27 May 2023

Platbox - UEFI And SMM Assessment Tool


UEFI and SMM Assessment Tool

Features

Platbox is a tool that helps assess the security of the platform:

  • Dumps the platform registers that are interesting security-wise:
    • Flash locks
    • MMIO and remapping locks
    • SMM base and locks
    • MSRs
  • RW access to the PCI configuration space of devices.
  • RW access to physical and virtual memory.
  • Allows allocating physical memory and mapping it to usermode.
  • Read and write MSRs.
  • Dump SPI flash content (BIOS) into a file.
  • Basic dumb SMI fuzzer.
  • Dump the S3 boot script (from the SMM Lockbox) into a file.
  • Dump the EFI memory map (Linux only for now).
  • List UEFI variables.
  • Supports Linux and Windows.
  • Supports Intel and AMD.

Example of 'chipset' command output for an AMD platform

Project Structure

The project is divided as follows:

  • PlatboxDrv: kernel drivers used for Linux and Windows.
  • PlatboxLib: the usermode component that loads the kernel driver and provides access to all the previously listed features.
  • PlatboxCli: a console client that uses the library.
  • Pocs: an example of a program using features from the library.

Compilation Steps

Windows

Release Build
cmake -G "Visual Studio 17 2022" -A x64 -S .. -B "build64" 
cmake --build build64/ --target platbox_cli --config Release


Threat Roundup for May 19 to May 26

26 May 2023 at 21:57

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between May 19 and May 26. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.
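The IOC tables in this post are defanged (`[.]` for dots) and carry an occurrence count per indicator, and the post warns that a single IOC hit is not evidence of maliciousness on its own. The script below is an added example, not part of the Talos post: it refangs the domains copied from the Djvu table further down, matches them (and their subdomains) against constructed DNS log lines, weights each hit by the post's occurrence count, and only escalates a client that touched several distinct indicators that are not just widely used infrastructure. The `BENIGN_CONTEXT` allowlist and the log format are assumptions of this example.

```python
"""
Added example, not part of the Talos post: refang the defanged indicators
the roundup lists, match them against DNS log lines, and apply the post's
caveat that one IOC hit (particularly on widely used infrastructure) is
not by itself evidence of compromise.
"""
import re
from dataclasses import dataclass

# Domains copied from the Djvu IOC table in this roundup, with the occurrence
# counts the post gives (how many of the 19 analysed samples contacted them).
DJVU_SAMPLE_COUNT = 19
DJVU_DOMAINS = {
    "api[.]2ip[.]ua": 19,
    "zexeq[.]com": 19,
    "colisumy[.]com": 19,
    "t[.]me": 18,
}

# Widely used services that show up in sandbox contact lists because the
# sample (or the sandbox itself) touched them. Assumption: this allowlist is
# ours, not something the post defines; tune it for your own environment.
BENIGN_CONTEXT = {"t.me", "google.com", "www.google.com", "microsoft.com"}

# Constructed DNS log lines (not from the post) in a simple key=value layout.
SAMPLE_DNS_LOG = [
    "2023-05-25T10:01:02Z client=10.0.0.5 query=api.2ip.ua type=A",
    "2023-05-25T10:01:03Z client=10.0.0.5 query=www.google.com type=A",
    "2023-05-25T10:01:05Z client=10.0.0.5 query=cdn.zexeq.com type=A",
    "2023-05-25T10:02:11Z client=10.0.0.9 query=t.me type=A",
]

HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")
CLIENT_RE = re.compile(r"client=(\S+)")


def refang(indicator: str) -> str:
    """Undo the [.] and hxxp defanging used in the roundup tables."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class Hit:
    line_no: int
    client: str
    domain: str          # the roundup domain that matched (refanged)
    prevalence: float    # occurrences / samples analysed, from the post
    benign_context: bool


def scan_dns_log(lines, iocs, sample_count):
    """Return a Hit for every log line whose queried host is an IOC domain
    or a subdomain of one."""
    table = {refang(d): n / sample_count for d, n in iocs.items()}
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = CLIENT_RE.search(line)
        client = m.group(1) if m else "?"
        for host in HOST_RE.findall(line.lower()):
            for dom, prevalence in table.items():
                if host == dom or host.endswith("." + dom):
                    hits.append(Hit(line_no, client, dom, prevalence,
                                    dom in BENIGN_CONTEXT))
    return hits


def triage(hits, min_distinct=2):
    """Escalate a client only when it touched several distinct IOC domains
    that are not just benign context; a lone hit stays a lead for hunting."""
    per_client = {}
    for h in hits:
        if not h.benign_context:
            per_client.setdefault(h.client, set()).add(h.domain)
    return sorted(c for c, doms in per_client.items() if len(doms) >= min_distinct)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, DJVU_DOMAINS, DJVU_SAMPLE_COUNT)
    for h in found:
        tag = "context" if h.benign_context else "lead"
        print(f"line {h.line_no}: {h.client} -> {h.domain} "
              f"(seen in {h.prevalence:.0%} of samples) [{tag}]")
    print("escalate:", triage(found))
```

Run as-is it reports three hits: two leads for 10.0.0.5 (api.2ip.ua and the zexeq.com subdomain) and one context hit for 10.0.0.9 (t.me), and escalates only 10.0.0.5. Matching on the registered domain suffix rather than the exact string is deliberate, since the sandbox records whatever host the sample resolved, which need not be the one seen on your resolver.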

The most prevalent threats highlighted in this roundup are:

Threat Name | Type | Description
Win.Ransomware.Djvu-10002408-1 | Ransomware | The Djvu ransomware encrypts the victim's files with Salsa20 and is known for changing its payloads, ransom notes and the file extensions appended to encrypted files. It spreads via cracked or faked applications or updates, keygens or activators. The main payload uses a wide variety of anti-debugging and anti-emulation techniques, including checking the location of the system via the keyboard layout or websites.
Win.Virus.Ramnit-10002385-0 | Virus | Ramnit is a banking trojan that monitors web browser activity on an infected machine and collects login information from financial websites. It also steals browser cookies and attempts to hide from popular anti-virus software.
Win.Trojan.Qakbot-10002083-1 | Trojan | Qakbot, aka Qbot, has been around since at least 2008. Qbot primarily targets sensitive information like banking credentials but can also steal FTP credentials and spread across a network using SMB.
Win.Dropper.Tofsee-10002081-0 | Dropper | Tofsee is multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more. Infected systems become part of the Tofsee spam botnet and send large volumes of spam messages to infect additional systems and increase the size of the botnet under the operator's control.
Xls.Malware.Valyria-10002078-0 | Malware | Valyria is a malicious Microsoft Word document family that is used to distribute other malware, such as Emotet.
Win.Dropper.Zeus-10002075-0 | Dropper | Zeus is a trojan that steals information such as banking credentials using methods such as key-logging and form-grabbing.
Win.Packed.njRAT-10002074-1 | Packed | njRAT, also known as Bladabindi, is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. The Sparclyheason group originally developed njRAT. Some of the largest attacks using this malware date back to 2014.
Win.Ransomware.TeslaCrypt-10002553-0 | Ransomware | TeslaCrypt is a well-known ransomware family that encrypts a user's files and demands Bitcoin in exchange for a decryptor service. A flaw in the encryption algorithm was discovered that allowed files to be decrypted without paying the ransom, and eventually the malware developers released the master key, allowing all encrypted files to be recovered easily.

Threat Breakdown

Win.Ransomware.Djvu-10002408-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 19 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION 
Value Name: SysHelper
19
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: SysHelper
19
MutexesOccurrences
{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}19
M5/610HP/STAGE217
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
162[.]0[.]217[.]25419
149[.]154[.]167[.]9918
116[.]202[.]7[.]23917
211[.]40[.]39[.]2515
210[.]182[.]29[.]704
201[.]124[.]33[.]1774
175[.]126[.]109[.]153
211[.]171[.]233[.]1293
211[.]59[.]14[.]902
175[.]119[.]10[.]2312
175[.]120[.]254[.]92
123[.]140[.]161[.]2432
190[.]141[.]35[.]32
2[.]180[.]10[.]72
95[.]158[.]162[.]2002
190[.]219[.]153[.]1012
211[.]119[.]84[.]1121
186[.]182[.]55[.]441
58[.]235[.]189[.]1921
190[.]229[.]19[.]71
49[.]12[.]115[.]1541
187[.]156[.]85[.]1081
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
api[.]2ip[.]ua19
zexeq[.]com19
colisumy[.]com19
t[.]me18
Files and or directories createdOccurrences
I:\5d2860c89d774.jpg19
\SystemID19
\SystemID\PersonalID.txt19
%LOCALAPPDATA%\bowsakkdestx.txt19
%System32%\Tasks\Time Trigger Task19
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed6519
%ProgramData%\freebl3.dll18
%ProgramData%\mozglue.dll18
%ProgramData%\msvcp140.dll18
%ProgramData%\nss3.dll18
%ProgramData%\softokn3.dll18
%ProgramData%\vcruntime140.dll18
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa126218
%APPDATA%\Microsoft\Network17
%System32%\Tasks\Azure-Update-Task17
%APPDATA%\Microsoft\Network\mstsca.exe17
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build2.exe17
%LOCALAPPDATA%\7c34bb01-5d78-49c4-8bbb-73fdc7aa1262\build3.exe17
%ProgramData%\291861050018182567102343061
%ProgramData%\984340699417744013017792291
%ProgramData%\069587037100252482383029661
%ProgramData%\510852629415865907756702851
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\64d18a6e518bf68b453134e9fe01968e924fc67e3b6b5274668e606d62842b61.exe1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\75022ede411ab60fd9e55d3fa517edfe8488101c916d0b0d91161c8c98da9be8.exe1
%LOCALAPPDATA%\3856b5d6-9eb0-496c-b0d1-db92b0f6ed65\1ed3247b3c2cf5da57d068a93257520d2303b7254fec98110d67194503472a97.exe1

*See JSON for more IOCs

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | Protected
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | Protected
WSA | Protected

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Virus.Ramnit-10002385-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: AntiVirusOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: AntiVirusDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: FirewallDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: FirewallOverride
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: UpdatesDisableNotify
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\SECURITY CENTER 
Value Name: UacDisableNotify
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM 
Value Name: EnableLUA
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE 
Value Name: EnableFirewall
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE 
Value Name: DoNotAllowExceptions
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\STANDARDPROFILE 
Value Name: DisableNotifications
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WSCSVC 
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WINDEFEND 
Value Name: Start
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\MPSSVC 
Value Name: Start
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION 
Value Name: jfghdug_ooetvtgk
25
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: JudCsgdy
25
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\WUAUSERV 
Value Name: Start
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: Windows Defender
25
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON 
Value Name: Userinit
25
<HKLM>\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON 
Value Name: Userinit
25
MutexesOccurrences
{7930D12C-1D38-EB63-89CF-4C8161B79ED4}25
{79345B6A-421F-2958-EA08-07396ADB9E27}25
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
193[.]166[.]255[.]17125
195[.]201[.]179[.]20725
35[.]205[.]61[.]6725
63[.]251[.]106[.]2525
63[.]251[.]235[.]7625
142[.]251[.]35[.]17425
162[.]249[.]65[.]22125
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
google[.]com25
ygqqaluei[.]com25
atw82ye63ymdp[.]com25
mdofetubarhorbvauf[.]com25
warylmiwgo[.]com25
caosusubld[.]com25
bekvfkxfh[.]com25
xomeommdilsq[.]com25
wwyreaohjbdyrajxif[.]com25
grbjgfprk[.]com25
xxsmtenwak[.]com25
ydchosmhwljjrq[.]com25
Files and or directories createdOccurrences
%LOCALAPPDATA%\bolpidti25
%LOCALAPPDATA%\bolpidti\judcsgdy.exe25
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\judcsgdy.exe25
\TEMP\K9eEf4fVf25

File Hashes

069becc422d6f6f1a739f36c19977e86f973de8ac71d43707f821509eeb7e3ab
0737a484e81ccea1561a2d09482722f4b1b78020b471cc9285762f297a19a9e9
08f041ec2fafe6d1b6d4a4df0fd492a490a815bef4c45407c28f01a53eb2f7e9
112d9844d869a67cc760eb9619a8f96648abe63dd788841b2189708a4ab33e79
19888aed71f14a4b18a67e9b8520a79ce32f9a830a887bea6a8e065c90e483d8
1e08f5c1a773ee61cf068aa8b5b1962f60c974797f2bbbf0af783834278a5760
1e43f958047862b254dd56ef12ad553dd1b1b479c66725ff682d173339180272
24975482f70ca48e97a8ae892db449c45d959580cf1799cce910eb62e1d5dc48
2f2e8b9e8e1257ab1d1f6242b2ee21088c03d9b9160d9b6a3c7e6ed045e78710
3120f89d41fba5cfbe8b5e1e9afb4022cfec268620cc3f5bae0f47bcb368d92e
3424188e777af669655e6710ba4954fb973110bca6d0c69aa40ed97e1f64f5d3
3441e7896f39a452d1391c2391e71aecf9bb5b135871887f35c8566f96c571d6
3688dd56fd61ff5ecf322ada31deec7c26d22ea4e3a634d4a06845e65962182f
4023b5e53d127c9a9d1b268e62a988c64010ac96b0ca509c345fa379e082ac38
5370afb0a0c823ade197b86217534fda5969ef7dd45aa9f48128a31e401cc356
556ee8a712446234cf175b2b96280ab6fd4f3b3f8dc76930c3b3d9ec31b68ca3
73045fc3593bb96604879c80f5b3222f5723815b52240fdd6a7e6c1c58ec1596
797514dff7a8b29b0bea85875a39715ee091fbeaa31fdad4428a4f6863a9b8c4
8257c33afc6f826716bbe89628006659a25006f4276a80c2284965a70abad3b4
83eb00995d90f5e09ee93c2dbaa365f9a3cd5ea02ab32c35e26e5c8bc5af7f68
86cc81d40db039da90b44b476b79e2da8ea0d87580130fe52f93f12c100090af
8ece6f1fd15062ed6f52d02be64f58979065c28e8b135244b7cba144e37f4246
9d4dfffc0a7b70f370f7d1a5802415df422813f7ecbaba01e9f0c96270b08a57
9e1559f93288f34005b9eff555fa227d4c0188a0bd378cbba392fae9ab0b0f1b
9fc031cd7bcccfb61552939bc5a445acc5b23d3b3aa3932ac10b249c479a9ea3
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | Protected
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | Protected
WSA | Protected

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Trojan.Qakbot-10002083-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: bd63ad6b
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: bf228d17
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: 79eea72
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: 7a96a5f8
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: f7b512d3
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: 88fc7d25
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: c22ac29d
25
<HKCU>\SOFTWARE\MICROSOFT\DFWOFIK 
Value Name: 5dfca0e
25
MutexesOccurrences
Global\{06253ADC-953E-436E-8695-87FADA31FDFB}25
{06253ADC-953E-436E-8695-87FADA31FDFB}25
{357206BB-1CE6-4313-A3FA-D21258CBCDE6}25
Files and or directories createdOccurrences
%APPDATA%\Microsoft\Xtuou25

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Dropper.Tofsee-10002081-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 20 samples
Registry KeysOccurrences
<HKU>\.DEFAULT\CONTROL PANEL\BUSES20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'>20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: Type
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: Start
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: ErrorControl
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: DisplayName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: WOW64
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: ObjectName
20
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: Description
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config0
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config1
20
<HKU>\.DEFAULT\CONTROL PANEL\BUSES 
Value Name: Config2
19
<HKLM>\SYSTEM\CONTROLSET001\SERVICES\<random, matching '[A-Z0-9]{8}'> 
Value Name: ImagePath
17
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\isupldcy
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\kuwrnfea
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\zjlgcutp
2
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\jtvqmedz
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\gqsnjbaw
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\scezvnmi
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\cmojfxws
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\xhjeasrn
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\dnpkgyxt
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\rbdyumlh
1
<HKLM>\SOFTWARE\MICROSOFT\WINDOWS DEFENDER\EXCLUSIONS\PATHS 
Value Name: C:\Windows\SysWOW64\lvxsogfb
1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
80[.]66[.]75[.]25420
176[.]113[.]115[.]13619
80[.]66[.]75[.]419
176[.]113[.]115[.]23919
176[.]113[.]115[.]13519
45[.]143[.]201[.]23819
31[.]13[.]65[.]17415
31[.]13[.]65[.]5215
20[.]44[.]209[.]20911
185[.]161[.]248[.]12710
176[.]113[.]115[.]849
66[.]254[.]114[.]418
142[.]250[.]64[.]688
20[.]112[.]52[.]298
149[.]154[.]167[.]997
104[.]16[.]119[.]507
104[.]244[.]42[.]666
52[.]101[.]40[.]296
104[.]18[.]13[.]336
104[.]127[.]87[.]2106
142[.]250[.]217[.]1966
104[.]244[.]42[.]705
142[.]250[.]65[.]1965
20[.]103[.]85[.]335
20[.]84[.]181[.]625

*See JSON for more IOCs

Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
microsoft-com[.]mail[.]protection[.]outlook[.]com20
microsoft[.]com20
vanaheim[.]cn20
249[.]5[.]55[.]69[.]bl[.]spamcop[.]net19
249[.]5[.]55[.]69[.]cbl[.]abuseat[.]org19
249[.]5[.]55[.]69[.]dnsbl[.]sorbs[.]net19
249[.]5[.]55[.]69[.]in-addr[.]arpa19
249[.]5[.]55[.]69[.]sbl-xbl[.]spamhaus[.]org19
249[.]5[.]55[.]69[.]zen[.]spamhaus[.]org19
www[.]google[.]com19
i[.]instagram[.]com15
www[.]instagram[.]com15
api[.]twitter[.]com11
in-jsproxy[.]globh[.]com11
mobile[.]twitter[.]com8
www[.]pornhub[.]com8
api[.]steampowered[.]com8
identity[.]bitwarden[.]com8
t[.]me7
www[.]evernote[.]com6
steamcommunity[.]com6
docs[.]google[.]com5
ev-h[.]phncdn[.]com5
auth[.]gaijinent[.]com5
www[.]tiktok[.]com4

*See JSON for more IOCs

Files and or directories createdOccurrences
%SystemRoot%\SysWOW64\config\systemprofile20
%SystemRoot%\SysWOW64\config\systemprofile:.repos20
%SystemRoot%\SysWOW64\<random, matching '[a-z]{8}'>20
%TEMP%\<random, matching '[a-z]{8}'>.exe17
%TEMP%\Administrator.bmp1
%TEMP%\nwcnlas.exe1
%TEMP%\udjushz.exe1
%TEMP%\hqwhfum.exe1

File Hashes

*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | Protected
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | Protected
WSA | Protected

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Xls.Malware.Valyria-10002078-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 25 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\FILEEXTS\.JS25
<HKCR>\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\BAGS\16025
MutexesOccurrences
Local\10MU_ACB10_S-1-5-5-0-6786325
Local\10MU_ACBPIDS_S-1-5-5-0-6786325
Files and or directories createdOccurrences
%TEMP%\sfoWQ.txt25
%TEMP%\sfoWQ.txt:Zone.Identifier25
%APPDATA%\sfoWQ.txt25

File Hashes

09214b75e113f9df8029db90913919de573c5d16ca8005453a9b4df5c2744ab4
0d7dcea3a78eccc8abc6d1ddb7761bf5c0d15c79159af7af22fa6c06a7c76491
1e9cef0c192fff11cba232a102639387bca0af47e9fcd160a55d20065c54cf08
3a6e2f267fbdd6b5a1248c6e56612f18594e1d5c0a3d8d4d9dd69711f426913f
49c980bb98d56a511b2adfe87a2e2f03dc172e1c0cab88fb72eaaca7d7f892fa
4fd4219515547335f22d38747308304a193f3736f62c131a2866ba4ea8c2efab
55c31c60c2143a851b33ba43bd05a4ca4ed1f49d34d650c764325d52159bd3bc
57879f11611c36bfeec0fc76275ca7a98181382a6e9ee120980da2f63b200677
5d7a2f9dbfdd4972d426ac27035251ca04b70ee49568a07b54b9b0bb20b539f6
60c215a73729207311b3fa8bdf9d3a92979b3b4a3647c6473f8e9e94cc844d47
61e6f84d6d68a96fd8d52f792c21b5121e218b405e14b08041fa1bcd7a2815f6
6ace2eb7f0abd2231439d20ae7280432bfeffc0ff54030fd8b45c925788b5b45
750e11c32b4992167d3b803e15d11d678a242f3accbde86e8b2897abea12017e
7776a45f3bb6e284fc41398d99c7d4078d35333b29d0cd822d143c5662c6e981
7935a802c774f09510b7ea92e1c71518308e3522c2f78e5a3b3514df9d26105f
7c031d1f559da9eb3c4fcee035f403abb2dc3d19c0ac2a7b4f9ef87a21e9c45c
807ab83a7b2a132266e1e127f46feb5b35a6a40b63154e5a52116fcb852adba4
82dfb38db754f42799d4505d8f17ad12fc6d6830c32df2c3fa1aeabbedb5475f
8fcb8cd84bbac5f2fd9431f7287702da9b5c59c3d3d7aa4db6ba456e87db5325
91493c3eb2098e1dc17ae1966bbac80411bb43adc318f69680d845e74245c4c6
93af1d5c4066a77c419cf00614044c269ef119582c428e8ff15a3da71328fdca
94b5d0f1b6def10685e91c5f739acbfb09d533f440dba4f0f62a6f90a892b5e4
9b3076343bb665bc9c0baa44f5b4d08ac9e74dc310906099e453b6270032106a
a1668447abe6177554d6e752d61a74aaa135013b4bb9952becb248045da09b3f
a1f553a776fa0302b46393ddb10d6130839018c28a1220bc8457ef18f17dc45c
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | N/A
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | N/A
WSA | N/A

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Dropper.Zeus-10002075-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 35 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\MICROSOFT\GUZUESLO 
Value Name: hbch1bi
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: Mezas
1
<HKCU>\SOFTWARE\MICROSOFT\GUZUESLO 
Value Name: 3055dc04
1
<HKCU>\SOFTWARE\MICROSOFT\GUZUESLO1
<HKCU>\SOFTWARE\MICROSOFT\GUZUESLO 
Value Name: 11822b80
1
MutexesOccurrences
Local\{<random GUID>}1
GLOBAL\{<random GUID>}1
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
172[.]245[.]217[.]1221
86[.]133[.]91[.]1531
84[.]59[.]129[.]231
27[.]54[.]110[.]771
184[.]56[.]203[.]91
174[.]103[.]25[.]1991
107[.]221[.]229[.]2161
172[.]5[.]238[.]2221
107[.]196[.]239[.]261
206[.]205[.]226[.]1301
142[.]251[.]40[.]1641
122[.]30[.]92[.]101
201[.]22[.]95[.]101
68[.]84[.]52[.]2271
24[.]31[.]240[.]2541
76[.]218[.]94[.]541
71[.]3[.]137[.]2081
98[.]95[.]188[.]1441
107[.]217[.]225[.]1581
180[.]35[.]68[.]1861
31[.]168[.]72[.]1551
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
www[.]bing[.]com1
www[.]google[.]com1
eqbaguldaxkwhelpbukqxgeuauci[.]net1
wgmvttwcmhhheeasgvofuqoiwo[.]org1
plrhyhjvjffywctkbahgiivxcpr[.]info1
hinbnfxgpqskneahavuoxvtyd[.]com1
qgkzlqraigymbmobukpjtmdib[.]ru1
sxbambmzfifirlnjxsbenrbtpz[.]com1
caozbupzdetgvwinbojtgxxwcqs[.]info1
xrkyxprttpemeqfamztgfykjdet[.]org1
zdphmsfahetgarpjdbmkvxcscnf[.]net1
pztknpblhkrhimnlbrcvspdinb[.]biz1
hpfmztgmrgqhiusfmvlbdtwdiam[.]ru1
pvdigajzpwkkfizfmmjmrpkjfeto[.]com1
cyscqgqsscutljrwqwnbcufexkr[.]net1
nfkbojqskjulbydktduoskztpf[.]org1
pvtgqceifucelgmhekrgmfe[.]biz1
gaaqciscmfiqwthiztlpzscjnyteq[.]com1
vcfqgmhdyxkirrghiblndeixojz[.]ru1
fqtfyjvdqbbqoztirtwvwdkrqk[.]com1
ivpzeiwkwkbxnvcwgqcljnifiz[.]info1
qkpibzvwrwirqcyhhudykgimz[.]biz1
xkvcuqyrstcgyvkpnijdixgbeei[.]net1
mblwytskjplvduxceypeqylce[.]com1
raihobdypsocykrtlcisgnzzl[.]ru1

*See JSON for more IOCs

Files and or directories createdOccurrences
%TEMP%\LZP4377.bat1
%HOMEPATH%\AppData\LocalLow\odaj.koc1
%APPDATA%\Uwname1
%APPDATA%\Uwname\mezas.exe1

File Hashes

02df10e355b422c5bb5e2d597ed5ba186ccd75b1555a02f499ac181b2120ed03
05f6fef63c053c000bbeb362cb05bff689439af1087333a75c69c424581549ba
14053671d31720f2f9221951c1505e601fd9167ff801a805aa816b317f5e912c
168294fb9090044b7bb6c09db9ad27e2e65cde38a71c3596bc9f2081f0711103
16b90f6758b5c39c711ad687a80b7a2ecac0fb7a6d0692d6d16b10f11ae4c1f8
199818c986a03706929b3f1645dd372d53640f43ef052746cebe6d260d38917b
1c5bbb2c3aeee33f6cf3a96baeb0c5e88ea1f39fc71975bba8ec090bb04b51c4
28b99d76eee9430304deb161a95e4bb136f20165ea3f217099e5663281e29809
2b32f617e4dbf6056ef402d619be0c310184c8c6b510058aacba678d19dc4aa0
2dfeefc5caf4511a29ae3fe30a9da8ad2c62ad2ae9fd39ebc2db46a463957597
334d15fcafebf426192ef6d1535eeaa4a7de8126b74e58fbacc6ec94e4f3ab5b
34b6c7ed9349de1a287d0d5592b78cce35522702e91b8ab5db3d62eae6b67b5e
374bd4c2b34ae49846a760619880fd804faed9566d35d25eeda4189c47f98660
64034a052248997224a7e1687a7ed958e5f948f921f3fac55ad2edbb12570daf
6553bb3b7256019f2a51d44b06e823ba23b75c675d881387cdc5483008ecb983
7cc58d096942f3ae0460683bc9f5c35112655be103075ef8f7a58abaf550c979
854a72dd3fbe2c2a0b18ae0bd660757333e10e893b2487390312886634a093be
869d634387c01e319a72f24bdfb0b4c9a2c808aa88a72f7ad171544b713d596d
881d68cc2ac29affc59650aa7ada44c7973fcb014c2f8535b1648a365469e682
9635dd11d2da647afc6bf13c4ce3c8fabd7dfb128f6cfea32d12f7e06f0b4992
a85a35b0487200ca1f49801827aabf6e747ea4a2b07dfd5f7310d3b88b5e3db4
a9f73e6255dbaa0f11d9b1d75d70278ff41f8df374dd31869a68a73d1008e041
af17b70024313eec53d55c113e7c167ad243fb43eeea842f04070d160e9c3f0f
c17798890e73cbfdd95ec9cc21d6253e9a1e823362efa300a3b103f754a19a45
c3b064b3355cd6ab93b68eb0c4651ef6c39601cd5a3419e5cfc50dbf8ef2d581
*See JSON for more IOCs

Coverage

Product | Protection
Secure Endpoint | Protected
Cloudlock | N/A
CWS | Protected
Email Security | Protected
Network Security | Protected
Stealthwatch | N/A
Stealthwatch Cloud | N/A
Secure Malware Analytics | Protected
Umbrella | Protected
WSA | Protected

Screenshots of Detection

Secure Endpoint: [detection screenshot]

Secure Malware Analytics: [detection screenshot]

MITRE ATT&CK: [technique heat map image]

Win.Packed.njRAT-10002074-1

Indicators of Compromise

  • IOCs collected from dynamic analysis of 23 samples
Registry KeysOccurrences
<HKCU>\SOFTWARE\7E3975E4EF230D7D91954
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 
Value Name: 8BE2FB14B479CCDD9BC15BEAF091A52DF492882CB14B74F194A69E01EEF8E94C
2
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 
Value Name: 6E2CF9A6CE187C062019E955FF60F4FC3EF815C130C306272E592ACCF4FC927A
2
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 737bd67e46d5cadac827d831840e1c9e
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 74863e1e5b984f4d9f6114e67967ba5a
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: d9dbb7f30ccf6b9605ba0f91e4001e71
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: dc9f4568244aa164419d8d55d41d338c
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: e4f591a3b114bf24d3f9b3a6ef913cb4
1
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 
Value Name: 0452D60D658A43929BF2D5BC049E2C57C2D61F58B6444BAB88834C870305DFDF
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: c2527172636652462d2476d220259bd2
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 3845e39e1f3dcec4ff7961b0a2f0ba67
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: bbeb2271f980d0c2e59e411521a4e871
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 890bacd47c7d51fd7312becbd950c7bf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 708d8fc0a77c9a0879ac7cb1189ea39a
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: d5d3c1f0e4d5aef3a94d97f2fb26b8d6
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 9520744a7360c89a58faf9868697bdea
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 2cae9becdde38041e4e330e3f52f0a60
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: e58abc3caa74411ce434a3aa461ead84
1
<HKCU>\SOFTWARE\7E3975E4EF230D7D9195 
Value Name: 91E582DD0FE0224A74B326FAA35161958AAE425DF4B6151646B9C330E7BD5487
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 6598d612c9ecbbb158c36266743d42c8
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: b8b4e1b25a2b6f817649b78b5b5a5d29
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: b152c91bc1c4e0824480fad7befedebf
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: cc4f48707ebaf216d4fef0b4c0c61272
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 5be60fdc5ddb62f32a7de89740b3cd166e812a191d5b4813db31d0a45ab00677
1
<HKCU>\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN 
Value Name: 12d415023bdd583b20d45b79802e10e84dd45196c3d1caafc488024d3be9eca6
1
MutexesOccurrences
ogqaAwjfB2yh3bfL2
SCv88LFTFFI8dR9w1
1QnSO4JAiZV6WpHF1
N4axFUgaXdIayzbn1
22gJEda1Zfw2vwfK1
hQjSOlWGIZB5DO8N1
nsly6rwu2jgM0E2F1
MuT3h4qwhzPDqNiv1
i92Ri83XAhIENZeN1
CpM0BozFwJiJLCI41
HYYqdMBVvkvW9qet1
iGfoxbmflgpokAoH1
b6yNsMdOe03HL9LG1
leyfUfKDaom1wjaJ1
cCWueNtsBI6pgZxq1
MfH1eroMODfvADCS1
QGrfowgnGcHxTGed1
S7lyHQsJzumSHESB1
3tZldvx3UxeahMbo1
catUiEXpaeVC068N1
axlm4DdNg7oDuPl81
mIZVGJlfF3sM9H741
IP Addresses contacted by malware. Does not indicate maliciousnessOccurrences
209[.]25[.]140[.]1807
193[.]161[.]193[.]994
209[.]25[.]140[.]2234
209[.]25[.]140[.]2112
18[.]231[.]93[.]1532
54[.]94[.]248[.]372
18[.]229[.]146[.]632
172[.]67[.]34[.]1701
3[.]67[.]112[.]1021
18[.]228[.]115[.]601
18[.]158[.]58[.]2051
Domain Names contacted by malware. Does not indicate maliciousnessOccurrences
metal-msn[.]at[.]ply[.]gg6
ayman03-31268[.]portmap[.]io4
0[.]tcp[.]sa[.]ngrok[.]io2
pastebin[.]com1
5[.]tcp[.]eu[.]ngrok[.]io1
engine-perception[.]at[.]ply[.]gg1
battery-columbus[.]at[.]ply[.]gg1
members-path[.]at[.]ply[.]gg1
asked-dress[.]at[.]ply[.]gg1
insurance-chocolate[.]at[.]ply[.]gg1
works-threaded[.]at[.]ply[.]gg1
visit-tamil[.]at[.]ply[.]gg1
Files and or directories createdOccurrences

*See JSON for more IOCs

File Hashes
Coverage

Product: Protection
Secure Endpoint: [coverage icon]
Cloudlock: N/A
CWS: [coverage icon]
Email Security: [coverage icon]
Network Security: [coverage icon]
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [coverage icon]
Umbrella: [coverage icon]
WSA: [coverage icon]

Screenshots of Detection

Secure Endpoint: [screenshot]

Secure Malware Analytics: [screenshot]

MITRE ATT&CK: [screenshot]

Win.Ransomware.TeslaCrypt-10002553-0

Indicators of Compromise

  • IOCs collected from dynamic analysis of 16 samples
Registry Keys
Mutexes
IP Addresses contacted by malware. Does not indicate maliciousness
Domain Names contacted by malware. Does not indicate maliciousness
Files and or directories created

*See JSON for more IOCs

File Hashes
Coverage

Product: Protection
Secure Endpoint: [coverage icon]
Cloudlock: N/A
CWS: [coverage icon]
Email Security: [coverage icon]
Network Security: [coverage icon]
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: [coverage icon]
Umbrella: [coverage icon]
WSA: [coverage icon]

Screenshots of Detection

Secure Endpoint: [screenshot]

Secure Malware Analytics: [screenshot]

MITRE ATT&CK: [screenshot]

Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution

26 May 2023 at 19:00

Cisco Talos recently discovered a memory corruption vulnerability in the Mitsubishi MELSEC iQ-F FX5U programmable logic controller that is caused by a buffer overflow condition.

The iQ-F FX5U is one offering in Mitsubishi’s MELSEC PLC line of hardware that comes with a built-in processor, power supply, Ethernet and 16 I/O points. Users can configure this PLC to host multiple network services, such as an HTTP Server, FTP Server, FTP Client, MODBUS/TCP interface and other Mitsubishi-specific protocols.

A vulnerability, TALOS-2023-1727 (CVE-2023-1424), exists in the device’s MELSOFT Direct functionality that is triggered if an adversary sends the targeted device a specially crafted network packet.

This buffer overflow condition could lead to a denial-of-service condition within the RTOS task responsible for parsing the MELSOFT Direct protocol, and potentially give the adversary the ability to execute remote code on the targeted device.

Cisco Talos worked with Mitsubishi to ensure this vulnerability is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Mitsubishi Electric Corp. MELSEC iQ-F FX5U, versions 1.240 and 1.260. Talos tested and confirmed that these versions of the controller could be exploited by this vulnerability; however, Mitsubishi also stated in its advisory that versions 1.220 and later are affected.

The following Snort rules will detect exploitation attempts against this vulnerability: 61432 and 61433. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.

What is a web shell?

26 May 2023 at 12:00

Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends.

Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks.

In fact, not only were web shells the most observed threat overall, but they also appeared in almost a quarter of all incidents. That’s a marked increase from our previous trends report (usage grew from 6% to 25%).

You may be wondering, why is that? Or maybe, what are web shells? And why do attackers use them in their campaigns? Let’s break it down:

What are web shells?

A web shell is a tool that bad actors may use to interact with and maintain access to a system after an initial compromise. It takes the form of a web script (a piece of code) that is uploaded to a vulnerable system. Afterwards, it can be used to interact with the underlying operating system.

The complexity of modern systems, especially websites that include third-party software or libraries (which in turn make many outbound connections), means that the malicious scripts threat actors use for initial access are easily missed.

After that initial access, these malicious web scripts can be used for further exploitation or to carry out additional attacks.

How are web shells typically used in attacks?

Attackers will look for vulnerabilities within a system to find the best place (as far as they are concerned) to drop a web shell (or in many cases, multiple shells). Those vulnerabilities might be in a website content management system or an unpatched web server, for example.

The point of this is to establish a foothold to gain persistent access to a system. Imagine you’ve built a secret door that no one else knows about – you have the key, so you can return as often as you like.

Adversaries then have several options in front of them, depending on their ultimate motivation. We’ve seen them remotely execute arbitrary code or commands, as well as move laterally within the network, or deliver additional malicious payloads.

As noted in the Talos Q1 2023 Incident Response report, exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.

Notable example: China Chopper

China Chopper is a web shell that allows attackers to retain access to an infected system using a client-side application, which contains all the information required to control the target.

In 2019, due to its significant use over the previous two years (including in espionage campaigns), two Talos researchers took a closer look at the China Chopper web shell. They explored several case studies where China Chopper was used.

How can you detect web shells?

A web shell will often leave sticky fingerprints at the scene. An intrusion prevention system such as Snort can help detect if an attacker has used a tool like a web shell to gain remote access.

Cisco Secure Network Analytics can help uncover rogue connections, as can Cisco Umbrella by blocking malicious connections at the DNS level.

Organizations should deploy endpoint detection and response tools such as Cisco Secure Endpoint, which gives users the ability to track process invocation and inspect processes.

Prevention recommendations

The increase in web shell engagements highlights the need for more awareness and protections in helping to prevent web shells. Talos provides the following recommendations:

· Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.

· In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.

· Disable unnecessary PHP functions in your “php.ini”, such as eval(), exec(), popen(), proc_open() and passthru().

· Frequently audit and review logs from web servers for unusual or anomalous activity.
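The last recommendation, auditing web server logs, is the one most easily turned into code. The following is an added example, not Talos tooling: it runs three simple web-shell heuristics over constructed Apache combined-format log lines. The heuristics, the upload directory names and the sample traffic are all assumptions made for the example, not a Talos detection ruleset.

```python
"""Flag web-shell-like activity in web server access logs.

Added example, not Talos code. Heuristics (assumptions for this example):
  1. a script (.php/.jsp/.aspx ...) requested from a path meant for uploads
  2. a client that only ever POSTs to one script and never sends a Referer
  3. a script whose very first request was a POST without a Referer
      (nobody ever browsed to it; it was only ever "driven")
"""
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [26/May/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/May/2023:10:01:05 +0000] "GET /blog/post?id=3 HTTP/1.1" 200 7100 "http://example.test/index.php" "Mozilla/5.0"
198.51.100.9 - - [26/May/2023:10:02:11 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.28"
198.51.100.9 - - [26/May/2023:10:02:40 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 2048 "-" "python-requests/2.28"
198.51.100.9 - - [26/May/2023:10:03:01 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 96 "-" "python-requests/2.28"
203.0.113.7 - - [26/May/2023:10:04:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".aspx", ".asp")
UPLOAD_DIRS = ("/uploads/", "/media/", "/static/", "/images/")  # assumed upload paths


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def script_path(entry):
    """Request path without its query string."""
    return entry["path"].split("?", 1)[0]


def is_script(path):
    return path.lower().endswith(SCRIPT_EXT)


def find_webshell_candidates(log_text):
    """Return a sorted list of (path, reason) tuples for suspicious script paths."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = set()

    # Heuristic 1: executable scripts living where only uploaded content should be.
    for e in entries:
        p = script_path(e)
        if is_script(p) and any(p.startswith(d) for d in UPLOAD_DIRS):
            findings.add((p, "script in upload directory"))

    # Heuristic 2: per-client behaviour: POST-only, one single script, no Referer.
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        paths = {script_path(e) for e in evs}
        if (len(paths) == 1
                and all(e["method"] == "POST" and e["referer"] == "-" for e in evs)
                and is_script(next(iter(paths)))):
            findings.add((next(iter(paths)), f"POST-only client {ip} with no Referer"))

    # Heuristic 3: script whose first ever request (log order is chronological)
    # was a POST with no Referer, i.e. it was never reached by normal browsing.
    first_seen = {}
    for e in entries:
        first_seen.setdefault(script_path(e), (e["method"], e["referer"]))
    for p, (method, referer) in first_seen.items():
        if is_script(p) and method == "POST" and referer == "-":
            findings.add((p, "first request was a POST without a Referer"))

    return sorted(findings)


if __name__ == "__main__":
    for path, reason in find_webshell_candidates(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

The wp-login.php POST in the sample is deliberately there: it shares the "POST to a script" shape but carries a Referer, which is why the heuristics need more than a single signal.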

Read the full 2023 Q1 Talos Incident Response Quarterly Trends report.

Before yesterdayMain stream

Tool Release: Code Query (cq)

26 May 2023 at 15:14

Code Query is a new, open source universal code security scanning tool.

CQ scans code for security vulnerabilities and other items of interest to security-focussed code reviewers. It outputs text files containing references to issues found, into an output directory. These output files can then be reviewed, filtered by unix command line tools such as grep, or used as a means to ‘jump’ into the codebase at the specified file:line reference.

One popular mode of use is to consider the output files as a ‘todo’ list, deleting references as they are reviewed and either considered false positives, or copying the references into some report file to either review in detail or provide the basis for a bug report.

The tool is extremely basic, largely manual, and assumes deep knowledge of application security vulnerabilities and code review. It does, however, have the advantages of being relatively fast and reliable, and working even when only partial code is available.

CQ is intended to be used in a security code review context by human experts. It is not intended for use in automated scenarios, although it might be applied in that context.

The CQ project is located at: https://github.com/nccgroup/cq

CowCloud

25 May 2023 at 17:28

A common challenge technical teams (e.g. penetration testers) face is centralized deployment and pipelining execution of security tools. It is possible that at some point you have thought about customising several tools, buying their commercial licenses, and allowing a number of people to run the tools from AWS.

The problem is that this means you also have to deal with a bunch of tedious tasks like giving your team access to the EC2 instances, managing the IAM users, updating the OS to protect against privilege escalation, protecting tool licenses, powering the EC2 instances on and off as required.

Let’s imagine that we want to define a pipeline to execute continuously (e.g. a CI/CD pipeline). When given a range of IP addresses, it scans the UDP ports with Nmap, launches Nessus PRO to analyse the available ports for vulnerabilities, and also runs ScoutSuite to evaluate an AWS account. Let’s further imagine that we want all this traffic to originate from a specific pool of AWS IP addresses, that the pipeline tools should be executed in a distributed manner and, while we’re at it, that we offer the user a web interface that abstracts away all the infrastructure running underneath.

CowCloud is a serverless solution to distribute workloads in AWS that can execute these pipelines. To get started, spin up an EC2 instance, access it, install Nmap and Nessus, and register your Nessus Pro license. Then download the ec2py/template.py file from the CowCloud repository and customise it to run both tools against one target and save the output in the temporary folder `tmp_folder`.

Once you confirm that the template.py works, create a snapshot of the EC2 instance and save the AMI ID of the snapshot.

Next, clone the repository locally, open the Terraform/variables.tf file, and update the AMI variable with your AMI ID, and then simply follow the rest of the installation steps in the repository’s Readme.md.

At the end of the CowCloud deployment, access the URL shown in the Terraform output, log into the website, and queue a new task. The tasks will then be consumed by the ec2py tool, which runs on an EC2 instance using your AMI as the base image. The output/result/reports will be compressed, encrypted and uploaded to an S3 bucket so that the user can download the results of the Nmap and Nessus scans.

That’s all there is to it!

This solution is ideal for cases where you want to maintain an AMI with up-to-date commercial and open source tools and custom configurations for your pentests. With CowCloud, you can abstract users from the hurdles of maintaining and managing the infrastructure so that they only have to worry about the target. All they have to do is send a small amount of required information to the tools that run on the EC2 instances.

CowCloud can be used for a whole range of purposes – you may already have thought of some use cases yourself – but some of the more common ones are detailed below:

  • Baselining security testing. Use CowCloud to launch a series of tools that you consider a baseline every time you do an external pentest (or participate in a bug bounty), from a pool of EIPs from which the client expects to receive attacks.
  • Centralized tool access and management. Add API keys and commercial licenses to your AMI so you can provide your teams with the best and most relevant capability, while responsibly managing your licenses.
  • Distributed password cracking in AWS. Update the `instance_type` in the variables.tf file with one suitable for cracking passwords.

Check out the CowCloud tool here: https://github.com/nccgroup/cowcloud

EntropyReducer - Reduce Entropy And Obfuscate Your Payload With Serialized Linked Lists


EntropyReducer: Reduce The Entropy Of Your Payload And Obfuscate It With Serialized Linked Lists


How Does It Work

The EntropyReducer algorithm is determined by the BUFF_SIZE and NULL_BYTES values. The following shows how EntropyReducer would organize your payload if BUFF_SIZE were set to 4 and NULL_BYTES to 2.


Obfuscation Algorithm

  • EntropyReducer first checks whether the raw input payload's size is a multiple of BUFF_SIZE; if not, it pads the payload so that it is.
  • It then takes each BUFF_SIZE chunk of the payload and creates a linked list node for it using the InitializePayloadList function, turning the payload into a linked list.
  • Each created node also carries an empty buffer of NULL_BYTES bytes, which is what lowers the entropy.
  • At this point EntropyReducer has already lowered the entropy of the payload, but it doesn't stop there. It goes on to randomize the order of the nodes in the linked list, breaking up the raw payload's order. This step is done with a merge sort, implemented in the MergeSort function.
  • The sorted linked list ends up in a random order because the sort key is the XOR of the first three bytes of each node's raw payload chunk; that value determines the node's position in the re-organized list.
  • Since a linked list is held together by pointers, it cannot be written to a file as-is, so it must be serialized.
  • Serialization of the generated linked list is done by the Obfuscate function.
  • After that, the serialized data is ready to be written to the output file.

Deobfuscation Algorithm

  • Since the last step of the obfuscation algorithm was serializing the linked list, the first step here is to deserialize the obfuscated payload back into a linked list; this is done by the Deobfuscate function.
  • The next step is to sort the linked list by each node's Id, using the same merge sort as before.
  • The linked list is now in the right order to reconstruct the payload's bytes, so the original payload bytes are simply stripped out of each node.
  • The last step is to free the allocated nodes.

Usage

  • EntropyReducer simply reads the raw payload file given on the command line and writes the obfuscated version to the same file name prefixed with ".ER".
  • The size of the final obfuscated payload depends on the values of BUFF_SIZE and NULL_BYTES, and can be computed with the following equation:
FinalSize = ((OriginalSize + BUFF_SIZE - OriginalSize % BUFF_SIZE) / BUFF_SIZE) * (BUFF_SIZE + NULL_BYTES + sizeof(INT))
  • The PoC project in this repo executes the generated ".ER" file, as an example of deserializing and deobfuscating it.

Include In Your Projects

All you have to do is add EntropyReducer.c and EntropyReducer.h files to your project, and call the Deobfuscate function. You can check PoC/main.c for reference.


Output Example

In this example, BUFF_SIZE was set to 3, and NULL_BYTES to 1.

  • The raw payload, first payload chunk (FC 48 83)

  • The same payload chunk, but at a different offset


Profit

  • The same file, AES encrypted, scores an entropy of 7.110.

  • Nearly the same result with the RC4 algorithm as well: 7.210.

  • Using EntropyReducer, however, the entropy is even lower than that of the original raw payload: 4.093.
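The FinalSize equation in the Usage section and the entropy figures above can be checked together. The following is an added example, not EntropyReducer's own code: it evaluates the equation as written, lays a constructed high-entropy buffer out as BUFF_SIZE-byte chunks followed by NULL_BYTES zero bytes and a node id (in original order, with none of the tool's shuffling or serialization), and measures Shannon entropy before and after. It assumes sizeof(INT) is 4 bytes and uses a SHA-256 hash chain as the stand-in for an encrypted payload.

```python
"""Measure what EntropyReducer's chunk/NULL_BYTES/id layout does to Shannon entropy.

Added example, not EntropyReducer's own code. Only the size equation and the
static layout are reproduced here, for measurement; the linked-list shuffling
and serialization of the real tool are deliberately not implemented.
"""
import hashlib
import math
from collections import Counter

SIZEOF_INT = 4  # assumption: sizeof(INT) on the tool's target toolchain


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, approaching 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def final_size(original_size: int, buff_size: int, null_bytes: int) -> int:
    """The README's FinalSize equation, evaluated exactly as written.

    Note the quirk: OriginalSize + BUFF_SIZE - OriginalSize % BUFF_SIZE always adds
    a whole padding chunk, even when OriginalSize is already a multiple of BUFF_SIZE.
    """
    chunks = (original_size + buff_size - original_size % buff_size) // buff_size
    return chunks * (buff_size + null_bytes + SIZEOF_INT)


def reduced_layout(payload: bytes, buff_size: int, null_bytes: int) -> bytes:
    """Chunk + NULL_BYTES zeros + 4-byte id, in original order (no shuffling)."""
    pad = buff_size - len(payload) % buff_size  # always pads, matching the equation
    payload = payload + b"\x00" * pad
    out = bytearray()
    for node_id, off in enumerate(range(0, len(payload), buff_size)):
        out += payload[off:off + buff_size]
        out += b"\x00" * null_bytes
        out += node_id.to_bytes(SIZEOF_INT, "little")
    return bytes(out)


def constructed_payload(n_blocks: int = 128) -> bytes:
    """Deterministic high-entropy sample (SHA-256 chain), 32 * n_blocks bytes."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n_blocks))


def entropy_before_after(buff_size: int = 3, null_bytes: int = 1):
    """Return (entropy of raw sample, entropy after layout, size after layout)."""
    raw = constructed_payload()
    laid_out = reduced_layout(raw, buff_size, null_bytes)
    return shannon_entropy(raw), shannon_entropy(laid_out), len(laid_out)


if __name__ == "__main__":
    before, after, size = entropy_before_after()
    print(f"raw: {before:.3f} bits/byte; after layout: {after:.3f} bits/byte; {size} bytes")
```

The drop comes entirely from the zero bytes the layout inserts (NULL_BYTES plus the high-order bytes of small ids), which is why a scanner's fixed entropy threshold is a weak signal on its own.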


The Merge Sort Algorithm Is Taken From c-linked-list.



From Security Muggle to Red Team Specialist: Vtim

25 May 2023 at 16:00

"When you hear 'hacker', who comes to mind? Neo from The Matrix, V from V for Vendetta, Xiao Lu from Lookism, or Orange?" red team specialist Vtim asks with a laugh.

Vtim, currently a red team specialist at DEVCORE, is 27 years old. He has led multiple red team engagements and has dozens of red team exercises under his belt, along with extensive experience in security competitions and international corporate bug bounty programs. He also holds the OSCP and OSWE certifications and has professional web testing and internal network penetration skills. "My other identities are bug bounty hunter and amateur CTF player!" Vtim says.

An Unexpected CTF Result Leads to a Career in Security

During his first two years of university, Vtim was far more active outside the classroom than in it.

"A lot of people seem to think hackers just tap on a keyboard and they're in? But there's actually so much to learn to become a hacker!" Vtim says, showing a densely packed chart of security certifications with the tiny caption "356 certifications" at the top. Vtim studied in the Department of Computer Science and Information Engineering at National Cheng Kung University, and admits that in his first two years he basically skipped classes and slacked off, busy running events and playing video games. Only in his third year did he begin to work hard and improve every day, solving algorithm problems whenever he had nothing else to do. One day in the summer before his fourth year, a roommate casually asked whether he wanted to join the "AIS3 Summer Security Course" together. He agreed without much thought, and only then learned that he had to take the "CTF (Capture the Flag) pre-exam" before registering. Until then he had no idea what "XSS" or "SQL Injection" meant, yet he unexpectedly placed fourth, and that sparked his interest in security.

In the second semester of his fourth year, Vtim threw himself into online security courses, teaching himself the principles of system intrusion and various attack techniques. Meanwhile his roommates were hooked on League of Legends, and to get rid of the annoying background noise, Vtim tried cutting off their network connection the hacker way. "They just got louder... wailing the whole time!" he laughs. He also started playing various online CTF competitions on his own. Unusually, rather than joining a team to rack up more points like everyone else, he explored alone and studied other people's solutions.

The wireless card Vtim used when he learned to cut off his roommates' network in his fourth year.

Bug Bounties, Vulnerability Competitions and Hands-on Certifications

After graduating, Vtim entered the Information Security Lab of the Department of Information Management at National Taiwan University of Science and Technology, advised by Professor 吳宗成 (Tzong-Chen Wu). During his master's studies, Vtim was selected for two consecutive cohorts of the Ministry of Education's "Cybersecurity Talent Cultivation Program, Security Practice Mentorship, 臺灣好厲駭" program. His mentors were DEVCORE's CEO and co-founder Allen and principal security researcher Orange (whom Vtim and many others regard as a "legendary penetration tester"), and during this time he also got to know many top hackers. He also began to work on boot2root-style machine challenges, expanding beyond CTF-style problems.

At the same time, Vtim interned at a security company, mainly running penetration tests. Only after this internship did he clearly feel the difference between real corporate environments and online competitions: unlike a practice machine, a company does not necessarily have a hole, and the system you are assigned to test may be unfamiliar. Turning test findings into a report a company can understand was also a skill he had rarely had a chance to learn while self-studying.

To prove the value of what he had learned, Vtim began participating in bug bounty programs and successfully found a vulnerability in LINE, earning his first bug bounty of USD 1,000. He teamed up with friends for a vulnerability discovery competition and won. On his first attempt at the hands-on OSCP (Offensive Security Certified Professional) certification, he passed. Vtim adds that candidates have 24 hours to compromise five machines and then another 24 hours to write a penetration test report, making it a certification that tests both stamina and skill.

Vtim passed the hands-on OSCP certification on his first attempt.

Colleagues So Strong He Questioned Himself: Learning Experts' Thinking on the Front Line

Because "all his skill points went into offense", Vtim looked for offensive testing work after finishing his master's degree. After weighing the options, he sent his resume to DEVCORE only. "When I was playing CTFs I really admired Orange and Angelboy, and I found they were both at DEVCORE, so I figured this company must have the best hacking talent in Taiwan, and I hoped joining would strengthen my own skills!" he recalls.

After passing the rounds of interviews, Vtim joined DEVCORE as a red team specialist. "At first it was honestly quite frustrating, because I lacked the knowledge needed for post-exploitation, and I didn't have enough experience." Vtim says what he had learned was simply compromising a host; what to do after that, such as bypassing antivirus and EDR, lateral movement and internal network penetration, were techniques rarely covered in practice-machine challenges. His technically formidable colleagues also made him question his own abilities.

But Vtim did not give up in the face of frustration. On the contrary, driven by his passion for the craft, he kept learning from the thinking of the experts and kept growing stronger. "When I run into difficulties, I imagine what these people would do, and use that to adjust my mindset and approach, so that I'm not directionless or panicked when facing a problem," he says sincerely. DEVCORE's senior colleagues are also very willing to share, which helped him gradually find ways to solve problems, and the stimulation of so many experts pushed him to keep improving.

Vtim (back row, second from left) with colleagues at an escape room during DEVCORE's recharge week, training their problem-solving skills.

Red Teaming Is Expensive, and Hackers Target the Network Perimeter

"Red team exercises" are still unfamiliar to many. Vtim explains that red teaming is one kind of vulnerability assessment service. Such services can be divided into vulnerability scanning, penetration testing and red teaming; among them, red teaming has the broadest scope and comes closest to real-world attacker techniques, and it can uncover operational shortcomings and evaluate the overall security defense mechanisms. Red teaming therefore demands more skilled staff and more resources, and is the most expensive of the three.

In one sentence, a red team exercise is a company commissioning a professional red team to simulate an intrusion into the company by every available means, including combined attack techniques, and to achieve company-specified objectives within a time limit, such as gaining control of a particular computer or obtaining confidential data from the core internal network. He stresses that many companies focus their defenses on core websites and systems; for an attacker, if the cost of attacking these well-defended areas is too high, they will shift their targets to the company's less-protected systems at the network perimeter.

How do attackers go from finding perimeter systems to breaking in? He explains that red team work can be divided into two phases: obtaining an external entry point and internal penetration. In the first phase, attackers try all manner of techniques to get into the corporate internal network, for example breaching weakly defended perimeter hosts, or searching online source code hosting services such as GitHub for leaked corporate code or sensitive information to exploit. They may also attempt social engineering, sending phishing e-mails carrying backdoor implants, or even physically going near the target company to capture and crack WiFi traffic. Once inside the internal network, the second phase of internal penetration begins, moving laterally step by step from the perimeter until finally reaching the core network segment, gaining control of core systems or obtaining confidential data, and achieving the mission objective.

Racing Against New Knowledge and Deadlines: Passion and Problem-solving Matter

Asked about the challenges of the role, Vtim thinks seriously for a moment and says that as a red teamer you constantly race against new technology; new knowledge and architectures change daily, and the only option is to keep learning and breaking through. Every project is also an attempt to push his own limits: often the deadline looms and no entry point can be found, only for a way through to appear at the last moment, which requires withstanding a certain amount of psychological pressure.

He believes that red team specialists must understand not only attacks but also how to give clients professional defensive advice, which requires the ability to see the whole picture. "For clients, the attack isn't really the point; what they want to know is how to mitigate the risk once the problem is found," Vtim says.

After work, Vtim plays bass in a band formed with colleagues.

Looking ahead, Vtim hopes to become an all-round white-hat hacker. "The attack process involves many different environments, and different attack phases require skills from different fields. I want to master every aspect and solve every problem on my own, reaching the state of 'striking wherever I point, attacking freely'," he says with anticipation.

Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight

During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule. Part of Pwn2Own competitions involves a random drawing for order. Not only does the team selected first get the full award if they are successful, but the subsequent entries are also more likely to have bug collisions. That means if three teams show up with the same exploit, only the first one randomly selected will get full credit. That’s not exactly what happened during the event, but some bug collisions did occur. In fact, there were four unique bugs used by the three different teams. Let’s take a look at the vulnerabilities used during the contest and see which team used which bug.

CVE-2023-27354 – The Unique libsmb2 Info Leak

With three different teams targeting the Sonos speaker, it’s obviously a huge advantage to go first. The team from Qrious Secure was randomly selected to go first, and they successfully exploited the speaker using a two-bug chain. The first bug used was this info leak, and they ended up being the only team to use this particular bug during the contest.

On the speaker, there exists a daemon named anacapad that handles all Sonos-specific functions, including accessing music services, LED control, and audio playback. The vulnerability exists in the way anacapad handles SMBv2 replies from a server, specifically in the smb2_process_query_directory_fixed() function that processes query directory reply data. It does this by allocating an smb2_query_directory_reply struct and storing the result in the Protocol Data Unit (PDU) pdu->payload field. The function then extracts the output buffer offset and length from the query directory reply from the server:

The speaker then checks that the output buffer does not overlap with the query directory reply header. The offset here will later be used to calculate the IOV_OFFSET:

This will also be used at:

The output_buffer here will later be used to decode file information from that directory PDU response from the server via smb2_decode_fileidfulldirectoryinformation. However, it never checks whether the offset lies within the length of the PDU packet. This can be leveraged to perform an information leak by acting as an SMB server and sending a malformed PDU query directory response with a large offset. The client will decode the file information from an out-of-bounds (OOB) memory region and send that information back to the malicious SMB server as part of a filename. By manipulating the offset, the SMB server can determine libc and heap addresses on the client, which are useful for the next step of the exploit chain.
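The missing check is easy to state precisely. The following is an added example, not libsmb2 code: a small parser for the fixed part of an SMB2 QUERY_DIRECTORY response (StructureSize, OutputBufferOffset, OutputBufferLength, offsets relative to the start of the 64-byte SMB2 header, as in the protocol) that refuses any reply whose output buffer does not lie entirely inside the bytes actually received. The PDU builder, the sample entry bytes and the helper names are constructed for the example.

```python
"""Bounds-check an SMB2 QUERY_DIRECTORY reply before decoding its file entries.

Added example, not libsmb2 code. It models the validation the article says
the client lacked: the server-supplied output buffer offset and length must
describe a region inside the received PDU, not merely beyond the reply header.
"""
import struct
from typing import Optional

SMB2_HEADER_SIZE = 64
REPLY_FIXED_SIZE = 8                  # StructureSize(2) + OutputBufferOffset(2) + OutputBufferLength(4)
QUERY_DIRECTORY_STRUCTURE_SIZE = 9    # protocol value: fixed part plus one variable buffer byte


class MalformedReply(ValueError):
    """Raised instead of reading outside the PDU."""


def build_reply(entries: bytes, output_offset: Optional[int] = None,
                output_length: Optional[int] = None) -> bytes:
    """Construct a PDU: 64-byte header (only ProtocolId filled in) + fixed part + buffer.

    With no overrides the offset/length are honest; pass other values to construct
    a malformed reply for testing the check.
    """
    header = b"\xfeSMB" + b"\x00" * (SMB2_HEADER_SIZE - 4)
    off = SMB2_HEADER_SIZE + REPLY_FIXED_SIZE if output_offset is None else output_offset
    length = len(entries) if output_length is None else output_length
    fixed = struct.pack("<HHI", QUERY_DIRECTORY_STRUCTURE_SIZE, off, length)
    return header + fixed + entries


def extract_output_buffer(pdu: bytes) -> bytes:
    """Return the directory-entry bytes, or raise MalformedReply."""
    if len(pdu) < SMB2_HEADER_SIZE + REPLY_FIXED_SIZE:
        raise MalformedReply("PDU shorter than header plus fixed reply part")
    struct_size, off, length = struct.unpack_from("<HHI", pdu, SMB2_HEADER_SIZE)
    if struct_size != QUERY_DIRECTORY_STRUCTURE_SIZE:
        raise MalformedReply(f"unexpected StructureSize {struct_size}")
    # The check the article says was present: buffer must not overlap the reply header.
    if off < SMB2_HEADER_SIZE + REPLY_FIXED_SIZE:
        raise MalformedReply("output buffer overlaps the reply header")
    # The check the article says was missing: buffer must end inside the received PDU.
    if off + length > len(pdu):
        raise MalformedReply(f"output buffer [{off}, {off + length}) exceeds PDU length {len(pdu)}")
    return pdu[off:off + length]


def is_well_formed(pdu: bytes) -> bool:
    """Convenience wrapper: True if extract_output_buffer accepts the PDU."""
    try:
        extract_output_buffer(pdu)
        return True
    except MalformedReply:
        return False


# Constructed sample: stand-in entry bytes, not a real directory listing.
SAMPLE_ENTRIES = b"FILE_ID_FULL_DIR_INFO_entry_bytes"

if __name__ == "__main__":
    print(extract_output_buffer(build_reply(SAMPLE_ENTRIES)))
    print(is_well_formed(build_reply(SAMPLE_ENTRIES, output_offset=0x4000)))  # False
```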

CVE-2023-27353 – The Other Infoleak

The libsmb2 bug wasn’t the only infoleak we saw during the contest. Two of the teams used CVE-2023-27533/ZDI-23-448 to kick off their exploit. This vulnerability resides in the /msprox endpoint, which serves as a proxy for Sonos Speaker array communication. It forwards the user-supplied SOAP request to other registered speakers. When a user sends a request to this endpoint, the request is handled by function sub_15DFA0(), which in turn calls sub_1C86C0(). The following code snippet is from sub_1C86C0 in the anacapad binary, corresponding to assembly code from address 0x1C876C:

The code fails to check the return value of snprintf() at [1], and later uses this value as the size of an outgoing HTTP header buffer at [2]. The team from STAR Labs used this bug by sending a crafted request that provides overly long parameters to the snprintf() function at [1]. In this way, the return value from snprintf() (request_len) exceeds the size of the request buffer, which is 0x1000 bytes. At [2], it calls ana_server_send_request() to send the contents of the request buffer, using request_len as the length. STAR Labs used this out-of-bounds read (OOBR) vulnerability to leak the address of the .text segment.

The DEVCORE Team took a slightly different route to achieve the same effect. Their exploit relied on acting like a rogue Sonos Speaker adjacent on the network to the target. This allowed them to reach the following code, which contains an out-of-bounds read vulnerability analogous to the one discussed above. The result is leakage of stack data right after the request_body buffer.

From address location 0x1C889C:

While they took different approaches, both teams arrived at the same vulnerable code and leaked the data needed to continue their exploit.

CVE-2023-27352 – Remote Code Execution Through libsmb2

Now that we have our info leaks established, let’s take a look at how two teams leveraged that information for code execution. Both the Qrious Secure and STAR Labs teams leveraged a use-after-free (UAF) bug in the libsmb2 library. Again, since Qrious Secure was randomly chosen to go first, they won the full $60,000 while the bug collision resulted in STAR Labs earning $22,500.

Sonos provides SMB functionality by incorporating the open-source libsmb2 library with a few modifications. It runs within the anacapad daemon and can be reached by unauthenticated users to play music via the smb2 shared directory.

smb2_closedir is implemented as below in libsmb2:

And smb2_lazy_readdir is implemented as follows:

The main function handling data returned from an SMB server is as follows:

The control flow proceeds as follows:

(1) smb2_lazy_readdir -> smb2_fetchfiles_async -> smb2_cmd_query_directory_async -> create pdu (PDU) with internal message_id (MID) -> add to wait_queue (3)

When the client receives data from a server (4), it will decode the header (5) and find the PDU via its message_id (6). The interesting thing is that smb2_fetchfiles_async() function adds the PDU to wait_queue, which then holds a callback to fetchfiles_cb() at (7). This callback keeps the dir structure within its private data (8). Before it finishes, it invokes dir->cb callback at (9).

Back to (6), in a normal scenario, the SMB server will return the data with the valid message_id as MID, and the callback will be triggered before dir is freed in close_dir at (2). However, if the server sends an invalid message_id (different from MID), the PDU will not be found and will still be alive in wait_queue. Should this occur, the PDU will keep holding on to the dir struct pointer. When (2) finishes, the dir pointer will be freed, and the PDU will be left holding a dangling pointer.

The next time the client tries to read data from the server, if we reply with a previously valid message_id of MID, the client will decode the data and find the corresponding PDU via that MID. This time the PDU’s callback fetchfiles_cb will be called, and at (4) it will access the dangling pointer. By reallocating the freed dir structure before fetchfiles_cb is called, we can control the value cb and thereby gain control of $PC by pointing cb to maliciously crafted data.

Combined with the memory address leak from CVE-2023-27354, this vulnerability can be used to achieve remote code execution.

The STAR Labs team took a different approach to hit the same vulnerability. As stated above, the speaker allows us to play media files remotely using SMB using libsmb2. One of the added functions to this library is smb2_lazy_readdir(). Here is how they triggered the bug.

  • smb2_opendir() is called, which returns an smbdir (smb2dir structure).
  • smbdir is later passed into smb2_lazy_readdir() together with a custom callback function.

smb2_cmd_query_directory_async() receives a callback function with the following prototype and any user-defined structure (in this case smb2dir):

This function will then insert a pdu (smb2_pdu) into a request queue waiting to be handled. After a reply is received, the callback will be invoked with the received data. The Sonos device passes the smbdir structure as cb_data, then populates it inside the callback. This code snippet is in sub_109C0() function of the libsmb2.so.1 binary, corresponding to assembly code from address 0x10A04:

If wait_for_reply fails, meaning smb2_cmd_query_directory_async did not receive any valid response for its pdu, smb2_closedir is invoked to free the smbdir object. Then the smb2_disconnect_share function is called. However, during this process, a dangling pointer to smbdir is left in the request queue.

In smb2_disconnect_share, it calls wait_for_reply->smb2_service->smb2_service_fd->smb2_read_from_socket->smb2_read_data. In smb2_read_data, it uses smb2_find_pdu to retrieve the pdu based on the message_id of the response packet, which is controllable by the attacker. If our response specifies the message_id of the Query Directory pdu, smb2_find_pdu will return the smb2_cmd_query_directory_async’s pdu. Finally, when pdu->cb is invoked from z_query_directory_cb_109C0, the dangling pointer leads to $PC control.

Reclaiming the freed smb2dir object is accomplished by appending extra data onto the response packet from the server. The client will allocate a buffer to store this extra padding data.

The exploit uses a modified version of impacket to implement a malicious SMB server.

The exploit proceeds as follows.

  1. Send a command to the target device to add a new SMB share.
  2. Using a modified smb2QueryDirectory() function in the exploit’s impacket SMB server, return a malformed response to the client’s smb2_cmd_query_directory request, producing a dangling pointer.
  3. When the client calls the smb2_disconnect_share function, it sends a tree disconnect request to the server. Using a modified smb2TreeDisconnect function in the impacket SMB server, the exploit returns a Query Directory response with the message_id from step 2. Additionally, the exploit appends data to this response to reclaim the smb2dir object in the client.
  4. The exploit gains control of $PC via the overwritten smb2dir->cb pointer and uses ROP to get a shell.
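The dangling-PDU sequence above, as a C model added here (not libsmb2, Sonos or exploit code; all names are hypothetical stand-ins): a queued request keeps a raw pointer to the directory object, so a close that does not cancel pending requests leaves the queue pointing at freed memory, while the hardened close walks the queue first. The model stops where the late reply is matched to the stale PDU instead of calling through the freed pointer.

```c
#include <stdint.h>
#include <stdlib.h>

typedef void (*dir_cb_t)(void *dir, int entries);

struct dir_model {                 /* stand-in for smb2dir */
    dir_cb_t cb;                   /* the pointer step (4) dereferences */
    int entries;
};

struct pdu_model {                 /* stand-in for an smb2_pdu in the wait queue */
    uint64_t message_id;
    void *cb_data;                 /* raw pointer to the dir object, not owned */
    struct pdu_model *next;
};

struct ctx_model { struct pdu_model *waitqueue; };

static void on_entries(void *dir, int entries) {
    ((struct dir_model *)dir)->entries += entries;
}

static void queue_pdu(struct ctx_model *c, uint64_t mid, struct dir_model *d) {
    struct pdu_model *p = calloc(1, sizeof *p);
    p->message_id = mid;
    p->cb_data = d;
    p->next = c->waitqueue;
    c->waitqueue = p;
}

/* Unlink and return the PDU with this message id, or NULL (cf. smb2_find_pdu). */
static struct pdu_model *find_pdu(struct ctx_model *c, uint64_t mid) {
    for (struct pdu_model **pp = &c->waitqueue; *pp; pp = &(*pp)->next) {
        if ((*pp)->message_id == mid) {
            struct pdu_model *p = *pp;
            *pp = p->next;
            return p;
        }
    }
    return NULL;
}

/* A server reply arrives: route it to the matching PDU's callback, else drop it. */
static int deliver(struct ctx_model *c, uint64_t mid, int entries) {
    struct pdu_model *p = find_pdu(c, mid);
    if (!p) return 0;
    struct dir_model *d = p->cb_data;
    d->cb(d, entries);             /* step (4): dereferences dir->cb */
    free(p);
    return 1;
}

/* Vulnerable pattern: free the dir and leave any pending PDU in the queue. */
static void closedir_vulnerable(struct ctx_model *c, struct dir_model *d) { (void)c; free(d); }

/* Hardened pattern: cancel every PDU still referencing this dir before freeing it. */
static int closedir_hardened(struct ctx_model *c, struct dir_model *d) {
    int cancelled = 0;
    struct pdu_model **pp = &c->waitqueue;
    while (*pp) {
        struct pdu_model *p = *pp;
        if (p->cb_data != d) { pp = &p->next; continue; }
        *pp = p->next;
        free(p);
        cancelled++;
    }
    free(d);
    return cancelled;
}

/* Count queued PDUs whose cb_data equals addr, compared as integers so that a
 * freed pointer is never dereferenced. */
static int refs_to(const struct ctx_model *c, uintptr_t addr) {
    int n = 0;
    for (const struct pdu_model *p = c->waitqueue; p; p = p->next)
        if ((uintptr_t)p->cb_data == addr) n++;
    return n;
}

/* Replays the write-up's sequence (request MID, reply with a different id, close
 * the dir, late reply with MID).  Returns the number of queued PDUs still pointing
 * at the freed dir; *late_matched reports whether the late reply is still routed
 * to that PDU, where the real client would call through freed memory. */
int run_scenario(int hardened, int *late_matched) {
    struct ctx_model c = {0};
    struct dir_model *d = calloc(1, sizeof *d);
    const uint64_t MID = 7;
    d->cb = on_entries;
    queue_pdu(&c, MID, d);
    deliver(&c, MID + 1, 3);       /* wrong message_id: the PDU stays queued */
    uintptr_t dir_addr = (uintptr_t)d;
    if (hardened) closedir_hardened(&c, d); else closedir_vulnerable(&c, d);
    int stale = refs_to(&c, dir_addr);
    struct pdu_model *late = find_pdu(&c, MID);
    *late_matched = (late != NULL);
    free(late);
    return stale;
}
int stale_refs(int hardened) { int m; return run_scenario(hardened, &m); }
int late_reply_matched(int hardened) { int m; run_scenario(hardened, &m); return m; }
```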

CVE-2023-27355 – Remote Code Execution via the MPEG-TS Parser

This remote code execution bug was used only by the DEVCORE team. Due to the random draw, this was the third attempt on the Sonos, which left them at a disadvantage as they were more likely to run into a bug collision. They did collide regarding their info leak, which we have already discussed above. However, the remote code execution portion of their exploit chain was unique and earned its own CVE.

While parsing a .ts audio file, the Sonos speaker does not check the length of the Adaptation field, which leads to a stack buffer overflow. The bug results from the ability to specify an arbitrary value to the afelen field. The speaker will then read the specified number of bytes into the payload buffer, smashing the stack.

From address: 0x406604
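The bounds check the write-up describes as missing, as an added C example (not Sonos code): the parser validates adaptation_field_length against the 188-byte packet before copying anything into its fixed payload buffer. Packet layout follows the MPEG-TS standard; the sample packets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TS_PACKET_SIZE 188
#define TS_HEADER_SIZE 4
#define TS_MAX_PAYLOAD (TS_PACKET_SIZE - TS_HEADER_SIZE)   /* 184 bytes */

enum ts_status {
    TS_OK = 0,
    TS_ADAPTATION_ONLY = 1,   /* valid packet carrying no payload */
    TS_BAD_SYNC = -1,
    TS_BAD_AFC = -2,          /* reserved adaptation_field_control value */
    TS_BAD_AFLEN = -3         /* adaptation field does not fit in the packet */
};

struct ts_packet {
    uint16_t pid;
    uint8_t afc;                       /* adaptation_field_control (2 bits) */
    uint8_t aflen;                     /* adaptation_field_length as sent; attacker-controlled */
    uint8_t payload[TS_MAX_PAYLOAD];   /* fixed-size buffer an unchecked copy would overrun */
    size_t payload_len;
};

/* Parse one 188-byte packet into *out.  The payload is copied only after the
 * adaptation field length has been checked against the packet bounds. */
int ts_parse_packet(const uint8_t *pkt, struct ts_packet *out) {
    out->payload_len = 0;
    out->aflen = 0;
    if (pkt[0] != 0x47) return TS_BAD_SYNC;
    out->pid = (uint16_t)(((pkt[1] & 0x1f) << 8) | pkt[2]);
    out->afc = (pkt[3] >> 4) & 0x3;
    if (out->afc == 0) return TS_BAD_AFC;
    size_t pos = TS_HEADER_SIZE;
    if (out->afc & 0x2) {                      /* adaptation field present */
        out->aflen = pkt[pos++];
        /* The missing check: the field must fit inside the packet. */
        if (pos + out->aflen > TS_PACKET_SIZE) return TS_BAD_AFLEN;
        /* With no payload (afc == 2) the field must fill the rest exactly. */
        if (out->afc == 0x2 && pos + out->aflen != TS_PACKET_SIZE) return TS_BAD_AFLEN;
        pos += out->aflen;
    }
    if (!(out->afc & 0x1)) return TS_ADAPTATION_ONLY;
    out->payload_len = TS_PACKET_SIZE - pos;       /* 0..184, never past the buffer */
    memcpy(out->payload, pkt + pos, out->payload_len);
    return TS_OK;
}

/* Constructed sample packet (not captured from a device): PID 0x11, given afc/aflen. */
static void build_packet(uint8_t *pkt, uint8_t afc, uint8_t aflen) {
    memset(pkt, 0xff, TS_PACKET_SIZE);
    pkt[0] = 0x47;
    pkt[1] = 0x00;
    pkt[2] = 0x11;
    pkt[3] = (uint8_t)(afc << 4);   /* not scrambled, continuity counter 0 */
    if (afc & 0x2) pkt[4] = aflen;
}

/* Parser status for a constructed packet with the given afc/aflen. */
int ts_check(uint8_t afc, uint8_t aflen) {
    uint8_t pkt[TS_PACKET_SIZE];
    struct ts_packet p;
    build_packet(pkt, afc, aflen);
    return ts_parse_packet(pkt, &p);
}

/* Payload length the parser accepts for the given afc/aflen, or -1 if rejected. */
long ts_payload_len(uint8_t afc, uint8_t aflen) {
    uint8_t pkt[TS_PACKET_SIZE];
    struct ts_packet p;
    build_packet(pkt, afc, aflen);
    if (ts_parse_packet(pkt, &p) < 0) return -1;
    return (long)p.payload_len;
}
```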

Since Sonos enables exploit mitigations, the attacker needs to leak some information first. During the contest, the DEVCORE entry first leaked the stack canary, stack address and program base address using the previously described CVE-2023-27353. Once they obtained those values, exploitation is straightforward. They used the MPEG-TS parser vulnerability to overwrite the return address and jump to the exec() wrapper.

As the #x19 and #x22 registers are also controllable by the exploit, the attacker can set these registers to a controllable stack buffer and execute arbitrary commands.

The end result was a successful demonstration during the contest, but due to the collision of CVE-2023-27353, the DEVCORE team didn’t win the full amount. Still, they earned $22,500 for being the third team to exploit the Sonos speaker during the event.

Wrapping Things Up 

It’s always interesting to see different teams reach similar conclusions when targeting a piece of software. It’s equally as interesting when they take completely different paths but still end up with the same result. In this example, we had three different teams use a various combination of three different bugs to get code execution on a Sonos speaker. In the end, we awarded these teams a total of $105,000 for their efforts. Situations like this also highlight how bug collisions can encourage more thorough and innovative research to avoid duplicate entries in the future. All three of these teams had participated in Pwn2Own before, and we certainly hope they return for future events.

Now that many of the bugs disclosed during Pwn2Own Toronto are patched, we’ll continue to disclose some of those details on this blog. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.

It’s apparently hip to still be using Windows 7

25 May 2023 at 18:00

Welcome to this week’s edition of the Threat Source newsletter.

As a longtime macOS user, I must admit I’m behind the times when it comes to Microsoft Windows. Since buying a Steam Deck, I’ve actually come to learn more about Linux and the Proton compatibility layer than I ever did about Windows.

But it still came as a shock to me this week when I uncovered a weird trend on social media: People bragging about still using Windows 7.

Microsoft stopped putting out free security updates for Windows 7 in January 2020 and only more recently stopped offering its paid Extended Security Updates (ESU). The company explicitly told users at the beginning of this year that it was unsafe to continue using Windows 7 and that users should upgrade to Windows 10 or use a new machine that can run Windows 11.

Yet I still found an entire subreddit dedicated to keeping Windows 7 up and running on computers and countless posts promoting how well the 13-year-old operating system runs with modern GPUs and graphics cards.

Steam, the most popular video game storefront on PCs, only recently announced that it was ending support for Windows 7 and 8, and even then, it won’t be official until January. And Roblox, which is quietly one of the biggest video games in the world, only recently ended support for Windows 7 and 8.

I’m sure there are other examples of this among other types of software, but video games are the most specific corner of the internet I’m in, so that’s my frame of reference.

The moral of the story here is that using Windows 7 to do anything, but especially connecting to the internet (which is required to download and play video games) is a terrible idea. Attackers are always targeting outdated operating systems because they’re the most likely to be unpatched and vulnerable.

Running an operating system that is no longer receiving any type of security updates is extremely dangerous. If infected, that single machine could also be used as a springboard for the attacker to target and infect other machines on your network.

Since the start of this year, there have been 47 vulnerabilities discovered in Windows 7, according to the U.S.’s National Institute of Standards and Technology Vulnerability Database. There are even more security issues with third-party software running on Windows 7.

Just because something is old, doesn’t mean that attackers aren’t paying attention anymore. Without official support or security updates for Windows 7, Microsoft is no longer compelled to disclose formal vulnerabilities with CVEs attached to inform users about any security holes in the operating system.

Upgrading a PC or buying a new one is expensive, I get it. But Windows 7 isn’t a novelty anymore, it’s a security risk. If you feel like you absolutely have to keep Windows 7 running on a machine for some reason, make sure it is isolated from your network or just doesn’t connect to the internet at all.

But more preferably, upgrade to Windows 10. If you’re already using Windows 7, it’s free, and likely whatever hardware you’re using can support Windows 10. If you’re starting from scratch, many online stores have deeply discounted product keys for Windows 10 or 11 for $20 or less — just make sure to download the ISO directly from Microsoft still.

The one big thing

Montana recently became the first state in the U.S. to ban the app TikTok, though the law still has a long way to go before it can be enforced. The state’s governor signed a bill last week that prohibits mobile application stores from offering the app in the state by the start of 2024, or else they’ll face fines. However, it’s currently unclear if it’s even feasible for Montana to enforce this ban, as app stores don’t geofence certain applications on their stores, and internet service providers are exempt from having to enforce these rules. TikTok has recently become a target for Republican lawmakers over concerns that its Chinese-backed parent company is collecting and using Americans’ data. TikTok and popular TikTok creators in Montana have already sued the state to stop the law.

Why do I care?

Even if you are not an active TikTok user, the ban is noteworthy because it has major implications for American law and the enforcement of the First Amendment in the U.S. Opponents of Montana’s bill say it's a clear violation of the First Amendment. The various legal challenges are likely going to move through the legal system for months, but any eventual decisions could influence how states view banning certain technology or even books and movies.

So now what?

There are many questions still unanswered about how this ban will work or whether it will stand. So for now, interested parties can’t do much but sit back and wait for the legal proceedings to play out.

Top security headlines of the week

Apple released a security update for many of its devices last week that fixed three zero-day vulnerabilities in the WebKit browser engine. A few days after the patches initially dropped, security researchers also discovered the updates addressed a different vulnerability known as “ColdInvite” (CVE-2023-27930). An attacker could exploit ColdInvite to attack a co-processor chip on iPhones and escape its isolation environment, eventually accessing the iPhone’s kernel. The three WebKit vulnerabilities affect some iPhones and iPads. CVE-2023-28204, CVE-2023-32373 and CVE-2023-32409 could be exploited to escape the Web Content sandbox. Google’s Threat Analysis Group and Amnesty International co-reported CVE-2023-32409, which led many security experts to speculate that attackers exploited this issue to spread spyware. (SecurityWeek, Forbes)

Two popular Android set-top TV boxes sold on Amazon are preloaded with malware that quietly generates revenue for the manufacturers in the background. The devices click on ads while running without the user knowing and connect to a global botnet of other infected Android devices around the globe. Despite the reported security issues, the devices were still for sale on Amazon as of earlier this week. However, the security researcher who discovered this botnet worked with the internet company hosting the command and control servers that sent directions to devices part of the botnet to take those servers down. However, that doesn’t mean the botnet or ad-click malware could never come back — the easiest solution for users is to replace the devices immediately. (TechCrunch, ArsTechnica)

Security researchers are concerned that two new top-level domains from Google — .zip and .mov — will cause confusion among users and potentially open the door for scammers. Because these new TLDs (like .com, .gov, .uk, etc.) are the same as popular file extensions, adversaries could disguise legitimate-looking file names and actually send people to a malicious web address without the user knowing that it could even be a web page. They could also be used to create legitimate-looking URLs that match that of a real website but just add one character in a long string, eventually pointing people to a malicious file or site. However, Google says it's actively monitoring for domain abuse. (Wired, Ars Technica)

Can’t get enough Talos?

  • Beers with Talos Ep. #136: Oh hello, “Susan”

Upcoming events where you can find Talos

Cisco Live U.S. (June 4 - 8)

Las Vegas, NV

Discover Cyber Workshop for Women (June 8)

Doha, Qatar

REcon (June 9 - 11)

Montreal, Canada

Most prevalent malware files from Talos telemetry over the past week


Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

25 May 2023 at 12:02


We would like to thank The Citizen Lab for their cooperation, support and inputs into this research.

  • Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
  • Our research specifically looks at two components of this mobile spyware suite known as “ALIEN” and “PREDATOR,” which compose the backbone of the spyware implant. Our findings include an in-depth walkthrough of the infection chain, including the implants’ various information-stealing capabilities.
  • A deep dive into both spyware components indicates that ALIEN is more than just a loader for PREDATOR and actively sets up the low-level capabilities needed for PREDATOR to spy on its victims.
  • We assess with high confidence that the spyware has two additional components — tcore (main component) and kmem (privilege escalation mechanic) — but we were unable to obtain and analyze these modules.
  • If readers suspect their system(s) may have been compromised by commercial spyware, please consider notifying Talos’ research team at [email protected] to assist in furthering the community’s knowledge of these threats.



ALIEN and PREDATOR part of growing rise in spyware use

Threat actors’ use of commercial spyware has been on the rise, and the number of companies supplying these products and services seems to keep growing. Most commercial spyware is intended for government use, with firms like NSO Group advertising their products as technology that helps prevent terrorism, investigate crime, and enhance national security. However, in recent years, ethical and legal questions have swirled around the use of these surveillance tools, which have become known in the security community as “mercenary spyware.” As a response to the rapid proliferation and growing concern over the misuse of these products, on March 27, 2023, the Biden-Harris administration signed an Executive Order prohibiting the U.S. government from using commercial spyware that poses national security risks or has been misused by foreign actors to enable human rights abuses.

Spyware suppliers take great care to make the final payloads difficult to detect, obtain, analyze and protect against by creating deployment sequences that often require little or no user interaction. The delivery mechanism is usually an exploit chain that can start a zero-click exploit, like FORCEDENTRY, which is produced by Israeli spyware firm NSO Group, or with a link that the victim is tricked into clicking (i.e., a “one-click” exploit), like the one created by the surveillance company Cytrox to deploy their own spyware known as “PREDATOR.” (Note: Cytrox is owned by Intellexa, which sells the PREDATOR spyware.)

PREDATOR is an interesting piece of mercenary spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it especially versatile and dangerous.

New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it, known as “ALIEN.” Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR, as was previously thought.



Intellexa spyware framework

Intellexa’s spyware products, like most recently exposed spyware tools, have multiple components that can be grouped into three major buckets aligned with consecutive stages of the attack:

[Figure: Intellexa spyware components grouped by attack stage]


The first two — exploitation and privilege escalation — are often grouped in exploit chains, which start by exploiting a remote vulnerability to obtain remote code execution (RCE) privileges, followed by mitigation circumvention and privilege escalation, since the vulnerable processes are often less privileged.

An example of the initial chain is covered in detail in this 2021 blog post from Google TAG. The report describes how adversaries exploited five different zero-day vulnerabilities to deliver ALIEN, the implant in charge of loading the PREDATOR spyware. The vulnerabilities, which were discovered in 2021, are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 — all of which affect Google Chrome, and CVE-2021-1048 in Linux and Android.

While ALIEN and PREDATOR can be used against Android and iOS mobile devices, the samples we analyzed were specifically designed for Android. For privilege escalation, the spyware is configured to use a method called QUAILEGGS, or, if QUAILEGGS is not present, it will use a different method called “kmem.” The samples we analyzed were running QUAILEGGS.

There is no way to know for sure what vulnerability QUAILEGGS exploits without having access to the code itself. Nevertheless, we decided to share our assessment in hopes that other researchers might be able to add to it.

We assess that QUAILEGGS likely exploits the aforementioned zero-day vulnerability CVE-2021-1048. Based on Google’s root cause analysis, this vulnerability allows code injection into privileged processes, which is exactly what happens with ALIEN when QUAILEGGS is used. According to the Linux kernel development git logs, the vulnerability was public since August 2020 and patched in September. However, some Google Pixel phones remained vulnerable until March 2021 and Samsung devices until at least October 2021.

From the PREDATOR components Cisco Talos had access to, we assess that there are at least two more components that we have not been able to analyze: “tcore” and "kmem.”

The tcore Python module is loaded by loader.py, the key instrumentor module, after all initializations are completed.


Loader module importing tcore.

If tcore fails to load, the loader deletes the downloaded encrypted SQLite3 file. It first tries to delete the file, and if that fails, attempts to open the file for write operations and write zero bytes to it to wipe it clean, effectively eradicating the file contents without deleting the file itself.

We assess that the tcore Python module contains the core spyware functionality. Analysis of the native code inside ALIEN and PREDATOR indicates that the spyware can record audio from phone calls and VOIP-based applications. It can also collect information from some of the most popular applications, including Signal, WhatsApp and Telegram. Peripheral functionalities include the ability to hide applications and prevent applications from being executed upon device reboot.

The second component we are missing is the artifact that implements the KMEM module. Based on our analysis of the “_km” Python module, we assess that KMEM provides arbitrary read and write access into the kernel address space.

Access gained by exploiting CVE-2021-1048 would allow the spyware to execute most of its capabilities, including loading and executing additional payloads at SYSTEM level. Eventually, this could lead to the user gaining kernel access and making configuration setting changes to kmem.



Spyware implant architecture and overview


ALIEN/PREDATOR teamwork

The spyware implant runs a variety of processes to bypass the inherent restrictions of Android’s security model. The spyware takes the “__progname” of the process that is currently running and then uses it to decide what set of functions to call. The processes looked for are: zygote64, system_server, installd, audioserver (alien_voip) and a second version of audioserver (alien_recorder).


The zygote64 and system_server call chains are the ones that do the most work, while the installd call chain sets up the file structures for the other portions of the spyware. Each of these call chains sets up a process structure used to intercept specific ioctl commands, where the spyware uses the functionality of that process to abuse the SELinux context to grant different functionality to the other processes.

The image below shows an example in which the SELinux policy-applied zygote process prevents all kinds of access to sockets, except for Unix-type local ones.


Source: https://android.googlesource.com/platform/system/sepolicy/+/master/private/app_zygote.te#130

However, by storing the recorded audio in a shared memory area using ALIEN, then saving it to disk and exfiltrating it with PREDATOR, this restriction can be bypassed. This is a simplified view of the process — keep in mind that ALIEN is injected into the zygote address space to pivot into specialized privileged processes inside the Android permission model. Since zygote is the parent process of most of the Android processes, it can change to most UIDs and transition into other SELinux contexts that possess different privileges. Therefore, this makes zygote a great target to begin operations that require multiple sets of permissions.

The ALIEN component configuration contains the URL to download the PREDATOR component. During the initialization, it starts the download and calls its main_exec() function by importing it using dlsym(), thus initializing the main component of the spyware. It is unclear how ALIEN is initially started, but it is highly likely that it is loaded from the shellcode executed by the exploits used in the initial stage.


Download URL for PREDATOR in ALIEN.

ALIEN is also responsible for updating PREDATOR after, for instance, secondary exploitation.

If the configuration contains the string “_refresh”, the file downloaded will be stored as fs.db that will be processed by the sqlimper.py module residing inside PREDATOR and not ALIEN, thus strengthening our findings that these two modules are highly dependent on each other. It is worth noting that fs.db is an SQLite3-encrypted database that may contain new configuration settings or serialized Python code, thus making it extremely modular and adaptable spyware.

ALIEN and PREDATOR also communicate via binder transactions. During its initialization routines, ALIEN hooks ioctl() to catch binder transactions arriving at its host process. A detailed example of this method of communication can be seen in the audio recording feature description ahead.



ALIEN overview

ALIEN is the primary worker component for the spyware. Once deployed, it downloads and activates the remaining components according to the configuration that has been hardcoded into its own binary. We assess with high confidence that ALIEN is injected into a privileged process address space and is then launched in an independent thread.

Initially, ALIEN checks if it has been loaded into zygote64. If this check is positive, it will go ahead and perform its activities. If needed, it will download the PREDATOR component from a hosting site defined in the configuration. Optionally, this can be a refresh, in which case the already existing PREDATOR will be replaced by a new version, meaning a second exploitation of the target device was performed and a new version of tcore is installed. Keep in mind that this is tcore and not the entire PREDATOR payload. ALIEN’s configuration also includes the location for its working directory which is actively utilized for carrying out tasks such as data exfiltration etc.

An example of one such working directory is “/data/local/tmp/wd/”. Spyware artifacts such as PREDATOR and SQLite3-encrypted database files can be found in it.

Path                          Purpose
/data/local/tmp/wd/pred[.]so  PREDATOR spyware shared library
/data/local/tmp/wd/fs[.]db    SQLite3 file containing additional payloads



ALIEN is not just a loader but also an executor — its multiple threads will keep reading commands coming from PREDATOR and executing them, providing the spyware with the means to bypass some of the Android framework security features. Before launching PREDATOR, there are several steps that need to be performed:

[Figure: steps ALIEN performs before launching PREDATOR]



Hooking the ioctl() API in the libbinder.so using an open-source library called xHook is one of the means it uses to communicate with PREDATOR. The distributed nature of the spyware requires component communication and synchronization to work properly. The spyware framework has several means of achieving this communication and synchronization.

ALIEN hooks the ioctl() function in libbinder.so, which is responsible for inter-process communication (IPC) in the Android framework. The ioctl hooks are structured to allow the implant to communicate with itself (on forked processes) and with other implant components.


Hooking ioctl.

When the implant begins executing, it selects which application context it’s running within. After this activity starts, it will record the thread ID that it is running inside, then register a hook on the ioctl activity in that process. This ioctl hook manages a variety of different binder commands, inside of the BINDER_WRITE_READ IOCTL command. This hook filters all the BINDER_WRITE_READ functions to ALIEN’s own handler commands.

The commands that are redirected include BC_TRANSACTION, BR_TRANSACTION, BR_REPLY, BC_REPLY. This allows the control of information into and out of the target process. Within each of the selected processes mentioned above, there are different actions a malicious module could then take on the system.

This creates an effective way to communicate within the implant while also allowing the implant to hide within other legitimate system processes. The implant communicates discreetly with itself, without network-based indicators and avoiding SELinux restrictions.

On the installd process, the implant hooks BR_TRANSACTION and BC_REPLY. Each of the commands takes the same action. It then spawns a thread and moves toward recursively changing the permissions of 26 directories belonging to applications and users’ media. Each application has a list of flags associated with it referencing what vendor will likely possess the application and whether to apply the new permissions to said app. In this sample, each application is given the permissions of 777, although the spyware supports an extension of any value. ALIEN also gives them an SELinux context consistent with the configuration of the spyware, “u:object_r:shell_data_file:s0”, using the function setfilecon. These files (applications) are copied into the configuration directory where the spyware resides, likely to be extracted later.


PREDATOR overview

PREDATOR is a pyfrozen ELF file that contains serialized Python modules and native code used by either of the built-in modules or downloaded modules. ALIEN launches PREDATOR, calling the main_exec() exported function with a parameter that contains two file descriptors. These are shared memory area file descriptors created by ALIEN to be used as a medium for communication between the two components.

The PREDATOR main_exec() function is a simple function that will duplicate the file handles and launch PREDATOR’s real main function on a native thread, thus ensuring it can run without being blocked by ALIEN processes or the main process execution.



Initialization process for PREDATOR.

This thread will call the startPy() function, which prepares the Python runtime environment to be used by the spyware. Like any other pyfrozen binary, it starts by importing the usual “__main__” module. Then, it defines the following attributes on “__main__”:

Name          Usage
SHMEMFD_PC2   Shared memory handle for communication with ALIEN
SHMEMFD_VSS   Shared memory handle for communication with ALIEN
DEV           Defines whether the current PREDATOR implant is a development version or not; this affects the amount of logging performed
installID     An installation ID that can be related to the victim, device or campaign; the value is hardcoded at initialization time


The final activities are importing another module called loader and calling its main subroutine, a Python function called “mainExec”. It is interesting to note that the installation ID is hardcoded in the native code with a specific value but, in the Python module loader.py, the value is initialized with a placeholder value. Once the Python runtime is properly initialized, PREDATOR will proceed to initialize and start the spyware tcore component.


Spyware capabilities

When used together, these components provide a variety of information stealing, surveillance and remote-access capabilities. The functionalities described here are just a subset of the comprehensive capabilities of the spyware. At this time, Talos does not have access to all components of the spyware; therefore, this capability list should not be considered exhaustive. We believe that capabilities like geolocation tracking, camera access or the ability to make it appear as if the phone is powering off may have been implemented in the tcore module.



Arbitrary code execution

ALIEN also can read and execute code from specified locations on the filesystem. For example, the implant can inject code that was read earlier from “/system/fonts/NotoColorEmoji.ttf” into the system_server process memory for execution.


Inject and wait for the result.

The spyware architecture relies heavily on process-based parallelism. The shellcode is injected after a fork() call: the child process injects the shellcode, executes it and exits. Meanwhile, the parent process waits five seconds for the shellcode to execute before returning. Given the code flow, we assess with medium confidence that the injected shellcode takes the content of “/data/system/.0” as a parameter.

The overall injection process is achieved using ptrace() and mmap() to inject the code into the target process.


Overall injection flow.



Audio recording

This spyware can record audio from different sources by several means. It can record from the microphone and from earpiece- and VOIP-based calls, using deep-level techniques like memcpy hooking inside audio-related processes or, more simply, by creating a RECORD interface using the OpenSLES native library. This capability is spread across the two components and, just like any other component, it can be started from the Python environment loaded by PREDATOR.

[Figure: Audio recorder command codes.]

This capability's internal name is pc2. The screenshot above shows the preparation of the Python environment with the constants that will be used as commands between the ALIEN and PREDATOR modules. PREDATOR implements the native code responsible for communicating with ALIEN on one side and exposes that code to the Python interpreter on the other, so it can be called from the tcore module.

ALIEN attempts to hook the following APIs in the audio libraries used by a process. The hooks are installed with the xhook framework, a PLT/GOT hooking library, and copy the source data passed to the legitimate APIs into a buffer allocated and chosen by the spyware.

Lib name                  Function to be hooked
libaudioutils.so          memcpy_by_audio_format
.*\\libaudiohal.*.so$     memcpy
.*\\libaudioflinger.so$   memcpy

Hooks created in audio libraries using xhook.

Another set of interception measures deployed by ALIEN consists of ioctl hooks and a recorder interface. These hooks intercept and identify the operations carried out or requested by the recorder, so that the audio data can be copied into locations defined by the spyware.

These mechanisms target the audioserver process on the device and are meant to essentially record audio from the VOIP and voice recording interfaces. Although the whole infrastructure to enable voice recording is set up by ALIEN, it is primarily operated by PREDATOR, which is responsible for issuing commands to either start or stop recording. This is yet another example of the close relationship between ALIEN and PREDATOR to carry out essential malicious activities on the infected devices.


Adding certificates to the store

The spyware can also add certificates to the current user-trusted certificate authorities by writing the certificate authority’s (CA) public certificate to the path “/data/misc/user/0/cacerts-added”, as shown below.

[Figure: the CA certificate being written to /data/misc/user/0/cacerts-added.]

Even though the spyware runs with high privileges, it does not attempt to add certificates at the system level. That kind of operation could interfere with the normal functioning of the device, and some versions of Android would even require remounting the filesystem read-write. If anything went wrong during TLS interception at the system level, the device could become unstable and likely tip off the victim. From the attacker's perspective the risk outweighs the reward, since with a user-level certificate the spyware can still intercept TLS traffic from the browser. The choice has a known limit: since Android 7.0, applications targeting API level 24 or later do not trust user-added CAs by default unless their network security configuration opts in, so the user store mainly covers browser traffic rather than that of arbitrary apps.



Application hiding and preventing execution on reboot

ALIEN reads the contents of “/data/system/.0” and uses them as input for establishing hooks in the Android runtime (ART) with a custom version of the YAHFA framework. The hooking works by loading a DEX file embedded in ALIEN through the InMemoryClassLoader() method.

[Figure: Embedded DEX in ALIEN.]

The customized DEX contains what appears to be a plugin, named “com.jnative.pluginshideapp”, which implements the methods listed below.

  • getInstalledApplications
  • getInstalledPackages
  • queryIntentActivitiesInternal
  • queryIntentReceiversInternal

[Figure: Malicious plugin with hooks defined for Package Manager APIs.]

The DEX file thus uses these hooks for two key purposes:

  • Hiding Applications/packages: The plugin in the DEX can hook and filter out a specific package/application name from the list of installed packages and applications.
  • Prevent execution on Reboot: The plugin can also hook and be used for filtering out specific names from the list of packages/applications to be run when the BOOT_COMPLETED intent is received via broadcast.




[Figure: Filtering of applications and packages based on their “packageName” field.]

To filter the application and package lists, whether to hide entries or to keep them from running on reboot, the DEX file hooks the original API calls and replaces them with its own code. Every time a hooked method is called, the custom code checks the list against its own list of names and removes any application or package it intends to hide; the original API is then called with the filtered list as its argument.

The code we analyzed only implements this for the BOOT_COMPLETED broadcast, which keeps an application from starting after a reboot. The same method could be applied to other broadcasts, altering the behavior of other applications in the process: hooking the SMS_RECEIVED broadcast, for example, would keep SMS messages from ever reaching the user. That would be a more aggressive form of interception than the common technique of installing an application that registers for SMS_RECEIVED with a higher priority.
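Because the hooks live in system_server, every client of PackageManager, including `pm list packages` and the Settings app, receives the filtered list. A cross-view check compares that view with artifacts the hooks do not touch: the package list that PackageManagerService persists to /data/system/packages.list and the per-app directories under /data/data. The script below is an added example, not code from the Talos analysis or the spyware; its inputs are constructed stand-ins for those three sources, and the com.example.* names in them are placeholders, not indicators tied to PREDATOR. Leftover directories of uninstalled apps also show up in /data/data alone, so a hit with only that source still needs triage.

```python
# Added example (not Talos or spyware code): cross-view diff between the
# PackageManager view that the hooks filter and two on-disk sources they do not.


def parse_pm_list(text):
    """Parse `pm list packages` output (with or without -f) into a set of package names."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        value = line[len("package:"):]
        pkgs.add(value.rsplit("=", 1)[-1])  # with -f the form is apk_path=package
    return pkgs


def parse_packages_list(text):
    """The first whitespace-separated field of each /data/system/packages.list
    line is the package name; the remaining fields are not needed here."""
    return {line.split()[0] for line in text.splitlines() if line.split()}


def find_hidden(pm_output, packages_list, data_dirs):
    """Return {package: [sources that see it]} for every package that the
    on-disk sources know about but PackageManager does not report."""
    visible = parse_pm_list(pm_output)
    evidence = {}
    for pkg in parse_packages_list(packages_list) - visible:
        evidence.setdefault(pkg, []).append("/data/system/packages.list")
    for pkg in set(data_dirs) - visible:
        evidence.setdefault(pkg, []).append("/data/data")
    return dict(sorted(evidence.items()))


# Constructed inputs; the com.example.* names are placeholders, not real indicators.
PM_OUTPUT = """\
package:com.android.chrome
package:com.android.settings
package:com.whatsapp
"""

PACKAGES_LIST = """\
com.android.chrome 10105 0 /data/user/0/com.android.chrome default:targetSdkVersion=33 3002,3003 0 0
com.android.settings 1000 0 /data/user/0/com.android.settings platform:privapp:targetSdkVersion=33 1023,3002 0 0
com.whatsapp 10201 0 /data/user/0/com.whatsapp default:targetSdkVersion=31 3002,3003 0 0
com.example.hiddenimplant 10250 0 /data/user/0/com.example.hiddenimplant default:targetSdkVersion=28 3002,3003 0 0
"""

# Directory names under /data/data, as `ls` would print them on a rooted device.
DATA_DIRS = [
    "com.android.chrome", "com.android.settings", "com.whatsapp",
    "com.example.hiddenimplant", "com.example.leftover",
]

if __name__ == "__main__":
    for pkg, sources in find_hidden(PM_OUTPUT, PACKAGES_LIST, DATA_DIRS).items():
        print(f"{pkg}: present in {', '.join(sources)} but not reported by PackageManager")
```

The package that both on-disk sources know about but PackageManager omits is the strong signal; the one seen only in /data/data is the weaker one. The same idea extends to the reboot side of the plugin: the receivers registered for BOOT_COMPLETED in the APK manifests on disk can be compared with what `dumpsys package` reports.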


Get system information

The spyware draws on a variety of sources to gather information about the system. It enumerates several directories on the filesystem and reads multiple files to extract as much stored data from the infected device as possible.



Enumerating directories

The ALIEN implant will first get the device manufacturer name from the system property “ro.product.manufacturer”. It checks for specific manufacturers from a hardcoded list:

  • Samsung
  • Huawei
  • Oppo
  • Xiaomi

If any of these manufacturers' names match, it will recursively enumerate the contents of the following directories on disk:

Type                      Directories
Messaging                 /data/data/com.samsung.android.messaging
Contacts                  /data/data/com.samsung.android.providers.contacts
                          /data/data/com.android.providers.contacts
Media                     /data/data/com.samsung.android.providers.media
                          /data/data/com.android.providers.media
                          /data/data/com.google.android.providers.media
                          /data/media/0
                          /data/media
                          /data/data/com.google.android.providers.media.module
                          /data/data/com.android.providers.media.module
Email                     /data/data/com.samsung.android.email.provider
                          com.google.android.gm
Telephony                 /data/data/com.android.providers.telephony
Social media apps         /data/data/com.instagram.android
                          /data/data/com.facebook.orca
                          /data/data/com.twitter.android
Messaging apps            /data/data/com.skype.raider
                          /data/data/jp.naver.line.android
                          /data/data/com.whatsapp
                          /data/data/org.telegram.messenger
                          /data/data/com.viber.voip
                          /data/data/com.tencent.mm (WeChat)
                          /data/data/org.thoughtcrime.securesms
                          /data/data/com.google.android.apps.messaging
ALIEN working directory   /data/local/tmp/wd (the directory ALIEN uses to store data stolen from the device)
Browser apps              /data/data/com.android.chrome



Getting Configuration Data

The implant gathers configuration information, and it also collects contacts, call and messaging data, by copying the files listed below.

It again checks for the manufacturer names and then reads data from the following files:

  • /data/misc/wifi/.WifiConfigStore.xml
  • /data/local/tmp/wd/WifiConfigStore.xml
  • /data/data/com.android.providers.contacts/databases/contacts2.db-wal
  • /data/data/com.android.providers.media/databases/contacts2.db-wal
  • /data/data/com.android.providers.contacts/databases/contacts2.db-shm
  • /data/data/com.android.providers.media/databases/contacts2.db-shm
  • /data/data/com.android.providers.contacts/databases/contacts2.db
  • /data/data/com.android.providers.media/databases/contacts2.db
  • /data/data/com.android.providers.contacts/databases/calls.db-wal
  • /data/data/com.android.providers.media/databases/calls.db-wal
  • /data/data/com.android.providers.contacts/databases/calls.db-shm
  • /data/data/com.android.providers.media/databases/calls.db-shm
  • /data/data/com.android.providers.contacts/databases/calls.db-journal
  • /data/data/com.android.providers.media/databases/calls.db-journal
  • /data/data/com.android.providers.contacts/databases/calls.db
  • /data/data/com.android.providers.media/databases/calls.db
  • /data/data/com.android.providers.telephony/databases/mmssms.db-wal
  • /data/data/com.android.providers.media/databases/mmssms.db-wal
  • /data/data/com.android.providers.telephony/databases/mmssms.db-shm
  • /data/data/com.android.providers.media/databases/mmssms.db-shm
  • /data/data/com.android.providers.telephony/databases/mmssms.db
  • /data/data/com.android.providers.media/databases/mmssms.db

The content obtained is written to “/data/local/tmp/wd/” before being exfiltrated. Copying the database files directly, together with the -wal, -shm and -journal side files that may hold committed rows not yet checkpointed into the main database, is a low-level method that depends on the implant's elevated privileges. Spyware with fewer privileges usually goes through the Android framework APIs to collect the same information, which requires the user to grant the necessary permissions.
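Taking the side files is not mere thoroughness: in WAL mode SQLite keeps committed transactions in the -wal file until a checkpoint folds them into the main file, so a copy of contacts2.db alone can miss the most recent rows. The script below is an added example, not code from the Talos analysis or the spyware. It builds a constructed stand-in for contacts2.db with a minimal raw_contacts table, copies it with and without the WAL the way the implant copies contacts2.db, contacts2.db-wal and contacts2.db-shm, and reads both copies. The same applies to the other databases listed above, and to anyone acquiring them for forensics.

```python
import os
import shutil
import sqlite3
import tempfile

# Added example (not Talos or spyware code). Constructed stand-in for
# contacts2.db: the real schema is far larger; only the WAL behaviour matters here.


def make_contacts_db(path):
    """Create a database with one row in the main file and one row committed
    only to the -wal file. Returns the open connection: closing the last
    connection would checkpoint the WAL and erase the effect demonstrated."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE raw_contacts(_id INTEGER PRIMARY KEY, display_name TEXT)")
    con.execute("INSERT INTO raw_contacts(display_name) VALUES ('Alice')")
    con.commit()                                           # Alice is in contacts2.db
    con.execute("PRAGMA journal_mode=WAL").fetchall()      # switch to write-ahead logging
    con.execute("INSERT INTO raw_contacts(display_name) VALUES ('Bob')")
    con.commit()                                           # Bob is only in contacts2.db-wal
    return con


def copy_db(src, dst_dir, with_side_files):
    """Copy the main database file and, optionally, its -wal and -shm side files."""
    os.makedirs(dst_dir, exist_ok=True)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)
    if with_side_files:
        for suffix in ("-wal", "-shm"):
            if os.path.exists(src + suffix):
                shutil.copyfile(src + suffix, dst + suffix)
    return dst


def read_names(db_path):
    """Open a copied database the way an analyst would and list the contacts it shows."""
    con = sqlite3.connect(db_path)
    try:
        return [row[0] for row in
                con.execute("SELECT display_name FROM raw_contacts ORDER BY _id")]
    finally:
        con.close()


def demo():
    """Return (names seen in a copy of the main file only, names seen with the WAL)."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "contacts2.db")
    con = make_contacts_db(src)
    try:
        main_only = copy_db(src, os.path.join(work, "main_only"), with_side_files=False)
        with_wal = copy_db(src, os.path.join(work, "with_wal"), with_side_files=True)
        return read_names(main_only), read_names(with_wal)
    finally:
        con.close()
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The copy without the WAL shows only the first contact; the copy with it shows both. The -shm file is just the WAL index and SQLite rebuilds it when it is missing, so the -wal file is the one that must not be left behind.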


Coverage



Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.


IOCs

Indicators of Compromise associated with this threat can be found here.


