A.1 JSX private key

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPq1gFM9BHY6lKw+F09iQ4rY5ZDpZhpVuLbLEgKpN1EFoAoGCCqGSM49
AwEHoUQDQgAE8ReYJNz1RlchdTIxo0/4GqPVsJ2m6QFMW0vVMLKYWeINX4Ih9vPV
OgzHq6+qeNxzvAbS4D9jTETTMKssSssr0Q==
-----END EC PRIVATE KEY-----

A.1 JSX certificate

-----BEGIN CERTIFICATE-----
MIICBDCCAamgAwIBAgIUPAoKZshUkyHcTvej+gio/kTTd/AwCgYIKoZIzj0EAwIw
RTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
c2NvMREwDwYDVQQDEwhibHVlLm5ldDAeFw0yMTEwMTIwMzQ0MDBaFw0zMTEwMTAw
MzQ0MDBaMEUxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2Fu
IEZyYW5jaXNjbzERMA8GA1UEAxMIYmx1ZS5uZXQwWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAATxF5gk3PVGVyF1MjGjT/gao9WwnabpAUxbS9UwsphZ4g1fgiH289U6
DMerr6p43HO8BtLgP2NMRNMwqyxKyyvRo3cwdTAOBgNVHQ8BAf8EBAMCBaAwEwYD
VR0lBAwwCgYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQULCt+JQ1h
n+CNR27Lm0giuJbAHGAwIQYDVR0RBBowGIIIYmx1ZS5uZXSCDHd3dy5ibHVlLm5l
dDAKBggqhkjOPQQDAgNJADBGAiEA9c8UxcF/xYGVThbl3vfKpmJQKQLi8LP+2cui
o9Z3iZICIQCxJOXs+4ScVpyIkw8HYCCv3x0CDVv4xfiGHEEW+ZLZYA==
-----END CERTIFICATE-----

Side-loads

ArchiveBinaryDLL
BMD,YK41Symantec.exeSHELLSEL.ocx
YK41LOWGoogleUpdate.exeSbieDll.dll
YK41LOWatkexComSvcRes.exeCefBrowser.dll
HT3x.exeVender.dll
GDUSamvd.exeSmadHook32.dll
GDUPIZvsgraphics.exevsgResources.dll
GDU1/GDU2CefSub.exeCefBrowser.dll
GDU2/GDUPIZ/GDU1_NEW/GDU3piz.exevntfxf32.dll
GDU_OLDAltTraceTool.exeatltracetoolui.dll
GDU1_NEW/GDU3NitroPro.exeCefBrowser.dll
GDU3piz.exeFwcWsp.dll
WD HP.exeHPD.dll
DISK2/DISKM/MF2021188HPCustPartUI.exeHPCustPartUI.dll
127COleView.exeACLUI.dll
KKL/KKL1mscorsvw.exemscorsvc.dll
MG/MG44dabs.ex/44.exSensorAware.dll
AUDmsync.exmcaltib.dll
CHRbrowser.exbrowser_elf.dll
T3YKygfdt.execorecrl.dll
UCmelt_64.exelibmlt-6.dll
1260Mupservice.exebreakpad.dll
U5_2HPCustPartUI.exeHPCustPartUI.dll
U5_2PlugInInstallerUtility2.exePlugInInstallLib.exe
SE1FacialFeatureDemo.exefacesdk.dll
SE1/SE3/SE4/SE5/SE6/SE7/SEECUZ.exeZIPDLL.dll
SE1%volume_drive%.exeMSFTEDIT.dll
SE1/SE7GUP.exelibcurl.dll
SE1spoololk.exeWNTFXF32.dll
SE3/SE4/SE5/SE6/SEEvivaldi.exevivaldi_elf.dll
SE6/SE7wsc_proxy.exewsc.dll

File hashes

\1260M

1ded7b4cab302bc7229c92723056d07d5bd9563e88fe082da0a396942fba5958 breaklog.dat (Korplug)
2895fdac192a4b0ffd70b6b207d49cd7c8f68945eb5c09e3d51e2fded6c6c32f breakpad.dll (Loader)
ce13248fa2da5b27773f855c2dd0c6ce276b4a10b020e4da57bc47ab0fe07eae upservice.exe

\127C

1769c7778cbcd937ae317f4982f404b0d7ae7ee5e2b2af4efb160c5233a8f476 ACLUI.dll (Korplug)
8ff84f79455b84bd73e7c0641532a60e8132599c29d3f85fb54f3d7da53e1817 ACLUI.DLL.UI (Loader)
91f6547bceddfb2f241570ac82c00de700e311e4a38dea60d8619638f1ed3520 OleView.Exe

\AUD

cd6bcf240de87fe3f1b5a6a24db1b2728acad5f7bcfe124e5bc2d7bdac2f64a9 mcaltlib.dll (Audio recording)
075f9dfb6ab3379f69165c03991abf1a969ca0c21e04564543564dc536ea95dd mcsync.ex

\BMD

55eacabb7c054355d2e8c3a82c075338c9ac642d86ee5d3fa1fca3f621e43cb2 SHELLSEL.ocx (Loader)
d139940023fa2c602e2a31faa807b9df074f34747511bd61db961d20155b8c84 ShellselDb.dat (Korplug)
61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantec.exe
491d9f6f4e754a430a29ac6842ee12c43615e33b0e720c61e3f06636559813f7 SymantecHp.exe (Launcher)

\CHR

e3e2164c54a5c8ab063695bc41b6c0c0ddc390c790de8ad24d6169dba46f7734 22.1.1.1543.manifest
4063cf4ba2d4e12c277479399d4489e45a48b1013d8d54b5a589784fe7158978 browser_elf.dll (cookie dumping)
12b15f31f295416417f1e028904a4e10a0c8ec39dd00bac7df4887c194f2865b browser.ex

\DISK2

8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6 HPCustParticUI.exe (Sideload)
7ea21215968c43f9fe28f94926e3547f2f7a0e35cdf40392b0b6aea80fe11314 HPCustPartUI.dll (Stealer)
c9121c7874d2fd88ff7af35eb3f3cd18ab7162390db008043037383cdad6ff56 HPCustPartUI.log (Ecnrypted stealer config)
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f MSVCR120.dll

\DISKM

8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6 HPCustParticUI.exe (Sideload)
788fe764f6f5e0fff31b06fd8b94ee0cf51a3082c1321d8db96708c2a6abc3ee HPCustPartUI.dll (Stealer)
62d770f240cecebd6cf725df05ab1e863d83895abc9396664a6090dbcc983d6f HPCustPartUI.log (Ecnrypted stealer config)
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f MSVCR120.dll

\GDU

d12a1750980ef3943c6d7e152948059261944b8afe06b8a280b7fbe61aba3c9b rar.dat (Config)
e64b533d60a21ca8ddbfcf8a1b154ed351383b0196d534bf229101a6cc4d1931 rar330.exe (RAR)
def8fdb95bb53514698b9df1c64e329adfca59adf2e898c3daab16f1e4760bc6 RarCon.SFX (Exfiltrator)
4f54a6555a7a3bec84e8193d2ff9ae75eb7f06110505e78337fa2f515790a562 Samvd.exe
375e88d1f38604c901f2b9fd5b9ada4c44c1f4c172f7cd58cd67e9248ff966ab SmadHook32c.dll (Loader)

\GDU-OLD

197d0ad8e3f6591e4493daaee9e52e53ecf192e32f9d167c67f2ffb408c76f2c AtlTraceTool8.exe
33f631c0b561199b5feb9020faa99e50efa9f421d7484ffa640c5561494726da mfc110u.dll
45a61f4b7e5798f1389a7d6abc8a924c37db6f51552b4cafc901e7e4a50dabc6 msvcr110.dll
db75b25b69b7b6f3206226461d8bde7c05049922dc463e8932d11710fad74833 piz.exe (Collector)
46811fc41623677637aaadcfbe89811d187b390bfd7e4f3e8efd2dd1d078a631 rar.dat (config)
0dcaf08b7b1f8de3999af567144b13f36bea3a68f46f81f8443a81a50a86a09c atltracetoolui.dll (Loader)

\GDU1

2c17b68040dda192939e4b7f65b2935cb6c467b8a4b2c3d512bde6cc5a60adaf cache (Exfiltrator)
e412569c23722c469ee533efb62bbded53d1909b58c8cf7bff9897c466c9df9a CefBrowser.dll (Loader)
cb8a83b590893daa9b02b8e1a1c9afb68d6f2a82c9e0d2d2c63a36a510f6fda3 CefSub.exe
beb44eadd141b7ae46e40e1bf888c302cb7096826e772f0b20ce6f213c69058d piz.exe (Collector)
46811fc41623677637aaadcfbe89811d187b390bfd7e4f3e8efd2dd1d078a631 rar.dat (config)

\GDU2

2c17b68040dda192939e4b7f65b2935cb6c467b8a4b2c3d512bde6cc5a60adaf cache (Exfiltrator)
e412569c23722c469ee533efb62bbded53d1909b58c8cf7bff9897c466c9df9a CefBrowser.dll (Loader)
cb8a83b590893daa9b02b8e1a1c9afb68d6f2a82c9e0d2d2c63a36a510f6fda3 CefSub.exe
390d75e6c7fc1cf258145dc712c1fac1eb183efccee1b03c058cec1d790e46b1 piz.exe (Collector)
46811fc41623677637aaadcfbe89811d187b390bfd7e4f3e8efd2dd1d078a631 rar.dat (config)
869b8dd87e402049eae435de3de1e15a021d9fcbf79a20be3b030d3782599903 vntfxf32.dll

\HT3

59cf961f7316656e73b269a86b04836a7a7254f021a8a3132a927b02373225d6 AUG.json (Encrypted and compressed data)
091408cdd56267bc4fb4cb54f2d91701aa8cdcede334a648566eea89f1682925 Vender.dll (Loader)
00bfbbe6e9d0c54312de906be79cc1e9f18b2957856a1215eaff1ac7bb20e66f x.exe

\JSX64

c617016fb8809655f9189648b9b41a727c0b49cdb79a28f13f710d23f3527a64 install.js (Executer)
21bf4631775b6c17f9e94c0901ffbb7718a0e6094582bcb1683b934aca24e18f mozload.dll (RAT)
f4a31d15cd5aa3441e5e31c1add6e0c3551a1aad5abb75f0abd76990f2824acc scx.exe (Installer)
645ee3601aea4c1af8b938f64698bf6c5978b1151aef53e183bb768791c927e2 svchost.dll

\JSX641

73903c2c46b5055380fc2a238c96f7f2ca2a5acf1cd1e568b2d2be0638c68fd1 install.js (Executer)
50bee35c965a99b3f8f722296e4ed6474ca62d96ea5fc4897e7d1563ed173d5e mozload.dll (RAT)
e27bfbe87c78945b1d79fc027c3f0a27a07d0dddc742783bf686c1a8133a2f48 scx.exe (Installer)
8cebfe33cd69747cc1333fe598d9b0331103e0869d6f1b1f75e28b3b8f11243d svchost.dll

\JSX86

c617016fb8809655f9189648b9b41a727c0b49cdb79a28f13f710d23f3527a64 install.js (Executer)
fd1ec183124d2d82dae1dd228de88440bc142cf6430c9c93518e25f1dde052fd mozload.dll (RAT)
9e3788cacb3d38e4e15da7e4887650efa6a3b17a65a314fcb4e059d9f88481a8 scx.exe (Installer)
5e8311c26091839a292e2d12f88378f8093fc739ced86aa1e9ba1b707ad516d8 svchost.dll

\JSX861

73903c2c46b5055380fc2a238c96f7f2ca2a5acf1cd1e568b2d2be0638c68fd1 install.js (Executer)
f9d94c1dcdbcefddb4f1d47291422c6198fd11052aea761acf8b5755802ca922 mozload.dll (RAT)
49a81878ec282c3c9d4dd72920d9283e2c86d0bb96b468e010901b3f4f9c75ed scx.exe (Installer)
79440abf29d1b56cb1c95a12f554fe052e21a865fea56a025e216f342ffbccbd svchost.dll

\KKL

fae5b61723106d44de46b3ec49e80067f63f82f09501142186984a658bc99c38 KBE.dll (Clipboard stealer, keylogger)
ed6b3af0edcd3b57c0616e1b7819b5e1c1e72327300172ff2664b158f65861b2 mscorsvc.dll (Loader)
0809e3b71709f1343086eeb6c820543c1a7119e74eef8ac1aee1f81093abec66 mscorsvw.exe

\KKL1

4afa4582975d31144b3af692f123f87b6400a45475e41fa1822c7acdb17590f0 KBE.dll (Clipboard stealer, keylogger)
9af8336050c40105864bf9314355471494dc631fd88a0b444291b63b941b7822 mscorsvc.dll (Loader)
0809e3b71709f1343086eeb6c820543c1a7119e74eef8ac1aee1f81093abec66 mscorsvw.ex

\MF20211228

8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6 HPCustParticUI.exe
9f1d1a94026c54396a4c0b6327d317836dc9dc67178810428302efcbf5225a42 HPCustPartUI.dll (Stealer)
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f MSVCR120.dll

\MG

473b4f8b8640a68d1092f6b54b521c6b0ccb1c567eca4a18a2c2da3481bc027a dabs.ex
cfe1447e7515ad831fcfedb9a5c1a721885b0542b775e4028a277a27e724ec73 SensorAware.dll (Figerpring, remote-shell)

\MG44

473b4f8b8640a68d1092f6b54b521c6b0ccb1c567eca4a18a2c2da3481bc027a 44.ex
cfe1447e7515ad831fcfedb9a5c1a721885b0542b775e4028a277a27e724ec73 SensorAware.dll (Figerpring, remote-shell)

\NB

c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nb.dat (Nbtscan)

\SE1\Bin

8364bae4e2951957403cbe3a78362edb7d41c34f49c81f0336fcb28d1510d5e1 facesdk.dll (Dispatcher)
0d243cbcd1c3654ca318d2d6d08f4e9d293fc85a68d751a52c23b04314c67b99 FacialFeatureDemo.exe
e5bbbf34414426f63e6cd1354c306405e54bf31279829c7542dccfb7d85af0ec GUP.exe
92717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5 gup.xml
7e1c49d45935fb5d20add5baf60400fb64fbf0299a3af3b0be764b2d265e368a libcurl.dll (hides malware files)
390d75e6c7fc1cf258145dc712c1fac1eb183efccee1b03c058cec1d790e46b1 spoololk.exe
abf7bb6eb92f2f358e8e57c1be03efe5a7f81e3d3eb4134257c3483e9e7782c0 VNTFXF32.dll (persistence)

\SE1\Data

1a4e92e09957578cc8d8c1fbdaba55e306e7bcbc6208ee00e33bb37e849156f9 aweu23jj46jm7dc
13cf1c57f1c143c592173b1e91ddb652d5dd1c2015289ac890a37253058b54be bjca3a0e2sfbs
12acd296a009d9e8fbd9511d3c0586f331d450b9c12f651e0554764e50cfb7e7 sf24acvywsake
4a6ed717a2d7f0953e4b25c2652c9a231146f60b35d9a5e3cf782c772727b1bc sf33kasliaeae

\SE3\Bin

61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantecs.exe
a8f3bc45ac0dcf351c028ecabfd68e8e551cd97f8dc0fc6e62e135668cde9277 LDVPOCX.OCX (Dispatcher)
bb6cf240bdabeea90321cab7d48e268df2b5240d84aab0d5ae5ffe415a6943e4 vivaldi_elf.dll (hides malware files)
58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494 vivaldi.exe

\SE3\Data

51c3d115e0173e3ba6eeaea3d53b86bce45367e50feed82d8efed2065d845d28 3.8.2259.42.manifest
6ded96d7609cc085db57764c40a38379cba50b965f959650ca8d1605ae0411e8 csdkset.dat
a8f0dff3c57621282a1262ddaa559f055f2f2cc717a7695d8bfbf7a6898b843c EdrEpmpCStorages.dat
7659be61fc1e16c4721b451225ec7c8f932e9e7357894ddea3a4ada9583996b5 PchEpmpCStorages.dat
9015378ed6d7537f07e61c78b3c35766d63465970b63d13c9b447dc8bb90e2d7 prodcltdef.dat

\SE4\Bin

61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantecs.exe
01cd1530b0db54c834ef275e0cc617645a23e1f250bc35c248d546c28da220fb vivaldi_elf.dll (hides malware files)
9fb4c9f1995b02ece99b62a4efc0df5c916a1858f57730225f3c419fce0de24c LDVPOCX.OCX (Dispatcher)
58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494 vivaldi.exe

\SE4\Data

51c3d115e0173e3ba6eeaea3d53b86bce45367e50feed82d8efed2065d845d28 3.8.2259.42.manifest
01cd1530b0db54c834ef275e0cc617645a23e1f250bc35c248d546c28da220fb csdkset.dat
baaaffe80060fb89b06ff19dfb6c76835fc6639d81513e2d9e49716f1816ccc4 EdrEpmpCStorages.dat
9fb4c9f1995b02ece99b62a4efc0df5c916a1858f57730225f3c419fce0de24c LDVPOCX.OCX
f488e4e838fa447c9b08fc74d4180faeb465f9070c443625b7515aed7c282fa6 PchEpmpCStorages.dat
ab89d614923b92ce2eb7ed48357b2d1755b8a8f572ead3b32bb63a79e259186d prodcltdef.dat

\SE5\Bin

5828fd07716140e5fefec1b07751378d9b76952e66b2c0fb0a860313d4030b4d LDVPOCX.OCX (Dispatcher)
61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantecsy.exe
bb6cf240bdabeea90321cab7d48e268df2b5240d84aab0d5ae5ffe415a6943e4 vivaldi_elf.dll (hides malware files)
58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494 vivaldi.exe

\SE5\Data

e6fdd0d22abe3484d57715bd83143e5810b74f3f9dc8780344c66af2c0894d76 aweu23jj46jm7dc
50814a35a9d157405252c8ba52c12d1cf5adf137598173c6522cbe058e14b7ff bjca3a0e2sfbs
1d68f4afd0fd908d35db6d9710ab2fc92fb5ca739d6351e1bf513e068fbd00a0 sf24acvywsake
5427cd51f0120a27ed75d3ac27d6f8eac6f27c54d8658236a52a281d6433496b sf33kasliaeae

\SE6\Bin

a67094334ae2135e50bf2074f08d3a99075a53a174da6bdf22eca54293bb8e9b vivaldi_elf.dll (hides malware files)
58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494 vivaldi.exe
bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e wsc_proxy.exe
e0c240f5776d158da7529d8c0e3d5be4d6f007e51e4be570e05b744d0452011d wsc.dll (Dispatcher)

\SE6\Data

51c3d115e0173e3ba6eeaea3d53b86bce45367e50feed82d8efed2065d845d28 3.8.2259.42.manifest
7620acb11f0471515079a69ee2cec0cd74485fb13c779d41c2b43b87718c63ff aweu23jj46jm7dc
3fc3fb81a43b9ac155e42367769eb5c0d6dd08c06a025ba93697c6b2667bf1e7 bjca3a0e2sfbs
f2c5004450a749bef14ee779e1c8e4c08702f089248d0a282e6a679d29b0996d sf24acvywsake
10d58013b8a34e10e8548b016154963097dcff15e5673bf24e8ed18513ad4a64 sf33kasliaeae

\SE7\Bin

e5bbbf34414426f63e6cd1354c306405e54bf31279829c7542dccfb7d85af0ec GUP.exe
92717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5 gup.xml
7e1c49d45935fb5d20add5baf60400fb64fbf0299a3af3b0be764b2d265e368a libcurl.dll (hides malware files)
bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e wsc_proxy.exe
e4ddf5af63fdfe85c5a4573d4768699ebdaa5b5b67b7cb6834840c696808a8e5 wsc.dll (Dispatcher)

\SE7\Data

b7a38292131c131d75413133f101114a1b72bd02e27cc6aea7a836ff964f961f sf24acvywsake
28aadf5b14ba0cb38a33ab53796dba12e7d59479744f0cca225b10be44730b9c sf33kasliaeae
ec56a6fa6804e47f331daee1460c3d07e01fe45edac5d6b1feb01fbbd8396f91 aweu23jj46jm7dc
e32447bd309a6941a1fff4fa559376d9c723afd1b9ce2a1c2dced4b9db6a6f6a bjca3a0e2sfbs

\SSE

51c3d115e0173e3ba6eeaea3d53b86bce45367e50feed82d8efed2065d845d28 3.8.2259.42.manifest
5dafacfa147f087dd0a706cf274e20cbb58f634ba14424d3433efc2e829aa7cd csdkset.dat
b9924c66506ccad566d6c26b8db499e498a9dc840acacb2d8d3bf9d73818814a EdrEpmpCStorages.dat
180a2f3eb004f93590e4fb18cdc3dd6e18815587637ac354ca99f7513aa63633 LDVPOCX.OCX (Dispatcher)
9add5663bc846b4b7cdefcd0e09b882e2f16f755e2e6540efc6ea2072c93f3f2 PchEpmpCStorages.dat
756d1cb0e74b309d53d4f16b043514da128c8b3b89c7d5e46897b61f74bad2d7 prodcltdef.dat
61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantec.exe
bb6cf240bdabeea90321cab7d48e268df2b5240d84aab0d5ae5ffe415a6943e4 vivaldi_elf.dll (hides malware files)
58e7af5eb1acb5c9bee821d59054c69263aed3dce1b95616255dea7114ad8494 vivaldi.exe

\T3YK

3c0d3783a5ccdecf3786db0053b1352d6fb5a37d9081cc32ec6d5bb611064ce3 coreclr.dll (remote shell)
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe ygfdt.exe

\U5_2

2a971ba79f9f7378e11a47dcafa78e9fe4b1f0c659f7f310209d3e6671d5dc31 Ativir.csc (bundled payloads)
9cd8c5d34fd460dd0e240f5e54ade689d808469d6da5e0bd087cc71e6f851c6a core.exe (executes path from config)
caeb48fd04a5fe8b0b4bd32b538ed5f1f303b0487037cf37864f0b5665ff093a install_.exe
2f2a5e5cdb262cd62b43b88bf1e9cfb40a26eac5897616b9eacec4e25d95cbb9 PlugInInstallerUtility2.exe
a90e048c74697775bba2e4c4bfa45d369e44e9a020a83956aa44a50ab8a9a249 PlugInInstallLib.dll

\UC

f349183462f1aeac8d3afb43c723af0252c157d376637f30fb7c87fdf80ee965 libmlt-6.dll (UAC bypass)
a23dbce5bcde8ce541b8f326a951d29f6241280d944a1e921ca8658d3d4b65ac melt_64.exe

\WD

8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6 HP
97efd0abf726acfc1a5b4a0b460a727724f43ef9f1e788bada4942d715d4ab87 HPD (Loader)
86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f MSVCR1
5f31d558417528b4c635afd6c17347dc393c7dfcecfb79040fe97d9f1abf3776 S (korplug)

\X

28bed0d5bcfb2d5597af881a2be3098327f2d83f14948c6a46cde3cd0776eb1c x.ex (status checker)

\YK41

edab53d39734965a7cadc2a21662d6a16c9b04b2961dfe9eb76aeda040786e25 hp_ui.xslbcdsj (encrypted Korplug)
071558464f6d067f3044b7ee3819fcb3a049b8be3535043db41123c2fde5d451 SHELLSEL.ocx (Loader)
61d1943f0b702f4c16bb37228ade1d8f0ef4675b480921950d026c82e4a65fde Symantec.exe

\YK51LOW

cb8a83b590893daa9b02b8e1a1c9afb68d6f2a82c9e0d2d2c63a36a510f6fda3 atkexComSvcRes.exe
9bdccd5e4617dfbcaf85228c60703369a8848ad8bb86e00e75e504a26fbe932a CefBrowser.dll
b29b38217921a6b36113049bd9cb4fb2ec52816bff7cd731621ff2fa3dbc7b01 DP45126C.lfl (Decryptor)
90a29c688ce683fb2201145faac00cb44c3d5566697279b68960c6bc3208ae84 GoogleUpdate.exe
fa56ba25861f1b5040afd04bfbfd36353004cd6b2c457971fb01db26ff002f35 GoogleUpdateOnDemand.exe
c9ed69e7bf233ba1edd18a1f91671faee9b7756aa77fe517319098706e78cde5 SbieDll.dll (Loader)

The post Hitching a ride with Mustang Panda appeared first on Avast Threat Labs.

