IT NEWS

Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign from late November to early December 2021, Patchwork has used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT).

What is interesting among victims of this latest campaign, is that the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.

Instead of focusing entirely on victimology, we decided to shade some light on this APT. Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own RAT, resulting in captured keystrokes and screenshots of their own computer and virtual machines.

Ragnatela

We identified what we believe is a new variant of the BADNEWS RAT called Ragnatela being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT.

Ragnatela RAT was built sometime in late November as seen in its Program Database (PDB) path “E:new_opsjlitest __change_ops -29no – CopyReleasejlitest.pdb”. It features the following capabilities:

• Executing commands via cmd
• Capturing screenshots
• Logging Keystrokes
• Collecting list of all the files in victim’s machine
• Collecting list of the running applications in the victim’s machine at a specific time periods
• Downing addition payloads
• Uploading files

In order to distribute the RAT onto victims, Patchwork lures them with documents impersonating Pakistani authorities. For example, a document called EOIForm.rtf was uploaded by the threat actor onto their own server at karachidha[.]org/docs/.

That file contains an exploit (Microsoft Equation Editor) which is meant to compromise the victim’s computer and execute the final payload (RAT).

That payload is stored within the RTF document as an OLE object. We can deduce the file was created on December 9 2021 based on the source path information.

Ragnatela RAT communicates with the attacker’s infrastructure via a server located at bgre.kozow[.]com. Prior to launching this campaign (in late November), the threat actor tested that their server was up and running properly.

The RAT (jli.dll) was also tested in late November before its final compilation on 2021-12-09, along with MicroScMgmt.exe used to side-load it.

Also in late November, we can see the threat actor testing the side-loading in a typical victim machine.

Victims and victim

We were able to gain visibility on the victims that were successfully compromised:

• Ministry of Defense- Government of Pakistan
• National Defense University of Islam Abad
• Faculty of Bio-Science, UVAS University, Lahore, Pakistan
• International center for chemical and biological sciences
• HEJ Research institute of chemistry, International center for chemical and biological sciences, univeristy of Karachi
• SHU University, Molecular medicine

Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).

Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet. On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.

Under the VPN they log into their victim’s email and other accounts stolen by the RAT.

Conclusion

This blog gave an overview of the latest campaign from the Patchwork APT. While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.

Thanks to data captured by the threat actor’s own malware, we were able to get a better understanding about who sits behind the keyboard. The group makes use of virtual machines and VPNs to both develop, push updates and check on their victims. Patchwork, like some other East Asian APTs is not as sophisticated as their Russian and North Korean counterparts.

Indicators of Compromise

Lure

karachidha[.]org/docs/EOIForm.rtf
5b5b1608e6736c7759b1ecf61e756794cf9ef3bb4752c315527bcc675480b6c6

RAT

jli.dll
3d3598d32a75fd80c9ba965f000639024e4ea1363188f44c5d3d6d6718aaa1a3

C2

bgre[.]kozow[.]com

The post Patchwork APT caught in its own web appeared first on Malwarebytes Labs.

Finalsite, a popular platform for creating school websites, appears to have recovered significant functionality after being attacked by a still-unknown ransomware on Tuesday, January 4, 2022. At least 8,000 schools are said to have been affected by the resulting outage.

According to an open letter published on its Twitter account:

On Tuesday, January 4, our team identified the presence of ransomware on certain systems in our environment.

In the time since the incident, our security, infrastructure, and engineering teams have been working around the clock to restore full backup systems and bring our network back to full performance, in a safe and secure manner.

Internet users who are directly or indirectly affected by this ransomware incident took to Reddit to raise some concerns. User /u/flunky_the_majestic writes: “Many districts are complaining that they are unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. The impact of this outage is far greater than the attention it has received.” [1]

Some Reddit users also used this thread to complain about K12 schools continuing to use old technology and the challenges they faced on why it has remained this way. This is a notable one from someone who works in K12:

The first good news is the company says it has found no evidence of data theft.

The second good news is, as of Finalsite’s status entry hours ago, “the vast majority of front-facing websites are online.” As a caveat, it added that some of these sites still lack some functionality and content, such as admin log-in, calendar events, and the directory of constituent groups, which the team is working to restore. While the CMS company continues to restore from backups, investigation is ongoing still as of this writing.

