“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.
The ransomware gang published a message in Russian language on its leak site:
The message also asks other ransomware gangs to avoid targeting Chinese companies, because China could represent a safe place for ransomware gangs in case Russia will stop tolerate ransomware operations.
“In our difficult and troubled time when the US government is trying to fight us, I call on all partner programs to stop competing, unite and start fucking up the US public sector” states the message. “I urge not to attack Chinese companies, because where do we pinch if our homeland suddenly turns away from us, only to our good neighbors – the Chinese!”
After the news of the recent shutdown of REvil’s infrastructure by law enforcement agencies, the gangs behind the Darkside and BlackMatter ransomware operations have moved 107 BTC ($6.8 million).
Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cache out its profits. Moyal shared his findings with law enforcement.
“The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.” reported the Reuters agency.
Omri Segev Moyal, CEO and co-founder of security firm Profero, told TheRecord that the threat actors split the funds into multiple wallets. The gang is likely moving the funds to cache out its profits. Moyal shared his findings with law enforcement.
bc1q9jy4pq5su9slh56gryydwkk0qjnqxvfwzm7xl6 (current major holder wallet)
In May, the Colonial Pipeline facility in Pelham, Alabama, was hit by a cybersecurity attack and its operators were forced to shut down its systems. The pipeline allows carrying 2.5 million barrels of refined gasoline and jet fuel each day up the East Coast from Texas to New York, it covers 45 percent of the East Coast’s fuel supplies.
The New York Times reported that Colonial Pipeline paid the hackers almost $5 million worth of cryptocurrency to receive a decryption key that allowed it to restore the encrypted files. Because the tool was too slow, the company used its backups to restore the systems.
In the aftermath of the attack, Darkside gang shut down its operations, fearing the response of law enforcement. The group also claimed that the feds seized part of its infrastructure and some wallets it was using for its operations.
In July the group rebranded its operation with the name BlackMatter.
Nevertheless, the gang re-launched in July with new infrastructure and under the new name of BlackMatter.
FIN7 hacking group created fake cybersecurity companies to hire experts and involve them in ransomware attacks tricking them of conducting a pentest.
The FIN7 hacking group is attempting to enter in the ransomware business and is doing it with an interesting technique. The gang space creates fake cybersecurity companies that hire experts requesting them to carry out pen testing attacks under the guise of pentesting activities.
FIN7 is a Russian criminal group that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.
One of the companies created by the cyber criminal organizations with this purpose is Combi Security, but researchers from Gemini Advisory discovered other similar organizations by analyzing the site of another fake cybersecurity company named Bastion Security.
The Bastion Secure website is hosted on the Russian domain registrar Beget, which is popular in the Russian cybercrime communities. Most of the submenus of the site return a Russian-language HTTP 404 error, a circumstance that suggests the site creators were Russian speakers. At the time of the report, some of the HTTP 404 errors remain unfixed.
The website is a clone of the website of Convergent Network Solutions Ltd, Bastion Secure’s ‘About’ page states that is a spinoff of the legitimate cybersecurity firm that anyway not linked to the criminal gang.
FIN7, operating under the guise of Bastion Secure, published job offers for programmers (PHP, C++, Python), system administrators, and reverse engineers. The job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a good salary for this type of position in post-Soviet states.
The gang was looking for administrators to map out compromised companies’ networks and locate sensitive data, including backup. The initial access to the target organizations was obtained through phishing attacks or by purchasing access on dark web forums.
Once gained access to the target network, the threat actors could then drop malware and ransomware.
“Bastion Secure offered a job offer to a Gemini source and, in the process, provided the source with files that analysts later determined were for the post-exploitation tools Carbanak and Lizar/Tirion. These two tools have been previously attributed to FIN7 and establish the link between Bastion Secure and FIN7.” reads the analysis of Gemini Advisory. “The tasks that were assigned to the Gemini source by FIN7—operating under the guise of Bastion Secure—matched the steps taken to prepare a ransomware attack, providing further evidence that FIN7 has continued to expand into the ransomware sphere.”
A Gemini’s source applied for a job position and was hired, the gang gave him access to a set of post-exploitation tools known to be in the FIN7’s arsenal, such as Carbanak and Lizar/Tirion. The group, through a fake pentesting activity assigned to Bastion Secure, provided access to the network of a target company.
“The files provided to the source by Bastion Secure included files for a software component titled “Command Manager” that was, in fact, a disguised version of the client component of Carbanak (see image 12). Gemini determined this by analyzing the software’s functionality and concluded that it is an updated version of previously identified versions of Carbanak.” continues the expert. “The main functions of the Carbanak command manager are collecting information about an infected computer and obtaining remote access to the infected computer. The files contained an obfuscated PowerShell script that ultimately launches the Lizar/Tirion injector and payload. “
They requested the hired pentesters to conduct reconnaissance and gather the information that could allow them to conduct the attack, such as user and admin accounts’ credentials, and backups.
“Although cybercriminals looking for unwitting accomplices on legitimate job sites is nothing new, the sheer scale and blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal groups. Not only is FIN7 looking for unwitting victims on legitimate job sites, but also attempting to obfuscate its true identity as a prolific cybercriminal and ransomware group by creating a fabricated web presence through a largely legitimate-appearing website, professional job postings, and company info pages on Russian-language business development sites.” concludes the report.
Microsoft is aware that Vxers have devised a method to digitally sign their rootkits through this process. After Bitdefender has reported the discovery, Microsoft has revoked the signature for FiveSys.
In June, the company announced it is investigating a threat actor distributing malicious drivers in attacks aimed at the gaming industry in China. The actor submitted drivers that were built by a third party for certification through the Windows Hardware Compatibility Program (WHCP). One of the drivers signed by Microsoft, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China.
The IT giant pointed out that its WHCP signing certificate was not exposed and that its infrastructure was not compromised by hackers.
The FiveSys rootkit uses the same technique to remain under the radar, it is very similar to the Undead malware and likely originate from China where is used to target domestic games.
The rootkit was used by threat actors to redirect internet traffic to a custom proxy server.
