How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN

Network traffic analysis provides critical insights into malware and phishing attacks. Doing it effectively requires using proper tools like ANY.RUN’s Interactive Sandbox. It simplifies the entire process, letting you investigate threats with ease and speed.

Take a look at the key ways you can monitor and analyze network activity with the service.

Connections 

Examining network connections involves looking at source and destination IP addresses, ports, URLs, and protocols. During this process, you can observe all activities that may pose a risk to the system, such as connections to known malicious domains and attempts to access external resources. 

To correlate the network activity with other behaviors or components of the malware, ANY.RUN identifies the process name and Process Identifier (PID) initiating the connection. This allows you to gain a better understanding of the threat’s functionality and purpose. 

In the Connections section, additional attributes like the country (CN) and Autonomous System Number (ASN) provide context for the geographical location and the organization managing the IP address. 

The service also lists DNS requests that help you identify malicious domains used for Command & Control (C&C) communication or phishing campaigns. 

Use Case: Identifying Agent Tesla’s Data Exfiltration Attempt  

Consider the following sandbox session. Here, we can discover a malicious connection to an external server. 

Malicious connection identified by the ANY.RUN sandbox and marked with a flame icon 

We can navigate to the process that started this connection (PID 6904) to see the details.  

The sandbox shows that the process connected to a server controlled by attackers 

The service displays two signatures related to the connection, which specify that it was made to a server suspected of data theft over the SMTP port. The sandbox also links the process of Agent Tesla, a malware family used by cyber criminals for remote control and data exfiltration.  

Suricata rule used for detecting Agent Tesla’s malicious connection

Thanks to ANY.RUN’s integration of Suricata IDS, you can discover triggered detection rules by navigating to the Threats tab. The detection of data exfiltration over SMTP in this case is done without decryption. The sandbox relies solely on specific sequences of packet lengths characteristic of sending victim data. 

HTTP Requests and Content 

ANY.RUN provides comprehensive analysis of HTTP requests and their content. To access header information, simply navigate to the Network tab. Here, you’ll find a detailed list of all HTTP requests recorded by the sandbox.

You can investigate HTTP Requests in detail in ANY.RUN

Click on a specific request to view its headers, which include information such as the request method, user-agent, cookies, and response status codes. 

ANY.RUN also offers static analysis of the resources transmitted as part of HTTP requests and responses. These may include HTML pages, binary, and other types of files. The sandbox extracts their metadata and strings. 

Use Case: Discovering a Server for Collecting Stolen Passwords 

When investigating phishing attacks, it is sometimes necessary to check which server ends up receiving the passwords entered by victims on a malicious webpage. To accomplish this task, we need to enable Man-in-the-Middle (MITM) Proxy. 

Switching on MITM Proxy takes just one click in the VM setup window 

The feature acts as an intermediary between the malware and the server, allowing analysts to intercept and decrypt even HTTPS traffic, typically used for secure communication. 

ANY.RUN allows you to interact with the VM including by entering text

Here is an example of a typical attack that is designed to trick users into entering their real login credentials on a fake webpage. 

Please Note

Under no circumstances should you enter real credentials when analyzing threats in the ANY.RUN sandbox. Instead, use a non-existent test email and password.

After we enter a fake password, we need to navigate to the HTTP request section. Here, we need to start reviewing the HTTP POST requests, beginning with the most recent connection by time.

The fake password we entered which was exfiltrated via Telegram

 In most cases, you will be able to understand which server the web page is communicating with. In our example, the stolen data is being sent to Telegram. 

Access MITM Proxy and other PRO features of ANY.RUN
for free 



Get 14-day trial


Use Case: Collecting Information on Attackers’ Telegram Infrastructure 

Here is analysis of XWorm malware sample that connects to a Telegram bot for exfiltrating data collected on the infected system. 

Thanks to MITM Proxy, we can decrypt the traffic between the host and the Telegram bot.

Bot token and chat_id are found in the query string

By examining the header of a GET request sent by XWorm we can identify a Telegram bot token along with the id of the chat controlled by attackers where information on successful infections is sent.  

Using the bot token and chat id, we can gain access to the data exfiltrated from other systems infected by the same sample. 

Packets 

Packet capture involves intercepting and recording network packets as they are sent and received by the system. In ANY.RUN, you can determine the specific data being transmitted and received, which can include sensitive information, commands, or exfiltrated data.  

Through this detailed examination, you can uncover the structure and content of network packets, including the headers and payloads, which can reveal the nature of the communication. For instance, tracking the information contained in outgoing packets aids in identifying what data was stolen, such as passwords, logins, and cookies. 

To study network traffic packets effectively, you can use the Network stream window. Simply select the connection you’re interested in to access RAW network stream data. Received packets are blue, while sent ones are green. 

Use Case: Investigating a Pass-the-Hash Attack 

Let’s consider the following sandbox analysis. Here, we can observe a theft of an NTLM hash via a malicious web page. 

About NTLM

NTLM (NT LAN Manager) authentication is a challenge-response protocol used by Microsoft Windows to verify user credentials.

It involves hashing a user’s password with the MD4 algorithm to create an NTLM hash, which is then used to encrypt a server-sent challenge. NTLM relay attacks intercept and reuse these hashes to impersonate users on other services, enabling unauthorized access without cracking the hash.

Accessing 10dsecurity[.]com led to compromising the system’s NTLM hash  

Once we enable MITM Proxy, we can see how the attack is executed. It starts with the victim’s browser sending a request to access an HTML page, which triggers a redirect to an Impacket SMB server hosted on 10dsecurity[.]com. 

Impacket is a Python-based toolkit designed for working with network protocols that can be used for harvesting NTLM authentication data. 

The sent and received packets of the host’s communication with the SMB server

When the victim’s browser attempts to access the redirected resource via SMB, the Impacket-SMBServer intercepts the request and captures the following information: 

  • The victim’s IP address 
  • NTLM Challenge Data 
  • The victim’s username 
  • The victim’s computer name 
Suricata IDS detection rule used for identifying an impacket SMB server with a Wireshark filter

ANY.RUN allows us to download PCAP data for further examination in specialized software like Wireshark. To make it easier to identify the connection of our interest, we can collect a display filter right from the sandbox. 

Analysis of the captured packets in Wireshark  

Once we upload the data to the program and paste the filter, we can once again determine that it is indeed an impacket SMB server.  

Conclusion 

Packet capture, payload analysis, protocol dissection, DNS requests, and connection analysis are essential components of this process. By leveraging these techniques, security analysts can gain a comprehensive understanding of malicious activities, enabling them to develop effective countermeasures and protect against evolving cyber threats. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds. 
  • Interact with samples in real time. 
  • Save time and money on sandbox setup and maintenance 
  • Record and study all aspects of malware behavior. 
  • Collaborate with your team 
  • Scale as you need. 

Request free trial → 

The post How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

IT Vulnerability Report: Fortinet, SonicWall, Grafana Exposures Top 1 Million

1 million vulnerable Fortinet and SonicWall devices

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 17 vulnerabilities and nine dark web exploits during the period of Oct. 23-29, and highlighted seven vulnerabilities that merit high-priority attention from security teams.

This week’s IT vulnerability report affects an unusually high number of exposed devices and instances: Vulnerabilities in Fortinet, SonicWall, and Grafana Labs can be found in more than 1 million web-facing assets, and a pair of 10.0-severity vulnerabilities in CyberPanel have already been mass-exploited in ransomware attacks.

Security teams should assess which of these vulnerabilities are present in their environments and the risks they pose and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-40766: SonicWall SonicOS

CVE-2024-40766 is a 9.8-severity improper access control vulnerability in the administrative interface and controls in the SonicOS operating system used for managing SonicWall’s network security appliances and firewalls. Managed security firm Arctic Wolf has reported that Fog and Akira ransomware operators are increasingly exploiting this vulnerability in SSL VPN environments to gain an initial foothold to compromise networks. 

