
Shagle

Malware

Telegram


StrongPity APT After Android Users with Trojanized Telegram App

Learn about the StrongPity APT group's latest espionage campaign targeting Android users with a trojanized Telegram app disguised as the Shagle chat app...

19-Jan-2023
7 min read

Related Articles


Linux

BOLDMOVE is a new Linux-based malware discovered in a China-based cyber espionag...

In recent months, there has been an increase in cyber espionage campaigns targeting internet-facing devices, particularly those used for managed security purposes such as firewalls and IPS/IDS appliances. Because these devices are exposed to the internet, an attacker with the right exploit can gain access to a network without any action by the victim, which gives the attacker more control over the intrusion and reduces the probability of discovery. One such campaign is being executed by a China-based group against FortiOS devices using a new Linux-based malware called "BOLDMOVE". The group is believed to have exploited a recently discovered vulnerability (CVE-2022-42475) in Fortinet's FortiOS SSL-VPN as a zero-day in December 2022. The vulnerability allows remote unauthenticated attackers to crash targeted devices or gain remote code execution. In this threat research we provide a comprehensive analysis of the BOLDMOVE malware and the tactics, techniques, and procedures (TTPs) leveraged by the China-based threat actor group in its ongoing cyber espionage campaign.

## Background

Fortinet is a leading provider of network security devices, and the FortiOS operating system is widely used in enterprise networks. In November 2022, Fortinet quietly fixed a vulnerability (CVE-2022-42475) in FortiOS that allows remote unauthenticated attackers to crash targeted devices or gain remote code execution. Fortinet publicly announced the vulnerability in December 2022 and advised its customers to patch their devices promptly, as the vulnerability was being actively exploited by threat actors. It wasn't until January 2023 that Fortinet shared more details about how the vulnerability had been exploited, explaining that threat actors had targeted government entities with custom malware specifically designed to run on FortiOS devices. The attackers focused on maintaining persistence on exploited devices by using the custom malware to patch the FortiOS logging processes so that specific log entries could be removed, or to disable the logging process altogether.

## Malware Analysis

BOLDMOVE is a full-featured backdoor written in C that gives the Chinese operators higher-level control over the device; the Linux version was specifically created to run on FortiOS devices. Mandiant identified several versions of BOLDMOVE with varying capabilities, but the core set of features observed across all samples includes:

- Performing system surveying.
- Receiving commands from the C2 (command and control) server.
- Spawning a remote shell on the host.
- Relaying traffic through the breached device.

The commands supported by BOLDMOVE allow threat actors to remotely manage files, execute commands, create interactive shells, and control the backdoor. The Windows and Linux variants are largely the same but use different libraries; the Windows version is believed to have been compiled in 2021, almost a year before the Linux variant. One of the Linux variants of BOLDMOVE contains functionality that specifically targets FortiOS devices.

One of the key capabilities of BOLDMOVE is its ability to manipulate system logs on a compromised device. This allows attackers to remove specific log entries or disable logging processes entirely, making it more difficult for defenders to detect and track the intrusion. As a result, the attackers can maintain persistence on the device for longer, and defenders find it harder to understand the scope and nature of the attack. Additionally, this version of BOLDMOVE can send requests to internal Fortinet services, allowing attackers to send network requests into the internal network and spread laterally to other devices.

The Linux variant of BOLDMOVE is built from several statically compiled libraries: an undetermined and likely custom library used for event handling, WolfSSL for SSL-encrypted communication with the C2 server, and Musl libc. Upon failure, the malware reruns itself in a new process. If the malware is executed with a command line argument, it does not initiate the backdoor logic but instead attempts to execute the provided argument as a new process. Before starting the backdoor logic, the malware calls the signal function to ignore the signals SIGCHLD, SIGHUP and SIGPIPE. The extended version of BOLDMOVE contains all the aforementioned functionality with additional features, including Execution Guardrails (T1480): it verifies that it is running on a specific device with specific configurations before proceeding.

## TTPs

The China-based group behind the BOLDMOVE malware has used several TTPs in its cyber espionage campaign. These include:

- Exploiting a zero-day vulnerability in FortiOS devices.
- Developing custom malware specifically designed to run on FortiOS devices.
- Maintaining persistence on exploited devices by patching the FortiOS logging processes and disabling logging altogether.
- Using a C2 server to receive commands and control the malware.
- Using a remote shell to access and control the compromised device.
- Relaying network traffic through the breached device.

Target Selection: The targeted entities in this campaign have been government entities and managed service providers located in Europe and Africa. This suggests that the group behind the BOLDMOVE malware is focused on gathering sensitive information from government and potentially critical infrastructure organizations.

BOLDMOVE follows a specific path to gain access to and control FortiOS devices. The intrusion begins with the exploitation of a zero-day vulnerability in FortiOS, specifically CVE-2022-42475, which allows remote unauthenticated attackers to crash targeted devices or gain remote code execution. Once the vulnerability has been exploited, the attackers deploy the custom Linux variant created to run on FortiOS devices and use it to perform system surveying, receive commands from the C2 (command and control) server, and spawn a remote shell on the host. The malware can also relay traffic through the breached device, allowing the attackers to move laterally to other devices on the network. The attackers then focus on maintaining persistence on the compromised device by patching the FortiOS logging processes and disabling logging altogether. This is not the only possible intrusion path, and the attackers may use other techniques as well, but it is the general path used by the BOLDMOVE malware.

## Mitigation

To protect against the BOLDMOVE malware and similar threats, organizations should take the following steps:

- Apply the latest security patches for FortiOS devices as soon as they become available.
- Use network segmentation and access controls to limit the spread of malware within the network.
- Monitor network traffic for signs of malicious activity, such as communications with known C2 servers.
- Regularly review system and security logs for signs of suspicious activity.
- Use endpoint protection and intrusion detection/prevention systems to detect and block malware.
- Regularly update anti-virus software and perform malware scans.

## Ending Note

The BOLDMOVE malware is a new and sophisticated threat that specifically targets FortiOS devices. The China-based group behind the malware has demonstrated a deep understanding of how these devices operate and the initial access opportunity they present. By exploiting a zero-day vulnerability and developing custom malware, the group has been able to maintain a persistent foothold on compromised devices and gather sensitive information from government and critical infrastructure organizations. Organizations should take immediate steps to protect themselves against this threat by applying the latest security patches and implementing the recommended mitigation techniques.
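Because BOLDMOVE tampers with logging on the device itself, the copy of the logs that a FortiOS unit forwards to a collector is the one a defender can still trust. The following is an added example, not code from the article or from Mandiant: it parses FortiOS-style key=value log lines (constructed sample data; field names follow FortiOS conventions, every value is invented) and reports per-device silences, which is what dropped entries or disabled logging look like from the collector's side.

```python
"""Detect suspicious silences in a forwarded FortiOS log stream.

BOLDMOVE patches FortiOS logging so entries are dropped or logging stops.
A copy forwarded off-box (syslog/FortiAnalyzer) is out of the malware's
reach, so a device that normally logs steadily and then goes quiet is a
detectable signal. The sample lines are constructed in FortiOS key=value
style; field names follow FortiOS conventions, every value is invented.
"""
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = """\
date=2023-01-10 time=08:00:00 devname="fw-edge-01" logid="0100032001" type="event" subtype="system" msg="Admin login"
date=2023-01-10 time=08:05:00 devname="fw-edge-01" logid="0100032002" type="event" subtype="system" msg="Admin logout"
date=2023-01-10 time=08:10:00 devname="fw-edge-01" logid="0000000013" type="traffic" subtype="forward"
date=2023-01-10 time=08:15:00 devname="fw-edge-01" logid="0000000013" type="traffic" subtype="forward"
date=2023-01-10 time=10:40:00 devname="fw-edge-01" logid="0000000013" type="traffic" subtype="forward"
date=2023-01-10 time=08:02:00 devname="fw-edge-02" logid="0000000013" type="traffic" subtype="forward"
date=2023-01-10 time=08:07:00 devname="fw-edge-02" logid="0000000013" type="traffic" subtype="forward"
"""

def parse_line(line):
    """Parse one key=value line into a dict; quoted values are unquoted and
    date+time are combined into a datetime stored under the key 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}",
                                     "%Y-%m-%d %H:%M:%S")
    return fields

def find_log_gaps(text, max_gap=timedelta(minutes=30), as_of=None):
    """Return a list of (devname, silence_start, silence_end) tuples.

    A gap is any interval longer than max_gap between consecutive entries of
    one device. Entries are sorted per device first, so out-of-order delivery
    does not create false gaps. If as_of (datetime or ISO string) is given, a
    device whose last entry is older than max_gap before as_of is reported
    too: that is what logging being switched off altogether looks like.
    """
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    by_dev = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_dev.setdefault(rec["devname"], []).append(rec["ts"])
    gaps = []
    for dev, stamps in by_dev.items():
        stamps.sort()
        if as_of is not None:
            stamps.append(as_of)      # trailing silence counts up to as_of
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((dev, prev, cur))
    return gaps

if __name__ == "__main__":
    for dev, start, end in find_log_gaps(SAMPLE_LOGS, as_of="2023-01-10 11:00:00"):
        print(f"{dev}: no log entries between {start} and {end} ({end - start})")
```

A silence is only a lead: a device may also go quiet because of an outage or a forwarding change, so correlate the gap with change records before treating it as tampering.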

25-Jan-2023
1 min read

Malware

SSH

Analysis of MCCrash cross-platform botnet that targets Windows & Linux devices, ...

Malware operations continue to evolve as threat actors constantly seek to add new capabilities to existing botnets and target a wider range of devices. One such example is the MCCrash malware, also tracked as DEV-1028, a cross-platform botnet that infects Windows devices, Linux devices, and IoT devices. This botnet is particularly dangerous because it spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices and launches distributed denial of service (DDoS) attacks against private Minecraft servers.

![Distribution-of-minecraft-servers-that-could-be-affected-by-mccrash.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Distribution_of_minecraft_servers_that_could_be_affected_by_mccrash_5ffcc6d8e4.jpg)

***Distribution of Minecraft Servers by Version (MSTI)***

In this [analysis](https://www.microsoft.com/en-us/security/blog/2022/12/15/mccrash-cross-platform-ddos-botnet-targets-private-minecraft-servers/), we delve into the technical details of the MCCrash malware, including its spreading mechanism, DDoS capabilities, and the platforms it targets. We also provide recommendations for organizations to prevent their devices from becoming part of a botnet and for Minecraft server owners to update and protect their servers from this threat.

## Cross-Platform Botnet Spreading Mechanism

The MCCrash botnet initially infects devices through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. These cracking tools contain additional code that downloads and launches a fake version of svchost.exe through a PowerShell command. In some cases, the downloaded file is named svchosts.exe. Next, svchost.exe launches the main Python script, malicious.py, which contains all the logic of the botnet.

This script scans the internet for SSH-enabled Linux-based devices, including Debian, Ubuntu, CentOS, and IoT workloads such as Raspbian, which are commonly enabled for remote configuration. It then launches a dictionary attack to propagate to these devices. Once a device is found, the botnet downloads the file Updater.zip from repo[.]ark—event[.]net onto the device, which creates the file fuse. The fuse file then downloads a copy of malicious.py onto the device. Both svchost.exe and fuse are compiled using PyInstaller, which bundles all the Python runtime files into a single executable. This spreading mechanism makes the MCCrash botnet unusual: the malware can be removed from the infected source PC but can persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

## DDoS Capabilities

The MCCrash botnet is known to launch DDoS attacks against private Minecraft servers using crafted packets. This type of attack likely involves the botnet sending large amounts of traffic to a specific server, causing it to become overwhelmed and unable to function properly. It is believed that the botnet's DDoS capabilities are being sold as a service on forums or darknet sites. A breakdown of the systems affected by the botnet over a three-month period showed that most of the devices were located in Russia.

![Fig-4-the-ddos-botnet-attack-flow.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_4_the_ddos_botnet_attack_flow_53d8a0d77f.jpg)

***DDoS Botnet Attack Flows (MSTI)***

![Code Snippet 1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_1_7ad0cacb3e.jpg)

***Code Snippet 1***

The code snippet above demonstrates a simple brute-force attack on an SSH-enabled device using the Python library paramiko. The function `ssh_brute_force` attempts to connect to the specified host with the given username and password. If the connection succeeds, it prints a success message; otherwise, it prints a failure message. The `main` function then iterates through a list of passwords and attempts to connect to the host with each one.

![Code Snippet 2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_2_c4ebcb0b97.jpg)

***Code Snippet 2***

This code snippet demonstrates how the MCCrash botnet propagates to other devices. It uses the paramiko library to connect to an SSH-enabled device and download a file named Updater.zip using SFTP. The file is then extracted, and the file named fuse is executed, which in turn downloads and executes the main Python script of the botnet, malicious.py. This script is then executed with the specified command.

![Code Snippet 3.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Code_Snippet_3_31f24ba05a.jpg)

***Code Snippet 3***

## Targeted Platform

The MCCrash botnet targets a range of platforms, including Windows devices, Linux devices, and IoT devices. These devices are often targeted because of their insecure settings and because they are commonly enabled for remote configuration.

## Recommendations for Prevention

To prevent devices from becoming part of the MCCrash botnet, organizations should ensure that they manage, keep up to date, and monitor not just traditional endpoints but also IoT devices. This includes implementing strong passwords and regularly updating them, as well as disabling unnecessary services and protocols. It is also important for organizations to ensure that all software is downloaded from reputable sources and to keep all software

## Indicators of Compromise:

- ***Presence of malicious cracking tools***: The MCCrash botnet spreads initially through the installation of malicious cracking tools that purport to acquire illegal Windows licenses. These tools may contain additional code that downloads and launches the botnet.
- ***Presence of svchost.exe or svchosts.exe***: The MCCrash botnet uses a fake version of svchost.exe to launch the main Python script, malicious.py. This file may be named svchost.exe or svchosts.exe.
- ***Presence of Updater.zip***: The MCCrash botnet propagates to other devices by downloading a file named Updater.zip from a specified URL. The presence of this file on a device may indicate compromise by the botnet.
- ***Presence of fuse***: The MCCrash botnet creates a file named fuse on compromised devices, which is used to download and execute the main Python script, malicious.py. The presence of this file may indicate compromise by the botnet.
- ***Presence of malicious.py***: The main Python script of the MCCrash botnet is named malicious.py. The presence of this file on a device may indicate compromise by the botnet.
- ***Connections to known malicious IP addresses***: The MCCrash botnet may communicate with known malicious IP addresses as part of its operation. Observing connections to these IP addresses may help identify devices compromised by the botnet.
- ***Network traffic related to Minecraft servers***: The MCCrash botnet is known to launch distributed denial of service (DDoS) attacks against private Minecraft servers using crafted packets. Observing network traffic related to Minecraft servers may help identify the presence of the botnet.

Here is an example code snippet that searches for the presence of the file malicious.py on a system:

![Test.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Test_2e3dd62f81.jpg)

This code snippet recursively searches the file system starting from the root directory and looks for the file malicious.py. If it is found, it prints the full path to the file. This can be adapted to search for other IOCs as well.
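The search shown in the image above is only described, not reproduced, so here is an added example of the same idea, written for this page rather than taken from the article or from Microsoft. It goes beyond the single malicious.py lookup: it walks a tree for all of the file names the article lists as indicators, skips pseudo filesystems and symlink loops, and keeps going past unreadable directories. The demo tree it scans is constructed in a temporary directory.

```python
"""Search a filesystem tree for MCCrash file-name indicators.

svchost.exe is deliberately left out of the name list: the genuine Windows
binary shares that name, so it must be checked by path and signature instead.
Matching is case-insensitive because NTFS and most SMB shares are.
"""
import os
import tempfile

# File names the article lists as MCCrash indicators. A match is a lead for
# triage, not proof of compromise: these names are not unique to the botnet.
MCCRASH_FILE_IOCS = {"malicious.py", "fuse", "updater.zip", "svchosts.exe"}

def find_ioc_files(root, names=MCCRASH_FILE_IOCS, skip_dirs=("/proc", "/sys", "/dev")):
    """Walk `root` and return sorted full paths whose basename is an IoC name.

    Symlinked directories are not followed (avoids loops), pseudo filesystems
    are pruned, and unreadable directories are ignored rather than aborting.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None, followlinks=False):
        # prune in place so os.walk does not descend into pseudo filesystems
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip_dirs]
        for name in filenames:
            if name.lower() in wanted:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def demo_tree():
    """Build a constructed directory tree with two indicators and two decoys."""
    root = tempfile.mkdtemp(prefix="mccrash_demo_")
    layout = {
        "home/pi/.cache/malicious.py": "# constructed decoy content",
        "tmp/Updater.zip": "PK",                       # matches case-insensitively
        "usr/lib/python3/site-packages/fuse.py": "",  # not a hit: different name
        "etc/hostname": "pi",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
    return root

if __name__ == "__main__":
    for hit in find_ioc_files(demo_tree()):
        print("IOC file found:", hit)
```

On a real host run it as a user that can read the whole tree and pass `/` (or `C:\` on Windows) as `root`; each hit should then be confirmed by hash or content before any response action.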

23-Dec-2022
1 min read

Malware

Infostealer

Ducklogs

Ducklogs Malware-as-a-Service offers functionality to steal & exfiltrate user da...

Ducklogs is a newly emerged web-based malware-as-a-service that helps even low-level hackers access malicious resources and tools for facilitating a series of attacks on compromised systems. It comes bundled with a combination of malicious software packages (remote access, stealer, keylogger, and clipper malware) to steal and exfiltrate user data such as account credentials, session cookies, browsing history and crypto wallets to its C&C server. According to [CRIL](https://blog.cyble.com/2022/12/01/ducklogs-new-malware-strain-spotted-in-the-wild/), Ducklogs is sold under a SaaS model and advertised across hacking forums at a relatively low price of $19.99 per month, $39.99 for three months, and $69.99 for a lifetime. The MaaS claims to have thousands of malicious users paying subscription fees and to have produced over 4,000 malware builds. Besides that, Ducklogs operators also help to circulate payloads via a file-dropping tool and a file extension changer, additional services limited to a few users.

![Figure-1-–-DuckLogs-Stealer-Advertisement-in-CyberCrime-Forum.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_1_Duck_Logs_Stealer_Advertisement_in_Cyber_Crime_Forum_09065059de.jpg)

***DuckLogs Stealer Ads in CyberCrime Forum***

## Features & Capabilities of Ducklogs Malware-as-a-Service

- DuckLogs provides a sophisticated web-based platform that allows hackers to execute several malicious functions, such as building the malware binary by customizing the options provided on the Settings page of the web panel, and monitoring and downloading stolen user logs.
- DuckLogs is built primarily from an information stealer and a remote access trojan (RAT) component, but it has more than 100 individual modules that target specific applications and data: messaging apps, emails, web browsers, VPN account data, passwords, cookies, login data, histories, and cryptocurrency wallets.
- The Ducklogs RAT component can fetch files from the command and control (C2) server and run them on the compromised system, display a crash screen, shut down, restart, log out or lock the device, and open URLs in the browser.
- Ducklogs supports Telegram notifications, encrypted user logs and communication, code obfuscation, process hollowing to launch payloads containing malicious code in memory, a persistence mechanism, and a bypass for Windows User Account Control.

![Figure-11-Process-hollowing-to-inject-the-final-payload.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_11_Process_hollowing_to_inject_the_final_payload_79cdc0c709.jpg)

***Process hollowing to inject the final payload***

## Conclusion

We have also observed multiple active malicious instances of DuckLogs C2 servers in the wild, indicating that it is an emerging threat. It comes with a wide range of functionality and is available as Malware-as-a-Service, with initial infection vectors such as spam and phishing emails. Therefore, it is always recommended to be double-sure before opening any links in new or unknown emails. Always be careful while copying sensitive data to the clipboard, and the same applies before pasting it.

17-Dec-2022
1 min read