Archive for NEWS

Facial recognition: tech giants take a step back

Last week, a few major tech companies informed the public that they will not provide facial recognition software to law enforcement. These companies are concerned about the way in which their technology might be used.

What happens when software that threatens our privacy falls into the hands of organizations we no longer trust? Simply knowing that tracking software exists produces a feeling of being spied on, and a sense of insecurity. That insecurity spreading through society is likely what is causing these companies to revise their strategy. Current developments have surely had an impact on an already strained social environment: a pandemic and worldwide protests are a combination we have not experienced before.

Definition of facial recognition

The definition of facial recognition, or “face recognition” as the Electronic Frontier Foundation (EFF) defines it, is:

A method of identifying or verifying the identity of an individual using their face. Face recognition systems can be used to identify people in photos, video, or in real-time.

Facial recognition is one of the few technologies whose potential for misuse against citizens by a malevolent or untrustworthy government even laymen can readily understand. Other methods, like social profiling and behavioral analysis, are more elusive and harder to grasp.

In an earlier blog post, we discussed the very different rules, laws, and regulations that exist around the world when it comes to facial recognition. Depending on the type of government and the state of technology, the rules vary widely, or don't exist at all.

The bans announced by Amazon, IBM, and Microsoft over the course of one week were, however, more or less directly aimed at US organizations, perhaps as a result of growing distrust of local law enforcement agencies in general and of the behavior of some police departments in particular. But we can likely expect these bans to spread across the world. (And I think that is a good thing.) Laws tend to follow developments in society, always trailing one step behind. In this case, the matter looks important enough to wait until development and legislation can go hand in hand.

The companies

Microsoft halted the sale of facial recognition technology to law enforcement in the US, stating that the ban would stand until federal laws regulating the technology's use are in place. In other words, the company wants rules governing use of the technology before it provides it.

Amazon, potentially one of the biggest players in this space, has its own product, Rekognition, which it licenses to businesses and law enforcement. Amazon had announced a similar ban days earlier for much the same reason, telling the public that it would require “stronger regulations to govern the ethical use of facial recognition technology.”

IBM did not limit its ban to the US, and it explained its motives in a letter to Congress. In that letter the company wrote that it had no plans to market facial recognition software if it would be used “for mass surveillance, racial profiling, violations of basic human rights and freedoms, or any purpose which is not consistent with our values and Principles of Trust and Transparency.”

Why we do not want facial recognition

Groups such as the American Civil Liberties Union (ACLU) and the EFF have objected to this technology because using biometrics to track and identify individuals without their consent is considered a breach of privacy. Many feel there is already more than enough technology keeping track of our behavior, preferences, and movements. That technology does not necessarily know who we are down to the level of personally identifiable information (PII), yet many people are already uneasy when they learn how well advertisers and shops know their preferences from tracking their browsing habits and online purchases.

And some incidents certainly don't help the case. For example, the Baltimore police department reportedly ran social media photos through face recognition to identify protesters and arrest them.

Another example of this technology being used for a purpose other than the one it was intended for, and another possible reason for distrust, was Minnesota police describing what they did to demonstrators arrested after recent protests as “contact tracing.” Contact tracing is a public health effort to help stop the spread of disease, such as the COVID-19 outbreak. As it turns out, the Minnesota police are looking at it as a model for criminal investigations.

Facial recognition still has its limits

Another long-standing objection to facial recognition technology is its inaccuracy. There is a significant risk that facial recognition as used in law enforcement is unreliable.

Most facial recognition software relies on Artificial Intelligence (AI) and, more precisely, Machine Learning (ML), and the training data for those models is often incomplete or unrepresentative of the general population. A study from MIT Media Lab showed that facial recognition technology performs differently across genders and races. Where a misidentification can lead to arrest or incarceration, such grave errors caused by false matches are ones we will surely want to avoid.

Will we ever be ready for facial recognition to be used by law enforcement?

What will surely need to happen is that law enforcement regains the trust of the public and that laws regulating the use of facial recognition software are enacted that satisfy the demands of the software's manufacturers.

Whether that means we can sit back and rely on the forces at work to do the right thing is another topic entirely. A large majority of humanity seems torn between “I have nothing to hide” and “they already know everything” anyway. That is not a healthy situation, and the degree of unease largely depends on which country you happen to live in and on many other circumstances beyond your control.

So, even though widespread use of facial recognition by law enforcement in the US now seems less likely, this remains a topic to keep an eye on if you value your privacy.

The post Facial recognition: tech giants take a step back appeared first on Malwarebytes Labs.

Posted in: NEWS


End of line: supporting IoT in the home

Trouble is potentially brewing in Internet of Things (IoT) land, even if the consequences may still be a little way off. System updates and expiring certificates will pose problems for manufacturers and headaches for consumers.

System updates for fun and profit

One of the first mainstream collisions between updates being put out to pasture and angry device owners yelling “Why doesn't this work anymore?” was probably at the tail end of 2019 and involved streaming giant Netflix. If you have internet-connected devices, those devices will require updating. It may be a security fix, it could be a UI redesign, or perhaps the code deep in the guts between the backend and what you see in front of you has changed, cascading through how everything operates.

People realised this very quickly when Netflix started letting them know their TVs would no longer work quite as they had previously. This approach makes sense; there's only so much you can do with older hardware against the ever-present march of the new. At some point it simply won't cut the mustard, and then (in the best case) you're falling back on third-party apps instead of official ones. That could end up being a security risk all by itself.

Not so smart device?

White goods like fridges, freezers, and kitchen equipment in general are usually pretty expensive, and devices with IoT tech in them even more so. You're paying a premium for functionality you may not use that often. It's likely some folks buy IoT devices for the home without even knowing they possess the capability, which would go some way to explaining why so many of these things are found online, unsecured, with no password (or a fixed password that is easily Googled).

Into this hot mess step a number of expectations, primary among them how long you can expect the device to be supported. We're not talking about apps that let you perform smaller tasks so much as core functionality: how long will manufacturers keep an IoT device, hooked up to the big wide web, ticking over? Not only in terms of “does it work,” but also “is it still secure?”

As always, the devil is in the details (or at least in some additional information, in this case a Which? report that put exactly that question to manufacturers).

Mapping out the end times

Planned obsolescence has been around in tech circles for years. The basic idea is to keep making money by building some form of limited shelf life into a device, so that you continually fork over cash above and beyond the original purchase... because you're now on to the next one... and the one after that... and the latest model does a handful of new things, so you'd better buy that too...

You get the idea. Design cycles become shorter and new product releases are rushed out the door, potentially full of bugs, leaving you to wonder whether the new additions couldn't have been included in the product you already own.

The addition of more new and intricate technology to white goods arguably lengthens the list of things that could break or go wrong over time. Reliance on the ever-shifting sands of the Internet also means things will go out of date a lot faster than a plain old washing machine, tumble dryer, or fridge would.

It's wise not to get too wrapped up in conspiracy theories on this subject; some caution is advised. By the same token, this absolutely does happen, and major organisations have caught some heat for it.

Even so, we're now at a point where IoT is firmly established in homes whether we like it or not. More of our devices are becoming internet-connected; even if you purposely go out of your way to avoid it, chances are you'll begrudgingly get stuck with it at some point. For most people in that situation it tends to be a television set, but the IoT sky is the limit and it could be pretty much anything.

Behold my impressive collection of legal documents

At this point we come to warranties and guarantees. The protection they offer differs greatly depending on where you live, since they are typically tied to the laws of your area. You'd think it'd be straightforward; in fact, it's more along the lines of Cole Porter singing Anything Goes while desperately trying to make sense of 600 pages of legalese.

More often than not, the extended warranty is what offers the most protection. It's also the one that involves handing over more money, registering on a website, sending off a card, or simply forgetting to do any of the above and then panicking when the toaster explodes.

With all that new IoT tech inside your washing machine, you may well want extra protection in case things go wrong. One slight annoyance, as Cole Porter yells from behind his impressive collection of legal documents: will that fancy extended 7-year warranty outlive the IoT tech in your fridge?

Going back to the Which? report, it's all worryingly vague. When asked how long support can be expected, answers ranged from “issued as required” to “up to ten years,” and at least one vendor said “a maximum of two years,” with the not massively reassuring caveat that support is not limited to two years.

Glad we’ve cleared that one up, then. Thanks, Cole.

As per the Which? report's advice, you may have to start asking manufacturers exactly how long the IoT tech in a device will be supported versus how long your warranty runs. Good luck.

Be certain with your certificates

SSL/TLS certificates help keep the web safe by encrypting what you do, whether it's regular browsing, online banking, gaming, or streaming TV shows. The problem is that certificates have expiry dates, and that includes the root certificates baked into a device's trust store, a good number of which are due to expire in the next few years. A device that no longer receives firmware updates cannot learn the replacement root, so it stops trusting the very services it was built to talk to. All those IoT devices in your home could be caught in the fallout.

Such a thing already hit Roku users, who found an expired certificate broke their service. More general warnings peg the next big fallout sometime around the tail end of 2021. I, for one, am looking forward to the immense joy of being told by text message that the SSL certificate on my fridge freezer has expired and I'll have to fix it myself.

A televisual turning point

With all of the above becoming things for a harried shopper to consider, it's worth remembering that the “smart” in some devices gives manufacturers additional valuable data on the people buying their products. I hope you like adverts the moment you turn on your TV, or the big box in your front room watching pretty much everything you do with it.

It's in their interest to push digital into as many devices as possible, and manufacturers already claim that stripping out smart tech that was never in those devices before would make them more expensive. Put simply: it isn't going away anytime soon.

Warranties that may not warrant, certificates that might fail to certify, lifespans that don't match the length of cover promised, and data harvested to serve advertisements that upsell yet more smart tech. That's the current lie of the land when you next go out to replace that 5-year-old fridge in need of patching up.

Should you figure it out, please let us know – I think we’d all appreciate the helping hand.

The post End of line: supporting IoT in the home appeared first on Malwarebytes Labs.


Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

This blog post was authored by Hossein Jazi and Jérôme Segura

On June 10, we found a malicious Word document disguised as a resume that uses template injection to drop a .NET loader. This is the first part of a multi-stage attack that we believe is associated with an APT group. In the last stage, the threat actors used Cobalt Strike's Malleable C2 feature to download the final payload and perform C2 communications.

This attack is particularly clever in its evasion techniques. For instance, we observed an intentional delay in executing the payload dropped by the malicious Word macro: the goal is not to compromise the victim right away, but to wait until they restart their machine. Additionally, by hiding shellcode inside an innocuous-looking JavaScript file and loading it without touching the disk, this APT group can further thwart detection by security products.

Lure with delayed code execution

The lure document was probably distributed through spear phishing emails as the resume of a person allegedly named “Anadia Waleed.” At first we believed it was targeting India, but the intended victims could be more widespread.

Figure 1: Resume

The malicious document uses template injection to download a remote template from the following url:


Figure 2: Template injection

The domain hosting the remote template was registered on February 29, 2020 by a registrant in Hong Kong. The document was created 15 days after this domain registration.
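Template injection leaves a small but reliable footprint inside the document itself: the attachedTemplate relationship in word/_rels/settings.xml.rels points at an external URL instead of a local .dotm. The following triage script is an added example (not code from this post or from the sample); it constructs a minimal .docx in memory with a placeholder template URL, then scans every .rels part for an external attachedTemplate target, which is the check an analyst would run on a suspicious resume before ever opening it in Word.

```python
"""Triage check for Word template injection.

Added example, not code from the Malwarebytes post. build_sample_docx()
constructs a minimal .docx whose word/_rels/settings.xml.rels carries an
external attachedTemplate relationship; the URL used below is a constructed
placeholder, not the URL from the actual sample.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return (rels part, target) pairs for attachedTemplate relationships
    that point outside the package.

    Template injection points the attachedTemplate relationship at an
    http(s) URL with TargetMode="External"; Word fetches that .dotm (and
    its macros) when the document opens. A benign document either has no
    such relationship or points at a local file.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # attachedTemplate normally lives in settings.xml.rels, but scanning
        # every .rels part also catches relationships placed elsewhere.
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != TEMPLATE_REL:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external or target.lower().startswith(("http://", "https://")):
                    hits.append((name, target))
    return hits


def build_sample_docx(template_target: str = None) -> bytes:
    """Construct a minimal docx-like package; with a target it mimics the
    injected sample, without one it mimics a clean document."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    if template_target:
        rels.append(f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml",
                    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL standing in for the real remote template.
    injected = build_sample_docx("https://template-host.example/indexa.dotm")
    print("injected:", find_remote_templates(injected))
    print("clean:   ", find_remote_templates(build_sample_docx()))
```

Run it against a real file with `find_remote_templates(open("resume.doc", "rb").read())`; note that this only applies to the OOXML (.docx/.dotm) container, so a legacy binary .doc needs a different parser.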

The downloaded template, “indexa.dotm”, has an embedded macro with five functions:

  • Document_Open
  • VBA_and_Replace
  • Base64Decode
  • ChangeFontSize
  • FileFolderExist

The following shows the function graph of the embedded macro.

Figure 3: Macro functions graph

The main function, Document_Open, executes when the file is opened. It drops three files onto the victim's machine:

  • Ecmd.exe: UserForm1 and UserForm2 contain two Base64-encoded payloads. Depending on the version of the .NET Framework installed on the victim's machine, the content of UserForm1 (for .NET v3.5) or UserForm2 (other versions) is decoded and stored in “C:\ProgramData”.
  • cf.ini: Its content is extracted from UserForm3 and is AES-encrypted; it is later decrypted by ecmd.exe.
  • ecmd.exe.lnk: A shortcut to “ecmd.exe”, created by Base64-decoding the content of UserForm4. This file is dropped into the Startup directory as the trigger and persistence mechanism.

Because the shortcut is the only trigger, Ecmd.exe is not executed until the machine reboots.
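A Startup-folder shortcut is easy to spot by name but tells an analyst nothing until its target is resolved, and that is often done from a disk image rather than on the infected host. The following is an added example, not code from this post: a minimal reader for the MS-SHLLINK header, LinkInfo and StringData sections, enough to pull the local target path and arguments out of a .lnk file. The sample shortcut is constructed with build_lnk() and its path is a placeholder mirroring the ProgramData location described above.

```python
"""Parse Windows .lnk files to triage Startup-folder persistence.

Added example, not code from the Malwarebytes post. parse_lnk() reads the
ShellLinkHeader, LinkInfo and StringData structures of a shortcut;
build_lnk() constructs a minimal well-formed shortcut as sample input, with
a placeholder target path.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x1, 0x2, 0x4
HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x8, 0x10, 0x20, 0x40, 0x80


def parse_lnk(data: bytes) -> dict:
    """Return the local target path, arguments and other string data."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"target": None, "arguments": "", "working_dir": "", "flags": flags}
    if flags & HAS_LINK_INFO:
        size, _hdr, info_flags, _vol, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            end = data.index(b"\x00", pos + base_off)
            info["target"] = data[pos + base_off:end].decode("cp1252")
        pos += size
    # StringData: CountCharacters (u16) then that many chars, no terminator,
    # UTF-16LE when IsUnicode is set, otherwise the system ANSI code page.
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return info


def build_lnk(target: str, arguments: str = "") -> bytes:
    """Construct a minimal shortcut with a LocalBasePath (sample input only)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments else 0)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1/2/3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"   # fixed drive, empty label
    base = target.encode("cp1252") + b"\x00"
    hdr_size = 0x1C
    vol_off = hdr_size
    base_off = vol_off + len(volume)
    suffix_off = base_off + len(base)
    body = volume + base + b"\x00"                 # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", hdr_size + len(body), hdr_size, 0x1,
                            vol_off, base_off, 0, suffix_off) + body
    string_data = b""
    if arguments:
        string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + link_info + string_data


def startup_targets(shortcuts: dict) -> list:
    """Given {filename: bytes} collected from a Startup folder, list
    (name, target, arguments) for every parseable shortcut."""
    out = []
    for name, blob in shortcuts.items():
        try:
            p = parse_lnk(blob)
        except ValueError:
            continue
        out.append((name, p["target"], p["arguments"]))
    return out


if __name__ == "__main__":
    # Constructed sample mimicking the dropped shortcut (placeholder path).
    sample = {"ecmd.exe.lnk": build_lnk(r"C:\ProgramData\ecmd.exe"),
              "readme.txt": b"not a shortcut"}
    for name, target, args in startup_targets(sample):
        print(f"{name} -> {target} {args}".rstrip())
```

In practice you would feed startup_targets() the contents of both Startup folders (the per-user one under AppData\Roaming and the all-users one under ProgramData) and flag any target that lives outside Program Files; a shortcut whose target sits in C:\ProgramData, as here, deserves a second look.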

Figure 4: Document_Open
Figure 5: Custom Base64 decode function

The ChangeFontSize and VBA_and_Replace functions are not malicious and were probably copied from public resources [1, 2] to mislead static scanners.

Intermediary loader

Ecmd.exe is a .NET executable that pretends to be an ESET command-line utility. The following images show the binary's certificate, version, and debugger information.

The executable has been signed with an invalid certificate to mimic ESET, and its version information describes it as an “ESET command line interface” tool (Figures 6-8).

Figure 6: Certificate information
Figure 7: Version information
Figure 8: Debugger information

ecmd.exe is a small loader that decrypts and executes the AES-encrypted cf.ini file mentioned earlier. It first checks the country of the victim's machine by making an HTTP POST request to a geolocation web service, then parses the XML response and extracts the country code.

Figure 9: Getcon function: makes the HTTP POST request to the geolocation service
Figure 10: output

If the country code is “RU” or “US”, it exits; otherwise it decrypts the content of “cf.ini” using a hard-coded key and IV pair.

Figure 10: ecmd.exe main function

The decrypted content is copied to an allocated memory region and executed in a new thread using the VirtualAlloc and CreateThread APIs.

Figure 11: runn function

Shellcode (cf.ini)

Malleable C2 is a Cobalt Strike feature that lets an attacker shape command-and-control traffic (the beacons between victim and server) so that it blends in with legitimate traffic and avoids detection. A custom profile can be created for each target.

The shellcode uses the Cobalt Strike Malleable C2 feature with a jQuery Malleable C2 profile to download the second payload from “time.updateeset[.]com”.

Figure 12: Malleable C2 request

This technique has been used by two Chinese APT groups, Mustang Panda and APT41.

The shellcode first finds the base address of ntdll.dll via the PEB and then calls LoadLibraryExA to load Wininet.dll. It then uses the InternetOpenA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA and HttpSendRequestA APIs to download the second payload. The API addresses are resolved within two loops, and each call is made by jumping to the resolved address.

Figure 13: Building API calls

The malicious payload is read with InternetReadFile and copied into an allocated memory region.

Figure 14: InternetReadFile

Because the communication is over HTTPS, Wireshark is not helpful for spotting the malicious payload, and Fiddler was not able to give us the payload either:

Figure 15: Fiddler output

Using the Burp Suite proxy we were able to verify and capture the correct payload downloaded from time.updateeset[.]com/jquery-3.3.1.slim.min.js. As can be seen in Figure 16, the payload is appended to the jQuery script returned in the HTTP response:

Figure 16: Payload appended to the end of the jQuery script

After copying the payload into a buffer in memory, the shellcode jumps to the start of the buffer and continues execution. This includes sending continuous beacon requests to “time.updateeset[.]com/jquery-3.3.1.min.js” and waiting for commands from the C2.
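Both the Malleable C2 description above and the Burp capture point at the same weakness in the jQuery profile: the wrapper text makes the response look like jquery-3.3.1, but a real minified jQuery file is printable ASCII with modest entropy, while the stage sandwiched inside it is raw binary. The detector below is an added example, not code from this post or from Cobalt Strike; it runs the check a proxy or a Zeek extracted-files pipeline could apply to any response with a JavaScript content type. The "captured" responses are constructed here, with a SHA-256-derived blob standing in for the stage.

```python
"""Detect a binary stage smuggled inside a "jQuery" HTTP response.

Added example, not code from the Malwarebytes post or from Cobalt Strike.
The Malleable C2 jQuery profile wraps the downloaded stage in text copied
from jquery-3.3.1 so the response passes a casual glance. The sample
responses below are constructed, not captured traffic.
"""
import hashlib
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4.5-5.5 for minified JS, near 8 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def binary_runs(body: bytes, min_len: int = 64, gap: int = 16) -> list:
    """Return (start, end) spans dominated by non-printable bytes.

    A span opens at a non-printable byte and closes only after `gap`
    printable bytes in a row, so stage bytes that happen to be printable
    (about 38% of random bytes) do not split one blob into many.
    """
    runs, start, last_bad = [], None, -1
    for i, b in enumerate(body):
        if b not in PRINTABLE:
            if start is None:
                start = i
            last_bad = i
        elif start is not None and i - last_bad >= gap:
            if last_bad + 1 - start >= min_len:
                runs.append((start, last_bad + 1))
            start = None
    if start is not None and last_bad + 1 - start >= min_len:
        runs.append((start, last_bad + 1))
    return runs


def inspect_js_response(body: bytes) -> dict:
    """Flag a JavaScript body that carries an embedded binary blob."""
    runs = binary_runs(body)
    largest = max((body[s:e] for s, e in runs), key=len, default=b"")
    verdict = {
        "looks_like_jquery": body.lstrip().startswith(b"/*! jQuery"),
        "binary_runs": runs,
        "blob_entropy": round(shannon_entropy(largest), 2),
        "js_entropy": round(shannon_entropy(body[:runs[0][0]] if runs else body), 2),
    }
    # A JavaScript file should contain no sizeable binary run at all; the
    # entropy is reported so an analyst can separate an encrypted stage from
    # something benign such as an embedded non-ASCII string table.
    verdict["suspicious"] = bool(runs) and verdict["blob_entropy"] > 7.0
    return verdict


# --- constructed samples standing in for the jquery-3.3.1.slim.min.js response ---
JQ_HEAD = b"/*! jQuery v3.3.1 -ajax,-ajax/jsonp | (c) JS Foundation | jquery.org/license */\n"
JQ_BODY = (b"!function(e,t){\"use strict\";\"object\"==typeof module&&"
           b"\"object\"==typeof module.exports?module.exports=e.document?t(e,!0):"
           b"function(e){if(!e.document)throw new Error(\"jQuery requires a window\");"
           b"return t(e)}:t(e)}(\"undefined\"!=typeof window?window:this,function(e,t){"
           b"var n=[],r=e.document;return n;});\n") * 4
# Deterministic pseudo-random bytes standing in for the raw beacon stage.
FAKE_STAGE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN_RESPONSE = JQ_HEAD + JQ_BODY
MALICIOUS_RESPONSE = JQ_HEAD + JQ_BODY + FAKE_STAGE + JQ_BODY

if __name__ == "__main__":
    print("clean:    ", inspect_js_response(CLEAN_RESPONSE))
    print("malicious:", inspect_js_response(MALICIOUS_RESPONSE))
```

The entropy threshold matters in the other direction too: a profile that base64- or hex-encodes the stage before the append step produces printable bytes with lower entropy, so for those cases the complementary check is the script's size against the real jquery-3.3.1.slim.min.js (or simply its hash, since a CDN copy of a pinned jQuery version should never change).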

Figure 17: C2 communications

Using Hollows Hunter we were able to extract the final payload, Cobalt Strike, from ecmd's memory space.

Attribution

A precise attribution of this attack is a work in progress, but here we provide some insights into who might be behind it. Our analysis showed that the attackers excluded Russia and the US. The former could be a false flag, while the latter may be an effort to avoid the attention of US malware analysts.

As mentioned before, the domain hosting the remote template was registered in Hong Kong, while the C2 domain “time.updateeset[.]com” was registered on Feb 29, 2020 under the name of an Iranian company called Ehtesham Rayan. The company used to provide AV software and is seemingly closed now. However, these are not strong or reliable indicators for attribution.

Figure 11: whois registration information

In terms of TTPs, Chinese APT groups such as Mustang Panda and APT41 are known to use jQuery profiles with the Malleable C2 feature of Cobalt Strike. Specifically, the latest Mustang Panda campaign used the same Cobalt Strike feature with the same jQuery profile to download a final payload that is also Cobalt Strike. This is very similar to what we saw in this campaign; however, the initial infection vector and first payload differ in our case.

Indicators of Compromise

Lure document: Anadia Waleed resume.doc

Remote template: indexa.dotm

Remote template URL:



cf.ini shellcode after decryption:

Cobalt Strike downloaded shellcode:

Cobalt Strike payload:

The post Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature appeared first on Malwarebytes Labs.


VPNs: should you use them?

We're going to talk today about something you've likely heard of before: VPNs, or Virtual Private Networks. We at Malwarebytes have delved into these tools in greater depth before, and we've literally discussed them on the digital airwaves.

But we want to answer a question we've been getting more and more. Folks aren't as curious about what a VPN is anymore as they are about whether they should use one.

The answer is: it depends. And for that, we're here to help.

How a VPN works

To understand how a VPN works and whether you should use one, it is best to first understand what happens when you’re browsing the Internet. Whenever you open up a web browser and go to a website, you’re connecting to that website and exchanging information with it. This is your Internet “traffic,” and it can reveal quite a bit of information about you, including what websites you visit, your IP address, and more.

A VPN acts like a “tunnel” for your Internet traffic. Your traffic goes into the tunnel and emerges from one of the VPN service's exit nodes. The tunnel encrypts your data, making it undecipherable to your Internet Service Provider (ISP). At best, your ISP can see that some encrypted traffic is going to a VPN service, but not the contents of that traffic and not where it comes out.

The interesting thing to note here is that, with this basic functionality, a VPN can actually serve many different needs. As we wrote before:

Depending on who you ask, a VPN is any and all of these: [1] a tunnel that sits between your computing device and the Internet, [2] helps you stay anonymous online, preventing government surveillance, spying, and excessive data collection of big companies, [3] a tool that encrypts your connection and masks your true IP address with one belonging to your VPN provider, [4] a piece of software or app that lets you access private resources (like company files on your work intranet) or sites that are usually blocked in your country or region.

Without a VPN, your Internet Service Provider, or ISP, can see a great deal of what you do online: which hosts you connect to (from your DNS lookups and the server names in your TLS handshakes), what type of traffic it is, and where you are geographically. No bueno.

Obscuring your traffic with a VPN

If you use a VPN, your ISP knows you've connected to a VPN, but it cannot inspect the content of your traffic and does not know where it comes out at the other end.

Also, despite the recent surge in popularity, VPNs have been used by businesses for a long time. They are typically used to access resources remotely as if you were at the office.

In some cases we have even seen performance boosts from using a VPN, where artificial throttling is circumvented. Because you're tunneling your connection, your ISP can't peek at your traffic and throttle it based on the kind of traffic. Believe it or not, this is a real issue: some ISPs throttle users' traffic when they see file sharing, for example.

Consumer recommendations

There are several paths you can take when deciding to implement a VPN. Not only do these tools work on personal devices like laptops and mobile phones, but in some cases you can insert your own router into the mix.

In many cases, the router provided by your ISP is not a device that you fully control, and using it for your networking needs might expose you to security issues.

These devices sometimes have administrative functions that aren't accessible to subscribers. Some mid- to high-range routers on the market today allow you to put the VPN on the router, effectively encapsulating all your traffic.

The hardware route

A possible solution is to get such a router and install the VPN on it rather than on your individual machines. This has the added bonus of providing VPN protection to devices that don't support VPNs, like handhelds, consoles, and smart devices.

In the past, we have seen ISP hardware breached through hard-coded accounts on the modems/routers they offer to subscribers.

Sadly, ISP customer support often balks at helping out if you insert your own equipment into the mix. (In fact, they might make you remove it before they'll provide support.)

This solution is specific to each router and a bit more advanced.

The software route

You can also use the VPN application provided by your VPN provider. This application provides VPN tunneling for the computer it is installed on, and only that, so keep that in mind.

One of the strongest options to consider in a software solution is a “kill switch.” This ensures that if anything happens to the VPN application, it doesn't “fail open” and let Internet traffic through while the tunnel is down. Think about it: you're installing this application for the explicit purpose of tunneling your traffic. If the app malfunctions, there is a privacy risk in the app still letting you connect to the Internet while your traffic goes un-tunneled.

More than anything, a kill switch stops you operating under a false sense of security. What you say online, and the chance that it can be tied back to you, can draw attention in countries with far stricter laws on free speech.

Another factor that makes a VPN really perform is having a lot of exit nodes. These exit nodes are locations that can be used to circumvent geolocation restrictions; the more that are available, and the greater their variety, the more versatile and useful the VPN service is.

Speed is also a factor for VPN exit nodes. There's not much point in having a ton of exit nodes unless they're fast. One drawback of using a VPN is that adding these “hops” between nodes means your traffic takes longer to route; if the nodes are reasonably fast, the end user shouldn't notice significant slowdowns.

You should have a VPN provider that doesn't discriminate by the type of traffic flowing through its network. Some smaller VPNs lack the infrastructure to handle large volumes of peer-to-peer or BitTorrent traffic, and either ban it outright or impose data caps.

Final thoughts

Remember, when you're thinking about adopting one of these tools, you're transferring trust: when you use a VPN you transfer access to your traffic to a third party, the VPN provider. All the visibility that users balk at relinquishing to their ISP has now been handed over to the VPN provider, so careful consideration should be given to that provider's trustworthiness.

There are documented cases where it was revealed that a VPN provider's users could be de-anonymized, because the provider did in fact keep logs and was willing to turn them over.

Remember, VPNs should not be viewed as shadowy tools. They are, in actuality, business and privacy tools. They let the researchers who fight malware find out what that malware actually does. They let employees connect to company resources away from the office, which is of the utmost importance today. And they let you, the user, reclaim a measure of privacy.

It is therefore important to choose carefully. Most VPNs promise not to log or inspect your traffic, but in many cases this claim is impossible to verify.

The best option for VPNs, then? Read reviews, scour forums, and look for the functionalities that are important, specifically, to you. You may find what you’re looking for just around the corner.

The post VPNs: should you use them? appeared first on Malwarebytes Labs.


A week in security (June 8 – 14)

Last week on Malwarebytes Labs, we looked into nasty search hijackers that worried a lot of Chrome users; a list of considerations for MSPs when looking for an RMM platform; the complaint faced by ParetoLogic, the company behind SpeedyPC, a product that claims to find and remove various PC errors; and a ransomware attack that affected large companies such as Honda and the energy firm Enel.

Other cybersecurity news

Stay safe, everyone!

The post A week in security (June 8 – 14) appeared first on Malwarebytes Labs.
