Welcome to this week’s edition of the Threat Source newsletter.
Authority bias is one of the many things that shape how we think. Taking the advice of someone with recognized authority is often far easier (and usually leads to a better outcome) than spending time and effort in researching the reasoning and logic behind that advice. Put simply, it’s easier to take your doctor’s advice on health matters than it is to spend years in medical school learning why the advice you received is necessary.
This tendency to respect and follow authoritative instructions translates into our use of computers, too. If you’re reading this, you’ve likely been the recipient of many questions about computer-related matters from friends and family. However, your trust can be abused, even by someone who seems knowledgeable and respectable.
Attackers have learned that by impersonating individuals with some form of authority, such as banking staff, tax officials or IT professionals, they can persuade victims to carry out actions against their own interests. In our most recent Incident Response Quarterly Trends update, we describe how ransomware actors masquerade as IT agents when contacting their victims, instructing them to install remote access software. This allows the threat actor to set up long-term access to the device and continue the pursuit of their malicious objectives.
If someone contacts you out of the blue professing to be an IT or bank/tax expert with urgent or helpful instructions, end the conversation immediately. Follow up with a call to the main contact details of the team or organization that contacted you to verify if the call was genuine. Be aware of the scams that the bad guys are using and spread awareness far and wide. Expect threat actors to attempt to exploit human nature and its own vulnerabilities.
The one big thing
Threat hunting is an integral part of any cyber security strategy because identifying potential incursions early allows issues to be swiftly resolved before harm is incurred. There are many different approaches to threat hunting, each of which may uncover different threats.
Why do I care?
As threat actors increasingly use living-off-the-land binaries (LOLBins) — i.e. using either dual-use tools or the tools that they find already in place on compromised systems — detecting the presence of an intruder is no longer a case of simply finding their malware.
Spotting bad guys is still possible, but requires a slightly different approach: either looking for evidence of the potential techniques they use, or finding evidence that things aren’t quite as they should be.
So now what?
Read about the different types of threat hunting strategies the Talos IR team uses and investigate how these can be used within your environment to improve your chances of finding incursions early.
Top security headlines of the week
MySQL turns 30 The popular database was founded on May 23, 1995 and is at the heart of many high-traffic applications such as Facebook, Netflix, Uber, Airbnb, Shopify, and Booking.com. (Oracle)
Disney Slack attack wasn’t Russian protesters, just a Cali dude with malware A resident of California has pleaded guilty to conducting an attack in which 1.1 TB of data was stolen. The attack was conducted by releasing a trojan masquerading as an AI art generation application. (The Register)
Ransomware Group Claims Attacks on UK Retailers The DragonForce ransomware group says it orchestrated the disruptive cyberattacks that hit UK retailers Co-op, Harrods, and Marks & Spencer (M&S). (Security Week)
Attackers Ramp Up Efforts Targeting Developer Secrets Attackers are increasingly seeking to steal secret keys or tokens that have been inadvertently exposed in live environments or published in online code repositories. (Dark Reading)
Can’t get enough Talos?
Spam campaign targeting Brazil abuses Remote Monitoring and Management tools A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents. Read now
Threat Hunting with Talos IR Talos recently published a blog on the framework behind our Threat Hunting service, featuring this handy video:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-08 18:06:512025-05-08 18:06:51The IT help desk kindly requests you read this newsletter
Cisco Talos identified a spam campaign targeting Brazilian users with commercial remote monitoring and management (RMM) tools since at least January 2025. Talos observed the use of PDQ Connect and N-able remote access tools in this campaign.
The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox.
Talos has observed the threat actor abusing RMM tools in order to create and distribute malicious agents to victims. They then use the remote capabilities of these agents to download and install Screen Connect after the initial compromise.
Talos assesses with high confidence that the threat actor is an initial access broker (IAB) abusing the free trial periods of these RMM tools.
Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2).
Figure 1. Spam message purporting to be from a cell phone provider. Figure 2. Spam message masquerading as a bill from a financial institution.
Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool. The file names also contain references to NF-e in their names:
AGENT_NFe_<random>.exe
Boleto_NFe_<random>.exe
Eletronica_NFe_<random>.exe
Nf-e<random>.exe
NFE_<random>.exe
NOTA_FISCAL_NFe_<random>.exe
Note: <random> means the filename uses a random sequence of letters and numbers in that position.
The victims targeted in this campaign are mostly C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. This assessment is based on the most common recipients found in the messages Talos observed during this campaign.
Figure 3. Targeted recipients.
Abusing RMM tools for profit
This campaign’s objective is to lure the victims into installing an RMM tool, which allows the threat actor to take complete control of the target machine. N-able RMM Remote Access is the most common tool distributed in this campaign and is developed by N-able, Inc., previously known as SolarWinds. N-able is aware of this abuse and took action to disable the affected trial accounts. Another tool Talos observed in some cases is PDQ Connect, a similar RMM application. Both provide a 15-day free trial period.
To assess whether these actors were using a trial version rather than stolen credentials to create these accounts, Talos checked samples older than 15 days and confirmed all of them returned errors that the accounts were disabled, while newer samples found in the last 15 days were all active.
Talos also examined the email accounts used to register for the service. They all use free email services such as Gmail or Proton Mail, as well as usernames following the theme of the spam campaign, with few exceptions where the threat actors used personal accounts. These exceptions are potentially compromised accounts which are being abused by the threat actors to create additional trial accounts. Talos did not find any samples in which the registered account was issued by a private company, so we can assess with high confidence these agents were created using trial accounts instead of stolen credentials.
N-able is aware of this abuse and took action to disable the affected trial accounts.
Talos found no evidence of a common post-infection behavior for the affected machines, with most machines staying infected for days before any other malicious activity was executed by the tool. However, in some cases, we observed the threat actor installing an additional RMM tool and removing all security tools from the machine a few days after the initial compromise. This is consistent with actions of initial access broker (IAB) groups.
An IAB’s main objective is to rapidly create a network of compromised machines and then sell access to the network to third parties. Threat actors commonly use IABs when looking for specific target companies to deploy ransomware on. However, IABs have varied priorities and may sell their services to any threat actors, including state-sponsored actors.
Adversaries’ abuse of commercial RMM tools has steadily increased in recent years. These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.
Talos created a trial account to test what features were available for a trial user. In the case of the N-able remote access tool, the trial version offers a full set of features only limited by the 15-day trial period. Talos was able to confirm that by using a trial account, the threat actor has full access to the machine, including remote desktop like access, remote command execution, screen streaming, keystroke capture and remote shell access.
Figure 4. N-able management interface showing available remote access tools. Figure 5. Administrative shell executed on a remote machine.
The threat actor also has access to a fully featured file manager to easily read and write files to the remote file system.
Figure 6. N-able file manager.
