Tag: Stealthy | SpinSafe

Socks5Systemz: How Darktrace’s Anomaly Detection Unraveled a Stealthy Botnet

March 26, 2024/in Internet Security

How does Loader Malware work?

Throughout 2023, the Darktrace Threat Research team identified and investigated multiple strains of loader malware affecting customers across its fleet. These malicious programs typically serve as a gateway for threat actors to gain initial access to an organization’s network, paving the way for subsequent attacks, including additional malware infections or disruptive ransomware attacks.

How to defend against loader malware

The prevalence of such initial access threats highlights the need for organizations to defend against multi-phase compromises, where modular malware swiftly progresses from one stage of an attack to the next. One notable example observed in 2023 was Pikabot, a versatile loader malware used for initial access and often accompanied by secondary compromises like Cobalt Strike and Black Basta ransomware.

While Darktrace initially investigated multiple instances of campaign-like activity associated with Pikabot during the summer of 2023, a new campaign emerged in October which was observed targeting a Darktrace customer in Europe. Thanks to the timely detection by Darktrace DETECT™ and the support of Darktrace’s Security Operations Center (SOC), the Pikabot compromise was quickly shut down before it could escalate into a more disruptive attack.

What is Pikabot?

Pikabot is one of the latest modular loader malware strains that has been active since the first half of 2023, with several evolutions in its methodology observed in the months since. Initial researchers noted similarities to the Qakbot aka Qbot or Pinkslipbot and Mantanbuchus malware families, and while Pikabot appears to be a new malware in early development, it shares multiple commonalities with Qakbot [1].

First, both Pikabot and Qakbot have similar distribution methods, can be used for multi-stage attacks, and are often accompanied by downloads of Cobalt Strike and other malware strains. The threat actor known as TA577, which has also been referred to as Water Curupira, has been seen to use both types of malware in spam campaigns which can lead to Black Basta ransomware attacks [2] [3].Notably, a rise in Pikabot campaigns were observed in September and October 2023,…

Source…

Syrian group Anonymous Arabic distributes stealthy malware Silver RAT

January 9, 2024/in Computer Security

Syrian group Anonymous Arabic distributes stealthy malware Silver RAT

Pierluigi Paganini
January 09, 2024

A hacker group that calls itself Anonymous Arabic is distributing a stealthy remote access trojan called Silver RAT.

Cyfirma researchers observed threat actors called ‘Anonymous Arabic’ distributing a C# remote access trojan called Silver RAT. The malware supports multiple capabilities, including bypassing anti-viruses and covertly launching hidden applications, browsers, and keyloggers.

The hacker group is active on multiple hacker forums (XSS, Darkforum, TurkHackTeam, and others) and runs a Telegram channel offering a range of services including the distribution of cracked RATs, leaked databases, carding activities, and the sale of social media bots. Another malware developed by the same group is called S500 RAT.

The current version of the RAT, Silver RAT v1.0, is a Windows-based threat, but experts believe that the developers are going to launch also an Android variant. Silver RAT v1.0 also supports destructive features such as data encryption using ransomware, and functions to destroy system restore points.

“The developer of Silver RAT is, known as ‘noradlb1,’ and is active on prominent hacking forums like XSS, Darkforum, TurkHackTeam, and others, with an arguably respected reputation.” reads the analysis published by Cyfirma. “The RAT first appeared on their Telegram channel and later on Turkhackteam and 1877 forums. Silver RAT was cracked and leaked on Telegram around October, 2023, and now users on Telegram and GitHub are sharing cracked versions of Silver RAT v1.0 to users without the means to purchase RATs (however there is evidence from user conversations that this may not be as effective as other well-known RATs like xworm).”

CYFIRMA reported that the group has been using a well-known Crypto wallet and employ multiple addresses for transactions to manage different crypto currencies (Bitcoin, Ethereum and USDT (Tether)).

The Bitcoin wallet was empty at the time of the analysis, but experts recorded approximately 2,275.67 USD of transactions between December 24,2023 and December 25,2023 period.

During the investigation, the researchers…

Source…

Stealthy new botnet targets VPN devices and routers while staying disguised

January 4, 2024/in Internet Security

The US Government, together with several other countries, has issued a joint Cybersecurity Advisory notice warning of malicious work being carried out by a state-sponsored Chinese cyber actor known as Volt Typhoon.

The Chinese group has been observed targeting US critical infrastructure sectors, and other countries are believed to be at risk.

In fact, the attack uncovered by Microsoft earlier this year has captured the attention not only of the NSA, CISA, and FBI of the United States, but also officials in Australia, Canada, New Zealand, and the UK.

Chinese group stealthily targeting routers

According to Microsoft, the group, which has only been active since 2021, has previously targeted critical infrastructure on the Micronesian island Guam in the Western Pacific, which is an unincorporated territory of the US, as well as other American regions.

This particular campaign looks not to be especially focused, with sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education all under threat.

Volt Typhoon uses built-in network administration tools, otherwise known as living off the land, to evade endpoint detection by blending in with normal Windows system and network activities.

Microsoft summarized the steps: “They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”

The threat actor was also noted to be blending into normal network activity by routing its traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN devices.

The security notice suggests that organizations harden domain controllers and monitor event logs, look for abnormal account activity, and investigate unusual IP addresses. Full details of the attack and mitigations can be found on the US Department of Defense’s website.

More from TechRadar Pro

Source…

xorbot: A Stealthy Botnet Family That Defies Detection

December 28, 2023/in Internet Security

I. Background of xorbot

In November 2023, NSFOCUS Global Threat Hunting System detected that a type of elf file was being widely distributed and accompanied by a large amount of suspected encrypted outbound communication traffic. However, the detection rate of mainstream antivirus engines on this file was close to zero, which aroused our curiosity. After further manual analysis, we identified a novel botnet family with strong occultness. Given that the family uses multiple rounds of xor operations in encryption and decryption algorithms, NSFOCUS Research Labs named the Trojan xorbot.

Unlike a large number of botnet families secondary developed based on open source code, xorbot was built from scratch with a brand-new architecture. Developers attached great importance to the concealment of Trojan horses and even sacrificed propagation efficiency for better concealment effect. The latest version of Trojan horse added a large amount of garbage codes on the basis of the initial version, which increased the file volume by more than 30 times. On the traffic side, it also took painstaking efforts to randomly generate data sent during the initial online interaction stage, and introduced encryption and decryption algorithms to encrypt and store key information, thus invalidating the method of detecting character features in communication traffic.

II. Sample Analysis of xorbot

Version change

Shortly after the initial propagation version of xorbot, which first appeared in November 2023 with a file size around 30 KB, NSFOCUS Global Threat Hunting System detected another variant of the Trojan that soared nearly 30-fold to close to 1200 KB.

Figure 1 Comparison of file sizes in different versions of xorbot

Through further analysis, we confirm that the xorbot Trojan communicates in the new version by introducing _libc_connect() and _libc_recv() series functions of the libc library, but the core function modules remain unchanged.

Figure 2 xorbot core function module

Trojan developers have added a large amount of invalid code to mask malicious branches, making the current antivirus engine detection rate close to zero. Although junk code can oversize files and affect their propagation…

Source…

Tag Archive for: Stealthy

How does Loader Malware work?

How to defend against loader malware

What is Pikabot?

Syrian group Anonymous Arabic distributes stealthy malware Silver RAT

A hacker group that calls itself Anonymous Arabic is distributing a stealthy remote access trojan called Silver RAT.

I. Background of xorbot

II. Sample Analysis of xorbot

Version change