company logo


Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.


By Industry




IT & Telecom


By Role


DevOps Engineer


Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest


Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.





PixPirate: Invisible Android Trojan Targets Brazilian Users

PixPirate analysis reveals advanced Android banking trojan. Accessibility abuse, credential theft, and Pix fraud tactics analyzed.

10 min read

Related Articles



StopCrypt ransomware is back with a vengeance! This analysis dives into its mult...

The ever-evolving threat landscape of ransomware demands constant vigilance and in-depth analysis. StopCrypt ransomware, a particularly nasty strain, has garnered significant attention due to its recent resurgence and concerning capabilities. Our Threat Intel Lab at Secure Blink categorically captures the underlying nuances of this StopCrypt ransomware variant showcasing advanced evasion tactics and a sophisticated multi-stage execution process. #### Infection Cycle Upon execution, the ransomware begins by loading the msim32.dll library using the LoadLibrary function, although the significance of this action remains obscure. It then employs a protracted time-delaying loop, iterating over a large number of iterations to artificially prolong execution time. This strategy aims to thwart time-sensitive sandboxes and security mechanisms, complicating detection efforts. Additionally, the malware utilizes techniques such as LocalAlloc and VirtualProtect to manipulate memory permissions, potentially facilitating its malicious activities while evading detection. #### First Stage Payload During the initial stage of execution, the ransomware dynamically resolves essential APIs vital for its operation. Rather than employing straightforward API calls, it constructs API function calls directly on the stack. This method enhances obfuscation and complicates analysis by security tools. The malware meticulously resolves the addresses of critical APIs, including GlobalAlloc, VirtualAlloc, SetLastError, and others. This process ensures the ransomware's ability to allocate memory and execute its malicious routines without relying on fixed API calls that could be easily identified and intercepted. #### Second Stage Payload In the subsequent stage, the ransomware focuses on process hollowing—a technique used to inject malicious code into a legitimate process while maintaining its functionality. Similar to the first stage, API function names are dynamically created on the stack, enhancing obfuscation. The malware resolves the addresses of numerous APIs necessary for process hollowing, including MessageBoxA, WinExec, CreateProcessA, and many others. This comprehensive approach enables the ransomware to effectively manipulate processes and execute its payload while evading detection. #### Final Payload After successfully executing the second stage, the ransomware proceeds to its final payload. It launches a resumed process with specific parameters, creates a new directory to store its binary, and utilizes the icacls.exe utility to deny permissions, thwarting attempts to modify or delete the ransomware. Furthermore, the ransomware schedules tasks to execute its payload at regular intervals, ensuring persistence and continued malicious activity. ![Fig_18_(1).png]( ***StopCrypt Ransomware Note [Sonicwall](*** #### Update A subsequent analysis confirmed the presence of a new variant of StopCrypt ransomware, further underscoring the ongoing evolution and adaptation of these malicious threats.

loading..   30-Apr-2024
loading..   1 min read



Raspberry Robin malware aggressively targets unpatched systems with new 1-day ex...

