Network traffic analysis provides critical insights into malware and phishing attacks. Doing it effectively requires using proper tools like ANY.RUN’s Interactive Sandbox. It simplifies the entire process, letting you investigate threats with ease and speed.
Take a look at the key ways you can monitor and analyze network activity with the service.
Connections
Examining network connections involves looking at source and destination IP addresses, ports, URLs, and protocols. During this process, you can observe all activities that may pose a risk to the system, such as connections to known malicious domains and attempts to access external resources.
To correlate the network activity with other behaviors or components of the malware, ANY.RUN identifies the process name and Process Identifier (PID) initiating the connection. This allows you to gain a better understanding of the threat’s functionality and purpose.
In the Connections section, additional attributes like the country (CN) and Autonomous System Number (ASN) provide context for the geographical location and the organization managing the IP address.
The service also lists DNS requests that help you identify malicious domains used for Command & Control (C&C) communication or phishing campaigns.
Use Case: Identifying Agent Tesla’s Data Exfiltration Attempt
Consider the following sandbox session. Here, we can discover a malicious connection to an external server.
Malicious connection identified by the ANY.RUN sandbox and marked with a flame icon
We can navigate to the process that started this connection (PID 6904) to see the details.
The sandbox shows that the process connected to a server controlled by attackers
The service displays two signatures related to the connection, which specify that it was made to a server suspected of data theft over the SMTP port. The sandbox also links the process of Agent Tesla, a malware family used by cyber criminals for remote control and data exfiltration.
Suricata rule used for detecting Agent Tesla’s malicious connection
Thanks to ANY.RUN’s integration of Suricata IDS, you can discover triggered detection rules by navigating to the Threats tab. The detection of data exfiltration over SMTP in this case is done without decryption. The sandbox relies solely on specific sequences of packet lengths characteristic of sending victim data.
HTTP Requests and Content
ANY.RUN provides comprehensive analysis of HTTP requests and their content. To access header information, simply navigate to the Network tab. Here, you’ll find a detailed list of all HTTP requests recorded by the sandbox.
You can investigate HTTP Requests in detail in ANY.RUN
Click on a specific request to view its headers, which include information such as the request method, user-agent, cookies, and response status codes.
ANY.RUN also offers static analysis of the resources transmitted as part of HTTP requests and responses. These may include HTML pages, binary, and other types of files. The sandbox extracts their metadata and strings.
Use Case: Discovering a Server for Collecting Stolen Passwords
When investigating phishing attacks, it is sometimes necessary to check which server ends up receiving the passwords entered by victims on a malicious webpage. To accomplish this task, we need to enable Man-in-the-Middle (MITM) Proxy.
Switching on MITM Proxy takes just one click in the VM setup window
The feature acts as an intermediary between the malware and the server, allowing analysts to intercept and decrypt even HTTPS traffic, typically used for secure communication.
ANY.RUN allows you to interact with the VM including by entering text
Here is an example of a typical attack that is designed to trick users into entering their real login credentials on a fake webpage.
Please Note
Under no circumstances should you enter real credentials when analyzing threats in the ANY.RUN sandbox. Instead, use a non-existent test email and password.
After we enter a fake password, we need to navigate to the HTTP request section. Here, we need to start reviewing the HTTP POST requests, beginning with the most recent connection by time.
The fake password we entered which was exfiltrated via Telegram
In most cases, you will be able to understand which server the web page is communicating with. In our example, the stolen data is being sent to Telegram.
Access MITM Proxy and other PRO features of ANY.RUN for free
Use Case: Collecting Information on Attackers’ Telegram Infrastructure
Here is analysis of XWorm malware sample that connects to a Telegram bot for exfiltrating data collected on the infected system.
Thanks to MITM Proxy, we can decrypt the traffic between the host and the Telegram bot.
Bot token and chat_id are found in the query string
By examining the header of a GET request sent by XWorm we can identify a Telegram bot token along with the id of the chat controlled by attackers where information on successful infections is sent.
Packet capture involves intercepting and recording network packets as they are sent and received by the system. In ANY.RUN, you can determine the specific data being transmitted and received, which can include sensitive information, commands, or exfiltrated data.
Through this detailed examination, you can uncover the structure and content of network packets, including the headers and payloads, which can reveal the nature of the communication. For instance, tracking the information contained in outgoing packets aids in identifying what data was stolen, such as passwords, logins, and cookies.
To study network traffic packets effectively, you can use the Network stream window. Simply select the connection you’re interested in to access RAW network stream data. Received packets are blue, while sent ones are green.
Use Case: Investigating a Pass-the-Hash Attack
Let’s consider the following sandbox analysis. Here, we can observe a theft of an NTLM hash via a malicious web page.
About NTLM
NTLM (NT LAN Manager) authentication is a challenge-response protocol used by Microsoft Windows to verify user credentials.
It involves hashing a user’s password with the MD4 algorithm to create an NTLM hash, which is then used to encrypt a server-sent challenge. NTLM relay attacks intercept and reuse these hashes to impersonate users on other services, enabling unauthorized access without cracking the hash.
Accessing 10dsecurity[.]com led to compromising the system’s NTLM hash
Once we enable MITM Proxy, we can see how the attack is executed. It starts with the victim’s browser sending a request to access an HTML page, which triggers a redirect to an Impacket SMB server hosted on 10dsecurity[.]com.
Impacket is a Python-based toolkit designed for working with network protocols that can be used for harvesting NTLM authentication data.
The sent and received packets of the host’s communication with the SMB server
When the victim’s browser attempts to access the redirected resource via SMB, the Impacket-SMBServer intercepts the request and captures the following information:
The victim’s IP address
NTLM Challenge Data
The victim’s username
The victim’s computer name
Suricata IDS detection rule used for identifying an impacket SMB server with a Wireshark filter
ANY.RUN allows us to download PCAP data for further examination in specialized software like Wireshark. To make it easier to identify the connection of our interest, we can collect a display filter right from the sandbox.
Analysis of the captured packets in Wireshark
Once we upload the data to the program and paste the filter, we can once again determine that it is indeed an impacket SMB server.
Conclusion
Packet capture, payload analysis, protocol dissection, DNS requests, and connection analysis are essential components of this process. By leveraging these techniques, security analysts can gain a comprehensive understanding of malicious activities, enabling them to develop effective countermeasures and protect against evolving cyber threats.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds.
Interact with samples in real time.
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-02 12:06:402024-11-02 12:06:40How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN
Cyble Research and Intelligence Labs (CRIL) researchers investigated 17 vulnerabilities and nine dark web exploits during the period of Oct. 23-29, and highlighted seven vulnerabilities that merit high-priority attention from security teams.