The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider. For example, N-able Remote Access uses a domain associated with its management interface, hosted on Amazon Web Services (AWS):
hxxps://upload1[.]am[.]remote[.]management/
hxxps://upload2[.]am[.]remote[.]management/
hxxps://upload3[.]am[.]remote[.]management/
hxxps://upload4[.]am[.]remote[.]management/
Disclaimer: The URLs above are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. Customers must complete an assessment before enabling block signatures for these domains.
The domain the agent uses is the same for any customer using the tool, with only the username and API key differentiating which customer the agent belongs to, as can be seen in Figure 7. This makes it even more difficult to identify the origin of the attacks and perform threat actor attribution.
Figure 7. Example configuration file.
By extracting the configuration files inside the agent installer files still available on Dropbox, we can see some email addresses follow the same theme of the spam emails, using names of finance-related users and domains, while others could be potentially compromised accounts being used to create trial accounts for N-able Remote Access.
With these trial versions being limited only by time and providing full remote-control features with little to no cost to the threat actors, Talos expects these tools to become even more common in attacks.
Cisco Secure Firewall Application control is able to detect the unintended usage of RMM tools in customer’s networks. Instructions on how to set up Application control can be found at Cisco Secure Firewall documentation.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
ClamAV detections are also available for this threat:
Disclaimer: The URLs below are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. An assessment must be done by customers before enabling block signatures for these domains.
IOCs for this threat can be found on our GitHub repository here.
In April, the release of version 136 of Google Chrome finally addressed a privacy issue for the browser that’s been widely known about since 2002 (which issue, btw, is also present in all other major browsers). This was real bad news for unscrupulous marketers, who’d been exploiting it wholesale for 15 years. From this menacing description, you might be surprised to learn that the threat is a familiar and seemingly harmless convenience: links that your browser highlights a different color after you visit them.
From a blue sky to purple rain
Changing the color of links to visited sites (by default from blue to purple) was first introduced 32 years ago in the NCSA Mosaic browser. After that, this user-friendly practice was adopted by almost all browsers in the 1990s. And it later became the standard for Cascading Style Sheets (CSS) — a language for adding stylization to web pages. Such recoloring occurs by default in all popular browsers today.
However, as early as in 2002, researchers noticed that this feature could be abused by placing hundreds or thousands of invisible links on a page and using JavaScript to detect which of them the browser renders as visited. In this way, a rogue site could partially uncover a user’s browsing history.
In 2010, researchers discovered that this technique was being used in the wild by some major sites to snoop on visitors — among which were YouPorn, TwinCities, and 480 other sites then popular. It was also found that platforms like Tealium and Beencounter were offering history-sniffing services, while the advertising firm Interclick was implementing this technology for analytics, and even faced legal action. Although it won the lawsuit, the major browsers have since modified their code for processing links to make it impossible to read whether a link was visited or not.
However, advances in web technologies created new workarounds for snooping on browsing history. A 2018 study described four new ways to check the state of links — two of which affected all tested browsers except the Tor Browser. One of the vulnerabilities — CVE-2018-6137 — made it possible to check visited sites at up to 3000 links per second. Meanwhile new, increasingly sophisticated attacks to extract browsing history continue to appear.
Why history theft is dangerous
Exposing your browsing history, even partially, poses several threats to users.
Not-so-private life. Knowing what sites you visit (especially if it relates to medical treatment, political parties, dating/gambling/porn sites, and similar sensitive topics), attackers can weaponize this information against you. They can then tailor a scam or bait to your individual case — be it extortion, a fake charity, the promise of new medication, or something else.
Targeted checks. A history-sniffing site could, for example, run through all the websites of the major banks to determine which one you use. Such information can be of use to both cybercriminals (say, for creating a fake payment form to fool you) and legitimate companies (say, for seeing which competitors you’ve looked at).
Profiling and deanonymization. We’ve written many times about how advertising and analytics companies use cookies and fingerprinting to track user movements and clicks across the web. Your browsing history serves as an effective fingerprint, especially when combined with other tracking technologies. If an analytics firm’s site can see what other sites you visited and when, it essentially functions as a super-cookie.
Guarding against browser history theft
Basic protection appeared in 2010 almost simultaneously in the Gecko (Firefox) and WebKit (Chrome and Safari) browser engines. This guarded against using basic code to read the state of links.
Around the same time, Firefox 3.5 introduced the option to completely disable the recoloring of visited links. In the Firefox-based Tor Browser, this option is enabled by default — but the option to save browsing history is disabled. This provides a robust defense against the whole class of attacks but sorely impacts convenience.
Unless you sacrifice an element of comfort, however, sophisticated attacks will still be able to sniff your browsing history.
Attempts are underway at Google to significantly change the status quo: starting with version 136, Chrome will have visited link partitioning enabled by default. In brief, it works like this: links are only recolored if they were clicked from the current site; and when attempting a check, a site can only “see” clicks originating from itself.
The database of website visits (and clicked links) is maintained separately for each domain. For example, suppose bank.com embeds a widget showing information from banksupport.com, and this widget contains a link to centralbank.com. If you click the centralbank.com link, it will be marked as visited — but only within the banksupport.com widget displayed on bank.com. If the exact same banksupport.com widget appears on some other site, the centralbank.com link will appear as unvisited. Chrome’s developers are so confident that partitioning is the long-awaited silver bullet that they’re nurturing tentative plans to switch off the 2010 mitigations.
What about users?
If you don’t use Chrome, which, incidentally has plenty of other privacy issues, you can take a few simple precautions to ward off the purple menace.
Update your browser regularly to stay protected against newly discovered vulnerabilities.
Use incognito or private browsing if you don’t want others to know what sites you visit. But read this post first — because private modes are no cure-all.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-07 13:06:392025-05-07 13:06:39Safeguarding your browsing history | Kaspersky official blog
The financial sector is heavily targeted by cybercriminals. Banks, investment firms, and credit unions are prime victims of attacks aimed at stealing sensitive data or holding it hostage for massive ransoms. One emerging threat in this landscape is Nitrogen Ransomware, a malicious group discovered in September 2024.
It has since then been notoriously renowned for several successful attacks like that on SRP Federal Credit Union in South Carolina in December 2024. However, there is still a scarcity of information on the group’s TTPs, and this deficit highlights the value of solutions like ANY.RUN’s threat intelligence and malware analysis suite.
Why Financial Sector Is Vulnerable
The numbers don’t lie: in 2024, 10% of all cyberattacks targeted the financial industry, according to reports.
From ransomware to financial fraud and cloud infrastructure exploits, banks and credit unions face all the kinds of threats that there are. The stakes are high — cyberattacks now cost organizations up to $2.5 billion per incident, with ransomware attacks alone spiking to 20–25 major incidents daily, a fourfold increase in financial losses since 2017.
Why is the financial sector so attractive? It’s simple: money and data. Financial institutions hold sensitive customer information and control vast sums of capital, which makes them tempting targets for ransomware groups like Nitrogen. Early detection and adversary tactics analysis are critical to minimizing damage, and that’s where services like ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup come in handy.
