IT NEWS

KONNI evolves into stealthier RAT

This blog post was authored by Roberto Santos

KONNI is a Remote Administration Tool that has being used for at least 8 years. The North Korean threat actor that is using this piece of malware has being identified under the Kimsuky umbrella. This group has been very busy, attacking political institutions located in Russia and South Korea. The last known attack where KONNI Rat was used was described here.

We found that KONNI Rat is being actively developed, and new samples are now including significant updates. In this blog post, we will cover some of the major changes and explain why the security community should keep a close eye on it.

Simplified Attack Chain

The attack usually starts leveraging a malicious Office document. When this document is opened by the victim, a multistage attack is started, involving various steps. But these steps are just the way that the attackers manage to accomplish tasks to elevate privileges, evade detection and deploy required files. As we described in a previous blog post, the attack chain could be summarized in the following diagram:

attackchain.drawio
Simplified attack chain

The attack usually starts leveraging a malicious Office document. When this document is opened by the victim, a multistage attack is started, involving various steps. But these steps are just the way that the attackers manage to accomplish tasks to elevate privileges, evade detection and deploy required files.

The final goal of the attack is installing what is called KONNI Rat, which is a .dll file supported by an .ini file. In a nutshell, the .dll file contains the functionality of the RAT, and the .ini file contains the address of the first C&C server. KONNI Rat’s general behavior remains almost the same as previous versions, but there are changes we will cover below.

Rundll no longer supported

In previous KONNI Rat samples there were two branches. One handles if the malware was launched using a Windows service, and the other handles the execution through rundll. The next image shows these two old branches, with the strings svchost.exe and rundll32.exe visible:

Untitled 2
Old main function showing svchost.exe and rundll32.exe strings

However, new samples will not show these strings. In fact, rundll is no longer a valid way to execute the sample. Instead, when an execution attempt occurs using rundll, an exception is thrown in the early stages.

Untitled 3
Exception produced by a rundll execution

In early stages of our analysis, we thought that they were using the classic process name check, or any other usual technique. The reality is far simpler and brilliant; the actual export just implements the SvcMain prototype so the program will break at some point when accessing one of the arguments.

In the previous image we see the state of the machine at the moment that this exception is thrown. RDI at that point should contain a pointer to the service name. The exception happens because the Service Main function meets one prototype and rundll32 will expect another different prototype:

VOID WINAPI SvcMain( DWORD dwArgc, LPTSTR *lpszArgv )

VOID WINAPI runnableExport(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)

Basically, at some point of the execution, hinst will be treated as lspzArgv, causing the exception. But why did the attackers delete that functionality? There are multiple benefits.

First of all, we have not seen any recent attack that used rundll. In fact, the only way that the attackers launched KONNI Rat in recent campaigns involves registering a Windows service. So the rundll32 branch wasn’t being used in real world attacks.

But there is another big reason in how sandboxes will fail in collecting the real behavior of the sample, as it just cannot execute that way.

Strings are now protected using AES

Multiple malware families protect their strings in order to defeat most basic string analysis. KONNI wasn’t an exception, and also used this technique. Old samples were using base64 for obfuscation means. Also, they were using a custom alphabet. This custom alphabet was changed from time to time in order to make the decoding task more difficult:

Untitled 4
Old Konni samples included their custom base64 alphabet followed by the obfuscated strings

Now, the attackers made a major change in that regard by protecting the strings using AES encryption. The algorithm followed by new Konni RAT samples could be represented as follows:

encryption.drawio
New KONNI samples now uses AES encryption for string protection

The reason behind that change is clear. As the key used for decryption is the service name, samples run by different service names will not work properly. Moreover, having only the sample without knowing the service name becomes useless, as these strings contain core information about the sample behavior.

Files are also protected using AES

KONNI Rat makes use of various support files when it is executed. One of these files is the .ini file, which contains the primary C&C server, but there are others like the .dat file that is supposed to be dropped eventually, and temporal files that are used to send some basic information about the computer.

Our tests reveal that all of these files are dropped and protected using AES. Cleverly, they reused the algorithm used for string protection, making the file layout identical to the protected strings layout, as they appear in raw memory:

filelayout.drawio
New KONNI samples now uses AES encryption also for file protection

As can be seen from the diagram, the file itself contains the IV and the encrypted data. The key used is extracted from its original filename. In some cases, the names match with the service name, so the keys used in the .ini and the .dat files are the result of applying a SHA256 to the service name as well.

Also, files sent to the C&C server are protected using AES. The IV is generated using a QueryPerformanceCounter API CALL. Filenames are generated concatenating 2 letters that represent the data with the current timestamp, followed by the extension. Furthermore, they will use this newly generated name as AES key, so they send this name through the request to the C&C server.

Untitled 25
Fragment of request about to be sent to the server

In that regard, as the filename is generated automatically using the timestamp, identical files will produce different request contents, as they were encrypted using that filename. Network signatures could also fail to detect the malicious activity, due to that.

Other obfuscation techniques

As we found some samples that were protected just by the means that we described before, we also have found others that were making use of an unidentified packer. We would like to share some of our notes regarding that packer, as others could find it useful in identification and attribution tasks.

