Our cyber threat analysts detected and explored a number of malware campaigns this January. Here are the three most dangerous attacks dissected with the aid of ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup. 

Fake YouTube links redirect users to phishing pages 

Original post on X 

Using the Uniform Resource Identifier authority (URI), phishers obfuscate links and place a legitimate resource address, like http://youtube, at the beginning of URLs to deceive users and make the link appear authentic and safe.   

Not just YouTube is getting abused. We’ll keep monitoring and sharing the details with you, so your company can make effective decisions to address the threat. 

Watch how the attack unveils in our Interactive Sandbox and gather IOCs for setting up your security systems. 
 
View analysis

Use this search request in TI Lookup to find more sandbox sessions and enforce the protection of your business by fine-tuning malware detection in your network:  
 
commandLine:”youtube.com%” 

• Technically, the URI Scheme replaces the userinfo field (user:pass) with a domain name: foo:// <user:pass> @ domain . Zone. 

• Storm 1747 domain infrastructure — checkers, redirectors and main pages — has a standard template for Tycoon 2FA phishkit installed.  

• The technique of replacing user info is also employed by various other phishing kits, such as Mamba 2FA and EvilProxy. 

To study the behavior and indicators of all these malware samples, use ANY.RUN’s Interactive Sandbox.  

Phishers use fake online shops with surveys to steal credit card information 

Original post on X 

The new phishing scheme we named FoxWhoops targets American e-commerce customers with fake sites promising a reward for completing a survey 

The attack utilizes a system of checks. Users who fail them are sent to a Fox News RSS page or a page with a ‘Whoops!’ image. Those who pass the checks are offered to enter their bank card info to purchase the ‘reward’ at a discount.  

 
A number of examples of such attacks have been submitted in our sandbox:  

• Fake Market 

• FoxNews RSS 

• Whoops! 

Checks and redirects:  

1. A script detects scanning by Google, Bing, Baidu, DuckDuckGo, etc.
2. If the first check is passed, the script triggers a redirect 
3. If the second check is passed, the user is redirected to a phishing page with a fake online shop payment form 
4. If the first check fails, the user is redirected to a Fox News RSS feed  
5. If the second check fails, the ‘Whoops’ page is displayed.  

Possible attack scenarios based on these steps:

• Phishing scenario: 1 → 2 → 3. A phishing survey with a ‘reward’ after a small payment in a fake store. Credit card info stolen. 
• Evasion scenario: 1 → 4. If the victim fails the first check, they are redirected to what appears to be a Fox News RSS feed. The URL includes a ‘q’ parameter that specifies the reason for the redirect, such as:  “IP provider is blacklisted! ASN-CXA-ALL-CCI-22773-RDC“. 
• Placeholder scenario: 1 → 2 → 5. Users are shown a placeholder page.  

Examine the attack’s mechanics to facilitate employee security training in your organization and prevent social engineering attempts with ANY.RUN’s Sandbox! 

A SystemBC client is targeting Linux-based platforms

Original post on X 

The Linux version of SystemBC proxy implant is potentially designed for internal corporate services. It is commonly used to target corporate networks, cloud servers, and even IoT devices. 

This Remote Access Trojan is designed to maintain encrypted communication with C2 servers, using the same custom protocol, ensuring connection to a unified infrastructure of both Windows and Linux implants.   

A proxy implant within a victim’s infrastructure is a crucial tool for attackers, allowing for lateral movement and pivoting without deploying additional detectable tools, further evading detection on the host. 

This version is more stealthy and far more dangerous. Samples do not have clear family detection by security vendors. 

Take a look at the Linux version analysis in the sandbox:  

To respond effectively, use ANY.RUN’s Linux virtual machine and quickly detect malicious communication with in-depth network traffic insights, powered by advanced Suricata rules from our experts. 

Conclusion 

The cyber threat landscape this January was marked by sophisticated and varied attack strategies targeting individuals and organizations alike. From phishing schemes exploiting trusted platforms to deceptive fake online shops, hackers demonstrated increasing ingenuity and adaptability. 

Organizations must remain vigilant and proactive by leveraging tools such as ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup to identify and analyze threats in real time. Staying informed and prepared is the key to safeguarding critical assets in this ever-changing digital battlefield. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post 3 Major Cyber Attacks in January 2025 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Ransomware attacks have become a relentless threat to the healthcare sector, exposing sensitive patient data, disrupting life-saving treatments, and placing lives at risk. With healthcare systems underfunded and critical infrastructure vulnerable, cybercriminals find this sector an easy and lucrative target. 

