Can your photos and other data be downloaded or erased from your smartphone while it’s charging from a public charging port — on public transport, in a clinic, at the airport, and so on? Despite manufacturers’ safety measures, it’s sometimes possible.
Hackers first came up with such attacks way back in 2011: if an innocent-looking USB charging port doesn’t just supply electricity but contains a hidden computer, it can connect to your smartphone in data-transfer mode using the Media Transfer Protocol (MTP) or Picture Transfer Protocol (PTP) and extract data from the device. This attack became known as juice-jacking, and both Google and Apple quickly came up with a safeguard: when a smartphone is connected to a device supporting MTP/PTP, it asks the user whether to allow data transfer or just charge. For many years, this simple precaution seemed to solve the problem… until 2025 — when researchers from Graz University of Technology in Styria, Austria, discovered a way to bypass it.
ChoiceJacking attack
In the new attacks — dubbed ChoiceJacking attacks — a malicious device disguised as a charging station confirms on its own that the victim supposedly wants to connect in data-transfer mode. Depending on the manufacturer and OS version, there are three variants of the attack. Each variant finds a different way to bypass a certain limitation in the USB protocol: a device cannot operate in both host mode (as a computer) and peripheral mode (e.g., as a mouse or keyboard) at the same time.
The first method is the most complex but works on both iOS and Android. A microcomputer is disguised as a charging station. This microcomputer can connect to a smartphone as a USB keyboard, USB host (computer), and Bluetooth keyboard.
When the smartphone is plugged in, the malicious station emulates a USB keyboard and sends commands to turn on Bluetooth and connect to a Bluetooth device — the very same malicious computer, now impersonating a Bluetooth keyboard. After that, the system reconnects via USB, now posing as a computer. The smartphone asks the user whether to allow data transfer — and the malicious device confirms the request via a Bluetooth “keystroke”.
The second method only works on Android and doesn’t require Bluetooth. The malicious charger pretends to be a USB keyboard and floods the smartphone with keystrokes — overwhelming the input buffer. While the OS is busy processing this meaningless input, the charger disconnects and reconnects — this time as a computer. A prompt appears on screen asking which mode to connect in, and right at that moment the tail end of the keyboard input buffer plays out, containing a keystroke sequence that confirms connection in data-transfer mode (MTP, PTP, or even ADB debug mode).
The third method — also Android-only — exploits the fact that all tested smartphones incorrectly implement the Android Open Access Protocol (AOAP). The malicious device connects as a computer right away, and when the confirmation screen appears, it sends the necessary keystroke events through AOAP. According to the protocol, simultaneous operation in both USB-host and AOAP modes is prohibited — but in practice, this restriction is often ignored.
Which devices are protected from USB ChoiceJacking?
Both Apple and Google blocked these attack methods in iOS/iPadOS 18.4, and Android 15, respectively. Now, in order to confirm USB data transfer, it’s not enough to simply press Yes — you need to pass biometric authentication or enter a password. Unfortunately, on Android, the OS version alone doesn’t guarantee your smartphone’s safety. For example, Samsung devices running the One UI 7 shell don’t request authentication — even after updating to Android 15.
That’s why Android users who have updated to Android 15 are advised to connect their smartphone to a known safe computer via a cable and check whether a password or biometric confirmation is required. If not — avoid public charging stations.
How serious is this, and how to protect yourself?
While law enforcement agencies have occasionally warned about USB data-theft attacks (1, 2), no real-world attacks have ever been publicly documented. This doesn’t mean they’ve never occurred, but it clearly isn’t a widespread threat.
If you’re concerned about such attacks, you should only charge you devices using your own trusted charger or power bank, or use a USB data blocker — an adapter that allows only power to flow through the cable while preventing data transmission. These adapters, also called “USB Condoms”, are quite effective, but can slow down charging on newer smartphones since they also block the data signals required for Quick Charge mode. Alternatively, you could use a cheap charge-only USB cable (which can’t transmit data), but you should test it first with a trusted computer to ensure no data-transfer prompt appears on the screen; then you’ll need to carry it around with you everywhere — and keep in mind that it also rules out Quick Charge.
The most crucial and widely available protection is updating to the latest versions of Android or iOS.
If you ever find yourself in a bind — with an outdated OS, no blocker, and an urgent need to use the nearest USB charger — just remain vigilant while charging. When you connect the phone, watch the screen: if it doesn’t just start charging but prompts you to choose the connection type, select Charging only. If you’re really worried about your data, it’s better to unplug and look for a less “smart” port.
For more on other unusual smartphone hacks — check these out:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-27 11:06:402025-05-27 11:06:40The ChoiceJacking attack: stealing smartphone photos and data while charging via USB | Kaspersky official blog
For an email attack to succeed, the first thing cybercriminals need to do is get their messages in front of potential victims. In a recent post, we covered how scammers leveraged notifications from GetShared — a fully legitimate service for sharing large files. Today, we examine another method for delivering malicious emails. The operators behind this scam have learned to insert custom text into genuine thank-you messages sent by Microsoft 365 to its new business subscribers.
A genuine Microsoft email with a nasty surprise inside
The attack kicks off with a legitimate email in which Microsoft thanks the recipient for purchasing a Microsoft 365 Apps for Business subscription. The email does, in fact, arrive from the Redmond tech giant’s legitimate address: microsoft-noreply@microsoft.com. One would be hard-pressed to imagine an email address with a more trusted reputation, so the message easily gets past any email server filters.
One more time, just so we’re clear: this is an honest-to-goodness email from Microsoft. The contents match a typical purchase confirmation. In the screenshot below, the company thanks the recipient for buying 55 Microsoft 365 Apps for Business subscriptions worth a total of $587.95.
Example of a Microsoft business notification where attackers inserted their message in the Billing information section
The crux of the scam lies in the text attackers add to the Billing information section. Typically, this section contains the subscriber company’s name and the billing address. However, the scammers swap out that information for their own phone number, plus a note encouraging the recipient to call “Microsoft” if they need any assistance. The types of “purchased” subscriptions suggest that the scammers are targeting company employees.
They prey on a common employee fear: making an expensive, unnecessary purchase could cause trouble at work. And since resolving the issue by email isn’t an option (the message comes from a no-reply address), the victim is left with little choice but to call the phone number provided.
Who answers the calls, and what happens next?
If the victim takes the bait and decides to call to inquire about the subscriptions they’ve supposedly purchased, the scammers deploy social engineering tricks.