“The main purpose of the rootkit is to redirect internet traffic and route it to a custom proxy server. To achieve this, the driver serves locally a Proxy Autoconfguration Script to the browser. The driver will periodically update this autoconfguration script. The script has a list of domains/URLs for which it redirects traffc to an endpoint under the attacker’s control.” reads the report published by Bitdefender.
The rootkit is able to redirect both http and https traffic, in the latter case, it installs a custom root certificate to about browser’s warnings of the unknown identity of the proxy server.
The malware maintains a list of digital signatures used to detect drivers associated with Netfilter and fk_undead malware families and prevent that they are loaded.
Bitdefender identified several user mode binaries that are used to fetch and execute the malicious drivers onto the target machines. According to the experts, FiveSys uses four drivers, but at this time they have only detected only two of them.
“It also has an estimated four drivers, but in our research, we only managed to isolate two:
PacSys(PC.sys) is responsible for delivering the proxy autoconfguration script (the *.PAC fle, hence thename probably).
Up.sys downloads an executable and starts it using an embedded dll which it injects from kernel mode. Both drivers can protect the other module too, and reinstall it if it gets deleted.
Even though, technically speaking, the malware families are not among the sophisticated ones, the fact that they abuse digital signatures in this manner seriously undermines the credibility of this protection mechanism.”
To minimize the chance of a C2 takedown, the rootkit uses a built-in list of 300 domains on the “.xyz” TLD that are randomly generated and that stored in an encrypted form inside the binary.
Upon contacting the C2, the rootkit will select a random domain from the list, each such domain having several DNS A records.
The paper published by Bitdefender also includes indicators of compromise (IoCs.)
Evil Corp cybercrime gang is using a new ransomware called Macaw Locker to evade US sanctions that prevent victims from paying the ransom.
Evil Corp has launched a new ransomware called Macaw Locker to evade US sanctions that prevent victims from making ransom payments.
Bleeping Computer, citing Emsisoft CTO Fabian Wosar, reported that the Macaw Locker ransomware is the latest rebrand of Evil Corp. The Macaw Locker ransomware encrypts victims’ files and append the .macaw extension to the file name of the encrypted files. The malware drops ransom notes (macaw_recover.txt) in each folder, the ransom note includes the link to a unique victim negotiation page.
The Evil Corp cybercrime group (aka the Dridex gang Indrik Spider, the Dridex gang, and TA505) has been active in cybercrime activities since 2007. The group started its operations by developing and distributing the infamous Dridex banking Trojan, then it switched to ransomware operation by infecting victims’ computer networks with the BitPaymer ransomware.
In 2019, the U.S. Department of Justice (DoJ) has charged Russian citizens Maksim V. (32) and Igor Turashev (38) for distributing the infamous Dridex banking Trojan, and for their involvement in international bank fraud and computer hacking schemes.
The US Government announced sanctions for ransomware negotiation firms that will support victims of the Evil Corp group in the ransom payments.
Due to these sanctions, Evil Corp launched several ransomware operations that employed different strains of ransomware, such as WastedLocker, Hades, Phoenix Locker, and PayloadBin.
A vulnerability in the WinRAR is a trialware file archiver utility for Windows could be exploited by a remote attacker to hack a system.
Positive Technologies researcher Igor Sak-Sakovskiy discovered a remote code execution vulnerability, tracked as CVE-2021-35052, in the popular WinRAR trialware file archiver utility for Windows.
The vulnerability affects the trial version of the utility, the vulnerable version is 5.70.
“This vulnerability allows an attacker to intercept and modify requests sent to the user of the application. This can be used to achieve Remote Code Execution (RCE) on a victim’s computer. It has been assigned the CVE ID – CVE-2021-35052.” reads the post published by Sak-Sakovskiy. “We found this vulnerability by chance, in WinRAR version 5.70.”
After a series of test, the expert noticed that after the trial period has expired, the software started displaying the error message, one time out of three executions. This window used to display the error uses mshtml.dll implementation for Borland C++ in which WinRAR has been written.
The expert used Burp Suite as a default Windows proxy to intercept traffic generated when the message is displayed.
The analysis of the response code sent when WinRAR alerts the user about the end of the free trial period via “notifier.rarlab[.]com” revealed that modifying it to a “301 Moved Permanently” redirect message if was possible to cache the redirection to a malicious domain for any subsequent request. Experts also noticed that an attacker with access to the same network domain carry out ARP spoofing attacks to remotely launch applications, retrieve local host information, and run arbitrary code.
“Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.” continues the expert. “Next, we attempted to modify intercepted responses from WinRAR to the user. Instead of intercepting and changing the default domain “notifier.rarlab.com” responses each time with our malicious content, we noticed that if the response code is changed to “301 Moved Permanently” then the redirection to our malicious domain “attacker.com” will be cached and all requests will go to the “attacker.com”.”
Experts pointed out that vulnerabilities in third-party software pose serious risks to organizations, they can be exploited to access any resource of the system and potentially of the network hosting it.
“It’s impossible to audit every application that could be installed by a user and so policy is critical to managing the risk associated with external applications and balancing this risk against the business need for a variety of applications. Improper management can have wide reaching consequences.” concludes the post.
The United States Department of Justice sentenced two individuals that were providing bulletproof hosting to various malware operations.
The United States Department of Justice sentenced to prison two individuals involved in providing bulletproof hosting to various malware operations, including Citadel, SpyEye, Zeus, and the Blackhole exploit kit.
The two individuals, Aleksandr Skorodumov (33) of Lithuania, and Pavel Stassi (30) of Estonia, administrated the bulletproof hosting service between 2009 and 2015.
The duo, along with Russian nationals Aleksandr Grichishkin and Andrei Skvortsov, founded an organization that was offering bulletproof hosting, they rented the attack infrastructure (IP addresses, servers, and domains) to crooks who used it to spread multiple malware families and conducted several malicious activities.
The defendants helped their clients to evade detection by monitoring sites used to blocklist technical infrastructure used for crime. Every time a content was flagged as malicious, the defendants moved it to new infrastructure and used false or stolen identities to register it.
