
Tuesday, September 10, 2024

2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjang - Terms and Conditions.msc)


2024-09-10 Sakai @sakaijjang: Malware created by Kimsuky (김수키) - Terms and conditions.msc (2024.9.6) - Kimsuky (North Korea) - Terms and Conditions.msc

by https://x.com/sakaijjang?lang=en 

Article translation in English 

More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus

  • The malware is delivered as a file named "Terms and conditions.msc," containing embedded PowerShell commands.
  • The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness.
  • The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt.
  • The downloaded data, encoded in hexadecimal, is decoded into a byte array.
  • The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder.
  • The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file.
  • The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.
  • File Camouflage: The use of the MP3 extension initially disguises the executable file.
  • Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows help evade user detection and security software.
  • Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
  • Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
  • Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.

Download

2024-09-03 LUXY Ransomware / Stealer Sample

 2024-09-03 K7 Security Labs: Luxy: A Stealer and a Ransomware in one

  • The sample is a .NET 32-bit executable, enforcing single-instance execution via a mutex and ensuring network connectivity before proceeding. It also implements anti-VM checks using System UUIDs, process names, and other system identifiers to evade sandbox environments.
  • Browser Data Extraction: Utilizes methods like GETENCRYPTIONKEY to extract and decrypt stored passwords and cookies from various browsers.
  • Cryptocurrency Wallet Theft: Targets wallets such as Zcash, Ethereum, and others, copying wallet files to a text file for exfiltration.
  • Session File Theft: Extracts Minecraft session files, logging them in a source.txt file, potentially compromising user authentication.
  • Roblox Cookie Theft: Steals cookies from the registry and browsers using PowerShell commands.
  • File Encryption: Deploys AES256 encryption on all files in the malware execution path, renaming files post-encryption. The encryption method uses a 128-bit key and IV, padding the plaintext to meet AES block size requirements.
  • Ransom Note: After encryption, a ransom note is dropped, informing the victim of the encryption and providing instructions to obtain the decryption key.

The Ransom note reads: 

ATTENTION!

Don't worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

To get this software and key you need join our server discord:

discord.gg/

Personal ID:

Download

Saturday, September 7, 2024

2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples

2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a newly discovered ransomware strain that exploits BitLocker, a legitimate Windows feature, to encrypt data by locking users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker's secure boot partition to make decryption extremely challenging. The malware initiates its attack by identifying the operating system and determining whether it’s a suitable target. It modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks non-boot partitions by 100MB, formats these partitions, and reconfigures boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.



2024-08-30 Cicada ESXi Ransomware Sample

Cicada3301, a ransomware group first detected in June 2024, appears to be either a rebranded or derivative version of the ALPHV ransomware group, employing a ransomware-as-a-service (RaaS) model. The ransomware, written in Rust, targets both Windows and Linux/ESXi environments, utilizing ChaCha20 for encryption. Technical analysis reveals several key similarities with ALPHV: both use nearly identical command structures for shutting down VMs and removing snapshots, and share a similar file-naming convention. The ransomware's binary is an ELF file, with its Rust origin confirmed through string references and investigation of the .comment section.

Key parameters include sleep, which delays the ransomware's execution, and ui, which displays the encryption progress on the screen. The key parameter is crucial for decryption; if it's not provided or incorrect, the ransomware will stop running. The main function, linux_enc, starts the encryption process by generating a random key using OsRng. Files larger than 100 MB are encrypted in parts, while smaller files are encrypted entirely using ChaCha20. The ChaCha20 key is then secured with an RSA public key and added, along with a specific file extension, to the end of the encrypted file.

Initial access appears to be facilitated by the Brutus botnet, with threat actors using stolen or brute-forced credentials to gain entry via ScreenConnect. The IP address associated with this attack is tied to the Brutus botnet, raising the possibility of a direct connection between the botnet operators and Cicada3301. The ransomware also features a decryption check routine, where an encoded and encrypted ransomware note stored within the binary is decrypted using the provided key, validating the correct decryption.


Download


Download. (Email me if you need the password scheme)



File Information

63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 esxi

The article didn't include any hashes, only the YARA rule. While this sample doesn't trigger a match with the rule, I believe it's the same malware.

Tuesday, September 3, 2024

2024-09-02 ABYSS Ransomware Windows and Linux Samples

Abyss Ransomware, first identified in 2023, is a sophisticated ransomware strain targeting both Windows and Linux systems, with a specific focus on VMware ESXi environments. It employs advanced encryption techniques, multi-extortion tactics, and strategic network infiltration to disrupt operations across various sectors, including finance, healthcare, and technology.