Raspberry Robin is a sophisticated and persistent worm-like malware that spreads primarily through removable storage devices. Initial infection often begins when an infected USB drive is connected to a Windows system. Raspberry Robin leverages legitimate Windows tools to facilitate the download and execution of malicious payloads, exploiting vulnerabilities to escalate privileges and establish persistence. It is associated with diverse threat groups like [EvilCorp](, [FIN11](, TA505, and those involved in the [Clop ransomware]( operations. Raspberry Robin's capabilities pose severe cybersecurity risks, including data theft, lateral movement, and deployment of ransomware. ### **Key Findings** - **Evolving Tactics:** Raspberry Robin continuously updates its infection mechanisms, evasions, and exploit capabilities. This renders traditional signature-based detection less effective and demands robust behavioral analysis for mitigation. - **1-day Exploit Acquisition:** Raspberry Robin demonstrates a notable ability to rapidly acquire and weaponize 1-day vulnerabilities. This includes the exploitation of CVE-2023-36802 and CVE-2023-29360. Some of these exploits appear to be purchased from third-party sources. - **Focus on Privilege Escalation:** The malware's use of exploits indicates a strong emphasis on gaining system-level privileges on compromised machines, potentially leading to widespread damage and disruption. - **Modified Communication and Lateral Movement:** Recent updates show Raspberry Robin has altered its communication channels and lateral movement techniques, presumably to evade detection mechanisms. - **New Delivery Method:** Reports indicate a shift from primarily USB-based delivery to the distribution of malicious archives disguised as legitimate Windows components, primarily via Discord. ### **Technical Analysis** #### **Initial Infection Vector: Discord** Raspberry Robin's use of Discord for distribution presents a calculated strategic shift. Discord, a popular communication platform, is frequented by gamers and online communities. Attackers exploit this platform's trust factor to lure unsuspecting users into downloading and executing malicious files. Here's a detailed breakdown of the infection process: - 1. **Malicious Archive:** Attackers upload a malicious archive (RAR or ZIP) to Discord, often disguised with names resembling legitimate software (e.g., "Windows_Update.rar" or ""). These archives may also contain a decoy, a legitimate and signed Microsoft executable (e.g., OleView.exe) commonly used for image viewing. - 2. **Social Engineering:** Attackers may employ social engineering tactics within Discord channels or private messages to trick users into downloading the archive. This could involve impersonating a trusted source (e.g., a gaming forum administrator) or offering cracked software or game hacks. - 3. **Execution via DLL Sideloading:** Once the archive is downloaded and extracted, the user might be prompted to run the seemingly harmless decoy executable (e.g., OleView.exe). However, in the background, the malware exploits a vulnerability within the decoy to load a malicious DLL from the same directory as the archive. This DLL sideloading technique bypasses traditional security measures that focus on the file reputation of the initial executable. - 4. **Persistence Mechanisms:** Raspberry Robin employs a multi-pronged approach to maintain a persistent presence on infected systems, ensuring continued malicious activity even after a system reboot. Here's a closer look at some of the common techniques: - 5. **Scheduled Tasks:** Raspberry Robin can create scheduled tasks within the Windows Task Scheduler. These tasks trigger the execution of the malware payload at predefined intervals, ensuring persistence and potentially evading detection by mimicking legitimate scheduled activities. - 6. **Registry Modification:** The malware can manipulate the Windows Registry to establish persistence. By adding malicious entries under keys like Run and RunOnce, Raspberry Robin ensures automatic execution during system startup. - 7 **Service Installation:** In some cases, Raspberry Robin may attempt to install itself as a Windows service. This grants the malware a higher level of privilege and makes it more difficult to remove. - 8 **File Dropping:** The malware may drop additional malicious files onto the compromised system. These files can serve various purposes, such as providing a secondary persistence mechanism, downloading additional payloads, or interfering with system security tools. - 9 **Boot Sector Infection:** In rare instances, Raspberry Robin may infect the Master Boot Record (MBR) of a storage device. This can be particularly dangerous as it grants the malware rootkit-like capabilities, making it highly challenging to eradicate. ### **Payload Execution and Evasion:** - **Anti-Analysis Techniques:** Raspberry Robin incorporates sophisticated anti-analysis techniques to hinder the investigation and circumvent