Cyble has detected more than 486,000 internet-exposed devices with this vulnerability, making it a critically important priority for security teams.

CVE-2024-47575 and CVE-2024-23113: Fortinet FortiOS and FortiManager

Fortinet environments are under attack from threat actors exploiting a pair of recent 9.8-severity vulnerabilities: CVE-2024-47575, also known as “FortiJump,” is a vulnerability in Fortinet FortiManager that allows an attacker to execute arbitrary code or commands via specially crafted requests. Recently, researchers disclosed that the threat actor tracked as UNC5820 has been exploiting the flaw since at least June 27, 2024.

For more than a week before the October 23 disclosure of CVE-2024-47575, security researchers were concerned that Fortinet was slow in disclosing a FortiManager zero-day known to be under exploitation. However, it appears that a week before the CVE was released, Fortinet notified customers of a FortiManager vulnerability and provided some recommended mitigations. Some FortiManager customers reported that they didn’t get that communication, suggesting a need for a clearer advisory process. Fortinet update its guidance on the vulnerability yesterday.

Cyble researchers also observed threat actors on a cybercrime forum discussing exploits of CVE-2024-23113, a critical vulnerability in multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager that allows remote, unauthenticated attackers to execute arbitrary code through specially crafted requests.

Cyble has identified 62,000 exposed instances of the FortiManager vulnerability, and 427,000 internet-facing Fortinet devices exposed to CVE-2024-23113 (see graphic below).

Exposed assets for the top vulnerabilities (Cyble research)

CVE-2024-9264: Grafana Labs

CVE-2024-9264 is a 9.4-severity vulnerability in the SQL Expressions experimental feature of Grafana, an open-source analytics and monitoring platform developed by Grafana Labs. It is designed to visualize and analyze data from various sources through customizable dashboards. This feature allows for the evaluation of ‘duckdb’ queries containing user input. These queries are insufficiently sanitized before being passed to ‘duckdb,’ leading to a command injection and local file inclusion vulnerability.

Cyble reported 209,000 internet-facing Grafana instances exposed to the vulnerability.

CVE-2024-51567 and CVE-2024-51568: CyberPanel

CVE-2024-51567 and CVE-2024-51568  are critical vulnerabilities in CyberPanel, an open-source web hosting control panel designed to simplify server management, particularly for those using the LiteSpeed web server. NVD has yet to rate the vulnerabilities, but MITRE has assigned them each a 10.0. CVE-2024-51567 is a flaw in upgrademysqlstatus in databases/views.py, which allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, and was exploited in the wild in October in a massive PSAUX ransomware attack.

CVE-2024-51568 is a command Injection flaw via completePath in the ProcessUtilities.outputExecutioner() sink.

Nearly 33,000 CyberPanel instances are exposed to these vulnerabilities, more than half of which have been targeted in mass ransomware and cryptominer attacks.

CVE-2024-46483: Xlight FTP Server

CVE-2024-46483 is a critical integer overflow vulnerability still undergoing analysis that affects Xlight FTP Server, a high-performance file transfer server for Windows designed to facilitate secure and efficient FTP and SFTP (SSH2) file transfers. The flaw lies in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content. Multiple organizations across various sectors use this server because of its Active Directory and LDAP integration functionalities. Cyble assesses that attackers could leverage this vulnerability in campaigns due to the availability of public Proof of Concepts (PoC).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where channel administrators shared or discussed exploits weaponizing a number of vulnerabilities, some of which were discussed above. Others include:

CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.

CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.

CVE-2024-3656: A high-risk vulnerability affecting Keycloak versions prior to 24.0.5. The vulnerability allows low-privilege users to access certain endpoints in Keycloak’s admin REST API, enabling them to perform actions reserved for administrators.

CVE-2024-9570: A critical buffer overflow vulnerability in the D-Link DIR-619L B1 router, specifically in firmware version 2.06, occurs in the ‘formEasySetTimezone’ function. The issue arises when the ‘curTime’ argument is manipulated, leading to a situation where an attacker can execute arbitrary code remotely.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability in pfSense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-21305: A vulnerability identified as a Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass allows attackers to circumvent HVCI protections, enabling the execution of unauthorized code on affected systems running versions of Windows and Windows Server OS.

CVE-2024-23692: A critical vulnerability affecting the Rejetto HTTP File Server (HFS) that allows unauthenticated remote code execution (RCE) through a command injection flaw.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Fortinet, SonicWall, Grafana Exposures Top 1 Million appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins

Cyble detects attacks on WordPress plugins, IoT, VNC

Overview

Cyble’s weekly sensor intelligence report for clients detailed new attacks on popular WordPress plugins, and IoT exploits continue to occur at very high rates.

Two 9.8-severity vulnerabilities in LightSpeed Cache and GutenKit are under attack, as WordPress and other CMS and publishing systems remain attractive targets for threat actors.

Vulnerabilities in IoT devices and embedded systems continue to be targeted at alarming rates. In addition to older exploits, this week Cyble Vulnerability Intelligence researchers highlighted an older RDP vulnerability that may still be present in some OT networks. Given the difficulty of patching these systems, vulnerabilities may persist and require additional mitigations.

Vulnerabilities in PHP, Linux systems, and Java and Python frameworks also remain under attack.

Here are some of the details of the Oct. 23-29 sensor intelligence report sent to Cyble clients, which also looked at scam and brute-force campaigns. VNC (Virtual Network Computing) was a prominent target for brute-force attacks this week.

CVE-2024-44000: LiteSpeed Cache Broken Authentication

CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability in LiteSpeed Cache that allows Authentication Bypass and could potentially lead to account takeover. The issue affects versions of the WordPress site performance and optimization plugin before 6.5.0.1.

An unauthenticated visitor could gain authentication access to any logged-in users – and potentially to an Administrator-level role. Patchstack notes that the vulnerability requires certain conditions to be exploited:

  • Active debug log feature on the LiteSpeed Cache plugin
  • Has activated the debug log feature once before, it’s not currently active, and the /wp-content/debug.log file has not been purged or removed.

Despite those requirements, Cyble sensors are detecting active attacks against this WordPress plugin vulnerability.

CVE-2024-9234: GutenKit Arbitrary File Uploads

The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to CVE-2024-9234, with arbitrary file uploads possible due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. The vulnerability makes it possible for unauthenticated attackers to install and activate arbitrary plugins or utilize the functionality to upload arbitrary files spoofed like plugins.

As malicious WordPress plugins are becoming an increasingly common threat, admins are advised to take security measures seriously.

IoT Device and Embedded Systems Attacks Remain High

IoT device attacks first detailed two weeks ago continue at a very high rate, as Cyble honeypot sensors in the past week detected 361,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66, in attempts to gain administrator privileges.

Also of concern for OT environments are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263. Cyble sensors routinely detect 3,000 to 4,000 attacks a week on these vulnerabilities, which can be present in a number of older Siemens devices.

New to the report this week are several hundred attacks on CVE-2019-0708, a 9.8-severity remote code execution vulnerability in Remote Desktop Services found in several older Siemens devices.

Linux, Java, and Other Attacks Persist

A number of other recent exploits observed by Cyble remain active:

Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active.

Previously reported vulnerabilities in PHP, GeoServer, and Python and Spring Java frameworks also remain under active attack by threat actors.

Phishing Scams Detected by Cyble

Cyble sensors detect thousands of phishing scams a week, and this week identified 385 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in four prominent scam campaigns.