A Reddit user, who’d received a similar email and called the number, shared their experience. According to the victim, the person who answered the call insisted on installing some support software, and sent an EXE file. The subsequent conversation suggests that the file contained a RAT of some kind.
The victim didn’t suspect anything was amiss until the scammer promised to refund money to their bank account. That was a red flag, as they shouldn’t have had access to the victim’s banking details. The scammer went on to ask the victim to sign in to their online banking to check if the transaction had gone through.
The victim believes that the software installed on their computer was malware that would have allowed the attackers to intercept their login credentials. Fortunately, they recognized the danger early enough and hung up. Within the same thread, other Reddit users reported similar emails containing various contact details.
How scammers send phishing emails from a genuine Microsoft address
How, exactly, the attackers manage to send Microsoft notifications to their victims is still something of a mystery. The most plausible explanation came from another Reddit user, who suggested that the scam operators were using stolen credentials or trial versions to access Microsoft 365. By using BCC or simply entering the victim’s email address when purchasing a subscription, they can send messages like the one shown in the screenshot above.
An alternative theory is that the scammers gain access to an account with an active Microsoft 365 subscription and then use the billing-information resend feature — specifying the target user as the recipient.
Whichever is true, the attackers’ goal is to replace the billing information — the only part of the Microsoft notification they can alter — with their own phone number.
How to protect yourself against such attacks
Malicious actors keep finding new loopholes in well-known, perfectly legitimate services to use for phishing campaigns and scams. That’s why, to keep an organization secure, you need not only technical protections but also administrative controls. Here’s what we recommend:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-26 17:06:402025-05-26 17:06:40How scammers exploit genuine Microsoft business notifications
ESET Research has been tracking Danabot’s activity since 2018 as part of a global effort that resulted in a major disruption of the malware’s infrastructure
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-24 18:06:492025-05-24 18:06:49Danabot under the microscope
Smart homes today are nothing like the science fiction in late-90s movies. They’re a reality for almost everyone living in a major city. You’d be hard-pressed to find a modern apartment without smart electricity outlets, speaker, or TV. In new construction, you’ll sometimes see homes built smart right from the get-go, which results in entire smart residential complexes. Residents can manage not just their in-apartment devices, but also external systems like intercoms, cameras, gates, utility meters, and fire alarms – all through a single app.
But what happens if there’s a security hole in an app like that? Our experts in the Global Research and Analysis Team (GReAT) know the answer. They’ve uncovered a vulnerability in the Rubetek Home app and explored the potential security risks for smart-home owners, which, thankfully, didn’t materialize.
What the vulnerability was all about
This vulnerability stemmed from the app sending sensitive data during its logging process. The developers used the Telegram Bot API to collect analytics and send debug information files from users to a private development-team chat via a Telegram bot.
The problem was that these files, in addition to system information, contained users’ personal data and, more critically, refresh tokens needed to authorize access to the user’s account. Potential attackers could have forwarded all these files to themselves using the same Telegram bot. To do this, they could obtain its Telegram token and the chat ID from the app code, and then iterate through the sequential numbers of messages containing the files.
Recently, logging events via Telegram has become increasingly popular. It’s convenient and fast to receive important notifications in messenger. However, this approach requires caution: we recommend not to forward sensitive data in the application logs, and, in addition, to prohibit copying and forwarding content from the group in Telegram settings or use the protect_content parameter when sending a message through a Telegram bot.
Important note: we contacted Rubetek immediately upon discovering the vulnerability. At the time of this post, the issue had been fixed.
Potential attackers could have gained access to data that all of the user’s apps were sending to the developer. The list of this data is mind-boggling:
Full name, email address or cellphone number, and address of the property linked to the app
List of devices linked to the smart-home system
Information about events logged by smart devices, like whether the home was armed or disarmed, or whether any suspicious sounds were picked up by cameras
System information about devices within the local home network: MAC address, IP address, and device type
IP addresses for connecting to cameras over the WebRTC protocol
Snapshots from smart cameras and intercoms
The user’s chats with form of assistance
Tokens allowing to initiate a new session with the user’s account
Users of both Android and iOS apps were at risk.
What happens if bad actors actually gain control of your smart home?
This wide range of data could have allowed for comprehensive surveillance – permitting knowing who lives where and on which days they aren’t home. Criminals could have learned someone’s schedule and, during those empty hours, enter any apartment after remotely disabling cameras and other security systems through the app.
While such a blatant break-in would certainly have been noticed, there are other, more subtle possibilities. For example, by exploiting the vulnerability, attackers could have remotely changed the colors of smart lightbulbs and floor temperatures, endlessly turning lights on and off, causing the homeowners a noticeable financial loss.
What’s even more unsettling was the potential for an attacker to target not just one apartment or house, but thousands of residents in an entire complex. Of course, simultaneously disabling access-control systems wouldn’t have gone unnoticed by the building management, but how quickly would they work out what was happening, and what damage could residents suffer in the meantime?
How to secure your smart home
Keep in mind that the type of vulnerabilities we’re discussing could be present in other smart-home apps as well. Being one of millions of customers, you have virtually no way of knowing if an app has been compromised. Therefore, if you notice even the slightest kinds of suspicious activity, such as new people on your guest list, unauthorized opening and closing of gates and doors, and so on, we recommend contacting the app administrator and vendor as soon as possible.
Back in a more common scenario, like using smart devices within your own apartment with no network administrator to turn to, we recommend following these rules:
Secure your Wi-Fi router by changing the default password to a stronger one, disable WPS, and enable WPA2 encryption.
Create a dedicated Wi-Fi network for your smart-home devices, and set a different password for it. Modern routers support guest networks, so if, say, a smart cradle is hacked, criminals won’t gain access to your computers or smartphones.
Use the Kaspersky Premium app to regularly check your network for unauthorized devices. If everything is fine, Smart Home Monitor will only show information about your devices.
Set strong passwords for each device. You don’t have to memorize them: Kaspersky Password Manager can handle that.
Regularly update the firmware of all your smart devices – including your router.
Check out these links to explore other potential risks of a hacked smart home and ways to protect your property.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-23 10:06:452025-05-23 10:06:45Vulnerability in the Rubetek Home smart-home app | Kaspersky official blog
Cisco Talos reviewed six months of network connection telemetry logs spanning June 1, 2024 – Dec. 31, 2024, containing 3,220,829 log events and 742 unique base domains, to explore if domains that PowerShell rarely contacts are more likely to be malicious.
Key findings reveal that the odds of a rare domain being malicious were 3.18 times higher than for frequently contacted domains (95% CI: 0.39–25.9), suggesting a trend towards higher risk in rare domains.
