The Cybersecurity and Infrastructure Security Agency (CISA) has recently alerted users to multiple vulnerabilities in Apple products following the release of vital security updates on October 28, 2024. These Apple vulnerabilities could potentially allow cyber threat actors to exploit weaknesses in the software, emphasizing the importance of timely updates for safeguarding systems. Apple product users and administrators are urged to review the advisories and promptly apply the necessary updates.
These updates address vulnerabilities that could potentially expose users to several risks, ranging from unauthorized access to sensitive data to the possibility of complete system control. The products affected by these updates encompass a wide range of operating systems and devices, including iOS and iPadOS versions 18.1 and 17.7.1, macOS versions Sequoia 15.1, Sonoma 14.7.1, and Ventura 13.7.1. Additionally, Safari 18.1, watchOS 11.1, tvOS 18.1, and visionOS 2.1 are also included in this critical update cycle.
Key Apple Vulnerabilities Addressed
These Apple vulnerabilities highlight the ongoing need for users to remain vigilant and ensure their devices are updated to protect against potential threats.
iOS 18.1 and iPadOS 18.1
The advisory reports on affected devices, including the iPhone XS and later models and various iPad models starting from the 7th generation onward. This update specifically addressed several Apple vulnerabilities, enhancing the security of these devices.
Accessibility Issues (CVE-2024-44274): Physical access to locked devices could expose sensitive information. The fix involves improved authentication mechanisms.
App Support (CVE-2024-44255): Malicious applications may exploit shortcuts without user consent. Enhanced path handling has been implemented to mitigate this risk.
CoreMedia Playback (CVE-2024-44273): Vulnerabilities that allow malicious apps to access private information have been addressed through better symlink handling.
CoreText (CVE-2024-44240, CVE-2024-44302): Enhanced checks have fixed issues with malicious fonts that could disclose process memory.
Foundation (CVE-2024-44282): Improved input validation addresses vulnerabilities that could leak user information while parsing files.
Additional vulnerabilities, including those related to ImageIO and the kernel, have also been patched.
Safari 18.1
The Safari update was released on October 29, 2024, and it supported macOS Ventura and macOS Sonoma. This update was designed to address critical issues that could impact user security and functionality within the Safari browser.
Security Vulnerabilities (CVE-2024-44259): Attackers could misuse trust to download malicious content. The fix includes improved state management.
Private Browsing Leakage (CVE-2024-44229): Potential leakage of browsing history in private mode has been resolved with additional validation measures.
macOS Sequoia 15.1
The Apple security update advisory for macOS Sequoia 15.1 addressed vulnerabilities that affected a range of services. By resolving these vulnerabilities, this update enhances overall security and functionality for users.
Apache Vulnerabilities (CVE-2024-39573, CVE-2024-38477): Multiple issues in Apache software impact several Apple projects.
CoreServicesUIAgent (CVE-2024-44295): Enhanced checks prevent unauthorized modifications to protected file system areas.
watchOS 11.1, tvOS 18.1, and visionOS 2.1
Each update features enhancements designed to mitigate vulnerabilities similar to those addressed in previous iOS and macOS releases. For example, the updates incorporate measures that strengthen security across various functionalities, ensuring users are better protected against these Apple vulnerabilities.
CoreMedia Playback (CVE-2024-44273): Ensures that applications cannot access private information through improved symlink handling.
CoreText (CVE-2024-44240, CVE-2024-44302): Fixes related to malicious fonts that could disclose sensitive data.
Recommendations for Users and Administrators
To mitigate the risks associated with these Apple vulnerabilities, CISA advises users to take the following actions:
Immediately apply the latest security updates for all affected Apple products. This is crucial to protect against potential exploitation.
Regularly review and update security settings on devices to ensure they align with best practices.
Provide users with training on recognizing phishing attempts and the importance of not clicking on suspicious links or downloading unverified applications.
Enhance overall security posture by utilizing additional security measures such as firewalls, antivirus software, and intrusion detection systems.
Conclusion
CISA’s recent advisories concerning vulnerabilities in Apple products highlight the critical need for users and organizations to prioritize security updates. With the potential for severe consequences arising from these vulnerabilities, including unauthorized system access and data breaches, timely application of the Apple security update is essential.
Organizations and individual users alike must remain vigilant and proactive in maintaining the integrity of their systems. By promptly addressing vulnerabilities and adhering to best security practices, they can reduce the risk of exploitation and protect sensitive information from cyber threats.
For comprehensive details on each vulnerability and their respective fixes, users are encouraged to consult Apple’s official security documentation and the latest advisories from CISA regarding Apple vulnerabilities.
In this article, we’ll explore the most common types of protectors—packers and crypters—along with simple ways to detect and remove them.
We’ll also introduce some useful tools to simplify the process and improve your malware analysis skills.
What Are Protectors and What Types Are There?
Protectors are tools designed to complicate code analysis, making it harder to detect and examine malware. Two of the most common types of protectors are packers and crypters.
1. Packers
Packers are utilities that package one or more files into a single executable, often adding compression. This process makes static and dynamic detection more difficult, a tactic many types of malware exploit.
Certain malware, like those written in scripting languages (e.g., Python or JavaScript) or relying on non-standard libraries, require packing to function properly by including interpreters and necessary libraries.
Classic examples of packers include installers like NSI and MSI, UPX, MPress, and self-extracting archives (SFX) made with tools like 7zip or WinRAR.
Packers generally don’t protect application data, making it relatively easy to extract them at runtime in a sandbox or remove the packer using static tools.
2. Crypters
Crypters take protection a step further by encrypting the executable’s contents, often adding layers of packing and obfuscation. Designed to obscure code, crypters make analysis more complex and time-consuming. Examples of crypters include NetReactor, Themida, and VmProtect.
Main Protection Methods of Crypters:
Dynamic unpacking in memory to avoid leaving any disk trace.
Encryption of files, data, and code, with decryption at runtime.
Code Obfuscation: Changes the structure and sequence of instructions, transforming (meta)data into unreadable or meaningless characters.
Virtualization: Transforms code into pseudo-instructions that are either regenerated or interpreted at runtime.
Note that without virtualization, code is usually weakly protected and can often be restored to its original or near-original state.
Identifying Packers: Simple Techniques and Useful Tools
Detecting packers can be simplified with a few straightforward techniques and specialized tools like DiE (Detect It Easy). DiE notifies users when a packer is detected, making it a quick solution for initial identification.
Let’s consider the following sample. When analyzing it with DiE v3.10, we can observe the presence of the MPRESS packer.
The results of DiE analysis, revealing the packer MPRESS
Opening the sample in DiE reveals section names that indicate packing.
Section demonstration in DiE with names MPRESS1 and MPRESS2
Packers like UPX and MPRESS often create sections with distinctive names, such as MPRESS1 and MPRESS2, which help analysts identify their usage.
We can also examine PE (Portable Executable) information in the Static Discovering window inside ANY.RUN sandbox. This provides further details to help identify these packers and their specific characteristics.
Demonstration of UPX0 and UPX1 in Static Discovering section
We can identify UPX through section names. In certain cases, packers like VMProtect and Themida can also be identified by their distinct section names.
The .vmp0 section characteristic of VMProtect.
Sections, such as .vmp0, indicate VMProtect (see example).
