Malwarebytes consumer product roundup: The latest

At Malwarebytes, we’re constantly evolving to protect our customers. These days, our products don’t just protect you from malware, we protect your identity, defend you from ads, safeguard your social media, and keep your mobile safe too.

Here are the innovations we’ve made in our products recently. Are you making the most of them?

Malwarebytes Premium

Windows

Tamper / Uninstall Protection. This allows you to password protect your software so that it can’t be removed remotely.

Trusted Advisor. This dashboard provides an easy-to-understand assessment of your computer’s security with a single comprehensive protection score, and clear, expert-driven advice.

Brute Force Protection. This blocks Remote Desktop Protocol (RDP) attacks, which are attempts by cybercriminals to access a computer remotely. We do this by blocking IP addresses that exceed a threshold of invalid login attempts.

Smart Scan. This enables you to schedule scans at a time when you’re not using your computer, which is best for productivity.

Mac

The old adage about Macs not getting viruses is simply not true. Macs need protection too and our Premium for Mac is now compatible with macOS Sonoma.

Mobile Security

Whether you’re on iOS or Android, our Mobile Security app just got an upgrade. Our Premium Plus plan now includes a full-featured VPN to help keep your connections private, no matter where you are. Using the latest VPN technology, WireGuard® protocol, you can enjoy better online privacy at a quicker speed than traditional VPNs.

What you get with our apps:

Android: Scan for viruses and malware, and detect ransomware, android exploits, phishing scams, and even potentially unwanted apps.

iOS: Detect and stop robocalls and fake texts, phishing links, malicious sites, and annoying ad trackers (while browsing in Safari).

Browser Guard

Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It’s the world’s first browser extension to do this, while at the same time identifying and stopping tech support scams.

Browser Guard adds an extra layer to your personal security, on top of your antivirus or firewall. Because it’s a browser extension, it can offer protection in the browser that other means of protection do not have access to.

We’ve recently made enhancements to Browser Guard:

Improved protection: Stops even more threats with enhanced phishing detection. 

New scanning blocks: Prevents websites from scanning for vulnerable network ports. 

Facebook support: Blocks ads and sponsored content from appearing on Facebook feeds. 

Monthly overview: Summary showcases what has been blocked. 

On top of that, Malwarebytes Premium Security users (Windows only) can now take advantage of:

Content control: Take control of your browsing experience and define what’s appropriate for you and your family. Fully customize the content you want to block while browsing.

Import and export: Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.

Historical Detection Statistics: View past detections and see what we’ve protected you from.  

Want to see Browser Guard in action? Read the 25 most popular websites vs Malwarebytes Browser Guard

Malwarebytes Identity Theft Protection

Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by an up-to-$2 million identity theft insurance. (Insurance coverage is $1 or $2 million depending on selected package (latter only available in the US plan Ultimate))

Here’s what you get (based on your selected plan):

Ongoing monitoring: Peace of mind that we are actively working in the background to keep you safe

Real-time alerts: Immediate notifications if we identify suspicious activity

Recommendations and best practices: Advice on how to prevent identity theft, and help if it happens

Identity restoration helpline and top-notch customer support.

Black Friday sale

Save 50% on our Home bundles for a limited time only!

Malwarebytes – ​Read More

Explained: Privacy washing

Question: Who said the sentence below?

“Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it:

An initiative to let Chrome hide your IP address.

Strengthening the safeguard measures for Google Workspace customers.

Changing data retention practices to make auto-delete the default.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression, “privacy washing” which compares Google’s disparity between actions and words to those of the world’s largest environmental polluters who portray themselves as eco-conscious, known as “green washing.

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Malwarebytes – ​Read More

Nothing Chats pulled from Google Play

Sometimes it’s all in the name. The Nothing Chats beta has been pulled from the Google Play Store after reports that the company behind it has access to your (unencrypted) messages.

Nothing Phone 2 owners were promised a first-of-its-kind app developed in partnership with Sunbird, which allowed them to message other iMessage users via blue bubbles on their Nothing Phone.

And, as promised, the beta version was made available for download in the Play Store on Friday November 17, 2023. But today the Nothing Chats page says:

We’ve removed the Nothing Chats beta from the Play store and will be delaying the launch until further notice to work with Sunbird to fix several bugs. We apologize for the delay and will do right by our users.

Now, it’s pretty normal for beta releases to have some bugs that need ironing out. That’s what they are in beta for. But these weren’t some mildly annoying bugs.

Basically, Nothing Chats is just a reskinned version of the existing Sunbird application, which is currently available on the Google Play Store. In essence the Nothing Chats app routes your messages through a macOS virtual machine that sends them on as iMessages. But to do this the Nothing Chats application is required to send your Apple ID credentials to its servers, so it can authenticate on your behalf.

According to Nothing, Sunbird’s architecture provides a system to deliver a message from one user to another without ever storing it at any point in its journey. But only one day after the release of the beta, Texts.com published a blog titled Sunbird / ‘Nothing Chats’ is Not Secure.

Members of the Texts.com reverse engineering team took it upon themselves to take a look into the Sunbird application and its security practices, and found a few vulnerabilities and implementation issues.

texts team took a quick look at the tech behind nothing chats and found out it’s extremely insecure

it’s not even using HTTPS, credentials are sent over plaintext HTTP

backend is running an instance of BlueBubbles, which doesn’t support end-to-end encryption yet pic.twitter.com/IcWyIbKE86

— Kishan Bagaria (@KishanBagaria) November 17, 2023

While Sunbird tries to implement end-to-end-encryption (E2EE), its implementation is overshadowed by decrypting, and then storing the unencrypted payloads in its database.

The apps route all data relating to a message sent by Sunbird, and Nothing Chat, including the contact information, message contents, and attachment URLs to the Sunbird’s Sentry. This Sentry acts as a debugging platform, which allows access to the data in plaintext by authorized parties within the company.

Which is not what Nothing promised:

All Chats messages are end-to-end encrypted, meaning neither we nor Sunbird can access the messages you’re sending and receiving.

Other investigators found that Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text.

Thread time!

Summary:
– Sunbird has access to every message sent and received through the app on your device.

– All of the documents (images, videos, audios, pdfs, vCards…) sent through Nothing Chat AND Sunbird are public.

– Nothing Chats is not end-to-end encrypted.

— Dylan Roussel (@evowizz) November 18, 2023

Nothing Chats sends all media attachments, including user images, to Sentry with links to those attachments visible in plain text. Further, researchers found all data was sent and stored through Firebase. They found over 630,000 media files currently stored by Sunbird via Firebase including images, videos, PDFs, audio, and more. So, while it may be true that Sunbird doesn’t store user data on its own servers, the data does get stored.

This isn’t a major problem for everyone, but the authentication is. By sending our Apple ID to a third-party service, we are not only trusting the third-party with our texts, but should they become compromised, our photos, videos, contacts, notes, keychain, and more are at risk.

Users worried about a spill of sensitive data should read our guide: Involved in a data breach? Here’s what you need to know.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes – ​Read More

Why less is more: 10 steps to secure customer data

In an advisory aimed at the protection of customers’ personal data, the Australian Cyber Security Centre (ACSC) has emphasized that businesses should only collect personal data from customers that they need in order to operate effectively.

While that may seem like kicking in an open door, it’s really not. It’s relatively easy to decide which personal data you need to have for a new customer. It’s a bit harder to stop there. Many small business use pre-formatted questionnaires that ask for information they don’t actually need for day to day operations, and it’s hard to keep track of data they no longer need.

