Malware Analysis – Information Security Newspaper | Hacking News (https://www.securitynewspaper.com), feed last built Mon, 11 Dec 2023 23:52:42 +0000

How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks
https://www.securitynewspaper.com/2023/12/11/undetectable-forever-how-to-bypass-edrs-av-with-ease-using-8-new-process-injection-attacks/
Mon, 11 Dec 2023 23:49:54 +0000

The post How to Bypass EDRs, AV with Ease using 8 New Process Injection Attacks appeared first on Information Security Newspaper | Hacking News.

In the ever-evolving landscape of cybersecurity, researchers are continually uncovering new methods that challenge existing defense mechanisms. A recent study by SafeBreach, a leader in cybersecurity research, has brought to light a novel process injection technique that exploits Windows thread pools, revealing vulnerabilities in current Endpoint Detection and Response (EDR) solutions. This groundbreaking research not only demonstrates the sophistication of potential cyber threats but also underscores the need for advanced defensive strategies in the digital world. Thread pool exploitation is challenging for EDRs to detect because it uses legitimate system mechanisms for malicious purposes. EDRs often look for known patterns of malicious activity, but when malware hijacks legitimate processes or injects code via expected system behaviors, such as those involving thread pools, it can blend in without raising alarms. Essentially, these techniques don’t leave the typical traces that EDRs are programmed to identify, allowing them to operate under the radar.

Understanding Process Injection:

Process injection is a technique often used by cyber attackers to execute malicious code within the memory space of a legitimate process. By doing so, they can evade detection and gain unauthorized access to system resources. Traditionally, this method involves three key steps: allocating memory in the target process, writing the malicious code into this allocated space, and then executing the code to carry out the attack.

The Role of Windows Thread Pools:

Central to this new technique is the exploitation of Windows thread pools. Thread pools are a system feature for managing worker threads, which perform tasks in the background on behalf of applications. By reusing a pool of threads, they avoid the overhead of repeatedly creating and destroying threads, so in legitimate use they improve application performance and responsiveness. Thread pools are integral to the Windows operating system and are used by many applications for asynchronous work.

SafeBreach’s research delves into how these thread pools can be manipulated for malicious purposes. By exploiting the mechanisms that govern thread pool operations, attackers can inject malicious code into other running processes, bypassing traditional security measures. This technique presents a significant challenge to existing EDR solutions, which are typically designed to detect more conventional forms of process injection. Here are some examples of such manipulations:

  1. Inserting Malicious Work Items:
    • Attackers can insert malicious work items into the thread pool. These work items are essentially tasks scheduled to be executed by the pool’s worker threads. By inserting a work item that contains malicious code, an attacker can execute this code under the guise of a legitimate process.
  2. Hijacking Worker Threads:
    • An attacker might hijack the worker threads of a thread pool. By taking control of these threads, the attacker can redirect their execution flow to execute malicious code. This method can be particularly effective because worker threads are trusted components within the system.
  3. Exploiting Timer Queues:
    • Windows thread pools use timer queues to schedule tasks to be executed at specific times. An attacker could exploit these timer queues to schedule the execution of malicious code at a predetermined time, potentially bypassing some time-based security checks.
  4. Manipulating I/O Completion Callbacks:
    • Thread pools handle I/O completion callbacks, which are functions called when an I/O operation is completed. By manipulating these callbacks, an attacker can execute arbitrary code in the context of a legitimate I/O completion routine.
  5. Abusing Asynchronous Procedure Calls (APCs):
    • While not directly related to thread pools, attackers can use Asynchronous Procedure Calls, which are mechanisms for executing code asynchronously in the context of a particular thread, in conjunction with thread pool manipulation to execute malicious code.
  6. Worker Factory Manipulation:
    • The worker factory in a thread pool manages the worker threads. By manipulating the worker factory, attackers can potentially control the creation and management of worker threads, allowing them to execute malicious tasks.
  7. Remote TP_TIMER Work Item Insertion:
    • This involves creating a timer object in the thread pool and then manipulating it to execute malicious code. The timer can be set to trigger at specific intervals, executing the malicious code repeatedly.
  8. Queue Manipulation:
    • Attackers can manipulate the queues used by thread pools to prioritize or delay certain tasks. By doing so, they can ensure that their malicious tasks are executed at a time when they are most likely to go undetected.

These examples illustrate the versatility and potential stealth of using Windows thread pools for malicious purposes. The exploitation of such integral system components poses a significant challenge to cybersecurity defenses, requiring advanced detection and prevention mechanisms. The following are the thread pool work items that can be scheduled in Windows, with a note on how each one could be abused:

  1. Worker Factory Start Routine Overwrite: Overwriting the start routine can redirect worker threads to execute malicious code.
  2. TP_WORK Insertion: By inserting TP_WORK objects, attackers could run arbitrary code in the context of a thread pool thread.
  3. TP_WAIT Insertion: Manipulating wait objects can trigger the execution of malicious code when certain conditions are met.
  4. TP_IO Insertion: By intercepting or inserting IO completion objects, attackers could execute code in response to IO operations.
  5. TP_ALPC Insertion: Attackers could insert ALPC (Advanced Local Procedure Call) objects to execute code upon message arrival.
  6. TP_JOB Insertion: Jobs can be associated with malicious actions, executed when certain job-related events occur.
  7. TP_DIRECT Insertion: Direct insertion allows immediate execution of code, which can be abused for running malware.
  8. TP_TIMER Insertion: Timers can be used by attackers to schedule the execution of malicious payloads at specific times.

These vulnerabilities generally stem from the fact that thread pools execute callback functions, which attackers may manipulate to point to their code, thus achieving code execution within the context of a legitimate process.

Implications for Endpoint Detection and Response (EDR) Solutions

The research by SafeBreach Labs tested the newly discovered Pool Party variants against five leading EDR solutions: Palo Alto Cortex, SentinelOne EDR, CrowdStrike Falcon, Microsoft Defender For Endpoint, and Cybereason EDR. The result was startling, as none of the tested EDR solutions were able to detect or prevent the Pool Party attack techniques. This underscores the need for ongoing innovation in cybersecurity defense mechanisms to keep pace with evolving threats. The exploitation of Windows thread pools for process injection, as highlighted in the SafeBreach article, has significant implications for Endpoint Detection and Response (EDR) solutions. These implications necessitate a reevaluation and enhancement of current EDR strategies:

  1. Challenge to Traditional Detection Methods:
    • Traditional EDR solutions often rely on signature-based detection and known behavioral patterns to identify threats. However, the manipulation of Windows thread pools represents a more sophisticated attack vector that may not be easily detected through these conventional methods. This calls for an advancement in detection technologies.
  2. Need for Deeper System Monitoring:
    • EDR solutions must now consider deeper system monitoring, particularly focusing on the internals of operating systems like thread pool activities, thread creation, and execution patterns. This level of monitoring can help in identifying anomalies that are indicative of thread pool exploitation.
  3. Enhancing Behavioral Analysis Capabilities:
    • EDR systems need to enhance their behavioral analysis capabilities to detect unusual activities that could signify a threat. This includes monitoring for irregularities in thread pool usage, unexpected execution of code within thread pools, and other anomalies that deviate from normal system behavior.
  4. Integration of Advanced Heuristics:
    • Integrating advanced heuristics and machine learning algorithms can help EDR solutions become more proactive in detecting new and sophisticated attack methods. These technologies can learn from evolving attack patterns and adapt their detection mechanisms accordingly.
  5. Improving Response Strategies:
    • In addition to detection, EDR solutions must improve their response strategies to such threats. This includes automated containment measures, quick eradication of threats, and efficient recovery processes to minimize the impact of an attack.
  6. Collaboration and Threat Intelligence Sharing:
    • EDR vendors and cybersecurity experts need to collaborate and share threat intelligence actively. By understanding the latest attack trends and techniques, such as those involving thread pool exploitation, EDR solutions can be better equipped to protect against them.
  7. Educating Users and Administrators:
    • EDR solutions should also focus on educating users and system administrators about these new threats. Awareness can play a crucial role in early detection and response to sophisticated attacks.
  8. Regular Updates and Patch Management:
    • Continuous updating and patch management are crucial. EDR solutions must ensure that they are updated with the latest threat definitions and that they can identify vulnerabilities in systems that need patching or updates.
  9. Zero Trust Approach:
    • Implementing a zero trust approach can be beneficial. EDR solutions should treat every process and thread as a potential threat until verified, ensuring strict access controls and monitoring at all levels.
  10. Forensic Capabilities:
    • Enhancing forensic capabilities is essential for post-incident analysis. Understanding how an attack was carried out, including thread pool exploitation, can provide valuable insights for strengthening EDR strategies.

In summary, the exploitation of Windows thread pools for process injection presents a complex challenge for EDR solutions, necessitating a shift towards more advanced, intelligent, and comprehensive cybersecurity strategies.

Mitigation

Mitigating threats that involve the exploitation of Windows thread pools for process injection requires a multi-faceted approach, combining advanced technological solutions with proactive security practices. Here are some potential measures and recommendations:

  1. Enhanced Detection Algorithms:
    • Endpoint Detection and Response (EDR) solutions should incorporate advanced algorithms capable of detecting anomalous behaviors associated with thread pool manipulation. This includes unusual activity patterns in worker threads and unexpected changes in thread pool configurations.
  2. Deep System Monitoring:
    • Implement deep monitoring of system internals, especially focusing on thread pools and worker thread activities. Monitoring should include the creation of work items, modifications to timer queues, and the execution patterns of threads.
  3. Regular Security Audits:
    • Conduct regular security audits of systems to identify potential vulnerabilities. This includes reviewing and updating the configurations of thread pools and ensuring that security patches and updates are applied promptly.
  4. Advanced Threat Intelligence:
    • Utilize advanced threat intelligence tools to stay informed about new vulnerabilities and attack techniques involving thread pools. This intelligence can be used to update defensive measures continuously.
  5. Employee Training and Awareness:
    • Educate IT staff and employees about the latest cybersecurity threats, including those involving thread pool exploitation. Awareness can help in early detection and prevention of such attacks.
  6. Behavioral Analysis and Heuristics:
    • Implement security solutions that use behavioral analysis and heuristics to detect unusual patterns that might indicate thread pool exploitation. This approach can identify attacks that traditional signature-based methods might miss.
  7. Zero Trust Architecture:
    • Adopt a zero trust architecture where systems do not automatically trust any entity inside or outside the network. This approach can limit the impact of an attack by restricting access and permissions to essential resources only.
  8. Regular Software Updates:
    • Ensure that all software, especially operating systems and security tools, are regularly updated. Updates often include patches for known vulnerabilities that could be exploited.
  9. Isolation of Sensitive Processes:
    • Isolate sensitive processes in secure environments to reduce the risk of thread pool manipulation affecting critical operations. This can include using virtual machines or containers for added security.
  10. Incident Response Planning:
    • Develop and maintain a robust incident response plan that includes procedures for dealing with thread pool exploitation. This plan should include steps for containment, eradication, recovery, and post-incident analysis.

By implementing these measures, organizations can strengthen their defenses against sophisticated attacks that exploit Windows thread pools, thereby enhancing their overall cybersecurity posture.
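Two of the checks that the implications and mitigation lists above call for (deeper monitoring of cross-process access, and of thread creation and callback execution) as an added Python example; this is not SafeBreach's code and not any EDR vendor's logic. It runs over constructed telemetry: the event field names are loosely shaped after Sysmon's ProcessAccess and CreateRemoteThread events, the allowlist and the sensor path in it are hypothetical, and the Windows access-right constants are the documented values. The first rule flags a handle to another process that carries write, duplicate-handle or create-thread rights from a source that is not on the allowlist; the second flags a thread whose start address is not backed by any module loaded in the target, which is what an injected work-item callback looks like from the outside.

```python
from dataclasses import dataclass

# Windows process access rights an injector needs on a remote process (documented values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Source images that legitimately open other processes with these rights.
# Site-specific and constructed here; the sensor path is a hypothetical example.
ALLOWLISTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\exampleedr\sensor.exe",
}


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def check_process_access(ev: dict):
    """Flag a cross-process handle whose granted access includes write/dup/create-thread rights."""
    if ev["source_pid"] == ev["target_pid"]:
        return None  # a process opening itself is routine
    if ev["source_image"].lower() in ALLOWLISTED_SOURCES:
        return None
    hit = ev["granted_access"] & INJECTION_RIGHTS
    if not hit:
        return None
    return {"rule": "injection_capable_handle", "severity": "high",
            "source": ev["source_image"], "target": ev["target_image"], "rights": hex(hit)}


def check_thread_start(ev: dict, modules_by_pid: dict):
    """Flag a thread (or thread-pool callback) whose start address is not backed by a loaded module."""
    mods = modules_by_pid.get(ev["pid"])
    if mods is None:
        # Edge case: no image-load data for this process, so the rule cannot decide; say so.
        return {"rule": "module_map_unavailable", "severity": "info",
                "pid": ev["pid"], "start_address": hex(ev["start_address"])}
    for m in mods:
        if m.contains(ev["start_address"]):
            return None  # backed by a known image: normal
    return {"rule": "unbacked_thread_start", "severity": "high",
            "pid": ev["pid"], "start_address": hex(ev["start_address"])}


def run_rules(events, modules_by_pid):
    """Apply both rules in event order and collect the findings."""
    findings = []
    for ev in events:
        if ev["type"] == "ProcessAccess":
            f = check_process_access(ev)
        else:
            f = check_thread_start(ev, modules_by_pid)
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real EDR output). PID 4242 is a notepad.exe instance
# whose loaded modules we know; PID 9999 has no module map.
SAMPLE_MODULES = {
    4242: [Module("notepad.exe", 0x7FF700000000, 0x40000),
           Module("ntdll.dll", 0x7FF812340000, 0x1F0000)],
}
SAMPLE_EVENTS = [
    {"type": "ProcessAccess", "source_pid": 620, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_pid": 4242, "target_image": "notepad.exe", "granted_access": 0x1FFFFF},
    {"type": "ProcessAccess", "source_pid": 7001, "source_image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "target_pid": 4242, "target_image": "notepad.exe", "granted_access": 0x0068},
    {"type": "ProcessAccess", "source_pid": 3100, "source_image": r"C:\Windows\explorer.exe",
     "target_pid": 4242, "target_image": "notepad.exe", "granted_access": 0x1000},
    {"type": "ThreadStart", "pid": 4242, "start_address": 0x7FF812345678},  # inside ntdll.dll
    {"type": "ThreadStart", "pid": 4242, "start_address": 0x1E3F0000},      # unbacked memory
    {"type": "ThreadStart", "pid": 9999, "start_address": 0x7FF812345678},  # no module map
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS, SAMPLE_MODULES):
        print(finding)
```

A rule like the second one is only as good as the module map it is given; the `module_map_unavailable` finding makes that gap visible instead of silently passing, and a real deployment would feed it from a live image-load stream rather than a static dictionary.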

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks
https://www.securitynewspaper.com/2023/11/23/how-hrserver-dll-stealthy-webshell-can-mimic-googles-web-traffic-to-hide-and-compromise-networks/
Fri, 24 Nov 2023 00:00:40 +0000

In a striking revelation shaking the cybersecurity world, researchers have unearthed a sophisticated web shell, dubbed ‘HrServ,’ hidden within a seemingly innocuous DLL file, ‘hrserv.dll.’ This discovery, emerging from routine cybersecurity investigations, uncovers a new depth in the sophistication of cyber attacks, challenging existing defense mechanisms.

The Alarming Emergence of Web Shells in Cyber Warfare

Web shells, a relatively obscure term outside cybersecurity circles, represent a formidable threat in the digital age. They are malicious scripts or programs that hackers deploy on compromised web servers, enabling remote access and control. The discovery of HrServ marks a significant escalation in this digital arms race. Typically, web shells are rudimentary in nature, but HrServ breaks this mold with its advanced capabilities and stealthy operations, setting a new benchmark for cyber threats.

Stumbling Upon ‘HrServ’

The journey to unearthing HrServ began with the routine analysis of suspicious files. Researchers stumbled upon ‘hrserv.dll,’ initially not appearing to deviate from the norm. However, closer inspection revealed its true nature. The web shell exhibited unprecedented features, including custom encoding methods for client communications and the ability to execute commands directly in the system’s memory, a tactic that significantly complicates detection.

Decoding HrServ’s Sophisticated Mechanics

HrServ’s infection chain starts with the creation of a scheduled task named ‘MicrosoftsUpdate,’ which further executes a batch file. This file then facilitates the copying of ‘hrserv.dll’ into the crucial System32 directory, effectively embedding the malware deep within the system. From here, HrServ springs to life, initiating an HTTP server and managing client-server communication with intricate custom encoding, involving Base64 and FNV1A64 hashing algorithms.

The Ingenious GET Parameter Technique

One of the most striking aspects of HrServ is its use of a GET parameter, ‘cp’, to drive its HTTP request handling: specific values of this parameter in the URL of a request trigger different functions within the malware. For example:

  • GET with cp=0: Calls VirtualAlloc, copies a custom decoded NID cookie value, and creates a new thread.
  • POST with cp=1: Creates a file and writes the custom decoded POST data to it.
  • GET with cp=2: Reads a file using the custom decoded NID cookie value and returns it in the response.
  • GET with cp=4 or cp=7: Returns Outlook Web App HTML data.
  • POST with cp=6: Indicates a code execution process, copying decoded POST data to memory and creating a new thread.

This technique allows the malware to perform various actions based on the HTTP request it receives, making it a versatile and dangerous tool for attackers. The use of common parameters like those found in Google services could also help mask the malicious traffic, blending it with legitimate web traffic and making detection more challenging.
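An added example, written for this article and not taken from the researchers who analysed HrServ, showing how the cp dispatch above can be turned into a triage rule over web server access logs. The log lines are constructed; the log format (Apache combined plus a trailing quoted Cookie header) and the severity levels are my assumptions; the dispatch table is the list above. A Google NID cookie presented to a server that is not Google's is recorded with each finding, since the article notes the malware borrows Google-style parameters to blend in. The `fnv1a64` function is the reference FNV-1a 64-bit hash the article names; the article does not say what HrServ applies it to, so it is included only so its constants can be recognised in a sample.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Behaviour per (method, cp value), as listed in the write-up above, with an assumed severity.
HRSERV_DISPATCH = {
    ("GET", "0"): ("high", "VirtualAlloc + new thread from decoded NID cookie (in-memory execution)"),
    ("POST", "1"): ("medium", "write decoded POST data to a file"),
    ("GET", "2"): ("medium", "read file named by decoded NID cookie and return it"),
    ("GET", "4"): ("low", "serve Outlook Web App decoy HTML"),
    ("GET", "7"): ("low", "serve Outlook Web App decoy HTML"),
    ("POST", "6"): ("high", "copy decoded POST data to memory + new thread (code execution)"),
}

# Assumed log format: Apache combined, followed by the request's Cookie header in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (not real HrServ traffic); cookie values are arbitrary base64-looking text.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Nov/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [23/Nov/2023:10:01:07 +0000] "GET /?cp=0 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "NID=511=c29tZXRoaW5n"
10.0.0.9 - - [23/Nov/2023:10:01:09 +0000] "POST /?cp=6 HTTP/1.1" 200 12 "-" "Mozilla/5.0" "NID=511=ZGF0YQ"
10.0.0.5 - - [23/Nov/2023:10:02:30 +0000] "GET /?cp=4 HTTP/1.1" 200 8831 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [23/Nov/2023:10:03:00 +0000] "GET /?cp=9 HTTP/1.1" 404 0 "-" "Mozilla/5.0" "-"
"""


def parse_line(line: str):
    """Parse one log line into a dict (adds the cp value and an NID-cookie flag), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["cp"] = query.get("cp", [None])[0]
    rec["has_nid_cookie"] = "NID=" in rec["cookie"]
    return rec


def triage_request(rec: dict):
    """Return a finding if (method, cp) matches the HrServ dispatch table, else None."""
    key = (rec["method"], rec["cp"])
    if key not in HRSERV_DISPATCH:
        return None
    severity, behaviour = HRSERV_DISPATCH[key]
    return {"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"], "cp": rec["cp"],
            "severity": severity, "behaviour": behaviour,
            "nid_cookie_on_non_google_host": rec["has_nid_cookie"]}


def triage_log(text: str):
    """Run the triage over every parseable line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = triage_request(rec)
        if finding:
            findings.append(finding)
    return findings


FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3


def fnv1a64(data: bytes) -> int:
    """Reference FNV-1a 64-bit hash (the algorithm the write-up names in HrServ's encoding)."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & 0xFFFFFFFFFFFFFFFF
    return h


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['method']} cp={f['cp']} "
              f"nid={f['nid_cookie_on_non_google_host']} :: {f['behaviour']}")
```

On a real server the same rule should be scoped to hosts that are not Google properties; an NID cookie and a bare `cp` parameter arriving at an internal IIS box have no legitimate reason to appear together.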

Mimicking Google’s Web Traffic Patterns

In a cunning move to evade detection, HrServ’s communication pattern is modeled to mimic Google’s web services. This resemblance is not accidental but a deliberate attempt to blend malicious traffic with legitimate web services, making it a needle in a digital haystack for network monitoring systems.

The Afghan Government Entity: A Sole Victim with Global Implications

Remarkably, the only known victim of HrServ, as per the available data, was a government entity in Afghanistan. This targeted approach hints at the possibility of state-sponsored cyber espionage, although the attribution remains unclear. The implications of such a sophisticated attack extend far beyond a single entity, posing a stark reminder of the vulnerabilities inherent in digital infrastructures worldwide.

Unraveling the Mystery: Who is Behind HrServ?

The origins and affiliations of the HrServ creators remain shrouded in mystery. However, certain clues point towards a non-native English-speaking group, deduced from language patterns and technical intricacies observed in the malware. Moreover, the use of specific parameters akin to those in Google services suggests a high level of sophistication and understanding of global web traffic patterns.

Looking Ahead: A Cybersecurity Challenge for the Future

The discovery of HrServ represents a watershed moment in the ongoing battle between cybercriminals and defenders. Its sophisticated design, evasive techniques, and targeted application signify a new era in cyber threats, one where traditional defense mechanisms may no longer suffice. As cybersecurity experts continue to dissect and understand HrServ, the digital world braces for future challenges, emphasizing the ever-evolving nature of cyber threats and the perpetual need for innovative defense strategies.

How TrafficStealer utility allows anyone to earn money via vulnerable Docker containers
https://www.securitynewspaper.com/2023/04/26/how-trafficstealer-utility-allows-anyone-to-earn-money-via-vulnerable-docker-containers/
Wed, 26 Apr 2023 22:57:06 +0000

Researchers at TrendMicro have uncovered a new risk to Docker containers, a piece of malware that they have called “TrafficStealer.” The purpose of this program is to earn income by influencing web traffic and ad interaction via the use of containers. The threat was first recognized when one of their containerized honeypots was found to be running a program that was foreign to them.

During analysis, they discovered that one of those honeypots had collected a dataset, an uncommon occurrence given that they had not programmed the honeypots to do so. Instead of cryptocurrency-mining software or Linux commands that were probably performing espionage, they found an unknown application operating in the background: a container that was exploiting the laboratory network to make money by sending visitors to particular websites and interacting with advertisements. The attackers had turned the honeypot into a revenue-generating machine for themselves, but they had also left behind enough information for the researchers to understand their strategies and extract significant lessons from the experience.

TrafficStealer functions by using a variety of methods, including web crawling and click simulation. Web crawling here means searching the internet for websites with a high potential for advertising income, and click simulation means generating false clicks on the advertisements shown on such websites. This inflates apparent engagement, which ultimately results in more ad income for the attackers. Because all of the traffic exchanged with the server is encrypted, the activity is suspicious.

The container image that was discovered in the environment was uploaded by a service that provides something called “traffic monetization.” However, in this situation, the service offers to pay users who are willing to install the piece of software that accepts traffic from various mobile app users and proxies it through this container app. The phrase may be employed in a wider sense and indicate multiple sorts of services, but in this instance, the service promises to pay users who install the software. It is speculated that the subscriber will be compensated monetarily in exchange for the routing of the other subscriber’s network traffic via the subscriber’s very own network. Upon registering for the service, the user is provided with a one-of-a-kind token that acts as an ID. This token will thereafter be customized and utilized for the purpose of collecting any potential income.

There is no visibility on the traffic being handled by the subscriber’s device while it is being used as a proxy after the software or container belonging to the attacker has been installed or started.

The piece of software, which has been given the name “TrafficStealer,” accomplishes its goals by using a variety of operational modes. The developers assert that there is nothing unlawful in the traffic, but at the same time, they assert that they do not own any of the traffic that is created on the client. This assertion is based on the premise that victims are the ones who are operating the container and the application.

The whole of the data sent to and received from the server is encoded, and the connection takes place over an odd TCP port, both of which raise questions about the activities. Customers that are seeking to gauge how well their advertisements are doing not only have to pay for the use of their networks’ traffic but also have to deal with the unknown traffic that is being routed via their networks.

When using the official service, the user is required to register an account in order to generate a token that can be used as a parameter. Additionally, the user is required to create a one-of-a-kind ID in order to operate the service locally. The malicious actor that hacked into the system had their token hard-coded and sent along to the container setup as a parameter.

In searching code repositories for a similar pattern of behavior, they found the same pattern in Dockerfile and docker-compose.yaml files, and in some cases in the YAML files used by cloud pipelines. YAML configuration files give applications and software some structure for assigning settings and parameters, while a cloud pipeline automates the deployment, operation, and modification of cloud services. In this scenario, the developers and publishers of these YAML files automated the publishing of the configuration file and its deployment to the cloud, which leads to quicker deployment of the malicious service, more automation, and, most crucially, greater attack scale. Given these files and behaviors, the attacker’s revenue increases in proportion to the number of runners deployed.
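An added example (not Trend Micro's tooling) of a lightweight scan for the pattern described above: a hard-coded, token-like argument handed to a container through a Dockerfile instruction or a compose `command`/`environment` entry. The sample Dockerfile and compose fragment are constructed, including the token value and the registry name; the line-selection regex, the token shape and the entropy threshold are my assumptions.

```python
import math
import re

# Lines where a runtime parameter can be baked in: Dockerfile instructions that carry arguments,
# compose service keys, and compose environment list items (- NAME=value). Assumed selection.
PARAM_LINE_RE = re.compile(
    r"^\s*(?:"
    r"(?:CMD|ENTRYPOINT|ENV|ARG|RUN)\b"
    r"|(?:command|entrypoint)\s*:"
    r"|-\s*[A-Za-z_][A-Za-z0-9_]*="
    r")",
    re.IGNORECASE,
)
# Shape of a hard-coded token: 20+ unbroken letters/digits/_/-. Paths, URLs and image
# references contain '/', '.' or ':' and therefore never match as a single word.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; plain words and version tags score low."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_token(word: str, min_entropy: float = 3.5) -> bool:
    """Letters and digits mixed, and enough entropy not to be a word, flag name or image tag."""
    has_alpha = any(ch.isalpha() for ch in word)
    has_digit = any(ch.isdigit() for ch in word)
    return has_alpha and has_digit and shannon_entropy(word) >= min_entropy


def scan_build_file(text: str):
    """Return [{line, token, text}] for every token-like argument on a parameter-carrying line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not PARAM_LINE_RE.match(line):
            continue
        for word in TOKEN_RE.findall(line):
            if looks_like_token(word):
                findings.append({"line": lineno, "token": word, "text": line.strip()})
    return findings


# Constructed samples; the token and registry host are invented for the example.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
RUN pip install --no-cache-dir requests==2.31.0
ENV APP_MODE=proxy
ENTRYPOINT ["python", "/app/agent.py"]
CMD ["--token", "Zk7pQ2vX9mL4rT8wN1bH6yD3", "--port", "45123"]
"""

SAMPLE_COMPOSE = """\
services:
  runner:
    image: registry.example.test/traffic-client:1.4.2
    command: ["--id", "Zk7pQ2vX9mL4rT8wN1bH6yD3"]
    environment:
      - LOG_LEVEL=info
"""

if __name__ == "__main__":
    for label, text in (("Dockerfile", SAMPLE_DOCKERFILE), ("docker-compose.yaml", SAMPLE_COMPOSE)):
        for f in scan_build_file(text):
            print(f"{label}:{f['line']}: possible hard-coded token {f['token']!r} in: {f['text']}")
```

The scan is deliberately narrow: it looks only at lines that hand arguments to the container, so an image digest or a pinned package version elsewhere in the file does not trip it, and a hit is a prompt to ask where that value came from and what the container does with it.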

The image that was used to infect the honeypot was downloaded 500,000 times from Docker Hub alone, which resulted in 15 MB of data being processed in a couple of seconds. The discovery of this containerized version of TrafficStealer demonstrates how threat actors modify their tactics in order to make the most of emerging platforms and popular software. There is a possibility that some of the customers who are aware of this service and who are ostensibly benefiting from it are not really reaping the returns that were promised on capital costs such as the original membership fee that they paid for cloud services. On the other hand, it’s possible that some people are blindly running it and making income for the attackers without even realizing it. This suggests that there will be reductions in the fees collected for cloud services. In addition, the users did not provide permission for the piece of software to operate on their individual environments (in particular as a PUA), and as a result, it is quite probable that they do not have any control over the traffic that utilizes the network as a proxy. In the event that the network is being used for illegal actions, the IP address of the person or organization that is using it without their knowledge is the one that is recorded.

The new LockBit Ransomware for MacOS sounds scary, but its code is so dumb
https://www.securitynewspaper.com/2023/04/18/the-new-lockbit-ransomware-for-macos-sounds-scary-but-its-code-is-so-dumb/
Tue, 18 Apr 2023 23:48:09 +0000

According to information provided by MalwareHunterTeam, the LockBit ransomware gang is purportedly working on a new kind of malware that is capable of encrypting data on Apple macOS. Since LockBit has traditionally concentrated on Linux and Windows devices, this would be the first time the malware would target Mac computers specifically.

The ransomware firm is well-known for its RaaS business model, in which it rents ransomware to hackers in exchange for payment. This new piece of malicious software has been given the name locker_Apple_M1_64, and it also exists in PowerPC-specific variants. According to Vx-Underground, a site that analyzes malware samples, locker_Apple_M1_64 was first seen targeting Mac computers in November 2022. It is not detected by any of the anti-malware engines on VirusTotal, and very little information about it has surfaced since the autumn of last year.

Researchers have observed that the LockBit ransomware gang is broadening the scope of its attacks by going after Macs, a major development in the strategies it uses. Although the sample can be executed on Macs, it does not pose a significant threat, for several reasons. Because the sample that Wardle evaluated was not signed with a trusted certificate, macOS would not allow it to run.

Even if the malicious software did run on a macOS device, Apple’s file system protections, such as Transparency, Consent, and Control (TCC), would limit the damage it could do to the system. In addition, the malicious software contained flaws, which led experts to conclude that it was not yet fit for use.

In a post on his blog, experts said that the ransomware had a number of bugs and weaknesses, including buffer overflows that result in the program terminating itself prematurely. The introduction of a macOS variant of malware targeting Mac machines by the LockBit ransomware gang is a major breakthrough in the group’s assault techniques. However, according to the findings of Apple’s research, the most recent version of the malicious software does not present a significant threat to macOS computers because of the safety precautions that have been taken.

The new black version of Lockbit ransomware is even more destructive and difficult to detect
https://www.securitynewspaper.com/2023/03/17/the-new-black-version-of-lockbit-ransomware-is-even-more-destructive-and-difficult-to-detect/
Fri, 17 Mar 2023 23:40:49 +0000

A joint advisory from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) distributes known LockBit 3.0 ransomware indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) identified during FBI investigations as recently as March 2023.

LockBit 3.0 is a continuation of the LockBit 2.0 and LockBit ransomware programs and operates under a Ransomware-as-a-Service (RaaS) model. LockBit has functioned as an affiliate-based ransomware variant since January 2020; affiliates deploying LockBit RaaS use a broad variety of TTPs against a wide range of enterprises and critical infrastructure organizations, which can make it difficult to defend networks effectively or mitigate the effects of an attack.

LockBit 3.0, also known as “LockBit Black,” is an updated version of the ransomware that is more modular and evasive than its earlier incarnations. It also shares characteristics with the BlackMatter and BlackCat malware.

LockBit 3.0 is customized at compile time with a wide variety of options, each of which influences how the ransomware behaves. When the ransomware is actually executed inside a victim’s environment, numerous arguments can be supplied to further adjust its behavior. For instance, LockBit 3.0 accepts extra arguments for some actions, such as lateral movement and rebooting into Safe Mode (see LockBit Command Line parameters under Indicators of Compromise). If a LockBit affiliate does not have access to a passwordless LockBit 3.0 build, executing the ransomware requires a password argument; affiliates who fail to supply the correct password cannot run it. The password serves as a cryptographic key that decrypts the LockBit 3.0 executable. By encrypting its code so that it is unreadable and cannot be executed without the key, LockBit 3.0 hinders malware detection and analysis. Because the encrypted portion of the executable changes with the key used for encryption, each build carries a unique hash, so signature-based detections may fail to identify the LockBit 3.0 executable. Given the correct password, LockBit 3.0 decrypts its main component, continues decrypting or decompressing its code, and finally runs the ransomware.

LockBit 3.0 only infects machines whose language settings do not match a specified exclusion list. A configuration flag set at compile time determines whether the system language is actually checked at runtime. The exclusion list includes, but is not limited to, Romanian (Moldova), Arabic (Syria), and Tatar (Russia). If LockBit 3.0 finds a language from the exclusion list [T1614.001], it halts execution and does not infect the system.

To reduce the likelihood of ransomware attacks and lessen their severity when they do occur, the FBI, CISA, and MS-ISAC advise organizations to implement the recommended mitigations.

691 malicious npm packages and 49 PyPI components containing crypto-miners, remote access Trojans discovered https://www.securitynewspaper.com/2023/02/13/691-malicious-npm-packages-and-49-pypi-components-containing-crypto-miners-remote-access-trojans-discovered/ Mon, 13 Feb 2023 19:51:07 +0000

Security researchers have discovered yet another sizable haul of malicious packages on the open source registries npm and PyPI, packages that could cause problems if developers installed them without realizing it. The haul includes a number of different packages that all contain the same malicious package.go file, a Trojan developed to mine cryptocurrency on Linux machines. According to Sonatype, sixteen of these were traced back to the same actor, known as trendava, who has since been removed from the npm registry.

Other discoveries include PyPI malware called “minimums,” which checks for the presence of a virtual machine (VM) before carrying out its intended function. The goal is to thwart security researchers, who frequently run suspected malware in VMs to learn more about the threat.

With the discoveries made by Sonatype’s AI tooling, the total number of packages identified as malicious, suspicious, or proof-of-concept since 2019 has nearly reached 107,000.

The security vendor also found a new piece of Python malware that combines the capabilities of a remote access tool (RAT) and an information stealer.

Last but not least, it discovered a suspicious-looking developer going by the name “infinitebrahamanuniverse” who uploaded more than 33,000 packages describing themselves as sub-packages of “no-one-left-behind,” or “nolb.” The latter was removed a week earlier after the npm security team discovered that it depended on every other publicly available npm package. Now consider a malicious actor exploiting this dependency to launch an attack. Such a threat actor could mount a Denial of Service (DoS) attack against a company’s download channel by adding the dependency to a typosquatting package, wasting developers’ time by forcing them to wait for their npm environment to be ready. Installing a package with this dependency can also consume excessive resources. If you have been following along with this series, you should already be aware that the events described here are not implausible.

Majority of the ransomware gangs used this packer to bypass antivirus and encrypt devices https://www.securitynewspaper.com/2023/02/02/majority-of-the-ransomware-gangs-used-this-packer-to-bypass-antivirus-and-encrypt-devices/ Thu, 02 Feb 2023 23:24:04 +0000

Packers are becoming an increasingly important tool for cybercriminals. On hacker forums, a packer is sometimes referred to as a “Crypter” or “FUD.” Its primary function is to make malicious code harder for antivirus systems to identify; with a packer, malicious actors can distribute their malware more quickly and with fewer consequences. One of the primary qualities of a commercial Packer-as-a-Service is that it is payload-agnostic: it can be used to pack a variety of different harmful samples, which opens up many opportunities for cybercriminals. Another key quality of the packer is that it is transformative: because the packer’s wrapper is changed frequently, it evades detection by security products.

According to Check Point, TrickGate is a good illustration of a robust and resilient packer-as-a-service. It has stayed under the radar of security researchers for a number of years and is consistently improving in a variety of ways.

Although a great deal of good research has been done on the packer itself, TrickGate is a master of disguise and has been given a number of different names because it has so many different characteristics, including “TrickGate,” “Emotet’s packer,” “new loader,” “Loncom,” and “NSIS-based crypter.”

Check Point first observed TrickGate at the end of 2016, when it was used to spread the Cerber malware. Since then, the researchers have continued studying TrickGate and have found it used to propagate many kinds of malicious tools, including ransomware, RATs, information stealers, banking Trojans, and miners. A significant number of APT groups and threat actors regularly use TrickGate to wrap their malicious code in order to evade detection by security solutions. Some of the most well-known and widely distributed malware families have been wrapped by TrickGate, including Cerber, Trickbot, Maze, Emotet, REvil, CoinMiner, Cobalt Strike, DarkVNC, BuerLoader, HawkEye, NetWire, AZORult, Formbook, Remcos, Lokibot, AgentTesla, and many more.

The initial access used by the packer’s customers varies enormously. The researchers monitor packed samples, which propagate mostly via phishing emails with malicious attachments, as well as through malicious URLs.

The second stage is the shellcode loader, which is responsible for decrypting and executing the shellcode.

The researchers found three distinct programming languages used for the shellcode loader: NSIS script, AutoIT script, and C, each achieving similar functionality. The shellcode is the packer’s central component; it decrypts the payload and then covertly injects it into a new process. The payload is the actual malicious code, responsible for carrying out the intended malicious action. Payloads differ for each actor, depending on how they used the packer.

It is interesting to see how TrickGate performs direct syscalls, since it employs a method similar to Hell’s Gate, a technique first shown publicly in 2020 as a mechanism to dynamically obtain and invoke syscall numbers directly.

The researchers produced strings that correlate the most prevalent malware of the last six years with a single Packer-as-a-Service, TrickGate. These strings had to be constructed because TrickGate’s transformative capabilities make it difficult to detect and track. When trying to identify a threat, a solid understanding of the components that make up the packer is essential, because blocking the packer provides protection at an earlier stage, before the payload begins to run.

Researchers tend to concentrate on the actual malware and leave the packer stub alone, so packers receive less attention than they otherwise would. Once detected, however, the packer can be used as a focal point for identifying new or previously undisclosed malware.

This new android malware allows to hack & spy on any Android phone https://www.securitynewspaper.com/2023/01/20/this-new-android-malware-allows-to-hack-spy-on-any-android-phone/ Fri, 20 Jan 2023 21:01:18 +0000

Cybercriminals are now selling a new piece of Android malware called “Hook,” which boasts the ability to remotely take control of mobile devices in real time via VNC (virtual network computing). The malware is promoted as having been “built from scratch,” which is questionable, since the bulk of the code base is still the one created by Ermac. That code base includes some instructions in Russian that show unwarranted anxiety about the world.

This iteration of the malware does include quite a few changes compared to its predecessor; nonetheless, it is clearly an upgrade and enhancement of earlier versions of Ermac. A plausible explanation is that the criminals, adopting a common marketing tactic, decided to launch a new brand with their latest product rather than keep the existing one, which was associated mainly with cryptowallet activity and the exfiltration of personally identifiable information (PII). After successful installation and configuration, the bot attempts to communicate with its C2 server using standard HTTP traffic.

In its connection with the C2 server, Hook employs the same encryption methods as Ermac: the data is first encoded in Base64 and then encrypted with AES-256-CBC using a hardcoded key. In addition to the HTTP traffic used in earlier Ermac versions, this new variant also uses WebSocket communication. The implementation depends on Socket.IO, a library layered over HTTP and WebSocket that allows real-time, bidirectional communication between web clients and servers. This is the channel over which the bot registers itself with its server, transmits the list of applications installed on the device, and downloads a list of targets.
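The two-layer encoding described above (Base64 first, then AES-256-CBC with a hardcoded key) is what an analyst has to peel back to read captured Hook or Ermac C2 traffic once the key has been recovered from the sample. The following is an added example written for this article, not code from Hook, Ermac, or ThreatFabric. It assumes PKCS7 padding, a 16-byte IV prepended to the ciphertext, and a placeholder key; the article specifies none of these, so adjust them to whatever the sample actually does. It relies on the `cryptography` package, and the sample message is constructed for the example.

```python
import base64
import os
from typing import Optional

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# PLACEHOLDER: a 32-byte stand-in for the hardcoded key an analyst would
# recover from the decompiled sample. Constructed for this example only.
PLACEHOLDER_KEY = bytes(range(32))

# Assumption: a 16-byte CBC IV is prepended to the ciphertext on the wire.
# The article does not describe IV handling; adapt once the sample is read.
IV_LEN = 16


def encode_message(plaintext: bytes, key: bytes, iv: Optional[bytes] = None) -> bytes:
    """Base64-encode, then AES-256-CBC encrypt (PKCS7 padding assumed).

    Used here only to build a constructed sample. The layer order mirrors
    the article's description: Base64 first, then AES-256-CBC.
    """
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    iv = os.urandom(IV_LEN) if iv is None else iv
    b64 = base64.b64encode(plaintext)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(b64) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def decode_message(blob: bytes, key: bytes) -> bytes:
    """Reverse the layers: split off the IV, AES-256-CBC decrypt, strip
    PKCS7 padding, then Base64-decode to recover the bot's message."""
    if len(key) != 32:
        raise ValueError("AES-256 requires a 32-byte key")
    if len(blob) < IV_LEN + 16 or (len(blob) - IV_LEN) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    iv, ct = blob[:IV_LEN], blob[IV_LEN:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    b64 = unpadder.update(padded) + unpadder.finalize()
    # validate=True rejects any byte outside the Base64 alphabet, which is
    # how a wrong key normally shows up: decryption yields random bytes.
    return base64.b64decode(b64, validate=True)


def try_decode(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decode a captured message, returning None instead of raising on a
    wrong key, bad padding or a truncated capture, so an analyst can sweep
    a list of candidate keys over a pcap without the loop aborting."""
    try:
        return decode_message(blob, key)
    except ValueError:  # binascii.Error (bad Base64) is a ValueError subclass
        return None


# Constructed sample: a registration-style message such a bot might send.
# The JSON field names are invented for the example, not taken from Hook.
SAMPLE_PLAINTEXT = b'{"type":"register","apps":["com.example.bank"],"id":"test-device"}'
SAMPLE_IV = bytes(16)  # fixed IV so the constructed blob is reproducible
SAMPLE_BLOB = encode_message(SAMPLE_PLAINTEXT, PLACEHOLDER_KEY, SAMPLE_IV)

if __name__ == "__main__":
    print(try_decode(SAMPLE_BLOB, PLACEHOLDER_KEY))  # the sample message
    print(try_decode(SAMPLE_BLOB, bytes(32)))        # wrong key -> None
```

Because the Base64 layer sits inside the encryption, a successful Base64 decode is a cheap sanity check that the right key was used; with the wrong key the unpadding or the alphabet check fails long before any JSON parsing is attempted.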


The most significant improvement in capabilities comes from a component known as VNC (virtual network computing). Strictly speaking, VNC is a specific screen-sharing and remote-control protocol, but threat actors have been using the term for any kind of functionality found in a Remote Access Tool (RAT). In Hook’s case, this is accomplished by interacting, via the Accessibility Services, with the many UI components needed to carry out a broad variety of tasks.

Hook thus joins the ranks of malware families capable of full device takeover (DTO), completing a full fraud chain without any extra channels, from the exfiltration of personally identifiable information all the way through the transaction. The fact that fraud scoring systems have a far harder time identifying this kind of activity is the primary selling point for Android bankers.

The malware can simulate a broad variety of user actions on the device, including clicking, filling in text fields, and executing gestures. This is the list of new commands associated with the reported RAT features.

As with earlier iterations of Ermac, the target list is comprehensive and comprises establishments from all over the globe.

The actor promises buyers more than a hundred targets, the vast majority of them the same as those available in earlier editions of Ermac. This updated version, however, includes hundreds of additional targets, some of them social applications and others financial applications. New targets include establishments in South America, Asia, Africa, and the Middle East.

You may obtain a quick review of the areas that Hook focuses on the most by looking at the following:

Recent events surrounding Hook, the newest member of the Ermac malware family, point in a very specific direction. Hook now belongs to the very dangerous class of malware that can carry out a whole attack chain, from infection to fraudulent transaction. In addition, it comes with new features typical of spyware, which let criminals monitor and spy on the device, giving them complete visibility not only into the victim’s financial information but also into their messaging and geolocation, and control over the files stored on the phone. As mentioned earlier, the Ermac family was one of the most widely distributed malware families in 2022. Now, with the release of its latest development, Hook, ThreatFabric anticipates that Ermac will make the final quality leap and join Hydra and ExobotCompact/Octo on the podium of Android bankers available for rent.

The most dangerous keylogger malware of 2022: Snake Keylogger https://www.securitynewspaper.com/2022/07/13/the-most-dangerous-keylogger-malware-of-2022-snake-keylogger/ Wed, 13 Jul 2022 19:26:46 +0000

Check Point Research, the threat intelligence division of Check Point, a leading global cybersecurity provider, has released its Global Threat Index for June 2022. Researchers found that Emotet remains the number one malware and has increased its global incidence by around 6%. Continuing last month’s climb, Snake Keylogger moved into the top three, taking Formbook’s position, though both remain far behind Emotet.

Emotet affected 14% of organizations around the world in June, almost double the previous month. This malware is highly profitable thanks to its ability to go unnoticed, and its persistence makes it difficult to remove once a device is infected, making it the perfect tool in a cybercriminal’s arsenal. Conceived as a banking Trojan, it is often distributed via phishing emails and can embed other malware, increasing its ability to cause widespread damage.

Other malware that has increased its presence includes Raspberry Robin, GuLoader, and Wacatac. The first was discovered a few months ago (September 2021); it is distributed via infected USB drives and uses various legitimate Windows functionalities to communicate with its C&C servers and execute malicious payloads. GuLoader first appeared in December 2019 and was used to download Parallax RAT, but has since been applied to other remote access Trojans such as Netwire, FormBook, and Agent Tesla. Lastly, Wacatac is a Trojan that locks files but does not encrypt them like typical ransomware. When Wacatac infiltrates a user’s system, it renames the target files by appending a “.wctw” extension; the lack of data encryption makes this threat reversible. Wacatac is normally spread via spam email campaigns and rogue software.

“Snake Keylogger continues to climb the scale of malware with the highest incidence thanks to its ease in infecting sensitive information,” says a cybersecurity specialist. “Along with the rise of Keylogger, it is also important to notify the rise of Emotet, which continues to reign and with more presence than in previous months, thanks to its persistence and evasion techniques. The fact that Emotet is self-propagating and that Keylogger can infect any type of file makes them so high on the list, and you have to be very careful with them.”

The 3 most wanted malware in June:

*The arrows show the change in position in the ranking compared to the previous month.

1. ↔ Emotet – Emotet is an advanced, self-propagating, and modular Trojan that was once used as a banking Trojan and is currently distributing other types of malware or malicious campaigns. Emotet uses multiple methods to maintain persistence and evasion techniques to avoid detection and can spread via spam phishing emails containing malicious attachments or links.

2. ↔ Formbook – FormBook is an Infostealer targeting the Windows operating system and was first detected in 2016. It is marketed as Malware as a Service (MaaS) on underground hacking forums due to its powerful circumvention techniques and relatively low price. FormBook collects credentials from various web browsers, collects screenshots, monitors and logs keystrokes, and can download and execute files on command from its C&C.

3. ↑ Snake Keylogger – Snake is a modular .NET keylogger and credential stealer first detected in late November 2020; its main functionality is to record user keystrokes and transmit the collected data to threat actors. Snake infections pose a huge threat to users’ privacy and online security, as the malware can steal virtually all kinds of sensitive information and is a particularly evasive and persistent keylogger.