Skvortsov was responsible for the marketing activity of the group, while Grichishkin was the organization’s day-to-day leader and oversaw its personnel.
Skorodumov was one of the organization’s lead systems administrators, he configured and managed the clients’ domains and IP addresses, provided technical assistance to help clients optimize their malware and botnets.
Stassi conducted several administrative tasks for the group, such as registering webhosting and financial accounts using stolen and/or false personal information.
Skorodumov was sentenced to 48 months in prison and Stassi to 24 months in prison.
Grichishkin and Skvortsov are pending sentencing and have already pleaded guilty, both face up to 20 years in prison.
“Every day, transnational organized cybercriminals deploy malware that ravages our economy and victimizes our citizens and businesses,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. “The criminal organizations that purposefully aid these actors — the so-called bulletproof hosters, money launderers, purveyors of stolen identity information, and the like — are no less responsible for the harms these malware campaigns cause, and we are committed to holding them accountable. Prosecutions like this one increase the costs and risks to cybercriminals and ensure that they cannot evade responsibility for the enormous injuries they cause to victims.”
The Commerce Department’s Bureau of Industry and Security (BIS) would ban U.S. firms from selling hacking tools to authoritarian regimes.
The Commerce Department’s Bureau of Industry and Security (BIS) would introduce a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes.
The rule announced by the BIS tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuse.
The rull will become effective in 90 days and will ban the export of “cybersecurity items” for National Security (NS) and Anti-terrorism (AT) reasons.
“Specifically, this rule establishes a new control on these items for National Security (NS) and Anti-terrorism (AT) reasons, along with a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in the circumstances described. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it.” reads the announcement published by the Bureau of Industry and Security, Commerce.
The new License Exception Authorized Cybersecurity Exports would allow the export, reexport and transfer (in-country) of ‘cybersecurity items’ to most destinations, while retaining a license requirement for exports to countries of national security or weapons of mass destruction concern. The license will be required for those countries subject to a U.S. arms embargo.
The complete list includes states of weapons of mass destruction or national security concern or subject to a U.S. arms embargo.
The rule is consistent with the result of BIS’s negotiations in the Wassenaar Arrangement (W.A.) multilateral export control regime and results from a review of comments from Congress, the private sector, academia, civil society, and other stakeholders.
U.S. Secretary of Commerce Gina M. Raimondo explained that the new rule aims at preventing the use of this technology by threat actors that could hit US computer networks threaten U.S. national security.
“The United States is committed to working with our multilateral partners to deter the spread of certain technologies that can be used for malicious activities that threaten cybersecurity and human rights. The Commerce Department’s interim final rule imposing export controls on certain cybersecurity items is an appropriately tailored approach that protects America’s national security against malicious cyber actors while ensuring legitimate cybersecurity activities.” said U.S. Secretary of Commerce Raimondo.
Threat actors are continually looking for better ways to target organizations, here are the top five attack vectors to look out for in 2022.
Malicious actors are continually looking for better ways to carry out successful cyber attacks. Whether motivated by a potential payday or the ability to access confidential information, cybercriminals have plenty of incentive to focus on what works best in achieving their goals. This article focuses on the top five attack vectors organizations should look out for and defend against in 2022.
Phishing techniques use social engineering to trick victims into taking an action that helps an attacker compromise your network or access your sensitive information assets. Fraudulent emails purporting to be from authoritative company sources are the main phishing attacks that employees fall victim to. These emails persuade employees to reveal passwords for important applications or download malicious files to their devices.
Some threat actors carry out phishing attacks using social media and networking platforms, such as Twitter or LinkedIn. Phishing scams remain such a widely used attack vector because of their efficiency. The potential rewards for very little effort make phishing scams highly attractive attack vectors requiring minimal technical knowledge.
Some phishing scams target particular individuals because of their close proximity to sensitive information or because those individuals are likely to have administrative access to network resources. Some phishing scams are so convincing that they can fool even seasoned security professionals. A solid defense against phishing requires a dual approach of employee awareness and an anti-phishing email filtering solution.
2. Stolen Credentials
Stolen credentials continue to cause problems for businesses of all sizes. A 2021 report on data breaches found that stolen credentials were the initial attack vector used in 61 percent of breaches. Using stolen passwords is an easy way to masquerade as a genuine user and access sensitive information or infiltrate deeper into your network.
It’s straightforward for threat actors to purchase bulk lists of stolen username-password credentials on the dark web. Other attack vectors such as phishing emails can be used to trick employees into disclosing their passwords, which cybercriminals then use to access your network.
The problems posed by stolen credentials stem from a perfect storm of poor password hygiene and weak identity and access management controls. Employees regularly reuse their passwords across multiple applications and services, which means that a single stolen password could provide an easy entry route into your network. Many organizations provide excessive access privileges to users, which worsens the impact of a credential compromise by giving hackers access to administrative functions or critical systems.
3. API Exploits
Organizations can create new opportunities for growth through the use of APIs, which integrate their applications and service with other resources in the wider digital ecosystem. APIs facilitate communication between different apps and services. The use of APIs has become so widespread that many technologists say we’re living in an API economy.
Ever on the lookout for new opportunities to get their hands on sensitive data, many threat actors realize that the proliferation of APIs may work to their advantage. Traditional security tactics cannot detect API attacks, so many organizations remain open to a breach or data exfiltration via APIs. This API security checklist provides best practices and considerations for closing off your APIs as an attack vector.
4. Remote Technology
The speed at which cyber attacks exploiting remote technology increased during the Covid-19 pandemic serves as a telling example of how threat actors dynamically adapt the attack vectors they use in response to changing conditions. A 2020 report found that 20 percent of organizations experienced a security breach due to remote work.
The technologies used by organizations to facilitate remote work include virtual private network (VPN) connections and remote desktop protocol (RDP). These technologies let employees access business applications and resources from outside the physical location of their place of work.
While the use of remote technology will likely reduce over time compared to at the height of the pandemic, it’s clear that remote work is here to stay in some capacity. Opportunistic threat actors know that with remote work not going away, there will be chances to gain entry to corporate networks by exploiting RDP and VPN connections.