The advisory, titled Securing Customer Personal Data for Small and Medium Businesses, is written for small and medium businesses, but many larger corporations could benefit from it as well. The guide was written because data breaches against Australian businesses and their customers are increasing in complexity, scale, and impact.

It outlines a few steps businesses can take to organize, minimize, and control the personal data they collect, in order to contain the impact of a data breach. With the growing tendency to do business online, businesses have a responsibility to keep the personal data they collect safe.

The ACSC recommends implementing 10 steps to secure customer personal data:

Create a register of personal data. Keep an inventory of the types of data you have collected and where they are stored. For example, a register of databases and data assets.

Limit the personal data you collect. Do not collect data “just in case.” You don’t have to worry about what you don’t have stored.

Delete unused personal data. Probably the hardest step, it takes policies stipulating how long customers’ personal data should be stored before it is deleted.

Consolidate personal data repositories. Consolidating customers’ personal data into centralized locations or databases allows businesses to focus on key data repositories and apply enhanced security practices.

Control access to personal data. Employees should only have access to customers’ personal data that they need in order to do their job.

Encrypt personal data. Full disk encryption should be applied to devices that access or store customers’ personal data, such as servers, mobile phones and laptops. Customers’ personal data should be protected by encryption when communicated between different devices over the internet. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyberattack.

Backup personal data. Backups are an essential measure to ensure an organization can recover important business data in case of damage, loss or destruction. Backups are also critical in protecting customers’ personal data from common incidents such as ransomware attacks or physical damage to devices.

Log and monitor access to personal data. Implementing logging and monitoring practices can assist businesses in detecting unauthorized access to customers’ personal data.

Implement secure Bring Your Own Device (BYOD) practices. Businesses that employ BYOD policies need to have appropriate protections in place to ensure that this is done securely and does not increase the risk of data breaches. It’s important to have a clear policy and rules to enforce it.

Report data breaches involving personal data. Make sure you are aware of the existing local reporting obligations in case you are the victim of a data breach involving customers’ personal data.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

Atomic Stealer distributed to Mac users via fake browser updates

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach out a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

Discovery

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:

The Safari template mimics the official Apple website and is available in different languages:

Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:

Atomic Stealer

The payload is made for for Mac users, a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file which immediately runs commands after prompting for the administrative password.

Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga ‘Chrome’ | awk ‘{print $2}’ SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application “Finder”
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {“txt”, “rtf”, “doc”, “docx”, “xls”, “key”, “wallet”, “jpg”, “png”, “web3”, “dat”}
set docsFiles to every file of documentsFolder whose name extension is in {“txt”, “rtf”, “doc”, “docx”, “xls”, “key”, “wallet”, “jpg”, “png”, “web3”, “dat”}

In the same file, we can find the malware’s command and control server where the stolen data is sent to:

Macs need protection too

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.

Malwarebytes users are protected against Atomic Stealer:

Indicators of Compromise

Malicious domains

longlakeweb[.]com
chalomannoakhali[.]com
jaminzaidad[.]com
royaltrustrbc[.]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175[.]117

Malwarebytes – ​Read More

Check Point Research Unraveling the Rug Pull: a Million-Dollar Scam with a  Fake Token Factory

By Oded Vanunu, Dikla Barda, Roman Zaikin

Highlights

 Blockchain Vigilance Unveils Million-Dollar Heist: Our Threat Intel Blockchain system uncovered an ongoing Rug Pull event, and traced the actor behind this scheme   

The Scammer’s Tactics: Exploiting Hype for Ill-Gotten Gains, The perpetrator lured unsuspecting victims into investing.

Unraveling the Scam: A Step-by-Step Deception The scam operated in several stages, including the creation of fake tokens, the manipulation of liquidity pools, simulated trading activities, and the extraction of funds.

Check Point Researchers calls out investors to understand the details of this step-by-step process, crucial to protect themselves from falling victim to similar schemes.

 Background

In the dynamic realm of cryptocurrency, recent events have highlighted the ever-present threat of Rug Pulls—deceptive maneuvers that leave investors empty-handed. Our Threat Intel Blockchain system, developed by Check Point, recently sounded the alarm on a sophisticated scheme that managed to pilfer nearly $1 million. Let’s delve into the details of this elaborate crypto con and understand how it unfolded.

Check Point’s Threat Intel blockchain system identified and alerted the following address 0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798

This address involves in blacklisted activities, our system has begun monitoring the activities associated with the wallet address:

This is the balance of the scammer’s wallet (15/11/23), This address operated 40 distinct rug pulls and has been stolen almost 1 million dollars!

The scammer (0x6b140e79db4d9bbd80e5b688f42d1fcf8ef97798) tactic is to create tokens based on the latest hypes to lure victims to buy his tokens, for example, the token name GROK 2.0 (0xd4b726c5b5e6f63d16a2050ee3ac4a0f0f81f1d4), possibly derived from a well-known AI system (X GROK), is intended to attract buyers.

The Anatomy of the Scam:

How did this elaborate scam work, and how did it manage to siphon off a substantial sum? Here’s a breakdown:

Creating Fake Tokens: The scam commenced with the creation of deceptive tokens, exemplified by the token GROK 2.0. The choice of names often mirrored trending topics to attract unsuspecting buyers.

Adding Money to the Liquidity Pool: To create a façade of legitimacy, the scammer injected funds into the token pool, creating the illusion of a vibrant and active token.

orchestrated Trading Activities: Leveraging a specialized function (0x521da65d) in the contract, the scammer executed simulated trades, making it appear as if genuine buying and selling were occurring. However, it was merely a ruse orchestrated by the scammer.

Pumping Up the Volume: Another function (0xf029e7cf) came into play, facilitating large-scale trades between WETH cryptocurrency and the GROK token. This artificial inflation created a sense of high demand and value, enticing investors to join in.

Attracting Buyers: Capitalizing on the perceived attractiveness of the token, users began buying in, unaware of the impending deception.

Taking the Money: Once the token had sufficiently lured in investors, the scammer executed the final move—withdrawal of liquidity from the token pool, leaving token purchasers with empty hands and depleted funds.

Technical part

The scammer used 2 different smart contracts to trade and pump the token volume. The first contract address he used is 0x2ef3216e95e2b7c8e378ae64534100e69598f955 which contained the simulated trading function (0x521da65d).

function 0x521da65d

The function 0x521da65d is responsible for selling and buying the token for the scammer, this function has been executed 226 times for just this token. The function’s behavior is contingent on the Boolean varg7, which dictates its course, leading to two separate execution routes.

The first route (0x306b) is swapping from WETH cryptocurrency to GROK 2.0 (buying)

As you can see in this image:

And the 2nd route (0x2bac) represents swapping from GROK 2.0 to WETH (selling)

For the second smart contract, the scammer operated using the address 0x4b2a0290e41623fbfeb5f6a0ea52dc261b65e29b, where he executed the function 0xf029e7cf to artificially boost the token’s volume.

function 0xf029e7cf

This function receives five parameters:

decoding the following data sent to this function unveil the following arguments:

Varg0 is the Uniswap router address that the scammer will use to swap the tokens.

Varg1 is the WETH cryptocurrency address, which will be used to swap against the GROK token.

Varg2 is the GROK 2.0 token address.

Varg3 is the amount of the token to swap.