Meet Nitrogen Ransomware
There are traces of Nitrogen from July 2023, but it’s consensual to track it from September 2024. It was initially observed targeting not only finance but also construction, manufacturing, and tech, primarily in the United States, Canada, and the United Kingdom. The routine was to encrypt critical data and demand a ransom to unlock it. One of their confirmed victims, SRP Federal Credit Union, a South Carolina-based institution serving over 195,000 customers, fell prey on December 5, 2024.
Little is known about Nitrogen’s tactics due to limited public data, but a report by StreamScan provides a starting point.
It offers key indicators of compromise and some insights into the methods. Interestingly, Nitrogen shares similarities with another ransomware strain, LukaLocker, including identical file extensions for encrypted files and similar ransom notes. This overlap raises questions about their origins, but deeper analysis is needed to confirm connections.
The StreamScan report is the primary source of information on Nitrogen, detailing a few critical IOCs:
Ransomware File: A malicious executable with the SHA-256 hash 55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be
Mutex: A unique identifier, nvxkjcv7yxctvgsdfjhv6esdvsx, created by the ransomware before encryption.
Vulnerable Driver: truesight.sys, a legitimate but exploitable driver used to disable antivirus and endpoint detection tools.
System Manipulation: Use of bcdedit.exe to disable Windows Safe Boot, hindering system recovery.
While this report is a good start, it’s light on details. This is where ANY.RUN steps in, offering deeper insights through dynamic analysis and threat intelligence enrichment.
ANY.RUN’s Threat Intelligence Versus Nitrogen
Let’s research some of the above-mentioned indicators via Threat Intelligence Lookup to find more IOCs, behavioral data, and technical details on Nitrogen attacks.
1. Tracking the Mutex
Before encrypting files, Nitrogen creates a unique mutex (nvxkjcv7yxctvgsdfjhv6esdvsx) to ensure only one instance of the ransomware runs at a time. Using ANY.RUN’s Threat Intelligence Lookup, analysts can search for this mutex and uncover over 20 related samples, with the earliest dating back to September 2, 2024.
For each sample, an analysis session can be explored to enrich the understanding of the threat and gather additional indicators not featured in public research.
All sandbox analyses contain a selection of linked IOCs
ANY.RUN’s analyses also link Nitrogen to LukaLocker, as both share similar code structures and behaviors. By identifying additional IOCs from related tasks, ANY.RUN helps organizations update their detection systems to block Nitrogen before it strikes.
An analysis session in the sandbox where Luka was detected
Collect threat intelligence with TI Lookup to improve your company’s security
Nitrogen exploits truesight.sys, a legitimate driver from RogueKiller AntiRootkit, to kill AV/EDR processes and thus disable antivirus and endpoint detection tools. This driver, listed in the LOLDrivers catalog, is used by threat actors because it’s not inherently malicious, so it does not trigger standard defenses.
truesight.sys description in LOLDrivers’ catalog
ANY.RUN’s TI Lookup reveals over 50 analyses linked to truesight.sys:
ANY.RUN’s Interactive Sandbox’s ability to detect and flag this activity ensures organizations can block such exploits early.
Learn to Track Emerging Cyber Threats
Check out expert guide to collecting intelligence on emerging threats with TI Lookup
Read full guide
3. Catching System Manipulation
Nitrogen uses the Windows utility bcdedit.exe to disable Safe Boot, a recovery mechanism that could otherwise help restore an infected system. As the StreamScan report says:
Example from the StreamScan report
ANY.RUN allows analysts to use YARA rules to search for this behavior, identifying samples that tamper with system settings.
YARA rule from the StreamScan report
A simple YARA search in ANY.RUN’s TI Lookup returned several files linked to this tactic, each with associated analysis sessions that reveal additional IOCs.
YARA rule search in TI Lookup
By integrating these IOCs into SIEM or EDR systems, organizations can detect and block attempts to modify Windows boot settings before encryption begins, stopping Nitrogen in its tracks. To defend against threats like Nitrogen, security teams should:
Monitor for unusual use of PowerShell, WMI, and DLL sideloading.
Block known malicious infrastructure and domains.
Educate employees about phishing and social engineering tactics.
Use threat intelligence services to proactively hunt for related IOCs and TTPs.
Conclusion
The financial sector’s battle against ransomware is far from over, but solutions like ANY.RUN are leveling the playing field. By dissecting Nitrogen Ransomware’s tactics —system manipulation, driver exploitation, and mutex creation — ANY.RUN empowers cybersecurity teams to detect, analyze, and respond to the threat faster. Its dynamic analysis capabilities let analysts observe malware in action, from file encryption to system components abuse, in a safe sandbox environment. Meanwhile, its TI Lookup enriches threat data by providing additional indicators, uncovering connections to other attacks, campaigns, and techniques.
Nitrogen is a reminder that today’s cyberattacks are not only persistent — they’re precise. As Nitrogen and similar groups continue to evolve, staying proactive with dynamic analysis and enriched threat intelligence is the key to keeping financial institutions safe, to avoid direct capital losses, reputation damage.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
Editor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.
These days, it’s easy to come across new ransomware strains without much effort. But the ransomware threat landscape is far broader than it seems, especially when you dive into the commodity ransomware scene. This type of ransomware is developed by a group that sells a builder to third-party operators, with no formal agreement or contract between them, unlike the more organized Ransomware-as-a-Service (RaaS) model.
On this side of the fence, we see countless new products appearing on the cybercrime shelf every day. They’re much harder to track, as victims, strains, infrastructure, and builds often have no direct connection to each other.
Let’s take a look at one of them: Mamona Ransomware. Never heard of it? That’s probably because it’s a new strain but despite its short lifespan, it has already made some noise. It’s been spotted in campaigns run by BlackLock affiliates (who are also linked to Embargo), one of its online builders was exposed and later leaked on the clearnet, and the DragonForce group even stole the main website’s .env file, publishing it on their Dedicated Leak Site on Tor under the headline: “Is this your .env file?”
So, let’s find out what this is all about.
Mamona Ransomware in action
Mamona Ransomware: Key Takeaways
Emerging threat: Mamona is a newly identified commodity ransomware strain.
No external communication: The malware operates entirely offline, with no observed Command and Control (C2) channels or data exfiltration.
Local encryption only: All cryptographic processes are executed locally using custom routines, with no reliance on standard libraries.
Obfuscated delay technique: A ping to 127[.]0.0[.]7 is used as a timing mechanism, followed by a self-deletion command to minimize forensic traces.
False extortion claims: The ransom note threatens data leaks, but analysis confirms there is no actual data exfiltration.
File encryption behavior: User files are encrypted and renamed with the .HAes extension; ransom notes are dropped in multiple directories.
Decryption available: A working decryption tool was identified and successfully tested, enabling file recovery.
Functional, despite poor design: The decrypter features an outdated interface but effectively restores encrypted files.