Contiguous instruction obfuscation

The flow of the obfuscated program will make use of series of push-call pairs of instructions, where the pushed values will indicate the actions that the program will take. An image can better explain that:

untitled13
Push – Call series

In particular, we find it interesting that the attackers have placed random bytes between these pairs. This silly trick causes wrong code interpretation for decompilers that will assume that bytes after the push instruction are part of the next instruction. The image below shows how IDA fails in analyzing the code:

Untitled11
Same code as before, showing how IDA won’t represent the real code

Obfuscated program flow

The used packer will obfuscate the original program flow. This is accomplished in various steps. The first required step is to find the Image Base value, placed in a fixed location and the RIP (Instruction Pointer) value.

Untitled 44
EBX will save the RIP value

Once the packer knows these two values, it will start jumping from one place to another, making analysis harder. For that, it will store in some register value of the next address to jump in registers. The value of these registers is calculated right after the jmp instruction, using structures like POP [reg] – JMP [reg] or ADD [reg1, reg2] – JMP [reg1]. Note that decompilers will fail in displaying the real flow, as the jumping address is determined by a somehow undefined register.

Untitled 55
Obfuscated code showing a final jmp to RBX

The combination of these simple techniques ends in the packer being now in control of the flow, but statically the decompiler cannot represent the path that the code will follow. Finally, the packer will execute a big amount of junk instructions and eventually will execute the real interesting code. For instance, the original code will take no more than 20 instructions between GetProcAddress calls in IAT building tasks. but the packed code executes more than 30,000 instructions.

According to our threat intel data, most recent attacks are not making use of that packer anymore.

Conclusion

As we have seen, KONNI Rat is far from being abandoned. The authors are constantly making code improvements. In our point of view, their efforts are aimed at breaking the typical flow recorded by sandboxes and making detection harder, especially via regular signatures as critical parts of the executable are now encrypted.

Malwarebytes users are protected against this attack.

Untitled 14 1

IOCs

A3CD08AFD7317D1619FBA83C109F268B4B60429B4EB7C97FC274F92FF4FE17A2
F702DFDDBC5B4F1D5A5A9DB0A2C013900D30515E69A09420A7C3F6EAAC901B12

The post KONNI evolves into stealthier RAT appeared first on Malwarebytes Labs.

New DazzleSpy malware attacks macOS

DazzleSpy, a piece of malware that attacks macOS, was discovered last fall by researchers at ESET, and now those researchers have released more detailed findings.

DazzleSpy, according to the researchers at ESET, was being spread via watering hole attacks via pro-democracy websites in China. It infected machines using a combination of two vulnerabilities, one in WebKit (the framework that powers Safari) and one in macOS (a privilege escalation vulnerability).

Now, if this sounds familiar, it’s because you’ve been paying attention—this is exactly the same technique as that used by the CDDS (aka Macma) malware that was described by Google in November, even down to spreading through Chinese pro-democracy sites.

The new malware got a foothold via CVE-2021-1789, exploited via a JavaScript file named mac.js loaded by the malicious site. This led to the in-memory execution of native Mac code, which exploits CVE-2021-30869 to gain root privileges. With this high level of privileges, the malware drops its payload onto the machine.

That payload is a very full-featured backdoor, providing the attacker the capability to run any arbitrary command on the infected Mac, start a remote screen viewing session, download files from the Mac, steal the keychain, send synthetic mouse clicks, etc. The full list of capabilities is a bit different than what Google described for CDDS, but it’s important to keep in mind that arbitrary shell command execution is an extremely powerful capability. Although the DazzleSpy implant doesn’t directly support taking screenshots, for example, that’s not hard to do via the screencapture command in the shell.

Decompiled function for sending a mouse event

Are CDDS and DazzleSpy the same?

These two pieces of malware are quite different. The code is very different, and the capabilities are different. They’re also very different in terms of what gets installed. CDDS, for example, distributes multiple executable files across a couple different folders, while the DazzleSpy payload is a single, smaller file (which may optionally also install the open-source KeySteal exploit on older systems, in order to steal keychain data).

Thus, there’s little doubt that these are distinctly different malware, written from different code bases.

However, since both were distributed through the same two macOS vulnerabilities, through pro-democracy websites in China, it’s highly likely these are made by the same folks. The most likely scenario is that this is Chinese government malware, being used for the purpose of tracking democracy advocates.

Why there would be a need for two different pieces of malware is unclear. Perhaps there was some dissatisfaction with the CDDS code, so new malware was written. Perhaps both were run concurrently to see which performed better. Perhaps it’s part of a plan to change the code periodically as a means of avoiding detection.

Then again, perhaps the similarities in usage don’t actually indicate anything at all.

Can we blame the Chinese government?

Attribution is hard, and it’s very difficult to say where a particular malware sample originated without a lot of corroborating data. For example, threat actors have been known to insert Chinese- or Russian-language strings into executables in an attempt at misdirection.

However, there’s a long history of suspected Chinese government use of malware to track oppressed groups, spanning many years. To cite one example, a very similar case occurred in early 2012, in which two different pieces of malware were discovered using Java vulnerabilities to infect Macs. Tibet (aka MaControl), discovered in March 2012, and Sabpab, discovered in April 2012, were both used to target Tibetan activists, at a time when Tibetan protests of Chinese government oppression were at a peak.

In the case of DazzleSpy, the presence of Chinese strings in the executable are far from incontrovertible evidence of Chinese government involvement. The pattern of usage, though, makes it extremely likely.