Varg4 is the number of times to swap this token.

Looking deeper into the function we revealed the scammer used the function ‘swapExcatToekensSupportingFeeOnTransferTokens’ from Uniswap Router (varg0) to swap 9 times (varg4) from WETH(varg1) to GROK(varg2) and from GROK to WETH with a total amount of $ 420,000 which pumps the volume of the token and lures traders and bots to buy it.

The swaps loop can be seen in the following screenshot:

In the scam’s final phase, the scammer withdrew funds from the token’s liquidity pool after attracting a sufficient number of buyers and the token price increase. This is demonstrated by the fact that they removed liquidity from their deceptive tokens on 81 occasions.

Conclusion:

As the crypto landscape continues to evolve, staying vigilant and informed is paramount for investors. The recent Rug Pull incident serves as a stark reminder of the need for heightened awareness and due diligence. By understanding the tactics employed by scammers, we can collectively work towards creating a safer and more secure crypto environment.

It’s crucial to note that our commitment to safeguarding the crypto community extends beyond mere detection. Check Point researchers are actively monitoring domains associated with the identified scammer’s wallet address and similar. The Threat Intel Blockchain system, developed by Check Point, continues to accumulate valuable information on emerging threats, and this intelligence will be shared in the coming future. In this collaborative effort, we aim to empower investors with the knowledge needed to navigate the crypto space securely and protect themselves from potential pitfalls. For more information contact us at: blockchain@checkpoint.com

The post Check Point Research Unraveling the Rug Pull: a Million-Dollar Scam with a  Fake Token Factory appeared first on Check Point Research.

Check Point Research – ​Read More

The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks

Research by: Marc Salinas Fernandez

Key Points

Check Point Research (CPR) provides a case study of some of the most recent ransomware attacks targeting Linux systems and ESXi systems which have been increasing over the last few years.

Although we have long been aware of similar ransomware threats in Windows environments, the versions targeting Linux are still relatively simpler.

The release of Babuk’s source code in 2021 has clearly facilitated the emergence of a multitude of ransomware families.

Many of the families that target Linux heavily utilize the OpenSSL library along with ChaCha20/RSA and AES/RSA algorithms.

Introduction

During the last few months, we conducted a study of some of the top ransomware families (12 in total) that either directly developed ransomware for Linux systems or were developed in languages with a strong cross-platform component, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux indiscriminately.

Our main objectives were to increase our understanding of the main motivations for developing ransomware targeting Linux instead of Windows systems, which historically have been the main target until now. We also tried to identify the main similarities and differences between the ransomware developed by these families and compare them to the ransomware developed for Microsoft systems.

Brief History

To compare the ransomware families developed for Linux and those targeting Windows, we first need to focus on the historical evolution of both systems.

Figure 1 – Linux ransomware families.
Figure 2 – Windows ransomware families.

To begin with, we should note that the first attributable ransomware sample (albeit in a very early stage) dates back to 1989. This threat, known as AIDS, was propagated through floppy disks and targeted Windows systems.

It was not until GPCode in 2004 that we started to see the first malware families that truly resembled what we are used to seeing today when we talk about ransomware. All these families focused on Windows environments, and soon the ransomware threat started to evolve, such as improved encryption schemes, as seen in Archiveus in 2006, or the appearance of Reveton in 2012 as the first RaaS.

It was not until 2015, with Linux.Encoder.1, that we began to see ransomware families focused specifically on Linux. By this time, these threats were already highly developed for Windows systems. Despite the level of maturity that these threats show in Windows, the reality is that in many aspects this has not translated into a direct transfer of all these capabilities to Linux. Instead, we have been seeing how these threats undergo the same stages of evolution in these other systems.

In fact, although there was already ransomware for Linux in 2015, it remained relatively insignificant until the last few years, when we began to see a huge proliferation of these threats. Starting in 2020 and continuing through to the present, we have begun to observe a worrying increase in attackers’ interest in these systems, with the appearance of Linux versions of the major RaaS and cross-platform samples developed in languages such as Golang or Rust.

Technical overview

Of the families currently targeting Linux-based operating systems, we analyzed some of the most recent ones:

Maori

Cl0p

Cylance

Royal

ViceSociety

IceFire

BlackCat

ESXiArgs

Rorschach

Monti

LockBit

GwisinLocker

One of the first things we noticed in the samples we analyzed is the extent to which the tool itself is simplified in many cases, leaving only minimal capabilities and content within the binary, and in some cases reducing them to only the file encryption code. This leaves the sample very dependent on external configurations, scripts or command lines to configure its targets. One of the most notable examples is Cl0p, which only has the encryption capability, and the only parameter it supports is a path to encrypt.

In the ransomware family named “ESXiArgs” the binary itself does not even have the RSA public key embedded but needs the path to a file containing the key as a parameter so it can carry out the encryption. This sample doesn’t even have the ability to encrypt a whole directory; the attacker has to iterate over every file with a script executing the encryptor. In fact, the malware name was given due to the TTPs of the actors that use this malware, which is very oriented to this type of system, although the capabilities of the binary itself are totally generic.

Many of the Linux-oriented ransomwares have so little logic apart from the encryption capacity that detecting them can be challenging, as all their code is based on the same crypto code that many other legitimate applications may contain. A communication protocol with a server, the execution of some commands to prepare the system for the encryption, the ability to create some kind of persistence (found on many of the most active Windows families), or even an embedded configuration are, in many cases, anomalous elements that could help to enable more elaborate detections ofthe malware, but which do not exist in most of these ransomware families.

Of course, there are some exceptions such as BlackCat, which is a cross-platform sample and has Windows-specific functionalities such as deleting shadow copies or searching for shared folders. Or GwisinLocker, which has an embedded encrypted configuration that allows it to work without the need for parameters and act more independently.

The primary and most notable motivation is undoubtedly the special interest in ESXi virtualization systems. This makes a lot of sense, as by attacking these systems, the attackers can greatly impact multiple services and machines (all virtualized using this technology) by focusing only on this ESXi server instead of trying to pivot on several different computers and servers running Windows. This is probably why the vast majority of the Linux-targeting ransomware families, despite having very few capabilities apart from the encryption itself, tend to run specific commands aimed at interacting with ESXi systems, in particular:

Figure 3 – Subset diagram on Linux ransomware families.

It is important to point out that since ESXi systems are not exactly the same as Linux systems, the different samples released contain the necessary libraries statically linked so that they can run independently on both systems. We have also found samples of the same family compiled specifically for each of the different systems.

A very common pattern in all Linux-centric families is that they tend to focus on specific technologies, which are linked mainly to the main infection path for this type of threat in these systems. Unlike what we are accustomed to in families that target Windows, such as Ryuk or REvil whose intrusions are often initiated through phishing campaigns to many users, one of the most common infection chains for Linux is exploiting a vulnerability in some exposed service of the victim’s servers. This is also true for vulnerabilities in ESXi, but there are also other cases, such as IceFire which exploits a vulnerability in an IBM technology (CVE-2022-47986) or Cl0p whose Linux version has among its target directories several paths related to Oracle databases along with the generic ones of a Linux system.

Infection Vector

In the Windows environment, ransomware actors employ a wide range of infection vectors to breach systems. Many of the most aggressive Windows-targeting ransomware reach the victim’s infrastructure via phishing emails containing malicious attachments (commonly using macros inside documents) or links. For example, Emotet was often the initial payload delivered, and the full infection of the victim’s infrastructure ended with the deployment of a Ryuk or Sodinokibi sample.