This emerging ransomware can be clearly observed within ANY.RUN’s cloud-based sandbox environment. You can explore a full analysis session below for a detailed visual breakdown.
When you hear about ransomware, your first educated guess is usually a threat that comes from the outside, exfiltrates sensitive files, encrypts the local versions, and then demands a ransom. Pretty much the full ransomware cycle. But this one is different. it has no network communication at all, acting surprisingly as a mute ransomware. So far, the only connections it attempts are local, plus one to port 80 (HTTP), where no data is actually sent or received.
A connection to port 80 is attempted, but not established
This lack of network communication strongly suggests that the encryption key is either generated locally on the fly or hardcoded within the binary itself. In the medium term, this increases the chances of reverse-engineering a working decrypter which, fortunately, we already have in this case.
A closer look reveals that the encryptor relies entirely on homemade routines. There are no calls to standard cryptographic libraries, no use of the Windows CryptoAPI, and no references to external modules like OpenSSL. Instead, all cryptographic logic is implemented internally using low-level memory manipulation and arithmetic operations.
Speed up and simplify analysis of malware and phishing threats with ANY.RUN’s Interactive Sandbox
One key routine is located at internal offsets such as 0x40E100. This function is repeatedly called after pushing registers and buffer pointers to the stack and exhibits patterns typical of custom symmetric logic.
Custom encryption logic with no standard crypto
The symmetric structure reinforces the hypothesis of a static or trivially derived key, making Mamona a strong example of commodity ransomware that prioritises simplicity over cryptographic robustness.
Still, just because this malware doesn’t communicate with external hosts doesn’t mean it can’t cause serious local damage. Let’s take a closer look.
How Mamona Executes Its Attack
The first thing Mamona does is execute a ping command as a crude time delay mechanism, chaining it with a self-deletion routine via cmd.exe.
The use of ping 127[.]0.0[.]7 is a classic trick in commodity malware: instead of using built-in sleep APIs or timers (which can be flagged by behavioural monitoring), the malware sends ping requests to a loopback IP address, effectively pausing execution.
Interestingly, it uses 127[.]0.0[.]7 instead of the more common 127[.]0.0[.]1, likely as a basic form of obfuscation. It’s still within the reserved localhost block (127[.]0.0[.]0/8) but may bypass simple detection rules that specifically target 127[.]0.0[.]1.
A crude yet useful delay mechanism
Once the short delay is complete, the second part of the command attempts to delete the executable from disk using Del /f /q. Since a process can’t delete itself while it’s still running, this whole sequence is executed in a separate shell process. This is a simple but effective form of self-cleanup, aimed at reducing forensic traces post-infection.
Even if the mechanism isn’t simple, ANY.RUN understands the hidden intention and flags the behavior
Mamona begins with a straightforward reconnaissance phase, harvesting basic host data like the system’s name and configured language. It then proceeds to drop a ransom note (README.HAes.txt) not only on the Desktop, but recursively inside multiple folders, increasing the chances the victim will see it.
Recon routine and ransom note dropping
Following the ransom note deployment, Mamona begins encrypting user files, renaming them with the .HAes extension and making them inaccessible. To reinforce the impact, it changes the system wallpaper to a stark warning: “Your files have been encrypted!”
Files receive a new extension
The ransom note shares links to a dedicated leak site (DLS) and a victim’s chat support, both on Tor. Also, it states that “we have stolen a significant amount of your important files from your network” and “Refuse to pay: your stolen data will be published publicly” but that actually does not happen, as we discussed earlier. There’s literally no network activity so this seems to be a threat to coerce the victim into paying the ransom.
“Mamona, R.I.P!”. Ransom note, with a couple of lies
But we have an ace up our sleeve. For this engagement, alongside the malware sample, we also managed to obtain a decrypter thanks to Merlax, a friend and fellow malware researcher. Let’s take a look at how it works.
Undoing Mamona’s Damage
We’re dealing with a Ctrl-Z in .exe form, so let’s give it a chance and see how it performs. Visually, it’s a mess: the interface looks like a homemade project built with an older version of Visual Studio. UI elements are poorly rendered, often misaligned or clipping outside window boundaries.
But the backend does its job far better than the frontend, and the files are back to normal.
Files on the desktop went back to normal
By analysing the decrypter, we find an interesting internal function at offset 0x40C270. Much like in the ransomware sample, we observe a series of low-level operations: alignment to 4-byte boundaries (and $0xfffffffc, %ecx), fixed memory offsets (add $0x23), and repeated use of instructions such as mov, lea, and arithmetic operations, all indicative of a custom-built symmetric routine.
Despite the absence of a traditional XOR operation, the logic appears reversible and consistent with homemade encryption mechanisms.
Disassembly of the decrypter around offset 0x40C270
We have already infected our test machine and vaccinated it, and we are ready for the next stop on our journey: the ATT&CK Matrix. As usual, ANY.RUN takes care of that automagically.
Learn to analyze cyber threats
Follow along a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
Mapping the Threat: Mamona via MITRE ATT&CK
ANY.RUN’s ATT&CK integration makes it easy to understand and track malware behaviour by profiling its events, tactics, and techniques.
Mamona’s ATT&CK Matrix on ANY.RUN
Let’s take a look at how Mamona’s behaviour fits into this framework:
Discovery: T1012:Query Registry + T1082: System Information Discovery. The reconnaissance routine where the malware queries different local registries like hostname and language.
Execution: T1059.003:Command and Scripting Interpreter. Since Mamona spawns CMD to invoke ping as a cheap delay mechanism and then moves on to its self-deletion.
Defense Evasion: T1070.004:Indicator Removal. The self deletion routine attached to the previous ping command.
Impact: T1486: Data Encrypted for Impact. The encryption process where all our files end up having the “.HAes” extension.
This sums up Mamona’s behavior, which deviates from the usual pattern seen in commodity ransomware. It shows no network activity, no Command and Control channels over Telegram, Discord, or similar platforms. Instead, it relies on a weak, locally executed key generation routine and doesn’t include any form of double extortion, making its threats of data theft and publication purely coercive.
What it does have is a retro-styled decrypter that, despite its clunky and outdated interface, simply works.
Mamona Threat Impact
The Mamona ransomware campaign presents significant risks despite its offline, minimalistic design:
For end users: Victims face immediate file encryption, system disruption, and psychological pressure through false claims of data theft. The ransom note’s threatening tone adds urgency, even though there’s no actual data exfiltration.
For organizations: Mamona can interrupt workflows, encrypt shared drives, and complicate incident response, especially in environments lacking offline backups or real-time monitoring. Its simplicity also makes it harder to detect through conventional network-based defenses.
For security teams: The absence of C2 traffic and use of locally executed logic reduce visibility in traditional detection systems. Its use of basic commands like ping and cmd.exe mimics legitimate activity, requiring deeper behavioral analysis to flag accurately.