The .themida section characteristic of Themida
Sections, such as .themida or .taggant, signal the presence of Themida (see example).
Try advanced malware analysis with ANY.RUN for free
For instance, packers like Themida/Winlicense often have sections with random names or blank spaces as section names (example). The image below shows that Sections #4 and #5 have random names, while sections #0 and #3 contain blank spaces instead of names.
The presence of a .taggant section is a distinguishing feature
In VMProtect, the section addresses in the file (specifically the PointerToRawData field) are often set to zero (example).
PointerToRawData is set to zero in sections #0 through #5
In the image above, for sections #0 through #5, PointerToRawData is set to zero, which suggests that unpacking occurs dynamically at runtime.
Unusual Imports
The absence or minimal number of imports suggests that libraries are loaded, and their function addresses are acquired dynamically at runtime.
For .NET applications, a single import (mscoree.dll:: _CorExeMain) is typical. In some cases, a unique mix of functions can reveal the application’s intentions.
For instance, let’s open the Static Discovering window inside the ANY.RUN sandbox for this UPX sample and go to the Imports section.
Static discovering in the ANY.RUN sandbox
Then, let’s search for KERNEL32.DLL.
LoadLibraryA and GetProcAddress point to dynamic library loading
The combination of LoadLibraryA and GetProcAddress indicates dynamic library loading, while VirtualProtect may suggest an intention to change memory page protection to executable.
Since only four functions are present here, this combination is unlikely to be coincidental and can signal intentional manipulation for code execution.
High Entropy
For unpacked files, the overall entropy typically ranges from 5 to 6.5. Packed files, however, often exhibit entropy levels above 7, approaching 8 (the maximum entropy for 8-bit data).
High entropy values can indicate packing or encryption, as they suggest a lack of readable patterns within the file.
Static unpacking: The code is processed by the unpacker but not executed. This method relies on analyzing the packed file without running it, allowing for a safer examination.
Dynamic unpacking: The code is executed and preserved by the unpacker in memory. This approach involves running the packed malware in a controlled environment, often in a sandbox, to observe the unpacked code in action.
Dynamic unpacking is the most challenging type of unpacking, as it often requires the use of a debugger and capturing memory dumps.
This approach allows analysts to observe how the code behaves at runtime, but it demands a controlled environment and more advanced tools to monitor and extract the unpacked code accurately.
To make the process of the analysis easier and faster, you can utilize ANY.RUN’s Interactive Sandbox. It provides memory dumps of unpacked and decrypted data, including the decrypted executable payload.
The sandbox generates memory dumps for various processes and makes them available for download, saving analysts significant time and simplifying the analysis process. You can download these memory dumps and analyze them locally.
There are two options for accessing memory dumps generated inside ANY.RUN’s sandbox.
Click the DMP button to access dumps
You can access them by clicking on the DMP button in the process tree section.
Alternatively, you can go to “Advanced Details” of a process that has the DMP icon next to it and navigate to the “Process dump” section, where you can download the dumps.
Let’s now see how you can address different types of packers.
SFX Installers
SFX (Self-Extracting Archives) is an archive format that, when executed, extracts files and can perform specific actions. In most cases, these archives can be unpacked statically with utilities like 7zip or WinRAR.
To see a typical SFX in action, let’s consider the following sample.
Such archives often have a distinctive icon, indicating they are self-extracting executables:
SFX file icon
Use WinRAR to open the archive and view the extraction settings and packed files within the SFX.
Right-click on the file to access the “Open with WinRAR” option
After opening the file, on the right side, you’ll find extraction parameters, file paths, and the primary executable file. On the left, you can view all files packed within the archive.
Contents of SFX file
MSI Files
To unpack MSI files, a common method is using the command line with msiexec /a. However, this method may not work for every file and can sometimes result in errors.
For instance, with the following sample, attempting this command in a sandbox triggers an error (see sandbox example).
Error unpacking MSI
An alternative solution is LessMSI, a specialized tool for extracting files from MSI packages.
The upload button in ANY.RUN lets you add files to a running sandbox section in real time
Upload the LessMSI archive to a virtual machine in ANY.RUN via the upload button.
File demonstration in LessMSI for files packed in an MSI installer
Launch the GUI version of LessMSI and select the MSI file. Next, the program will display a list of files and their paths for extraction.
Nullsoft Installer
Nullsoft installers are often straightforward to unpack using 7zip. By opening these files with 7zip, you can directly access the contents of the installer.
Demonstration of files packed in the installer, along with special directories that start with the $ symbol
Opening the archive in 7zip reveals the files packed within it, including special directories that typically start with the $ symbol.
This approach allows you to explore the installer’s files easily. However, a limitation is that it doesn’t reveal the initial installation parameters, which may be necessary for deeper analysis.
InnoSetup
Unpacking InnoSetup installers requires specialized tools. The unpacking becomes more challenging because these files often contain embedded scripts that control the installation process.
In this case, 2 useful tools can be used:
innoextract: A command-line tool designed to extract files from InnoSetup packages.
innounp: Another tool that offers similar functionality, supporting various versions of InnoSetup.
The archive contains a single directory, which is, in fact, the Nullsoft SFX
Download the EXE file and start the unpacking process.
The $PLUGINSDIR directory with the app-32.7z, containing the application files
When extracting with 7zip, we obtain a folder containing various files, including an archive with a renamed Chromium executable (in this case, Runtime Broker.exe) and its libraries.
The application data in the app-32.7z archive consists mostly of files related to Chromium
The Electron.js application data is stored in the resources directory.
Files in the resources folder
The app.asar file is an archive containing the Electron.js application data.
To unpack it, you’ll need an npm module.
Install npm: sudo apt install npm
Run the following command to extract the archive: npx @electron/asar extract app.asar extracted
If the asar module isn’t already installed, npm will prompt you to install it.
As a result of running the command, the archive will be unpacked into the extracted folder.
Files extracted from app.asar
The node_modules folder contains the Node.js packages, and index.js is the initial script of the application.
UPX
UPX (Ultimate Packer for eXecutables) is a packer for executable files.
Compatibility: It supports only native PE (Portable Executable) applications.
Unpacking: UPX-packed files are often easy to unpack statically using the same UPX utility.
To unpack a UPX-packed file, you only need to use a single command:
upx –d <file>
UPX can be identified by the presence of sections named UPX0 and UPX1 in the file.
First, download the sample and open it in DiE (version 3.10). DiE will indicate the presence of UPX, listing specific indicators.
Some malware samples use older versions of UPX. In such cases, you’ll need the corresponding version to unpack them. DiE suggests the recommended version, which, in this example, is 3.96.
DiE reports the detection of Packer: UPX
To analyze a sample like this, it’s essential to remove the UPX compression; otherwise, the disassembler won’t be able to interpret the code correctly.
For instance, Ghidra—a free disassembler and decompiler—will display multiple errors when importing a compressed file.
During analysis, Ghidra will detect only a single function. The built-in decompiler will report the incorrect code.
In the image above, on the left side, there is a Listing displaying the single function, while on the right side, the Decompiler window shows an error message.
To conduct analysis, download the latest release of UPX from GitHub.
Next, upload the sample along with the upx.exe file (it’s not necessary to upload the entire archive) to the virtual machine.