ViperSoftX: Hiding in System Logs and Spreading VenomSoftX

21 November 2022 at 13:04

We’ve been closely monitoring an information stealer called ViperSoftX. ViperSoftX was first reported on Twitter in 2020, and by Fortinet in the same year. Some aspects of ViperSoftX were also described previously by Colin Cowie. However, it has undergone very intensive development since then, intensifying throughout 2022. The malware authors’ constant game of hide-and-seek in which they continually improve their strategies and techniques to avoid detections shows no signs of stopping. We, therefore, decided to put the pieces together to provide a comprehensive analysis.

This multi-stage stealer exhibits interesting hiding capabilities, concealed as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files, among others. ViperSoftX focuses on stealing cryptocurrencies, clipboard swapping, fingerprinting the infected machine, as well as downloading and executing arbitrary additional payloads, or executing commands.

One of the payloads ViperSoftX distributes is a specific information stealer in the form of a browser extension for Chromium-based browsers. Due to its standalone capabilities and uniqueness, we decided to give it its own name, VenomSoftX. The malicious extension provides full access to every page the victim visits, carries out man-in-the-browser attacks to perform cryptocurrency addresses swapping by tampering with API requests’ data on popular cryptocurrency exchanges, steals credentials and clipboard content, tampers with crypto addresses on visited websites, reports events using MQTT to the C&C server, and more.

ViperSoftX is mostly spread via cracked software such as Adobe Illustrator, Corel Video Studio, Microsoft Office, and more, commonly distributed over torrents.

Campaign overview

Since the beginning of 2022, we have protected more than 93,000 of our users. As the malware is mostly spread via torrents and software-sharing sites, ViperSoftX activity is distributed all over the world. The most impacted countries are India (7,000+), USA (6,000+), and Italy (5,000+).

Map illustrating the targeted countries since the beginning of 2022

Monetary gain

Both ViperSoftX and VenomSoftX focus on stealing cryptocurrencies from infected computers, either by scanning local files or by using more sophisticated techniques. In the table below, we show an estimation of the attackers’ total earnings for relevant cryptocurrency wallets.

CryptocurrencyEarnings in cryptocurrency~Earning in USD
Bitcoin5.947 BTC$116,812.81
Ethereum5.312 ETH$7,826.13
Dogecoin34,355.528 DOGE$3,474.47
Bitcoin Cach9.11997194 BCH$1,021.39
Cosmos (ATOM)65.153 ATOM$846.44
Tezos191.445553 XTZ$241.32
Dash4.72446445 DASH$199

Table with monetary gain (data refreshed 2022-11-08)

The amounts in the wallets ViperSoftX and VenomSoftX redirect stolen cryptocurrencies to add up to about $130,421.56, as of November 8, 2022. This is just the amount sent to cryptocurrency wallets, and doesn’t include other possible profits from other activities.

Technical analysis

Overview of the infection chain

From cracked software to fake logs

In the beginning, ViperSoftX is served to victims when they download what they believe to be cracked software. It is commonly named Activator.exe or Patch.exe. Upon execution, however, the victim is infected with ViperSoftX.

Activator.exe extraction

Activator.exe is in fact a loader that decrypts data from itself using AES in CBC mode.

The decryption algorithm performs a checksum as follows:

  1. Read 4 bytes at offset 0x24 from the end of the file which gives an offset
  2. Hash the offset value using SHA256
  3. Read the rest of the bytes (from -0x20) and compare it to the hash

If the checksum holds, the offset points to the location where the data is stored at offset+0x24 from the end of the binary. Since the data is stored from the end of the binary, offset is also the size of the data blob. This blob can be decrypted straight away using a hardcoded key as well as IV inside the binary:

Key71C54C3BCFFCE591A70C0B5BA6448327BC975D89F3021053125F1CB9A7C0AF72
IVC0BA0B56EAC742AFD4CB680EE0EB4FB0

The decrypted data blob is a serialized protocol buffer structure. The structure template contains two protobuf messages as shown below:

We can use this template to deserialize the structure, revealing five different files:

  • A log file with a hidden additional payload resulting in the ViperSoftX PowerShell (see next subsections)
  • XML file for the task scheduler
  • SyncAppvPublishingServer.vbs (clean) that is used to create a scheduled task for persistence
  • Application binary (usually clean) that is supposed to be cracked
  • Manifest file

Last but not least, you can find the extraction Python script in our GitHub repository.

Analyzing the files

The most interesting file is the aforementioned “log file” which is usually more than 5 MB in size and contains a single malicious line of code (usually from 17,302 lines in total, but this might vary in different versions).

This log file is usually named and stored as:
C:\Windows\Logs\system-logs.txt
although we saw variants dropping the same “log” files disguising as a “driver” or a “text” file, e.g.
C:\Windows\System32\Drivers\p4kizn\e12de1ae-2139-45f6-b883-3c58243f23d6.sys
C:\Windows\2ZQ2UoL\5A7C4B54-4404-4424-83DA-CC696BED43D3.txt
where the subfolder names and the GUIDs are randomized.

An example of such a malicious line can be found below. As we will see later, this line actually contains a script that is decoded and executed.

Example of the log file with a single malicious line on the line 17,034

The malware creates a scheduled task using the legacy SyncAppvPublishingServer.vbs script for executing these hidden scripts afterward as well for ensuring persistence. Note that the line number varies depending on the malware configuration provided in the scheduled task.

Hidden Script Variants

We have seen two variants of hidden scripts lurking in the logs so far.

The first variant is a simple dropper that downloads another payload from a hardcoded C&C server and executes it. We have only seen the ViperSoftX information stealer downloaded as a payload so far. We will cover the stealer separately in the subsection below.

The first variant of the PowerShell script – simple dropper

The second variant is in the form of a PowerShell script without the encoding. This script contains two parts, the first one is a set of decryption functions and the second is an encrypted data blob.

Example of the log file with a single malicious line on line 17,034 (second variant)

The script uses AES in CBC mode to decrypt the payload, the ViperSoftX stealer. The AES key is passed via the command line by the scheduled task created by Activator.exe. You can find the decryption process in this CyberChef template.

ViperSoftX Information Stealer

When the payload is dropped, an obfuscated ViperSoftX PowerShell script is presented to us. We have seen multiple variants of ViperSoftX, suggesting that the malware is under active development. In the text below, we will cover the stealer’s features as a whole.

Stealing Capabilities

First, let’s have a look at what ViperSoftX is actually capable of stealing. ViperSoftX performs fingerprinting of the infected machine, focusing on various types of information, including:

  • Computer name
  • Username
  • OS information and its architecture
  • Installed antivirus or other security software and whether the solution is active

The malware focuses on stealing cryptocurrencies. To do so, it searches the typical locations for web browser extensions and locally stored wallets. The full list of locations can be found in the Appendix. More generic information, such as OS, architecture, and username, is obtained using WMI and system variables.

ViperSoftX searches for cryptocurrencies stored locally on the infected device in cryptocurrency software and browser extensions, and monitors the clipboard for cryptocurrency wallet addresses to perform clipboard swapping.

The gathered data, as well as the fingerprint, is then concatenated together into a single string, encoded by base64, and sent to the hardcoded C&C server in the User-Agent HTTP header. Note that C&C servers vary across versions:
http://api.private-chatting[.]com/connect

Each time the victim copies anything to their clipboard, ViperSoftX scans the content using predefined regular expressions in the background. If the expression matches one of the configured wallet addresses belonging to the specific cryptocurrency, the malware replaces the content with the attacker’s address and sends a notification to the C&C server in the X-Notify HTTP header in a form of three values:
Cryptocurrency type - victim’s address - attacker’s address

The cryptocurrency type reflects what type of cryptocurrency was matched and can be one of the following: BTC, BCH, BNB, ETH, XMR, XRP, DOGE, or DASH.

The malware also checks title texts of opened windows (MainWindowTitle property) and if it spots an application focused on cryptocurrencies or finance, it logs its presence into:
%SystemDrive%\Users\Public\log.dat
The full list of searched keywords can be found in the Appendix.

On top of the information-stealing core, ViperSoftX provides RAT functionalities as well, like executing arbitrary commands on the command line, downloading an additional arbitrary payload provided by the C&C server, and executing it, as well as removing itself completely from the system. The RAT functionality can also be used, for example, to steal cryptocurrencies from their locations, which it previously identifies and sends to the C&C server.

Host Header Spoofing

Aside from trying to steal cryptocurrencies, the malware spoofs host headers to obfuscate its communication with the C&C servers.

The spoofed host header consists of five to 10 lowercase alpha letters, but the true destination is in the hardcoded $meta_host variable. This way, the real C&C server address is obfuscated by a random-looking domain that doesn’t exist.

VenomSoftX Browser Extensions

Newer versions of ViperSoftX information stealer are capable of loading a custom malicious browser extension to Chromium-based browsers installed on infected computers. The extension is provided by the C&C server. The extension is basically another standalone information stealer, we are calling VenomSoftX, but is installed by ViperSoftX, as described below. The extension disguises itself as various popular browser extensions to avoid user detection. 

The main goal VenomSoftX is also to steal cryptocurrencies from the unsuspecting victim. The difference is, VenomSoftX mainly does this by hooking API requests on a few very popular crypto exchanges victims visits/have an account with. When a certain API is called, for example, to send money, VenomSoftX tampers with the request before it is sent to redirect the money to the attacker instead. Although similar in principle to what information stealers like ViperSoftX do and rather a common clipboard swapping, this technique is performed at a lower level, meaning the victim has little to no chance of noticing the money is being transferred elsewhere.

Installing the extension

ViperSoftX’s approach is simple. The malware downloads a VenomSoftX PowerShell installer from the C&C server e.g. by base64-decoding a hardcoded request metadata directly from the PowerShell script, following a request to:
http://apps-analyser[.]com/api/v1/<HASH>
depending on the malware version. This can hold different payloads, but we will focus on the VenomSoftX browser extension.

After the installer script is downloaded from the C&C server and the VenomSoftX browser extension is extracted, the installer searches several locations for .lnk files and if such a link file belongs to Chrome, Brave, Opera, or Edge, it modifies the link file with a parameter --load-extension=<path_to_the_malicious_extension>. This way, when the user starts their favorite browser, they actually load the malicious extension with it.

These locations are checked for link files leading to browsers:

  • %USERPROFILE%\Desktop
  • %USERPROFILE%\OneDrive\Desktop
  • %PUBLIC%\Desktop
  • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

The extension ID is randomly generated, provided random lowercase characters to represent the extension folder and randomly generated version number of the extension:

$(Get-Random -Minimum 1 -Maximum 10).$(Get-Random -Minimum 1 -Maximum 10).$(Get-Random -Minimum 1 -Maximum 10)._0

We observed further versions of ViperSoftX containing a full update mechanism. These versions were able to walk through the modified .lnk files, parse the manifest.json file of the malicious extension, and when an older version or an old write timestamp of the extension was detected on the infected system than what was advertised by the C&C server, the malware requested an update and replaced the extension files to the newest version by a dedicated command (provided by the C&C server).

The extension tries to disguise itself as well known and common browser extensions such as Google Sheets. In reality, the VenomSoftX is yet another information stealer deployed onto the unsuspecting victim with full access permissions to every website the user visits from the infected browser.

Diving into javascript shenanigans

The extension contains several files, as shown in the table below. Each file has a different purpose:

File namePurpose
128.pngGoogle Sheets icon to disguise the extension
content.bootstrap.jsOrchestrates the malicious activity, sends results using MQTT
manifest.jsonThe extension’s manifest file
rules.jsonURL filter rules for Kucoin
webpack_block.jsRequest tampering and credential theft on Blockchain.com
webpack_bnb.jsRequest tampering and cryptocurrency theft on Binance
webpack_cb.jsRequest tampering and cryptocurrency theft on Coinbase
webpack_common.jsContains an address book for pattern matching, clipboard monitoring and stealing
webpack_content.jsWhen no exchange is detected – attacker’s addresses are replaced on the visited websites with the ones that victim entered earlier
webpack_gt.jsRequest tampering and cryptocurrency theft on Gate.io
webpack_kuc.jsRequest tampering and cryptocurrency theft on Kucoin

The malware focuses on five big cryptocurrency exchanges, reflected by abbreviations in the modules names.

In the paragraphs below, we’ll focus on what each of the modules do, in detail.

content.bootstrap.js

This module is the starting point of VenomSoftX and it is loaded with every site visit. It orchestrates what modules to load and it is also responsible for sending stolen data to the C&C server.

The scripts are loaded depending on the visited domain. The bootstrap checks what site is being loaded and if it is one of the following: Blockchain.com, Binance, CoinBase, Gate.io, or Kucoin, the module loads an appropriate “webpack”. If the user is on any other site, webpack_content.js is loaded. The module webpack_common.js is loaded by default regardless of which site the victim visits.

Determination process which modules to load (deobfuscated)

All the modules serve their own purpose. However, two of the modules, webpack_common.js and webpack_block.js, are capable of sending data back to the collector server using a Paho MQTT client present in the content.bootstrap.js. The MQTT client has an event listener set to a hardcoded value b8b0becb-080a-46af-9688-e3671fcc4166 that indicates data should be sent to an MQTT broker, harvesting the data:
broker.emqx[.]io
Note that the collector address can vary in different versions.

The sent data are structured as follows:
MSG: time: <utc_datetime>
ip: <client_ip>
data: <data>

The time and ip fields are obtained using a public service (https://worldtimeapi.org/api/ip).

The data field is either clipboard content with a cryptowallet and other metadata, or stolen credentials for blockchain.com. See further sections below for details.

webpack_common.js

The “common” module is loaded to every website, regardless of whether it is a cryptocurrency exchange or something else. It is used to define an address book with regular expression patterns, which is used for crypto address matching on several occasions in other modules.

The structure of the address book is in the form of a dictionary, where the key is the regular expression and the value is yet another dictionary containing three values: coin, address, and network. An example of such an address book can be seen in the below snippet. For the full address book, see Appendix.

A snippet of a possible address book (incomplete, deobfuscated)

Furthermore, each time the user pastes anything into any website (except the malicious address from the address book), this module checks whether the clipboard content matches any of the regular expressions from the address book and if they do, it sends the following data to the collector server encoded using base64. The data for the MQTT message has a following construct:

Action

Site: <URL>
Browser: <USER-AGENT>
Clipboard: <CLIPBOARD-WALLET-ADDRESS>
Time: <TIMESTAMP>

webpack_content.js

This module monitors two input elements for content the user fills into websites and it is loaded when the victim is outside of any of the mentioned exchange sites:

  • HTMLInputElement
  • HTMLTextAreaElement

This is done by implementing hooks in getters of these elements to try to find a compatible crypto address for the user’s input and if found, the malware creates new localStorage entry with a combination of visited site and the compatible address:
website_attackerAddress: userAddress
The compatible address is found when the provided address matches any of the regular expressions from the address book described in the previous section.

After that, a custom MutationObserver watches for dynamic changes in the site (e.g. loading the page, displaying a message sent earlier in the user’s messenger client, etc.) and if such a change occurs, the malware replaces all mentions of the malicious address (if found) with the user’s address using the localStorage. This effectively hides all traces of the malicious address in the website’s body.

Note that since the information is stored directly in the persistent localStorage, the functionality survives a browser restart, PC restart, or re-visiting the page anytime in the future. The victim has to clear the user data in their browser or uninstall the malware extension altogether to get rid of the malicious behavior.

For the sake of demonstrating this behavior, we decided to create a demo PoC of a simple page that illustrates the whole process of content tampering while the malware is active:

  1. First two buttons, Attacker address and User address, fill in attacker address or user address to the “Dynamic content to be pasted” line on the webpage
  2. Get value” button triggers the getter but the hook is inactive since the provided address doesn’t match cryptowallet address pattern (it is too short)
  3. The user fills in a compatible address
  4. Get value” button creates a localStorage entry with the entered address
  5. The attacker’s address is always replaced with the one from localStorage
Demo illustrating the content tampering process

Draining the victim’s accounts

As we already mentioned, VenomSoftX focuses on five different crypto exchanges/websites, namely on Blockchain.com, Binance, Coinbase, Gate.io, and Kucoin.

In these modules, the malware tries to tamper with API requests the sites use for several actions like money withdrawal or sending security codes. This is done by creating hooks on the API calls (or rather functions responsible for sending those requests), parsing their structure, and replacing the response’s body with the desired attacker’s contents – commonly meaning that the recipient’s address is replaced by the attacker’s one as well as the amount is set to the value of an available account balance if known. The request is then processed by the malware without the user noticing anything, completely draining the victim’s portfolio as a result.

Note that the user has little to no chance to notice this. In comparison to a rather common clipboard swapping, for example, this “swapping” is performed on a lower level. Since the transactions on blockchains/ledgers are inherently irreversible, when the user checks the transaction history of payments afterward, it is already too late.

The complete list of hooked API functions can be found in the Appendix. The only file that differs from the rest is webpack_block.js. This module focuses on www.blockchain.com and it tries to hook https://blockchain.info/wallet. It also modifies the getter of the password field to steal entered passwords. Once the request to the API endpoint is sent, the wallet address is extracted from the request, bundled with the password, and sent to the collector as a base64-encoded JSON via MQTT.

Since the rest of the hooks are the same on the higher level if we ignore API differences, we will use the Binance module as an illustration example.

The Binance module recognizes six different API calls invoking malicious interactions. When the user logs in to the site, it is expected that at some point the API function
https://www.binance.com/bapi/asset/v3/private/asset-service/asset/get-user-asset
will be called. VenomSoftX then parses and saves all assets available on the victim’s account. When the user tries to manipulate their savings, e.g. withdrawing their money, the malware intercepts the request
https://www.binance.com/bapi/capital/v3/private/capital/withdraw/apply
and tampers with the request body, modifying the address to redirect the money to the attacker’s address if a compatible attacker’s address was found. The amount of the request is also set to the maximum amount available obtained by the previous step. After the tampering, the request is passed further like nothing happened, effectively draining the victim’s wallet.

Conclusion

In this blog post, we took a closer look at ViperSoftX, a long-standing information stealer, and its malicious browser extension payload VenomSoftX. We described both information stealers’ infection chains, and how the original payload hides and decrypts on the infected system.