Along with phishing emails, in the past the use of exploit kits like Rig and Magnitude to exploit vulnerabilities in software such as browsers or plugins led to ransomware execution (much less common these days).

Another common infection vector is the exploitation or brute-forcing of Remote Desktop Protocol (RDP) servers exposed to the internet.

If we try to perform this same analysis with respect to ransomware families developed for Linux systems, we can quickly see how the scenario changes. Many of these systems are deployed for the purpose of running services that are exposed to the Internet, services in which vulnerabilities are eventually found to be particularly critical, as they can allow access to an organization’s network.

The exploitation of vulnerabilities found on exposed services is one of ransomware’s main means of infection. It is worth noting that the Kill Chain in these cases often involves the deployment of a Webshell that ends up being the tool that initially allows them to access and take control of the server in question.

Gaining access with stolen credentials, for example, using SSH, is another growing area. Credentials are often stolen as the result of leaks caused by other malware infections or as a result of lateral movement by the same infection that involves the entire network of Windows systems.

In these cases, detection within Linux systems is very complicated, as attackers often use internal system accounts and legitimate tools to access systems instead of backdoors, with a very similar impact as the use of LoLbins on Windows systems.

Another common entry to Linux systems is similar to what happens in Windows systems with the RDP service, the scanning of different exposed services, and the subsequent brute force attacks trying to gain access to the servers through weak credentials. This is a much “noisier” technique, but still effective, and is becoming difficult to identify since the access is through legitimate credentials obtained from the exposed service itself.

It is interesting to note that, if we focus on all the common infection vectors for Linux servers, each pattern targets exposed servers and critical services. Once again, we can see that the Linux-targeting ransomware attacks are much more focused on organizations and companies than on general users.

Code Reuse

As in many malware families of other types of threats (like Mirai or Quasar), as soon as the source code of a successful threat is published, other opportunistic groups rapidly appear and try to take advantage of this code to create their own tools through small (and in some cases not so small) modifications. In the case of Linux ransomware, the most notable is Babuk ransomware, of which we can find, among many others, the Cylance or Rorschach samples.

Figure 4 – Code overlaps on Babuk based families

Along with the problem that this fact implies, since many actors with fewer resources or technical capacity quickly get a functional tool, we have at least the advantage that, in many cases, the detection of the initial tool can allow us to detect all the sub-families that may appear from this source code.

Persistence in the system

Persistence is not as big a factor in ransomware as it is in other types of threats because once the victim’s files and directories are encrypted, another execution in the same system is largely meaningless. However, the kill chain of this type of malware has indeed evolved greatly, especially in Windows environments, as the aim is not to encrypt a single computer but to spread to others. In most cases, the attackers’ objective is to compromise the entire infrastructure bit by bit. Once they have taken control, the entire AD forest is encrypted, for example, by means of a GPO, or the most critical computers are encrypted to increase the attackers’ chances of receiving the ransom payment.

Prior to the execution of the ransomware, a whole series of threats and tools that allow the attackers to access the systems is executed. These do require persistence as the compromise of the entire infrastructure can take a long time. However, while this is the most common scenario, there are cases where the threat itself has its own ability to establish persistence.

In Windows environments, ransomware achieves persistence through various means. The most notable examples include Registry Manipulation, like the case of WannaCry and Ryuk, that ensures their payloads execute during system startup, along with the use of Scheduled Tasks, like the case of many threat actors behind Sodinokibi (REvil), which leveraged the Windows Task Scheduler to create malicious tasks, ensuring ransomware execution at regular intervals.

Another common way for gaining persistence on Windows systems is Service Creation, which is the most restrictive as it requires administrator permissions on the victim’s computer but is one of the most commonly used in more advanced stages of infection in which the attackers already obtained the necessary credentials and have some control over the infrastructure.

In ESXi and Linux systems it is much less common to see ransomware employing many of the known methods for persistence usually exploited by other kinds of threats. After access, the vulnerable server is directly encrypted and, in many cases, such as LockbitESXiArgsBlackCat, or Gwisin, the malware has the ability to self-delete after execution.

The deployment of Webshells as part of the infection process should also be considered as maintaining persistence. The Webshells act as backdoors and allow the actors to maintain access to these servers after reboots or changes of any kind. In scenarios where servers are accessed through lateral movement during a more complex compromise, persistence in this case is mostly reduced to the creation of user accounts or the exfiltration of original server credentials, which allows the attackers to maintain access through legitimate services such as SSH.

Finally, given the clear evolution of incidents related to Linux systems compared to Windows systems, sooner or later the deployment of backdoors such as Merlin or Poseidon , like what is now happening on Windows with Cobalt Strike, will become more common. Therefore, attackers need to take advantage of techniques more similar to those we see in Windows systems, such as Cron Jobs (the equivalent of the Windows Task Scheduler) or executions such as Daemons (equivalents of Windows Services), to gain persistence.

Primary Objectives

In the area of victim typology and targets of Linux-oriented ransomware, we see some of the biggest differences with respect to their Windows counterparts. First of all, we must take into account the context in which each of these systems is found. Windows is more prevalent in personal computers for individuals and in user workstations for most organizations. However, in the field of servers, the situation is not so clear, especially for certain types of deployments using Linux, which is often the only effective option.

This means that just as we can easily find multiple ransomware families for Windows focused on individuals and endpoints, this is a lot less common for Linux systems. Ransomware targeting Linux is much more clearly oriented towards exposed servers or servers on the internal network that is accessed by pivoting from infections initiated on Windows machines.

As a result, Linux ransomware is clearly aimed at medium and large organizations compared to Windows threats, which are much more general in nature.

In the same way, the internal structure of both systems also causes differences in how attackers approach the selection of folders and files to encrypt. We can find listings in many Linux-oriented samples that aim to avoid directories such as /boot, /etc, or /sys that could cause the system to become corrupted, just as we are used to seeing Windows malware avoiding the or directories.

In the absence of a configuration within Windows malware that contains targets, it indiscriminately traverses all the system disks. In Linux malware, it is much more common to find threats completely dependent on a parameter or configuration that provides one or more target directories, without which the threat does not execute. Some examples of this include RoyalMontiCylance or Lockbit.

The difference in the management of extensions in Linux and Windows also generates somewhat curious behavior from attackers. One such case is Cl0p that uses the characters “.” in an attempt to differentiate files from folders. This is very effective in Windows, but that does not necessarily work well in Linux given the little relevance that extensions have in this system.

Figure 5 – Usage of “.” for extensions by Cl0p ransomware

In any case, although many of them are completely dependent on a parameter at least indicating a path to encrypt, it is not present in all families, and for other samples, it is a remarkable fact that apart from very specific cases for paths related to ESXi or CL0p with Oracle paths “/u01 /u02 /u03 /u04”, the /home and /root folders are the most recurrent in configurations, followed by /opt that appears in certain cases.

Exfiltration

In Linux, exfiltration is usually connected to the infection vector. In cases where the infection occurred using stolen credentials, access is generally gained using legitimate tools such as the SSH service, which at the same time allows all types of information to be extracted from the servers without the need to deploy other tools.