The third and final bit of good news is related to the second: Finalsite got it so right by making and keeping backups of all their most important data. Remember that it’s not a matter of “if” but “when” ransomware—or another cyberthreat—strikes. Sometimes, companies who deem themselves secure can still get hit. And when (not if) they do, organizations need a recovery plan and the right kind of backups.

Companies restoring from backup in just a few days after an attack rather than paying the ransom is, by far, the least worst outcome. This is also quite difficult to pull off because of so many questions to consider first before doing anything. On top of that, there are instances where backups could fail us. Malwarebytes Labs’s podcast, Lock and Code, has covered this very dilemma. Listen to the full podcast below:

Finalsite also kept it simple and honest, which we greatly applaud. Some (if not most) organizations leave it at “sophisticated cyberattack”—perhaps for fear of ridicule or criticism over “not doing enough”. While this is understandable, Finalsite admitting they have been ransomware victims but are actually doing something about it is somewhat refreshing to see. We can only hope that other organizations, regardless of size, follow their example.

The post Ransomware attacks Finalsite, renders 8,000 school sites unreachable for days appeared first on Malwarebytes Labs.

Over 100 real estate websites have been compromised by the same web skimmer in a supply chain attack.

So what happened?

On Monday, January 3, Palo Alto said it had found a supply chain attack that used a cloud video platform to distribute skimmer campaigns. The attacker injected the skimmer’s JavaScript code into video files, so whenever someone imported the video, their website would get embedded with the skimmer code as well.

Palo Alto worked with the cloud video platform and the real estate company to help them remove the malware before publishing the post, and the incident was resolved last year. Palo Alto didn’t name either of the companies involved by name, but it did share a list of domains where the malicious code was deployed, which indirectly identified Sotheby’s as the real estate company.

In Malwarebytes’ own ongoing investigations into web skimmers, our researchers found a script on VirusTotal that gave us a clue about the affected cloud video platform. We identified the skimmer group as Inter. The domain used for data exfiltration was known to us and has been used in previous campaigns over the past couple of years.

Following up on this we found several more instances of that campaign also on VirusTotal. This one is from January 2021 and is seen inserted in the JavaScript of the same video player.

Brightcove

In 2015, Brightcove proudly announced that it had partnered with Sotheby’s, one of the world’s oldest and largest auction houses, to deliver live auction experiences.

Brightcove’s online video platform is a Software-as-a-Service (SaaS) platform that is built to provide both a secure and reliable foundation that helps its customers scale and manage their video content. Customer data is hosted in a multi-tenant environment, but segregation is integrated into the application at the customer level.

Adding JavaScript

So, how does the attacker inject the malicious code into the player of the cloud video platform? There’s only one conceivable way to achieve this.

When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content.

It stands to reason that the attacker gained access and altered the static script at its hosted location by attaching skimmer code. On the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.

The question here is, was the attacker using a Sotheby’s account or a Brightcove account to alter the code? In the last case there is a big chance that the attacker used this method on other companies’ players. Palo Alto concluded after analysis of the sites it identified, that all the compromised sites belong to one parent company and that all these compromised sites were importing the same video.

Code analysis

For a deep dive analysis of the JavaScript code we happily refer you to the post by Palo Alto.

The code is heavily obfuscated, but after unraveling we can tell that it uses two different functions to verify whether a string matches a credit card pattern and to validate any matches by using a checksum formula.

Another part is used to detect and thwart debugging, but the most interesting part is how the skimmer steals information and sends it out. We can tell that the skimmer is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img (highlighted in the first screenshot).

In this type of supply chain attack, it is important to understand where the initial breach happened so that information can help to find more potential victims, but also to help prevent future instances.

This post was written with the immense help of the Malwarebytes Threat Intel team.

The post Card skimmers strike Sotheby’s in Brightcove supply chain attack appeared first on Malwarebytes Labs.

Two-factor authentication (2FA) has been around for a while now and for the majority of tech users in the US and UK, it has became a security staple. Indeed, wake up calls brought about by data breaches have stirred others out of their comfort zones into finally adopting 2FA and making it part of their online lives.

But online criminals—quick as they are with anything at this rate—are already one (if not several) step ahead.

As early as 2017, cybercriminals have been incorporating capabilities to defeat 2FA into their kits. With 2FA becoming much more commonplace, such kits are increasing in popularity and are in high demand in the underground market.

