Malware Archives - TuxCare

U.S. Seizes $30 Million Worth of Crypto from North Korean Hackers

Chainalysis, a U.S. blockchain analytics company, said it had worked with the FBI to seize more than $30 million in cryptocurrency that the North Korea-linked Lazarus Group stole from the Ronin Network bridge behind the online video game Axie Infinity. It is the first time funds stolen by the group have been recovered.

The amount recovered is only a fraction of the estimated $600 million that the FBI says North Korean hackers stole from the makers of the popular play-to-earn video game, which lets users earn digital currency.

“The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains,” Erin Plante, senior director of investigations at Chainalysis said.

Plante, who led the Chainalysis investigation, said the seizure is a significant development for law enforcement, that it will not be the last, and that investigators are working to seize the remaining loot.

According to Plante, Chainalysis contributed to the seizures by using “advanced tracing techniques to follow stolen funds to cash out points, and liaising with law enforcement and industry players to quickly freeze funds.”

The Lazarus Group gained control of five of the nine private keys held by the transaction validators of Ronin Network’s cross-chain bridge, enough to satisfy the bridge’s signing threshold. With those keys the group authorised two withdrawals, one for 173,600 Ether (ETH) and one for 25.5 million USDC, and has since moved the funds through “over 12,000 different crypto addresses to date.” Chainalysis said the stolen ETH was mixed in batches through the popular Tornado Cash mixing service.
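The bridge compromise above comes down to a signing threshold: five of nine validator keys were enough to authorise withdrawals. The following added example (not Chainalysis’ or Ronin Network’s code; the key ids, custodian names and ownership maps are constructed for illustration) computes how many distinct key custodians must actually be breached to reach an m-of-n threshold, which is the number that matters when several keys sit with one operator, and applies the bridge-side signature check itself.

```python
from collections import Counter


def min_custodians_to_sign(threshold, key_custodian):
    """Fewest distinct custodians whose combined keys reach an m-of-n signing threshold.

    key_custodian maps each validator key to the organisation that holds it.  The
    result is the scheme's real collusion bound: if it is 1, breaching that single
    custodian is enough to authorise withdrawals, whatever m and n say on paper.
    """
    holdings = sorted(Counter(key_custodian.values()).values(), reverse=True)
    covered = 0
    for count, keys in enumerate(holdings, start=1):
        covered += keys
        if covered >= threshold:
            return count
    return None  # fewer keys than the threshold: nobody can ever sign


def withdrawal_authorised(signing_keys, threshold, validator_keys):
    """Bridge-side rule: at least `threshold` distinct, recognised validator keys signed."""
    return len(set(signing_keys) & set(validator_keys)) >= threshold


# Constructed ownership maps for a 5-of-9 validator set.  The custodian names are
# hypothetical and are not the Ronin Network's actual operators.
VALIDATORS = [f"key{i}" for i in range(1, 10)]
CONCENTRATED = {**{k: "operator" for k in VALIDATORS[:5]},
                **{k: "partner" for k in VALIDATORS[5:7]},
                **{k: "foundation" for k in VALIDATORS[7:]}}
DISTRIBUTED = {k: f"org{i}" for i, k in enumerate(VALIDATORS)}

if __name__ == "__main__":
    for name, owners in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(f"{name}: {min_custodians_to_sign(5, owners)} custodian(s) must be breached")
```

With the concentrated map the answer is 1: a 5-of-9 scheme whose keys are held by one party is, for an attacker, a 1-of-1 scheme. The distributed map needs five separate breaches, which is the guarantee a threshold scheme is meant to give.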

The sources for this piece include an article in TheHackerNews.

Bumblebee Malware Offers a new Infection Chain

A new version of the Bumblebee malware loader has been discovered by researchers at Cyble. The new strain uses a new infection chain that relies on the PowerSploit post-exploitation framework for stealthy reflective injection of a DLL payload into memory.

Where earlier campaigns reached victims via e-mails carrying password-protected zipped ISO files, the new variant uses a VHD (Virtual Hard Disk) file instead of an ISO. The VHD contains an LNK shortcut file.

Instead of running the Bumblebee DLL directly, the LNK now executes “imageda.ps1,” which starts a PowerShell window and hides it from the user by abusing the ShowWindow API. The PS1 script is obfuscated with Base64 encoding and string concatenation to evade antivirus detection while it loads the second-stage PowerShell loader.

The second stage uses the same disguise tactics as the first and embeds the PowerSploit module that loads the 64-bit Bumblebee DLL into the memory of the PowerShell process through reflective injection.

“PowerSploit is an open source post-exploitation framework in which the malware uses a method, Invoke-ReflectivePEInjection, for reflectively loading the DLL into the PowerShell Process. This method validates the embedded file and performs multiple checks to ensure that the file is loaded properly on the executing system,” Cyble explains in the report.

The new chain lets Bumblebee load from memory without ever touching the disk, minimizing the chances of being detected and stopped by antivirus tools. The added stealth makes the loader a stronger initial-access threat and more attractive to ransomware and malware operators.
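The chain above hides behind two cheap tricks, string concatenation and Base64-wrapped stages, so a scanner that only matches literal strings sees nothing. The following added example (not Cyble’s tooling and not the real imageda.ps1; the indicator list and the two-stage sample script are constructed for illustration) folds concatenated literals back together, decodes every Base64 blob that turns into readable script text, recurses into those stages, and reports which of the chain’s indicators appear, including the reflective-injection call that only exists inside the encoded second stage.

```python
import base64
import binascii
import re

# Indicators taken from the Bumblebee chain described above; the explanations and
# the sample script further down are constructed for this example.
INDICATORS = {
    "ShowWindow": "console window hidden from the user",
    "Invoke-Expression": "dynamically assembled script text is executed",
    "FromBase64String": "an embedded stage is Base64-decoded",
    "Invoke-ReflectivePEInjection": "PowerSploit reflective DLL loading into the PowerShell process",
}

# 'Inv' + 'oke' style joins of two quoted literals, and long Base64 runs.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def fold_concatenations(script):
    """Collapse chained string concatenations until no 'a' + 'b' pairs remain."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(4)}{m.group(1)}", script)
    return script


def _as_text(raw):
    """Decode bytes as UTF-8 or UTF-16-LE (PowerShell's encoded-command format) if they are printable."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def decode_stages(script, depth=0, max_depth=3):
    """Decode every Base64 blob that yields readable script text, recursing into each stage."""
    stages = []
    if depth >= max_depth:
        return stages
    for blob in B64_RE.findall(script):
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        text = _as_text(raw)
        if text is not None:
            text = fold_concatenations(text)
            stages.append(text)
            stages.extend(decode_stages(text, depth + 1, max_depth))
    return stages


def scan(script):
    """Return {indicator: meaning} for every indicator seen in the script or in a decoded stage."""
    folded = fold_concatenations(script)
    found = {}
    for text in [folded] + decode_stages(folded):
        for name, meaning in INDICATORS.items():
            if name.lower() in text.lower():
                found[name] = meaning
    return found


# Constructed two-stage sample (not the real imageda.ps1): stage 1 hides the console
# via ShowWindow, then decodes and evaluates a UTF-16-LE Base64 stage 2 that performs
# the reflective injection.  The variable and file names are placeholders.
_STAGE2 = (
    "Import-Module .\\PowerSploit.psd1\n"
    "$pe = [Convert]::FromBase64String($dllBlob)\n"
    "Invoke-ReflectivePEInjection -PEBytes $pe -ForceASLR\n"
)
SAMPLE_STAGE1 = (
    "$fn = 'Show' + 'Win' + 'dow'\n"
    "[Win32]::$fn((Get-Process -Id $pid).MainWindowHandle, 0)\n"
    "$iex = 'Invo' + 'ke-Expr' + 'ession'\n"
    "& $iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + base64.b64encode(_STAGE2.encode("utf-16-le")).decode() + "')))\n"
)

if __name__ == "__main__":
    for name, meaning in scan(SAMPLE_STAGE1).items():
        print(f"{name}: {meaning}")
```

Folding before decoding matters: a literal such as `'FromBase' + '64String'` would otherwise slip past the Base64 regex as well as the indicator match. The depth limit keeps a stage that re-embeds itself from recursing forever.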

The sources for this piece include an article in BleepingComputer.

New ‘GIFShell’ Attack Technique Exploits Microsoft Teams GIFs

A new ‘GIFShell’ attack technique chains several bugs and weaknesses in Microsoft Teams to abuse legitimate Microsoft infrastructure, deliver malicious files, execute commands, and exfiltrate data.

According to Bobby Rauch, the cybersecurity consultant and pentester who discovered the flaws, the “GIFShell” technique lets attackers create a reverse shell that delivers commands via base64-encoded GIFs in Teams and exfiltrates their output through GIFs retrieved by Microsoft’s own infrastructure.

To create the reverse shell, attackers first need to convince a user to install a malicious stager, which executes the received commands and uploads their output, encoded into a GIF URL, to a Microsoft Teams webhook.

The Teams weaknesses the technique chains together include a bypass of Teams’ security controls that allows external users to send attachments to Teams users.

Attackers can also modify sent attachments so that users download files from an external URL instead of the generated SharePoint link, and forge Teams attachments that look like harmless files but download a malicious executable or document. Insecure URIs allow SMB NTLM hash theft or NTLM relay attacks.

Microsoft supports sending HTML-based base64-encoded GIFs but does not scan the byte content of those GIFs, so malicious commands can be delivered inside a normal-looking GIF. Because Teams stores received messages in a parsable log file on the victim’s machine, that file, and the GIFs it contains, can be read by a low-privileged user.

Microsoft’s servers fetch GIFs from remote servers, which allows data exfiltration through the file names of the GIFs they request.
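Both halves of the channel described above rest on the same gap: nobody looks inside the GIF bytes or at the GIF file name. The following added example (not Rauch’s stager or proof of concept; the 1x1 image, the `whoami` payload and the host name are constructed) walks the GIF block structure and reports Base64 text riding after the trailer or inside a comment extension, two places a viewer ignores, and flags a GIF request whose file name is a long Base64-like token rather than a name. It is a generic check for hidden content, not a claim about exactly where GIFShell places its commands.

```python
import base64
import binascii
import re

B64_TEXT = re.compile(rb"[A-Za-z0-9+/]+={0,2}")


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + bytes, ended by a 0 byte)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def _join_sub_blocks(data, pos):
    """Concatenate the payload bytes of the sub-block chain starting at pos."""
    out = bytearray()
    while data[pos]:
        n = data[pos]
        out += data[pos + 1:pos + 1 + n]
        pos += 1 + n
    return bytes(out)


def _color_table_size(flags):
    """Byte length of the colour table announced by a packed-flags byte (0 if absent)."""
    return 3 * (1 << ((flags & 0x07) + 1)) if flags & 0x80 else 0


def parse_gif(data):
    """Walk the GIF block structure; return (comment extension payloads, bytes after the trailer)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + _color_table_size(data[10])   # header, logical screen descriptor, global colour table
    comments = []
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                      # trailer: decoders stop here, anything after is foreign
            return comments, data[pos:]
        if tag == 0x2C:                      # image descriptor, optional local table, LZW min code size
            pos += 9 + _color_table_size(data[pos + 8]) + 1
            pos = _skip_sub_blocks(data, pos)
        elif tag == 0x21:                    # extension: label byte, then sub-blocks
            label, start = data[pos], pos + 1
            pos = _skip_sub_blocks(data, start)
            if label == 0xFE:                # comment extension: free-form bytes viewers never show
                comments.append(_join_sub_blocks(data, start))
        else:
            raise ValueError(f"unknown block tag 0x{tag:02x}")
    raise ValueError("no trailer")


def hidden_base64(data):
    """Decode Base64 text found after the trailer or inside comment extensions."""
    comments, tail = parse_gif(data)
    payloads = []
    for blob in comments + [tail]:
        blob = blob.strip()
        if len(blob) >= 8 and B64_TEXT.fullmatch(blob):
            try:
                payloads.append(base64.b64decode(blob, validate=True))
            except binascii.Error:
                pass
    return payloads


def exfil_in_filename(url):
    """Flag a GIF request whose file name is a long Base64-like token rather than a name."""
    name = url.rsplit("/", 1)[-1].split("?", 1)[0]
    stem = name[:-4] if name.lower().endswith(".gif") else name
    return len(stem) >= 24 and re.fullmatch(r"[A-Za-z0-9+/=_-]+", stem) is not None


# Constructed samples: the smallest valid 1x1 GIF, then the same image with a
# Base64 command appended after the trailer and carried in a comment extension.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00"       # header + logical screen descriptor
             b"\x00\x00\x00\xff\xff\xff"                  # 2-entry global colour table
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
             b"\x02\x02\x44\x01\x00"                      # LZW min code size + one data sub-block
             b"\x3b")                                     # trailer
COMMAND = base64.b64encode(b"whoami")                     # constructed payload
TAILED_GIF = CLEAN_GIF + COMMAND
COMMENT_GIF = CLEAN_GIF[:19] + b"\x21\xfe" + bytes([len(COMMAND)]) + COMMAND + b"\x00" + CLEAN_GIF[19:]
```

A file that parses cleanly and has nothing after 0x3B and no comment extension still contains whatever its pixel data contains, so this check is a filter, not a proof of innocence; its value is that it is cheap enough to run on every GIF a collaboration platform accepts.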

The sources for this piece include an article in BleepingComputer.

Prynt Stealer’s Backdoor Steals Data Stolen from Cyberattacks

A backdoor in the Prynt Stealer information-stealing malware secretly sends its author a copy of the data that operators who bought the malware exfiltrate from their victims, according to Zscaler ThreatLabz researchers.

The malware sells for $100 for a one-month license and $900 for a lifetime subscription and gives attackers extensive capabilities, including logging keystrokes, stealing credentials from web browsers, and pulling data from Discord and Telegram.

Prynt Stealer’s code comes from two other open source malware families, AsyncRAT and StormKitty. The author’s additions include a backdoor that copies the information stolen by other threat actors to a Telegram channel under the author’s control.

For data exfiltration, Prynt Stealer uses code copied from StormKitty with minor changes. The malware also includes an anti-analysis feature that continuously monitors the victim’s process list for tools such as taskmgr, netstat and wireshark; as soon as one of those processes is detected, the malware blocks the Telegram command-and-control channels.

The researchers also identified two other variants written by the Prynt Stealer author: WorldWind and DarkEye.

DarkEye is distributed as an implant inside a free Prynt Stealer builder. The builder is designed to drop and execute a remote access trojan called Loda RAT, an AutoIT-based malware that can access and exfiltrate both system and user information. DarkEye also acts as a keylogger, takes screenshots, starts and terminates processes, and downloads additional malware payloads over a connection to a C2 server.

“While this untrustworthy behavior is nothing new in the world of cybercrime, the victims’ data end up in the hands of multiple threat actors, increasing the risks of one or more large-scale attacks to follow. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation,” wrote Zscaler ThreatLabz researchers Atinderpal Singh and Brett Stone-Gross.
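The tell of the backdoor described above is a second Telegram channel the operator never configured. The following added example (not Zscaler’s analysis code; the tokens, chat ids and string dump are constructed placeholders, and the token shape is the public Telegram bot-token format of a numeric bot id, a colon and a 35-character secret) groups the Telegram Bot API endpoints found in a sample’s strings by bot token and flags any token other than the one the operator supplied.

```python
import re

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
CHAT_ID_RE = re.compile(r"chat_id=(-?\d{6,})")


def telegram_channels(strings):
    """Group Bot API endpoints by token: {token: {"methods": set, "chat_ids": set}}."""
    channels = {}
    for s in strings:
        for token, method in BOT_API_RE.findall(s):
            entry = channels.setdefault(token, {"methods": set(), "chat_ids": set()})
            entry["methods"].add(method)
            entry["chat_ids"].update(CHAT_ID_RE.findall(s))
    return channels


def has_secondary_exfil(strings, operator_token):
    """True if the sample talks to any Telegram bot other than the one its operator configured."""
    return any(token != operator_token for token in telegram_channels(strings))


# Constructed string dump from a hypothetical build.  Real tokens are secrets; these
# are placeholders of the right shape only.
OPERATOR_TOKEN = "1111111111:" + "A" * 35   # what the buyer typed into the builder
HIDDEN_TOKEN = "2222222222:" + "B" * 35     # what the author hard-coded
SAMPLE_STRINGS = [
    "Prynt Stealer",
    f"https://api.telegram.org/bot{OPERATOR_TOKEN}/sendDocument?chat_id=100200300",
    f"https://api.telegram.org/bot{HIDDEN_TOKEN}/sendDocument?chat_id=-100999888777",
    "taskmgr", "netstat", "wireshark",
]

if __name__ == "__main__":
    for token, info in telegram_channels(SAMPLE_STRINGS).items():
        tag = "operator" if token == OPERATOR_TOKEN else "UNEXPECTED"
        print(f"{tag}: bot {token.split(':')[0]} -> {sorted(info['chat_ids'])} via {sorted(info['methods'])}")
```

Run it over the strings of a build you produced with a token you chose; anything it reports as unexpected is an exfiltration path you did not configure. Packed or encrypted builds need to be unpacked first, since the regex only sees plaintext.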

The sources for this piece include an article in TheHackerNews.

Linux Malware Reach All-Time High In 2022

Although Linux is widely regarded as a private and secure operating system, it has seen a sharp increase in malware samples, according to AtlasVPN.

Linux malware grew exponentially in the first half of 2022, reaching an all-time high of nearly 1.7 million new samples discovered by researchers.

New Linux malware samples recorded between January and June 2022 rose by almost 650% compared with the same period a year earlier, from 226,324 to nearly 1.7 million. The upward trend has continued since, albeit at a slower pace.

The scale of the increase is surprising and underscores attackers’ growing focus on Linux. Although a brief decline has since been recorded, it remains unclear whether the number of samples targeting Linux will keep rising or the decline will continue.

April had the highest monthly count, with 400,931 new samples. The report notes that the surge followed a decline recorded between the fourth quarter of 2021 and the first quarter of 2022, when numbers fell by about 2%, but that decline did not last long.

According to AtlasVPN, the “cumulative number of new Linux malware samples in H1 2022 was 31% higher than the number of such samples in the whole of 2021.”

Still, despite the surge in Linux malware samples, Windows remains the most targeted operating system. AtlasVPN notes Windows’ position, stating that “41.4 million newly programmed Windows malware samples were identified in H1 2022.”

Linux remains a secure operating system for developers and other users, with security features that include openly auditable source code, a user privilege model, and built-in kernel security defenses.

The sources for this piece include an article in MUO.
