IT NEWS

Instagram verification services: What are the dangers?

Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means Instagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand.

Have you ever wanted to get your own account verified? We noticed a large number of Instagram accounts all claiming to offer this as a service. Quick, easy, guaranteed. Or so they claim. After digging into it, we had a few questions of our own.

Setting the scene

Here’s just some of the identical profiles we’ve seen promoting one specific verification service.

multiple verify instagram accounts

Most of the profiles contain the same information in the bio section. Here’s a typical example:

instagram verify service

The verification process “takes 1-2 hrs”, has a 100% success rate, and payment is required before processing. You can send a direct message, or visit their shortened link for more information.

Forming an orderly line

The link in the bio section leads to a Google Docs form. Unless you view the document while signed into a Google account, you won’t be able to see the content or fill it in.

The service says it will submit your profile to Instagram for verification. Given the only way to do this as a regular user is submit it yourself via the app, this means the service would presumably need your login details to do it. This is highly relevant to our next line of investigation.

Of media partners and promotional agencies

One section of the form notes the slick, professional approach it has in relation to verification and third-parties:

  • We would like to share everything about our service and marketing strategy. We are the only legitimate agency that provides a guarantee of verification. If we are not able to get you the blue badge, we will refund your entire payment.
  • As you know we have a few talented Instagram media partners agencies. They will do everything for your verification with maintaining all the terms of Instagram authority. They are highly qualified to do that and have a high success rate.

As this article mentions, celebrities may work with agencies with access to Facebook’s Media Partner Support for verification instead. Incidentally, that’s another approach filled with booby-traps. Do we think any of these identical profiles are working to that level?

The form also lists several Instagram accounts which have been “successfully verified” as a result of its guidance. This includes one account which no longer exists, and a well known brand of cheese spread which doesn’t appear to post content anymore. We reached out to the two Instagram accounts which accept direct messages, but didn’t receive a reply.

With all of this in mind, it’s time to ask one of these accounts some questions directly.

Question time for an Instagram verification service

I sent a message to the profile highlighted up above.

instagram dm conversation

I asked the following:

Hi, I have some questions about the verification process and was hoping you could answer before I sign up.

1) What are the fees, and which payment method do you use

2) The form says you use a “few talented Instagram media partner agencies”. Who are the agencies?

3) If there’s a 100% success rate, why is there a money back guarantee for unsuccessful applications?

4) How did you help to verify several accounts which are much older than your own?

5) Why is your own account not verified?

Thanks!

Question 5 is particularly important: with so many identical profiles, how do we even know which one is the real deal? If verification is so easy, where is their own verified profile badge?

At any rate, they only replied after a follow-up message, promised to answer my questions immediately, and promptly disappeared again. It seems my verified status is not to be, but on the evidence seen so far, I think I can live without paying someone money for the privilege.

How verify me scams on social media usually end

There’s a few likely final destinations for respondents of detail-free, evasive operations nestled inside dozens of spam accounts.

  1. They (eventually) send you a request for payment and a link to their processing tool of choice. Once you pay, you never see them or the money again. If you had as much difficulty as I did trying to get basic information from a supposed Instagram verifier, would you trust them with your money?
  2. You’re sent a link to a website asking you to fill in your details. The website is nothing more than a phishing page, grabbing personal details and login information. Worth noting that although the “service” I encountered above made use of a Google Docs form, it did not ask for logins.

  1. Either of these methods may involve a request for scans of identification. Sending scammers copies of your passport pages is never going to be a good idea. One of the most brazen combinations of most of these tactics can be seen in this CNET article from last year.

Safe verification practices

There’s a bit of mystery as to how certain sites verify individuals. Instagram is refreshingly straightforward and direct in its approach. It pretty much all boils down to preventing impersonation of “notable” individuals. If you’re in a big pile of press links, articles about you, things which have gained column inches somewhere, then you’re probably going to be verified.

Here’s some more information from the Head of Instagram, Adam Mosseri:

Follower count doesn’t matter. If you see someone claiming to offer verification based on follower count, you can safely disregard that entity. If you’re asked to login somewhere then don’t do it. And don’t send scans of identification documentation either.

The allure of verification on social media is too powerful for many people to resist, and that’s what scammers are banking on. If you believe you need it, by all means send in an application to your platform of choice. By the same token, think very carefully about entrusting non-verified spam accounts with your personal details, money, or even identity documents. It almost certainly won’t turn out to have been worth it.