In the Command line field, enter “cmd” and use Tools collection on the right.
To do this, switch to the Pro mode in the sandbox and select Tools collection. Here, you can either use previously uploaded tools or upload new ones.
Access all Pro features of ANY.RUN sandbox for free
Before starting the analysis, enter the “cmd” command in the Command line field. This will prevent the sample from running automatically and will open the console at the start of the session.
Unpack the UPX archive and enter the following command in the console:
<path_to_upx>upx.exe -d <filename>
As a result of the command execution, the file will be overwritten with the decompressed version.
UPX confirms a successful unpacking; the file has been overwritten
To ensure the unpacked sample is functioning correctly, let‘s run it in a sandbox.
The sample did not crash and is successfully sending network requests.
When clicking the PE button, the Static Discovering window opens, where we can observe a different hash.
Static analysis of the unpacked file
The Static Discovering window for the unpacked file, shows the name under which it was saved to disk. We can see a decrease in entropy, an increase in file size, and a different hash value.
Now, Ghidra can handle this file without any issues.
Ghidra successfully disassembled the file and identified the library functions
In the Listing section, we see numerous references and functions, and the Decompiler window displays the correct code.
The same process can be done on a physical machine, as UPX does not execute code during unpacking.
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
AutoIt
AutoIt is often used as a crypter. The simplest way to detect AutoIt is by checking the file description. To do this, go to the Main tab in the Static Discovering window inside ANY.RUN and scroll down.
You may find different mentions of AutoIt in the description.
Here is another example. Usually, such a file is an AutoIt interpreter bundled with a script.
In some cases, a deeper examination is required. Let’s look at the following example.
ANY.RUN automatically add AutoIt tag to the session
In this example, AutoIt was detected by ANY.RUN’s sandbox. Let’s confirm this in DiE.
DiE reports the detection of an AutoIt signature
To extract and decompile the script, we can use AutoIt-Ripper.
Let’s install it using pip install autoit-ripper.
The latter is quite easy to use:
autoit-ripper <file> <output_dir>
As a result of running the command, the restored script is saved to a file named script.au3. Besides, all the associated files were detected and saved.
Now it’s possible to analyze the script’s actions by opening it in a text editor.
In most cases, the scripts are also obfuscated and will require more in-depth analysis
In this example, we see the execution of CL_Debug_Log.txt with specific parameters.
The script drops to disk and modifies asacpiex.dll, saves it as a separate file, and then unpacks it
Opening CL_Debug_Log.txt in DiE reveals that it is a standalone version of 7zip.
The VS_VERSION_INFO can be spoofed, but in this case, all evidence suggests that this file is an archiver
In this way, the malware unpacks the files necessary for its operation. In addition, the script contains checks for execution in a virtual environment.
The script checks information about graphic adapters in the system
It also includes checks for the presence of antivirus software.
The script checks running processes for names that match popular antivirus solutions
NetReactor
NetReactor is a packer and obfuscator for applications written in .NET.
Supports code virtualization.
Files and libraries are not saved to disk but are loaded directly into memory.
Changes the structure of the code, making analysis more difficult.
Most files can be successfully unpacked using NetReactorSlayer, but for the best results, dynamic unpacking is recommended. This method executes the code within the operating system, allowing system functions to be called as needed for a more accurate unpacking process.
Let’s look at an example with the PureHVNC payload.
Next, run the analysis session using dnSpy and NetReactorSlayer.
Before processing, you can see numerous namespaces.
Multiple namespaces are visible
Let’s locate the configuration class.
Open Type References and locate the IPAddress class.
Right-click on it and select Analyze.
In the opened window, click on Used by to find the method where this class is used.
The obfuscated code
We see presence of goto and labels scattered throughout the code to confuse the execution flow
Now, open NetReactorSlayer and select the sample.
There are multiple settings available; the default settings work well for this purpose.
Click Start Deobfuscation and wait for the process to complete.
The program decrypts strings, simplifies the code, and even attempts to remove virtualization.
The file is saved with the suffix _Slayed.
Now, open the received file in dnSpy. As a result, the unnecessary namespaces have been removed.
No excessive namespaces
The classes have been renamed too.
Renamed classes
Next, let’s look for the usage of IPAddress as well.
Now, the goto statements are positioned appropriately, and the labels are no longer scattered
The lengthy class names have been shortened, and the fields have been renamed according to their respective values. The code has become easier to analyze, and string literals are now included.
Often, in addition to being packed, malware is stored in an encrypted form within a special loader (crypter).
This analysis demonstrates the process of extracting the payload using dnSpy.
After execution, the crypter decrypts the payload and performs an injection into the target process.
With the help of dnSpy, let’s attach the debugger to the process. To do this, go to the Debug tab and click on Attach to Process.
Click Attack to Process
Then, choose the process you want.
Pick the process of your interest
Note that to debug 32-bit processes, you should run dnSpy x86, and for 64-bit processes, use dnSpy x64.
Pause the process and open the Modules window.
Click Modules
Right-click on the main module, then select Open Module from Memory.
We see that InstallUtil has been replaced with EMPRESA992
After opening the module, obfuscation can be observed.
Click Save Module and transfer the saved file to the console version of NetReactorSlayer.
As a result, we get the following output.
NetReactorSlayer corrected the entry point, removed unnecessary code, and saved result to disk as InstallUtil_Slayed.exe.
The associated library MessagePack.dll has been saved as a separate file.
MessagePack.dll
Now, the payload InstallUtil_Slayed.exe can be run separately and analyzed through debugging (See sample analysis).
SmartAssembly and Other .NET Packers
Another popular packer for .NET applications is SmartAssembly.
Besides obfuscating the code (which makes the execution order unclear and renames identifiers to unreadable terms), SmartAssembly complicates analysis with a large number of delegates that are resolved at runtime, including those used for decrypting strings.
Let’s open the sample in DiE and confirm the presence of the protector.
We can see how DiE detects Protector Smart Assembly.
Smart Assembly detected by DiE
In the US (User Strings) tab, there is an abnormally small number of strings.
Let’s switch to dnSpy.
Upon opening the sample, you will immediately notice an attribute indicating the presence of the SmartAssembly protector.
You will also notice the characteristic namespaces associated with SmartAssembly.
These artifacts are quite common among protectors, particularly in .NET applications.
Next, click on Go to Entry Point.
In this case, while the code (control flow) is not obfuscated, the strings are obtained through a delegate call with a numeric argument.
We see a call to Console.WriteLine that displays the result from a delegate using a numeric argument.
Earlier, we used NetReactorSlayer to remove the protector.
While it is a specialized tool, it can also be used for general purposes, such as simplifying code, though with some limitations.
Let’s try to simplify the code using NetReactorSlayer.
While this tool simplified the code readability, it was unable to decrypt the strings.
In the simplified code, the purpose of the delegates used in Console.WriteLine is clear
Now, let’s use another tool—de4dot—which is also part of what NetReactorSlayer uses for code simplification. You can also utilize de4dot-cex, which is the improved version of de4dot.
For this case, we will use de4dot to remove SmartAssembly.
As a result, the file is processed in a similar way.
de4dot and NetReactor simplify names in the same way
However, the string encryption has also been removed.
The GetString delegates have been replaced with string literals.