We described what both ViperSoftX and VenomSoftX steal and how the browser extension leverages its full access to every page the victim visits and carries out man-in-the-browser attacks by silently tampering with the API requests popular cryptocurrency exchanges use, resulting in draining the victim’s accounts.

Indicators of Compromise (IoC)

ViperSoftX

File nameSHA256
Activator.exee1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a
Hidden log script first variant0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2
Hidden log script second variant0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f
ViperSoftX PowerShell23b9075dac7dbf712732bb81ecd2c21259f384eb79ae8fdebe29b7c5a12d0519
ViperSoftX’s browser installer5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add

VenomSoftX

File nameSHA256
content.bootstrap.js3fe448df20c8474730415f07d05bef3011486ec1e070c67683c5034ec76a2fcb
manifest.json0de9a23f88b9b7bda3da989dce7ad014112d88100dceaabca072d6672522be26
rules.json1d6845c7b92d6eb70464a35b6075365872c0ae40890133f4d7dd17ea066f8481
webpack_block.js7107ab14a1760c6dccd25bf5e22221134a23401595d10c707f023f8ca5f1b854
webpack_bnb.jsddee23e2bfd6b9d57569076029371e6e686b801131b6b503e7444359d9d8d813
webpack_cb.js947215a1c401522d654e1d1d241e4c8ee44217dacd093b814e7f38d4c9db0289
webpack_common.js7b75c1150ef10294c5b9005dbcd2ee6795423ec20c512eb16c8379b6360b6c98
webpack_content.jsd7dfc84af13f49e2a242f60804b70f82efff7680cddf07f412667f998143fe9c
webpack_gt.js4da1352e3415faa393e4d088b5d54d501c8d2a9be9af1362ca5cc0a799204b37
webpack_kuc.js705deecbbb6fd4855df3de254057c90150255c947b0fb985ea1e0f923f75a95f

C&C

C&C
api.private-chatting[.]com
apps-analyser[.]com
wmail-blog[.]com
wmail-service[.]com

Appendix

Scripts and tools

  • Extractor for ViperSoftX’s initial payloads (commonly named Activator.exe)
  • CyberChef template for decrypting the second variant of the hidden scripts in logs

List of wallet addresses

CryptocurrencyAddress
ADAaddr1q9c27w7u4uh55sfp64ahtrnj44jkthpe7vyqgcpt73z9lrq7fw3juld8k2ksz2p82tv45j8yc5wzqmr4ladxyt0vjxrsf33mjk
ATOMcosmos1mcah8lel6rxhlqsyrzpm8237cqcuzgyw70nm6f
BNBbnb1u64a2n3jhw4yh73s84rc58v8wxrwp7r8jwakpr
BNBbnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq
BTC1L8EBHDeiHeumtcpcroaxBceXnWFiYU5dh
BTC1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX
BTC32Wx3dsHCCxyJZLwseFYkgeFqVk16tCCcF
BTC3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP
BTCbc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp
BTCbc1qxgz2g8kn2kg0wqqrmctyxu5n925pnwphzlehaw
BTCqq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a
BTCqqh3g98z60rdl05044xxt7gkgncezmdfy5tja99z53
DASHXdxTmTFuHrcHnQQhfweAnHtExFB5BXmU1z
DASHXtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng
DOT122zNSYNN2TSR2H5wBCX16Yyvq7qLFWo1d6Lvw2t9CNxMxt1
DOGEDDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq
DOGEDUUNTm23sVwLyiw27WW9ZPT9XfiWhB1Cvf
ETH0x12507F83Dde59C206ec400719dF80D015D9D17B6
ETH0x884467182849bA788ba89300e176ebe11624C882
KAVAkava1emxzwjw84e0re7awgue9kp4gseesyqrttg69sm
SOL7j5bxiFPSsScScBEjLj9qud5Yc2CqXGmembX3hQBdFTd$
USDTTDJLMdJWPrKNMHuxgpQL8QPYgvdXTnWJao
XMR475WGyX8zvFFCUR9ufThrNRtJmzmU13gqH9GV2WgAjbR7FgRVCWzokdfVf2hqvRbDBaMzBm1zpDiBTpBgxLt6d7nAdEEhC4
XMR48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x
XRPrH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz
XRPrpzn8Ax7Kz1A4Yi8KqvzV43KYsa59SH2Aq
XTZtz1g6rcQAgtdZc8PNUaTUzrDD8PYuCeVj4mb
ZECt1XjiZx8EydDDRuLisoYyVifcSFb96a3YBj
ZILzil1aw3kyrymt52pq2e4xwzusdfce9e5tmewvshdrm

Also in our GitHub.

ViperSoftX

List of monitored cryptocurrency locations

Complete list in our Github.

List of monitored window titles

Monitored window titles
binance
coinbase
blockchain
voyager
blockfi
coindesk
etoro
kucoin
citi
paxful
paypal
huobi
poloniex
bittrex
kraken
bitfinex
bitstamp

Also in our GitHub.

VenomSoftX

Address book

Complete list in our Github.

List of hooked API calls

Blockchain.com
https://blockchain.info/wallet
Binance
https://www.binance.com/bapi/accounts/v1/protect/account/email/sendEmailVerifyCode
https://www.binance.com/bapi/accounts/v1/protect/account/email/sendMobileVerifyCode
https://www.binance.com/bapi/kyc/v1/private/risk/check/withdraw-pre-check
https://www.binance.com/bapi/capital/v3/private/capital/withdraw/apply
https://www.binance.com/bapi/asset/v3/private/asset-service/asset/get-user-asset
https://www.binance.com/bapi/capital/v1/private/capital/deposit/queryUserDepositAddress
Coinbase
https://www.coinbase.com/api/v3/coinbase.public_api.authed.sends.Sends/CreateSend
https://www.coinbase.com/api/v3/coinbase.public_api.authed.sends.Sends/CreateSendMax
https://www.coinbase.com/api/v3/coinbase.public_api.authed.accounts.Accounts/GetAccounts
https://www.coinbase.com/api/v3/coinbase.public_api.authed.sends.Sends/CommitSend
https://www.coinbase.com/graphql/query?&operationName=ReceiveContentQuery
Gate.io
https://www.gate.io/myaccount/second_confirm
Kucoin
https://www.kucoin.com/_api/payment/withdraw/safe-img
https://www.kucoin.com/_api/payment/withdraw/apply
https://www.kucoin.com/_api/account-front/query/currency-balance
https://www.kucoin.com/_api/payment/deposit-address/get

The post ViperSoftX: Hiding in System Logs and Spreading VenomSoftX appeared first on Avast Threat Labs.

PNG Steganography Hides Backdoor

10 November 2022 at 12:15

Our fellow researchers from ESET published an article about previously undocumented tools infiltrating high-profile companies and local governments in Asia. The tools, active since at least 2020 are designed to steal data. ESET dubbed them Worok. ESET monitored a significant break in activity from May 5, 2021 to the beginning of 2022. Nevertheless, when Worok became active again, new targeted victims – including energy companies in Central Asia and public sector entities in Southeast Asia – were infected to steal data based on the types of the attacked companies.

The researchers from ESET described two execution chains and how victims’ computers are compromised. The initial compromise is unknown, but the next stages are described in detail, including describing how the final payload is loaded and extracted via steganography from PNG files. However, the final payload has not been recovered yet. Detailed information about Worok, chains, and backdoor commands can be found in the ESET’s article Worok: The big picture.

Our analysis aims to extend the current knowledge of ESET research. We have captured additional artifacts related to Worok at the end of the execution chain. The PNG files captured by our telemetry confirm that the purpose of the final payload embedded in these is data stealing. What is noteworthy is data collection from victims’ machines using DropBox repository, as well as attackers using DropBox API for communication with the final stage.

Compromise Chain

We intend to remain consistent with the terminology set by ESET’s research. Our research also has not discovered the whole initial compromise of the malware. However, we have a few new observations that can be part of an infiltrating process.

Figure 1 illustrates the original compromise chain described by ESET. In some cases, the malware is supposedly deployed by attackers via ProxyShell vulnerabilities. In some corner cases, exploits against the ProxyShell vulnerabilities were used for persistence in the victim’s network. The attackers then used publicly available exploit tools to deploy their custom malicious kits. So, the final compromise chain is straightforward: the first stage is CLRLoader which implements a simple code that loads the next stage (PNGLoader), as reported by ESET.

Figure 1. Worok compromise chain
Initial Compromise

The specific initial attack vector is still unknown, but we found four DLLs in compromised machines containing the code of CLRLoader. Our detections captured a process tree illustrated in Figure 2.

Figure 2. Process tree running CLRLoader

This process tree was observed for WLBSCTRL.DLL, TSMSISrv.DLL, and TSVIPSrv.DLL. The mutual process that executes the DLLs is svchost -k netsvcs. Therefore, the initial process is SvcHost introducing a Windows service. The DLL files help us to identify two Windows services, namely IKE and AuthIP IPsec Keying Modules (IKEEXT) and Remote Desktop Configuration (SessionEnv). Both services are known for their DLL hijacking of DLL files missing in the System32 folder by default, SCM and DLL Hijacking Primer.

Lateral movement

The DLL hijacking in the System32 folder is not a vulnerability by itself because the attackers need administrator privileges to write into it. However, we assume the existence of an implemented reverse shell with administrator privileges as a consequence of the initial compromise. In that case, the attacker can efficiently perform the lateral movement via Service Control Manager (SVCCTL).

In short, the attackers place the hijacked DLL files into %SYSTEMROOT%\System32 and then start an appropriate service remotely. 

List of abused Windows services and their DLL files:

  • IKE and AuthIP IPsec Keying Modules
    • C:\Windows\System32\WLBSCTRL.dll
  • Remote Desktop Configuration
    • C:\Windows\System32\TSMSISrv.dll
    • C:\Windows\System32\TSVIPSrv.dll

The second observed DLL hijacked is related to VMware machines. The attackers can misuse the hijacking of vmGuestLib.dll, which is used by the WMI Performance Adapter (WmiApSrv) service to provide performance information.

On system start, WmiApSrv loads vmStatsProvider.dll, which tries to call vmGuestLib.dll from %ProgramFiles%\VMware\VMware Tools\vmStatsProvider\win32 as the first one. However, the original library is located at %SYSTEMROOT%\System32. Hence, if the attackers place vmGuestLib.dll into the %ProgramFiles% location, it also leads to DLL hijacking.

These two approaches are probable scenarios of how CLRLoader can be executed, and the compromise chain shown in Figure 1 launched. The elegance of this approach is that attackers do not have to create a new service that may reveal suspicious activities. The attackers abuse only export functions of hijacked DLLs, whose empty reimplementation does not cause an error or any other indicator of compromise. Moreover, the persistence of CLRLoader is ensured by the legitim Windows services.

CLRLoader

CLRLoader is a DLL file written in Microsoft Visual C++. It implements the DllMain method, which is responsible for loading the next stage (.NET variant of PNGLoader). The rest of the exported functions correspond to the interfaces of the hijacked DLLs, but the implementation of the export functions is empty. So, invoking this function does not cause a crash in the calling processes. Just for completeness, the hijacked files also contain digital signatures of the original DLL files; naturally, the signature is invalid.

CLRLoader is activated by calling LoadLibraryExW from an abused process/service. LoadLibraryExW is called with zero dwFlags parameters, so the DllMain is invoked when the malicious DLL is loaded into the virtual address space. An example of the CLRLoader code can be seen in Figure 3.

Figure 3. DllMain of hijacked DLL

CLRLoader checks the presence of the .NET DLL file containing PNGLoader, creates a mutex, and finally executes PNGLoader via CorBindToRuntimeEx API.

We recognized two variants of PNGLoader with the entry points as follow:

  • Jsprofile.Jspfilter (Setfilter)
  • pngpcd.ImageCoder (PngCoder)

PNGLoader

The second stage (PNGLoader) is loaded by CLRLoader or, as reported by ESET, by PowHeartBeat. We do not see any code deploying PNGLoader on infiltrated systems yet, but we expect to see it in a similar manner as the lateral movement.

PNGLoader is a loader that extracts bytes from PNGs files and reconstructs them into an executable code. PNGLoader is a .NET DLL file obfuscated utilizing .NET Reactor; the file description provides information that mimics legitimate software such as Jscript Profiler or Transfer Service Proxy.

The deobfuscated PNGLoader code includes the entry point (Setfilter) invoked by CLRLoader. There is a hardcoded path loader_path that is searched for all PNG files recursively. Each .png file is verified to the specific bitmap attributes (height, width) and steganographically embedded content (DecodePng). The Setfilter method is shown in Figure 4.

Figure 4. The Setfilter method of PNGLoader

The steganographic embedding relies on one of the more common steganographic techniques called least-significant bit (LSB) encoding. In general, this method embeds the data in the least-significant bits of every pixel. In this specific implementation, one pixel encodes a nibble (one bit per each alpha, red, green, and blue channel), i.e. two pixels contain a byte of hidden information, as illustrated in Figure 5. While this method is very easy to detect by a simple statistical analysis, such change in pixel value is hardly perceivable by the naked eye.

Figure 5. Byte reconstruction from 2 pixels

The steganographically embedded content is then extracted in four steps as follows.

  • The first 16 bytes (32 pixels) of the PNG file are extracted, and the first 8 bytes must match a magic number. This check is performed due to the computational complexity necessary to pull the rest of the pixels (approx. hundreds of thousands of pixels). The following 8 bytes then represent the length of the embedded payload.
  • The following extracted data is an encrypted payload in Gzip format.
  • The extracted payload is decrypted using a multiple-byte XOR hard-coded in PNGLoader.
  • The result of XORing is Gzip data that is un-gzipped.

The result of these steps is the final payload steganographically embedded in the PNG file.

Steganographically Embedded Payload

If PNGLoader successfully processes (extract → decode → unpack) the final payload, it is compiled in runtime and executed immediately. Our telemetry has picked up two variants of PNGLoader working with the magic numbers recorded in Figure 6.

Figure 6. Data structure embedded in PNG bitmap

The first payload implementation is a PowerShell script, as demonstrated by the code fragment of PNGLoader in Figure 7. Like our ESET colleagues, we have no sample of this payload yet, but we expect a similar function as the second payload implementation described below.

Figure 7. Code fragment of PNGLoader executing the PowerShell payload

The second payload implementation is .NET C# compiled and executed via the CompileAssemblyFromSource method of the CSharpCodeProvider class, see Figure 8.

Figure 8. Execution of C# payload embedded in PNG bitmap

The .NET C# payload has a namespace Mydropbox, class Program, and method Main. The namespace indicates that the payload operates with DropBox. Our telemetry captured a few PNG files, including the steganographically embedded C# payload.

PNG Files

At first glance, the PNG pictures look innocent, like a fluffy cloud; see Figure 9. Our telemetry has captured three PNG pictures with the following attributes: 

  • Size: 1213 x 270 (px)
  • Bit Depth: 8, Color Type: 6 (RGB + Alpha)
Figure 9. Malicious PNG file with steganographically embedded C# payload

As we mentioned before, malware authors rely on LSB encoding to hide malicious payload in the PNG pixel data, more specifically in LSB of each color channel (Red, Green, Blue, and Alpha). Let us have a look at their bit-planes. Figure 10 shows one of the higher bit planes for each color channel; notice that each of these images looks far from random noise. If we had a look at an image without data embedded in its LSB, we would usually see similar patterns.

Figure 10. One of the RGB bit-planes without hidden data

Now, to put it into contrast, let us have a look at LSB bit-planes. Figure 11 shows LSB bit-planes for every channel of the PNG image with the embedded encrypted (and compressed) payload. Recall that both encryption and compression should usually increase the entropy of the image. Therefore, it should be no surprise that LSB bit-planes of such an image look like random noise. It is evident that the whole canvas of LSB bit-planes is not used.

Figure 11. Zero (LSB) bit-plains channels with embedded data

The payload occupies only pixels representing the payload size, and the rest are untouched; see the algorithm below.

In this specific case, the PNG files are located in C:\Program Files\Internet Explorer, so the picture does not attract attention because Internet Explorer has a similar theme as Figure 12 shows.

Figure 12. Example of graphic Internet Explorer theme

DropBoxControl

At this time, we can extend the ESET compromise chain by the .NET C# payload that we call DropBoxControl – the third stage, see Figure 13.

Figure 13. Extended compromise chain

DropBoxControl is a backdoor that communicates with the attackers via the DropBox service. Noteworthy, the C&C server is a DropBox account, and whole communications, such as commands, uploads, and downloads, are performed using regular files in specific folders. Therefore, the backdoor commands are represented as files with a defined extension. DropBoxControl periodically checks the DropBox folder and executes commands based on the request files. The response for each command is also uploaded to the DropBox folder as the result file.

The text below describes the individual DropBoxControl components and the whole backdoor workflow.

DropBox API

DropBoxControl implements the DropBox communication by applying the standard API via HTTP/POST. There is a dedicated class, DropBoxOperation, wrapping the API with the method summarized in Table 1. A DropBox API key, sent in the HTTP header, is hard-coded in the DropBoxControl sample but can be remotely changed.

DropBoxControl MethodAPI
DropBox_FileDownloadhttps://content.dropboxapi.com/2/files/download
DropBox_DataUploadhttps://content.dropboxapi.com/2/files/upload
DropBox_FileDeletehttps://api.dropboxapi.com/2/files/delete_v2
DropBox_GetFileListhttps://api.dropboxapi.com/2/files/list_folder
Table 1. DropBox API implemented by DropBoxControl
Commands

The attackers control the backdoor through ten commands recorded in Table 2.

CommandDescription
cmdRun cmd /c <param> & exit, the param is sent by the attackers.
exeExecute a defined executable with specific parameters.
FileUploadDownload data from the DropBox to a victim’s machine.
FileDownloadUpload data from a victim’s machine to the DropBox.
FileDeleteDelete data from a victim’s machine.
FileRenameRename data from a victim’s machine.
FileViewSent file information (name, size, attributes, access time) about all victim’s files in a defined directory
ChangeDirSet a current directory for the backdoor
InfoSend information about a victim’s machine to the DropBox
ConfigUpdate a backdoor configuration file; see Configuration
Table 2. Backdoor commands

The Info command sends basic information about an infiltrated system as follows:

  • ClientId hard-coded in each DropBoxControl sample
  • Version of DropBoxControl sample (seen 1.1.2.0001)
  • Hostname of a victim’s machine
  • List of all victim’s IPs
  • Version and file size of explorer.exe
  • Windows architecture
  • List of hard drivers, including total size, available free space, and drive type
  • The current time of victim’s machine
Configuration

DropBoxControl, the object of this study, uses three files located on C:\Program Files\Internet Explorer. The file names try to look legitimate from the perspective of the Internet Explorer folder.

ieproxy.dat

This file contains the DropBoxControl configuration that is encrypted. It configures four variables as follows:

  • DropboxId: API key used for authorization
  • Interval: how often the DropBox disk is checked
  • UpTime/DownTime: defines the time interval when the backdoor is active (seen 7 – 23)

See the example of the configuration file content:
Bearer WGG0iGT****AAGkOdrimId9***QfzuwM-nJm***R8nNhy,300,7,23

iexplore.log

The iexplore.log file is a log file of DropBoxControl which records most actions like contacting the DropBox, downloading/uploading files, configuration loading, etc. Log entities are logged only if a sqmapi.dat file exists. The login engine is curiously implemented since the log file is not encrypted and contains decrypted data of the ieproxy.dat file.

Encryption

DropBoxControl encrypts the configuration file (actually without effect), and the DropBox communication. The config file is encrypted using multi-byte XOR with a hard-coded key (owe01zU4). Although the API communication is encrypted via HTTPS, data stored on the DropBox is encrypted by its own algorithm.

The data is encrypted using another hard-coded byte array (hexEnc), TaskId, and ClientId. Moreover, TaskId is used as an index to the hexEnc array, and the index is salted with ClientId in each iteration; see Figure 14. It is similar to the algorithm used by PowHeartBeat, as described in the ESET report.

Figure 14. Encryption algorithm used for DropBox files
DropBox Files

As we mentioned above, the communication between the backdoors and the attackers is performed using the DropBox files. In general, DropBox files that contain valuable information are encrypted. Each file, in addition to the data itself, also includes flags, the task type (command), and other metadata, as seen in Figures 15 and Table 3.

Figure 15. The file structure of DropBox files
ItemLengthDescription
EncType1Flag – data in the file is encrypted
GzipType1Flag – data in the file is gzipped
TaskType2Command type
DataLen4Data length
Table 3. DropBox file header

Returning to the DropBox files, we explore a DropBox file structure of the DropBox account. A root folder includes folders named according to the ClientId that is hard-coded in the DropBoxControl sample; more precisely, in the PNG file.

Each client folder holds a time.txt file which includes a number that is a count of the backdoor iteration. One iteration means contacting and processing an appropriate client folder in the DropBox repository.

The attackers specify the task type and eventual parameters. The task type and parameters are then packed using the file header and uploaded into the appropriate client folder as a request file (.req). Further analysis found that the backdoor processes its .req files and creates a result file (.res) as a response for each request file. The result file has the same file structure shown in Figure 15, but data, data length, and task type have different values, since returned data contains requested (stolen) information.

Comparing all DropBox folders (Figure 16), we determined the name of the request and result files in this form: [0-9]+-[0-9]+. The filename is used for request/response identification and also for data encrypting.