The post Instagram verification services: What are the dangers? appeared first on Malwarebytes Labs.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

Google

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

Vulnerabilities

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973CVE-2021-37976CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

Cytrox

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

Government spyware

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

A week in security (May 16 – 22)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (May 16 – 22) appeared first on Malwarebytes Labs.

Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers

Multiple NVIDIA graphic card models have been found to have flaws in their GPU drivers, with six medium-and four high-severity ratings.

Last Monday, the company released a software security update for NVIDIA GPU Display Driver to address the vulnerabilities. If exploited, they could lead to denial of service, code execution, privilege escalation, and data tampering.

NVIDIA GeForce software, Studio, RTX/Quadro, NVS, and Tesla running Windows and Linux are all affected by this update, covering driver branches R450, R470, and R510. Here are the lists for Windows and Unix/Linux for reference for driver branch histories.

The latest release also covers updates for already unsupported GTX 600 and GTX Kepler-series cards. This is NVIDIA honoring its promise of continuing to provide support for these cards until September 2024—three years after the October 2021 end-of-support date.

Let’s look at each of the vulnerabilities up-close.

High-severity NVIDIA vulnerabilities

  • CVE-2022-28181. A malformed executable or shader file (a program that runs on the GPU) exploiting the DCL_INDEXABLE functionality could lead to memory corruption, code execution, data tampering, denial of service, privilege escalation, and information disclosure. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28182. A malformed executable or shader file exploiting the DCL_INDEXRANGE, DCL_RESOURCE_STRUCTURED, and DCL_UNORDERED_ACCESS_VIEW_STRUCTURED functionalities could lead to memory corruption, data tampering, denial of service, information disclosure, and privilege escalation. Virtual machines and (theoretically) web browsers can trigger this vulnerability. This is exploitable over the network.
  • CVE-2022-28183. An unprivileged user could cause an out-of-bounds read (a flaw that allows parts of the memory, which are allocated to more critical functions, to be manipulated), leading to a denial of service and information disclosure. This is exploited with local access.
  • CVE-2022-28184. An unprivileged user could access registers available only to administrator accounts, leading to data tampering, denial of service, and information disclosure. This is exploited with local access.

Medium-severity NVIDIA vulnerabilities

  • CVE-2022-28185. An out-of-bounds write in the ECC (error correction code) layer could lead to data tampering and denial of service.
  • CVE-2022-28186. A validation flaw in the kernel mode layer (nvlddmkm.sys) could lead to data tampering and denial of service.
  • CVE-2022-28187. A memory management software flaw in the kernel mode layer (nvlddmkm.sys) could lead to denial of service.
  • CVE-2022-28188. A validation flaw in kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where input is not correctly validated for being able to process data safely, which could lead to denial of service.
  • CVE-2022-28189. A NULL pointer dereference in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape could lead to a system crash.
  • CVE-2022-28190. A validation flaw in kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where improper input validation could lead to denial of service.

Patch as soon as possible

NVIDIA users are advised to download and apply the patches ASAP. The updates can also be applied via NVIDIA’s GeForce Experience suite.

The post Update now! Nvidia released fixes for 10 flaws in Windows GPU drivers appeared first on Malwarebytes Labs.

Chicago students lose data to ransomware attackers

Chicago Public Schools (CPS) disclosed on Friday that students may have had their data taken in a ransomware incident involving one of its vendors.

The ransomware attack happened last December at Battelle for Kids (BfK), based in Columbus Ohio, which develops services to provide innovation in schools for students and teachers.

Breaching education

Around 490,000 students and 56,000 employees found their data breached by those responsible for the ransomware. The data accessed by criminals, stretching from 2015 to 2019, included a variety of information potentially including:

  • Name
  • School
  • CPS email
  • Employee ID number
  • Battelle for Kids username

The notification breach says that home addresses, health/financial information, and social security numbers were not exposed.

Chicago Public Schools is offering free credit monitoring for those affected.

A late notification

The breach occurred in December but the notification did not, which raises several questions related to lateness of notification for those impacted. According to Bleeping Computer, the CPS contract with BfK means immediate notification of any data breach.