Likewise, in many scenarios in which the exploitation of a vulnerability to gain access to servers is linked to the deployment of a Webshell, something similar occurs as the majority of Webshells, along with the ability to execute Linux commands, have their own capabilities for uploading and downloading files from the victim server. Therefore, they are often also used as a tool to carry out exfiltration.

In Windows systems, the use of RDP, WinSCP, or RClone could be similar to the use of SSH or other legitimate tools such as Curl or Wget in Linux. Something very common in Windows, and not so common in Linux, is the use of more complex threats such as past threats Trickbot or Emotet, or the use of CobaltStrike or other post-exploitation frameworks for this purpose. As we suggested in our discussion of persistence, it is very likely that as ransomware samples mature, the TTPs of the actors will also mature, and we will end up seeing this scenario in Linux with the use of backdoors such as Merlin or Poseidon.

It is worth noting that this aspect is becoming highly relevant.Ransomware groups have been exploiting double extortion for some time now since they not only hijack files but also threaten to expose their victims’ sensitive information on their leak sites. In fact, several prominent groups, such as Cl0p, have already carried out campaigns in which they have directly skipped the encryption tool to focus solely on the theft of information for subsequent extortion.

Impact on the system

During a ransomware incident, one of the critical points, both at the detection and forensic level, is the impact of the attackers on the system beyond the encryption itself. In Windows environments, we are very used to tight monitoring of commands aimed at deleting ShadowCopies, disabling backups in general, and attempting to disable or bypass security tools. The execution of commands aimed at shutting down target services, such as databases, is relatively common as well, as this allows the threat to encrypt most of the critical files, thereby increasing the pressure on the victim to pay the ransom.

In Linux systems, the concern for backups as well as the shutdown of security tools is not yet as common as it is with Windows. However, we can find some elements that impact the system that can help with early detection if proper monitoring is maintained. The first example, which is also common in Windows environments, is a Mutex, created by many threats before starting the encryption to avoid simultaneous executions that can corrupt files without the possibility of return. In the same way that generating a certain specific mutex in Windows acts as a “vaccine” for some families, in Linux, we have samples such as Lockbit, which by default generates a file called /tmp/locker.pid that, in case it is already in the system at the time of execution, causes the immediate termination of the process (regardless of whether the process that previously generated it was the ransomware itself).

Similar to what happens in Windows, some families generate less repetitive files, as in the case of Gwisin, whose generated Mutex file is much more random: /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe.

A much simpler and less effective version when it comes to detection are the log files. It is not uncommon to find samples from real campaigns that, during encryption, generate files with debug information, such as HelloKitty ransomware or Monti, which generate work.log and result.txt files respectively, with information on their execution and encryption, and whose internal strings are very characteristic of both families. However, it should be noted that the existence of these files does not prevent their execution in any case, as occurs with Mutex.

With respect to the execution of commands that can be monitored, the only really noteworthy case is the one concerning virtualization on ESXi systems. As we discussed previously, most Linux-oriented ransomware samples have an ESXi version or are compiled in such a way that they are directly compatible. This is why obtaining the list of running machines as well as the ability to stop them to allow encryption is really common in these samples. Some examples of this include the Royal Ransomware:

Figure 6 – Esxi commands embedded on Royal ransomwareMonti Ransomware:

Figure 7 – Esxi commands embedded on Monti ransomware

or Gwisin and BlackCat ransomwares:

esxcli –formatter=csv –format-param=fields==”DisplayName,WorldID” vm process list
esxcli vm process kill –type=force –world-id=
esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list
esxcli vm process kill –type=force –world-id=

The monitoring of this type of execution can be of real interest, as if they occur, it is moments before the encryption, which allows us to anticipate the encryption, and possibly detect and act upon it in time.

Cryptographic Scheme

Finally, we have the core part of this type of threat, i.e., the crypto that comes into play for each ransomware threat. In Windows, we are very used to seeing how in some cases, like Conti, this part is delegated to the Windows APIs themselves. In many others, the malware uses many different crypto libraries like CryptoPP (e.g., PYSA Ransomware), mbedtls (e.g., Petya) and libgcrypt (e.g., Moneybird).

Among the samples for Linux systems, it is much simpler as the use of the OpenSSL library to perform all crypto tasks predominates in almost half of the samples. In fact, several of the most well-known families have this library statically linked in the binary itself, representing more than 50% of the threat code. There are still some edge cases where the malware is developed in Golang or Rust, where the native libraries/modules for each language predominate.

In terms of algorithms, on Windows, it gets a bit more difficult to observe patterns since there are many different algorithms used among the huge variety of known families, while ChaCha20 and RSA slightly predominate over the rest. When more uncommon libraries or algorithms are used, it ends up in design flaws on the threat, with its consequent public decryptor.

Unsurprisingly, a smaller number of variants can be found in the Linux world. The majority of these samples primarily rely on AES for encryption, with ChaCha20 being the most common alternative in several families. As for asymmetric encryption algorithms, RSA takes precedence in the vast majority of cases, occupying a secondary role.

As in all the above points, there are exceptions. ESXiArgs employs Sosemanuk for symmetric encryption, while the “smartest” of them, Cl0p, employs RC4 with an embedded key at the point where asymmetric encryption is typically utilized. This approach renders file decryption trivial without the need for payment.

At the end of the day, threat actors, especially in this field, prioritize efficiency because the faster the threat is able to cover all the target files, the less options are available for defense.  Reliability is the second consideration, and therefore they use robust libraries and algorithms to reduce the number of design flaws that may allow security researchers to break their encryption. These two factors cause the different actors to create relatively uniform tools, which helps us gain insight into the tools and priorities used, which in turn enables us to more easily detect this type of threat.

Conclusions

Our analysis of various Linux-targeting ransomware families reveals an interesting trend towards simplification, where their core functionalities are often reduced to just basic encryption processes, thereby leaving the rest of the work to scripts and legitimate system tools. This minimalist approach not only renders them heavily reliant on external configurations and scripts but also makes them more difficult to detect.

Our research also showed some of the distinctive strategies among ransomware families, with a clear focus on ESXi systems but with other technologies too. The ransomware main entry vectors are vulnerabilities in exposed services, which in some cases are precisely the most relevant services and, therefore, the main targets for this type of threat.

Comparing the ransomware encryption techniques between Windows systems and Linux, the malware families that target Linux favor OpenSSL as the main library used and AES as a common encryption cornerstone, with RSA serving as the primary asymmetric choice. All of this provides a relative uniformity of tools among the different threat actors.

Check Point customers remain protected against the threats covered by this research while using Check Point Harmony Endpoint , and Threat Emulation – which provide comprehensive coverage of attack tactics and file-types.

