#malwaredetection

https://bit.ly/3tkCG80 - 🔒 Encrypted npm packages were found targeting a major financial institution, raising concerns about the intent behind these publications. Phylum's analysis revealed sophisticated malware-like behavior, with the packages containing an encrypted blob targeted at a specific organization's domain. The situation highlights the complexities in determining the true nature of such cybersecurity threats. #Cybersecurity #MalwareDetection #FinancialInstitutionTargeted 🔎 In early November 2023, Phylum began tracking suspicious npm package publications. These packages executed encrypted payloads using local machine information, suggesting a highly targeted attack. The decrypted payload revealed an embedded binary designed to exfiltrate user credentials to an internal Microsoft Teams webhook of the targeted financial institution. This indicated either an inside job, a red team simulation, or external threat actors with substantial network access. #TargetedCyberAttack #DataExfiltration #CyberThreatAnalysis 🕵️ The attack mechanism was sophisticated, starting with a postinstall hook in the package.json. The code was designed to collect system-related information and use it for AES encryption. The attacker's focus on specific strings and environment variables suggested a detailed knowledge of the target's internal systems. #CyberAttackTactics #EncryptionMethods #SystemVulnerability 👥 After decrypting the payload, Phylum contacted the targeted organization. They discovered that the packages were part of an advanced adversary simulation exercise by the company's red team. While the intent was benign, this incident underscores the importance of vigilance against software supply chain attacks. #RedTeamSimulation #SupplyChainSecurity #CyberDefense 📊 The attack methodology revealed that developers are high-value targets and software libraries are rarely vetted for malicious modifications. This incident shows the effectiveness of software supply chain attacks, even against well-prepared organizations. It emphasizes the need for comprehensive security measures to protect against such sophisticated threats. #DeveloperSecurity #SoftwareSupplyChain #CyberSecurityAwareness 💡 Phylum's analysis of this case highlights the challenges in open source security. Their automatic analysis of packages in open source registries underscores the importance of identifying risks in using these packages. The incident serves as a reminder that today's red team exercise could be tomorrow's genuine threat, urging organizations to be adequately prepared.

https://bit.ly/3QVvTe0 - 🔐 A sophisticated new variant of the Jupyter information stealer, also known as Yellow Cockatoo, Solarmarker, and Polazert, has been increasingly targeting users of Chrome, Edge, and Firefox browsers. This malware is capable of backdooring machines and harvesting a variety of sensitive data, including credentials, cookies, and information from browser password managers. #JupyterMalware #CyberSecurity #DataTheft 🕵️ VMware's Carbon Black researchers have observed this variant using PowerShell command modifications and digitally signed payloads to evade detection. The malware's advanced evasion techniques and use of legitimate-looking certificates are of particular concern, as they allow it to bypass malware detection tools. #MalwareDetection #Infosec #VMwareCarbonBlack 🌐 Other cybersecurity firms like Morphisec and BlackBerry have identified Jupyter's diverse capabilities, including functioning as a full-fledged backdoor and acting as a dropper for other malware. Its sophisticated methods include hollowing shell code to evade detection and executing PowerShell scripts. #CyberThreats #BackdoorMalware #Morphisec #BlackBerry 💳 The malware operators have employed various distribution techniques, including search engine redirects, drive-by downloads, phishing, and SEO poisoning. Recent attacks have seen the use of valid certificates to sign the malware, making it appear legitimate and tricking users into downloading it. #MalwareDistribution #DigitalCertificates #Phishing 📈 The rise in infostealers like Jupyter follows a trend of increased remote work. Infostealers are being used more frequently to gather credentials that enable access to enterprise networks. Firms like Red Canary and Uptycs have reported a significant rise in such attacks, emphasizing the opportunistic nature of these malware campaigns. #RemoteWorkSecurity #InfostealerTrend #RedCanary #Uptycs 🌐 The impact of Jupyter and other infostealers is severe, with stolen data often sold on the dark web, posing significant risks to both organizations and individuals. The increasing sophistication and frequency of these attacks highlight the need for advanced cybersecurity measures.