In recent years, ransomware attacks have not only caused financial losses but have also shaken public trust in healthcare organizations. Hospitals, medical service providers, and even blood donation centers have been hit, leaving a trail of chaos. 

This article highlights how healthcare organizations can benefit from ANY.RUN‘s Interactive Sandbox and Threat Intelligence Lookup to identify, investigate, and analyze ransomware attacks, using a real-world case study of the Interlock ransomware group. 

The Impact of Ransomware on Healthcare 

Before we dive deeper into how ANY.RUN helps counter such threats, let’s examine how devastating ransomware attacks can be across the healthcare sector. 

What’s at stake? 

• Loss of patient trust: Exposed personal and health information undermines confidence in healthcare providers. 

• Operational disruption: Hospitals and medical facilities are forced to halt services, delaying critical treatments. 

• Financial strain: Organizations face ransom demands, legal fees, and recovery costs, compounding the impact. 

Why Healthcare Is a Prime Target 

1. Sensitive data: Patient records are incredibly valuable on the black market. Ransomware groups exploit this by encrypting data and demanding payments for decryption. 

2. Critical infrastructure: Many healthcare systems cannot afford prolonged downtime due to their role in patient care. 

3. Underfunded cybersecurity: Many healthcare providers operate on tight budgets, often prioritizing patient services over robust IT defenses. 

4. Slow detection: A common issue is the inability to identify and respond to attacks in their early stages, which allows ransomware to spread undetected. 

Interlock Group: Active Ransomware Threat to Healthcare 

Interlock is a ransomware actor that engages in double-extortion. 

In late 2024, the Interlock ransomware group launched targeted attacks against multiple healthcare facilities in the United States, causing significant disruptions and exposing sensitive patient data: 

• Brockton Neighborhood Health Center: Breached on October 20, 2024, undetected until December 17, 2024. 

• Legacy Treatment Services: Attack detected on October 26, 2024. 

• Drug and Alcohol Treatment Service: Breach discovered on October 24, 2024. 

How ANY.RUN Helps at Different Stages of Interlock Attacks

ANY.RUN provides healthcare organizations with proactive tools to analyze and investigate ransomware attacks at various stages. 

Let’s discover how by having a look at the Interlock ransomware group. The stages of the attack are taken from one of the most detailed reports on the threat from Talos, released on January 14, 2025. 

1. Initial Compromise (TA0001) 

At this stage, the Interlock ransomware group uses the Drive-by Compromise technique to gain access to the victim’s infrastructure. 

Drive-by Compromise: How It Happened 

The Interlock ransomware group either compromised or newly registered a phishing website, as evidenced by recent registration data in Whois. This phishing site was designed to appear as a news feed, complete with links for downloading software. Unwary users visiting the site were tricked into downloading malicious files. 

Here is how ANY.RUN’s Threat Intelligence Lookup could be used by analysts at this stage of the attack. 

Early Detection of Malicious Domains 

By querying the domain apple-online.shop, ANY.RUN found that users first flagged and analyzed the website on September 6, 2024, almost a month before public mentions of the group appeared in this report.

This means ANY.RUN detected suspicious activity nearly two months before the Talos report was published. 

Thanks to ANY.RUN’s access to public samples of the latest cyber threats from around the world, users of TI Lookup were able to identify Interlock’s domain as malicious before public reports. With such early detection, healthcare organizations can take preventative measures long before public alerts are raised. 

Understanding Website Content 

With the help of ANY.RUN’s Interactive Sandbox, you can view how the malicious website looked like and what content was used to deceive users. By analyzing such sites, healthcare organizations can train employees to recognize and avoid similar threats in the future. 

View analysis session 

The virtual machine allows anyone to see the behavior of this threat and interact with it in real time. 

Expanding on Known Threat Information 

ANY.RUN’s data can also enrich users’ existing knowledge of the attack.  

While reports stated that the attackers used malware disguised as a Google Chrome updater, ANY.RUN uncovered additional tactics, such as mimicking MSTeams and MicrosoftEdge updates (evident in filenames like MSTeamsSetup.exe and MicrosoftEdgeSetup.exe). 