Despite this, it took no fewer than four months to get word out that something had occurred. Letters pertaining to the breach were sent out towards the end of April. The reason for this is that it took this long to verify the breach had actually taken place. That isn’t all, however. Other breaches related to the compromise of Battelle for Kids suggests private student data was revealed “as far back as 2011”.

According to the Chicago Sun Times, a spokesperson for CPS says the breach was “caused [and] exacerbated by BfK’s failure to follow the information security terms of their contract”. They go on to single out a failure to encrypt data and purge old records. We talk about ransomware breaches often, and frequently mention the benefits of having a sensible back-up plan. This sounds like a case which may well have benefited greatly from this approach.

Schools: a ripe target for ransomware

All forms of education are an increasingly popular place to be for ransomware criminals. Schools, Universities, and (as we see above) third-party organisations are all valid targets. Even if the schools have a watertight security setup, it may not be the case for external suppliers and other entities interacting with the data in some way.

Outbreaks in schools and universities may not be life-threatening in the way attacks on the healthcare sector can be. However, severe delays to applications, operations, and teaching generally can have a big impact on students.

Tips to avoid ransomware

  • Keep devices updated. Secure your devices with the latest updates and patches. It’s not just the Operating System you have to consider here. Outdated software and applications are frequently the launchpad for exploits leading to ransomware attacks.
  • Update your security software. Often your first line of defence, help it to help you by automating updates and scans.
  • Strengthen remote access. A common ransomware pitfall is leaving remote services unsecured. Provide a limit on password guess attempts for remote desktops. You can also combine remote services with multifactor authentication.
  • Avoid strange attachments. Booby-trapped Word/Excel documents are a big threat in these realms, especially where Macros are concerned.
  • Browser controls for bad ads. Malvertising is another method for dropping ransomware onto systems. Restricting certain features like JavaScript will help, though this may make some sites unusable in places. Dedicated extensions which control scripts more generally, tracking, or untrustworthy ad networks will also help.
  • Encrypt and back it up. Keep your data encrypted whenever possible, and get into the habit of backing up regularly. Store backups externally, away from the main network. Ensure your backups are stored in a logical way and not a confused mess of folders and files, so you can easily find and restore files if you need to.

The post Chicago students lose data to ransomware attackers appeared first on Malwarebytes Labs.

Hunting down your data with Whitney Merrill: Lock and Code S03E11

Depending on where you live, you can ask a company to hand over all the data it has collected about you and, in a matter of weeks as mandated by law, that company has to fork that information over.

Whether the company will abide on time, however, is a different story.

In the European Union, the United Kingdom, and California, consumers have a leg up in understanding what data is collected about them, largely thanks to several laws passed in those regions in the last few years. And at least in California, people can request that a company hand over the data it has collected about them, even if they are not an active user of that company’s product or a customer of that company’s services.

That’s because in today’s world, your data is not collected only by the companies you directly interact with, but also by the companies that your friends and families interact with.

In February of last year, Whitney Merrill proved this was true when she requested her data from the then-popular app Clubhouse. Though Merrill did not have an account with the company and was not a user of the app, she proved that Clubhouse did have her phone number, which had been shared with Clubhouse by Merrill’s contacts who were active users.

Merrill, who has requested her data from several more companies since then, learned more about data privacy compliance than about just what is being collected about her. Each request, Merrill said, can be different from another, and each request is done separately, forcing users who want to learn more about how their data is collected to spend increasingly more of their own time—time which they may not realistically have. The entire model right now, Merrill said, has many flaws.

“We all interact with thousands and thousands of websites and providers that collect our data—maybe hundreds is probably a better number—in any given week or year. And, as a result, you have to go to each individual one and ask for access to your data… The burden is really on the end user.”

Whitney Merrill, Data Protection Officer and Privacy Counsel at Asana

This week on the Lock and Code podcast with host David Ruiz, we speak with Merrill about the difficulties of requesting your own data from a company and why some companies seem to interpret data privacy laws as mere suggestions. We also touch on proposed solutions to today’s problems with cross-border data transfers and what “data localization” may lead to in the future.

This video cannot be displayed because your Functional Cookies are currently disabled.

To enable them, please visit our privacy policy and search for the Cookies section. Select “Click Here” to open the Privacy Preference Center and select “Functional Cookies” in the menu. You can switch the tab back to “Active” or disable by moving the tab to “Inactive.” Click “Save Settings.”