An actionable way to defend against remote access threats is to require multi factor authentication (MFA) for these connections. MFA requires users to provide another category of evidence that verifies their identity in addition to the standard username-password combination they use to log in. These distinct pieces of evidence can include a one-time password or a fingerprint scan.
5. IoT Devices
IoT devices include wearable devices, coffee makers, sensors, and cameras, all of which connect to the Internet. Many organizations don’t have visibility into all of their IoT devices. Furthermore, it’s common for IoT devices to use default credentials that hackers can easily guess.
IoT devices are veritable storehouses of data about the environment they are in and the people that use them. A cyber attack on an IoT device could also be the initial entry point from which a hacker accesses your wider network and installs ransomware that locks down key systems.
Organizations need a serious approach to secure their IoT infrastructures, including:
Full device visibility
Changing default usernames and passwords
Using strong passwords
Segmenting the network so that an IoT compromise can’t spread to key IT systems and assets
Update IoT devices on time
As we come into 2022, get your organization ready to combat these top five cyber attack vectors. Each of them calls for its own defense strategy to limit the chances of malicious threat actors successfully leveraging them to access or disrupt your valuable data and services.
About the Author:Ronan Mahony is a freelance content writer mostly focused on cybersecurity topics. He likes breaking down complex ideas and solutions into engaging blog posts and articles. He’s comfortable writing about other areas of B2B technology, including machine learning and data analytics. He graduated from University College Dublin in 2013 with a degree in actuarial science, however, he followed his passion for writing and became a freelance writer in 2016. He currently also works with Bora. In his spare time, Ronan enjoys hiking, solo travel, and cooking Thai food.
A Cookie Theft malware was employed in phishing attacks against YouTube creators, Google’s Threat Analysis Group (TAG) warns.
Financially motivated threat actors are using Cookie Theft malware in phishing attacks against YouTube creators since late 2019. According to Google’s Threat Analysis Group (TAG) researchers, who spotted the campaign, the attacks were launched by multiple hack-for-hire actors recruited on Russian-speaking forums. Below are the job descriptions used to recruit the hackers.
The hackers used fake collaboration opportunities (i.e. a demo for anti-virus software, VPN, music players, photo editing or online games) to hijack the channel of YouTube creators. Once hijacked the channel, attackers either sell it to the highest bidder or employ it in cryptocurrency scam scheme.
Hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers.
The malware landing page is disguised as a software download URL that was sent via email or a PDF on Google Drive, or via Google documents containing the phishing links. The researchers identified around 15,000 actor accounts, most of which were created for this campaign.
Experts also observed the attackers driving targets to messaging apps like WhatsApp, Telegram or Discord because Google is able to neutralize phishing attempts via Gmail,
Upon running the fake software, a cookie stealing malware will be executed. The malware steals the browser cookies from the infected machine and sends them to C2 servers. Experts noticed that all the malware involved in this campaign runs in a non-persistent mode.
Some of the malicious codes used in this campaign are RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad, and Kantal, along with open-source malware like Sorano and AdamantiumThief.
Once delivered on the targets’ systems, the malware was used to steal their credentials and browser cookies which allowed the attackers to hijack the victims’ accounts in pass-the-cookie attacks.
“While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics,” said Ashley Shen, a TAG Security Engineer.
“Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.” reads the analysis published by Google TAG.
Google shared its findings with the FBI and shared Indicators of Compromise for this campaign.
Researchers warn of a new evolution of the PurpleFox botnet, operators included exploits and leverage WebSockets for C2 communication.
Researchers from TrendMicro have documented a recent evolution of the PurpleFox botnet, the experts discovered a new .NET backdoor, dubbed FoxSocket, that is highly associated with the PurpleFox operation.
Its operators have added new exploits and payloads, according to the experts, the new variant leverages WebSockets to implement more secure C2 bidirectional communication.
Currently, the new variant was employed in attacks aimed at users in the Middle East. The analysis of the C2 infrastructure revealed that the most notable activity is in the US, Turkey, UAE, Iraq, and Saudi Arabia.
The attack chain starts with the execution of PowerShell commands that fetch a malicious payload from URLs associated with multiple compromised servers. Most of the servers are located in China and belong to the infrastructure of the PurpleFox botnet.
The payload fetched by the PowerShell targets 64-bit architecture systems, it is a long script consisting of three components:
Upon executing the script, it will check the Windows version of the targeted host and the presence of patches for the following list of vulnerabilities:
Windows 7/Windows Server 2008 [CVE-2020-1054 (KB4556836, KB4556843), CVE-2019-0808 (KB4489878, KB4489885, KB2882822]
Windows 8/Windows Server 2012 [CVE-2019-1458 (KB4530702, KB4530730)]
Windows 10/Windows Server 2019 [CVE-2021-1732 (KB4601354, KB4601345, KB4601315, KB4601319)]
“After selecting the appropriate vulnerability, it uses the PowerSploit module to reflectively load the embedded exploit bundle binary with the target vulnerability and an MSI command as arguments. As a failover, it uses the Tater module to launch the MSI command.” reads the analysis published by TrendMicro. “The goal is to install the MSI package as an admin without any user interaction.”
The MSI package first removes registry keys associated with the old Purple Fox installations if any are present, then it replaces the components of the malware with new ones.
The package also sets two registry values under the key “HKLM\SYSTEM\CurrentControlSet\Control\Session Manager” and runs a .vbs script that creates a Windows firewall rule to block incoming connections on ports 135, 139, and 445.
The final backdoor is a DLL file protected by the VMProtect.
The installer also uses a rootkit driver that hides its files, registry keys, and processes, to avoid detection.
This variant outstands for the use of WebSockets for communications.
“Afterward, the client will try to send the property PublicKey, which will be used at the C&C side on another ECDiffieHellmanCng object to generate a shared secret agreement. Eventually, this data will be sent on the WebSocket as the first key exchange message.” continues the analysis. “However, instead of sending it in cleartext, the client deploys a symmetric AES encryption for any communication over the WebSocket for the first exchange, as no shared secret is established yet, and the AES encryption will generate a default key for this first exchange. “
TrendMicro observed the following list of WebSocket commands and highlighted that there are some minor differences between variants across them.