sandboxing. - **Sandbox Detection:** Checks for the presence of virtual machine artifacts or sandbox environments. If detected, the malware may cease execution or only deliver decoy payloads. - **Security Tool Detection:** Detects the presence of security software like antivirus programs or EDR solutions and adjusts its behavior accordingly. - **Obfuscation and Encryption:** Heavily obfuscates code and data, making static analysis time-consuming. Employs encryption to conceal important data structures and communication protocols. - **Multi-Stage Delivery:** Divides the malware into multiple stages packed within individual components. This layered approach requires analysts to unpack and analyze each stage sequentially, increasing the complexity of understanding the full extent of the malware's functionality. ### **Exploit Utilization and Privilege Escalation:** Raspberry Robin's rapid incorporation of 1-day exploits highlights its focus on achieving system-level privileges to bypass security restrictions. Here's an analysis of the two known exploits recently used: #### **CVE-2023-36802:** - **Vulnerability Type:** Type Confusion vulnerability within the Microsoft Streaming Service Proxy (mssrv.sys) driver. This vulnerability stems from mishandling data within the driver, allowing an attacker to inject arbitrary code and execute it with SYSTEM privileges. - **Impact:** Allows local privilege escalation to SYSTEM, the highest privilege level in Windows. With SYSTEM privileges, an attacker gains complete control over the infected system and can perform a wide range of malicious activities, including disabling security software, installing additional malware, and stealing sensitive data. - **Observed Usage:** Raspberry Robin started exploiting this vulnerability shortly after public disclosure, indicating the threat actors behind the malware have established channels to acquire exploit kits or have the capability to develop their own exploits. In some cases, it appears that the exploit was purchased from an exploit developer or marketplace, highlighting the commoditization of these vulnerabilities and the ease with which they can be incorporated into malware by attackers. #### **CVE-2023-29360:** - **Vulnerability Type:** Local privilege escalation vulnerability within the Windows Trusted Platform Module (TPM) device driver. The Trusted Platform Module (TPM) is a hardware component that enhances security features on a modern computer system. This vulnerability arises from a flaw in the communication between the TPM device driver and the operating system, potentially allowing an attacker to execute arbitrary code in kernel mode with elevated privileges. - **Impact:** Successful exploitation of this vulnerability can grant an attacker SYSTEM privileges, enabling them to take complete control of the affected system. This can lead to a plethora of malicious activities, including installing persistent malware, stealing sensitive data, disrupting critical system processes, and launching further attacks within the compromised network. - **Observed Usage:** Demonstrating its tendency to rapidly adopt new exploits, Raspberry Robin began integrating an exploit for CVE-2023-29360 within a short time frame after the vulnerability details were publicly disclosed. This swift exploitation highlights the importance of timely system patching and the need for organizations to prioritize vulnerability management practices. The fact that Raspberry Robin was able to acquire and deploy this exploit so quickly suggests that the malware operators have established connections within the cybercrime underground or possess the in-house capability to develop their own exploits. ## **Exploit Flow: Dissecting Raspberry Robin's Tactics** Raspberry Robin's exploit targets a specific range of Windows 10 builds (up to 22621). It meticulously customizes its attack based on the detected operating system version. **Initialization:** The malware establishes a core data structure to guide the exploit process. **OS Fingerprinting:** It determines the exact Windows version, ensuring tailored exploit execution for optimal success. **Offset Calculation:** Token and PreviousMode offsets are carefully chosen to match the vulnerabilities within specific OS builds. **EPROCESS Address Leak:** Raspberry Robin cleverly utilizes the `NtQuerySystemInformation` API in conjunction with undocumented system structures. This allows it to obtain sensitive kernel object addresses, a critical step for privilege escalation. **Pipe Generation:** A unique, randomized pipe name is created using UUIDs. This pipe facilitates communication and coordination during the ongoing attack. ### **Diverging Paths Based on Build:** The exploit's precise execution diverges depending on whether the Windows build is older or newer than 19044. Understanding these nuanced differences is crucial for effective mitigation. Google Project Zero offers a comprehensive analysis that sheds light on the specific variations involved