In DiE, you can view all the decrypted strings.
The processed file often retains functionality and can make runtime analysis easier.
de4dot works with many other protectors and can simplify code analysis.
If de4dot doesn’t succeed, try using NetReactorSlayer, which may be more effective at further simplifying complex code.
However, for older versions of NetReactor (below 6.0), de4dot remains the preferred option.
Themida, VMProtect
Themida and VMProtect are packers and obfuscators for applications that support virtualization and code mutation.
Virtualization: This feature protects the malware code at runtime, not just in static analysis.
Extracting Samples: In most cases, virtualization is not applied, allowing an unpacked sample to be extracted from memory, though it may be partially modified.
Static Unpacking: This is generally unlikely, as these commercial packers adapt quickly to new analysis methods.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds.
Interact with samples in real time.
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 13:06:402024-10-30 13:06:40Packers and Crypters in Malware and How to Remove Them
The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain.
Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.
Executive Summary
Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using “rundll32.exe”.
The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello.“
In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry.” By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products.
Technical Details:
The Strela Stealer campaign begins with a carefully crafted phishing email written in German, with a theme designed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.
Figure 1 – Phishing Email
Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.
The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.
Figure 2 – JavaScript File
The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.
Figure 3 – IDA graph view
Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.
Figure 4 – Key present in DLL file
The code below demonstrates the use of XOR and other arithmetic operations for decryption.
Figure 5 – Decrypting the MZ header
The image below displays the decrypted MZ content.
Figure 6 – MZ Header
The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Sterla Stealer, a malware active since April 2022.
Here we compared the previous version of Sterla Stealer with the new one.
Campaign Identified in 2022
Campaign Identified in March 2024
Latest Campaign
No code obfuscation
Employed control flow obfuscation
Employed control flow obfuscation
No decryption of PE file from DLL file
Decrypts a memory mapped PE file
Decrypts a memory mapped PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file
Strela string is removed
PDB path is present
No PDB path
No PDB path
Export function name: Strela
Export function name: hello
Export function name: Entry
Drops payload from ISO
Drops payload from ZIP
Executes payload from WebDAV Server
While the Strela stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.
Figure 7 – Fake error message
Next, the stealer obtains the locale settings from the victim’s machine by utilizing the GetKeyboardLayout API and comparing the results to the specific hardcoded Language identifiers mentioned below.
0407 – German (Germany)
0C0A – Spanish (Spain)
042D – Basque (Spain)
If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.
Figure 8 – Locale Check
Targeting Thunderbird
The malware scans for Thunderbird profiles and collects “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.
Figure 9 – Targeting Thunderbird profiles
Targeting Outlook
To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:
Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.
Gathering System Information
Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.
Figure 10 – Gathering systeminfo
In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.
Figure 11 – Data Exfiltration
In its final steps, the malware utilizes a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server. By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.
Conclusion
The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.
Cyble’s Threat Hunting Packages
At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware.
In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the Organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics.
For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.
Recommendations
Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 13:06:392024-10-30 13:06:39Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV
In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka “BugSleep“). This remote access tool (RAT) gives operators reverse shell and file input/output (I/O) capabilities on a victim’s endpoint using a bespoke command and control (C2) protocol. This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.
Key findings
BugSleep implant implements a bespoke C2 protocol over plain TCP sockets.
BugSleep operators have demonstrated multiple file-obfuscation techniques to avoid detection.
BugSleep implements reverse shell, file I/O, and persistence capabilities on the target system.
Sending and receiving data
This blog will use sample b8703744744555ad841f922995cef5dbca11da22565195d05529f5f9095fbfca for analysis. Two of the lowest functions in the C2 stack, referred to as SendSocket (FUN_1400034c0) and ReadSocket (FUN_140003390), are very light wrappers for the send and receive API functions and handle payload encryption. They include some error handling by attempting to send or receive data 10 times before failing.
This protocol uses a pseudo-TLV (Type Length Value) structure with only two types: integer or string. Integers are sent as little-endian 4- or 8-byte values, and strings are prepended with the 4-byte value of its length. Payloads are then encrypted by subtracting a static value from each byte in the buffer (in this sample it is three).
Type
Value
Plain text
Cipher text
IntegerMsg
6
06 00 00 00
03 FD FDFD
StringMsg
Talos
05 00 00 00 48 65 6C 6C 6F
02 FD FDFD 51 5E 69 6C 70
Figure 1: Example of data encryption used by BugSleep
There are two main functions for handling C2 communications: C2Loop (FUN_1400012c0) and CommandHandler (FUN_1400028a0). C2Loop is responsible for setting up socket connections with the server and sending a beacon, while CommandHandler is responsible for processing and executing commands from the server.
After setting up the socket connection, the implant beacons (FUN_140003d80) to the C2 server for a command. The beacon is a StringMsg in the form ComputerName/Username. If the server responds with an IntegerMsg equal to 0x03, BugSleep will terminate itself. We suspect this is remnants of an old kill command or an emergency kill without the overhead of reading the real kill command later.
Each BugSleep command is sent as an IntegerMsg after the beacon response. The following enumeration defines all the command IDs discovered.
Figure 2: Command IDs used by implant
Phoning home
The implant communicates using plain TCP sockets, which can be seen using a Netcat listener and Wireshark.
Figure 3: BugSleep beacon as seen through Wireshark.
Recalling the message encryption demonstrated in Figure 1, the beacon can be decrypted with a little bit of Python (Figure 4). This will be used again when building the rest of the C2 server.
Figure 4: Decoding beacon data
Python C2 server
With an understanding of the protocol basics, it is time to start building the C2 server. Full source code can be found here.
Beacon
As mentioned earlier, the BugSleep beacon function sends a StringMsg and reads an IntegerMsg response from the server. Since the IntegerMsg returned can be anything but 0x03, we returned the length of the Computer Name/Username string received by the server.
Figure 5: Output from C2 server receiving beacon data
Ping command
The simplest command to implement is the Ping command. It has the command ID of 0x63 (BugSleep subtracts one from whatever ID it receives). The code is simple: send back 4 bytes.
Figure 6: Switch case for handling ping command
Once the beacon comes in, the server is responsible for:
Sending 4 bytes for beacon response
Sending 4 bytes for Ping command ID
Reading 4 bytes of Ping data
The ping command was observed sending back 4 bytes recently allocated on the heap, so it’s not guaranteed to know what that data looks like. To validate things are really working, a breakpoint can be set in WinDbg and memory set manually before being sent.
Figure 7: Confirming 0xdeadbeef written to memory is received by the server in a Ping command
File commands
The next set of commands are responsible for downloading files onto the compromised system or uploading files to the C2 server (PutFile and GetFile, respectively). These commands are inverses of each other, so only the GetFile command will be discussed in detail. The methodology was to trace each call to SendSocket or ReadSocket and implement the response for that call in Python. In CommandHandler, the implant reads the length and value off the wire. This is the file to be retrieved.
Figure 8: GetFile reading path string length and path string from socket
The CmdGetFile function opens the target file and chunks it over the socket one page at a time. The list of SendSocket calls is as follows:
Figure 9: SendSocket calls made by CmdGetFile function Figure 10: Example C2 server output from GetFile command
The PutFile command differs slightly from the GetFile command with how it uses pointer math to process incoming pages.