This shows that by identifying alternative disguises used for malware, ANY.RUN equips organizations to anticipate a broader range of file disguises utilized by Interlock. 

IOCs and File Analysis 

Reports mentioned a specific file named upd_2327991.exe used in the attack. ANY.RUN’s database reveals additional files with similar naming conventions, such as: 

• upd_8816295.exe 

• upd_1416836.exe 

This suggests that the attackers generated file names using random alphanumeric patterns. Each file had distinct hash values (SHA256), which serve as unique Indicators of Compromise (IOCs): 

• 8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927 

• 97105ed172e5202bc219d99980ebbd01c3dfd7cd5f5ac29ca96c5a09caa8af67 

The analysis showed that with the help of ANY.RUN’s TI Lookup and Interactive Sandbox, healthcare organizations facing Interlock ransomware attacks could: 

• Discover the Start Date of Attacks: Get information about the first activities of the attacking group, which often happen before public reports.  

• Study the Attacker’s Setup: Identify the domains, IP addresses, and other parts of the attacker’s setup to learn more about their tactics and methods.  

• Improve Detection Systems: Collect additional IOCs to configure defensive mechanisms and improve attack detection. 

2. TA0002: Execution

Once attackers gain initial access, the Execution phase begins. This stage involves deploying malicious payloads or executing harmful commands on the compromised device. In the Interlock ransomware attacks, users unknowingly launch a fake updater file, triggering the execution of malware and allowing attackers to establish control over the victim’s system. 

How Interlock Group Executes Their Attacks

The reports revealed that the attackers leveraged Remote Access Tools (RATs), which provided them with full control of the infected machine. By disguising these RATs as legitimate software, such as Chrome, MSTeams, or Microsoft Edge updaters, the attackers ensured that their actions remained unnoticed until significant damage was done. 

Detecting Encrypted URLs in Fake Updaters

With ANY.RUN Sandbox, analysts could uncover that the fake-updater contained encrypted URLs used to communicate with the attackers’ infrastructure. For example, the xor-url tag in ANY.RUN revealed hidden URLs within the malware’s configuration files. 

View analysis session 

By clicking on the CFG (Configuration) option in the sandbox, analysts can view decrypted URLs. These insights provide actionable intelligence about the malware’s communication methods and help identify similar patterns in future attacks. 

Using YARA Search to Find More Samples

ANY.RUN’s YARA Search functionality allowed researchers to create a rule for detecting RAT samples linked to the attack.  

Here’s an example of a YARA rule tailored for identifying Interlock’s disguised RAT samples: 

rule Interlock_RAT {  

    strings:  

        $ = "/MSTeamsSetup.exe\" xor  

        $ = "/ChromeSetup.exe\" xor  

        $ = "/MicrosoftEdgeSetup.exe\" xor  

    condition:  

        any of them  

} 

This YARA rule uncovered over 44 new malicious files, each representing a new indicator.

These IOCs can be added to detection systems, expanding the scope of protection. 

Discovering Additional IOCs 

In addition to detecting malicious files, ANY.RUN’s sandbox session revealed network IOCs such as URLs and IP addresses that previously were not covered in other reports. 

The URL shown above was not included in the detailed report from Talos.  

Had the organizations encountering this URL and payload used ANY.RUN’s Interactive Sandbox, they would be able to run the RAT in a safe virtual environment and see its malicious nature. This could have prevented them from detonating the payload on their own systems. 

During Execution, ANY.RUN helps users: 

• Discover IOCs: Find additional file and network IoCs, including those found in configurations. 

• Find Unknown Threats: Discover previously unknown threats. 

• Analyze Threats: Safely explore suspicious URLs and detonate payloads. 

3. TA0006: Credential Access 

Once attackers gain the ability to execute commands on a compromised system, their next move often involves stealing access credentials. In the Interlock ransomware attack, the group employed a custom stealer tool to gather and exfiltrate these credentials. 

How Credential Stealing Works in This Attack

• The attackers’ stealer was designed to collect sensitive data, including usernames, passwords, and other access credentials. 

• According to vendor reports, the stolen data was stored in a file named “chrgetpdsi.txt.” This file served as a repository for harvested credentials before exfiltration. 

Let’s use TI Lookup to find more information on the stealer:  

As a result, we see that the Stealer had been detected by ANY.RUN as early as August 2024, well before users began investigating the compromised domain. 