Notably, the non-rare domain ‘githubusercontent.com’ was flagged as malicious due to activity from its subdomain ‘raw.githubusercontent.com’. This is an example of why subdomains should be considered when looking for malicious network traffic, especially for cloud services where the service itself is legitimate, but the content hosted on it is not guaranteed to be.
Research Methodology
Hypothesis
At a sufficiently high volume of telemetry, domain names that PowerShell rarely connects to are more likely to be malicious than domains that are frequently connected to, regardless of PowerShell module.
Data Collection
Talos queried telemetry for PowerShell network connection logs from a time period of June 1, 2024 to Dec. 31, 2024. This dataset included the following processes: ‘powershell.exe’, ‘powershell studio.exe’, ‘powershell_ise.exe’, ‘powershelltools.exe’, ‘powershelltoolsx64.exe’, ‘pwsh’, and ‘pwsh.exe’. All of these processes are different versions of PowerShell. Talos excluded non-public top-level domains (TLDs), such as internal domains, to focus on external connections.
Data Processing
Using the tldextract library, Talos extracted base domains (e.g., ‘automox.com’ from ‘api.automox.com’), resulting in 742 unique base domains. Rarity was defined as an average of ≤5 average contacts per full domain, calculated by dividing the total contacts by the number of unique full domains per base domain. This threshold identified 550 rare domains (74.1% of the total).
Threat Intelligence and Manual Review
Talos assessed domain reputation using ReversingLabs (RL), which flagged a domain as malicious if any third-party source indicated so. To mitigate false positives (e.g., ‘adobe.com’), 29 domains were manually reviewed and overridden as benign, and their process arguments were documented. For subdomains such as ‘raw.githubusercontent.com’ under ‘githubusercontent.com’, the process arguments in those logs were manually reviewed, flagging 5 out of 10 connections as malicious based on commands like downloading PowerSploit or executing Invoke-Mimikatz, ensuring comprehensive threat detection.
Findings & Analysis
Domain Contact Distribution
The distribution of contacts was heavily skewed:
Percentiles: 60th percentile at 5.0 contacts, 90th at 82.0, 95th at 321.55, and 99th at 7,925.87
Top Domains: ‘automox.com’ (2,282,308 contacts), ‘launchdarkly.com’ (493,812), and ‘amazonaws.com’ (166,536) accounted for most activity.
Automox is a service for automated endpoint configuration and patch management.
LaunchDarkly is a software development platform for managing feature flags and context-aware targeting of features.
Amazon Web Services (AWS) is the largest cloud service provider.
Rare Domains: 550 of 742 domains fell into the rare category.
Figure 1. Cumulative distribution of domain contact frequencies.
Malicious Domain Statistics
Rare Domains: 9 malicious out of 550 (1.64%, 95% CI: 0.86%–3.08%)
Non-Rare Domains: 1 malicious out of 192 (0.52%, 95% CI: 0.09%–2.89%), notably ‘githubusercontent.com’
Odds Ratio: 3.18 (95% CI: 0.39–25.9), indicating a trend towards higher risk in rare domains, though not statistically significant (chi-square p=0.4291, Fisher’s exact p=0.4668), likely due to small sample sizes (9 rare, 1 non-rare)
Figure 2. Malicious rates by domain rarity.
Case Study: githubusercontent.com
The non-rare domain ‘githubusercontent.com’ (38 contacts, 2 full domains: ‘raw.githubusercontent.com’ and ‘objects.githubusercontent.com’, average 19.00 contacts per full domain) was flagged as malicious due to 5 manually identified malicious contacts from ‘raw.githubusercontent.com’. These contacts involved potentially malicious PowerShell commands, such as downloading and executing scripts like PowerSploit or Invoke-Mimikatz. The other subdomain, ‘objects.githubusercontent.com’ (28 contacts), showed no malicious activity. This finding illustrates that even frequently contacted domains can host malicious subdomains, emphasizing the need for subdomain-level analysis in threat detection.
Comparison to other Processes
Another research question investigated was how the domains contacted by other similar processes would compare to those contacted by PowerShell. For the purposes of this research, Talos chose the following processes for analysis:
‘rundll32.exe’
Python (including macOS and Windows versions)
‘cmd.exe’
‘cscript.exe’
‘wscript.exe’
‘bash’
‘zsh’
These processes are primarily other command line or script interpreters, as well as ‘rundll32.exe’, which allows executing Dynamically Linked Libraries (DLLs) from the command line.
When the same heuristics as were utilized for PowerShell were applied to the domains contacted by these processes, the results varied somewhat. Across 156,203 total connection records for ‘rundll32.exe’, 940 unique domains were contacted. Of these, 722 of these domains were “rare,” using the same heuristic applied to PowerShell (i.e., they were contacted at most five times). Only one of the domains contacted was found to be malicious, either among the rare domains or the non-rare domains.
Similarly, among 795,346 total connection records for Python, 825 unique domains were contacted and 616 were rare using the same criteria. None of the rare domains were malicious, while 1 of the non-rare domains was. The processes cscript, cmd, zsh and csh had similar results, with no or single digit numbers of malicious domains contacted. However, wscript was much more interesting. It had a much smaller amount of total utilization in the dataset investigated, with just 6,936 connection events and 82 unique domains contacted. Of these, 58 domains were rare (or roughly 71%), and 5 were found to be malicious.
Recommendations
Prioritize Rare Domains: Security teams should focus investigations on rare domains due to their higher likelihood of being malicious, despite statistical non-significance. This finding applies primarily to PowerShell and wscript among the processes considered in this research.
Subdomain Analysis: For frequently contacted domains, analyze subdomains and process arguments to detect malicious activity, as demonstrated with ‘githubusercontent.com’.
Integrate Manual Review: Combine automated threat intelligence with manual reviews to reduce false positives and identify nuanced threats, particularly in high-contact domains.
Investigate Anomalous Utilization of ‘wscript.exe’: Some environments may still commonly utilize wscript. However, this research suggests that in environments where it is rare, it has the highest likelihood to be used to connect to malicious domains of the processes researched.
Future Work
This research presents several opportunities for future research. One opportunity is temporal analysis to determine if there were time-based patterns for contacting domains, and if so, determining if these patterns could be used to identify malicious activity. This could potentially include seeing increased contacts of malicious domains during weekends or off-hours. Time-series analysis could be applied to the data to test this hypothesis.
