IT NEWS

FCC warns of steep rise in phishing over SMS

After the FCC (Federal Communications Commission) made a huge splash weeks ago when it told Google and Apple to pull TikTok from their respective app stores, the federal agency is now warning Americans of an increased wave of SMS phishing attacks.

SMS phishing, otherwise known as smishing or robotexts (the FCC’s own terminology), is a form of phishing that attempts to trick people into handing over their personally identifiable information (PII) and/or money using SMS rather than email, which is where standard phishing usually starts. The FCC has noted that scammers use various lures to trick someone into replying, giving out their information, or clicking a link.

“Like robocallers, a robotexter may use fear and anxiety to get you to interact,” the FCC consumer alert reads. “Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems or law enforcement action against you. They may provide confusing information—as if they were texting someone else—, incomplete information, or utilize other techniques to spur your curiosity and engagement.”

What motivates criminals to engage in smishing tactics is to get money and personal information or to simply confirm that the number they’re messaging is active, so they can target it in future scam campaigns.

The FCC tracks consumer complaints rather than text volume. The agency noted a steady climb in complaints about unwanted SMS messages, from approximately 5,700 in 2019 to 8,500 by June 30, 2022.

A separate study confirmed this, too, but revealed more sobering numbers. RoboKiller, an app that screens scammy calls and messages, found that Americans were sent a mind-blowing 12 billion spam texts in July 2022.

“That’s nearly 44 spam texts for every person in the country!” And the numbers were no different in May and June 2022.

RoboKiller also pointed out in the report that spam texts have outpaced spam calls for two consecutive years. And one of the notable reasons for this is the FCC mandating the STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs) framework, which was designed to curb spam calls. It’s effective, which is why scammers switched to spam texts.

The FCC posted bite-sized, back-to-back tweets on signs of scam text messages and how Americans can avoid getting scammed.

When you receive a spam text, do not engage with the sender.

Ignore them, but file a complaint with the FCC.

Finally, if you think you were the victim of an SMS text scam, the FCC recommends you report the incident to your local law enforcement agency and notify your bank and mobile carrier.

Stay safe!

The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

Ransomware review: July 2022

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In July, LockBit maintained the place it has occupied all year as the most active ransomware variant. Notably, BlackBasta, a relatively new ransomware variant that first appeared in April, took the place occupied by Conti for much of the year as the second most active variant. BlackBasta has been strongly linked to the gang behind Conti and may be the closest thing it has to a successor.

Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti “brand”.

The international picture followed a familiar pattern, with the USA suffering the largest number of attacks by far, distantly followed by a collection of the largest European economies. Services remained the sector most afflicted, suffering almost a quarter of all attacks.

Known ransomware attacks by group, July 2022
Known ransomware attacks by country, July 2022
Known ransomware attacks by industry sector, July 2022

LockBit

We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month’s ransomware review. Part of the gang’s success seems to have come from simply avoiding the attention-seeking pitfalls of other gangs. We wrote “…while some ransomware gangs seem to want to tell the world what they think, and how great they are, LockBit seems to care more about what its users think.”

Perhaps we spoke too soon. In July LockBit responded to an interview request by Red Hot Cyber in which it trotted out its version of the careworn old nonsense that criminal hackers help security, saying “we are ordinary pentesters and make this world safer”. Thanks to the gang’s threats and ruthless exploitation “companies can learn a security lesson and close vulnerabilities”, apparently. Whatever helps you sleep at night, we suppose.

The interview did contain some useful information too, though, revealing that between 10% and 50% of LockBit victims pay the ransom. The numbers we report each month are victims who appear on leak sites because they have not paid the ransom, so this tidbit helps us understand the true scale of the ransomware problem.

The interviewee also confirmed the suspected relationship between LockBit 3.0 (also known as LockBit Black) and DarkSide/BlackMatter ransomware, revealing that the LockBit gang paid for DarkSide source code and based the latest version of its ransomware on it. If DarkSide sounds familiar, you may recall that it was the ransomware used in the infamous Colonial Pipeline attack. The DarkSide gang disappeared shortly after the attack “due to the pressure from the US”, only to reemerge as BlackMatter in July, before disappearing again in October 2021, again due to pressure from “authorities”.

BlackBasta

BlackBasta was the second most prolific ransomware variant behind LockBit in July, and it has occupied either the second or third place in our list ever since May, having only emerged the month before.

It burst into existence in April with 11 known victims. Being able to hit so many victims in its first month led some to speculate that it must be the work of an established gang that had a network of experienced affiliates in place, ready to work. It has since been linked to the gang behind the recently retired Conti ransomware, with which it enjoys an eye-catching overlap.

Known Conti and BlackBasta attacks in the last six months

As we reported in May and June, Conti hatched a scheme to fake its own death this year, after its support for Russia’s invasion of Ukraine caused ransom payments to dry up. Members of the gang were allegedly dispersed to other “brands” owned by the Conti gang, as well as to other gangs it had a relationship with.

Apparent beneficiaries included operators of three of the five most prevalent ransomware variants in July: BlackBasta, Hive, and the resurgent KaraKurt.

REvil returns

July was also notable for the reappearance of REvil, aka Sodinokibi, perhaps the most notorious name in ransomware. A single victim appeared on the gang’s Tor leak site in July, the first since April.

A new victim appeared on the REvil leak site for the first time in months

While many other groups were far more active, the group’s reputation ensures that any sign of life demands to be taken seriously.

REvil is responsible for two of the most significant ransomware attacks in history: The 2021 attack on JBS, the world’s largest meat processing company, and an enormous, cascading supply-chain attack against Kaseya VSA and its customers a month later. The attack on Kaseya was ultimately resolved when the company announced that it had acquired the decryption key needed to free the victims, without paying REvil its $70 million ransom demand. The source of the key was later revealed to have been the FBI, which had successfully infiltrated the group’s infrastructure.

Since then REvil has led a stop-start existence. Under pressure from US law enforcement, the gang went dark in July 2021. It reappeared a few months later before being forced offline when its infrastructure was hijacked by a multi-country law enforcement operation in October.

In January, in a highly unusual move, eight of its members were arrested in Russia by the FSB. However, even that wasn’t enough to keep the gang down for long. Its infrastructure sparked back into life in April before going dark again, only to reappear in July.

New gangs appear

Last month also saw a glut of new ransomware gangs appear. The newcomers in our list are BianLian, Yanluowang, 0mega, Cheers, and RedAlert. With 11 known victims, the debut of BianLian is comparable in size to the appearance of BlackBasta in April, so we will be watching it closely in August.

The leak site of the new BianLian ransomware showed 11 victims in July
Yanluowang leak site
0mega leak site
Cheers leak site
RedAlert leak site

The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

We get a few questions about ransomware protection and how our Endpoint Detection and Response software can protect you from ransomware. In this post, our security experts answer some of your most frequently asked questions about ransomware and how our EDR can help—let’s get started.

Q: When considering an EDR solution, what anti-ransomware features should I be looking for?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“First, it should quickly identify and isolate systems that are infected with ransomware. Second, it should detect ransomware-like behavior and automatically kill and remove the threat from the system. Third, it should provide options for file recovery (in case something does get encrypted). Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.”

Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes:

“Ransomware stems from the exploitation of trust. We know that in society and computer systems, trust is essential and foundational for communication productivity and growth. What’s needed is encapsulated in a principle called trust-but-verify! In the context of EDR, trust-but-verify means the algorithmic “detection” part of EDR must employ heuristics to look for anomalous encryption that deviates from known-good encryption. This is the trust-but-verified part of a modern EDR tool. To make the EDR tool a solution, it must offer four essential functionalities:

  1. Contain threats, allowing time to investigate and document.
  2. Easy, non-vendor-specific language describing detected suspicious activity.
  3. Precision instrumentation for eradicating malware, potentially unwanted programs, and potentially unwanted changes.
  4. Instrumentation to search for indicators across the rest of your managed endpoints for early signs.”

Q: Other than detection efficacy (the percentage of malware detected), what other factors should I consider when acquiring an anti-ransomware solution?

Robert Zamani, Regional Vice President, Americas Solutions Engineering at Malwarebytes:

“Other than efficacy, you need to look also at integration—the EDR must become part of your system. It should not be a standalone solution; it should be usable and not complex. Have a “single pane of glass”—with Malwarebytes cloud-based Nebula platform, for example, you have access to an intuitive UI which helps you gain visibility into all activity across your entire organization. If I could summarize it into a single sentence, you don’t want just a next-gen solution; you need a solution that any IT professional will understand without specialized cyber-forensic knowledge.”

Q: How is detecting ransomware different from other malware?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“Up until around 2013, most malware infections were problems that could easily be solved ‘after the fact’. For example, a bank credential stealing bot can infect a system, steal your credentials and commit fraud. Well, the bank can clear out those fraud charges, you can change your credentials and you can clean the system, and suddenly the whole attack can be treated as an inconvenience rather than a significant disruption, almost like it didn’t happen. Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. So, recovery after the fact is nearly impossible without being prepared, or paying the ransom. This kind of threat requires a lot more planning, redundancy and threat monitoring than any other type of malware out there. Imagine regular malware infections as seasonal allergies, while ransomware is like being hit with pepper spray in the face.”

Q: How does Malwarebytes EDR protect against ransomware attacks?

Robert DeStefano, Senior Global Product Marketing Manager at Malwarebytes:

“First, Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Second, our solution uses multiple combined modes of endpoint isolation, so if an endpoint is attacked, it can easily halt malware from spreading and causing harm—minimizing disruption to IT and users during attacks. Third—we give you up to 72 hours of ransomware rollback. We make use of local cache on each endpoint, storing all relevant changes to the device for up to 72 hours. If you’re infected, Malwarebytes simply backs out device changes and restores files that were encrypted, deleted, or modified. You don’t have to lose all that time reimaging an endpoint. And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.”

Q: How often and at what intervals are files backed up? How much space does it take?

David Pier, Senior Sales Engineer at Malwarebytes:

“Our file backup is not triggered on a time basis—it’s really driven by our activity monitoring feature. The backups are only going to be created in an instance where Malwarebytes has detected suspicious behavior. And for the second question, data storage space isn’t an issue, as our proprietary dynamic exclusion technology learns ‘good’ behavior of applications and minimizes storage utilization. Additionally, administrators can configure their policies to dynamically manage disk space requirements, based on the remaining available disk space.”

Q: Can you identify when the first infection took place and if the same threat process has been installed across the environment or on other devices, such as malicious scheduled tasks?

David Pier, Senior Sales Engineer at Malwarebytes:

“Yes! You can do this with the Flight Recorder feature of our EDR, which allows you to search event data captured from all of your managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 7 days to threat hunt or analyze when a compromise occurred in your environment. You can search through file properties, such as the file hash or the file name, or you could leverage something like searching actual command line arguments that were used by the attacker to try and locate the original infection points.”

Q: How many full time employees are needed to deploy and manage your EDR?

David Pier, Senior Sales Engineer at Malwarebytes:

“That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. An EDR solution that you might be interested in may require you to have full-time staff to manage, or configure it. Malwarebytes EDR is not that kind of solution. This is something that we’ve successfully deployed with teams as small as two people managing this. You do not need additional headcount, you don’t need a dedicated SOC to make this program work. That being said, this solution works very well at scale. We have customers with 1000s of endpoints running this solution and effectively using it as an EDR so really, it’s a tool built for customers of any size.”

Q: Would we need a physical server or can this be operated from a cloud-based system?

David Pier, Senior Sales Engineer at Malwarebytes:

“There’s no requirement for any physical architecture. You could use it entirely cloud-based if you have cloud-based servers or cloud-based VMs. Really the only requirement we have is making sure that your endpoints can reach the Malwarebytes cloud infrastructure, which is all done through HTTPS traffic. So typically, it’s not something you need to customize unless you have a very restrictive network.”

Read about how companies used Malwarebytes EDR to fend off ransomware

To help you understand the ransomware threat and how Malwarebytes EDR can help, we’ve curated a collection of customer case studies that illustrate the common patterns of ransomware protection and recovery across a variety of industry sectors and business sizes. Check out a few of them below!

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

The post Ransomware protection with Malwarebytes EDR: Your FAQs, answered! appeared first on Malwarebytes Labs.

NetStandard attack should make Managed Service Providers sit up and take notice

Managed Service Providers (MSPs), organizations that allow companies to outsource a variety of IT and security functions, are a growing market. Because they are a potential gateway to many company networks, they make a very attractive target for cybercriminals.

In a recent threat advisory, Huntress noted that an increasing number of Initial Access Brokers (IABs) are focusing on MSPs. In a recent example, a US-based MSP called NetStandard suffered a cyberattack that caused the company to shut down its MyAppsAnywhere cloud services.

NetStandard

On July 27, 2022, NetStandard reported a cyberattack on some of its hosted services to its customers. However, details are sparse, and the MSP is staying silent on the issue. The firm’s website was down at first, but the company moved it to the cloud relatively quickly. I could find no mention of the attack there.

The information it shared with its customers said:

“As of approximately 11:30 AM CDT July 26, NetStandard identified signs of a cybersecurity attack within the MyAppsAnywhere environment. Our team of engineers has been engaged on an active incident bridge ever since working to isolate the threat and minimize impact.”

MyAppsAnywhere is an integrated suite of cloud-based hosted services including Dynamics GP, CRM, Exchange, and SharePoint.

Other targets

Huntress reports that it also noticed a cybercriminal using the handle “Beeper” looking for help to “process” an MSP. It concluded that the cybercriminal had probably gained initial access to an MSP and found it was more than they could handle on their own. Their forum post, translated, says:

“I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1000+ servers.

All companies are American and approximately in the same time zone. I want to work qualitatively, but I do not have enough people.”

Around the same time, another threat actor going by “vesiyr” posted that they had RDP access to UK companies with an expected revenue of $5 million or more, and that they were willing to sell that access. Holding RDP access to multiple companies could mean that vesiyr also gained initial access to an MSP.

Why MSPs are targets

While these incidents are very likely unrelated, they show the interest that IABs have in breaching MSPs. That is hardly surprising, since an MSP breach provides an opportunity for supply chain attacks or orchestrated attacks on a multitude of victims.

MSPs are an attractive target because a successful breach can give the attacker enormous leverage, as well as access to some or all of the computer systems of the MSP’s customers. Those customers often rely on the same MSP for security as well, so there is one less hurdle to clear when the threat actor turns to the MSP’s clients.

Attacks on MSPs are nothing new. In 2018 the Cybersecurity & Infrastructure Security Agency (CISA) released an alert saying it was aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs).

The holy grail of MSP attacks is an unpatched vulnerability in software used by MSPs to perform security or administration tasks on customers’ computers. The 2021 attack on Kaseya VSA—an attack that leveraged a vulnerability in a tool used by MSPs to launch ransomware on hundreds of MSP customers’ networks simultaneously—is widely regarded as the worst ransomware attack of all time.

In another ransomware attack, threat actors gained access to an MSP’s ConnectWise control tool and took down operations in 22 small Texas cities in a coordinated attack.

Mitigation

MSPs should be aware of both the trust invested in them by their clients and the heightened attention they are likely to receive from IABs.

MSP clients that do not conduct the majority of their own network defense should work with their MSP to determine what they can expect in terms of security. MSP clients should understand the supply chain risk associated with their MSP.

The post NetStandard attack should make Managed Service Providers sit up and take notice appeared first on Malwarebytes Labs.

Bank fraud scammers trick victims with claims of bogus Zelle transfers

It pays to be careful where cold calls from someone claiming to work for your bank are concerned. Scam callers are impersonating bank staff, with suggestions of dubious payments made to your account. One unfortunate individual has already lost around $1,000 to this slice of telephone-banking based fraud. With a little press intervention they were lucky enough to get it back. Sadly most people don’t get that far.

What’s happening, and how can you avoid it?

An unauthorised payment: A scammer’s steps to success

This attack has several steps. Here’s how it plays out:

  • The scam begins with a call from a supposed fraud team. This is a common confidence trick: it sounds convincing and it has a sense of urgency built in. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible.
  • Setting the recipient of the call off-balance is the aim of the game. And what better way to have them second guess themselves than by referring to technology they may not have used before? In this case, the scammer claims the victim’s bank account has made a fraudulent Zelle transfer of $1,000 to somebody in Texas. Zelle is a US based digital payments network. To the recipient of such a call, it may well just sound like a big scary thing has happened to their money which they don’t fully understand.
  • Adding some time-based pressure is the final blow. “Hurry up and follow my dubious instructions or you lose all of your money” is a very successful tactic. Victims are dissuaded from calling their bank directly because they would just be “redirected back to the fraud team”. In this case, the victim was told to reverse the transaction by punching in a code given to them by the fraudster. After the first $1,000 vanished, the scammer risked it all on another claim of $5,000 in fraudulent transfers. Thankfully, the victim was having none of it and more losses were averted.

Am I protected?

It’s trickier than ever to deal with a case of banking fraud. Banks and payment systems increasingly put the onus on the individual to not get caught out by deception. If you bank online and send people money, you’ll likely have gone through a fraud check flow.

This is where the site asks you to confirm who you’re sending money to and why. If you select “romance” (for example), you’ll be warned about romance scams and eventually you’ll tick a box to confirm that you recognise the risks. If something goes wrong, on your own head be it.

This is almost note for note what happened to the person in the news story above. The bank said that because the victim “authorised” the payment, no protection was in place. This is clearly not an accurate reading of what happened, and the money request was clearly fraudulent. Even so, this is what you may have to contend with should you wander into a fraud situation.

Watch out for red flags

There are several aspects of this attack, common to many others, which may indicate a fraud attempt.

  • They don’t want you to call the bank back. If you do this, the fraud falls to pieces. A genuine member of staff would have no issue with you calling them yourself.
  • Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
  • Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
  • Referencing third party payment apps may be another red flag, especially if they talk about technology you’ve not used before.

The post Bank fraud scammers trick victims with claims of bogus Zelle transfers appeared first on Malwarebytes Labs.

Woody RAT: A new feature-rich malware spotted in the wild

This blog post was authored by Ankur Saini and Hossein Jazi

The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities, using lures in archive file format and, more recently, Office documents that leverage the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat’s distribution methods, capabilities as well as communication protocol.

Distribution methods

Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:

Figure 1: Woody Rat distribution methods

Archive files

In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:

  • anketa_brozhik.doc.zip: It contains Woody Rat with the same name: Anketa_Brozhik.doc.exe.
  • zayavka.zip: It contains Woody Rat pretending to be an application (application for participation in the selection.doc.exe).

Follina vulnerability

The threat actor is using a Microsoft Office document (Памятка.docx) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The lure, written in Russian, is titled “Information security memo” and lists security practices for passwords, confidential information, etc.

Figure 2: Document lure

Woody Rat Analysis

The threat actor has left some debugging information, including a PDB path, from which we derived the name for this new Rat:

Figure 3: Debug information

A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as the parameter (SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX | SEM_NOALIGNMENTFAULTEXCEPT | SEM_NOOPENFILEERRORBOX), so no error dialogs are shown if something fails.

Figure 4: main function

As we will see later, the malware uses multiple threads, so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before another request is made.

Deriving the Cookie

The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine-specific values. The values are taken from the adapter information, computer name and volume information, and the malware appends 8 random bytes to this value to avoid any possible cookie collisions.

A combination of GetAdaptersInfo, GetComputerNameA and GetVolumeInformationW functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.

Figure 5: get_cookie_data function

Data encryption with HTTP requests

To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the BCryptImportKeyPair function.

The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and the C2 then use these bytes to generate the AES-CBC key with BCryptGenerateSymmetricKey, and that key is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses BCryptEncrypt and BCryptDecrypt respectively.

Figure 6: RSA encryption routine
Figure 7: AES encryption routine

C2 HTTP endpoint request

knock – This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request whose body contains the 32 random bytes used to derive the AES-CBC key, RSA-4096 encrypted.

The response to this request is decrypted; it contains the URL path (/submit) to which the malware sends the additional machine information it collects after this step.

Figure 8: knock request headers

submit – This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API includes:

  • OS
  • Architecture
  • Antivirus installed
  • Computer Name
  • OS Build Version
  • .NET information
  • PowerShell information
  • Python information (Install path, version etc.)
  • Storage drives – includes Drive path, Internal name etc.
  • Environment Variables
  • Network Interfaces
  • Administrator privileges
  • List of running processes
  • Proxy information
  • Username
  • List of all the User accounts

The malware currently detects 6 AVs through registry keys, namely Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

ping – The malware makes a GET request to the ping endpoint of the C2 at regular intervals. If the C2 responds with “_CRY”, the malware sends the knock request again; if the C2 responds with “_ACK”, the response contains additional information about which command the malware should execute.
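A detection pass over proxy logs for the knock, submit and ping sequence described above, added here as an example and not tooling from the original analysis. It assumes the endpoint paths /knock, /submit and /ping (the article only gives /submit explicitly), a 512-byte knock body (one RSA-4096 ciphertext block for the 32 key bytes), and constructed log lines.

```python
"""Flag the knock -> submit -> ping shape in HTTP proxy logs (added example).

Assumptions not stated by the article: the endpoints live at /knock,
/submit and /ping; the knock body is exactly 512 bytes, the size of one
RSA-4096 ciphertext block, because the 32 random key bytes are sent
RSA-4096 encrypted; the log lines below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed proxy log: timestamp client method host path request-bytes.
# 10.0.0.5 shows the full handshake; 10.0.0.7 is a look-alike control whose
# knock body is the wrong size and whose pings are irregular.
SAMPLE_LOG = """\
2022-08-01T10:00:00 10.0.0.5 POST c2.example.invalid /knock 512
2022-08-01T10:00:01 10.0.0.5 POST c2.example.invalid /submit 4096
2022-08-01T10:01:01 10.0.0.5 GET c2.example.invalid /ping 0
2022-08-01T10:02:01 10.0.0.5 GET c2.example.invalid /ping 0
2022-08-01T10:03:01 10.0.0.5 GET c2.example.invalid /ping 0
2022-08-01T10:00:30 10.0.0.7 GET www.example.invalid /index.html 0
2022-08-01T10:00:40 10.0.0.7 POST www.example.invalid /knock 77
2022-08-01T10:00:50 10.0.0.7 POST www.example.invalid /submit 300
2022-08-01T10:01:00 10.0.0.7 GET www.example.invalid /ping 0
2022-08-01T10:01:05 10.0.0.7 GET www.example.invalid /ping 0
2022-08-01T10:02:40 10.0.0.7 GET www.example.invalid /ping 0
"""

RSA4096_BLOCK = 512      # bytes in one RSA-4096 ciphertext block
MIN_PINGS = 3            # beacons needed before judging the interval
JITTER_TOLERANCE = 0.1   # allowed std-dev / mean of the ping gaps (assumed)


def parse(log_text):
    """Parse the constructed format into (ts, client, method, host, path, size)."""
    rows = []
    for line in log_text.splitlines():
        ts, client, method, host, path, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, host, path, int(size)))
    return rows


def find_handshakes(log_text):
    """Return {(client, host): mean ping interval in seconds} for every
    client/host pair showing a 512-byte POST /knock, a later POST /submit
    and at least MIN_PINGS evenly spaced GET /ping requests."""
    sessions = defaultdict(list)
    for row in parse(log_text):
        sessions[(row[1], row[3])].append(row)
    hits = {}
    for key, rows in sessions.items():
        rows.sort(key=lambda r: r[0])
        knocks = [r[0] for r in rows
                  if r[2] == "POST" and r[4] == "/knock" and r[5] == RSA4096_BLOCK]
        submits = [r[0] for r in rows if r[2] == "POST" and r[4] == "/submit"]
        pings = [r[0] for r in rows if r[2] == "GET" and r[4] == "/ping"]
        # The submit path is learned from the knock reply, so it must come after.
        if not knocks or not submits or submits[0] < knocks[0] or len(pings) < MIN_PINGS:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(pings, pings[1:])]
        mean_gap = sum(gaps) / len(gaps)
        # _SET PING fixes the sleep interval, so real beacons cluster tightly.
        if pstdev(gaps) <= JITTER_TOLERANCE * mean_gap:
            hits[key] = mean_gap
    return hits
```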

The malware supports a wide variety of commands, which are classified into _SET and _REQ requests as seen while analyzing the malware. We dive into all these commands below.

C2 Commands

The malware uses one thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize the two threads, the malware uses events and a mutex: to dispatch a command it changes the state of the event linked to that command. Note that all communication involved in these commands is AES encrypted.

Figure 9: Command execution routine

_SET Commands

  • PING – This command is used to set the sleep interval between every ping request to the C2.
  • PURG – Unknown command
  • EXIT – Exit the command execution thread.

_REQ Commands

  • EXEC (Execute) – Executes the command received from the C2 by creating a cmd.exe process. The malware creates two named pipes and redirects the process input and output to these pipes. The output of the command is read from the named pipe using ReadFile, then “_DAT” is appended to this data before it is AES encrypted and sent to the C2.
Figure 10: EXEC command
  • UPLD (Upload) – The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives the data to be written as a file.
  • INFO (Submit Information) – The INFO command is similar to the “submit” request above; it sends exactly the same information to the C2 as the “submit” request does.
Figure 11: INFO command
  • UPEX (Upload and Execute) – This is a combination of the UPLD and EXEC commands. The command first writes a file received from the C2 and then executes that file.
  • DNLD (Download) – The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
  • PROC (Execute Process) – The PROC command is similar to the EXEC command with a slight difference: the process is executed directly instead of through cmd.exe as in EXEC. The command uses named pipes in the same fashion as the EXEC command.
  • UPPR (Upload and Execute Process) – This is a combination of the UPLD and PROC commands. The command receives the remote file as the upload command does, then executes the file as the PROC command does.
  • SDEL (Delete File) – This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
  • _DIR (List directory) – This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
    • Filename
    • Type (Directory, Unknown, File)
    • Owner
    • Creation time
    • Last access time
    • Last write time
    • Size
    • Permissions
  • STCK (Command Stack) – This allows the attacker to execute multiple commands with one request. A STCK command can carry multiple child commands, which are executed in the same order in which the malware receives them.
  • SCRN (Screenshot) – This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
  • INJC (Process Injection) – The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process, the malware writes it to the remote process memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.
Figure 12: INJC routine
  • PSLS (Process List) – Calls NtQuerySystemInformation with SystemProcessInformation to retrieve an array containing all the running processes. Information sent about each process to the C2:
    • PID
    • ParentPID
    • Image Name
    • Owner
  • DMON (Creates Process) – The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
  • UPDM (Upload and Create Process) – Allows the C2 to upload a file and then execute it as the DMON command does.

SharpExecutor and PowerSession Commands

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named WoodySharpExecutor and WoodyPowerSession respectively. WoodySharpExecutor provides the malware ability to run .NET code received from the C2. WoodyPowerSession on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.

WoodyPowerSession makes use of pipelines to execute these PowerShell commands. The .NET DLLs are loaded by the malware, and commands are executed via the methods present in these DLLs:

Figure 13: SharpExecutor and PowerSession methods

The commands that use these DLLs are:

  • DN_B (DotNet Binary) – This command uses the RunBinaryStdout method to execute assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by the 0x20 (space) character.
  • DN_D (DotNet DLL) – This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.
  • PSSC (PowerSession Shell Command) – Allows the malware to receive a Base64 encoded PowerShell command and execute it.
  • PSSS (PowerSession Shell Script) – This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
  • PSSM (PowerSession Shell Module) – This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.
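A static string-triage pass for the distinctive command mnemonics and embedded DLL and method names reported in the _SET, _REQ and SharpExecutor/PowerSession sections, added here as an example and not tooling from the original analysis; the detection threshold and the sample buffers are constructed assumptions.

```python
"""Triage scan for Woody RAT command mnemonics and helper names (added example).

The token list is taken from the command names and .NET DLL/method names the
article reports; the threshold and the sample buffers are constructed.
Tokens are searched as ASCII and as UTF-16LE, since Windows binaries store
strings either way.
"""
import re

# Only the distinctive tokens; common words such as EXEC, PING or INFO
# are deliberately left out to keep false positives down.
WOODY_TOKENS = [
    "_SET", "_REQ", "_CRY", "_ACK", "_DAT",
    "UPLD", "UPEX", "DNLD", "UPPR", "SDEL", "STCK", "SCRN", "INJC",
    "PSLS", "DMON", "UPDM", "DN_B", "DN_D", "PSSC", "PSSS", "PSSM",
    "WoodySharpExecutor", "WoodyPowerSession", "RunBinaryStdout",
]
MIN_DISTINCT = 6   # assumed threshold for a "worth a closer look" verdict


def scan_tokens(data):
    """Return {token: [offsets]} for every token found as ASCII or UTF-16LE."""
    hits = {}
    for tok in WOODY_TOKENS:
        for enc in ("ascii", "utf-16-le"):
            pattern = re.escape(tok.encode(enc))
            offsets = [m.start() for m in re.finditer(pattern, data)]
            if offsets:
                hits.setdefault(tok, []).extend(offsets)
    return hits


def verdict(data):
    """True when at least MIN_DISTINCT distinct tokens are present."""
    return len(scan_tokens(data)) >= MIN_DISTINCT


# Constructed sample: a fake blob with ASCII and UTF-16LE strings embedded.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"_SET\x00_REQ\x00_ACK\x00_CRY\x00_DAT\x00"
    + b"UPEX\x00INJC\x00STCK\x00"
    + "WoodySharpExecutor".encode("utf-16-le") + b"\x00\x00"
    + "WoodyPowerSession".encode("utf-16-le") + b"\x00\x00"
)
# Constructed control: a PE-like header with none of the tokens.
BENIGN_BLOB = b"MZ\x90\x00This program cannot be run in DOS mode." + b"\x00" * 32
```

Run against a real sample, read the file in binary mode and pass the bytes to verdict(); the offsets from scan_tokens() tell you where to look in a disassembler.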

Malware Cleanup

After creating the command threads, the malware deletes itself from disk. It uses the well-known process hollowing technique to do so: it creates a suspended notepad process, writes file-deletion shellcode into the suspended process using NtWriteVirtualMemory, sets the thread's entry point with NtSetContextThread and then resumes the thread. This results in the malware being deleted from disk.

Figure 14: Malware deletes itself
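Host-side detection of the self-deletion pattern just described, added here as an example and not tooling from the original analysis: a child notepad.exe deleting the executable of its own parent. The events are constructed and use a simplified "EventID key=value" line format; the field names follow Sysmon's ProcessCreate (event 1) and FileDelete (event 23) events.

```python
"""Spot Woody RAT's self-deletion in Sysmon-style telemetry (added example).

The RAT spawns a suspended notepad.exe, writes file-deletion shellcode into
it and resumes it, so the deletion of the RAT's executable is performed by a
child notepad.exe. The events below are constructed; the simplified format
is "EventID key=value ..." with no spaces inside values.
"""

# Constructed telemetry: the RAT (pid 4242) spawns notepad (pid 5151), which
# then deletes the RAT's own binary. pids 1000/6161 are benign controls.
SAMPLE_EVENTS = r"""
1 ProcessId=4242 Image=C:\Users\alice\AppData\Local\Temp\main.exe ParentProcessId=1000 ParentImage=C:\Windows\explorer.exe
1 ProcessId=5151 Image=C:\Windows\System32\notepad.exe ParentProcessId=4242 ParentImage=C:\Users\alice\AppData\Local\Temp\main.exe
23 ProcessId=5151 Image=C:\Windows\System32\notepad.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\main.exe
1 ProcessId=6161 Image=C:\Windows\System32\notepad.exe ParentProcessId=1000 ParentImage=C:\Windows\explorer.exe
23 ProcessId=6161 Image=C:\Windows\System32\notepad.exe TargetFilename=C:\Users\alice\Documents\notes.txt
"""


def parse_events(text):
    """Yield (event_id, fields) from the simplified line format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        yield int(event_id), fields


def find_self_deletes(text):
    """Return [(deleting_pid, deleted_path)] for every FileDelete whose target
    is the image of the deleting process's parent. Any image is checked; a
    notepad.exe child doing this is the behaviour the article describes."""
    parent_image = {}   # pid -> parent's image path, from ProcessCreate
    hits = []
    for event_id, f in parse_events(text):
        if event_id == 1:
            parent_image[f["ProcessId"]] = f["ParentImage"].lower()
        elif event_id == 23:
            pid = f["ProcessId"]
            if parent_image.get(pid) == f["TargetFilename"].lower():
                hits.append((int(pid), f["TargetFilename"]))
    return hits
```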

Unknown threat actor

This very capable RAT falls into the category of unknown threat actors we track. Historically, Chinese APTs such as the Tonto team, as well as North Korea with Konni, have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.


IOCs

Woody Rat:


C2s:


Follina doc: Памятка.docx
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb

Follina HTML file:
garmandesar.duckdns[.]org:444/uoqiuwef.html

Woody Rat URL:
fcloud.nciinform[.]ru/main.css

The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

For months, JusTalk messages were accessible to everyone on the Internet

JusTalk, a popular mobile video calling and messaging app with 20 million global users, exposed a massive database of supposedly private messages to the public Internet for months. According to security researcher Anurag Sen, who discovered the open database, the messages were stored unencrypted, and the database itself was not locked behind a password.

“Rest assured your calls and messages are secured,” the JusTalk website reads, “Only you and the person you communicate with can see, read, or listen to them: even the JusTalk team won’t access your data!”

Figure: The JusTalk website assures users their messages are secured

But, as we know, “won’t access” is not the same as “can’t access”. And when anybody has the ability to see somebody else’s private data, it opens the door for both malice and mistakes.

The open database is a logging database the company, Ningbo Jus Internet Technology, uses to keep track of app bugs and errors. It also houses hundreds of gigabytes of data and is hosted on a Huawei cloud server in China. Sen said anyone can access the data using a web browser if they have the right IP address.

Data collected from Shodan, a search engine for exposed devices and databases, shows that the database was first exposed in early January at the latest, and that the company continued to use it after that.

Because the database is, essentially, a smorgasbord of all the data the company collects (chat logs, video logs, granular location data, data on child users of its JusTalk Kids app, records from its JusTalk second phone number product), it's complicated to put a number on the victims affected by this breach. However, it is prudent to assume everyone using Ningbo Jus's products is affected.

The server was collecting and storing more than 10 million individual logs each day, including millions of messages sent over the app, including the phone numbers of the sender, the recipient and the message itself. The database also logged all placed calls, which included the caller’s and recipient’s phone numbers in each record.

~ Zack Whittaker, TechCrunch

Shortly after TechCrunch published a story on JusTalk not really having end-to-end encryption, the open database was no longer accessible.

Shodan is used by security researchers and online criminals alike, and TechCrunch found evidence that someone had already accessed the database, perhaps even copied the data in it. The outlet found an undated ransom note left in the database by a data extortionist for the company to find.

Because the database has all collected data stored in one place, it’s doubtful that the company even noticed this ransom note. Ningbo Jus may not even know that it’s already being extorted.

The blockchain address associated with the ransom note has not yet received any funds.

The post For months, JusTalk messages were accessible to everyone on the Internet appeared first on Malwarebytes Labs.

Update now! VMWare patches critical vulnerabilities in several products

In a new critical security advisory, VMSA-2022-0021, VMWare describes multiple vulnerabilities in several of its products, one of which has a CVSS score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.

Vulnerabilities

VMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to ‘root’ on unpatched servers.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.

CVE-2022-31656

CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher Petrus Viet with discovering this vulnerability.)

CVE-2022-31659 and CVE-2022-31658

The same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10, CVE-2022-31658 and CVE-2022-31659. CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass into remote code execution. These vulnerabilities also affect the VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.

CVE-2022-31665

CVE-2022-31665 is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.

Other privilege escalation vulnerabilities

Besides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664, which are all local privilege escalation vulnerabilities. These vulnerabilities would allow a threat actor with local access to escalate privileges to ‘root’.

Mitigation

Even though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.

To fully protect yourself and your organization, please install one of the patch versions listed in the VMware Security Advisory, or use the workarounds listed in the VMSA.

Stay safe, everyone!

The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.

How to protect yourself and your kids against device theft

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it’s not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

How to protect yourself against mobile device theft

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

  • Lock your device. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
  • Encrypt your data. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way that requires the correct PIN to access the secured data. Older versions of Android used something called full-disk encryption; newer versions use file-based encryption. iPhones and iPads have encryption as standard when using Face ID, Touch ID, or a passcode. You can check by going to Settings > Face ID/Touch ID & Passcode. If you scroll to the bottom you should see “Data Protection is enabled”.
  • Turn on Find my phone. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it’s likely to be turned on by default, but you can check by navigating to the “Find My” app.

How to protect yourself against laptop theft

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

  • Don’t neglect physical security. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
  • Observe campus rules. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
  • Encrypt your device (again). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
  • Turn on Find your device. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to Start > Settings > Update & Security > Find my device, and then select “Change” to finish configuring. On Mac, navigate to System Preferences > AppleID > iCloud. Select Find My Mac and click Allow.

A tip for both mobiles and laptops

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

A week in security (July 25 – July 31)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (July 25 – July 31) appeared first on Malwarebytes Labs.