Ransomware.Wins.HelloKitty.ta.D

Ransomware.Wins.GwisinLocker.ta.A

Ransomware.Wins.Clop.ta.I

Ransomware.Wins.Royal.ta.B

Ransomware.Wins.IceFire.ta.A

Ransomware.Wins.Monti.ta.A

Ransomware.Wins.ESXi.ta.B

Ransomware.Wins.Babuk.ta.A

Ransomware.Wins.LockBit.ta.AK

Ransomware.Wins.BlackCat.ta.M

Yara rules

rule linux_Babuk_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family Babuk”
malware_family = “Babuk”
date = “09/08/2023”

hash1 = “b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c”
hash1 = “d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c”

strings:
$str1 = “Statistic:”
$str2 = “Encrypted files: %d”
$str3 = “Usage: %s /path/to/be/encrypted”

$bablock1 = “.x1x2x3”
$bablock2 = “/_r_e_a_d_m_e.txt”

$cylance1 = “.Cylance”
$cylance2 = “CYLANCE_README.txt”

$orig1 = “How To Restore Your Files.txt”
$orig2 = “.babyk”
condition:
uint32(0) == 0x464c457f and (all of ($str*) or all of ($cylance*) or all of ($bablock*) or all of ($orig*))
}

rule linux_ESXi_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family ESXi”
malware_family = “ESXi”
date = “09/08/2023”

hash1 = “11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66”

strings:
$usage = “usage: encrypt <public_key> <file_to_encrypt> [<enc_step>] [<enc_size>] [<file_size>]”

$coms1 = “init_libssl returned %dn”
$coms2 = “encrypt_file”
$coms3 = “encrypt_simple”
$coms4 = “lseek [start]”

$cde1 = {48 8B 85 80 FD FF FF 48 01 85 50 FF FF FF 48 8B 8D 38 FF FF FF C7 85 28 FD FF FF 67 66 66 66 C7 85 2C FD FF FF 66 66 66 66 48 8B 85 28 FD FF FF 48 F7 E9 48 C1 FA 02 48 89 C8 48 C1 F8 3F 48 89 D3 48 29 C3 48 89 9D 40 FD FF FF 48 8B 85 40 FD FF FF 48 C1 E0 02 48 03 85 40 FD FF FF 48 01 C0 48 89 CA 48 29 C2 48 89 95 40 FD FF FF 48 83 BD 40 FD FF FF 00}
$cde2 = {48 8B 85 30 FD FF FF 48 D1 E8 48 8B 95 30 FD FF FF 83 E2 01 48 09 D0 F2 48 0F 2A C0 66 0F 28 C8 F2 0F 58 C8 F2 0F 11 8D 48 FD FF FF}
$cde3 = {F2 0F 10 05 15 6F 00 00 F2 0F 59 85 48 FD FF FF F2 0F 11 85 28 FF FF FF 48 8B 85 48 FF FF FF 48 89 85 50 FD FF FF 48 83 BD 50 FD FF FF 00}
condition:
uint32(0) == 0x464c457f and ( $usage or 3 of ($coms*) or 1 of ($cde*) )
}

rule linux_Monti_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family Monti”
malware_family = “Monti”
date = “09/08/2023”

hash1 = “edfe81babf50c2506853fd8375f1be0b7bebbefb2e5e9a33eff95ec23e867de1”
strings:
$str1 = “Total encrypted: %sn”
$str2 = “Encrypting %sn”
$str3 = “Cannot rename file %sn”
$str4 = “fork() error.”

$cde = {55 48 89 E5 48 83 EC 50 48 89 7D B8 48 89 75 B0 48 C7 45 C0 7F 44 4E 00 48 C7 45 C8 81 44 4E 00 48 C7 45 D0 84 44 4E 00 48 C7 45 D8 87 44 4E 00 48 C7 45 E0 8A 44 4E 00 C6 45 F3 05 C7 45 F4 00 00 00 00 48 8B 45 B8 48 85 C0}
condition:
uint32(0) == 0x464c457f and ( $cde or all of ($str*))
}

rule linux_IceFire_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family IceFire”
malware_family = “IceFire”
date = “09/08/2023”

hash1 = “e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b”
strings:
$str1 = “iFire.pid”
$str2 = “—–BEGIN RSA PUBLIC KEY—–“
$str3 = “ComSpec=C:\Windows\syste”
$str4 = “./boot./dev./etc./lib./proc./srv./sys./usr./var./run”
$str5 = “Do not try to recover files yourself”
condition:
uint32(0) == 0x464c457f and 3 of ($str*)
}

rule linux_Royal_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family Royal”
malware_family = “Royal”
date = “09/08/2023”

hash1 = “b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c”

strings:
$str1 = “Testing RSA encryption”
$str2 = “-vmonly”
$str3 = “Most likely what happened was that you decided to save some money”

$cde1 = {48 8D 85 30 FF FF FF BA 90 00 00 00 BE 00 00 00 00 48 89 C7 ?? ?? ?? ?? ?? 48 8D 85 30 FF FF FF 48 89 C6 BF E8 0D 58 00 ?? ?? ?? ?? ?? 48 8B 85 60 FF FF FF 48 85 C0}
$cde2 = {48 8B 85 60 FF FF FF 48 89 C2 48 8B 4D D0 8B 45 CC 48 89 CE 89 C7 ?? ?? ?? ?? ?? 83 F0 01 84 C0}
$cde3 = {48 8D 85 30 FA FF FF 41 B8 00 00 00 00 48 89 C1 BA DD 0D 58 00 BE E0 0D 58 00 BF E0 0D 58 00 B8 00 00 00 00 ?? ?? ?? ?? ?? BF 00 00 00 00 }
condition:
uint32(0) == 0x464c457f and ( 2 of ($str*) or 1 of ($cde*))
}

rule linux_BlackCat_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family BlackCat”
malware_family = “BlackCat”
date = “09/08/2023”

hash1 = “e2dcd1eaf59e7e10b9dfeedc6f2b0678efac7907f17ee8b4e8791c39c1fbaa58”

strings:
$str1 = “no-vm-kill-names”
$str2 = “safeboot-network”
$str3 = “NO_VM_KILL_NAMES”
$str4 = “Preparing Logger”
$str5 = “already borrowed”
$str6 = “/cargo/registry/src/github.com”
condition:
uint32(0) == 0x464c457f and 4 of ($str*)
}

rule linux_HelloKitty_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family HelloKitty”
malware_family = “HelloKitty”
date = “09/08/2023”

hash1 = “754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537”

strings:
$str1 = “cr:%d f:%sn”
$str2 = “cr:%d l:%d f:%sn”
$str3 = “Done:%s file size:%lu crypt size:%lu n “
$str4 = “All your important documents, photos, databases were stolen”
$str5 = “.README_TO_RESTORE”
$str6 = “libcrypto.so not found n try to find manual and make link to libcrypto.so n”
$str7 = “Usage:%s [-m (10-20-25-33-50) ] Start Path n”
$str8 = “Error InitAPI !!!nExitn”
condition:
uint32(0) == 0x464c457f and 4 of ($str*)
}

rule linux_Lockbit_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family Lockbit”
malware_family = “Lockbit”
date = “09/08/2023”

hash1 = “472836ed669d3927d50055e801048696375b37fce03b2f046e3e1039fb88e048”
strings:
$cde1 = {31 FF 41 BE 01 00 00 00 ?? ?? ?? ?? ?? 4C 89 E7 48 89 44 24 18 ?? ?? ?? ?? ?? BA F1 B0 64 00 48 89 C1 BE 14 00 00 00 48 89 E7 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 48 89 D9 48 89 C2 48 89 E6 BF C0 BB 64 00 31 C0}
$cde2 = {55 BE 60 BA 64 00 53 48 89 FB 48 81 EC 08 04 00 00 48 89 E7 48 89 E5 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE 6C BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 15 5F 43 00 48 89 E7 ?? ?? ?? ?? ?? BE 74 BA 64 00 48 89 E7 ?? ?? ?? ?? ?? BE 10 5F 43 00 48 89 DF }
$cde3 = {48 83 C3 01 ?? ?? ?? ?? ?? 48 29 EB 48 98 31 D2 48 F7 F3 48 8B 5C 24 08 48 8D 04 2A 48 8B 6C 24 10 48 83 C4 18 C3}
condition:
uint32(0) == 0x464c457f and 1 of ($cde*)
}

rule linux_GwisinLocker_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family GwisinLocker”
malware_family = “GwisinLocker”
date = “09/08/2023”

hash1 = “7594bf1d87d35b489545e283ef1785bb2e04637cc1ff1aca9b666dde70528e2b”

strings:
$str1 = “error: option `–%s` %sn”
$str2 = “Usage: %s”
$str3 = “c.d/%s* stop”
$str4 = “show this help message and exit”