Another opportunity is the behavioral analysis of process arguments, focusing on identifying recurring patterns tied to malicious activity, such as downloading PowerShell scripts from a remote host, or exfiltration of data. This could be used to refine the current rarity to malicious correlation of 1.64% for rare domains versus 0.52% for non-rare domains. This may spotlight behavioral red flags and give actionable insights for more precision detection logic.
Finally, future research can develop a risk scoring system that integrates multiple factors such as contact frequency, malicious rate, TLDs and even ReversingLabs’ network threat intelligence. This can provide a scalable and practical tool for security teams to prioritize high-risk domains, whether rare or non-rare like ‘githubusercontent.com’. This builds on the current analysis but also paves the way for more robust, data-driven strategies to combat threats, ensuring this research delivers lasting value to the security community.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-23 10:06:452025-05-23 10:06:45Scarcity signals: Are rare activities red flags?
Welcome to this week’s edition of the Threat Source newsletter.
Talos recently published research into how threat actors are increasingly teaming up across the attack chain. Each group handles a slice of the operation, passing the breach along like a relay baton.
It’s a concerning trend — one that we believe calls for rethinking traditional threat modeling. But one thing stood out to me while reading: cybercriminals are often terrible at teamwork.
What if the ransomware affiliate is waiting on credentials that never arrive? The access broker sells a foothold, but the tooling meant to exploit it isn’t ready, doesn’t work in the target environment or never shows up at all?
Ghosting isn’t limited to dating apps or job interviews (and if you’ve been through six interview rounds and still heard nothing, I see you). Cybercriminals flake too — whether it’s bad timing, better targets, internal drama… or maybe they just went to get a haircut (an actual complaint that a Conti member made about a fellow actor not showing up).
In this compartmentalized model, the threat chain becomes a fragile supply line, stitched together in real time. Efficient, yes — but brittle. If one actor drops out, the whole operation can unravel. And let’s not pretend there’s honour among cybercriminals. They’re opportunists. What’s to stop a broker from selling the same credentials to multiple buyers? Or backing out entirely if a better offer lands?
Of course, this ecosystem isn’t monolithic. Some groups run like structured businesses — access brokers, malware builders, “customer” (aka victim) services, the works. Others are looser, relying on whoever turns up in their DMs with access for sale. It’s the latter where ghosting seems more likely. In organised crews, a flaky broker risks reputational damage. In the freelance underworld, it’s just Tuesday.
Oof, I didn’t mean to knock freelancers there. Just, you know, those ones…
History suggests fallouts are inevitable. Conti’s collapse, as Wired reported, started with a single angry post and spiraled into a full on leak about poor performance records:
“I have 100 people here, half of them, even 10 percent, do not do what they need.”
– Stern (or Demon), former Conti CEO
LAPSUS$ imploded under its own infighting. One REvil affiliate even ranted on a cybercrime forum like a scammed eBay buyer.
To twist a familiar phrase: compartmentalized threats are only as strong as their weakest link. What if that link has poor communication skills, no follow-through and a serious case of commitment issues?
The one big thing
In Talos’ most recent blog post, we shared that UAT-6382, Chinese-speaking threat actors, have exploited Cityworks, a widely-used asset management system, through a remote code execution vulnerability (CVE-2025-0994). The actors are deploying advanced malware for long-term persistence and control.
Why do I care?
UAT-6382 is not only exploiting this vulnerability, but they’re also employing sophisticated tools like web shells, Rust-based malware loaders, and frameworks like Cobalt Strike to burrow deep into systems. This could lead to data breaches and operational downtime.
So now what?
While the intrusions we mentioned in the blog have been contained, exploitation may be continuing in the wild. Use the indicators of compromise (IOCs) listed in the blog to scan your environment.
Top security headlines of the week
NATO-Flagged Vulnerability Tops Latest VMware Security Patch Batch VMware patches flaws that expose users to data leakage, command execution and denial-of-service attacks. No temporary workarounds available. (SecurityWeek)
NIST’s ‘LEV’ Equation to Determine Likelihood a Bug Was Exploited The new equation, introduced by the National Institute of Standards and Technology (NIST), aims to offer a mathematical likelihood index that could be a game-changer for SecOps teams and vulnerability patch prioritization. (Dark Reading)
Kettering Health hit by system-wide outage after ransomware attack Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. (BleepingComputer)
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-22 18:06:412025-05-22 18:06:41Ghosted by a cybercriminal
These days, we’re hardly ever separated from our devices. According to a 2024 study conducted in the U.S. by analytics firm Reviews.org, the average user spends around 2.5 months of a year on their smartphone! That’s a staggering figure — showing just how deeply mobile devices have become ingrained into our daily lives.
A digital detox — a trendy term for taking a break from our screens and notifications — can benefit anyone with a smartphone and/or laptop. According to a review of 10 studies conducted between 2013 and 2023, digital detoxes help improve sleep quality, life satisfaction, and overall wellbeing. They also reduce anxiety, stress, depression, and phone addiction. What’s more, regular digital breaks can restore the brain’s ability to focus for long periods and process information deeply.
However, completely unplugging from the internet can pose certain cybersecurity risks to your digital life. So today, we’ll look at how to give your mind a rest while ensuring the security of your accounts, devices, data, and even smart home.
What could go wrong during a digital detox?
Of course, it’s impossible to completely eliminate all risks, but you can make some preparations to minimize their impact. But what kinds of risks are we talking about?
Account theft — both of regular, single-service accounts, and ecosystem accounts (like Google, Apple, Facebook, Instagram, Samsung, etc.) via password guessing or SIM swapping.
Unauthorized subscriptions and charges.
Leak of personal data from password dumps or due to a lack of two-factor authentication.
Account hijacking in messengers and social networks.
Use of your devices or accounts to send spam.
Loss or theft of your gadgets.
Household issues — break-ins while you’re away, flooding, gas leaks, or fires.
How to stay in control during a digital detox?
Start with a digital spring-clean, and strengthen your digital perimeter across a few key areas.
Accounts, data, and finances
Review your subscriptions. More than half of users worldwide pay for subscriptions they don’t use. According to one study, only 38% of respondents had used all of their subscriptions in the past six months. The majority had unused ones: 15% hadn’t used two, 11% three, and 3% more than five. Moreover, we tend to underestimate our total subscription costs by two to three times — even though we spend, on average, around a thousand dollars a year on them! So reviewing your subscriptions is a great place to start your digital detox, and dedicated subscription managers can help make this easier.