Mac malware gets an early start in 2022

DazzleSpy is actually not the first new Mac malware to appear so far this year, despite the fact that it’s only January. SysJoker coverage appeared a couple weeks before. Discovered by Intezer during an investigation into a Linux server infection, this was the official first Mac malware of 2022. However, there are some questions about whether this is actually in the wild – questions that are borne out by the lack of any detections at all in the wild. This may have been a proof-of-concept for Mac that hadn’t actually been released yet. (Malware creators sometimes upload early builds of their malware to VirusTotal, to see if any antivirus engines detect them, which can lead to discovery of those pre-release programs by researchers.)

It’s too early to make any assumptions about what this means for malware in 2022, though. It’s not uncommon for Mac malware research to follow a pattern of multiple discoveries early in the new year, followed by less frequent discoveries as the year continues.

Conclusion

If you have visited a pro-democracy Chinese website and think you might be infected, run a scan with Malwarebytes. It will detect this as OSX.DazzleSpy.

Alternately, you can also look for it manually. The items you’re most likely to see are:

/var/root/Library/LaunchAgents/com.apple.softwareupdate.plist
/var/root/.local/

This plist file and the .local folder are created by the malware when run as root, and the vulnerabilities used to drop the malware do involve root escalation. This is also a good place to drop these files, as it’s a location you cannot view within the Finder. You can only access the contents of /var/root/ by using something that operates as the root user, such as sudo on the command line.

However, it’s also possible the malware could get dropped into the user folder, in which case you’ll see these paths instead:

~/Library/LaunchAgents/com.apple.softwareupdate.plist
~/.local/

The post New DazzleSpy malware attacks macOS appeared first on Malwarebytes Labs.

Windows Update has changed over the years. Here are 25 group policies to avoid

Microsoft has published a list of 25 group policies that administrators should not use in Windows 10 and Windows 11 as they do not provide optimal behavior or cause unexpected results.

Since November 2015 when Windows 10 was first introduced, there have been many changes and some of them have caused Windows Update policies to interfere with performance, while others have been replaced with different versions.

Microsoft has identified which older policies have become irrelevant or replaced with a better option. The policies in this article are all more or less tied to Windows updates. Notifications, the ability to dictate the behavior of update downloads, installation, and restarts, and the settings experience have all shifted dramatically from what was originally released in the early Windows 10 versions.

This posting from Microsoft helps bring clarity to many years of frustration experienced by IT admins and Windows enthusiasts that wanted or needed to control the Windows Update experience.

As Alex Smith, Technical Product Manager at Malwarebytes, puts it:

“I am happy to see Microsoft finally clear the air on Group Policies for Windows Update. IT admins and Windows enthusiasts like myself have been frustrated trying to control the Windows Update experience on managed devices for years. At times, we questioned our technical sanity since the results wouldn’t align with the group policies being used. Now, that will be a thing of the past.”

Group policies

Administrators can work with Group Policy Objects (GPO) to customize a computer’s functions and the user experience. Designed to be used mostly by network administrators, group policies define what specific users or a group of users can do on machines in their network, restricting or allowing features as necessary.

Where can I find the policies?

To change the Group Policies’ settings you will typically use the Group Policy Editor. The Group Policy Editor is a utility that allows you to configure Group Policy settings for a Windows PC or a group of PCs. Note that this is only available for Windows Pro versions.

Probably the easiest way to open the Group Policy Editor is by using search in the Start menu. First, click the Start button, and when it pops up, type gpedit and hit Enter when you see an entry called Edit Group Policy in the list of results.

Windows 11

To make life easier for Windows 11 users, Microsoft created a sub-folder under Windows Update to specify Legacy Policies. Please note that these sub-folders are only available in the Windows 11 ADMX templates. ADMX files are XML‑based administrative template files, that are language‑neutral and support multilingual display of policy settings. Microsoft Windows manages ADMX files from the central store that is a central location in the domain.

While admins need to select an OS-specific set of ADMX files for the central store, Microsoft has provided a method that admins can use to manage the policies for the other operating systems in their environment.

Deprecated policies

You can find the complete list of deprecated policies and suggested replacements in Microsoft‘s article. This list shows which policies are not recommended, why they are not recommended, and how to get the same or similar behavior with either default settings or recommended policies. This list can really help Windows administrators to review their existing group policy configurations and replace outdated policies with newer variants that provide more control and expected behavior.

A quick overview was provided in a tweet by Aria Carley (@ariaupdated) who wrote the article.

The post Windows Update has changed over the years. Here are 25 group policies to avoid appeared first on Malwarebytes Labs.

A week in security (January 17 – 23)

Last week on Malwarebytes Labs:

Stay safe!

The post A week in security (January 17 – 23) appeared first on Malwarebytes Labs.

Microsoft is now disabling Excel 4.0 macros by default

Back in October 2021, Microsoft announced in an email to customers that it planned to disable Excel 4.0 macros by default to protect customers from malicious documents.

Last week—after three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros—Microsoft made the change.

Good news

Excel 4.0 macros, aka XLM macros, were first added to Excel in 1992. They allowed users to add commands into spreadsheet cells that were then executed to perform a task. Unfortunately, we soon learned that (like any code) macros could be made to perform malicious tasks. Office documents have been a favorite hiding place of malicious code ever since.