This week’s IT vulnerability report affects an unusually high number of exposed devices and instances: Vulnerabilities in Fortinet, SonicWall, and Grafana Labs can be found in more than 1 million web-facing assets, and a pair of 10.0-severity vulnerabilities in CyberPanel have already been mass-exploited in ransomware attacks.
Security teams should assess which of these vulnerabilities are present in their environments and the risks they pose and apply patches and mitigations promptly.
The Week’s Top IT Vulnerabilities
Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.
CVE-2024-40766: SonicWall SonicOS
CVE-2024-40766 is a 9.8-severity improper access control vulnerability in the administrative interface and controls in the SonicOS operating system used for managing SonicWall’s network security appliances and firewalls. Managed security firm Arctic Wolf has reported that Fog and Akira ransomware operators are increasingly exploiting this vulnerability in SSL VPN environments to gain an initial foothold to compromise networks.
Cyble has detected more than 486,000 internet-exposed devices with this vulnerability, making it a critically important priority for security teams.
CVE-2024-47575 and CVE-2024-23113: Fortinet FortiOS and FortiManager
Fortinet environments are under attack from threat actors exploiting a pair of recent 9.8-severity vulnerabilities: CVE-2024-47575, also known as “FortiJump,” is a vulnerability in Fortinet FortiManager that allows an attacker to execute arbitrary code or commands via specially crafted requests. Recently, researchers disclosed that the threat actor tracked as UNC5820 has been exploiting the flaw since at least June 27, 2024.
For more than a week before the October 23 disclosure of CVE-2024-47575, security researchers were concerned that Fortinet was slow in disclosing a FortiManager zero-day known to be under exploitation. However, it appears that a week before the CVE was released, Fortinet notified customers of a FortiManager vulnerability and provided some recommended mitigations. Some FortiManager customers reported that they didn’t get that communication, suggesting a need for a clearer advisory process. Fortinet update its guidance on the vulnerability yesterday.
Cyble researchers also observed threat actors on a cybercrime forum discussing exploits of CVE-2024-23113, a critical vulnerability in multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager that allows remote, unauthenticated attackers to execute arbitrary code through specially crafted requests.
Cyble has identified 62,000 exposed instances of the FortiManager vulnerability, and 427,000 internet-facing Fortinet devices exposed to CVE-2024-23113 (see graphic below).
Exposed assets for the top vulnerabilities (Cyble research)
CVE-2024-9264: Grafana Labs
CVE-2024-9264 is a 9.4-severity vulnerability in the SQL Expressions experimental feature of Grafana, an open-source analytics and monitoring platform developed by Grafana Labs. It is designed to visualize and analyze data from various sources through customizable dashboards. This feature allows for the evaluation of ‘duckdb’ queries containing user input. These queries are insufficiently sanitized before being passed to ‘duckdb,’ leading to a command injection and local file inclusion vulnerability.
Cyble reported 209,000 internet-facing Grafana instances exposed to the vulnerability.
CVE-2024-51567 and CVE-2024-51568: CyberPanel
CVE-2024-51567 and CVE-2024-51568 are critical vulnerabilities in CyberPanel, an open-source web hosting control panel designed to simplify server management, particularly for those using the LiteSpeed web server. NVD has yet to rate the vulnerabilities, but MITRE has assigned them each a 10.0. CVE-2024-51567 is a flaw in upgrademysqlstatus in databases/views.py, which allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, and was exploited in the wild in October in a massive PSAUX ransomware attack.
CVE-2024-51568 is a command Injection flaw via completePath in the ProcessUtilities.outputExecutioner() sink.
Nearly 33,000 CyberPanel instances are exposed to these vulnerabilities, more than half of which have been targeted in mass ransomware and cryptominer attacks.
CVE-2024-46483: Xlight FTP Server
CVE-2024-46483 is a critical integer overflow vulnerability still undergoing analysis that affects Xlight FTP Server, a high-performance file transfer server for Windows designed to facilitate secure and efficient FTP and SFTP (SSH2) file transfers. The flaw lies in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content. Multiple organizations across various sectors use this server because of its Active Directory and LDAP integration functionalities. Cyble assesses that attackers could leverage this vulnerability in campaigns due to the availability of public Proof of Concepts (PoC).
Vulnerabilities and Exploits on Underground Forums
CRIL researchers observed multiple Telegram channels and cybercrime forums where channel administrators shared or discussed exploits weaponizing a number of vulnerabilities, some of which were discussed above. Others include:
CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.
CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.
CVE-2024-3656: A high-risk vulnerability affecting Keycloak versions prior to 24.0.5. The vulnerability allows low-privilege users to access certain endpoints in Keycloak’s admin REST API, enabling them to perform actions reserved for administrators.
CVE-2024-9570: A critical buffer overflow vulnerability in the D-Link DIR-619L B1 router, specifically in firmware version 2.06, occurs in the ‘formEasySetTimezone’ function. The issue arises when the ‘curTime’ argument is manipulated, leading to a situation where an attacker can execute arbitrary code remotely.
CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability in pfSense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.
CVE-2024-21305: A vulnerability identified as a Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass allows attackers to circumvent HVCI protections, enabling the execution of unauthorized code on affected systems running versions of Windows and Windows Server OS.
CVE-2024-23692: A critical vulnerability affecting the Rejetto HTTP File Server (HFS) that allows unauthenticated remote code execution (RCE) through a command injection flaw.
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.
Cyble’s weekly sensor intelligence report for clients detailed new attacks on popular WordPress plugins, and IoT exploits continue to occur at very high rates.
Two 9.8-severity vulnerabilities in LightSpeed Cache and GutenKit are under attack, as WordPress and other CMS and publishing systems remain attractive targets for threat actors.
Vulnerabilities in IoT devices and embedded systems continue to be targeted at alarming rates. In addition to older exploits, this week Cyble Vulnerability Intelligence researchers highlighted an older RDP vulnerability that may still be present in some OT networks. Given the difficulty of patching these systems, vulnerabilities may persist and require additional mitigations.
Vulnerabilities in PHP, Linux systems, and Java and Python frameworks also remain under attack.
Here are some of the details of the Oct. 23-29 sensor intelligence report sent to Cyble clients, which also looked at scam and brute-force campaigns. VNC (Virtual Network Computing) was a prominent target for brute-force attacks this week.
CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability in LiteSpeed Cache that allows Authentication Bypass and could potentially lead to account takeover. The issue affects versions of the WordPress site performance and optimization plugin before 6.5.0.1.