Make a list of subscriptions to pause or cancel completely while you’re away. And conversely, make sure the services that require ongoing payments are linked to an account with enough funds to cover them during your detox. This might include services like website hosting autopayments, VPS rental for a project, or a paid cloud storage or mail server. Also check how long your data is retained after suspending a subscription — and when it might be permanently deleted.
Beef up your passwords. Review your critically important accounts: online banking, government service portals, crypto wallets, and so on. If you’re already using a password manager, take advantage of the built-in password leak check If you store passwords in your browser, or your password manager can’t check for compromised passwords, switch to Kaspersky Password Manager. Replace weak passwords with unique and strong ones — our password manager can generate and remember them for you.
Enabletwo-factor authentication (2FA) wherever possible so that logging in requires a one-time code. Keep in mind that codes sent via SMS aren’t secure — so for critical accounts (banks, email, social networks, ecosystem accounts like Google and Apple), switch to an authenticator app wherever you can. By the way, our password manager can help here too.
Make backups. Create up-to-date backups of important files stored both locally and online — because the internet remembers not quite everything. Keep multiple copies — for example, on NAS at home as well as in a reliable cloud with encryption features. Don’t forget to make fresh backups of your smartphone and any other devices you’re taking with you, and store them in a safe place.
Give backup access to people you trust. If you’re a blogger, run Telegram channels or video-hosting platforms, or have popular social media accounts, be sure to set them up so you’re not the only one with access. In case attackers do manage to compromise your account — for example, through SIM swapping or hijacking session cookies — a prompt response is essential, even if you’re away. Kaspersky Password Managercan help here too: install it on multiple devices and sync your passwords and two-factor authentication tokens across them.
Notify your bank of your travel plans so they don’t block your card due to a “suspicious transaction” abroad. Depending on your bank, this can be done via in-app chat, a hotline, or in person.
Gadgets and connectivity
Install security updates. Update the operating systems, apps, and firmware on all your gadgets to the latest versions. Patches fix known vulnerabilities and lower the chances of a successful attack on you. If you’re using Android, check out our pain-free guide to installing Android updates.
Protect your devices. Make sure your both your computer and smartphone are protected with reliable security software. Enable disk encryption, and set a strong password for unlocking your device — whether you’re taking it with you or leaving it behind. On smartphones, disable biometric access, use strong passcodes, and enable automatic data-wipe after several failed unlock attempts.
To be able to locate lost Apple devices, turn on Find My. Kaspersky for Android has a similar feature for Android devices.
Protect your SIM cards from being swapped. Your cellphone number provides access to many services. It can be used to access social media, banking, government services, and — most critically — ecosystem accounts that store important personal data like your calendar, cloud documents, and payment card data saved in your browser. Criminals may try to get a duplicate of your SIM card at a mobile store to bypass SMS or call verification. Of course, this can happen at any time, but if you’re away, you won’t be able to respond as quickly.
Some mobile carriers let you set a password without which all SIM reissue requests are denied. Some providers let you prohibit them from providing you with services remotely and preventing anyone from replacing your SIM card, even if they have а power of attorney – real or fake. Check what options your provider offers, and for more tips on SIM swapping protection, see our article on the topic.
Set a good old PIN code on your primary SIM card before your trip — especially if you plan to remove it from your phone to leave at home, or swap it for a travel SIM while abroad. That way, even if your SIM falls into the wrong hands, they won’t be able to access your accounts: once inserted into a phone, the SIM won’t work without the PIN code. If you have an eSIM, keep the multi-use eSIM activation QR code stored in a secure place — or opt for single-use codes instead.
Make sure you have a backup communication channel. If you’re heading somewhere where mobile signal is unreliable or nonexistent — like in mountainous regions — satellite SMS services (like Garmin’s inReach) or Apple’s Emergency SOS via satellite feature can be useful. Be sure to check the subscription details in advance and confirm the service is available in the country you’re visiting.
Personal safety
Check yourdigital legacy settings and designate who gets access to your accounts if something happens to you. In Apple’s ecosystem, you can assign an account recovery contact in case you completely lose access to your Apple ID. With a code they receive according to your instructions, the trusted person can help you regain access to your account and data — such as a smartphone backup. However, they won’t get direct access to your data. In addition to a recovery contact, Apple also lets you designate a Legacy Contact. Google offers a similar feature called Inactive Account Manager, which is especially worth setting up if you plan not to use Google services for a long time. This option sends your selected contacts a backup of chosen data after a set period of inactivity — the default is three months. If that’s not enough for your full-on digital detox, be sure to increase the inactivity period in the settings so you don’t alarm your trusted contacts.
Decide which smart-home and IoT devices should remain active while you’re away. Surveillance cameras and alarms should ideally not just stay on, but be connected to an uninterruptible power supply. That way, the alarm can still send a signal to the monitoring center even if burglars cut the power before breaking in. On the other hand, smart sockets, speakers, or appliances you don’t plan to use should be unplugged and disconnected from the internet. Learn more about smart-home protection here.
Change the default passwords on all IoT devices to your own, strong ones, and don’t forget your router. Many devices come with standard login/password combos out of the box, making them vulnerable to botnet attacks. Also, if an attacker gains access to your IP camera, they can monitor your home and plan a break-in while you’re away.
Make sure you (or a trusted person) can receive critical alerts — for example, from smoke, gas, or flood detectors — and that a relative, trusted neighbor, or friend can quickly deal with any issues. Leave your trusted contact with spare keys and a way to reach you. If you’re going fully offline for your digital detox, this could be your hotel’s phone number or the contact details of your travel companion.
How to minimize gadget use on vacation
A full digital detox might feel too extreme for many people. But if you want to truly relax without worrying about your online life or offline property, we recommend at least sticking to the following rules:
Forget about the news, social media, and email — or at least stop checking them all the time. Special modes on Apple and Android devices can help limit your access to the most distracting apps. If these built-in tools aren’t enough, you could “become your own child” — install Kaspersky Safe Kids (included in your Kaspersky Premium subscription) and customize it by setting filters for apps, websites, and social media — adding daily time limits for each.
Minimize your digital footprint. Avoid posting vacation photos or updates in public in real time — better is to share the memories once you’re back. That way, you’re not telling the world: “Hey, I’m not home and won’t be for two more weeks!” If you really can’t resist, at least limit the audience to close friends only.
Let colleagues and family know in advance that you’ll be away, so they won’t worry or — most importantly — send you anything sensitive or urgent via email or messaging apps. Also, review your messaging account settings to prevent hijacking while you’re gone. Scammers love to strike when account owners are absent — so a quick reminder to your contacts not to fall for messages like “Hey! Can you lend me $100 till tomorrow?” can save you a lot of trouble.
