Monday, November 11, 2024

2024-11-04 CRON#TRAP (Emulated Linux Environments) Samples

2024-11-04 Securonix: CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging

Attackers distribute a custom QEMU-emulated Linux environment via a malicious .lnk file within a phishing email. When executed, this file installs and initiates a QEMU instance to run a Tiny Core Linux backdoor, enabling covert persistence on the victim's machine.

The .lnk file activates PowerShell to extract and run QEMU, renamed as fontdiag.exe, from a large, concealed zip archive.

This QEMU instance connects to a C2 server, maintaining a hidden presence through an emulated environment undetectable by most antivirus tools.

The emulated environment includes "PivotBox" settings with command aliases for direct interaction with the host, and command logs reveal steps like SSH setup, payload execution, and persistence configurations.

Attackers use legitimate software (QEMU) renamed and executed from uncommon directories, alongside SSH keys and script modifications, ensuring reliable access and minimal detection.

crondx, a Chisel-based backdoor, establishes a secure C2 channel via websockets, enabling encrypted data exfiltration and further payload deployment.

2024-10-30 Lunar Spider's Latrodectus JS loader samples

2024-10-30 EclecticIQ: Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:

Malvertising and SEO Poisoning: Victims searching tax-related content are redirected to download malicious JavaScript files like Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll under rundll32 execution). This method exemplifies advanced evasion tactics to bypass detection.

Command and Control (C2) Infrastructure:

BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, allowing remote access and command execution on compromised systems.

Persistent infrastructure overlaps include SSL certificates with issuer fields "AU," "Some-State," and "Internet Widgits Pty Ltd," frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.

The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.

Monday, October 28, 2024

2024-10-23 WarmCookie/BadSpace - APT TA866 - Samples

2024-10-23 TALOS Threat Spotlight: WarmCookie/BadSpace

Summary: WarmCookie, also known as BadSpace, is a sophisticated malware family that emerged in April 2024, primarily distributed through malspam and malvertising. This malware provides long-term access to compromised environments and facilitates the deployment of additional payloads, such as CSharp-Streamer-RAT and Cobalt Strike. Its infection chains and functionality highlight notable development links to Resident backdoor, indicating possible shared authorship by TA866.

WarmCookie’s infection chain initiates through email lures—typically invoice-related and job agency themes—that direct victims to malicious JavaScript-hosting servers. The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL, embedding itself in the system with persistence.

Persistence: WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay. The latest version modifies the typical command-line syntax from /p to /u for execution parameters.

Command-and-Control (C2) Adaptation: TA866 previously used unique, detectable C2 user-agent strings (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)), which have since been updated to blend with standard strings like Mozilla/5.0… Firefox/115.0.

Self-Updating Mechanism: An initial implementation of a self-update command allows WarmCookie to receive updates dynamically from its C2 server, although this feature appears incomplete.

C2 Command Updates

The latest WarmCookie samples feature new C2 commands:

Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.

Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.

2024-10-25 HeptaX - Unauthorized RDP Connections. Malicious LNK > PowerShell > Bat files Samples

2024-10-25 Cyble: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations

Summary:

  • The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry.
  • Upon execution, the LNK file initiates a PowerShell command that downloads multiple scripts and batch files from a remote server to establish persistence and control over the victim’s system.
  • The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153.
  • These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
  • A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
  • The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
  • If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
  • A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
  • Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
  • Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
  • The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.

Download

Thursday, October 10, 2024

2024-10-03 Amnesia Stealer Samples

2024-10-03 ThreatMon: Amnesia Stealer

Key findings by ThreatMon:

  • Amnesia Stealer, a customizable open-source malware, was identified by ThreatMon on September 17, 2024.
  • Functions as Malware-as-a-Service (MaaS), making it easily accessible for cybercriminals.
  • Uses Discord and Telegram for Command & Control (C2) operations.
  • Capable of stealing sensitive data like browser passwords, Discord tokens, cryptocurrency wallets, and Wi-Fi credentials.
  • Features keylogging, clipboard hijacking, and can bypass Windows Defender.
  • Can inject additional malware like trojans, cryptocurrency miners, and droppers.
  • Available in three versions: Free, VIP, and an Android variant (in development).
  • Android version can steal call logs, SMS, and WhatsApp session files.


Download

Monday, September 30, 2024

2024-09-24 Linux Malware Cryptocurrency Miners, DONUT LOADER, RUDEDEVIL RAT, KAIJI Stager and DDoS botnet samples

2024-09-26 Elastic: Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

Elastic Security Labs uncovered a sophisticated Linux malware campaign targeting servers through an Apache2 web server exploit in March 2024. The attackers used a mix of tools, including custom malware, KAIJI (a DDoS botnet), and RUDEDEVIL (a cryptocurrency miner). They utilized C2 channels disguised as kernel processes, Telegram bots for communication, and cron jobs for persistence. The campaign also involved leveraging gambling APIs, potentially for money laundering activities.

The attackers exploited an Apache2 server, gaining arbitrary code execution. They deployed KAIJI malware and downloaded a script (00.sh) to erase traces and kill other mining processes.

The attackers used a file server to distribute malware for different architectures. RUDEDEVIL and KAIJI malware variants were identified, each serving different purposes, like mining cryptocurrency or conducting DDoS attacks.

  • RUDEDEVIL: A cryptocurrency miner with various functions such as socket creation, privilege handling, decryption, and process monitoring. The malware also includes an XOR-based encryption routine for concealing its activities.
  • KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies. Its deployment involved moving system binaries, using bind mount techniques, and creating multiple backdoors for control.

The attackers utilized GSOCKET for encrypted communication, disguised as kernel processes. They also employed cron jobs, PHP payloads, and Systemd services to establish and maintain persistence on compromised hosts. Telegram bots and gambling APIs were used to relay information back to the C2 server.

Download

Wednesday, September 25, 2024

2024-09-23 SNIPBOT RomCom Multi-Stage RAT Samples

Image courtesy of Palo Alto

2024-09-23 Palo Alto Unit42: Inside SnipBot: The Latest RomCom Malware Variant

This latest version integrates novel obfuscation techniques and exhibits distinct post-infection activities not seen in previous variants (RomCom 3.0 and PEAPOD/RomCom 4.0).

Key Points:

  • Capabilities: SnipBot allows attackers to execute commands and download additional modules onto the victim's system. It deploys an initial signed executable downloader, followed by unsigned EXEs or DLLs.
  • Infection Vector: Delivered via email containing links that redirect to the SnipBot downloader. The downloader uses anti-sandbox tricks, including checking the file’s original name and verifying at least 100 entries in the RecentDocs registry key. It also employs window message-based control flow obfuscation.
  • Post-Infection Activity:
    • Downloads additional DLL payloads, injecting them into explorer.exe using COM hijacking. Specifically, it registers the malicious DLL (keyprov.dll) as a thumbnail cache library in the registry (HKCU\SOFTWARE\Classes\CLSID).
    • The primary payload, single.dll, listens on port 1342 for commands such as deleting registry keys, executing stored DLL payloads, and initiating further updates.
    • Creates and manages registry keys (HKCU\SOFTWARE\AppDataSoft\Software) to store encrypted payloads and keep track of updates.
  • Command & Control: Contacts its C2 domains (e.g., xeontime[.]com) to download payloads. Encrypts strings, including the C2 domain and API function names, to evade detection.
Download

File Information

  • 0be3116a3edc063283f3693591c388eec67801cdd140a90c4270679e01677501 atch scan052224 CV.exe
  • 2c327087b063e89c376fd84d48af7b855e686936765876da2433485d496cb3a4.exe
  • 5390ba094cf556f9d7bbb00f90c9ca9e04044847c3293d6e468cb0aaeb688129 Attachment CV June2024.exe
  • 57e59b156a3ff2a3333075baef684f49c63069d296b3b036ced9ed781fd42312 Attachment Medical report.exe
  • 5b30a5b71ef795e07c91b7a43b3c1113894a82ddffc212a2fa71eebc078f5118 CV for a job.exe
  • 5c71601717bed14da74980ad554ad35d751691b2510653223c699e1f006195b8 Atch Data Breach Evidence.pdf Open with Adobe Acrobat.exe
  • a2f2e88a5e2a3d81f4b130a2f93fb60b3de34550a7332895a084099d99a3d436 atch List of Available Documents.exe
  • b9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045 webtime-e.exe
  • cfb1e3cc05d575b86db6c85267a52d8f1e6785b106797319a72dd6d19b4dc317.exe
  • f74ebf0506dc3aebc9ba6ca1e7460d9d84543d7dadb5e9912b86b843e8a5b671 резюме.pdf

Malware Repo Links

Over the past 15 years, as the blog has been around, many hosting providers have dropped support due to stricter no-malware policies. This has led to broken links, especially in older posts. If you find a broken link on contagiodump.blogspot.com (or contagiominidump.blogspot.com), just note the file name from the URL and search for it in the Contagio Malware Storage.

Thursday, September 19, 2024

2024-09-19 UNC1860 Iran APT - Temple of Oats ( OATBOAT, TEMPLEDOOR, SASHEYAWAY, OBFUSLAY, WINTAPIX, CRYPTOSLAY) Samples

2024-09-19 Mandiant: UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

UNC1860 is an Iranian state-sponsored threat actor, likely affiliated with the Ministry of Intelligence and Security (MOIS), known for its persistent and stealthy operations. It employs a variety of specialized tools, passive backdoors, and custom utilities to target high-priority networks, such as government and telecommunications entities in the Middle East.

Passive Implants: UNC1860 relies on custom-made passive backdoors like TOFULOAD and WINTAPIX, which leverage undocumented Input/Output Control (IOCTL) commands for communication, bypassing standard detection mechanisms used by EDR systems. These implants operate without initiating outbound traffic, making them difficult to detect through traditional network monitoring tools.

Windows Kernel Driver: UNC1860 repurposed a legitimate Iranian antivirus kernel mode driver, Sheed AV, for stealthy persistence. This driver is used in TEMPLEDROP, a passive backdoor that protects its own files and other malware it deploys, preventing modification and enhancing its evasion capabilities.

Obfuscation and Encryption: The group implements custom XOR encryption and Base64 encoding/decoding libraries to avoid detection. For example, XORO, a rolling encryption module (MD5: 57cd8e220465aa8030755d4009d0117c), is used in several utilities such as TANKSHELL and TEMPLEPLAY. These encryption methods, although simple, are tailored to evade standard detection signatures.

TEMPLEPLAY and VIROGREEN Controllers: These GUI-operated malware controllers allow UNC1860 or third-party actors to manage compromised systems easily. They provide features such as:

  • Command execution via the Command Prompt Tab.
  • File transfer through the Upload and Download Tabs.
  • Using infected systems as middleboxes through the Http Proxy Tab, facilitating RDP connections even in restricted environments.

Web Shells and Droppers: Web shells like STAYSHANTE and SASHEYAWAY are frequently deployed after initial access is achieved. These shells enable further persistence by deploying full passive backdoors, such as TEMPLEDOOR and FACEFACE, which can execute commands, transfer files, and interact with system services.

Multi-stage Implants: UNC1860 maintains a suite of "main-stage" implants with advanced capabilities, reserved for high-value targets. These implants, such as TOFULOAD and TEMPLEDROP, demonstrate the group's deep understanding of Windows kernel components and its ability to bypass security measures like kernel protections.

Reverse Engineering and Evasion: UNC1860 exhibits strong reverse engineering skills, especially evident in their repurposing of legitimate software like Windows file system filter drivers. This allows the group to manipulate system components for stealthy operations, using advanced evasion techniques like terminating Windows Event Log service threads and restarting them as needed.

Download

2024-09-18 SAMBASPY Java RAT Samples

2024-09-19 Kaspersky: Exotic SambaSpy is now dancing with Italian users

SambaSpy is a highly obfuscated Java-based RAT, protected by the Zelix KlassMaster protector. It supports a range of malicious activities, including:

  • File system and process management
  • Keystroke logging using the JNativeHook library, sending keystrokes to the C2 upon key release
  • Clipboard content control through Java Abstract Window native libraries
  • Webcam access and remote desktop control using the Java Robot and GraphicsDevice classes
  • Browser credential theft, targeting Chrome, Edge, Brave, Opera, and others
  • Remote shell access and the ability to load additional plugins dynamically via URLClassLoader, using addURL() to invoke downloaded plugins.

SambaSpy exhibits heavy obfuscation to evade detection, with encrypted strings and obfuscated class names and methods. The malware performs detailed environment checks to avoid execution in virtualized or sandbox environments, exiting immediately if the language is not set to Italian. It also encrypts its communications with the C2, complicating analysis.

Some malicious websites contain comments in Brazilian Portuguese, hinting at a possible connection to Brazil. The attackers repeatedly use second-level domains with new subdomains, allowing them to maintain control while shifting operations to evade detection.

Download

2024-09-18 Earth Baxia APT - RIPCOY + SWORDLDR Samples (Spear-Phishing and GeoServer Exploit used to Target APAC)

Trend Micro - Infection Chain

2024-09-08 TrendMicro: Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC

Earth Baxia, a threat actor suspected to originate from China, has been targeting government organizations in Taiwan and other Asia-Pacific (APAC) countries, using spear-phishing emails and exploiting a remote code execution (RCE) vulnerability in GeoServer (CVE-2024-36401). This exploit allowed the attackers to download or copy malicious components, which were then used to deploy customized Cobalt Strike payloads. Their modified Cobalt Strike version included altered signatures for evasion, and they introduced a new backdoor named EAGLEDOOR, which supports multiple communication protocols for payload delivery and information gathering.

The infection chain typically began with spear-phishing emails that delivered malicious attachments or links. These emails often contained decoy documents to lure victims. One of the key methods used by Earth Baxia is the GrimResource technique, which involves downloading files from public cloud services such as AWS and Aliyun. The payloads were injected into legitimate processes using AppDomainManager injection to avoid detection.

Earth Baxia's campaigns primarily targeted government agencies, telecommunication businesses, and the energy sector in countries such as Taiwan, South Korea, the Philippines, and Vietnam. Analysis of Cobalt Strike watermarks and server locations suggests a strong connection to China. During the attack, the group employed sophisticated malware-loading techniques, including DLL side-loading and process injection.

Key malware involved in these campaigns included Cobalt Strike and EAGLEDOOR. The latter used Telegram for command-and-control (C&C) communications and supported various protocols like DNS, HTTP, and TCP for data exfiltration. Earth Baxia utilized public cloud services to host malicious files, making it harder to track their activities. They also used tools like curl for exfiltrating data from victim systems.

Download

Wednesday, September 18, 2024

2024-08-18 RAPTOR TRAIN NOSEDIVE - Mirai-type IoT Botnet Samples

2024-09-18 Lumen Black Lotus Labs: Derailing the Raptor Train

The Raptor Train botnet, discovered in 2023, is a large, multi-tiered network primarily composed of compromised SOHO routers, IP cameras, NAS servers, and NVR/DVR devices. The botnet's primary implant, named "Nosedive," is a customized variant of the Mirai malware, designed to infect various IoT architectures like MIPS, ARM, PowerPC, and others. Nosedive implants are delivered via multi-stage droppers using encoded URL schemes, making detection challenging. Once deployed, the malware operates entirely in-memory, allowing for file uploads, downloads, command execution, and DDoS attacks. This memory-resident nature, combined with anti-forensics techniques such as obfuscated processes and multi-stage infections, complicates detection and analysis.

The botnet operates across three tiers: Tier 1 devices (bots), Tier 2 C2 servers, and Tier 3 management nodes. Tier 1 devices are compromised using 0-day and n-day vulnerabilities, with a lifespan of about 17 days. Tier 2 C2 nodes facilitate communication between bots and are managed from Tier 3 nodes using a custom Electron-based tool called "Sparrow." Sparrow enables operators to control C2 servers, deploy payloads, manage bots, and conduct exploitation activities.

Download

Thursday, September 12, 2024

2024-09-12 SUPERSHELL + 2023-03-13 SHELLBOT Targeting Linux SSH servers Samples

2024-09-12 Ahnlab: SuperShell malware targeting Linux SSH servers

  • SuperShell is a sophisticated backdoor malware targeting Linux SSH servers, written in the Go language, which allows cross-platform functionality on Linux, Windows, and Android. Created by a Chinese-speaking developer, it operates as a reverse shell, enabling attackers to execute commands remotely on the compromised systems. The attack begins with brute force and dictionary attacks against SSH servers, using weak credentials like "root/password" and "root/123456qwerty." Once access is gained, attackers execute a series of commands to download and install SuperShell, leveraging tools like wget, curl, tftp, and FTP, with download sources often hosted on compromised servers.

  • SuperShell's obfuscation adds complexity, but it can still be identified through specific internal strings and its runtime behavior. The malware's installation process is versatile, targeting directories like /tmp, /var/run, /mnt, and /root, with commands often including clean-up actions to remove traces post-installation (rm -r *). Typically, the payload involves downloading a script or binary, which is then executed with elevated permissions using chmod +x followed by execution (./ssh1). This pattern is consistently observed across multiple commands, highlighting the malware's redundancy and persistence in ensuring successful deployment.
  • Additionally, the attackers often deploy XMRig, a Monero cryptocurrency miner, alongside SuperShell, hinting at a dual-purpose attack: maintaining persistent control over the system while generating illicit cryptocurrency. 

2023-03-13 Ahnlab: ShellBot Malware Being Distributed to Linux SSH Servers

  • On March 13, 2023, ASEC reported that ShellBot, a Perl-based DDoS bot, is actively targeting Linux SSH servers. The malware exploits weak SSH credentials through brute-force attacks, gaining access to deploy its payload. Once installed, ShellBot connects to a Command and Control (C&C) server via the IRC protocol, enabling attackers to issue commands, steal data, and launch DDoS attacks.
  • Initial Access: Attackers scan for servers with open SSH ports (port 22) and use brute-force tools to guess weak or default credentials.
  • Installation: After gaining access, ShellBot is deployed, often achieving persistence by modifying startup scripts or cron jobs.
  • IRC Protocol: ShellBot uses the IRC protocol for C&C communication, allowing it to receive commands like executing remote tasks or launching DDoS attacks without needing a custom C&C infrastructure.
  • Customization: ShellBot is highly customizable, with variants like "LiGhT’s Modded perlbot v2" offering different capabilities and attack methods tailored by various threat actors.

Download

2024-09-19 X-WORM RAT (Phishing) Samples

2024-09-12 0day in {REA_TEAM}: The X-Worm malware is being spread through a phishing email
by m4n0w4r

More about X-Worm: Malpedia: X-Worm - malware with a wide range of capabilities, ranging from RAT to ransomware.

  • Phishing Tactics: An attacker sent an email with a shortened link that, when clicked, triggered the download of a file named Itinerary.doc_.zip.
  • The downloaded .zip file contained a shortcut file (.lnk).
  • This .lnk file was used to download and run a malicious batch script (output4.bat), which employed bitsadmin to download a harmful payload, disguised as svchost.com, into the %temp% folder.
  • The svchost.com file was analyzed using tools like DiE and ExeInfo, revealing it to be part of the XWorm malware family, protected by .NET Reactor.
  • The malware's code was heavily obfuscated but was partially deobfuscated using the NETReactorSlayer tool.
  • String decryption relies on MD5 hashing, AES encryption in ECB mode, and Base64 decoding.
  • The malware’s configuration included a host (cyberdon1[.]duckdns[.]org), port (1500), and other parameters like a Telegram token and chat ID.
  • XWorm Version: The analyzed version of XWorm was 5.6.

Download

2023-11-23 BEAVERTAIL and INVISIBLE_FERRET Lazarus Group Malware Samples

2023-11-23 Palo Alto Unit42: Hacking Employers and Seeking Employment: Two Job-Related

This is a 2023 article by Unit42 covering two cyber campaigns, "Contagious Interview" (CL-STA-0240) and "Wagemole" (CL-STA-0241), linked to the Lazarus group (North Korea).

There is a more recent campaign, VMCONNECT, described by ReversingLabs here: 2024-09-10 Fake recruiter coding tests target devs with malicious Python packages. I don't have samples for that one.

These campaigns target job-seeking activities to deploy malware and conduct espionage.

Contagious Interview (CL-STA-0240):

  • The campaign targets software developers by posing as employers and convincing them to download malicious NPM packages during fake job interviews. The malware, BeaverTail and InvisibleFerret, is cross-platform, running on Windows, Linux, and macOS.
  • BeaverTail: A JavaScript-based malware that steals cryptocurrency wallet information and loads the second-stage payload, InvisibleFerret.
  • InvisibleFerret: A Python-based backdoor with capabilities including fingerprinting, remote control, keylogging, and browser credential theft. It communicates with a C2 server using JSON-formatted messages and supports commands for data exfiltration and additional malware deployment.
  • The threat actors use GitHub to host malicious NPM packages, creating accounts with minimal activity to avoid detection.

Wagemole (CL-STA-0241):

  • Wagemole involves North Korean actors using fake identities to apply for remote IT jobs, likely to funnel wages to North Korea's weapons programs and potentially conduct espionage.
  • Exposed Infrastructure: Researchers found resumes, interview scripts, and other fraudulent materials on GitHub. These documents impersonate IT professionals and aim to gain unauthorized employment at US companies.

Download

Tuesday, September 10, 2024

2024-09-10 KIMSUKY (North Korean APT) Sample (Sakai @sakaijjang - Terms and Conditions.msc)

2024-09-10 Sakai @sakaijjang: Malware created by Kimsuky (김수키) - Terms and conditions (이용 약관).msc (2024.9.6) - Kimsuky (North Korea) - Terms and Conditions.msc

by https://x.com/sakaijjang?lang=en

Article translation in English 

More about Kimsuky: 2020-10-27 CISA North Korean Advanced Persistent Threat Focus

  • The malware is delivered as a file named "Terms and conditions.msc," containing embedded PowerShell commands.
  • The PowerShell script is executed in a hidden window (-WindowStyle Hidden), preventing user awareness.
  • The script uses Invoke-Expression (iex) to execute code and Invoke-WebRequest (iwr) to download a malicious script from hxxps://0x0(.)st/Xyl7(.)txt.
  • The downloaded data, encoded in hexadecimal, is decoded into a byte array.
  • The decoded data is initially saved as an MP3 file (e.g., vBqz.mp3) in the system’s public documents folder.
  • The MP3 file is then renamed to an executable file (e.g., vBqz.exe), disguising the payload as a media file.
  • The executable is run using conhost.exe in the background with the -NoNewWindow option, ensuring it remains hidden.
  • File Camouflage: The use of the MP3 extension initially disguises the executable file.
  • Stealthy Execution: Utilizing system utilities like conhost.exe and executing commands in hidden windows help evade user detection and security software.
  • Command-and-Control (C2) Infrastructure: The malware’s reliance on a public site for payload distribution suggests a flexible and easily reconfigurable C2 mechanism.
  • Hexadecimal Encoding: The use of encoded data indicates potential obfuscation techniques; decoding this data can reveal more about the malware.
  • Potential Variants: Different versions of this malware may exist, with variations in the payload or C2 URLs. Monitoring and updating detection rules, such as YARA, would be beneficial.

Download

2024-09-03 LUXY Ransomware / Stealer Sample

2024-09-03 K7 Security Labs: Luxy: A Stealer and a Ransomware in one

  • The sample is a .NET 32-bit executable, enforcing single-instance execution via a mutex and ensuring network connectivity before proceeding. It also implements anti-VM checks using System UUIDs, process names, and other system identifiers to evade sandbox environments.
  • Browser Data Extraction: Utilizes methods like GETENCRYPTIONKEY to extract and decrypt stored passwords and cookies from various browsers.
  • Cryptocurrency Wallet Theft: Targets wallets such as Zcash, Ethereum, and others, copying wallet files to a text file for exfiltration.
  • Session File Theft: Extracts Minecraft session files, logging them in a source.txt file, potentially compromising user authentication.
  • Roblox Cookie Theft: Steals cookies from the registry and browsers using PowerShell commands.
  • File Encryption: Deploys AES256 encryption on all files in the malware execution path, renaming files post-encryption. The encryption method uses a 128-bit key and IV, padding the plaintext to meet AES block size requirements.
  • Ransom Note: After encryption, a ransom note is dropped, informing the victim of the encryption and providing instructions to obtain the decryption key.

The ransom note reads:

ATTENTION!

Don't worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

To get this software and key you need join our server discord:

discord.gg/

Personal ID:

Download

Saturday, September 7, 2024

2024-09-05 SHRINKLOCKER (Bitlocker) Ransomware Samples

2024-09-05 Splunk: ShrinkLocker Malware: Abusing BitLocker to Lock Your Data

ShrinkLocker is a newly discovered ransomware strain that exploits BitLocker, a legitimate Windows feature, to encrypt data by locking users out of their systems. Unlike traditional ransomware, ShrinkLocker leverages BitLocker's secure boot partition to make decryption extremely challenging. The malware initiates its attack by identifying the operating system and determining whether it’s a suitable target. It modifies key system registry settings, particularly those related to Remote Desktop Protocol (RDP) and Trusted Platform Module (TPM), to suit its objectives. After disabling BitLocker key protectors, ShrinkLocker shrinks non-boot partitions by 100MB, formats these partitions, and reconfigures boot files to destabilize the system, potentially rendering it irreparable. The malware also exfiltrates data to a command-and-control server and attempts to erase traces of its activity by deleting logs, firewall rules, and scheduled tasks.



2024-08-30 Cicada ESXi Ransomware Sample
Cicada3301, a ransomware group first detected in June 2024, appears to be either a rebranded or derivative version of the ALPHV ransomware group, employing a ransomware-as-a-service (RaaS) model. The ransomware, written in Rust, targets both Windows and Linux/ESXi environments, utilizing ChaCha20 for encryption. Technical analysis reveals several key similarities with ALPHV: both use nearly identical command structures for shutting down VMs and removing snapshots, and share a similar file-naming convention. The ransomware's binary is an ELF file, with its Rust origin confirmed through string references and investigation of the .comment section.

Key parameters include sleep, which delays the ransomware's execution, and ui, which displays the encryption progress on the screen. The key parameter is crucial for decryption; if it's not provided or incorrect, the ransomware will stop running. The main function, linux_enc, starts the encryption process by generating a random key using OsRng. Files larger than 100 MB are encrypted in parts, while smaller files are encrypted entirely using ChaCha20. The ChaCha20 key is then secured with an RSA public key and added, along with a specific file extension, to the end of the encrypted file.

Initial access appears to be facilitated by the Brutus botnet, with threat actors using stolen or brute-forced credentials to gain entry via ScreenConnect. The IP address associated with this attack is tied to the Brutus botnet, raising the possibility of a direct connection between the botnet operators and Cicada3301. The ransomware also features a decryption check routine, where an encoded and encrypted ransomware note stored within the binary is decrypted using the provided key, validating the correct decryption.


Download


Download. (Email me if you need the password scheme)



File Information

63e0d4e861048f581c9e5c64b28a053eb0023d58eebf2b943868d5f68a67a8b7 esxi

The article didn't include any hashes, only the YARA rule. While this sample doesn't trigger a match with the rule, I believe it's the same malware.

Tuesday, September 3, 2024

2024-09-02 ABYSS Ransomware Windows and Linux Samples




Abyss Ransomware, first identified in 2023, is a sophisticated ransomware strain targeting both Windows and Linux systems, with a specific focus on VMware ESXi environments. It employs advanced encryption techniques, multi-extortion tactics, and strategic network infiltration to disrupt operations across various sectors, including finance, healthcare, and technology.

Key Characteristics:

  • Target Platforms: Windows, Linux (particularly VMware ESXi)
  • Encryption: Utilizes the Salsa20 encryption algorithm; appends .abyss or .crypt extensions.
  • Initial Access Vectors: Phishing emails, weak SSH configurations, and exploiting known vulnerabilities in exposed servers.
  • Multi-Extortion Tactics: Encrypts files and exfiltrates data, threatening public exposure on a TOR-based leak site if ransom demands are not met.

Windows Variant:

  • Service Termination: Disables critical services (e.g., MSSQL, Exchange) to ensure encryption success.
  • Persistence: Alters boot configuration to disable recovery options.
  • File Encryption: Employs Salsa20; ransom note WhatHappened.txt is dropped in each directory.
  • Obfuscation: Written in C++, using techniques to evade detection and hinder forensic analysis.

Linux Variant:

  • VMware ESXi Targeting: Leverages esxcli to manage and shut down virtual machines for encryption.
  • Selective Encryption: Avoids critical system directories to maintain partial system functionality.
  • Persistence: Establishes daemon processes to ensure the ransomware remains active post-reboot.


Monday, September 2, 2024

2022-2024 North Korea Citrine Sleet / Lazarus FUDMODULE (BYOVD) Rootkit Samples


2024-08-30 Microsoft: North Korean threat actor Citrine Sleet exploiting Chromium zero-day 

2024-03-01 Lazarus group operations — A deep dive into FudModule Rootkit by Lucas Mancilha

2024-08-28 CORONA MIRAI Botnet Spreads via Zero-Day (CVE-2024-7029), a Command Injection Vulnerability in the Brightness Function of AVTECH Closed-Circuit Television (CCTV) Cameras - Samples
Akamai's Security Intelligence and Response Team (SIRT) has identified a new botnet campaign exploiting multiple vulnerabilities, including a zero-day vulnerability, CVE-2024-7029, discovered by Aline Eliovich. This command injection vulnerability exists in the brightness function of AVTECH IP camera devices, allowing for remote code execution (RCE). The botnet spreads a Mirai variant with strings referencing the COVID-19 virus, leveraging this vulnerability to infect systems.

  • CVE-2024-7029: This vulnerability affects AVTECH IP camera models with firmware versions up to AVM1203 FullImg-1023-1007-1011-1009. The flaw allows attackers to inject commands through the "brightness" parameter in the device's web interface, leading to remote code execution.
  • Exploitation: The botnet campaign not only exploits CVE-2024-7029 but also targets older, unpatched vulnerabilities, such as a Hadoop YARN RCE, CVE-2014-8361, and CVE-2017-17215. These vulnerabilities, though older, remain effective due to their widespread use in unpatched systems.
  • Spread of Mirai Variant: The attack chain involves exploiting the identified vulnerabilities to download and execute a variant of the Mirai botnet. This variant, known as Corona Mirai, connects to command-and-control servers and spreads across networks, particularly through Telnet on ports 23, 2323, and 37215.
  • Affected Devices: The vulnerability primarily impacts AVTECH IP camera models, specifically those running the AVM1203 firmware versions mentioned above. Despite these models being discontinued, they are still in use in critical infrastructure, including transportation authorities.

Affected Models:

  • AVTECH IP Cameras: Specifically models running up to AVM1203 firmware versions FullImg-1023-1007-1011-1009.
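Two detection checks that follow from the write-up above, as an added example (not code from Akamai or the article): the first flags camera web requests whose brightness parameter carries shell metacharacters instead of a plain number, the second flags a source host fanning out to many neighbours on the Telnet ports named above (23, 2323, 37215). The log lines and the /cgi-bin/camera.cgi path are constructed placeholders, not the device's real endpoint.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

TELNET_PORTS = {23, 2323, 37215}   # spreading ports named in the Akamai write-up
FAN_OUT_THRESHOLD = 3              # distinct targets per source before alerting (kept low for the sample)
SHELL_META = re.compile(r"[;|&`$\n]")  # separators a numeric brightness value never needs

# Constructed sample access log: "src method path status". The CGI path is a placeholder.
HTTP_LOG = [
    "203.0.113.10 GET /cgi-bin/camera.cgi?action=set&brightness=50 200",
    "203.0.113.10 GET /cgi-bin/camera.cgi?action=set&brightness=50%3Bid 200",
    "198.51.100.7 GET /index.html 200",
]

# Constructed sample flow records: "src dst dport".
FLOW_LOG = [
    "192.0.2.20 192.0.2.21 23",
    "192.0.2.20 192.0.2.22 2323",
    "192.0.2.20 192.0.2.23 37215",
    "192.0.2.20 192.0.2.24 80",
    "192.0.2.30 192.0.2.21 23",
]

def query_params(target):
    """Split the query string by hand so an encoded ';' in a value is kept, not treated as a separator."""
    params = defaultdict(list)
    for pair in urlsplit(target).query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote_plus(key)].append(unquote_plus(value))
    return params

def brightness_injection_hits(access_lines):
    """Return (source_ip, decoded_value) for requests whose brightness value contains shell metacharacters."""
    hits = []
    for line in access_lines:
        src, _method, target, _status = line.split()
        for value in query_params(target).get("brightness", []):
            if SHELL_META.search(value):
                hits.append((src, value))
    return hits

def telnet_fan_out(flow_lines, threshold=FAN_OUT_THRESHOLD):
    """Return {src: sorted distinct dst} for sources reaching >= threshold hosts on Telnet-style ports."""
    targets = defaultdict(set)
    for line in flow_lines:
        src, dst, dport = line.split()
        if int(dport) in TELNET_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}
```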


Download

2024-08-29 ASYNCRAT Samples



2024-08-29 Esentire: Exploring AsyncRAT and Infostealer Plugin Delivery Through Phishing Emails

eSentire's Threat Response Unit (TRU) discovered an AsyncRAT infection that was delivered through a Windows Script File (.wsf) via email. The malicious .wsf file, named “SummaryForm_,” downloaded a VBScript from a remote server, which then fetched a fake image file. 
This file was actually a ZIP archive that, once extracted, ran additional scripts to establish persistence on the system. The scripts created a scheduled task to execute the AsyncRAT payload repeatedly, making it difficult to detect and remove. The payload was injected into the RegAsm.exe process using a DLL to further evade detection.



Additionally, this version of AsyncRAT included an infostealer plugin designed to exfiltrate data from popular web browsers like Chrome and Firefox, as well as cryptocurrency wallet extensions such as MetaMask and Coinbase. The attack highlights the use of multiple stages and obfuscation techniques to maintain persistence and steal sensitive information from the infected system.



Download