An unauthenticated visitor could gain authentication access to any logged-in users – and potentially to an Administrator-level role. Patchstack notes that the vulnerability requires certain conditions to be exploited:
Active debug log feature on the LiteSpeed Cache plugin
Has activated the debug log feature once before, it’s not currently active, and the /wp-content/debug.log file has not been purged or removed.
Despite those requirements, Cyble sensors are detecting active attacks against this WordPress plugin vulnerability.
CVE-2024-9234: GutenKit Arbitrary File Uploads
The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to CVE-2024-9234, with arbitrary file uploads possible due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. The vulnerability makes it possible for unauthenticated attackers to install and activate arbitrary plugins or utilize the functionality to upload arbitrary files spoofed like plugins.
As malicious WordPress plugins are becoming an increasingly common threat, admins are advised to take security measures seriously.
IoT Device and Embedded Systems Attacks Remain High
IoT device attacks first detailed two weeks ago continue at a very high rate, as Cyble honeypot sensors in the past week detected 361,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66, in attempts to gain administrator privileges.
Also of concern for OT environments are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263. Cyble sensors routinely detect 3,000 to 4,000 attacks a week on these vulnerabilities, which can be present in a number of older Siemens devices.
New to the report this week are several hundred attacks on CVE-2019-0708, a 9.8-severity remote code execution vulnerability in Remote Desktop Services found in several older Siemens devices.
Linux, Java, and Other Attacks Persist
A number of other recent exploits observed by Cyble remain active:
Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active.
Cyble sensors detect thousands of phishing scams a week, and this week identified 385 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in four prominent scam campaigns.
E-mail Subject
Scammers Email ID
Scam Type
Description
VERIFICATION AND APPROVAL OF YOUR PAYMENT FILE
infohh@aol.com
Claim Scam
Fake refund against claims
Online Lottery Draw Reference Claim Code
annitajjoseph@gmail.com
Lottery/Prize Scam
Fake prize winnings to extort money or information
RE: Great News
cyndycornwell@gmail.com
Investment Scam
Unrealistic investment offers to steal funds or data
Re: Consignment Box
don.nkru3@gmail.com
Shipping Scam
Unclaimed shipment trick to demand fees or details
Brute-Force Attacks Target VNC
Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, Virtual Network Computing (VNC, port 5900) servers were among the top targets of threat actors. Here are the top 5 attacker countries and ports targeted:
Attacks originating from the United States targeting ports were aimed at port 5900 (30%), 22 (28%), 445 (25%), 3389 (14%) and 80 (3%).
Attacks originating from Russia targeted ports 5900 (88%), 1433 (7%), 3306 (3%), 22 (2%) and 445 (1%).
The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.
Security analysts are advised to add security system blocks for the most attacked ports (typically 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).
Recommendations and Mitigations
Cyble researchers recommend the following security controls:
Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
Constantly check for Attackers’ ASNs and IPs.
Block Brute Force attack IPs and the targeted ports listed.
Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
For servers, set up strong passwords that are difficult to guess.
Conclusion
With active threats against multiple critical systems highlighted, companies need to remain vigilant and responsive. WordPress and VNC installations and IoT devices were some of the bigger attack targets this week and are worth additional attention by security teams. The high volume of brute-force attacks and phishing campaigns demonstrates the general vulnerability crisis faced by organizations.
To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.
Cisco Talos’ Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.
Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.
Discovered by Patrick DeSantis and Francesco Benvenuto.
Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.
The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.
Talos discovered these vulnerabilities in the R0.30e6 version of the router:
TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.
TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.
TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.
TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.
TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.
TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.
TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s Wi-Fi network.
TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.
TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.
TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.
TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.
Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that no one is fully immune to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather —victim) of the attack might be their current employer.
Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.
You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.
Fake job posting, crypto game, and a $540 million heist
One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers managed to contact (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.
Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.
The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.
This resulted in one of the largest crypto heists of the century. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.
More fake job postings, more malware
In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.
One attack scenario goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.
However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.
In another scenario, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.
Yet another variation of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called one dot leader (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.
Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.
Fake coding test with a Trojan on GitHub
A recently discovered variation of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.
When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.
However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.
When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension, with a dot at the beginning of the filename signaling to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.
Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.
As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.
How to protect yourself
As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:
Raise awareness among employees — including developers — about cyberthreats through specialized training. Setting up such training is simple with our automated educational platform, Kaspersky Automated Security Awareness Platform.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-31 16:07:302024-10-31 16:07:30Backdoor in coding test on GitHub | Kaspersky official blog
Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan.
The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware.
This campaign abuses Google’s Appspot[.]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine to avoid network security product detections.
Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries.
Phishing email campaign targets Taiwan
Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes.
The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are:
IMAGE COPYRIGHTED.exe
[Redacted] 的影片內容遭到侵犯版權.exe (translates to “[Redacted]’s video content has been copyright infringed.exe”)
版權侵權信息- [Redacted] Media Co Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Media Co Ltd.exe”)
版權侵權信息- [Redacted] Media Group Inc.exe (translates to “Copyright Infringement Information – [Redacted] Media Group Inc.exe”)
版權侵權信息- [Redacted] Technology Group.exe (translates to “Copyright Infringement Information – [Redacted] Technology Group.exe”)
版權侵權信息- [Redacted] Co. Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Co. Ltd.exe”)
[Redacted] Online -宣布侵權.exe (translates to “[Redacted] Online – declare infringement.exe”)
The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign.
Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.
Phishing email impersonating a well-known industrial motor manufacturer.
Phishing email impersonating a famous online shopping store.
Attribution
Talos observed an unknown image printing EPS file within the encrypted archive, with the filename “Support.” Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.
Support EPS file metadata.
The support EPS file preview image in this campaign (left) and the image we found from the internet (right).
Actor infrastructure
The threat actor is abusing Google’s Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.
Malware download link.
We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.
C2 domain DNS requests.
Malware infection summary
The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server.
The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it.
The RAR file contains a fake PDF and an image printing file.
The RAR file contains a fake PDF, an image printing file, and additional DLL file.
The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable.
Fake PDF file detail information.
LummaC2 stealer and its loader
LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data.
The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system’s memory. After successfully mapping the payload, the malware then executes it.
Call to an unknown library to execute the malicious code functions.
When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer’s execution file to that block, and then execute it.
Jump code to shellcode block.
Encrypted shellcode (left side) and decrypted shellcode (right side).
We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message.
Alert message shown to the user when executing LummaC2.
POST message with act=life and url path /api.