Key Characteristics:

  • Target Platforms: Windows, Linux (particularly VMware ESXi)
  • Encryption: Utilizes the Salsa20 encryption algorithm; appends .abyss or .crypt extensions.
  • Initial Access Vectors: Phishing emails, weak SSH configurations, and exploiting known vulnerabilities in exposed servers.
  • Multi-Extortion Tactics: Encrypts files and exfiltrates data, threatening public exposure on a TOR-based leak site if ransom demands are not met.

Windows Variant:

  • Service Termination: Disables critical services (e.g., MSSQL, Exchange) to ensure encryption success.
  • Persistence: Alters boot configuration to disable recovery options.
  • File Encryption: Employs Salsa20; ransom note WhatHappened.txt is dropped in each directory.
  • Obfuscation: Written in C++, using techniques to evade detection and hinder forensic analysis.

Linux Variant:

  • VMware ESXi Targeting: Leverages esxcli to manage and shut down virtual machines for encryption.
  • Selective Encryption: Avoids critical system directories to maintain partial system functionality.
  • Persistence: Establishes daemon processes to ensure the ransomware remains active post-reboot.


Monday, September 2, 2024

2022-2024 North Korea Citrine Sleet /Lazarus FUDMODULE ( BYOVD ) Rootkit Samples


2024-08-30 Microsoft: North Korean threat actor Citrine Sleet exploiting Chromium zero-day 

2024-03-01 Lazarus group operations — A deep dive into FudModule Rootkit by Lucas Mancilha

2024-08-28 CORONA MIRAI Botnet Spreads via Zero-Day (CVE-2024-7029) - command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) Samples

Akamai's Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.

  • CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the "brightness" parameter in the device's web interface, leading to remote code execution.
  • Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.
  • Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.
  • Affected Devices: The vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Despite these models being discontinued, they are still in use in critical infrastructure, including transportation authorities.

Affected Models:

  • AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.


Download

2024-08-29 ASYNCRAT Samples



2024-08-29 Esentire: Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing Emails

eSentire's Threat Response Unit (TRU) discovered an AsyncRAT infection that was delivered through a Windows Script File (.wsf) via email. The malicious .wsf file, named “SummaryForm_,” downloaded a VBScript from a remote server, which then fetched a fake image file. 
This file was actually a ZIP archive that, once extracted, ran additional scripts to establish persistence on the system. The scripts created a scheduled task to execute the AsyncRAT payload repeatedly, making it difficult to detect and remove. The payload was injected into the RegAsm.exe process using a DLL to further evade detection.



Additionally, this version of AsyncRAT included an infostealer plugin designed to exfiltrate data from popular web browsers like Chrome and Firefox, as well as cryptocurrency wallet extensions such as MetaMask and Coinbase. The attack highlights the use of multiple stages and obfuscation techniques to maintain persistence and steal sensitive information from the infected system.



Download

2024-08-29 UNDERGROUND Ransomware Samples

The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.

  • Shadow Copies Deletion: It removes all shadow copies to prevent file recovery:
    vssadmin.exe delete shadows /all /quiet
  • RDP Session Limits: Sets a 14-day limit on Remote Desktop sessions to maintain persistence:
    reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
  • SQL Server Service Stop: Halts the MS SQL Server service to disrupt operations:
    net.exe stop MSSQLSERVER /f /m
  • Ransom Note Deployment: Drops a ransom note named "!!readme!!!.txt" in directories containing encrypted files.
  • File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
  • Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
  • Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
  • Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.


Download

2024-08-23 ANGRY STEALER (Rage Stealer variant) Telegram RAT Samples

2024-08-23 Cyfirma. A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise (Telegram rat).