For example, let’s use the request file name 31-1233.req. The IDMessage is 31-1233 and TaskId is 1233. So, the data is encrypted using the ClientId and TaskId, plus hard-coded hexEnc; see Encryption.

Figure 16. List of DropBox files
DropBoxControl Workflow

We defined and described the basic functionality of DropBoxControl in the sections above. Therefore, we can summarize all this knowledge into a backdoor workflow and outline the whole process of data collecting, uploading, downloading, and communicating with the DropBox repository.

In the beginning, PNGLoader extracts the stenographically embedded DropBoxControl and invokes the Main method of the C# Mydropbox.Program class. DropBoxControl then decrypts and loads the configuration file containing the DropBox API key. Most of the actions are recorded in the log file.

If the current time is between UpTime and DownTime interval, DropBoxControl is active and starts the main functionality. It contacts the DropBox repository and uploads the time.txt file into the client folder. If the time.txt upload is successful, the backdoor downloads a list of all files stored in the client folder. The file list is iterated, and each request (.req) file is downloaded and processed based on the tasks type (command). DropBoxControl executes the command and creates the result file (.res) with the requested information. The resulting encrypted file is uploaded back into the client folder. Finally, the processed request (.req) file is deleted.

Victimology

The victims we saw targeted in this campaign are similar to those that ESET saw. The victims of this campaign were companies and government institutions in Asia and North America, namely Mexico. Vietnam and Cambodia are the other countries affected by DropBoxControl. One of the DropBoxControl connections was monitored from an IP associated with the Ministry of Economic Development of Russia.

Discussion

The third stage of the compromise chain is represented by the C# implementation of DropBoxControl. The DropBoxControl functionality allows attackers to control and spy on victims’ machines. Moreover, the backdoor has access to the Program Files folder, so we expect it to run under administrator privileges. The most common command observed in log files is obtaining information about victims’ files, followed by data collecting.

The typical command for the data collecting is via the cmd command; see the example below:

rar.exe a -m5 -r -y -ta20210204000000 -hp1qazxcde32ws -v2560k Asia1Dpt-PC-c.rar c:\\*.doc c:\\*.docx c:\\*.xls c:\\*.xlsx c:\\*.pdf c:\\*.ppt c:\\*.pptx c:\\*.jpg c:\\*.txt >nul

The attacks focus on collecting all files of interest, such as Word, Excel, PowerPoint, PDF, etc. They recursively search the files in the C:\ drive and pack them into an encrypted rar archive, split into multiple files.

Another command decrypted from the request file executes Ettercap, which sniffs live network connections using man-in-the-middle attacks; see the command below:

ettercap.exe -Tq -w a.cap -M ARP /192.168.100.99/ //

The attackers can sniff network communications and intercept user credentials sent via, e.g., web pages.

In short, DropBoxControl is malware with backdoor and spy functionality.

DropBox Account

Our telemetry has captured these three DropBox APIs:

Bearer gg706X***************Ru_43QAg**********1JU1DL***********ej1_xH7e
Bearer ARmUaL***************Qg02vynP**********ASEyQa***********deRLu9Gx
Bearer WGG0iG***************kOdrimId**********ZQfzuw***********6RR8nNhy

Two keys are registered to “Veronika Shabelyanova” (vershabelyanova1@gmail[.]com) with Chinese localization. The email is still active, as well as the DropBox repository. The user of the email is a Slavic transcription of “Вероника Шабелянова”.

The third DropBox repository is connected with a Hong Kong user “Hartshorne Yaeko” (yaekohartshornekrq11@gmai[l].com)

DropBox Files

We are monitoring the DropBox repositories and have already derived some remarkable information. The DropBox accounts were created on 11 July 2019 based on README files created on account’s creation.

At this time, there is only one DropBox repository that seems to be active. It contains seven folders with seven time.txt files, so there are seven active DropBoxControl instances, since the time.txt files have integers that are periodically incremented; see DropBox Files. Moreover, the integer values indicate that the backdoors run continuously for tens of days. Regarding the backdoor commands, we guess the last activity that sent request files was on 1 June 2022, also for seven backdoors. Finally, the total count of folders representing infiltrated machines equals twenty-one victims.

In April 2022, the attackers uploaded a Lua script implementing the nmap Library shortport searching for Telnet services using s3270 to control IBM mainframes; see the script below.

Code Quality of DropBoxControl

While we usually refrain from commenting on the code quality, in this case it deserves mentioning as the code quality is debatable at best and not every objection can be blamed on obfuscation.

The code contains a lot of redundant code; both duplicate code and code that serves no function. An indication of unfamiliarity with C# is usage of one’s own implementation of serialization/deserialization methods instead of using C# build-in functions. The threading code does not rely on usual synchronization primitives such semaphores, mutexes, etc. but rather uses bool flags with periodic checks of thread states. The code also contains parts that are presumably copied from API documentation. For instance, the implementation of DropBox_FileDownload contains the same comment as in the DropBox documentation; see the illustration below.

Another weird quirk is the encryption method for the configuration file. The DropBoxControl author has attempted to obfuscate the configuration in the ieproxy.dat file because the API key is sensitive information. However, when the config file is decrypted and applied, the configuration content is logged into the iexplore.log file in plain text.

In other words, the whole DropBoxControl project looks like a school project. Authors do not adhere to usual coding practices, rely on their own implementation of common primitives, and reuse code from documentation examples. This leads us to an assessment that DropBoxControl authors are different from authors of CLRLoader and PNGLoader due to significantly different code quality of these payloads.

Conclusion

The purpose of this study has been to confirm the assumptions of our fellow researchers from ESET published in the article about the Worok cyberespionage group. Our research managed to extend their compromise chain, as we have managed to find artifacts that fit the chain accompanying the samples in question.

We have described probable scenarios of how the initial compromise can be started by abusing DLL hijacking of Windows services, including lateral movement. The rest of the compromise chain is very similar to the ESET description.

The key finding of this research is the interception of the PNG files, as predicted by ESET. The stenographically embedded C# payload (DropBoxControl) confirms Worok as the cyberespionage group. They steal data via the DropBox account registered on active Google emails.

The prevalence of Worok’s tools in the wild is low, so it can indicate that the toolset is an APT project focusing on high-profile entities in private and public sectors in Asia, Africa, and North America.

Appendix

DropBoxControl Log

[02:00:50]:[+]Main starts.
[02:00:50]:[+]Config exists.
[02:00:50]:[__]DecryptContent is 1,Bearer gg706Xqxhy4*****************gQ8L4OmOLdI1JU1DL**********1ej1_xH7e#,300,7,23
[10:39:40]:[+]In work time.
[10:39:42]:[UPD] UploadData /data/2019/time.txt Starts!
[10:40:08]:[UPD] UploadData /data/2019/time.txt Success!
[10:40:10]:[UPD] UploadData Ends!
[10:40:10]:[+]Get Time.txt success.
[10:40:11]:[+] DropBox_GetFileList Success!
[10:40:11]:[DOWN] DownloadData /data/2019/31-3.req Starts!
[10:40:13]:[DOWN] DownloadData /data/2019/31-3.req Success!
[10:40:13]:[DOWN] DownloadData Ends!
[10:40:26]:[UPD] UploadData /data/2019/31-3.res Starts!
[10:40:27]:[UPD] UploadData /data/2019/31-3.res Success!
[10:40:27]:[UPD] UploadData Ends!
[10:40:27]:[DEL] Delete /data/2019/31-3.req  Starts!
[10:40:28]:[DEL] Delete /data/2019/31-3.req Success!
[10:40:28]:[DEL] Delete Ends!
[10:40:28]:[DOWN] DownloadData /data/2019/31-4.req Starts!
[10:40:29]:[DOWN] DownloadData /data/2019/31-4.req Success!
[10:40:29]:[DOWN] DownloadData Ends!
[10:40:34]:[UPD] UploadData /data/2019/31-4.res Starts!
[10:40:36]:[UPD] UploadData /data/2019/31-4.res Success!
[10:40:36]:[UPD] UploadData Ends!
[10:40:36]:[DEL] Delete /data/2019/31-4.req  Starts!
[10:40:36]:[DEL] Delete /data/2019/31-4.req Success!
[10:40:36]:[DEL] Delete Ends!
[10:40:36]:[DOWN] DownloadData /data/2019/31-5.req Starts!
[10:40:37]:[DOWN] DownloadData /data/2019/31-5.req Success!
[10:40:37]:[DOWN] DownloadData Ends!
[10:40:42]:[UPD] UploadData /data/2019/31-5.res Starts!
[10:40:43]:[UPD] UploadData /data/2019/31-5.res Success!
[10:40:43]:[UPD] UploadData Ends!
[10:40:43]:[DEL] Delete /data/2019/31-5.req  Starts!
[10:40:44]:[DEL] Delete /data/2019/31-5.req Success!
[10:40:44]:[DEL] Delete Ends!
[10:40:44]:[DOWN] DownloadData /data/2019/31-7.req Starts!
[10:40:44]:[DOWN] DownloadData /data/2019/31-7.req Success!
[10:40:44]:[DOWN] DownloadData Ends!
[10:40:49]:[UPD] UploadData /data/2019/31-7.res Starts!
[10:40:50]:[UPD] UploadData /data/2019/31-7.res Success!
[10:40:50]:[UPD] UploadData Ends!
[10:40:50]:[DEL] Delete /data/2019/31-7.req  Starts!
[10:40:52]:[DEL] Delete /data/2019/31-7.req Success!
[10:40:52]:[DEL] Delete Ends!

Task Type Values
CommandTask Type
Cmd_Request0x01
Cmd_Response0x02
Exe_Request0x03
Exe_Response0x04
FileUpload_Request0x05
FileUpload_Response0x06
FileDownload_Request0x07
FileDownload_Response0x08
FileView_Request0x09
FileView_Response0x0A
FileDelete_Request0x0B
FileDelete_Response0x0C
FileRename_Request0x0D
FileRename_Response0x0E
ChangeDir_Request0x0F
ChangeDir_Response0x10
Info_Request0x11
Info_Response0x12
Config_Request0x13
Config_Response0x14
IOCs

PNG file with steganographically embedded C# payload

29A195C5FF1759C010F697DC8F8876541651A77A7B5867F4E160FD8620415977
9E1C5FF23CD1B192235F79990D54E6F72ADBFE29D20797BA7A44A12C72D33B86
AF2907FC02028AC84B1AF8E65367502B5D9AF665AE32405C3311E5597C9C2774

DropBoxControl

1413090EAA0C2DAFA33C291EEB973A83DEB5CBD07D466AFAF5A7AD943197D726

References

[1] Worok: The big picture
[2] Lateral Movement — SCM and DLL Hijacking Primer
[3] Dropbox for HTTP Developers

The post PNG Steganography Hides Backdoor appeared first on Avast Threat Labs.

Avast Q3/2022 Threat Report

2 November 2022 at 08:00

Cybercriminals actively recruiting and paying people to support their malicious activities

Foreword

Three months have passed since we published the Avast Q2/2022 Threat Report and here we are again reviewing the cyber threat landscape via the Avast telemetry and Avast’s experts’ insights. I’m not sure about you, but Q3 passed very quickly for me, probably thanks to the summer holidays here in Europe.

Threat reports are often scary and intimidating, as they describe malware outbreaks and dramatic increases in attacks of various threat types. This report is different, though. We observed a decline in a vast majority of malware types in Q3/2022, which is positive. The common belief in the security industry is that malware authors take off over the summer, causing a decline in malicious activity. The drop in attacks is also caused by users spending more time offline, reducing the attack surface. The war in Ukraine and the recent mobilization of forces in Russia likely also played a part in the decline. It will be interesting to see how this trend will continue in the next quarter.

Despite fewer attacks in Q3/2022, this report still contains many highlights. Raccoon Stealer’s activity is like a rollercoaster ride, and it went rampant this quarter, spreading via cracked software. The other stealers, Formbook and AgentTesla, reminded us that Office macros are mostly dead, for now. Malware authors are instead abusing ISO and IMG formats on Windows. Coniminers are still one of the top malware types, and 70% of their attacks are deployed using web coinminers on infected pages. We’ve also seen a new botnet called Pitraix, which is, fortunately, not prevalent, at least for now. Unfortunately, we cannot say the same about the Warzone RAT, which significantly boosted its presence in various countries such as Hungary and New Zealand. Furthermore, adware on Windows significantly grew in Central, South, and Eastern Europe, and mobile adware is still the top threat targeting Android users.

In addition to the malware activity we observed, this report also describes how cybergangs are actively recruiting and paying people to support their criminal activities. The LockBit group was very active this quarter, beginning a bug bounty program and even offering $1,000 to anyone tattooing their logo onto their body. The NoName057(16) hacker group, desperate to continue DDoSing governments and businesses supporting Ukraine, started paying people to download their program and DDoS for them after their Bobik botnet C2 server was taken down (coincidentally after we published a blog post about them).

Keep safe and happy reading!

Jakub Křoustek, Malware Research Director

Methodology

This report is structured into two main sections – Desktop-related threats, where we describe our intelligence around attacks targeting the Windows, Linux, and Mac operating systems, and Mobile-related threats, where we describe the attacks focusing on the Android and iOS operating systems.

Furthermore, we use the term risk ratio in this report to describe the severity of particular threats, calculated as a monthly average of “Number of attacked users / Number of active users in a given country.” Unless stated otherwise, calculated risks are only available for countries with more than 10,000 active users per month.

We changed the threat labeling algorithm we use for our Threat Reports to ensure our data is even more accurate. As a result, the numbers appearing in this Threat Report should not be compared with those from our previous reports. We recomputed statistics from previous quarters to provide quarter-over-quarter comparisons in this Threat Report.

Desktop-Related Threats

Advanced Persistent Threats (APTs)

Among other threat actor groups, we continue to track Chinese threat actors, as well as a few groups in the Southeast Asia region and a Russian-speaking threat group. We gained new insights into their activities and campaigns, but their operations retain a similar modus operandi and targets. We continuously share our insights at cybersecurity conferences.

We recently presented our research on Operation Dragon Castling at Virus Bulletin 2022. This operation was facilitated by CVE-2022-24934, a zero-day vulnerability in WPS Office that enabled concealing execution of malware via the office suite’s update mechanism.

At the beginning of December, we will present our research on a huge operation in Southeast Asia in a talk titled "Hitching a ride with Mustang Panda" at the AVAR conference in December 2022. We presume a Chinese-speaking group called Mustang Panda is responsible for the operation due to the target selection and the toolset used.

Chinese-speaking Groups

LuckyMouse, a well-known Chinese-speaking threat group, known for targeting government agencies in Asia and the Middle East, attacked agencies in the United Arab Emirates, Taiwan, and the Philippines in Q3/2022. We found backdoors on infected machines, password stealers for Chrome, and open-source tools, like BadPotato, for privilege escalation. LuckyMouse uses a HyperBro backdoor loaded and decrypted by a sideloaded DLL. The attackers likely infected machines through a compromised server, where instead of the MiMi chat application, they inserted a backdoor. TrendMicro recently described LuckyMouse’s backdoor infection vector and the post-exploitation tools.

Southeast Asian Actors

At the beginning of August, researchers from Morphisec released a blog post describing changes in the yty malware framework, a well-known tool used by the Donot Team (also known as APT-C-35). Office documents containing malicious macros or a combination of RTF injection and the Microsoft Equation editor (CVE-2017-1182) vulnerability usually deliver the next stage to victims.

Our telemetry shows the group was most active in Pakistan, where we discovered DLL modules from yty’s framework on several infected machines in our user base. Malicious documents with the `.inp` extension are the source of infection. The infected victims installed outdated versions of Inpage software, a word processor for Urdu and Arabic languages widely used in the region. We believe the attackers are leveraging old known vulnerabilities in the Inpage software, as described by Palo Alto Networks. We assume the victims work for governmental institutions, based on the documents’ metadata and filenames.

Transparent Tribe, or APT36, is another group from the region we are tracking. They continue to attack victims in India and Afghanistan, as other researchers also reported. The group is believed to originate from Pakistan and focuses its activities on neighboring countries. The group infects victim PCs using spear-phishing and Office documents with malicious VBA macros dropping embedded obfuscated .NET-based executables into arbitrary paths in the `%ALLUSERSPROFILE%` directory. We identified that the executables belong to the CrimsonRAT strain, Transparent Tribe‘s custom malware used to access infected networks. The activity is analogous to what was described in greater detail by researchers from Cisco Talos and Fortinet.

Russian Actors

The Gamaredon group continues to be very active and tightly focused on Ukraine in Q3/2022, broadening its attacks on military and government institutions motivated by the Russian aggression in Ukraine. The overall number of attacks and general modus operandi has not changed since last quarter. Still, they introduced a few new tools to their toolset, including file exfiltration tools, various droppers, and new ways of distributing payloads and IPs of C&C servers. Our telemetry also shows the group targeted foreign embassies in Ukraine.

Luigino Camastra, Malware Researcher
Igor Morgenstern, Malware Researcher
Jan Holman, Malware Researcher
Tomáš Zvara, Malware Researcher

Adware

Desktop adware rapidly accelerated at the end of Q3/2022. In the beginning and middle of the observed quarter, adware activity stabilized with a slight downward trend, as the graph below illustrates.

Graph showing users (globally) Avast protected from desktop adware in Q2/2022 vs. Q3/2022

The peak at the end of Q3/2022 began on September 16, 2022. Adware activity significantly grew predominantly in Central, South, and Eastern Europe:

Graph showing users Avast protected in the Czech Republic, Slovakia, Poland, Greece, Croatia, Estonia, Latvia, Lithuania, and Ukraine in Q3/2022

We identified an adware variant responsible for the peak in September. The adware called DealPly is a Chrome extension that modifies a new page design in the Chrome browser. The extension is called Internal Chromium Extension and has permission to replace newly opened tabs, read browsing history, change bookmarks, and manage apps, extensions, and themes in the browser.

DealPly Adware Chrome extension: Internal Chromium Extension

The new tab can look similar to the screenshot below. The extension modifies advertising shortcuts and sends statistical and search information to attackers.

The new Chrome tab modified by the malicious Internal Chromium Extension

DealPly’s extension is not usually downloaded by users directly, but other malware installs it without the user’s knowledge and ensures its persistence, so they cannot remove the extension manually.

The adware we detected in the beginning and middle of Q3/2022 was adware on suspicious websites. This type of adware waits for a user to click on an arbitrary hyperlink and replaces the original link with one that redirects the user to advertising websites.

Here’s a list of ad servers:

  • deshaici[.]net
  • gapscult[.]com
  • informeresapp[.]com
  • mobile5shop[.]com
  • naigristoa[.]com
  • saumeechoa[.]com
  • go.ad2upapp[.]com

The suspicious websites lure victims by offering prizes or free services; see the examples below. However, the redirections lead to websites with malicious content or pages that want contact or login information.

Examples of adware websites

We monitored a noticeable decrease in the adware risk ratio for users in Brazil, the United States, the United Kingdom, Italy, Austria, and Switzerland. On the other hand, there was an increase in the risk ratio for users in Poland, Croatia, Latvia, and Hungary; see the map below.

Map showing global risk ratio for adware in Q3/2022

In Q3/2022, more than 40% of the adware we saw was from various adware families. However, the clearly identified strains of adware are: DealPly, RelevantKnowledge, DownloadAssistant, and CloverPlus.

The most common adware threats for MacOS were: Bundlore, Pirrit, Spigot, Adload, and MaxOfferDeal.

Martin Chlumecký, Malware Researcher

Bots

The botnet landscape was rather calm in comparison to the previous turbulent quarters – no miraculous revivals or medialized takedowns. Nevertheless, botnet activity remained consistent, consistently dangerous. With Ukraine defending itself from Russian aggression and the Western World providing support to Ukraine, some Russian groups are utilizing their resources to attack organizations and infrastructure in Europe. There are also several other entrenched botnets and spambots plaguing our lives with their existence (and spam).

In our Q2/2022 Threat Report, we noted botnets experimenting with new formats of malicious attachments, such as ISO or IMG files. While these formats have some limitations on who can actually open them, based on the version of the used operating system, they are still gaining popularity in spite of the fact that the original motivation for their usage is no longer valid.

The pro-Russian group NoName057(16) remains very active. Their DDoS botnet Bobik is still attacking organizations in countries voicing their support for Ukraine or imposing sanctions on Russia. Their targets include both private institutions, such as news agencies or banks, and government institutions including courts, parliament, and police. Their attacks are retaliatory. The sites they target change depending on current events. For example, the group attacked sites belonging to the Finnish government after Finland announced their intention to join NATO in August. The group’s success rate (the number of sites they manage to take down vs. the number of sites they target) is 40%, based on our observations. Moreover, approximately 20% of the attacks they claim to be responsible for cannot be accounted for in their configuration files.

The main Bobik C2 server was taken down, after we published our blog post about NoName057(16), and the botnet stopped working. On August 15, 2022, the group announced they were recruiting for a new project, presumably to continue their DDoS attacks. They later opened a new group dedicated to their DDOSIA project, as reported by Radware. As of late-October, the Telegram group had 777 members. The project allows anyone to download a binary through which they can be identified and carry out DDoS attacks and in return, be awarded cryptocurrencies from the group. We have been monitoring DDOSIA’s configurations since August 1, 2022. The configuration file is updated four times a day, on average.