Build ID:
sTDsFx–Socks
iAlMAC–ghost
Rhadamanthys stealer and its loader
Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments.
We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.
The loader of Rhadamanthys binary structure sections.
After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:Users[user]DocumentslumuiUpdaterffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively.
The loader copies itself to the lumuiUpdater folder.
Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim’s computer restarts, thereby maintaining its persistence on the infected system.
The loader is configured to start automatically.
Finally, the loader executes the legitimate system process “%Systemroot%system32dialer.exe” and injects Rhadamanthys’ payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169.
IOC
IOCs for this research can also be found at our GitHub repository here.
Have you ever googled yourself? Were you happy with what came up? If not, consider requesting the removal of your personal information from search results.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-31 08:09:022024-10-31 08:09:02How to remove your personal information from Google Search results
The Cybersecurity and Infrastructure Security Agency (CISA) has recently alerted users to multiple vulnerabilities in Apple products following the release of vital security updates on October 28, 2024. These Apple vulnerabilities could potentially allow cyber threat actors to exploit weaknesses in the software, emphasizing the importance of timely updates for safeguarding systems. Apple product users and administrators are urged to review the advisories and promptly apply the necessary updates.
These updates address vulnerabilities that could potentially expose users to several risks, ranging from unauthorized access to sensitive data to the possibility of complete system control. The products affected by these updates encompass a wide range of operating systems and devices, including iOS and iPadOS versions 18.1 and 17.7.1, macOS versions Sequoia 15.1, Sonoma 14.7.1, and Ventura 13.7.1. Additionally, Safari 18.1, watchOS 11.1, tvOS 18.1, and visionOS 2.1 are also included in this critical update cycle.
Key Apple Vulnerabilities Addressed
These Apple vulnerabilities highlight the ongoing need for users to remain vigilant and ensure their devices are updated to protect against potential threats.
iOS 18.1 and iPadOS 18.1
The advisory reports on affected devices, including the iPhone XS and later models and various iPad models starting from the 7th generation onward. This update specifically addressed several Apple vulnerabilities, enhancing the security of these devices.
Accessibility Issues (CVE-2024-44274): Physical access to locked devices could expose sensitive information. The fix involves improved authentication mechanisms.
App Support (CVE-2024-44255): Malicious applications may exploit shortcuts without user consent. Enhanced path handling has been implemented to mitigate this risk.
CoreMedia Playback (CVE-2024-44273): Vulnerabilities that allow malicious apps to access private information have been addressed through better symlink handling.
CoreText (CVE-2024-44240, CVE-2024-44302): Enhanced checks have fixed issues with malicious fonts that could disclose process memory.
Foundation (CVE-2024-44282): Improved input validation addresses vulnerabilities that could leak user information while parsing files.
Additional vulnerabilities, including those related to ImageIO and the kernel, have also been patched.
Safari 18.1
The Safari update was released on October 29, 2024, and it supported macOS Ventura and macOS Sonoma. This update was designed to address critical issues that could impact user security and functionality within the Safari browser.
Security Vulnerabilities (CVE-2024-44259): Attackers could misuse trust to download malicious content. The fix includes improved state management.
Private Browsing Leakage (CVE-2024-44229): Potential leakage of browsing history in private mode has been resolved with additional validation measures.
macOS Sequoia 15.1
The Apple security update advisory for macOS Sequoia 15.1 addressed vulnerabilities that affected a range of services. By resolving these vulnerabilities, this update enhances overall security and functionality for users.
Apache Vulnerabilities (CVE-2024-39573, CVE-2024-38477): Multiple issues in Apache software impact several Apple projects.
CoreServicesUIAgent (CVE-2024-44295): Enhanced checks prevent unauthorized modifications to protected file system areas.
watchOS 11.1, tvOS 18.1, and visionOS 2.1
Each update features enhancements designed to mitigate vulnerabilities similar to those addressed in previous iOS and macOS releases. For example, the updates incorporate measures that strengthen security across various functionalities, ensuring users are better protected against these Apple vulnerabilities.
CoreMedia Playback (CVE-2024-44273): Ensures that applications cannot access private information through improved symlink handling.
CoreText (CVE-2024-44240, CVE-2024-44302): Fixes related to malicious fonts that could disclose sensitive data.
Recommendations for Users and Administrators
To mitigate the risks associated with these Apple vulnerabilities, CISA advises users to take the following actions:
Immediately apply the latest security updates for all affected Apple products. This is crucial to protect against potential exploitation.
Regularly review and update security settings on devices to ensure they align with best practices.
Provide users with training on recognizing phishing attempts and the importance of not clicking on suspicious links or downloading unverified applications.
Enhance overall security posture by utilizing additional security measures such as firewalls, antivirus software, and intrusion detection systems.
Conclusion
CISA’s recent advisories concerning vulnerabilities in Apple products highlight the critical need for users and organizations to prioritize security updates. With the potential for severe consequences arising from these vulnerabilities, including unauthorized system access and data breaches, timely application of the Apple security update is essential.
Organizations and individual users alike must remain vigilant and proactive in maintaining the integrity of their systems. By promptly addressing vulnerabilities and adhering to best security practices, they can reduce the risk of exploitation and protect sensitive information from cyber threats.
For comprehensive details on each vulnerability and their respective fixes, users are encouraged to consult Apple’s official security documentation and the latest advisories from CISA regarding Apple vulnerabilities.
In this article, we’ll explore the most common types of protectors—packers and crypters—along with simple ways to detect and remove them.
We’ll also introduce some useful tools to simplify the process and improve your malware analysis skills.
What Are Protectors and What Types Are There?
Protectors are tools designed to complicate code analysis, making it harder to detect and examine malware. Two of the most common types of protectors are packers and crypters.
1. Packers
Packers are utilities that package one or more files into a single executable, often adding compression. This process makes static and dynamic detection more difficult, a tactic many types of malware exploit.
Certain malware, like those written in scripting languages (e.g., Python or JavaScript) or relying on non-standard libraries, require packing to function properly by including interpreters and necessary libraries.
Classic examples of packers include installers like NSI and MSI, UPX, MPress, and self-extracting archives (SFX) made with tools like 7zip or WinRAR.
Packers generally don’t protect application data, making it relatively easy to extract them at runtime in a sandbox or remove the packer using static tools.
2. Crypters
Crypters take protection a step further by encrypting the executable’s contents, often adding layers of packing and obfuscation. Designed to obscure code, crypters make analysis more complex and time-consuming. Examples of crypters include NetReactor, Themida, and VmProtect.
Main Protection Methods of Crypters:
Dynamic unpacking in memory to avoid leaving any disk trace.
