Tag Archive for: windows

Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users

/in


Jul 06, 2023Ravie LakshmananEndpoint Security / Malware

Iranian hackers

The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware.

“TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho,” Proofpoint said in a new report.

“When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest.”

TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary’s use of an updated version of a Powershell implant called CharmPower (aka GhostEcho or POWERSTAR).

In the attack sequence discovered by the enterprise security firm in mid-May 2023, the hacking crew sent phishing emails to a nuclear security expert at a U.S.-based think tank focused on foreign affairs that delivered a malicious link to a Google Script macro that would redirect the target to a Dropbox URL hosting a RAR archive.

Windows macOS Malware

Present within the file is an LNK dropper that kicks off a multi-stage procedure to ultimately deploy GorjolEcho, which, in turn, displays a decoy PDF document, while covertly awaiting next-stage payloads from a remote server.

But upon realizing that the target is using an Apple computer, TA453 is said to have tweaked its modus operandi to send a second email with a ZIP archive embedding a Mach-O binary that masquerades as a VPN application, but in reality, is an AppleScript that reaches out to a remote server to download a Bash script-based backdoor called NokNok.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

NokNok, for its part, fetches as many as four modules that are capable of…

Source…

Avast released a free decryptor for Windows version of Akira ransomwareSecurity Affairs

/in


Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom.

Cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom.

The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate,

Akira is a Windows ransomware with a 64-bit Windows binary, it is written in C++ and uses the Boost library to implement the asynchronous encryption code. The authors used Microsoft Linker version 14.35. 

In June 2023, the malware analyst rivitna published a sample of the ransomware that is compiled for Linux. This Linux version is 64-bit and also uses the Boost library, it uses the Crypto++ library instead of Windows CryptoAPI.

“During the run, the ransomware generates a symmetric encryption key using CryptGenRandom(), which is the random number generator implemented by Windows CryptoAPI. Files are encrypted by Chacha 2008 (D. J. Bernstein’s implementation).” reads the report published by Avast.

“The symmetric key is encrypted by the RSA-4096 cipher and appended to the end of the encrypted file. Public key is hardcoded in the ransomware binary and differs per sample.”

The ransomware appends .akira extension to the encrypted files and drops a ransom note named akira_readme.txt in each folder.

Akira ransomware

The researchers discovered a few similarities between the Akira ransomware and the Conti v2 ransomware, a circumstance that suggests the authors may have used the leaked source code of the Conti ransomware.

The list of similarities includes:

  1. List of file type exclusions.
  2. List of directory exclusions.
  3. The structure of the Akira file tail is equal to the file tail appended by Conti.

The first step is to download the decryptor binary. Avast provides a 64-bit decryptor, as the ransomware is also a 64-bit and can’t run on 32-bit Windows. If you have no choice but to use 32-bit applications, you may download 32-bit decryptor here.

Avast released both a 64-bit decryptor and a 32-bit Windows…

Source…

iTunes on Windows security flaw allows unauthorized access

/in


iTunes on Windows has a security flaw

Researchers have found a vulnerability in iTunes for Windows that lets users escalate system privileges, and Windows users should update the app.

In late 2022, the Synopsys Cybersecurity Research Center (CyRC) discovered a security vulnerability within the Windows version of the iTunes app. Exploiting it can lead to local privilege escalation to achieve system-level privileges.

User privileges, also known as permissions, define what a user account can do on a computer system. They are an essential part of the system’s security, ensuring that users can perform tasks without compromising the system’s security.

Privileges can include the ability to open files, change or delete data, or modify system settings. Users with administrative privileges can do more, such as installing new apps and managing user accounts.

With this vulnerability, someone with limited user privileges on a Windows computer, specifically running specific versions of iTunes, could exploit the system to acquire elevated privileges. That could allow a malicious person to gain unauthorized access to sensitive data, change or delete data they aren’t supposed to, or launch attacks on other computers within the same network.

The iTunes software creates a folder (“SC Info”) on the Windows system. Only the system should use this folder, but iTunes gives all users complete control over it.

If a user deletes this folder and then creates a link from where the folder was to the Windows system folder, this forces a system repair process that recreates the folder.

That new folder, linked to the system folder, gives assailants high-level access to the Windows system.

How to protect yourself from the iTunes bug

The Synopsys team already reported the vulnerability to Apple, tracked as CVE-2023-32353 in the database of publicly-disclosed computer security flaws known as Common Vulnerabilities and Exposures. As a result, Apple issued a patch on May 23.

It affects versions of iTunes on Windows before 12.12.9, and users are advised to install the update…

Source…

Two Microsoft Windows bugs under attack, one in Secure Boot with a manual fix • The Register

/in


Patch Tuesday May’s Patch Tuesday brings some good and some bad news, and if you’re a glass-half-full type, you’d lead off with Microsoft’s relatively low number of security fixes: a mere 38.

Your humble vulture, however, is a glass-half-empty-and-who-the-hell-drank-my-whiskey kind of bird, so instead of looking on the bright side, we’re looking at the two Microsoft bugs that have already been found and exploited by miscreants. Plus a third vulnerability, which has been publicly disclosed. We’d suggest patching these three stat.

Six of the 38 vulnerabilities are deemed “critical” because they allow remote code execution.

The two that are under active exploit, at least according to Microsoft, are CVE-2023-29336, a Win32k elevation of privilege vulnerability; and CVE-2023-24932, a Secure Boot security feature bypass vulnerability, which was exploited by the BlackLotus bootkit to infect Windows machines. Interestingly enough, BlackLotus abused CVE-2023-24932 to defeat a patch Microsoft issued last year that closed another bypass vulnerability in Secure Boot. Thus Redmond fixed a hole in Secure Boot, and this malware abused a second bug, CVE-2023-24932, to get around that.

CVE-2023-29336 is a 7.8-out-of-10 rated flaw in the Win32k kernel-mode driver that can be exploited to gain system privileges on Windows PCs. 

“This type of privilege escalation is usually combined with a code execution bug to spread malware,” Zero Dan Initiative’s Dustin Childs said. “Considering this was reported by an AV company, that seems the likely scenario here.” 

Redmond credited Avast bug hunters Jan Vojtešek, Milánek, and Luigino Camastra with finding and disclosing the bug.

Time to boot out a threat

Meanwhile, CVE-2023-24932 received its own separate Microsoft Security Response Center (MSRC) advisory and configuration guidance, which Redmond says is necessary to “fully protect against this vulnerability.”

“This vulnerability allows an attacker to execute self-signed code at the Unified Extensible Firmware Interface (UEFI) level while Secure Boot is enabled,” MSRC warned. “This is used by threat actors primarily as a persistence and defense evasion mechanism.”

If also noted, however,…

Source…