Malware University

Class is in Session

Category: Current Events

Mexican Cartels Deploying Lawful Intercept Software

Posted on December 20, 2020 - December 20, 2020 by admin

A group known as the Cartel Project has released a report detailing the targeting of citizen journalists throughout Mexico who report on cartel dealings. Jorge Carrasco was targeted by software from the Israeli NSO Group called Pegasus, confirmed watchdog group Citizen Lab.

The watchdog group has found at least nine journalists in Mexico targeted with the Pegasus software. While it is doubtful NSO Group entertains cartels for business, the Mexican government is a known customer of various “lawful intercept” software businesses, including NSO Group. It is likely the software ends up in the hands of cartel operators through insiders working within the Mexican government.

It is not known whether the eight journalists killed during 2020 in Mexico were targeted with such spyware.

Posted in Current Events. Tagged: cartels, israel, lawful intercept, mexico, nso group.

FinFisher Raids

Posted on October 14, 2020 - October 14, 2020 by admin

Sometime last week, between October 6 and 8 of 2020, customs, in conjunction with public prosecution, raided FinFisher company offices and private apartments in both Germany and Romania. A group of NGOs including NetzPolitik filed criminal complaints in Germany against the company, asserting the firm is exporting its malware products (used by German police) to foreign countries without obtaining permission.

Managing directors and employees are under active investigation, along with the company, for violating the Foreign Trade and Payments Act. These investigations began in summer 2019. Exporting German-made malware outside the country requires a license; lacking one, the exporter is criminally liable.

FinFisher has formally stated they never exported their software to Turkey, after a sample was found in 2017.

If the relevant authorities find evidence of exporting malware without a license, FinFisher may have a case brought against it in European court.

NetzPolitik did have a prior case against the firm for supposed violations which the NGO lost due to a preliminary injunction silencing their claims.

Posted in Current Events. Tagged: export control, finfisher, malware development.

Chengdu 404

Posted on September 20, 2020 - September 20, 2020 by admin

US DOJ has listed several arrest warrants for Chinese nationals believed to be part of APT41 (Barium). This group is allegedly behind the ASUS hack that led to hundreds of thousands of infections: the group used ASUS’s own code signing certificate to push their malware via the company’s update servers.

Some of these infected hosts were targeted with ransomware and cryptojacking malware. The group has engaged in financially-motivated attacks since at least 2012 by targeting gaming companies for the procurement of game currency.

This group, who had a front company named Chengdu 404, likely was coerced by Chinese state officials to engage in traditional espionage activities while allowing the group to continue their financial pursuits.

The group is not known to produce their own 0day exploits but are very quick to deploy new releases once an exploit is dropped, as they did in March 2020 with the Zoho ManageEngine exploit.

Chinese APT groups have traditionally had a reputation of government and corporate espionage for largely information purposes. It appears the Chinese state authorities are turning a blind eye to financially-focused groups so long as they perform actions on behalf of the Party in between their activities.

Posted in Campaign Analysis, Current Events. Tagged: APT41, ASUS, Barium, Chengdu 404, US DOJ.

Facebook Hating the Player

Posted on April 5, 2020 - April 5, 2020 by admin

It is alleged in court, officially, Facebook sought out NSO Group in October 2017 to purchase the right to use Pegasus capabilities for users of Onavo Protect.

Onavo Protect was a “free” VPN solution provided by Facebook. The catch was Facebook was analyzing web traffic to detect usage of other apps. This is not the main use case of Pegasus (post exploitation framework for iOS), as representatives wanted to monitor phones of users who had installed Onavo.

The need for Pegasus came from Facebook not having as much insight into user behavior via data collection on iOS as compared with Android. Thus, Facebook potentially wanted to use Pegasus to close the gap between the operating system data collection abilities.

Recently Facebook has been upset due to NSO Group releasing modules for customers which included a 0-click exploit against WhatsApp users.

Posted in Current Events.

Charitable Internet Companies, Slow Moving Governments

Posted on March 20, 2020 - March 20, 2020 by admin

Mozilla, creator of the popular internet browser Firefox, made the bold move of re-enabling support for the outdated and very insecure (for governments especially) HTTP encryption protocols TLS v1.0 and 1.1. Several known attacks exist against services exposed over these protocols that are realistically exploitable by nation state attackers.

Many government sites around the world are still hosted using these long-outdated protocols, despite the protocols having been retired by all popular browsers back in October 2018. Qualys SSL Labs found that over 97% of surveyed sites support TLS v1.2+.

97% of surveyed sites support TLS 1.2 and 1.3

Still, at least 850,000 websites are using these outdated protocols, allowing sophisticated attackers to, at the least, decrypt the web traffic of other users.

Due to various governments apparently not having the means to upgrade their infrastructure during the global virus pandemic known as “Corona”, Mozilla decided to re-enable support for these retired, forbidden protocols to allow sharing of information.

Posted in Current Events. Tagged: government, TLS, virus.

Dump SHA1

Posted on January 9, 2020 - January 9, 2020 by admin

Some French and Singaporean researchers recently demonstrated a practical attack against SHA-1 hashing by performing a PGP/GnuPG impersonation attack. The team used Nvidia GTX 970 GPUs at an estimated rental cost of $11,000 USD for a collision and $45,000 USD for a chosen-prefix collision. In total the attack took about two months to complete.

Such news is similar to the practical attacks shown in 2009 against MD5. Signature schemes and handshake security in “secure” protocols such as TLS and SSH that still rely on SHA-1 are now known to be vulnerable.

It is recommended to remove SHA-1 from the hash choices of any tool or protocol you are using. Legacy GnuPG still uses SHA-1 by default for identity certifications.

CVE-2019-14855 was assigned to this demonstration.

Posted in Current Events. Tagged: cracking, cve-2019-14855, GnuPG, hash, sha1.

FBI Asks Apple To Help It Unlock IPhones Of Naval Base Shooter

Posted on January 9, 2020 - January 9, 2020 by admin

The FBI has asked Apple to help it unlock two iPhones that belonged to the murderer Mohammed Saeed Alshamrani, who shot and killed three young US Navy students in a shooting spree at a Florida naval base last month.

Late on Monday, FBI General Counsel Dana Boente sent the letter to Apple’s general counsel.

The FBI argued the same case after the San Bernardino shooting.

Namely, the bureau says that it has asked for help from other federal agencies (it sent the iPhones to the FBI’s crime lab in Quantico, Virginia) and from experts in other countries, as well as “familiar contacts in the third-party vendor community.”

The dog and pony show continues for the FBI, which always pretends it does not have access to 0day or publicly maintained jailbreaking methods such as checkm8 or checkra1n.

Posted in Current Events. Tagged: apple, FBI, iphone, jailbreak.

Microsoft Claims Russia/Iran/North Korea Most Aggressive

Posted on July 18, 2019 - July 18, 2019 by admin

“About 84% of these attacks targeted our enterprise customers, and about 16% targeted consumer personal email accounts,” says Microsoft Corporate Vice President for Customer Security & Trust, Tom Burt. Hacking groups from Iran, North Korea, and Russia were behind the vast majority of nation-state attacks against Microsoft customers over the past year, with the most notable activity coming from threat actors such as “Holmium” and “Mercury” operating from Iran, “Thallium” operating from North Korea, and two actors operating from Russia called “Yttrium” and “Strontium.”

The data collected by the Microsoft Threat Intelligence Center while analyzing these attacks has been added by Redmond to its own security products, which help the company protect its customers from future advanced persistent threat (APT) group operations targeting its user base. Microsoft also issued 781 notifications to organizations that are part of its free AccountGuard service after unearthing a number of attacks coordinated by APT groups and targeting entities fundamental to democracy, such as political parties and campaigns, as well as democracy-focused think tanks and nongovernmental organizations (NGOs) from 26 countries across four continents.

While monitoring nation-state backed cyber-espionage campaigns, Microsoft detected attacks targeting the 2016 U.S. presidential election and the last French presidential election, with U.S. senatorial candidates also being under siege in 2018 after being attacked by the Russian-backed Strontium hacking group (aka Fancy Bear or APT28). A number of other cyber-espionage campaigns targeting European democratic institutions were also detected by Redmond’s Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) between September and December 2018, with employees of the German Council on Foreign Relations, the Aspen Institutes in Europe and the German Marshall Fund being among the targeted individuals in these attacks.

“As we head into the 2020 elections, given both the broad reliance on cyberattacks by nation-states and the use of cyberattacks to specifically target democratic processes, we anticipate that we will see attacks targeting U.S. election systems, political campaigns or NGOs that work closely with campaigns,” added Burt.

Posted in Current Events. Tagged: APT28, hacking, Holmium, Iran, Mercury, Microsoft, North Korea, Russia, Strontium, Thallium, Yttrium.

NewsBeef APT Updates Their Campaign

Posted on July 18, 2019 - July 18, 2019 by admin

USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities.

The most recent NewsBeef campaign uses this toolset in conjunction with spearphishing emails, links sent over social media and standalone private messaging applications, and watering hole attacks that leverage compromised high-profile websites (some belonging to the SA government).

The group changed multiple characteristics year over year: tactics, the malicious JavaScript injection strategically placed on compromised websites, and command and control (C2) infrastructure. Key findings:

  • The NewsBeef actor deployed a new toolset in a campaign that focused primarily on Saudi Arabian targets.
  • BeEF does not appear to be deployed as a part of the current campaign.
  • Compromised government and infrastructure-related websites are injected with JavaScript that geolocates and redirects visitors to spoofed, attacker-controlled web servers.
  • Improvements in JavaScript injection and obfuscation may extend server persistence.
  • NewsBeef continues to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools.

The NewsBeef campaign is divided into two main attack vectors: spearphishing and strategic web compromise (watering hole) attacks.

On December 25, 2016, the NewsBeef APT stood up a server to host a new set of Microsoft Office documents (containing malicious macros and PowerShell scripts) to support its spear-phishing operations. To compromise websites and servers, the group identified vulnerable sites and injected obfuscated JavaScript that redirected visitors to NewsBeef-controlled hosts (which tracked victims and served malicious content).

These compromised servers include Saudi Arabian government servers and other high-value organizational identities relevant to their targets. Their injection and obfuscation techniques enable the actor to serve the same JavaScript with every page visit to the “watering hole” site, and also increase the difficulty of identifying the malicious JavaScript source on compromised sites.

These recent attacks against legitimate servers (when compared to previous NewsBeef activity) indicate that NewsBeef operators have improved their technical skills, specifically their ability to covertly inject JavaScript code into served web pages. For example, on a Saudi government website, the NewsBeef APT delivered packed JavaScript into the bottom of a referenced script that is included in every page served from the site. The JavaScript resource changes on every compromised website among many other referenced JavaScript sources, making it difficult to track down the source of the malicious script per site.


The filenames of the malicious Office documents (hosted at the spoofed NTG site) are relevant to typical IT and contracting resources and indicate that this scheme relies on effective social engineering tactics related to human resources and IT activities.


The malicious DLL deployed by NewsBeef contains Python code, a Python interpreter, and the MSVC runtime library as well as code that loads the Python interpreter, runs Python code and exports some functions for Python. The main functionality of the backdoor is implemented in packages (Python code, compiled Python C extensions, compiled executable files) and modules (Python code).

As this recent campaign indicates, the NewsBeef APT appears to have shifted its intrusion toolset away from BeEF and towards macro-enabled malicious Office documents, PowerSploit, and Pupy.

Posted in Campaign Analysis, Current Events. Tagged: beef, CYBERCOM, malicious macros, NewsBeef, Powershell, powersploit, pupy, Python, Saudi Arabia, spearphishing, watering holes.

Cloud Hopper a Top Notch APT

Posted on June 27, 2019 - July 1, 2019 by admin

The “Cloud Hopper” attack group is back in the spotlight this week after an informative report on Operation “Soft Cell” by security firm Cybereason. The detailed campaigns tracked by the firm display traits similar to how “APT10”-associated groups have operated in the past.

Active since at least 2012 against telecommunications providers, “Soft Cell” was observed to target Active Directory domain servers once access was obtained on a target network, before expanding their access. This suggests the group is primarily interested in long-term compromise of their targets. Their ongoing operations for months, and at times years, show the group has the discipline and ability to practice stealthy and persistent attacks usually associated with well-funded nation-state groups.

Adaptability while maintaining access is a key ability for sophisticated nation-state groups. Such groups expect and plan for alternative routes during pre-attack operational activities.

Initial Access

A web shell (China Chopper) written for IIS servers was dropped after web-based compromise. From this web shell, reconnaissance activity was observed: operators ran basic diagnostic commands from a spawned cmd.exe instance using tools such as ipconfig, find, netstat, and whoami. A cmd.exe child of the IIS worker process is itself a strong detection signal, since a web server has little legitimate reason to spawn an interactive shell.

The second notable activity after initial access was running a modified nbtscan tool to identify NetBIOS name servers both locally and over the network. This tool was used by the actors to find shares on the internal Windows network.

Elevation

Utilities such as Mimikatz were modified and deployed after the reconnaissance phase. Their modified artifact removed the need for command line arguments, likely to evade various techniques employed by EDR solutions to detect common tools like Mimikatz during execution. Modified and compiled code also has the advantage of easily defeating Anti-Virus solutions due to changes in signature(s) of code segments and structure, largely with no real work needed by the technical team powering Cloud Hopper’s operations.

Their modified Mimikatz tool allowed the group to dump NTLM hashes on the compromised machines. A second technique to obtain the coveted NTLM hashes was to dump the specific hives from the Windows Registry that contain them: the SAM hive HKEY_LOCAL_MACHINE\SAM and the Security hive HKEY_LOCAL_MACHINE\Security. Decrypting the contents of those hives offline additionally requires the boot key held in the SYSTEM hive, so exports of these hives appearing together in process or file telemetry are a useful detection signal regardless of which tool produced them.

Pivoting

With the network mapped and credentials stolen (and not necessarily cracked, since NTLM hashes can be used directly for authentication), the group had all they needed to remotely establish sessions. The target telco’s production and database servers, along with their Domain Controller (!), were successfully compromised.

WMI and PsExec remote command execution, both standard Windows sysadmin utilities, were used to move across the landscape of their target network.

Persistence

Despite having all information and IP routing necessary to perform a complete domain compromise, the group performed additional tasks to enable persistence in forms other than their initial attack vector.

The attackers created high-privilege domain user accounts to perform actions after their first goal was achieved: domain compromise.

Changing the source of malicious operation, from the perspective of the Windows subsystem and network managers, provides multiple benefits. Obviously, it allows a deeper foothold into the system, having now a web shell along with domain-privileged accounts. Higher-privileged accounts, especially on machines with regular network traffic, are much quieter when performing administrative tasks. With deployment of a RAT, such as the PoisonIvy variant this threat actor used, they can maintain “phone home” or “callback” connectivity, bypassing the need to “push” into a network and opting instead to “pull” access at intervals.

This PoisonIvy variant, which abused a trusted and signed Samsung tool, runhelp.exe, was deployed as a Nullsoft Scriptable Install System (NSIS) package. Once unpacked and run, the Samsung tool loaded a fake DLL posing as a legitimate one, ssMUIDLL.dll, causing the malicious code to execute. The result was a scheduled task which would run the legitimate Samsung tool with the malicious payload. This is known as DLL side loading, and its signature from a defender’s point of view is a signed, legitimate executable loading a DLL of the expected name from an unexpected directory.

Exfiltration

The actor opted for the RAR archival utility for compressing desired data for exfiltration. They were spotted keeping the WinRAR tool and their compressed data for exfiltration in the Recycle Bin folder.

These RAR data were stored as multi-part archives. This technique, among the others mentioned, is a staple of the APT10 actor(s).

hTran was used in attempts to exfiltrate targeted data out of segmented networks. The code was modified from the original, likely an attempt to evade detection by EDR and Anti-Virus solutions. The structure and debug output were almost identical, with key phrases left in the deployed payload, likely due to a lack of English-language skills.

For example, “Connect error” became “C e.”.
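The Soft Cell tradecraft described above (web shell reconnaissance, nbtscan, SAM/Security hive exports, a scheduled task launching runhelp.exe, the side-loaded ssMUIDLL.dll, and multi-part RAR volumes staged in the Recycle Bin) maps cleanly onto process-creation and image-load telemetry. The following detection sketch is an added example written for this page; it is not code from Cybereason, from the blog, or from any product. The log format (space-separated `key=value` fields such as `host=`, `parent=`, `image=`, `cmdline=`, `loaded=`), the hostnames and the directory paths are all constructed for the example and not taken from the report.

```python
"""Detection sketch for the Operation Soft Cell tradecraft described above.

Added example, not code from the blog or from Cybereason. The log lines
below are constructed to look like EDR/Sysmon process-creation and
image-load records; field names, hostnames and paths are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str       # which tradecraft rule fired
    line_no: int    # 1-based line number in the scanned log
    evidence: str   # the matched substring, for triage


# Each rule is a regex applied to a lower-cased, whitespace-collapsed line.
RULES = [
    # Recon from a web shell: IIS worker process spawning basic enumeration tools.
    ("webshell-recon", re.compile(r"parent=w3wp\.exe\b.*\b(?:ipconfig|netstat|whoami|find)\b")),
    # NetBIOS scanning of the internal network.
    ("nbtscan", re.compile(r"\bnbtscan\b")),
    # Registry exports of the SAM or Security hive (credential material).
    ("hive-dump", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security)\b")),
    # Scheduled task created to launch the signed Samsung helper (side-loading host).
    ("sideload-task", re.compile(r"\bschtasks\b.*/create\b.*\brunhelp\.exe\b")),
    # The signed helper loading ssMUIDLL.dll from outside Program Files (assumed
    # install location; the exact legitimate path is an assumption here).
    ("sideload-dll", re.compile(r"image=(?!c:\\program files)[^ ]*\\runhelp\.exe .*loaded=[^ ]*\\ssmuidll\.dll\b")),
    # RAR archiving straight into the Recycle Bin (exfiltration staging).
    ("rar-staging", re.compile(r"\brar(?:\.exe)?\s+a\b.*\$recycle\.bin\\")),
]

# Constructed sample telemetry; none of these values come from the report.
SAMPLE_LOG = """\
2019-06-20T10:01:03Z host=TELCO-WEB01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
2019-06-20T10:02:11Z host=TELCO-WEB01 parent=cmd.exe image=nbtscan.exe cmdline="nbtscan.exe 10.10.0.0/16"
2019-06-20T11:14:52Z host=TELCO-WEB01 parent=cmd.exe image=reg.exe cmdline="reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"
2019-06-20T11:15:01Z host=TELCO-WEB01 parent=cmd.exe image=reg.exe cmdline="reg.exe save HKLM\\SECURITY C:\\Windows\\Temp\\sec.hiv"
2019-06-21T02:30:00Z host=TELCO-DB03 parent=cmd.exe image=schtasks.exe cmdline="schtasks.exe /create /tn Updater /tr C:\\ProgramData\\svc\\runhelp.exe /sc onlogon"
2019-06-21T02:31:05Z host=TELCO-DB03 event=imageload image=C:\\ProgramData\\svc\\runhelp.exe loaded=C:\\ProgramData\\svc\\ssMUIDLL.dll
2019-06-22T03:05:17Z host=TELCO-DB03 parent=cmd.exe image=rar.exe cmdline="rar.exe a -v50m C:\\$Recycle.Bin\\S-1-5-21-1\\data.rar D:\\cdr\\"
2019-06-22T03:40:40Z host=TELCO-DB03 parent=svchost.exe image=explorer.exe cmdline="explorer.exe"
"""


def normalize(line: str) -> str:
    """Lower-case and collapse whitespace so rules need not care about casing."""
    return re.sub(r"\s+", " ", line.strip().lower())


def scan_log(text: str) -> list[Finding]:
    """Run every rule over every line; one Finding per (rule, line) hit."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = normalize(raw)
        if not line:
            continue
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(name, no, m.group(0)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[int]]:
    """Rule name -> line numbers that triggered it."""
    out: dict[str, list[int]] = {}
    for f in findings:
        out.setdefault(f.rule, []).append(f.line_no)
    return out


def hosts_with_chain(text: str, min_rules: int = 3) -> list[str]:
    """Hosts on which at least `min_rules` distinct rules fired.

    A single hit (e.g. one nbtscan run) may be an admin; several distinct
    stages of the intrusion on one host is what deserves escalation.
    """
    lines = text.splitlines()
    per_host: dict[str, set[str]] = {}
    for f in scan_log(text):
        m = re.search(r"\bhost=(\S+)", normalize(lines[f.line_no - 1]))
        host = m.group(1) if m else "<unknown>"
        per_host.setdefault(host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no:2d}  {f.rule:15s}  {f.evidence}")
    print("escalate:", hosts_with_chain(SAMPLE_LOG))
```

The rules are deliberately narrow to the indicators named in the post; in production each would be a query against the EDR's own schema, and the Recycle Bin and `reg save` rules in particular are the ones worth keeping even after the specific tool names change, because they describe behaviour rather than a binary.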

Reasons for Attack

The most obvious reason for a nation-state to target the large telcos of other nations is to track call and message data. These Call Detail Records (CDRs) are how telephone companies record:

  • Device details
  • Physical location
  • Device vendor and version
  • Source, destination, and duration of call

With such information, the unit can monitor another nation’s citizens, including their leaders. If they need further access, they can know the exact make/model of a device used by a target.

As a last resort, the unit also has the ability to potentially “jam” the data/voice network by destroying the infrastructure.

If the unit is extremely technically sophisticated, the desire is there from the management, and the target allows such technical operation, the group may pull off infected firmware updates, rogue base station legitimacy, or other such fanciful Hollywood-esque attacks which may actually exist as a capability.

Areas for Improvement

The attackers were found conducting multiple campaigns from the same IP address. When you’re a big nation state and not looking to cause overt damage, operational security is practically optional.

This author could critique the operation in many ways. The fact is the techniques described here work, and work well, for multi-year operations against highly sophisticated targets such as telcos.

Hats off to the Cloud Hopper group for a long-term successful campaign that has likely monitored, and led to the exploitation of, several high-value political and business targets in the affected countries.

Without a doubt these operations will continue from the Chinese groups. They will continue to stay at the level (A/B/C/D/F grading) required to achieve and maintain access to sources of data their state deems critical to the operational success and future viability of their country.

No need to bring out the A-team for adversaries which do not demand it.

Posted in Campaign Analysis, Current Events. Tagged: APT10, China Chopper, Cloud Hopper, hTran, Mimikatz, Operation Soft Cell, PoisonIvy.
