Security Posts
Infocon: green
Predictive Policing Software Terrible at Predicting Crimes
A software company sold a New Jersey police department an algorithm that was right less than 1 percent of the time.
Categorías: Security Posts
ISC Stormcast For Monday, October 2nd, 2023 https://isc.sans.edu/podcastdetail/8682, (Mon, Oct 2nd)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categorías: Security Posts
AT&T Cybersecurity: championing global cybersecurity education & awareness
In an era dominated by technological evolution, Cybersecurity Awareness Month 2023, now celebrating its 20th year, accentuates the growing significance of cybersecurity. This initiative encourages individuals and organizations to embrace crucial cybersecurity measures to help with online safety. AT&T Cybersecurity once again demonstrates its commitment to this cause by actively participating in this pivotal educational month.
Cybersecurity is working all the time, everywhere, whenever you use technology.
As technology permeates every aspect of our lives, from mobile devices to connected home appliances, the necessity for robust cybersecurity has never been more pronounced. Cybercriminals persistently devise methods to compromise technology, aiming to disrupt personal and professional realms. For two decades, Cybersecurity Awareness Month has sought to underline these burgeoning challenges and offer clear, actionable advice to help people construct a secure digital environment for themselves and others.
Businesses such as AT&T Cybersecurity care about every part of the process, including awareness.
Specializing in business security services, AT&T Cybersecurity safeguards businesses through cybersecurity consulting and managed security services. AT&T also protects consumers through AT&T ActiveArmor and security built into its network. The company emphasizes the importance of ensuring the privacy and security of personal information, including emerging biometric identifiers such as fingerprints and iris scans.
Theresa Lanowitz, Head Evangelist at AT&T Cybersecurity, calls out the nuance. "You can have security without privacy,” she explains, “but you cannot have privacy without security.” Hence, implementing proper security controls is pivotal to preventing unauthorized access and upholding privacy. “Consumers need to make sure the companies they share information with are committed to protecting their privacy,” she advises.
The theme for 2023 Cybersecurity Awareness Month is "Secure Our World."
The core messages revolve around four essential cybersecurity best practices:
- Use a Password Manager: Understanding the advantages of using password managers while debunking security and user-friendliness myths.
- Use Multifactor Authentication: Turn on multifactor authentication wherever it is offered, on personal and professional devices and networks.
- Recognize and Report Phishing: Learn to identify and report phishing activities, a prevalent technique among cybercriminals.
- Update Software: Install updates promptly and turn on automatic updates, so that known vulnerabilities in your software do not leave your computer exposed.
Categorías: Security Posts
Friendly Reminder: ZIP Metadata is Not Encrypted, (Mon, Oct 2nd)
ZIP archives store compressed files together with their metadata (file name, file size, date/time, CRC32 checksum, ...). When a contained file is password protected, only the compressed data is encrypted; the metadata is not.
As an example, take this ZIP file that I created. It contains a single file (mimikatz.exe), and that file is protected with a password (infected):
Although the file is password protected, it is the compressed file content that is encrypted (see screenshot: Encrypted +). The file name, file size, file date and all the other metadata are not encrypted, and can be read without knowing the password.
I was involved in a forum discussion, where the OP shared a password protected ZIP archive of a file that the OP considered suspicious. For whatever reason, the OP wanted us to express our opinion about the file without having the opportunity to take a look at the file (the OP would share the password with us later). I could make an educated guess about the file content with the crc32 checksum.
Let me explain.
My tool zipdump.py can be used to analyze ZIP files using Python modules zipfile and pyzipper. But it can also parse the binary structure of a ZIP file, and extract all the relevant metadata in its raw form. I do this with option -f l (find list):
First we see a PKZIP file record (named PK0304 by zipdump), then a PKZIP directory entry record (PK0102) and finally, a PKZIP end-of-directory record (PK0506).
All the metadata is in cleartext.
With the filename and the CRC32 checksum, I can make an educated guess about the file content. I download mimikatz.exe from github, and I calculate its crc32 checksum with hash.py:
The crc32 checksum of the file inside the archive and that of the file I downloaded are the same. This is a weak indication that the files are the same.
crc32 is an error-detection checksum, not a cryptographic hash. It is only 32 bits long, and it is easy to craft a file that produces any desired crc32 value (a few appended bytes are enough). A matching crc32 is certainly not strong evidence.
The OP was surprised that metadata was not encrypted, so I was pretty sure that the crc32 had not been tampered with.
My trick worked because I had a good idea of what file was inside the archive. Without that information, it would have been impossible, because there are countless files with that crc32 checksum.
I think that this crc32 code is also used by Gmail to detect malicious files inside password protected ZIP files.
If you need to create archive files where the metadata is also encrypted, use another format, such as 7-Zip's 7z format (which has an option to encrypt the archive headers, including file names), or double-ZIP your files: put the password protected ZIP inside a second password protected ZIP, so that the metadata of the inner file is hidden in the encrypted content of the outer archive.
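As an added example (not the diary's zipdump.py or hash.py, and not part of the original post), the script below builds a small password protected ZIP in memory with the traditional PKWARE ("ZipCrypto") scheme using only the standard library, walks the raw PK0304/PK0102/PK0506 records to show that the file name, sizes, date and CRC32 are readable without the password, compares the CRC32 with a candidate file the way the diary does, and finally computes four bytes that, appended to an unrelated file, give it the same CRC32, which is why a match is weak evidence. The archive content is a constructed stand-in for mimikatz.exe (not the real binary); the entry name and the password "infected" follow the diary.

```python
import io, os, struct, zipfile, zlib

# Reflected CRC-32 table (poly 0xEDB88320): ZipCrypto's key schedule and the forger step a register with it.
CRC_TABLE = []
for _i in range(256):
    for _ in range(8):
        _i = (_i >> 1) ^ 0xEDB88320 if _i & 1 else _i >> 1
    CRC_TABLE.append(_i)

def crc32_hex(data):
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"

def zipcrypto_encrypt(plaintext, password, crc):
    """Traditional PKWARE ('ZipCrypto') encryption: 12-byte header followed by the encrypted payload."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    def update(c):  # the key schedule advances on the *plaintext* byte
        keys[0] = (keys[0] >> 8) ^ CRC_TABLE[(keys[0] ^ c) & 0xFF]
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = (keys[2] >> 8) ^ CRC_TABLE[(keys[2] ^ (keys[1] >> 24)) & 0xFF]
    def encrypt_byte(c):
        k = keys[2] | 2
        out = c ^ (((k * (k ^ 1)) >> 8) & 0xFF)
        update(c)
        return out
    for b in password:
        update(b)
    # 11 random bytes plus the CRC's high byte, which decryptors use as a quick password check.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return bytes(encrypt_byte(b) for b in header + plaintext)

def build_encrypted_zip(name, content, password):
    """Hand-built one-entry ZIP (method 0 + ZipCrypto) so every PK0304/PK0102/PK0506 field is explicit."""
    crc = zlib.crc32(content) & 0xFFFFFFFF
    payload, fname = zipcrypto_encrypt(content, password, crc), name.encode("cp437")
    flags, method, dos_time, dos_date = 0x0001, 0, 0x5000, 0x5741  # bit 0 = encrypted; 2023-10-01 10:00
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dos_time, dos_date,
                        crc, len(payload), len(content), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method, dos_time, dos_date,
                          crc, len(payload), len(content), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd

def read_cleartext_metadata(zip_bytes):
    """Walk the raw PK records (zipdump.py's -f l view) without the password; assumes no data descriptors."""
    records, pos = [], 0
    while pos + 4 <= len(zip_bytes):
        sig = zip_bytes[pos:pos + 4]
        if sig == b"PK\x03\x04":  # local file header, followed by the (encrypted) file data
            _, flags, method, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from("<HHHHHLLLHH", zip_bytes, pos + 4)
            name, skip = zip_bytes[pos + 30:pos + 30 + nlen].decode("cp437"), 30 + nlen + xlen + csize
        elif sig == b"PK\x01\x02":  # central directory entry
            (_, _, flags, method, _, _, crc, csize, usize, nlen, xlen, clen,
             _, _, _, _) = struct.unpack_from("<HHHHHHLLLHHHHHLL", zip_bytes, pos + 4)
            name, skip = zip_bytes[pos + 46:pos + 46 + nlen].decode("cp437"), 46 + nlen + xlen + clen
        elif sig == b"PK\x05\x06":  # end of central directory
            _, _, _, total, cd_size, cd_off, clen = struct.unpack_from("<HHHHLLH", zip_bytes, pos + 4)
            records.append({"record": "PK0506", "entries": total, "cd_size": cd_size, "cd_offset": cd_off})
            pos += 22 + clen
            continue
        else:
            raise ValueError(f"unexpected bytes at offset {pos}: {sig!r}")
        records.append({"record": "PK0304" if sig[2] == 3 else "PK0102", "name": name,
                        "encrypted": bool(flags & 1), "method": method, "crc32": f"{crc:08x}",
                        "compressed_size": csize, "uncompressed_size": usize})
        pos += skip
    return records

def crc32_matches(zip_bytes, candidate):
    """The forum trick: does a candidate file's CRC-32 equal the archive's cleartext one?"""
    entry = next(r for r in read_cleartext_metadata(zip_bytes) if r["record"] == "PK0102")
    return crc32_hex(candidate) == entry["crc32"]

def decrypt_with_zipfile(zip_bytes, name, password):
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:  # stdlib cross-check of the hand-built archive
        return zf.read(name, pwd=password)

def forge_crc32_suffix(data, target):
    """Four bytes that steer crc32(data + suffix) to any target: walk the CRC table backwards
    from the target register, then forwards from data's register to pick each byte."""
    top_byte = {t >> 24: i for i, t in enumerate(CRC_TABLE)}  # the table's high bytes are unique
    reg, idxs = target ^ 0xFFFFFFFF, []
    for _ in range(4):
        idxs.append(top_byte[reg >> 24])
        reg = ((reg ^ CRC_TABLE[idxs[-1]]) << 8) & 0xFFFFFFFF
    reg, suffix = zlib.crc32(data) ^ 0xFFFFFFFF, bytearray()
    for idx in reversed(idxs):
        suffix.append((reg ^ idx) & 0xFF)
        reg = (reg >> 8) ^ CRC_TABLE[idx]
    return bytes(suffix)

# Constructed stand-in for the diary's mimikatz.exe (not the real binary) and its password.
SAMPLE = b"MZ\x90\x00constructed stand-in for mimikatz.exe, not the real file\n"
PASSWORD = b"infected"
ARCHIVE = build_encrypted_zip("mimikatz.exe", SAMPLE, PASSWORD)

if __name__ == "__main__":
    print(*read_cleartext_metadata(ARCHIVE), sep="\n")
    print(crc32_matches(ARCHIVE, SAMPLE))  # True
```

Running it prints the three records with the entry name, the CRC32 and both sizes in the clear while the payload bytes stay unreadable. Feeding the forged decoy to crc32_matches() also returns True, which is the caveat from the diary in one line: a CRC32 match only means something when you already have a strong prior about what the file is. The parser deliberately stops at a data descriptor flag (bit 3) because in that case the local header's sizes and CRC are zero and only the central directory copy is meaningful.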
Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categorías: Security Posts
4, 5 and 6 October: Navaja Negra, II Forum Europeo de IA & Horizonte
The first week of October begins, and I have a more than interesting agenda of activities ahead, which I will complement with some public activities I'll tell you about, since I'll be in Alicante, Albacete and on free-to-air television on Cuatro with Iker Jiménez and Carmen Porter. In case any of these dates fit your agenda and you feel like coming.
Figure 1: 4, 5 and 6 October - Navaja Negra, II Forum Europeo de IA & Horizonte
Below is the list with the details of the activities, but bear in mind that there is more information and detail on the events' websites, so take a look at each of them.
4 October: II Forum Europeo de IA [Alicante]
This invitation came to me through Andrei Manuel, founder of Bit2Me, and I couldn't say no, so I've squeezed an express trip to Alicante on 4 October into my agenda, somewhat with a "shoehorn", to take part in this event. I'll give a 30-minute talk at the forum, which is about all the possibilities and challenges of Artificial Intelligence, and since I'll be on at the end of the morning, I'll talk about my own things. You know which, if you follow what I publish here.
Figure 2: II Forum Europeo de IA in Alicante. 4 October
The event lasts the whole day and has a spectacular line-up of speakers, so if you have the chance to stop by that day, it's worth taking a look at the agenda of the II Forum Europeo de IA.
5 October: Navaja Negra [Albacete]
The next day, Thursday, it's Albacete to give the talk at Navaja Negra, where I give the first talk right after the opening, and just before the great Miguel Ángel de Castro, so excitement all round. And the talk will be about a PoC we have built playing with toys. So I'll talk about "Advanced Persistent Thre...Toys", to tell you about a project that Pablo González, Fran Ramírez, Alvaro Núñez-Romero and I have been tinkering with for a while. You know, the kind of things we do in the Ideas Locas team.
Figure 3: Talk schedule for Navaja Negra.
Not much more to tell you about Navaja Negra; you already know it's a great three-day CON, where you'll also have a workshop by Pablo González and Alvaro Núñez-Romero to learn, play and practise Web3, Hacking & Pentesting of BlockChain, SmartContracts & Tokenomics using Level_UP!
Figure 4: Workshop on Web3 security at Navaja Negra given by Álvaro Núñez-Romero.
And then the list of speakers, spectacular as always: Amador Aparicio, Fernando Rubio Román, Manuel S. Lemos, Marc Rivero, Ruth Sala Ordoñez, Raúl Siles, Miguel Ángel de Castro, Pablo González, Alvaro Núñez-Romero, Joel Gámez Molina, Ivan Portillo, Emilio Rico Ruiz, Abraham Pasamar or Ricardo Narvaja, among others.
Figure 5: There will be a 0xWord stand and a book-signing session
There will also be a 0xWord stand there, and you'll be able to use your Tempos from MyPublicInbox to get books, badges, stickers and so on, so come prepared if you want some material. And we'll set up book-signing slots with some of the authors. I'll be signing on 5 October right after my talk, so if you want to buy a book and take it home signed, I'll be around for an hour or so. And if you buy them online in advance to pick up there, you'll have priority for collecting them.
5 to 6 October: Horizonte [Free-to-air television - Cuatro]
And to finish the week, as soon as I get back from Navaja Negra I'll go straight to the television set of Horizonte with my dear Iker Jiménez and Carmen Porter, to talk about technology, current affairs and those things we both love so much. You'd love to see how Iker lets his imagination fly and gets the most out of GenAI in his day-to-day.
Figure 6: On Horizonte with Iker Jiménez and Carmen Porter
It will be, as always, a few minutes, probably after 12:00, but the programme actually starts on Thursday the 5th at 23:00, so if you're one of those who enjoy late-night television, I'll be there.
¡Saludos Malignos!
Author: Chema Alonso (Contact Chema Alonso)
Follow Un informático en el lado del mal: RSS, 0xWord
- Contact Chema Alonso on MyPublicInbox.com
Categorías: Security Posts
Update: xor-kpa.py Version 0.0.8
This is just a small update to my XOR known-plaintext attack tool, with some improvements on the algorithm.
xor-kpa_V0_0_8.zip (http)
MD5: EB6397FC81C920DF4E1753A4A31DA9B4
SHA256: 9706979A4B1FBC6E318F6015C69ED2759ADC871632FDB9034615A4488DAC32E0
Categorías: Security Posts
Update: simple_listener.py Version 0.1.3
This update changes the THP_READALL logic, and adds THP_ECHO_THIS and THP_ALLOW_LIST.
simple_listener_v0_1_3.zip (http)
MD5: 6C90E789D4C10B6EF5E918306A7A58E7
SHA256: 16E55E8983E4208151CB407F72238537C7631396FFFECC431230F7879AFAC664
Categorías: Security Posts
Overview of Content Published in September
Here is an overview of content I published in September:
Blog posts:
SANS ISC Diary entries:
Categorías: Security Posts
Update on Naked Security
To consolidate all of our security intelligence and news in one location, we have migrated Naked Security to the Sophos News platform.
Categorías: Security Posts
Pitfalls of relying on eBPF for security monitoring (and some solutions)
By Artem Dinaburg
eBPF (extended Berkeley Packet Filter) has emerged as the de facto Linux standard for security monitoring and endpoint observability. It is used by technologies such as BPFTrace, Cilium, Pixie, Sysdig, and Falco due to its low overhead and its versatility.
There is, however, a dark (but open) secret: eBPF was never intended for security monitoring. It is first and foremost a networking and debugging tool. As Brendan Gregg observed:
eBPF has many uses in improving computer security, but just taking eBPF observability tools as-is and using them for security monitoring would be like driving your car into the ocean and expecting it to float.
But eBPF is being used for security monitoring anyway, and developers may not be aware of the common pitfalls and under-reported problems that come with this use case. In this post, we cover some of these problems and provide workarounds. However, some challenges with using eBPF for security monitoring are inherent to the platform and cannot be easily addressed.
Pitfall #1: eBPF probes are not invoked
In theory, the kernel is never supposed to fail to fire eBPF probes. In practice, it does. Sometimes, although very rarely, the kernel will not fire eBPF probes when user code expects to see them. This behavior is not explicitly documented or acknowledged, but you can find hints of it in bug reports for eBPF tooling.
This bug report provides valuable insight. First, the issues involved are rare and difficult to debug. Second, the kernel may be technically correct, but what the user side observes is missing events, even if the proximate cause was something else (e.g., too many probes). Comments on the bug report present two theories for why events are missing:
- First, there is a set limit on the number of kRetProbes that the kernel can have active at once. As of kernel 6.4.5, the default limit is 4,096. Attempts to create more kRetProbes will fail, resulting in a missed event.
- Second, the callback logic for a kProbe and a kRetProbe is slightly different, which means that sometimes a kProbe will not see a matching kRetProbe, resulting in a missed event.
- Missed events, as the kernel stops calling the probe
- Data loss due to the lack of storage space for new data
- Data loss due to the complete overwriting of older but not yet consumed data by newer information
- Data corruption from partial overwrites or complex data formats, disrupting normal program operation
- On function2 exit
- On function3 entry
- On function3 exit
- On syscall_name exit
- function2 is often called outside of the context you are interested in (i.e., outside of syscall_name).
- function2 may not have the same signature across kernel revisions. If we just use the function as an opaque breakpoint, signature changes do not affect our probe.
Categorías: Security Posts
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Authored by Joshua Kamp (main author) and Alberto Segura.
Summary
Hook and ERMAC are Android-based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.
After our investigation, we concluded that the ERMAC source code was used as a base for Hook. All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical. The main features in ERMAC are related to sending SMS messages, displaying a phishing window on top of a legitimate app, extracting a list of installed applications, SMS messages and accounts, and automated stealing of recovery seed phrases for multiple cryptocurrency wallets.
Hook has introduced a lot of new features, with a total of 38 additional commands when comparing the latest version of Hook to ERMAC. The most interesting new features in Hook are: streaming the victim’s screen and interacting with the interface to gain complete control over an infected device, the ability to take a photo of the victim using their front facing camera, stealing of cookies related to Google login sessions, and the added support for stealing recovery seeds from additional cryptocurrency wallets.
Hook had a relatively short run. It was first announced on the 12th of January 2023, and the closing of the project was announced on April 19th, 2023, due to “leaving for special military operation”. On May 11th, 2023, the actors claimed that the source code of Hook was sold at a price of $70,000. If these announcements are true, it could mean that we will see interesting new versions of Hook in the future.
The launch of Hook
On the 12th of January 2023, DukeEugene started advertising a new Android botnet to be available for rent: Hook.
Forum post where DukeEugene first advertised Hook.
Hook malware is designed to steal personal information from its infected users. It contains features such as keylogging, injections/overlay attacks to display phishing windows over (banking) apps (more on this in the “Overlay attacks” section of this blog), and automated stealing of cryptocurrency recovery seeds.
Financial gain seems to be the main motivator for operators that rent Hook, but the malware can be used to spy on its victims as well. Hook is rented out at a cost of $7,000 per month.
Forum post showing the rental price of Hook, along with the claim that it was written from scratch.
The malware was advertised with a wide range of functionality in both the control panel and build itself, and a snippet of this can be seen in the screenshot below.
Some of Hook’s features that were advertised by DukeEugene.
Command comparison
Analyst’s note: The package names and file hashes that were analysed for this research can be found in the “Analysed samples” section at the end of this blog post.
While checking out the differences in these malware families, we compared the C2 commands (instructions that are sent by the malware operator to the infected device) in each sample. This analysis led us to find several new commands and features in Hook, as can be seen just by looking at the number of commands implemented in each variant:
- Hook sample #1: 58 commands
- Hook sample #2: 68 commands
- ERMAC sample #1 & #2: 30 commands
All 30 commands that exist in ERMAC also exist in Hook. Most of these commands are related to sending SMS messages, updating and starting injections, extracting a list of installed applications, SMS messages and accounts, and starting another app on the victim’s device (where cryptocurrency wallet apps are the main target). While simply launching another app may not seem that malicious at first, you will think differently after learning about the automated features in these malware families.
Automated features in the Hook C2 panel.
Both Hook and ERMAC contain automated functionality for stealing recovery seeds from cryptocurrency wallets. These can be used to gain access to the victim’s cryptocurrency. We will dive deeper into this feature later in the blog.
When comparing Hook to ERMAC, 29 new commands have been added to the first sample of Hook that we analysed, and the latest version of Hook contains 9 additional commands on top of that. Most of the commands that were added in Hook are related to interacting with the user interface (UI).
Hook command: start_vnc
The UI interaction related commands (such as “clickat” to click on a specific UI element and “longpress” to dispatch a long press gesture) in Hook go hand in hand with the new “start_vnc” command, which starts streaming the victim’s screen.
A decompiled method that is called after the “start_vnc” command is received by the bot.
In the code snippet above we can see that the createScreenCaptureIntent() method is called on the MediaProjectionManager, which is necessary to start screen capture on the device. Along with the many commands to interact with the UI, this allows the malware operator to gain complete control over an infected device and perform actions on the victim’s behalf.
Controls for the malware operator related to the “start_vnc” command.
Command implementation
For the commands that are available in both ERMAC and Hook, the code implementation is nearly identical. Take the “logaccounts” command for example:
Decompiled code that is related to the “logaccounts” command in ERMAC and Hook.
This command is used to obtain a list of the accounts available on the victim’s device, by name and type. When comparing the code, it’s clear that the logging messages are the main difference. This is the case for all commands that are present in both ERMAC and Hook.
Russian commands
Both ERMAC and the Hook v1 sample that we analysed contain some rather edgy commands in Russian that do not provide any useful functionality.
Decompiled code which contains Russian text in ERMAC and first versions of Hook.
The command above translates to “Die_he_who_reversed_this”. All the Russian commands create a file named “system.apk” in the “apk” directory and immediately delete it. It appears that the authors have recently adapted their approach to managing a reputable business, as these commands were removed in the latest Hook sample that we analysed.
New commands in Hook V2
In the latest versions of Hook, the authors have added 9 additional commands compared to the first Hook sample that we analysed. These commands are:
- send_sms_many: Sends an SMS message to multiple phone numbers
- addwaitview: Displays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayed
- removewaitview: Removes the “wait / loading” view that is displayed on the victim’s device because of the “addwaitview” command
- addview: Adds a new view with a black background that covers the entire screen
- removeview: Removes the view with the black background that was added by the “addview” command
- cookie: Steals session cookies (targets the victim’s Google account)
- safepal: Starts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
- exodus: Starts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
- takephoto: Takes a photo of the victim using the front facing camera
One of the already existing commands, “onkeyevent”, also received a new payload option: “double_tap”. As the name suggests, this performs a double tap gesture on the victim’s screen, providing the malware operator with extra functionality to interact with the victim’s device user interface.
More interesting additions are: the support for stealing recovery seed phrases from other crypto wallets (Safepal and Exodus), taking a photo of the victim, and stealing session cookies. Session cookie stealing appears to be a popular trend in Android malware, as we have observed this feature being added to multiple malware families. This is an attractive feature, as it allows the actor to gain access to user accounts without needing the actual login credentials.
Device Admin abuse
Besides adding new commands, the authors have added more functionality related to the “Device Administration API” in the latest version of Hook. This API was developed to support enterprise apps in Android.
When an app has device admin privileges, it gains additional capabilities meant for managing the device. This includes the ability to enforce password policies, lock the screen and even wipe the device remotely. As you may expect, abuse of these privileges is often seen in Android malware.
DeviceAdminReceiver and policies
To implement custom device admin functionality, a class should extend “DeviceAdminReceiver”. This class can be found by examining the app’s Manifest file and searching for the receiver with the “BIND_DEVICE_ADMIN” permission or the “DEVICE_ADMIN_ENABLED” action.
Defined device admin receiver in the Manifest file of Hook 2.
In the screenshot above, you can see an XML resource declared as android:resource="@xml/buyanigetili". This file contains the device admin policies that can be used by the app. Here’s a comparison of the device admin policies in ERMAC, Hook 1, and Hook 2:
Differences between device admin policies in ERMAC and Hook.
Comparing Hook to ERMAC, the authors removed the “WIPE_DATA” policy and added the “RESET_PASSWORD” policy in the first version of Hook. In the latest version of Hook, the “DISABLE_KEYGUARD_FEATURES” and “WATCH_LOGIN” policies were added. Below you’ll find a description of each policy that is seen in the screenshot.
- USES_POLICY_FORCE_LOCK: The app can lock the device
- USES_POLICY_WIPE_DATA: The app can factory reset the device
- USES_POLICY_RESET_PASSWORD: The app can reset the device’s password/PIN code
- USES_POLICY_DISABLE_KEYGUARD_FEATURES: The app can disable keyguard (lock screen) features, such as the fingerprint scanner
- USES_POLICY_WATCH_LOGIN: The app can watch login attempts by the user
The “DeviceAdminReceiver” class in Android contains methods that can be overridden to customise the behaviour of a device admin receiver. For example, the “onPasswordFailed” method in the DeviceAdminReceiver is called when an incorrect password is entered on the device. This method can be overridden to perform specific actions when a failed login attempt occurs. In ERMAC and Hook 1, the class that extends the DeviceAdminReceiver only overrides the onReceive() method and the implementation is minimal:
Full implementation of the class that extends the DeviceAdminReceiver in ERMAC. The first version of Hook contains the same implementation.
The onReceive() method is the entry point for broadcasts that are intercepted by the device admin receiver. In ERMAC and Hook 1 this only checks whether the received parameters are null and throws an exception if they are.
DeviceAdminReceiver additions in latest version of Hook
In the latest edition of Hook, the class that extends the DeviceAdminReceiver does not just override the “onReceive” method. It also overrides the following methods:
- onDisableRequested(): Called when the user attempts to disable device admin. Gives the developer a chance to present a warning message to the user
- onDisabled(): Called prior to device admin being disabled. Upon return, the app can no longer use the protected parts of the DevicePolicyManager API
- onEnabled(): Called after device admin is first enabled. At this point, the app can use “DevicePolicyManager” to set the desired policies
- onPasswordFailed(): Called when the user has entered an incorrect password for the device
- onPasswordSucceeded(): Called after the user has entered a correct password for the device
When the victim attempts to disable device admin, a warning message is displayed that contains the text “Your mobile is die”.
Decompiled code that shows the implementation of the “onDisableRequested” method in the latest version of Hook.
The fingerprint scanner is disabled when an incorrect password is entered on the victim’s device, possibly to make it easier to break into the device later by forcing the victim to enter their PIN and capturing it.
Decompiled code that shows the implementation of the “onPasswordFailed” method in the latest version of Hook.
All keyguard (lock screen) features are enabled again when a correct password is entered on the victim’s device.
Decompiled code that shows the implementation of the “onPasswordSucceeded” method in the latest version of Hook.
Overlay attacks
Overlay attacks, also known as injections, are a popular tactic to steal credentials on Android devices. When an app has permission to draw overlays, it can display content on top of other apps that are running on the device. This is interesting for threat actors because it allows them to display a phishing window over a legitimate app. When the victim enters their credentials in this window, the malware captures them. Both ERMAC and Hook use web injections to display a phishing window as soon as they detect a targeted app being launched on the victim’s device.
Decompiled code that shows partial implementation of overlay injections in ERMAC and Hook.
In the screenshot above, you can see how ERMAC and Hook set up a WebView component and load the HTML code to be displayed over the target app by calling webView5.loadDataWithBaseURL(null, s6, "text/html", "UTF-8", null) and this.setContentView() on the WebView object. The “s6” variable contains the data to be loaded. The main functionality is the same for both variants, with Hook having some additional logging messages.
The importance of accessibility services
Accessibility Service abuse plays an important role when it comes to web injections and other automated features in ERMAC and Hook. Accessibility services are used to assist users with disabilities, or users who may temporarily be unable to fully interact with their Android device. For example, users who are driving might need additional or alternative interface feedback. Accessibility services run in the background and receive callbacks from the system when an AccessibilityEvent is fired. Apps with an accessibility service can have full visibility of UI events, both from the system and from third-party apps. They can receive notifications, get the package name, list UI elements, extract text, and more.
While these services are meant to assist users, they can also be abused by malicious apps for activities such as keylogging, automatically granting the app additional permissions, and monitoring foreground apps and overlaying them with phishing windows. When ERMAC or Hook malware is first launched, it prompts the victim with a window that instructs them to enable accessibility services for the malicious app.
Instruction window to enable the accessibility service, which is shown upon first execution of ERMAC and Hook malware.
A warning message is displayed before enabling the accessibility service, which shows what actions the app will be able to perform when this is enabled.
Warning message that is displayed before enabling accessibility services.
With accessibility services enabled, ERMAC and Hook automatically grant themselves additional permissions, such as permission to draw overlays. The onAccessibilityEvent() method monitors the package names from received accessibility events, and the web injection related code is executed when a target app is launched.
Targeted applications
When the infected device is ready to communicate with the C2 server, it sends a list of applications that are currently installed on the device. The C2 server then responds with the target apps that it has injections for. While dynamically analysing the latest version of Hook, we sent a custom HTTP request to the C2 server to make it believe that we had a large number of apps (700+) installed. For this, we used the list of package names that CSIRT KNF had shared in an analysis report of Hook [2].
Part of our manually crafted HTTP request that includes a list of “installed apps” for our infected device.
The server responded with the list of target apps that the malware can display phishing windows for. Most of the targeted apps in both Hook and ERMAC are related to banking.
Part of the C2 server response that contains the target apps for overlay injections.
Keylogging
Keylogging functionality can be found in the onAccessibilityEvent() method of both ERMAC and Hook. For every accessibility event type that is triggered on the infected device, a method is called that contains keylogger functionality. This method then checks what the accessibility event type was, to label the log, and extracts the text from it. Comparing the code implementation of keylogging in ERMAC to Hook, there are some slight differences in the accessibility event types that it checks for, but the main functionality of extracting text and sending it to the C2 with a certain label is the same.
Decompiled code snippet of keylogging in ERMAC and in Hook.
The ERMAC keylogger contains an extra check for the accessibility event “TYPE_VIEW_SELECTED” (triggered when a user selects a view, such as tapping on a button). Accessibility services can extract information about a selected view, such as its text, and that is exactly what is happening here. Hook specifically checks for two other accessibility events: the “TYPE_WINDOW_STATE_CHANGED” event (triggered when the state of an active window changes, for example when a new window is opened) or the “TYPE_WINDOW_CONTENT_CHANGED” event (triggered when the content within a window changes, like when the text within a window is updated). It checks for these events in combination with the content change type “CONTENT_CHANGE_TYPE_TEXT” (indicating that the text of a UI element has changed). This tells us that the accessibility service is interested in changes of the textual content within a window, which is not surprising for a keylogger.
Stealing of crypto wallet seed phrases
Automatic stealing of recovery seeds from crypto wallets is one of the main features in ERMAC and Hook. This feature is actively developed, with support added for extra crypto wallets in the latest version of Hook. For this feature, the accessibility service first checks if a crypto wallet app has been opened.
Then, it will find UI elements by their ID (such as “com.wallet.crypto.trustapp:id/wallets_preference” and “com.wallet.crypto.trustapp:id/item_wallet_info_action”) and automatically clicks on these elements until it navigated to the view that contains the recovery seed phrase. For the crypto wallet app, it will look like the user is browsing to this phrase by themselves. Decompiled code that shows ERMAC and Hook searching for and clicking on UI elements in the Trust Wallet app. Once the window with the recovery seed phrase is reached, it will extract the words from the recovery seed phrase and send them to the C2 server. Decompiled code that shows the actions in ERMAC and Hook after obtaining the seed phrase. The main implementation is the same in ERMAC and Hook for this feature, with Hook containing some extra logging messages and support for stealing seed phrases from additional cryptocurrency wallets. Replacing copied crypto wallet addresses Besides being able to automatically steal recovery seeds from opened crypto wallet apps, ERMAC and Hook can also detect whether a wallet address has been copied and replaces the clipboard with their own wallet address. It does this by monitoring for the “TYPE_VIEW_TEXT_CHANGED” event, and checking whether the text matches a regular expression for Bitcoin and Ethereum wallet addresses. If it matches, it will replace the clipboard text with the wallet address of the threat actor. Decompiled code that shows how ERMAC and Hook replace copied crypto wallet addresses. The wallet addresses that the actors use in both ERMAC and Hook are bc1ql34xd8ynty3myfkwaf8jqeth0p4fxkxg673vlf for Bitcoin and 0x3Cf7d4A8D30035Af83058371f0C6D4369B5024Ca for Ethereum. It’s worth mentioning that these wallet addresses are the same in all samples that we analysed. It appears that this feature has not been very successful for the actors, as they have received only two transactions at the time of writing. 
Transactions received by the Ethereum wallet address of the actors. Since the feature has been so unsuccessful, we assume that both received transactions were initiated by the actors themselves. The latest transaction was received from a verified Binance exchange wallet, and it’s unlikely that this comes from an infected device. The other transaction comes from a wallet that could be owned by the Hook actors. Stealing of session cookies The “cookie” command is exclusive to Hook and was only added in the latest version of this malware. This feature allows the malware operator to steal session cookies in order to take over the victim’s login session. To do so, a new WebViewClient is set up. When the victim has logged onto their account, the onPageFinished() method of the WebView will be called and it sends the stolen cookies to the C2 server. Decompiled code that shows Google account session cookies will be sent to the C2 server. All cookie stealing code is related to Google accounts. This is in line with DukeEugene’s announcement of new features that were posted about on April 1st, 2023. See #12 in the screenshot below. DukeEugene announced new features in Hook, showing the main objective for the “cookie” command. C2 communication protocol HTTP in ERMAC ERMAC is known to use the HTTP protocol for communicating with the C2 server, where data is encrypted using AES-256-CBC and then Base64 encoded. The bot sends HTTP POST requests to a randomly generated URL that ends with “.php/” (note that the IP of the C2 server remains the same). Decompiled code that shows how request URLs are built in ERMAC. Example HTTP POST request that was made during dynamic analysis of ERMAC. WebSockets in Hook The first editions of Hook introduced WebSocket communication using Socket.IO, and data is encrypted using the same mechanism as in ERMAC. 
The Socket.IO library is built on top of the WebSocket protocol and offers low-latency, bidirectional and event-based communication between a client and a server. Socket.IO provides additional guarantees such as fallback to the HTTP protocol and automatic reconnection [3]. Screenshot of WebSocket communication using Socket.IO in Hook. The screenshot above shows that the login command was issued to the server, with the user ID of the infected device being sent as encrypted data. The “42” at the beginning of the message is standard in Socket.IO, where the “4” stands for the Engine.IO “message” packet type and the “2” for Socket.IO’s “message” packet type [3]. Mix and match – Protocols in latest versions of Hook The latest Hook version that we’ve analysed contains the ERMAC HTTP protocol implementation, as well as the WebSocket implementation which already existed in previous editions of Hook. The Hook code snippet below shows that it uses the exact same code implementation as observed in ERMAC to build the URLs for HTTP requests. Decompiled code that shows the latest version of Hook implemented the same logic for building URLs as ERMAC. Both Hook and ERMAC use the “checkAP” command to check for commands sent by the C2 server. In the screenshot below, you can see that the malware operator sent the “killme” command to the infected device to uninstall Hook. This shows that the ERMAC HTTP protocol is actively used in the latest versions of Hook, together with the already existing WebSocket implementation. The infected device is checking for commands sent by the C2 in Hook. C2 servers During our investigation into the technical differences between Hook and ERMAC, we have also collected C2 servers related to both families. From these servers, Russia is clearly the preferred country for hosting Hook and ERMAC C2s. We have identified a total of 23 Hook C2 servers that are hosted in Russia. Other countries that we have found ERMAC and Hook are hosted in are:
[1] – https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities
[2] – https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware
[3] – https://socket.io/docs/v4/
Figure: Controls for the malware operator related to the “start_vnc” command.
Command implementation
For the commands that are available in both ERMAC and Hook, the code implementation is nearly identical. Take the “logaccounts” command for example:
Figure: Decompiled code that is related to the “logaccounts” command in ERMAC and Hook.
This command is used to obtain a list of the accounts available on the victim’s device, by name and type. When comparing the code, it’s clear that the logging messages are the main difference. This is the case for all commands that are present in both ERMAC and Hook.
Russian commands
Both ERMAC and the Hook v1 sample that we analysed contain some rather edgy commands in Russian that do not provide any useful functionality.
Figure: Decompiled code which contains Russian text in ERMAC and first versions of Hook.
The command above translates to “Die_he_who_reversed_this”. All the Russian commands create a file named “system.apk” in the “apk” directory and immediately delete it. It appears that the authors have recently adapted their approach to managing a reputable business, as these commands were removed in the latest Hook sample that we analysed.
New commands in Hook V2
In the latest versions of Hook, the authors have added 9 additional commands compared to the first Hook sample that we analysed.
These commands are:
- send_sms_many: Sends an SMS message to multiple phone numbers
- addwaitview: Displays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayed
- removewaitview: Removes the “wait / loading” view that is displayed on the victim’s device because of the “addwaitview” command
- addview: Adds a new view with a black background that covers the entire screen
- removeview: Removes the view with the black background that was added by the “addview” command
- cookie: Steals session cookies (targets the victim’s Google account)
- safepal: Starts the Safepal Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
- exodus: Starts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)
- takephoto: Takes a photo of the victim using the front facing camera
One of the already existing commands, “onkeyevent”, also received a new payload option: “double_tap”. As the name suggests, this performs a double tap gesture on the victim’s screen, giving the malware operator extra functionality to interact with the victim’s device user interface.
More interesting additions are: the support for stealing recovery seed phrases from other crypto wallets (Safepal and Exodus), taking a photo of the victim, and stealing session cookies. Session cookie stealing appears to be a popular trend in Android malware, as we have observed this feature being added to multiple malware families. This is an attractive feature, as it allows the actor to gain access to user accounts without needing the actual login credentials.
Device Admin abuse
Besides adding new commands, the authors have added more functionality related to the “Device Administration API” in the latest version of Hook. This API was developed to support enterprise apps in Android.
When an app has device admin privileges, it gains additional capabilities meant for managing the device. This includes the ability to enforce password policies, lock the screen and even wipe the device remotely. As you may expect, abuse of these privileges is often seen in Android malware.
DeviceAdminReceiver and policies
To implement custom device admin functionality in a new class, it should extend the “DeviceAdminReceiver”. This class can be found by examining the app’s Manifest file and searching for the receiver with the “BIND_DEVICE_ADMIN” permission or the “DEVICE_ADMIN_ENABLED” action.
Figure: Defined device admin receiver in the Manifest file of Hook 2.
In the screenshot above, you can see an XML file declared as follows: android:resource=”@xml/buyanigetili”. This file will contain the device admin policies that can be used by the app. Here’s a comparison of the device admin policies in ERMAC, Hook 1, and Hook 2:
Figure: Differences between device admin policies in ERMAC and Hook.
Comparing Hook to ERMAC, the authors have removed the “WIPE_DATA” policy and added the “RESET_PASSWORD” policy in the first version of Hook. In the latest version of Hook, the “DISABLE_KEYGUARD_FEATURES” and “WATCH_LOGIN” policies were added. Below you’ll find a description of each policy that is seen in the screenshot.
- USES_POLICY_FORCE_LOCK: The app can lock the device
- USES_POLICY_WIPE_DATA: The app can factory reset the device
- USES_POLICY_RESET_PASSWORD: The app can reset the device’s password/PIN code
- USES_POLICY_DISABLE_KEYGUARD_FEATURES: The app can disable use of keyguard (lock screen) features, such as the fingerprint scanner
- USES_POLICY_WATCH_LOGIN: The app can watch login attempts from the user
The “DeviceAdminReceiver” class in Android contains methods that can be overridden. This is done to customise the behaviour of a device admin receiver.
For example, the “onPasswordFailed” method in the DeviceAdminReceiver is called when an incorrect password is entered on the device. This method can be overridden to perform specific actions when a failed login attempt occurs. In ERMAC and Hook 1, the class that extends the DeviceAdminReceiver only overrides the onReceive() method, and the implementation is minimal:
Figure: Full implementation of the class that extends the DeviceAdminReceiver in ERMAC. The first version of Hook contains the same implementation.
The onReceive() method is the entry point for broadcasts that are intercepted by the device admin receiver. In ERMAC and Hook 1 this only checks whether the received parameters are null and throws an exception if they are.
DeviceAdminReceiver additions in latest version of Hook
In the latest edition of Hook, the class that extends the DeviceAdminReceiver does not just override the “onReceive” method. It also overrides the following methods:
- onDisableRequested(): Called when the user attempts to disable device admin. Gives the developer a chance to present a warning message to the user
- onDisabled(): Called prior to device admin being disabled. Upon return, the app can no longer use the protected parts of the DevicePolicyManager API
- onEnabled(): Called after device admin is first enabled. At this point, the app can use “DevicePolicyManager” to set the desired policies
- onPasswordFailed(): Called when the user has entered an incorrect password for the device
- onPasswordSucceeded(): Called after the user has entered a correct password for the device
When the victim attempts to disable device admin, a warning message is displayed that contains the text “Your mobile is die”.
Figure: Decompiled code that shows the implementation of the “onDisableRequested” method in the latest version of Hook.
The fingerprint scanner is disabled when an incorrect password is entered on the victim’s device, possibly to make it easier to break into the device later by forcing the victim to enter their PIN and capturing it.
Figure: Decompiled code that shows the implementation of the “onPasswordFailed” method in the latest version of Hook.
All keyguard (lock screen) features are enabled again when a correct password is entered on the victim’s device.
Figure: Decompiled code that shows the implementation of the “onPasswordSucceeded” method in the latest version of Hook.
Overlay attacks
Overlay attacks, also known as injections, are a popular tactic to steal credentials on Android devices. When an app has permission to draw overlays, it can display content on top of other apps that are running on the device. This is interesting for threat actors, because it allows them to display a phishing window over a legitimate app. When the victim enters their credentials in this window, the malware captures them. Both ERMAC and Hook use web injections to display a phishing window as soon as they detect a targeted app being launched on the victim’s device.
Figure: Decompiled code that shows partial implementation of overlay injections in ERMAC and Hook.
In the screenshot above, you can see how ERMAC and Hook set up a WebView component and load the HTML code to be displayed over the target app by calling webView5.loadDataWithBaseURL(null, s6, “text/html”, “UTF-8”, null) and this.setContentView() on the WebView object. The “s6” variable contains the data to be loaded. The main functionality is the same for both variants, with Hook having some additional logging messages.
The importance of accessibility services
Accessibility Service abuse plays an important role when it comes to web injections and other automated features in ERMAC and Hook. Accessibility services are used to assist users with disabilities, or users who may temporarily be unable to fully interact with their Android device. For example, users who are driving might need additional or alternative interface feedback. Accessibility services run in the background and receive callbacks from the system when an AccessibilityEvent is fired. Apps with an accessibility service can have full visibility over UI events, both from the system and from third-party apps. They can receive notifications, get the package name, list UI elements, extract text, and more.
While these services are meant to assist users, they can also be abused by malicious apps for activities such as keylogging, automatically granting themselves additional permissions, and monitoring foreground apps and overlaying them with phishing windows. When ERMAC or Hook malware is first launched, it prompts the victim with a window that instructs them to enable accessibility services for the malicious app.
Figure: Instruction window to enable the accessibility service, which is shown upon first execution of ERMAC and Hook malware.
A warning message is displayed before enabling the accessibility service, which shows what actions the app will be able to perform once this is enabled.
Figure: Warning message that is displayed before enabling accessibility services.
With accessibility services enabled, ERMAC and Hook malware automatically grant themselves additional permissions, such as permission to draw overlays. The onAccessibilityEvent() method monitors the package names from received accessibility events, and the web injection related code is executed when a target app is launched.
Targeted applications
When the infected device is ready to communicate with the C2 server, it sends a list of applications that are currently installed on the device. The C2 server then responds with the target apps that it has injections for. While dynamically analysing the latest version of Hook, we sent a custom HTTP request to the C2 server to make it believe that we had a large number of apps (700+) installed. For this, we used the list of package names that CSIRT KNF had shared in an analysis report of Hook [2].
Figure: Part of our manually crafted HTTP request that includes a list of “installed apps” for our infected device.
The server responded with the list of target apps that the malware can display phishing windows for. Most of the targeted apps in both Hook and ERMAC are related to banking.
Figure: Part of the C2 server response that contains the target apps for overlay injections.
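A static triage helper for the declarations discussed in the device admin and accessibility service sections above: it pulls the device admin receiver and the accessibility service out of an AndroidManifest, reads the policy file and service configuration they point to, and turns them into the capabilities a reviewer should flag. This is added example code, not code from the malware or from the original analysis; the manifest, policy file and accessibility configuration are constructed, the “.AdminReceiver” and “.A11yService” component names and the “@xml/accessibility_config” resource are invented, and only “@xml/buyanigetili” and the policy names come from the text.

```python
# Static triage of an app's device admin and accessibility declarations.
# Example code; the manifest, policy file and accessibility configuration
# below are constructed, and the component names are made up.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# What each <uses-policies> entry lets the app do (from the policy table above).
DEVICE_ADMIN_POLICIES = {
    "force-lock": "lock the device (USES_POLICY_FORCE_LOCK)",
    "wipe-data": "factory reset the device (USES_POLICY_WIPE_DATA)",
    "reset-password": "reset the device password/PIN (USES_POLICY_RESET_PASSWORD)",
    "disable-keyguard-features": "disable keyguard features such as the fingerprint "
                                 "scanner (USES_POLICY_DISABLE_KEYGUARD_FEATURES)",
    "watch-login": "watch login attempts (USES_POLICY_WATCH_LOGIN)",
}

def find_privileged_components(manifest_xml):
    """Map device admin receivers and accessibility services to their XML resource.
    A device admin receiver carries BIND_DEVICE_ADMIN or the DEVICE_ADMIN_ENABLED
    action; an accessibility service carries BIND_ACCESSIBILITY_SERVICE."""
    found = {"device_admin": {}, "accessibility": {}}
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in ("receiver", "service"):
            continue
        perm = comp.get(ANDROID_NS + "permission", "")
        actions = {a.get(ANDROID_NS + "name") for a in comp.iter("action")}
        resource = next((m.get(ANDROID_NS + "resource") for m in comp.iter("meta-data")), None)
        if perm == "android.permission.BIND_DEVICE_ADMIN" or \
                "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
            found["device_admin"][comp.get(ANDROID_NS + "name")] = resource
        elif perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found["accessibility"][comp.get(ANDROID_NS + "name")] = resource
    return found

def parse_device_admin_policies(policy_xml):
    """Return the set of policies declared under <uses-policies>."""
    uses = ET.fromstring(policy_xml).find("uses-policies")
    return set() if uses is None else {child.tag for child in uses}

def parse_accessibility_config(config_xml):
    """Extract the event mask and capability flags of an accessibility service."""
    root = ET.fromstring(config_xml)
    types = root.get(ANDROID_NS + "accessibilityEventTypes", "")
    return {"event_types": {t for t in types.split("|") if t},
            "retrieve_window_content": root.get(ANDROID_NS + "canRetrieveWindowContent") == "true",
            "perform_gestures": root.get(ANDROID_NS + "canPerformGestures") == "true"}

def assess(policies, a11y):
    """Turn the declarations into the capabilities a reviewer should flag."""
    findings = ["device admin can " + DEVICE_ADMIN_POLICIES[p]
                for p in sorted(policies) if p in DEVICE_ADMIN_POLICIES]
    text_events = {"typeAllMask", "typeViewTextChanged", "typeWindowContentChanged"}
    if a11y["retrieve_window_content"] and a11y["event_types"] & text_events:
        findings.append("accessibility service can read other apps' UI text (keylogging, seed phrase capture)")
    if a11y["event_types"] & {"typeAllMask", "typeWindowStateChanged"}:
        findings.append("accessibility service sees foreground app changes (overlay trigger)")
    if a11y["perform_gestures"]:
        findings.append("accessibility service can perform gestures (auto-clicking UI elements)")
    return findings

def triage(manifest_xml, policy_xml, a11y_xml):
    """Full pipeline: only read the policy / service config that the manifest declares."""
    comps = find_privileged_components(manifest_xml)
    policies = parse_device_admin_policies(policy_xml) if comps["device_admin"] else set()
    a11y = parse_accessibility_config(a11y_xml) if comps["accessibility"] else \
        {"event_types": set(), "retrieve_window_content": False, "perform_gestures": False}
    return assess(policies, a11y)

# Constructed samples. "@xml/buyanigetili" is the resource name seen in Hook 2;
# ".AdminReceiver", ".A11yService" and "@xml/accessibility_config" are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/buyanigetili"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
      <meta-data android:name="android.accessibilityservice" android:resource="@xml/accessibility_config"/>
    </service>
  </application>
</manifest>"""
# Policies the text attributes to Hook 2 (WIPE_DATA dropped; RESET_PASSWORD,
# DISABLE_KEYGUARD_FEATURES and WATCH_LOGIN added; FORCE_LOCK assumed kept).
SAMPLE_POLICIES = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies><force-lock/><reset-password/><disable-keyguard-features/><watch-login/></uses-policies>
</device-admin>"""
SAMPLE_A11Y = """<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged|typeWindowContentChanged|typeViewTextChanged"
    android:canRetrieveWindowContent="true" android:canPerformGestures="true"/>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_POLICIES, SAMPLE_A11Y):
        print("FLAG:", finding)
```

The same checks apply to any APK once the manifest and the referenced XML resources have been decoded; declarations only show what the app may do, so confirm the behaviour in onAccessibilityEvent() and the receiver callbacks as the analysis above does.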
Keylogging
Keylogging functionality can be found in the onAccessibilityEvent() method of both ERMAC and Hook. For every accessibility event type that is triggered on the infected device, a method is called that contains the keylogger functionality. This method then checks what the accessibility event type was, to label the log, and extracts the text from it. Comparing the code implementation of keylogging in ERMAC to Hook, there are some slight differences in the accessibility event types that it checks for, but the main functionality of extracting text and sending it to the C2 with a certain label is the same.
Figure: Decompiled code snippet of keylogging in ERMAC and in Hook.
The ERMAC keylogger contains an extra check for the accessibility event “TYPE_VIEW_SELECTED” (triggered when a user selects a view, such as tapping on a button). Accessibility services can extract information about a selected view, such as its text, and that is exactly what is happening here. Hook specifically checks for two other accessibility events: the “TYPE_WINDOW_STATE_CHANGED” event (triggered when the state of an active window changes, for example when a new window is opened) or the “TYPE_WINDOW_CONTENT_CHANGED” event (triggered when the content within a window changes, like when the text within a window is updated). It checks for these events in combination with the content change type “CONTENT_CHANGE_TYPE_TEXT” (indicating that the text of a UI element has changed). This tells us that the accessibility service is interested in changes of the textual content within a window, which is not surprising for a keylogger.
Stealing of crypto wallet seed phrases
Automatic stealing of recovery seeds from crypto wallets is one of the main features in ERMAC and Hook. This feature is actively developed, with support added for extra crypto wallets in the latest version of Hook. For this feature, the accessibility service first checks if a crypto wallet app has been opened.
Then, it finds UI elements by their ID (such as “com.wallet.crypto.trustapp:id/wallets_preference” and “com.wallet.crypto.trustapp:id/item_wallet_info_action”) and automatically clicks on these elements until it has navigated to the view that contains the recovery seed phrase. For the crypto wallet app, it looks as if the user is browsing to this phrase themselves.
Figure: Decompiled code that shows ERMAC and Hook searching for and clicking on UI elements in the Trust Wallet app.
Once the window with the recovery seed phrase is reached, it extracts the words from the recovery seed phrase and sends them to the C2 server.
Figure: Decompiled code that shows the actions in ERMAC and Hook after obtaining the seed phrase.
The main implementation is the same in ERMAC and Hook for this feature, with Hook containing some extra logging messages and support for stealing seed phrases from additional cryptocurrency wallets.
Replacing copied crypto wallet addresses
Besides being able to automatically steal recovery seeds from opened crypto wallet apps, ERMAC and Hook can also detect whether a wallet address has been copied and replace the clipboard contents with their own wallet address. They do this by monitoring for the “TYPE_VIEW_TEXT_CHANGED” event and checking whether the text matches a regular expression for Bitcoin and Ethereum wallet addresses. If it matches, the clipboard text is replaced with the wallet address of the threat actor.
Figure: Decompiled code that shows how ERMAC and Hook replace copied crypto wallet addresses.
The wallet addresses that the actors use in both ERMAC and Hook are bc1ql34xd8ynty3myfkwaf8jqeth0p4fxkxg673vlf for Bitcoin and 0x3Cf7d4A8D30035Af83058371f0C6D4369B5024Ca for Ethereum. It’s worth mentioning that these wallet addresses are the same in all samples that we analysed. It appears that this feature has not been very successful for the actors, as they had received only two transactions at the time of writing.
Figure: Transactions received by the Ethereum wallet address of the actors.
Since the feature has been so unsuccessful, we assume that both received transactions were initiated by the actors themselves. The latest transaction was received from a verified Binance exchange wallet, and it’s unlikely that this comes from an infected device. The other transaction comes from a wallet that could be owned by the Hook actors.
Stealing of session cookies
The “cookie” command is exclusive to Hook and was only added in the latest version of this malware. This feature allows the malware operator to steal session cookies in order to take over the victim’s login session. To do so, a new WebViewClient is set up. When the victim has logged in to their account, the onPageFinished() method of the WebView is called and it sends the stolen cookies to the C2 server.
Figure: Decompiled code that shows Google account session cookies being sent to the C2 server.
All cookie stealing code is related to Google accounts. This is in line with DukeEugene’s announcement of new features that was posted on April 1st, 2023. See #12 in the screenshot below.
Figure: DukeEugene announced new features in Hook, showing the main objective for the “cookie” command.
C2 communication protocol
HTTP in ERMAC
ERMAC is known to use the HTTP protocol for communicating with the C2 server, where data is encrypted using AES-256-CBC and then Base64 encoded. The bot sends HTTP POST requests to a randomly generated URL that ends with “.php/” (note that the IP of the C2 server remains the same).
Figure: Decompiled code that shows how request URLs are built in ERMAC.
Figure: Example HTTP POST request that was made during dynamic analysis of ERMAC.
WebSockets in Hook
The first editions of Hook introduced WebSocket communication using Socket.IO, and data is encrypted using the same mechanism as in ERMAC.
The Socket.IO library is built on top of the WebSocket protocol and offers low-latency, bidirectional and event-based communication between a client and a server. Socket.IO provides additional guarantees such as fallback to the HTTP protocol and automatic reconnection [3].
Figure: Screenshot of WebSocket communication using Socket.IO in Hook.
The screenshot above shows that the login command was issued to the server, with the user ID of the infected device being sent as encrypted data. The “42” at the beginning of the message is standard in Socket.IO, where the “4” stands for the Engine.IO “message” packet type and the “2” for Socket.IO’s “message” packet type [3].
Mix and match – Protocols in latest versions of Hook
The latest Hook version that we’ve analysed contains the ERMAC HTTP protocol implementation, as well as the WebSocket implementation which already existed in previous editions of Hook. The Hook code snippet below shows that it uses the exact same code implementation as observed in ERMAC to build the URLs for HTTP requests.
Figure: Decompiled code that shows the latest version of Hook implemented the same logic for building URLs as ERMAC.
Both Hook and ERMAC use the “checkAP” command to check for commands sent by the C2 server. In the screenshot below, you can see that the malware operator sent the “killme” command to the infected device to uninstall Hook. This shows that the ERMAC HTTP protocol is actively used in the latest versions of Hook, together with the already existing WebSocket implementation.
Figure: The infected device is checking for commands sent by the C2 in Hook.
C2 servers
During our investigation into the technical differences between Hook and ERMAC, we have also collected C2 servers related to both families. From these servers, Russia is clearly the preferred country for hosting Hook and ERMAC C2s. We have identified a total of 23 Hook C2 servers that are hosted in Russia. Other countries that we have found ERMAC and Hook C2s hosted in are:
- The Netherlands
- United Kingdom
- United States
- Germany
- France
- Korea
- Japan
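Two triage helpers for the C2 transports described in the C2 communication protocol section above, as added example code (not from the malware or the original analysis): one groups proxy-log POSTs by host to spot the ERMAC-style pattern of many distinct random “.php/” paths on one fixed host carrying Base64 blobs whose decoded length is AES block-aligned, the other splits a Socket.IO text frame such as 42["login", ...] into its Engine.IO and Socket.IO packet types and event name. The requests, hosts (documentation-range IPs) and ciphertext stand-in are constructed; the packet type tables follow the Socket.IO v4 documentation [3], which names Socket.IO type 2 EVENT.

```python
# Triage helpers for the two C2 transports described above. Example code; the
# requests, hosts (documentation-range IPs) and ciphertext stand-in below are
# constructed, not captured traffic.
import base64
import binascii
import json
from urllib.parse import urlsplit

ENGINE_IO_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong",
                   "4": "message", "5": "upgrade", "6": "noop"}
SOCKET_IO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK",
                   "4": "CONNECT_ERROR", "5": "BINARY_EVENT", "6": "BINARY_ACK"}

def looks_like_aes_cbc_blob(text):
    """True if text is strict Base64 whose decoded length is a multiple of the
    16-byte AES block size, as AES-CBC ciphertext (the encoding ERMAC and Hook
    use) must be. A heuristic: it filters out form data and plain JSON, not proof."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16 and len(raw) % 16 == 0

def flag_ermac_style_hosts(requests, min_distinct_paths=3):
    """Group POSTs by host; flag hosts receiving several distinct paths that end
    in '.php/' with block-aligned Base64 bodies (random URL, fixed C2 IP)."""
    by_host = {}
    for req in requests:
        parts = urlsplit(req["url"])
        if req["method"] != "POST" or not parts.path.endswith(".php/"):
            continue
        if looks_like_aes_cbc_blob(req["body"]):
            by_host.setdefault(parts.netloc, set()).add(parts.path)
    return {host: sorted(paths) for host, paths in by_host.items()
            if len(paths) >= min_distinct_paths}

def parse_socketio_frame(frame):
    """Split a Socket.IO text frame (default namespace, no ack id) such as
    42["login","<base64>"] into Engine.IO type, Socket.IO type, event and args."""
    if not frame or frame[0] not in ENGINE_IO_TYPES:
        raise ValueError("not an Engine.IO text frame")
    result = {"engine_io": ENGINE_IO_TYPES[frame[0]], "socket_io": None,
              "event": None, "args": [], "encrypted_args": []}
    if frame[0] != "4" or len(frame) < 2:      # only 'message' carries Socket.IO data
        return result
    result["socket_io"] = SOCKET_IO_TYPES.get(frame[1])
    if frame[1] == "2" and frame[2:].startswith("["):   # EVENT: JSON array [name, ...args]
        payload = json.loads(frame[2:])
        result["event"], result["args"] = payload[0], payload[1:]
        result["encrypted_args"] = [a for a in result["args"]
                                    if isinstance(a, str) and looks_like_aes_cbc_blob(a)]
    return result

# Constructed samples: 32 zero bytes stand in for two AES-CBC blocks.
CIPHERTEXT_B64 = base64.b64encode(bytes(32)).decode()
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "http://192.0.2.10/a8f3k2lq9z.php/", "body": CIPHERTEXT_B64},
    {"method": "POST", "url": "http://192.0.2.10/qwe12rty.php/", "body": CIPHERTEXT_B64},
    {"method": "POST", "url": "http://192.0.2.10/zz9x8c7v6b.php/", "body": CIPHERTEXT_B64},
    {"method": "POST", "url": "http://198.51.100.7/login.php", "body": "user=alice&pw=x"},
    {"method": "GET", "url": "http://192.0.2.10/status.php/", "body": ""},
]
SAMPLE_FRAME = '42["login","%s"]' % CIPHERTEXT_B64   # shape of the login frame in the screenshot

if __name__ == "__main__":
    print("ERMAC-style hosts:", flag_ermac_style_hosts(SAMPLE_REQUESTS))
    print("Socket.IO frame:", parse_socketio_frame(SAMPLE_FRAME))
```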
[1] – https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities
[2] – https://cebrf.knf.gov.pl/komunikaty/artykuly-csirt-knf/362-ostrzezenia/858-hookbot-a-new-mobile-malware
[3] – https://socket.io/docs/v4/
Categorías: Security Posts
Building a Cyber Resilient Business: The Protection Layer
Cybercrime is on the rise. The number of ransomware attacks has increased by 18%, while the worldwide volume of phishing attacks doubled to 500 million in 2022. Depending on the size of the business, one-third to two-thirds of businesses suffer malware attacks in any given year.
And those attacks are costing companies a lot of money. In 2022, American businesses lost $10.3 billion to data breaches and cybercrime.
This is all happening while companies are spending trillions digitizing their business operations and trying to obtain secure cyber insurance while keeping up with regulatory changes in GDPR, HIPAA, and Sarbanes-Oxley.
The best way to weather these challenges is to become a cyber resilient business. That means implementing a layered security and data management strategy that encompasses prevention, protection, and recovery so that your data, your bottom line, and your reputation remain secure.
In this article, we’ll discuss the importance of data security and protection.
How to protect your data
A sophisticated, layered security strategy will already have prevention tools like endpoint and DNS protection in place as well as security awareness training to stop threats before they reach your network.
Unfortunately, that’s not enough. Attacks are becoming increasingly sophisticated and complex, and that first line of defense may not catch them all.
If a threat can penetrate the prevention layer, protection-layer tools kick in to neutralize the threat or minimize the damage of an attack.
Here are two tools that can protect your data:
1. Email threat protection and email continuity
Email is one of the most common entry points for attacks, from phishing links to ransomware and business email compromise (BEC) to malicious attachments. Cyber criminals can mimic trustworthy senders, so you need a tool that helps you tell the difference between a safe email and a suspicious one.
Tools like Webroot’s Advanced Email Threat Protection analyze the links and attachments in messages to detect malware and keep your systems secure against threats. Webroot Email Continuity can continue to send and receive emails for up to 30 days even if the infrastructure is down.
2. Email encryption
Companies rely on email to distribute important information, but when that information is confidential and sensitive, you need an encryption tool to protect it. If a cyber criminal gets access to emails, they won’t be able to access that sensitive data if it’s encrypted.
Webroot Advanced Email Encryption powered by Zix is an industry-grade encryption tool that runs in the background, without disrupting workflows or requiring any input from the user. It’s invisible to the user and requires no extra training, while keeping your communications confidential. Also, default and customizable Data Loss Prevention (DLP) policies are available at no additional cost to prevent unauthorized users from emailing sensitive data to parties outside the organization.
Customer stories
When Spitzer Automotive’s new Chief Information Officer joined the company in 2019, he realized there was a big problem that affected the company’s security and employee productivity: employees were spending too much time reviewing emails for spam. One phishing attack slipping through human review could cause big problems for the company in downtime, financial loss, and reputational damage.
Spitzer chose Webroot’s Advanced Email Threat Protection and Email Continuity as a cloud-based solution to pair with Microsoft 365. Bundling the two saved money, and automated filtering reduced the number of email threats reaching inboxes by quarantining malicious emails before anyone had to review them by hand.
Allergy, Asthma, and Sinus Center had a different reason for using Webroot Email Threat Protection and Email Continuity. As a healthcare group, they had sensitive patient data to protect, and a ransomware attack delivered through malicious emails could put that data at risk.
Once they put the Webroot system in place, they were able to focus on other IT matters while knowing that patient data was protected. It also helped them meet their HIPAA obligations for safeguarding that data.
To learn more about building cyber resilience with layered security, download our guide.
The post Building a Cyber Resilient Business: The Protection Layer appeared first on Webroot Blog.
Categorías: Security Posts
How Easy is Email Encryption? You’d Be Surprised.
When it comes to keeping sensitive data safe, email encryption is a necessity. But it doesn’t have to be a necessary evil.
Too many employees and IT experts have experienced the pain of trying to use a needlessly complicated email encryption solution. There are the endless steps, the hard-to-navigate portals, and the time-consuming processes that add up to a frustrating experience for most.
If this is the experience you’ve come to expect, Webroot Email Encryption powered by Zix is here to surprise you. Webroot simplifies, streamlines, and secures the encryption process making email security easier than ever.
Transparent Delivery Simplifies the Recipient Process
The recipient process has historically been one of the biggest pain points for email encryption software customers. It’s often complicated and cumbersome, filled with portals, secret passwords, and extra steps. It shouldn’t be that difficult just to read an email, and now it doesn’t have to be.
Webroot Email Encryption drastically simplifies the email recipient process. When both the sender and the recipient are Webroot clients, the software will encrypt the outgoing email from one customer, and send it to the recipient completely transparently—regardless of the email content. No portal, no passwords, no extra steps – just a blue bar at the top of the email confirming it was sent securely. From there, the recipient can reply to the email exactly as they would a regular email.
Even without transparent delivery, Webroot’s Email Encryption makes the recipient process intuitive for non-Webroot clients. The recipient secure email portal is designed for non-technical people to be able to access, read, and reply to encrypted emails easily.
State of the Art Filters Enable Automatic Encryption
Security tools only work when people use them, and even with the best IT policies in place, it’s difficult to stop employees from sending sensitive information without encryption. While many organizations have increased their employee training amid an increased threat landscape, training only goes so far.
Exposing sensitive information isn’t just an organizational problem, it’s also a regulatory one. The Health Insurance Portability and Accountability Act (HIPAA) requires that protected health information (PHI) be kept secure and private. With traditional email encryption solutions, the burden of deciding what to encrypt falls on employees every time they send a message. For healthcare organizations, this is an added layer of complication on top of an often hectic workload.
Thankfully, Webroot’s Email Encryption offers automatic encryption, removing the burden from employees of having to remember to encrypt sensitive emails every time they send one. Webroot Email Encryption provides out-of-the-box automatic policies for HIPAA, Social Security numbers, and financial information. When a policy is triggered—whether the sender has elected to encrypt the email or not—emails can be encrypted, blocked or quarantined.
The result? Any email containing sensitive information is automatically encrypted, saving both employees and the organization at large from the threat of a security breach.
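The automatic policies described above (and the Data Loss Prevention policies mentioned in the previous post) boil down to an outbound policy engine: scan each message leaving the organization, match it against detectors for regulated data, and apply the strictest action among the policies that fire. The following is an added example of such an engine, written for this page and not Webroot or Zix code. The internal domain `example.com`, the keyword list, the SSN and card patterns, the policy-to-action mapping and the sample messages are all constructed assumptions; a real product would scan attachments too and use far richer detectors.

```python
"""Added example: a minimal outbound DLP policy engine of the kind the text describes.
Everything here (domain, patterns, policies, sample messages) is constructed for
illustration; it is not Webroot/Zix code."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain


class Action(Enum):
    ALLOW = "allow"
    ENCRYPT = "encrypt"
    QUARANTINE = "quarantine"
    BLOCK = "block"


# When several policies fire on one message, the most severe action wins.
SEVERITY = {Action.ALLOW: 0, Action.ENCRYPT: 1, Action.QUARANTINE: 2, Action.BLOCK: 3}


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# US SSN in dashed form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; Luhn-checked afterwards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed keyword list standing in for a real HIPAA/PHI lexicon.
PHI_RE = re.compile(r"\b(patient|diagnosis|medical record|MRN)\b", re.IGNORECASE)


def has_card_number(text: str) -> bool:
    """True if any digit run looks like a card number AND passes Luhn."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


# (policy name, detector over subject+body, action when it fires)
POLICIES: List[Tuple[str, Callable[[str], bool], Action]] = [
    ("HIPAA PHI keywords", lambda t: PHI_RE.search(t) is not None, Action.ENCRYPT),
    ("US Social Security number", lambda t: SSN_RE.search(t) is not None, Action.ENCRYPT),
    ("Payment card number", has_card_number, Action.BLOCK),
]


def leaves_organisation(msg: Message) -> bool:
    """Outbound DLP only applies when at least one recipient is external."""
    return any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)


def evaluate_message(msg: Message) -> Tuple[Action, List[str]]:
    """Return the action to take and the names of the policies that fired."""
    if not leaves_organisation(msg):
        return Action.ALLOW, []
    text = msg.subject + "\n" + msg.body
    fired = [(name, action) for name, detect, action in POLICIES if detect(text)]
    if not fired:
        return Action.ALLOW, []
    action = max((a for _, a in fired), key=SEVERITY.get)
    return action, [name for name, _ in fired]


# Constructed sample traffic; the card number is a well-known test number.
SAMPLE_MESSAGES = [
    Message("hr@example.com", ["payroll@example.com"], "New hire", "SSN 123-45-6789 for onboarding"),
    Message("nurse@example.com", ["lab@partner-clinic.org"], "Results", "Patient SSN 123-45-6789, see attached"),
    Message("sales@example.com", ["buyer@customer.net"], "Card on file", "Charge 4111 1111 1111 1111 please"),
    Message("sales@example.com", ["buyer@customer.net"], "Ref", "Order ref 4111 1111 1111 1112"),
    Message("ops@example.com", ["vendor@supplier.com"], "Meeting", "Moved to 3pm"),
]


def decisions() -> List[Tuple[str, str, List[str]]]:
    """Evaluate every sample message; returns (subject, action, fired policies)."""
    out = []
    for m in SAMPLE_MESSAGES:
        action, fired = evaluate_message(m)
        out.append((m.subject, action.value, fired))
    return out


if __name__ == "__main__":
    for subject, action, fired in decisions():
        print(f"{subject:12} -> {action:9} {fired}")
```

Two design points worth noting: internal-to-internal mail is skipped entirely, matching the "parties outside the organization" scope the text gives for DLP, and the card detector pairs a loose regex with a Luhn check so that order numbers and other long digit runs do not trigger a block. The sample with the number ending in 1112 fails Luhn and is allowed through for exactly that reason.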
Purpose-Built Add-Ons Make Integration Seamless
Email encryption is just one piece of the cybersecurity puzzle. Every organization has a unique set of security needs, and a threat could severely affect operations at any time.
That’s why it’s important to ensure your email encryption solution comes along with purpose-built add-ons and can also seamlessly integrate with other security solutions. Webroot Email Encryption can be easily integrated and is also part of a larger network of threat protection that keeps your organization safe.
OpenText Cybersecurity brings together a number of product families (Webroot, Carbonite and Zix) that can be combined to improve and enhance the overall user experience, like:
Single Sign-On with SAML 2.0: Allows a user to log in to their Webroot Secure Message Portal with the credentials they have already created through the customer’s website. Without having to log in again, users click a link and are taken directly to their secure inbox. This feature is implemented using SAML 2.0, the federated authentication standard in which the customer’s identity provider issues a signed assertion of the user’s identity that the portal verifies before granting access.
Webroot Email Threat Protection: Provides multilayered filtering for both inbound and outbound emails that lets the right emails through while blocking malicious threats such as phishing, ransomware, impersonation, business email compromise (BEC) and spam. It also offers attachment quarantine, link protection, message retraction, and a round-the-clock live threat analyst team.
Ready to Learn More?
Seeing how simple email encryption can be is surprising, we know. And we’ve only just scratched the surface. If you want to learn more about how OpenText Cybersecurity can help make email surprisingly secure and simple, you can request a demo here.
The post How Easy is Email Encryption? You’d Be Surprised. appeared first on Webroot Blog.
Categorías: Security Posts