For the broader threat landscape: Mamona exemplifies the rise of easy-to-use, builder-based ransomware that favors simplicity over sophistication. Its leaked builder lowers the entry barrier for attackers, raising concerns about wider adoption by low-skilled threat actors.
Conclusion
The analysis of Mamona Ransomware shows how even a quiet, offline threat can cause disruptions.
This strain highlights a rising trend: ransomware that trades complexity for accessibility. It’s easy to deploy, harder to detect with traditional tools, and still effective enough to encrypt systems and pressure victims into paying. Its leaked builder and low barrier to entry only raise the risk of widespread abuse by less sophisticated attackers.
By analyzing Mamona in real time using ANY.RUN’s Interactive Sandbox, we were able to capture the full attack chain, from initial execution and system changes to ransom note deployment and encryption logic, all without needing external network traces.
Here’s how this type of dynamic analysis helps defenders stay ahead:
Detect threats faster: Spot unusual behavior, even in offline-only attacks.
See everything in motion: Monitor local activity, file operations, and persistence techniques as they happen.
Speed up investigations: Gather and interpret IOCs without jumping from one tool to another.
Respond more effectively: Share artifacts and tactics across security teams.
Experience real-time visibility with ANY.RUN and catch threats others might miss.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-06 12:06:402025-05-06 12:06:40Mamona: Technical Analysis of a New Ransomware Strain
At Cisco Talos, we understand that effective cybersecurity isn’t just about responding to incidents — it’s about preventing them from happening in the first place. One of the most powerful ways we do this is through proactive threat hunting. Our Talos Incident Response (Talos IR) team works closely with organizations to not only address existing threats but to anticipate and mitigate potential future risks. A key component of our threat-hunting approach is the Splunk SURGe team’s PEAK Threat Hunting Framework, which enables us to conduct comprehensive and proactive hunts with precision.
What is the PEAK Threat Hunting Framework?
The PEAK Framework (Prepare, Execute, and Act with Knowledge) offers a structured methodology for conducting effective and focused threat hunts. It ensures that every hunt is aligned with an organization’s specific needs and threat landscape. At the core of the PEAK framework are baseline hunts, which lay the foundation for proactive threat detection, alongside advanced techniques such as hypothesis-driven hunts and model-assisted threat hunts (M-ATH), which further enhance threat detection and mitigation.
Baseline hunts: the foundation of proactive threat hunting
Baseline hunts involve establishing a clear understanding of an organization’s normal operating environment in terms of user activity, network traffic and system processes. By documenting and analyzing this baseline, Talos IR can identify anomalous behavior that may signal malicious activity.
While these hunts can be a reactive measure, it’s important to use them proactively to detect threats trying to blend in with regular operations, such as insider threats, advanced persistent threats (APTs) and even novel attack techniques that might otherwise go undetected.
The key steps in baseline hunts are:
Defining Normal Activity: Understanding what “normal” looks like in your environment, using data from system logs, user behavior, and network traffic.
Anomaly Detection: Proactively hunting for deviations from the baseline that could indicate potential threats.
Refining the Baseline: Continuously improving and updating the baseline to account for emerging threats and changes in your infrastructure.
Hypothesis-driven hunts: Testing assumptions about threats
In addition to baseline hunts, Talos IR also uses hypothesis-driven hunts to proactively test assumptions about potential threats. These hunts are guided by specific hypotheses or educated guesses about what attackers might be doing in a given environment. Rather than relying on a static, one-size-fits-all approach without adjustments, hypothesis-driven hunts are dynamic, adapting to the specific questions and emerging threats that arise.
For example, a hypothesis-driven hunt might begin with the assumption that a particular group of users is being targeted by a phishing campaign. The hunt would focus on testing this assumption by looking for evidence of malicious emails, unusual login patterns or attempts to collect or exfiltrate data.
The key steps in hypothesis-driven hunts are:
Forming Hypotheses: Based on threat intelligence and past incidents, teams generate specific hypotheses about possible attack vectors or adversary behaviors.
Testing Hypotheses: Using data sources such as endpoint telemetry, authentication logs or network traffic, the hypothesis is tested to see if evidence supports the theory.
Analyzing Results: If the hypothesis is validated, further investigation is done to understand the full scope of the potential threat.
Model-assisted threat hunts: Leveraging machine learning to find hidden threats
Another powerful tool in Talos IR’s proactive hunting approach is model-assisted threat hunts (M-ATHs). These hunts leverage machine learning and advanced statistical models to sift through vast amounts of data and identify patterns that may indicate hidden threats. M-ATHs allow our team to detect threats that would be difficult to find using traditional methods.
Machine learning models are trained to detect suspicious behavior across different domains — such as user activity, network traffic or system logs — by looking for deviations from typical patterns. Over time, as these models learn from new data and threat intelligence, they improve in their ability to detect emerging threats.
The key steps in M-ATHs are:
Data Collection: Gathering large datasets from multiple sources, including network traffic, endpoint data, authentication logs, and more.
Model Training: Using machine learning algorithms to identify patterns in normal and malicious behavior.
Anomaly Detection: The trained model helps identify new, previously undetected anomalies or potential threats by looking for deviations from established patterns.
Refinement: The model is refined as new data is collected and analyzed, improving its ability to detect subtle threats.
Empowering threat hunts with Talos Threat Intelligence
A crucial element that enriches and empowers every Talos IR threat hunt is Talos Threat Intelligence. By integrating up-to-date, high-fidelity threat intelligence into our hunts, we enhance the accuracy, relevance, and speed of our investigations. Talos Threat Intelligence provides a continuous stream of data on emerging threats, attack trends and adversary tactics, which helps us refine hypotheses, adjust baselines and improve our machine learning models.
This intelligence is not just a complement to our hunting process; it is embedded in every stage. It helps guide our hypothesis-driven hunts, sharpens our baseline detections and feeds into the models we use for anomaly detection. With Talos Threat Intelligence, we ensure that every hunt is aligned with the latest threat landscape, empowering your team with the knowledge needed to stay one step ahead of attackers.
Proactive engagements for IR Retainer customers
For Talos IR Retainer customers, baseline hunts, hypothesis-driven hunts, and model-assisted threat hunts provide a valuable layer of ongoing, proactive support. These hunts help organizations detect and mitigate threats before they escalate into full-blown incidents. Our expert hunters work directly with your teams, ensuring that you stay ahead of evolving threats.
Some key benefits of these proactive engagements include:
Early Detection: Identifying abnormal activities that could signal a breach or malicious action, reducing the risk of an attack spreading.
Continuous Improvement: As we refine the baseline and hunting models, your security posture improves over time, allowing for faster and more accurate threat detection.
Actionable Insights: Proactive hunts deliver actionable intelligence that helps your teams strengthen their defenses, based on the latest threat trends and attack methods.
Why it matters
The cybersecurity landscape is constantly evolving, and traditional defensive methods alone are no longer sufficient. Threat actors are adept at blending malicious activity with normal operations, making it difficult to spot attacks using conventional means. By conducting baseline hunts, hypothesis-driven hunts and model-assisted threat hunts, Talos IR gives your organization the tools it needs to stay ahead of adversaries.