Sends the current date on the victim machine
Leaks DriveInfo.GetDrives() results info for all the drives
Leaks DirectoryInfo() results info for a specific directory
FileInfo()results info for a specific file
Recursive directory search
Executes WMI queries – ManagementObjectSearcher()
Closes the WebSocket Session
Exits the process
Spawns a new process
Downloads more data from a specific URL to the victim machine
DNS lookup from the victim machine
Leaks specific file contents from the victim machine
Writes new content to a specific location
Downloads data then write to a specific file
Renegotiates session key for symmetric encryption
Gets current process ID/Name
Returns the configuration parameter for the backdoor
Kills the process then start the new process with a different config
Kills specific process with PID
Queries internal backdoor object properties
Leaks hashes of some specific files requested
Kills list of PIDs
Deletes list of files/directories requested
Moves list of files/directories to another location
Creates new directory to a specific location
Researchers from TrendMicro also shared a list of Indicators of Compromise for this threat.
Tech giant Acer was hacked again in a few days, after the compromise of the servers in India, threat actors also breached some of its systems in Taiwan.
Tech giant Acer was hacked twice in a week, the same threat actor (Desorden) initially breached some of its servers in India, now it is claiming to have also breached some systems in Taiwan.
Last week the company revealed that its after-sales service systems in India were hit by an isolated attack.
The incident was disclosed after threat actors have advertised the sale of more than 60 GB of data on an underground cybercrime forum.
The threat actors now claim to have breached the servers of Acer Taiwan on October 15th and have stolen internal data, including employee and product information.
Desorden compromised Acer for the second time in less than a week to demonstrate that the company is still exposed to cyber attacks to its negligence, he also claims that other servers in Asia of the company are still vulnerable.
In response to the intrusion, Acer Taiwan took down the compromised server.
“We have recently detected an isolated attack on our local after-sales service system in India and a further attack in Taiwan. Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems. We are notifying all potentially affected customers in India, while the attacked Taiwan system does not involve customer data. The incident has been reported to local law enforcement and relevant authorities, and has no material impact to our operations and business continuity.” reads the statement issued by the Tech giant.
While the threat actors claimed to have obtained information on customers, login credentials for retailers and distributors, and corporate and financial documents, the company pointed out only employees’ data was exposed.
China-linked cyberespionage group LightBasin hacked mobile telephone networks around the world and used specialized tools to access calling records.
A China-linked hacking group, tracked as LightBasin (aka UNC1945), hacked mobile telephone networks around the globe and used specialized tools to access calling records and text messages from telecommunications companies.
The cyberespionage group has been active since at least 2016, according to the CrowdStrike researchers it is using a very sophisticated toolset. CrowdStrike researchers reported that at least 13 telecommunication companies were compromised by since 2019.
The campaign was uncovered by CrowdStrike by investigating a series of security incidents in multiple countries, the security firm added that the threat actors show an in-depth knowledge of telecommunications network architectures.
“LightBasin (aka UNC1945) is an activity cluster that has been consistently targeting the telecommunications sector at a global scale since at least 2016, leveraging custom tools and an in-depth knowledge of telecommunications network architectures.” reads the report published by Crowdstrike.“Recent findings highlight this cluster’s extensive knowledge of telecommunications protocols, including the emulation of these protocols to facilitate command and control (C2) and utilizing scanning/packet-capture tools to retrieve highly specific information from mobile communication infrastructure, such as subscriber information and call metadata.”
The hacking group initially compromised one of the telecommunication companies by leveraging external DNS (eDNS) servers which are part of the General Packet Radio Service (GPRS) network.
The eDNS are used in roaming between different mobile operators, threat actors leveraged it to connect directly to and from other compromised telecommunication companies’ GPRS networks via SSH and through previously deployed implants.
The group was able to target other telecommunications-specific systems in the GPRS network such as Service Delivery Platform (SDP) systems, and SIM/IMEI provisioning, as well as Operations Support Systems (OSS), and Operation and Maintenance Units (OMU).
Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak either third-party-focused passwords (i.e. huawei) for the initial compromise.
Once compromised the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants.
Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.
“Later, LightBasin returned to access several eDNS servers from one of the compromised telecommunications companies while deploying an ICMP traffic signalling implant tracked by CrowdStrike as PingPong under the filename /usr/bin/pingg, with persistence established through the modified SysVinit script /etc/rc.d/init.d/sshd through the following additional line:
cd /usr/bin && nohup ./pingg >/dev/null 2>&1 &
“This implant waits for a magic ICMP echo request, which, when sent to the system, established a TCP reverse shell to an IP address and port specified within the magic packet. The /bin/bash process spawned by PingPong masquerades under the process name httpd.”
Experts pointed out that eDNS servers are protected from general external internet access by firewalls, for this reason, attackers send commands to the PingPong implant via ICMP request from another compromised GPRS network infrastructure.
Then the backdoor sets a TCP reverse shell to an IP address and port specified in the “magic packet” it has received.
LightBasin also added iptables rules to the eDNS server to establish SSH access from five compromised companies.
Additionally, the actor used a trojanized version of the iptables utility that removed output containing the first two octets from IP addresses belonging to other hacked companies, making it more difficult for admins to find the modified rules.
Researchers noticed that LightBasin uses a novel technique involving the use of SGSN emulation software for C2 connections involving also the TinyShell open-source backdoor.
“TinyShell is an open-source Unix backdoor used by multiple adversaries; however, LightBasin uniquely combined this implant with the publicly available SGSN emulator sgsnemu2 through a bash script. This script constantly ran on the system, but only executed certain steps between 2:15 and 2:45 UTC each day.” continues the analysis.
The report also includes info about additional malware and utilities used by the group along with a set of recommendations and Indicators of Compromise (IoCc).
The report also includes additional malware and utilities used by the group along with a set of recommendations.
Zero-day exploit broker Zerodium announced it is looking for zero-day vulnerabilities in the Windows clients of ExpressVPN, NordVPN, and Surfshark.