Figure 11: Tricky file pointer math
This translates to each page starting with a 4-byte page number followed by 1020 bytes (or 0x3fc) of file data, which the GetFile command does not do; it sends full 1024-byte pages of file data without page numbers.
Reverse shell
The last command is the reverse shell. This is the most complex because it requires many reads and writes over the socket. The disassembly is rather long and difficult to keep track of the socket calls, so we have omitted it. Effectively, the implant spawns a cmd.exe process (FUN_1400016e0) and reads the command to execute from the socket. The shell command and its output are marshaled between the processes via pipes during the session. The complexity of this operation comes from BugSleep incrementally reporting return values from pipe API calls while attempting to read shell output (FUN_140003840). The implant will enter this loop of reading commands and sending output until it receives the string “terminaten”.
Figure 12: Example output from C2 server running the reverse shell command
The rest of the commands are less complex but have been implemented and are viewable here.
Snort detection
This server gives Talos the ability to emulate any number of conversations between BugSleep and its operators. This traffic is crucial for writing and validating our detections’ performance in the wild.
The initial candidate for detection would be the beacon. It is the first opportunity to shut down communications, isolating any BugSleep instance from receiving commands. It was observed that each beacon has the form of <len><data>, where data is sub_string(COMPUTER_NAME + “/” + USERNAME, 3). This string is not long or static, which makes it a poor candidate for a fast_pattern; however, recall that each beacon is prepended with a 4-byte length of this string. A Computer Name/Username string from any given victim is unlikely to be longer than 255 characters. This means most length fields are going to look like |XX 00 00 00| or |XX FD FD FD| when encoded. This could be a quick match, early in the stream, at a static offset, making it a decent fast_pattern candidate.
Figure 13: Detecting higher order encoded zero bytes of beacons sent from BugSleep
This will work but is likely to cause false-positives (FP) in the wild. Every sample of BugSleep was seen using port 443. The implant is also reaching outside the network to a C2 server, so traffic to be inspected by this rule can be reduced using the following header:
Figure 14: Restricting rule to inspect traffic leaving the network to port 443
The flow:to_server,established option can be used to restrict Snort to data coming from a client over established TCP streams. The FP-rate on this rule still isn’t great. Any TCP traffic leaving the network on port 443 with |FD FD FD| at offset 1 will alert. That might sound unique, but it does not indicate with confidence that the traffic is a BugSleep beacon.
One powerful tool in Snort to add more logic or state to rules is flowbits. These allow a writer to have a sense of state within a stream across multiple rules. In this case, the beacons aren’t enough to reliably alert on. What if we use flowbits to chain beacons with the commands being sent back? The commands themselves don’t provide much content, as they are variable length non-deterministic strings (e.g., get, put, etc.) or a nondeterministic 4-byte integer (e.g., heartbeat, increment timeout, etc.). They do, however, all start with a 4-byte command ID. Setting a flowbit when a beacon leaves the network will allow another rule down the line to alert with higher confidence if it sees a command ID come back in the same stream.
Command rules
The pcre rule option can be used to reduce 11 rules down to one. Like the beacon rule, the three zero bytes, encoded as |03|, can be used as a fast_pattern. Once the rule has entered, the bugsleep_beacon flowbit check can be performed to help the rule exit quickly in the event of a false positive. After the three |03| bytes are confirmed to be at offset five, a PCRE can verify one of the command IDs is present.
Figure 15: Snort rule for detecting BugSleep command sent from C2 server
Sharp edges
Sometimes, we are reminded that Snort can handle or interpret data differently than expected. Conveniently, this sample’s traffic was a perfect example and opportunity to peek under the hood and see what Snort sees. Originally, our beacon rule looked like this, trying to catch the encoded forward-slash that is always present in the Computer Name/Username string (encoded as a comma).
Figure 16: Beacon rule attempting to catch forward-slash in Computer Name/Username string
Recall that the implant will:
Connect to the server
Send a string length (4 bytes)
Send the PC/User string N bytes
Read 4 bytes back to ensure a response
Read 4-byte command ID and N command data bytes
Start sending command responses
As Snort is reading data over the wire, it is interpreting it and sorting it into different buffers (pkt_data, file_data, js_data, http_*, etc.). In this case, as TCP data is being chunked along the wire, Snort is looking at those individual TCP segments. Only after it has enough data will it flush into the larger “TCP stream” buffer so a rule can parse the entire stream sent from a client or server.
Initially, the get command traffic was alerting while the put command traffic was not. Fortunately, Snort 3 comes with a tracing module to help debug these issues. The buffer option will print out Snort’s different buffers as they are filled and rule_eval will trace the rule as it is evaluated. The following screenshots are output from individual runs of Snort against each PCAP. “snort.raw” represents an individual packet, while “snort.stream_tcp” represents a reassembled TCP stream.
At the start of the working GetFile command, the beacon size and data can be seen as two separate packets (Figure 17).
Figure 17: Individual beacon packets being processed by Snort
Further down, the reassembled TCP stream can be seen being inspected and alerted on. Moving from the top to bottom in Figure 18, the cursor position and state of the buffer can be observed changing as the rule is evaluated. At the end, the flowbit is set and made available for the command rule.
Figure 18: Snort trace output setting flowbit for BugSleep beacon
Further down, the TCP stream for the command data is processed. The higher-order zeroes of the command are found, the flowbit checked, the PCRE performed, and the SID alerts as expected.
Figure 19: Get file command rule alerts on traffic as expected
When the results of the put file command traffic are inspected, a different behavior is observed. The individual packets for beacon length and beacon data are seen coming in; however, the first reassembled TCP stream that Snort is inspecting is the command being sent back to the implant. Figure 20 shows the command ID being found and then the flowbit check failing.
Figure 20: Put file command traffic failing flowbit check
Scrolling further in the log reveals the TCP stream for the beacon data is eventually populated and Snort sets the flowbit as expected. The stream for the command ID, however, has already passed and failed analysis because of the unset flowbit, resulting in no alert. The cause of this issue is the raw packets coming from the client not being reassembled into a TCP stream by the time the server packets are reassembled and inspected. This happens because Snort only reassembles when it has enough data, and 20 bytes is not enough yet.
The fix
Unfortunately, the beacon rule must be tweaked so it can alert as soon as possible and not rely on the TCP reassembly. Recall that the beacon function invokes SendSocket twice, once for 4-length bytes and again for the beacon data. This means the first packet Snort sees will only be 4 bytes long. Adding “bufferlen:=4” restricts Snort to only look at 4-byte packets, significantly reducing any FP rate. Our solution ended up being this:
Figure 21: Fixed beacon rule looking for 4-byte length segments
Now the rules work as expected!
Figure 22: Snort output alerting on traffic from all BugSleep commands
Conclusion
Since BugSleep is a new implant and weekly releases were observed being deployed, this protocol might change and bypass these rules. However, two things have been accomplished:
This variant will no longer communicate over our customers’ networks.
Attackers must invest development time and money to use BugSleep again.
The published Snort SIDs covering this traffic are 63937 and 63938.