Academics from Stony Brook University and Palo Alto Networks—namely Brian Kondracki, Babak Amin Azad, Nick Nikiforakis, and Oleksii Starov—have found at least 1,200 phishing kits online capable of capturing or intercepting 2FA security codes. This, of course, would enable them to bypass any any 2FA procedures their target victims have already set up.

According to their report entitled “Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits” cybercriminals are using Man-in-The-Middle (MiTM) phishing kits which mirror live content to users while at the same time extract credentials and session cookies in transit.

These kits make it easy for the cybercriminals, because the harvesting of 2FA authentication session tokens are automatic. And because victims can browse within the phishing page as if it’s the real thing after they authenticate, users are less likely to notice they’ve been phished.

MiTM phishing attacks are perfect for scenarios where cybercriminals don’t want to use malware to steal credentials, and the attack itself doesn’t need human involvement in the process. Perhaps this is why email accounts, social media accounts, and some gaming accounts (as opposed to banking sites) are likely targets of MiTM phishers. These services have a more relaxed approach on how they log in users and keep them logged in until they manually log out.

Some of these services also create authentication sessions that can remain valid for years. Such sessions tokens can be used to abuse the account on a long term basis without the user knowing.

There are currently three widely known MiTM toolkits in popular hacking forums and code repositories: Evilginx, Muraena, and Modlishka. Among these, Modlishka (the Polish word for “mantis”) is the most familiar, and we covered it back in 2019.

Using machine learning, the academics created a fingerprinting tool they called PHOCA (Latin word for “seal”, the sea mammal). Per the report, PHOCA “can detect previously-hidden MITM phishing toolkits using features inherent to their nature, as opposed to visual cues.” All one needs to do is feed the tool with a URL or domain name, and then the tool determines if its web server is a MiTM phishing toolkit by using its trained classifier.

Criminals using a 2FA bypass is inevitable. PHOCA seems to be the only tool that can successfully pinpoint and help users thwart MiTM phishing websites. Aside from PHOCA, the academics propose client-side fingerprinting and TLS fingerprinting as form of detection method to greatly help thwart this type of attack.

Seemingly invisible threats like MiTM phishing are real. And we hope that we can protect from it sooner rather than later.

The post Intercepting 2FA: Over 1200 man-in-the-middle phishing toolkits detected appeared first on Malwarebytes Labs.

The New York State Office of the Attorney General has warned 17 companies that roughly 1.1 million customers have had their user accounts compromised in credential stuffing attacks.

Credential stuffing is the automated injection of stolen username and password pairs in to website login forms, in order to fraudulently gain access to user accounts. Many users reuse the same password and username/email, so if those credentials are stolen from one site—say, in a data breach or phishing attack—attackers can use the same credentials to compromise accounts on other services.

While credential stuffing may seem like a tiresome and long-winded game for attackers, it has proven to be very effective against. And unlike many other types of cyberattacks, credential stuffing attacks often require little technical knowledge.

The consequences

When attackers gain access to an account, they have several options to monetize it, such as:

• Draining stolen shopping accounts of stored value, or making purchases.
• Accessing more sensitive information such as credit card numbers, private messages, pictures, or documents which can ultimately lead to identity theft.
• Using a forum or social media account to send phishing messages or spam.
• Selling the known-valid credentials to other attackers on underground forums.

Needless to say that avoiding becoming a victim is worth the trouble.

What can users do?

Besides listening to us telling you that you should not reuse passwords across multiple platforms, there are some other thing you can do.

Start using a password manager. They can help you create strong passwords and remember them for you. Some passwords managers can be tricky at first, but once you get the hang of them you will wonder how you ever managed without one.

Then find out which credentials are at risk. You can check for compromised accounts on the website Have I been pwned? You can find information on how to use that site in our article “Have I been pwnd?”– What is it and what to do when you *are* pwned. The credentials shown as pwned there are the first ones you need to change the password for.

When it comes to which steps to take if you suspect there might be identity theft at play, we recommend you read this post we wrote after the Equifax breach some years ago.

What should organizations do?

Something that would make all of our lives easier is if organizations made it impossible, or harder at least, to credential stuff their sites and services.

One effective safeguard is to implement and enforce multi-factor-authentication (MFA). However, this puts a big part of the burden on the customers since they will have to take the extra steps before they are logged in. Another method to protect customers is to prevent them from use compromised credentials. This functionality typically relies on third party vendors that compile credentials from known data breaches.