In July 2021, Microsoft released a new Excel Trust Center setting option to restrict the usage of Excel 4.0 (XLM) macros. As planned, this setting is now the default when opening Excel 4.0 (XLM) macros.

Administrators also have the option to completely block all XLM macro usage (including in new user-created files) by enabling the Group Policy, “Prevent Excel from running XLM macros”, which is configurable via Group Policy Editor or registry key.

Backward compatibility

For backward compatibility reasons the feature was never removed, despite being superseded by Visual Basic for Applications (VBA) just one year after XLM macros were introduced.

I understand the argument in favor of keeping it back then, but why keep it enabled by default for so long after, when so few people use it? Microsoft could have made it so that those that needed Excel 4.0 macros had to turn the feature on, and the rest of us (the overwhelming majority of Excel users) could have been more secure without having to remember to turn it off.

Will you miss it?

It is very, very unlikely you will miss Excel 4.0 macros. XLM was the default macro language for Excel through Excel 4.0, but beginning with version 5.0, Excel recorded macros in VBA by default, although XLM recording was still allowed as an option. After version 5.0 that option was discontinued. All versions of Excel are capable of running XLM macros, though Microsoft discourages their use.

Now—almost 30 years after they were made obsolete—it’s fair to stay that the biggest users of Excel 4.0 macros are probably malicious threat actors.

Abuse cases

Attackers have always liked Office macros because they provide a simple and reliable method to spread malware using legitimate features, and without relying on any vulnerability or exploit. XLM macros have been used to drop many well-known malware families, including ZLoader, TrickBot, BitRat, QBot, Dridex, FormBook and StrRat, among others.

But this does not mean that now all documents are safe to open now. Malware authors are moving on to use other vulnerabilities like CVE-2017-11882.

Security over backward compatibility

Despite the shared joy about this security enhancing rollout, it raises the question of when security should overrule backward compatibility? Microsoft must have better things to do than fix obsolete features from the past century.

Wouldn’t it have been preferable if the step up to VBA in 1993 had been less steep, so we could all forget about 4.0 and move on to the latest version without having to look over our shoulder? Or perhaps Microsoft could have disabled this potentially dangerous feature decades ago and left it to those who actually wanted it to turn it back on?

If history has taught us anything, it’s that the incentive to enable something you need is a lot stronger than the incentive to disable something that might be potentially dangerous.

Stay safe, everyone!

The post Microsoft is now disabling Excel 4.0 macros by default appeared first on Malwarebytes Labs.

Warning issued over tampered QR codes

Avid readers of the Malwarebytes Labs blog will be well aware of QR code scams.

Take, for example, that QR code scam in the Netherlands that victimized at least a dozen (and definitely more) car owners. It went like this: Someone approaches you and says they want to pay for their parking but can’t find payment terminals that accept cash. They then ask you to kindly pay on their behalf—say, $5 USD—by scanning a QR code with their bank’s app after they hand you the money. Sadly, that ends up with you parting with a lot more than $5.

And then last week, the Austin Police Department in Texas released a scam alert on Twitter about “pay-to-park” scams involving a QR code that directs users to a phish.

Now, the FBI has released a public service announcement (PSA) about criminals using malicious QR codes.

Be extra vigilant when faced with a QR code

QR codes provide contactless access to a product or service, and they’ve proven useful and very convenient especially with the pandemic still ongoing. The problem is that there’s no way of distinguishing between a genuine code and a malicious one. Cybercriminals know this too and have capitalized on it.

“Cybercriminals tamper with both digital and physical QR codes to replace legitimate codes with malicious codes,” notes the FBI alert. “A victim scans what they think to be a legitimate code but the tampered code directs victims to a malicious site, which prompts them to enter login and financial information. Access to this victim information gives the cybercriminal the ability to potentially steal funds through victim accounts.”

QR codes can also be embedded with malware. Once scanned, the malware can be dropped onto the device and executed. Depending on the malware, criminals could steal personal and financial information (if you bank using your smartphone) from you, make your device part of a botnet, or spy on you.

Criminals can also replace legitimate QR codes in establishments to mislead users and direct them to a potentially malicious site. In certain cases where a contactless way of paying is available but does not use QR codes, it would be easy for criminals to just add their QR code sticker and make users believe that they should scan it.

This is exactly what happened in the fraudulent “pay-to-park” scheme.

7HWG6XUL7RH47CUB6XMT2I4ZAI
Anyone looking at this parking meter in Austin, Texas has their attention directed to a QR code sticker at the bottom right of the “Pay by App Parking” service ad, which encourages car owners to download an app to easily pay for parking. This QR code makes it look like users are supposed to scan it in order to download the app. (Source: KPRC Click2Houston)

How to protect yourself from QR code scams

The FBI has recommended the following steps that users should keep in mind:

  • Check the URL to ensure you’re being directed to a site where you’re supposed to be directed once you scan a QR code. Watch out for misspellings in the URL.
  • When you see a QR code in a shop and want to scan it, make sure you check for signs of tampering, such as a sticker over the QR code itself.
  • Download an app from your go-to app store, not from a QR code.
  • Use the built-in scanner through your smartphone’s camera to scan for QR codes. There is no need to download another one from the app store as there are fake QR code scanners, too.
  • If you receive a QR code either in the mail or sent to you by a friend, get in touch with them first and verify if they have indeed sent you the code.
  • If you can, avoid making payments via a QR code. There are better and more secure ways of paying.

