APT

Turla


Turla Wields: TinyTurla-NG and Espionage Tactics Exposed

Uncover the latest tactics of Russia's Turla APT. This technical report analyzes web attack techniques, PowerShell usage, and provides actionable defense strat...

21-Feb-2024
4 min read

Related Articles


Android

Trojan

PixPirate analysis reveals advanced Android banking trojan. Accessibility abuse,...

PixPirate is a financial remote access trojan (RAT) for Android that targets banking customers, above all in Brazil. It combines anti-research techniques with an unusual two-part installation that leaves no launcher icon, which makes it hard for victims to notice and for analysts to examine.

## Technical Analysis

### Infection Vector

PixPirate is delivered in two parts: a downloader and a "droppee" (the payload). The downloader, usually disguised as a legitimate authentication app, lures the victim into installing it. Once it runs, it installs the droppee and starts it; the droppee then performs the fraud, with the downloader acting as its launcher.

![PixPirate-infection-flow-1536x353.png](https://sb-cms.s3.ap-south-1.amazonaws.com/Pix_Pirate_infection_flow_1536x353_b5d6e10e0e.png)

***Attack Flow***

### Evasion Techniques

Unlike most Android malware, the droppee declares no main activity, so no icon appears in the launcher and the victim has nothing to tap or notice. Instead, the downloader starts the droppee by binding to a custom service the droppee exports. This sidesteps detection approaches that look for a visible application being launched.

### Malicious Capabilities

PixPirate implements a wide range of functionality, including:

- Manipulating and controlling applications
- Keylogging
- Collecting the list of installed apps
- Installing and removing apps
- Locking and unlocking the device screen
- Accessing phone accounts and contact lists
- Tracking device location
- Anti-VM and anti-debugging measures
- Persistence across reboots
- Spreading through messaging apps such as WhatsApp
- Reading, editing and deleting SMS messages
- Disabling Google Play Protect

### Fraud Modus Operandi

PixPirate targets Brazilian banks and the Pix instant payment platform. By abusing the Accessibility Service it harvests banking credentials and initiates unauthorized Pix transfers, and it can alter the details of a transaction as the victim enters it, diverting the funds to accounts controlled by the operators.

### Code Analysis

The codebase is built on the Auto.js automation framework and relies on obfuscation to hinder analysis. Modular scripts tailored to each targeted bank handle credential theft and transaction execution, and encryption routines further complicate static analysis.

### Communication and C2 Infrastructure

PixPirate communicates with its command and control (C2) server over HTTP, exchanging JSON. It uses certificate pinning, so intercepting the traffic with a proxy and a user-installed CA fails unless pinning is bypassed (for example with instrumentation on a rooted device). A web-based management panel lets operators control and monitor infected devices.

Identifying C2 infrastructure is crucial for disrupting malware communication and preventing further attacks. The techniques below are generic C2-resilience methods that a trojan of this class might adopt; they are possibilities to check for, not confirmed PixPirate behaviour, whose documented C2 is plain HTTP with pinned certificates.

#### Domain Generation Algorithms (DGAs)

A DGA derives C2 domain names dynamically, making them hard to blocklist. If a sample is available, analysis of the code can reveal the DGA logic, including its seed value and the way it permutes characters.

#### Fast Flux DNS

C2 hostnames could resolve to a constantly changing pool of attacker-controlled IP addresses, making individual servers hard to pinpoint and block. Rapidly changing DNS answers for the same name, with very short TTLs, are the indicator to look for.

#### Steganography

Data exfiltration or C2 traffic might be hidden inside innocuous-looking files such as images or audio. Network or forensic tools with steganography detection would be needed to uncover it.

#### Peer-to-Peer (P2P) Networks

A P2P C2 channel has no single server to take down. Unusual traffic patterns associated with P2P protocols would be the red flag.

#### Communication Ports

Non-standard ports such as 8080 or 4445 are sometimes used to evade controls that only watch well-known ports (for example 80 for HTTP). Reviewing connection logs for mobile devices talking to unusual ports is a useful step, bearing in mind that PixPirate's documented C2 uses ordinary HTTP.

#### Traffic Patterns

Short, regular bursts of traffic are characteristic of beaconing and of staged exfiltration. Traffic analysis tooling can be configured to alert on such periodicity.

### Payload Analysis

Exfiltration uses HTTP POST requests because they blend in with legitimate application traffic. Techniques that could be used to conceal exfiltrated data inside POST bodies:

- **Base64 Encoding:** A common way to turn binary data (stolen credentials, for example) into a printable form that fits a URL or POST body. Decoding reveals the original data.
- **Custom Encryption:** The malware may implement its own scheme; reverse engineering the sample is needed to recover it and decrypt the payload.
- **Steganography:** Data hidden inside otherwise harmless image or audio files; forensic tools with steganography detection are needed.
- **Packed or Compressed Data:** ZIP or custom compression to shrink the data before transmission; decompress or unpack before analysis.

#### Identifying Specific Data Exfiltrated

- **Banking Credentials:** Usernames, passwords and session tokens for financial applications.
- **SMS Messages:** Particularly those carrying one-time passwords (OTPs) used for multi-factor authentication.
- **Device Information:** IMEI, phone number and other identifiers that fingerprint the victim's device.

**Network Traffic Analysis Considerations:**

- **Examine the Content-Type header of POST requests:** `application/octet-stream` for binary data, or custom content types defined by the malware, can indicate obfuscation.
- **Correlate network traffic with application activity:** Spikes in traffic coinciding with user interaction in banking apps are a red flag.

### Disassembly Insights (Speculative - Sample Required)

#### Obfuscation Mechanisms

- **String Encryption:** XOR, RC4 or custom ciphers are likely used to mask API names and configuration data.
- **Junk Code Insertion:** Meaningless instructions or misleading control flow to complicate reverse engineering.
- **Dynamic Packing:** A self-unpacking routine that reveals the core functionality only at run time.

#### Core Functionality

- **Keystroke Logging:** Likely via the `AccessibilityService` (text-change events), a rogue input method, or overlays placed over input fields.
- **Accessibility Abuse:** `AccessibilityEvent` monitoring, `performAction()` and `getText()` for UI manipulation and extraction of sensitive data.
- **Financial Fraud Logic:** Logic specific to Brazilian banking applications; transaction manipulation through modifications to `EditText` fields and simulated button presses in the victim's banking app.

#### Evasion Techniques

- **Anti-Debugging:** Checks such as `android.os.Debug.isDebuggerConnected()`.
- **Emulator Detection:** Checks of device properties (IMEI, `Build` fields and so on) that betray a sandbox.
- **Anti-Security Tools:** Attempts to neutralize security software. On a non-rooted device an app cannot kill another app's process, so in practice this means driving settings screens through the Accessibility Service, as with the Play Protect disablement listed above, together with obfuscation of the API calls that security tools hook.
- **Runtime Obfuscation:** Dynamic loading of DEX files or native libraries so functionality is only visible when executed, and reflection so API calls are made indirectly and do not show up in static analysis.

### Key Capabilities

- **Accessibility Service Abuse:** PixPirate uses Android's Accessibility Service to manipulate the user interface and steal sensitive data from banking applications:
  - **Permission request:** The malware presents a pretext for requesting Accessibility Service access, disguised as a legitimate need for enhanced functionality, so the user grants it extensive control over the device.
  - **AccessibilityEvent monitoring:** With access granted, PixPirate can observe the AccessibilityEvents fired by the system and by the targeted banking apps. These report UI changes, element focus and text input, so the malware knows the current screen and what the user is doing.
  - **User interaction simulation:** Through the Accessibility Service API the malware can inject clicks on specific buttons, modify text fields (entering fraudulent payee information, for instance) and perform the swipe gestures used for navigation.
  - **Content extraction:** The API exposes the content of views and windows, so data shown on screen, such as balances, transaction details and OTPs, can be read.
  - **Likely implementation:** `AccessibilityNodeInfo.getText()` and `performAction()` to read and drive UI elements; possibly custom overlays laid over legitimate banking screens so the victim's input is captured by the overlay.
  - **Impact:** The malware gains control of the device without further user interaction and can operate banking apps for fraudulent purposes.
- **Credential Theft:** A multi-pronged approach increases the chance of success:
  - **Keystroke logging:** Login credentials, PINs and anything else typed into the banking app or other financial platforms.
  - **Phishing:** Deceptive pages or overlays resembling legitimate login screens that trick the user into entering credentials.
  - **Accessibility Service abuse:** As above, reading content displayed on screen gives access to credentials entered in the banking app interface.
- **Fraudulent Transactions:** PixPirate's primary goal is to drive the victim's banking app to make unauthorized Pix transfers. Once it controls the app, through Accessibility Service abuse or with stolen credentials, it automates the transfer flow:
  - **Modifying payee information:** Injecting an attacker-controlled recipient or account.
  - **Tampering with transfer amounts:** Changing the amount field to initiate high-value transfers.
  - **Bypassing confirmation screens:** Simulated clicks step through the confirmations a Pix transfer normally requires, so the transfer goes through without the user's knowledge or consent.
- **SMS Interception:** Reading incoming SMS messages lets the malware defeat SMS-based two-factor authentication.
- **Evasion and Concealment:** The downloader/droppee split and the hidden launcher icon, supplemented by code obfuscation.

### Attack Chain

- The victim is tricked into installing the downloader, which is disguised as a legitimate application.
- The downloader installs the core droppee payload.
- The droppee has no launcher icon, so the victim does not notice it.
- The malware requests Accessibility Service access under a false pretext.
- It monitors banking app usage and steals credentials through Accessibility Service abuse (keystroke logging, reading UI content).
- It intercepts incoming SMS messages to obtain two-factor authentication codes.
- It sends stolen credentials and other sensitive data to attacker-controlled servers over HTTP.
- It drives the compromised banking app to initiate unauthorized Pix transfers.

## End Note

PixPirate represents a significant advance in Android banking malware and a grave threat to financial institutions, particularly in Latin America. Its layered evasion techniques, combined with automated fraud through the Accessibility Service, underline the need for robust controls on the device and at the bank. Security researchers must remain vigilant and collaborate to counter threats like PixPirate effectively.
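The traits described above (a droppee with no MAIN/LAUNCHER activity, an exported service for the downloader to start, an Accessibility Service, SMS permissions) are all visible in the app's manifest before any dynamic analysis. The following triage script is an added example and not code from the original article or from any PixPirate sample: it scores a decoded AndroidManifest.xml (as produced by apktool) on those traits. The weights, thresholds and both manifests are this example's own constructions.

```python
"""Manifest triage for PixPirate-style Android droppees (added example).

Scores a decoded AndroidManifest.xml on: no MAIN/LAUNCHER activity (no icon),
an exported custom service the downloader can bind, a service guarded by
BIND_ACCESSIBILITY_SERVICE, SMS permissions and package-install permission.
Weights and thresholds are assumptions of this example, not PixPirate facts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}


def _attr(elem, name):
    """Read an android:-namespaced attribute (ET stores it as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _has_launcher_activity(app):
    """True if any activity carries the MAIN + LAUNCHER intent filter."""
    for act in app.findall("activity") + app.findall("activity-alias"):
        for flt in act.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                return True
    return False


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:                       # nothing declared: treat as no launcher
        app = ET.Element("application")
    perms = {_attr(p, "name") for p in root.findall("uses-permission")}

    acc_service = False
    exported_services = []
    for svc in app.findall("service"):
        if _attr(svc, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            acc_service = True
        elif _attr(svc, "exported") == "true":
            exported_services.append(_attr(svc, "name"))

    findings = {
        "no_launcher_activity": not _has_launcher_activity(app),
        "accessibility_service": acc_service,
        "exported_services": exported_services,
        "sms_permissions": sorted(perms & SMS_PERMS),
        "can_install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }
    score = (3 * findings["no_launcher_activity"]
             + 3 * findings["accessibility_service"]
             + 2 * bool(findings["sms_permissions"])
             + 1 * findings["can_install_packages"]
             + 1 * bool(exported_services))
    findings["score"] = score
    findings["verdict"] = ("suspicious" if score >= 5
                           else "review" if score >= 3 else "benign")
    return findings


# Constructed manifests for demonstration; not taken from real samples.
DROPPEE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.droppee">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Auth">
    <service android:name="com.example.droppee.AccService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name="com.example.droppee.StartService" android:exported="true"/>
    <receiver android:name="com.example.droppee.SmsRx" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name="com.example.notes.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("droppee", DROPPEE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

A legitimate accessibility app scores 3 ("review") because it still has a launcher activity; the combination of no icon plus an Accessibility Service plus SMS access is what pushes a package into "suspicious". Run it over every manifest pulled from a device or an app store feed, and treat exported services with no launcher as the detail to inspect first, since that is exactly the hook the downloader uses.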

04-Apr-2024
1 min read

1-Day

Worm

Raspberry Robin malware aggressively targets unpatched systems with new 1-day ex...

Raspberry Robin is a sophisticated, persistent worm that historically spread through removable storage: infection began when an infected USB drive was connected to a Windows system. It uses legitimate Windows tools to download and execute its payloads, exploits local vulnerabilities to escalate privileges and establishes persistence. It has been associated with diverse threat groups including [EvilCorp](https://www.secureblink.com/threat-research/wastedlocker-and-evil-corp), [FIN11](https://www.secureblink.com/cyber-security-news/fin11-hackers-spotted-using-new-techniques-in-ransomware-attacks), TA505 and operators of [Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware). Its capabilities pose severe risks, including data theft, lateral movement and the deployment of ransomware.

### **Key Findings**

- **Evolving Tactics:** Raspberry Robin continuously updates its infection mechanisms, evasions and exploit capabilities. This makes signature-based detection less effective and calls for behavioural analysis.
- **1-day Exploit Acquisition:** Raspberry Robin rapidly acquires and weaponizes 1-day vulnerabilities, including CVE-2023-36802 and CVE-2023-29360. Some of these exploits appear to have been purchased from third parties.
- **Focus on Privilege Escalation:** Its use of exploits shows a strong emphasis on gaining SYSTEM privileges on compromised machines, the prerequisite for widespread damage and disruption.
- **Modified Communication and Lateral Movement:** Recent updates changed its communication channels and lateral movement techniques, presumably to evade detection.
- **New Delivery Method:** Reports indicate a shift from primarily USB-based delivery to malicious archives disguised as legitimate Windows components, distributed mainly via Discord.

### **Technical Analysis**

#### **Initial Infection Vector: Discord**

Raspberry Robin's use of Discord for distribution is a calculated strategic shift. Discord is frequented by gamers and online communities, and attackers exploit the platform's trust factor to lure users into downloading and executing malicious files. The infection proceeds as follows:

1. **Malicious Archive:** Attackers upload a malicious archive (RAR or ZIP) to Discord, often with a name resembling legitimate software (for example "Windows_Update.rar" or "Adobe_Patcher.zip"). The archive also carries a decoy: a legitimate, signed Microsoft executable such as OleView.exe, the OLE/COM Object Viewer shipped with the Windows SDK.
2. **Social Engineering:** Attackers use social engineering in Discord channels or private messages to get users to download the archive, for instance by impersonating a trusted source (a gaming forum administrator) or by offering cracked software or game hacks.
3. **Execution via DLL Sideloading:** When the user runs the decoy, Windows resolves one of the DLLs it imports by searching the executable's own directory before the system directories, so the malicious DLL extracted alongside it is loaded into the signed process. No vulnerability in the decoy is involved; this is the ordinary DLL search order. Controls that judge only the reputation of the launched executable see a signed Microsoft binary and let it run.

#### **Persistence Mechanisms**

Raspberry Robin uses several techniques to keep running after a reboot:

- **Scheduled Tasks:** The malware creates tasks in the Windows Task Scheduler that execute its payload at set triggers or intervals, blending in with legitimate scheduled activity.
- **Registry Modification:** Entries under keys such as `Run` and `RunOnce` ensure automatic execution at logon.
- **Service Installation:** In some cases the malware installs itself as a Windows service. A service runs as SYSTEM (installing one already requires administrative rights) and is harder to remove.
- **File Dropping:** Additional files dropped on the system can provide a secondary persistence mechanism, download further payloads or interfere with security tools.
- **Boot Sector Infection:** In rare instances the malware may infect the Master Boot Record (MBR), which would give it rootkit-like capabilities and make it very hard to eradicate. This is not part of the documented chain described in this report and should be treated as a worst-case possibility rather than routine behaviour.

### **Payload Execution and Evasion**

- **Anti-Analysis Techniques:** Raspberry Robin incorporates sophisticated anti-analysis techniques to hinder investigation and defeat sandboxing.
- **Sandbox Detection:** It checks for virtual machine artifacts or sandbox environments and, if it finds them, may stop executing or deliver only decoy payloads.
- **Security Tool Detection:** It detects antivirus and EDR software and adjusts its behaviour accordingly.
- **Obfuscation and Encryption:** Code and data are heavily obfuscated, making static analysis time-consuming, and important data structures and protocol details are encrypted.
- **Multi-Stage Delivery:** The malware is split into multiple stages packed within individual components. Analysts must unpack and analyze each stage in turn, which makes it hard to grasp the full functionality.

### **Exploit Utilization and Privilege Escalation**

Raspberry Robin's rapid incorporation of 1-day exploits reflects its focus on obtaining SYSTEM privileges to bypass security restrictions. The two known exploits it recently used:

#### **CVE-2023-36802**

- **Vulnerability Type:** Type confusion in the Microsoft Streaming Service Proxy driver (`mskssrv.sys`). The driver mishandles an object passed from user mode, letting a local attacker corrupt kernel memory and ultimately run code as SYSTEM.
- **Impact:** Local privilege escalation to SYSTEM, the highest privilege level in Windows. With SYSTEM privileges an attacker controls the machine completely and can disable security software, install additional malware and steal sensitive data.
- **Observed Usage:** Raspberry Robin began exploiting this vulnerability shortly after public disclosure, which indicates either established channels for acquiring exploits or in-house development capability. In some cases the exploit appears to have been bought from an exploit developer or marketplace, underlining how quickly commoditized exploits find their way into malware.

#### **CVE-2023-29360**

- **Vulnerability Type:** A local privilege escalation in the same driver, `mskssrv.sys` (Microsoft Streaming Service), patched by Microsoft in June 2023. The driver fails to validate user-supplied input properly in its IOCTL handling, which lets a local attacker obtain kernel-mode code execution.
- **Impact:** Successful exploitation grants SYSTEM privileges and full control of the affected system, enabling persistent malware installation, data theft, disruption of critical processes and further attacks inside the network.
- **Observed Usage:** Raspberry Robin integrated an exploit for CVE-2023-29360 within a short time of the public disclosure. This swift exploitation highlights the importance of timely patching and vulnerability management, and suggests that the operators either have connections within the cybercrime underground or can develop exploits in-house.

## **Exploit Flow: Dissecting Raspberry Robin's Tactics**

The exploit targets a specific range of Windows builds (up to 22621) and tailors itself to the detected version:

- **Initialization:** The malware sets up a core data structure that guides the exploit.
- **OS Fingerprinting:** It determines the exact Windows build so that the rest of the exploit can be tailored to it.
- **Offset Calculation:** The offsets of the `Token` field in `EPROCESS` and the `PreviousMode` field in `KTHREAD` are chosen for the detected build, since these structures change between releases; token stealing and overwriting `PreviousMode` are the two standard ways to turn a kernel write primitive into SYSTEM.
- **EPROCESS Address Leak:** `NtQuerySystemInformation` is called with undocumented information classes (the handle-table listings) to leak the kernel addresses of objects. A medium-integrity process can still do this on the affected builds, and it is the critical step before the kernel write.
- **Pipe Generation:** A unique, randomized named pipe (UUID-based name) coordinates the stages of the attack.

### **Diverging Paths Based on Build**

The exploit's execution diverges depending on whether the Windows build is older or newer than 19044. Understanding these differences matters for mitigation; Google Project Zero offers a comprehensive analysis of the variations in each exploit path.

### **Raspberry Robin's Exploit**

This malware demonstrates a disturbing pattern of rapid vulnerability adoption:

- **CVE-2023-29360:** Exploited swiftly after public disclosure, which shows the attackers' ability either to develop exploits quickly in-house or to acquire them efficiently from outside.
- **CVE-2023-36802:** Strong evidence suggests Raspberry Robin deployed this exploit as a 1-day, pointing to a fast integration process and likely connections within the cybercrime underground.
- **Shared Characteristics:** Similarities between the two exploits, including code structure and obfuscation techniques, indicate a single focused author who specializes in `mskssrv.sys`, raising concern about further exploitation of that driver in future.

### **Exploit Evolution: A Race Against Time**

Raspberry Robin's development timeline shows the window between vulnerability disclosure and exploitation shrinking rapidly. Timely patch management is essential: unpatched systems give attackers an extended period in which to leverage known vulnerabilities.

### **Command and Control (C2) Communication**

Raspberry Robin contacts its C2 servers to receive instructions and download additional payloads:

- **Tor Network:** The malware relies primarily on the Tor network to anonymize C2 communication, making its origin hard to trace.
- **Domain Generation Algorithm (DGA):** It may use a DGA as a fallback: if the hardcoded domains are unreachable it tries generated domains, which increases resilience and hinders takedowns.
- **Data Exfiltration:** Collected data includes process trees, file names from various system directories and other system information. The data is encrypted and sent over Tor.

### **Potential Impact**

A successful Raspberry Robin infection has significant consequences for individuals and organizations:

- **Data Theft:** Exfiltration of login credentials, financial details and intellectual property, leading to financial loss or reputational damage.
- **Ransomware Deployment:** Raspberry Robin is frequently an initial access broker for ransomware. Once attackers have a foothold, they deploy ransomware to encrypt critical data and demand payment.
- **Network Compromise:** With its worm-like behaviour and lateral movement, Raspberry Robin can infect many machines in a network, disrupting operations and causing downtime.

### **Mitigation Strategies**

- **Zero-Trust Architecture:** Apply least privilege and rigorous access controls to limit the malware's ability to gain elevated permissions and spread laterally.
- **Endpoint Security:** Deploy endpoint protection with behavioural detection and exploit protection.
- **Regular Patching:** Keep operating systems and applications up to date so the known vulnerabilities Raspberry Robin exploits are closed.
- **Network Segmentation:** Segment networks so malware cannot spread easily through the environment.
- **User Education:** Train users to recognize phishing and social engineering and to download files only from trusted sources.
- **Monitoring and Threat Hunting:** Monitor for indicators of compromise (IOCs) related to Raspberry Robin and hunt proactively for adversarial activity.

### **Conclusion**

Raspberry Robin is a severe threat because of its adaptability, advanced tactics and the payloads it delivers. Its DLL-sideloading delivery lets it borrow the trusted status of signed executables and avoid raising red flags with victims. By combining social engineering with a well-known platform (Discord) frequented by a specific demographic (gamers), it tailors attacks for maximum impact, and its rapid exploitation of new vulnerabilities shows a commitment to using weaknesses as they emerge. Vigilance, a multi-layered security approach and up-to-date threat intelligence are essential to mitigating the risk.
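The persistence mechanisms and threat-hunting advice above translate into something concrete: scheduled task definitions are plain XML on disk and in `schtasks` exports, so they can be scored in bulk. The script below is an added example, not code from the original article or from Raspberry Robin itself. It flags tasks with logon/boot triggers, hidden tasks, actions that run a signed Windows tool as a proxy for other code, payloads under user-writable paths and encoded PowerShell commands. The proxy-binary list, path list and weights are this example's assumptions, and both task documents are constructed.

```python
"""Scheduled-task triage for persistence hunting (added example).

Scores Task Scheduler XML (from `schtasks /query /tn <name> /xml` or the
files under C:\\Windows\\System32\\Tasks) on traits associated with malware
persistence. Lists and weights are assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Signed Windows binaries commonly used to run attacker-supplied code (assumed list).
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "odbcconf.exe",
                  "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+\S", re.I)
PERSIST_TRIGGERS = ("LogonTrigger", "BootTrigger")


def triage_task(xml_text):
    """Return a dict with the action, a score, a verdict and the reasons."""
    root = ET.fromstring(xml_text)
    reasons, score = [], 0
    command = args = ""
    exec_node = root.find("t:Actions/t:Exec", NS)
    if exec_node is not None:
        command = (exec_node.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (exec_node.findtext("t:Arguments", "", NS) or "").strip()
    binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    if binary in PROXY_BINARIES:
        reasons.append("action runs proxy binary %s" % binary)
        score += 2
    if USER_WRITABLE.search(command + " " + args):
        reasons.append("payload under user-writable path")
        score += 2
    if ENCODED_PS.search(args):
        reasons.append("encoded PowerShell command")
        score += 2
    if (root.findtext("t:Settings/t:Hidden", "", NS) or "").lower() == "true":
        reasons.append("task is hidden")
        score += 1
    for trig in PERSIST_TRIGGERS:
        if root.find("t:Triggers/t:%s" % trig, NS) is not None:
            reasons.append("%s present" % trig)
            score += 1
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "benign"
    return {"command": command, "arguments": args, "score": score,
            "verdict": verdict, "reasons": reasons}


# Constructed task definitions (the XML declaration is omitted; see usage note).
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\Update\upd.dll,DllEntry</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\Contoso\Updater.exe"</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text))
```

Real task files and `schtasks` exports are UTF-16 with an XML declaration; parse them from bytes (`ET.fromstring(open(path, "rb").read())`) so the declared encoding is honoured. The scoring deliberately does not require a known-bad hash: a `rundll32.exe` action loading a DLL out of `AppData` at logon is worth a look regardless of which family created it.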

11-Mar-2024
1 min read

APT

Phishing

Explore ColdRiver's Spica malware in this detailed threat analysis. Uncover Russ...

ColdRiver, a Russia-backed advanced persistent threat (APT) group, has extended its cyber espionage toolkit with a custom malware named "Spica." This marks a substantial departure from the group's traditional long-con credential phishing. Google's Threat Analysis Group (TAG) has been tracking ColdRiver's activities and documenting its evolving techniques. This [Threat Research](https://www.secureblink.com/threat-research) extends that analysis, dissecting the critical aspects of the Spica malware, the threat landscape around it, and potential countermeasures.

## Contextual Background

ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, primarily targets high-profile individuals in NGOs, former intelligence and military officials, and NATO governments. Historically focused on credential phishing, the group has now extended its capabilities to deliver malware, using PDFs as lure documents.

## Evolution of Tactics

The progression from traditional phishing to malware delivery is a strategic transition [observed](https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/) by TAG. ColdRiver uses impersonation accounts, posing as experts or individuals affiliated with the target, to establish trust. Recent findings reveal a multi-stage lure: benign PDFs, presented as op-eds or articles, are delivered to targets. When the target reports that they cannot read the apparently encrypted content, a link to a "decryption" utility is sent; that utility is the Spica backdoor.

## Spica Malware Analysis

### Infiltration and Execution

Spica, written in Rust, uses JSON over WebSockets for command and control (C2). Upon execution, it decodes an embedded PDF, which serves as a decoy, while establishing persistence and connecting to the C2 server. The malware runs an obfuscated PowerShell command that creates a scheduled task named "CalendarChecker" for persistence.

### Functional Capabilities

Spica is a versatile tool: it executes arbitrary shell commands, steals cookies from various browsers, uploads and downloads files, lists the filesystem, and enumerates documents for exfiltration. The presence of multiple variants suggests continuous development of the backdoor.

### Timeline and Persistence

TAG first observed Spica in September 2023, but believes its use dates back to November 2022. The sample, identified as "Proton-decrypter.exe," was likely active around August and September 2023. TAG notes that multiple Spica versions probably exist, each with a distinct embedded decoy document.

## Implications and Targets

ColdRiver's strategic shift indicates a desire for broader capabilities, allowing the group to conduct operations beyond conventional phishing. The targets include Ukraine, NATO countries, academic institutions, and NGOs. While specific victim profiles remain undisclosed, TAG emphasizes the limited and targeted use of Spica, in line with ColdRiver's established tactics.

## Defensive Measures

To counter the ColdRiver threat, TAG emphasizes proactive security measures. All identified domains, websites, and files associated with the threat are added to Safe Browsing blocklists. Gmail and Workspace users targeted by government-backed attackers receive alerts, encouraging them to enable Enhanced Safe Browsing for Chrome and to keep their devices updated.

## Code and Technical Insights

### Spica Backdoor Code

TAG provides a YARA rule for detecting the Spica backdoor, listing specific strings indicative of its presence. The rule helps security teams identify and mitigate the threat.

```yara
rule SPICA__Strings {
  meta:
    author = "Google TAG"
    description = "Rust backdoor using websockets for C2 and embedded decoy PDF"
    hash = "37c52481711631a5c73a6341bd8bea302ad57f02199db7624b580058547fb5a9"
  strings:
    $s1 = "os_win.c:%d: (%lu) %s(%s) - %s"
    $s2 = "winWrite1"
    $s3 = "winWrite2"
    $s4 = "DNS resolution panicked"
    $s5 = "struct Dox"
    $s6 = "struct Telegram"
    $s8 = "struct Download"
    $s9 = "spica"
    $s10 = "Failed to open the subkey after setting the value."
    $s11 = "Card Holder: Bull Gayts"
    $s12 = "Card Number: 7/ 3310 0195 4865"
    $s13 = "CVV: 592"
    $s14 = "Card Expired: 03/28"
    $a0 = "agent\\src\\archive.rs"
    $a1 = "agent\\src\\main.rs"
    $a2 = "agent\\src\\utils.rs"
    $a3 = "agent\\src\\command\\dox.rs"
    $a4 = "agent\\src\\command\\shell.rs"
    $a5 = "agent\\src\\command\\telegram.rs"
    $a6 = "agent\\src\\command\\mod.rs"
    $a7 = "agent\\src\\command\\mod.rs"
    $a8 = "agent\\src\\command\\cookie\\mod.rs"
    $a9 = "agent\\src\\command\\cookie\\browser\\mod.rs"
    $a10 = "agent\\src\\command\\cookie\\browser\\browser_name.rs"
  condition:
    7 of ($s*) or 5 of ($a*)
}
```

## Conclusion

ColdRiver's adoption of Spica is a calculated step in the group's evolution. The extended analysis presented here offers a breakdown of these tactics and techniques, Spica's technical details, and recommended defensive measures.
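As an added illustration (not TAG's code and not part of the original article), the following Python mirrors the rule's `7 of ($s*) or 5 of ($a*)` condition over constructed byte buffers. It shows why the thresholds matter: three of the $s strings come from SQLite's Windows VFS (os_win.c) and appear in any binary that statically links SQLite, and the duplicated $a6/$a7 identifier means four distinct source paths are enough to fire the rule.

```python
# Added example (not TAG's or the article's code): evaluates the SPICA__Strings
# condition "7 of ($s*) or 5 of ($a*)" by hand over constructed byte buffers.
from typing import Dict, List

# $s* strings as listed in the rule (plain ASCII and case-sensitive, which is
# how YARA treats a string with no modifiers, so a substring search matches).
S_STRINGS: List[bytes] = [
    b"os_win.c:%d: (%lu) %s(%s) - %s",  # these three also appear in any binary
    b"winWrite1",                        # that statically links SQLite, since
    b"winWrite2",                        # they come from SQLite's os_win.c
    b"DNS resolution panicked",
    b"struct Dox", b"struct Telegram", b"struct Download", b"spica",
    b"Failed to open the subkey after setting the value.",
    b"Card Holder: Bull Gayts", b"Card Number: 7/ 3310 0195 4865",
    b"CVV: 592", b"Card Expired: 03/28",
]
# $a* strings: Rust source paths the compiler embeds in panic locations. The
# rule lists command\mod.rs twice ($a6 and $a7); the duplicate is kept because
# "5 of ($a*)" counts matching identifiers, so one such path counts for two.
A_STRINGS: List[bytes] = [
    b"agent\\src\\archive.rs", b"agent\\src\\main.rs", b"agent\\src\\utils.rs",
    b"agent\\src\\command\\dox.rs", b"agent\\src\\command\\shell.rs",
    b"agent\\src\\command\\telegram.rs",
    b"agent\\src\\command\\mod.rs", b"agent\\src\\command\\mod.rs",
    b"agent\\src\\command\\cookie\\mod.rs",
    b"agent\\src\\command\\cookie\\browser\\mod.rs",
    b"agent\\src\\command\\cookie\\browser\\browser_name.rs",
]

def hits(patterns: List[bytes], data: bytes) -> int:
    """Number of identifiers whose string occurs at least once in data."""
    return sum(1 for p in patterns if p in data)

def evaluate_spica_rule(data: bytes) -> Dict[str, object]:
    """Mirror of the rule condition: 7 of ($s*) or 5 of ($a*)."""
    s, a = hits(S_STRINGS, data), hits(A_STRINGS, data)
    return {"s_hits": s, "a_hits": a, "match": s >= 7 or a >= 5}

# Constructed sample buffers (not real binaries): a Spica-like sample, a
# benign SQLite-linked binary, and a sample carrying only four distinct paths.
SAMPLE_SPICA = b"\x00".join([b"spica", b"struct Dox", b"struct Telegram",
    b"struct Download", b"DNS resolution panicked", b"CVV: 592",
    b"Card Holder: Bull Gayts", b"agent\\src\\main.rs"])
SAMPLE_SQLITE_ONLY = b"\x00".join([b"os_win.c:%d: (%lu) %s(%s) - %s",
    b"winWrite1", b"winWrite2", b"sqlite3_open_v2"])
SAMPLE_FOUR_PATHS = b"\x00".join([b"agent\\src\\archive.rs",
    b"agent\\src\\main.rs", b"agent\\src\\command\\mod.rs",
    b"agent\\src\\command\\cookie\\mod.rs"])
```

In production the rule should be run with YARA itself; this evaluator only makes the threshold logic visible so that analysts can reason about expected false positives on SQLite-embedding software.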

31-Jan-2024
1 min read