Other more user-friendly solutions are bot detection methods and application firewalls.

Bot detection methods can distinguish between human and bot traffic even when the bot traffic has been disguised. Bot detection can be event-based and identifies bots using network characteristics, device characteristics, and behavior characteristics. More complex bot detection methods use behavioral analysis and artificial intelligence to detect login attempts that are seen as abnormal.  A less complex method to distinguish between bots and humans are the well-known CAPTCHA challenges.

Web Application Firewalls (WAF) are often the first line of defense against malicious traffic. They can block or throttle multiple attempts from the same source or at the same account. They can also use blocklists based on known IP addresses that have recently engaged in attacks. Sophisticated credential stuffing attacks, however, are often able to circumvent most WAF security measures.

No more passwords

Recently, we’ve seen initiatives that strive towards more password-less authentication. On this site we have discussed alternatives to get rid of passwords for good, along with the possible downside of the bold move Microsoft made towards a password-less future.

As with most things in security, switching to a password-less authentication will have pros and cons. It’s likely to have a different outcome for different organizations, but it seems something that is at least worth thinking through.

Stay safe, everyone!

The post Hackers take over 1.1 million accounts by trying reused passwords appeared first on Malwarebytes Labs.

When removing malware from an iOS device, it is said that users need to restart the device to clear the malware from memory.

That is no longer the case.

Security researchers from ZecOps have created a new proof-of-concept (PoC) iPhone Trojan capable of doing “fun” things. Not only can it fake a device shutting down, it can also let attackers snoop via the device’s built-in microphone and camera, and receive potentially sensitive data due to it still being connected to a live network connection.

Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique. On top of that, human deception is involved: Just when you thought it’s gone, it still pretty much there.

The researchers dubbed this overall attack “NoReboot,” and it does not exploit any flaws on the iOS platform. This means Apple cannot patch for it.

How they did it

So how does the malware stop the actual device shutdown from happening while making it look like it did to users? In a nutshell, the researchers hijack the shutdown event on an iOS device. This involves injecting new code to three daemons—programs that run in the background that have their own unique functions: InCallService, SpringBoard, and Backboardd.

InCallService is responsible for sending the “shutdown” signal to SpringBoard when a user manually turns off the iOS device. The researchers were able to hijack this signal using a hooking process. So instead of InCallService sending the signal to SpringBoard as it’s supposed to, it instead signals SpringBoard and Backboardd to execute the codes injected into them.

The code in SpringBoard tells it to exit, not launch again, and only respond to a long button press. Since SpringBoard responds to user interaction and behavior, the daemon being unresponsive gives the impression that the device is off when, in fact, it’s not.

The code in BackBoardd, on the other hand, tells it to hide the spinning wheel animation, which pops up when SpringBoard ceases to work.

At this point, the iOS device looks and feels like a brick. But note that it’s still pretty much on, still connected to the internet, and still has functional features readily available for remote exploitation. Note that once an iOS device is infected with NoReboot, it starts its snooping via the camera.

Just as the device shutdown is simulated, NoReboot can also simulate a device to startup. And the BackBoardd daemon plays a huge role in this. Since SpringBoard is no longer functioning, Backboardd takes control of the screen and responds to user inputs, including long button presses. Backboardd is told to show the Apple logo, a known indicator that the iOS device has indeed been turned off, which makes users let go of the button and stop them from truly rebooting the device. Then SpringBoard is relaunched so Backboardd can give back its privilege to control the screen.

You can read more about how NoReboot works in detail in ZecOps’s post here.

“Is this thing on?”

Since Apple introduced a feature that allows device owners to track their phones even when they’re turned off, things have never been the same. “On” remains on, while “off” is not-quite-off anymore. And this only gives attackers an opportunity to let their malware persist on affected devices.

NoReboot is a mere PoC at this point, but its code is already public. It’s only a matter of time before iOS attackers start incorporating this into their malware kits. That said, let’s arm ourselves with what we can do as users at this point.

If you suspect that your device is compromised by a NoReboot-like malware, you can keep pressing the force reboot buttons after the the Apple logo appears. Remember that this is a simulated reboot, and keeping the restart buttons depressed would force the infected device to truly reboot. iOS device owners can also use Apple Configuration, which you can download for free.

Stay vigilant!