A new botnet called Pitraix is gaining a bit of traction on hacking fora. The botnet source code was originally hosted on Github and written in Go. Go has become a popular choice for smaller projects lately. For instance, Black Lotus Labs recently described another newish botnet written in Go. The botnet has P2P architecture relying on TOR for its communication. Rather unusual, the project was not framed as a security tool nor for educational purposes as is usual for similar projects.

Quarterly comparison of protected users. Notice the first peak in Q1/2022 corresponding to the week when Russia attacked Ukraine

Overall, the botnet risk ratio is significantly lower than in the previous quarter, slowly getting back to the pre-war situation. We noticed a significant decline in Emotet’s activity, and a similar trend holds true for Tofsee. The only considerable outlier is MyKings. MyKings’ activity soared, with Ursnif trailing behind. Other botnet activity only slightly increased.

Currently, our data indicates that the following botnets (and their variants) are the most active in their recruitment:

  • Phorpiex
  • Emotet
  • Tofsee
  • MyloBot
  • Nitol
  • Dorkbot
  • MyKings
  • Ursnif
  • Amadey

Adolf Středa, Malware Researcher

Coinminers

The value of cryptocurrencies is stagnating at long-time lows, but coinminers are still one of the most prevalent malware types we block in the wild. The number of coinminers we protected our users from in Q3/2022 decreased slightly (-4%).

Graph showing users (globally) Avast protected from coinminers in Q3/2022

Users in Serbia were most at risk of encountering coinminers in Q3/2022, with a 7.28% risk ratio. The risk ratio for users in Madagascar encountering a coinminer was 4.55%, up slightly compared to the previous quarter. Users in Madagascar were among those most at risk of encountering coinminers. We also detected an increase in coinminer activity in Montenegro (6.59% risk ratio), as well as in Egypt where the risk ratio rose to 3.81% (+32% QoQ).

Map showing global risk ratio for coinminers in Q3/2022

Web coinminers continue to lead, gaining even more market share in Q3/2022. Web coinminer activity increased by 6% and they now hold 70% of the coinmining market share. We observed an increase in KingMfcMiner detections and protected 45% more users from the miner in Q3/2022 compared to Q2/2022. CoinHelper’s activity also increased its market share by 9%.

XMRig remains the leading coinmining executable. However, XMRig activity dropped by 11%. According to our telemetry, XMRig holds 15% of the coinminer market share.

The most common coinminers in Q3/2022 were:

  • Web miners (various strains)
  • XMRig
  • CoinBitMiner
  • VMiner
  • CoinHelper
  • NeoScrypt
  • FakeKMSminer

Jan Rubín, Malware Researcher

Information Stealers

Raccoon Stealer activity went rampant in Q3/2022 following the malware’s announced return, which we reported in our previous report. We protected +370% more users from Raccoon Stealer in Q3/2022 vs. Q2/2022. Despite Raccoon Stealer’s growth, overall information stealer activity declined by 14% in Q3/2022.

Graph showing users (globally) Avast protected from information stealers in Q3/2022

The countries where users are most at risk of encountering information stealers remained the same, for the most part, except for some countries in Africa, as can be seen in the heatmap below. Users in Mali encountered more information stealers (+14% risk ratio) than in Q2/2022, as did users in Yemen (+16% risk ratio) and Congo (+11% risk ratio). Further notable changes occurred in Brazil, where the information stealer risk ratio dropped by 24%. Avast’s presence in Brazil, where we saw a 28% drop in the number of users we protected from information stealers, is significant and is part of the reason we observed an overall decrease in information stealer numbers.

Map showing global risk ratio for information stealers in Q3/2022

FormBook continues to be the most active information stealer in Q3/2022, further increasing its market share by 8%, gaining 26% of the overall information stealer market share. The market share held by other top information stealer strains declined in Q3/2022: Lokibot (-35%), RedLine Stealer (-17%), and AgentTesla (-4%). Raccoon Stealer and SnakeKeylogger, on the other hand, significantly increased their market share by 450% and 53%, respectively.

The most common information stealers in Q3/2022 were:

  • FormBook
  • RedLine Stealer 
  • AgentTesla
  • Lokibot
  • Raccoon Stealer
  • SnakeKeylogger

Raccoon Stealer Reaches New Heights

We protected significantly more users from the second version of Raccoon Stealer at the beginning of Q3/2022.

Graph showing users (globally) Avast protected from Raccoon Stealer in Q3/2022

Raccoon Stealer mainly makes its way onto computers via “cracked” software. The archives through which Raccoon Stealer spreads promise cracked versions of software like Adobe Photoshop, Filmora Video Editor, and uTorrent Pro, but deliver Raccoon Stealer instead.

Raccoon Stealer not only steals data but is also capable of downloading and executing further malicious files, including miners and other stealers.

GuLoader Phishing Emails

We observed new phishing email campaigns rising in late August and September, mainly targeting users in Spain, the Czech Republic, Romania, and other countries. We protected over 26,000 users. The campaigns use ISO archive attachments containing new versions of GuLoader that drop AgentTesla or FormBook.

Graph showing users (globally) Avast protected from the GuLoader campaigns in Q3/2022

Discord Based Information Stealers Attacking Linux Users

We also observed some new malware families (i.ex. A new variant of Sshbru or ServerHijacker-B) written in Go programming language and abusing Discord Webhooks to leak information. These malware strains first identify or create an attack vector to hijack the system (i.ex. by enumerating the vulnerabilities in the LAN network of the victim, changing the password for root, and so on) and then get the public IP address which is leaked to the attackers via Discord Webhooks for a later intrusion. Computer access is likely to be sold on the black market.

Jan Rubín, Malware Researcher
Vladimir Martyanov, Malware Researcher
David Álvarez, Malware Analyst

Ransomware

Ransomware activity increased by nearly a quarter (+24%) in Q2/2022. In Q3/2022, ransomware activity stabilized, and slightly decreased. There were no peaks in ransomware activity in Q3/2022, as shown in the graph below, and is the reason for this decrease in risk ratio.

New countries are on top of the list of countries in which users are most at risk of encountering ransomware in Q3/2022:

  • Papua New Guinea
  • Mozambique
  • Afghanistan
  • Ghana
  • Vietnam

The risk ratio for ransomware remained the same or slightly decreased in most countries in Q3/2022 (compared to the Q2/2022), but there are some outliers. The ransomware risk ratio increased by 70% in Vietnam, 49% in Thailand, 33% in Denmark, 16% in Canada, and 12% in Spain and Germany.

Here is a map of the ransomware risk ratio by country:

STOP, and WannaCry ransomware continued to be the most prevalent ransomware strains targeting our user base:

  • STOP
  • WannaCry
  • Thanatos
  • Sodinokibi / REvili (and its successors)
  • Magniber
  • LockerGoga
  • Conti offsprings
  • LockBit

Intermittent File Encryption

More and more ransomware strains now use partial (intermittent) methods of encryption (AtomSilo, Conti, BlackMatter, LockBit), to rapidly encrypt files. During a ransomware attack, file encryption needs to be quick to avoid user detection. The longer encryption takes, the higher the chances the potential victim notices the attack. A vigilant user may notice increased disk activity and check what’s going on. Also, the time needed to fully encrypt a collection of large files (such as movies or databases) may be significantly high.

CrySiS ransomware implemented partial encryption already in 2016, for example, but now more ransomware strains use complicated methods of partial encryption, and they are often configurable:

  • Full Encryption: The file is fully encrypted. This is the “safest” method (from the point of view of the attackers) but can take a very long time, especially when encrypting movie files or large databases.
  • Header only: The ransomware only encrypts the beginning of the file (up to a specified amount of bytes). This invalidates headers of most file types and renders them unrecognizable.
  • Header + Tail: In addition to the file header, the header + tail method also encrypts part of the file end. This covers ZIP-like files (ZIP archives and MS Office files)
  • Dot Pattern: The ransomware encrypts files by blocks – N bytes are encrypted, M bytes are left intact.

The methods described above can be combined, such as encryption of the file header and encryption of the rest using Dot Pattern encryption.

Multiple new ransomware strains emerged in Q3/2022, often attacking Windows, Linux, and ESXi servers. One of them was Luna ransomware, allegedly originating from Russia. Luna is written in the Rust programming language and can therefore be compiled for multiple platforms. Security researchers from Kaspersky confirmed all platform versions were built from the same source files.

Furthermore, ransomware authors continue innovating their ransoming techniques, and some recent attacks in the enterprise sector no longer involve file encryption, but data exfiltration followed by secure file deletion or corruption. In this scenario, companies depend on criminals to provide the original files after payment.

The LockBit Story

An interesting series of events involving the LockBit ransomware gang took place in Q3/2022. At the end of June, the gang behind the ransomware released a new version of the encryptor, code-named Black (because they copied it from the Black Matter ransomware gang). With this release, they announced a bug bounty program. Any bug or vulnerability reported to the gang will bring significant rewards. Reported bugs can be a weakness in the encryption process, a vulnerability in their website, or vulnerabilities in the TOX messenger or the TOR network. The juiciest reward (one million USD) is up for grabs and will go to the person who finds out the name of the affiliate boss.

In addition to the bounty program, the gang offered $1,000 USD to anyone who tattooed the LockBit logo on their body. The gang demanded video proof. According to photos posted to Twitter, some desperate people actually got the tattoo. We hope they got their reward and it was worth it…

The group paid a bounty reward of $50,000 to a person(s) who found a vulnerability in the encryption of large database files. They may pay more for bugs than others pay for RCE vulnerabilities, but they should consider paying their developers more. One of their developers got angry and leaked the builder of the cryptor. The package was briefly available on Github, but Github disabled it. The leaked package contained an RSA key generator and the builder of the ransomware+decryptor. With the leaked package, anyone could create their build of the ransomware and start a ransomware gang. Some seized the opportunity and did just that – the BlooDy ransomware gang, and TommyLeaks/School boys gang took the builder and made their own cryptors.

One of the LockBit gang’s victims is a security company called Entrust, which suffered a cyber attack on June 18, 2022. Shortly after the attack, the LockBit gang claimed they were behind the attack. Together with the ransomware attack, they also extorted Entrust’s internal data and threatened to leak it, if the company didn’t pay the ransom.

The leaked data (including legal documents, marketing spreadsheets, and accounting data) was published on the gang’s Tor sites. Nevertheless, the sites went offline shortly after due to a DDoS attack, believed to originate from Entrust. Entrust never confirmed they were behind the attack.

But the story didn’t end there. Following the (counter) attack, the LockBit gang announced they were back with new triple-extortion tactics – encryption, extortion, and DDosing. The group published a torrent with 342 GB of Entrust’s stolen data online. Furthermore, the LockBit gang announced they would strengthen their infrastructure to prevent future DDoS attacks.

This quarter was also the sixth anniversary of the NoMoreRansom initiative, which helps millions of victims of ransomware attacks. Avast is a partner and we recently added a decryptor for the MafiaWare666 ransomware.

Jakub Křoustek, Malware Research Director
Ladislav Zezula, Malware Researcher

Remote Access Trojans (RATs)

RAT activity, in most parts of the world, continues to decline, just like in previous quarters. In our Q2/2022 Threat Report, we speculated that RAT activity would continue to decline over the summer, and we were right.

Graph showing users (globally) Avast protected from RATs in Q2/2022 and Q3/2022

Users in Afghanistan, Yemen, and Iraq were most at risk of encountering a RAT in Q3/2022. RAT activity did however significantly increase in Hungary and New Zealand. The Warzone RAT is responsible for the increase in Hungary (+118%), the 59% increase in New Zealand is mostly due to Remcos and njRAT activity.

The countries where the risk ratio declined the most are: Spain (-36%), Canada (-31%), Czech Republic (-29%), and Slovakia (-28%). In our Q2/2022 Threat Report, we reported Japan as the country with the biggest increase in RAT attacks. In this quarter the number decreased, and Japan is among the safest countries together with Finland, France, and Switzerland.

Map showing global risk ratio for RATs in Q3/2022

The most prevalent RATs in our user base in Q3/2022 were:

  • HWorm
  • njRAT
  • Warzone
  • Remcos
  • NanoCore
  • AsyncRat
  • NetWire
  • QuasarRAT
  • DarkComet
  • Adwind

The top strains mostly stayed the same. As already mentioned, we saw a rather large campaign spreading Warzone in Hungary. A Remcos campaign also hit most of Asia, and the Netwire RAT targeted users in South Africa with a campaign.

Other RATs with a significant increase in prevalence in Q3/2022:

  • LimeRAT (+85%)
  • SpyNet (+41%)
  • BoubedzRAT (+40%)

While these RATs are not as prevalent, their prevalence increased considerably in Q3/2022. LimeRAT was mostly active in Africa and South Asia, while SpyNet was active in Brazil and the BoubedzRAT in Columbia.

We published a blog post about a RAT called Backdoorit written in Go in Q3/2022. Backdoorit mainly focuses on stealing Minecraft related files, Visual Studio, and IntelliJ projects.

Several new RATs appeared or were discovered during Q3/2022. ApolloRAT is a new and interesting RAT because of its use of Nuitka to compile Python source to C source as reported by Cyble. The set of features is quite common in the domain of RATs with the exception of “Prank” commands such as >rickroll. It uses Discord for its C&C communication.

CodeRAT appeared in Q2/2022. In Q3/2022 the developer publicly shared the code on GitHub, after being confronted by security researchers from SafeBreach. CodeRAT’s main goal is to monitor its victims’ social media activity and what they do on local machines. It features approximately 50 commands interacting with various parts of the operating system. It can also deploy other malware. The communication methods are also interesting, CodeRAT makes use of Telegram groups or a USB flash drive.

WoodyRAT was active for at least a year before it was discovered by Malwarebytes. The attackers make use of the Follina vulnerability to spread their RAT. According to the analysis, the malware can extract data from the infected computer, run commands and code, including injecting to other processes.

The Lazarus APT group added a new tool to their arsenal, as reported by Cisco Talos. This tool is called MagicRAT. MagicRAT is a relatively simple tool that can launch additional payloads, run arbitrary commands and manipulate files on infected machines. What makes it stand out is its use of the Qt Framework. Since MagicRAT does not have a user interface, the Qt Framework is likely used to increase the complexity of the malware and to make analysis harder.

Last but not least, the developer and seller of Imminent Monitor RAT SaaS was arrested by the Australian Federal Police. The RAT allows operators to spy on their victims via their webcam and microphone, among other things. According to the report the RAT has been sold to more than 14,500 individuals across 128 countries.

Ondřej Mokoš, Malware Researcher

Rootkits

Rootkit activity declined in Q3/2022, as shown in the chart below.

Graph showing users (globally) Avast protected from rootkits in Q1-Q3/2022

The distribution trend of rootkit strains continued as expected based on the previous two quarters (Q1/2022 and Q2/2022). The primary strain in Q3/2022 was the R77RK rootkit developed by the bytecode77 group. R77RK holds a 40% market share.

Users (globally) Avast protected from rootkits vs. users (globally) Avast protected from the R77Rootkit in Q3/2022

The chart above shows R77RK is a major rootkit, as its trend copies the overall rootkit trend in Q3/2022. The R77RK’s GitHub repository is still active. One notable correlation can be seen on September 1, 2022, when the authors’ released new functionality for R77RK. They implemented a rootkit activation via injection of a specific shell code. The release date corresponds with the peak; see the chart above.

The map below animates R77RK’s activities moved to Eastern Europe and Northern Asia. On the other hand, Canada and the United States remain the least affected countries.

Map showing global distributions of R77Rootkit activities in Q2/2022 and Q3/2022

Another rootkit making rounds in Q3/2022 was Alureon, which steals credentials and credit card information by capturing the system’s network traffic. However, Alureon’s market share in the wild is only about 5%.

Map showing global risk ratio for rootkits in Q3/2022

The global risk ratio of all rootkits is the same as in Q2/2022, and China remains the country in which users have the highest risk of encountering a rootkit. Q3/2022 confirmed that R77RK is still the most popular open-source rootkit in the wild.

Martin Chlumecký, Malware Researcher

Technical support scams

Technical support scams dipped at the end of July and the beginning of August. We assume the scammer community wanted to enjoy their summer break. This calm period lasted only a few weeks and ended at the end of August. Our September stats show more activity compared to July.

Graph showing users (globally) Avast protected from tech support scams in Q2-Q3/2022

The top affected countries remained the same as in Q1 and Q2/2022. Users in Japan were targeted most, with a risk ratio of 3.16%, followed by Germany, the United States, and Canada, where activity slightly increased.

Map showing global risk ratio for tech support scams in Q3/2022
Screenshot of a prevalent TSS targeting users in Germany

In Q3/2022, we registered hundreds of unique telephone numbers used in TSS scams. Here are the top 20 phone numbers:

+1(888)-350-3496+1(888)-350-3495
+1(833)-690-1082+1(833)-690-1085
+1(833)-690-1079+1(844)-449-0455
+1(888)-213-0940+1(866)-622-6692
+1(844)-838-9290+1(833)-522-6669
+1(817)-813-2707+1(844)-300-0063
+1(844)-819-3386+1(866)-344-4412
+1(877)-294-2845+1(888)-320-3547
+1(805)-271-6246+1(888)-850-1320
+1(877)-512-2485+1(844)-594-2674

Alexej Savčin, Malware Analyst

Vulnerabilities and Exploits

At the end of July, Microsoft published research about a private-sector offensive actor they refer to as KNOTWEED. KNOTWEED deployed a custom piece of malware, called Subzero, through a number of infection vectors, including zero-day exploits for Microsoft Windows and Adobe Reader. While the researchers were not successful in recovering the Adobe exploit, they found and patched CVE-2022-22047, a nasty bug used for privilege escalation.

Also noteworthy were new Microsoft Exchange zero-days (CVE-2022–41040 and CVE-2022–41082), discovered in the wild by GTSC Cyber Security. The exploits were strikingly similar to ProxyShell, an Exchange exploit discovered in 2021. As far as we know, the zero-days were only used in a limited number of targeted attacks, thus far.

Our own exploit research in Q3/2022 was mostly focused on Roshtyak, the backdoor payload associated with Raspberry Robin. Roshtyak uses CVE-2020-1054 and CVE-2021-1732, both Windows LPE exploits, to elevate privileges. Read our blog if you are interested in more details.

We also continued to track browser exploit kits, and we found PurpleFox, Rig, and Underminer to be active throughout the quarter.

The most frequently used exploit for MacOS was MacOS:CVE-2019-8900. A vulnerability in the Boot ROM of some Apple devices can be exploited by an unauthenticated local user to execute arbitrary code upon booting those devices.

Jan Vojtěšek, Malware Reseracher

Web skimming

In Q3/2022, the most common malicious domain used for web skimming attacks was hubberstore[.]com. Infected e-commerce websites, like sites selling event tickets, notebooks, and wine – mostly in Brazil, called code from the malicious domain. We protected nearly 20,000 users from the webskimmer in Q3/2022. In some cases, malicious code was present on an infected site, while in other cases, sites loaded additional code from hubberstore[.]com/app.js or a similar file name. The GET request exfiltrated payment details to the hubberstore malicious domain.

Here are some examples of what the GET requests look like:

  • hubberstore[.]com/<infected-webpage-name>.php?&drac=<user-data-base64-encoded>
  • hubberstore[.]com/chk/apicielo.php?chave=<user-data-plaintext>
  • hubberstore[.]com/v2/search?public_key=<user-data-base-64>

A Czech e-commerce site called bohemiadrogerie[.]cz was also infected. In this case, the attackers inserted their payment form on the website. The image below shows what the site looks like with and without the fake payment form. After entering payment details, customers receive an error message: The selected payment method is currently unavailable, please try again. The page is then reloaded and displayed without the payment form.

The skimmer on the Czech site uses a specific pattern ;function boms()in the malicious code. The same pattern was on the domain naturalfreshmall[.]com to host the malicious skimmer code, which we reported in our Q1/2022 Threat Report.

Attackers also exploited other legitimate sites, such as sites selling clothes, shoes, jewellery, furniture and medical supplies, to host their skimming code. Specifically, they used guyacave[.]fr, servair[.]com and stripefaster[.]com. Attackers exfiltrated payment details via the POST request to URLs like guyacave[.]fr/js/tiny_mce/themes/modern/themes.php and similar for the other domains. In some cases, the POST request was sent to the infected e-commerce site itself, indicating that the attacker has full access to the compromised sites. We protected nearly 17,000 users globally from this webskimmer.

In conclusion, there are still many long-term infected websites. Malicious code often remains on an infected website even after the exfiltration domain no longer exists.

Pavlína Kopecká, Malware Analyst

Mobile-Related Threats

Adware

Continuing the trend from previous years, adware was still the dominant threat facing mobile users in Q3/2022. This dominance brings intrusive advertisements, often paired with several stealth features. These combine to rake in money through advertisements for the adware creators while negatively impacting the user experience of mobile users worldwide.

HiddenAds and FakeAdBlockers continue to be the most prevalent adware families. They often use overlays to display advertisements to the user, even when using other applications on the phone. They may delay this activity by several days to confuse the user about the source of the intrusive advertisements. As per their name, HiddenAds can also hide their icon from the home screen, making it more difficult for mobile users to find the source of these frustrating ads.