in each exploit path. ### **Raspberry Robin's Exploit** This malware demonstrates a disturbing pattern of rapid vulnerability adoption: **CVE-2023-29360:** This vulnerability was swiftly exploited after its public disclosure. This highlights the attackers' ability to either quickly develop exploits in-house or efficiently acquire them from external sources. **CVE-2023-36802:** Strong evidence suggests Raspberry Robin deployed this exploit as a 1-day. This showcases a swift integration process and points to potential connections within the cybercrime underground. **Shared Characteristics:** Similarities observed between the exploits for CVE-2023-29360 and CVE-2023-36802, including code structure and obfuscation techniques, indicate a focused attacker. This attacker likely specializes in exploiting vulnerabilities within the `mssrv.sys` driver, raising concerns about further exploitation attempts in the future. ### **Exploit Evolution: A Race Against Time** Raspberry Robin's development timeline paints an alarming picture – the window between vulnerability disclosure and exploitation is rapidly shrinking. This emphasizes the absolute necessity of timely patch management. Unpatched systems provide attackers with extended periods to leverage known vulnerabilities, significantly increasing risk. ### **Command and Control (C2) Communication:** Raspberry Robin dynamically establishes communication with its C2 servers to receive further instructions and download additional payloads. Here's how it operates: **Tor Network:** The malware primarily depends on the Tor Network for anonymizing its C2 communications, making it difficult to trace its origin. **Domain Generation Algorithm (DGA):** May employ a DGA to generate a list of potential C2 domains as a fallback mechanism. If unable to establish a connection to the hardcoded domains, the malware will attempt to connect to domains generated by its DGA, increasing resilience and hindering takedowns. **Data Exfiltration:** Raspberry Robin can exfiltrate sensitive information from infected systems. This data includes process trees, filenames from various system directories, and other system-related information. Stolen data is encrypted and then sent via Tor for further actions by the threat actor. ### **Potential Impact** A successful Raspberry Robin infection can have significant consequences for individuals and organizations: **Data Theft:** The malware's data exfiltration capabilities allow attackers to steal sensitive information like login credentials, financial details, and intellectual property, leading to financial losses or reputational damage. **Ransomware Deployment:** Raspberry Robin is often observed as a primary access broker for ransomware attacks. Once attackers gain an initial foothold in a network via Raspberry Robin, they can deploy ransomware payloads to encrypt critical data and demand payment. **Network Compromise:** With its worm-like behavior and lateral movement capabilities, Raspberry Robin can infect multiple machines within a network. This widespread compromise can disrupt operations, causing downtime and hindering productivity. ### **Mitigation Strategies** **Zero-Trust Architecture:** Implement a Zero-Trust security model that emphasizes the principle of least privilege and rigorous access controls. This limits the ability of Raspberry Robin to gain elevated permissions and spread laterally. **Endpoint Security:** Employ robust endpoint security solutions that include advanced behavioral detection and exploit protection capabilities. **Regular Patching:** Ensure operating systems and applications are up-to-date with the latest security patches to close known vulnerabilities that Raspberry Robin exploits. **Network Segmentation:** Segment networks to prevent malware from easily spreading throughout the environment. **User Education:** Train users on identifying phishing attacks, social engineering techniques, and the importance of downloading files only from trusted sources. **Monitoring and Threat Hunting:** Regularly monitor network activity for indicators of compromise (IOCs) related to Raspberry Robin. Use threat-hunting processes to proactively detect and neutralize adversarial activity. ### **Conclusion** Raspberry Robin poses a severe threat due to its adaptability, use of advanced tactics, and ability to deliver devastating payloads. This approach allows Raspberry Robin to leverage the trusted status of signed executables and bypass potential red flags for unsuspecting users. By employing social engineering and exploiting a well-known application (Discord) frequented by a specific target demographic (gamers), Raspberry Robin demonstrates a focus on tailored attacks for maximum impact. Its rapid exploitation of vulnerabilities underscores a commitment to exploiting weaknesses as they emerge. Staying vigilant, implementing a multi-layered security approach, and maintaining up-to-date threat intelligence are crucial to mitigating the risks posed by Raspberry Robin.