Stay safe!

The post Warning issued over tampered QR codes appeared first on Malwarebytes Labs.

Discord scammers go CryptoBatz phishing

It’s not been a great couple of weeks for people looking to get in on NFTs. Missing apes, rug-pulls, it’s all go in non-fungible token land. The latest mishap has come to light, in the shape of bad planning and the slowly shifting impermanence of link ownership.

Rockstar Ozzy Osbourne announced “CryptoBatz” just a week or so ago. Whoever put the marketing campaign together deserves some sliver of credit for self-consciously poking fun at aspects of NFT culture in the promo video.

“He started thinking, started working…locked away in his library for weeks working on something big. He teamed up with a company called Sutter Systems. Their mission was to create an NFT project that wasn’t another celebrity rug pull.”

Well, they didn’t end up with a rug pull but they did end up with an accidental phish-ball rolling unstoppably downhill. But how?

Minting some Batz

Close to 10,000 digital NFT bats were supposed to be put up for grabs on an NFT marketplace. The bats reference a rather infamous moment in Osbourne’s career, and allow the owner to “breed” them with NFT images from other collections. A bit like Pokemon on the blockchain, perhaps.

As with any NFT project looking to gain leeway with the general public, it has a Discord server. There’s a good chance pretty much any digital project has a similar setup, and this is nothing unusual. However, things started to go wrong in a hurry – and it’s all down to the CryptoBatz Discord.

Discord in Discord Land

Not long after the bats went on sale, people started to complain about phishing links from official sources. Could it be true? Had this somehow turned into an incredibly bizarre rug-pull? The answer is no. It was something much more mundane.

The CryptoBatz project had, at some point, changed at least one of the URLs it was working with. They switched out the old Discord vanity URL for a new one, but didn’t delete old tweets containing the now outdated URL. Can you guess what the scammers did?

As per the above tweet, the scammers set up a new Discord server using the old CryptoBatz vanity URL. As potential victims naturally came across tweets with the old link in it, they were then directed to the (bogus) Discord server.

From there, it’s a short step to having their cryptocurrency wallets connected to things they shouldn’t be. End result: drained wallets, lost funds, CryptoBatz everywhere.

The financial impact of a cryptocurrency phish

According to this Verge article, the scammers made off with quite a bit of bank. Transactions to the tune of around $40,000 were sent to a digital wallet containing “more than $150,000”. The team behind the project claim they’re not responsible for “scammers exploiting Discord”, though it’s hard to argue against them having simply deleted outdated links in the first place. No links, no scam able to take place.

All the same: the back and forth doesn’t really help the victims. Even a project fronted by known entities can easily wander into a bad NFT situation, an area of digital business where it’s all a bit Wild West by default.

I suppose we must now add “Always check the most up-to-date link on any social feed related to NFT sales” to the growing list of tips to avoid gracing your digital wallet with an Electric Funeral.

The post Discord scammers go CryptoBatz phishing appeared first on Malwarebytes Labs.

Dark Souls servers taken offline over hacking fears

There’s been trouble brewing over the weekend for players of the smash-hit Dark Souls series. PvP (player vs player) servers were temporarily shut down by the developers after a hack.

Dark Souls says that PvP servers for console versions (PlayStation, Xbox) were not affected, and that it is a PC-centric issue.

What happened?

It all begins with a popular streamer playing a Souls game in PvP mode. You can view a recording of the stream here (warning: the language is not safe for work). The stream changes very unexpectedly. It switches from regular gameplay to a meme image which includes character Thanos and the words “oof my game crashed”.

On top of that, Text to Speech voice kicks in and begins a long ramble aimed at the streamer. You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. Someone had gained control of his PC, mid-stream, to crash his game and autoplay the synthesised speech.

Dark Souls players have run into hacking related problems before, and, as a result, player-created tools like anti-cheat system Blue Sentinel are incredibly popular. Even so, it couldn’t help with this particular “attack” when it came to attention.

Spreading the word

The majority of information bouncing around the player base came from notices in relevant gaming Discord servers, like so:

Hey everyone, it’s come to our attention that a Remote Code Execution (also known as RCE) exploit has emerged for Dark Souls III on PC. This means that potentially malicious players connected to your game may be able to execute code by sending information to your game that directly affects aspects of your operating system. This can lead to sensitive information leaks, including but not limited to: installation of malicious programs such as keyloggers or viruses, theft of account information or login tokens, and access to other sensitive information such as banking info or other things that may be stored on your computer.

We’ve referenced the program Blue Sentinel, a community-made program that serves as a third-party anti-cheat in the past for issues like this; however, it has apparently been made known that RCE can bypass Blue Sentinel. For this reason, it is recommended that if you play Dark Souls III on PC, you may want to stay offline until a further development is made against this exploit. If you still really want to play online, know that there is still a risk of the aforementioned effects, and it would still be recommended to do some research into the Blue Sentinel mod to see if it can help with anti-cheat effects.

This rapid-response spread of information, along with the developers/publisher being made aware of it in public led to Sentinel being updated to ward off the RCE.

Do you need to worry about this?

Talk of remote execution is always scary. You don’t want someone potentially having the ability to do whatever they want to your system. However, the impact from this code-related shenanigan seems to have had an incredibly limited impact. That is to say, the one single streamer from the above video.