Several new waves of HiddenAds made it onto the Google Play Store, such as Scylla, with added obfuscation but a similar set of features to previous HiddenAds strains. FakeAdBlockers continue to spread through fake games and applications downloaded from unofficial sources. Both families often come under the guise of games, camera filters, wallpaper apps, and keyboard themes, to name a few. It is advisable to avoid third-party stores and unknown websites when downloading applications, instead using Google’s Play Store while checking reviews and requested permissions.

Adware mostly affects mobile users in Asia, the Middle East, and South America. Brazil, India, Argentina, and Mexico again hold the top spots in the quarter, with increases in affected users in India and Mexico. The US holds fifth place, but we see a 25% decrease in affected users compared to last quarter. Adware is the most common mobile threat facing mobile phone users worldwide today.

Map showing global risk ratio for mobile adware in Q3/2022

Bankers

Cerberus/Alien keeps its top place in the banker sphere in Q3/2022, while Hydra and RoamingMantis finally surpass Flubot in terms of protected users. Following an eventful last quarter with the Flubot group disbanding by Europol, we finally saw a marked decrease of 50% in Flubot’s reach in Q3/2022. Considering Flubot dominated the banker sphere with its SMS phishing campaigns attacking users across Europe and the US, it is encouraging to see the positive effects of Europol’s actions.

Bankers still rely on established methods of infection and delivery, with SMS phishing being the favored approach. Several new droppers appeared on the Google Play Store, third-party stores, and forums, propagating known or slightly adjusted versions of existing bankers. Most recently, TrendMicro discovered the DawDropper dropper, which delivers a multitude of banker strains over the span of an extended period. We, therefore, believe it is a dropper service used by multiple banker strains, mitigating cost and effort for banker authors.

Interestingly, the number of protected users in Q3/2022 was slightly higher than last quarter. However, we continue to be on a long-term downward trend, as can be seen in the chart below. Flubot’s demise significantly contributed to this decline, as we’ve seen fewer banker-spreading campaigns since its disbanding.

Graph showing users (globally) Avast protected from mobile bankers in Q3/2021-Q3/2022

We saw some movement in the top affected countries in Q3/2022, with Spain, France, and Turkey coming in as the most targeted, while France shows a striking 70% increase in protected users. Contrary to this, we see a sharp decline in protected users in Italy, Germany, Australia, and the UK, up to a 40% drop.

Map showing global risk ratio for mobile bankers in Q3/2022

TrojanSMS

In Q3/2022 we observed a continuation of existing premium SMS scams which started late last year and a few older strains retiring. SMSFactory and Darkherring remain the main TrojanSMS offenders this quarter. UltimaSMS and GriftHorse have finally been eliminated, as their number of protected users plummeted to nearly zero.

These TrojanSMS families rely on premium SMS subscriptions or sending SMS messages to premium numbers to extract money from victims. Left undetected, these malwares can rack up expensive phone bills, which is why they often come with stealth features to avoid discovery, hiding the application icon and the sent SMS messages. In the worst case scenario, the user forgets about the application or cannot identify the culprit while their money is siphoned away.

It is interesting to compare the methods of delivery of theseTrojanSMS strains. Families such as UltimaSMS, GriftHorse, and DarkHerring were distributed through the Google Play Store, and their numbers were in the tens of millions when discovered. However, following their discovery and takedown from the Play Store, these strains were nearly eliminated and no longer affected large numbers of users. On the other hand, SMSFactory, which uses pop-ups, malvertising, and fake app stores to deliver its payload, is still operating today, and we see a steady number of protected users still affected. While we observed some minor changes to the application and their C2 servers in the past few months, the malware and its functionality remain the same. SMSFactory accounts for over 60% of protected users this quarter, clearly dominating the TrojanSMS market.

The distribution of protected users is similar to last quarter, with Brazil, Russia, Ukraine, Germany, and India holding the top spots. Azerbaijan, Kyrgyzstan. and Iraq show the highest risk ratio numbers.

Map showing global risk ratio for mobile TrojanSMS in Q3/2022

With the exit of UltimaSMS and GriftHorse, as well as declining numbers for DarkHerring, the overall TrojanSMS trend is downward in Q3/2022. However, SMSFactory appears to be here to stay; hence we predict the numbers will maintain or slightly decline into the next quarter.

Graph showing users (globally) Avast protected from mobile TrojanSMS in Q3/2022

Spyware

Spyware has been a persistent threat to users for the last several years. More recently, we tracked some spikes in activity in Q3/2022. Spymax leads with the most reach for several quarters now, while we observe Facestealer becoming a more persistent threat this year.

Spyware’s purpose is to spy on the user’s activity, including photos, messages, location, and other personal information. More recently, these malwares tend to look for login credentials, banking details, and even crypto wallet addresses. Spymax has accrued these features over the span of several years and often comes heavily obfuscated to evade detection. It imitates a variety of applications and made it onto the Google Play Store a few times during the Covid pandemic. FaceStealer, on the other hand, is rather new, appearing last year, with the ability to create convincing overlays to trick users into entering login credentials. According to our observations, and research conducted by Meta, these apps were reasonably successful in attacking users, often using the Play Store as a delivery method. The apps aim to steal logins initially only to social media platforms, but now also steal a variety of logins.

Of note is another form of Spyware we’ve seen more of in the last few quarters. These are malicious modified versions of popular messaging apps such as WhatsApp and Telegram. Numerous mods posted on forums, discord servers, and third-party app stores offer functionality not present in the original messaging applications, which is where malicious versions of these applications may spread. We advise users to avoid installing and using modded applications as there’s no guarantee that they are safe to use. There’s potential for personal information, photos, and messages to be stolen from user accounts. Malicious actors may even steal unique keys associated with the account, which may lead to loss of access to the account itself. Additionally, Whatsapp’s FAQ warns that unofficial applications or mods may lead to account suspension or a complete ban. We, therefore, advise users to only install messaging applications from official app stores.

Spyware appears to have a relatively broad global distribution of affected users, with Brazil having the most affected users despite a 21% drop in Q3/2022. Following are India, Egypt, and the US, each with roughly a 10% increase in protected users this quarter.

Map showing global risk ratio for mobile Spyware in Q3/2022

We observed a downward trend last quarter. Still, it appears that new versions of FaceStealer bolstered the numbers of protected users this quarter. Overall, Spyware has been on the rise for the last two years.

Graph showing users (globally) Avast protected from mobile Spyware in Q3/2022

Jakub Vávra, Malware Analyst

Acknowledgements / Credits

Malware researchers

Adolf Středa
Alexej Savčin
Daniel Beneš
David Álvarez
Igor Morgenstern
Jakub Křoustek
Jakub Vávra
Jan Holman
Jan Rubín
Jan Vojtěšek
Ladislav Zezula
Luigino Camastra
Michal Salát
Martin Chlumecký 
Ondřej Mokoš
Pavlína Kopecká
Tomáš Zvara
Vladimir Martianov
Vladimír Žalud

Data analysts
  • Pavol Plaskoň
Communications
  • Marina Ziegler
  • Stefanie Smith

The post Avast Q3/2022 Threat Report appeared first on Avast Threat Labs.

Recovery of function prototypes in Visual Basic 6 executables

26 October 2022 at 13:53

I was recently probing into the Visual Basic 6 format trying to see how the IDispatch implementation resolved vtable offsets for functions.

While digging through the code, I came across several structures that I had not yet explored. These structures revealed a trove of information valuable to reverse engineers.

As we will show in this post, type information from internal structures will allow us to recover function prototypes for public object methods in standard VB6 executables.

This information is related to IDispatch internals and does not require a type library like those found with ActiveX components.

For our task of malware analysis, a static parsing approach will be of primary interest.

Background

Most VB6 code units are COM objects which support the IDispatch interface. This allows them to be easily passed around as generic types and used with scripting clients.

IDispatch allows functions to be called dynamically by name. The following VB6 code will operate through IDispatch methods:

This simple code demonstrates several things:

  • VB6 can call the proper method from a generic object type
  • named arguments in the improper order are correctly handled
  • values are automatically coerced to the correct type if possible (here the string “5” is converted to long)

If we add a DebugBreak statement, we can also see that the string “myFunc” is passed in as an argument to the underlying __vbaLateMemNamedCallLd function. This allows IDispatch::Invoke to call the proper function by string name.

From this we can intuit that the IDispatch implementation must know the complete function prototype along with argument names and types for correct invocation to occur.

We can further test this by changing an argument name, adding unexpected arguments, or setting an argument type to something that can not be coerced too long.

Each of these conditions raises an error before the function is called.

Note that there is no formal type library when this code is compiled as a standard executable. This type information is instead embedded somewhere within the binary itself.

So where is this type information stored, and how can we retrieve it?

The Hunt

If we start probing the runtime at BASIC_CLASS_Invoke we will encounter internal functions such as FuncSigOfMember, EpiGetInvokeArgs, CoerceArg, and so on. As we debug the code, we can catch access to known VB6 structures and watch where the code goes from there.

Before we get deeper, I will give a quick high-level overview of the Visual Basic 6 file format.

VB6 binaries have a series of nested structures that layout all code units, external references, forms etc. They start with the VBHeader and then branch out, covering the various aspects of the file.

In the same way that the Windows loader reads the PE file to set up proper memory layout, the VB runtime (msvbvm60.dll) reads in the VB6 file structures to ready it for execution within its environment.

Good references for the VB6 file format include:

The structure and fields names I use in this document primarily come from the Semi-VBDecompiler source. A useful structure browser is the free vbdec disassembler:
http://sandsprite.com/vbdec/

For our work, we will start with the ObjectTable found through the VBHeader->ProjectInfo->ObjectTable.

The ObjectTable->ObjectArray holds the number of Object structures as defined by its ObjectCount field. An example is shown below:

This is the top-level structure for each individual code object. Here we will find the ProcNamesArray containing ProcCount entries. This array reveals the public method names defined for the object.

The Meat

The Object->ObjInfo structure will also lead us to further information of interest. ObjInfo->PrivateObject will lead us to the main structure we are interested in for this blog post.

I could not find public documentation on this structure or those below it. What follows is what I have put together through analysis.

Development of this information had me working across four different windows simultaneously.

  • disassembly of the vb runtime
  • disassembly of the target executable
  • debugger stepping through the code and syncing the disasm views
  • specialized tool to view and search vb6 structures

The following is my current definition of the PrivateObj structure:

In the debugger, I saw vb runtime code accessing members within this structure to get to the vtable offsets for an Invoke call. I then compiled a number of source code variations while observing the effects on the structure. Some members are still unknown, but the primary fields of interest have been identified.

The PrivateObj structure leads us to arrays describing each code object’s public function, variable, and event type information.

Counts for the event and variable arrays are held directly within the PrivateObj itself. To get the count for the public functions, we have to reference the top-level Object->ProcCount field.

Note that there is a null pointer in the FuncType array above. This corresponds to a private function in the source code. If you look back, you will also see that same null entry was found in the ProcNames array listed earlier.

Each one of these type information structures is slightly different. First, we will look at what I am calling the FuncTypDesc structure.

I currently have it defined as follows:

The structure displayed above is for the following prototype:

This structure is where we start to get into the real meat of this article. The number of types defined for the method is held within the argSize field. The first three bits are only set for property types.

  • 111 is a property Set
  • 010 is a property Let
  • 001 is a property Get (bFlags bit one will additionally be set)

The type count will be the remaining bits divided by four.

If the bFlags bit one is set, the last entry represents the method’s return value. In all other scenarios, the types represent the arguments from one to arg count. VB6 supports a maximum of 59 user arguments to a method.

An argSize of 0 is possible for a sub routine that takes no arguments and has no return value.

The vOff field is the vtable offset for the member. The lowest bit is used as a flag in the runtime and cleared before use. Final adjusted values will all be 32-bit aligned.

The optionalVals field will be set if the method has optional parameters which include default values.

LpAryArgNames is a pointer to a string array. It is not null- terminated, so you should calculate the argument count before walking it.

After the structure, we see several extra bytes. These represent the type information for the prototype. This buffer size is dynamic.

A mapping of these values was determined by compiling variations and comparing output for changes. The following values have been identified.

The above code, shows that 0x20, 0x40, and 0x80 bits have been set to represent ByRef, Array, and Optional specifiers. These are combined with the base types identified in the enumeration. These do not align with the standard VARIANT VARENUM type values.

The comobj and internal flags are special cases that embed an additional 32-bit value after the type specifier byte.

This will link to the targets ObjInfo structure for internal objects.

If the comobj type is encountered, an offset to another structure will be found that specifies the objects library guid, clsid, library name, and dll path. We will show this structure later when we cover public variables.

It is important to note that these offsets appear to always be 32-bit aligned. This can introduce null padding between the type byte and the data offset. Null padding has also been observed between individual type bytes as well. Parsers will have to be tolerant of these variations.

Below is the type definition for the following prototype:

Next up comes a quick look at the PubVarDesc structure. Here is a structure for the following prototype:

This example shows flag 0x1D to declare an external COM object type. An offset then follows this to a structure which defines the details of the COM object itself.

The value 0x3c in the varOffset field is where the data for this variable is stored. For VB6 COM objects the ObjPtr() returns a structure where the first member is a pointer to the objects Vtable. The areas below that contain class instance data. Here myPublicVar would be found at ObjPtr()+0x3c.

Finally, we will look at an EventDesc structure for the following prototype:

This structure closely follows the layout of the PubFuncDesc type. One thing to note, however, is that I have not currently been able to locate a link to the Event name strings embedded within the compiled binaries.

In practice, they are embedded after the strings of the ProcNamesArray.

Note that the class can raise these events to call back to the consumer. There is no implementation of an event routine within the code object that defines it.

Conclusion

In this post, we have detailed several structures which will allow analysts to parse the VB object structures and extract function prototypes for public object members.

This type information is included as part of the standard IDispatch plumbing for every user-generated VB6 form, class, user control, etc. This does not apply to functions in BAS code modules as they are not COM objects internally.

It is also interesting to note that VB6 embeds this type data right along with the other internal structures in the .text section of the PE file. No type library is required, and this feature can not be disabled.

While the structures portion of the .text section can contain various compiler-generated native code stubs, all user code falls into the memory range as defined by the VBHeader.ProjectInfo.StartOfCode and EndOfCode offsets.

The framework required to analyze a VB6 binary and resolve the information laid out in this posting can be fairly complex. Luckily open-source implementations already exist to help ease the burden.

Structure and prototype extraction routines have already been included in the free vbdec disassembler. This tool can also generate IDC scripts to apply the appropriate structure definitions to a disassembly.

VB6 binaries are typically considered hard to analyze. Extracting internal function prototypes will be a very welcome addition for reverse engineers.

The post Recovery of function prototypes in Visual Basic 6 executables appeared first on Avast Threat Labs.

Decrypted: MafiaWare666 Ransomware

4 October 2022 at 11:36

Avast releases a MafiaWare666 ransomware decryption tool. MafiaWare666 is also known as JCrypt, RIP Lmao, BrutusptCrypt or Hades.

Skip to how to use the MafiaWare666 ransomware decryptor.

MafiaWare666’s Behavior

MafiaWare666 is a ransomware strain written in C# which doesn’t contain any obfuscation or anti-analysis techniques. It encrypts files using the AES encryption. We discovered a vulnerability in the encryption schema that allows some of the variants to be decrypted without paying the ransom. New or previously unknown samples may encrypt files differently, so they may not be decryptable without further analysis.

The ransomware searches special folder locations (Desktop, Music, Videos, Pictures and Documents) and encrypts files with the following extensions:

3fr 7z accdb ai apk arch00 arw asp aspx asset avi bar bat bay bc6 bc7 big bik bkf bkp blob bsa c cas cdr cer cfr cpp cr2 crt crw cs css csv csv d3dbsp das dazip db0 dba dbf dcr der desc divx dmp dng doc doc docm docx docx dwg dxg epk eps erf esm ff flv forge fos fpk fsh gdb gho h hkdb hkx hplg hpp html hvpl ibank icxs indd index itdb itl itm iwd iwi jpe jpeg jpg js kdb kdc kf layout lbf litemod lrf ltx lvl m2 m3u m4a map mcmeta mdb mdb mdbackup mddata mdf mef menu mkv mlx mov mp3 mp4 mpeg mpqge mrwref ncf nrw ntl odb odc odm odp ods odt odt ogg orf p12 p7b p7c pak pdd pdf pef pem pfx php pk7 pkpass png ppt ppt pptm pptx pptx psd psk pst ptx py qdf qic r3d raf rar raw rb re4 rgss3a rim rofl rtf rw2 rwl sav sb sid sidd sidn sie sis slm sln snx sql sql sr2 srf srw sum svg syncdb t12 t13 tax tor txt upk vb vcf vdf vfs0 vpk vpp_pc vtf w3x wallet wav wb2 wma wmo wmv wotreplay wpd wps x3f xlk xls xls xlsb xlsm xlsx xlsx xml xxx zip zip ztmp

Encrypted files are given a new extension, which varies among the samples.

  • .MafiaWare666
  • .jcrypt
  • .brutusptCrypt
  • .bmcrypt
  • .cyberone
  • .l33ch

The ransomware displays a window with instructions explaining how to pay the ransom, once it completes the encryption process. The instructions tell victims to contact the attacker and pay them in Bitcoin. The ransom price is relatively low, between $50 – $300, although some of the older samples with different names demand much more, up to one Bitcoin, which is around $20,000 at the time of publishing.

Here are some examples of MafiaWare666 ransom notes:

How to use the Avast MafiaWare666 ransomware decryption tool  to decrypt files encrypted by the  ransomware

Follow these steps to decrypt your files:

1) Download the free decryptor

2) Run the executable file. It starts as a wizard, leading you through the configuration of the decryption process.

3) On the initial page, you can read the license information if you want, but you really only need to click “Next”

4) On the next page, select the list of locations you want to be searched and decrypted. By default, it contains a list of all local drives:

5) On the third page, you need to provide a file in its original form and encrypted by the MafiaWare666 ransomware. Enter both names of the files. If you have an encryption password created by a previous run of the decryptor, you can select “I know the password for decrypting files” option:

6) The next page is where the password cracking process takes place. Click “Start” when you are ready to start the process. The password cracking process uses all known MafiaWare666 passwords to determine the right one.

7) Once the password is found, you can proceed to decrypt all the encrypted files on your PC by clicking “Next”.

8) On the final page, you can opt-in to backup your encrypted files. These backups may help if anything goes wrong during the decryption process. This option is on by default, which we recommend. After clicking “Decrypt” the decryption process begins. Let the decryptor work and wait until it finishes decrypting all of your files.

Indicators of Compromise (IoCs):

IoCs are available at https://github.com/avast/ioc/tree/master/MafiaWare666.

.MafiaWare666

6e91c9b5d052842093c6c292ec8224755d376aba6172d94faa241d8b192cb265
73d8e7baa073997d060ecf826b533263cf857a89b36a5fea809b7dbfc70b2d25
8324172e89866ed7122a9518bdc07e07ec2d173462dbbe2ff030fb408bc18123

.jcrypt

89ebe17b6dbb9dac780a4e2fe38da0261fa671cc79f4fe07cb9d26d9c0e447d2
979962e2d9f64ee15854e6df908627c90ab85a0a346c11656df46d3130459dc9

.brutusptCrypt

8c1a97f84caa9d58940d936a1c79c1c8d5fb791e1b3cac9fda22d195d3aeaea9

.bmcrypt

5d4ba2e6cc18dc509e73f3ceeea82a83ca252d07444a6b669947d31f60c6dfb8

.cyberone

ee376851cb318f77b9c8b715a09c5c0ce11043f679bb39fa5b5d67242c1c3bb9

The post Decrypted: MafiaWare666 Ransomware appeared first on Avast Threat Labs.

Raspberry Robin’s Roshtyak: A Little Lesson in Trickery

22 September 2022 at 10:48

There are various tricks malware authors use to make malware analysts’ jobs more difficult. These tricks include obfuscation techniques to complicate reverse engineering, anti-sandbox techniques to evade sandboxes, packing to bypass static detection, and more. Countless deceptive tricks used by various malware strains in-the-wild have been documented over the years. However, few of these tricks are implemented in a typical piece of malware, despite the many available tricks. 

The subject of this blog post, a backdoor we dubbed Roshtyak, is not your typical piece of malware. Roshtyak is full of tricks. Some are well-known, and some we have never seen before. From a technical perspective, the lengths Roshtyak takes to protect itself are extremely interesting. Roshtyak belongs to one of the best-protected malware strains we have ever seen. We hope by publishing our research and analysis of the malware and its protection tricks we will help fellow researchers recognize and respond to similar tricks, and harden their analysis environments, making them more resistant to the evasion techniques described.

Roshtyak is the DLL backdoor used by Raspberry Robin, a worm spreading through infected removable drives. Raspberry Robin is extremely prevalent. We protected over 550K of our users from the worm this year. Due to its high prevalence, it should be no surprise that we aren’t the only ones taking note of Raspberry Robin. 

Red Canary’s researchers published the first analysis of Raspberry Robin in May 2022. In June, Symantec published a report describing a mining/clipboard hijacking operation, which reportedly made the cybercriminals at least $1.7 million. Symantec did not link the malicious operation to Raspberry Robin. Nevertheless, we assess with high confidence that what they analyzed was Raspberry Robin. This assessment is based on C&C overlaps, strong malware similarity, and coinfections observed in our telemetry. Cybereason, Microsoft, and Cisco published further reports in July/August 2022. Microsoft reported that Raspberry Robin infections led to DEV-0243 (a.k.a Evil Corp) pre-ransomware behavior. We could not confirm this connection using our telemetry. Still, we find it reasonable to believe that the miner payload is not the only way Raspberry Robin infections are being monetized. Other recent reports also hint at a possible connection between Raspberry Robin and Evil Corp.