Set up an out-of-office message for your email and voicemail stating that you’re temporarily offline — without giving too many details about your destination or reasons for your trip.
Take just one, essential device. If you’re traveling, don’t bring every gadget you own. Choose just one — whether a laptop, tablet, or smartphone — and keep it in your carry-on luggage. At your accommodation, store your device in a safe and never leave it unattended — even if you don’t plan to use it. If someone gets physical access to your device, they could compromise your data — and in the case of a smartphone, even steal your SIM card.
Use a backup phone for SMS messages. If you’re swapping your main SIM for a local or tourist one, insert your home SIM into an old backup phone — ideally a basic button phone with a long battery life — and turn off mobile data. This way, you’ll still receive calls and texts to your main number and can react promptly if something suspicious happens — like getting a two-factor authentication code you didn’t request, or a bank alert about a strange transaction or loan approval. To avoid roaming charges, simply do not answer the calls from this device and contact the caller on another channel. Keep this phone in a hotel safe or other secure spot and check it at least once a day.
Avoid risky connections. If possible, avoid connecting to unknown Wi-Fi networks or using someone else’s computer — especially if your goal is to unplug from the internet and screens. If you do need to get online (say, to check an important email), use your own device and stick to trusted Wi-Fi networks — or, better yet, mobile internet. Tourist SIM cards with cheap data plans are available pretty much everywhere in today’s world. With public Wi-Fi, use a secure connection to encrypt your traffic. And never enter passwords when using internet café networks or shared computers.
How to avoid missing anything important when you return
After your digital vacation, it’s important to return online wisely — checking what happened while you were away.
Power on your devices and check for updates. Turn on all the gadgets you’d switched off. Security updates may have been released while you were away; install them as soon as possible before actively using your devices again. Make sure your antivirus databases are also up to date. If you had any IoT devices unplugged, turn them back on and ensure they’re working properly and reconnected to your home network (and double-check that no passwords have been reset).
Review notifications and logs. Go through the backlog of notifications in your email, banking apps, and social media accounts. Pay close attention to login attempt alerts, two-factor authentication codes, and bank messages about transactions. If you notice any attempts to access your accounts that occurred during your digital detox, your first step should be to change the passwords for those services, terminate suspicious sessions if possible, and contact support. An SMS or push notification with a login code you didn’t request is a strong sign of a potential hack or SIM-swap attempt; in that case, immediately reach out to your mobile provider and the service in question.
Check your SIM card and phone. After a long time offline, make sure your phone number is still active and functioning, and that your balance hasn’t been drained by any suspicious activity. A pre-set PIN code and a restriction on reissuing SIM cards should reliably protect your number. However, it’s still worth double-checking your mobile account and, at the slightest suspicion, requesting a detailed expenses log from your mobile provider.
Assess your resilience and make notes and amendments for the future. Reflect on how well your digital ecosystem held up during your time away. The ideal outcome: nothing went wrong, your data is intact, your accounts are secure, and your home is fine. If that’s the case, congratulations — not only did you enjoy your break, but you also confirmed that your security measures work even without constant supervision. If any issues did arise — say, a backup failed or an IP camera went offline — treat them not as disasters but as lessons to learn, and take measures to improve your setup going forward.
We hope these tips help you enjoy a smooth and secure digital-detox vacation. Make the most of your time offline — and remember, it’s better to be safe than sorry. And to be even safer, follow our Telegram channel.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-22 16:06:402025-05-22 16:06:40A Kaspersky checklist for a safe vacation | Kaspersky official blog
A new phishing campaign is spreading the Remcos Remote Access Trojan (RAT) through DBatLoader. It employs User Account Control (UAC) bypass, obfuscated scripts, Living Off the Land Binaries (LOLBAS) abuse, and persistence mechanisms.
Here’s an analysis of the infection chain, key techniques, and detection tips.
The attack likely starts with a phishing email containing an archive.
Analysis of the malicious sample inside ANY.RUN’s Interactive Sandbox
Inside it, there is a malicious executable named “FAKTURA”, which deploys DBatLoader on the system.
Use of .pif Files for Disguise and UAC Bypass
DBatLoader uses .pif (Program Information File) files as a method of disguise and execution.
Originally intended for configuring how DOS-based programs should run in early Windows systems, .pif files have become obsolete for legitimate use. However, they are still executable on modern Windows versions, making them useful for attackers.
Windows treats .pif files similarly to .exe files. When executed, they can run without triggering warning dialogs, depending on system configuration.
Trailing spaces allow attackers to abuse Windows’s folder name handling
In the analysis, the malicious alpha.pif (a Portable Executable file) bypassed UAC by creating fake directories like “C:Windows “ (note the empty space), exploiting Windows’s folder name handling to gain elevated privileges.
Get extra sandbox licenses for your team as a gift Take advantage of ANY.RUN’s special offers before May 31
Evasion and Persistence: Ping Command and Scheduled Task
One observed command line uses PING.EXE to ping the local loopback address (127.0.0.1) ten times. While legitimate programs may use this to test network connectivity by sending ICMP echo requests, malware like DBatLoader uses it to introduce artificial delays for time-based evasion.
ANY.RUN flags PING.EXE activity and identifies it as a delay simulation
In some cases, this technique can also be repurposed for remote system discovery.
The malicious svchost.pif file launched NEO.cmd through CMD, which then executed extrac32.exe to add a specific path to Windows Defender’s exclusion list, allowing it to evade further detection.
The sandbox highlights evasion and persistence activities in the MITRE ATT&CK Matrix
To maintain persistence and survive following reboots, DBatLoader abuses a scheduled task to trigger a Cmwdnsyn.url file, which launches a .pif dropper.
Obfuscation and Remcos Deployment
Obfuscation complicates the analysis for security professionals
The loader used .cmd files obfuscated with BatCloak to download and run Remcos.
The sandbox flags the injected process and detects Remcos
Remcos injects into trusted system processes SndVol.exe, colorcpl.exe or others, varying on each new instance, blending in with the rest of the processes.
Spot Similar Attacks with Proactive Sandbox Analysis
Multi-stage attacks that utilize different means of staying hidden on the system are hard to identify with standard signature-based solutions. The most effective way to ensure detection is to proactively detonate the suspicious files inside the safe, virtual environment of a malware sandbox.