$ext = “.mcrgnx”
$hex = {66 30 66 64 62 33 64 38}

$cde1 = {48 8B 74 24 08 31 FF ?? ?? ?? ?? ?? 48 85 C0 49 89 C7 0F 94 C1 41 83 FD 01 41 89 DD 0F 94 C0 08 C1}
$cde2 = {41 54 55 53 48 81 EC 30 01 00 00 48 89 E5 48 89 EF ?? ?? ?? ?? ?? 48 8D 7C 24 20 B9 21 00 00 00 48 89 EA 48 8D 35 36 8B 00 00 F3 48 A5 8B 06 BE 0E 01 00 00 89 07 0F B7 05 2F 8C 00 00 66 89 47 04 48 8D 7C 24 20}
condition:
uint32(0) == 0x464c457f and ( (2 of ($str*) and ($ext or $hex)) or 1 of ($cde*) )
}

rule linux_Cl0p_ransomware {
meta:
author = “Marc Salinas @ CheckPoint Research”
description = “Detects samples of the Linux ransomware family Cl0p”
malware_family = “Cl0p”
date = “09/08/2023”

hash1 = “09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef”

strings:
$str1 = “C_I_0P”
$str3 = “README_C_I_0P.TXT”
$str4 = “OR WRITE TO THE CHAT AT->”

$cde1 = {55 89 E5 57 81 EC 24 02 00 00 8D 8D F8 FE FF FF BA A4 83 10 08 B8 FC 00 00 00 89 44 24 08 89 54 24 04 89 0C 24 ?? ?? ?? ?? ?? 8B 45 08 89 44 24 08 C7 44 24 04 8C 83 10 08 8D 85 F8 FD FF FF 89 04 24 ?? ?? ?? ?? ?? 8D 85 F8 FE FF FF B9 FF FF FF FF 89 85 E8 FD FF FF B8 00 00 00 00 FC 8B BD E8 FD FF FF F2 AE 89 C8 F7 D0 83 E8 01 89 45 F8 C7 44 24 08 B4 01 00 00 C7 44 24 04 42 00 00 00 8D 85 F8 FD FF FF 89 04 24 ?? ?? ?? ?? ?? 89 45 F4 8B 45 F8 89 44 24 08 8D 85 F8 FE FF FF 89 44 24 04 8B 45 F4 89 04 24 ?? ?? ?? ?? ?? 8B 45 F4 89 04 24 ?? ?? ?? ?? ?? 81 C4 24 02 00 00 5F 5D C3}
$cde2 = {8D 95 0B FF FF FF B8 75 00 00 00 89 44 24 08 C7 44 24 04 00 00 00 00 89 14 24 ?? ?? ?? ?? ?? C7 45 F4 00 00 00 00}
condition:
uint32(0) == 0x464c457f and 1 of them
}

The post The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks appeared first on Check Point Research.

Check Point Research – ​Read More

Operationalize cyber risk quantification for smart security

Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.

At the same time, executives are feeling increasing pressure to improve cybersecurity programs with the rise of newly adopted U.S. Securities and Exchange Commission (SEC) regulations, which require publicly traded companies to rapidly disclose cyberattacks and material information about their cybersecurity risk management, strategy and governance.

Cyber risk quantification (CRQ) has emerged as the most effective way to maximize cyber risk management programs by translating cyber risk into specific financial impacts. According to Forrester Research, “CRQ will fundamentally revolutionize the way that security leaders engage with boards and executives to discuss cybersecurity.”

Reporting cyber risk to executives and boards of directors

News headlines of cyberattacks and zero-day vulnerability exploits have become typical conversation topics in boardrooms. In fact, cyber risk has become one of the top five risks facing organizations. In today’s world, it is essential for security leaders to communicate cyber risks to their boards in a clear, concise and understandable way. Often, cybersecurity reports are filled with too many technical details, hindering executives from making well-informed decisions and accurately assessing the cybersecurity risk landscape. This can lead to confusion and subjective decision-making.

By operationalizing CRQ, security leaders can provide executive-level reporting that communicates the financial impacts of cyberattacks targeting vital business assets, leading to disruptions in operations, system outages and reduced production and costs associated with recovery.

Put simply, cyber risk is a business risk and should be communicated in business terms. Using the outputs of a CRQ program, leaders can drive alignment with their boards and executive teams and improve their overall risk reduction strategies and investments.

Watch the on-demand webinar

Security spend optimization

Security executives feel pressured to increase protection measures and reduce risk in the most cost-effective way, taking into consideration economic constraints and limited budgets. However, traditional decision-making methods often rely on subjective information, making it challenging to objectively justify previous or upcoming security investments. Operationalizing CRQ adds objectivity to the decision-making process. It enables organizations to optimize cybersecurity programs and tool investments by prioritizing spending based on financial risk reduction and maximizing return on investment (ROI).

Without first quantifying the risks in the context of the current security control posture as a baseline, organizations cannot accurately quantify the effectiveness of their security initiatives or determine their next investment. Understanding the organization’s financial risk exposure allows security leaders to focus on areas with the most significant risk reduction opportunities and prioritize security initiatives that align with the business to better mitigate the most significant risks facing the business.

Enterprise risk program development

To provide decision-makers with an overall organizational risk profile, cyber risk must be fully integrated into the overall enterprise risk management (ERM) program. However, this is only possible by understanding the financial implications of cyber threats so that organizations can align their risk mitigation efforts with business objectives and enhance overall organizational resilience.

Historically, many organizations have developed independent risk management procedures, including ERM, cybersecurity risk, operational risk and compliance and IT risk. CRQ is becoming a best practice among leading organizations to develop and operate effective risk management programs, re-vamp risk scoring and integrate ERM procedures. Leading organizations that have leveraged CRQ to improve their management processes have developed a single, integrated operating model for risk management. This allows for better analytics to identify and track trends across lines of business or functional areas, as well as systemic risks to the organization.

While this requires a fresh approach to thinking about risk management, incorporating several risk management functions, the result is a standardized, consistent and well-understood risk identification, analysis and reporting process. CRQ provides the organization with a singular definition of risk and removes any uncertainty about how to report risks to leadership and the board. By reporting risks in terms of business impact and financial exposure, CRQ removes the subjective interpretations that rely on nominal scales or color codes.

As one chief risk officer recently shared, “We noted that many risks stemming from different lines of business are similar in nature and share common root causes. Using a singular risk management evaluation process allows us to identify expected impacts quickly and, more importantly, leverage proven mitigation approaches to address those risks.”

As companies continue to mature their cyber risk capabilities by adopting CRQ, they should consider incorporating CRQ into other risk functions and work towards adopting an integrated risk management operating model.