(Kudos to Thomas Reed for additional helpful insights)

The post New iPhone malware spies via camera when device appears off appeared first on Malwarebytes Labs.

There’s a lot of concern in the cryptocurrency realm at the moment. A yield farming platform “utilizing arbitrage to gain optimal yield with low risk” has gone AWOL. Site down, Twitter account deleted, no word from the team behind it explaining what happened. Worst of all, some $10 million worth of funds have been drained leading to accusations of rug-pulling.

So what’s gone wrong with rugs in the land of yield farming?

Yield farming in DeFi (Decentralised Finance)

Yield farming is a popular target for scams, as lots of money is dropped into new services with the hope of big payouts via passive income earnings further down the line. People do receive payouts, by the way. Here’s someone who picked up $1,700 because he used one particular service prior to a specific date. However, as the article notes, many projects are open source. This makes it easy for people with bad intentions to fire up a bogus service of their own, wait for funds to be pumped into it, and then vanish.

This is, of course, not very good when it happens. Sadly, this is what may have happened in this case.

What is a rug pull in cryptocurrency?

A rug pull (or “being rugged”, as they call it in cryptocurrency circles) is not a fun experience. Someone creates an altcoin (any coin other than Bitcoin) on a DEX (decentralised exchange). They then spend some time hyping that token on as many platforms as possible. The more noise, the better: anything to attract potential users. As more people invest, the idea is that the token increases in value. The liquidity of the project goes up as a result.

When hype is at its maximum and investors are running wild, the creators suddenly drain the pool of its funds and fade from existence. Anyone who bought into the project is left with worthless tokens. At this point, sites and services related to the scam token are scrubbed, and a lot of people are out of pocket. The rug is well and truly pulled.

What’s happened to Arbix?

A project called Arbix Finance has indeed pulled its site and deleted its Twitter. Arbix was audited and approved by Certik in November, adding legitimacy to itself and a way to reassure users it is on the level. Here’s an example press release in relation to certification of another cryptocurrency platform. Audits and certifications such as these are common in the DeFi space, so it’s probably a bit disconcerting for users to see the rug pull happen despite such forms of approval.

The audit history page for Arbix Finance currently reads as follows:

“Warning: This project has been confirmed to be a rugpull and is deemed high risk. Do not engage, or interact, with this project.”

Where did the money go?

The Certik Twitter feed is currently revealing pieces of its investigation into what’s happened. It’s quite likely there’s more to come, so this isn’t the full story at present, but here’s the current timeline of events:

Word of the rugpull first breaks. People are told to steer clear of interacting, because it’s still possible to get tangled up in losing some more money:

Money invested by users (the missing $10m) is sent to a variety of addresses, with a big chunk of the missing funds dumped.

That thread and offshoots of it are still being updated, so if you’re impacted you’ll want to bookmark for future reference.

If you want to see more information about the wallets used to hold the funds and where they were sent afterwards, see this tweet.

Next steps

There isn’t much advice that can be given to potential victims in this specific case. More digging is required, and it’s possible one benefit of this service having been audited is it may help with finding out who’s behind this. It’s also possible the project owners may appear at the eleventh hour with an explanation. For now, we have to just wait and see.

There’s a lot of angry people on social media in relation to this one. We’ve seen a few links being sent claiming to be forms of “help” or support from Arbix which resolve to things like Telegram links. With no way to verify, we’d suggest being very cautious around any links sent to offer assistance.

You definitely don’t want to lose out twice over

People are making money in cryptocurrency, but rug pulls remain a huge loss for all concerned. If you haven’t run into one of these scams yet, read up on ways to minimise the threat. It’s a Wild West out there.

The post $10m of funds goes missing in what appears to be a cryptocurrency rug-pull appeared first on Malwarebytes Labs.

On New Year’s Eve, Seif Elsallamy (@0x21SAFE on Twitter), a bug bounty hunter and security researcher, pointed out a phish-worthy security flaw he found on Uber’s email system. The flaw allowed anyone to send emails on behalf of Uber, meaning they would end with “@uber.com“, just like the one below:

An email address with “@uber.com” legitimately sent from one of Uber’s email servers will no doubt pass through email spam filters and reach their intended recipients. Knowing that this can be done by anyone opens multiple phishing opportunities for the would-be scammer.