E-mail Subject  Scammers Email ID  Scam Type  Description 
VERIFICATION AND APPROVAL OF YOUR PAYMENT FILE  infohh@aol.com  Claim Scam  Fake refund against claims 
Online Lottery Draw Reference Claim Code  annitajjoseph@gmail.com  Lottery/Prize Scam  Fake prize winnings to extort money or information 
RE: Great News  cyndycornwell@gmail.com  Investment Scam  Unrealistic investment offers to steal funds or data 
Re: Consignment Box  don.nkru3@gmail.com  Shipping Scam  Unclaimed shipment trick to demand fees or details 

Brute-Force Attacks Target VNC

Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, Virtual Network Computing (VNC, port 5900) servers were among the top targets of threat actors. Here are the top 5 attacker countries and ports targeted:

  • Attacks originating from the United States targeting ports were aimed at port 5900 (30%), 22 (28%), 445 (25%), 3389 (14%) and 80 (3%).
  • Attacks originating from Russia targeted ports 5900 (88%), 1433 (7%), 3306 (3%), 22 (2%) and 445 (1%).
  • The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.

Security analysts are advised to add security system blocks for the most attacked ports (typically 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for Attackers’ ASNs and IPs.
  • Block Brute Force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple critical systems highlighted, companies need to remain vigilant and responsive. WordPress and VNC installations and IoT devices were some of the bigger attack targets this week and are worth additional attention by security teams. The high volume of brute-force attacks and phishing campaigns demonstrates the general vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins appeared first on Cyble.

Blog – Cyble – ​Read More

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

Cisco Talos’ Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website

NVIDIA Graphics remote out-of-bounds execution vulnerabilities

Discovered by Piotr Bania.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:
TALOS-2024-1955 (CVE-2024-0121)
TALOS-2024-2012 (CVE-2024-0117)
TALOS-2024-2013 (CVE-2024-0118)
TALOS-2024-2014 (CVE-2024-0120)
TALOS-2024-2015 (CVE-2024-0119)

LevelOne wireless SOHO router vulnerabilities

Discovered by Patrick DeSantis and Francesco Benvenuto.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

Cisco Talos Blog – ​Read More

Backdoor in coding test on GitHub | Kaspersky official blog

Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that no one is fully immune to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather —victim) of the attack might be their current employer.

Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.

You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.

Fake job posting, crypto game, and a $540 million heist

One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers managed to contact (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.

Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.

The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.

This resulted in one of the largest crypto heists of the century. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.

More fake job postings, more malware

In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.

One attack scenario goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.

However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.

In another scenario, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.

Yet another variation of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called one dot leader (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.

Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.

Fake coding test with a Trojan on GitHub

A recently discovered variation of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.

When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.

However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.

When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension, with a dot at the beginning of the filename signaling to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.

Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.

As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.

How to protect yourself

As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:

Kaspersky official blog – ​Read More

Threat actors use copyright infringement phishing lure to deploy infostealers

  • Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
  • The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. 
  • This campaign abuses Google’s Appspot[.]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine to avoid network security product detections. 
  • Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

Phishing email campaign targets Taiwan 

Threat actors use copyright infringement phishing lure to deploy infostealers

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

  • IMAGE COPYRIGHTED.exe 
  • [Redacted] 的影片內容遭到侵犯版權.exe (translates to “[Redacted]’s video content has been copyright infringed.exe”) 
  • 版權侵權信息- [Redacted] Media Co Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Media Co Ltd.exe”) 
  • 版權侵權信息- [Redacted] Media Group Inc.exe (translates to “Copyright Infringement Information – [Redacted] Media Group Inc.exe”) 
  • 版權侵權信息- [Redacted] Technology Group.exe (translates to “Copyright Infringement Information – [Redacted] Technology Group.exe”) 
  • 版權侵權信息- [Redacted] Co. Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Co. Ltd.exe”) 
  • [Redacted] Online -宣布侵權.exe (translates to “[Redacted] Online – declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Threat actors use copyright infringement phishing lure to deploy infostealers

Phishing email impersonating a well-known industrial motor manufacturer. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Phishing email impersonating a famous online shopping store. 

Attribution 

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename “Support.” Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Threat actors use copyright infringement phishing lure to deploy infostealers

Support EPS file metadata. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

Actor infrastructure 

The threat actor is abusing Google’s Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Threat actors use copyright infringement phishing lure to deploy infostealers

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

Threat actors use copyright infringement phishing lure to deploy infostealers

C2 domain DNS requests. 

Malware infection summary 

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The RAR file contains a fake PDF and an image printing file.  

Threat actors use copyright infringement phishing lure to deploy infostealers

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Fake PDF file detail information. 

LummaC2 stealer and its loader 

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system’s memory. After successfully mapping the payload, the malware then executes it. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer’s execution file to that block, and then execute it.   

Threat actors use copyright infringement phishing lure to deploy infostealers

Jump code to shellcode block. 

Threat actors use copyright infringement phishing lure to deploy infostealers 

Threat actors use copyright infringement phishing lure to deploy infostealers 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Alert message shown to the user when executing LummaC2. 

Threat actors use copyright infringement phishing lure to deploy infostealers

POST message with act=life and url path /api. 

Build ID: 

  • sTDsFx–Socks 
  • iAlMAC–ghost 

Rhadamanthys stealer and its loader 

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:Users[user]DocumentslumuiUpdaterffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim’s computer restarts, thereby maintaining its persistence on the infected system. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process “%Systemroot%system32dialer.exe” and injects Rhadamanthys’ payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

  • GlobalMSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session1MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session2MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session3MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session4MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session5MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session6MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session7MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session8MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

Coverage 

Threat actors use copyright infringement phishing lure to deploy infostealers

 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

IOC 

IOCs for this research can also be found at our GitHub repository here

Cisco Talos Blog – ​Read More

How to remove your personal information from Google Search results

Have you ever googled yourself? Were you happy with what came up? If not, consider requesting the removal of your personal information from search results.

WeLiveSecurity – ​Read More

The Cybersecurity and Infrastructure Security Agency (CISA) Reports Urgent Security Updates for Apple Products

Apple

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently alerted users to multiple vulnerabilities in Apple products following the release of vital security updates on October 28, 2024. These Apple vulnerabilities could potentially allow cyber threat actors to exploit weaknesses in the software, emphasizing the importance of timely updates for safeguarding systems. Apple product users and administrators are urged to review the advisories and promptly apply the necessary updates.

These updates address vulnerabilities that could potentially expose users to several risks, ranging from unauthorized access to sensitive data to the possibility of complete system control. The products affected by these updates encompass a wide range of operating systems and devices, including iOS and iPadOS versions 18.1 and 17.7.1, macOS versions Sequoia 15.1, Sonoma 14.7.1, and Ventura 13.7.1. Additionally, Safari 18.1, watchOS 11.1, tvOS 18.1, and visionOS 2.1 are also included in this critical update cycle.

Key Apple Vulnerabilities Addressed

These Apple vulnerabilities highlight the ongoing need for users to remain vigilant and ensure their devices are updated to protect against potential threats.

iOS 18.1 and iPadOS 18.1

The advisory reports on affected devices, including the iPhone XS and later models and various iPad models starting from the 7th generation onward. This update specifically addressed several Apple vulnerabilities, enhancing the security of these devices.

  • Accessibility Issues (CVE-2024-44274): Physical access to locked devices could expose sensitive information. The fix involves improved authentication mechanisms.
  • App Support (CVE-2024-44255): Malicious applications may exploit shortcuts without user consent. Enhanced path handling has been implemented to mitigate this risk.
  • CoreMedia Playback (CVE-2024-44273): Vulnerabilities that allow malicious apps to access private information have been addressed through better symlink handling.
  • CoreText (CVE-2024-44240, CVE-2024-44302): Enhanced checks have fixed issues with malicious fonts that could disclose process memory.
  • Foundation (CVE-2024-44282): Improved input validation addresses vulnerabilities that could leak user information while parsing files.

Additional vulnerabilities, including those related to ImageIO and the kernel, have also been patched.

Safari 18.1

The Safari update was released on October 29, 2024, and it supported macOS Ventura and macOS Sonoma. This update was designed to address critical issues that could impact user security and functionality within the Safari browser.