Getting started with cyber risk quantification

Whether you are trying to stay ahead of regulations, reacting to a cyber event or being proactive, adopting CRQ can help your organization improve cybersecurity reporting, optimize budgets, create risk-based security roadmaps, prioritize vulnerabilities and enhance ERM. By doing so, security leaders enable their executives and board members to make well-informed, risk-based and financially responsible decisions when it comes to risk.

Organizations can take simple steps to make progress on this journey. We recommend starting small, picking one or two use cases that best align with your organization’s security goals and integrating CRQ into business processes that drive actionable results.

If you would like to learn more, please contact Randall Spusta (rgspusta@us.ibm.com) at IBM or Cary Wise (cwise@threatconnect.com) at ThreatConnect, and we can assist you in operationalizing CRQ for your organization.

Watch this on-demand webinar for a deeper dive into these real-world CRQ use cases.

The post Operationalize cyber risk quantification for smart security appeared first on Security Intelligence.

Security Intelligence – ​Read More

Scattered Spider ransomware gang falls under government agency scrutiny

As you may have read in our November Ransomware Review, Scattered Spider is a relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider aka Octo Tempest employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

In a joint cybersecurity advisory (CSA) on Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) provided detailed information about the techniques leveraged by Scattered Spider. The advisory was issued in response to the recent activity by Scattered Spider against the commercial facilities sector and subsectors.

CISA and the FBI consider Scattered Spider to be experts that use multiple social engineering techniques, especially phishing, push bombing, and SIM swap attacks, to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA).

Push bombing is a targeted MFA attack in which an attacker triggers multiple login attempts against the target’s single-sign-on (SSO) portal or publicly exposed corporate apps and services. The objective is that the target will grow tired of the notifications or make a mistake and allow the access.

SIM swapping, also known as SIM jacking, is the act of illegally taking over a target’s cell phone number. This can be done in a number of ways, but one of the most common methods involves tricking the target’s phone carrier into porting the phone number to a new SIM under the control of the attacker.

Scattered Spider is a group that typically targets large companies and their contracted information technology (IT) help desks. To lend credibility to their phishing mails they often register domains like victimname-sso[.]com, victimname-servicedesk[.]com or victimname-okta[.]com.

Once the groups establish access, Scattered Spider often searches the victim’s Slack, Microsoft Teams, and Microsoft Exchange online for emails or conversations regarding the intrusion, along with any security response to see if their attack has been discovered.

The advisory describes how elaborate these efforts can be:

“The threat actors frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.”

According to several sources, Scattered Spider has a relationship to ALPHV/BlackCat and has recently started using their ransomware for data exfiltration and file encryption.

The FBI seemingly struggles to arrest group members, even though they’re believed to be based in the US and other Western countries, because victims don’t come forward and share details about their incidents. For that reason, the FBI and CISA have urged victim organizations to share information about attacks with the agencies.

Another initiative that may hinder Scattered Spider’s tactics is the fact that the US Federal Communications Commission (FCC) has adopted new rules to protect US consumers from SIM-swapping attacks and port-out scams. These new rules require US wireless providers to use secure methods of authenticating a customer when they request porting a SIM card to a new device or their phone number to a new carrier.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

20th November – Threat Intelligence Report

For the latest discoveries in cyber research for the week of 20th November, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Russia-affiliated military intelligence group SandWorm is reportedly responsible for an attack against 22 critical infrastructure companies in Denmark. The attacks, most severe in Danish history, have compromised industrial control systems and forced companies from the energy sector to work offline.
Medusa ransomware group has claimed two attacks this week. One of the victims, Toyota Financial Services, resorted to taking its operations partially offline to prevent further damage, whilst another victim, Canadian fin-tech giant Moneris, claimed it was able to prevent critical data leakage.
An elaborate attack on numerous European diplomatic and government entities, international organizations, and internet service providers, perpetrated by the Russia-affiliated APT29 group (AKA Cozy Bear) has been unveiled. The group launched a sophisticated phishing campaign to gain initial access and leveraged newly found WinRAR vulnerability CVE-2023-38831 to execute arbitrary code.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat
(APT.Win.APT29, APT.Wins.APT29.ta, APT.Wins.APT29)

Ransomware group AlphV/BlackCat claimed to have attacked American financial company MeridianLink. Notably, AlphV has reported the company’s failure to disclose the breach to the U.S. Securities and Exchange Commission. In response, the company claimed the attack was contained.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat, Ransomware_Linux_BlackCat)

LockBit ransomware group added two new US victims to its list: Community Dental and Planet Home Lending. The companies hold highly sensitive medical and financial information, which LockBit threaten to publish should the requested ransom not be paid.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Gen.Win.Crypter.Lockbit; Ransomware.Wins.LockBit.ta; Ransomware_Linux_Lockbit)

Samsung UK discovered a year-long data breach which compromised information of the company’s eCommerce site users. This week, it became apparent that an attacker exploited a vulnerability in a 3rd party vendor to access the data.
North Carolina’s Bladen county has suffered a cyber-attack which allowed hackers access to the county’s data systems. Access to some of the county government’s data is restricted, suggesting data was encrypted in an effort to extort ransom payment.

VULNERABILITIES AND PATCHES

In November’s Patch Tuesday, Microsoft have issued security updates for 58 flaws and five zero-day vulnerabilities. Three critical flaws were fixed: Azure information disclosure bug (CVE-2023-36052), a Remote Code Execution in Windows Internet Connection Sharing (CVE-2023-36397), and a Hyper-V escape flaw that allows executions of programs on the host with SYSTEM privileges (CVE-2023-36400).
Vulnerability researchers have discovered new attack methods against Google Workspace and Google Cloud Platform. The methods involve exploitation of cloned machines with Google Credentials Provider for Windows, a bypass of Google’s MFA process, and a password-reset bug. This could result in data exfiltration from all Google-managed platforms.
A zero-day cross-site scripting (XSS) vulnerability (CVE-2023-37580) in Zimbra email server was detected. Four groups were observed to have exploited the flaw to steal email data, credentials and authentication tokens. Most activities are believed to have occurred after a fix was published on GitHub.

Check Point IPS blade provides protection against this threat (Zimbra Collaboration Cross-Site Scripting (CVE-2023-37580))

THREAT INTELLIGENCE REPORTS

Check Point Research has published a report highlighting the activities of Russian cyber-espionage group Gamaredon and its use of a USB-propagating worm dubbed LitterDrifter. Gamaredon primarily focuses on Ukrainian targets, however LittleDrifter was observed in other countries as well. The worm spreads automatically and communicates with C2 servers to maintain persistent control across diverse targets.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Win.Gamaredon, Trojan-Dropper.WIN32.Gamaredon, Trojan.Win32.Gamaredon)

Check Point Research witnessed an increase in cyber-crime targeting of online-shoppers as the November sales period approaches. Attackers used phishing websites designed to lure bargain shoppers, and crafted phishing emails impersonating luxury brands to steal customer’s credentials.
Check Point Research conducted an experimental deep dive to test ChatGPT’s malware analysis capabilities. The findings focus on the guidance the AI system requires in order to expand its capabilities and deliver a verdict.
Researchers have observed a recent phishing campaign by a likely Palestinian-based APT group Molerats (aka TA402, Gaza Cybergang). The group has targeted MENA based government entities using new tactics, such as the new downloader ‘IronWind’ and unique file attachments to evade detection.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Wins.TA402.ta)

The post 20th November – Threat Intelligence Report appeared first on Check Point Research.

Check Point Research – ​Read More