Tag Archive for: Variant

New Sysrv Botnet Variant Makes Use of Google Subdomain to Spread XMRig Miner


Sysrv is a well-documented botnet first identified in 2020, with the main payload being a worm written in Golang. It drops a cryptominer onto infected hosts before attempting to propagate itself using various methods, including network vulnerabilities. Over the past few years, the botnet has evolved and adapted and has been broadly documented by researchers from various different organizations [1][2][3]. In this blog we will explore the latest variant (shown in the infection chain diagram below), along with the new techniques used, and the latest IoCs uncovered by Imperva Threat Research.

Compromised Sites

Imperva Threat Research first uncovered suspicious behavior relating to the botnet in early March, in the form of blocked HTTP requests observed hitting Imperva proxies. The requests were highly indicative of bot traffic, targeting many sites, across multiple countries. The requests shared common signatures and attempted to exploit multiple known web vulnerabilities in Apache Struts (CVE-2017-9805) and Atlassian Confluence (CVE-2023-22527 and CVE-2021-26084).

A more interesting observation, however, was the use of a seemingly legitimate domain belonging to a known Malaysian academic institution, whose name we have withheld to allow them to remediate the infection. The domain is used to host the institution’s digital archive, and is based on a platform known as Duraspace or DSpace. The perpetrators of this iteration of the sysrv botnet campaign appear to have compromised the site to host their malicious files.

Updated Dropper Script

As part of our analysis of this campaign, we downloaded and analyzed the malware samples hosted on the compromised site. The first of these was a dropper bash script named “ldr.sh”, which is notably similar to previously documented iterations of the sysrv botnet.

The script defines several variables related to downloading the second-stage binary: a “cc” variable, which contains the URL of the compromised site; a “sys” variable, which contains a random string generated from the MD5 hash of the date; and a “get” function, which downloads files from the URLs passed to it.

The variables and function are used later in the…

Source…

STOP ransomware, more common than LockBit, gains stealthier variant


StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics.

StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically hits smaller targets, with an average ransom payment size of $619 in the first half of 2023, according to a mid-year report by Chainalysis.

SonicWall reported Tuesday that a new StopCrypt variant employs several evasion tactics in a multi-stage shellcode deployment process, including a long delay loop, dynamic API resolution, and process hollowing, i.e. replacing the code of a legitimate executable with malicious code.

‘Msjd’ StopCrypt ransomware attempts to dodge anti-virus protection

The StopCrypt variant studied by SonicWall’s Capture Labs begins its stealth mission by copying the same data to a location more than 65 million times in a delay loop likely intended to dodge time-sensitive anti-virus mechanisms such as sandboxing.

It then employs multiple stages of dynamic API resolution — resolving and calling APIs at runtime rather than linking them directly. This avoids the artifacts that statically linked API calls would leave in the malware’s import table, which anti-virus tools can otherwise detect.

After taking a snapshot of the current processes using CreateToolhelp32Snapshot, extracting information using Module32First, and calling VirtualAlloc to allocate memory with read, write and execute permissions, the malware enters a second stage in which it dynamically resolves additional APIs to perform process hollowing.

Ntdll_NtWriteVirtualMemory is used to write malicious code into a suspended process created with kernel32_CreateProcessA.

When the suspended process is resumed, the final ransomware payload launches icacls.exe to modify access control lists so that the new directory and files created by StopCrypt cannot be modified or deleted. The ransomware encrypts the user’s files and adds the extension “.msjd.”

The ransomware note found in the variant studied by SonicWall includes a demand for $980, with a “discount” offer of $490 if the victim contacts the threat actor within 72 hours.

The STOP variant…

Source…

Jupyter Malware Variant Targets Browsers, Crypto-Wallets with Sophisticated Evasion Techniques


Security researchers have identified a significant uptick in attacks by a new, more sophisticated variant of the Jupyter malware, targeting popular browsers and crypto-wallets with advanced evasion techniques. This variant, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been active since at least 2020 but has seen a resurgence with enhancements that make it harder to detect.

A Persistent Data-Stealing Cyber Threat

VMware’s Carbon Black team recently observed the malware leveraging PowerShell command modifications and legitimate-looking, digitally signed payloads to infect a growing number of systems. These modifications enhance Jupyter’s evasion capabilities, allowing it to backdoor machines and harvest a variety of credential information without detection. Morphisec and BlackBerry have further detailed its capabilities, including support for command and control communications and the execution of PowerShell scripts and commands, highlighting its function as a full-fledged backdoor.

Jupyter: Getting Around Malware Detection

The recent attacks have seen the Jupyter operator using valid certificates to digitally sign the malware, making it appear legitimate to malware detection tools. VMware researchers noted the malware’s use of SEO poisoning and search engine redirects as part of its attack chain, demonstrating its sophisticated credential harvesting and encrypted communication capabilities. Abe Schneider, threat analyst lead at Carbon Black, highlighted new improvements to the infostealer, including the use of an installer called InnoSetup, which serves as the first payload delivered to victim devices.

A Troubling Increase in Infostealers

Jupyter’s resurgence is part of a broader, concerning trend in the rise of infostealers, exacerbated by the shift to remote work during the COVID-19 pandemic. Organizations like Red Canary and Uptycs have reported sharp increases in infostealer distribution, with attackers leveraging the malware to gain quick, persistent, and privileged access to enterprise networks and systems. The demand for stolen data on criminal forums remains high, underscoring the ongoing threat posed…

Source…

New Chameleon Android malware variant emerges with fingerprint lock bypass capability


A new variant of Chameleon Android malware has been found in the wild with new features, notable among them the ability to bypass fingerprint locks.

The Chameleon Android banking trojan first entered the scene in early 2023 with a primary focus on mobile banking applications in Australia and Poland but has since expanded into other countries, including the U.K. and Italy. The malware uses multiple loggers but has somewhat limited functionality.

Earlier versions of Chameleon could perform actions on behalf of the victim, with those behind the malware able to undertake account and device takeover attacks. As detailed Dec. 21 by researchers at ThreatFabric, Chameleon has traditionally abused the Android Accessibility Service to steal sensitive information from endpoints and mount overlay attacks.

However, the new version comes with two changes: the ability to bypass biometric prompts and the ability to display an HTML page to enable accessibility service in devices implementing Android 13’s “Restricted Settings” feature. According to the researchers, the enhancements elevate the sophistication and adaptability of the new Chameleon variant, making it a more potent threat in the ever-evolving landscape of mobile banking trojans.

Source…