  • Security Vulnerabilities (CVE-2024-44259): Attackers could misuse trust to download malicious content. The fix includes improved state management.
  • Private Browsing Leakage (CVE-2024-44229): Potential leakage of browsing history in private mode has been resolved with additional validation measures.

macOS Sequoia 15.1

The Apple security update advisory for macOS Sequoia 15.1 addressed vulnerabilities that affected a range of services. By resolving these vulnerabilities, this update enhances overall security and functionality for users.

  • Apache Vulnerabilities (CVE-2024-39573, CVE-2024-38477): Multiple issues in Apache software impact several Apple projects.
  • CoreServicesUIAgent (CVE-2024-44295): Enhanced checks prevent unauthorized modifications to protected file system areas.

watchOS 11.1, tvOS 18.1, and visionOS 2.1

Each update features enhancements designed to mitigate vulnerabilities similar to those addressed in previous iOS and macOS releases. For example, the updates incorporate measures that strengthen security across various functionalities, ensuring users are better protected against these Apple vulnerabilities.

  • CoreMedia Playback (CVE-2024-44273): Ensures that applications cannot access private information through improved symlink handling.
  • CoreText (CVE-2024-44240, CVE-2024-44302): Fixes related to malicious fonts that could disclose sensitive data.

Recommendations for Users and Administrators

To mitigate the risks associated with these Apple vulnerabilities, CISA advises users to take the following actions:

  • Immediately apply the latest security updates for all affected Apple products. This is crucial to protect against potential exploitation.
  • Regularly review and update security settings on devices to ensure they align with best practices.
  • Provide users with training on recognizing phishing attempts and the importance of not clicking on suspicious links or downloading unverified applications.
  • Enhance overall security posture by utilizing additional security measures such as firewalls, antivirus software, and intrusion detection systems.

Conclusion

CISA’s recent advisories concerning vulnerabilities in Apple products highlight the critical need for users and organizations to prioritize security updates. With the potential for severe consequences arising from these vulnerabilities, including unauthorized system access and data breaches, timely application of the Apple security update is essential.

Organizations and individual users alike must remain vigilant and proactive in maintaining the integrity of their systems. By promptly addressing vulnerabilities and adhering to best security practices, they can reduce the risk of exploitation and protect sensitive information from cyber threats.

For comprehensive details on each vulnerability and their respective fixes, users are encouraged to consult Apple’s official security documentation and the latest advisories from CISA regarding Apple vulnerabilities.

References

https://www.cisa.gov/news-events/alerts/2024/10/29/apple-releases-security-updates-multiple-products

The post The Cybersecurity and Infrastructure Security Agency (CISA) Reports Urgent Security Updates for Apple Products appeared first on Cyble.

Blog – Cyble – ​Read More

Packers and Crypters in Malware and How to Remove Them

In this article, we’ll explore the most common types of protectors—packers and crypters—along with simple ways to detect and remove them.  

We’ll also introduce some useful tools to simplify the process and improve your malware analysis skills. 

What Are Protectors and What Types Are There? 

Protectors are tools designed to complicate code analysis, making it harder to detect and examine malware. Two of the most common types of protectors are packers and crypters

1. Packers 

Packers are utilities that package one or more files into a single executable, often adding compression. This process makes static and dynamic detection more difficult, a tactic many types of malware exploit.  

Certain malware, like those written in scripting languages (e.g., Python or JavaScript) or relying on non-standard libraries, require packing to function properly by including interpreters and necessary libraries. 

Classic examples of packers include installers like NSI and MSI, UPX, MPress, and self-extracting archives (SFX) made with tools like 7zip or WinRAR. 

Packers generally don’t protect application data, making it relatively easy to extract them at runtime in a sandbox or remove the packer using static tools. 

2. Crypters

Crypters take protection a step further by encrypting the executable’s contents, often adding layers of packing and obfuscation. Designed to obscure code, crypters make analysis more complex and time-consuming. Examples of crypters include NetReactor, Themida, and VmProtect. 

Main Protection Methods of Crypters: 

  1. Dynamic unpacking in memory to avoid leaving any disk trace. 
  1. Encryption of files, data, and code, with decryption at runtime. 
  1. Code Obfuscation: Changes the structure and sequence of instructions, transforming (meta)data into unreadable or meaningless characters. 
  1. Virtualization: Transforms code into pseudo-instructions that are either regenerated or interpreted at runtime. 

Note that without virtualization, code is usually weakly protected and can often be restored to its original or near-original state. 

Identifying Packers: Simple Techniques and Useful Tools 

Detecting packers can be simplified with a few straightforward techniques and specialized tools like DiE (Detect It Easy). DiE notifies users when a packer is detected, making it a quick solution for initial identification. 

Let’s consider the following sample. When analyzing it with DiE v3.10, we can observe the presence of the MPRESS packer. 

The results of DiE analysis, revealing the packer MPRESS

Opening the sample in DiE reveals section names that indicate packing. 

Section demonstration in DiE with names MPRESS1 and MPRESS2 

Packers like UPX and MPRESS often create sections with distinctive names, such as MPRESS1 and MPRESS2, which help analysts identify their usage. 

We can also examine PE (Portable Executable) information in the Static Discovering window inside ANY.RUN sandbox. This provides further details to help identify these packers and their specific characteristics. 

Analysis of a sample with UPX sections 

Demonstration of UPX0 and UPX1 in Static Discovering section

We can identify UPX through section names. In certain cases, packers like VMProtect and Themida can also be identified by their distinct section names.

The .vmp0 section characteristic of VMProtect. 

Sections, such as .vmp0, indicate VMProtect (see example).

The .themida section characteristic of Themida 

Sections, such as .themida or .taggant, signal the presence of Themida (see example).

Try advanced malware analysis with ANY.RUN for free 



Sign up now


Common Indicators of Packers 

The most common indicators for packers include: 

Unusual Section Names and Placement 

For instance, packers like Themida/Winlicense often have sections with random names or blank spaces as section names (example). The image below shows that Sections #4 and #5 have random names, while sections #0 and #3 contain blank spaces instead of names.

The presence of a .taggant section is a distinguishing feature 

In VMProtect, the section addresses in the file (specifically the PointerToRawData field) are often set to zero (example).

PointerToRawData is set to zero in sections #0 through #5

In the image above, for sections #0 through #5, PointerToRawData is set to zero, which suggests that unpacking occurs dynamically at runtime.

Unusual Imports

The absence or minimal number of imports suggests that libraries are loaded, and their function addresses are acquired dynamically at runtime. 

For .NET applications, a single import (mscoree.dll:: _CorExeMain) is typical. In some cases, a unique mix of functions can reveal the application’s intentions.  

For instance, let’s open the Static Discovering window inside the ANY.RUN sandbox for this UPX sample and go to the Imports section. 

Static discovering in the ANY.RUN sandbox

Then, let’s search for KERNEL32.DLL.

LoadLibraryA and GetProcAddress point to dynamic library loading

The combination of LoadLibraryA and GetProcAddress indicates dynamic library loading, while VirtualProtect may suggest an intention to change memory page protection to executable.  

Since only four functions are present here, this combination is unlikely to be coincidental and can signal intentional manipulation for code execution. 

High Entropy 

For unpacked files, the overall entropy typically ranges from 5 to 6.5. Packed  files, however, often exhibit entropy levels above 7, approaching 8 (the maximum  entropy for 8-bit data).  

High entropy values can indicate packing or encryption, as they suggest a lack of readable patterns within the file.

Entropy shown in DiE for the following sample

This entropy level can be checked using tools like DiE (Detect it Easy)

Demonstration of entropy in ANY.RUN’s Static discovering section

You can also check it right inside the ANY.RUN sandbox.

Unpacking Different Types of Packers 

There are two main types of unpacking: 

  1. Static unpacking: The code is processed by the unpacker but not executed. This method relies on analyzing the packed file without running it, allowing for a safer examination. 
  1. Dynamic unpacking: The code is executed and preserved by the unpacker in memory. This approach involves running the packed malware in a controlled environment, often in a sandbox, to observe the unpacked code in action. 