Encryption of files, data, and code, with decryption at runtime.
Code Obfuscation: Changes the structure and sequence of instructions, transforming (meta)data into unreadable or meaningless characters.
Virtualization: Transforms code into pseudo-instructions that are either regenerated or interpreted at runtime.
Note that without virtualization, code is usually weakly protected and can often be restored to its original or near-original state.
Identifying Packers: Simple Techniques and Useful Tools
Detecting packers can be simplified with a few straightforward techniques and specialized tools like DiE (Detect It Easy). DiE notifies users when a packer is detected, making it a quick solution for initial identification.
Let’s consider the following sample. When analyzing it with DiE v3.10, we can observe the presence of the MPRESS packer.
The results of DiE analysis, revealing the packer MPRESS
Opening the sample in DiE reveals section names that indicate packing.
Section demonstration in DiE with names MPRESS1 and MPRESS2
Packers like UPX and MPRESS often create sections with distinctive names, such as MPRESS1 and MPRESS2, which help analysts identify their usage.
We can also examine PE (Portable Executable) information in the Static Discovering window inside ANY.RUN sandbox. This provides further details to help identify these packers and their specific characteristics.
Demonstration of UPX0 and UPX1 in Static Discovering section
We can identify UPX through section names. In certain cases, packers like VMProtect and Themida can also be identified by their distinct section names.
The .vmp0 section characteristic of VMProtect.
Sections, such as .vmp0, indicate VMProtect (see example).
The .themida section characteristic of Themida
Sections, such as .themida or .taggant, signal the presence of Themida (see example).
Try advanced malware analysis with ANY.RUN for free
For instance, packers like Themida/Winlicense often have sections with random names or blank spaces as section names (example). The image below shows that Sections #4 and #5 have random names, while sections #0 and #3 contain blank spaces instead of names.
The presence of a .taggant section is a distinguishing feature
In VMProtect, the section addresses in the file (specifically the PointerToRawData field) are often set to zero (example).
PointerToRawData is set to zero in sections #0 through #5
In the image above, for sections #0 through #5, PointerToRawData is set to zero, which suggests that unpacking occurs dynamically at runtime.
Unusual Imports
The absence or minimal number of imports suggests that libraries are loaded, and their function addresses are acquired dynamically at runtime.
For .NET applications, a single import (mscoree.dll:: _CorExeMain) is typical. In some cases, a unique mix of functions can reveal the application’s intentions.
For instance, let’s open the Static Discovering window inside the ANY.RUN sandbox for this UPX sample and go to the Imports section.
Static discovering in the ANY.RUN sandbox
Then, let’s search for KERNEL32.DLL.
LoadLibraryA and GetProcAddress point to dynamic library loading
The combination of LoadLibraryA and GetProcAddress indicates dynamic library loading, while VirtualProtect may suggest an intention to change memory page protection to executable.
Since only four functions are present here, this combination is unlikely to be coincidental and can signal intentional manipulation for code execution.
High Entropy
For unpacked files, the overall entropy typically ranges from 5 to 6.5. Packed files, however, often exhibit entropy levels above 7, approaching 8 (the maximum entropy for 8-bit data).
High entropy values can indicate packing or encryption, as they suggest a lack of readable patterns within the file.
Static unpacking: The code is processed by the unpacker but not executed. This method relies on analyzing the packed file without running it, allowing for a safer examination.
Dynamic unpacking: The code is executed and preserved by the unpacker in memory. This approach involves running the packed malware in a controlled environment, often in a sandbox, to observe the unpacked code in action.
Dynamic unpacking is the most challenging type of unpacking, as it often requires the use of a debugger and capturing memory dumps.
This approach allows analysts to observe how the code behaves at runtime, but it demands a controlled environment and more advanced tools to monitor and extract the unpacked code accurately.
To make the process of the analysis easier and faster, you can utilize ANY.RUN’s Interactive Sandbox. It provides memory dumps of unpacked and decrypted data, including the decrypted executable payload.
The sandbox generates memory dumps for various processes and makes them available for download, saving analysts significant time and simplifying the analysis process. You can download these memory dumps and analyze them locally.
There are two options for accessing memory dumps generated inside ANY.RUN’s sandbox.
Click the DMP button to access dumps
You can access them by clicking on the DMP button in the process tree section.
Alternatively, you can go to “Advanced Details” of a process that has the DMP icon next to it and navigate to the “Process dump” section, where you can download the dumps.
Let’s now see how you can address different types of packers.
SFX Installers
SFX (Self-Extracting Archives) is an archive format that, when executed, extracts files and can perform specific actions. In most cases, these archives can be unpacked statically with utilities like 7zip or WinRAR.
To see a typical SFX in action, let’s consider the following sample.
Such archives often have a distinctive icon, indicating they are self-extracting executables:
SFX file icon
Use WinRAR to open the archive and view the extraction settings and packed files within the SFX.
Right-click on the file to access the “Open with WinRAR” option
After opening the file, on the right side, you’ll find extraction parameters, file paths, and the primary executable file. On the left, you can view all files packed within the archive.
Contents of SFX file
MSI Files
To unpack MSI files, a common method is using the command line with msiexec /a. However, this method may not work for every file and can sometimes result in errors.
For instance, with the following sample, attempting this command in a sandbox triggers an error (see sandbox example).
Error unpacking MSI
An alternative solution is LessMSI, a specialized tool for extracting files from MSI packages.
The upload button in ANY.RUN lets you add files to a running sandbox section in real time
Upload the LessMSI archive to a virtual machine in ANY.RUN via the upload button.
File demonstration in LessMSI for files packed in an MSI installer
Launch the GUI version of LessMSI and select the MSI file. Next, the program will display a list of files and their paths for extraction.
Nullsoft Installer
Nullsoft installers are often straightforward to unpack using 7zip. By opening these files with 7zip, you can directly access the contents of the installer.
Demonstration of files packed in the installer, along with special directories that start with the $ symbol
Opening the archive in 7zip reveals the files packed within it, including special directories that typically start with the $ symbol.
This approach allows you to explore the installer’s files easily. However, a limitation is that it doesn’t reveal the initial installation parameters, which may be necessary for deeper analysis.
InnoSetup
Unpacking InnoSetup installers requires specialized tools. The unpacking becomes more challenging because these files often contain embedded scripts that control the installation process.
In this case, 2 useful tools can be used:
innoextract: A command-line tool designed to extract files from InnoSetup packages.
innounp: Another tool that offers similar functionality, supporting various versions of InnoSetup.