A map showing the number of users Avast protected from Raspberry Robin

There are many unknowns about Raspberry Robin, despite so many published reports. What are the ultimate objectives behind the malware? Who is responsible for Raspberry Robin? How did it become so prevalent? Unfortunately, we do not have answers to all these questions. However, we can answer an important question we saw asked multiple times: What functionality is hidden inside the heavily obfuscated DLL (or Roshtyak as we call it)? To answer this question, we fully reverse engineered a Roshtyak sample, and present our analysis results in this blog post.

Overview

Roshtyak is packed in as many as 14 protective layers, each heavily obfuscated and serving a specific purpose. Some artifacts suggest the layers were originally PE files but were transformed into custom encrypted structures that only the previous layers know how to decrypt and load. Numerous anti-debugger, anti-sandbox, anti-VM, and anti-emulator checks are sprinkled throughout the layers. If one of these checks successfully detects an analysis environment, one of four actions are taken. 

  1. The malware calls TerminateProcess on itself to avoid exhibiting any further malicious behavior and to keep the subsequent layers encrypted.
  2. Roshtyak crashes on purpose. This has the same effect as terminating itself, but it might not be immediately clear if the crash was intentional or because of a bug thanks to Roshtyak’s obfuscated nature.
  3. The malware enters an infinite loop on purpose. Since the loop itself is located in obfuscated code and spans thousands of instructions, it might be hard to determine if the loop is doing something useful or not.
  4. The most interesting case is when the malware reacts to a successful check by unpacking and loading a fake payload. This happens in the eighth layer, which is loaded with dozens of anti-analysis checks. The result of each of these checks is used to modify the value of a global variable. There are two payloads encrypted in the data section of the eighth layer: the real ninth layer and a fake payload. The real ninth layer will get decrypted only if the global variable matches the expected value after all the checks have been performed. If at least one check succeeded in detecting an analysis environment, the global variable’s value will differ from the expected value, causing Roshtyak to unpack and execute the fake payload instead. 
Roshtyak’s obfuscation causes even relatively simple functions to grow into large proportions. This necessitates some custom deobfuscation tooling if one wants to reverse engineer it within a reasonable timeframe.

The fake payload is a BroAssist (a.k.a BrowserAssistant) adware sample. We believe this fake payload was intended to mislead malware analysts into thinking the sample is less interesting than it really is. When a reverse engineer focuses on quickly unpacking a sample, it might look like the whole sample is “just” an obfuscated piece of adware (and a very old one at that), which could cause the analyst to lose interest in digging deeper. And indeed, it turns out that these fake payload shenanigans can be very effective. As can be seen on the screenshot below, it fooled at least one researcher, who misattributed the Raspberry Robin worm, because of the fake BrowserAssistant payload.

A security researcher misattributing Raspberry Robin because of the fake payload. This is not to pick on anyone, we just want to show how easy it is to make a mistake like this given Roshtyak’s trickery and complexity.

The Bag of Tricks

For the sake of keeping this blog post (sort of) short and to the point, let’s get straight into detailing some of the more interesting evasion techniques employed by Roshtyak.

Segment registers

Early in the execution, Roshtyak prefers to use checks that do not require calling any imported functions. If one of these checks is successful, the sample can quietly exit without generating any suspicious API calls. Below is an example where Roshtyak checks the behavior of the gs segment register. The check is designed to be stealthy and the surrounding garbage instructions make it easy to overlook.

A stealthy detection of single-stepping. Only the underscored instructions are useful.

The first idea behind this check is to detect single-stepping. Before the above snippet, the value of cx was initialized to 2. After the pop ecx instruction, Roshtyak checks if cx is still equal to 2. This would be the expected behavior because this value should propagate through the stack and the gs register under normal circumstances. However, a single step event would reset the value of the gs selector, which would result in a different value getting popped into ecx at the end.

But there is more to this check. As a side effect of the two push/pop pairs above, the value of gs is temporarily changed to 2. After this check, Roshtyak enters a loop, counting the number of iterations until the value of gs is no longer 2. The gs selector is also reset after a thread context switch, so the loop essentially counts the number of iterations until a context switch happens. Roshtyak repeats this procedure multiple times, averages out the result, and checks that it belongs to a sensible range for a bare metal execution environment. If the sample runs under a hypervisor or in an emulator, the average number of iterations might fall outside of this range, which allows Roshtyak to detect undesirable execution environments.

Roshtyak also checks that the value of the cs segment register is either 0x1b or 0x23. Here, 0x1b is the expected value when running on native x86 Windows, while 0x23 is the expected value under WoW64.

APC injection through a random ntdll gadget

Roshtyak performs some of its functionality from separate processes. For example, when it communicates with its C&C server, it spawns a new innocent-looking process like regsvr32.exe. Using shared sections, it injects its comms module into the address space of the new process. The injected module is executed via APC injection, using NtQueueApcThreadEx.

Interestingly, the ApcRoutine argument (which marks the target routine to be scheduled for execution) does not point to the entry point of the injected module. Instead, it points to a seemingly random address inside ntdll. Taking a closer look, we see this address was not chosen randomly but that Roshtyak scanned the code section of ntdll for pop r32; ret gadgets (excluding pop esp, because pivoting the stack would be undesirable) and picked one at random to use as the ApcRoutine

A random pop r32; ret gadget used as the entry point for APC injection

Looking at the calling convention for the ApcRoutine reveals what’s going on. The pop instruction makes the stack pointer point to the SystemArgument1 parameter of NtQueueApcThreadEx and so the ret instruction effectively jumps to wherever SystemArgument1 is pointing. This means that by abusing this gadget, Roshtyak can treat SystemArgument1 as the entry point for the purpose of APC injection. This obfuscates the control flow and makes the NtQueueApcThreadEx call look more legitimate. If someone hooks this function and inspects the ApcRoutine argument, the fact that it is pointing into the ntdll code section might be enough to convince them that the call is not malicious.

Checking read/write performance on write-combined memory

In this next check, Roshtyak allocates a large memory buffer with the PAGE_WRITECOMBINE flag. This flag is supposed to modify cache behavior to optimize sequential write performance (at the expense of read performance and possibly memory ordering). Roshtyak uses this to detect if it’s running on a physical machine. It conducts an experiment where it first writes to the allocated buffer and then reads from the allocated buffer, all while measuring the read/write performance using a separate thread as a counter. This experiment is repeated 32 times and the check is passed only if write performance was at least six times higher than read performance most of the times. If the check fails, Roshtyak intentionally selects a wrong RC4 key, which results in failing to properly decrypt the next layer.

Hiding shellcode from plain sight

The injected shellcode is interestingly hidden, too. When Roshtyak prepares for code injection, it first creates a large section and maps it into the current process as PAGE_READWRITE. Then, it fills the section with random data and places the shellcode at a random offset within the random data. Since the shellcode is just a relatively small loader followed by random-looking packed data, the whole section looks like random data. 

A histogram of the bytes inside the shared section. Note that it looks almost random, the most suspicious sign is the slight overrepresentation of null bytes.

The section is then unmapped from the current process and mapped into the target process, where it is executed using the above-described APC injection technique. The random data was added in an attempt to conceal the existence of the shellcode. Judging only from the memory dump of the target process, it might look like the section is full of random data and does not contain any valid executable code. Even if one suspects actual valid code somewhere in the middle of the section, it will not be easy to find its exact location. 

The start of the shellcode within the shared section. It might be hard to pinpoint the exact start address because it unconventionally starts on an odd bt instruction.

Ret2Kernel32

Roshtyak makes a point of cleaning up after itself. Whenever a certain string or piece of memory is no longer needed, Roshtyak wipes and/or frees it in an attempt to destroy as much evidence as possible. The same holds for Roshtyak’s layers. Whenever one layer finishes its job, it frees itself before passing execution onto the next layer. However, the layer cannot just simply free itself directly. The whole process would crash if it called VirtualFree on the region of memory it’s currently executing from.

Roshtyak, therefore, frees the layer through a ROP chain executed during layer transitions to avoid this problem. When a layer is about to exit, it constructs a ROP chain on the stack and returns into it. An example of such a ROP chain can be seen below. This chain starts by returning into VirtualFree and UnmapViewOfFile to release the previous layer’s memory. Then, it returns into the next layer. The return address from the next layer is set to RtlExitUserThread, to safeguard execution.

A simple ROP chain consisting of VirtualFree -> UnmapViewOfFile -> next layer -> RtlExitUserThread

MulDiv bug

MulDiv is a function exported by kernel32.dll, which takes three signed 32-bit integers as arguments. It multiplies the first two arguments, divides the multiplication result by the third argument, and returns the final result rounded to the nearest integer. While this might seem like a simple enough function, there’s an ancient sign extension bug in Microsoft’s implementation. This bug is sort of considered a feature now and might never get fixed.

Roshtyak is aware of the bug and tests for its presence by calling MulDiv(1, 0x80000000, 0x80000000). On real Windows machines, this triggers the bug and MulDiv erroneously returns 2, even though the correct return value should be 1, because (1 * -2147483648) / -2147483648 = 1. This allows Roshtyak to detect emulators that do not replicate the bug. For example, this successfully detects Wine, which, funnily enough, contains a different bug, which makes the above call return 0.

Tampering with return addresses stored on the stack

There are also tricks designed to obfuscate function calls. As shown in the previous section, Roshtyak likes to call functions using the ret instruction. This next trick is similar in that it also manipulates the stack so a ret instruction can be used to jump to the desired address. 

To achieve this, Roshtyak scans the current thread’s stack for pointers into the code section of one of the previous layers (unlike the other layers, this one was not freed using the ROP chain technique). It replaces all these pointers with the address it wants to call. Then it lets the code return multiple times until a ret instruction encounters one of the hijacked pointers, redirecting the execution to the desired address.

Exception-based checks

Additionally, Roshtyak contains checks that set up a custom vectored exception handler and intentionally trigger various exceptions to ensure they all get handled as expected.

Roshtyak sets up a vectored exception handler using RtlAddVectoredExceptionHandler. This handler contains custom handlers for selected exception codes. A top-level exception handler is also registered using SetUnhandledExceptionFilter. This handler should not be called in the targeted execution environments (none of the intentionally triggered exceptions should fall through the vectored exception handler). So this top-level handler just contains a single call to TerminateProcess. Interestingly, Roshtyak also uses ZwSetInformationProcess to set SEM_FAILCRITICALERRORS using the ProcessDefaultHardErrorMode class. This ensures that even if the exception somehow is passed all the way to the default exception handler, Windows would not show the standard error message box, which could alert the victim that something suspicious is going on.

When everything is set up, Roshtyak begins generating exceptions. The first exception is generated by a popf instruction, directly followed by a cpuid instruction (shown below). The value popped by the popf instruction was crafted to set the trap flag, which should, in turn, raise a single-step exception. On a physical machine, the exception would trigger right after the cpuid instruction. Then, the custom vectored exception handler would take over and move the instruction pointer away from the C7 B2 opcodes, which mark an invalid instruction. However, under many hypervisors, the single-step exception would not be raised. This is because the cpuid instruction forces a VM exit, which might delay the effect of the trap flag. If that is the case, the processor will raise an illegal instruction exception when trying to execute the invalid opcodes. If the vectored exception handler encounters such an exception, it knows that it is running under a hypervisor. A variation of this technique is described thoroughly in a blog post by Palo Alto Networks. Please refer to it for more details. 

The exception-based check using popf and cpuid to detect hypervisors

Another exception is generated using the two-byte int 3 instruction (CD 03). This instruction is followed by garbage opcodes. The int 3 here raises a breakpoint exception, which is handled by the vectored exception handler. The vectored exception handler doesn’t really do anything to handle the exception, which is interesting. This is because by default, when Windows handles the two-byte int 3 instruction, it will leave the instruction pointer in between the two instruction bytes, pointing to the 03 byte. When disassembled from this 03 byte, the garbage opcodes suddenly start making sense. We believe this is a check against some overeager debuggers, which could “fix” the instruction pointer to point after the 03 byte.

Moreover, the vectored exception handler checks the thread’s CONTEXT and makes sure that registers Dr0 through Dr3 are empty. If they are not, the process is being debugged using hardware breakpoints. While this check is relatively common in malware, the CONTEXT is usually obtained using a call to a function like GetThreadContext. Here, the malware authors took advantage of CONTEXT being passed as an argument to the exception handler, so they did not need to call any additional API functions.

Large executable mappings

This next check is interesting mostly because we are not sure what it’s really supposed to check (in other words, we’d be happy to hear your theories!). It starts with Roshtyak creating a large PAGE_EXECUTE_READWRITE mapping of size 0x386F000. Then it maps this mapping nine times into its own address space. After this, it memsets the mapping to 0x42 (opcode for inc edx), except for the last six bytes, which are filled with four inc ecx instructions and jmp dword ptr [ecx] (see below). Next, it puts the nine base addresses of the mapped views into an array, followed by an address of a single ret instruction. Finally, it points ecx into this array and calls the first mapped view, which results in all the mapped views being called sequentially until the final ret instruction. After the return, Roshtyak validates that edx got incremented exactly 0x1FBE6FCA times (9 * (0x386F000 - 6)).

The end of the large mapped section. The jmp dword ptr [ecx] instruction is supposed to jump to the start of the next mapped view.

Our best guess is that this is yet another anti-emulator check. For example, in some emulators, mapped sections might not be fully implemented, so the instructions written into one instance of the mapped view might not propagate to the other eight instances. Another theory is the check could be done to request large amounts of memory that emulators might fail to provide. After all, the combined size of all the views is almost half of the standard 32-bit user mode address space.

Detecting process suspension

This trick abuses an undocumented thread creation flag in NtCreateThreadEx to detect when Roshtyak’s main process gets externally suspended (which could mean that a debugger got attached). This flag essentially allows a thread to keep running even when PsSuspendProcess gets called. This is coupled with another trick abusing the fact that the thread suspend counter is a signed 8-bit value, which means that it maxes out at 127. Roshtyak spawns two threads, one of which keeps suspending the other one until the suspend counter limit is reached. After this, the first thread keeps periodically suspending the other one and checking if the call to NtSuspendThread keeps failing with STATUS_SUSPEND_COUNT_EXCEEDED. If it does not, the thread must have been externally suspended and resumed (which would leave the suspend counter at 126, so the next call to NtSuspendThread would succeed). Not getting this error code would be suspicious enough for Roshtyak to quit using TerminateProcess. This entire technique is described in more detail in a blog post by Secret Club. We believe that’s where the authors of Roshtyak got this trick from. It’s also worth mentioning Roshtyak uses this technique only on Windows builds 18323 (19H1) and later because the undocumented thread creation flag was not implemented on prior builds.

Indirect registry writes

Roshtyak performs many suspicious registry operations, for example, setting up the RunOnce key for persistence. Since modifications to such keys are likely to be monitored, Roshtyak attempts to circumvent the monitoring. It first generates a random registry key name and temporarily renames the RunOnce key to the random name using ZwRenameKey. Once renamed, Roshtyak adds a new persistence entry to the temporary key before finally renaming it back to RunOnce. This method of writing to the registry can be easily detected, but it might bypass some simple hooking-based monitoring methods.

Similarly, there are multiple methods Roshtyak uses to delete files. Aside from the apparent call to NtDeleteFile, Roshtyak is able to effectively delete a file by setting FileDispositionInformation or FileRenameInformation in a call to ZwSetInformationFile. However, unlike the registry modification method, this doesn’t seem to be implemented in order to evade detection. Instead, Roshtyak will try these alternative methods if the initial call to NtDelete file fails. 

Checking VBAWarnings

The VBAWarnings registry value controls how Microsoft Office behaves when a user opens a document containing embedded VBA macros. If this value is 1 (meaning “Enable all macros”), macros are executed by default, even without the need for any user interaction. This is a common setting for sandboxes, which are designed to detonate maldocs automatically. On the other hand, this setting is uncommon for regular users, who generally don’t go around changing random settings to make themselves more vulnerable (at least most of them don’t). Roshtyak therefore uses this check to differentiate between sandboxes and regular users and refuses to run further if the value of VBAWarnings is 1. Interestingly, this means that users, who for whatever reason have lowered their security this way, are immune to Roshtyak.

Command line wiping

Roshtyak’s core is executed with very suspicious command lines, such as RUNDLL32.EXE SHELL32.DLL,ShellExec_RunDLL REGSVR32.EXE -U /s "C:\Users\<REDACTED>\AppData\Local\Temp\dpcw.etl.". These command lines don’t look particularly legitimate, so Roshtyak attempts to hide them during execution. It does this by wiping command line information collected from various sources. It starts by calling GetCommandLineA and GetCommandLineW and wiping both of the returned strings. Then it attempts to wipe the string pointed to by PEB->ProcessParameters->CommandLine (even if this points to a string that has already been wiped). Since Roshtyak is often running under WoW64, it also calls NtWow64QueryInformationProcess64 to obtain a pointer to PEB64 to wipe ProcessParameters->CommandLine obtained by traversing this “second” PEB. While the wiping of the command lines was probably meant to make Roshtyak look more legitimate, the complete absence of any command line is also highly unusual. This was noticed by the Red Canary researchers in their blog post, where they proposed a detection method based on these suspiciously empty command lines.

Roshtyak’s core process, as shown by Process Explorer. Note the suspiciously empty command line.

Additional tricks

Aside from the techniques described so far, Roshtyak uses many less sophisticated tricks that are commonly found in other malware as well. These include:

  • Hiding threads using ThreadHideFromDebugger (and verifying that the threads really got hidden using NtQueryInformationThread)
  • Patching DbgBreakPoint in ntdll
  • Detecting user inactivity using GetLastInputInfo
  • Checking fields from PEB (BeingDebugged, NtGlobalFlag)
  • Checking fields from KUSER_SHARED_DATA (KdDebuggerEnabled, ActiveProcessorCount, NumberOfPhysicalPages)
  • Checking the names of all running processes (some are compared by hash, some by patterns, and some by character distribution)
  • Hashing the names of all loaded modules and checking them against a hardcoded blacklist
  • Verifying the main process name is not too long and doesn’t match known names used in sandboxes
  • Using the cpuid instruction to check hypervisor information and the processor brand
  • Using poorly documented COM interfaces
  • Checking the username and computername against a hardcoded blacklist
  • Checking for the presence of known sandbox decoy files
  • Checking MAC addresses of own adapters against a hardcoded blacklist
  • Checking MAC addresses from the ARP table (using GetBestRoute to populate it and GetIpNetTable to inspect it)
  • Calling ZwQueryInformationProcess with ProcessDebugObjectHandle, ProcessDebugFlags, and ProcessDebugPort
  • Checking DeviceId of display devices (using EnumDisplayDevices)
  • Checking ProductId of \\.\PhysicalDrive0 (using IOCTL_STORAGE_QUERY_PROPERTY)
  • Checking for virtual hard disks (using NtQuerySystemInformation with SystemVhdBootInformation)
  • Checking the raw SMBIOS firmware table (using NtQuerySystemInformation with SystemFirmwareTableInformation)
  • Setting up Defender exclusions (both for paths and processes)
  • Removing IFEO registry keys related to process names used by the malware

Obfuscation

We’ve shown many anti-analysis tricks that are designed to prevent Roshtyak from detonating in undesirable execution environments. These tricks alone would be easy to patch or bypass. What makes analyzing Roshtyak especially lethal is the combination of all these tricks with heavy obfuscation and multiple layers of packing. This makes it very difficult to study the anti-analysis tricks statically and figure out how to pass all the checks in order to get Roshtyak to unpack itself. Furthermore, even the main payload received the same obfuscation, which means that statically analyzing Roshtyak’s core functionality also requires a great deal of deobfuscation. 

In the rest of this section, we’ll go through the main obfuscation techniques used by Roshtyak.

A random code snippet from Roshtyak. As can be seen, the obfuscation makes the raw output of the Hex-Rays decompiler practically incomprehensible.

Control flow flattening

Control flow flattening is one of the most noticeable obfuscation techniques employed by Roshtyak. It is implemented in an unusual way, giving the control flow graphs of Roshtyak’s functions a unique look (see below). The goal of control flow flattening is to obscure control flow relations between individual code blocks. 

Control flow is directed by a 32-bit control variable, which tracks the execution state, identifying the code block to be executed. This control variable is initialized at the start of each function to refer to the starting code block (which is frequently a nop block). The control variable is then modified at the end of each code block to identify the next code block that should be executed. The modification is performed using some arithmetic instructions, such as add, sub, or xor.

There is a dispatcher using the control variable to route execution into the correct code block. This dispatcher is made up of if/else blocks that are circularly linked into a loop. Each dispatcher block takes the control variable and masks it using arithmetic instructions to check if it should route execution into the code block that it is guarding. What’s interesting here is there are multiple points of entry from the code blocks into the dispatcher loop, giving the control flow graphs the jagged “sawblade” look in IDA. 