Indicators of compromise
Hosts:
1[.]235[.]234[.]202
146[.]19[.]143[.]14
46[.]19[.]143[.]14
5[.]239[.]61[.]97
Hashes
The following Windows executables were collected during our research. Assuming these have not been manipulated, the compilation time for this set of binaries indicates weekly releases of BugSleep.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 10:06:312024-10-30 10:06:31Writing a BugSleep C2 server and detecting its traffic with Snort
Subscriptions are everywhere these days. So much so, it’s becoming increasingly difficult to keep track of them all. More often than not, we drastically — by more than 2.5x! — underestimate how much we spend, because those small recurring charges fly under the radar and don’t add up to a clear picture in our minds. Yet, statistics* show that many users in developed countries spend annually the equivalent of a month’s salary on subscriptions.
Our research* indicates the average subscriber globally spends $938 annually on 12 subscriptions. Leading the pack are US residents — averaging 18 subscriptions totaling $2349 per year. Brazilians, Indians, and Russians average around 10 subscriptions — costing them $732 annually. Turks get the best deal, spending just $478 for 12 subscriptions.
Why such a disparity? The average cost of a single subscription in the US, Germany, and the UK ($12/month) is three times higher than in Russia ($4/month).
The average annual spend on subscriptions is comparable to a month’s salary
The US government has even taken notice of this subscription management conundrum, recently announcing an initiative to simplify canceling unwanted services. But how did these subscriptions come to permeate every aspect of our lives?
The rise of subscription services
Historically, subscriptions have been a niche market since at least the 17th century — when people could pay a monthly fee for regular publications like newspapers, magazines, or book collection volumes. Even daily milk delivery — common in some countries since the mid-19th century — could be considered a subscription of sorts.
Cable television — offering hundreds of channels packed with movies, series and shows — reigned supreme as the most popular subscription of the late 20th century. When Netflix arrived, it didn’t need to reinvent the wheel — the audience was already primed.
Dollar Shave Club pioneered applying this business model to everyday goods. Since 2011, it’s delivered monthly shaving kits at prices significantly lower than retail. The company received 12,000 orders within the first 48 hours of its launch.
Over the past decade, subscriptions have expanded to encompass practically everything — from weekly meal kits and daily fresh socks to… monthly deliveries of real animal bones for collectors and accessories for backyard chicken farmers.
Among the strangest subscriptions are cooking kits with recipes and vinyl records, and even houseplants — delivered monthly
Subscriptions weren’t initially popular in the software world. Most applications were sold in beautiful boxes, on floppy disks or CDs, requiring a hefty one-off payment. But once purchased, you could use the application indefinitely. The few exceptions to this rule were applications needing frequent updates, such as antivirus software, which adopted the subscription model back in the 1990s.
Subscriptions began to penetrate the software sphere with the rise of cloud services, which store user data on the providers’ servers: Dropbox, web hosting, and so on. Here, recurring payments made sense. However, software companies then realized that recurring payments ultimately generate more revenue than one-time purchases. As a result, they started shoehorning the subscription model onto services that didn’t inherently require regular updates or ongoing vendor involvement. Today, you can subscribe to traditionally “boxed” products like office suites, as well as gaming services, music services, and much more. There are even blatantly exploitative offers like a subscription-based calculator.
“Multi-subscriptions” bundling various services under a single payment are gaining traction. Sometimes these services are at least related — like Microsoft 360, but there are also more complex hybrids like Amazon Prime, which combines free shipping, movies, music, games, discounts on groceries, fuel, medications, and much more. Seemingly convenient, it makes evaluating and managing these subscriptions even more complex.
The most popular subscriptions worldwide
The number of subscriptions per person will likely continue to rise as the vast majority of new software products are released exclusively under a subscription model. Subscription prices are also steadily increasing — over the past two years, the cost of some subscriptions has increased by nearly a third. That’s why subscriptions need to be monitored carefully.
Why managing subscriptions is difficult
With subscriptions so ubiquitous, managing them becomes another basic healthy habit akin to daily exercise or meticulously tracking finances. Not everyone is up to the task. Several technical and psychological factors make it easier to let subscriptions run wild than to actively manage them.
Forgetting to unsubscribe. The very thing that attracts app and service creators to subscriptions is a drawback for customers. It’s not often that people decisively tell themselves, “I’m done with this service!” They typically just use it less and less, eventually forgetting about it for months. Meanwhile, the charges continue. According to various sources, users spend from £39 to $133 monthly on unused subscriptions.
Accumulated data. Migrating data accumulated within a service can be a major hassle. Even after deciding to unsubscribe, people continue paying to avoid losing their data. Sometimes the need for migration dawns just days before renewal, leading users to pay for another year just to buy time for data export.
Duplicate features. For example, subscribing to both Microsoft 365 and Dropbox essentially results in paying twice for cloud storage, as Microsoft 365 includes a direct alternative to Dropbox called OneDrive.
Duplicate subscriptions. Confusing interfaces or poor communication between family members can lead to multiple subscriptions for the same service. Different devices may have different accounts for the same service — each incurring separate charges.
Difficult cancellation process. Some services make unsubscribing incredibly complicated, so frustrated users keep putting it off. As a result, subscriptions can linger around for months or even years, completely unused — but paid for. That’s why the US government decided to step in to streamline cancellation, requiring companies to make it just as simple as subscribing and to make contacting a live support agent easier.
How to get your subscriptions under control
One way to organize your digital life in a subscription-driven world is to cultivate the good habit of diligently documenting your household’s subscriptions as soon as they’re activated and periodically making sure they’re still in use. Even more critical is analyzing every service before subscribing. Will you really be using it regularly? Is pay-as-you-go, or even better, a one-time purchase available? Service and app providers tend to loudly advertise subscription options on their websites while burying alternative payment options like one-time purchases. If you can’t find them, a site-specific Google search may help — just be sure you’re purchasing legitimate software from the official website and not malware from a fake site.
When it comes to “subscription accounting”, the dedicated subscription management service SubsCrab can help. It keeps track of all your subscriptions and sends advance notifications about upcoming payments and subscription expirations. The hardest (and most tedious) part of keeping track of subscriptions is recording them immediately, but SubsCrab can help with this, too. You can connect it to your mailbox, and in some countries to incoming bank statements, and it will automatically scan these sources to detect new subscriptions. This way, all your services will gradually be accounted for, including forgotten ones — and unexpected bank charges reduced. Additionally, SubsCrab lets you manually add other recurring payments, like a mortgage. For more details on the features and settings of SubsCrab, check our review.
Make sure to let your family members know about the new system, and regularly review your subscriptions to cancel those that are no longer needed. Before renewing a subscription, be sure to check the SubsCrab app — it tracks special offers and promo codes, helping you make significant savings on renewals.
* Statistics are based on anonymized data from SubsCrab users (over 150,000 users worldwide, excluding China, from January 2023 to August 2024). This may not reflect the entire market but is representative of a certain audience of users who actively track their subscriptions.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 10:06:312024-10-30 10:06:31How to stay on top of your subscriptions and save money | Kaspersky official blog
You may not always stop your personal information from ending up in the internet’s dark recesses, but you can take steps to protect yourself from criminals looking to exploit it
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 08:06:592024-10-30 08:06:59Don’t become a statistic: Tips to help keep your personal data off the dark web
The Ransomware Vulnerability Matrix, a vital repository on GitHub, represents a new step forward in understanding ransomware vulnerabilities. This invaluable repository catalogs known Common Vulnerabilities and Exposures (CVEs) that ransomware groups exploit, providing insights into ransomware types, vulnerable technologies, and the threat actors involved, including ransomware gangs, affiliates, and state-backed actors.