https://bit.ly/3SlAjfj - 🔍 StripedFly Infection: A shellcode was identified in the WININIT.EXE process, capable of downloading files from bitbucket[.]org and executing PowerShell scripts. The infection's origin was a SMBv1 exploit reminiscent of EternalBlue. After infecting, it propagated within networks using the exploit and SSH protocol, leveraging the keys found on the infected machine. #CyberSecurity #MalwareDetection 🔄 Persistence Methods: The malware adjusts its behavior based on the presence of PowerShell and access rights. If absent, a hidden file is generated in %APPDATA%. Otherwise, its actions vary, establishing persistence in Windows or Linux in multiple ways. #DigitalThreat #MalwarePersistence 📂 Bitbucket Repository: Stored on bitbucket[.]org, the repository was created in June 2018 by Julie Heilman. This repository contained various files, with system.img being a primary infection tool for Windows. As of September 2023, 60,000 initial infections were reported since April 2023. #CyberAttack #DigitalForensics 🔌 Modules: The malware uses a pluggable module system, a trait of APT malware. It possesses both service and functionality modules, each designed for specific tasks. These range from configuration storage and upgrades to command handling and credential harvesting. #APT #ModularMalware 💻 Functionality Modules: These modules perform a variety of tasks. They can interact with victim file systems, capture data, and even execute commands received from the C2 server. They're also capable of scanning and collecting sensitive information from active users. #DataBreach #CyberEspionage ⛏ Monero Mining: A disguised Monero mining module operates as a chrome.exe process. The process is closely monitored, and statistics are reported to the C2 server. Interestingly, the use of this mining module could be for disguise rather than maximum profit. #CryptoMining #CyberSec ⚡ ThunderCrypt Ransomware: During the analysis, a related ransomware called ThunderCrypt, linked to the same C2 server, was discovered. The ransomware had almost similar functionalities to StripedFly, but its most significant attention came from a failed attempt in Taiwan. #Ransomware #DigitalAttack 🔵 EternalBlue Connection: Parallels were drawn between the infamous EternalBlue exploit and StripedFly's creators. Based on PE timestamps, there's a likely connection between the two, although complete validation remains elusive.

https://bit.ly/3o8A7TF - 🔒 Permhash — A New Approach to Analyzing Permissions Permhash is an extensible framework designed to hash the declared permissions of Chromium-based browser extensions and Android Packages (APKs) for clustering, hunting, and pivoting. This research aims to demonstrate permhash's potential for wide use across the security industry. 🌐 Chromium Extensions & APKs Permissions Both Chromium Extensions and APKs require permissions to function, specifying their level of access. Unfortunately, adversaries can abuse these permissions in malicious extensions and APKs for unauthorized actions. 🎯 Adversaries Exploiting Permissions Mandiant has observed various adversaries using malicious extensions and APKs, including UNC3873, BRAINSTORM, BRAINFOG, BRAINLINK, and Nation State Actors like ARCHIPELAGO (subset of APT43) and APT42. 📊 Permhash Hypothesis & Execution Permhash aims to calculate a hash of a joined string of permissions from an extension or APK, serving as a data-point for hunting, clustering, and pivoting between like file types. 📈 Permhash at Scale Permhash analysis of 11,575 extension manifest samples and 13,372 APK samples revealed interesting patterns that can be used to identify malicious extensions and APKs effectively. 🔎 Permhash in the Wild Permhash has successfully identified samples of VENOMSOFT, CERBERUS Android Trojan, and LEMONJUICE Android backdoor, proving its potential in identifying and pivoting between malicious samples. ⚠️ Cautionary Tale APT43 samples demonstrate that as extension versions change, permissions may change, modifying the permhash. This is expected behavior since permhash is adversary-defined. 🛠️ Using Permhash Mandiant and VirusTotal have made permhash available within the VirusTotal Platform, and Mandiant has released a permhash Python library to calculate permhash values for CRX, APK, CRX manifests, or APK manifests. 🛡️ Protection & Mitigation Google, Mandiant, and other security teams are committed to countering advanced threats through Enhanced Safe Browsing, Advanced Protection Program, and Google's Security Checkup. 🔚 Conclusion Permhash can help researchers, analysts, and threat hunters identify connections between large datasets and discover previously unknown related samples, making it a valuable tool in cybersecurity.

https://bit.ly/40lOVMh - Tailoring Sandbox Techniques to Hidden Threats In the article "Tailoring Sandbox Techniques to Hidden Threats," the authors discuss the challenges faced by automated detection systems in addressing evasive malware techniques. They present two notable adaptations to their analysis platform, Advanced WildFire, to improve detection: dependency emulation and stealthy instrumentation through VMI SSL/TLS decryption. Dependency emulation addresses the issue of malware requiring external dependencies to execute. By automatically detecting and adapting the sandbox environment to the files being detonated, this approach prevents unintentional crashes or bugs in the analyzed samples, enabling better detection. An example of dependency emulation is provided through the examination of the Sality malware family, which requires specific libraries to run inside a sandbox. VMI SSL/TLS decryption focuses on intercepting and decrypting malware communications made over HTTPS and other SSL-based protocols. By reverse engineering the ncrypt.dll library in recent versions of the Windows OS, the authors can extract master keys and decrypt SSL communications, as illustrated through a Delphi-based loader example.

BrandLock is the first ever conversion optimization suite for online businesses, that offers a consumer-side malware solution and equips you with smart insights, and tools to increase your on-site conversions. Read the full article