ANY.RUN’s Interactive Sandbox allows security teams to conduct fast and in-depth analysis of malware and phishing attacks to maximize the detection rate. The service offers fully interactive cloud-based VMs supporting Windows, Android, and Linux systems.
Accelerate Threat Analysis: The sandbox detects malware strains in under 40 seconds, reducing incident investigation time and boosting SOC productivity.
Keep Your Infrastructure Safe: Analyze suspicious files and URLs in a cloud-based, isolated environment to eliminate the risk of compromising corporate infrastructure.
Boost Team Collaboration: Configure access levels, track productivity, and coordinate the team’s work on threat analysis.
Improve Cost-Effectiveness: Minimize financial losses with faster threat analysis and detection that supercharges response and containment.
See all ANY.RUN’s 9th Birthday special offers and get yours before May 31
Analysts can monitor unusual file paths, track processes for unexpected activity, analyze network connections, and, most importantly, manually engage with the system and threats.
The sandbox flags all the malicious behaviors and generates a detailed report with IOCs that can be adapted for detection rules and endpoint security improvement.
About ANY.RUN
Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.
Speed up triage and response: Detonate suspicious files using ANY.RUN’s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.
Improve threat detection: ANY.RUN’s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00adminhttps://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.pngadmin2025-05-22 13:06:392025-05-22 13:06:39DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign
Cisco Talos has observed exploitation of CVE-2025-0994, a remote-code-execution vulnerability in Cityworks, a popular asset management system.
The Cybersecurity and Infrastructure Security Agency (CISA) and Trimble have both released advisories pertaining to this vulnerability, with Trimble’s advisory specifically listing indicators of compromise (IOCs) related to the intrusion exploiting the CVE.
IOCs pertaining to intrusions discovered by Talos that involve the exploitation of CVE-2025-0994 overlap with those listed in Trimble’s advisory.
Talos clusters this set of intrusions, exploiting CVE-2025-0944, under the “UAT-6382” umbrella of activity. Based on tooling and tactics, techniques and procedures (TTPs) employed by the threat actor, Talos assesses with high confidence that the exploitation and subsequent post-compromise activity is carried out by Chinese-speaking threat actors.
Post-compromise activity involves the rapid deployment of web shells such as AntSword and chinatso/Chopper on the underlying IIS web servers. UAT-6382 also employed the use of Rust-based loaders to deploy Cobalt Strike and VSHell malware to maintain long-term persistent access.
We track the Rust-based loaders as “TetraLoader,” built using a recently publicly available malware building framework called “MaLoader.” MaLoader, written in Simplified Chinese, allows its operators to wrap shellcode and other payloads into a Rust-based binary, resulting in the creation of TetraLoader.
Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access. Upon gaining access, UAT-6382 expressed a clear interest in pivoting to systems related to utilities management.
The web shells, including AntSword, chinatso/Chopper and generic file uploaders, contained messaging written in the Chinese language. Furthermore, the custom tooling, TetraLoader, was built using a malware-builder called “MaLoader” that is also written in Simplified Chinese. Based on the nature of this tooling, TTPs, hands-on-keyboard activity and victimology, Talos assesses with high confidence that UAT-6382 is a Chinese-speaking threat actor.
Initial reconnaissance
Successful exploitation of the vulnerable Cityworks application leads to the attackers conducting preliminary reconnaissance to identify and fingerprint the server:
cmd.exe /c ipconfig
cmd.exe /c pwd
cmd.exe /c dir
cmd.exe /c dir ..
cmd.exe /c dir c:
cmd.exe /c dir c:inetpub
cmd.exe /c tasklist
Specific folders were enumerated before attempting to place web shells in them:
cmd.exe /c dir c:inetpubwwwroot
cmd.exe /c c:inetpubwwwrootCityworksServerWebSite
cmd.exe /c dir c:inetpubwwwrootCityworksServerWebSiteAssets
UAT-6382 heavily utilizes web shells
Initial reconnaissance almost immediately led to the deployment of web shells to establish backdoor entry into the compromised network. These web shells consisted of multiple variations of AntSword, chinatso and Behinder along with additional generic file uploaders containing messages written in the Chinese language.
Figure 1. ASP based file uploader deployed by UAT-6382.
File enumeration and staging for exfiltration
UAT-6382 enumerated multiple directories on servers of interest to identify files of interest to them and then staged them in directories where they had deployed web shells for easy exfiltration:
cmd.exe /c dir c:inetpubwwwrootCityworksServer
cmd.exe /c copy c:inetpubwwwrootCityworksServer<backup_archives> c:inetpubwwwrootCityworksServerUploads
Deployment of backdoors
UAT-6382 downloaded and deployed multiple backdoors on compromised systems via PowerShell:
The implants Talos recovered are Rust-based loaders containing an encoded or encrypted payload. The payload is decoded/decrypted and injected into a benign process by the loader component. We track the loaders as “TetraLoader.”
TetraLoader analysis
TetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process such as notepad[.]exe to activate the payload. Talos has so far found two types of payloads deployed by TetraLoader on the infected endpoints:
Cobalt Strike beacons: These are position-independent, in-memory Cobalt Strike beacon shellcodes that are injected into a specified benign process by TetraLoader.
VShell stager: Position independent shellcode, we’ve identified as a stager for VShell, that talks to a hardcoded C2 server and executes code issued to it.
TetraLoader is built using a relatively new payload builder framework known as “MaLoader,” which first appeared on GitHub in December 2024. MaLoader has multiple options to encode and embed shellcodes into TetraLoader, the Rust-based container.
Figure 2. MaLoader’s builder interface
MaLoader is written in Simplified Chinese, indicating that threat actors that employed it likely knew the language to a substantial degree of proficiency.