As new evidence is uncovered during a hunt, our team adapts and refines the investigation in real time — evolving the hypothesis, adjusting the scope or pivoting to new areas of focus based on what the data reveals.
If an active threat, adversary or malicious activity is detected during a hunt, Talos IR can dynamically pivot the engagement and escalate the situation to our 24/7 on-call Incident Response team. This ensures rapid response for containment, mitigation and eradication, effectively minimizing the potential impact of the threat.
Our Talos IR team collaborates seamlessly with the hunting team to deliver real-time support in identifying, isolating and neutralizing active threats. This integrated approach ensures your systems remain secure and prevents the threat from escalating further.
At Talos, our goal is to empower your team with the knowledge and tools to detect threats proactively, before they turn into incidents. Through our IR Retainer services, we provide continuous support to help you improve your security posture and stay one step ahead of emerging threats, all while leveraging the full power of Talos Threat Intelligence.
For more information about this service, download our At-a-Glance:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-06 10:06:422025-05-06 10:06:42Proactive threat hunting with Talos IR
Earlier this year, Apple announced a string of new initiatives aimed at creating a safer environment for young kids and teens using the company’s devices. Besides making it easier to set up kids’ accounts, the company plans to give parents the option of sharing their children’s age with app developers so as to be able to control what content they show.
Apple says these updates will be made available to parents and developers later this year. In this post, we break down the pros and cons of the new measures. We also touch on what Instagram, Facebook (and the rest of Meta) have to do with it, and discuss how the tech giants are trying to pass the buck on young users’ mental health.
Before the updates: how Apple protects kids right now
Before we talk about Apple’s future innovations, let’s quickly review the parental control status quo on Apple devices. The company introduced its first parental controls way back in June 2009 with the release of the iPhone 3.0, and has been developing them bit by bit ever since.
As things stand, users under 13 must have a special Child Account. These accounts allow parents to access the parental control features built into Apple’s operating systems. Teenagers can continue using a Child Account until the age of 18, as their parents see fit.
What Apple’s Child Account management center currently looks like. Source
Now for the new stuff…
The company has announced a series of changes to its Child Account system related to how parental status is verified. Additionally, it’ll soon be possible to edit a child’s age if it was entered incorrectly. Previously, for accounts of users under 13, it wasn’t even an option: Apple suggested waiting “for the account to naturally age up”. In borderline cases (accounts of kids just under 13), you could try a workaround involving changing the birth date — but such tricks won’t be needed for much longer.
But perhaps the most significant innovation relates to simplifying the creation of these Child Accounts. Henceforth, if parents don’t set up a device before their under-13-year-old starts using it, the child can do it themselves. In this case, Apple will automatically apply age-appropriate web content filters and only allow pre-installed apps, such as Notes, Pages, and Keynote.
Upon visiting the App Store for the first time to download an app, the child will be prompted to ask a parent to complete the setup. On the other hand, until parental consent is given, neither app developers nor Apple itself can collect data on the child.
At this point, even the least tech-savvy parent might ask the logical question: what if my child enters the wrong age during setup? Say, not 10, but 18. Won’t the deepest, darkest corners of the internet be opened up to them?
How Apple intends to solve the age verification issue
The single most substantial of Apple’s new initiatives announced in early 2025 attempts to address the problem of online age verification. The company proposes the following solution: parents will be able to select an age category and authorize sharing this information with app developers during installation or registration.
This way, instead of relying on young users to enter their date-of-birth honestly, developers will be able to use the new Declared Age Range API. In theory, app creators will also be able to use age information to steer their recommendation algorithms away from inappropriate content.
Through the API, developers will only know a child’s age category — not their exact date of birth. Apple has also stated that parents will be able to revoke permission to share age information at any time.
In practice, access to the age category will become yet another permission that young users will be able to give (or, more likely, not give) to apps — just like permissions to access the camera and microphone, or to track user actions across apps.
This is where the main flaw of the proposed solution lies. At present, Apple has given no guarantee that if a user denies permission for age-category access, they won’t be able to use a downloaded app. This decision rests with app developers, as there are no legal consequences for allowing children access to inappropriate content. Moreover, many companies are actively seeking to grow their young audience, since young kids and teens spend a lot of their time online (more on this below).
Finally, let’s mention Apple’s latest innovation: its updating its age-rating system. It will now consist of five categories: 4+, 9+, 13+, 16+, and 18+. In the company’s own words, “This will allow users a more granular understanding of an app’s appropriateness, and developers a more precise way to rate their apps”.
Apple is updating its age rating system — it will comprise five categories. Source
Apple and Meta disagree over who’s responsible for children’s safety online
The problem of verifying a young person’s age online has long been a hot topic. The idea of showing ID every time you want to use an app is, naturally, hardly a crowd-pleaser.
At the same time, taking all users at their word is asking for trouble. After all, even an 11-year-old can figure out how to edit their age in order to register on TikTok, Instagram, or Facebook.
App developers and app stores are all too eager to lay the responsibility for verifying a child’s age at anyone else’s doorstep but their own. Among app developers, Meta is particularly vocal in advocating that age verification is the duty of app stores. And app stores (especially Apple’s) insist that the buck stops with app developers.
Many view Apple’s new initiatives on this matter as a compromise. Meta itself has this to say:
“Parents tell us they want to have the final say over the apps their teens use, and that’s why we support legislation that requires app stores to verify a child’s age and get a parent’s approval before their child downloads an app”.
All very well on paper — but can it be trusted?
Child safety isn’t the priority: why you shouldn’t trust tech giants
Entrusting kids’ online safety to companies that directly profit from the addictive nature of their products doesn’t seem like the best approach. Leaks from Meta, whose statements on Apple’s solution we cited above, have repeatedly shown that the company targets young users deliberately.
For example, in her book Careless People, Sarah Wynne-Williams, former global public policy director at Facebook (now Meta), recounts how in 2017 she learned that the company was inviting advertisers to target teens aged 13 to 17 across all its platforms, including Instagram.
At the time, Facebook was selling the chance to show ads to youngsters at their most psychologically vulnerable — when they felt “worthless”, “insecure”, “stressed”, “defeated”, “anxious”, “stupid”, “useless”, and/or “like a failure”. In practice, this meant, for example, that the company would track when teenage girls deleted selfies to then show them ads for beauty products.
Another leak revealed that Facebook was actively hiring new employees to develop products aimed at kids as young as six, with the goal of expanding its consumer base. It’s all a bit reminiscent of tobacco companies’ best practices back in the 1960s.
Apple has never particularly prioritized kids’ online safety, either. For a long time its parental controls were quite limited, and kids themselves were quick to exploit holes in them.
