Critical Bug in WooCommerce Payments Exposes Online Stores to Hackers

Critical vulnerability discovered in WooCommerce Payments on WordPress

Automattic, the company responsible for the WordPress content management system, has issued a mandatory security update to patch a critical vulnerability in WooCommerce Payments, a popular online payment system. The flaw, reported by Michael Mazzolini of GoldNetwork, affects versions 4.8.0 and higher and could allow unauthenticated attackers to gain admin access to vulnerable online stores. This could result in the complete takeover of a website without any user interaction. Experts warn that since the vulnerability requires no authentication, it is likely to be exploited on a mass scale soon.

The WooCommerce team has issued a security update that patches the vulnerability. According to Beau Lebens, Head of Engineering at WooCommerce, the team has found no evidence of the vulnerability being targeted or exploited in the wild, and no store or customer data was compromised. However, Automattic has initiated the security update on hundreds of thousands of websites, including those hosted on WordPress.com, Pressable, and WPVIP, to ensure their safety.

Vulnerable WooCommerce online shops being updated

Admins who host a WordPress installation on their own servers will have to update WooCommerce Payments manually using the provided procedure. Meanwhile, vulnerable WooCommerce stores hosted on WordPress.com are already being updated or have already been updated. The patched versions are 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, and 5.6.2.

After securing their stores, admins are advised to check for any suspicious activity, including newly added admin users and suspicious posts. In case of any unexpected activity, admins should immediately update their admin passwords and rotate Payment Gateway and WooCommerce API keys. They are also encouraged to change any private or secret data stored in their WordPress/WooCommerce database, including API keys, public/private keys for payment gateways, and more, depending on their particular store configuration.

Admins advised to check for signs of compromise after WooCommerce patch

The WooCommerce Payments vulnerability could pose a significant threat to online stores, which is why it is essential to take immediate action to protect against it. If you support or develop for other WooCommerce merchants, be sure to share this information and ensure that they are using the latest version of WooCommerce Payments to keep their stores secure.


(c) Blackhat

Hackers attack Munich Helmholtz Center

The communication of the research institution is permanently disrupted. Even the police couldn’t get to the facility at first – and had to send an officer in person to see what was going on there.

A cyber attack was carried out on the Helmholtz Center in Munich, which apparently paralyzed all communication at the research facility on Ingolstädter Landstrasse in Neuherberg. The Munich police confirmed this when asked. The research center has not yet responded to email inquiries – presumably because the IT is still out of order. The facility cannot be reached by phone. “The number you want is currently switched off,” it says when you call.

The attack by the previously unknown hackers is said to have happened at the beginning of last week. The Munich police initially knew nothing about it. When an attempt to reach the facility by telephone failed after a request from the Süddeutsche Zeitung, criminal investigation department 12, which is responsible for cybercrime, sent an officer in person to the north of Munich. Since then, the criminal police have been investigating the case.

Several security authorities in Bavaria are responsible for defending against threats in cyberspace. The Cyber Alliance Center Bavaria (CAZ) in the Bavarian State Office for the Protection of the Constitution supports local companies, operators of critical infrastructure, universities and research institutions in preventing and defending against electronic attacks by foreign states. The central contact point for cybercrime (ZAC) at the State Criminal Police Office acts as the Bavarian police's “first aider” and advisor for all Bavarian companies, authorities, associations and institutions. The Central Office for Cybercrime Bavaria (ZCB), set up at the Bamberg Public Prosecutor's Office, handles high-profile cybercrime investigations throughout Bavaria. It investigates attacks on important sectors of the economy and on public institutions, as well as cases of organized cybercrime.

Helmholtz Zentrum München is a research center for health and the environment. Around 2,500 employees work on the campus of more than 50 hectares. There are also affiliated facilities in the city of Munich and in Garching. Research focuses on the influence of environmental factors on health.


(c) cybercrime

Zoom Zoom: ‘Dark Power’ Ransomware Extorts 10 Targets in Less Than a Month

A new threat actor is racking up victims and showing unusual agility. Part of its success could spring from the use of the Nim programming language.

A nascent ransomware gang has burst onto the scene with vigor, breaching at least 10 organizations in less than a month’s time.

The group, which Trellix researchers have named “Dark Power,” is in most ways like any other ransomware group. But it separates itself from the pack due to sheer speed and lack of tact — and its use of the Nim programming language.

“We first observed them in the wild around the end of February,” notes Duy Phuc Pham, one of the authors of a Thursday blog post profiling Dark Power. “So it’s only been half a month, and already 10 victims are affected.”

What’s odd is that there seems to be no rhyme or reason as to whom Dark Power targets, Trellix researchers said. The group has added to its body count in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the US, across the agricultural, education, healthcare, IT, and manufacturing sectors.

Using Nim as an Advantage

One other significant way that Dark Power distinguishes itself is in its choice of programming language.

“We see that there is a trend where cybercriminals are extending to other programming languages,” Pham says. The trend is fast spreading among threat actors. “So even though they’re using the same kind of tactics, the malware will evade detection.”

Dark Power utilizes Nim, a high-level language its creators describe as efficient, expressive, and elegant. Nim was “a bit of an obscure language originally,” the authors noted in their blog post, but “is now more prevalent with regards to malware creation. Malware creators use it since it is easy to use and it has cross-platform capabilities.”

It also makes it more difficult for the good guys to keep up. “The cost of the continuous upkeep of knowledge from the defending side is higher than the attacker’s required skill to learn a new language,” according to Trellix.

What Else We Know About Dark Power

The attacks themselves follow a well-worn ransomware playbook: Social-engineering victims through email, downloading and encrypting files, demanding ransoms, and extorting victims multiple times regardless of whether they pay.

The gang also engages in classic double extortion. Even before victims know they’ve been breached, Dark Power “might have already collected their sensitive data,” Pham explains. “And then they use it for the second ransom. This time they say that if you’re not going to pay, we’re going to make the information public or sell it on the Dark Web.”

As always, it’s a Catch-22, though, because “there is no guarantee that if you pay the ransom, there will be no consequences.”

Thus, enterprises need to have policies and procedures in place to protect themselves, including the ability to detect Nim binaries.

“They can try to establish robust backup and recovery systems,” says Pham. “This is, I think, the most important thing. We also suggest that organizations have a very precise, very powerful incident response plan in place before all of this can happen. With that, they can reduce the impact of the attack if it occurs.”


(c) Nate Nelson

[QuickNote] Decrypting the C2 configuration of Warzone RAT

1. Introduction

Warzone RAT is a type of malware that is capable of infiltrating a victim’s computer and giving attackers remote access and control over the system. The malware has gained notoriety for its advanced capabilities and ability to evade detection, making it a serious threat to computer security.

Warzone RAT is typically spread through phishing emails or other social engineering techniques, where attackers trick victims into downloading and installing the malware on their systems. Once the malware is installed, it can perform a variety of malicious actions, including stealing passwords, taking screenshots, and logging keystrokes. It can also download and execute additional malware, giving attackers even more control over the victim’s system.

One of the key features of Warzone RAT is its ability to encrypt its configuration data, making it difficult for security experts to analyze and understand how the malware operates. Currently, there are two variants of the malware in circulation, each using a different method to decode its configuration. The first variant uses standard RC4 encryption, while the second variant uses a modified version of RC4. This modification makes it even more challenging to decrypt and analyze the malware’s configuration data.

2. Analysis

Sample 1: 00930cccd81e184577b1ffeebf08ee6a32dd0ef416435f551c64d2bcb61d46cf (uses standard RC4)

Sample 2: 61f8bf26e80b6d6a7126d6732b072223dfc94203bb7ae07f493aad93de5fa342 (uses modified RC4)

In Warzone RAT, the configuration info is stored in the .bss PE section of the malware’s code. The .bss section is typically used for storing uninitialized data. The format of the configuration is as follows: [Key length] [RC4 key] [Encrypted data]. Below is an illustration of the configuration stored in the .bss section in both samples.

The steps for retrieving the configuration and copying the data from the .bss section into memory are the same in both samples. The pseudocode is shown below:

The pseudocode of function wzr_decrypt_config is identical in both samples: it extracts the RC4 key and the encrypted data, then uses RC4 to decrypt the configuration. The difference lies in function wzr_perform_rc4.

The function wzr_perform_rc4 in sample 1 uses standard RC4 to decrypt the configuration. Its pseudocode is shown below:

Thus, we can easily use CyberChef to decode the configuration, or write a Python script to automate the process for similar samples.
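As an added example (not code from the original post or from the Warzone samples), the following stand-alone Python script parses a blob in the [Key length] [RC4 key] [Encrypted data] layout and decrypts it with standard RC4, i.e. the sample-1 variant. The 4-byte little-endian key-length field, the build_config_blob helper and the placeholder C2 string are assumptions made for this example; the blob is constructed inline rather than taken from a sample, and reading the raw .bss bytes out of a real PE is left to a PE parser.

```python
import struct

# Assumption for this example: the key-length field is a 4-byte little-endian integer.
LENGTH_FIELD = "<I"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty key")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config_blob(blob: bytes):
    """Split [key length][RC4 key][encrypted data]; returns (key, ciphertext).

    The plausibility check on the length rejects blobs that do not start with the
    expected layout (e.g. the wrong section or a wrong offset was handed in).
    """
    if len(blob) < 4:
        raise ValueError("blob too short for a length field")
    key_len = struct.unpack_from(LENGTH_FIELD, blob, 0)[0]
    if key_len == 0 or 4 + key_len > len(blob):
        raise ValueError(f"implausible key length {key_len}")
    key = blob[4:4 + key_len]
    return key, blob[4 + key_len:]


def decrypt_config(blob: bytes) -> bytes:
    """Recover the plaintext configuration of a standard-RC4 (sample-1 style) blob."""
    key, ciphertext = parse_config_blob(blob)
    return rc4(key, ciphertext)


def build_config_blob(key: bytes, plaintext: bytes) -> bytes:
    """Construct a test blob in the same layout (constructed sample data, hypothetical helper)."""
    return struct.pack(LENGTH_FIELD, len(key)) + key + rc4(key, plaintext)


# Constructed sample: placeholder key and placeholder C2 string, not from a real sample.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_PLAINTEXT = b"c2.example.invalid:1234"
SAMPLE_BLOB = build_config_blob(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(decrypt_config(SAMPLE_BLOB))
```

To apply this to a real sample of the first variant, read the raw bytes of the .bss section (for example with a PE parser such as pefile) and pass them to decrypt_config; for the second variant the rc4 function has to be replaced by the modified algorithm described below, while the blob parsing stays the same.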

The pseudocode of function wzr_perform_rc4 in sample 2 is shown below. Prior to decryption, it allocates an array of 250 bytes filled with zeros, then copies the extracted rc4_key into this array. Finally, it calls the wzr_rc4_crypt function, which uses the modified RC4 algorithm to decrypt the configuration.

The complete pseudocode of the wzr_rc4_crypt function is as follows:

void __thiscall wzr_rc4_crypt(wzr_rc4_data *rc4_info, _BYTE *data)
{
  idx = 0;
  if ( rc4_info->rc4Sbox )
  {
    if ( rc4_info->rc4_key_250b )
    {
      // Fill the S-box with the identity permutation 0..255
      rc4_info->counter2 = 0;
      LOBYTE(i) = 0;
      rc4_info->counter1 = 0;
      do
      {
        rc4_info->rc4Sbox[i] = rc4_info->counter1;
        i = rc4_info->counter1 + 1;
        rc4_info->counter1 = i;
      }
      while ( i < 256 );
      // Key schedule: the 250-byte key is mixed in with XORs instead of the standard swap
      rc4_info->counter1 = 0;
      for ( i = 0; i < 256; rc4_info->counter1 = i )
      {
        rc4Sbox = rc4_info->rc4Sbox;
        rc4_info->counter2 += rc4Sbox[i] + rc4_info->rc4_key_250b[i % 250];
        rc4Sbox[i] ^= rc4Sbox[rc4_info->counter2];
        // swap values
        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)];
        rc4_info->rc4Sbox[LOBYTE(rc4_info->counter1)] ^= rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)];
        i = rc4_info->counter1 + 1;
      }
      rc4_info->counter1 = 0;
      rc4_info->counter2 = 0;
      // Decrypt data
      if ( rc4_info->data_length )
      {
        j = 0;
        do
        {
          rc4_info->counter1 = j + 1;
          rc4Sbox = rc4_info->rc4Sbox;
          k = (j + 1);
          rc4Sbox_value1 = rc4Sbox[k];
          rc4_info->counter2 += rc4Sbox_value1;
          rc4Sbox_value1_ = rc4Sbox_value1;
          rc4Sbox_value2 = rc4Sbox[rc4_info->counter2];
          rc4Sbox[k] = rc4Sbox_value2;
          rc4_info->rc4Sbox[LOBYTE(rc4_info->counter2)] = rc4Sbox_value1;
          rc4Sbox_ = rc4_info->rc4Sbox;
          // Keystream byte is derived from several S-box lookups rather than S[S[i] + S[j]]
          data[idx] ^= rc4Sbox_[(rc4_info->counter2 + rc4Sbox_value2)] ^ (rc4Sbox_[(rc4Sbox_value2 + rc4Sbox_value1_)]
                                                                        + rc4Sbox_[(rc4Sbox_[((0x20 * rc4_info->counter2) ^ (rc4_info->counter1 >> 3))]
                                                                                  + rc4Sbox_[((0x20 * rc4_info->counter1) ^ (rc4_info->counter2 >> 3))]) ^ 0xAA]);
          j = ++rc4_info->counter1;
          ++idx;
        }
        while ( idx < rc4_info->data_length );
      }
    }
  }
}

With the pseudocode above, we can rewrite the decoding routine in Python as follows. This is the code I wrote; you can write it your own way as long as it performs the task correctly.

# Refs: https://stackoverflow.com/questions/9433541/movsx-in-python
# Sign-extend the low b bits of x (the equivalent of the movsx instruction).
def SIGNEXT(x, b):
    m = (1 << (b - 1))
    x = x & ((1 << b) - 1)
    return ((x ^ m) - m)

# This routine is responsible for decrypting the stored C2.
# data: the encrypted configuration bytes; key: the 250-byte zero-padded RC4 key array.
def rc4_customized_decryptor(data, key):
    idx = 0
    counter1 = 0
    counter2 = 0
    # Initialize RC4 S-box
    rc4Sbox = list(range(256))
    # Modify RC4 S-box (XOR-based mixing instead of the standard swap)
    for i in range(256):
        counter2 += (rc4Sbox[i] + key[i % 250])
        counter2 = counter2 & 0x000000FF
        rc4Sbox[i] ^= rc4Sbox[counter2]
        rc4Sbox[counter2 & 0xFF] ^= rc4Sbox[counter1 & 0xFF]
        rc4Sbox[counter1 & 0xFF] ^= rc4Sbox[counter2 & 0xFF]
        counter1 = i + 1
    # Decrypt data
    counter1 = 0
    counter2 = 0
    j = 0
    decrypted = []
    while idx < len(data):
        counter1 = j + 1
        k = (j + 1)
        rc4Sbox_value1 = rc4Sbox[k]
        # The S-box entry is read as a signed byte (movsx) before it is added to counter2
        counter2 += (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value1_ = (SIGNEXT(rc4Sbox_value1, 8) & 0xFFFFFFFF)
        rc4Sbox_value2 = rc4Sbox[counter2 & 0x000000FF]
        rc4Sbox[k] = rc4Sbox_value2
        rc4Sbox[(counter2 & 0x000000FF)] = rc4Sbox_value1
        # Keystream byte built from the nested S-box lookups seen in the pseudocode
        tmp1 = rc4Sbox[((0x20 * counter1) ^ (counter2 >> 3)) & 0x000000FF]
        tmp2 = rc4Sbox[((0x20 * counter2) ^ (counter1 >> 3)) & 0x000000FF]
        tmp3 = rc4Sbox[((tmp1 + tmp2) & 0x000000FF) ^ 0xAA]
        tmp4 = rc4Sbox[(rc4Sbox_value2 + rc4Sbox_value1_) & 0x000000FF]
        tmp5 = (tmp3 + tmp4) & 0x000000FF
        tmp6 = rc4Sbox[(counter2 + rc4Sbox_value2) & 0x000000FF]
        decrypted.append(data[idx] ^ (tmp5 ^ tmp6))
        counter1 += 1
        j = counter1
        idx += 1
    return bytes(decrypted)

Below are the results of using a Python script to extract the configuration of Warzone RAT from the samples used in the article.

3. End

This concludes the article. I hope it provides useful information for you when analyzing the Warzone RAT malware. To protect against Warzone RAT and other types of malware, users should take precautions such as being cautious when opening email attachments, using strong passwords, and keeping their software up to date. It is also important to use antivirus software and to keep it updated regularly. By taking these steps, users can help protect themselves against the threat of Warzone RAT and other types of malware.

4. Refs

https://research.openanalysis.net/warzone/malware/config/2021/05/31/warzone_rat_config.html

https://exploitreversing.files.wordpress.com/2022/11/mas_6-1.pdf


(c) kienmanowar

Memory Forensics R&D Illustrated: Detecting Hidden Windows Services

As mentioned in a recent blog post, our team is once again offering in-person training, and we have substantially updated our course for this occasion. Over the next several weeks, we will be publishing a series of blog posts, offering a sneak peek at the types of analysis incorporated into the updated Malware & Memory Forensics training course.

Introduction

To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background. We will then walk through how services.exe stores service information, and how we can recover it in an orderly manner. This will lead to how we developed two new Volatility 3 plugins to help automate detection of hidden services.

The power of these plugins will be showcased against the powerful GhostEmperor APT rootkit that was discovered in the wild by researchers at Kaspersky. GhostEmperor employs a kernel mode rootkit and a userland DLL to maintain persistence and control the victim system. This DLL operates as a service that is hidden from live analysis and DFIR triage tools, and it interacts directly with the rootkit driver in kernel memory. As will be demonstrated, by automatically detecting the hidden service of GhostEmperor through memory analysis, we can quickly find the rest of its components, including those hidden on the live system.

Services Background

Services are a powerful feature of Windows that allow malware to run in one of three possible forms. The first allows malware to register a DLL that will be loaded into a shared svchost.exe process, hiding it amongst other DLLs loaded inside the same process, as well as the many svchost.exe instances that run on a normal system. The second form allows malware to run as its own process. The third, and most dangerous, form is when malware creates a service to load a kernel driver (rootkit).

When services are created and started using standard methods, a few artifacts are left behind for investigators to find. The first is a set of registry keys and values under CurrentControlSet\Services\<service name>. The second is the service’s entry within a linked list maintained by services.exe. This list is enumerated when system APIs, such as EnumServiceStatus{A,W,Ex}, and tools, such as sc.exe query, are used to enumerate services on the running system.

Given the power of services, malware often abuses the ability to create or hijack services for its own purposes. This leads to the inspection of services on a running system by endpoint detection and response solutions (EDRs) and threat hunting teams to look for any suspicious signs. To avoid detection while keeping a service active, malware has historically targeted both sources of artifacts—the registry keys and the services.exe list—with registry keys being targeted in two ways: deleting or hiding them.

In the first approach, malware will delete its registry keys while running, and then rewrite them before system shutdown or reboot. This has a major disadvantage though, as sudden system crashes or service stops prevent the malware from re-registering its persistence.

This deficiency led to the current approach malware takes, including by GhostEmperor, which is to simply hide its keys from the running system. The following screenshot shows Kaspersky’s report on the malware’s approach:

As discussed in Kaspersky's report, the CmRegisterCallback usage effectively allows the malware to hide its service's keys from tools on the live system. Detecting this malicious callback is possible with Volatility's callbacks plugin though, and there are also EDRs capable of enumerating callbacks from within kernel memory. To avoid these EDRs, some rootkits found during recent APT campaigns have implemented a completely new method of registry key hiding, known as GetCellRoutine hijacking, that we will cover in an upcoming post along with another new Volatility 3 plugin.

Beyond the registry, malware also wants to hide its malicious service from tools on the live system that query services.exe to enumerate running services. To accomplish this, malware will inject code into the services.exe process, and then unlink the malicious service of interest. This will effectively hide the service from live DFIR triage tools and built-in Windows commands. It’s the detection of these unlinked services using new memory forensics capabilities that we cover further in this blog post.

Note: Chapter 12 in The Art of Memory Forensics is devoted to discussion of Windows services, ways malware abuses them, and several historical methods of detection. If you would like a complete treatment of the subject after reading this blog post, then we suggest reading this chapter.

Detecting Unlinked Services

As mentioned, a wide variety of malware samples will unlink their malicious services for anti-forensics purposes. The following screenshot from the Kaspersky report on GhostEmperor describes this for the malware sample:

In our analyzed memory sample, the name of the hidden service is “msdecode”, which is one of the possibilities listed in the report.

The Art of Memory Forensics details one method for detecting unlinked services with Volatility. This method relies on scanning physical memory for services records, and then drawing a dot graph of how each service is linked to other services. This linkage is based on the previous and next pointers of the doubly linked list. During normal operations, each service record should have one service’s forward pointer referencing it, and one service’s backwards pointer referencing it. In the case of an unlinked service, the hidden service will have no services that reference it. The following image from The Art of Memory Forensics shows how this detection logic is applied to an unlinked wscsvc service:

As can be seen, all services other than wscsvc have previous and next pointers (green and red arrows) pointing to them from other services. This is a direct visual indication that the wscsvc service is unlinked.

Unfortunately, this detection method is no longer viable for two main reasons. First, the Connected Devices Platform subsystem creates a wide variety of temporary services during system operations. This means that smear (changes to memory during acquisition) will often cause these services to appear as unlinked when using the method that detected wscsvc. The second reason is that scanning physical memory will find copies of service records relating to services that have since changed state (restarting, start<->stop). The ability to recover these historical records is a powerful aspect of memory forensics, but unfortunately clutters the results for this particular use case, as the historical records are no longer tracked by services.exe.

To illustrate these issues, we created a Volatility 3 plugin, svclinks, that reports a text-based version of the visual graph. We ran svclinks against our memory sample infected with GhostEmperor. This plugin reports only services that it thinks are unlinked, and the results are shown below:


As can be seen, while our target service, Msdecode, is in the reported list of unlinked services, so are several other services, all of which are false positives. Given the inability to rely on our old method, we needed to develop a new one.

Replicating services.exe's Enumeration of Services

Knowing that the live system uses the list inside of services.exe to report services, along with the fact that malware takes great effort to hide from this list, we chose to use it as a source for detecting unlinked services. This detection relies on cross-comparing the services found through scanning, which Volatility 3 already supports, versus the list walking performed in our new plugin. This is similar to using pslist and psscan (or psxview) to detect unlinked processes within the kernel.

Over the years, Microsoft has made substantial changes to the methods services.exe uses to track services, but, luckily for us, we only have to be concerned with changes in the data structure layout and the name of global variables. The following screenshots show how the services.exe database is declared across Windows versions:

Windows 10+:

Windows 7:

For data structure layouts, Volatility 3 already contained definitions for most of the types needed. All we had to add was the CServiceDatabase type and the offset to the first service record. Luckily, this was at a constant offset for all versions tested.

Enumerating the Service List in Volatility 3

To automate detection of unlinked services, two Volatility 3 plugins were developed. The first, svclist, locates and then enumerates the list of services maintained by services.exe. The second, svcdiff, compares the services obtained from scanning with the services obtained from walking the list. We will now discuss how these plugins are implemented with several screenshots of code. If you would like to read a nearly line-by-line breakdown of implementing a Volatility 3 plugin that performs similar actions, please see our post on detecting the skeleton key attack of Mimikatz.

Finding the Service Database

Obtaining the address of the service database inside of a particular memory sample is easy, since Volatility 3 supports automatic symbol resolution through PDB files. This tells us our plugin precisely where to find the database within the memory sample.

To start this recovery, Volatility’s process enumeration API is used to find the _EPROCESS object for services.exe. Next, the following code is used to automatically download and parse the PDB file for the executable, and then search the variations of the service database’s symbol name:

The end result of this code is that the svclist plugin will automatically know where to find the services database, which then tells the plugin how to find the beginning of the list.

Enumerating Services from the List

Once the list is found, Volatility’s traverse API for services can be used to walk the list; svclist then has little work left to do, as the existing svcscan plugin already contains a get_record_tuple API that gathers the information about a service (name, path, PID, etc.) to report to the analyst:

Using this, the output from our plugin then looks the same as when svcscan runs.

Detecting Unlinked Services in Volatility 3

Our detection of unlinked services in the new svcdiff plugin is based on comparing the set of services generated by the svcscan plugin and our new svclist plugin. In particular, each of these plugins is programmatically run, and then the names of any service found through scanning—but not through list walking—is reported.

By keying in on the name, we work around the issues found when linked-list pointers are used. This fix works because even if a service is stopped and restarted (which creates multiple data structures in memory), the name will be the same between runs. The name-based approach also removes the chance of false positives from the temporary services generated on Windows 10+.

The following screenshot shows the core of this plugin and how easy it is to leverage existing APIs in Volatility 3 to produce powerful new capabilities:

In this code, the services_scan API is first used to gather the names of services based on scanning. As shown in the get_record_tuple screenshot, the name of the service is the sixth entry. Next, service_list from our new plugin is used to gather services the way services.exe does on the live system. Finally, a simple set difference is used to determine names found through scanning that were not found in the list. These are then reported to the output rendering API.
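As an added illustration, not Volatility's code, here is a small stand-alone Python model of the two approaches contrasted above (the pointer-reference check of svclinks and the name-based diff of svcdiff), run over a constructed set of service records rather than a memory image. The addresses, pointer values, the Wscsvc/Dhcp/CDPUserSvc names and the function names svclinks_style, walk_service_list and svcdiff_style are all made up for this example; only Msdecode is the hidden service from the sample discussed in this post. The real plugins operate on records recovered by svcscan and on the list walked from the services.exe database.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ServiceRecord:
    """One service record as a scanner would recover it from services.exe memory."""
    name: str
    prev_addr: Optional[int]  # address of the previous record (None at the list head)
    next_addr: Optional[int]  # address of the next record (None at the list tail)


# Constructed "memory image" (address -> record). Everything here is made up for
# the example except the name Msdecode, the hidden GhostEmperor service.
MEMORY: Dict[int, ServiceRecord] = {
    0x1000: ServiceRecord("Wscsvc", None, 0x2000),
    0x2000: ServiceRecord("Dhcp", 0x1000, 0x6000),           # neighbours now skip 0x3000
    0x3000: ServiceRecord("Msdecode", 0x2000, 0x6000),       # unlinked; still holds its own pointers
    0x6000: ServiceRecord("CDPUserSvc_1a2b", 0x2000, None),  # temporary service, current copy
    0x4000: ServiceRecord("CDPUserSvc_1a2b", 0x2000, None),  # same service at its old address (smear)
    0x5000: ServiceRecord("Dhcp", 0x7000, 0x8000),           # historical record; neighbours since freed
}
DATABASE_HEAD = 0x1000  # what the first-record field of the service database points at


def svclinks_style(memory: Dict[int, ServiceRecord]) -> List[int]:
    """Pointer-based check: report records that no other record's prev/next points at."""
    referenced: Set[int] = set()
    for rec in memory.values():
        referenced.update(a for a in (rec.prev_addr, rec.next_addr) if a is not None)
    return sorted(addr for addr in memory if addr not in referenced)


def walk_service_list(memory: Dict[int, ServiceRecord], head: int) -> List[str]:
    """Follow next pointers from the database head, as svclist does.

    Stops on a dangling pointer or a cycle so a smeared list cannot loop forever.
    """
    names: List[str] = []
    seen: Set[int] = set()
    addr: Optional[int] = head
    while addr is not None and addr in memory and addr not in seen:
        seen.add(addr)
        names.append(memory[addr].name)
        addr = memory[addr].next_addr
    return names


def svcdiff_style(memory: Dict[int, ServiceRecord], head: int) -> List[str]:
    """Name-based diff: names seen by scanning but absent from the list walk."""
    scanned = {rec.name for rec in memory.values()}
    listed = set(walk_service_list(memory, head))
    return sorted(scanned - listed)


if __name__ == "__main__":
    print("pointer-based (svclinks style):",
          [f"{a:#x} {MEMORY[a].name}" for a in svclinks_style(MEMORY)])
    print("name-based (svcdiff style):", svcdiff_style(MEMORY, DATABASE_HEAD))
```

On this constructed image the pointer-based check flags three records (Msdecode plus the stale copy of the temporary service and the historical Dhcp record), while the name-based diff reports only Msdecode, because the stale records' names are still present in the walked list.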

Detecting Ghost Emperor

With our new plugin available, automatically detecting GhostEmperor’s unlinked service is as simple as one Volatility invocation:

In this invocation, svcdiff reports only one service, Msdecode, which we know is the one hidden by GhostEmperor.

Exploring the Hidden Service

With this information in hand, we can investigate further by determining other components and actions of this service. To start, we can look at the list of DLLs inside of the process (reported as PID 4756 by svcdiff):


In this abbreviated output, we see DLLs inside of system32, as well as the malware's msdecode.dll. Running dlllist with the --dump option extracts all of a process's DLLs to disk. Looking at the strings output of this extracted file shows the names of several APIs used for gathering sensitive system information and for anti-forensics purposes:

The extracted DLL file can then be loaded into your reverse-engineering (RE) tool of choice, scanned with YARA signatures, or subjected to other static analysis techniques.

Kernel Mode Components

After examining loaded DLLs, we can then examine the handles of the process to determine which system resources it is accessing. Since we know a kernel rootkit is involved, we search for any references to Device files within the handles output. Device files are created by drivers to allow userland processes to “speak” directly with the driver. This is the most commonly used interface by rootkits to allow the controlling process to specify filenames, registry keys, and processes to hide, as well as actions like enabling privilege escalation.

Looking at the Device files being accessed by the Msdecode service process shows us an interesting entry for a device named dump_audio_codec0; the other entries are present on all Windows systems:

Attempting to investigate dump_audio_codec0 further immediately shows that it is malicious in nature. The following screenshot shows the output of the modules and driverscan plugins of Volatility 3 while searching for the driver:

As seen, the driver does not appear in modules output, which only happens when anti-forensics techniques are used. This is verified by the output of driverscan that shows the module’s base address and size have both been set to “0”. This is a common anti-forensics technique to hide a module on a live system and prevent its direct extraction from memory.

This technique is, in fact, so common that Volatility has a special-purpose plugin called drivermodule to detect discrepancies between module and driver data structures:

In this output, two modules are reported. The first, RAW, will trigger in nearly all memory samples but, as seen in the first column, it is reported as a known exception. However, dump_audio_codec0 is not, and as we have verified multiple times already, this driver is definitely worthy of deep investigation.

Between the usage of our new svclist plugin, along with the drivermodule plugin, we have directly detected both the userland and kernel components of the rootkit, and we have done so without any existing IOCs specific to GhostEmperor. As demonstrated, memory forensics continues to be a necessary component to accurately detect modern rootkits and malware.

Conclusion

In this blog post we have demonstrated a new memory-forensics technique to detect hidden services in a smear-resistant manner. Given the number of malware samples that hide services from the live system, as well as the danger posed by these services, it is essential that malware can be detected in a reliable manner.

If you have any questions about this blog post, please let us know! You can email us, or find us on Mastodon and Twitter. We also have our own Slack Server. If you enjoyed this content, then be sure to check out the announcement of our updated training class. During the course, students are taught how to detect modern malware, such as the sample discussed in this blog post, and gain significant hands-on experience through many real-world labs.

Finally, we will be presenting new research on triaging modern Windows rootkits at BSidesCharm in Baltimore in a few weeks, so please come say hello if you will be there!

 

(c) Volatility Labs

New Android Banking Malware Attacking Over 400 Financial Apps

Several threat actors are already using a newly discovered Android banking trojan, dubbed Nexus, to target 450 financial applications and steal data.

The malware was identified by analysts at the Italian cybersecurity firm Cleafy, who affirmed that it is still in its early development stages.

However, account takeover (ATO) attacks against banking portals and cryptocurrency service providers can already be conducted with this malware, as it is equipped with all the main features needed.

Cleafy discovered the presence of the new Android banking Trojan known as “Nexus” in June 2022. Although Cleafy first thought Nexus was a highly dynamic variation of the previously tracked Trojan known as “Sova,” additional analysis revealed that Nexus has unique traits and capabilities.

At the time of detection, the malware was found to have merged numerous portions of Sova code. It also displayed a broad variety of capabilities that allowed it to attack over 200 mobile banking, cryptocurrency, and other financial apps.

Price tag or fee

Earlier this month, cybersecurity firm Cyble documented the emergence of this new malware on several hacking forums, where the threat actors behind it advertised it to potential clients as a subscription service with a monthly fee of $3,000.

As early as June 2022, at least six months before the malware was announced, there was evidence that the malware was being used in real-world attacks. It has been reported that most Nexus infections are occurring in Turkey.

Moreover, it appears to incorporate a ransomware module that is under active development, and it reuses parts of another banking trojan named SOVA.

Countries excluded

Interestingly, the Nexus authors have clearly specified that their malware must not be used in any of the following countries:

  • Azerbaijan
  • Armenia
  • Belarus
  • Kazakhstan
  • Kyrgyzstan
  • Moldova
  • Russia
  • Tajikistan
  • Uzbekistan
  • Ukraine
  • Indonesia

Apart from this, the malware abuses Android’s accessibility service to read 2FA codes from SMS messages and the Google Authenticator app.

Here is a list of some updated and new functionalities that have been added:

  • The ability to delete SMS messages received
  • Activate or stop the 2FA stealer module
  • Ping a C2 server periodically to update itself.

The MaaS approach enables the threat actors to streamline their efforts in generating profits from malware by offering a pre-built infrastructure to their clients.

Without a VNC module, Nexus’ action range and capabilities are currently limited. Even so, judging by the infection rate observed across multiple C2 panels, Nexus is a threat that can infect hundreds of devices globally.

 

(c) Guru

New Dark Power ransomware claims 10 victims in its first month

A new ransomware operation named ‘Dark Power’ has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.

The ransomware gang’s encryptor has a compilation date of January 29, 2023, when the attacks started.

Furthermore, the operation has not been promoted on any hacker forums or dark web spaces yet; hence it’s likely a private project.

According to Trellix, which analyzed Dark Power, this is an opportunistic ransomware operation that targets organizations worldwide, asking for relatively small ransom payments of $10,000.

Dark Power attack details

The Dark Power payload was written in Nim, a cross-platform programming language with several speed-related advantages, making it suitable for performance-critical applications like ransomware.

Also, because Nim is only now starting to get more popular among cybercriminals, it is generally considered a niche choice that is unlikely to be detected by defense tools.

Trellix does not provide details regarding Dark Power’s infection point, but it could be an exploit, phishing emails, or other means.

Upon execution, the ransomware generates a random 64-character ASCII string that seeds the encryption algorithm, so each execution uses a unique key.

Next, the ransomware terminates specific services and processes on the victim’s machine to free up files for encryption and minimize the chances of anything blocking the file-locking process.

During that stage, the ransomware also stops the Volume Shadow Copy Service (VSS), data backup services, and anti-malware products in its hardcoded list.

[Image: Terminated processes and services (Trellix)]

After all of the above services are killed, the ransomware sleeps for 30 seconds and clears the console and Windows system logs to prevent analysis from data recovery experts.

The encryption uses AES in CTR mode, keyed from the ASCII string generated at launch. The resulting files are renamed with the “.dark_power” extension.

Interestingly, two versions of the ransomware circulated in the wild, each with a different encryption key scheme.

The first variant hashes the ASCII string with the SHA-256 algorithm and then splits the result into two halves, using the first as the AES key and the second as the initialization vector (nonce).

The second variant uses the SHA-256 digest as the AES key and a fixed 128-bit value as the encryption nonce.

System-critical files like DLLs, LIBs, INIs, CDMs, LNKs, BINs, and MSIs, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer operational, thus allowing the victim to view the ransom note and contact the attackers.

[Image: Files and folders excluded from encryption (Trellix)]

The ransom note, which was last modified on February 9, 2023, gives victims 72 hours to send $10,000 in XMR (Monero) to the provided wallet address to get a working decryptor.

Dark Power’s ransom note stands out compared to other ransomware operations as it is an 8-page PDF document containing information about what happened and how to contact them over the qTox messenger.

[Image: The first page of the ransom note (Trellix)]

Victims and activity

At the time of writing, the Tor site of Dark Power was offline. However, it is not uncommon for ransomware portals to go offline periodically as negotiations with victims develop.

Trellix reports that it has seen ten victims from the USA, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru, so the targeting scope is global.

[Image: Dark Power’s victim extortion page (Trellix)]

The Dark Power group claims to have stolen data from the networks of these organizations and threatens to publish it if they don’t pay the ransom, so it’s yet another double-extortion group.

 

(c) Bill Toulas

Microsoft pushes OOB security updates for Windows Snipping tool flaw

Microsoft released an emergency security update for the Windows 10 and Windows 11 Snipping tool to fix the Acropalypse privacy vulnerability.

Now tracked as CVE-2023-28303, the Acropalypse vulnerability is caused by image editors not properly removing cropped image data when overwriting the original file.

For example, if you take a screenshot and crop out sensitive information, such as account numbers, you should have reasonable expectations that this cropped data will be removed when saving the image.

However, with this bug, both the Google Pixel’s Markup Tool and the Windows Snipping Tool were found to be leaving the cropped data within the original file.

For example, in the image below, you can see how extra data is saved after the IEND file marker, which denotes the end of a PNG file. Normally, there should be no data after the IEND marker.

Cropped data mistakenly saved after IEND marker

This extra data could be used to partially recover the cropped image content, potentially exposing sensitive content that was never meant to be public.
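The check that follows is an added Python example, not code from Microsoft or from the original article. It walks the PNG chunk structure (the 8-byte signature, then a sequence of length/type/data/CRC chunks) and reports how many bytes sit after the IEND chunk; a correctly written PNG has none, so a non-zero count is the Acropalypse indicator described above. The 1x1 sample image and the stale tail appended to it are constructed inline so the script runs offline; the function names are this example’s own.

```python
"""Detect data after a PNG's IEND chunk (added example; sample bytes are constructed)."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(data: bytes):
    """Yield (chunk_type, offset_just_past_chunk) for each chunk, stopping after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        yield ctype, end
        pos = end
        if ctype == b"IEND":             # everything past here should not exist
            return
    raise ValueError("no IEND chunk found")


def trailing_bytes_after_iend(data: bytes) -> int:
    """Number of bytes following the IEND chunk; 0 for a correctly written file."""
    end_of_iend = None
    for ctype, end in iter_chunks(data):
        if ctype == b"IEND":
            end_of_iend = end
    return len(data) - end_of_iend


def is_acropalypse_candidate(data: bytes) -> bool:
    """True when leftover bytes follow IEND, i.e. the file was overwritten without truncation."""
    return trailing_bytes_after_iend(data) > 0


def build_sample_png() -> bytes:
    """Construct a minimal valid 1x1 RGB PNG for the example."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, comp, filter, interlace
    scanline = b"\x00" + b"\xff\x00\x00"                  # filter type 0 + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


CLEAN_PNG = build_sample_png()
# Constructed stand-in for the tail of a larger pre-crop image left behind on disk.
STALE_TAIL = _chunk(b"IDAT", zlib.compress(b"\x00" + b"\x00\xff\x00" * 4)) + _chunk(b"IEND", b"")
AFFECTED_PNG = CLEAN_PNG + STALE_TAIL


if __name__ == "__main__":
    # Scan files given on the command line; with no arguments, check the built-in samples.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("clean.png (sample)", CLEAN_PNG), ("affected.png (sample)", AFFECTED_PNG)]
    for name, blob in inputs:
        n = trailing_bytes_after_iend(blob)
        print(f"{name}: {n} byte(s) after IEND -> {'SUSPECT' if n else 'ok'}")
```

The scanner only reports that stale bytes exist; it does not try to rebuild the cropped image. For triage that is enough: any image destined for public sharing that scores non-zero should be re-exported from a patched tool (or rewritten with an encoder that truncates on save) before it leaves the machine.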

Security researchers have told BleepingComputer that the number of public images impacted by this flaw may be high, with VirusTotal alone hosting over 4,000 images affected by the Acropalypse bug.

Therefore, on services catering to image hosting, the number of Acropalypse-impacted images is likely much higher.

Microsoft releases OOB security update

As BleepingComputer reported, Microsoft was testing a fix for the Windows 11 Snipping Tool bug in the Windows Insider Canary channel.

Last night, Microsoft publicly released security updates for both the Windows 10 Snip & Sketch and Windows 11 Snipping Tool program to resolve the Acropalypse flaw.

“We have released a security update for these tools via CVE-2023-28303. We recommend customers apply the update,” Microsoft told BleepingComputer.

After installing this security update, Windows 11 Snipping Tool will be version 10.2008.3001.0, and Windows 10 Snip & Sketch will be version 11.2302.20.0.

Microsoft is now tracking the vulnerability as CVE-2023-28303 and titled it “Windows Snipping Tool Information Disclosure Vulnerability.”

The vulnerability is classified as “Low” severity because it “requires uncommon user interaction and several factors outside of an attacker’s control.”

  1. The user must take a screenshot, save it to a file, modify the file (for example, crop it), and then save the modified file to the same location.
  2. The user must open an image in Snipping Tool, modify the file (for example, crop it), and then save the modified file to the same location.

With that said, in our experience, it is not uncommon to take a screenshot, save it, and then realize you need to crop something out and then overwrite the original image. This image would now have been affected by the bug.

The good news is that, regardless of how the image was created, if you do not share an affected image publicly, there is little risk of the flaw being exploited unless your device is compromised.

To install the security updates, open the Microsoft Store and go to Library > Get Updates, and the latest version of the Windows Snipping Tool will be installed automatically.

 

(c) Lawrence Abrams

Apple further cracks down on remote work by ‘tracking employee attendance’ via badges

Apple is further cracking down on its in-person work requirements. According to Platformer’s Zoë Schiffer, Apple is closely monitoring attendance via badge records to ensure employees are coming to the office at least three times per week.

Apple’s in-person work rules

In a post on Twitter, Schiffer explained that Apple is giving employees “escalating warnings” if they don’t meet the in-person work requirements. Within some organizations at Apple, employees are being told that “failure to comply could result in termination,” though Schiffer clarified that this “doesn’t appear to be a company-wide policy.”

Bloomberg’s Mark Gurman recently reported in depth on some of the changes Apple has recently made in an effort to cut expenses. In that report, Gurman also pointed out that Apple is being more strict on enforcing in-person work requirements.

Apple, like most companies, shifted to remote work in response to the COVID-19 pandemic. Its policies changed on a regular basis in response to COVID-19 data, but almost a year ago it began a transitional “hybrid” return to in-person work. The plan started with Apple requiring in-person work one day per week and gradually expanded to two days per week. As of last September, the policy requires in-person work at least three days per week.

In January, Apple adjusted its policy for COVID-19 testing, dropping the requirement that employees be tested for COVID-19 before working in person.

Individual Apple teams are still believed to have at least some autonomy in enforcing in-person work requirements. Certain teams might require in-person work five days per week, while other teams can theoretically be more lenient on requiring in-person work three days per week. It’s clear, however, that individual teams may slowly be losing that flexibility as Apple looks for ways to cut costs (read: firing).

 

(c) Chance Miller

Exclusive: Microsoft must do more to resolve antitrust issues, rivals say

BRUSSELS, March 23 (Reuters) – Microsoft Corp’s (MSFT.O) initial offer to address EU antitrust complaints filed by rivals is insufficient and the U.S. software giant needs to do more, German software provider Nextcloud said, as regulators consider whether to open a formal investigation.

French cloud computing services provider and complainant OVHcloud (OVH.PA) is also waiting for a more concrete proposal from Microsoft, a person with direct knowledge of the matter said.

Resolving the complaints with the companies could help Microsoft stave off a possible EU antitrust investigation that could lead to a fine as much as 10% of its global turnover.

Nextcloud took its grievance to the European Commission in 2021, alleging that Microsoft abuses its dominance by bundling its OneDrive cloud storage service with its Windows 10 and 11 operating system.

Microsoft, which has been hit with more than 1.6 billion euros ($1.7 billion) in EU antitrust fines in the previous decade, reached out a year ago but did not talk about the bundling issues, Nextcloud Chief Executive Frank Karlitschek said on Wednesday.

“I would be interested in more talks but it would have to be a serious conversation,” he told Reuters.

The complaints by OVHcloud, Italian cloud service provider Aruba and a Danish association of cloud service providers focused on Microsoft’s cloud practices and licensing deals.

Microsoft said it introduced changes to its licensing practices in October last year that addressed feedback received from European cloud providers.

“We are grateful for the productive conversations that led us there and appreciate the feedback that we have received since,” a Microsoft spokesperson said.

Aruba and the Danish Cloud Community declined to comment.

A spokesperson for trade group CISPE, which filed a complaint about the company’s cloud computing practices with the Commission last year, said Microsoft reached out last week offering to discuss changes.

CISPE’s members include cloud computing market leader Amazon.com Inc (AMZN.O).

($1 = 0.9211 euros)

 

(c) Foo Yun Chee