Tag Archive for: spread

New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner


Sysrv is a well-documented botnet first identified in 2020, with the main payload being a worm written in Golang. It drops a cryptominer onto infected hosts before attempting to propagate itself using various methods, including network vulnerabilities. Over the past few years, the botnet has evolved and adapted and has been broadly documented by researchers from various organizations [1][2][3]. In this blog we will explore the latest variant (shown in the infection chain diagram below), along with the new techniques used and the latest IoCs uncovered by Imperva Threat Research.

Compromised Sites

Imperva Threat Research first uncovered suspicious behavior relating to the botnet in early March, in the form of blocked HTTP requests observed hitting Imperva proxies. The requests were highly indicative of bot traffic, targeting many sites, across multiple countries. The requests shared common signatures and attempted to exploit multiple known web vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084).

A more interesting observation, however, was the use of a seemingly legitimate domain belonging to a known Malaysian academic institution, whose name we have withheld to allow them to remediate the infection. The domain is used to host the institution’s digital archive, and is based on a platform known as Duraspace or DSpace. The perpetrators of this iteration of the sysrv botnet campaign appear to have compromised the site to host their malicious files.

Updated Dropper Script

As part of our analysis of this campaign, we downloaded and analyzed the malware samples hosted on the compromised site. The first of these was a dropper bash script named “ldr.sh”, which is notably similar to previously documented iterations of the sysrv botnet.

The script defines several variables related to the downloading of the second-stage binary: the “cc” variable, which contains the URL of the compromised site; a “sys” variable, which contains a random string generated from the md5 hash of the date; and a “get” function, which can be used to download files from URLs passed to it.

The variables and function are used later in the…


DarkGate gang using CAPTCHA to spread malware


Legal advertising tools are being leveraged by cybercriminals to conceal their illicit campaigns and track victims to see how responsive they are to malware links, an analyst warns.

Hewlett Packard’s latest threat insights disclosure was revealed today (February 15th) and shines a light on DarkGate, a consortium of web-based criminals who are using legal advertising tools to augment their spam-based malware attacks.

Hewlett’s threat research team, HP Wolf Security, says it tracked DarkGate, observed operating as a malware provider since 2018, and noticed a shift in tactics last year that entailed using legitimate advertisement networks “to track victims and evade detection.”

It added: “By using ad services, threat actors can analyze which lures generate clicks and infect the most users – helping them refine campaigns for maximum impact.”

DarkGate targets potential victims with a carefully crafted email phishing campaign that encourages them to click on an infected PDF file – so far, so normal.

But instead of rerouting the target directly to the payload once they do click, the DarkGate campaign sends them to a legitimate online ad network first.

“The ad URL contains identifiers and the domain hosting the file,” said Wolf Security. “In the backend definition of the ad link, the threat actor defines the final URL, which is not shown in the PDF document. Using an ad network as a proxy helps cybercriminals to evade detection and collect analytics on who clicks their links.”

Turning defense into attack

This ploy also allows DarkGate to lean into the ad company’s own defenses – cunningly using these to conceal its own nefarious activities.

“Since the ad network uses CAPTCHAs to verify real users to prevent click fraud, it’s possible that automated malware analysis systems will fail to scan the malware because they are unable to retrieve and inspect the next stage in the infection chain, helping the threat actor to evade detection,” said Wolf Security.

This has the added benefit of making the lure appear more plausible – being routed through a legitimate ad network domain and asked to pass a CAPTCHA test only adds to the campaign’s veneer of…


Raspberry Robin Malware Upgrades with Discord Spread and New Exploits


Feb 09, 2024, Newsroom, Malware / Dark Web


The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before.

This means that “Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time,” Check Point said in a report this week.

Raspberry Robin (aka QNAP worm), first documented in 2021, is an evasive malware family that’s known to act as one of the top initial access facilitators for other malicious payloads, including ransomware.

Attributed to a threat actor named Storm-0856 (previously DEV-0856), it’s propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a “complex and interconnected malware ecosystem” with ties to other e-crime groups like Evil Corp, Silence, and TA505.


Raspberry Robin’s use of one-day exploits such as CVE-2020-1054 and CVE-2021-1732 for privilege escalation was previously highlighted by Check Point in April 2023.

The cybersecurity firm, which detected “large waves of attacks” since October 2023, said the threat actors have implemented additional anti-analysis and obfuscation techniques to make it harder to detect and analyze.

“Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed,” it noted.

“Those one-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a zero-day and was sold on the dark web.”

A report from Cyfirma late last year revealed that an exploit for CVE-2023-36802 was being advertised on dark web forums in February 2023. This was seven months before Microsoft and CISA released an advisory on active exploitation. It was patched by the Windows maker in September 2023.


Raspberry Robin is said to have started utilizing an exploit for the flaw sometime in October 2023, the same month a public exploit code was made available, as well as for CVE-2023-29360 in August. The latter was publicly…


Hackers using Microsoft Teams for phishing attacks to spread malware: Report


Cybercriminals are using Microsoft’s video conferencing platform Teams for a new malware campaign. According to a report by AT&T Cybersecurity research, hackers are using Microsoft Teams group chat requests as new phishing attacks to push malicious attachments that can install DarkGate malware payloads on victims’ systems. Researchers claim that the attackers may have used a compromised Teams user (or domain) to send over 1,000 malicious Teams group chat invites.

How these Microsoft Teams group chat requests can be harmful

The report claims that once the malware is installed on a victim’s system, it will reach out to its command-and-control server. This server has already been identified as part of DarkGate malware infrastructure by Palo Alto Networks, reports Bleeping Computer.

As per the report, the hackers were able to push this phishing campaign as Microsoft allows Teams users to message other users by default.

AT&T Cybersecurity network security engineer Peter Boyle has warned: “Unless absolutely necessary for daily business use, disabling External Access in Microsoft Teams is advisable for most companies, as email is generally a more secure and more closely monitored communication channel. As always, end users should be trained to pay attention to…