It wasn’t until 2024 that Apple finally closed a vulnerability allowing kids to bypass controls just by entering a specific nonsensical phrase in the Safari address bar. That was all it took to disable Screen Time controls for Safari — giving kids access to any website. The vulnerability was first reported back in 2021, yet it took three years for the company to react.
Content control: what really helps parents
Child psychology experts agree that unlimited consumption of digital content is bad for children’s psychological and physical health. In his 2024 book The Anxious Generation, US psychologist Jonathan Haidt describes how smartphone and social media use among teenage girls can lead to depression, anxiety, and even self-harm. As for boys, Haidt points to the dangers of overexposure to video games and pornography during their formative years.
Apple may have taken a step in the right direction, but it’ll be for nothing if third-party app developers decide not to play ball. And as the example of Meta illustrates, relying on their honesty and integrity seems premature.
Therefore, despite Apple’s innovations, if you need a helping hand, you’ll find one… at the end of your own arm. If you want to maintain control over what and how much your child consumes online with minimal interference in their life, look no further than our parental control solution.
Kaspersky Safe Kids lets you view reports detailing your child’s activity in apps and online in general. You can use these to customize restrictions and prevent digital addiction by filtering out inappropriate content in search results and, if necessary, blocking specific sites and apps.
What other online threats do kids face, and how to neutralize them? Essential reading:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-05 14:07:522025-05-05 14:07:52Apple beefs up parental controls: what it means for kids | Kaspersky official blog
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-03 23:07:032025-05-03 23:07:03RSAC 2025 wrap-up – Week in security with Tony Anscombe
Welcome to this week’s edition of the Threat Source newsletter.
Recently, I was invited to sit on a panel at the CIO4Good Conference here in Washington D.C., where I talked about incident response and cyber preparedness to a room full of CIOs who help lead wonderful missions to help others. I’m incredibly fortunate to be able to volunteer for the NGO community. I’ve been involved with them for a few years now, and it has been a singular experience.
I sit in a uniquely blessed situation. Cisco Talos is resourced to help protect our customers — we have expertise, tooling and a huge array of diverse security skillsets. A humanitarian assistance or non-governmental organization (NGO) usually has none or very few of these luxuries. If I can take some of my time and experience here at Talos and help others who provide housing to the homeless, protect refugees or feed the hungry, damn right I’m gonna do it. And NGOs? They really need help.
In today’s global humanitarian funding climate, money and grants are very scarce to come by. This means the competition for the dollars that remain is fierce, and that things like cybersecurity can fall by the wayside. But security in an NGO is incredibly important. We’re talking about incredibly vulnerable and marginalized people who deserve aid, and the amazing volunteers who should have privacy without malicious interference.
The hard truth is that cybersecurity can be a bleak space. We as professionals do not operate in the “good news” business. We work, and thrive, in adversarial conditions — actively searching for what the bad guys are doing and learning how they are coming after the good guys. They’re launching ransomware. They are extorting and causing real harm to others. This is day in and day out, and it can wear you down mentally. You have to endure and focus on the mission. After all, that’s the gig.
This is why I enjoy volunteering by either giving some of my time and expertise to a mentee or to an NGO that has an outstanding mission to help others. It puts fuel in your soul and reminds you that others are fighting their own good fights. These organizations are some of the best. They have a thankless, often dangerous, mission to help others have better lives. The way I see it, volunteering is the least I could do.
This week is bittersweet because we’re discussing the final section of Talos’ 2024 Year in Review report. Let’s jump into the abyss of AI-based threats together.
Why do I care?
AI may not have upended the threat landscape last year, but it’s setting the stage for 2025, where agentic AI and automated vulnerability discovery could pose serious challenges for defenders. The future may bring:
The use of agentic AI to conduct multi-stage attacks or find creative ways to access restricted systems
Improved personalization and professionalization of social engineering
Automated vulnerability discovery and exploitation
Capabilities to compromise AI models, systems and infrastructure that organizations around the world are building
So now what?
Continue to stay informed and alert, and for more information, read Talos’ blog post about these threats or download the full Year in Review.
Top security headlines of the week
AirPlay Vulnerabilities Expose Apple Devices to Zero-Click Takeover. The identified security defects, 23 in total, could be exploited over wireless networks and peer–to-peer connections, leading to the complete compromise of not only Apple products, but also third-party devices that use the AirPlay SDK. (SecurityWeek)
4 Million Affected by VeriSource Data Breach. VeriSource says the stolen information belonged to employees and dependents of companies using its services. It has been working with its customers to “collect the necessary information to notify additional individuals affected by this incident.” (SecurityWeek)
SAP NetWeaver Visual Composer Flaw Under Active Exploitation. CVE-2025-31324 is a critical vulnerability with a maximum CVSS score of 10 that affects all SAP NetWeaver 7.xx versions. It allows unauthenticated remote attackers to upload arbitrary files to Internet exposed systems without any restrictions. (DarkReading)
FBI shares massive list of 42,000 LabHost phishing domains. The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. (BleepingComputer)
Can’t get enough Talos?
State-of-the-art phishing: MFA bypass. Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.
TTP Episode 11. Craig, Bill and Hazel discuss three of the biggest callouts from Cisco Talos’ latest Incident Response Quarterly Trends.
Talos Takes: Identity and MFA. Hazel and friends discuss how AI isn’t rewriting the cybercrime playbook, but it is turbo charging some of the old tricks, particularly on the social engineering side.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-01 18:06:432025-05-01 18:06:43Understanding the challenges of securing an NGO
Cybercriminals are bypassing multi-factor authentication (MFA) using adversary-in-the-middle (AiTM) attacks via reverse proxies, intercepting credentials and authentication cookies.
The developers behind Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA and Evilproxy have added features to make them easier to use and harder to detect.
WebAuthn, a passwordless MFA solution using public key cryptography, prevents password transmission and nullifies server-side authentication databases, offering a robust defense against MFA bypass attacks.
Despite its strong security benefits, WebAuthn has seen slow adoption. Cisco Talos recommends that organizations reassess their current MFA strategies in light of these evolving phishing threats.
For the past thirty years, phishing has been a staple in many cybercriminals’ arsenals. All cybersecurity professionals are familiar with phishing attacks: Criminals impersonate a trusted site in an attempt to social engineer victims into divulging personal or private information such as account usernames and passwords. In the early days of phishing, it was often enough for cybercriminals to create fake landing pages matching the official site, harvest authentication credentials and use them to access victims’ accounts.
Since that time, network defenders have endeavored to prevent these types of attacks using a variety of techniques. Besides implementing strong anti-spam systems to filter phishing emails out of users’ inboxes, many organizations also conduct simulated phishing attacks on their own users to train them to recognize phishing emails. These techniques worked for a time, but as phishing attacks have become more sophisticated and more targeted, spam filters and user training have become less effective.
At the root of this problem is the fact that usernames are often easy to guess or discover, and people are generally very bad at using strong passwords. People also tend to re-use the same weak passwords across many different sites. Cybercriminals, armed with a victim’s username and password, will often attempt credential stuffing attacks, and log into many different sites using the same username/password combination.