Early detection of malicious tools like this Stealer provides security teams with actionable intelligence to defend against evolving threats. 

4. TA0008: Lateral Movement 

At the Lateral Movement phase, attackers aim to spread across the network, gaining access to additional systems and resources.  

The Interlock ransomware group moved laterally within networks using legitimate remote administration tools like Putty, Anydesk, and RDP. These tools are often abused by attackers to access additional systems undetected. 

The ANY.RUN Sandbox excels at identifying the presence of these tools when they are abused for malicious purposes.

By executing suspicious files in a controlled environment, ANY.RUN can: 

• Detect the execution of Putty, Anydesk, or RDP-related activities. 

• Provide detailed insights into how these tools are being used by attackers. 

5. TA0010: Data Exfiltration 

In the Data Exfiltration phase, attackers transfer stolen data out of the victim’s network. The Interlock ransomware group used Azure cloud storage to exfiltrate data. 

Inside the ANY.RUN sandbox, you can see the system configuration data being sent to a Command and Control (C2) server via the RAT. 

ANY.RUN captures data sent by the RAT to attacker-controlled servers. For this example, logs revealed information sent to IP 217[.]148[.]142[.]19 over port 443: 

Using tools like CyberChef, we can decrypt the logged traffic (e.g., XOR-encrypted data) to identify what attackers exfiltrated. 

Thus, during the Data Exfiltration phase, ANY.RUN Sandbox logs traffic sent to external systems, allowing analysts to identify exactly what data is being transmitted to the attacker’s server. 

ANY.RUN’s Key Benefits for Healthcare Organizations

ANY.RUN empowers healthcare organizations with fast, safe, and effective tools to investigate and analyze cyber threats: 

• Pin malicious indicators to actual threats to gain a better understanding of the risks your organization is facing.  
• Receive in-depth reports with IOCs, TTPs, and malware behavior summaries. 
• Simplify and speed up threat analysis for SOC team members at all levels, saving time and increasing productivity.
• Accelerate the alert triage process and reduce the workload through fast operation speeds, a user-friendly interface, and smart automation.
• Safely examine sensitive data in a private mode, ensuring compliance with cybersecurity and data protection requirements.
• Gain access to detailed insights into malware’s behavior and better understand threats to streamline incident response.
• Collaborate with team members, share results, and coordinate efforts efficiently during incident handling.
• Optimize the cost of responding to incidents by accessing detailed data with ANY.RUN’s interactive analysis, which helps in developing new detection and protection methods.

Conclusion 

ANY.RUN can be an invaluable tool at various stages of ransomware attacks. During incident investigations, TI Lookup can provide critical data on the threat at hand. Running malware in the ANY.RUN Sandbox before executing it on a local machine allows for a proactive identification of the threat and thorough analysis of its behavior.

By combining ANY.RUN’s tools, healthcare organizations can not only enhance the understanding of the threats’ capabilities but also ensure that they are identified and mitigated effectively. 

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s services → 

The post How ANY.RUN Helps Healthcare Organizations Against Ransomware: Interlock Case Study appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

• Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
• The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
• The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
• The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
• We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

The campaign 

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

.NET loader implants PureCrypter 

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

PureCrypter drops the TorNet backdoor 

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

• It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
• It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
• It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select * from Win32_BIOS 
Select * from Win32_ComputerSystem 

• It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
• It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
• It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
• It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
• It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file[://]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Payload TorNet creates a backdoor on the victim machine 

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104[.]168[.]7[.]37 during the period of our research. 

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor[.]exe” as a background process to connect to TOR.  

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127[.]0[.]0[.]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0  
Win.Downloader.TorNet-10041463-0  
Win.Malware.TorNet-10041565-0  
Win.Malware.TorNet-10041601-0  
Win.Trojan.TorNet-10041734-0 

Indicators of Compromise  

IOCs for this threat can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More

Overview

Cyble’s vulnerability intelligence report to clients last week examined high-risk flaws in 7-Zip, Microsoft Windows, and Fortinet, among other products. It also examined dark web claims of a zero-day vulnerability in Apple iOS.

In all, the report from Cyble Research and Intelligence Labs (CRIL) looked at 14 vulnerabilities and dark web exploits, including one vulnerability with a maximum CVSS severity score of 10.0 and another with more than 276,000 web exposures.

Here are some of the vulnerabilities highlighted by Cyble’s vulnerability intelligence unit as meriting high-priority attention by security teams.