It’s claimed whoever first discovered the ability to do this tried to get the developer’s attention and disclose responsibly. It’s also claimed that they didn’t get very far. From a Reddit thread:

I’ll try and clear things up: A person who isn’t malicious discovered a new RCE method, and tried to contact From about it through multiple channels. They ignored him. In an attempt to raise awareness to it so that it would be fixed (as this is a SEVERE security flaw), he did a live benign showcase on stream. It didn’t “leak”. Nobody has it beside him.

If this is accurate, then it’s reassuring with regards to potential spread. At this point, there doesn’t appear to be any reports of it happening outside the gaming stream. Even so, someone could’ve conceivably discovered it separately. There’s also concerns upcoming title Elden Ring could be affected as it apparently shares a lot of code with the older games.

Either way, developer From Software is on the case and the issue is being addressed. More information will probably be revealed over the next few days. If you’re worried, playing offline and running Blue Sentinel is likely your best bet until the fixes are confirmed to solve the problem.

The post Dark Souls servers taken offline over hacking fears appeared first on Malwarebytes Labs.

Segway store compromised with Magecart skimmer

In the early 2000’s, the Segway company released a personal transporter that would become iconic. The Segway Human Transporter was quickly sold on Amazon and featured in a number of movies.

Since 2015, Segway has been a subsidiary of Chinese-based company Ninebot and sells electric scooters under the Ninebot brand. By 2020, a number of changes in personal transportation forced the company to halt the production of its famous Segway PT.

Our web protection team recently identified a web skimmer on Segway’s online store. In this blog, we will review the attack and tie it back to a previous campaign that is attributed to Magecart Group 12. We already have informed Segway so that they can fix their site, but are publishing this blog now in order to raise awareness.

Magecart-style attack

Stefan Dasic, from our web protection team, identified a connection to a known skimmer domain (booctstrap[.]com) loaded by the Segway store. This domain has been active since November and is connected to a previously documented campaign sometimes referred to as “ant and cockroach”.

The hostname at store.segway[.]com is running Magento, the popular Content Management System (CMS) used by many e-commerce sites and also a favorite among Magecart threat actors. While we do not know how Segway’s site was compromised, an attacker will usually target a vulnerability in the CMS itself or one of its plugins.

image 6
Figure 1: Malwarebytes blocks an attack while shopping on Segway’s website

Based on urlscanio data, the website was compromised at least since January 6th. Malwarebytes was already blocking the booctstrap[.]com domain and its hosting server at 185.130.104[.]143 since November. Looking at our telemetry, we can see that the number of blocks (attacks prevented on our customers’ machines) also goes up around the January 6th mark.

image 1
Figure 2: Number of blocks for skimmer domain based on Malwarebytes telemetry

The top 5 countries exposed to this skimmer, based on our telemetry data, are:

  • United States (55%)
  • Australia (39%)
  • Canada (3%)
  • UK (2%)
  • Germany (1%)

Favicon campaign

A fairly long but innocuous piece of JavaScript disguised as ‘Copyright’ is responsible for dynamically loading the skimmer such that it will not be visible by looking at the HTML source code.

image 2
Figure 3: Code snippet featuring the skimmer loader injected into Segway site

Instead, if we check the code via the browser’s debugger we can see how the URL is constructed:

image 4
Figure 4: Skimmer URL revealed by debugging its loader

The threat actors are embedding the skimmer inside a favicon.ico file. If you were to look at it, you’d not notice anything because the image is meant to be preserved. However, when you analyze the file with a hex editor, you will notice that it contains JavaScript starting with an eval function.

image 5
Figure 5: Actual skimmer hidden inside an image saved as a favicon

There is a lot that has been written about this skimmer and the threat group behind it. Sucuri’s Denis Sinegubko covered it and Jordan Herman from RiskIQ also wrote about the numerous ties it shares with a number of incidents that can attributed to Magecart Group 12.

The compromise of the Segway store is a reminder that even well-known and trusted brands can be affected by Magecart attacks. While it usually is more difficult for threat actors to breach a large website, the payoff is well worth it.

Malwarebytes customers were already protected thanks to our website shield available in Malwarebytes for Desktop as well as our Browser Guard extension.

The post Segway store compromised with Magecart skimmer appeared first on Malwarebytes Labs.

Data Privacy Day: Know your rights, and the right tools to stay private

Not all data privacy rights are the same.

There’s the flimsy, the firm, the enforceable, and the antiquated, and, unfortunately, much of what determines the quality of your own data privacy rights is little more than your home address.  

Those in Chile, for example, enjoy a globally rare constitutional right to data protection, and if any Chilean feels their rights have been disturbed or threatened, they can file a “Constitutional Protection Action.” People in the European Union and the United Kingdom enjoy strong data protections because of the General Data Protection Regulation, the sweeping data privacy law which gave the public many new rights in 2018, including a “right to access”—which allows an individual to ask a company to hand over all the data it has collected on them—and a “right to erasure,” which allows a person to ask that company to delete that data. In Germany, already  covered by GDPR, the newly-agreed-upon government is reportedly considering the addition of a “right to encryption,” which, depending on how it is defined, could be the first of its kind, and a much-needed defense against other international efforts, like in Australia, to weaken encryption through regulation. That anti-encryption thrust is not too different in America, where federal law enforcement officials have repeatedly blamed strong encryption as one of the largest reasons that they cannot stop crime before it happens.