The Ransomware Vulnerability Matrix serves as a critical resource for cybersecurity professionals tasked with prioritizing threats and assessing exposure to ransomware vulnerabilities. Each entry within the matrix details the specific ransomware gang that exploited a particular CVE, links to verification sources, and includes crucial data about the affected technologies. By compiling this information, the matrix aids teams in tracking and mitigating ransomware vulnerabilities effectively.
By providing detailed insights into ransomware vulnerabilities, the matrix highlights the methods and tools employed by ransomware operators, offering a framework for assessing risks and enhancing defenses.
Detailed Vulnerability Insights
The matrix encompasses a wide array of products and corresponding CVEs exploited by various ransomware groups. Here are a few notable entries:
Adobe ColdFusion
CVE(s): CVE-2023-29300 & CVE-2023-38203
Ransomware Group(s): Storm-0501
Source(s): Microsoft
Apache ActiveMQ
CVE(s): CVE-2023-46604
Ransomware Group(s): RansomHub
Source(s): CISA
Atlassian Confluence
CVE(s):
CVE-2023-22515 (RansomHub)
CVE-2023-22518 (Cerber)
CVE-2022-26134 (Cerber)
These entries not only identify the vulnerabilities but also the associated threat actors, underscoring the complex landscape of ransomware attacks. For instance, the notorious group LockBit has leveraged vulnerabilities in Apache’s Log4j, specifically CVE-2021-44228, to facilitate their attacks.
Implications of Ransomware Vulnerabilities
Ransomware vulnerabilities pose significant risks to organizations, as they can lead to data breaches, operational disruptions, and financial losses. Ransomware gangs exploit these vulnerabilities to infiltrate systems, encrypt critical data, and demand ransoms for decryption keys. Understanding the specific CVEs associated with ransomware attacks allows organizations to implement effective cybersecurity measures.
State-backed actors also play a crucial role in the ransomware ecosystem. Their involvement complicates the threat landscape, as they often have access to advanced tools and techniques that can bypass traditional defenses. The Ransomware Vulnerability Matrix provides insights into these state-backed threats, helping organizations recognize and prepare for potential attacks.
Recommendations and Mitigations
To leverage the insights from the Ransomware Vulnerability Matrix effectively, organizations should consider the following recommendations:
Continuously update the matrix with data from CVE databases to ensure it reflects the latest vulnerabilities and trends.
Implement a system to categorize the severity of each CVE, allowing teams to prioritize patching efforts based on risk.
Include information on when specific CVEs began to be exploited by ransomware groups, providing context for emerging threats.
Offer specific mitigation recommendations for each CVE, enabling organizations to implement targeted defenses.
Develop a notification system for newly discovered vulnerabilities to keep organizations ahead of potential threats.
Link vulnerabilities to tactics and techniques outlined in the MITRE ATT&CK framework for better threat modeling.
Conclusion
The Ransomware Vulnerability Matrix is an organized and insightful resource that empowers cybersecurity professionals in their fight against ransomware attacks. By detailing known vulnerabilities and associating them with specific ransomware types and threat groups, the matrix enhances the ability to assess risks and prioritize defenses.
By utilizing the Ransomware Vulnerability Matrix, organizations can not only upgrade their defenses but also contribute to the broader fight against the cyber threats posed by ransomware gangs. This proactive approach is essential for protecting networks and ensuring the integrity of vital systems.
CERT-UA, the Cyber Emergency Response Team for Ukraine, uncovered a phishing campaign orchestrated by the threat actor UAC-0215. This campaign specifically targeted public institutions, major industries, and military units across Ukraine.
The phishing emails were cleverly disguised to promote integration with popular platforms like Amazon and Microsoft, as well as advocating for Zero Trust Architecture (ZTA). However, the emails contained malicious .rdp configuration files that, when opened, established a connection to an attacker-controlled server.
This connection provided unauthorized access to a variety of local resources, including disk drives, network assets, printers, audio devices, and even the clipboard. The sophistication of this campaign raises security concerns for critical infrastructure in Ukraine.
Campaign Overview
The campaign was first detected on October 22, 2024, with intelligence suggesting that the preparatory groundwork was laid as early as August 2024. The phishing operation’s extensive reach highlights not only a localized threat but also a broader international concern, as multiple cybersecurity organizations worldwide have corroborated it. The implications of this attack extend beyond individual organizations, threatening national security.
The primary targets of the phishing campaign include public authorities, major industries, and military organizations within Ukraine. This operation is assessed to have a high-risk score, indicating a threat to these sectors. The campaign is attributed to the advanced persistent threat (APT) group known as UAC-0215, utilizing rogue Remote Desktop Protocol (RDP) techniques.
Technical Details
The phishing campaign attributed to UAC-0215 utilizes rogue Remote Desktop Protocol (RDP) files to infiltrate key Ukrainian institutions. The malicious emails are designed to appear legitimate, enticing recipients to open attachments that ultimately compromise their systems. When a victim unwittingly opens the .rdp configuration file, it connects their computer to the attacker’s server, granting extensive access to critical local resources, including:
Disk Drives
Network Resources
Printers
COM Ports
Audio Devices
Clipboard
This access allows the attackers to execute unauthorized scripts and programs, further compromising the system.
Conclusion
The intelligence gathered suggests that the UAC-0215 campaign extends beyond Ukrainian targets, indicating a potential for broader cyberattacks across multiple regions, especially amid heightened tensions in the area, including recent cyberattacks on Ukraine that have garnered international concern.
This campaign highlights the growing sophistication of phishing tactics employed against Ukraine, as the attackers exploited RDP configurations to gain significant control over critical systems within public and industrial sectors, jeopardizing sensitive information and operational integrity.
Recommendations and Mitigations
To mitigate the risks posed by UAC-0215 and similar threats, organizations are advised to implement the following strategies:
Establish better filtering rules at the mail gateway to block emails containing .rdp file attachments. This measure is critical in reducing exposure to malicious configurations.
Limit users’ ability to execute .rdp files unless specifically authorized. This precaution will minimize the risk of accidental executions that could lead to breaches.
Configure firewall settings to prevent the Microsoft Remote Desktop client (mstsc.exe) from establishing RDP connections to external, internet-facing resources. This step will thwart unintended remote access and reduce the potential for exploitation.
Utilize Group Policy to disable resource redirection in RDP sessions. By setting restrictions under “Device and Resource Redirection” in Remote Desktop Services, organizations can prevent attackers from accessing local resources during RDP sessions.
Using Threat Intelligence (TI) feeds in your cybersecurity strategy can significantly impact not only your organization’s security posture but also its business performance. Such an integration brings many benefits that directly and indirectly improve cost-efficiency, operational effectiveness, and strategic decision-making.
Let’s explore these improvements in detail.
Cost Savings and ROI
Investing in TI feeds can lead to significant cost savings by preventing costly data breaches and minimizing the need for reactive security measures. By avoiding breaches, businesses can sidestep the high costs associated with incident response, legal fees, and regulatory fines.