They could start sending out a fake email marketing campaign to Uber clients, potentially using a list from the 57 million user data breach in 2017. The email could contain a link to click on that leads to an external site that was made to look like it’s from Uber, too. Suffice to say, there is a lot of scamming potential here.

And this is not a case of email spoofing—which makes an email appear to come from somewhere legitimate but actually comes from somewhere entirely different—but a case of a successful HTML injection into a vulnerable email endpoint on Uber’s side.

As BleepingComputer said, it’s similar to the flaw disclosed by Youssef Sammouda in 2019 which allowed anyone to send an email on behalf of Facebook using an “@fb.com” email address. But the similarities end there, because while Facebook fixed the issue and awarded Sammouda a bounty, Uber has not done the same.

Falling on deaf ears

It often comes as a surprise when companies ignore bug reports that may actually have a huge impact on their business. Elsallamy’s finding has not only brought to light an old bug once more, but also unearthed a history of Uber not taking the issue seriously and, in turn, not doing anything about it.

Elsallamy tweeted: “Bring your [calculator] and tell me what would be the result if this vulnerability has been used with the 57 million email address that has been leaked from the last data breach? If you know the result then tell your employees in the bug bounty triage team.”

Soufiane el Habti (@wld_basha on Twitter), another bug bounty hunter, hopped on the original tweet thread, saying he raised the same issue to Uber last year but the triage team “closed it as informative”. Shiva Maharaj (@ShivaSMaharaj on Twitter) claimed that he reported this bug in 2015/2016, but said “they don’t care.”

When BleepingComputer asked what Uber should do to address this concern, Elsallamy said: “They need to sanitize the users’ input in the vulnerable undisclosed form. Since the HTML is being rendered, they might use a security encoding library to do HTML entity encoding so any HTML appears as text.”

Given how easy it is to perform HTML injections, clients and employees in Uber should keep a close eye on potential phishing and/or scam attacks.

The post Careful! Uber flaw allows anyone to send an email from uber.com appeared first on Malwarebytes Labs.

The Purple Fox rootkit is being spread as an installer for the popular Telegram instant messaging app for Windows, according to researchers.

It’s not clear how the installer in this case was distributed, although it seems like at least some were delivered via email. Common distribution methods for this type of installer are phishing campaigns, forum spam, YouTube posts and comments, as well as untrustworthy software download sites. We’ve also seen the same malicious downloader in a combination with a WhatsApp for Windows installer.

But what makes the newly found Telegram installer special is the fact that the malicious part of the install is done separately in several small files. This makes the malware harder to detect and makes it easier for the malware authors to replace parts that have a high detection rate.

It starts with an installer called “Telegram Desktop.exe” which is an AutoIT script that drops a legitimate Telegram installer and a malicious downloader called “TextInputh.exe”. The legitimate Telegram installer is not executed, but the malicious downloader is immediately used as a downloader for the next stage of the attack.

It downloads and executes more files, which get deleted after they have done their work. Then User Account Control (UAC) is disabled, specific antivirus initiations are blocked, and information about security tools on the affected system are gathered and sent to a hardcoded command and control (C2) address.

The malware checks specifically for the presence of 360 AV software and will shut it down and block initiation.

The final stage of the infection requires a reboot for the new registry settings to take effect, including the disabled UAC. The disabled UAC setting allows the malware to download and deploy the Purple Fox rootkit.

Purple Fox background

Purple Fox is the name given to a malware family that has been in constant development ever since it was discovered in 2018. Back then it was a relatively simple Trojan that relied on exploit kits and phishing emails to spread. By the end of 2020, however, Purple Fox was using brute force attacks over Server Message Block (SMB), a network protocol that allows Windows computer to share files.

Then, in March 2021, researchers discovered that the Purple Fox malware included a rootkit and was wormable. A rootkit allows the attackers to hide the malware on a machine and make it difficult to detect and remove. Wormable malware is capable of spreading from one vulnerable computer to another automatically.

The Purple Fox infrastructure consists mostly of exploited servers that are used to host payloads, act as C2 servers, or serve as worm nodes. This makes it harder to track down the threat actors, but it also makes the infrastructure vulnerable if key servers get cleaned up by their rightful owners.

In September 2021, researchers found a new backdoor written in .NET which is believed to be associated with PurpleFox. This backdoor leverages WebSocket to communicate with its C2 servers, resulting in a more robust and secure means of communication. WebSocket is a communication protocol that allows streams of data to be exchanged between a client and server over a single TCP connection.

