IT NEWS

Facebook users wary of security mail find themselves locked out of accounts

It’s not unusual for sites and services to offer additional forms of protection on top of regular security features. Some of the bigger ones even go the extra mile, protecting from attacks up to a potential nation state level.

The most famous example of this recently is likely Google. Its Advanced Protection Program (APP) was deployed to warn people that Fancy Bear was on the prowl. We often see advanced security features like the APP feed back into security features for regular service users too. This is all very good.

What isn’t perhaps quite as good is when not taking up the offer of additional security features results in a total lockout of your account. This is the complaint that’s been raised by many Facebook users over the last few days.

What happened?

Facebook has a service similar to Google’s APP which it is rolling out to users. That service is called Facebook Protect, and it’s being expanded to more and more countries. As per Facebook’s own description of what it does:

We’re expanding Facebook Protect, our security program for groups of people that are more likely to be targeted by malicious hackers, such as human rights defenders, journalists, and government officials.

No action is required unless you’re prompted to enroll.

We’re also making it easier for these groups of people to set up two-factor authentication.

Sounds like a good plan! However, the rollout and various interactions with Facebook Protect haven’t gone well for everybody. At the beginning of March, people started to receive emails out of the blue which also included a clickable button to set everything up. It also pointed out that if recipients didn’t enable the feature, they’d be locked out of their account.

When is/isn’t the promise of a lockout real?

This immediately threw recipients into confusion, as they tried to figure out if they were being phished:

The fact that Facebook said everything was “fine” if they navigated to the site directly didn’t help ease the feelings of confusion. While the head of security policy at Meta confirmed the mails were real, once the deadline had passed people started to flag issues with getting back into the site:

The lockout begins

As it turns out, many people are now indeed experiencing some form of lockout. Worse, they’re having major issues trying to resume business as usual. Most of the complaints I’ve seen are focused on the fact that they thought the clickable button email was some sort of scam attempt:

This on its own is fairly problematic for those affected. It’ll no doubt be fixed, but if you’re one of the people who ignored the mail, unfortunately there’s no ETA for a fix. What I find particularly interesting in this story is the knock-on effect on additional Facebook/Meta services.

A virtual headache

At launch, users of the Oculus Quest 2 headset found they needed to have a Facebook account in order to play. If the account was banned, bad luck – no more Oculus Questing for you. While it’s been mentioned a few times that Facebook-free headsets will be with us at some point, this doesn’t help people caught by the Protect problem. This is because not only will you lose the ability to use your headset if banned, you’ll also suffer the same fate if the account is disabled for some reason.

Locked out due to not clicking through on an email from the start of March? It’s not just your social platform impacted, it’s your headset, too. As one device owner put it, they’ve had their headset “bricked” to protect them from hackers. They, too, are finding that the various options for re-enabling things are not currently working.

As we mentioned above, this will no doubt be fixed down the line. However, a lot of people really need access to their accounts and devices as soon as possible. For now, it’s a case of the waiting game – all because of an unexpected email and a suspicious looking button.

The post Facebook users wary of security mail find themselves locked out of accounts appeared first on Malwarebytes Labs.

A new rootkit comes to an ATM near you

It’s not unusual to hear about malware created to affect automated teller machines (ATMs). Malware can be planted at the ATM’s PC or its network, or attackers could launch a Man-in-the-Middle (MiTM) attack.

Recently, a new rootkit, which the Mandiant Advanced Practices team has named CAKETAP, was found targeting Oracle Solaris systems running on ATM switch servers. This rootkit is a Unix kernel module that performs several malicious tasks to aid the attackers, a group Mandiant tracks as UNC2891 (aka LightBasin), in conducting fraudulent ATM transactions.

CAKETAP has an impressive list of stealth capabilities to hide its presence and activities. It hides network connections, processes, and files. It removes itself from a list of loaded modules on execution and updates data in the last_module_id function to reflect data from a previously loaded module.

This rootkit can conduct fraudulent bank transactions by intercepting specific messages—card and PIN verification messages—sent to the ATM system’s Payment Hardware Security Module (HSM). Banks use this tamper- and intrusion-proof hardware component to generate, manage, and validate cryptographic keys for PINs, magnetic stripes, and EMV chips. When threat actors use a fraudulent card on an affected ATM, CAKETAP alters card verification messages to disable card verification. This, in turn, creates a valid response from the HSM.

On the other hand, when a regular ATM user uses a valid card on an affected ATM, CAKETAP stores the verification message from that valid transaction, which essentially says that the card is not fraudulent, and forwards it to the HSM, allowing routine transactions to continue uninterrupted. Later, CAKETAP replays this stored verification message to the HSM to trick it into allowing a fraudulent transaction.

“Based on Mandiant’s investigation findings, we believe that CAKETAP was leveraged by UNC2891 as part of a larger operation to successfully use fraudulent bank cards to perform unauthorized cash withdrawals from ATM terminals at several banks,” Mandiant security researchers said in the report.

UNC2891 (aka LightBasin) is financially motivated and uses an arsenal of tools in its ATM attack campaigns: two of which are backdoors called TINYSHELL and SLAPSTICK; two decryptors called STEELCORGI and STEELHOUND; a network reconnaissance toolkit named SUN4ME; two keyloggers called WINGHOOK and WINGCRACK; and utilities named BINBASH, WIPERIGHT, and MIGLOCLEANER.

Figure: Diagram of UNC2891’s tools in use in an ATM attack (Source: Mandiant)

Mandiant has noted that, although LightBasin and another threat actor, UNC1945, have overlapping operational tactics, it cannot readily conclude that they are the same. “For example, it is possible that significant portions of UNC2891 and UNC1945 activity are carried out by an entity that is a common resource to multiple threat actors, which could explain the perceived difference in intrusion objectives—a common malware developer or an intrusion partner, for example,” the report concludes.


A week in security (March 14 – 20)

Last week on Malwarebytes Labs:

Stay safe!


Facebook phish claims “Someone tried to log into your account”

Watch out for bogus Facebook phishing messages winging their way to your mailbox. The ruse is quite simple: The mail senders are relying on the recipient’s sense of panic to respond without thinking about it.

The mail looks professional enough, and seeks to imitate what would be a fairly typical looking message from Facebook. As for the panic aspect, the phishers have pinned the hopes of this attack onto the old faithful “Someone is trying to login as you, so you’d better do something about it ASAP” routine.

The phish

The mail itself combines a fairly clean design with minimal messaging. There’s a tendency with some phish attempts to overstuff the mail with all manner of nonsense to look more convincing. When that happens, we often see increasing amounts of typos or broken mail design. This one simply gets to the point. It reads as follows:

Someone tried to Iog into Your Account, User lD 

A user just logged into your Facebook account from a new device Samsung S21. We are sending you this email to verify it’s really you.

Thanks,

The Facebook Team

So far, so good. However, it goes a bit off the rails with the two clickable buttons presented. The first one says “Report the user” which makes sense. The second one just says “Yes, me” instead of something more plausible such as “Yes, it’s me” or even just “It was me”. This may set some alarm bells ringing.

The functionality

What happens when you click the button(s)? The expected process would be to be whisked away to a phishing page and asked to enter your details. Not here. This one follows the same pattern as a mail we covered a little while ago.

You may remember the phish attempt claiming to have detected unusual sign-in activity from Russia. That mail didn’t bother with phishing pages. Instead, it popped open a pre-formatted mail in your client of choice for you to respond to the creators. Anybody replying would likely receive additional requests for login details or much more besides.

This phish follows the same path, opening one of two pre-filled response styles depending on which button you select. “Report the user” is the most interesting one, pre-filling the subject line as “Send statement”.

What is sent back may be a booby-trapped document of some kind, or perhaps phishing done through a form. It’s also possible the dialogue will simply continue via mail. Whatever they’re up to, they should be treated with the cold shoulder they so richly deserve.
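As an added illustration (not code from the post), here is a small Python check a mail filter could run for the two tells described above: I/l homoglyph swaps in the wording, and action buttons that are mailto: links with a pre-filled subject rather than links to a web page. The sample message, the addresses in it and the lookalike word list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the mail described above (not the real message).
# Note "Iog" (capital i standing in for l) and "lD" (lowercase L standing in for I),
# and that both buttons are mailto: links instead of links to a web page.
SAMPLE_MAIL_HTML = """
<html><body>
<h2>Someone tried to Iog into Your Account, User lD</h2>
<p>A user just logged into your Facebook account from a new device Samsung S21.
We are sending you this email to verify it's really you.</p>
<a href="mailto:report@example.invalid?subject=Send%20statement">Report the user</a>
<a href="mailto:report@example.invalid?subject=Yes%20me">Yes, me</a>
<p>Thanks,<br>The Facebook Team</p>
</body></html>
"""

# Words an attacker wants a homoglyph to pass for. Small seed list for the example;
# a real filter would carry a much longer one.
LOOKALIKE_TARGETS = {"log", "login", "logged", "id", "account", "password", "link"}
# Undo the classic swap: capital I written for lowercase l, and l written for I.
SWAP = str.maketrans({"I": "l", "l": "I"})


class _MailParser(HTMLParser):
    """Collects the visible text and every <a href> together with its link text."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []          # [href, link text] pairs, in document order
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in_link = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._in_link and self.links:
            self.links[-1][1] += data


def parse_mail(html):
    parser = _MailParser()
    parser.feed(html)
    return " ".join(parser.text_parts), [(h, t.strip()) for h, t in parser.links]


def find_homoglyph_words(text):
    """Words that only become a lookalike target after the I/l swap is undone."""
    hits = []
    for word in re.findall(r"[A-Za-z]+", text):
        swapped = word.translate(SWAP).lower()
        if swapped in LOOKALIKE_TARGETS and word.lower() not in LOOKALIKE_TARGETS:
            hits.append(word)
    return hits


def find_mailto_buttons(links):
    """Links that open the reader's mail client with a pre-filled message."""
    buttons = []
    for href, text in links:
        parts = urlsplit(href)
        if parts.scheme.lower() != "mailto":
            continue
        query = parse_qs(parts.query)
        buttons.append({"text": text, "address": parts.path,
                        "subject": query.get("subject", [""])[0]})
    return buttons


def analyse_mail(html):
    """Run both checks; either tell on its own is enough to flag the message."""
    text, links = parse_mail(html)
    homoglyphs = find_homoglyph_words(text)
    buttons = find_mailto_buttons(links)
    return {"homoglyphs": homoglyphs, "mailto_buttons": buttons,
            "suspicious": bool(homoglyphs) or bool(buttons)}


if __name__ == "__main__":
    print(analyse_mail(SAMPLE_MAIL_HTML))
```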

Go to the source

Always remember to navigate directly to the sender of supposed security alerts. If it’s genuine, you should be able to address whatever issue you’ve been sent. If there’s no sign of it, consider sending it along to them directly. It may be a scam sample they’ve not seen before, and this can in turn help them to protect a wider userbase. Above all else: don’t panic, because this is how attackers can trick you into doing something you’ll regret.

Report, block, and go about your day.


AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI

The FBI has issued an advisory about the AvosLocker ransomware. Notably, the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector.

AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including financial services, critical manufacturing, and government facilities.

Threat profile

AvosLocker ransomware is a multi-threaded Windows executable written in C++ that runs as a console application and shows a log of actions performed on victim systems. AvosLocker ransomware encrypts files on a victim’s server and renames them with the “.avos” extension.

The AvosLocker executable leaves a ransom note called GET_YOUR_FILES_BACK.txt in all directories where encryption occurs. The ransom note includes a .onion site that contains instructions for paying the ransom and receiving a decryption key.


Attention!

Your systems have been encrypted, and your confidential documents were downloaded.

In order to restore your data, you must pay for the decryption key & application.

You may do so by visiting us at <onion address>.

This is an onion address that you may access using Tor Browser which you may download at https://www.torproject.org/download/

Details such as pricing, how long before the price increases and such will be available to you once you enter your ID presented to you below in this note in our website.

Contact us soon, because those who don’t have their data leaked in our press release blog and the price they’ll have to pay will go up significantly.

The corporations whom don’t pay or fail to respond in a swift manner have their data leaked in our blog, accessible at <onion address>

So, besides encrypting your files, AvosLocker also exfiltrates data and threatens to publish the stolen data to its leaks site. The public leak site not only lists victims of AvosLocker, along with a sample of data allegedly stolen from the victim’s network, but also gives visitors an opportunity to view a sample of victim data and to purchase that data.

The FBI also notes that in some cases, AvosLocker victims receive phone calls from an AvosLocker representative. The caller encourages the victim to go to the .onion site to negotiate, and threatens to post stolen data online. In some cases, AvosLocker actors will threaten and execute distributed denial-of-service (DDoS) attacks during negotiations.

Exchange vulnerabilities

Since AvosLocker is a Ransomware-as-a-Service, which of the vulnerabilities gets used may depend on the affiliate.

The Exchange Server vulnerabilities are named as CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, and CVE-2021-26855.

CVE-2021-31207: a Microsoft Exchange Server security feature bypass vulnerability. The vulnerability allows a remote user to bypass the authentication process. This is the way in.

CVE-2021-34523: a Microsoft Exchange Server elevation of privilege (EoP) vulnerability. The vulnerability allows a user to raise their permissions. This is how they take control.

CVE-2021-34473: a Microsoft Exchange Server remote code execution (RCE) vulnerability. The vulnerability allows an authenticated user to execute arbitrary code in the context of SYSTEM and write arbitrary files. This allows the attacker to drop malware on the server and run it.

This is exactly the same attack chain we described in August 2021. This chain of attack was generally referred to as ProxyShell.

Another RCE vulnerability in Exchange Server has been seen as well:

CVE-2021-26855: the ProxyLogon vulnerability which we discussed in detail in our article on Microsoft Exchange attacks causing panic as criminals go shell collecting. The vulnerability allows an attacker to drop a webshell on a vulnerable Exchange Server. A web shell is a script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Obviously, not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

Mitigation

As we stated earlier, all these vulnerabilities have been patched. So, if you are wondering which updates to install next and you are running one or more Microsoft Exchange Server instances, starting there might be a good idea.

Microsoft’s team has published a script on GitHub that can check the status of protection against ProxyLogon vulnerabilities of Exchange servers.

Detection

Malwarebytes detects AvosLocker as Ransom.AvosLocker.

Figure: Malwarebytes blocks Ransom.AvosLocker

Stay safe, everyone!


Fake Esports voting sites looking to phish Steam users

We’ve seen Esports occasionally become the focus of gaming or Steam scams. One particular tactic of note was to claim joining an official league is an easy process. Links to third-party hosted files would offer up a supposedly cracked ESEA Esports league client. In reality, it was a data stealing Trojan.

One current twist on Esports where Steam scams are concerned is the “vote for my team” fakeout.

Crying foul on bogus voting

This trick has been around for a while now, but shows no signs of going away. As some have noticed, it is indeed “flaring up again”. The scam routinely separates unwary gamers from their logins. It’s also used to spam people from compromised accounts. On top of all that, the social pressure of “Please help me out” is often too good to let go.

An additional headache here is that people change usernames on Steam all the time. As a result, some people assume the message sender is actually a friend and not a stranger. This makes it even more likely they’ll feel obliged to assist.

People want to be helpful, and this slice of social engineering takes full advantage of this.

How does it work?

A Steam user receives an unsolicited message from a stranger. It may be sent via Steam’s own messenger service, or it could be in a Steam-themed Discord channel. The scammer presents the “offer” as a way to help a fellow Steam enthusiast out, or ties it to fictional rewards if the message recipient takes part. The message may also be sent in a different language. Some scammers simply won’t care about this, on the basis they can just send it to a seemingly never-ending pool of other recipients.

After some small talk, the scammer will ask the message recipient if they want to join their Esports team. More likely, they’ll ask them to vote for their team in an upcoming competition, or do some form of nomination to take part.

Clicking into the site and hitting the specified team vote button will typically open up a phishing page or window. If the intended victim uses some form of account protection such as Steam Guard, they’ll be asked to switch it off. Once this is all done and dusted, the account is officially phished and at the mercy of the phisher(s).

What’s the impact from being phished in this manner?

We’ve touched on a few of the impacts, but they include:

  • Spamming your friends. Not great, and they’ll likely unfriend you once they see suspicious messages rolling in.
  • Losing your digital items. Hard-earned items will vanish, after being sent to other accounts. If you paid real money for those items then they’re at risk too. The scammer may even just choose to sell the entire account in one go. If you used money in your Steam wallet to purchase a valuable item, both money and item may be lost.
  • Loss of access. Perhaps an obvious one, but you probably don’t need the hassle of trying to get through to customer support when the pandemic continues to cause significant delays on, well, everything.

Protecting your Steam account from esports voting scams

You’ll probably be familiar with some of these Steam security suggestions:

  • Add additional protection to the email account tied to Steam. If 2FA style safeguards are available, be sure to use them. If you have a second, backup email account tied to the primary account, then make sure that’s locked down too.
  • Enable Steam Guard. It’ll mean the scammers have to work harder to access your account. While it won’t tip everyone off, having to awkwardly ask you for your 2FA code may be enough to set alarm bells ringing.
  • Unsure if an account is one of your friends sporting a new username? Hover over the username of the person messaging you on their profile. It’ll reveal a list of all the old names they’ve gone by. If you’re unable to view their profile at all, add that to the “probably suspicious” pile.
  • Never, ever log into anything related to Steam via messages from friends or strangers. Even if you know the person sending the message, it’s possible they’ve been compromised and are being used to send more spam.


How to protect RDP

You didn’t really think that the ransomware wave was coming to an end, did you? You may be tempted to think so, given the decline in reports about massive ransomware campaigns. Don’t be fooled.

Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies, a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it—which is what makes it so dangerous in the wrong hands.

Brute-force attacks

Threat actors use brute-force password guessing attacks to find RDP login credentials. These attacks use computer programs that will try password after password until they guess one correctly, or run out of passwords. The passwords they guess can be sold via criminal markets to ransomware gangs that use them to breach their victims’ networks.

Once they have RDP access, ransomware gangs can deploy specialized tools to:

  • Elevate their privileges (when needed)
  • Leave backdoors for future use
  • Gain control over wider parts of the infiltrated network
  • Deploy ransomware and leave payment instructions

The first three steps are most important for businesses to pay attention to, as they need to be examined after a breach has been noticed. The easiest and cheapest way to stop a ransomware attack is to prevent the initial breach of the target, and in many cases that means locking down RDP.
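To make the brute-force pattern and the rate-limiting defence concrete, here is an added Python example (not from the post and not any Malwarebytes product’s code) that replays Windows Security log events through a per-source sliding-window rate limiter and flags a successful logon that follows a burst of failures. Event IDs 4625/4624 and logon type 10 are the real Windows values; the line format, addresses, usernames and timestamps are constructed, and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Security-log style records (not real telemetry), one per line:
# "timestamp event_id logon_type source_ip target_user". 4625 = failed logon,
# 4624 = successful logon; logon type 10 = RemoteInteractive (RDP). UTC times.
SAMPLE_EVENTS = """\
2022-03-17T09:12:01Z 4625 10 192.0.2.45 Administrator
2022-03-17T09:12:03Z 4625 10 192.0.2.45 Administrator
2022-03-17T09:12:04Z 4625 10 192.0.2.45 admin
2022-03-17T09:12:06Z 4625 10 192.0.2.45 Administrator
2022-03-17T09:12:07Z 4625 10 192.0.2.45 backup
2022-03-17T09:12:09Z 4625 10 192.0.2.45 Administrator
2022-03-17T09:12:30Z 4624 10 192.0.2.45 Administrator
2022-03-17T09:15:00Z 4625 10 198.51.100.7 jsmith
2022-03-17T09:20:00Z 4624 10 198.51.100.7 jsmith
"""

# Failed RDP logons show up as type 10, or as type 3 (Network) when NLA rejects
# the attempt before a session exists, so both are counted as RDP here.
RDP_LOGON_TYPES = {"10", "3"}


class RdpRateLimiter:
    """Per-source sliding-window limiter, modelling what a brute-force protection
    feature does: after max_failures within window_s seconds the source is locked
    out for lockout_s seconds. The defaults are assumptions for the example."""

    def __init__(self, max_failures=5, window_s=60, lockout_s=600):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_s)
        self.lockout = timedelta(seconds=lockout_s)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.users = defaultdict(set)        # ip -> usernames it has tried
        self.blocked_until = {}              # ip -> end of its lockout
        self.alerts = []
        self.blocked_attempts = 0            # attempts that arrived during a lockout

    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        return ip in self.blocked_until and now < self.blocked_until[ip]

    def feed(self, ts, event_id, logon_type, ip, user):
        if logon_type not in RDP_LOGON_TYPES:
            return
        self._prune(ip, ts)
        if event_id == "4625":
            if self.is_blocked(ip, ts):
                self.blocked_attempts += 1   # rate limit holds: guess not even evaluated
                return
            self.failures[ip].append(ts)
            self.users[ip].add(user)
            if len(self.failures[ip]) >= self.max_failures:
                self.blocked_until[ip] = ts + self.lockout
                self.alerts.append({"type": "brute_force", "ip": ip, "at": ts.isoformat(),
                                    "failures": len(self.failures[ip]),
                                    "users": sorted(self.users[ip])})
        elif event_id == "4624" and (self.is_blocked(ip, ts) or self.failures[ip]):
            # A success right after a burst of failures is the alert that matters most.
            self.alerts.append({"type": "success_after_failures", "ip": ip,
                                "at": ts.isoformat(), "user": user})


def parse_event(line):
    ts, event_id, logon_type, ip, user = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, logon_type, ip, user


def triage(events_text, **policy):
    """Replay the records in order and return the limiter with its alerts."""
    limiter = RdpRateLimiter(**policy)
    for line in events_text.strip().splitlines():
        limiter.feed(*parse_event(line))
    return limiter


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for alert in result.alerts:
        print(alert)
    print("attempts rejected during lockout:", result.blocked_attempts)
```

The user who mistypes a password once and then logs in five minutes later (198.51.100.7) produces no alert, while the address cycling through Administrator, admin and backup is locked out on its fifth failure and its later success is flagged.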

Securing RDP

If you want to deploy software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol, with a client that comes pre-installed on Windows systems and is also available for other operating systems. There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:

  • Decide if you really need RDP. This is an important question and you should not be afraid to ask it. Even if you are hardened against brute-force attacks, there is always the chance that attackers will find a remote vulnerability in RDP and exploit it. Before you enable RDP for anyone, be sure that you need it.
  • Limit access to the users who need it. Reduce the number of opportunities an attacker has to guess a weak password by following the principle of least privilege. This cannot be done from the Remote Desktop settings but requires security policies. We have included a guide on how to do this later in this article.
  • Limit access to specific IP addresses. This is another form of following the principle of least privilege. There is simply no need for many IP addresses to have access to your RDP clients. Rather than banning the IP addresses that don’t need access, allow only those that do.
  • Use strong passwords. Even the most persistent attacker will only ever guess very weak passwords because it is more cost effective to make a few guesses on a lot of computers than it is to make lots of guesses on one. So the first and most basic form of defence is to have users choose even moderately strong passwords—meaning passwords that don’t appear in lists of the most commonly used passwords, and aren’t based on dictionary words. Of course, getting users to actually do that is notoriously difficult, so you need to use other hardening measures as well.
  • Use rate limiting. Rate limiting (such as Malwarebytes Brute Force Protection) has the effect of significantly strengthening the defenses of weak passwords. It works by reducing the speed at which attackers can make login attempts, typically by shutting them out for a period of time after a small number of incorrect guesses. This represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.
  • Use multi-factor authentication (MFA). MFA can stop password guessing in its tracks but it can be difficult to roll out and support. Any second authentication factor will make attacks significantly more difficult, but factors that don’t require user interaction—such as hardware keys and client certificates—are the most robust.
  • Put RDP behind a VPN. Forcing users to connect to a VPN before they can log in to RDP effectively takes RDP off the Internet and away from password guessing attacks. This can be extremely effective but it comes at the cost of maintaining a VPN, and simply shifts the burden of securing your users’ point of access from RDP to the VPN. Diligent patching is essential. In the last few years ransomware gangs and other cybercriminals have made extensive use of vulnerabilities in popular, corporate VPNs.
  • Use a Remote Desktop Gateway Server. This provides additional security and operational benefits, like MFA. The logs it takes of RDP sessions can prove very useful if you find yourself trying to figure out what might have happened after a breach. Because the logs are not on the compromised machine, they are harder for intruders to modify or delete.
  • Do not disable Network Level Authentication (NLA). NLA offers an extra authentication level. Enable it, if it wasn’t already.

Other things that might help

The things in the list below aren’t effective enough to constitute genuine hardening, but might help reduce the volume of attacks you see. They are easy to do but they are not a substitute for the list above.

  • Changing the RDP port. Some hardening guides recommend changing the RDP port so that it does not use the default port number, 3389. Although this might reduce the number of scans that find your RDP clients, our research suggests that plenty of attackers will still find you.
  • Retire the Administrator username. Although some password guessing attacks use a variety of usernames, including automatically generated ones, many of them simply try to guess the password for the user named Administrator (or the local equivalent). However, because usernames are not treated as secrets by either users or systems, unlike passwords, you should not rely on the obscurity of your usernames to protect you.

Limiting access to the users that need it

The first step in this process is to create a user group that will be allowed remote access. You can do this in the Group Policy Management Console (GPMC.MSC).

  • In this console, select Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
  • Right-click Restricted Groups and then click Add Group.
  • Click Browse > type Remote > click Check Names and you should see “REMOTE DESKTOP USERS.”
  • Click OK in the Add Groups dialog.
  • Click Add beside the MEMBERS OF THIS GROUP box and click Browse.
  • Type the name of the domain group, then click Check Names > click OK > OK.
  • On the PC, run an elevated command prompt and type gpupdate /force to refresh Group Policy.
  • You should see the group added under the SELECT USERS button on the REMOTE tab of the PC’s SYSTEM PROPERTIES.

Now you can open the related local policies by opening Control Panel > System and Security > Administrative Tools > Local Security Policy > User Rights Assignment.


Remove the “Administrators” group from the “Allow log on through Remote Desktop Services” policy and certainly do not grant access to the account with the username “Administrator.” That account is perfect for the intruders—they would love to take it over. Also remove the “Remote Desktop Users” group, contradictory as that may seem, because by default the user group “Everyone” is a member of the “Remote Desktop Users” group.

Now, add the user(s) that you specifically want to have remote access to this system, and make sure that they have the rights they need—but nothing more. Restrict the actions they can perform to limit the damage that they can do if the account should ever become compromised.
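As an added example (not from the post), here is a Python audit of the policy just described, run over a constructed fragment in the format that secedit /export /cfg writes: it reports any built-in group or RID-500 account that still holds the “Allow log on through Remote Desktop Services” right (SeRemoteInteractiveLogonRight) and prints the corrected line. The S-1-5-21-... group SID standing in for the dedicated remote-access group is made up for the example.

```python
import re

# Constructed fragment in the layout of a "secedit /export /cfg <file>" INF:
# rights are listed under [Privilege Rights] as comma-separated *SID entries.
# The S-1-5-21-... group SID is invented for the example.
SAMPLE_SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyRemoteInteractiveLogonRight =
[Version]
signature="$CHICAGO$"
Revision=1
"""

RDP_RIGHT = "SeRemoteInteractiveLogonRight"   # "Allow log on through Remote Desktop Services"

# Well-known SIDs that the hardening advice above says should not hold the right.
DISALLOWED_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}
# The built-in Administrator account always has relative ID 500 under its domain or machine SID.
RID_500_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")


def parse_privilege_rights(inf_text):
    """Return {privilege_name: [sid, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Privilege Rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        sids = [v.strip().lstrip("*") for v in value.split(",")]
        rights[name.strip()] = [s for s in sids if s]
    return rights


def audit_rdp_logon_right(rights):
    """Every holder of the RDP logon right that should be removed, with a readable name."""
    findings = []
    for sid in rights.get(RDP_RIGHT, []):
        if sid in DISALLOWED_SIDS:
            findings.append({"sid": sid, "name": DISALLOWED_SIDS[sid]})
        elif RID_500_RE.match(sid):
            findings.append({"sid": sid, "name": "built-in Administrator (RID 500)"})
    return findings


def propose_fix(rights):
    """The corrected INF line, keeping only holders that passed the audit.
    An empty right locks everyone out of RDP, so create the dedicated group first."""
    bad = {f["sid"] for f in audit_rdp_logon_right(rights)}
    keep = [s for s in rights.get(RDP_RIGHT, []) if s not in bad]
    if not keep:
        return RDP_RIGHT + " ="
    return RDP_RIGHT + " = " + ",".join("*" + s for s in keep)


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_SECEDIT_EXPORT)
    for finding in audit_rdp_logon_right(parsed):
        print("remove from", RDP_RIGHT + ":", finding["sid"], "(" + finding["name"] + ")")
    print("corrected line:", propose_fix(parsed))
```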

Secure your network resources

In the context of RDP attacks, it is also important that you apply some internal safety measures. PCs that can be used remotely should be able to use network resources, but not be able to destroy them. Use restrictive policies to limit the damage that any user, not just a remote one, can do.

Aftermath of an attack

If you have been impacted by a ransomware attack via RDP, you’ll need to take some steps to better secure your network and endpoints. After you have recovered your files from a backup or by forking over the ransom, you need to check your systems for any changes the attackers have made that would make a future visit easier for them—especially if you decided to pay the ransom. By paying the threat actors, you have essentially painted a bulls-eye on your own back. You are now a desirable target, because they know you will pay to get your files back, if necessary.

To be sure there are no artifacts left behind, check the computer that was used to access the network via RDP for Trojans and hacking tools, and also any networked devices that could have been accessed from the compromised machine.


This article was originally published in August 2018 and was extensively updated in March 2022. Since this article was first published, Malwarebytes has added Brute Force Protection to the Nebula cloud-based security console. Check it out.


Double header: IsaacWiper and CaddyWiper

As war in Ukraine rages, new destructive malware continues to be discovered. In this short blog post, we will review IsaacWiper and CaddyWiper, two new wipers that do not have much in common based on their source code, but with the same intent of destroying targeted Ukrainian computer systems.

IsaacWiper

IsaacWiper was one of the artifacts security company ESET reported to be targeting Ukraine. Other artifacts were named as HermeticWiper (wiper), HermeticWizard (spreader) and HermeticRansom (ransomware). IsaacWiper is far less advanced than HermeticWiper, the first wiper that was found, which we analyzed here.

IsaacWiper is made of an executable, compiled with Visual Studio. The executable imports functions like DeviceIoControl, WriteFile, MoveFile, GetDiskFreeSpaceEx and FindNextFileW. Although each of these functions is legitimate, the combination of all these imports could be suspicious. Section analysis, on the other hand, is perfectly normal. No strange segments are found, and entropy has the expected values:


The sample is presented in DLL form with just one export, named _Start@4, which contains the main functionality of the malware:


The malware will iterate through all system disks, overwriting the first bytes of these disks:


The following chunk shows an extract of the code responsible for that behavior. Also, it can be seen how the volume is unlocked after write operations:


We have found that not only the physicalDrive but also partitions are wiped in the process. The wiper will iterate through the filesystem, enumerating files and overwriting them. This behavior is similar to ransomware activity, but in this case there is no decryption key. Once the data has been overwritten, it is lost:


The attackers left various log strings in the code. An example of one of these debug strings, referenced inline, is presented below:


In fact, these debug strings describe pretty well the malware functionality. All debug strings are presented below:


As can be seen, the attackers’ goal is to destroy data on victims’ systems. Affected users will lose their files, and their computers will be unbootable, forcing them to reinstall the OS.

CaddyWiper

CaddyWiper is the third wiper (after HermeticWiper and IsaacWiper) that was observed in this year’s attack on Ukraine. In contrast to HermeticWiper, this one is very small and has less complex capabilities.

The sample is not signed and its compilation date is: 14 March 2022 07:19:36 UTC. The executable is dedicated to destroying files and partition information for each available disk.

The main function of the wiper can be seen below:


First, the wiper checks if it is running on the Primary Domain Controller. The malware will avoid trashing Domain Controllers, probably because it wants to keep them alive for the purpose of propagation.

If the current machine is not a Domain Controller, the wiping starts. It recursively wipes files in the C:\Users directory. Then, it iterates over available hard disks, starting from “D:”, and recursively wipes all the files it can access.

The wiping is done in the following way:


It tries to grant access to the files before writing:


All files and directories are enumerated with the well-known APIs FindFirstFileA/FindNextFileA. If the found element is a directory, the function is called recursively. If it is a file, a new buffer filled with zeros is allocated and the file content is overwritten with it. The buffer is limited to 10 MB, so if the file is bigger than this, only the beginning of it is wiped.
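A triage script for the partial-overwrite behaviour just described, added here as an example and not code from the post or from the malware: because the zero buffer is capped, a file larger than the cap keeps its tail, so scanning for an all-NUL prefix of exactly min(size, cap) bytes separates fully wiped, partially wiped and intact files. The 10 MB cap is the figure the post states; the sample files are constructed, and the demo uses a 64-byte cap so they stay small.

```python
import os
import tempfile

WIPE_CAP = 10 * 1024 * 1024  # the post states CaddyWiper's zero buffer is capped at 10 MB


def zeroed_prefix(path, cap):
    """Count leading NUL bytes, scanning at most `cap` bytes of the file."""
    zeros = 0
    with open(path, "rb") as fh:
        while zeros < cap:
            block = fh.read(min(1 << 20, cap - zeros))
            if not block:
                break
            rest = block.lstrip(b"\x00")
            zeros += len(block) - len(rest)
            if rest:  # real data inside the region a wipe would have zeroed
                break
    return zeros


def triage(path, cap=WIPE_CAP):
    """Classify a file as 'intact', 'wiped' (entirely zeros) or 'partially_wiped'
    (zeros up to the cap, original data still present beyond it).
    Heuristic: a legitimate file that starts with `cap` NUL bytes would also be flagged.
    Returns (status, recoverable_bytes)."""
    size = os.path.getsize(path)
    if size == 0:
        return "empty", 0
    zeros = zeroed_prefix(path, cap)
    if zeros < min(size, cap):
        return "intact", size
    if size > cap:
        return "partially_wiped", size - cap  # the tail beyond the cap was never touched
    return "wiped", 0


def demo(cap=64):
    """Write constructed samples to a temp dir (a tiny cap stands in for 10 MB)
    and return {name: (status, recoverable_bytes)}."""
    d = tempfile.mkdtemp()
    tail = b"payroll data that survives beyond the cap"
    samples = {
        "intact.txt": b"quarterly report\n" * 8,
        "wiped.bin": b"\x00" * 40,
        "partial.bin": b"\x00" * cap + tail,
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return {name: triage(os.path.join(d, name), cap) for name in samples}
```

On a real image, run `triage()` with the default cap over the user directories the post says are targeted; files reported as partially wiped still hold everything past the first 10 MB.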

Interestingly, this enumeration starts from the drive letter D (C is treated as a separate case), so any disks mounted as A or B are skipped. Finally, the malware wipes the layout information of the available disks/partitions:


It starts from \\.\PHYSICALDRIVE9 and at each iteration decrements the number by one.

The wiping of the partition layout is implemented via an IOCTL sent to the drive device: IOCTL_DISK_SET_DRIVE_LAYOUT_EX. The malware sets an empty buffer as the new layout.

The sample is only mildly obfuscated, and most of the strings it uses are built on the stack. The Import Table is also very small, containing only one function. All the other functions it needs are retrieved dynamically with the help of a custom lookup routine:


CaddyWiper is extremely light in comparison to HermeticWiper, which was the most complex of all the wipers associated with these attacks. There is no code overlap between them, and they were most likely written by different authors.

Protection

Malwarebytes clients are protected against both of these wipers:



Indicators of Compromise

IsaacWiper

13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

CaddyWiper

a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea

The post Double header: IsaacWiper and CaddyWiper appeared first on Malwarebytes Labs.

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared its observations about a group of cybercriminals called Exotic Lily. This group has specialized as an initial access broker, which means they find a vulnerability in an organization’s defenses, exploit it, and sell the access to the victim’s network to an interested party, repeating this with different victims.

Among these interested parties TAG found the Conti and Diavol ransomware groups. Because Exotic Lily’s methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.

Initial access broker

Like in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.

These initial access brokers are different from the usual ransomware affiliates, who deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS provides the encryption software, the contact and leak sites, and negotiates the ransom with the victim. An initial access broker instead lets another cybercriminal know that they have found a way into company xyz, and asks how much they are willing to pay for that access.

Exotic Lily

From the TAG blog we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.

Their email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.

Last year, researchers found that Exotic Lily used the vulnerability listed as CVE-2021-40444, a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a blog about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of BazarLoader delivered inside ISO files.

Because Exotic Lily’s operations require a lot of human interaction, the researchers analyzed the group’s “working hours” and concluded that it looks like a regular 9 to 5 operation located in a Central or Eastern European time zone.

Social engineering

As with most email campaigns, the amount of social engineering largely determines how successful a campaign can be. Between the millions of emails sent in a “spray-and-pray” attack and the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.

Exotic Lily used identity spoofing in which they took a legitimate domain and replaced its TLD with “.us”, “.co” or “.biz”. At first, the group would create entirely fake personas posing as employees of a real company, complete with social media profiles, personal websites, and AI-generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.
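As an added example (not code from the TAG report or from this post), a Python check for the TLD-swap pattern above: the second-level label of the From: domain is compared with a set of domains the organization actually corresponds with, and a match under a different TLD is flagged. TRUSTED_DOMAINS and SAMPLE_FROM are constructed for the demo; the registrable-domain approximation is an assumption noted in the code.

```python
from email.utils import parseaddr

# Constructed set of domains this organization legitimately exchanges mail with (not from the post).
TRUSTED_DOMAINS = {"example-partner.com", "contoso-labs.net"}
# The substitute TLDs the post says Exotic Lily used in place of the real one.
OBSERVED_SWAP_TLDS = {"us", "co", "biz"}


def registrable(domain):
    """Approximate the registrable domain as the last two labels.
    Fine for .com/.net style names; two-part suffixes such as .co.uk would need a public-suffix list."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return labels[-2], labels[-1]


def tld_swap_verdict(from_header):
    """Compare the From: domain with the trusted set.
    Returns 'trusted', 'tld_swap', 'unknown' or 'invalid'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    parts = registrable(addr.rsplit("@", 1)[1])
    if parts is None:
        return "invalid"
    name, tld = parts
    for trusted in TRUSTED_DOMAINS:
        t_name, t_tld = registrable(trusted)
        if name == t_name:
            # Same second-level label: genuine if the TLD matches, look-alike otherwise.
            return "trusted" if tld == t_tld else "tld_swap"
    return "unknown"


def scan_headers(headers):
    """Run the check over a batch of From: headers and return only the look-alikes,
    noting whether the TLD is one of those the post attributes to Exotic Lily."""
    hits = []
    for h in headers:
        if tld_swap_verdict(h) == "tld_swap":
            tld = parseaddr(h)[1].rsplit(".", 1)[1].lower()
            hits.append((h, "observed Exotic Lily TLD" if tld in OBSERVED_SWAP_TLDS else "other TLD"))
    return hits


# Constructed sample headers for the demonstration.
SAMPLE_FROM = [
    "Jane Doe <jane.doe@example-partner.com>",
    "Jane Doe <jane.doe@example-partner.us>",
    "Procurement <bids@mail.contoso-labs.biz>",
    "Procurement <bids@contoso-labs.io>",
    "Newsletter <news@unrelated.org>",
]
```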

Using such spoofed accounts, the attackers would send spear phishing emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project’s design or requirements.

IOCs

SHA-256 hashes of the BazarLoader ISO samples:

  • 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
  • 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
  • c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

SHA-256 hashes of the BUMBLEBEE ISO samples:


IP address of the C&C server:

  • 23.81.246.187

Stay safe, everyone!

The post Meet Exotic Lily, access broker for ransomware and other malware peddlers appeared first on Malwarebytes Labs.

Beware of this bogus (and phishy) “Instagram Support” email

Recently, a fake Instagram email successfully bypassed Google’s email filters and made it into hundreds of employee inboxes used by a prominent US life insurance company based in New York.

This was revealed in a report by Armorblox, a cybersecurity company specializing in stopping business email compromise (BEC) campaigns. According to its threat research team, the spoofed email originated from “lnstagram Support” with the email address membershipform@outlook.com.tr. The “l” you see in “Instagram” is actually a lowercase letter “L”. It wouldn’t have been obvious—if not for Gmail automatically capitalizing the first letter of a sender’s name—as you can see from the screenshot below.

Clearly, threat actors have layered their campaign with a number of known fraud tactics, one of which is using a homoglyph (or homograph), making this a good example of a homograph attack, as well.

A homograph attack is a method of deception in which threat actors take advantage of characters that look the same. In this case, a lowercase “L” looks the same as an uppercase “i”.
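An added example, not part of the post or of Armorblox’s tooling, of the check a mail filter could apply to the display name: fold look-alike characters (the post’s lowercase L standing in for a capital I among them) and flag a sender whose folded name contains a brand while the address is not on that brand’s domain. The BRANDS table and the confusable pairs beyond l/I are assumptions made for the demo.

```python
from email.utils import parseaddr

# Brands users might be phished as, with the domain a genuine sender would use.
# Constructed for the example; the post only covers Instagram.
BRANDS = {"instagram": "instagram.com", "paypal": "paypal.com"}

# Single-character ASCII look-alikes. The post's case is a lowercase L standing in for a capital I;
# the remaining pairs are common substitutions added for the example.
_CHAR_MAP = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})


def skeleton(text):
    """Fold text so that visually similar spellings collapse to the same string."""
    folded = text.casefold().replace("rn", "m").replace("vv", "w")
    return folded.translate(_CHAR_MAP)


def check_sender(from_header):
    """Flag a display name that impersonates a brand while the address is not on the brand's domain.
    Returns None when nothing is suspicious, else a dict describing the match."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].casefold()
    name_skel = skeleton(name)
    for brand, real_domain in BRANDS.items():
        if brand not in name_skel:
            continue  # display name does not resemble this brand even after folding
        if domain == real_domain or domain.endswith("." + real_domain):
            continue  # brand name used from the brand's own domain: legitimate
        return {
            "brand": brand,
            "domain": domain,
            # True when the brand only appears once look-alikes are folded, i.e. a homoglyph was used
            "homoglyph": brand not in name.casefold(),
        }
    return None
```

The sender from the post, “lnstagram Support <membershipform@outlook.com.tr>”, is flagged with homoglyph set to True; the same display name sent from a real instagram.com address is not.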

The fake “Instagram Support” email that appeared to have targeted employees of a New York-based insurance firm. (Source: Armorblox)

The initial scam email reads in full:

FROM: Lnstagram Support <membershipform@outlook.com.tr>
SUBJECT: Instagram Support
MESSAGE BODY:
You have been reported for sharing fake content in your membership. and approved by us.
You must Verify your membership. If You Can't Verify Within 24 Hours
Your membership will be permanently deleted from our servers.
You can continue by pressing the Verify button to verify your membership.

The phishing email tells the recipient that their Instagram account has been reported for spreading fake or false information, which nowadays is not unheard of and is considered a serious breach of Instagram’s Terms of Service. The scammers then push the recipient to verify their “membership” within 24 hours, or else their Instagram account will be deleted. Incorporating a sense of urgency is a scam red flag because it aims to get users to act first and think later, when it’s too late.

Clicking the verify button takes users to a Google Sites page instead of the actual Instagram page—another red flag. Here, users are then asked for their credentials as a requirement for verification.

Clicking the Verify button here again directs users to the actual phishing page, as you can see below (Source: Armorblox)
Note that the rhetoric has now shifted from the victim being a fake news proponent to a copyright law-breaker. (Source: Armorblox)

The phishing site also offers up some fraudulent text that can make the whole process feel more official. The text from the phishing site is as follows:

We have received numerous complaints that you violated our copyright laws regarding your account. If you do not give us feedback, your account will be removed within 24 hours. If you think this is wrong, please verify your information below. We ask for this information because we cannot verify that you are the real owner of your account.

Be on the lookout, dear Reader, for this or similar campaigns that might land in your work inbox in the future. We always advise caution when dealing with emails—both unsolicited ones and those claiming to come from inside the organization—especially those that want something from you and pressure you to act quickly “or else”. If you’re unsure whether an email is a phish, ask your colleagues or contact the person who sent it via other means. Better safe than sorry, as they say, because one small slip-up is all it takes for an entire organization to get compromised. After all, big attacks do start small.

Stay safe!

The post Beware of this bogus (and phishy) “Instagram Support” email appeared first on Malwarebytes Labs.