The Top IT Vulnerabilities

CVE-2024-50603 is a 10.0-severity OS Command Injection vulnerability in the Aviatrix Controller that could allow an unauthenticated user to execute arbitrary commands against the cloud networking platform controller, due to improper neutralization of special elements used in an OS command. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.

CVE-2025-0411 is a critical vulnerability in the 7-Zip file archiving software that allows attackers to bypass the Mark-of-the-Web (MOTW) protection mechanism, which is intended to warn users about potentially dangerous files downloaded from the internet. An attacker could use the vulnerability to craft an archive file so that the files do not inherit the MOTW mark when they are extracted by 7-Zip. The vulnerability was just announced, but a patch has been available since November 30. As 7-Zip lacks an auto-update function, users must download the update directly.

CVE-2024-12084 is a 9.8-severity Heap-Based Buffer Overflow vulnerability in the Rsync file synchronization tool. The vulnerability arises from improper handling of checksum lengths that exceed the fixed limit of 16 bytes (SUM_LENGTH) during the processing of user-controlled data. An attacker could manipulate checksum lengths, leading to out-of-bounds memory writes in the sum2 buffer. This could enable remote code execution (RCE) on systems running the Rsync server. Cyble detected more than 276,000 vulnerable web-facing Rsync exposures (image below).

Dark Web Exploits and Zero Days

The Cyble report also looked at vulnerabilities actively discussed by threat actors on cybercrime forums, suggesting a high risk of attacks against those flaws. Cyble also identified threat actors offering zero-day vulnerabilities for sale in Apple iOS and other products. The Apple zero-day exploit allegedly weaponizes a vulnerability present in Apple devices running iOS 17.x.x and 18.x.x, resulting in remote code execution.

Among the vulnerabilities under dark web discussion were:

• CVE-2024-49138, a critical Elevation of Privilege vulnerability affecting the Windows Common Log File System (CLFS) driver
• CVE-2023-34990, a critical relative path traversal vulnerability in Fortinet’s FortiWLM wireless LAN management solution
• CVE-2024-55591, an authentication bypass vulnerability in Fortinet’s FortiOS and FortiProxy.

Cyble Recommendations

To protect against these vulnerabilities and exploits, Cyble recommended that organizations implement the following best practices:

• Regularly update all software and hardware systems with the latest patches from official vendors.
• Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
• Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
• Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
• Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
• Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
• Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

Actively exploited vulnerabilities—and those identified as being at high risk of exploitation—should be a top priority for security teams as they prioritize their patching efforts. They should also consider other indicators of risk, such as web exposures, data sensitivity, and criticality of affected systems and applications. With increasing discussion of these exploits on dark web forums, organizations must stay vigilant and proactive.

Implementing strong security practices is essential to protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents.

To access full IT vulnerability and other reports from Cyble, click here.

The post IT Vulnerability Report: 7-Zip, Windows and Fortinet Fixes Urged by Cyble appeared first on Cyble.

Blog – Cyble – ​Read More

If you’re anything like me, you probably share plenty of photos, videos and documents, and send lots of voice messages and emails every single day too. But how often do you stop to consider the additional data contained in these files? For each of these files/media contains metadata — which can reveal a lot of interesting details not meant for prying eyes; for example, a photo’s time and location, a document’s editing history, device information, IP address, geolocation, and much more. So, for example, whenever you post an innocent selfie on social media, you’re also making public a whole ton of extra information that you might not necessarily want others to see.

In this article, we explore the pros and cons of metadata and how to remove it.

What is metadata and what’s it for?

To put it simply, metadata is additional information about a file’s content. Such data is added to files by applications that create or process them, operating systems, or users themselves. In most cases, metadata is created and updated automatically. For example, for files, this can include the creation date, last modified date, type, owner, and so on. In the case of photos, metadata can include the date and location, exposure settings, camera or smartphone model, and so on, recorded in Exif format. Specifically which data is stored depends on the camera/smartphone model and settings.

Some metadata is “visible” and easy to edit. For example, audio files contain special tags describing the content — author, artist, album, track name, genre, etc. — that can be easily changed in any media player.

Other metadata is less evident. Did you know, for example, that from the metadata of an office document you can easily discover who edited it, when, for how long, and using which programs? In some cases, you can even restore the entire edit history from the first keystroke.