You can also find us on Apple PodcastsSpotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “God God” by Wowa (unminus.com)

The post Hunting down your data with Whitney Merrill: Lock and Code S03E11 appeared first on Malwarebytes Labs.

Unknown APT group has targeted Russia repeatedly since Ukraine invasion

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

The campaigns

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

1. Interactive map of Ukraine

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

2. Log4j patch

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email address.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

eml 2
A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

Screen Shot 2022 05 19 at 3.19.24 PM
A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch

In a confident demonstration of just how little attention people pay to such lists it ends “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

virustotal
The PDF attachment links to a VirusTotal entry for an unrelated file

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

rostech
The rostec.digital website
facebook
The rostec.digital facebook account
instagram
The rostec.digital Instagram account

3. Build Rostec

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

4. Saudi Aramco job

The most recent campaign occured in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as decoy, and created a directory named Aramco under C:ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

doc 2
A malicious job advert urges Russian readers to enable macros

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%DocumentsAdobeHelpCenter directory.

The template also seems to do a redundant check for the existence of %USER%DocumentsD5yrqBxW.txt and only if it doesn’t exist, will it drop the script and execute it.

Screenshot 2022 05 11 at 9.27.21 PM
Macros embedded in the remote template

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

Screenshot 2022 05 15 at 4.47.09 PM
Deobfuscated HelpCenterUpdater.vbs

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

Screenshot 2022 05 16 at 1.23.08 PM
Deobfuscated UpdateRunner.vbs

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

Screenshot 2022 05 20 at 4.11.55 PM
The attack chain for the Saudi Aramco-themed APT campaign

The malware, which is common to all four campaigns, is explained in detail in the next section.

Payload analysis

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

Screenshot 2022 05 17 at 2.33.04 PM
The DLLMain function from GE40BRmRLP.dll

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

Anti-analysis techniques

Control Flow Flattening

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening and OLLVM allows users to specify this. Additionally we also saw what looks like the Bogus Control Flow LLVM pass being used.

Screenshot 2022 04 26 at 11.10.09 PM
Control Flow Flattening used by the malware

String obfuscation

The payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: The encoded string, the destination of the decoded string, and the byte that is used while decoding the string.

Each string is decoded every time it’s required by the malware.

Screenshot 2022 05 17 at 4.53.23 PM
The decode_string function from GE40BRmRLP.dll

Command and control

Before contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:

  • GetFileAttributesA on the C:Windows directory
  • GetComputerNameA
  • GetVolumeInformationA on the C: drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

Screenshot 2022 05 17 at 8.51.43 PM
Deriving the ID

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=data, where data contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

Screenshot 2022 05 17 at 10.38.06 PM
HTTPS GET request

Based on the response to the above request, the malware decides which of command to execute:

  1. getcomputername. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
  2. upload. This receives a file name and file contents from the C2 which it writes to the local file system.
  3. execute. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
  4. exit. This is used to terminate the malware process.
  5. ls. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory and sends it back to the C2.
Screenshot 2022 05 18 at 12.36.52 AM
The upload command
Screenshot 2022 05 18 at 1.07.40 AM
The List Files command

Attribution

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.

Screenshot 2022 05 19 at 10.13.20 AM
Infrastructure overlap between Sakula RAT and the malware analzed in this article

Another interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.