CYFIRMA analyzed malware known as "Angry Stealer", which is heavily advertised on platforms like Telegram and is a repackaged version of the previously identified "Rage Stealer".
  • The dropper is a 32-bit Win32 executable written in .NET, which acts as the initial stage of the attack. Upon execution, it deploys two key payloads: "Stepasha.exe" and "MotherRussia.exe".
  • Stepasha.exe - The Info-Stealer:
    • Once deployed, "Stepasha.exe" begins an extensive data collection process. It targets sensitive information stored on the infected system, including browser data (passwords, cookies, autofill data), cryptocurrency wallets, VPN credentials, and system information.
    • The collected data is then packaged into a ZIP file and exfiltrated to a remote Telegram channel. This process leverages hardcoded credentials and bypasses SSL validation, ensuring the data reaches the attacker without interruption.
    • The malware incorporates techniques to avoid detection, such as tampering with file timestamps and ensuring only one instance runs at a time.
  • MotherRussia.exe - The Builder Tool:
    • This secondary payload acts as a builder, allowing the creation of additional malicious executables. The user provides specific inputs, such as bot tokens and chat IDs, which are then embedded into the generated executable.
    • The tool is likely designed for tasks related to remote desktop operations or bot interactions, making it easier for attackers to automate and scale their malicious activities.
  • "Angry Stealer" is a direct descendant of "Rage Stealer," sharing the same codebase and functionality. This rebranding approach allows cybercriminals to market the same malware under different names, reaching new buyers and avoiding detection by reusing proven tactics.
  • The dropper was compiled in a .NET environment, likely within an isolated setup like Windows Defender Application Guard, suggesting that the developers took precautions to avoid detection during development.


Download

2024-08-14 OSX BANSHEE infostealer Samples

This analysis of BANSHEE Stealer reveals a sophisticated macOS-based malware (sold for $3,000) developed by Russian threat actors, targeting both x86_64 and ARM64 architectures. BANSHEE Stealer is designed to collect a wide range of data from infected systems, including browser history, cookies, logins, cryptocurrency wallets, and around 100 browser extensions. The malware employs basic anti-analysis techniques, such as debugging and virtualization detection using the sysctl API and system profiling commands, and avoids infecting systems set to the Russian language.

It uses AppleScripts for tasks like muting system sound, phishing for user passwords, and copying keychain data. The stolen data is then compressed, XOR-encrypted, Base64-encoded, and exfiltrated to a remote server.

BANSHEE Stealer targets nine browsers for browser data collection (Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari), extracting history, cookies, and login credentials. Interestingly, it focuses on Safari cookies using an AppleScript script, while other browsers have a broader range of data collected. The malware also scans for around 100 browser plugins, saving the data in a specified temporary directory.

BANSHEE Stealer targets wallets like Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger. It copies wallet-related files to a temporary directory for later exfiltration. The malware's functionality is structured in several C++ files, including Controller.cpp, which manages core tasks like anti-debugging measures using the sysctl API, language checks via CFLocaleCopyPreferredLanguages, and exfiltration processes.

The malware's exfiltration method involves compressing the collected data into a ZIP file using the ditto command, followed by XOR encryption and Base64 encoding. The resulting file is then exfiltrated via an HTTP POST request to a command-and-control server using the cURL command.


Download


d556042c8a77ba52d39e211f208a27fe52f587047140d9666bbeca6032eae604 localfile~ x64


2024-08-22 PEAKLIGHT Stealthy Memory-Only Malware Samples

Analysis of complex memory-only malware that uses a multi-stage infection chain to evade detection. The attack starts with a malicious Microsoft Shortcut File (LNK) hidden in fake movie ZIP files. When executed, this file uses forfiles.exe and mshta.exe to run a heavily obfuscated PowerShell script, which downloads more payloads from a remote CDN. The script operates entirely in memory and uses custom decryption routines to handle encrypted payloads, protected by AES-CBC or AES-ECB and encoded in hexadecimal or Base64.

PEAKLIGHT further evades detection by employing DLL side-loading techniques to execute infostealers like Cryptbot and SHADOWLADDER malware, while dynamically unpacking ZIP files and running their contents in hidden directories, relying on legitimate Windows tools and trusted content delivery networks for its operations.



2024-08-21 MOONPEAK malware from North Korean UAT-5394 Samples

2024-08-21 Talos Intelligence 

Cisco Talos has identified a new RAT family named "MoonPeak," a variant of the open-source XenoRAT malware. This RAT is currently being developed by the North Korean state-sponsored threat actor group UAT-5394.

UAT-5394 moved from relying on cloud services to setting up their own infrastructure. Servers identified in this campaign include 95.164.86.148, which served as a MoonPeak C2 on Port 9999, and 167.88.173.173, a server that was initially thought to be linked to the Gamaredon APT but was later found to be under UAT-5394's control. This server was used to compile MoonPeak v2 malware and connect to other C2s over Ports 9966 and 8936.

Talos also uncovered multiple test VMs, including 45.87.153.79 and 45.95.11.52, used to validate MoonPeak infections.  MoonPeak RAT modifies the original XenoRAT source code by changing the client namespace from "xeno rat client" to "cmdline." This change prevents MoonPeak from connecting to out-of-the-box XenoRAT C2 servers and ensures that any unauthorized or rogue implants cannot connect to their custom MoonPeak servers.