The archive contains a single directory, which is, in fact, the Nullsoft SFX
Download the EXE file and start the unpacking process.
The $PLUGINSDIR directory with the app-32.7z, containing the application files
When extracting with 7zip, we obtain a folder containing various files, including an archive with a renamed Chromium executable (in this case, Runtime Broker.exe) and its libraries.
The application data in the app-32.7z archive consists mostly of files related to Chromium
The Electron.js application data is stored in the resources directory.
Files in the resources folder
The app.asar file is an archive containing the Electron.js application data.
To unpack it, you’ll need an npm module.
Install npm: sudo apt install npm
Run the following command to extract the archive: npx @electron/asar extract app.asar extracted
If the asar module isn’t already installed, npm will prompt you to install it.
As a result of running the command, the archive will be unpacked into the extracted folder.
Files extracted from app.asar
The node_modules folder contains the Node.js packages, and index.js is the initial script of the application.
UPX
UPX (Ultimate Packer for eXecutables) is a packer for executable files.
Compatibility: It supports only native PE (Portable Executable) applications.
Unpacking: UPX-packed files are often easy to unpack statically using the same UPX utility.
To unpack a UPX-packed file, you only need to use a single command:
upx –d <file>
UPX can be identified by the presence of sections named UPX0 and UPX1 in the file.
First, download the sample and open it in DiE (version 3.10). DiE will indicate the presence of UPX, listing specific indicators.
Some malware samples use older versions of UPX. In such cases, you’ll need the corresponding version to unpack them. DiE suggests the recommended version, which, in this example, is 3.96.
DiE reports the detection of Packer: UPX
To analyze a sample like this, it’s essential to remove the UPX compression; otherwise, the disassembler won’t be able to interpret the code correctly.
For instance, Ghidra—a free disassembler and decompiler—will display multiple errors when importing a compressed file.
During analysis, Ghidra will detect only a single function. The built-in decompiler will report the incorrect code.
In the image above, on the left side, there is a Listing displaying the single function, while on the right side, the Decompiler window shows an error message.
To conduct analysis, download the latest release of UPX from GitHub.
Next, upload the sample along with the upx.exe file (it’s not necessary to upload the entire archive) to the virtual machine.
In the Command line field, enter “cmd” and use Tools collection on the right.
To do this, switch to the Pro mode in the sandbox and select Tools collection. Here, you can either use previously uploaded tools or upload new ones.
Access all Pro features of ANY.RUN sandbox for free
Before starting the analysis, enter the “cmd” command in the Command line field. This will prevent the sample from running automatically and will open the console at the start of the session.
Unpack the UPX archive and enter the following command in the console:
<path_to_upx>upx.exe -d <filename>
As a result of the command execution, the file will be overwritten with the decompressed version.
UPX confirms a successful unpacking; the file has been overwritten
To ensure the unpacked sample is functioning correctly, let‘s run it in a sandbox.
The sample did not crash and is successfully sending network requests.
When clicking the PE button, the Static Discovering window opens, where we can observe a different hash.
Static analysis of the unpacked file
The Static Discovering window for the unpacked file, shows the name under which it was saved to disk. We can see a decrease in entropy, an increase in file size, and a different hash value.
Now, Ghidra can handle this file without any issues.
Ghidra successfully disassembled the file and identified the library functions
In the Listing section, we see numerous references and functions, and the Decompiler window displays the correct code.
The same process can be done on a physical machine, as UPX does not execute code during unpacking.
Learn to analyze cyber threats
See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis
Read full guide
AutoIt
AutoIt is often used as a crypter. The simplest way to detect AutoIt is by checking the file description. To do this, go to the Main tab in the Static Discovering window inside ANY.RUN and scroll down.
You may find different mentions of AutoIt in the description.
Here is another example. Usually, such a file is an AutoIt interpreter bundled with a script.
In some cases, a deeper examination is required. Let’s look at the following example.
ANY.RUN automatically add AutoIt tag to the session
In this example, AutoIt was detected by ANY.RUN’s sandbox. Let’s confirm this in DiE.
DiE reports the detection of an AutoIt signature
To extract and decompile the script, we can use AutoIt-Ripper.
Let’s install it using pip install autoit-ripper.
The latter is quite easy to use:
autoit-ripper <file> <output_dir>
As a result of running the command, the restored script is saved to a file named script.au3. Besides, all the associated files were detected and saved.
Now it’s possible to analyze the script’s actions by opening it in a text editor.
In most cases, the scripts are also obfuscated and will require more in-depth analysis
In this example, we see the execution of CL_Debug_Log.txt with specific parameters.
The script drops to disk and modifies asacpiex.dll, saves it as a separate file, and then unpacks it
Opening CL_Debug_Log.txt in DiE reveals that it is a standalone version of 7zip.
The VS_VERSION_INFO can be spoofed, but in this case, all evidence suggests that this file is an archiver
In this way, the malware unpacks the files necessary for its operation. In addition, the script contains checks for execution in a virtual environment.
The script checks information about graphic adapters in the system
It also includes checks for the presence of antivirus software.
The script checks running processes for names that match popular antivirus solutions
NetReactor
NetReactor is a packer and obfuscator for applications written in .NET.
Supports code virtualization.
Files and libraries are not saved to disk but are loaded directly into memory.
Changes the structure of the code, making analysis more difficult.
Most files can be successfully unpacked using NetReactorSlayer, but for the best results, dynamic unpacking is recommended. This method executes the code within the operating system, allowing system functions to be called as needed for a more accurate unpacking process.
Let’s look at an example with the PureHVNC payload.
Next, run the analysis session using dnSpy and NetReactorSlayer.
Before processing, you can see numerous namespaces.
Multiple namespaces are visible
Let’s locate the configuration class.
Open Type References and locate the IPAddress class.
Right-click on it and select Analyze.
In the opened window, click on Used by to find the method where this class is used.
The obfuscated code
We see presence of goto and labels scattered throughout the code to confuse the execution flow
Now, open NetReactorSlayer and select the sample.
There are multiple settings available; the default settings work well for this purpose.
Click Start Deobfuscation and wait for the process to complete.
The program decrypts strings, simplifies the code, and even attempts to remove virtualization.
The file is saved with the suffix _Slayed.
Now, open the received file in dnSpy. As a result, the unnecessary namespaces have been removed.
No excessive namespaces
The classes have been renamed too.
Renamed classes
Next, let’s look for the usage of IPAddress as well.
Now, the goto statements are positioned appropriately, and the labels are no longer scattered
The lengthy class names have been shortened, and the fields have been renamed according to their respective values. The code has become easier to analyze, and string literals are now included.