Nebula

IOCs

C2 Domains

windowsipdate[.]com
microsoftupdetes[.]com
mirror-exchange[.]com

C2 IPs

168.100.11.142
192.153.57.83
45.61.137.211
206.188.197.35

Download Domain

fatobara[.]com

Download IP

91.210.104.54

Hashes

Name Hash
Final payload cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541
86ecd536c84cec6fc07c4cb3db63faa84f966a95763d855c7f6d7207d672911e
917820338751b08cefc635090fc23b4556fa77b9007a8f5d72c11e0453bfec95
22bdc42a86d3c70a01c51f20f5b7cfb353319691a8102f0fe3ea02af9079653e
12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a
3f16055dc0f79f34f7644cae21dfe92ffc80f2c3839340a7beebd9436da5d0eb
f5658588c36871421f287f12e7e9ba5afba783a7003da1043a9c52d10354b909
ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d
bac1790efe7618c5b2b9e34e6e1d36ec51592869bcc5fb304dd7554c32731093
5d039f4368f88a2299be91303c03143e340f700f1fc8aa0a8cdbfbc5a193c6be
patch_Log4j.tar.gz 4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7
PDF attachment f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488
Emails 0625566ec55f0a083d1c1a548a2631502f17e455066b29731e29d372918e6541 0925b3c05cef6d3476a97b7d4975e9e3ceefedf62f42663b9c02070e587b3f2d 111fef44ba63f11279572f1e7e4d6ce5613ef8fe3b76808355cdcbed47b49fec 1c886a9138f3b0e0b18f1c0da83719a9b5351db7ce24baa13c0e56ef65d96d02 1fb0cd76ec5ae70f08a87f9e81cb5e9b07f9b3306772ae723fa63ff5abfa0d07 27d19efedb6a7c8d3c65fe06fd5be9c3e236600e797e5058705db1e2335ec2ad 310fa9c65aa182a59e001e8f61c079e27d73b8eb5f8f8965509cb781d97ba811 3627b37b341efa0b36352d76480dce994f481e672ebf9fa2da114a1339cf6c01 3655420f72d0c14cfb113ccb53e9ac85b87883913c3844b3e0bfb7bd7230a9bd 3b2ef76ec2eb3b4db4b7efe14d88c5338f1dc4eb9a9cf309989362d193c25403 3e9254d8cb25b2abf4fb755feaaf41c0059c68067e64de01a9242e5d9e47ab33 3ff96e73aeb0419df67bc5fec786a4dc82e4a9051274b4fc3cbc3ae3af7fdf94 44118322165be32de86569972e9f599a3c79a2336ca6f76c29861b40905cd067 4b6b0c29ece1c4719ec4d5186fb6247603fa1f03bd473bf6ef6367995e8c1121 4f28db1131ace2fce96e84172e0a861eb471ea054799e1132eb4945e4dca550b 4f8c2079ac98a3e8e085be8e88ff7b53ea70cb131cba4bfd2784e391d24c27e9 5a662050df51863575700a8e21efe605f4e789404d4bb53b4299f32b93e8d20f 5aa0a15e052fea2a2d445940ef751ddf3d3ae7c43c095a738b9bd603efc7df8b 5b9c7fe8ee5756dbd8563b3efe8dbc0966ad9044ff223b8797940f9e4e47333e 5ccf98699b96c811f4dab768cf486dc0f31b098dba30e031ba4ab2a5a5a3aba8 7ee7b2193b1e53f93dc2ed573d8f927cfa0916ccf111ff35faef9c4b153456f2 80a3de79f6c859d6c4667f705588c7c254d24fca2f44704123a2ba38e7c285a9 810d6566d9879c10a6a8581bb6ea6bed83a14a869383ad7e1ee16eadfd5bbb54 811827026414bdd400257cd3f048a1c75a2b211d02ac790510b800baa0702de4 81f24d1c310214b8f66345f250a6d5493e5e1cdf06d39d18a96cd9f93a1e7655 ac328efa54b6dd4497ba5dc6195474b8b9e5a7bcd32d5733e5006be9bbd0dc22 b63ef28fc1b0b1180fe9f476fe2ef3970b9928b009354e996bb2bf4ece223031 b99580152dde60622c1a962cd7cee1834d0ee86490785ac02d8ee51b73be008f c9623e83d875d6b9ca1a80087151b59a4037159c605ee92c6c795252ccf89596 cd277299ed849de71e88f698c1c06b0cfa65f166b0e90fc620aa50f6efe70161 d4062c6fd3813299ac721309fe0385a5337cea8b8e3605b05458467aeb23d8c0 e19b7dfe0e693c468c73f0a9e4c751216787daeff7d933cedcc10c932bd2835e e444303f1888b1ee5eeb69a0c4c3372b0cd2276b6987b0b18ea2267ff7ba19ad f15d90da5e253aaf570d29ffb9bf87ce7d8292b953d13e5a0f86b8671a4c57e7 fa800e6e16444894455b2a8f9e245efbe8b298fc8af9d7f8e155bb313ca9e7bb fc4af16fed48bd3a029ce8bfc4158712f9ab0cd8b82ca48cb701923d0a792015

The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

Why you should act like your CEO’s password is “querty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, Michael”, and “Jordan” for their passwords. I was curious to know if these are the names of executives’ name their kids. My entirely unscientific trawl for the names of CEO’s children turned up list of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When not naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “querty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

The post Why you should act like your CEO’s password is “querty” appeared first on Malwarebytes Labs.