loading..   11-Mar-2024
loading..   1 min read



Uncover the latest tactics of Russia's Turla APT. This technical report analyze...

Turla, a Russian state-sponsored Advanced Persistent Threat (APT) group, conducts sophisticated cyberespionage against government institutions, NGOs, and organizations aligned with Russian interests. This [Threat Research]( provides a detailed analysis of Turla's historical context, recent operations named "Turla Wields," and a thorough technical analysis of their tools and techniques. ### Origins and Historical Context Turla, also known as Snake, Uroburos, Waterbug, and Venomous Bear, emerged in the late 1990s, targeting governments and militaries globally. Their operations align with Russia's geopolitical interests, focusing on nations bordering Russia and former Soviet states. Turla is adept at evading detection, preferring long-term intelligence gathering over disruptive attacks. ### Turla Wields: Recent Attack Trends and Targeting Recent campaigns target NGOs, particularly those supporting Ukrainian causes. Turla exploits legacy infections like Andromeda botnet, employs spear-phishing with weaponized PDFs, and constantly evolves its toolkit, including TinyTurla-NG and TurlaPower-NG. Motives range from military intelligence gathering to destabilizing opposition parties and supporting hybrid warfare. ### Technical Analysis of Turla Techniques Turla's initial infection vectors include spear-phishing, zero-day vulnerabilities, and compromised websites. They establish persistence using TinyTurla-NG, leveraging DLL loading and file masquerading. Communication with command and control servers is disguised within regular web traffic, employing redundant C2s for resilience. ### Data Exfiltration Techniques Turla employs custom tools like TurlaPower-NG to target password managers and browser history databases. Data exfiltration involves file archiving and staged uploads, obscuring their activities over time. ### "Living off the Land" Approach Turla increasingly relies on PowerShell for operations, employing obfuscation techniques and disabling command history recording to evade detection. ### Countermeasures and Defense Considerations Patching vulnerabilities, especially zero-days, is crucial. Endpoint Detection and Response (EDR) platforms with behavioral baselining and anomaly detection can spot Turla's subtle activities. Application and script whitelisting, along with security awareness training, enhance defenses. Web infrastructure hardening and intrusion detection systems are also recommended. ## Technical Analysis: Evolving Toolset Breakdown ### TinyTurla-NG and TurlaPower-NG Deep Dive #### TinyTurla-NG - Network Protocols: HTTP/HTTPS with custom headers and unusual User-Agent strings. - C2 Commands: Task scheduling logic and data encoding for exfiltration. - Persistence: Registry hiding, DLL hijacking methods, and boot-time execution. #### TurlaPower-NG - Target Files: Focus on password managers and browser history SQLite databases. - Data Extraction Logic: Parsing methods and obfuscation techniques. - Archiving: Compression and encryption methods used for file uploads. ### Obfuscation and Anti-Forensics Turla employs meaningless variable names, packed executables, and sandbox evasion techniques to hinder analysis. They ensure minimal forensic traces by cleaning temporary files and overwriting disk images. ### Historical Malware Progression Turla's tools have evolved from executable-based to PowerShell-based, leveraging trusted Windows programs for stealth and adaptability. Staged exfiltration and variable beaconing remain consistent features across toolsets. ## Victim Profiling & Targeting Patterns ### Target Industries & Organizations Turla targets a range of industries, including defense, technology, government, diplomacy, and NGOs. Specific organizations and job titles vary, with a focus on technical staff for network compromise and decision-makers for policy insight. ### Geographic Shifts & Geopolitical Correlation Turla's targeting intensifies around geopolitical events involving Russia, such as elections and conflicts. Analysis reveals patterns of intelligence gathering preceding significant actions, indicating strategic alignment with Russian interests. ## Code Snippets for Detection The following are representative indicators based on open-sourced reports on TinyTurla-NG and similar C2 mechanisms Turla often uses. Use with caution – APTs evolve, so these patterns may change in future samples: `Registry Modification (Possible Turla DLL Loading)` HKEY_CURRENT_USER\Software\Classes\CLSID\{<unusual-looking-GUID>} –Suspicious values within this key can point to persistence via COM object loading `Unusual HTTP Beaconing Traffic Patterns` # Example YARA-like Pattern – simplified - targeting WordPress C2 traffic rule turla_wp_beacon { meta: description = "Possible Turla compromise of WordPress sites for C2" author = "<Your Org Name>" date = "2024-02-27" strings: $http_header = {Content-Type: multipart/form-data;} $beacon_id = /page=[0-9]{8}/ condition: $http_header and $beacon_id and all of them } `PowerShell Obfuscation Techniques (Simplified Examples)` PowerShell # Base64 Encoding to Conceal Commands $cmd = "iex <base64 encoded command>" Invoke-Expression $cmd # Modifying Command Execution Flow $var = 'Something'; $var[3..1] -join '' # Reconstructs a hidden string # PowerShell History Evasion Set-PSReadLineOption -HistorySaveStyle SaveNothing ## Conclusion Turla's persistence and adaptability make them a formidable threat to global security. Understanding their techniques and motivations is crucial for developing effective defense strategies. By implementing rigorous countermeasures and leveraging threat intelligence, organizations can mitigate the risk posed by Turla's cyberespionage activities.

loading..   21-Feb-2024
loading..   1 min read