Speaking of America, the variety in data privacy rights around the world applies just as well to the country itself: People who live mere miles apart enjoy wildly different data privacy protections because, in the absence of a comprehensive, federal data privacy law for all Americans, individual states have passed data privacy laws for their residents and their residents alone.

This segmented, legislative push has created a patchwork quilt of privacy in the country. In its most north-eastern reaches, those east of the Salmon Falls River—which serves as a dividing line between Vermont and Maine—are protected from having their Internet Service Provider (ISP) sell, share, or grant access to their data without their specific approval. Those west of the river, however, have no such protection. And Californians, separately, have the fortune of data privacy protections similar to those included in GDPR, but their neighbors in Arizona, Utah, and Oregon are without luck.

This is the frustrating state of data privacy rights today, but you have a role to play to make it better.

Thankfully, in many countries around the world, the public can still use online tools to protect their own data privacy. No legal regime to worry about, no case law to be cited. Just user choice.

So, want to hide your internet activity specifically from your ISP, or from eavesdroppers while you’re connected to a public, unprotected network? Use a VPN. Want to gain even more privacy and send your Internet traffic through a few layers of encryption? Use the TOR network and its related browser. Want to stop invasive ad tracking? Use a more private-forward browser or download a devoted browser extension. Want to hide your online searches? This one is easy—use a private search engine.

This Data Privacy Day—which we are celebrating for the whole week— don’t limit yourself to just the data privacy rights you’re given by your country or state. Instead, broaden and deepen your own data privacy by finding out which of the many data privacy tools is right for you.

The tangled web of US data privacy rights and laws

In the United States, there is no federal law protecting all types of data for all Americans.

Instead, the national data rights that every American enjoys are purely sectoral—isolated, industry-specific protections regarding, for example, healthcare information, credit reporting accuracy, children’s data, and, bizarrely enough, VHS rental records. (Since that law has not been found to apply to streaming services, it is presumably only of use to the residents of Bend, Oregon, home to the so-called “Last Blockbuster.”)

This piecemeal strategy is the consequence of occasional laser-focus from US Congress members on only the problems facing them at that very moment. That VHS rental history law? That was passed in 1988 after a newspaper published the video rental records of then-Supreme Court nominee Robert Bork. (The journalist who wrote the story succinctly proved a point—that, as Bork himself had argued, Americans had no real rights to privacy beyond those explicitly encoded in law.) A separate law protecting children’s privacy was signed in 1998 as the public feared wanton collection of kids’ data online.  

For about two years, though, that laser-focus found an ironic subject: Broader protections.

Starting in 2018, US Congress members homed in on crafting a comprehensive data privacy law that would restrict how companies and organizations collect, use, share, and sell Americans’ data. Roughly a dozen bills were introduced in the House of Representatives and the Senate, and substantive, new ideas on data privacy were considered.

There was also Senator Ron Wyden’s bill, which recommended jail time as a consequence for tech company executives who played a vital part in violating Americans’ data privacy rights. There was Senator Amy Klobuchar’s bill, which tried to standardize perplexing, yawn-inducing—and potentially unfair—“Terms of Service” agreements by requiring that those agreements be written in “language that is clear, concise, and well-organized.” There was Senator Marco Rubio’s bill and its light touch on regulation, which simply asked that the US Federal Trade Commission write its own rules on privacy that Congress later adopt. And there were other, novel proposals, like the ACCESS Act, which focused on data portability, and the Data Accountability and Transparency Act, which erred away from today’s singular focus on user “consent,” which, even under the best intentions, can often translate to a deluge of webpages all asking: “Do you agree to our use of cookies?”

Disappointingly, none of these bills moved forward, and following the US presidential election in 2020, new priorities were mapped out for Congress. Thankfully, in the United States, there are more legislative machines at work that can pass data privacy laws at home—the individual states themselves.

For years now, the majority of US states have at least attempted to lasso companies into better handling the consumer data that is collected whenever users interact with their websites, use their products, or respond to their social media posts. In fact, according to a recent analysis by The New York Times, only 15 states have essentially ignored consumer data privacy legislation; every other state has either introduced, passed, or signed a law, or replaced a comprehensive data privacy bill with a task force committed to researching the topic.

Within those 35 states, though, only three have found success—California, Colorado, and Virginia all passed consumer data privacy laws in the past few years. And not to immediately rob those successes of their merit, but each of those laws has its own problems, and the law in Virginia, especially, has drawn rebuke from Electronic Frontier Foundation (EFF) and American Civil Liberties Union (ACLU).

Kate Ruane, senior legislative counsel at ACLU, said in speaking with The New York Times that Virginia’s law, when it was still a bill, was “pretty weak.”

“It essentially allows big data-gathering companies to continue doing what they have been doing,” Ruane said.

At this point, it’s easy to think that US data privacy rights are following a sad trend of one step forward, two steps back. Just a few years ago, federal lawmakers were interested in data privacy. Then, they weren’t. Stateside, multiple states introduced broad data privacy laws for their residents. Then, only three such laws actually passed, and each law has its own problems.