Dynamic unpacking is the most challenging type of unpacking, as it often requires the use of a debugger and capturing memory dumps.  

This approach allows analysts to observe how the code behaves at runtime, but it demands a controlled environment and more advanced tools to monitor and extract the unpacked code accurately. 

To make the process of the analysis easier and faster, you can utilize ANY.RUN’s Interactive Sandbox. It provides memory dumps of unpacked and decrypted data, including the decrypted executable payload. 

The sandbox generates memory dumps for various processes and makes them available for download, saving analysts significant time and simplifying the analysis process. You can download these memory dumps and analyze them locally.  

There are two options for accessing memory dumps generated inside ANY.RUN’s sandbox. 

Click the DMP button to access dumps

You can access them by clicking on the DMP button in the process tree section. 

Alternatively, you can go to “Advanced Details” of a process that has the DMP icon next to it and navigate to the “Process dump” section, where you can download the dumps.

Let’s now see how you can address different types of packers.

SFX Installers 

SFX (Self-Extracting Archives) is an archive format that, when executed, extracts files and can perform specific actions. In most cases, these archives can be unpacked statically with utilities like 7zip or WinRAR

To see a typical SFX in action, let’s consider the following sample.

Such archives often have a distinctive icon, indicating they are self-extracting executables: 

SFX file icon

Use WinRAR to open the archive and view the extraction settings and packed files within the SFX. 

Right-click on the file to access the “Open with WinRAR” option

After opening the file, on the right side, you’ll find extraction parameters, file paths, and the primary executable file. On the left, you can view all files packed within the archive. 

Contents of SFX file

MSI Files

To unpack MSI files, a common method is using the command line with msiexec /a. However, this method may not work for every file and can sometimes result in errors.  

For instance, with the following sample, attempting this command in a sandbox triggers an error (see sandbox example). 

Error unpacking MSI

An alternative solution is LessMSI, a specialized tool for extracting files from MSI packages. 

Let’s see how it works this using the following sample.  

The upload button in ANY.RUN lets you add files to a running sandbox section in real time

Upload the LessMSI archive to a virtual machine in ANY.RUN via the upload button

File demonstration in LessMSI for files packed in an MSI installer 

Launch the GUI version of LessMSI and select the MSI file. Next, the program will display a list of files and their paths for extraction. 

Nullsoft Installer 

Nullsoft installers are often straightforward to unpack using 7zip. By opening these files with 7zip, you can directly access the contents of the installer. 

Let’s examine this sample for more details.

Demonstration of files packed in the installer, along with special directories that start with the $ symbol 

Opening the archive in 7zip reveals the files packed within it, including special directories that typically start with the $ symbol. 

This approach allows you to explore the installer’s files easily. However, a limitation is that it doesn’t reveal the initial installation parameters, which may be necessary for deeper analysis. 

InnoSetup 

Unpacking InnoSetup installers requires specialized tools. The unpacking becomes more challenging because these files often contain embedded scripts that control the installation process. 

In this case, 2 useful tools can be used: 

  • innoextract: A command-line tool designed to extract files from InnoSetup packages. 
  • innounp: Another tool that offers similar functionality, supporting various versions of InnoSetup. 

Let’s consider this sample

Start a virtual machine with the necessary utilities and unpack innoextract. 

As a result, we’ll obtain several directories. The main one is appRedist, which contains the executable file. 

Additionally, files such as help documents, libraries, samples, and other related resources are extracted.

Registry data entries are extracted separately as well. 

The app directory contains files unpacked by the installer. 

The reg$HKCU directory contains data entries that are added to the registry under CURRENT_USER

Innounp works in a similar way. 

As a result, application and registry data are extracted.

The advantage of this utility is that it restores the installation script and saves it in a file. 

We can open this file in a notepad. 

The [Run] section contains information about the files that will be executed after unpacking. 

NSIS + ASAR 

It’s worth mentioning the SFX archives used by Electron.js

Let’s consider this example

The archive contains a single directory, which is, in fact, the Nullsoft SFX

Download the EXE file and start the unpacking process. 

 The $PLUGINSDIR directory with the app-32.7z, containing the application files

When extracting with 7zip, we obtain a folder containing various files, including an archive with a renamed Chromium executable (in this case, Runtime Broker.exe) and its libraries. 

The application data in the app-32.7z archive consists mostly of files related to Chromium

The Electron.js application data is stored in the resources directory. 

Files in the resources folder 

The app.asar file is an archive containing the Electron.js application data

To unpack it, you’ll need an npm module. 

  • Install npm: sudo apt install npm 
  • Run the following command to extract the archive: npx @electron/asar extract app.asar extracted 
  • If the asar module isn’t already installed, npm will prompt you to install it. 

As a result of running the command, the archive will be unpacked into the extracted folder. 

Files extracted from app.asar 

The node_modules folder contains the Node.js packages, and index.js is the initial script of the application. 

UPX 

UPX (Ultimate Packer for eXecutables) is a packer for executable files. 

  • Compatibility: It supports only native PE (Portable Executable) applications. 
  • Unpacking: UPX-packed files are often easy to unpack statically using the same UPX utility. 

To unpack a UPX-packed file, you only need to use a single command:

upx –d <file> 

UPX can be identified by the presence of sections named UPX0 and UPX1 in the file. 

Let’s observe it with the following sample.

First, download the sample and open it in DiE (version 3.10). DiE will indicate the presence of UPX, listing specific indicators. 

Some malware samples use older versions of UPX. In such cases, you’ll need the corresponding version to unpack them. DiE suggests the recommended version, which, in this example, is 3.96

DiE reports the detection of Packer: UPX

To analyze a sample like this, it’s essential to remove the UPX compression; otherwise, the disassembler won’t be able to interpret the code correctly. 

For instance, Ghidra—a free disassembler and decompiler—will display multiple errors when importing a compressed file. 

During analysis, Ghidra will detect only a single function. The built-in decompiler will report the incorrect code.

In the image above, on the left side, there is a Listing displaying the single function, while on the right side, the Decompiler window shows an error message.

To conduct analysis, download the latest release of UPX from GitHub.

Next, upload the sample along with the upx.exe file (it’s not necessary to upload the entire archive) to the virtual machine. 

In the Command line field, enter “cmd” and use Tools collection on the right.

To do this, switch to the Pro mode in the sandbox and select Tools collection. Here, you can either use previously uploaded tools or upload new ones. 

Access all Pro features of ANY.RUN sandbox for free 



Get 14-day trial


Before starting the analysis, enter the “cmd” command in the Command line field. This will prevent the sample from running automatically and will open the console at the start of the session. 

All further steps are carried out in the following analysis session

Unpack the UPX archive and enter the following command in the console:

<path_to_upx>upx.exe -d <filename> 

As a result of the command execution, the file will be overwritten with the decompressed version. 

UPX confirms a successful unpacking; the file has been overwritten

To ensure the unpacked sample is functioning correctly, let‘s run it in a sandbox. 

The sample did not crash and is successfully sending network requests.

When clicking the PE button, the Static Discovering window opens, where we can observe a different hash. 

Static analysis of the unpacked file

The Static Discovering window for the unpacked file, shows the name under which it was saved to disk. We can see a decrease in entropy, an increase in file size, and a different hash value.

Now, Ghidra can handle this file without any issues.

Ghidra successfully disassembled the file and identified the library functions

In the Listing section, we see numerous references and functions, and the Decompiler window displays the correct code.

The same process can be done on a physical machine, as UPX does not execute code during unpacking. 


Learn to analyze malware in a sandbox

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis



AutoIt 

AutoIt is often used as a crypter. The simplest way to detect AutoIt is by checking the file description. To do this, go to the Main tab in the Static Discovering window inside ANY.RUN and scroll down. 

