Linux


BOLDMOVE: New Linux Malware Discovered in China-based Espionage Targeting FortiOS Devices

BOLDMOVE is a new Linux-based malware discovered in a China-based cyber espionage campaign that targets FortiOS devices. The malware is used to maintain persist...

25-Jan-2023
6 min read

Related Articles


Malware

Shagle

Telegram

Learn about the StrongPity APT group's latest espionage campaign targeting Andro...

In recent years, the mobile threat landscape has grown exponentially, with Advanced Persistent Threat (APT) groups increasingly targeting mobile devices as a means of gaining access to sensitive information. One such APT group, which goes by the moniker StrongPity, has resurfaced lately. StrongPity APT is a cyber-espionage group infamous for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America. The group has been active since at least 2012 and has used a variety of tools and techniques to gain access to its targets. In this [threat research](https://www.secureblink.com/threat-research), we provide an in-depth analysis of the StrongPity APT group's campaign, which primarily targets Android users with a trojanized version of the legitimate Telegram app, covering its methods of operation as well as the technical details of the malware used in the campaign.

## Background

StrongPity APT group has been active since at least 2012 and is known for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America. The group has used a variety of tools and techniques to gain access to its targets, including phishing emails, watering hole attacks, and malware. Its primary focus is espionage, but it has also been known to use its access to targets' systems for financial gain. The group has targeted individuals and organizations in a number of countries, including Belgium, France, Italy, Spain, and Turkey, and has been linked to a number of high-profile attacks, including the targeting of a Turkish mobile operator in 2016 and a number of attacks against Belgian and Italian telecommunications companies in 2017.

## Campaign Overview

The latest campaign by the StrongPity APT group is focused on Android users and leverages a fully functional but trojanized version of the legitimate Telegram app, repackaged as a purported Shagle app even though Shagle has no app of its own. The campaign is being [distributed](http://twitter.com/malwrhunterteam/status/1549125906416943108) through a website impersonating Shagle services, which only offers an Android app to download, with no web-based streaming possible. The trojanized app uses the same package name as the legitimate Telegram app, which means that if the official Telegram app is already installed on the device, the backdoored version cannot be installed.

## Malware Analysis

The StrongPity backdoor has various spying features, including the ability to record phone calls and collect SMS messages, call logs, and contact lists. The malware is also capable of exfiltrating data from other apps if the victim grants the app notification access and activates accessibility services. This allows the attackers to gain access to sensitive information from a variety of apps, including Viber, Skype, Gmail, Messenger, and Tinder.

![Trojanized app requesting dangerous permissions.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Trojanized_app_requesting_dangerous_permissions_c6a35492dc.jpg)

***Trojanized app requesting dangerous permissions***

The malware's 11 dynamically triggered modules are responsible for these various functions and are being documented publicly for the first time. The StrongPity malware is modular in nature, with additional binary modules being downloaded from the C&C server, which means that the number and type of modules used can be changed at any time to fit the campaign's requirements. This modularity allows the malware to remain flexible and adaptable to the needs of the campaign.

![11 module-fetch.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/11_module_fetch_0f5f0a4496.jpg)

***The 11 modules being fetched from the C&C servers***

## Targeting Shagle Users

Shagle is a legitimate random-video-chat platform that allows strangers to talk via an encrypted communications channel. However, the platform is entirely web-based and does not offer a mobile app. StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android app.

![Fake vs Real App.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fake_vs_Real_App_6ab74d219d.jpg)

***Comparison between the legitimate and the fake Shagle app***

Once installed, this app enables the attackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists. The fake Shagle website is designed to mimic the original website and is likely being spread through spear-phishing emails, smishing (SMS phishing), or instant messages on online platforms.

## Victimology

The campaign is likely very narrowly targeted, as ESET telemetry still hasn't identified any victims. The repackaged version of Telegram uses the same package name as the legitimate Telegram app, which means that if the official Telegram app is already installed on a potential victim's device, this backdoored version can't be installed. This might mean that the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or that the campaign focuses on countries where Telegram is rarely used for communication.

![Malicious app won't install as Telegram installed.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malicious_app_won_t_install_as_Telegram_installed_83a15382fa.jpg)

***If the official Telegram app is already installed, the trojanized version cannot be installed***

## Code Analysis

The malicious Android application distributed by StrongPity is an APK file named "video.apk", which is the standard [Telegram](https://core.telegram.org/api/obtaining_api_id#using-telegrams-open-source-code) v7.5.0 (February 2022) app modified to impersonate a Shagle mobile app. [ESET researchers](https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/) were able to attribute the campaign to the StrongPity APT group based on code similarities with past payloads and the fact that the Android app is signed with the [same certificate](http://www.trendmicro.com/ru_ru/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html) the APT used to sign an app that mimicked the Syrian e-gov Android application in a 2021 campaign. Upon installation, the malware requests access to the Accessibility Service and then fetches an AES-encrypted file from the attacker's command and control server. This file contains 11 binary modules that are extracted to the device and used by the backdoor to perform its malicious functionality. Each module performs an espionage function and is triggered as needed.

### Malicious spyware modules

- libarm.jar: records phone calls
- libmpeg4.jar: collects the text of incoming notification messages from 17 apps
- local.jar: collects the file list (file tree) on the device
- phone.jar: misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
- resources.jar: collects SMS messages stored on the device
- services.jar: obtains device location
- systemui.jar: collects device and system information
- timer.jar: collects a list of installed apps
- toolkit.jar: collects the contact list
- watchkit.jar: collects a list of device accounts
- wearkit.jar: collects a list of call logs

The gathered data is stored in the app's directory, encrypted with AES, and eventually sent back to the attacker's command and control server.

## Indicators of Compromise

To detect and protect against the StrongPity malware, be aware of the following Indicators of Compromise (IoCs).

File hashes associated with the StrongPity malware:

- 50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 (video.apk)
- 77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 (libarm.jar)
- 5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 (libmpeg4.jar)
- D44818C061269930E50868445A3418A0780903FE (local.jar)
- F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE (phone.jar)

## Mitigation & Prevention

To protect against the StrongPity campaign, be cautious when downloading apps from third-party app stores, and only download apps from official app stores such as Google Play. Additionally, organizations should implement security controls such as firewalls, intrusion detection systems, and anti-virus software to detect and prevent malware infections. It is also important to be aware of phishing attempts and to be cautious when clicking on links in emails or text messages.

Additionally, organizations should be aware of the signs of a potential APT attack, such as unusual network traffic, and have incident response plans in place to quickly detect and respond to an attack. Regularly updating software and systems, and providing cybersecurity training to employees, can also help to prevent a successful attack.

19-Jan-2023
1 min read

Malware

SSH

Analysis of MCCrash cross-platform botnet that targets Windows & Linux devices, ...

Malware operations continue to evolve as threat actors constantly seek to add new capabilities to existing botnets and target a wider range of devices. One such example is the MCCrash malware, also tracked as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. This botnet is particularly dangerous because it spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices and launches distributed denial of service (DDoS) attacks against private Minecraft servers.

![Distribution-of-minecraft-servers-that-could-be-affected-by-mccrash.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Distribution_of_minecraft_servers_that_could_be_affected_by_mccrash_5ffcc6d8e4.jpg)

***Distribution of Minecraft Servers by Version (MSTI)***

In this [analysis](https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/), we delve into the technical details of the MCCrash malware, including its spreading mechanism, DDoS capabilities, and the platforms it targets. We also provide recommendations for organizations to prevent their devices from becoming part of a botnet, and for Minecraft server owners to update and protect their servers against this threat.

## Cross-Platform Botnet Spreading Mechanism

The MCCrash botnet initially infects devices through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. These cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe. Next, svchost.exe launches the main Python script, malicious.py, which contains all the logic of the botnet.

This script scans the internet for SSH-enabled Linux-based devices, including Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration. It then launches a dictionary attack to propagate to these devices. Once a device is found, the botnet downloads the file Updater.zip from repo[.]ark—event[.]net onto the device, which creates the file fuse. The fuse file then downloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles all the Python runtime files into a single executable. This spreading mechanism makes the MCCrash botnet unique: the malware can be removed from the infected source PC but could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

## DDoS Capabilities

The MCCrash botnet launches DDoS attacks against private Minecraft servers using crafted packets. This type of attack likely involves the botnet sending large amounts of traffic to a specific server, causing it to become overwhelmed and unable to function properly. It is believed that the botnet's DDoS capabilities are being sold as a service on forums or darknet sites. A breakdown of the systems affected by the botnet over a three-month period showed that most of the devices were located in Russia.

![Fig-4-the-ddos-botnet-attack-flow.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_4_the_ddos_botnet_attack_flow_53d8a0d77f.jpg)

***DDoS Botnet Attack Flows (MSTI)***

![Code Snippet 1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_1_7ad0cacb3e.jpg)

***Code Snippet 1***

The above code snippet demonstrates a simple brute-force attack against an SSH-enabled device using the Python library paramiko. The function `ssh_brute_force` attempts to connect to the specified host using the given username and password. If the connection is successful, it prints a success message; otherwise, it prints a failure message. The `main` function then iterates through a list of passwords and attempts to connect to the host with each one.

![Code Snippet 2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_2_c4ebcb0b97.jpg)

***Code Snippet 2***

This code snippet demonstrates how the MCCrash botnet propagates to other devices. It uses the paramiko library to connect to an SSH-enabled device and download a file named Updater.zip using SFTP. The file is then extracted, and the file named fuse is executed, which in turn downloads and executes the main Python script of the botnet, malicious.py. This script is then executed with the specified command.

![Code Snippet 3.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_3_31f24ba05a.jpg)

***Code Snippet 3***

## Targeted Platform

The MCCrash botnet targets a range of platforms, including Windows devices, Linux devices, and IoT devices. These devices are often targeted because of their insecure settings and because they are commonly enabled for remote configuration.

## Recommendations for Prevention

To prevent devices from becoming part of the MCCrash botnet, organizations should ensure that they manage, keep up to date, and monitor not just traditional endpoints but also IoT devices. This includes implementing strong passwords and regularly updating them, as well as disabling unnecessary services and protocols. It is also important for organizations to ensure that all software is downloaded from reputable sources and to keep all software

## Indicators of Compromise

- ***Presence of malicious cracking tools***: The MCCrash botnet spreads initially through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. These tools may contain additional code that downloads and launches the botnet.
- ***Presence of svchost.exe or svchosts.exe***: The MCCrash botnet uses a fake version of svchost.exe to launch the main Python script, malicious.py. This file may be named svchost.exe or svchosts.exe.
- ***Presence of Updater.zip***: The MCCrash botnet propagates to other devices by downloading a file named Updater.zip from a specified URL. The presence of this file on a device may indicate compromise by the botnet.
- ***Presence of fuse***: The MCCrash botnet creates a file named fuse on compromised devices, which is used to download and execute the main Python script, malicious.py. The presence of this file may indicate compromise by the botnet.
- ***Presence of malicious.py***: The main Python script of the MCCrash botnet is named malicious.py. The presence of this file on a device may indicate compromise by the botnet.
- ***Connections to known malicious IP addresses***: The MCCrash botnet may communicate with known malicious IP addresses as part of its operation. Observing connections to these IP addresses may help identify devices compromised by the botnet.
- ***Network traffic related to Minecraft servers***: The MCCrash botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers using crafted packets. Observing network traffic related to Minecraft servers may help identify the presence of the botnet.

Here is an example code snippet that searches for the presence of the file malicious.py on a system:

![Test.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Test_2e3dd62f81.jpg)

This code snippet recursively searches the file system starting from the root directory and looks for the file malicious.py. If it is found, it prints the full path to the file. This can be adapted to search for other IoCs as well.
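The screenshot above only looks for one file name. The following Python script is an added example, not code from the original article, Microsoft, or ESET: it walks a directory tree and checks every regular file against both kinds of indicator listed on this page, the MCCrash file names (malicious.py, fuse, Updater.zip, svchosts.exe) and the StrongPity file hashes. Those hashes are 40 hex digits and are treated here as SHA-1, which is an assumption. `run_demo()` builds a constructed directory with constructed files so the script runs offline; the constructed sample's own hash is added to the IoC list only so that a hash hit is shown alongside a name hit.

```python
import hashlib
import os
import stat
import tempfile

# File hashes listed in the StrongPity write-up above. They are 40 hex digits, so they are
# treated as SHA-1 here (assumption); stored lowercase to match hashlib.hexdigest().
STRONGPITY_HASHES = {h.lower(): name for h, name in [
    ("50F79C7DFABECF04522AEB2AC987A800AB5EC6D7", "video.apk"),
    ("77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91", "libarm.jar"),
    ("5A15F516D5C58B23E19D6A39325B4B5C5590BDE0", "libmpeg4.jar"),
    ("D44818C061269930E50868445A3418A0780903FE", "local.jar"),
    ("F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE", "phone.jar"),
]}

# File names listed as MCCrash indicators above. svchost.exe is deliberately absent: the
# legitimate Windows binary has that name, so only the misspelt variant is a useful signal.
MCCRASH_NAMES = {"malicious.py", "fuse", "updater.zip", "svchosts.exe"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large files never have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root, hash_iocs=STRONGPITY_HASHES, name_iocs=MCCRASH_NAMES):
    """Walk `root` and return (path, reason) pairs for every file matching an indicator.

    Name matches are leads, not verdicts (a file called `fuse` can be benign);
    hash matches identify the exact sample. Symlinks are not followed, and
    unreadable or non-regular files are skipped rather than aborting the scan.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not stat.S_ISREG(os.lstat(path).st_mode):
                    continue  # device nodes, sockets, symlinks
                if name.lower() in name_iocs:
                    findings.append((path, f"file name matches IoC '{name.lower()}'"))
                digest = sha1_of_file(path)
            except OSError:
                continue  # permission denied, file vanished mid-scan, etc.
            if digest in hash_iocs:
                findings.append((path, f"SHA-1 matches IoC for {hash_iocs[digest]}"))
    return findings


def run_demo():
    """Scan a constructed directory tree; returns sorted (relative path, reason) pairs."""
    sample = b"constructed sample bytes - not real malware"
    layout = {  # constructed fixture, nothing here is a real artifact
        "home/user/notes.txt": b"nothing suspicious here",
        "opt/tools/malicious.py": b"print('constructed placeholder')",
        "home/user/Download/sample.apk": sample,
    }
    # Add the constructed sample's hash so the demo shows a hash hit as well as a name hit.
    hash_iocs = dict(STRONGPITY_HASHES)
    hash_iocs[hashlib.sha1(sample).hexdigest()] = "sample.apk (constructed)"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(data)
        return sorted((os.path.relpath(p, root), r) for p, r in scan(root, hash_iocs))


if __name__ == "__main__":
    for path, reason in run_demo():
        print(f"{path}: {reason}")
```

On a real host, `scan("/")` run with enough privilege to read user directories is the equivalent of the screenshot's search. The name rule is kept separate from the hash rule on purpose: a name hit such as `fuse` tells you where to look, while a hash hit against the listed StrongPity values tells you which sample you are looking at.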
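The propagation described above, a dictionary attack against exposed SSH services, leaves a recognisable trace in the target's authentication log, which is where the page's advice to monitor IoT devices becomes concrete. The following Python script is an added example, not code from the original article or Microsoft's analysis: it parses sshd log lines, flags a source that produces a burst of failed password logins, and separately flags a password login from that source that succeeds after the burst, the pattern a guessed default credential would produce. The log lines, host name, addresses and the `threshold`/`window_seconds` values are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines in the default OpenSSH/syslog format. The addresses come from
# the documentation ranges (203.0.113.0/24, 198.51.100.0/24); nothing here is a real event.
SAMPLE_LOG = """\
Jan 19 10:00:01 iot-cam sshd[2101]: Failed password for root from 203.0.113.5 port 50101 ssh2
Jan 19 10:00:02 iot-cam sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 50102 ssh2
Jan 19 10:00:02 iot-cam sshd[2105]: Failed password for invalid user ubuntu from 203.0.113.5 port 50103 ssh2
Jan 19 10:00:03 iot-cam sshd[2107]: Failed password for pi from 203.0.113.5 port 50104 ssh2
Jan 19 10:00:04 iot-cam sshd[2109]: Failed password for root from 203.0.113.5 port 50105 ssh2
Jan 19 10:00:06 iot-cam sshd[2111]: Accepted password for pi from 203.0.113.5 port 50106 ssh2
Jan 19 10:05:30 iot-cam sshd[2130]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jan 19 10:05:41 iot-cam sshd[2132]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

# Matches the authentication-outcome lines sshd writes; any other sshd line is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Return (timestamp, ip, result, method, user) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # because only the distance between events is used.
        ts = datetime.strptime(match["ts"], "%b %d %H:%M:%S")
        events.append((ts, match["ip"], match["result"], match["method"], match["user"]))
    events.sort()
    return events


def detect(log_text, threshold=4, window_seconds=60):
    """Flag dictionary attacks and password logins that follow them.

    `threshold` and `window_seconds` are tuning assumptions: that many failures from
    one source inside the window is treated as credential guessing, and a later
    password success from the same source is treated as a probable compromise.
    """
    alerts = []
    recent = defaultdict(deque)  # source ip -> (timestamp, user) of recent failures
    flagged = set()
    for ts, ip, result, method, user in parse_events(log_text):
        failures = recent[ip]
        if result == "Failed":
            failures.append((ts, user))
            while (ts - failures[0][0]).total_seconds() > window_seconds:
                failures.popleft()  # slide the window forward
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                users = sorted({u for _, u in failures})
                alerts.append((ip, "dictionary-attack",
                               f"{len(failures)} failed logins for {users} within {window_seconds}s"))
        elif result == "Accepted" and method == "password" and ip in flagged:
            # Key-based logins are left alone: a guessing attack can only yield password successes.
            alerts.append((ip, "guess-success", f"password login as {user} after guessing burst"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip} {kind}: {detail}")
```

Feeding it a real log is `detect(open("/var/log/auth.log").read())` or the output of `journalctl -u ssh`. A `guess-success` alert is the one worth paging on, since it means a default or weak password was accepted from a guessing source; the `dictionary-attack` alerts on their own are the background noise any internet-exposed SSH port receives, and the page's recommendations (strong, rotated passwords, unnecessary services disabled) are what keep the first kind from ever becoming the second.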

23-Dec-2022
1 min read

Malware

Infostealer

Ducklogs

Ducklogs Malware-as-a-Service offers functionality to steal & exfiltrate user da...

Ducklogs is a newly emerged web-based malware-as-a-service (MaaS) that gives even low-level hackers access to malicious resources and tools for carrying out a series of attacks on compromised systems. It comes bundled with a combination of malicious software packages, remote access, stealer, keylogger, and clipper malware, to steal and exfiltrate user data such as account credentials, session cookies, browsing history, crypto wallets, etc. to its C&C server. According to [CRIL](https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/), Ducklogs operates on a SaaS model and is advertised across hacking forums at a relatively low price of $19.99 per month, $39.99 for three months, and $69.99 for a lifetime. The MaaS claims to have thousands of malicious users paying subscription fees, who have developed and launched over 4,000 malware builds. Besides that, Ducklogs operators also help circulate the payload via a file-dropping tool and a file extension changer, offered as additional services to a limited number of users.

![Figure-1-–-DuckLogs-Stealer-Advertisement-in-CyberCrime-Forum.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_1_Duck_Logs_Stealer_Advertisement_in_Cyber_Crime_Forum_09065059de.jpg)

***DuckLogs Stealer Ads in CyberCrime Forum***

## Features & Capabilities of Ducklogs Malware-as-a-Service

- DuckLogs provides a sophisticated web-based platform that allows hackers to execute several malicious functions, such as building the malware binary by customizing the options provided on the Settings page of the web panel, and monitoring and downloading stolen user logs.
- DuckLogs is built primarily from an information stealer and a remote access trojan (RAT) component, but it has more than 100 individual modules that target specific applications such as messaging apps, emails, web browsers, VPN account data, passwords, cookies, login data, histories, and cryptocurrency wallets.
- The Ducklogs RAT component can fetch files from the command and control (C2) server and run them on the compromised system, display a crash screen, shut down, restart, log out, or lock the device, or open URLs in the browser.
- Ducklogs supports Telegram notifications, encrypted user logs and communication, code obfuscation, process hollowing to launch payloads containing malicious code in memory, a persistence mechanism, and a bypass for Windows User Account Control.

![Figure-11-Process-hollowing-to-inject-the-final-payload.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_11_Process_hollowing_to_inject_the_final_payload_79cdc0c709.jpg)

***Process hollowing to inject the final payload***

## Conclusion

We have also observed multiple active malicious instances of DuckLogs C2 servers in the wild, indicating that it is an emerging threat. It comes with a wide range of functionality and is available as Malware-as-a-Service, including initial infection vectors such as spam and phishing emails. Therefore, it is always recommended to be double-sure before opening any links in new or unknown emails. Always be careful while copying sensitive data to the clipboard, and the same applies before pasting it.

17-Dec-2022
1 min read