Cardiologist moonlighted as successful ransomware developer

The US has charged a 55-year-old French-Venezuelan cardiologist from Venezuela with “attempted computer intrusions and conspiracy to commit computer intrusions”. This was revealed in an unsealed complaint in a federal court in Brooklyn, New York.

Moises Luis Zagala Gonzales worked as a ransomware developer on the side, renting out and selling ransomware tools to cybercriminals. He is known by many names—all related to his line of work—in the criminal underground: “Nosophoros” (Greek for “disease-bearer” or “diseased”), “Aesculapius” (Greek God of Medicine and Doctors), and “Nebuchadnezzar” (famed Babylonian king responsible for conducting the first recorded clinical trial in history).

US Attorney Breon Peace, who announced the charges, said:

“As alleged, the multi-tasking doctor treated patients, created and named his cyber tool after death, profited from a global ransomware ecosystem in which he sold the tools for conducting ransomware attacks, trained the attackers about how to extort victims, and then boasted about successful attacks, including by malicious actors associated with the government of Iran. Combating ransomware is a top priority of the Department of Justice and of this Office. If you profit from ransomware, we will find you and disrupt your malicious operations.”

Jigsaw v2 and Thanos are Zagala’s creations

Jigsaw made its first appearance in 2016. Initially called “BitcoinBlackmailer”, Jigsaw became a memorable ransomware strain in that it depicted Billy the Puppet, a macabre figure from the popular thriller franchise Saw.

malwarebytes jigsaw ransom note
The Jigsaw ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Saw-inspired, Jigsaw puts pressure on victims to do what they’re told: Pay up now, or more of your files will be deleted every hour you delay. On top of this, it also has (in Zagala’s description) a “Doomsday” counter that counts the times a user attempts to terminate the ransomware.

“If the user kills the ransomware too many times, then it’s clear he won’t pay, so better erase the whole hard drive,” Zagala wrote about the tool.

The Thanos ransomware, Zagala’s second ransomware tool, was advertised as a “Private Ransomware Builder” in 2019. Presumably, he named it after a malevolent comic villain, who is based on “Thanatos”, the personification of death in Greek mythology.

malwarebytes thanos ransom note
The Thanos ransomware ransom note (Source: Marcelo Rivero | Malwarebytes)

Thanos allowed criminals to create their own unique ransomware strain, which they could then rent out to other criminals. Interested criminals could purchase a license for Thanos or join Zagala’s affiliate program, where he received a cut of the ransom payout.

The complaint alleged Zagala bragged that Thanos was “nearly undetected” by antivirus software. After encrypting all files, Thanos also deletes itself, making detection and recovery “almost impossible” for the victim.

MuddyWater, an Iranian APT, used Thanos ransomware to attack Israeli entities in September 2020. In June 2020, Hakbit, a Thanos offshoot, was used in attacks against pharmaceutical and healthcare sectors (among others) in Austria, Switzerland, and Germany.

“Malware analysts are all over me”

According to the FBI, Zagala began appearing online as “Nebuchadnezzar” because “malware analysts are all over me”.

Around May 3, 2022, law enforcement agencies conducted an interview with a relative of Zagala, who resides in Florida. Zagala used the PayPal account of this relative to receive his illicit ransomware earnings.

The relative provided details that proved helpful in deepening Zagala’s link to his ransomware activities as a creator and underground businessman. They revealed that Zagala taught himself computer programming. The contact details they had for Zagala also matched the registered email associated with Thanos infrastructure.

Zagala is facing up to ten years’ imprisonment if convicted.

The post Cardiologist moonlighted as successful ransomware developer appeared first on Malwarebytes Labs.

How iPhones can run malware even when they’re off

Most people think that turning off their iPhone – or letting the battery die – means that the phone is, well, off. The thing is, this isn’t quite true. In reality, most of the phone’s functionality has ended, but there are components that mindlessly continue a zombie-like existence, for the most part unbeknownst to the user.