You may find different mentions of AutoIt in the description. 

Let’s consider the following sample.

ANY.RUN detects presence of AutoIt

Here is another example. Usually, such a file is an AutoIt interpreter bundled with a script. 

In some cases, a deeper examination is required. Let’s look at the following example.

ANY.RUN automatically add AutoIt tag to the session

In this example, AutoIt was detected by ANY.RUN’s sandbox. Let’s confirm this in DiE

DiE reports the detection of an AutoIt signature

To extract and decompile the script, we can use AutoIt-Ripper

Let’s install it using pip install autoit-ripper.  

The latter is quite easy to use:

autoit-ripper <file> <output_dir> 

As a result of running the command, the restored script is saved to a file named script.au3. Besides, all the associated files were detected and saved. 

Now it’s possible to analyze the script’s actions by opening it in a text editor. 

In most cases, the scripts are also obfuscated and will require more in-depth analysis

In this example, we see the execution of CL_Debug_Log.txt with specific parameters. 

The script drops to disk and modifies asacpiex.dll, saves it as a separate file, and then unpacks it

Opening CL_Debug_Log.txt in DiE reveals that it is a standalone version of 7zip.  

The VS_VERSION_INFO can be spoofed, but in this case, all evidence suggests that this file is an archiver

In this way, the malware unpacks the files necessary for its operation. In addition, the script contains checks for execution in a virtual environment. 

The script checks information about graphic adapters in the system

It also includes checks for the presence of antivirus software. 

The script checks running processes for names that match popular antivirus solutions

NetReactor 

NetReactor is a packer and obfuscator for applications written in .NET

  • Supports code virtualization. 
  • Files and libraries are not saved to disk but are loaded directly into memory. 
  • Changes the structure of the code, making analysis more difficult. 

Most files can be successfully unpacked using NetReactorSlayer, but for the best results, dynamic unpacking is recommended. This method executes the code within the operating system, allowing system functions to be called as needed for a more accurate unpacking process. 

Let’s look at an example with the PureHVNC payload.

Next, run the analysis session using dnSpy and NetReactorSlayer.  

dnSpy is no longer maintained; however, you can download a forked version

Then, open the sample in dnSpy

Before processing, you can see numerous namespaces

Multiple namespaces are visible

Let’s locate the configuration class. 

Open Type References and locate the IPAddress class. 

Right-click on it and select Analyze

In the opened window, click on Used by to find the method where this class is used. 

The obfuscated code
We see presence of goto and labels scattered throughout the code to confuse the execution flow

Now, open NetReactorSlayer and select the sample. 

There are multiple settings available; the default settings work well for this purpose. 

Click Start Deobfuscation and wait for the process to complete. 

The program decrypts strings, simplifies the code, and even attempts to remove virtualization. 

The file is saved with the suffix _Slayed

Now, open the received file in dnSpy. As a result, the unnecessary namespaces have been removed. 

No excessive namespaces

The classes have been renamed too. 

Renamed classes

Next, let’s look for the usage of IPAddress as well. 

Now, the goto statements are positioned appropriately, and the labels are no longer scattered

The lengthy class names have been shortened, and the fields have been renamed according to their respective values. The code has become easier to analyze, and string literals are now included. 

Often, in addition to being packed, malware is stored in an encrypted form within a special loader (crypter). 

This analysis demonstrates the process of extracting the payload using dnSpy

After execution, the crypter decrypts the payload and performs an injection into the target process. 

With the help of dnSpy, let’s attach the debugger to the process. To do this, go to the Debug tab and click on Attach to Process

Click Attack to Process

Then, choose the process you want. 

Pick the process of your interest

Note that to debug 32-bit processes, you should run dnSpy x86, and for 64-bit processes, use dnSpy x64

Pause the process and open the Modules window. 

Click Modules

Right-click on the main module, then select Open Module from Memory.

We see that InstallUtil has been replaced with EMPRESA992

After opening the module, obfuscation can be observed. 

Click Save Module and transfer the saved file to the console version of NetReactorSlayer

As a result, we get the following output. 

NetReactorSlayer corrected the entry point, removed unnecessary code, and saved result to disk as InstallUtil_Slayed.exe

The associated library MessagePack.dll has been saved as a separate file. 

MessagePack.dll

Now, the payload InstallUtil_Slayed.exe can be run separately and analyzed through debugging (See sample analysis). 

SmartAssembly and Other .NET Packers 

Another popular packer for .NET applications is SmartAssembly

Check out this example.

Besides obfuscating the code (which makes the execution order unclear and renames identifiers to unreadable terms), SmartAssembly complicates analysis with a large number of delegates that are resolved at runtime, including those used for decrypting strings. 

Let’s open the sample in DiE and confirm the presence of the protector.  

We can see how DiE detects Protector Smart Assembly. 

Smart Assembly detected by DiE

In the US (User Strings) tab, there is an abnormally small number of strings.

Let’s switch to dnSpy

Upon opening the sample, you will immediately notice an attribute indicating the presence of the SmartAssembly protector.

You will also notice the characteristic namespaces associated with SmartAssembly.

These artifacts are quite common among protectors, particularly in .NET applications. 

Next, click on Go to Entry Point

In this case, while the code (control flow) is not obfuscated, the strings are obtained through a delegate call with a numeric argument. 

We see a call to Console.WriteLine that displays the result from a delegate using a numeric argument.

Earlier, we used NetReactorSlayer to remove the protector. 

While it is a specialized tool, it can also be used for general purposes, such as simplifying code, though with some limitations. 

Let’s try to simplify the code using NetReactorSlayer

While this tool simplified the code readability, it was unable to decrypt the strings. 

In the simplified code, the purpose of the delegates used in Console.WriteLine is clear

Now, let’s use another tool—de4dot—which is also part of what NetReactorSlayer uses for code simplification. You can also utilize de4dot-cex, which is the improved version of de4dot. 

For this case, we will use de4dot to remove SmartAssembly

As a result, the file is processed in a similar way. 

de4dot and NetReactor simplify names in the same way

However, the string encryption has also been removed. 

The GetString delegates have been replaced with string literals. 

In DiE, you can view all the decrypted strings. 

The processed file often retains functionality and can make runtime analysis easier. 

de4dot works with many other protectors and can simplify code analysis. 

If de4dot doesn’t succeed, try using NetReactorSlayer, which may be more effective at further simplifying complex code. 

However, for older versions of NetReactor (below 6.0), de4dot remains the preferred option. 

Themida, VMProtect 

Themida and VMProtect are packers and obfuscators for applications that support virtualization and code mutation. 

  • Virtualization: This feature protects the malware code at runtime, not just in static analysis. 
  • Extracting Samples: In most cases, virtualization is not applied, allowing an unpacked sample to be extracted from memory, though it may be partially modified. 
  • Static Unpacking: This is generally unlikely, as these commercial packers adapt quickly to new analysis methods. 

For a more detailed analysis, refer to our article: VMProtect and Themida Malware Analysis

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds. 
  • Interact with samples in real time. 
  • Save time and money on sandbox setup and maintenance 
  • Record and study all aspects of malware behavior. 
  • Collaborate with your team 
  • Scale as you need. 

Request free trial → 

The post Packers and Crypters in Malware <br>and How to Remove Them appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV

Strela Infostealer, malware, WebDAV

Key Takeaways

  • The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
  • This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
  • Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
  • The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
  • The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain.
  • Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
  • In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.

Executive Summary

Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using “rundll32.exe”.

The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello.

In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry.” By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products.

Technical Details:

The Strela Stealer campaign begins with a carefully crafted phishing email written in German, with a theme designed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.

Phishing, email
Figure 1 – Phishing Email

Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.

The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.

Javascript
Figure 2 – JavaScript File

The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.

IDA
Figure 3 – IDA graph view

Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.

DLL
Figure 4 – Key present in DLL file

The code below demonstrates the use of XOR and other arithmetic operations for decryption.