Mitigation

The most important advice to avoid this kind of infection is to download software only from trusted sources. Sometimes easier said than done, but trust me, it pays off.

Malwarebytes protects against and detects the malicious downloader by using the Artificial Intelligence module of its real-time protection.

IOCs

A full list of IOCs can be found on the Minerva blog, but we have listed the most important ones below:

Folders:

C:UsersPublicVideos1640618495

C:Users{username}AppDataLocalTempTextInputh

Files:

Telegram Desktop.exe

TextInputh.exe

1.rar

360.tct (which gets renamed to 360.dll)

rundll3222.exe

svchost.txt

Calldriver.exe

Driver.sys

bmd.txt

dll.dll

kill.bat

speedmem2.hg

Registry:

HKEY_LOCAL_MACHINESYSTEMSelectMarkTime

IPs:

144.48.243.79

193.164.223.77

Hashes:

41769d751fa735f253e96a02d0cccadfec8c7298666a4caa5c9f90aaa826ecd1

bae1270981c0a2d595677a7a1fefe8087b07ffea061571d97b5cd4c0e3edb6e0

Stay safe, everyone!

The post Purple Fox rootkit now bundled with Telegram installer appeared first on Malwarebytes Labs.

Adidas has been making waves in the NFT space with a collection of footwear/bored ape crossover sales.

Demand was bound to be high among people who collect these things. As a result, Adidas tried to limit the number of sales to two per person. This is along the same lines as trying to prevent bid sniping on eBay, or ticket scalpers purchasing huge numbers of tickets then selling them on at huge profit. See also: console purchase shenanigans.

When the idea of scarcity is built into what you’re selling, it makes sense that you’d want to give anyone interested a fair chance to buy the item(s) on sale.

Unfortunately, as with all the best laid plans, things went sideways very quickly once the sale opened. When you see what approximates to an apology thread, you know something’s gone wrong. The question is: what?

Let the bidding begin

When an NFT sale opens, people have to bid to obtain their desired NFT and pay a gas fee. This fee can go up or down, but they may be higher or lower depending on supply and demand when you make your payment. The fee itself is needed to compensate for the processing required to make the transaction. There are also numerous ways to avoid higher fees.

So far, so good. Unfortunately, the replies to the announcement are filled with people complaining about minting gone awry, and gas fees lost.

Drafting up a contract

Smart contracts in the NFT space are how people know who owns what after an NFT has been created.

Someone looking to bypass the two item limit created a custom smart contract, which fired up an additional 165 subcontracts to make additional purchases. That’s 330 NFTs purchased at a cost of around $350,000 for gas fees and purchase price, which could easily have gone wrong. As annoying as this is for anyone who lost out on fees, the thing which really interested me in the replies of woe was this:

Customer support scammers move to new realms

Someone dived into the complaints claiming to be “Adidas Originals Support”, eager to help anyone fretting about lost money. Sadly, all is not as it seemed.

“Hello,

This is Adidas Original Support.

We are sorry for any inconveniences so far.

Kindly send a direct message; our best team will attend to you to ensure it is fixed ASAP.

Well, it looks convincing. For one thing, it has a blue ape in a yellow hat for a profile pic. Nobody would pretend to be a fake ape in a yellow hat, would they?

You bet they would. This is the customer support scam we’ve seen many times down the years. It started out targeting FIFA gamers in need of assistance. People doing it realised they could make more money jumping into customer support chats between banks and their customers.

We’ve seen this scam deployed against users of Trust Wallet just this year.

In it for the long run

It stands to reason we’d see this approach work its way over to the NFT space eventually. There’s simply too much speculative money being thrown around to resist. If we had to guess, the scammer would eventually ask for wallet credentials. If you lose your wallet in this way, you’re almost certainly never getting it back again.

The account sending the message has since been suspended by Twitter. However, it’s incredibly easy to set up bogus profiles and we expect to see this one happening a lot more. If a supposedly official account ends up in your replies after something goes wrong, check it has a verified profile. If it doesn’t, there’s a very good chance something may be amiss. As I said earlier: if you lose your wallet in this way, it’s probably gone for good.

Keep your friends close, your monkey jpegs closer, and your cryptowallets closest of all.

The post Customer support scammers take aim at NFT enthusiasts appeared first on Malwarebytes Labs.