Zerodium is looking to pay for zero-day exploits for vulnerabilities in the Windows clients of three virtual private network (VPN) service providers, ExpressVPN, NordVPN, and Surfshark.
The company announced with a message posted on Twitter:
VPN services allow users to protect their anonymity when accessing resources online, they allow hiding the user’s IP address by routing the connection through a network of servers used by the provider.
Zerodium is searching for information disclosure, IP address leak, or remote code execution in the Windows VPN software of the three service providers. The company is not interested in local privilege escalation.
The request is not surprising, the three providers are used by tens of millions of users worldwide, including cybercriminals. Zerodium will likely resell the zero-day exploits to law enforcement and intelligence agencies that will use them for their investigation into cybercriminal activities and operations carried out by nation-state actors.
NordVPN and Surfshark have been used by threat actors in the past.
In July, Zerodium announced it was looking for zero-day exploits for VMware vCenter Server. vCenter Server is the centralized management utility for VMware, and is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single centralized location. The company announced payouts up to $100,000 for zero-days in vCenter Server.
In June, the zero-day exploit broker announced it was looking for 0day exploits affecting the IM client tool Pidgin on Windows and Linux. The company payouts were up to $100,000 for zero-days in Pidgin, which is a free and open-source multi-platform instant messaging client.
Sentinel Labs experts have analyzed the new Karma ransomware and speculate it represents an evolution of the Nemty ransomware operation.
Karma ransomware is a new threat that was first spotted in June of 2021, it is important to distinguish it from a different threat with the same name that is active since 2016.
Sentinel Labs researchers explored the links between the Karma ransomware and other malware families such as NEMTY and JSWorm.
The researchers analyzed eight samples used in attacks that took place in June 2021 and analyzed them finding important code similarities with some ransomware variants of Gangbang and Milihpen that were active in the wild at least since January 2021. The analysis of the compilation dates of the samples suggests that the Karma ransomware is still under active development.
The similarities between Karma and the above variants included the exclusion of extensions and folders and the presence of debug messages.
“From our analysis, we see similarities between JSWorm and the associated permutations of that ransomware family such as NEMTY, Nefilim, and GangBang. Specifically, the Karma code analyzed bears close similarity to the GangBang or Milihpen variants that appeared around January 2021.” reads the analysis published by SentinelLabs.
The experts conducted a “bindiff” on Karma and Gangbang samples and noticed that the ‘main()’ function is quite similar.
The analysis of the encryption process implemented in the sample analyzed revealed that the earlier ones were using the Chacha20 encryption algorithm, while the most recent samples were using the Salsa20 algorithm.
“Diving in deeper, some samples show that the ChaCha20 algorithm has been swapped out for Salsa20. The asymmetric algorithm (for ECC) has been swapped from Secp256k1 to Sect233r1. Some updates around execution began to appear during this time as well, such as support for command line parameters.” continues the report.
Like other ransomware operations, the Karma gang has set up a leak site where publish the stolen data of those victims that don’t pay the ransom.
“Karma is a young and hungry ransomware operation. They are aggressive in their targeting, and show no reluctance in following through with their threats. The apparent similarities to the JSWorm family are also highly notable as it could be an indicator of the group being more than they appear.” “The rapid iteration over recent months suggests the actor is investing in development and aims to be around for the foreseeable future.” concludes the report that also includes Indicators of Compromise (IoCs) for the threat.
Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is targeting telecommunication providers and IT firms in South Asia.
Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is using a custom implant, dubbed Backdoor.Graphon, in attacks aimed at telecommunication providers, IT firms, and government entities in South Asia. At this time, the APT group is mostly targeting organizations in Afghanistan.
“The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT). The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor.” reads the analysis published by Symantec.
The threat actors deployed the Graphon backdoor on victim machines alongside other downloaders and screenshot tools to take over the systems, exfiltrate sensitive data and spy on user activities.
Symantec researchers have yet to discover the initial attack vector, experts believe that the attackers could have used spear-sphishing messages sharing a malicious URL.
The cyberspies leverage legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity in the attempt to evade detection.
Below is a list of tools used by the Harvester group in the attacks spotted by the researchers:
Backdoor.Graphon – custom backdoor that uses Microsoft infrastructure for its C&C activity
Custom Downloader – uses Microsoft infrastructure for its C&C activity
Custom Screenshotter – periodically logs screenshots to a file
Cobalt Strike Beacon – uses CloudFront infrastructure for its C&C activity (Cobalt Strike is an off-the-shelf tool that can be used to execute commands, inject other processes, elevate current processes, or impersonate other processes, and upload and download files)
Metasploit – an off-the-shelf modular framework that can be used for a variety of malicious purposes on victim machines, including privilege escalation, screen capture, to set up a persistent backdoor, and more.
The downloader leverages the Costura Assembly Loader, it prepares the environment on the target system by adding a registry value for a new load-point, and eventually opening an embedded web browser within its own UI using the URL hxxps://usedust[.]com.
“The attackers then run commands to control their input stream and capture the output and error streams. They also periodically send GET requests to the C&C server, with the content of any returned messages extracted and then deleted.” continues the analysis. “Data that cmd.exe pulled from the output and error streams is encrypted and sent back to the attackers’ servers.”
The custom screenshot tool allows operators to take photos that are saved in a password-protected ZIP archive for exfiltration. The malware deletes all archives older than a week.
The researchers have not yet attributed the activity to a specific nation-state actor, Symantec’s report includes Indicators of Compromise (IoCs) for this threat.
FBI, CISA, NSA have published a joint advisory about the operation of the BlackMatter ransomware gang and provides defense recommendations.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have published an advisory that provides details about the BlackMatter ransomware operations and defense recommendations.
This advisory provides information on tactics, techniques, and procedures (TTPs) associated with the ransomware gang that were obtained from the analysis of a sample of BlackMatter ransomware as well from trusted third-party reporting.
The BlackMatter group launched its operations at at the end of July, the gang claims to be the successor of Darkside and REvil groups. Like other ransomware operations, BlackMatter also set up its leak site where it publishes data exfiltrated from the victims before encrypting their system.