To prove that users are valid, authentication systems generally rely on at least one of three authentication methods or factors:
Something you know (ex. a username and password)
Something you have (ex. a smartphone or USB key)
Something you are (ex. your fingerprint or face recognition)
In the presence of increasingly sophisticated phishing messages, using only one authentication factor, such as a username/password, is problematic. Many network defenders have responded by implementing MFA, which includes an additional factor, such as an SMS message or push notification, as an extra step to confirm a user’s identity when logging in. By including an additional factor in the authentication process, compromised usernames and passwords become much less valuable to cybercriminals. However, cybercriminals are a creative bunch, and they have devised a clever way around MFA. Enter the wild world of MFA bypass!
Typically, this is done using a reverse proxy. A reverse proxy functions as an intermediary server, accepting requests from the client before forwarding them on to the actual web servers to which the client wishes to connect.
To bypass MFA the attacker sets up a reverse proxy and sends out phishing messages as normal. When the victim connects to the attacker’s reverse proxy, the attacker forwards the victim’s traffic onwards to the real site. From the perspective of the victim, the site they have connected to looks authentic — and it is! The victim is interacting with the legitimate website. The only difference perceptible to the victim is the location of the site in the web browser’s address bar.
By inserting themselves in the middle of this client-server communication the attacker is able to intercept the username and password as it is sent from the victim to the legitimate site. This completes the first stage of the attack and triggers an MFA request sent back to the victim from the legitimate site. When the expected MFA request is received and approved, an authentication cookie is returned to the victim through the attacker’s proxy server where it is intercepted by the attacker. The attacker now possesses both the victim’s username/password as well as an authentication cookie from the legitimate site.
Figure 1. Flow diagram illustrating MFA bypass using a reverse proxy.
Phishing-as-a-Service (PhaaS) kits
Thanks to turnkey Phishing-as-a-Service (Phaas) toolkits, almost anyone can conduct these types of phishing attacks without knowing much about what is happening under the hood. Toolkits such as Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, Mamba 2FA and more have emerged in this space. Over time the developers behind some of these kits have added features to make them easier to use and harder to detect:
Phaas MFA bypass kits typically include templates for the most popular phishing targets to aid cybercriminals in the task of setting up their phishing campaigns.
MFA bypass kits limit access to the phishing links to only users who possess the correct phishing URL and redirect other visitors to benign webpages.
MFA bypass kits often check the IP address and/or User-Agent header of the visitor, preventing access if the IP address corresponds to a known security company/crawler or if the User-Agent indicates that it is a bot. User-Agent filters may also be used to further target the phishing attacks towards users running specific hardware/software.
Reverse proxy MFA bypass kits typically inject their own JavaScript code into the pages they serve to victims to gather additional information about the visitor, and handle redirects after the authentication cookie has been stolen. These scripts are often dynamically obfuscated to prevent static fingerprinting that would allow security vendors to identify the MFA bypass attack sites.
To thwart anti-phishing defenses which may automatically visit URLs contained in an email at the time it is received, there may be a short, programmable delay between when the phishing message is sent and when the phishing lure URL is activated.
Figure 2. An example phishing message associated with the Tycoon 2FA phishing toolkit.
Accelerating the rise in MFA bypass attacks via reverse proxy are publicly available open-source tools, such as Evilginx. Evilginx debuted in 2017 as a modified version of the popular open-source web server nginx. Over time, the application was redesigned and rewritten in Go and implements its own HTTP and DNS server. Although it is marketed as a tool for red teams’ penetration testing needs, because it is open source, anyone can download and modify it.
Fortunately for defenders, there are characteristics common to Evilginx deployments, as well as other AiTM MFA bypass toolkits, that can provide clues an MFA bypass attack may be in progress:
Many MFA bypass reverse proxy servers are hosted on relatively newly registered domains/certificates.
Capturing an authentication cookie only gives attackers access to the victim’s account for that single session. Once they have access to a victim’s account, many attackers add additional MFA devices to the account to maintain persistence. By auditing MFA logs for this kind of activity, defenders may find accounts that have fallen victim to MFA bypass attacks.
By default, Evilginx phishing lure URLs have a URL path consisting of 8 mixed case letters.
By default, Evilginx uses HTTP certificates obtained from LetsEncrypt. Additionally, the certificates it creates by default have an Organization set to “Evilginx Signature Trust Co.”, and a CommonName set to “Evilginx Super-Evil Root CA”.
After a session authentication cookie has been intercepted by the attacker, they will typically load this cookie into their own browser to impersonate the victim. Unless the attacker is careful, for a time, there will be two different users with different User-Agents and IP addresses using the same session cookie. This may be discoverable through web logs or security products that look for things like “impossible travel”.
To avoid the victim clicking a link that redirects them away from the phishing site, the Evilginx reverse proxy rewrites URLs contained in the HTML from the legitimate site. Popular phishing targets may utilize very specific URL paths, and network defenders can look for these URL paths being served from servers other than the legitimate site.
Many MFA bypass reverse proxy implementations are written using Transport Layer Security (TLS) implementations that are native to that programming language. Thus, the TLS fingerprint of the reverse proxy and the legitimate website will be different.
WebAuthn to the rescue?
FIDO (Fast IDentity Online) Alliance and W3C created WebAuthn (Web Authentication API) — a specification that enables MFA based on public key cryptography. WebAuthn is essentially passwordless. When a user registers for MFA using WebAuthn, a cryptographic keypair is generated. The private key is kept on the user’s device, and the corresponding public key is kept on the server.
When a client wants to log in, they indicate this to the server who responds with a challenge. The client then signs this data and returns it to the server. The server can verify the challenge was signed using the user’s private key. No passwords are ever entered into a web form, and no passwords are transmitted over the internet. This also has the side effect of making server-side authentication databases useless to attackers. What good will stealing a public key do?
Figure 3. The WebAuthn authentication process.
As an extra layer of security, WebAuthn credentials are also bound to the website origin where they will be used. For example, suppose a user clicks a link in a phishing message and navigates to an attacker-controlled reverse proxy at mfabypass.com, which is impersonating the user’s bank. The location in the web browser’s address bar will not match the location of the bank to which the credentials are bound, and the WebAuthn MFA authentication process will fail. Binding credentials to a specific origin also eliminates related identity-based attacks such as credential stuffing, where attackers try to reuse the same credentials at multiple sites.
Although the WebAuthn specification was first published back in 2019, it has experienced relatively slow adoption. Based on authentication telemetry data from Cisco Duo for the past six months, it appears that WebAuthn MFA authentications still make up a very low percentage of all MFA authentications.
To a certain degree, this is understandable. Many organizations may have already rolled out other types of MFA and may feel like that is enough protection. However, they may want to rethink their approach as more and more phishing attacks implement MFA bypass strategies.
Coverage
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
