Security Posts

The Challenge of Cracking Iran’s Internet Blockade

Wired: Security - Fri, 2022/09/30 - 23:16
People around the world are rallying to subvert Iran's internet shutdown, but actually pulling it off is proving difficult and risky.

Threat Advisory: Microsoft warns of actively exploited vulnerabilities in Exchange Server

Cisco Talos - Fri, 2022/09/30 - 23:16

Cisco Talos has released new coverage to detect and prevent the exploitation of two recently disclosed vulnerabilities collectively referred to as "ProxyNotShell," affecting Microsoft Exchange Servers 2013, 2016 and 2019. One of these vulnerabilities could allow an attacker to execute remote code on the targeted server. Limited exploitation of these vulnerabilities in the wild has been reported. CVE-2022-41040 is a Server Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 enables Remote Code Execution (RCE) when PowerShell is accessible to the attackers.

While no fixes or patches are available yet, Microsoft has provided mitigations for on-premises Microsoft Exchange users on Sept. 29, 2022. Even organizations that use Exchange Online may still be affected if they run a hybrid server. Cisco Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. The Hafnium threat actor exploited several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.

Vulnerability details and ongoing exploitation
Exploit requests for these vulnerabilities look similar to previously discovered ProxyShell exploitation attempts.


Successful exploitation of the vulnerabilities observed in the wild leads to preliminary information-gathering operations and the persistence of webshells for continued access to compromised servers. Open-source reporting indicates that webshells such as AntSword (a popular Chinese-language open-source webshell), SharPyShell (an ASP.NET-based webshell) and China Chopper have been deployed on compromised systems, leaving the following artifacts:

  • C:\inetpub\wwwroot\aspnet_client\Xml.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
  • C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

This activity is consistent with what is typically observed when attackers begin leveraging vulnerabilities in unpatched or vulnerable systems exposed to the internet.
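A triage routine for the artifacts listed above, added here as an example (it is not Talos code and not Microsoft's mitigation): it scans the two folders named in the advisory for files with the listed names, and also for any other server-side script written after a cut-off date (for instance the date of the last cumulative update), so that drops with different names are caught too. The constructed sample tree, the 30-day cut-off and the set of script extensions are assumptions.

```python
"""Triage the Exchange web folders named in the advisory for dropped webshells."""
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Webshell file names from the advisory, keyed by the folder (relative to the IIS
# web root or to the Exchange V15 install root) in which they were observed.
KNOWN_WEBSHELLS = {
    "aspnet_client": {"Xml.ashx"},
    "FrontEnd/HttpProxy/owa/auth": {
        "errorEE.aspx",  # name mimics the legitimate errorFE.aspx in the same folder
        "pxh4HG1v.ashx",
        "RedirSuiteServiceProxy.aspx",
    },
}
# Server-side script types that should not appear in these folders outside an update
# (assumed list; extend it for your environment).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so a large drop does not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(rel_dir: str, path: Path, modified: datetime, newer_than: datetime):
    """Return why a file is suspicious ('known-name' / 'recent-script'), or None."""
    if path.name in KNOWN_WEBSHELLS.get(rel_dir, set()):
        return "known-name"
    if path.suffix.lower() in SCRIPT_EXTENSIONS and modified >= newer_than:
        return "recent-script"
    return None


def scan_for_webshells(web_root: Path, exchange_root: Path, newer_than: datetime) -> list:
    """One finding (path, reason, mtime, sha256) per suspicious file under the watched folders."""
    roots = {"aspnet_client": web_root, "FrontEnd/HttpProxy/owa/auth": exchange_root}
    findings = []
    for rel_dir, root in roots.items():
        folder = root / rel_dir
        if not folder.is_dir():
            continue
        for path in sorted(folder.rglob("*")):
            if not path.is_file():
                continue
            modified = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            reason = classify(rel_dir, path, modified, newer_than)
            if reason:
                findings.append({
                    "path": str(path),
                    "reason": reason,
                    "modified": modified.isoformat(timespec="seconds"),
                    "sha256": sha256_of(path),
                })
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample layout (not real Exchange data) for an offline run."""
    auth = base / "exchange" / "FrontEnd" / "HttpProxy" / "owa" / "auth"
    client = base / "www" / "aspnet_client"
    auth.mkdir(parents=True)
    client.mkdir(parents=True)
    # A page shipped with the product: benign name, timestamp well before the cut-off.
    legit = auth / "logon.aspx"
    legit.write_text("<%@ Page %> legitimate logon page\n")
    old = time.time() - 400 * 86400
    os.utime(legit, (old, old))
    # Names taken from the advisory's artifact list (contents are placeholders).
    (auth / "errorEE.aspx").write_text("placeholder for a dropped file\n")
    (client / "Xml.ashx").write_text("placeholder for a dropped file\n")
    # A freshly written script with an unlisted name, and a non-script file.
    (client / "a8f3.ashx").write_text("placeholder for a dropped file\n")
    (auth / "readme.txt").write_text("not a script\n")


def demo() -> dict:
    """Scan the constructed tree; returns {path relative to the tree: reason}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        cutoff = datetime.now(timezone.utc) - timedelta(days=30)
        findings = scan_for_webshells(base / "www", base / "exchange", cutoff)
        return {str(Path(f["path"]).relative_to(base)).replace(os.sep, "/"): f["reason"]
                for f in findings}


if __name__ == "__main__":
    for rel_path, reason in demo().items():
        print(f"{reason:14s} {rel_path}")
```

On a real server, point `scan_for_webshells` at `C:\inetpub\wwwroot` and the Exchange V15 directory and set the cut-off to the last time the installation was legitimately updated.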

Initial reporting observed the download and deployment of additional malicious artifacts and implants on the infected systems using certutil; however, these TTPs may change as more threat actors start exploiting the vulnerabilities, each followed by their own set of post-exploitation activities.

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on

Cisco Talos is releasing SID 60642 to protect against CVE-2022-41040.

In addition, we are releasing SIDs 60637-60641 to protect against malicious activity observed during exploitation of CVE-2022-41082.

The existing SIDs 27966-27968, 28323, 37245, and 42834-42838 provide additional protection for the malicious activity observed during exploitation of CVE-2022-41082.

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Asp.Backdoor.AntSword-9972727-1
  • Asp.Backdoor.Awen-9972728-0
  • Asp.Backdoor.AntSword-9972729-0

IOCs

IPs and URLs

  • 125[.]212[.]220[.]48


Threat Roundup for September 23 to September 30

Cisco Talos - Fri, 2022/09/30 - 22:46

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Sept. 23 and Sept. 30. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics and indicators of compromise, and by discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center.

For each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found here that includes the complete list of file hashes, as well as all other IOCs from this post. A visual depiction of the MITRE ATT&CK techniques associated with each threat is also shown. In these images, the brightness of the technique indicates how prevalent it is across all threat files where dynamic analysis was conducted. There are five distinct shades that are used, with the darkest indicating that no files exhibited technique behavior and the brightest indicating that technique behavior was observed from 75 percent or more of the files.

The most prevalent threats highlighted in this roundup are:

  • Win.Virus.Parite-9970689-0 (Virus): Parite is a polymorphic file infector. It infects executable files on the local machine and on network drives.
  • Win.Malware.Zusy-9970856-0 (Malware): Zusy, also known as TinyBanker or Tinba, is a trojan that uses man-in-the-middle attacks to steal banking information. When executed, it injects itself into legitimate Windows processes such as "explorer.exe" and "winver.exe." When the user accesses a banking website, it displays a form to trick the user into submitting personal information.
  • Win.Dropper.Remcos-9970861-0 (Dropper): Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. This malware is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails.
  • Win.Malware.Emotet-9970880-0 (Malware): Emotet is currently one of the most widely distributed and active malware families. It is a highly modular threat that can deliver a wide variety of payloads. The botnet is commonly delivered via Microsoft Office documents with macros sent as attachments to malicious emails.
  • Win.Dropper.TrickBot-9970890-0 (Dropper): TrickBot is a banking trojan targeting sensitive information for certain financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB scripts.
  • Win.Dropper.XtremeRAT-9971238-0 (Dropper): XtremeRAT is a remote access trojan active since 2010 that allows the attacker to eavesdrop on users and modify the running system. The source code for XtremeRAT, written in Delphi, was leaked online and has since been used by similar RATs.
  • Win.Dropper.Kuluoz-9971090-0 (Dropper): Kuluoz, sometimes known as "Asprox," is a modular remote access trojan that downloads and executes follow-on malware, such as fake antivirus software. Kuluoz is often delivered via spam emails pretending to be shipment delivery notifications or flight booking confirmations.
  • Win.Dropper.Shiz-9971537-0 (Dropper): Shiz is a remote access trojan that allows an attacker to access an infected machine in order to harvest sensitive information. It is commonly spread via droppers or by visiting a malicious site.
  • Win.Packed.Fareit-9971247-1 (Packed): The Fareit trojan is primarily an information stealer with functionality to download and install other malware.

Threat Breakdown

Win.Virus.Parite-9970689-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 29 samples
Coverage: Secure Endpoint, CWS, Email Security, Secure Malware Analytics (Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Malware.Zusy-9970856-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 13 samples
Coverage: Secure Endpoint, CWS, Email Security, Secure Malware Analytics (Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Dropper.Remcos-9970861-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 42 samples
Coverage: Secure Endpoint, CWS, Email Security, Network Security, Secure Malware Analytics, Umbrella, WSA (Cloudlock, Stealthwatch, Stealthwatch Cloud: N/A).

Win.Malware.Emotet-9970880-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 25 samples
Coverage: Secure Endpoint, CWS, Email Security, Secure Malware Analytics (Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Dropper.TrickBot-9970890-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 10 samples
Coverage: Secure Endpoint, CWS, Email Security, Network Security, Secure Malware Analytics (Cloudlock, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Dropper.XtremeRAT-9971238-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 25 samples
Coverage: Secure Endpoint, CWS, Email Security, Secure Malware Analytics (Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Dropper.Kuluoz-9971090-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 26 samples
Coverage: Secure Endpoint, CWS, Email Security, Secure Malware Analytics (Cloudlock, Network Security, Stealthwatch, Stealthwatch Cloud, Umbrella, WSA: N/A).

Win.Dropper.Shiz-9971537-0 Indicators of Compromise
  • IOCs collected from dynamic analysis of 27 samples

Registry Keys (Occurrences)
Value Name: AutoDetect 27
<HKLM>\SOFTWARE\MICROSOFT
Value Name: KnownFolderDerivedFolderType 1

Mutexes (Occurrences)
Global\674972E3a 27
Global\MicrosoftSysenterGate7 27
internal_wutex_0x<random, matching [0-9a-f]{8}> 27
internal_wutex_0x000004b4 26
internal_wutex_0x0000043c 26
internal_wutex_0x000004dc 25
internal_wutex_0x000000e0 1
internal_wutex_0x0000038c 1
internal_wutex_0x00000448 1
internal_wutex_0x000006a0 1

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
204[.]79[.]197[.]200 15
13[.]107[.]21[.]200 12
45[.]33[.]23[.]183 8
173[.]255[.]194[.]134 6
72[.]14[.]178[.]174 6
72[.]14[.]185[.]43 6
45[.]56[.]79[.]23 5
45[.]33[.]2[.]79 5
45[.]33[.]30[.]197 5
45[.]33[.]18[.]44 4
45[.]79[.]19[.]196 3
198[.]58[.]118[.]167 3
85[.]94[.]194[.]169 2
96[.]126[.]123[.]244 1
45[.]33[.]20[.]235 1

Domain Names contacted by malware. Does not indicate maliciousness (Occurrences)
kevopoxecun[.]eu 27
rycaropynar[.]eu 27
lyxemoxyquf[.]eu 27
puzoxyvojyc[.]eu 27
fotaqizymig[.]eu 27
cidufitojex[.]eu 27
puvacigakog[.]eu 27
xuboninogyt[.]eu 27
cicezomaxyz[.]eu 27
dixyjohevon[.]eu 27
fokisohurif[.]eu 27
volugomymet[.]eu 27
maganomojer[.]eu 27
jefecajazif[.]eu 27
qedylaqecel[.]eu 27
nojotomipel[.]eu 27
gahoqohofib[.]eu 27
rytifaquwer[.]eu 27
kepujajynib[.]eu 27
lyrosajupid[.]eu 27
tuwaraqidek[.]eu 27
pumebeqalew[.]eu 27
cinycekecid[.]eu 27
divulewybek[.]eu 27
vocijekyqiv[.]eu 27
*See JSON for more IOCs

Files and or directories created (Occurrences)
%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp 27
%TEMP%\F1A0.tmp 1
%TEMP%\8350.tmp 1
%TEMP%\6709.tmp 1
%TEMP%\5ABC.tmp 1
%TEMP%\DF95.tmp 1

File Hashes
03ceb23a35bcd7170f8e2293c15aa444406959d789fda9ff9e412cf7a3a6ad90
0a00f10084231e3abf745b456d522c27a284cd17e5824a91026e6511a0073792
0a9d1eec9b14e840863b4948703b4c1a50b8d1c16d6cd6c0191ed55e82864ea3
0aa380118e812371de65b56f760676f611ddda8a7dd422ed1e62214c2a8303d1
0b38f48ffc49f1b53724384bd894702bcf49f2d68c1b84e4e0eeb931d572d294
0b8cfcf3c71b18b73ec50c68115b5d7538eab4d21168272d547e4b6316ed592a
0d8afb797e2ce9f712f3b5fb22317ec97cd8ea55b85855ffb33f362f45e3b706
10d952070cca8a50175e4193e23e798484f215faa6ac8261b37caebb4ae4c22a
16487b9aabc544819f3e1843e196d8e6b982b15ae95b9b599af310c0f4a0763e
1751820a0b3e9669c512077ef08caa8cc8bd7cba8bb54eb97c574ba6dfa09d2d
1bafc4ef3a634e29c71f52e5b0f3ea6ab3cd55e25ef9623d8d21302a13ac4833
21c50af5ea57cf75b6bcf6e74b8008b335a440d4f4fd8499d2abc287116a0100
2473d34831b6fef2e985c045c3a00880d05aceeeac10edf1f09ff38a1cbc44af
2602a1096a4eec7291145b4570c1a0e814c03fba18d3d76d1b82f6e0dacaecf8
2656072242b6777473e258b7f0fc7777cda688fe95f0050f375ffeb12f000c28
2856afa65f2c7f0a23be68ce6899f24a9d3e12fa4f3b00644562e1ecdc06eed1
28b92d2ad7b6c9865a5eda3ca5435cbcd7b24fd0b48ed61c9c7b87af542b88ed
29bc8c64d83b59592ced9e79fd8e242344fedaa9bff3d385ce5372de7e035b4b
2a812fc2558cfe90756a59a8d79ec8da9e14d7fec59cd9bbc5189a67a86629eb
2e7fe1b9448cb0cca242f4b72fd956f21ad262587b88135045bc07a010cec102
3047c7b03f084dc15ddbca4044a0fb2376af8b3799e4316194de8ef1474e1bf8
321f58c68fead768a8465532821b62ec741482135b0a5460d48838433cde6133
32b2f95694db2d96de89e4f8644cbdf68229903053c066499141b323d4acca1a
34beb6169472ea58264460d2673a70128474e9bdb62fe998e5c22f9a4fa61a8c
350596b9f1a539dddfd73cb4d10c605ec8cc8ed227bd2f33f31fddd6f190e7d8
*See JSON for more IOCs

Coverage (Product: Protection)
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: Protected
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: Protected
WSA: Protected

Screenshots of Detection
Secure Endpoint (screenshot)
Secure Malware Analytics (screenshot)

Win.Packed.Fareit-9971247-1 Indicators of Compromise
  • IOCs collected from dynamic analysis of 13 samples

Registry Keys (Occurrences)
Value Name: HWID 13

IP Addresses contacted by malware. Does not indicate maliciousness (Occurrences)
168[.]144[.]38[.]105 13

File Hashes
1acb437594832fbf922ea62142314c31026f4345dfd31cf843acb52eca1aec92
1cc621b3d1a8db17783e813726cee6309e7802110a6d93779b7096e723023628
39b43b15aeb0a1aff4ca35928a2dd25aa6439c2faa24721424a749cd5b376153
57e6addd9c1c9f9367c48020e1f004a26cd6b361c6145ec97e554fd991ca5925
6bc8e9d23757833faff22d586d92d2274283e5bbe400bf07fdd2c5a070f39bd2
84238de8af6828ea6864308ce0ea0f0e798c31c2e105c3b7bf0f238732738d78
8f1566be038140548e9c1350a9ae28d95c1b70b8f79c0ba3ba094ffec8b530c2
914e1a2a9ca34ba6b66795165ea9e57d2817f3aa23ed662a565c9ad6c6476459
a9b1fb4abbebe49a65998d688a02819d8bdc3eeeebad496b94b5f6b27ff4e49b
b7f64dd2cb3cb310bfbbd54e29b4f9c03e94bd474ab487e403aec3357350307a
c6c1fcd270017f81a8113545eb42471f98700eb162ccbd4272b54de6435c4971
f4fd5a689233ea0c7c0d1599f14b68554f5c07f0c12c86981e0eef4be06940be
fb2a62eecd3f1a04e0633f43d472229ef3994de0a212da08d21c9fea8577016e

Coverage (Product: Protection)
Secure Endpoint: Protected
Cloudlock: N/A
CWS: Protected
Email Security: Protected
Network Security: N/A
Stealthwatch: N/A
Stealthwatch Cloud: N/A
Secure Malware Analytics: Protected
Umbrella: N/A
WSA: N/A

Screenshots of Detection
Secure Endpoint (screenshot)
Secure Malware Analytics (screenshot)

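Several entries in the listings above are templates rather than literal values, for example %TEMP%\<random, matching [A-F0-9]{1,4}>.tmp and internal_wutex_0x<random, matching [0-9a-f]{8}>. To hunt for them on a host you have to turn each template into a regular expression. The following Python is an added example, not Talos code and not part of the roundup: it compiles the templated and literal IOC strings quoted from the listings into anchored regexes and runs a small host inventory against them. The inventory of file paths and mutex names, and the profile directory values behind %LOCALAPPDATA% and %TEMP%, are constructed for the example. Paths are tokenized back to the %VAR% form the listing uses and matched case-insensitively, since Windows file names are case-insensitive; mutex names are matched exactly and case-sensitively.

```python
import re

# "<random, matching X>" is the template form used in the IOC listings; X is a regex,
# sometimes wrapped in single quotes.
TEMPLATE = re.compile(r"<random, matching '?(.+?)'?>")


def ioc_to_regex(ioc: str, ignore_case: bool = False) -> re.Pattern:
    """Compile an IOC string to an anchored regex.

    Literal text is escaped; each <random, matching X> segment contributes X as-is.
    """
    parts, pos = [], 0
    for m in TEMPLATE.finditer(ioc):
        parts.append(re.escape(ioc[pos:m.start()]))
        parts.append(f"(?:{m.group(1)})")
        pos = m.end()
    parts.append(re.escape(ioc[pos:]))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def tokenize_path(path: str, env: dict) -> str:
    """Replace a concrete profile directory with the %VAR% token the IOC uses.

    Longest value first, so %TEMP% wins over its %LOCALAPPDATA% prefix.
    """
    for token, value in sorted(env.items(), key=lambda kv: -len(kv[1])):
        if path.lower().startswith(value.lower()):
            return token + path[len(value):]
    return path


def match_artifacts(iocs, artifacts, env):
    """Return (ioc, artifact) pairs for every artifact that matches an IOC.

    IOCs beginning with a %VAR% token are paths: the artifact is tokenized first and
    matched case-insensitively. Everything else (mutex names) is matched as given.
    """
    compiled = [(ioc, ioc_to_regex(ioc, ignore_case=ioc.startswith("%"))) for ioc in iocs]
    hits = []
    for artifact in artifacts:
        for ioc, rx in compiled:
            candidate = tokenize_path(artifact, env) if ioc.startswith("%") else artifact
            if rx.match(candidate):
                hits.append((ioc, artifact))
    return hits


# IOC strings copied from the listings above.
IOCS = [
    r"%LOCALAPPDATA%\<random, matching '[a-z]{8}'>.exe",
    r"Global\674972E3a",
    r"Global\MicrosoftSysenterGate7",
    r"internal_wutex_0x<random, matching [0-9a-f]{8}>",
    r"%TEMP%\<random, matching [A-F0-9]{1,4}>.tmp",
]

# Constructed host inventory; the profile location is an assumption for the example.
ENV = {
    "%LOCALAPPDATA%": r"C:\Users\alice\AppData\Local",
    "%TEMP%": r"C:\Users\alice\AppData\Local\Temp",
}
OBSERVED = [
    r"C:\Users\alice\AppData\Local\qwertyui.exe",    # eight lowercase letters: hit
    r"C:\Users\alice\AppData\Local\qwerty12.exe",    # digits: not the pattern
    r"C:\Users\alice\AppData\Local\Temp\F1A0.tmp",   # hit
    r"C:\Users\alice\AppData\Local\Temp\F1A0G.tmp",  # 'G' is not a hex digit
    "internal_wutex_0x000004b4",                     # hit
    r"Global\674972E3a",                             # hit (literal)
    r"Global\SomethingElse",
]

if __name__ == "__main__":
    for ioc, artifact in match_artifacts(IOCS, OBSERVED, ENV):
        print(f"{artifact}  <-  {ioc}")
```

Feed it the output of a file-system walk and a mutex enumeration from the host you are triaging; anything the templates match is worth pulling and hashing against the File Hashes lists, since a template hit alone is weaker evidence than a hash match.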
Categories: Security Posts

High-severity Microsoft Exchange 0-day under attack threatens 220,000 servers

ArsTechnica: Security Content - Fri, 2022/09/30 - 22:01
Microsoft late Thursday confirmed the existence of two critical vulnerabilities in its Exchange application that have already compromised multiple servers and pose a serious risk to an estimated 220,000 more around the world. The currently unpatched security flaws have been under active exploit since early August, when Vietnam-based security firm GTSC discovered customer networks had been infected with malicious webshells and that the initial entry point was some sort of Exchange vulnerability. The mystery exploit looked almost identical to an Exchange zero-day from 2021 called ProxyShell, but the customers’ servers had all been patched against the vulnerability, which is tracked as CVE-2021-34473. Eventually, the researchers discovered the unknown hackers were exploiting a new Exchange vulnerability.

Webshells, backdoors, and fake sites

“After successfully mastering the exploit, we recorded attacks to collect information and create a foothold in the victim's system,” the researchers wrote in a post published on Wednesday. “The attack team also used various techniques to create backdoors on the affected system and perform lateral movements to other servers in the system.”
Categories: Security Posts

Microsoft: Two New 0-Day Flaws in Exchange Server

Krebs - Fri, 2022/09/30 - 18:51
Microsoft Corp. is investigating reports that attackers are exploiting two previously unknown vulnerabilities in Exchange Server, a technology many organizations rely on to send and receive email. Microsoft says it is expediting work on software patches to plug the security holes. In the meantime, it is urging a subset of Exchange customers to enable a setting that could help mitigate ongoing attacks.

In customer guidance released Thursday, Microsoft said it is investigating two reported zero-day flaws affecting Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability that can enable an authenticated attacker to remotely trigger the second zero-day vulnerability, CVE-2022-41082, which allows remote code execution (RCE) when PowerShell is accessible to the attacker.

Microsoft said Exchange Online has detections and mitigation in place to protect customers. Customers using on-premises Microsoft Exchange servers are urged to review the mitigations suggested in the security advisory, which Microsoft says should block the known attack patterns.

Vietnamese security firm GTSC on Thursday published a writeup on the two Exchange zero-day flaws, saying it first observed the attacks in early August being used to drop “webshells.” These web-based backdoors offer attackers an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser.

“We detected webshells, mostly obfuscated, being dropped to Exchange servers,” GTSC wrote. “Using the user-agent, we detected that the attacker uses Antsword, an active Chinese-based opensource cross-platform website administration tool that supports webshell management. We suspect that these come from a Chinese attack group because the webshell codepage is 936, which is a Microsoft character encoding for simplified Chinese.”

GTSC’s advisory includes details about post-compromise activity and related malware, as well as steps it took to help customers respond to active compromises of their Exchange Server environment. But the company said it would withhold more technical details of the vulnerabilities for now.

In March 2021, hundreds of thousands of organizations worldwide had their email stolen and multiple backdoor webshells installed, all thanks to four zero-day vulnerabilities in Exchange Server. Granted, the zero-day flaws that powered that debacle were far more critical than the two detailed this week, and there are no signs yet that exploit code has been publicly released (that will likely change soon). But part of what made last year’s Exchange Server mass hack so pervasive was that vulnerable organizations had little or no advance notice on what to look for before their Exchange Server environments were completely owned by multiple attackers.

Microsoft is quick to point out that these zero-day flaws require an attacker to have a valid username and password for an Exchange user, but this may not be such a tall order for the hackers behind these latest exploits against Exchange Server.

Steven Adair is president of Volexity, the Virginia-based cybersecurity firm that was among the first to sound the alarm about the Exchange zero-days targeted in the 2021 mass hack. Adair said GTSC’s writeup includes an Internet address used by the attackers that Volexity has tied with high confidence to a China-based hacking group that has recently been observed phishing Exchange users for their credentials.

In February 2022, Volexity warned that this same Chinese hacking group was behind the mass exploitation of a zero-day vulnerability in the Zimbra Collaboration Suite, which is a competitor to Microsoft Exchange that many enterprises use to manage email and other forms of messaging.

If your organization runs Exchange Server, please consider reviewing the Microsoft mitigations and the GTSC post-mortem on their investigations.
Categories: Security Posts

Deepfake Bruce Willis may be the next Hollywood star, and he’s OK with that

ArsTechnica: Security Content - Fri, 2022/09/30 - 18:35
Deepfake Bruce Willis as he appeared in a 2021 commercial for Russian mobile company MegaFon. (credit: MegaFon)

Bruce Willis has sold the "digital twin" rights to his likeness for commercial video production use, according to a report by The Telegraph. This move allows the Hollywood actor to digitally appear in future commercials and possibly even films, and he has already appeared in a Russian commercial using the technology. Willis, who has been diagnosed with a language disorder called aphasia, announced that he would be "stepping away" from acting earlier this year. Instead, he will license his digital rights through a company called Deepcake. The company is based in Tbilisi, Georgia, and is doing business in America while being registered as a corporation in Delaware. In 2021, a deepfake Bruce Willis appeared in a Russian cell phone commercial for MegaFon. Deepcake obtained Willis' likeness by training a deep learning neural network model on his appearances in blockbuster action films from the 1990s. With his facial appearance known, the model can then apply Willis' head to another actor with a similar build in a process commonly called a deepfake. Deepfakes have become popular in recent years on TikTok, with unauthorized deepfakes of Tom Cruise and Keanu Reeves gathering large followings.
Categories: Security Posts

Mystery hackers are “hyperjacking” targets for insidious spying

ArsTechnica: Security Content - Fri, 2022/09/30 - 17:22
For decades, virtualization software has offered a way to vastly multiply computers’ efficiency, hosting entire collections of computers as “virtual machines” on just one physical machine. And for almost as long, security researchers have warned about the potential dark side of that technology: theoretical “hyperjacking” and “Blue Pill” attacks, where hackers hijack virtualization to spy on and manipulate virtual machines, with potentially no way for a targeted computer to detect the intrusion. That insidious spying has finally jumped from research papers to reality with warnings that one mysterious team of hackers has carried out a spree of “hyperjacking” attacks in the wild.

Today, Google-owned security firm Mandiant and virtualization firm VMware jointly published warnings that a sophisticated hacker group has been installing backdoors in VMware’s virtualization software on multiple targets’ networks as part of an apparent espionage campaign. By planting their own code in victims’ so-called hypervisors (the VMware software that runs on a physical computer to manage all the virtual machines it hosts), the hackers were able to invisibly watch and run commands on the computers those hypervisors oversee. And because the malicious code targets the hypervisor on the physical machine rather than the victim’s virtual machines, the hackers’ trick multiplies their access and evades nearly all traditional security measures designed to monitor those target machines for signs of foul play.
Categories: Security Posts

Why Do So Many Data Protection Programs Fail

Zscaler Research - Fri, 2022/09/30 - 17:00
If complex operations and administration are hindering your data protection program’s effectiveness, check out our Data Protection Transformed event, where we'll unveil groundbreaking innovations that will help your program get to where it needs to be.

It astounds me how often I hear about the failure of a data protection program. If I were to pick 10 CISOs out of a lineup, I would guess that half of them have a story about such a failure; worse yet, the other half probably don’t even have a program in place. Your organization’s data is its lifeblood and one of the most valuable things you have to protect, so it’s imperative to learn from mistakes and understand why and how to avoid the typical data protection program pitfalls. So, what are the main reasons a data protection program fails? Two themes appear over and over again: operations and accountability.

When Operations Fail

This one is common, and it harks back to on-premises data loss prevention (DLP) technology. Traditional appliance-based approaches to DLP were popular back in the day, and they’re still prevalent across many large organizations, but they’re inherently complex to manage and administer. Detection depends largely on the quality of your DLP regex signatures, and fine-tuning those requires specialized expertise. Add a healthy dose of day-to-day rinse and repeat and you have a process that can quickly snowball into a full-blown operations nightmare. Many companies find it difficult to keep up with the requirements of such a program, or they simply don’t have the skill set or budget to maintain it.

So, how can this be avoided? We’ll start by stating a simple fact: legacy approaches to DLP are no longer viable. Data has left the data center for the cloud, and users have left the corporate network and are connecting through unsecured networks instead. There’s no more traffic on your network to inspect for data loss, which means you’re likely missing it left and right off-network. Forcing users back onto the network through a DLP appliance kills the user experience as well. Moving to a cloud-based security service edge (SSE) approach is usually the primary response to this challenge, but not all SSE platforms are created equal. A true SSE platform is built with key capabilities in mind, such as:

  • Proven inline inspection at scale: if an SSE platform can’t deliver best-in-class inspection backed by enterprise-grade SLAs, you can’t trust it with your business-critical traffic.
  • ML and behavior analytics to improve detection fidelity and efficacy: an SSE platform should reduce the amount of required customization and administration and deliver simply better data protection.

When Accountability Fails

This data protection challenge is common, and it’s largely a knowledge issue. Most organizations have a wealth of data across multiple departments, some sensitive, some not. How do you know which sensitive data needs to be blocked and which doesn’t? Each business unit has its own unique requirements, and those requirements can be hard to learn. To make matters worse, communication between the data protection team and the business units tends to be far from optimal. You may get a snapshot of data protection requirements by business unit, but as time goes on these requirements change and, because of the lack of communication, are never updated. The result is policy gaps that can lead to data loss.

To avoid this outcome, you need the right security. A cloud-delivered data protection platform drastically helps with visibility: because all devices and cloud apps, on- and off-network, are inspected by the platform, you gain visibility that an on-premises DLP cannot give you. That said, you still need to understand the classifications of the data being transferred as well as what types of sensitive data are leaving your organization. Look for a platform with strong classification engines and the ability to scale inspection with ease across organizational traffic. As you illuminate the data leaving your organization, you’ll quickly discover risk areas and behaviors that help you close the gaps on the data you need to protect.

Building the Right Data Protection Program

As you think through your organization's data protection needs and evaluate your options for platforms, it’s important to take one thing away: having something is better than nothing. Many organizations don’t even have a protection program because of all the challenges that come with creating one. It’s important to realize that there is no one-size-fits-all approach to data protection. Every company has its own needs, requirements, and culture, and these will shape how it structures its program. One thing is clear, though: a purpose-built, cloud-delivered platform that provides scalability, performance, and intelligent visibility is fundamental to a great data protection program.
Categories: Security Posts

Exchange Server 0-Day Actively Exploited, (Fri, Sep 30th)

SANS Internet Storm Center, InfoCON: green - Fri, 2022/09/30 - 15:43
In a blog post, Vietnamese security company GTSC noted that they saw evidence of a new "ProxyShell"-like vulnerability being exploited in the wild. The evidence came from compromised Exchange servers GTSC observed when responding to incidents [1]. Later, Trend Micro confirmed that two vulnerabilities tracked by Trend Micro's Zero Day Initiative were involved in the compromise described by GTSC [2]. Trend Micro had reported the vulnerabilities to Microsoft about a month ago. Microsoft has now published a blog post with its own guidance [3]. Microsoft identified two vulnerabilities as contributing to the recent incidents:

  • CVE-2022-41040: A Server Side Request Forgery (SSRF) issue.
  • CVE-2022-41082: A remote code execution (RCE) issue.

The SSRF vulnerability can be used to trigger the RCE vulnerability. An attacker does need to be authenticated to exploit the SSRF vulnerability, so valid credentials for an Exchange user are a prerequisite.

No patch is available if you run Microsoft Exchange on-premises, but you can use URL rewrite rules to prevent exploitation. Post-exploitation, rules in Microsoft Sentinel and Microsoft Defender for Endpoint can be used to detect webshells and HTTP rewrite payloads installed by attackers. There is no word yet on a possible patch being released early, but the URL rewrite workaround should be sufficient for now. And please make sure all available patches are applied: Microsoft Exchange servers are a top target for attackers these days.

[1] GTSC blog post
[2] Trend Micro Zero Day Initiative
[3] Microsoft guidance blog post
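The URL rewrite workaround and the post-exploitation hunting both hinge on one request shape. The following Python is an added example, not part of the ISC diary and not Microsoft's code: it applies the request pattern from Microsoft's initial URL Rewrite mitigation to two tasks, checking whether a given request URI would be aborted by the rule, and scanning an IIS W3C log for requests of that shape that were already served. The IIS log lines are constructed for the example, and the pattern is the one from the initial guidance (Microsoft revised it afterwards, so copy the current string from the advisory rather than from here). A matched request that got a 200 is the one to investigate; a 401 on the same shape means the sender had no valid credentials at that moment, which still tells you someone is probing, since the SSRF requires authentication.

```python
import re
from dataclasses import dataclass

# Request pattern from Microsoft's initial (Sept. 29, 2022) URL Rewrite mitigation,
# applied to {REQUEST_URI} with the action "Abort Request". Assumption: this is the
# first published form; Microsoft revised it later, so prefer the current guidance.
MITIGATION_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def would_be_blocked(request_uri: str) -> bool:
    """True if the rewrite rule above would abort this request URI (stem + query)."""
    return MITIGATION_PATTERN.match(request_uri) is not None


@dataclass
class Hit:
    client_ip: str
    request_uri: str
    status: int


def parse_w3c(log_text: str):
    """Yield one dict per request from an IIS W3C log, naming columns from #Fields:.

    Real logs carry more columns than the sample; the header drives the mapping,
    so column order does not matter.
    """
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_hits(log_text: str) -> list:
    """Requests whose logged stem+query match the mitigation pattern."""
    hits = []
    for row in parse_w3c(log_text):
        query = row["cs-uri-query"]
        uri = row["cs-uri-stem"] + ("" if query == "-" else "?" + query)
        if would_be_blocked(uri):
            hits.append(Hit(row["c-ip"], uri, int(row["sc-status"])))
    return hits


# Constructed IIS log, not from any real incident. Rows 1 and 3 have the request
# shape the mitigation blocks; only row 1 was answered with a 200.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-09-30 08:12:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/powershell 443 203.0.113.7 200
2022-09-30 08:12:05 10.0.0.5 GET /owa/auth/logon.aspx - 443 198.51.100.9 200
2022-09-30 08:13:11 10.0.0.5 POST /autodiscover/autodiscover.json @example.com/PowerShell 443 203.0.113.7 401
2022-09-30 08:14:00 10.0.0.5 GET /ecp/default.aspx - 443 198.51.100.9 200
"""

if __name__ == "__main__":
    for h in find_hits(SAMPLE_IIS_LOG):
        flag = "INVESTIGATE" if h.status == 200 else "probe"
        print(f"{flag:11} {h.client_ip} {h.status} {h.request_uri}")
```

Point find_hits at the concatenated logs under the IIS logging directory of the Exchange front end; a hit with a 200 from before the rewrite rule was deployed is the signal to look for webshells on that server, and would_be_blocked is a quick way to confirm the rule you deployed actually covers the request shapes you are seeing.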
Johannes B. Ullrich, Ph.D., Dean of Research
(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Naked Security Sophos - Fri, 2022/09/30 - 15:25
Double-play 0-day in Exchange - what you need to know, and what you can do
Categories: Security Posts

Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws

Wired: Security - Fri, 2022/09/30 - 13:00
Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.
Categories: Security Posts

Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium

ESET - Fri, 2022/09/30 - 12:00
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers.
Categories: Security Posts

How analyzing employee behavior can improve your cybersecurity posture

AlienVault Blogs - Fri, 2022/09/30 - 12:00
This blog was written by an independent guest blogger.

Despite the ongoing rise in social engineering attacks, the idea that cybersecurity is only about technology persists in most of our minds. Organizations often neglect the impact of human behavior on their cybersecurity posture. Instead, they spend lavishly on endpoint security tools, threat hunting programs, and incident response plans. Admittedly, these security measures are a crucial part of mitigating attacks. However, it is critical to remember the role of your employees in maintaining a robust cybersecurity posture, specifically as cybercriminals have been increasingly targeting and exploiting human behavior.

How employee behavior impacts cybersecurity

A study by IBM highlights human error as a factor in 95% of cybersecurity breaches. Although human errors are by definition unintentional and generally stem from a lack of awareness, they can often have serious consequences. In other words, an unsuspecting employee who falls victim to a phishing attack can expose their organization to a significant data breach, causing major operational, reputational, and financial damage. One such example is the Sequoia Capital attack, which succeeded because an employee fell victim to phishing. The company, known as Silicon Valley's oldest notable venture fund, was hacked in February 2021. The attack exposed some of its investors' personal and financial information to third parties, resulting in significant damage to the company. Such attacks demonstrate the consequences of inadequate phishing awareness training, which every organization must provide to its employees. In this sense, simulated micro-learning can be highly effective at teaching teams to recognize potentially malicious messages. A recent report by Hoxhunt found that after some 50 simulations, people’s “failure rates” plummeted from 14% to 4%. By being exposed to simulated phishing attacks over time, they became far more skilled at recognizing them.

Beyond educational solutions, ensuring that your employees practice proper password hygiene is likewise critical. Although passwords have played a remarkable role in securing systems, relying on a single password leaves your organization vulnerable, since it can be stolen or compromised. Users who are unaware of password security may choose generic passwords such as "12345", which fall to dictionary and brute-force attacks in seconds. These practices are standard in an organization that neither deploys a secure password manager nor has strict password security guidelines for employees to follow.

How can your employees help maintain cybersecurity?

The significant rise in social engineering attacks and the ongoing occurrence of data breaches due to human error have reinforced the idea that humans are the weakest link in cybersecurity. A workforce that can be distracted or tricked is indeed a liability. However, this narrative is hardly set in stone. With the strategies below in place, it’s possible to maximize team vigilance and circumvent much of the risk associated with human error.

Integrate the principle of least privilege access

The principle of least privilege has become a crucial aspect of effective cybersecurity. Under it, every user, application, or process receives only the permissions necessary to complete a particular task. In other words, access within an organization is scoped so that every employee has access only to the sensitive information they need to do their work. This significantly strengthens an organization's cybersecurity posture. It does not eliminate human error, but it limits the damage a single mistake can cause and minimizes the attack surface in case of a compromise: any account that an attacker breaks into will only expose limited information.

Help employees deploy proper password security

Maintaining password security is a crucial step every organization needs to take to strengthen its cybersecurity posture. Since many employees are lax about password security, it falls upon organizational leaders and policies to ensure people adhere to best practices. The most crucial step is to adopt multi-factor authentication (MFA). As the name implies, this commonly involves a code generated on request and received on a personal device or by email, in addition to the password. This raises the bar considerably, since a stolen password alone no longer grants access. It is not absolute: one-time codes can be phished or relayed in real time, and push prompts can be approved by a tired user, so prefer phishing-resistant factors such as FIDO2 security keys where you can. Apart from that, organizations can also use managed single sign-on (SSO) services and secure password management platforms that store complex passwords behind additional layers of security.

Educate and spread awareness regarding phishing attacks

Phishing attacks are a menace and are not going away anytime soon. Since these attacks exploit human behavior and psychology, many of them succeed, and that success rate is what keeps phishing on the rise. In the last year alone, 83% of organizations report having experienced a phishing attack. Organizations must therefore provide adequate training and awareness regarding phishing attacks, whether through seminars and exercises or through gamified applications and software that improve training.

Strictly monitor employee behavior

Not every human-enabled attack is caused by an unsuspecting employee. Insider threats are also a common occurrence that every organization needs to remain vigilant about. It is, therefore, crucial for businesses to monitor their employees’ behavior and to notice whether any employee shows signs of malice against the organization. Organizations can also hire third-party vendors to conduct human reconnaissance, studying individuals' online and everyday activities to gain insight into their personalities. Such background checks can help management identify any wolf in sheep's clothing prowling in their midst.

Implement identity and access management

Identity and access management (IAM) is a set of techniques designed to ensure that only the right person or job role is allowed access to a particular tool, information, or resource. Implementing IAM lets the organization grant and revoke access to employee applications centrally, rather than administering each application separately. Moreover, it also manages a range of identities, including people, software, and even hardware. Proper implementation of IAM not only enhances productivity but also improves security. It minimizes the chances of slip-ups such as lost passwords and makes access to sensitive information both secure and easy.

Final words

To do their jobs well, employees need access to many types of information and resources. Because humans can be tricked in ways that technology can’t detect, they are also the easiest targets for threat actors. Since employees play such a crucial role, analyzing and learning about their behavior can help the organization understand the weaknesses and cracks in its cybersecurity posture, and help leaders deploy adequate training and tools.
Categories: Security Posts

Devices that offset their carbon footprint and can be paid for in cryptocurrency with @Bit2Me

Un informático en el lado del mal - Fri, 2022/09/30 - 07:25
Ayer tuvimos nuestro Metaverse Day en Telefónica, donde anunciamos muchas cosas, pero para que no se pierdan todas en la maraña de información, quería ir desgranando poco a poco lo que contamos, que fueron muchas cosas. Y para empezar, quería hablaros de la integración que hemos hecho de la pasarela de pago de Bit2Me en nuestra tienda de dispositivos
Figure 1: Devices that offset their carbon footprint and are paid for in cryptocurrencies on with Bit2Me. is an online store platform that we use at Telefónica Digital to run innovation experiments that let us gather results and evolve the e-commerce sites of the whole group. There we test different types of devices and different promotion, sales and financing techniques, but we also use it to understand the new ways in which consumers shop.
Figure 2: Refurbished devices. See the full catalogue at
The device catalogue is not very large, because our goal is to sell a fairly small subset, but with different A/B testing strategies that teach us something. For example, on there is a large catalogue of refurbished devices, a market trend that we have incorporated into our channels.
Figure 3: Offsetting 50 kg of CO2
We have also made an effort to make this world more sustainable, so the devices also offset their carbon footprint. When you select a device to buy, we give you detailed information about its Eco Rating, and we offset 50 kg of CO2 on your behalf.
Figure 4: Eco Rating of the Samsung Galaxy A22 5G 128GB
This helps create a more sustainable consumption model, which is one of the biggest concerns for many people today. For example, this Samsung shows, as you can see in the image above, its carbon footprint offset in Eco Rating format.
Figure 5: Microsoft Xbox Series S 512 GB console with crypto payment via Bit2Me
Now we have gone one step further and integrated the Bit2Me payment gateway for a large set of devices priced between €200 and €500, so that users who wish to can pay with cryptocurrencies in a simple way.
Figure 6: Bit2Me payment gateway on
Bit2Me is a DeFi (Decentralized Finance) platform that gives users a cryptocurrency wallet, plus a payment gateway for e-commerce sites that converts crypto to euros or dollars during the checkout process in the simplest way possible. So, if you wish, you can pay with cryptocurrencies in an integrated way from the e-commerce platform itself at
Figure 7: Completing the crypto payment on thanks to Bit2Me
In the end, the world of tokenomics is going to open up new ways of transferring value, and e-commerce sites will gradually open up to this coming world, so at we wanted to be among the first to experiment with these new Web3 payment methods, and thanks to our colleagues at Bit2Me it is now a reality.
Evil greetings!
Author: Chema Alonso (Contact Chema Alonso)

Categories: Security Posts

S3 Ep102: How to avoid a data breach [Audio + Transcript]

Naked Security Sophos - Thu, 2022/09/29 - 20:45
Latest episode - listen now! Tell fact from fiction in hyped-up cybersecurity news...
Categories: Security Posts

Update: Version 0.0.11

Didier Stevens - Wed, 2022/09/28 - 23:40
This new version of rtfdump, my tool to analyze RTF files, brings JSON output for options -O and -F.
MD5: AFC884082B251BF288B05203DD5D4F69
SHA256: CB3984924137897F75E62C3A835BB9197CBF1DDBD6BCFB3E18423999B06A36C8
Categories: Security Posts

Healthcare Industry Leads the Way in Fixing Software Flaws

Zero in a bit - Thu, 2022/09/22 - 22:06
The healthcare industry is transforming patient care through software, from 24/7 digital patient portals, to AI-fueled medical research, and everything in between. As innovation reaches new heights, how does healthcare stack up against other sectors in terms of software security flaws and the ability to remediate them? Our latest State of Software Security Report found that 77 percent of applications in this sector have vulnerabilities – a slight uptick from last year’s 75 percent – with 21 percent considered high severity. Healthcare takes first place for fixing flaws at 27 percent. Developers in the space should be applauded for tackling complex authentication issues and insecure dependencies with success over the last 12 months. When clocking the time it takes to remediate flaws found by static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA), healthcare organizations fall right in the middle of the pack. It’s also worth mentioning that healthcare…
Categories: Security Posts

It pays to be Circomspect

By Fredrik Dahlgren, Staff Security Engineer

In October 2019, a security researcher found a devastating vulnerability in , a decentralized, non-custodial mixer on the Ethereum network. uses zero-knowledge proofs (ZKPs) to allow its users to privately deposit and withdraw funds. The proofs are supposed to guarantee that each withdrawal can be matched against a corresponding deposit to the mixer. However, because of an issue in one of the ZKPs, anyone could forge a proof of deposit and withdraw funds from the system. At the time, the team saved its users’ funds by exploiting the vulnerability to drain the funds from the mixer before the issue was discovered by someone else. Then they patched the ZKPs and migrated all user funds to a new version of the contract. Considering the severity of the underlying vulnerability, it is almost ironic that the fix consisted of just two characters.

The fix: Simply replace = by <== and all is well (obviously!).

This bug would have been caught using Circomspect, a new static analyzer for ZKPs that we are open-sourcing today. Circomspect finds potential vulnerabilities and code smells in ZKPs developed using Circom, the language used for the ZKPs deployed by . It can identify a wide range of issues that can occur in Circom programs. In particular, it would have found the vulnerability in early in the development process, before the contract was deployed on-chain.

How Circom works

was developed using Circom, a domain-specific language (DSL) and a compiler that can be used to generate and verify ZKPs. ZKPs are powerful cryptographic tools that allow you to make proofs about a statement without revealing any private information. For complex systems like a full computer program, the difficult part in using ZKPs becomes representing the statement in a format that the proof system can understand. Circom and other DSLs are used to describe a computation, together with a set of constraints on the program inputs and outputs (known as signals).

The Circom compiler takes a program and generates a prover and a verifier. The prover can be used to run the computation described by the DSL on a set of public and private inputs to produce an output, together with a proof that the computation was run correctly. The verifier can then take the public inputs and the computed output and verify them against the proof generated by the prover. If the public inputs do not correspond to the provided output, this is detected by the verifier. The following figure shows a small toy example of a Circom program allowing the user to prove that they know a private input x such that x^5 - 2x^4 + 5x - 4 = 0:

A toy Circom program where the private variable x is a solution to a polynomial equation

The line y <== x5 - 2 * x4 + 5 * x - 4 tells the compiler two things: that the prover should assign the value of the right-hand side to y during the proof generation phase (denoted y <-- x5 - 2 * x4 + 5 * x - 4 in Circom), and that the verifier should ensure that y is equal to the right-hand side during the proof verification phase (denoted y === x5 - 2 * x4 + 5 * x - 4 in Circom). This type of duality is often present in zero-knowledge DSLs like Circom. The prover performs a computation, and the verifier has to ensure that the computation is correct. Sometimes these two sides of the same coin can be described using the same code path, but sometimes (for example, due to restrictions on how constraints may be specified in R1CS-based systems like Circom) we need to use different code to describe computation and verification. If we forget to add instructions describing the verification steps corresponding to the computation performed by the prover, it may become possible to forge proofs.

The vulnerability

In the case of , it turned out that the MIMC hash function used to compute the Merkle tree root in the proof used only the assignment operator <-- when defining the output. (Actually, it uses =, as demonstrated in the GitHub diff above. However, in the previous version of the Circom compiler, this was interpreted in the same way as <--. Today, this code would generate a compilation error.) As we have seen, this only assigned a value to the output during proof generation, but did not constrain the output during proof verification, leaving the verifying contract vulnerable.

Our new Circom bug finder, Circomspect

Circomspect is a static analyzer and linter for programs written in the Circom DSL. Its main use is as a tool for reviewing the security and correctness of Circom templates and functions. The implementation is based on the Circom compiler and uses the same parser as the compiler does. This ensures that any program that the compiler can parse can also be parsed using Circomspect. The abstract syntax tree generated by the parser is converted to static single-assignment form, which allows us to perform simple data flow analyses on the input program. The current version implements a number of analysis passes, checking Circom programs for potential issues like unconstrained signals, unused variables, and shadowing variable declarations. It warns the user about each use of the signal assignment operator <--, and can often detect if a circuit uses <-- to assign a quadratic expression to a signal, indicating that the signal constraint assignment operator <== could be used instead. This analysis pass would have found the vulnerability in described above. Not all issues flagged by Circomspect represent vulnerabilities; rather, they are locations that should be reviewed to make sure that the code does what is expected. As an example of the types of issues Circomspect can find, consider the following function from the circom-pairing repository:

An example function from the circom-pairing repository

This function may look a bit daunting at first sight. It implements inversion modulo p using the extended Euclidean algorithm.
Running Circomspect on the containing file yields a number of warnings telling us that the assignments to the arrays y, v, and newv do not contribute to the return value of the function, which means that they cannot influence either witness or constraint generation.

Running Circomspect on the function find_Fp_inverse produces a number of warnings.

A closer look at the implementation reveals that the variable y is used only to compute newv, while newv is used only to update v, and v is used only to update y. It follows that none of the variables y, v, and newv contribute to the return value of the function find_Fp_inverse, and all can safely be removed. (As an aside, this makes complete sense, since running the extended Euclidean algorithm on two coprime integers num and p computes two integers x and y such that x * num + y * p = 1. This means that if we’re interested in the inverse of num modulo p, it is given by x, and the value of y is not needed. Since x and y are computed independently, the code used to compute y can safely be removed.)

Improving the state of ZKP tooling

Zero-knowledge DSLs like Circom have democratized ZKPs. They allow developers without a background in mathematics or cryptography to build and deploy systems that use zero-knowledge technology to protect their users. However, since ZKPs are often used to protect user privacy or assure computational integrity, any vulnerability in a ZKP typically has serious ramifications for the security and privacy guarantees of the entire system. In addition, since these DSLs are new and emerging pieces of technology, there is very little tooling support available for developers. At Trail of Bits, we are actively working to fill that void. Earlier this year we released Amarna, our static analyzer for ZKPs written in the Cairo programming language, and today we are open sourcing Circomspect, our static analyzer and linter for Circom programs.

Circomspect is under active development and can be installed from or downloaded from the Circomspect GitHub repository. Please try it out and let us know what you think! We welcome all comments, bug reports, and ideas for new analysis passes.
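To make the assignment/constraint duality from the toy example concrete, here is an added Python model (not from the Trail of Bits post, and not Circom or Circomspect code) of the <--, === and <== operators applied to the post's polynomial x^5 - 2x^4 + 5x - 4. It uses a small toy prime in place of Circom's scalar field; the Circuit class and the function names are this example's own.

```python
# Added example: a tiny model of Circom's three operators on the post's toy circuit
# (x^5 - 2x^4 + 5x - 4 = 0). Not Circom, not Circomspect; the Circuit class is this demo's own.
P = 101  # toy prime standing in for Circom's (much larger) scalar field


class Circuit:
    def __init__(self):
        self.assignments = []   # (signal, expr): executed by the prover, like "<--"
        self.constraints = []   # (signal, expr): checked by the verifier, like "==="

    def assign(self, sig, expr):            # Circom "<--": witness generation only
        self.assignments.append((sig, expr))

    def constrain(self, sig, expr):         # Circom "===": verification only
        self.constraints.append((sig, expr))

    def assign_constrain(self, sig, expr):  # Circom "<==": both at once
        self.assign(sig, expr)
        self.constrain(sig, expr)

    def prove(self, inputs):
        """Prover side: evaluate every assignment in order to build the witness."""
        witness = dict(inputs)
        for sig, expr in self.assignments:
            witness[sig] = expr(witness) % P
        return witness

    def verify(self, witness):
        """Verifier side: only the recorded constraints are checked against the witness."""
        return all(witness[sig] % P == expr(witness) % P for sig, expr in self.constraints)


def build_toy_circuit(output_op):
    """output_op is Circuit.assign ("<--", the bug class) or Circuit.assign_constrain ("<==")."""
    c = Circuit()
    # Intermediate signals keep every constraint quadratic, as Circom's R1CS backend requires.
    c.assign_constrain("x2", lambda w: w["x"] * w["x"])
    c.assign_constrain("x4", lambda w: w["x2"] * w["x2"])
    c.assign_constrain("x5", lambda w: w["x4"] * w["x"])
    output_op(c, "y", lambda w: w["x5"] - 2 * w["x4"] + 5 * w["x"] - 4)
    return c


def honest_run(output_op, x):
    """Returns (computed y, verifier accepts) for an honest prover with private input x."""
    circ = build_toy_circuit(output_op)
    w = circ.prove({"x": x})
    return w["y"], circ.verify(w)


def forged_run(output_op, x):
    """A cheating prover keeps the honest intermediates but claims y = 0 for a non-root x."""
    circ = build_toy_circuit(output_op)
    w = circ.prove({"x": x})
    w["y"] = 0
    return circ.verify(w)


if __name__ == "__main__":
    print(honest_run(Circuit.assign_constrain, 1))   # x = 1 is a root: (0, True)
    print(honest_run(Circuit.assign_constrain, 2))   # (6, True): y != 0, honestly reported
    print(forged_run(Circuit.assign_constrain, 2))   # False: "<==" constrains y, forgery rejected
    print(forged_run(Circuit.assign, 2))             # True: "<--" leaves y unconstrained
```

The last two calls are the whole story of the two-character fix: with <-- on the output signal the verifier never looks at y, so any claimed output passes.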
Categories: Security Posts

Sharkbot is back in Google Play

Fox-IT - Fri, 2022/09/02 - 13:07
Authored by Alberto Segura (main author) and Mike Stokkel (co-author)

Introduction

After we discovered the SharkBotDropper in Google Play in February 2022, posing as a fake Android antivirus and cleaner, we have now detected a new version of this dropper active in Google Play and dropping a new version of Sharkbot.
This new dropper doesn’t rely on Accessibility permissions to automatically install the dropped Sharkbot malware. Instead, this new version asks the victim to install the malware as a fake update for the antivirus, to stay protected against threats.
We have found two SharkbotDropper apps active in the Google Play Store, with 10K and 50K installs respectively. The Google Play droppers are downloading the full-featured Sharkbot V2, discovered some time ago by ThreatFabric. On the 16th of August 2022, Fox-IT’s Threat Intelligence team observed new command-and-control servers (C2s) that were providing a list of targets including banks outside of the United Kingdom and Italy. The newly targeted countries in those C2s were: Spain, Australia, Poland, Germany, United States of America and Austria. On the 22nd of August 2022, Fox-IT’s Threat Intelligence team found a new Sharkbot sample with version 2.25, communicating with the command-and-control servers mentioned previously. This Sharkbot version introduced a new feature to steal session cookies from victims who log into their bank account.

The new SharkbotDropper in Google Play

In the previous versions of SharkbotDropper, the dropper was abusing accessibility permissions in order to install the dropped malware automatically. To do this, the dropper made a request to its command-and-control server, which provided a URL to download the full-featured Sharkbot malware and a list of steps to automatically install the malware, as we can see in the following image. Abusing the accessibility permissions, the dropper was able to automatically click all the buttons shown in the UI to install Sharkbot. But this is not the case in this new version of the dropper for Sharkbot. The dropper instead makes a request to the C2 server to directly receive the APK file of Sharkbot. It won’t receive a download link alongside the steps to install the malware using the ‘Automatic Transfer Systems’ (ATS) features, which it normally did. In order to make this request, the dropper uses the following code, in which it prepares the POST request body with a JSON object containing information about the infection. The body of the request is encrypted using RC4 and a hard-coded key.
In order to complete the installation on the infected device, the dropper asks the user to install this APK as an update for the fake antivirus, which results in the malware starting an Android Intent to install the fake update. This way, the new version of the Sharkbot dropper now installs the payload in a non-automatic way, which makes it harder to get installed (since it depends on user interaction), but it is now more difficult to detect before being published in the Google Play Store, since it doesn’t need the accessibility permissions, which are always suspicious.
Besides this, the dropper has also removed the ‘Direct Reply’ feature, used to automatically reply to notifications received on the infected device. This is another feature which needs suspicious permissions, and removing it makes the dropper more difficult to detect. To make detection of the dropper by Google’s review team even harder, the malware contains a basic configuration that is hard-coded and encrypted using RC4, as we can see in the following image. The decrypted configuration, as we can see in the following image, contains the list of targeted applications, the C2 domain and the countries targeted by the campaign (in this example the UK and Italy). If we look carefully at the code used to check the installed apps against the targeted apps, we can see that it first makes another check in the first lines:

    String lowerCase = ((TelephonyManager) App.f7282a.getSystemService("phone")).getSimCountryIso().toLowerCase();
    if (!lowerCase.isEmpty() && this.f.getString(0).contains(lowerCase))

Besides having at least one of the targeted apps installed on the device, the SharkbotDropper is checking whether the SIM provider’s country code is one of the ones included in the configuration; in this campaign it must be GB or IT. If it matches and the device has any of the targeted apps installed, then the dropper can request the full malware download from the C2 server. This way, it is much more difficult to check whether the app is dropping something malicious. But this is not the only way to make sure only targeted users are infected: the app published in Google Play is only available to install in the United Kingdom and Italy. After the dropper installs the actual Sharkbot v2 malware, it’s time for the malware to ask for accessibility permissions to start stealing the victim’s information.

Sharkbot 2.25-2.26: New features to steal cookies

The Sharkbot malware keeps the usual information-stealing features we introduced in our first post about Sharkbot:
  • Injections (overlay attacks): this feature allows Sharkbot to steal credentials by showing a fake website (phishing) inside a WebView. It is shown as soon as the malware detects that one of the banking applications has been opened.
  • Keylogging: this feature allows Sharkbot to receive every accessibility event produced on the infected device; this way, it can log events such as button clicks, changes in TextFields, etc., and finally send them to the C2.
  • SMS intercept: this feature allows Sharkbot to receive every text message received on the device, and send it to the C2.
  • Remote control/ATS: this feature allows Sharkbot to simulate accessibility events such as button clicks, physical button presses, TextField changes, etc. It is used to automatically make financial transactions using the victim’s device; this way, the threat actors don’t need to log in to the stolen bank account, bypassing a lot of the security measures.
Those features were present in Sharkbot 1 and also in Sharkbot 2, which didn’t change much with respect to the implemented information-stealing features. As ThreatFabric pointed out in their tweet, Sharkbot 2, which was detected in May 2022, is a code refactor of the malware and introduces a few changes related to the C2 Domain Generation Algorithm (DGA) and the protocol used to communicate with the server.
Version 2 introduced a new DGA, with new TLDs and new code, since it now uses MD5 to generate the domain name instead of Base64. We have not observed any big changes until version 2.25, in which the developers of Sharkbot have introduced a new and interesting feature: cookie stealing, or cookie logger. This new feature allows Sharkbot to receive a URL and a User-Agent value (using a new command, ‘logsCookie’); these are used to open a WebView loading this URL, with the received User-Agent as header, as we can see in the following images of the code. Once the victim has logged in to their bank account, the malware receives the PageFinished event and gets the cookies of the website loaded inside the malicious WebView, to finally send them to the C2.

New campaigns in new countries

During our research, we observed that the newer C2 servers are providing new targeted applications in Sharkbot’s configuration. The list of targeted countries has grown to include Spain, Australia, Poland, Germany, United States of America and Austria. But the interesting thing is that the new targeted applications are not targeted using the typical web injections; instead, they are targeted using the keylogging (grabber) features. This way, the malware is stealing information from the text shown inside the official app. As we can see in the following image, the focus seems to be getting the account balance and, in some cases, the password, by reading the content of specific TextFields. Also, for some of the targeted applications, the malware provides within the configuration a list of ATS configurations used to avoid the fingerprint-based login, so that the usual username and password form is shown. This allows the malware to steal the credentials using the previously mentioned ‘keylogging’ features, since avoiding the fingerprint login should make the app ask for credentials.

Conclusion

Since we published our first blog post about Sharkbot in March 2022, in which we detected the SharkbotDropper campaigns within the Google Play Store, the developers have been working hard to improve their malware and the dropper. In May, ThreatFabric found a new version of Sharkbot, version 2.0, which was a refactor of the source code and included some changes in the communication protocol and in the DGA. Until now, Sharkbot’s developers seem to have been focusing on the dropper in order to keep using the Google Play Store to distribute their malware in the latest campaigns. These latest campaigns still use fake antivirus and Android cleaners to install the dropper from Google Play. With all these changes and new features, we are expecting to see more campaigns, targeted applications, targeted countries and changes in Sharkbot this year.

Indicators of compromise

SharkbotDropper samples published in Google Play:
  • hxxps://[.]com/store/apps/details?id=com.kylhavy.antivirus
  • hxxps://[.]com/store/apps/details?id=com.mbkristine8.cleanmaster
Dropper Command-and-control (C2):
  • hxxp://mefika[.]me/
Sharkbot 2.25 (introducing new Cookie stealing features):
  • Hash: 7f2248f5de8a74b3d1c48be0db574b1c6558d6edae347592b29dc5234337a5ff
  • C2: hxxp://browntrawler[.]store/ (185.212.47[.]113)
Sharkbot v2.26 sample:
  • Hash: 870747141b1a2afcd76b4c6482ce0c3c21480ae3700d9cb9dd318aed0f963c58
  • C2: hxxp://browntrawler[.]store/ (185.212.47[.]113)
DGA Active C2s:
  • 23080420d0d93913[.]live (185.212.47[.]113)
  • 7f3e61be7bb7363d[.]live (185.212.47[.]113)
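As an added analysis example (not Fox-IT's code and not code from the dropper), the following Python models the two dropper behaviours described above: the RC4-encrypted, hard-coded configuration an analyst recovers from the APK, and the SIM-country plus targeted-app gate that decides whether the payload is ever requested from the C2. The key, the configuration contents, the package names and the function names are all constructed for this demo; the real key and configuration are not reproduced.

```python
# Added example: models the dropper's RC4-encrypted config and its SIM-country / target-app gate.
# Everything below (key, config, package names) is constructed for the demo.
import json

DEMO_KEY = b"constructed-demo-key"   # placeholder; the dropper's real hard-coded key is not reproduced


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for the encrypted blob an analyst would carve out of the APK. The fields
# mirror what the post says the decrypted config holds: targeted apps, the C2 domain and the
# targeted countries (kept as one comma-separated string, since the snippet matches it with contains()).
DEMO_CONFIG = {
    "targets": ["com.example.bank", "com.example.wallet"],
    "c2": "c2.example.invalid",
    "countries": "gb,it",
}
ENCRYPTED_CONFIG = rc4(DEMO_KEY, json.dumps(DEMO_CONFIG).encode())


def decrypt_config(blob: bytes, key: bytes) -> dict:
    """Analyst step: recover the hard-coded configuration from the RC4 blob."""
    return json.loads(rc4(key, blob).decode())


def dropper_would_fetch_payload(config: dict, sim_country_iso: str, installed_packages) -> bool:
    """Re-implements the gate from the decompiled snippet: the lower-cased SIM country must be
    non-empty and appear in the configured country string, AND at least one targeted package must
    be installed. Only then does the dropper ask the C2 for the Sharkbot APK."""
    country = sim_country_iso.lower()
    if not country or country not in config["countries"]:
        return False
    return any(pkg in config["targets"] for pkg in installed_packages)


if __name__ == "__main__":
    cfg = decrypt_config(ENCRYPTED_CONFIG, DEMO_KEY)
    print("C2:", cfg["c2"])
    # A UK device with a targeted banking app triggers the download; an analysis device with a
    # US SIM, or no SIM at all, never does, which is why the behaviour is easy to miss in review.
    print("GB + target app:", dropper_would_fetch_payload(cfg, "GB", ["com.example.bank"]))
    print("US + target app:", dropper_would_fetch_payload(cfg, "US", ["com.example.bank"]))
    print("No SIM + target app:", dropper_would_fetch_payload(cfg, "", ["com.example.bank"]))
```

For a reviewer or sandbox, the practical takeaway is that the download stage is only observable when both conditions are met, so analysis of such a dropper has to reproduce a targeted SIM country and a targeted installed app.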
Categories: Security Posts
Syndicate content