Of course, metadata wasn’t originally designed to be “the perfect stalking tool”, but simply a useful feature. However, you can end up sharing more than you intended; for example, your employer or client could find out how much time you actually spent working on a document, and the Exif data of a selfie you post online can reveal what smartphone you use and where you were at the time. Metadata can also help catch criminals or uncover fraudulent schemes.

For example, in 2019, U.S. law enforcement managed to arrest the fraudster Hicham Kabbaj, who’d been sending his former employer invoices for equipment supplies from a shell company called Interactive Systems for four years. Of course, no equipment was actually supplied, but a total of six million dollars was transferred into Interactive System’s accounts. The fraudster was eventually caught out because of simple oversight: four of the 52 invoices were in the MS Word .doc format, and the metadata listed the author as KABBAJ.

Besides the police, malicious actors can also use metadata. In 2016, we conducted an experiment to try to determine a person’s location from a single photo. For us, this was just a fun exercise, but criminals could have very different motives.

Or consider a slightly more complex scenario: your innocent PDF file somehow ends up in the hands of a malicious actor. How it got there doesn’t matter — let’s say they introduced themselves as your colleague. In this case, the contents of the file may be of no interest to the criminal. What’s important to them, however, is that you’ve already taken the bait (so the attack can continue) and leaked the PDF’s metadata — revealing the software and version you used to create it. With this knowledge, the attacker can send you malware specifically designed to exploit a vulnerability in your particular system. Protecting yourself from this kind of scenario requires a combination of measures: ignoring suspicious messages, removing metadata, and updating your software promptly.

How to remove metadata

You can remove metadata using built-in tools or third-party programs and services. We recommend the former, as then your metadata won’t end up in the hands of third parties this way. Third-party tools act as an extra layer between you and the “cleaned” file. This layer could potentially retain metadata, which criminals could somehow get hold of.

So now let’s look at how to remove metadata from photos and videos, and DOC and PDF files using built-in tools.

Photos and videos

On Windows

In File Explorer, right-click on the file, select Properties, and go to the Details tab. At the bottom of the screen, click Remove Properties and Personal Information, and in the window that opens, either keep the default option Create a copy with all possible properties removed, or manually select the properties you want to remove, and click OK.

On macOS and iOS.

Apple operating systems let you remove or modify the date, time, and geolocation. However, location data is only recorded for photos and videos taken with geolocation services enabled.

To remove or modify metadata on a macOS device, open the Photos app, go to the Image menu, select Location, and click Hide Location. Here you can also Revert to Original Location — which raises the question of where this data is actually stored — or Assign Location to one or more photos after you Copy Location from another photo. Additionally, in the Image menu, you can Adjust Date and Time of the capture.

On an iPhone or iPad, open the Photos app, select the photo to edit, and tap the ⓘ info button, or simply swipe up on the photo. Here, you can Adjust the date, time, and location. For location, you can either select No Location or assign any other location to the photo. (This is useful if you’re posting photos taken in a studio near your home, while pretending to be in, say, Maldives.) To edit multiple photos at once, select them all, tap the three-dot button (…), then choose Adjust Date & Time or Adjust Location.

On Android

On Android devices, you can remove or modify location data using the Google Photos app. Select the photo or video, tap the three-dot More icon, select Edit, and tap Remove location.

DOC files

If you’re using Word, go to the File tab and select Info. Then click Check for Issues, followed by Inspect Document and Inspect. Under Document Properties and Personal Information, click Remove All.

Windows users can also remove DOC file metadata using File Explorer, just as they would with photos and videos.

PDF files

If you’re using Adobe Acrobat, go to File, then Document properties, and select Description. In the window that opens, you can manually edit the author, subject, keywords, and title of the document. Clicking Additional Metadata opens a window displaying all the document’s metadata.

You can also remove PDF metadata using File Explorer in the same way as for photos and videos.

Security Measures

So, what’s the main way to protect yourself from malicious actors exploiting your metadata? Two words: exercising caution. In addition, for maximum security, follow these extra precautions:

• Set your social media profiles to private. This way, attackers won’t be able to use the metadata from your old photos and videos.
• Use a comprehensive security solution. It will act as a safety net — protecting your payment and personal data even if you fall victim to a cybercriminal.
• Remove metadata regularly. At first, this may seem like a lot of extra work just to send a simple selfie, but over time, removing metadata will become second nature.

Kaspersky official blog – ​Read More