Often, in addition to being packed, malware is stored in an encrypted form within a special loader (crypter).
This analysis demonstrates the process of extracting the payload using dnSpy.
After execution, the crypter decrypts the payload and performs an injection into the target process.
With the help of dnSpy, let’s attach the debugger to the process. To do this, go to the Debug tab and click on Attach to Process.
Click Attack to Process
Then, choose the process you want.
Pick the process of your interest
Note that to debug 32-bit processes, you should run dnSpy x86, and for 64-bit processes, use dnSpy x64.
Pause the process and open the Modules window.
Click Modules
Right-click on the main module, then select Open Module from Memory.
We see that InstallUtil has been replaced with EMPRESA992
After opening the module, obfuscation can be observed.
Click Save Module and transfer the saved file to the console version of NetReactorSlayer.
As a result, we get the following output.
NetReactorSlayer corrected the entry point, removed unnecessary code, and saved result to disk as InstallUtil_Slayed.exe.
The associated library MessagePack.dll has been saved as a separate file.
MessagePack.dll
Now, the payload InstallUtil_Slayed.exe can be run separately and analyzed through debugging (See sample analysis).
SmartAssembly and Other .NET Packers
Another popular packer for .NET applications is SmartAssembly.
Besides obfuscating the code (which makes the execution order unclear and renames identifiers to unreadable terms), SmartAssembly complicates analysis with a large number of delegates that are resolved at runtime, including those used for decrypting strings.
Let’s open the sample in DiE and confirm the presence of the protector.
We can see how DiE detects Protector Smart Assembly.
Smart Assembly detected by DiE
In the US (User Strings) tab, there is an abnormally small number of strings.
Let’s switch to dnSpy.
Upon opening the sample, you will immediately notice an attribute indicating the presence of the SmartAssembly protector.
You will also notice the characteristic namespaces associated with SmartAssembly.
These artifacts are quite common among protectors, particularly in .NET applications.
Next, click on Go to Entry Point.
In this case, while the code (control flow) is not obfuscated, the strings are obtained through a delegate call with a numeric argument.
We see a call to Console.WriteLine that displays the result from a delegate using a numeric argument.
Earlier, we used NetReactorSlayer to remove the protector.
While it is a specialized tool, it can also be used for general purposes, such as simplifying code, though with some limitations.
Let’s try to simplify the code using NetReactorSlayer.
While this tool simplified the code readability, it was unable to decrypt the strings.
In the simplified code, the purpose of the delegates used in Console.WriteLine is clear
Now, let’s use another tool—de4dot—which is also part of what NetReactorSlayer uses for code simplification. You can also utilize de4dot-cex, which is the improved version of de4dot.
For this case, we will use de4dot to remove SmartAssembly.
As a result, the file is processed in a similar way.
de4dot and NetReactor simplify names in the same way
However, the string encryption has also been removed.
The GetString delegates have been replaced with string literals.
In DiE, you can view all the decrypted strings.
The processed file often retains functionality and can make runtime analysis easier.
de4dot works with many other protectors and can simplify code analysis.
If de4dot doesn’t succeed, try using NetReactorSlayer, which may be more effective at further simplifying complex code.
However, for older versions of NetReactor (below 6.0), de4dot remains the preferred option.
Themida, VMProtect
Themida and VMProtect are packers and obfuscators for applications that support virtualization and code mutation.
Virtualization: This feature protects the malware code at runtime, not just in static analysis.
Extracting Samples: In most cases, virtualization is not applied, allowing an unpacked sample to be extracted from memory, though it may be partially modified.
Static Unpacking: This is generally unlikely, as these commercial packers adapt quickly to new analysis methods.
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
Detect malware in seconds.
Interact with samples in real time.
Save time and money on sandbox setup and maintenance
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 13:06:402024-10-30 13:06:40Packers and Crypters in Malware and How to Remove Them
The recent Strela Stealer phishing campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), poses as an invoice notification to trick users into engaging with it.
This campaign predominantly targets users in Central and Southwestern European regions, adjusting its focus based on locale settings to maximize its reach within specific demographics.
Phishing emails carry ZIP file attachments containing heavily obfuscated JavaScript (.js) files, which are designed to evade detection by security tools.
The JavaScript file conceals a base64-encoded PowerShell command that, when executed, launches a malicious payload directly from the WebDAV server without saving the file to disk.
The payload, Strela Stealer, is embedded within an obfuscated DLL file, specifically targeting systems in Germany and Spain.
Strela Stealer is programmed to steal sensitive email configuration details, such as server information, usernames, and passwords.
In addition to stealing credentials, Strela Stealer gathers detailed system information, enabling attackers to conduct reconnaissance and potentially launch further targeted actions on compromised systems.
Executive Summary
Strela Stealer, first identified by DCSO in late 2022, is a type of information-stealing malware primarily designed to exfiltrate email account credentials from widely used email clients, including Microsoft Outlook and Mozilla Thunderbird. This malware initially targeted Spanish-speaking users through spam email campaigns containing malicious ISO attachments, which included a .lnk file and a polyglot file. When executed, the .lnk file triggered the polyglot file, executing both the lure html and Strela stealer DLL using “rundll32.exe”.
The Threat Actors (TAs) then evolved their tactics by using spear-phishing emails with ZIP file attachments, as identified by Palo Alto. When users downloaded and extracted the archive, a JavaScript file was saved onto their system. Executing the JavaScript file dropped a Base64-encoded file and a batch file. The Base64 file was then decoded using the “certutil -f decode” command, creating a DLL that was executed using “rundll32.exe” with the exported function “hello.“
In their latest campaign, the TAs are using spear-phishing emails with ZIP file attachments containing obfuscated JavaScript code intended to run through WScript. This JavaScript code executes a base64-encoded PowerShell command, which executes the final malicious DLL from a WebDAV server using “rundll32.exe” via the exported function “Entry.” By using this method, the malicious DLL file is not saved on the disk, allowing it to evade detection by security products.
Technical Details:
The Strela Stealer campaign begins with a carefully crafted phishing email written in German, with a theme designed to resemble an invoice for a recent product purchase. The email aims to encourage recipients to open the attached ZIP file RG_175_133572_7063403.zip under the pretense of verifying or processing a transaction. The figure below shows one of the phishing emails.
Figure 1 – Phishing Email
Inside the ZIP file named “RG_175_133572_7063403.zip,” there is a highly obfuscated JavaScript file named “1819737872954318698.js.” This JavaScript file employs advanced obfuscation techniques, using string substitution to generate and execute its hidden code. When triggered, it runs through Windows Script Host (wscript), which then initiates a PowerShell command embedded within the script.