MZ Header
Figure 5 – Decrypting the MZ header

The image below displays the decrypted MZ content.

MZ header
Figure 6 – MZ Header

The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Sterla Stealer, a malware active since April 2022.

Here we compared the previous version of Sterla Stealer with the new one.

Campaign Identified in 2022 Campaign Identified in March 2024 Latest Campaign
No code obfuscation Employed control flow obfuscation Employed control flow obfuscation
No decryption of PE file from DLL file Decrypts a memory mapped PE file Decrypts a memory mapped PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file strela, server.php, key4.db, and login.json strings present in the decrypted PE file Strela string is removed
PDB path is present No PDB path No PDB path
Export function name: Strela Export function name: hello Export function name: Entry
Drops payload from ISO Drops payload from ZIP Executes payload from WebDAV Server

While the Strela stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.

Error message
Figure 7 – Fake error message

Next, the stealer obtains the locale settings from the victim’s machine by utilizing the GetKeyboardLayout API and comparing the results to the specific hardcoded Language identifiers mentioned below.

  • 0407 – German (Germany)
  • 0C0A – Spanish (Spain)
  • 042D – Basque (Spain)

If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.

Locale Check
Figure 8 – Locale Check

Targeting Thunderbird

The malware scans for Thunderbird profiles and collects “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.

Thunderbird
Figure 9 – Targeting Thunderbird profiles

Targeting Outlook

To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:

  • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  • SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\

Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.

Gathering System Information

Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.

Systeminfo
Figure 10 – Gathering systeminfo

In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.

Data Theft
Figure 11 – Data Exfiltration

In its final steps, the malware utilizes a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server. By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.

Conclusion

The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.

Cyble’s Threat Hunting Packages

At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware.

In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the Organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics.

For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.

Strela Stealer, Infostealer

Recommendations

  • Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
  • Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
  • Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
  • Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
  • Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
  • Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) The campaign starts with spear-phishing emails containing ZIP file attachments.
Execution (TA0002) User Execution (T1203) The obfuscated JavaScript code executes via WScript, running PowerShell commands.
Execution (TA0002) Command and Scripting Interpreter (T1059) PowerShell commands are triggered to execute the final payload.
Credential Access (TA0006) Credential Dumping (T1003) The malware retrieves usernames and passwords from Thunderbird and Outlook profiles.
Discovery (TA0007) System Information Discovery (T1082) Executes systeminfo to gather system details and save it as a text file.
Discovery (TA0007) File and Directory Discovery (T1083) Collects filenames from system directories using COM objects.
Command and Control (TA0011) Application Layer Protocol (T1071) The encrypted data is sent to the C&C server via HTTP POST requests.
Exfiltration (TA0010) Exfiltration Over Command and Control Channel (T1041) The stolen data, including login credentials, is exfiltrated to the TA’s server.