The launch of the BlackMatter ransomware-as-a-service (RaaS) was first spotted by researchers at Recorded Future who also reported that the gang is setting up a network of affiliates using ads posted on two cybercrime forums, such as Exploit and XSS.
The group is recruiting crooks with access to the networks of large enterprises, which have revenues of $100 million/year or larger, in an attempt to infect them with its ransomware. The group is looking for corporate networks in the US, the UK, Canada, or Australia.
BlackMatter ransomware operators announced that they will not target healthcare organizations, critical infrastructure, organizations in the defense industry, and non-profit companies. In August, the gang has implemented a Linux encryptor to targets VMware ESXi virtual machine platform.
BlackMatter operators have already hit numerous U.S.-based organizations and have demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.
Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network. BlackMatter then remotely encrypts the hosts and shared drives as they are found.
The sample analyzed by the researchers allowed them to discover that the ransomware operators used compromised administrator credentials to discover all the hosts in the victim’s Active Directory. In order to list all accessible network shares for each host the malicious code used Microsoft Remote Procedure Call (MSRPC) function (srvsvc.NetShareEnumAll) that allowed listing all accessible network shares for each host.
“The BlackMatter variant uses embedded admin or user credentials that were previously compromised and NtQuerySystemInformation and EnumServicesStatusExW to enumerate running processes and services, respectively. BlackMatter then uses the embedded credentials in the LDAP and SMB protocol to discover all hosts in the AD and the srvsvc.NetShareEnumAll Microsoft Remote Procedure Call (MSRPC) function to enumerate each host for accessible shares.” reads the joint alert. “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON.”
BlackMatter operators use a separate encryption binary for Linux-based machines that can encrypt ESXi virtual machines. The experts noticed that BlackMatter operators wipe or reformat backup data stores and appliances instead of encrypting backup systems.
The alert also includes Snort signatures that can be used by network defenders to detect the network activity associated with BlackMatter.
CISA, the FBI, and NSA urge network defenders to apply the following mitigations to reduce the risk of compromise by BlackMatter ransomware:
Implement Detection Signatures;
Use Strong Passwords;
Implement Multi-Factor Authentication;
Patch and Update Systems;
Limit Access to Resources over the Network;
Implement Network Segmentation and Traversal Monitoring;
Use Admin Disabling Tools to Support Identity and Privileged Access Management;
Implement and Enforce Backup and Restoration Policies and Procedures;
The US agencies also urge critical infrastructure organizations to apply the following additional mitigations:
Disable the storage of clear text passwords in LSASS memory.
Consider disabling or limiting New Technology Local Area Network Manager (NTLM) and WDigest Authentication.
Implement Credential Guard for Windows 10 and Server 2016, enable Protected Process Light for Local Security Authority (LSA).
Minimize the AD attack surface
The alert also provides the following recommendations for responding to ransomware attacks:
Trustwave’s SpiderLabs researchers have released a free decryptor for the BlackByte ransomware that can allow victims to recover their files.
Researchers from Trustwave’s SpiderLabs have released a decryptor that can allow victims of the BlackByte ransomware to restore their files for free.
The experts spotted the BlackByte ransomware while investigating a recent malware incident. The analysis of the ransomware revealed that it was developed to avoid infecting systems that primarily use Russian or related languages.
Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key to encrypt files and it uses the symmetric-key algorithm AES. Anyone that could access the raw key would be able to decrypt the files.
The experts noticed that the ransomware fetches a .PNG file that embeds multiple keys and which is the same for all the victims. The researchers analyzed it to create a free decryptor.
“Unlike other ransomware that may have a unique key in each session, BlackByte uses the same raw key (which it downloads) to encrypt files and it uses a symmetric-key algorithm – AES. To decrypt a file, one only needs the raw key to be downloaded from the host. As long as the .PNG file it downloaded remains the same, we can use the same key to decrypt the encrypted files.” reads the analysis published by Trustwave.
The ransomware also implements worm capabilities, and it crashes if the encryption key download fails.
Experts noticed that the ransomware also sets its process priority class to above normal and uses SetThreadExecutionState APIm this trick prevents the system from entering in the sleep mode.
Then the malware removes applications and terminates processes that can interfere with the encryption process.
BlackByte also terminates Raccine anti-ransomware utility and removes it from the infected system.
In order to prevent the victims from recovering the encrypted files, BlackByte deletes all shadow copies and Windows restore points, deletes the recycle bin, disables controlled folder access, enables file and printer sharing and network discovery, and enables the SMB1 protocol.
Experts also noticed that the ransomware doesn’t include exfiltration capabilities even if its operators claim to steal victims’ data.
“The auction site that is linked in the ransom note is also quite odd, see below. The site claims that it has exfiltrated data from its victims, but the ransomware itself does not have any exfiltration functionality. So this claim is probably designed to scare their victims into complying.” states the analysis.
Anyway the good news is the availability of the decryptor, Trustwave released the free tool on GitHub.
The Uptycs Threat Research Team spotted a campaign in which the TeamTNT threat actors deployed a malicious container image on Docker hub.
The Uptycs Threat Research Team recently identified a campaign in which the TeamTNT threat actors deployed a malicious container image (hosted on Docker Hub) with an embedded script to download Zgrab scanner and masscanner—penetration testing tools used for banner grabbing and port scanning respectively. Using the scanning tools inside the malicious Docker image, the threat actor tries to scan for more targets in the victim’s subnet and perform further malicious activities.
Criminal groups continue to target Docker Hub, GitHub, and other shared repositories with container images and software components that include malicious scripts and tools. They often aim to spread coinminer malware, hijacking the computing resources of victims to mine cryptocurrency.
In this post, we will detail the technical analysis of the malicious components deployed by the TeamTNT threat actor.
Alpineos profile – Responsible Disclosure
The malicious Docker image was hosted in Docker Hub under the handle name alpineos, a community user who joined Docker Hub on May 26, 2021. At the time of this writing, alpineos profile was hosting 25 Docker images (See Figure 1).