Proactive security measures allow for more efficient use of security budgets by enabling organizations to allocate resources where they are needed most, improving the efficiency of security spend.
Key metrics:
Reduction in incident response costs
Lower cost per security incident
Improved ROI on security investments
Informed Decision-Making
Quality TI feeds provide critical insights that guide better decision-making across the organization, ensuring that security efforts are focused on the most pressing threats. The strategic insights extracted from TI feeds help security leaders make more informed decisions, improving the organization’s risk posture. By identifying the most critical threats, TI feeds allow companies to focus resources more efficiently, reducing wasted security spend.
Key metrics:
Improvement in risk scoring
Reduction in time to detect and respond to threats
Increased efficiency in security spend
Integrate ANY.RUN TI Feeds into your security systems
A company’s reputation is one of its most valuable assets, and Cyber Threat Intelligence feeds help protect this by informing organizations of incidents that could harm their brand image. Early detection of threats reduces the likelihood of incidents that could damage a company’s name and negatively impact shareholder value.
Businesses with strong security postures stand out in the market, appealing to new security-conscious clients and reassuring existing customers, which leads to greater trust.
Key metrics:
Improvement in Net Promoter Score (NPS)
Positive impact on Customer Lifetime Value (CLV)
Better business opportunities
Operational Efficiency
TI feeds also help businesses streamline their cybersecurity efforts by automating threat detection and reducing downtime caused by attacks. Integrating CTI feeds with existing security tools can contribute to wider and more accurate threat detection, as well as better response process, improving mean time to resolution (MTTR).
Key metrics:
Improvement in MTTR
Reduction in system downtime
Increase in operational uptime
Compliance and Reporting
For many industries, regulatory compliance is essential, and TI feeds are a key element of a business’s cybersecurity blueprint for keeping pace with required standards. Apart from improved threat detection, TI feeds help document incidents, enrich security reports, and meet requirements for frameworks like GDPR, HIPAA, and PCI.
Key metrics:
Reduction in non-compliance penalties
Decrease in audit preparation time
Improvement in audit scores
Integrate Cyber Threat Intelligence Feeds from ANY.RUN
ANY.RUN offers advanced Threat Intelligence Feeds that provide accurate and fresh Indicators of Compromise (IOCs) for precise threat identification, including:
Command-and-control (C2) IP addresses: Addresses used by malware to communicate with attackers.
URLs and domain names: Infrastructure associated with malicious activities.
Our feeds data is extracted from millions of sandbox analyses of the latest malware and phishing samples. These samples are publicly uploaded to ANY.RUN by our global community of over 500,000 analysts. The data is carefully processed using advanced algorithms and proprietary technology to reduce false positives.
Our feeds offer more than just simple Indicators of Compromise. They provide direct links to full sandbox analysis sessions. For each indicator, users can view the entire malware interaction, including memory dumps, network traffic, and event timelines.
Try TI Feeds and other Threat Intelligence services from ANY.RUN
In an environment where cyber threats are constantly evolving, Threat Intelligence feeds are invaluable for businesses looking to maintain a strong security posture. From cost savings and better decision-making to brand protection and operational efficiency, TI feeds provide the insights and automation needed to safeguard your business and maintain growth. By integrating TI feeds into your cybersecurity strategy, you can ensure proactive protection and long-term resilience.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds
Interact with samples in real time
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-29 10:06:582024-10-29 10:06:58How TI Feeds Support Organizational Performance
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have launched an investigation into a series of cyber intrusions linked to hackers believed to be affiliated with the Chinese state-linked threat actors.
This investigation follows reports that the phone communications of prominent U.S. political figures, including former President Donald Trump, Vice President Kamala Harris’ campaign team, and vice-presidential candidate JD Vance, have been targeted in a sweeping cyber-espionage effort.
Allegations of Unauthorized Access by Chinese State Linked Threat Actors
The FBI and CISA issued a statement confirming their investigation into “unauthorized access to commercial telecommunications infrastructure” perpetrated by actors associated with the People’s Republic of China, reported CBS News. This response was prompted by specific malicious activities detected within the telecommunications sector, which the agencies say are part of a larger Chinese hacking campaign aimed at gathering sensitive information from high-level U.S. officials.
The agencies emphasized their quick action, stating that upon identifying the threat, they immediately notified affected telecommunications companies, provided technical assistance, and shared crucial information to help potential victims mitigate their exposure.
High-Profile Targets
Reports indicate that the hacking campaign targeted the phone communications of several key political figures, including Donald Trump and JD Vance, as part of a broader strategy to compromise the communications of U.S. officials.
According to sources cited by CNN, the Chinese hackers also sought to infiltrate the communications of senior officials within the Biden administration. The gravity of these allegations raises concerns over the potential for foreign espionage and the safety of sensitive government communications.
Reacting to these findings, Steven Cheung, a spokesperson for Trump’s campaign, criticized the Harris campaign for allegedly “emboldening” China, reflecting the heightened political tensions surrounding the issue. However, it remains unclear whether the hackers succeeded in accessing any specific information from the targeted communications, reported Asian News International.
The Broader Context
The New York Times was among the first to report on this breach, revealing that the hacking effort is part of a wider Chinese campaign that has successfully infiltrated several U.S. telecommunications companies over the past few months.
Investigators believe that these hackers aim to access sensitive national security information, including information on wiretap warrant requests made by the U.S. Justice Department. Notably, there is currently no evidence suggesting that the hackers targeted communications linked to law enforcement activities involving Trump and Vance.
Major U.S. broadband and internet providers, such as AT&T, Verizon, and Lumen, have also been identified as targets in this ongoing campaign.
The Response from U.S. Authorities
In light of these events, U.S. agencies are taking a coordinated approach to combat the threat posed by foreign hackers. CISA reiterated its commitment to working closely with industry partners to strengthen cybersecurity in U.S. elections. They encouraged any organization that suspects it may be a victim of similar attacks to reach out to local FBI field offices or CISA for assistance.
The information about this breach coincides with other cybersecurity threats facing the U.S. political domain. Iranian hackers have also targeted Trump’s campaign, leading to the theft and subsequent publication of sensitive campaign emails.
These hackers, linked to Iran’s Basij paramilitary force, shared the stolen material with a Democratic operative who subsequently published it through various channels. The ongoing conflict between foreign actors and U.S. political campaigns highlights the precarious nature of cybersecurity in U.S. elections.
In a related investigation, the hacking group known as Mint Sandstorm, or APT42, reportedly compromised multiple Trump campaign staff accounts earlier this year. The U.S. Department of Justice has indicted three Iranian hackers involved in this breach, underscoring the persistent threat posed by foreign actors in U.S. elections cybersecurity.
International Response
As the investigation into the Chinese-linked hacks unfolds, the Chinese government has denied involvement in these alleged cyber activities. The geopolitical implications of such hacking campaigns are profound as China, Iran, and Russia continue to explore avenues to influence or monitor aspects of U.S. elections.
While U.S. intelligence agencies indicate that China has not made a significant effort to influence the presidential election directly, it has targeted various congressional and local election races through covert social media campaigns.
The investigation into the telecom hacks targeting high-profile U.S. politicians represents a critical moment in the ongoing struggle against cyber espionage. As authorities work to unravel the details of this sophisticated breach, the implications for national security remain an open question.
