From the Front Lines | New macOS ‘covid’ Malware Masquerades as Apple, Wears Face of APT

Earlier this year, we reported on ESET’s discovery of OSX.DazzleSpy, an information stealer and backdoor likely targeted at Hong Kong’s pro-democracy activists. As part of our own threat hunting activities into DazzleSpy and related malware campaigns such as Zuru, Macma, Gimmick and pymafka, we recently came across a new malware sample that at first sight appeared to be a DazzleSpy variant. Further analysis, however, made that attribution tough to call, but the sample’s novel characteristics and use of multiple open-source projects should make it of interest to threat hunting and detection teams.

Dropper and Persistence

On 20th April, 2022, a DMG named ‘vpn’ was uploaded to VirusTotal.

[Image: malicious disk image on VirusTotal]

Apparently unremarkable, further analysis showed that the disk image contained an application bundle called ‘vpn.app’, an application built with Platypus, an open-source toolkit that allows developers to turn scripts into Mac applications.

[Image: Platypus Mac application]

Platypus applications use a launcher executable in the app bundle to run the script in the bundle’s Resources folder. Since the script is simply a plain text file, it’s easy enough to examine to see what the “application” is really intended to do.

In this case, the script file (shown below) revealed that the supposed ‘vpn.app’ was really something quite different.

[Image: vpn malware script]

The script begins by creating a hidden folder, ~/.androids, in the User’s home directory. It then checks to see if the host architecture is x86_64 or not via the uname utility.

Depending on the architecture, the script downloads one of two possible second-stage Mach-Os from the IP address http[:]//46[.]137.201.254. Although we were only able to retrieve the x86_64 payload, since a Platypus-built application only runs on macOS we can assume that the alternative payload is an arm64 executable built for Apple’s M1 architecture.

The payload is installed in the invisible directory as ~/.androids/softwareupdated. This executable is the target for the persistence LaunchAgent that the script writes to ~/Library/LaunchAgents/com.apple.softwareupdate.plist.

After installing the persistence agent, the script downloads and executes a further payload, dropped with the name covid. This is written to the user’s home directory and neither attempts stealth nor persistence.

Softwareupdated

The choice of the name ‘softwareupdated’ is a masquerade of an Apple system binary of the same name that lives at /System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated.

Our initial assumption that this may have been a DazzleSpy variant stemmed from the fact that the persistence agent uses the same filename as DazzleSpy, i.e., ~/Library/LaunchAgents/com.apple.softwareupdate.plist, and an almost identical target executable name (DazzleSpy uses ‘softwareupdate’ rather than ‘softwareupdated’). On top of that, both use a hidden folder in the user’s home directory to house the target executable (.local in the case of DazzleSpy, .androids here). However, those indicators might easily have been chosen to deliberately confuse attribution, and it is not beyond the realms of possibility that the indicators are merely coincidental.
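The persistence indicators above (a com.apple.* LaunchAgent label in the user’s own LaunchAgents folder, pointing at an executable in a hidden home directory) are cheap to hunt for. The following is an added example, not code from the original report; the APPLE_OWNED prefixes are an assumption about where programs launched by genuine Apple agents live, and both sample plists are constructed here.

```python
"""Audit a user's LaunchAgents for the persistence pattern described above.

Added example, not code from the original report. It flags an agent whose
Label impersonates Apple (com.apple.*) while the program it launches lives
outside Apple-owned locations, and any agent whose program sits inside a
hidden directory under the user's home (such as ~/.androids).
"""
from __future__ import annotations

import plistlib
from pathlib import Path, PurePosixPath

# Assumption: programs launched by genuine Apple agents live under these roots.
APPLE_OWNED = ("/System/", "/usr/", "/Library/Apple/")


def program_path(plist: dict):
    """Return the executable a launchd job runs (Program wins over ProgramArguments)."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else None


def audit_agent(plist_bytes: bytes, home: str) -> list:
    """Return finding codes for one per-user LaunchAgent plist (empty if clean)."""
    plist = plistlib.loads(plist_bytes)
    findings = []
    label = str(plist.get("Label", ""))
    prog = program_path(plist)

    # Apple's own agents are installed under /System/Library/LaunchAgents, so a
    # com.apple.* label in ~/Library/LaunchAgents is itself worth a look.
    if label.startswith("com.apple."):
        findings.append("apple_label_in_user_launchagents")
        if prog and not prog.startswith(APPLE_OWNED):
            findings.append("apple_label_non_apple_program")

    # Any hidden path component between $HOME and the executable (e.g. .androids).
    if prog:
        try:
            rel = PurePosixPath(prog).relative_to(PurePosixPath(home))
        except ValueError:
            rel = None
        if rel is not None and any(part.startswith(".") for part in rel.parts):
            findings.append("program_in_hidden_home_dir")
    return findings


def audit_user_launchagents(home: str) -> dict:
    """Audit every plist in <home>/Library/LaunchAgents; returns {path: findings}."""
    results = {}
    agents_dir = Path(home, "Library", "LaunchAgents")
    if not agents_dir.is_dir():
        return results
    for plist_file in sorted(agents_dir.glob("*.plist")):
        try:
            findings = audit_agent(plist_file.read_bytes(), home)
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings = [f"unparseable_plist:{exc}"]
        if findings:
            results[str(plist_file)] = findings
    return results


# Constructed sample mirroring the agent described in the report (not the real file).
SAMPLE_MALICIOUS = plistlib.dumps({
    "Label": "com.apple.softwareupdate",
    "ProgramArguments": ["/Users/victim/.androids/softwareupdated"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

# Constructed benign agent for comparison: vendor label, program in /Applications.
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.backup",
    "Program": "/Applications/Backup.app/Contents/MacOS/backup",
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print("malicious:", audit_agent(SAMPLE_MALICIOUS, "/Users/victim"))
    print("benign:   ", audit_agent(SAMPLE_BENIGN, "/Users/victim"))
    print(audit_user_launchagents(str(Path.home())))
```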

Things become more interesting when we look at the payload. Static analysis of the malicious softwareupdated shows it to be a Sliver implant.

Sliver

Sliver is an open source red team framework written in Go that supports C2 communications over a variety of protocols, including TLS, HTTP, and DNS.

[Image: Sliver on GitHub]

While DazzleSpy used a mixture of open-source repos for various tasks, including the tonymillion Reachability framework, YYModel, and GCDAsyncSocket, this is the first time we’ve seen Sliver used in malware masquerading as Apple binaries and using com.apple labels for persistence.

Sliver implants offer the operator multiple functions useful to adversaries, including opening a shell on the target machine. The softwareupdated binary periodically checks in with the C2 to retrieve scheduled tasks, execute them, and return the results. Sliver implants also have the ability to allow the operator to open an interactive real time session for direct tasking and exploitation.

Covid Binary

The covid binary is also a Go executable, this time packed with UPX. After unpacking, the binary turns out to be an NSApplication built using MacDriver, another open-source project available on Github that provides a toolkit for working with Apple frameworks and APIs in Go.

MacDriver

As with the Sliver implant, the covid executable reaches out to http[:]//46[.]137.201.254, this time on port 8001, and checks the number of logical cores via sysctl as a means of detecting whether it is running in a virtual machine. Executing the covid binary pops a WebKit view in a standard macOS application window.

[Image: WebKit in disassembly]

More importantly, however, the covid binary uses a “fileless” technique to execute a further payload in-memory, evidenced by the tell-tale signs of NSCreateObjectFileImageFromMemory and NSLinkModule. This technique has been seen in a few campaigns in recent years, including by North Korean-linked APT Lazarus.

[Image: NSCreateObjectFileImageFromMemory]

While presenting a distracting interface to the user, perhaps around the supposed ‘vpn’ capabilities, the covid binary retrieves and executes a third stage payload.

[Image: NSLinkModule]

As the final payload was not available to us at the time of the analysis due to the C2 being offline, we are unable to say what the ultimate purpose of the covid binary was intended to be.
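The tell-tale imports mentioned above can be checked statically by walking a sample’s Mach-O symbol table. This is an added example, not code from the original analysis; it implements the standard 64-bit Mach-O header/LC_SYMTAB layout, and the sample image it parses is constructed inline so the script runs offline. As the report notes the covid binary was UPX-packed, run this on the unpacked file, since a packed image hides its real import table.

```python
"""Static triage for the in-memory loading indicators described above.

Added example, not code from the original analysis. It walks a 64-bit Mach-O's
LC_SYMTAB load command and reports which of the tell-tale dyld symbols
(NSCreateObjectFileImageFromMemory, NSLinkModule) the binary imports.
"""
from __future__ import annotations

import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF     # thin 64-bit little-endian Mach-O (x86_64, arm64)
LC_SYMTAB = 0x2
N_TYPE_MASK = 0x0E
N_UNDF = 0x00
N_EXT = 0x01
INMEM_LOADER_SYMBOLS = {"_NSCreateObjectFileImageFromMemory", "_NSLinkModule"}


def _cstring(data: bytes, offset: int) -> str:
    end = data.index(b"\0", offset)
    return data[offset:end].decode("utf-8", "replace")


def undefined_symbols(data: bytes) -> set:
    """Names of undefined (imported) symbols in a thin 64-bit Mach-O image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (FAT/32-bit images not handled here)")
    ncmds, = struct.unpack_from("<I", data, 16)
    names = set()
    offset = 32                                   # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd == LC_SYMTAB:
            symoff, nsyms, stroff, _strsize = struct.unpack_from("<IIII", data, offset + 8)
            for i in range(nsyms):
                # struct nlist_64: n_strx, n_type, n_sect, n_desc, n_value (16 bytes)
                n_strx, n_type, _sect, _desc, _value = struct.unpack_from(
                    "<IBBHQ", data, symoff + 16 * i)
                if (n_type & N_TYPE_MASK) == N_UNDF and n_strx:
                    names.add(_cstring(data, stroff + n_strx))
        offset += cmdsize
    return names


def inmemory_loader_indicators(data: bytes) -> set:
    """Subset of INMEM_LOADER_SYMBOLS the image imports (empty means none found)."""
    return undefined_symbols(data) & INMEM_LOADER_SYMBOLS


def build_sample_macho(imports) -> bytes:
    """Constructed minimal Mach-O whose only load command is an LC_SYMTAB of imports."""
    strtab, nlists = b"\0", b""                   # string index 0 is the empty name
    for name in imports:
        nlists += struct.pack("<IBBHQ", len(strtab), N_UNDF | N_EXT, 0, 0, 0)
        strtab += name.encode() + b"\0"
    cmdsize = 24                                  # sizeof(struct symtab_command)
    symoff = 32 + cmdsize
    stroff = symoff + len(nlists)
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 1, cmdsize, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, cmdsize, symoff, len(nlists) // 16,
                         stroff, len(strtab))
    return header + symtab + nlists + strtab


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho(
        ["_NSCreateObjectFileImageFromMemory", "_NSLinkModule", "_printf"])
    hits = inmemory_loader_indicators(data)
    print("in-memory loader imports:", sorted(hits) or "none")
```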

Conclusion

The indicators around this particular malware align neatly with what we might expect to see in a red team exercise – a red-teaming framework, a single (now offline) C2 hosted on Amazon, and the use of free and readily available open source tools like UPX, Sliver, MacDriver and Platypus, and, of course, binaries built from Go source code (an increasingly popular choice for malware authors of all stripes). We also note the lack of coherence and stealth used by the actors: an unsigned ‘vpn app’ dropping a payload called ‘covid’ in the user’s home directory doesn’t, at least without more context, make much sense on its own.

However, threat actors of all kinds can now easily imitate one another, and the use of indicators recently associated directly with the DazzleSpy campaign appears to be either an unhappy accident, deliberate misdirection, or a sign of a genuine variant in a known campaign.

We also note that thanks to the use of free, publicly available software, this entire campaign targeting macOS devices was built without using any proprietary Apple tools or software, such as the Xcode IDE. For threat hunters and detection teams, we hope that awareness of the kind of TTPs reported here will aid detection of similar infection attempts, regardless of the nature of the threat actor.

Indicators of Compromise

Name SHA1
vpn.dmg 563d75660e839565e4bb1d91bc1236f5ec3c3da7
script fa2556765290b0a91df3b34e3b09b31670762628
softwareupdated 0cfde0edb076154162e2b21e4ab4deb279aa9c7b
covid (packed) d0eb9c2c90b6f402c20c92e2f6db0900f9fff4f7
covid (unpacked) b4ab73b52a42f995fbabacb94a71f963fc4cda01

File paths
~/covid
~/.androids/softwareupdated
~/Library/LaunchAgents/com.apple.softwareupdate.plist

Network
46[.]137.201.254

Open-Source or Publicly-available Software Used
Go
MacDriver
Platypus
Sliver
UPX

Surviving the Storm | Defending Against Cloud Misconfigurations, Vulnerabilities, and Insider Threats

Over the last decade, Microsoft has expanded its product portfolio from an operating system provider to a company providing various solutions spanning productivity, collaboration, and cloud capabilities. Some organizations today choose Microsoft 365 and Microsoft Azure to consolidate their vendor portfolio while often compromising on best-in-class capabilities. This approach has introduced significant risks to organizations as they become overly dependent on a single vendor.

Today, all Microsoft services depend on Azure Active Directory as their primary Identity and Access Management (IAM) solution. With that, the weakest link in a Microsoft environment has become the user identity. When a threat actor can compromise a user identity with elevated privileges like the security administrator role, they can evade all of Microsoft’s defensive measures and security tools. In this blog post, we will look into how to identify and defend against some common cloud vulnerabilities, insider threats, and dangerous cloud misconfigurations.

Cloud Vulnerabilities

Cloud services offer significant advantages in scale and operational cost for organizations. Therefore, it is no surprise that over 60% of all enterprises leverage cloud services for their operations. However, with the rising adoption of cloud services, threat actors are shifting their attacks to target the cloud services directly that an organization is utilizing.

This risk presents a challenge for enterprises as they try to combat the already large attack surface of the Windows operating system; they now also have to handle the exponential increase of vulnerabilities in cloud and security services.

For example, security researchers at Proofpoint discovered that threat actors could initiate direct attacks against Microsoft Office 365 due to a design flaw that could allow attackers to encrypt files stored on SharePoint and OneDrive. In this example, the threat actor creates a malicious OAuth web application and lures a legitimate user to grant the threat actor the permissions for an account takeover.

SentinelLabs disclosed a privilege escalation vulnerability in Windows Defender in 2021 that had remained undiscovered for 12 years. In 2022, the same researchers also showed how Azure Defender for IoT contained multiple flaws affecting cloud and on-premise customers that allowed for remote code execution by unauthenticated attackers.

Meanwhile, numerous variants of NTLM relay attacks have been discovered, with Microsoft even stating that some had the status of ‘won’t fix’.

Due to often limited visibility into cloud environments, many organizations struggle to secure their crown jewels effectively, or assume that the responsibility for securing their cloud instances lies with the Cloud Service Provider (CSP). According to the IBM Data Breach report, more than 33 billion records were exposed in 2018 and 2019 alone due to cloud misconfigurations.

Insider Threat

The 2022 Insider Threat Report from Cybersecurity Insiders identified that insider incidents have become more frequent over the last 12 months. Let’s look into insider threats more closely and then explore the relationship in the context of Microsoft environments.

Type of Insider Threats

  • Incautious Insiders: Incautious insiders are individuals with access to the corporate environment who make an innocent or careless mistake resulting in a cyber attack. These could be individuals that aren’t cyber aware and, for example, fall for a targeted social engineering trap.
  • Malicious Insiders: Malicious insiders are individuals who have access to the corporate environment and agree to help threat actors, often for monetary gain. A recent prominent example would be a former Canadian government employee who pleaded guilty to working for a ransomware group responsible for hacking hospitals during the pandemic.

Cloud Misconfiguration

As organizations accelerate their adoption of cloud services to enable their digital transformation journey, security has often become an afterthought. The assumption that securing cloud instances is the sole responsibility of Cloud Service Providers (CSP) is dangerous. In a recent example, a VPN service provider discovered a cloud misconfiguration that could result in attackers accessing sensitive data stored in Microsoft Azure Blob accounts. The 2022 Cloud Security Report from Check Point confirms that 27% of organizations experienced a security incident in their public cloud infrastructure, while 23% of those were caused by cloud misconfigurations.

Countermeasures Provided by Microsoft

When examining the majority of attacks that target Microsoft environments, it’s clear that the top three causes are cloud vulnerabilities, insider threats, and cloud misconfigurations. What most of them have in common are weak security policies and implementations on the identity front. It is no surprise that Microsoft advocates that 99.9% of account compromises can be prevented with Multi-Factor Authentication (MFA). The challenge is that only 22% of enterprise customers utilize MFA, and even then, the basic implementation is often insufficient. For example, a cybersecurity researcher recently discovered how to leverage built-in functionality of WebView2 to extract cookies that allow the attacker to bypass MFA authentication.

As many organizations moved their user identity from on-premise Active Directory to hybrid or cloud-native identity with Azure Active Directory (Azure AD), new risks are rising. To better understand the security risk, we first need to understand the different roles in Azure AD and its relationship to Microsoft services. Today, all Microsoft services leverage Azure AD to manage Access controls. To help manage access controls, Microsoft offers several built-in roles that allow a user to manage Microsoft resources once assigned.

The highest privilege is given to the ‘Global Administrator’ role, which gets full access to all aspects of Microsoft services. Generally, this built-in role is highly guarded; however, Microsoft offers further roles such as ‘Security Administrator’, which grants full access to all Microsoft security services including Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel, or ‘Security Reader’, which grants read-only access to the Microsoft security products. These roles are commonly given to security personnel within an organization. Be aware that, even if an organization utilizes Role-Based Access Control (RBAC) in Microsoft 365 Defender or Microsoft Defender for Endpoint, any compromised user identity with the Security Administrator or Global Administrator privilege will be able to overwrite access controls and access the management consoles.

Microsoft is aware that these roles are powerful and that there is a risk when they are compromised. Therefore, Microsoft advocates for using capabilities like Just-In-Time Access and the broader Privileged Identity Management (PIM) service. However, similarly to MFA, only a tiny subset of enterprise organizations utilize these services due to their complex implementation. For those that do not, once a threat actor can compromise a user identity with, say, security administrator privileges, they now have access to the majority of Microsoft services, allowing them to evade the built-in security capabilities Microsoft offers.

Attack Simulations

Let’s examine a few possible threat models for an enterprise environment that leverages Microsoft.

Identity-Based Attack

For this exercise, the example enterprise has no Multi-Factor Authentication (MFA), uses a Hybrid Azure AD model, and utilizes Microsoft Defender for Endpoint. In this case, the threat actor compromises the user identity of a member of security staff, confirms that the user account has security administrator privileges, and enumerates the enabled security controls and products through the Microsoft 365 portal. The threat actor then chooses whether to disable those or simply avoid them as they progress to reach their end goal.

[Image: identity-based attack]

Due to the nature of the attack, Microsoft Defender for Endpoint is ineffective as it’s missing the context of the user identity.

Cloud-Based Attack

For this exercise the example enterprise has Multi-Factor-Authentication (MFA) and Privileged Identity Management (PIM), and Microsoft Defender for Cloud Apps. In this case, the threat actor identifies one or multiple employees in the IT or Security team and offers monetary gain if they were to perform certain actions inside the corporate network. As a result, given the user is within the IT or security division, the enabled security controls will most likely not raise immediate alerts for the suspicious activity but rather after the fact.

[Image: cloud-based attack]

People, Process, and Technology

The fundamental question becomes how organizations can reduce the risk of cloud misconfigurations, vulnerabilities in Microsoft products, and insider threats. When looking at this issue, it’s essential to understand the requirements across people, processes, and technology.

People

According to research by Mimecast, 90% of security breaches are caused due to human error. As such, it starts and ends with driving an effective security awareness program to reduce the risk of innocent or careless mistakes resulting in a cyber attack. It’s important to acknowledge that nobody is immune from making mistakes and neither from falling for a targeted social engineering attack. Therefore, the way we drive the internal cyber awareness culture is paramount. Employees need to understand their privilege levels, how they can contribute to securing the enterprise, and report suspicious activities.

Processes

Consistent processes are critical and need to be tested. For example, the employee device usage policy should not leave room for interpretation. It should be clear what employees can or cannot do and outline the relevant security controls that need to be in place.

Furthermore, it should be clear how employees can report possible security incidents effectively. When defining these processes, it’s essential that beyond just defining these, they are getting tested to ensure the security team can identify blind spots ahead of time.

Technology

According to the Verizon 2022 Data Breach Investigations Report, 61% of all breaches involved user identities. When looking at many enterprise organizations today, the IT and Security team needs to support various operating systems, cloud services, and endpoint types. These environments are often a combination of legacy and modern systems.

With that, it’s no surprise that many organizations today have between 25 and 49 independent tools from 10 or more vendors to detect, triage, investigate or hunt for threats. However, as organizations are looking into vendor consolidation, they are looking for platform vendors that can help them across their digital estate rather than focusing on individual silos.

As such, enterprises need to consider the integration of security capabilities that can detect, protect and respond to threats across the entire estate, leveraging the complementary nature of XDR and ITDR.

Conclusion

As organizations utilize cloud services, it is essential to understand the new threat models and be aware that securing cloud services isn’t the sole responsibility of the CSP. Importantly, as security teams start to pivot, focusing on securing the cloud, it is important to look at the bigger picture for the enterprise environment and understand the risks across different surfaces–identity, email, endpoint, network–and identify means to protect, detect, respond, and recover from cyber threats across the entire digital estate.

To learn more about how SentinelOne can help protect your organization from the issues discussed above, visit Singularity Identity.

Singularity RANGER | AD Assessor
A cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD

The Good, the Bad and the Ugly in Cybersecurity – Week 27

The Good

An alleged ransomware affiliate has reached a plea deal in the United States for collaborating with a ransomware-as-a-service (RaaS) gang.

The U.S. Department of Justice has identified the threat actor as a former employee of Public Services and Procurement Canada, the Canadian government’s department for the federal government’s real estate activity. According to a recent report, the defendant pleaded guilty to hacking-related charges as a member of the NetWalker threat group. This particular threat group offers ransomware-as-a-service to target law enforcement, schools, higher education institutions, and hospitals based in the United States.

Security experts believe that since its first sighting in 2020, the threat actors behind NetWalker have collected over $46 million in ransoms. But in March 2022, the Department of Justice announced that the U.S. government had extradited the defendant from Canada to Florida, seizing approximately $28 million USD of Bitcoin in the process.

This is a major victory for both victims of the NetWalker ransomware gang and international law enforcement. Many threat actors operate in areas that are difficult for U.S. law enforcement to reach, and as a result, often escape the trial process and accountability for their actions. Moreover, the defendant’s plea deal also contains an agreement to cooperate with prosecutors on related investigations, potentially giving international law enforcement the leads they need to eliminate other major threats in the cybersecurity landscape.

The Bad

The Black Basta ransomware group has struck again. Recently, New Peoples Bank, a community bank serving Virginia, West Virginia, Tennessee, and North Carolina, notified their customers of an “interruption” to their services that they discovered on June 15th, 2022.

Since its first sighting in April 2022, Black Basta has gained notoriety for launching double extortion attacks by leveraging older malware to establish a foothold in infected systems.

In their statement, New Peoples Bank detailed their investigation and response efforts, which include involving law enforcement, regulators and a third-party cybersecurity firm in the investigation. According to the latest findings, a threat actor gained access to the bank’s systems on June 9th and managed to evade existing security controls to access personally identifiable information, including customers’ Social Security numbers, driver’s license numbers, financial account information, and electronic signatures.

Despite their system outages, New Peoples Bank has confirmed that at the time of publication, all of the bank’s systems have been restored, and all transactions from June 15th onwards have been processed. However, the bank has cautioned people to keep an eye on their account statements and credit reports for suspicious activity, and is offering a one-year membership to an identity protection and monitoring program to provide extra visibility.

Incidents like these show how emerging threats can impact organizations and enterprises, even when they have a security framework in place, and how vital it is to ensure that your cybersecurity program can stay ahead of new vulnerabilities and sophisticated threats.

The Ugly

This week, the FBI and the Western District of Oklahoma uncovered a group running a piracy scheme involving millions of dollars worth of stolen software licenses.

According to a press release from the U.S. Department of Justice, authorities have indicted three individuals for violating wire fraud and money laundering statutes while running an operation to sell over $88 million USD worth of licenses stolen from Avaya Holdings Corporation. These licenses were affiliated with Avaya’s IP Office phone system, and allowed customers to unlock premium features, including an expansion of a small or medium-sized business’ phone network or the addition of voicemail.

While these software licenses can only be generated by Avaya and sold by authorized distributors and resellers, one defendant used his system administrator privileges to not only generate software license keys to sell but also hijack accounts that belong to former Avaya employees to generate even more keys, and conceal his activity from the corporation for years.

While detailing the evidence surrounding the defendants’ money laundering, the indictment also discussed the unseen consequences of this piracy scheme. According to the press release, the $88 million in revenue these actors brought in allowed them to “undercut the global market” for Avaya’s software by selling software licenses for significantly below the company’s wholesale price. One defendant was even quoted as saying their collaboration could “corner” Avaya’s market.

This scheme offers a sobering reminder of how internal actors can pose a serious threat by leveraging lateral movement and privilege escalation. Although many design their cybersecurity programs to keep pace with outside threats, it’s important to have measures in place to detect and prevent suspicious activity from the inside. Without this preparation, companies stand to lose much more in the long run.

Rise in Identity-Based Attacks Drives Demand for a New Security Approach

The frequency of ransomware attacks has doubled over the last couple of years, accounting for 10% of all breaches. According to the 2022 Verizon Data Breach Investigation Report, the ‘human element’ is the primary means of initial access in 82% of breaches, with social engineering and stolen credentials serving as key threat actor TTPs. Attackers consistently attempt to access valid credentials and use them to move throughout enterprise networks undetected. These challenges are driving CISOs to put identity security at the top of their priority list.

Traditional Identity Solutions Still Leave Room for Attacks

Traditional identity security solutions topping the list include Identity and Access Management (IAM), Privileged Access Management (PAM), and Identity Governance and Administration (IGA). These tools ensure the right users have appropriate access and employ continuous verification, guiding principles of the zero-trust security model.

However, Identity and Access Management – focusing solely on provisioning, connecting, and controlling identity access – is just the starting point to identity security. Coverage must extend beyond the initial authentication and access control to other identity aspects such as credentials, privileges, entitlements, and the systems that manage them, from visibility to exposures to attack detection.

From an attack vector perspective, Active Directory (AD) is an obvious asset. AD is where identity and its key elements naturally exist, which is why it is in an attacker’s crosshairs and a top security concern. In addition, as cloud migration continues at a rapid pace, additional security challenges arise as IT teams move quickly to provision across their environments.

When AD vulnerabilities combine with the cloud’s tendency toward misconfiguration, the need for an additional layer of protection beyond provisioning and access management becomes much clearer.

Identity Security with a New Twist

Modern, innovative identity security solutions provide essential visibility into credentials stored on endpoints, Active Directory (AD) misconfigurations, and cloud entitlement sprawl. Identity Attack Surface Management (ID ASM) and Identity Threat Detection and Response (ITDR) are new security categories designed to protect identities and the systems that manage them.

These solutions complement and operate in conjunction with Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Network Detection and Response (NDR), and other similar solutions.

ID ASM looks to reduce the identity attack surface to limit the exposures attackers can exploit. The fewer exposures, the smaller the identity attack surface. For most enterprises, this means Active Directory, whether on-premises or in Azure.

While EDR is a robust solution that looks for attacks on endpoints and collects data for analysis, ITDR solutions look for attacks targeting identities. Once an ITDR solution detects an attack, it adds a layer of defense by providing fake data that redirects the attacker to an authentic-looking decoy and automatically isolates the compromised system conducting the query.

ITDR solutions also provide incident response assistance by collecting forensic data and gathering telemetry on the processes used during the attack. The complementary nature of EDR and ITDR means the two fit together to achieve a common goal – thwarting an attacker’s efforts.

ID ASM and ITDR solutions provide detection of credential misuse, privilege escalation, and other tactics that attackers exploit or engage in within the network. They close critical gaps between identity access management and endpoint security solutions, stopping cybercriminal attempts to exploit vulnerable credentials to move through networks undetected.

Identity Threat Security Solutions

SentinelOne has leveraged its deep experience in privilege escalation and lateral movement detection and offers a best-of-breed solution in the Identity Threat Detection and Response and ID ASM spaces. The company has secured its leadership position based on its broad ITDR and ID ASM solutions portfolio.

Identity Security Products:

  • Ranger® AD for continuous assessment of Active Directory exposures and activities that would indicate an attack
  • Singularity® Identity for detection of unauthorized activity and attacks on Active Directory, protection against credential theft and misuse, prevention of Active Directory exploitation, attack path visibility, attack surface reduction, and lateral movement detection

It’s Time for a New Identity Security Approach

With identity-based attacks on the rise, today’s businesses require the ability to detect when attackers exploit, misuse, or steal enterprise identities. This need is particularly true as organizations race to adopt the public cloud, and both human and non-human identities continue to increase exponentially.

Given the penchant for attackers to misuse credentials, leverage Active Directory (AD), and target identities through cloud entitlement, it is critical to detect identity-based activity with modern ID ASM and ITDR solutions.

Learn more about SentinelOne’s Ranger AD® and Singularity® Identity solutions.


The Link Between AWM Proxy & the Glupteba Botnet

On December 7, 2021, Google announced it was suing two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at Kaspersky Lab showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by TDSS (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at ESET found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polska) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned Meris, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “RSOCKS” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from Riley Kilmer, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

IF YOUR PLAN IS TO RIP OFF GOOGLE…

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in AD1[.]ru, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code (UA-3816536) included in the HTML of the original AWM Proxy website back in 2008.

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar Domenadom[.]ru, and the website web-site[.]ru, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers techplast[.]ru and tekhplast[.]ru — also shared a different Google Analytics code (UA-1838317) with web-site[.]ru and with the domain “starovikov[.]ru.”
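The pivot used here, treating a shared tracking ID as an edge between otherwise unrelated domains, is easy to mechanize once you hold cached copies of the pages. The following Python is an added example written for this post, not code from KrebsOnSecurity, Spur.us or Constella: it extracts Universal Analytics account numbers from HTML, indexes domains by account, and walks the resulting graph so that every linked domain comes with its chain of evidence. The HTML fragments are constructed; the label awmproxy-2008 stands in for the original storefront (the article does not name its domain), the property suffixes are invented, and unrelated.example is a control that must not be linked. Only the two account numbers and the Russian domains are taken from the article.

```python
import re
from collections import defaultdict

# Universal Analytics tracking IDs have the form UA-<account>-<property>.
# The pivot is on the account number: one account can own several properties,
# and the article cites account-level values such as UA-3816536.
GA_ACCOUNT = re.compile(r"\bUA-(\d{4,10})(?:-\d+)?\b")

# Constructed HTML fragments, not real captures. Domains and account numbers
# are those named in the article; the markup, the "awmproxy-2008" label,
# the property suffixes and the control site are assumptions.
SAMPLE_PAGES = {
    "awmproxy-2008": "<script>_gat._getTracker('UA-3816536-1');</script>",
    "domenadom.ru": "<script>_gat._getTracker('UA-3816536-2');</script>",
    "web-site.ru": ("<script>ga('create', 'UA-3816536-3');</script>"
                    "<script>ga('create', 'UA-1838317-1');</script>"),
    "techplast.ru": "<script>ga('create', 'UA-1838317-2');</script>",
    "tekhplast.ru": "<script>ga('create', 'UA-1838317-3');</script>",
    "starovikov.ru": "<script>ga('create', 'UA-1838317-4');</script>",
    "unrelated.example": "<script>gtag('config', 'G-ABCDEF1234');</script>",
}


def extract_ga_accounts(html):
    """Return the set of UA account numbers referenced by one page."""
    return {"UA-" + acct for acct in GA_ACCOUNT.findall(html)}


def build_index(pages):
    """Build both directions of the domain <-> account relation."""
    by_domain = {domain: extract_ga_accounts(html) for domain, html in pages.items()}
    by_account = defaultdict(set)
    for domain, accounts in by_domain.items():
        for acct in accounts:
            by_account[acct].add(domain)
    return by_domain, by_account


def linked_domains(start, by_domain, by_account):
    """Breadth-first walk over the bipartite domain/account graph from `start`.
    Returns {domain: path}; each path alternates domain, account, domain, ...
    so the chain of evidence behind every hit is visible."""
    paths = {start: [start]}
    frontier = [start]
    while frontier:
        next_frontier = []
        for domain in frontier:
            for acct in sorted(by_domain.get(domain, ())):
                for other in sorted(by_account.get(acct, ())):
                    if other not in paths:
                        paths[other] = paths[domain] + [acct, other]
                        next_frontier.append(other)
        frontier = next_frontier
    return paths


if __name__ == "__main__":
    domains, accounts = build_index(SAMPLE_PAGES)
    for domain, path in linked_domains("awmproxy-2008", domains, accounts).items():
        print(f"{domain:18} <- {' -> '.join(path)}")
```

A shared tracking ID is a lead, not proof: agencies and copied page templates spread the same account across unrelated sites, which is why the article corroborates the link with WHOIS records and incorporation documents before naming anyone.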

The name on the WHOIS registration records for the plastics domains is an “Alexander I. Ukraincki,” whose personal information also is included in the domains tpos[.]ru and alphadisplay[.]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “uai@” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). [Full disclosure: Constella is currently an advertiser on this website].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “2222den” and “2222DEN.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “dennstr.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site[.]ru’s original WHOIS records, which show it was assigned in 2005 to a “private person” who used the email address lycefer@gmail.com. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov[.]ru and starovikov[.]com.

A cached copy of the contact page for Starovikov[.]com shows that in 2008 it displayed the personal information for a Dmitry Starovikov, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site[.]ru) was registered in 2005 to two men, one of whom was named Dmitry Sergeevich Starovikov.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

Securing the Nation’s Critical Infrastructure | Action Plans to Defend Against Cyber Attacks

Industries around the globe increasingly rely on operational technology (OT) and industrial control systems (ICS) to support their mission-critical infrastructures while at the same time they are facing a significant increase in cyber threats.

According to CISA, the Russian government is exploring options for cyberattacks against critical infrastructure systems. Other threat actors have deliberately targeted critical infrastructure in the past and the challenge remains: how do we protect mission-critical cyber assets that are crucial to the nation’s well-being?

Why Do Cybercriminals Target Critical Infrastructure?

There are several reasons why cybercriminals target critical infrastructure. Most malicious activity against ICS and Supervisory Control and Data Acquisition (SCADA) systems is financially or politically motivated.

Financially-motivated attackers seek to hit public services with ransomware, in part because such assets are often running on legacy hardware or software and may be vulnerable to known exploits. Ransomware operators also hope that the mission-critical nature of such targets will force organizations to pay the ransom in order to protect those that rely on the services they provide. 

Politically-motivated attackers, meanwhile, seek to disrupt critical national infrastructure during times of crisis or when significant events are taking place, such as elections, health emergencies and wars. Such politically-motivated attacks often reach beyond their intended targets, causing collateral damage to other organizations. During Russia’s invasion of Ukraine, for example, threat actors targeted essential organizational infrastructure within and beyond the region. These state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks and the deployment of destructive malware against the Ukrainian government and critical national infrastructure (CNI) organizations.

Targeting critical infrastructure to trigger a panic can include attacking the nation’s financial and healthcare systems or electricity grids. Cybercriminals have attacked high-value organizations and those that provide critical services in several high-profile incidents. These included AcidRain, an attack on Viasat KA-SAT modems in Europe, Russian state-sponsored distributed denial-of-service (DDoS) attacks, the Colonial Pipeline attack, a ransomware attack on JBS Foods, and a supply chain attack on Kaseya Limited.

How Do Cybercriminals Exploit Critical Infrastructure?

Several factors contribute to devastating breaches. Here are some of the ways cybercriminals gain a foothold in, and exploit, critical infrastructure:

  • Exploit vulnerable systems – Unpatched and misconfigured devices in critical infrastructure carry a significant risk of being breached. Attackers look for weaknesses in the standard and proprietary ICS protocols, including MMS (Manufacturing Message Specification) and GOOSE (Generic Object Oriented Substation Event), both used by the IEC 61850 standard, Modbus (supervision and control), DNP3 (energy and water), BACnet (building automation), and IPMI (the Intelligent Platform Management Interface used by baseboard management controllers). Most of these protocols were designed without authentication, and attackers know that patching or other mitigations are often not possible in production environments, so they attempt to exploit these weaknesses directly.
  • Perform denial-of-service (DoS) attacks – Attackers can gain access through a compromised IT system, perform reconnaissance and move laterally into the OT network to launch a denial-of-service attack against controllers or the processes they run.
  • Deploy ransomware and/or wipers – A recent joint advisory from CISA, the FBI and the NSA reports an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The agencies observed ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology sectors, and noted that several ransomware groups had developed code to stop critical infrastructure or industrial processes.
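To make the protocol point concrete, here is an added example written for this post (it is not part of the original article or of any SentinelOne product) that parses Modbus/TCP requests and applies two checks a monitor on the OT segment can make: writes from any host that is not on the engineering-workstation allowlist, and the Diagnostics sub-function Force Listen Only Mode (0x0004), which silences a device and is a denial-of-service primitive built into the protocol itself. The frames and IP addresses are hand-built for the example; the frame layout and function codes come from the public Modbus specification.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus/TCP function codes from the public specification. Writes change
# process state; Diagnostics sub-function 0x0004 ("Force Listen Only Mode")
# makes a device stop responding.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
ADDRESSED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23}
FORCE_LISTEN_ONLY = b"\x00\x04"


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting coil/register address when the PDU carries one
    payload: bytes          # PDU bytes following the function code


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Raises ValueError on a malformed frame instead of guessing."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    function = frame[7]
    payload = frame[8:]
    address = None
    if function in ADDRESSED_FUNCTIONS and len(payload) >= 2:
        address = struct.unpack(">H", payload[:2])[0]
    return ModbusRequest(tid, unit, function, address, payload)


def audit(frames: List[Tuple[str, bytes]], allowed_writers: set) -> List[Tuple[str, str, str]]:
    """Flag writes from hosts outside the allowlist, any Force Listen Only
    request, and frames that do not parse. Returns (source, kind, detail)."""
    alerts = []
    for src, raw in frames:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append((src, "malformed", str(exc)))
            continue
        name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, "unauthorized-write", f"{name} unit={req.unit_id} addr={req.address}"))
        if req.function == 8 and req.payload[:2] == FORCE_LISTEN_ONLY:
            alerts.append((src, "force-listen-only", f"unit={req.unit_id}"))
    return alerts


# Constructed frames (hand-built, not captured traffic). Addresses are assumed:
# 10.1.1.5 is the engineering workstation, 10.0.50.23 a host on the IT network.
ALLOWED_WRITERS = {"10.1.1.5"}
SAMPLE_FRAMES = [
    ("10.1.1.5",   bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding registers
    ("10.1.1.5",   bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),  # write register 0x10, allowed host
    ("10.0.50.23", bytes.fromhex("0003 0000 0006 01 05 0007 ff00")),  # write coil 7 from the IT network
    ("10.0.50.23", bytes.fromhex("0004 0000 0006 01 08 0004 0000")),  # Diagnostics: Force Listen Only
    ("10.0.50.23", bytes.fromhex("0005 0000 0009 01 03 0000 000a")),  # length field disagrees with frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print(alert)
```

Modbus has no authentication, so a write is legitimate only by virtue of where it comes from, which is exactly what segmentation plus an allowlist enforce. The parser rejects frames whose MBAP length field disagrees with the bytes present rather than guessing, since malformed frames aimed at a PLC are themselves worth an alert.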

Recommended Action Plans to Protect ICS Systems

Securing infrastructure requires a new approach to mitigating cyber-attacks targeting OT/ICS systems vulnerabilities. Here are some recommended action plans that will help protect essential OT assets in today’s interconnected world:

  • Conduct security assessments of OT (ICS/SCADA) systems regularly.
  • Map the OT and IT networks and segment them from each other. Segmentation limits an adversary’s ability to pivot into the OT network even when the IT network is compromised.
  • Inventory the assets in the OT network and understand their actual behavior: the type of device, what it does, and what it tries to connect to. Then eliminate exploitable weaknesses across the full set of attack vectors.
  • Protect endpoints so that suspicious or malicious activity in industrial networks is revealed. Identify, detect and investigate activity indicating lateral movement within and between the IT and OT networks; endpoint-based solutions such as Singularity Identity can detect such lateral connections.
  • Protect credentials. Russian state-sponsored APT actors have demonstrated their ability to maintain persistence using compromised credentials.
  • Implement data backup procedures on both the IT and OT networks. Regularly test restoration, and ensure that backups are isolated from network connections that could let malware spread to them.

How Can the SentinelOne Identity Portfolio Help?

SentinelOne is the leader in deception technology and offers innovative ICS security solutions to protect critical infrastructure. Five of the Fortune 10’s largest ICS/SCADA organizations have already widely deployed the company’s comprehensive solutions. The PNNL(Pacific Northwest National Laboratory), a DoE national laboratory, also validated the security solutions protecting critical national infrastructure.

The Singularity™ Hologram solution provides comprehensive deception capabilities covering traditional enterprise IT and OT networks. The platform uses machine learning to build deception campaigns that adapt to the evolving attack surface. It supports a large subset of ICS protocols and lets customers build emulations of PLCs, SCADA nodes, medical equipment and more. Because attacks on vulnerabilities in Human Machine Interface (HMI) systems are a common vector, customers can also deploy decoy HMI systems built from golden images.

The ICS security solution provides comprehensive deception capabilities covering traditional enterprise IT and OT networks. The platform projects deceptive decoys into SCADA, ICS, IoT, Point of Sale, and Medical Device networks, identifying attacker lateral movement and reconnaissance activity targeting production-critical systems. Additionally, the Singularity™ Identity solutions deploy deceptive credentials that can detect and report on cybercriminals leveraging their operations through remote services and exploiting ICS infrastructure.

Conclusion

Critical infrastructure is vital to public safety and health in many ways, but these essential services are often maintained by organizations with small budgets running legacy hardware and software.

To ensure the safety of mission-critical assets, organizations must put in place robust action plans that include autonomous endpoint security controls that can reduce the need for a large SOC while still continuously monitoring the ICS network for suspicious and malicious activity. To learn more about how SentinelOne can help, contact us or request a free demo.


The Good, the Bad and the Ugly in Cybersecurity – Week 26

The Good

This week saw good news as cops in Europe busted a gang said to be behind several million euros worth of fraud. In a joint operation run by Belgian and Dutch police, an organised crime group involved in phishing, fraud, scams and money laundering was dismantled.

As a result of the operation, police made nine arrests and seized electronic devices, designer jewelry, firearms, cryptocurrency and tens of thousands of euros in cash. The arrested individuals were men between the ages of 25 and 36 and a 25-year-old woman.


The gang’s MO involved sending victims phishing links via email, text messages and chat apps including WhatsApp. The links led to fake banking websites, where victims were lured into entering their banking credentials, which the gang subsequently harvested.

It is believed the gang stole several million euros and used money mules to cash out the proceeds. Investigators believe that the group may also have been involved in drugs and firearms trafficking.

While the victims appear to have largely been located in Belgium, the suspects were all arrested in the Netherlands. This is another good example of how important collaboration between different law enforcement agencies is in tackling the cross-border nature of cyber crime.

The Bad

Last month we reported on a new zero-click remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (ms-msdt), popularly known as Follina and more formally tracked as CVE-2022-30190. This week, Ukrainian cyber defense outfit CERT-UA spotted exploitation of Follina via a lure document titled “Nuclear Terrorism A Very Real Threat.rtf”.

It appears that APT28, the threat actor linked to Russia’s GRU military intelligence service, is using fear of nuclear war to distribute malware via a poisoned Word document.

APT28 Follina exploitation

According to other researchers, the document is weaponized with Follina and downloads and executes a .NET executable that steals cookies and saved passwords from the Chrome, Edge and Firefox browsers. The stolen data is then exfiltrated via email to an attacker-controlled account.

Several other attacks leveraging CVE-2022-30190 have been attributed to various APTs since Follina was first discovered four weeks ago, including Chinese-linked hackers and another Russian APT threat actor widely known as Sandworm. APT28 is just the latest jumping on the bandwagon.

While browser theft isn’t the most heinous of cyber crimes that organizations have to worry about, it’s worth remembering that credentials stored in browsers can provide threat actors with the kind of initial access they crave for long-tail hacks that are difficult to attribute or trace. It’s also a timely reminder for organizations to revisit their coverage for the Follina vulnerability. Microsoft finally got around to patching the flaw in its June 14th update and security teams are urged to ensure they take appropriate mitigation measures.
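Revisiting coverage means more than checking patch status. The following Python is an added example, not code from the original post or from CERT-UA, that runs two checks over process-creation events of the kind Sysmon or an EDR emits: an Office application spawning msdt.exe, and an ms-msdt: URI on the command line whose IT_BrowseForFile parameter is set. The URI shape (the PCWDiagnostic pack and the IT_BrowseForFile parameter) comes from the public analyses of the original Follina samples, not from this post; the events themselves are constructed, with the payload elided.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Protocol-handler launch of the troubleshooter: ms-msdt:/id <diagnostic pack> ...
MSDT_URI = re.compile(r"ms-msdt:/id\s+(\w+)", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_follina(ev: ProcessEvent) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for one process-creation event."""
    findings = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and child == "msdt.exe":
        findings.append(("high", f"msdt.exe spawned by {parent}"))
    match = MSDT_URI.search(ev.command_line)
    if match:
        pack = match.group(1)
        if "IT_BrowseForFile=" in ev.command_line:
            # IT_BrowseForFile is the parameter the Follina lures abuse to carry code.
            findings.append(("high", f"ms-msdt URI with IT_BrowseForFile, id={pack}"))
        else:
            # msdt.exe is also launched through this protocol by legitimate Settings links.
            findings.append(("low", f"ms-msdt URI launch, id={pack}"))
    return findings


def triage(events: List[ProcessEvent]) -> List[int]:
    """Indexes of events carrying at least one high-severity finding."""
    return [i for i, ev in enumerate(events)
            if any(sev == "high" for sev, _ in detect_follina(ev))]


# Constructed events, not real telemetry; the payload in the first one is elided.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        r"C:\Windows\System32\msdt.exe",
        r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
        r'/param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=<payload elided>"',
    ),
    ProcessEvent(  # a user running a troubleshooter from Settings
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\msdt.exe",
        r"msdt.exe -id NetworkDiagnosticsWeb",
    ),
    ProcessEvent(  # protocol launch without the abused parameter
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\msdt.exe",
        r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic',
    ),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, basename(ev.parent_image), "->", basename(ev.image), detect_follina(ev))
```

The URI rule stays at low severity when IT_BrowseForFile is absent, because msdt.exe is launched legitimately through that protocol; the combination of an Office parent and the abused parameter is what should page someone. Microsoft’s interim workaround before the June 14th patch, unregistering the ms-msdt: URL protocol handler, removes the vector entirely on hosts that cannot yet be patched.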

The Ugly

240 million users of cloud storage service MEGA received unwelcome news this week when researchers showed the company’s privacy claims fell somewhat short of the truth. MEGA advertises itself as offering “secure cloud storage and communication privacy by design”, boasting that “MEGA has a robust cryptographic process…no one will ever be able to access your data on MEGA. Even in the exceptionally improbable event MEGA’s entire infrastructure is seized!”


Unfortunately, it turns out that it is precisely the “robust cryptographic process” that is insecure. The research says that MEGA–or some entity with control over MEGA’s infrastructure–can decrypt user data and that a malicious service provider could insert files into a user’s cloud storage.

In an advisory, MEGA admitted that the research identified flaws that could be exploited “either by MEGA acting maliciously or by an external party acting similarly”. Presumably, that includes MEGA complying with any confidential law enforcement or government order it might be served with.

The root problem is that MEGA “rolled its own” cryptographic architecture. While the company has patched the specific attack vector the researchers used, it has not resolved the underlying weaknesses, because of the complexity of that architecture. The company did reward the research team from ETH Zurich with a “significant payment”, but whether MEGA users will be satisfied that their data remains unreadable by the company, law enforcement, or “bad actors” remains to be seen.

On the Board of Directors? Beware of These Six Common Cyber Security Myths

The days when cyber security was merely a technical or niche issue to be dealt with by some small department in the basement are long behind us. Boards now have CISOs and CIOs, and yet there is still a need for all directors to understand the impact of cyber security risk when making strategic business decisions as well as to understand what to ask when a breach takes place.

Failing to grasp the nature of cyber security in today’s business environment can have dire consequences. Proper board preparedness and planning are critical both to protecting the business and to insulating officers and directors from liability.  Accordingly, directors must ensure that the business is ready to face cyber risks and the potential legal ramifications of those risks by aligning the organization’s cyber risk profile with its business needs.

Of course, there is no shortage of information out there on cyber security and cyber risk, but much of it is couched in sales and marketing jargon peculiar to one vendor or another, and what isn’t is often aimed at a technical audience with a level of detail that is rarely relevant to high-level decision makers. In this post, we cut through the clutter and cover the basics of cyber risk management for directors by dispelling six common cybersecurity myths.

Myth 1: Cyber Security Is Only Necessary for Some Businesses

Many believe that only certain kinds of companies require cyber security, and that if they are not on that list, cyber security isn’t for them. Typically the list includes:

  • technology companies

  • companies that store sensitive customer data (PII)

  • healthcare, infrastructure and other organizations legally required to maintain security programs

  • companies of a certain size or value

Cybersecurity is critical for all organizations, regardless of their industry. The ongoing wave of ransomware attacks has shown that attackers are opportunistic and will target any organization that has valuable data or systems that they can exploit.

Even companies that don’t store sensitive data (PII) can be hacked or infected with ransomware if their systems are not properly secured, and PII is not the only thing that can be stolen or compromised in a cyber attack. Organizations can also lose money, suffer damage to their reputation, and experience other negative consequences as a result of a cyber breach.

Similarly, size is not a significant factor in risk assessment. Any organization, regardless of size, can be a target for cyber attacks. Small businesses are often seen as easier targets because they may not have the same resources to devote to cyber security as larger organizations. The level of risk increases if the business does not take the necessary precautions to protect itself.

All businesses regardless of size, industry or value should have a comprehensive cyber security plan in place to protect themselves from potential attacks.

Myth 2: Security Software Is All You Need to Stay Safe

There is no shortage of point tools in the cybersecurity defense arsenal. Tools like SIEM, SOAR, firewalls and antivirus have shown in recent years that, on their own, they are not sufficient to keep businesses out of negative news cycles.

The modern working environment allows employees more freedom than ever before, with the ability to install software and to gain access to company assets from the endpoint, wherever they may be physically located.

The effort of staying safe from cyber risk may start with getting the right tool to see it all, but it does not end there. As the cybersecurity landscape continues to evolve, defense capabilities need to keep pace, too.

The idea of total protection from cyber threats is unrealistic. However, organizations are best served when their boards promote a culture of cyber awareness and integrate investments into cyber resilience with the overall strategic vision of the organization.

Myth 3: Software Vulnerabilities Aren’t an Issue for the Board

Every piece of software that an organization uses can also introduce vulnerabilities that make it easy to penetrate the corporate network.

Some recent high-profile examples include CVE-2022-30190 (aka the Follina vulnerability), which allows attackers to compromise a Windows machine simply by sending a malicious Word document, and CVE-2021-44228 (aka Log4Shell), a vulnerability in Apache’s Log4j library that most companies didn’t even realize was in their software stack.

Unfortunately, the biggest and most likely source of vulnerabilities in your software stack is likely the operating system itself. Here’s some sobering statistics:

  • In 2020, Microsoft confirmed 1,220 new vulnerabilities impacting their products, a 60% increase on the previous year.

  • 807 of those 1,220 vulnerabilities affected Windows 10: 107 related to code execution, 105 to overflows, 99 to information disclosure, and 74 to privilege escalation.

  • In 2021, 836 new vulnerabilities were confirmed, 455 of which impact Windows 10 and 107 allow malicious code execution.

While patch management is certainly the responsibility of your IT team, boards need to understand that no amount of patching is going to negate the security risk presented by the operating system itself.

This means that your organizations should look to partner with security-first companies that can provide a holistic approach to security. Avoid relying on the OS vendor either to patch everything or to provide security add-ons to plug the gaps.

Develop a strategy that aims to reduce risk by decreasing dependencies while easily integrating your security solution with the rest of your software stack.

Myth 4: You Don’t Need to Worry About Supply Chain Attacks

Even if an organization manages to keep its own software safe, any other service provider can unknowingly facilitate a way into the network. In recent times, we’ve seen the SolarWinds supply chain attack, where the attackers were able to compromise thousands of organizations through the SolarWinds software update, and the Kaseya incident, in which attackers targeted Kaseya VSA servers—commonly used by MSPs and IT management firms—to infect downstream customers with ransomware.

Such attacks are highly lucrative for threat actors because compromising one weak link enables access to a complete portfolio of customers using that software.

Ensuring you have maximal protection against digital supply chain attacks is a strategic decision that needs to be taken at the board level.

Ensure your board’s strategy includes things such as deploying the right security solution, developing an Incident Response (IR) plan, ensuring application integrity policies only allow authorized apps to run, and driving a cybersecurity-centric culture.

Myth 5: You Can’t Do Anything About Cyber Security Threats

While it is true that some threats are out of your control, there are many things you can do to protect your organization from cyber attacks. Implementing strong cyber security measures can help reduce your risk of being targeted by cyber criminals.

It is also important to remember that while it may be true that you cannot secure your organization against every possible attack, there are steps that organizations can take to make themselves as secure as possible against the most likely attacks.

In the vast majority of cases, threat actors are financially-motivated, and they are looking for easy wins. Like the weakest animal in the herd, the companies that cannot protect themselves will soon be picked off by cyber predators.

Implementing a comprehensive cybersecurity plan, including several layers of security, will help to protect your organization from most attacks.

Myth 6: It’s Impossible to Train Employees to be Cyber Secure

While employees are a key part of any organization’s cyber security strategy, they cannot be expected to be experts in cybersecurity. Organizations need to provide employees with appropriate training and resources. This includes regular awareness of the kinds of threats the business faces, simple steps in how to identify things like phishing emails or unusual requests, and clear steps for reporting suspicious activity. Social engineering, more commonly known as the subtle art of convincing people to click on spear phishing emails, remains one of the most common ways cybercriminals operate today.

Think of employees as an aid to your cyber defenses, and ensure that they not only have the means to report anything suspicious but that they feel safe and confident in doing so.

Conclusion

Cybersecurity is all about managing risk as effectively as possible. There is no organization in the world that is immune to cyber threats, but in today’s threat landscape, it is vital that cyber security is understood to be a strategic factor that must be planned from the very top of the organization. The risk to the business is too great for it to start anywhere else.

If you would like to learn more about how SentinelOne can help manage cyber security risk in your organization, contact us or request a free demo.


From the Front Lines | 3 New and Emerging Ransomware Threats Striking Businesses in 2022

In the first half of 2022, there has been no let-up in the number of attacks on businesses by ransomware operators. Conti, LockBit, BlackCat and the LAPSUS$ group may have been generating most of the prime-time cyber headlines, but a number of smaller players have emerged or developed over recent months that are quietly infiltrating companies, stealing their data and demanding high-dollar sums for file decryption and a promise not to leak sensitive company data.

In this post, we provide a high-level overview of three new ransomware threats that have recently emerged–Zeon, HelloXD, and Dark Angels–and provide technical indicators for each to aid threat hunting and intrusion detection teams.

1. Zeon Ransomware

Zeon ransomware was first observed in late January 2022. The group does not currently advertise its victims or data via a known public blog, although the dropped ransom note makes the usual threat of such public exposure for non-compliant victims, stating “We’ve downloaded a pack of your internal data and are ready to publish it on out [sic] news website if you do not respond”.

Zeon ransom note

The ransom note further directs victims to a Tor-based payment portal to proceed with the payment. According to one source, victims must pay in XMR or BTC, with a 25% surcharge for the latter.

Observed Zeon payloads are Python-based executables packaged with PyInstaller and further obfuscated with PyArmor.

On execution, Zeon ransomware payloads attempt to stop any services or processes that could interfere with encryption. These include common backup processes and utilities as well as well-known security products; for example, Zeon will attempt to stop known McAfee, Sophos and Kaspersky processes.

The ransomware uses both taskkill.exe and net.exe to terminate them. The following table lists the targeted names. Several entries (such as Afee, Back, swi_ and mms) are evidently name fragments matched against process or service names rather than complete names, so a defender comparing this list against telemetry should treat it as substrings.

mfevtp backup EPUpdate acronis
MBAM vmcomp W3S MsDts
Back IISAdmin Monitor EsgShKernel
Smcinst vmwp RESvc Endpoint
bedbg swi_ Veeam PDVF
CCSF TrueKey task xchange
IMAP4 Afee mfemms ESHASRV
mms vss SmcService FA_Scheduler
DCAgent NetMsmq ntrt sql
VeeamTransportSvc Report Sophos UIODetect
veeam VeeamNFSSvc EPSecurity wbengine
Backup ekrn Eraser Enterprise
POP3 KAVF klnagent WRSVC
SNAC Antivirus SMTP AVP
AcrSch Exchange EhttpSrv tmlisten
mfefire McShield

Zeon also creates and runs a Scheduled Task, generating the schtasks.exe commands via cmd.exe. Note that the action of the observed task is a cmd.exe DEL of the path held in the {PATHIM} placeholder, scheduled to run once with /RL HIGHEST, so in this sample the task functions as a privileged self-cleanup step for the payload rather than as conventional persistence.

The following command lines can be observed on execution:

cmd.exe /c schtasks.exe /Run /TN zE0xO6us
schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
Zeon execution chain

Once encrypted, the .zeon extension will be added to all affected files and the ransom note is dropped as “re_ad_me.html” on the Desktop.

The ransomware also changes the victim’s desktop wallpaper.

Zeon Desktop Wallpaper

2. HelloXD Ransomware

HelloXD is a new ransomware family that first appeared towards the end of 2021. It is another in a long line of families derived from the various Babuk source code leaks. As such, both Windows and Linux variants of HelloXD have been observed.

Like Zeon, HelloXD does not currently host a public blog or victim shaming site. The ransom note instructs victims to engage the attackers via Tox chat rather than a direct chat link, a .onion TOR website or standard email.

HelloXD ransom note

HelloXD is under rapid development, and many versions have been observed in the wild, with the author continually reworking the malware’s obfuscation and file encryption routines. Initial samples were packed with a modified version of UPX, and some early versions used a combination of the HC-128 stream cipher and Curve25519-Donna (elliptic-curve key agreement). Later examples add further layers on top of the modified UPX packing and update the file encryption routine, swapping HC-128 for the Rabbit stream cipher.

We have observed that HelloXD payloads attempt to inhibit recovery via deletion of shadow copies:

vssadmin.exe delete shadows /all /quiet

Analyzed payloads introduce delays in a rather noisy way, by shelling out to ping with a single echo request and a 3000 ms reply timeout. The pause is therefore at most three seconds, and shorter still if 1.1.1.1 answers, which makes the command line itself the more useful detection artifact:

PING.EXE 1.1.1.1 -n 1 -w 3000

Upon encryption, files are given the .HELLO extension.

Recent examples of HelloXD also install copies of MicroBackdoor, which provides the threat actors with additional RAT-level access to breached systems.

HelloXD has for a time been openly discussed and sold on darknet crime forums. The actor behind it has also drawn unwanted attention there after security researchers exposed the operation, and has been mocked by other forum members for it.

Threat actors learn from x4k’s exposure

3. Dark Angels Ransomware

In May 2022, researchers found another Babuk derivative that behaves very similarly to HelloXD, called ‘Dark Angels’ (aka DarkAngels). Early reports suggest that each Dark Angels sample is built for a specific target organization, much like Mindware and SFile, which we reported on previously.

Dark Angels’ victims are instructed to communicate with the threat actor via TOR-based chat portal and are given the (now) usual warning about not attempting to contact law enforcement, engage recovery teams or hire negotiators.

Dark Angels ransom note

The ransomware attempts to stop the following services upon execution:

memtas mepocs sophos
veeam backup GxVss
GxBlr GxFWD GxCVD
GxCIMgr DefWatch ccEvtMgr
ccSetMgr SavRoam RTVscan
QBFCService QBIDPService Intuit.QuickBooks.FCS
QBCFMonitorService YooBackup YooIT
zhudongfangyu sophos stc_raw_agent
VSNAPVSS VeeamTransportSvc VeeamDeploymentService
VeeamNFSSvc veeam PDVFSService
BackupExecVSSProvider BackupExecAgentAccelerator BackupExecAgentBrowser
BackupExecDiveciMediaService BackupExecJobEngine BackupExecManagementService
BackupExecRPCService AcrSch2Svc AcronisAgent
CASAD2DWebSvc CAARCUpdateSvc

Dark Angels payloads can spread to reachable network shares, and this behaviour is controlled by command line parameters: both ‘paths’ and ‘shares’ are supported, and the method used to discover shares depends on which option is provided.

Dark Angels ransomware team

In the absence of any command line options, the malware enumerates all local drives and encrypts all targeted files. Upon encryption, files are given the .crypt extension.
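The pre-encryption behaviours described for all three families above (Zeon’s taskkill/net stop kill list and scheduled task, HelloXD’s shadow-copy deletion and ping delay, Dark Angels’ service stops) are all visible as child process command lines. The following Python triage routine is an added example written for this post, not SentinelOne code and not logic taken from any of the three families. It runs over constructed process-creation command lines and tags the ones that match. Its assumptions: the Zeon entries are matched case-insensitively as substrings (entries like Afee and swi_ suggest this), service stops may arrive via net stop or sc stop, the name lists are excerpts of the tables above, and the sample events (including the file path inside the scheduled task action) are made up for illustration.

```python
"""Command-line triage for the ransomware pre-encryption behaviours described
in this post. Added example, not SentinelOne code and not the malware's logic.
Name lists are excerpts of the tables above; SAMPLE_EVENTS are constructed."""
import re
from typing import List, Tuple

# Excerpt of the Zeon kill list, matched as case-insensitive substrings of the
# process/service name (assumption of this example; see Afee, swi_ above).
ZEON_KILL_FRAGMENTS = ["mfevtp", "backup", "acronis", "Veeam", "Sophos", "klnagent",
                       "McShield", "vss", "sql", "Afee", "swi_", "ekrn"]

# Excerpt of the Dark Angels service-stop list, matched as whole service names
# (Windows service names are case-insensitive).
DARK_ANGELS_SERVICES = {"memtas", "mepocs", "sophos", "veeam", "backup", "GxVss",
                        "VSNAPVSS", "VeeamTransportSvc", "VeeamNFSSvc",
                        "BackupExecVSSProvider", "AcrSch2Svc", "AcronisAgent"}
_DA_LOWER = {s.lower() for s in DARK_ANGELS_SERVICES}

_TASKKILL = re.compile(r"\btaskkill(?:\.exe)?\b", re.I)
_TASKKILL_IM = re.compile(r'/IM\s+(?:"([^"]+)"|(\S+))', re.I)
# net stop / sc stop; sc is an assumption, the post only names net.exe.
_SVC_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)
_VSSADMIN = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
_PING = re.compile(r"\bping(?:\.exe)?\b", re.I)
_PING_N = re.compile(r"-n\s+(\d+)", re.I)
_PING_W = re.compile(r"-w\s+(\d+)", re.I)
_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\s+/Create\b", re.I)
_SCHTASKS_RUN = re.compile(r"\bschtasks(?:\.exe)?\s+/Run\b", re.I)
_TASK_NAME = re.compile(r"/TN\s+(\S+)", re.I)
_TASK_ACTION = re.compile(r'/TR\s+"(.*)"\s+/sc\b', re.I)  # greedy: keeps nested quotes
_RL_HIGHEST = re.compile(r"/RL\s+HIGHEST\b", re.I)


def kill_list_hits(target: str) -> List[str]:
    """Which list(s) a killed process or stopped service name matches."""
    base = re.sub(r"\.exe$", "", target, flags=re.I)
    hits = []
    if base.lower() in _DA_LOWER:
        hits.append(f"Dark Angels service-list entry {base}")
    frags = [f for f in ZEON_KILL_FRAGMENTS if f.lower() in base.lower()]
    if frags:
        hits.append(f"Zeon kill-list fragment(s) {', '.join(frags)} in {base}")
    return hits


def terminated_targets(cmdline: str) -> List[str]:
    """Names passed to taskkill /IM, or to net/sc stop, in one command line."""
    targets = []
    if _TASKKILL.search(cmdline):
        targets += [a or b for a, b in _TASKKILL_IM.findall(cmdline)]
    targets += [a or b for a, b in _SVC_STOP.findall(cmdline)]
    return targets


def triage(cmdline: str) -> List[str]:
    """Tag one command line with the ransomware behaviours it exhibits."""
    findings: List[str] = []
    for target in terminated_targets(cmdline):
        findings += [f"terminates {hit}" for hit in kill_list_hits(target)]
    if _VSSADMIN.search(cmdline):
        findings.append("deletes volume shadow copies")
    if _PING.search(cmdline):
        n, w = _PING_N.search(cmdline), _PING_W.search(cmdline)
        # Ping-as-sleep idiom: few echoes, long timeout. The pause is at most
        # n * w ms, and only that long if the target never answers.
        if n and w and int(n.group(1)) <= 2 and int(w.group(1)) >= 1000:
            findings.append(f"ping used as delay (up to {int(n.group(1)) * int(w.group(1))} ms)")
    if _SCHTASKS_CREATE.search(cmdline):
        name, action = _TASK_NAME.search(cmdline), _TASK_ACTION.search(cmdline)
        tag = f"creates scheduled task {name.group(1) if name else '?'}"
        if _RL_HIGHEST.search(cmdline):
            tag += " with /RL HIGHEST"
        if action and re.search(r"\bDEL\s+/F\b", action.group(1), re.I):
            tag += " whose action deletes a file (self-cleanup)"
        findings.append(tag)
    elif _SCHTASKS_RUN.search(cmdline):
        name = _TASK_NAME.search(cmdline)
        findings.append(f"runs scheduled task {name.group(1) if name else '?'} on demand")
    return findings


def scan(events: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, findings) for every event that produced findings."""
    return [(e, f) for e in events if (f := triage(e))]


# Constructed process-creation command lines, not real telemetry. Several mirror
# the commands quoted in the post; the last three are benign noise.
SAMPLE_EVENTS = [
    "cmd.exe /c taskkill /F /IM VeeamTransportSvc.exe /IM mfevtp.exe",
    'net stop "Sophos Agent" /y',
    "cmd.exe /c schtasks.exe /Run /TN zE0xO6us",
    'schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "C:\\Users\\Public\\zeon.exe" >> NUL" /sc once /st 00:00 /RL HIGHEST',
    "vssadmin.exe delete shadows /all /quiet",
    "PING.EXE 1.1.1.1 -n 1 -w 3000",
    "sc stop GxVss",
    "net stop Spooler",
    "ping.exe 10.0.0.5 -n 4",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(cmdline)
        for finding in findings:
            print("   ->", finding)
```

Feed it the CommandLine field of Sysmon Event ID 1 or Security event 4688 records. A single tag on its own is weak evidence (an administrator stopping Veeam for maintenance produces the same net stop), so correlate by parent process and time: several different tags from one parent within a few seconds is the pattern worth paging on.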

Conclusion

Ransomware continues to evolve and pivot in the race for illicit profit from attacks on business data. Threat actors know they must constantly work to stay ahead of both law enforcement and the steady influx of technical controls that inhibit them. Staying abreast of the latest developments in the crimeware scene can help your security and IT teams keep your business secure.

SentinelOne Singularity detects and prevents attacks by Zeon, HelloXD and Dark Angels as well as all other known ransomware families. For more information about how SentinelOne can protect your business, contact us or request a free demo.

Indicators of Compromise

Zeon SHA1
66535700bbce7f90d2add7c504bc0e0523d4d71d
51d18417b2593bb946e08d436692e26da44cfa48
c45d82da884285100ce067bb004a3f1e31e151f5

Zeon SHA256
c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
8ff189783dc0646513c791421df723187b614f6dbfafad16763e3c369c5dfa2a
fb57abf08a85f1d7ca0a6fdcd76b04ccf964a5b05f2f784492083994773e4590

HelloXD SHA1
4a2ee1666e2e9c40d372853e2203a7f2336b6e03
7a1b6d3ccf9429a5a5c03ce1e6db91c3095e9f34
9785231ebf3d00216aa979f8c705e2513568802e
9c8feeab65f71344713d63f4879e247aba49dce4
4d65559a14bca55f6cca722d09d80ba3e262053d
0ddf8c9a59f5fe5337e65d1e5b2e22381c3ce7e2
1758a8db8485f7e70432c07a9e3d5c0bb5743889

HelloXD SHA256
435781ab608ff908123d9f4758132fa45d459956755d27027a52b8c9e61f9589
ebd310cb5f63b364c4ce3ca24db5d654132b87728babae4dc3fb675266148fe9
65ccbd63fbe96ea8830396c575926af476c06352bb88f9c22f90de7bb85366a3
903c04976fa6e6721c596354f383a4d4272c6730b29eee00b0ec599265963e74
7247f33113710e5d9bd036f4c7ac2d847b0bf2ac2769cd8246a10f09d0a41bab
4e9d4afc901fa1766e48327f3c9642c893831af310bc18ccf876d44ea4efbf1d
709b7e8edb6cc65189739921078b54f0646d38358f9a8993c343b97f3493a4d9

Dark Angels SHA1
529e24c81ede5dfcedcc4fbc7d0030f985c67af1

Dark Angels SHA256
38e05d599877bf18855ad4d178bcd76718cfad1505328d0444363d1f592b0838

Meet the Administrators of the RSOCKS Proxy Botnet

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top spam forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444. Another record indexed by Constella suggests Denis’s real surname may in fact be “Emilyantsev” [Емельянцев].

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, most of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!,” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. Based on the RSOCKS owner’s posts, that is exactly what they intend to do.

“RSocks ceases to exist,” wrote the Rsocks account on the BlackHatWorld forum on June 17. “But don’t worry. All the active plans and fund balances will be transferred to another service. Stay tuned. We will inform you about its name and all the details later.”

Rsocks told the BlackHatWorld community they would be back soon under a new name.

Malware-based proxy services like RSOCKS have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features. The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.