The good news here is that you don’t have to—you shouldn’t have to—wait around for your government representatives to decide when you deserve data privacy rights. You deserve those rights today.

Here’s how you can take some first steps forward.

The right data privacy tools for you

In the US and in many countries abroad, one of the most powerful data privacy rights you have is the right to use a tool that can put data privacy into your own hands.

Data privacy tools are actually a lot like US data privacy rights, in that there are specific tools that protect specific types of data, or they protect your data in specific circumstances. While this variety is appreciated, it also means there is no one single solution to keep your information private online at all times.

To avoid any confusion about what tool can protect what data, here’s a quick run-down of what is available and how it can help you:

  • A privacy-forward web browser or a devoted web browser extension can block third-party ad tracking
  • A private search engine keeps your online searches private, protecting your interests from being sold to advertisers who want to serve you more ads
  • A VPN can obscure your Internet traffic from your Internet Service Provider and encrypt your data on public networks
  • The Tor Network and the Tor browser can route your Internet traffic through multiple “relays,” or servers, encrypting the data multiple times along the way

Knowing all that, let’s start with the simplest option that can also protect you from the most subversive and invisible form of data privacy invasion.

Privacy-forward web browsers and browser extensions

If you’re using a web browser that is made by a company that makes the majority of its money from online advertising (according to Wired, Google’s advertising revenue alone in one quarter of 2020 was $26 billion), your online browsing behavior is being stealthily watched across nearly every website you visit. As your browsing habits start to form a profile of who you are, where you live, what you like, and what you typically buy, you’ll start to see ads that follow you around constantly.

This is the work of third-party ad tracking. Due to the implementation of cookies in nearly every corner of the public-facing Internet, nearly all of our Internet behavior is tracked online. That information then gets packaged and sold to companies that want to deliver ads specifically to you and people like you.

To stop this type of invisible, online tracking, you should use a web browser that takes your privacy seriously. Options like Firefox, Safari, and Brave all block many types of ad tracking by default, which means that from the first time you launch these programs, you’ll start being protected, no user intervention needed.

If you’re too attached to your web browser to ditch it, you can also download a browser extension for this very same purpose. Several browser extensions that block ad trackers include Malwarebytes Browser Guard, EFF’s Privacy Badger, and the self-titled ad-and-tracker blocking extension made by Ghostery.

For those interested, Ghostery has also released a web browser that, with a monthly subscription fee, comes with a host of other privacy tools, including the company’s web analytics tool and a private search engine.

Speaking of which…

Private search engines

A private search engine, like the ones built by DuckDuckGo or, more recently, Brave, will keep your searches yours. Both companies promise that they do not collect or track your searches, and that they do sell that search data to third parties.

Though Brave’s search engine is newer and still in beta, DuckDuckGo has been in business for years, and this month, it passed the 100 billion total search mark.

VPNs

Any discussion on data privacy wouldn’t be complete without talking about VPNs. VPNs, or virtual private networks, are tools that can help you hide your Internet traffic from your Internet Service Provider, which might appeal to you in the United States because your ISP could actually take what it knows about you and then sell that data to the highest bidder, who will then use your information to send you even more ads across the Internet.

VPNs can also provide vital protection to you whenever you connect to the Internet on a public network, like at a coffee shop, an airport, or hotel. If those networks are not password-protected, then it is easier for eavesdroppers to watch your Internet traffic on that network. With a VPN, your traffic is encrypted and illegible to outside parties.

Because there are so many options out there, you can read our guide about how to choose the best VPN for you.

The Tor network and browser

The Tor network, in a way, is the Internet run by people—not companies, not conglomerates, not revenue-chasing decision-makers. The way it works is that volunteers around the world set up individual servers for Tor users to connect to—and through—when browsing online. This means that whenever you browse the Internet through the Tor network, your Internet traffic actually moves through three separate servers, which Tor calls “relays.” The last relay that you connect to then connects you to your final destination online, like a website. Because your traffic has been sent through three relays and encrypted each time it goes through a relay, the website you eventually connect to does not actually know who you are. It cannot collect any meaningful data about your age, your gender, your location, your politics, or your interests.

With the Tor network, then, you can obscure what advertising companies the world over want to know about you and what they spend countless dollars to discover.

Years ago, utilizing the Tor network required quite a bit of technical work, but with the nonprofit’s release of the Tor browser, much of that work can be done by the browser itself.

If you’re interested in taking your privacy to the next level, consider downloading the Tor browser and connecting to the Internet through a Tor connection, which the browser can configure the first time you start it up.

It’s not just about tools. Adopt new rules

While all the tools we described above can better protect your online privacy, there’s one more thing you should consider this Data Privacy Week, and that’s how you treat other people’s privacy online, too.

The devices that we carry in our hands every single day are capable of recording so much of our daily lives, and that includes private moments of other people’s lives, too. The photos you take with family, the conversations you have with friends, the videos you record and share—all of these can and do include people other than yourself who have their own idea of privacy, both online and off. Think about how much you care about your own privacy, and then think about what you can do to protect the privacy of others around you.

Don’t share private conversations, don’t post embarrassing videos, and don’t send photos around unless you know that other people in the photos are okay with it.

For years, we’ve heard that cybersecurity is a team sport. It’s time to treat data privacy like one, too.

The post Data Privacy Day: Know your rights, and the right tools to stay private appeared first on Malwarebytes Labs.