Figure 1: Alpineos Docker hub handle
The Dockerapi image which we analysed had 5,400 downloads within approximately two weeks of being added. Another Docker image from the repository, ‘basicxmr’ has been downloaded more than 100,000 times. This clearly suggests that the profile is actively developing malicious images.
The Uptycs Threat Research Team reported the Docker image hosted in the Docker Hub website to the security team on September, 30 2021.
TeamTNT threat actor
TeamTNT is a well known threat actor which targets *nix based systems and misconfigured Docker container environments. Threat actors associated with TeamTNT mostly use open-source tools in their campaigns, such as XMrig miner, Tsunami IRC bot (a.k.a kaiten) and the diamorphine rootkit.
The Attack kill chain
The attack kill chain we observed TeamTNT using is shown below (see Figure 2).
Figure 2: TeamTNT attack life cycle
The different stages of the attack kill chain depicted above are as follows:
Using the monero-ocean shell script, TeamTNT/Hilde deployed a new malicious Docker image named Dockerapi which was hosted on Docker hub website.
Using Docker, the malicious image was run with the privilege flag, and was mounted with the victim host and victim host’s network configuration.
The malicious Docker image had an embedded shell script named ‘pause’.
The ‘pause’ shell script inside the malicious Docker image had commands to install masscanner and the zgrab tool.
After setting up the scanning tools, the functions in the ‘pause’ script start scanning rigorously in the victim subnet on Docker related ports for more target virtual machines (nodes). A node is a part of Docker swarm. A Docker swarm is a group of physical or virtual machines (nodes) operating in a cluster.
Once the target node is found as a result of the Docker-related port scan in the victim subnet, the pause shell script runs the misconfigured alpine Docker image remotely (from the victim machine) in the target node, passing a base64 command as command line. The command:
Generates the ssh keys and adds it to authorized_keys file.
Logs into the target node’s host via ssh and downloads the monero-ocean shell script from the C2 (teamtnt[.]red) into the target node’s host.
The monero-ocean shell script in this campaign later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on.
The monero-ocean shell script also downloads another shell script (diamorphine shell script) which downloads and deploys the diamorphine rootkit to the victim’s system.
The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid.
The monero-ocean shell script (c21d1e12fea803793b39225aee33fe68b3184fff384b1914e0712e10630e523e) used as initial vector had the following command to deploy alpineos/Dockerapi Docker image onto the victim system (see Figure 3)
Figure 3: Command to deploy Dockerapi container image
The command shown above runs the Dockerapi image with the following:
–net flag to have host’s network configuration inside container
/host mounted inside container image
Using the command Docker ps, we can identify the malicious Docker image runs pause shell script (see Figure 4).
Figure 4: Dockerapi image runs pause shell script
The pause shell script inside Docker image installs basic utilities and the scanning tools Zgrab and masscan (see Figure 5).
Figure 5: Initial setup done by pause shell script
Upon installation of these tools, commands inside the pause shell script start heavy scanning on Docker related ports in an attempt to target more nodes (machines) in the victim subnet (see Figures 6,7).
Figure 6: Docker related scanned ports in the victim subnet
Figure 7: Masscan and Zgrab commands used for scanning
Masscan and zgrab
Masscan and zgrab scanning commands are used in the Docker container image for scanning and banner grabbing. The functionality of these commands is listed below.
masscan 220.127.116.11/8 -p2377 –rate 50000
The masscan works much like nmap utility which is used for scanning target IPs. In this case masscan scans with a rate of 50,000 pks/sec which is a huge rate against the port 2377.
The zgrab tool is used for vulnerability scanning and part of the zmap project. In this case the attacker used zgrab with 200 send coroutines (threads) for banner grabbing and saving the IP addresses with target opened ports in an output file.
Alpine Docker image deployment
As a result of scanning, once the target node is found, the command inside pause shell script performs the following:
Remotely runs the alpine Docker image with full privilege and host mounted on the target node.
Uses a base64 encoded command which adds newly generated ssh keys to authorized_keys file.
Using the same command, logs into the target node’s host with ssh and downloads the monero-ocean shell script in the target host (see Figures 8,9).
Figure 8: base64 encoded command passed with misconfigured alpine image
The monero-ocean shell script later deploys Xmrig miner and the Tsunami IRC bot on the system it is being run on (see Figures 10 and 11).
Figure 10: command to download XMrig miner
Figure 11: command to download IRC bot
The IRC bot in the victim machine communicates with attacker C2 over port 8080 (see Figure 12).
Figure 12: IRC communication on port 8080
Alongside this, the monero-ocean shell script also contained the command to download diamorphine rootkit shell script (see Figure 13).
Figure 13: command to download diamorphine shell script
The diamorphine shell script (418d1ea67110b176cd6200b6ec66048df6284c6f2a0c175e9109d8e576a6f7ab) deploys the diamorphine rootkit in the victim system (see Figure 14).
Figure 14: Diamorphine Rootkit getting compiled and deployed
The diamorphine rootkit consists of features like hiding the pid, syscall table hooking and giving root privilege to the pid (see Figures 15 and 16).
Figure 15: cr0 WP bit modification for syscall table hooking
Figure 16: Hooked syscalls (getdents and kill)
Uptycs EDR detections
The Uptycs EDR armed with YARA process scanning detected the malware components involved in this campaign with a threat score of 10/10 (see Figure 17,18,19). In addition, Uptycs offers the following abilities to secure your container deployments:
Uptycs integrates with CI/CD tools so that developers can initiate image scans at build time to detect malicious container images before they are deployed to production.
Uptycs continuously monitors and reports on compliance with the CIS Benchmark for Docker to identify misconfigurations that attackers can exploit, and offer remediation guidance so that your team can quickly fix those issues.
Figure 17: Uptycs EDR detection
Figure 18: masscan command captured by the Uptycs EDR
Figure 19: zgrab command captured by the Uptycs EDR
Docker containers have become an integral part of the organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime.
The EDR capabilities of Uptycs empowers security teams to detect, investigate attacks in their Docker infrastructure.
Credits: Thanks to Uptycs Threat Research Team members for their inputs and research.