The PowerShell command further contains a base64-encoded payload. Once decoded and executed, this encoded command reaches out to a WebDAV server and executes a malicious DLL file named “96492217114973.dll” on the target system, allowing Strela Stealer to embed itself and begin its data-theft operations. The figure below shows the de-obfuscated JavaScript code.
Figure 2 – JavaScript File
The DLL file acts as a loader for the main payload and includes only a single export function named “Entry”. The DLL includes numerous conditional jump instructions, making analysis more challenging and potentially causing the disassembler to crash. Furthermore, several functionalities may not work properly in the debugger with default settings due to the extensive branching and conditions. The figure below shows the IDA graph view.
Figure 3 – IDA graph view
Upon execution, the DLL accesses a hardcoded key within its “.data” section, as shown in Figure 5. This key is used to decrypt additional data stored in the same section, ultimately extracting the main executable payload.
Figure 4 – Key present in DLL file
The code below demonstrates the use of XOR and other arithmetic operations for decryption.
Figure 5 – Decrypting the MZ header
The image below displays the decrypted MZ content.
Figure 6 – MZ Header
The resulting MZ file runs directly from the “rundll32.exe” process. For analysis, we extracted this payload and examined it separately, identifying it as Sterla Stealer, a malware active since April 2022.
Here we compared the previous version of Sterla Stealer with the new one.
Campaign Identified in 2022
Campaign Identified in March 2024
Latest Campaign
No code obfuscation
Employed control flow obfuscation
Employed control flow obfuscation
No decryption of PE file from DLL file
Decrypts a memory mapped PE file
Decrypts a memory mapped PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file
strela, server.php, key4.db, and login.json strings present in the decrypted PE file
Strela string is removed
PDB path is present
No PDB path
No PDB path
Export function name: Strela
Export function name: hello
Export function name: Entry
Drops payload from ISO
Drops payload from ZIP
Executes payload from WebDAV Server
While the Strela stealer is running, it hides its window by calling the “ShowWindow” Win32 API with the “SW_HIDE” parameter for the current process. It then creates a thread to display a fake error message, as shown below.
Figure 7 – Fake error message
Next, the stealer obtains the locale settings from the victim’s machine by utilizing the GetKeyboardLayout API and comparing the results to the specific hardcoded Language identifiers mentioned below.
0407 – German (Germany)
0C0A – Spanish (Spain)
042D – Basque (Spain)
If any of these language identifiers match, the stealer continues its execution; if not, it stops. This behavior indicates that the malware specifically targets regions within Germany and Spain.
Figure 8 – Locale Check
Targeting Thunderbird
The malware scans for Thunderbird profiles and collects “logins.json” and “key4.db” files from all profiles found on the system. These files contain sensitive information, including usernames, passwords, and other email configuration details. Once obtained, the data within these files is encrypted using a custom encryption method with a hardcoded key, “96be98b2-8a00-410d-87da-2482cc8b7793”, and then sent to the TAs command and control (C&C) server at “94.159.113.48” via a POST request. Following the data transmission, the malware expects the response “ANTIROK” from the C&C server and continues to resend the encrypted data using the same encryption method until this response is received.
Figure 9 – Targeting Thunderbird profiles
Targeting Outlook
To steal Outlook information, the malware examines specific registry keys to retrieve IMAP server details, usernames, and passwords, which are typically stored in encrypted form. It accesses the following registry paths:
Using the “CryptUnprotectData” Win32 API, it decrypts these details into plain text. After decryption, the malware applies custom encryption using the same hardcoded key as in the Thunderbird case and an XOR operation before sending the encrypted data to the threat actor’s command-and-control (C&C) server.
Gathering System Information
Continuing its data gathering, the malware executes the “systeminfo” command, saving the output as a text file within the Temp directory. This file is then exfiltrated to the TA’s C&C server using the previously mentioned encryption technique.
Figure 10 – Gathering systeminfo
In some cases, if the response “ANTIROK” is not received from the C&C server, the stealer attempts to re-encrypt the existing encrypted content using the same method. This results in the transmission of the actual data without encryption, as illustrated in the figure below.
Figure 11 – Data Exfiltration
In its final steps, the malware utilizes a COM object to navigate through the system’s “SpecialFolders” paths, collecting filenames from each directory. This data is compiled into a single output and sent to the attacker’s C2 server. By gathering information on files stored in sensitive locations, the malware enables the TA to perform reconnaissance, potentially planning further data exfiltration or deploying additional malicious activities based on the obtained directory structure.
Conclusion
The recent iterations of the Strela Stealer campaign reveal a notable advancement in malware delivery techniques, highlighting increased sophistication and stealth. By employing spear-phishing emails that contain ZIP file attachments, the malware successfully circumvents conventional security defenses. The use of heavily obfuscated JavaScript, along with base64-encoded PowerShell commands, significantly complicates detection and response efforts. Additionally, executing the DLL file directly from the WebDAV server without saving it to disk effectively bypasses security mechanisms, enabling unauthorized access to sensitive information. This evolution underscores the importance of proactive cybersecurity measures to counter such advanced threats.
Cyble’s Threat Hunting Packages
At Cyble, we understand the evolving landscape of cyber threats and the need for robust security measures. Our Threat Hunting Packages are specifically designed to detect suspicious remote WebDAV share access and file execution activities, such as those employed by the Strela Stealer malware.
In addition to our sophisticated detection capabilities, our Threat Hunting Packages include custom YARA rules tailored to identify signatures associated with Strela Stealer. These rules enhance the Organization’s security posture by enabling quick detection of known threats, ensuring that systems remain protected against sophisticated malware tactics.
For further details on this threat and several others being constantly analyzed by Cyble Research and Intelligence Labs, schedule a demo today.
Recommendations
Conduct regular training sessions to educate employees about phishing tactics, including recognizing suspicious emails and attachments.
Deploy robust endpoint protection solutions that can detect and respond to malicious activity, including obfuscated scripts and unauthorized file executions.
Implement strict access controls on WebDAV servers, ensuring only authorized users have access. Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
Limit the execution of PowerShell scripts and other scripting languages on endpoints unless necessary for business operations.
Develop and regularly update an incident response plan that includes specific procedures for handling phishing attacks and malware infections.
Implement multi-factor authentication for accessing sensitive systems and accounts, adding an additional layer of security against credential theft.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-10-30 13:06:392024-10-30 13:06:39Strela Stealer targets Central and Southwestern Europe through Stealthy Execution via WebDAV
