APT


Evolution of Reconnaissance Capabilities: Kimsuky's Global Campaign

Learn about Kimsuky's use of ReconShark, their global campaign implications, and effective countermeasures to protect your digital environment.

23-May-2023

3 min read

Related Articles


WordPress

Malware

Balada Injector: A Comprehensive Threat Research on Ongoing WordPress Malware Ca...

Balada Injector is a highly sophisticated and persistent malware campaign that targets WordPress sites. This threat research provides a detailed analysis of the Balada Injector, including its codebase, IoCs, hashing algorithms, file paths, and an in-depth technical analysis. The research aims to help security professionals understand the attack techniques used by the Balada Injector and take appropriate measures to protect their WordPress sites.

WordPress is a popular platform for creating websites and blogs, so it is no surprise that cybercriminals often target it. One of the most persistent and evolving malware campaigns targeting WordPress sites is the Balada Injector. This campaign has been active for several years and continues to evolve, making it difficult for security professionals to detect and prevent.

Balada Injector is PHP malware that injects malicious code into legitimate WordPress files. The code is obfuscated to evade detection and uses a combination of techniques to hide its presence on the infected website. The Balada Injector is modular and consists of several files, each responsible for a different function. The malware stores its settings in an encrypted configuration file, which makes it harder to analyze.

## Technical Analysis

The Balada Injector uses a combination of attack techniques to infect WordPress sites. The attack starts with a brute-force attack on the website's login page to gain access to the WordPress dashboard. Once the attacker has access, they upload the Balada Injector's files to the website's server. The malware then modifies the website's files to inject malicious code. The injected code is used to redirect the website's visitors to malicious websites, steal sensitive information such as login credentials, and perform other malicious activities.

## Indicators of Compromise (IoCs)

To help security professionals detect and prevent the Balada Injector, the following IoCs have been identified:

- File Paths:
  - `/wp-admin/js/wp-auth-check.min.js`
  - `/wp-admin/js/user-profile.min.js`
  - `/wp-includes/js/wp-auth-check.min.js`
  - `/wp-includes/js/tinymce/plugins/wordpress/img/trans.gif`
  - `/wp-includes/js/tinymce/plugins/wpeditimage/img/delete.png`
- Hashing Algorithm: MD5
- Encrypted Configuration File:
  - `/wp-content/plugins/akismet/.data.php`
  - `/wp-content/plugins/hello.php`
- URL Patterns:
  - `hxxps://baladainjector[.]com/*.*`
  - `hxxps://baladacontrol[.]com/*.*`

Balada Injector is a highly persistent and sophisticated malware campaign that targets WordPress sites. The malware uses a combination of attack techniques to evade detection and perform malicious activities. Security professionals must take appropriate measures to protect their WordPress sites from this threat. By understanding the attack techniques used by the Balada Injector and implementing appropriate security measures, website owners can keep their sites secure.
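The IoC list above is only useful once it is turned into a check. The following Go program is an added example written for this page, not code from the research or from any Balada Injector tooling: it refangs the defanged URL patterns, compiles their `*` wildcards into regular expressions, scans constructed outbound-request log lines for matches, and flags entries of a constructed "recently modified files" list that coincide with the listed file paths. The log line layout, the host names and the file list are all constructed for the example. Because several of the listed paths are legitimate WordPress core files that the injector modifies rather than files it creates, a path hit is a prompt to compare the file against a pristine copy from the same WordPress release, not proof of infection on its own.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// File-path IoCs quoted from the Balada Injector research above.
var iocFilePaths = []string{
	"/wp-admin/js/wp-auth-check.min.js",
	"/wp-admin/js/user-profile.min.js",
	"/wp-includes/js/wp-auth-check.min.js",
	"/wp-includes/js/tinymce/plugins/wordpress/img/trans.gif",
	"/wp-includes/js/tinymce/plugins/wpeditimage/img/delete.png",
	"/wp-content/plugins/akismet/.data.php",
	"/wp-content/plugins/hello.php",
}

// URL-pattern IoCs, kept in the report's defanged notation.
var iocURLPatterns = []string{
	"hxxps://baladainjector[.]com/*.*",
	"hxxps://baladacontrol[.]com/*.*",
}

// Refang turns defanged report notation (hxxps, [.]) back into a real URL.
// It is a no-op on input that is already a plain URL.
func Refang(s string) string {
	return strings.NewReplacer("hxxps://", "https://", "hxxp://", "http://", "[.]", ".").Replace(s)
}

// PatternToRegexp refangs a pattern and compiles its '*' wildcards into an
// anchored, case-insensitive regexp; every other character is taken literally.
func PatternToRegexp(pattern string) *regexp.Regexp {
	parts := strings.Split(Refang(pattern), "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.MustCompile("(?i)^" + strings.Join(parts, ".*") + "$")
}

// lineMatches reports whether any whitespace-separated field of the line,
// refanged first so defanged and live notation both match, hits a pattern.
func lineMatches(line string, res []*regexp.Regexp) bool {
	for _, field := range strings.Fields(line) {
		for _, re := range res {
			if re.MatchString(Refang(field)) {
				return true
			}
		}
	}
	return false
}

// ScanLines returns the log lines that carry a URL matching an IoC pattern.
func ScanLines(lines []string) []string {
	var res []*regexp.Regexp
	for _, p := range iocURLPatterns {
		res = append(res, PatternToRegexp(p))
	}
	var hits []string
	for _, line := range lines {
		if lineMatches(line, res) {
			hits = append(hits, line)
		}
	}
	return hits
}

// CheckPaths flags entries of a modified-file list that coincide with the IoC
// paths. Paths are normalised with path.Clean so "wp-admin//js/x" still matches.
func CheckPaths(modified []string) []string {
	set := map[string]bool{}
	for _, p := range iocFilePaths {
		set[p] = true
	}
	var hits []string
	for _, m := range modified {
		c := path.Clean("/" + strings.TrimPrefix(m, "/"))
		if set[c] {
			hits = append(hits, c)
		}
	}
	return hits
}

// Constructed sample data: outbound-request log lines (kept defanged) and a
// list of files reported as recently modified on a constructed site.
var sampleLog = []string{
	"2023-04-20T09:12:01Z ws-web-01 GET hxxps://baladainjector[.]com/assets/lib.js 200",
	"2023-04-20T09:12:05Z ws-web-01 GET https://cdn.example.org/jquery.min.js 200",
	"2023-04-20T09:13:44Z ws-web-02 POST hxxps://baladacontrol[.]com/c/stat.php?id=7 200",
	"2023-04-20T09:14:00Z ws-web-02 GET https://example.org/ 200",
}

var sampleModified = []string{
	"wp-admin//js/wp-auth-check.min.js",
	"/wp-content/plugins/hello.php",
	"/wp-content/themes/twentytwenty/style.css",
	"/wp-includes/js/tinymce/plugins/wordpress/img/trans.gif",
}

func main() {
	for _, l := range ScanLines(sampleLog) {
		fmt.Println("URL IoC hit:", l)
	}
	for _, p := range CheckPaths(sampleModified) {
		fmt.Println("path IoC hit, compare against pristine copy:", p)
	}
}
```

The `*.*` glob is compiled literally, so a bare `https://baladainjector.com/` with nothing after the slash does not match; if the report's intent is "anything on that host", the host pattern alone should be compiled instead.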

24-Apr-2023

1 min read

Ransomware

Discover the new Dark Power ransomware threat and learn how to protect your syst...

The Dark Power ransomware is a newly discovered threat that encrypts files on a victim's computer and demands a ransom in exchange for the decryption key. This [Threat Research](https://www.secureblink.com/threat-research) aims to provide a comprehensive analysis of the Dark Power ransomware group, including information about the encryption algorithm, file naming conventions, and the victim naming-and-shaming website. The research also includes details about the IOCs, hashes, binary string encryption, processes, ransomware signatures, timelines, and attack behaviors.

![Dark Power Ransom Note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Dark_Power_Ransom_Note_ae27cc93f1.jpg)

***Dark Power Ransomware Note***

## Technical Analysis

The Dark Power ransomware appears to be rather opportunistic, with no specific sector or geographic area targeted. The sample information shows the filename as "ef.exe" with a file size of 1323422 bytes (1.3 MB) and a compile date of 2023-01-29 02:01:33. The compiler used is Nim MINGW x64, which is commonly used by malware creators because of its cross-platform capabilities and ease of use.

## File Analysis

The Dark Power ransomware has a file name of ef.exe. Its hashes are:

- MD5: `df134a54ae5dca7963e49d97dd104660`
- SHA-1: `9bddcce91756469051f2385ef36ba8171d99686d`
- SHA-256: `11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394`

The file size of the ransomware is 1.3 MB, and its compile date is 2023-01-29 02:01:33. The ransomware is compiled using the Nim MINGW x64 compiler, a popular choice for malware creators due to its ease of use and cross-platform capabilities.

## Encryption Method

The Dark Power ransomware uses a 64-character randomized lowercase ASCII string to initialize its encryption algorithm. The ransomware uses the [Nimcrypto](https://github.com/cheatfate/nimcrypto) library to perform cryptographic operations, and AES in CTR mode is used for encryption.
![Dark Power String.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Dark_Power_String_7d6b344df5.jpg)

***Encryption Key***

The ransomware encrypts its strings to make it more difficult for defenders to create a generic detection rule. The encrypted strings are base64 encoded, and the ransomware uses a fixed key, the SHA-256 hash of a hard-coded string, to decrypt them. Each decryption call uses a different initialization vector (IV), which is also included within the ransomware binary.

## Encryption Key Initialization

Upon execution, the ransomware creates a randomized 64-character lowercase ASCII string, which initializes the encryption algorithm. This string is unique on each targeted machine, hindering the creation of a generic decryption tool. The Nimcrypto library is used to carry out cryptographic operations, and the cryptographic algorithm used is AES CTR.

## Binary String Encryption

The ransomware encrypts strings within the binary, making it harder for defenders to create a generic detection rule. The ciphertext strings are present within the binary in base64 encoded form. Once an encrypted string is decoded, it is decrypted using a fixed key, which is the SHA-256 hash of a hard-coded string. Each decryption call uses a different initialization vector (IV). Adding the decrypted strings as comments in the decompiler view makes the malware analysis easier.

![dark power decryption.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/dark_power_decryption_5f4ae59959.jpg)

***String Decryption Assembly***

## Stopping Services

The Dark Power ransomware targets specific services on the victim's machine. It stops the following services: veeam, memtas, SQL, mssql, backup, vss, sophos, svc$, and mepocs. Stopping these services makes it difficult for the victim to recover their files, and it also releases files that the services hold open (databases, for example), which allows the ransomware to encrypt them.
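The string-encryption scheme described above (base64 blob, AES-CTR, fixed key = SHA-256 of a hard-coded string, one IV per call) is exactly the kind of layout an analyst scripts a decryptor for. The following Go program is an added example written for this page, not the research's own tooling and not code from the sample: it implements that scheme with Go's standard `crypto/aes`, `crypto/cipher` and `crypto/sha256` packages. The seed string `example-hardcoded-seed`, the IVs and the three plaintexts are constructed placeholders; the `EncryptString` helper exists only to build test data in the same shape, so the program round-trips its own constructed table rather than reproducing anything from the binary.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Constructed placeholder for the hard-coded string; the real value is not
// reproduced here. The AES key is its SHA-256 digest, as the report describes.
const exampleSeed = "example-hardcoded-seed"

// DeriveKey returns the 32-byte AES-256 key: SHA-256 of the hard-coded string.
func DeriveKey(seed string) []byte {
	sum := sha256.Sum256([]byte(seed))
	return sum[:]
}

// aesCTR applies AES-CTR. CTR is a keystream XOR, so one routine both
// encrypts and decrypts. cipher.NewCTR panics on a wrong-sized IV, so the
// length is checked explicitly first.
func aesCTR(key, iv, data []byte) ([]byte, error) {
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// DecryptString is the analyst-side step: base64-decode the blob as it sits
// in the binary, then AES-CTR-decrypt it with the fixed key and this call's IV.
func DecryptString(seed string, iv []byte, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	pt, err := aesCTR(DeriveKey(seed), iv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptString only produces constructed test data in the same layout
// (base64 of AES-CTR ciphertext); it is not part of an analyst workflow.
func EncryptString(seed string, iv []byte, plaintext string) (string, error) {
	ct, err := aesCTR(DeriveKey(seed), iv, []byte(plaintext))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// EncryptedString mirrors how each string is stored: a blob paired with its own IV.
type EncryptedString struct {
	IV  []byte
	B64 string
}

// DecryptAll walks a table of (IV, blob) pairs, the shape a decompiler script
// would iterate over, and returns the recovered plaintexts in order.
func DecryptAll(seed string, table []EncryptedString) ([]string, error) {
	out := make([]string, 0, len(table))
	for _, e := range table {
		s, err := DecryptString(seed, e.IV, e.B64)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	// Constructed: three names from the report's service stop-list, each
	// encrypted under its own IV (distinct last byte).
	names := []string{"veeam", "vss", "sophos"}
	var table []EncryptedString
	for i, n := range names {
		iv := make([]byte, aes.BlockSize)
		iv[aes.BlockSize-1] = byte(i + 1)
		b64, err := EncryptString(exampleSeed, iv, n)
		if err != nil {
			panic(err)
		}
		table = append(table, EncryptedString{IV: iv, B64: b64})
	}
	recovered, err := DecryptAll(exampleSeed, table)
	if err != nil {
		panic(err)
	}
	for i, s := range recovered {
		fmt.Printf("%s -> %q\n", table[i].B64, s)
	}
}
```

Because the key is fixed across the binary, recovering the hard-coded seed once decrypts every string; the per-call IV is what stops a single keystream from being reused, so a decryptor must carry the IV alongside each blob rather than assume a constant.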
The [Volume Shadow Copy Service](https://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service) (VSS) is also stopped, which is common for ransomware. The goal is to increase the chance that a victim will pay the demanded ransom. When the ransomware finds a service or process that matches the predefined list, it prints "[YES] in killing (service name)" to the console.

## Process Termination

Processes that often hold files open are terminated. The ransomware queries Windows Management Instrumentation (WMI) through the moniker "winmgmts: & {impersonationLevel=impersonate}!.\root\cimv2" with the query "select * from win32_process". This query returns a list of all running processes. Any process whose name matches the predefined list is terminated. The ransomware targets Microsoft Office processes, such as excel.exe, winword.exe, powerpnt.exe, and visio.exe, as well as database-related processes, including sql.exe, oracle.exe, and dbsnmp.exe. By terminating these processes, the ransomware ensures that it can complete its encryption without encountering locked files.

## Victim Naming and Shaming Website

The Dark Power ransomware gang has a victim naming-and-shaming website, filled with non-paying victims and stolen data. The website is used as leverage to pressure victims into paying the ransom. It lists victim names, company names, the date of the attack, the amount of data stolen, and a description of the stolen data. The website also has a countdown timer, which appears to be a deadline for the ransom payment. If the payment is not made by the deadline, the website will supposedly release the stolen data to the public. Ransomware gangs often use this tactic to increase pressure on the victim to pay the ransom.

## Timelines

The Dark Power ransomware has been observed in the wild since January 2023, with the earliest sample compiled on January 29th, 2023.
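The service-stopping and process-termination behaviour described above is a strong detection signal: a single process that, within seconds, stops several backup and security services and kills Office and database processes looks nothing like an administrator restarting one agent. The following Go program is an added example written for this page, not a detection rule from the research or from any product: it runs a burst detector over constructed telemetry. The pipe-delimited record layout (`time|host|pid|action|target`), the host names, PIDs and timestamps are all constructed assumptions; the watch-lists are the service and process names quoted in the sections above. A real deployment would feed it Windows service-control or EDR events instead.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Watch-lists from the Dark Power description, keyed by action. Matching is
// exact on the lower-cased name.
var watchlist = map[string]map[string]bool{
	"service_stop": {"veeam": true, "memtas": true, "sql": true, "mssql": true, "backup": true,
		"vss": true, "sophos": true, "svc$": true, "mepocs": true},
	"process_terminate": {"excel.exe": true, "winword.exe": true, "powerpnt.exe": true,
		"visio.exe": true, "sql.exe": true, "oracle.exe": true, "dbsnmp.exe": true},
}

// Event is a simplified telemetry record. The layout is an assumption made
// for this example, not a real Windows event or EDR schema.
type Event struct {
	Time   time.Time
	Host   string
	PID    int
	Action string // "service_stop" or "process_terminate"
	Target string // lower-cased service or image name
}

// ParseEvent parses one constructed line: time|host|pid|action|target.
func ParseEvent(line string) (Event, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 5 {
		return Event{}, fmt.Errorf("expected 5 fields, got %d in %q", len(f), line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	pid, err := strconv.Atoi(f[2])
	if err != nil {
		return Event{}, err
	}
	return Event{Time: ts, Host: f[1], PID: pid, Action: f[3], Target: strings.ToLower(f[4])}, nil
}

// Alert names one actor (host + PID) and every watch-listed target it touched.
type Alert struct {
	Host string
	PID  int
	Hits []string
}

// Detect raises one alert per actor that stopped or terminated at least
// `threshold` watch-listed targets within `window`. One stop of one service
// stays below the bar; the burst the ransomware produces does not.
func Detect(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	byActor := map[string][]Event{}
	var order []string // first-seen order keeps the output deterministic
	for _, l := range lines {
		e, err := ParseEvent(l)
		if err != nil {
			return nil, err
		}
		if !watchlist[e.Action][e.Target] { // nil map lookup is simply false
			continue
		}
		k := e.Host + "/" + strconv.Itoa(e.PID)
		if _, seen := byActor[k]; !seen {
			order = append(order, k)
		}
		byActor[k] = append(byActor[k], e)
	}
	var alerts []Alert
	for _, k := range order {
		evs := byActor[k]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := 0; i+threshold <= len(evs); i++ { // sliding window of `threshold` hits
			if evs[i+threshold-1].Time.Sub(evs[i].Time) <= window {
				a := Alert{Host: evs[0].Host, PID: evs[0].PID}
				for _, e := range evs {
					a.Hits = append(a.Hits, e.Action+":"+e.Target)
				}
				alerts = append(alerts, a)
				break
			}
		}
	}
	return alerts, nil
}

// Constructed sample telemetry: PID 4120 on ws01 behaves like the ransomware;
// the other two actors are ordinary activity (one is deliberately out of order).
var sampleEvents = []string{
	"2023-03-27T10:15:00Z|ws01|4120|service_stop|veeam",
	"2023-03-27T10:15:03Z|ws01|4120|process_terminate|winword.exe",
	"2023-03-27T10:15:00Z|ws01|4120|service_stop|memtas",
	"2023-03-27T10:15:01Z|ws01|4120|service_stop|vss",
	"2023-03-27T10:15:01Z|ws01|4120|service_stop|sophos",
	"2023-03-27T10:15:02Z|ws01|4120|service_stop|mepocs",
	"2023-03-27T10:15:03Z|ws01|4120|process_terminate|excel.exe",
	"2023-03-27T10:20:00Z|ws01|7788|service_stop|spooler",
	"2023-03-27T11:02:10Z|ws02|900|process_terminate|excel.exe",
	"2023-03-27T11:02:10Z|ws02|900|service_stop|vss",
}

func main() {
	alerts, err := Detect(sampleEvents, 3, time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("ALERT %s pid=%d hits=%v\n", a.Host, a.PID, a.Hits)
	}
}
```

The threshold and window are tuning knobs: three hits in one minute catches the burst shown in the sample while leaving a user closing Excel and an admin stopping VSS untouched, and any actor that trips the rule is a candidate for immediate isolation before encryption completes.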
As of this writing, the gang has not publicly released any victim data, nor have they made any notable media statements. However, this could change in the future as the gang grows and seeks to establish itself in the ransomware landscape.

## Attack Behaviors

Based on our analysis of the Dark Power ransomware, the gang appears to be using a relatively standard approach to ransomware attacks. The ransomware is likely delivered via phishing emails or other social engineering tactics, which trick victims into downloading and executing the malware. Once the malware is executed, it begins its encryption process, which targets a wide range of file types and locations on the victim's machine. The gang also uses a variety of tactics to prevent victims from recovering their files, including stopping critical system services, terminating certain processes, and deleting shadow copies. Additionally, the gang has set up a victim-shaming website, which they use to put pressure on victims to pay the ransom. This approach is not unique to Dark Power, but it is a common tactic used by ransomware gangs to increase the likelihood of receiving payment.

## Conclusion

The Dark Power ransomware gang is a new player in the ransomware landscape, using a relatively standard approach to their attacks. They appear to be opportunistic in their targeting, without focusing on any particular sector or geography. The encryption process is initialized with a unique key for each machine, making it more challenging to create a generic decryption tool. The gang uses a variety of tactics to prevent victims from recovering their files, including stopping critical system services, terminating certain processes, and deleting shadow copies. The victim shaming website increases pressure on victims to pay the ransom. Organizations need to remain vigilant against such attacks and take appropriate measures to prevent them, such as user awareness training, regularly backing up critical data, and deploying up-to-date anti-malware software.

27-Mar-2023

1 min read

IoT Devices

Botnet

Mirai

Learn about the MIRAi botnet and its devastating impact on IoT devices. Understa...

The Mirai botnet is a notorious malware that targets Internet of Things (IoT) devices. It was first discovered in 2016 and has since caused several high-profile Distributed Denial of Service (DDoS) attacks, taking down major websites such as Twitter, Netflix, and GitHub. Mirai uses a combination of default login credentials and known vulnerabilities to infect IoT devices and turn them into botnets that can be controlled remotely. This [threat research](https://www.secureblink.com/threat-research) provides a detailed analysis of the Mirai botnet, including its technical aspects, code analysis, and attack behaviors.

![Mirai Botnet Overview.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Mirai_Botnet_Overview_3434f65eba.jpg)

***Attack Flow***

## Technical Analysis

The Mirai botnet targets IoT devices such as routers, cameras, and DVRs. The botnet primarily uses two methods to infect these devices: brute-forcing default credentials and exploiting known vulnerabilities. Once the botnet infects an IoT device, it communicates with the command and control (C&C) server to receive instructions on what action to take next. The Mirai botnet is known to use a custom-built TCP protocol for communication between its bots and the C&C server.

## Code Analysis

The Mirai botnet is written in C and compiled using the GNU Compiler Collection (GCC). The malware is modular in nature, with each module designed to perform a specific function. The modules are loaded on the infected device based on the commands received from the C&C server. The Mirai botnet contains several modules, including a scanner module that is used to scan the internet for vulnerable IoT devices, an attack module that launches DDoS attacks, and a command execution module that allows the attacker to execute commands on the infected device.

## IoCs, Hashes, and Signatures

The Mirai botnet can be identified by its IoCs, hashes, and signatures. Some of the IoCs associated with the Mirai botnet are:

- IP addresses of the C&C server
- TCP ports used by the C&C server
- Binary strings used by the malware
- Processes associated with the malware

Some of the known hashes of the Mirai botnet are:

- SHA1: `8e6e74f31ef37d6c9e2bca91be4d707e28de8094`
- MD5: `1f16ba92ec7ce1b3d88f5c31b6e29aa7`
- SHA256: `f79b538f772f22e2d11a9e9b12f34da61cf08185c5e5a3e064008b3c097ae455`

Some of the known signatures of the Mirai botnet are:

- ELF:Mirai-A [Trj]
- TR/MIRAI.WIN32.AA

## Timelines

The first attack associated with the Mirai botnet was reported in September 2016, when the KrebsOnSecurity website was targeted with a DDoS attack that peaked at 620 Gbps. Since then, the Mirai botnet has been responsible for several high-profile attacks, including the one that targeted DNS provider Dyn in October 2016. The botnet has continued to evolve, with new variants being discovered over time.

## Attack Behaviors

The Mirai botnet is primarily used for launching DDoS attacks. The botnet is capable of generating a high volume of traffic, which can take down even the most robust websites. The malware is also known to have been used for cryptocurrency mining and spreading other malware.

25-Mar-2023

1 min read