Cobalt Strike beacons
The Cobalt Strike beacons are relatively straightforward, with minimal changes as compared to traditionally generated Cobalt Strike beacons. One of the beacons Talos discovered reaches out to the command-and-control (C2) domain “cdn[.]lgaircon[.]xyz” and specifically consists of the following configuration settings:
BeaconType - HTTPS
Port - 443
SleepTime - 45000
MaxGetSize - 2801745
Jitter - 37
MaxDNS - Not Found
PublicKey - b'0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00x81x92xaax1dxdephxa6x80xf7xc9x7fxcfxbaxce6xd9x11(x00x1ax95
A second beacon using the same C2 domain consists of the following more detailed configuration:
BeaconType - HTTPS
Port - 443
SleepTime - 35000
MaxGetSize - 2097152
Jitter - 30
MaxDNS - Not Found
PublicKey_MD5 - 00c96a736d29c55e29c5e3291aedb0fd
C2Server - lgaircon[.]xyz,/owa/OPWiaTU-ZEbuwIAKGPHoQAP006-PTsjBGKQUxZorq2
UserAgent - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.3 Safari/605.1.15
HttpPostUri - /owa/idQ0RKiA2O1i9KKDzKRdmIBmkA8uQxmFzpBGRzGjaqG
Malleable_C2_Instructions - NetBIOS decode 'a'
HttpGet_Metadata - ConstHeaders
Host: lgaircon[.]xyz
Accept: */ *
Cookie: MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;ClientId=1C0F6C5D910F9;MSPAuth=3EkAjDKjI;xid=730bf7;wla42=ZG0yMzA2KjEs
ConstParams
path=/calendar
Metadata
netbios
parameter "wa"
HttpPost_Metadata - ConstHeaders
Host: lgaircon[.]xyz
Accept: */ *
SessionId
netbios
prepend "wla42="
prepend "xid=730bf7;"
prepend "MSPAuth=3EkAjDKjI;"
prepend "ClientId=1C0F6C5D910F9;"
prepend "MicrosoftApplicationsTelemetryDeviceId=95c18d8-4dce9854;"
header "Cookie"
Output
netbios
parameter "wa"
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
SSH_Banner -
HttpGet_Verb - GET
HttpPost_Verb - GET
HttpPostChunk - 96
Spawnto_x86 - %windir%syswow64gpupdate[.]exe
Spawnto_x64 - %windir%sysnativegpupdate[.]exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark_Hash - NtZOV6JzDr9QkEnX6bobPg==
Watermark - 987654321
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - True
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 26808
ProcInject_PrependAppend_x86 - b'x90x90x90x90x90x90x90x90x90'
Empty
ProcInject_PrependAppend_x64 - b'x90x90x90x90x90x90x90x90x90'
Empty
ProcInject_Execute - ntdll[.]dll:RtlUserThreadStart
NtQueueApcThread-s
SetThreadContext
CreateRemoteThread
kernel32[.]dll:LoadLibraryA
RtlCreateUserThread
ProcInject_AllocationMethod - VirtualAllocEx
bUsesCookies - True
HostHeader -
headersToRemove - Not Found
DNS_Beaconing - Not Found
DNS_get_TypeA - Not Found
DNS_get_TypeAAAA - Not Found
DNS_get_TypeTXT - Not Found
DNS_put_metadata - Not Found
DNS_put_output - Not Found
DNS_resolver - Not Found
DNS_strategy - round-robin
DNS_strategy_rotate_seconds - -1
DNS_strategy_fail_x - -1
DNS_strategy_fail_seconds - -1
Retry_Max_Attempts - 0
Retry_Increase_Attempts - 0
Retry_Duration - 0
Another beacon reaches out to C2 “www[.]roomako[.]com” and has the following configuration:
BeaconType - HTTPS
Port - 443
SleepTime - 25000
MaxGetSize - 2801745
Jitter - 37
MaxDNS - Not Found
PublicKey - b"0x81x9f0rx06t*x86Hx86xf7rx01x01x01x05x00x03x81x8dx000x81x89x02x81x81x00xaa#x18xebx;xd3?xe7xa7xb5x95xb1xe7xb2ax99O)x8exebx/:xc10cxfex04#xe5_ x82xabx9dxbex99xd0Wxb5xfafrax14@x9ax16Fs5xa0xe6xf3xa6x13xdcx91Nxdeqlx89xc5RkDxefqxeaxa8xc5'$xdf]l#xacsx0c/;xc3Exf8x0fSx7fxbdxcdx0b]Ex97xf2xf2Qxe8x00xa7ux04x90rx95xfdxac`k9xefaxe5x9ftWxc5xc7x90xb8x8ax15xab+x02x03x01x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00"
C2Server - www[.]roomako[.]com,/jquery-3[.]3[.]1[.]min[.]js
UserAgent - Not Found
HttpPostUri - /jquery-3[.]3[.]2[.]min[.]js
HttpGet_Metadata - Not Found
HttpPost_Metadata - Not Found
SpawnTo - b'x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00'
PipeName - Not Found
DNS_Idle - Not Found
DNS_Sleep - Not Found
SSH_Host - Not Found
SSH_Port - Not Found
SSH_Username - Not Found
SSH_Password_Plaintext - Not Found
SSH_Password_Pubkey - Not Found
HttpGet_Verb - GET
HttpPost_Verb - POST
HttpPostChunk - 0
Spawnto_x86 - %windir%syswow64dllhost[.]exe
Spawnto_x64 - %windir%sysnativedllhost[.]exe
CryptoScheme - 0
Proxy_Config - Not Found
Proxy_User - Not Found
Proxy_Password - Not Found
Proxy_Behavior - Use IE settings
Watermark - 987654321
bStageCleanup - True
bCFGCaution - False
KillDate - 0
bProcInject_StartRWX - False
bProcInject_UseRWX - False
bProcInject_MinAllocSize - 17500
ProcInject_PrependAppend_x86 - b'x90x90x90'
Empty
ProcInject_PrependAppend_x64 - b'x90x90x90'
Empty
ProcInject_Execute - ntdll:RtlUserThreadStart
CreateThread
NtQueueApcThread-s
CreateRemoteThread
RtlCreateUserThread
ProcInject_AllocationMethod - NtMapViewOfSection
bUsesCookies - True
HostHeader - Host: www[.]roomako[.]com
VShell stager
The VShell stager is relatively simple and uses rudimentary socket APIs to connect with a hardcoded C2 server such as “192[.]210[.]239[.]172:2219”. The stager, usually injected into a benign process by TetraLoader, initially sends a preliminary beacon to the C2 and then waits for a response. The response sent by the C2 is usually a single-byte Xorred payload that is then executed in memory by the implant. This is likely UAT-6382’s modification in VShell.
Figure 3. Implant receiving and executing shellcode from the C2.
The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities, such as the capabilities to perform file management, run arbitrary commands, take screenshots and run NPS-based proxies on the infected endpoint.
Figure 4. A sample VShell C2 server with one client connected.
Like other Chinese-authored tooling observed in the intrusions, VShell C2 panels are also written in Chinese. Although limited language support for English is available in the panel, it still mostly uses the Chinese language as seen in Figure 5, indicating that operators need to be familiar with the language to use the panel proficiently.
Figure 5. VShell’s file manager panel uses Chinese even when configured to use English.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