Indicators Of Compromise

Indicators Indicator Type Description
dcd7dd2aaef3e87b467ce4e4682a63d2d01da20e31fada494435ae8a921c09ae SHA256 Email
75d996a0a5262bff134d7a752efd1fb6325bc2ce347b084967e06725008180f9 SHA256 Email
c5279ff9c215afbd5c54793c6fc36c80d2cefb0342a1471581b15e43bd4a9b08 SHA256 Email
be76ab2054ef174331abfef53825254ac26bfc9657dca9c3767a5e5daf7bec1e SHA256 Email
4e38abd0fef9a4b3f4cbc674601bc10766d4db588cb83d3e5fb50ec573c372cd SHA256 Email
08007bc4c3711990eddd7cb342d176f470298027d923589206e4c9212cc95ba3 SHA256 JavaScript
12cd832efcd3e3a6938ca5d445f572731b64866afc0129219d8110030aa22242 SHA256 JavaScript
150f490ae97098342e192a6722872e86d468cbd2fd8b3d6c46f4601acdea85d1 SHA256 JavaScript
154daf225df559d44d066027a5179aa68ebd9ce046787faa84bd3c230ad3fd08 SHA256 JavaScript
16ae254deaa02b0acf5beda73cb178eb5c50e50b8d1752841ae8148b28354585 SHA256 JavaScript
1a60dd873e71c926ede3bc395e45e10062f063a374f05e7ff6721b6e35706ec5 SHA256 JavaScript
1f3b7fb2ec7e3f292a9d5fab2e263c777c4273af872673d324d580387a5f3236 SHA256 JavaScript
22d34569742fc22c109f65a2edc8ef264c44f61e20014ac27160931acfba296c SHA256 JavaScript
294c66460c3b0da83a3ed894bd1fb8a7fc5fed2b8fb3f6adb555d4b558371f00 SHA256 JavaScript
2c447b38bc71b6b68234e3f7ea389807a9d61597aab5a11cc60133ee01fb7b79 SHA256 JavaScript
3078f89fa189af1fc8d9b76ab03e2ae34de080072057d5630f8d829c18e0b29b SHA256 JavaScript
32b8f94f5f7f359a3ef758a8de8ed554c7e5dec2b75f9a65461167eaa874cd00 SHA256 JavaScript
34e9df65677f7e89fd3514103d9a75f7fb526485f1c8fa3bf82fe8896991683a SHA256 JavaScript
34fdf466af7288f0b458daaca9eb76be88e182ae1b2eadb3281371c2d6726bc3 SHA256 JavaScript
36a0751216fc7f90559abb10dcec2c1153e70c9d4da4d06a0a206ec2e726b92f SHA256 JavaScript
37984a476fdeda094cdb82957a5aa0d2835527c4f403775d5e0182c64cb1a7fb SHA256 JavaScript
3c09514e197004d822fd26798372cd7dc30ddcc7fe5585a8a13475319f57e7de SHA256 JavaScript
3fe89e89556c0210bfb5094a524b1f81c87cde6b6bb2320abbe61d68ac6c4a4b SHA256 JavaScript
404341b290e56b21c74d5768a98580813f5e81a5ef2e97e1af7aec6cb2a719b0 SHA256 JavaScript
4781f4c8a8a43b559d1c1452e0e967cd23f7fd3d41a1065e5a3ec3366e3bf496 SHA256 JavaScript
4a2317a78749539a8bf0d1e134bd68f64a5e956dee9a12157028969949bb29c4 SHA256 JavaScript
4eaf2d0023d9531ee9e0d3958014260d95b817af5e74b9c6819f371a1a5af753 SHA256 JavaScript
50c9bd0f5deca0b2edbc4128aa7895ec0268a246e536110efe81e3a3da696b0c SHA256 JavaScript
540492ee7e2e3a0036bc34ff47519a17ad6a8300319b1ff9a1d1a210333cb46d SHA256 JavaScript
58b0ae24a7f325b8c3acd001b4bdff35fc7e440a0bb910750e019a2657de0822 SHA256 JavaScript
59894ed00aaa9f8ab743ea09a1c7add38b7bf378b073aea978fb1703ea9aacdd SHA256 JavaScript
59c8dcd99af398b149bfd80b921e1b06f97e8cc6908d806b174341efb899d647 SHA256 JavaScript
5a3633e0aad62b5ca063e3ffb15a2bbcdf7138f82113299b53f8194525cb32a3 SHA256 JavaScript
5b296616d0cd44147e84e638dffed68d07b305bcee60601147bf41cb01e8c038 SHA256 JavaScript
5c3a86bd9fb12cad7a98041d1ff35ac739b41a9e43abc525c4e96d61be6f9565 SHA256 JavaScript
6044ea92d233b14cc6422e1cea8ee7ea8e241812f3e780f57f096101e5917f8a SHA256 JavaScript
662a2a870928dc42d9cd04dbbb7a948300c98496bf4f68aa7ce1320d93da3180 SHA256 JavaScript
666060f975e34e610bea2a3e2a6c8bad58506bee6acfbaefd2c02e563736351f SHA256 JavaScript
67e95381a8d220063ea1a44e75bc9c9c2e0d973fb991c0ce92a798a1bfe23c1d SHA256 JavaScript
680ea9c726dbfb5b8486ef5b5babb63704f32b4e3e949053b13a344440fe5149 SHA256 JavaScript
68ffebea33905d680c382b4df481c564817044cf41345f41166cfaca106abfee SHA256 JavaScript
6cb21cba9555eec2a173719188ffa609f3f99b6f615ada694db3e2de7fa4d9fe SHA256 JavaScript
70f500e1941ce7f0ae0d4c12c44f3e265c701c1169193a55e5f842c093f303cc SHA256 JavaScript
72c9297608f3ccb059aec33126178e40bd343c3c24b14a8a31a7742757a08a00 SHA256 JavaScript
760c12ae673ae8902dfa096c17bbce7fc3e20eec069b7cc00d6bf1dd4a28757b SHA256 JavaScript
76972fe36498d115bbcb742d842698fea1ebc062d0f79426dfbcaf4ad8bec0bd SHA256 JavaScript
78c315657a6dd2d6ca01388aa3575344b689cbd18c172d83fe94399156b8010b SHA256 JavaScript
7fcf23ad9d241ccd8f46a9a65bdd99741bade2bf323599f5639ebf160d35aa1e SHA256 JavaScript
8502cf3b180e3ee6e526b5b33e17647d7234773c278d9009a6ae58a01fd96b97 SHA256 JavaScript
8661d72b99ae335b6c0c74e2d2f156f8611666fe7f118ae251e224c8602f72f2 SHA256 JavaScript
8ba18307df322c7c930dc19ff5f3a36b6a9040cc0dd05e65c1a434887a407b70 SHA256 JavaScript
9082620184a4fe05ed92a0e88caea02cfec14d4c6494dc55269d8afade95d352 SHA256 JavaScript
9255e44bcf40afa3c3fbd19f13a1d277c3bd7bd457866e904b220779fadce886 SHA256 JavaScript
93fc8a04b28af9feb86c348c9b3a7d8422729697832e6895f8738b663da32905 SHA256 JavaScript
9a9303997fefb2de0a66db9652d53bce7d17b9a1e8e738ee91801a29f72621d6 SHA256 JavaScript
9aefb3b5e3a0727c6d96b103c432acb57c42294373bbd8d984a8aeb94659cd43 SHA256 JavaScript
9eb4a88bc7ba156af849fcd956744c65677372db5e5cb09115df8ec900928cbb SHA256 JavaScript
9fc8d64d8204045764d0990647d42cb386c98501199553d043c277133549193a SHA256 JavaScript
a09688c0ce051235e92bb938090eebedea57c706158e0b665edce17d8dbe7543 SHA256 JavaScript
a0def4009d3d6444b05f8d4071a65fbba6b6b36176104fc1fbb04affd0282969 SHA256 JavaScript
a21f6c960cb3a702a9cf1da645301688b98763a8d1a4269a6b010616477e742f SHA256 JavaScript
a76fc70044c88c9313da07e3afa039640373c639ac16ae85ddef201fa5995ce3 SHA256 JavaScript
a77cd7dcea434bea2ce6dbc1af32668007c0fc5168a325c0c9df8f976d47ae0c SHA256 JavaScript
b0f2cff2784b1779a9688a3cd43436d272683554b356d2a6f75903e40ce680ed SHA256 JavaScript
b2efbb7368a89a746f5f1aea8e3df16cb017b4f79e0a6c3c1aaf51a7437cdd1b SHA256 JavaScript
b5f9dff76d3cdf16ad8c95e699a4dd347e2bf987d7b9a4601b4bb6b7505a560f SHA256 JavaScript
c1503c63332d723bc67acdc8de2fbaffb92b11de8174030eaf863d7ed152f947 SHA256 JavaScript
c55f10a2633aa6c7f5e246cee23ed04e73896f88a042c070a6c66698dc8b1f3e SHA256 JavaScript
ca3a8107b0c1ecf1a9f258e5b155a652e81710a2fa910bfd5ed31305a10ed06f SHA256 JavaScript
ca6446b428305c1845b87a4562c4ef24d99e5929a2a65101689ca473b0bbec43 SHA256 JavaScript
d3b78c9fdf7df019c14a21c18f4ca27c4210f31191ba5f35de358373b4077d43 SHA256 JavaScript
d40dbeaf32abed1610e11408953ddddad985cea279b86c31a27b841519112bfb SHA256 JavaScript
e2fa1484fa6cccfdae5838e59f4516017c3cd15e4872db0e459c43c8c8076882 SHA256 JavaScript
ea090dccb35324c998ac5c2e3e499ed4c3812372cd6936777a9b4d10f8329c65 SHA256 JavaScript
ee5cee0d57239e192cde8a52398172b515148969e4f6fc4bcf89de24aedafd4b SHA256 JavaScript
f2708c2b771610ecda87d43c409a943fc4df6cdb090737ea47017f5ea4fc6a85 SHA256 JavaScript
f68522b21d226a9d7ab91105e4412ea3ad836801e090e1e6dce766def233c607 SHA256 JavaScript
f85dbbb00236db3abcc3383f2708fa4f53f5a464a62c4338391f513f49ea8b76 SHA256 JavaScript
fc9617a69ee597606fbc68a5280819e48c9679b1d44d09f86cb4b62b68835209 SHA256 JavaScript
fd407ac4d456c2196b128587347d85856989faec188334a8fbc4469f4b4e6ef2 SHA256 JavaScript
fed183856e7f09bb9f73d8c9d57bd3573ec846da1a49dc1eeb295c845007f5a2 SHA256 JavaScript
ffdf20ae5a3124a69711eb46b11b01bed6cffb66aef711732f96ddb4546cb635 SHA256 JavaScript
ffe0ff011712afeb8ebc70e09bb455cc6fdd36c8d3b31004d25dc1cd8cc74b8f SHA256 JavaScript
04f2cd6ddf9faef579d303c5efd2fc65b9997e05c3f75ea9b0cfc474f5e9019a SHA256 Strela Stealer
13d96ed827887f6c31d907a5ee29441e2afd95be683e51e874cf5ad8207c1a98 SHA256 Strela Stealer
1970d38e7fa45a46e792372a19d890541c87d1007ddedd53858b6df6728d72ff SHA256 Strela Stealer
dbd301f710d45acdd639cda5cd47a5453b9abb8a361ed250bfc47de70318fec6 SHA256 Strela Stealer
13531bd403e5f8f607bf16144c38ffd94004eafa8e6a098628b915de07ba432b SHA256 Strela Stealer
080caffde331496a46e8cb35acd107ed113046b46310747a2dd15a62efab23b5 SHA256 Strela Stealer
bd26724bdc8c5d9cb65d361231048725fbc31072d4c457c23531bc4333460011 SHA256 Strela Stealer
77836c0b18bbfef70fd04ba674ea045bf109851efe76ae9bcc55c2dcd08cc3c5 SHA256 Strela Stealer
03853c56bcfdf87d71ba4e17c4f6b55f989edb29fc1db2c82de3d50be99d7311 SHA256 Strela Stealer
cd39bec789b79d9ea6a642ab2ddc93121f5596de21e3b13c335ceaddb83f2083 SHA256 Strela Stealer
b9ae263904d3a5fb8471a0f8ab95fcbb224f632e6185e3a110e8d5aed9785420 SHA256 Strela Stealer
vaultdocker[.]com Domain Malicious
cloudslimit[.]com Domain Malicious
dailywebstats[.]com Domain Malicious
endpointexperiment[.]com Domain Malicious
apitestlabs[.]com Domain Malicious
94[.]159[.]113[.]48 IP Malicious

References

https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc
https://unit42.paloaltonetworks.com/strelastealer-campaign/

The post Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV appeared first on Cyble.

Blog – Cyble – ​Read More