Tag Archive for: Abuses

AWS cryptojacking campaign abuses less-used services to hide


To remain undetected for longer in cloud environments, attackers have started abusing less-common services that receive less security scrutiny. A recently discovered cryptojacking operation, dubbed AMBERSQUID, does exactly that: it deploys cryptocurrency-mining malware on AWS Amplify, AWS Fargate and Amazon SageMaker instead of the more obvious Amazon Elastic Compute Cloud (Amazon EC2).

“The AMBERSQUID operation was able to exploit cloud services without triggering the AWS requirement for approval of more resources, as would be the case if they only spammed EC2 instances,” researchers from security firm Sysdig said in a report. “Targeting multiple services also poses additional challenges, like incident response, since it requires finding and killing all miners in each exploited service.”

How the AMBERSQUID cryptojacking campaign works

The Sysdig researchers came across the campaign while scanning 1.7 million Linux container images hosted on Docker Hub for malicious payloads. One container showed indicators of cryptojacking when executed, and further analysis revealed several similar containers, uploaded by different accounts since May 2022, that download cryptocurrency miners hosted on GitHub. Judging by the comments in the malicious scripts inside the containers, the researchers believe the attackers behind the campaign are based in Indonesia.

When deployed on AWS using stolen credentials, the malicious Docker images execute a series of scripts, starting with one that creates IAM roles and attaches permissions to them. One of the created roles is called AWSCodeCommit-Role and is given access to the AWS Amplify service, which lets developers build, deploy and host full-stack web and mobile applications on AWS. The same role also gets access to AWS CodeCommit, a managed source-code repository service, and to Amazon CloudWatch, the AWS monitoring and data-visualization service.

A second role that is created by the container scripts is called sugo-role, and this role has full access to SageMaker, another AWS service that allows data scientists to build, train, and deploy machine-learning models. A third created role is…
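The role creation and the spread of mining workloads across several rarely watched services described above are both visible in CloudTrail. The following detector is an added example written for this page, not code from Sysdig or from the AMBERSQUID scripts: it flags CreateRole calls whose trust policy lets Amplify, SageMaker or ECS tasks assume the role, AttachRolePolicy/PutRolePolicy calls whose policy name points at those services, and compute creation in Amplify, SageMaker and Fargate, then groups alerts by principal so a single actor touching many services stands out. The event-name and service-principal mapping and the sample records are assumptions constructed for the example; the role names come from the article.

```python
import json
from urllib.parse import unquote

# Services the Sysdig report says AMBERSQUID used for mining. The CloudTrail
# eventNames and service principals below are this example's mapping, not a
# list from the report.
COMPUTE_EVENTS = {
    "amplify.amazonaws.com": {"CreateApp", "CreateBranch", "StartJob"},
    "sagemaker.amazonaws.com": {"CreateNotebookInstance", "CreateTrainingJob",
                                "CreateProcessingJob"},
    "ecs.amazonaws.com": {"RunTask", "CreateService"},  # Fargate is an ECS launch type
}
TRUSTED_PRINCIPALS = {"amplify.amazonaws.com": "amplify",
                      "sagemaker.amazonaws.com": "sagemaker",
                      "ecs-tasks.amazonaws.com": "ecs"}
# Fragments of a managed or inline policy name that point at a watched service.
POLICY_HINTS = {"amplify": "amplify", "sagemaker": "sagemaker",
                "codecommit": "codecommit", "cloudwatch": "cloudwatch"}


def _actor(event):
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or "unknown"


def _trusted_services(doc):
    """Service principals allowed to assume the role, taken from the
    assumeRolePolicyDocument of a CreateRole record. CloudTrail may store it
    URL-encoded or as plain JSON; unquote() is harmless on the latter."""
    try:
        policy = json.loads(unquote(doc)) if isinstance(doc, str) else (doc or {})
    except ValueError:
        return set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = set()
    for st in statements:
        svc = (st.get("Principal") or {}).get("Service", [])
        found.update([svc] if isinstance(svc, str) else svc)
    return {s.lower() for s in found}


def classify_event(event):
    """Return an alert dict for a record matching the pattern, else None."""
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    base = {"actor": _actor(event), "api": f"{source.split('.')[0]}:{name}"}
    if source == "iam.amazonaws.com":
        if name == "CreateRole":
            trusted = _trusted_services(params.get("assumeRolePolicyDocument"))
            hits = [TRUSTED_PRINCIPALS[s] for s in sorted(trusted) if s in TRUSTED_PRINCIPALS]
            if hits:
                return {**base, "rule": "role-trusts-uncommon-service",
                        "service": hits[0], "role": params.get("roleName")}
        elif name in ("AttachRolePolicy", "PutRolePolicy"):
            policy = (params.get("policyArn") or params.get("policyName") or "").lower()
            hit = next((svc for frag, svc in POLICY_HINTS.items() if frag in policy), None)
            if hit:
                return {**base, "rule": "role-granted-uncommon-service",
                        "service": hit, "role": params.get("roleName")}
        return None
    if name in COMPUTE_EVENTS.get(source, ()):
        if source == "ecs.amazonaws.com" and params.get("launchType") != "FARGATE":
            return None  # EC2-backed ECS tasks are not the pattern described
        return {**base, "rule": "compute-in-uncommon-service",
                "service": source.split(".")[0], "region": event.get("awsRegion")}
    return None


def scan_trail(records):
    return [a for a in map(classify_event, records) if a]


def actors_spanning_services(alerts, minimum=2):
    """Principals whose alerts touch at least `minimum` distinct services: the
    spread across several services that makes cleanup harder."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["actor"], set()).add(a["service"])
    return {actor: sorted(s) for actor, s in seen.items() if len(s) >= minimum}


# Constructed sample records (not from the report), trimmed to the fields used.
ACTOR = "arn:aws:iam::123456789012:user/deploy"
_TRUST = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
          "Principal": {"Service": "amplify.amazonaws.com"}, "Action": "sts:AssumeRole"}]})
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"roleName": "AWSCodeCommit-Role", "assumeRolePolicyDocument": _TRUST}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"roleName": "AWSCodeCommit-Role",
                           "policyArn": "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"roleName": "sugo-role",
                           "policyArn": "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"launchType": "FARGATE"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {}},
    {"eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ACTOR}, "requestParameters": {"launchType": "EC2"}},
]

if __name__ == "__main__":
    found = scan_trail(SAMPLE_RECORDS)
    for alert in found:
        print(alert)
    print(actors_spanning_services(found))
```

On real data, feed the `Records` array of CloudTrail log files to `scan_trail` and raise the severity when `actors_spanning_services` returns a principal, since legitimate deployments rarely create roles for Amplify, SageMaker and Fargate from one identity in a short window. The policy-name heuristic misses inline policies whose names carry no service hint; checking the policy document's `Action` list is the obvious extension.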

Source…

Twitter Files: “Global Engagement Center” Abuses Preceded Angus King’s Blacklist


Have you noticed the narrative around “disinformation” changing recently?

In his new, self-styled outlet Racket News, Twitter Files journalist Matt Taibbi examines three interrelated streams of activity by the U.S. government, private consultants, and social media giants from 2015 to the present that, taken jointly, paint a troubling picture of efforts to "de-platform" voices it smeared as suspicious.

This analysis provides a new context in which to consider Sen. Angus King’s campaign reaching out to Twitter in 2018 to provide an “enemies list” of hundreds of “suspicious” accounts, many of which were Mainers and supporters of King’s opponent, State Sen. Eric Brakey (R-Androscoggin), in that year’s election.

By the time King’s campaign did it, conspiring with social media firms to blacklist, de-platform, and smear political critics had become a cultural norm within the Washington-Palo Alto circuit.

In his reporting Thursday, Taibbi looked at the Global Engagement Center (GEC), an internal sub-agency within the State Department created under the Obama administration. The U.S. developed the GEC as a tool for better monitoring what the rest of the world says about us and correcting misperceptions. But what began as Uncle Sam’s PR firm morphed into an information weapon used by the political establishment against its enemies.

Following the election of Donald Trump in 2016, GEC’s focus shifted from Islamic extremism to “fighting disinformation.” A new breed of “disinformation warriors” was born – young people with minimal world experience who were somehow able to make calls about what was probable Russian interference, or – once that chestnut had been played for well more than it was worth – domestic extremists.

There were, for example, GEC-funded activities The Maine Wire reported on last month that commingled financing with left-wing billionaire philanthropist George Soros’ Open Society Institute to create a “Disinformation Index” that included a number of prominent conservative news sites in the U.S.

Taibbi’s report shows how a diverse array of interests…

Source…

Trend Micro : Emotet Spam Abuses Unconventional IP Address Formats to Spread Malware


We observed Emotet spam campaigns using hexadecimal and octal representations of IP addresses in their download URLs, most likely to evade detection by pattern matching on dotted-decimal addresses. Both routines use social engineering to trick users into enabling document macros, which then execute the malware automatically. The operating system accepts these notations and converts them to the dotted-decimal form before connecting to the remote server, so the request succeeds even though the URL never contains a recognizable IP address. Users and businesses should detect and block such unconventional address formats and enable the relevant security measures, since Emotet is used for second-stage delivery of malware such as TrickBot and Cobalt Strike.

Routine using hexadecimal IP addresses

The samples we found start with an email-attached document using Excel 4.0 (XLM) macros, a legacy feature for automating repetitive tasks in Excel that malicious actors have long abused to deliver malware. In this case the payload runs through the auto_open macro as soon as the document is opened with macros enabled.

Figure 1. Attached document in the emails lures users into enabling the macros

The URL is obfuscated with carets (the cmd.exe escape character, which is dropped when the command is parsed), and the host is a hexadecimal representation of the IP address. Using CyberChef, we converted the hexadecimal value to find the more commonly used dotted-decimal equivalent, 193[.]42[.]36[.]245.

Figure 2. Using carets for obfuscation

Figure 3. Converting the hexadecimal numbers to dotted decimal representation

Once executed, the macro invokes cmd.exe, which in turn launches mshta.exe with the URL containing the hexadecimal IP address as its argument; mshta.exe downloads the HTML Application (HTA) from the remote host and executes it.

Figure 4. Downloading and executing an HTA code

Routine using octal IP addresses

Much like the hexadecimal representation sample, the document also uses Excel 4.0 Macros to run the malware once the…
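Both routines, the hexadecimal one and the octal one, rely on the same two tricks: caret escaping that cmd.exe strips before mshta.exe sees the URL, and IP literals in the alternative notations that inet_aton() accepts (hex with 0x, octal with a leading 0, and one to four dotted components where the last fills the remaining bits). The following normalizer is an added example written for this page, not Trend Micro's or Emotet's code; it undoes the caret escaping, canonicalizes any inet_aton()-style literal to dotted decimal, and flags URLs whose host was written in a non-canonical form, which is the check a mail gateway or EDR rule would want. The sample URLs and the file name in them are constructed; only the address 193.42.36.245 comes from the article.

```python
import re
from urllib.parse import urlsplit


def cmd_unescape(s):
    """Undo cmd.exe caret escaping: '^' makes the next character literal,
    so 'h^t^t^p' becomes 'http' and '^^' becomes '^'."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


_COMPONENT = re.compile(r"0[xX][0-9a-fA-F]*|[0-9]+")


def _parse_component(text):
    """One dotted component with the prefixes inet_aton() understands:
    0x/0X hex, leading 0 octal, otherwise decimal. Raises ValueError on
    anything else (so 'example' or '1_0' are rejected, unlike plain int())."""
    if not _COMPONENT.fullmatch(text):
        raise ValueError(text)
    if text[:2].lower() == "0x":
        return int(text[2:], 16)      # bare '0x' raises ValueError; fine for us
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text, 10)


def normalize_ipv4(host):
    """Canonical dotted-decimal form of an inet_aton()-style IPv4 literal, or
    None if the host is not one. Accepts 1 to 4 components; as in inet_aton(),
    the last component fills all remaining bits (a.b.c gives c 16 bits)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or any(p == "" for p in parts):
        return None
    try:
        values = [_parse_component(p) for p in parts]
    except ValueError:
        return None
    head, last = values[:-1], values[-1]
    last_bits = 32 - 8 * len(head)
    if any(not 0 <= v <= 255 for v in head) or not 0 <= last < (1 << last_bits):
        return None
    n = 0
    for v in head:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_DOTTED_DECIMAL = re.compile(rf"(?:{_OCTET}\.){{3}}{_OCTET}")


def inspect_url(raw):
    """See the URL as cmd.exe hands it to mshta.exe, then report whether its
    host is an IPv4 literal written in a non-canonical notation."""
    url = cmd_unescape(raw)
    host = urlsplit(url).hostname or ""   # urlsplit lowercases the host
    ip = normalize_ipv4(host)
    return {
        "url": url,
        "host": host,
        "ip": ip,
        "obfuscated": ip is not None and _DOTTED_DECIMAL.fullmatch(host) is None,
    }


if __name__ == "__main__":
    # Constructed samples: hex host with caret obfuscation, dotted octal, and
    # a single 32-bit decimal; all resolve to the article's address.
    for sample in ("h^t^t^p://0xC12A24F5/payload.hta",
                   "http://0301.052.044.0365/payload.hta",
                   "http://3240764661/payload.hta",
                   "http://193.42.36.245/payload.hta"):
        print(inspect_url(sample))
```

A detection rule that only matches `\d{1,3}(\.\d{1,3}){3}` misses every one of the first three samples; normalizing first and then matching the canonical address against threat intelligence closes that gap. Note that browsers and libcurl follow the same inet_aton() rules, so the notation is not specific to mshta.exe.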

Source…

Hacking group’s new malware abuses Google and Facebook services


Molerats

The Molerats cyberespionage group has been using fresh malware in recent spear-phishing campaigns that relies on Dropbox, Google Drive, and Facebook for command-and-control communication and for storing stolen data.

The hackers have been active since at least 2012 and are considered to be the low-budget division of a larger group called the Gaza Cybergang.

Two backdoors and a downloader

In recent operations the Molerats threat actor used two new backdoors, called SharpStage and DropBook, and a previously undocumented malware downloader named MoleNet.

Designed for cyberespionage, the malware attempts to avoid detection and takedown efforts by using Dropbox and Facebook to exfiltrate data and receive instructions from the operators. Both backdoors use Dropbox to upload stolen data.

The attack starts with an email luring political figures or government officials in the Middle East (Palestinian Territories, UAE, Egypt, Turkey) to download malicious documents.

One of the lures in campaigns delivering the new malware was a PDF file referencing the recent talks between Israeli Prime Minister Benjamin Netanyahu and His Royal Highness Mohammed bin Salman, Saudi Crown Prince.

The document showed only a summary of the content and instructed the recipient to download password-protected archives stored in Dropbox or Google Drive for the full information.

Two of these files were the SharpStage and DropBook backdoors, which contacted a Dropbox account controlled by the attacker to download further malware. A third was another backdoor, Spark, also used by Molerats in previous campaigns.

Commands over Facebook

A technical report from Cybereason's Nocturnus Team [PDF] notes that the Python-based DropBook backdoor differs from the other tools in Molerats' arsenal in that it receives instructions only through fake accounts on Facebook and on the Simplenote note-taking app.

The operators control the backdoor through commands published in a Facebook post. They use the same method to deliver the token the backdoor needs to connect to the Dropbox account; Simplenote acts as a fallback in case the malware cannot retrieve the token from Facebook.

With commands coming from multiple sources on a…

Source…