Even when the battery dies in your iPhone, it’s not truly dead. The phone will shut itself down to conserve the last little bits of power, and will enter a low power mode that is very different from the Low Power Mode that is offered when the battery drops to 20%, and that is found in the battery settings. These last trickles of power are used to keep certain limited functionality active for some time. The same is true of turning the phone off, except that this functionality can stay active much longer with a battery closer to full.

What is this functionality? Most notably, Express Cards – payment cards used with public transit systems – can continue to work in such a state. So can things like digital home or car keys, which seems logical. After all, you don’t want to get locked out just because your iPhone battery died!

More surprising is that the iPhone’s Find My capabilities continue to function. This means that the phone’s location can still be tracked, in a manner similar to how AirTags work, even after it has been turned off.

Is this a problem or not a problem?

Much ado has been made in the past of the use of things like Express Cards, which can be used without authentication. Someone could potentially jostle you in a public place and scan your phone with a fake public transit payment terminal, thus skimming money off the card you have set as an Express Card. That’s 100% possible, but not really all that likely.

Not to mention that there’s a simpler scenario. Someone could pull the same trick with a normal payment terminal, rather than one pretending to be a public transit terminal, and the tap-to-pay cards in your wallet. That’s a much simpler scenario with a much higher probability of success.

Similarly, digital keys could be used to access your car or your home, if someone stole your phone. Of course, that’s assuming they could figure out where your car or your home are from a locked phone, which is a pretty big “if” unless the thief had some prior knowledge.

In this regard, your phone doesn’t really pose much more of a risk than other things you’d have on your person. Of course, this is highly dependent on circumstances. For example, stealing a phone left on a table while the owner’s not paying attention would be a lot easier than stealing a wallet and keys from someone’s pocket. On the other hand, if a thief snatches someone’s purse or backpack, they may get phone, keys, and wallet, and the phone could easily be the least useful of the three.

Find My, on the other hand, is a bigger problem.

What’s the problem with Find My?

The major use cases for Find My are for you to find a lost device, or for someone you’ve shared your location with to find you. So what’s the problem? I mean, these are situations where you fully intend for your phone to be trackable, right? Unfortunately, there are scenarios that are not so beneficial.

Consider stalking or abuse scenarios where the stalker knows your Apple ID credentials, or has been given – through stealth or bullying – the ability to see your location. This is often the case with intimate partner abuse, for example. If you are in such an abusive situation, you may be under the false impression that turning your phone off will temporarily stop the tracking. Alas, that is not the case, and this could be a painful lesson to learn… both literally and figuratively.

However, there’s a possibility of still worse problems, like malware.

Wait… what?! Did you say malware?

Indeed. German researchers recently found that the Bluetooth firmware, responsible for managing the Bluetooth Low Energy (BLE) communication upon which Find My relies, is not cryptographically signed. Since the firmware is not signed, that means that modifications to the firmware cannot be detected without comparing the firmware to a known-good copy of the firmware.

Since BLE communication continues when the phone is off, the researchers found that there is a theoretical possibility that malware on the device could modify the Bluetooth firmware, thus installing malicious code that could continue to run even when the phone appears to be off. The most likely use case for such malware would be to use the BLE tracking capabilities to monitor the phone’s location.

Now, before you go chucking your phone in the garbage or smashing it with a hammer, let’s keep in mind that this is all theoretical at the moment. Compromising the firmware would require a jailbreak, which is not an easy thing to accomplish remotely. Physical access lowers the difficulty level, but it’s still not likely that this technique could be used by most adversaries.

How can I protect myself?

If you’re in a situation where an abuser is monitoring your location, you should be aware that turning off your phone will not stop the tracking. For those in such situations, we advise seeking help, as disabling the tracking could have bad consequences. If you need to not be tracked for a while, leave your phone in a location where it’s reasonable to expect you might spend some time.

When it comes to malware, there’s not much to worry about at present. There’s no known malware using BLE firmware compromise to remain persistent when the phone is “off.” Further, unless you are likely to be targeted by a nation-state adversary – for example, if you are a human rights advocate or journalist critical of an oppressive regime – you’re not likely to ever run into this kind of problem. (If that ever changes, you can be sure we’ll cover that here!)

If you actually are a potential target for a nation-state adversary, don’t trust that your phone is ever truly off. In such a case, a Faraday bag, or a low-tech flip phone, might be a good investment!

The post How iPhones can run malware even when they’re off appeared first on Malwarebytes Labs.