Tag Archive for: Payload

Ransomware campaign targets popular open-source packages with cleverly hidden payload


An ongoing ransomware campaign hides its payload in an uncommon way by targeting popular open-source packages that typically receive nearly 15 million installations per week, according to new findings by Checkmarx and Phylum.

In a blog post, Checkmarx researchers said the campaign uses a form of typosquatting to target the popular “requests” package on PyPI and the “discord.js” package on NPM, and includes embedded ransomware. When executed, the ransomware encrypts files on the victim’s computer and demands payment of $100 in cryptocurrency to unlock them.

Unlike most open-source attacks, where the malicious package runs its code as soon as it is installed, Alik Koldobsky, security researcher at Checkmarx, told SC Media that the payload is hidden in multiple strategic locations and only executes when victims call the packages’ actual functions, which makes the campaign hard to detect for many security scanners.

The malware payload supports multiple operating systems, allowing the campaign to target a wider audience. In addition, the attackers named the ransomware messages and infrastructure after the U.S. Central Intelligence Agency.

A detailed attribution has yet to be done, but researchers discovered clues through further investigation that imply the attacker is Russian — the Telegram user account associated with the attack has a Russian phone number, and the attacker interacts with researchers directly in Russian.

Screenshot of a conversation with the attacker in Russian (credit: Checkmarx)

Even after Checkmarx reported the attacks, the offender’s account is still able to publish potentially malicious packages on NPM and PyPi, where software supply chain attacks are rampant. Researchers say they will continue to monitor for any new activity.

Koldobsky warned that there would be more attacks from the same actors as well as copycats, simply because the method is easy and impactful.

Besides the campaign’s uncommon way of hiding its payload, it is rare yet not unknown for ransomware attackers to use open source as a delivery system, said Mike Parkin, senior technical engineer at Vulcan Cyber. In August, Sonatype discovered multiple malicious Python packages that embedded…


Feds Warn of TrickBot Spear-Phishing Attacks Delivering Malware Payload


By Jessica Davis

A joint federal alert warns that all entities should be on the alert for a newly observed spear-phishing campaign, leveraging malicious emails to deliver the TrickBot malware payload. Healthcare administrators should review the alert to view attack methods and indicators of compromise.

TrickBot is highly modular and is delivered through multiple stages, as its hackers leverage a full suite of tools to conduct a range of nefarious activities. Its hackers are highly sophisticated and continuously evolve the threat to further its impact.

The malware has been active since 2016, first as a banking trojan and now as a variant often paired with other malicious threats.

The alert comes on the heels of a recent report from Check Point that ranked TrickBot as the leading malware variant, since the global takedown of the Emotet botnet in January.

Despite the global takedown, hackers are continuing to leverage other high-ranking threats that have previously seen a high level of success, such as TrickBot. It’s the first time the TrickBot trojan has topped the malware index; it rose from the third position in January.


TrickBot was the fourth-most prevalent malware variant in 2020, affecting 8 percent of all global organizations. In fact, the threat was used in the massive ransomware attack against Universal Healthcare Services in the Fall of 2020.

The hackers used TrickBot to detect and harvest data from UHS’ systems prior to the ransomware deployment. All 400 sites were impacted by the incident, which lasted for more than three weeks and cost the health system about $67 million in lost revenue and recovery efforts.

“Criminals will continue using the existing threats and tools they have available, and TrickBot is popular because of its versatility and its track record of success in previous attacks,” researchers noted.

“Even when a major threat is removed, there are many others that continue to pose a high risk on networks worldwide, so organizations must ensure they have…


GitHub-hosted malware calculates Cobalt Strike payload from Imgur pic



A new strain of malware uses Word files with macros to download a PowerShell script from GitHub.

This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems.

Multiple researchers have linked this strain to MuddyWater (aka SeedWorm and TEMP.Zagros), a government-backed advanced persistent threat (APT) group, first observed in 2017 while mainly targeting Middle Eastern entities.

Word macro spins up PowerShell script hosted on GitHub

This week researcher Arkbird shared details on a new macro-based malware that is evasive and delivers its payload in multiple stages.

The malware strain, which looks “like MuddyWater,” according to the researcher, ships as an embedded macro within a legacy Microsoft Word (*.doc) file, in the style of the APT group.

In tests by BleepingComputer, when the Word document is opened, it runs the embedded macro. The macro further launches powershell.exe and feeds it the location of a PowerShell script hosted on GitHub.

Figure: Macro script embedded within the malicious Word doc, with a link to the GitHub-hosted PowerShell script (source: BleepingComputer)

The single-line PowerShell script has instructions to download a real PNG file (shown below) from the image hosting service Imgur.

While this image itself may be benign, its pixel values are used by the PowerShell script in calculating the next-stage payload, a technique known as steganography.

Figure: The PNG image whose pixel values the malware decodes to calculate the next-stage payload (source: Imgur)

As observed by BleepingComputer and shown below, the payload calculation algorithm runs a foreach loop over a set of pixel values within the PNG image and performs specific arithmetic operations on each to obtain functional ASCII commands.

Figure: The PowerShell script hosted on GitHub downloads the PNG from Imgur and uses it to calculate the payload (source: BleepingComputer)

Decoded script executes Cobalt Strike payload

The decoded script obtained from manipulating the PNG’s pixel values is a Cobalt Strike script.

Cobalt Strike is a legitimate penetration testing toolkit that allows attackers to deploy “beacons” on compromised devices to remotely “create shells,…