Branching is performed using a special code block containing an imul instruction. It relies on the previous block to compute a branch flag. This branch flag is multiplied using the imul instruction with a random constant, and the result is added, subbed, or xored to the new control variable. This means that after the branch block, the control variable will identify one of the two possible succeeding code blocks, depending on the value that was computed for the branch flag.

Control flow graph of a function obfuscated using control flow flattening

Function activation keys

Roshtyak’s obfuscated functions expect an extra argument, which we call an activation key. This activation key is used to decrypt all local constants, strings, variables, etc. If a function is called with a wrong activation key, the decryption results in garbage plaintext, which will most likely cause Roshtyak to get stuck in an infinite loop inside the control flow dispatcher. This is because all constants used by the dispatcher (the initial value of the control variable, the masks used by the dispatcher guards, and the constants used to jump to the next code block) are encrypted with the activation key. Without the correct activation key, the dispatcher simply does not know how to dispatch.

Reverse engineering a function is practically impossible without knowing the correct activation key. All strings, buffers, and local variables/constants remain encrypted, all cross-references are lost, and worse, there is no control flow information. Only individual code blocks remain, with no way to know how they relate to each other.

Each obfuscated function has to be called from somewhere, which means the code calling the function has to supply the correct activation key. However, obtaining the activation key is not that easy. First, call targets are also encrypted with activation keys, so it’s impossible to find where a function is called from without knowing the right activation keys. Second, even the supplied activation key is encrypted with the activation key of the calling function. And that activation key got encrypted with the activation key of the next calling function. And so on, recursively, all the way until the entry point function.

This brings us to how to deobfuscate the mess. The activation key of the entry point function must be there in plaintext. Using this activation key, it is possible to decrypt the call targets and activation keys of functions that are called directly from this entry point function. Applying this method recursively allows us to reconstruct the full call graph along with the activation keys of all the functions. The only exceptions would be functions that were never called and were left in by the compiler. These functions will probably remain a mystery, but since the sample does not use them, they are not that important from a malware analyst’s point of view.

Variable masking

Some variables are not stored in plaintext form but are masked using one or more arithmetic instructions. This means that if Roshtyak is not actively using a variable, it keeps the variable’s value in an obfuscated form. Whenever Roshtyak needs to use the variable, it has to first unmask it before it can use it. Conversely, after Roshtyak uses the variable, it converts it back into the masked form. This masking-based obfuscation method slightly complicates tracking variables during debugging and makes it harder to search memory for a known variable value.

Loop transformations

Roshtyak is creative with some loop conditions. Instead of writing a loop like for (int i = 0; i < 1690; i++), it transforms the loop into e.g. for (int32_t i = 0x06AB91EE; i != 0x70826068; i = i * -0x509FFFF + 0xEC891BB1). While both loops will execute exactly 1690 times, the second one is much harder to read. At first glance, it is not clear how many iterations the second loop executes (and if it even terminates). Tracking the number of loop iterations during debugging is also much harder in the second case.

Packing

As mentioned, Roshtyak’s core is hidden behind multiple layers of packing. While all the layers look like they were originally compiled into PE files, all but the strictly necessary data (entry point, sections, imports, and relocations) were stripped away. Furthermore, Roshtyak supports two custom formats for storing the stripped PE file information, and the layers take turns on what format they use. Additionally, parts of the custom formats are encrypted, sometimes using keys generated based on the results of various anti-analysis checks.

This makes it difficult to unpack Roshtyak’s layers statically into a standalone PE file. First, one would have to reverse engineer the custom formats and figure out how to decrypt the encrypted parts. Then, one would have to reconstruct the PE header, the sections, the section headers, and the import table (the relocation table doesn’t need to be reconstructed since relocations can just be turned off). While this is all perfectly doable (and can be simplified using libraries like LIEF), it might take a significant amount of time. Adding to this that the layers are sometimes interdependent, it might be easier to just analyze Roshtyak dynamically in memory.

A section header in one of the custom PE-like file formats: raw_size corresponds to SizeOfRawData, raw_size + virtual_padding_size is effectively VirtualSize. There is no VirtualAddress or PointerToRawData equivalent because the sections are loaded sequentially.

Other obfuscation techniques

In addition to the above-described techniques, Roshtyak also uses other obfuscation techniques, including:

  • Junk instruction insertion
  • Import hashing
  • Frequent memory wiping
  • Mixed boolean-arithmetic obfuscation
  • Redundant threading
  • Heavy polymorphism

Core Functionality

Now that we’ve described how Roshtyak protects itself, it might be interesting to also go over what it actually does. Roshtyak’s DLL is relatively large, over a megabyte, but its functionality is surprisingly simple once you eliminate all the obfuscation. Its main purpose is to download further payloads to execute. In addition, it does the usual evil malware stuff, namely establishing persistence, escalating privileges, lateral movement, and exfiltrating information about the victim.

Persistence

Roshtyak first generates a random file name in %SystemRoot%\Temp and moves its DLL image there. The generated file name consists of two to eight random lowercase characters concatenated with a random extension chosen from a hardcoded list. The PRNG used to generate this file name is seeded with the volume serial number of C:\. The sample we analyzed hardcoded seven extensions (.log, .tmp, .loc, .dmp, .out, .ttf, and .etl). We observed other extensions being used in other samples, suggesting this list is somewhat dynamic. With a small probability, Roshtyak will also use a randomly generated extension. Once fully constructed, the full path to the Roshtyak DLL might look like e.g. C:\Windows\Temp\wcdp.etl.

After the DLL image is moved to the new filesystem path, Roshtyak stomps its Modified timestamp to the current system time. It then proceeds to set up a RunOnce(Ex) registry key to actually establish persistence. The registry entry is created using the previously described indirect registry write technique. The command inserted into the key might look as follows:

RUNDLL32.EXE SHELL32.DLL,ShellExec_RunDLL REGSVR32.EXE -U /s "C:\Windows\Temp\wcdp.etl."

There are a couple of things to note here. First, regsvr32 doesn’t care about the extensions of the DLLs it loads, allowing Roshtyak to hide under an innocent-looking extension such as .log. Second, the /s parameter puts regsvr32 into silent mode. Without it, regsvr32 would complain that it did not find an export named DllUnregisterServer. Finally, notice the trailing period character at the end of the path. This period is removed during path normalization, so it practically has no effect on the command. We are not exactly sure what the author’s original intention behind including this period character is. It looks like it could have been designed to trick some anti-malware software into not being able to connect the persistence entry with the payload on the filesystem.

By default, Roshtyak uses the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce key for persistence. However, under some circumstances (such as when it detects that Kaspersky is running by checking for a process named avp.exe) the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx will be used instead. The RunOnceEx key is capable of loading a DLL, so when using this key, Roshtyak specifies shell32.dll directly, omitting the use rundll32.

A RunOnceEx persistence entry established by Roshtyak

Privilege escalation

Roshtyak uses both UAC bypasses and regular EoP exploits in an attempt to elevate its privileges. Unlike many other pieces of malware, which just blindly execute whatever UAC bypasses/exploits the authors could find, Roshtyak makes efforts to figure out if the privilege escalation method is even likely to be successful. This was probably implemented to lower the chances of detection due to the unnecessary usage of incompatible bypasses/exploits. For UAC bypasses, this involves checking the ConsentPromptBehaviorAdmin and ConsentPromptBehaviorUser registry keys. For EoP exploits, this is about checking the Windows build number and patch level.

Besides checking the ConsentPromptBehavior(Admin|User) keys, Roshtyak performs other sanity checks to ensure that it should proceed with the UAC bypass. Namely, it checks for admin privileges using CheckTokenMembership with the SID S-1-5-32-544 (DOMAIN_ALIAS_RID_ADMINS). It also inspects the value of the DbgElevationEnabled flag in KUSER_SHARED_DATA.SharedDataFlags. This is an undocumented flag that is set if UAC is enabled. Finally, there are AV checks for BitDefender (detected by the module atcuf32.dll), Kaspersky (process avp.exe), and our own Avast/AVG (module aswhook.dll). If one of these AVs is detected, Roshtyak avoids selected UAC bypass techniques, presumably the ones that might result in detection.

As for the actual UAC bypasses, there are two main methods implemented. The first is an implementation of the aptly named ucmDccwCOM method from UACMe. Interestingly when this method is executed, Roshtyak temporarily masquerades its process as explorer.exe by overwriting FullDllName and BaseDllName in the _LDR_MODULE structure corresponding to the main executable module. The payload launched by this method is a randomly named LNK file, dropped into %TEMP% using the IShellLink COM interface. This LNK file is designed to relaunch the Roshtyak DLL, through LOLBins such as advpack or register-cimprovider.

The second method is more of a UAC bypass framework than a specific bypass method, because multiple UAC bypass methods follow the same simple pattern: first registering some specific shell open command and then executing an autoelevating Windows binary (which internally triggers the shell open command). For instance, a UAC bypass might be accomplished by writing a payload command to HKCU\Software\Classes\ms-settings\shell\open\command and then executing fodhelper.exe from %windir%\system32. Basically, the same bypass can be achieved by substituting the pair ms-settings/fodhelper.exe with other pairs, such as mscfile/eventvwr.exe. Roshtyak uses the following six pairs to bypass UAC:

Class Executable
mscfile eventvwr.exe
mscfile compmgmtlauncher.exe
ms-settings fodhelper.exe
ms-settings computerdefaults.exe
Folder sdclt.exe
Launcher.SystemSettings slui.exe

Let’s now look at the kernel exploits (CVE-2020-1054 and CVE-2021-1732) Roshtyak uses to escalate privileges. As is often the case in Roshtyak, these exploits are stored encrypted and are only decrypted on demand. Interestingly, once decrypted, the exploits turn out to be regular PE files with completely valid headers (unlike the other layers in Roshtyak, which are either in shellcode form or stored in a custom stripped PE format). Moreover, the exploits lack the obfuscation given to the rest of Roshtyak, so their code is immediately decompilable, and only some basic string encryption is used. We don’t know why the attackers left these exploits so exposed, but it might be due to the difference in bitness. While Roshtyak itself is x86 code (most of the time running under WoW64), the exploits are x64 (which makes sense considering they exploit vulnerabilities in 64-bit code). It could be that the obfuscation tools used by Roshtyak’s authors were designed to work on x86 and are not portable to x64.

Snippet from Roshtyak’s exploit for CVE-2020-1054, scanning through IsMenu to find the offset to HMValidateHandle.

To execute the exploits, Roshtyak spawns (the AMD64 version of) winver.exe and gets the exploit code to run there using the KernelCallbackTable injection method. Roshtyak’s implementation of this injection method essentially matches a public PoC, with the biggest difference being the usage of slightly different API functions due to the need for cross-subsystem injection (e.g. NtWow64QueryInformationProcess64 instead of NtQueryInformationProcess or NtWow64ReadVirtualMemory64 instead of ReadProcessMemory). The code injected into winver.exe is not the exploit PE itself but rather a slightly obfuscated shellcode, designed to load the exploit PE into memory.

The kernel exploits target certain unpatched versions of Windows. Specifically, CVE-2020-1054 is only used on Windows 7 systems where the revision number is not higher than 24552. On the other hand, the exploit for CVE-2021-1732 runs on Windows 10, with the targeted build number range being from 16353 to 19042. Before exploiting CVE-2021-1732, Roshtyak also scans through installed update packages to see if a patch for the vulnerability is installed. It does this by enumerating the registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages and checking if the package for KB4601319 (or higher) is present.

Lateral movement

When it comes to lateral movement, Roshtyak simply uses the tried and tested PsExec tool. Before executing PsExec, Roshtyak ensures it makes sense to run it by checking for a SID matching the “well-knownWinAccountDomainAdminsSid group. If domain admin rights are not detected, Roshtyak skips its lateral movement phase entirely.

Roshtyak attempts to get around detection by setting Defender exclusions, as PsExec is often flagged as a hacktool (for good reasons). It sets a path exclusion for %TEMP% (where it will drop PsExec and other files used for lateral movement). Later, it sets up a process exclusion for the exact path from which PsExec will be executed. 

While we would expect PsExec to be bundled inside Roshtyak, it turns out Roshtyak downloads it on demand from https://download.sysinternals[.]com/files/PSTools.zip. The downloaded zip archive is dropped into %TEMP% under a random name with the .zip extension. PsExec is then unzipped from this archive using the Windows Shell COM interface (IShellDispatch) into a randomly named .exe file in %TEMP%.

The payload to be executed by PsExec is a self-extracting package created by a tool called IExpress. This is an archaic installer that’s part of Windows, which is probably why it’s used, since Roshtyak can rely on it already being on the victim machine. The installer generation is configured by a text file using the Self Extraction Directive (SED) syntax. 

Roshtyak’s IExpress configuration template

Roshtyak uses a SED configuration template with three placeholders (%1, %2, and %3) that it substitutes with real values at runtime. As seen above, the configuration template was written in mixed-case, which is frequently used in Raspberry Robin in general. Once the SED configuration is prepared, it is written into a randomly named .txt file in %TEMP%. Then, iexpress is invoked to generate the payload using a command such as C:\Windows\iexpress.exe /n /q <path_to_sed_config>. The generated payload is dumped into a randomly named .exe file in %TEMP%, as configured by the TargetName directive (placeholder %1).

Once the payload is generated, Roshtyak proceeds to actually run PsExec. There are two ways Roshtyak can execute PsExec. The first one uses the command <path_to_psexec> \\* -accepteula -c -d -s <path_to_payload>. Here, the \\* wildcard instructs PsExec to run the payload on all computers in the current domain. Alternatively, Roshtyak might run the command <path_to_psexec> @<path_to_target_file> -accepteula -c -d -s <path_to_payload>. Here, the target_file is a text file containing a specific list of computers to run the payload on. Roshtyak builds this list by enumerating Active Directory objects using API functions exported from activeds.dll.

Profiling the victim

USB worms tend to have a life of their own. Since their worming behavior is usually completely automated, the threat actor who initially deployed the worm doesn’t necessarily have full control over where it spreads. This is why it’s important for threat actors to have the worm beacon back to their C&C servers. With a beaconing mechanism in place, the threat actor can be informed about all the machines under their control and can use this knowledge to manage the worm as a whole.

The outgoing beaconing messages typically contain some information about the infected machine. This helps financially-motivated cybercriminals decide on how to best monetize the infection. Roshtyak is no exception to this, and it collects a lot of information about each infected victim. Roshtyak concatenates all the collected information into a large string, using semicolons as delimiters. This large string is then exfiltrated to one of Roshtyak’s C&C servers. The exfiltrated pieces of information are listed below, in order of concatenation.

  • External IP address (obtained during a Tor connectivity check)
  • A string hardcoded into Roshtyak’s code, e.g. AFF123 (we can’t be sure what’s the meaning behind this, but it looks like an affiliate ID)
  • A 16-bit hash of the DLL’s PE header (with some fields zeroed out) xored with the lower 16 bits of its TimeDateStamp. The TimeDateStamp appears to be specially crafted so that the xor results in a known value. This could function as a tamper check or a watermark.
  • Creation timestamp of the System Volume Information folder on the system drive
  • The volume serial number of the system drive
  • Processor count (GetActiveProcessorCount)
  • IsWow64Process (_PROCESS_EXTENDED_BASIC_INFORMATION.Flags & 2)
  • Windows version (KUSER_SHARED_DATA.Nt(Major|Minor)Version)
  • Windows product type (KUSER_SHARED_DATA.NtProductType)
  • Windows build number (PEB.OSBuildNumber)
  • Local administrative privileges (ZwQueryInformationToken(TokenGroups)/CheckTokenMembership, check for DOMAIN_ALIAS_RID_ADMINS)
  • Domain administrative privileges (check for WinAccountDomainAdminsSid/WinAccountDomainUsersSid)
  • System time (KUSER_SHARED_DATA.SystemTime)
  • Time zone (KUSER_SHARED_DATA.TimeZoneBias)
  • System locale (NtQueryDefaultLocale(0))
  • User locale (NtQueryDefaultLocale(1))
  • Environment variables (username, computername, userdomain, userdnsdomain, and logonserver)
  • Java version (GetFileVersionInfo("javaw.exe") -> VerQueryValue)
  • Processor information (cpuid to obtain the Processor Brand String)
  • Path to the image of the main executable module (NtQueryVirtualMemory(MemorySectionName))
  • Product ID and serial number of the main physical drive (DeviceIoControl(IOCTL_STORAGE_QUERY_PROPERTY, StorageDeviceProperty))
  • MAC address of the default gateway (GetBestRoute -> GetIpNetTable)
  • MAC addresses of all network adapters (GetAdaptersInfo)
  • Installed antivirus software (root\securitycenter2 -> SELECT * FROM AntiVirusProduct)
  • Display device information (DeviceId, DeviceString, dmPelsWidth, dmPelsHeight, dmDisplayFrequency) (EnumDisplayDevices -> EnumDisplaySettings)
  • Active processes (NtQuerySystemInformation(SystemProcessInformation))
  • Screenshot encoded in base64 (gdi32 method)

Beaconing

Once collected, Roshtyak sends the victim profile to one of its C&C servers. The profile is sent over the Tor network, using a custom comms module Roshtyak injects into a newly spawned process. The C&C server processes the exfiltrated profile and might respond with a shellcode payload for the core module to execute.

Let’s now take a closer look at this whole process. It’s worth mentioning that before generating any malicious traffic, Roshtyak first performs a Tor connectivity check. This is done by contacting 28 legitimate and well-known .onion addresses in random order and checking if at least one of them responds. If none of them respond, Roshtyak doesn’t even attempt to contact its C&C, as it would most likely not get through to it anyway.

As for the actual C&C communication, Roshtyak contains 35 hardcoded V2 onion addresses (e.g. ip2djbz3xidmkmkw:53148, see our IoC repository for the full list). Like during the connectivity check, Roshtyak iterates through them in random order and attempts to contact each of them until one responds. Note that while V2 onion addresses are officially deprecated in favor of V3 addresses (and the Tor Browser no longer supports them in its latest version) they still appear to be functional enough for Roshtyak’s nefarious purposes.

Roshtyak’s hardcoded C&C addresses

The victim profile is sent in the URL path, appended to the V2 onion address, along with the / character. As the raw profile might contain characters forbidden for use in URLs, the profile is wrapped in a custom structure and encoded using Base64. The very first 0x10 bytes of the custom structure serve as an encryption key, with the rest of the structure being encrypted. The custom structure also contains a 64-bit hash of the victim profile, which presumably serves as an integrity check. Interestingly, the custom structure might get its end padded with random bytes. Note that the full path could be pretty large, as it contains a doubly Base64-encoded screenshot. The authors of Roshtyak were probably aware that the URL path is not suitable for sending large amounts of data and decided to cap the length of the victim profile at 0x20000 bytes. If the screenshot makes the exfiltrated profile larger than this limit, it isn’t included.

When the full onion URL is constructed, Roshtyak goes ahead to launch its Tor comms module. It first spawns a dummy process to host the comms module. This dummy process is randomly chosen and can be one of dllhost.exe, regsvr32.exe, or rundll32.exe. The comms module is injected into the newly spawned process using a shared section, obfuscated through the previously described shellcode hiding technique. The comms module is then executed via NtQueueApcThreadEx, using the already discussed ntdll gadget trick. The injected comms module is a custom build of an open-source Tor library packed in three additional protective shellcode layers.

The core module communicates with the comms module using shared sections as an IPC mechanism. Both modules synchronously use the same PRNG with the same seed (KUSER_SHARED_DATA.Cookie) to generate the same section name. Both then map this named section into their respective address spaces and communicate with each other by reading/writing to it. The data read/written into the section is encrypted with RC4 (the key also generated using the synchronized PRNGs).

The communication between the core module and the comms module follows a simple request/response pattern. The core module writes an encrypted onion URL (including the URL path to exfiltrate) into the shared section. The comms module then decrypts the URL and makes an HTTP request over Tor to it. The core module waits for the comms module to write the encrypted HTTP response back to the shared section. Once it’s there, the core module decrypts it and unwraps it from a custom format (which includes decrypting it yet again and computing a hash to check the payload’s integrity). The decrypted payload might include a shellcode for the core module to execute. If the shellcode is present, the core module allocates a huge chunk of memory, hides the shellcode there using the shellcode hiding technique, and executes it in a new thread. This new thread is hidden using the NtSetInformationThread -> ThreadHideFromDebugger technique (including a follow-up anti-hooking check using NtGetInformationThread to confirm that the NtSetInformationThread call did indeed succeed).

Conclusion

In this blog post, we took a technical deep dive into Roshtyak, the backdoor payload associated with Raspberry Robin. The main focus was to describe how to deal with Roshtyak’s protection mechanisms. We showed some never-before-seen anti-debugger/anti-sandbox/anti-VM tricks and discussed Roshtyak’s heavy obfuscation. We also described Roshtyak’s core functionality. Specifically, we detailed how it establishes persistence, escalates privileges, moves laterally, and uses Tor to download further payloads.

We have to admit that reverse engineering Roshtyak was certainly no easy task. The combination of heavy obfuscation and numerous advanced anti-analysis tricks made it a considerable challenge. Nick Harbour, if you’re looking for something to repurpose for next year’s final Flare-On challenge, this might be it.

Indicators of Compromise (IoCs)

IoCs are available at https://github.com/avast/ioc/tree/master/RaspberryRobin.

The post Raspberry Robin’s Roshtyak: A Little Lesson in Trickery appeared first on Avast Threat Labs.

❌
❌