ESET experts reported that the BlackLotus UEFI bootkit, which is sold on hacker forums for about $ 5,000, is indeed capable of bypassing Secure Boot protection.

According to researchers, the malware poses a threat even to fully updated machines running Windows 11 with UEFI Secure Boot enabled.

Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage, and also that The expert told how he hacked into a nuclear power plant.

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode.

In addition, the seller claimed that the malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to his statements, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

In addition, Black Lotus is allegedly capable of disabling security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypassing User Account Control (UAC).

The experts who discovered it wrote that Black Lotus has a size of 80 kilobytes, is written in assembler and C, and can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. The malware is offered for sale for $5,000, and each new version will cost another $200.

Let me remind you that at that time the experts admitted that all the above features of Black Lotus are nothing more than a publicity stunt, and in reality the bootkit is far from being so dangerous. Unfortunately, these assumptions were not confirmed.

As ESET information security experts, who have been studying the malware since last fall, now report, rumors that the bootkit easily bypasses Secure Boot “have now become a reality”. According to them, the malware uses a year-old vulnerability CVE-2022-21894 to bypass Secure Boot and gain a foothold in the system.

Chronology from vulnerability to bootkit

Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the UEFI revocation list. According to analysts, this is the first documented case of abuse of this vulnerability.

Most likely, information security specialists mean attacks like BYOVD – bring your own vulnerable driver.

Even worse, the PoC exploit for this vulnerability has been available since August 2022, so other cybercriminals may soon take advantage of the problem.

The exact way the bootkit is deployed is still unclear, but the attack begins with the installer component, which is responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

The researchers say that after exploiting CVE-2022-21894, Black Lotus disables protection mechanisms, deploys a kernel driver and an HTTP loader. The kernel driver, among other things, protects the bootkit files from deletion, while the bootloader communicates with the control server and executes the payload.

While the researchers do not link the malware to any particular hack group or government, they note that the Black Lotus installers they analyzed will not work if the infected computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

The post BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11 appeared first on Gridinsoft Blog.

ESET experts have discovered the FatalRAT malware, which targets Chinese-speaking users: the threat is distributed through fake websites of popular applications and advertised through Google Ads.

Let me remind you that we also wrote about Attackers Can Use GitHub Codespaces to Host and Deliver Malware, and you may also be interested in our article: Dangerous Virus & Malware Threats in 2023.

The researchers say that FatalRAT has been active since at least the summer of 2021 and is capable of intercepting keystrokes, changing the victim’s screen resolution, downloading and running files, executing arbitrary shell commands, and stealing or deleting data stored in browsers.

Malware advertising

So far, the malware distribution campaign has not been linked to any known hacker group, and the ultimate goals of the attackers are also unclear. For example, hackers can steal victim information (such as credentials) for sale on darknet forums or for later use in other malicious campaigns.

According to experts, most of the attacks were observed between August 2022 and January 2023 and targeted users in Taiwan, China and Hong Kong.

A small number of infections have also been reported in Malaysia, Japan, Thailand, Singapore, Indonesia, Myanmar and the Philippines.

Basically, hackers distribute their malware through fake websites of popular applications, masquerading as Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao and WPS Office. Some sites offer fake versions of applications in Chinese, when in fact these applications are not available at all in China (eg Telegram).

Fake site

To lure users to malicious sites, hackers promote these sites in Google search results through Google Ads, while trying to make fake domain sites look like real ones. These malicious ads have now been removed.

The ESET report notes that Trojanized installers downloaded from fake sites delivered the real application to the victim’s device to avoid detection, as well as the files needed to run FatalRAT. The installers themselves were digitally signed .MSI files created with the Windows installer.

According to the researchers, this campaign was aimed at the widest possible range of users and could affect anyone.

Let me remind you that the media wrote that Google Scammer Pleads Guilty in $123 Million Theft.

The post FatalRAT Malware Masks As Popular Apps in Google Ads appeared first on Gridinsoft Blog.

What is MSIL/Microsoft.Bing.A detection?

Around the first week of November 2022, many ESET antivirus software users started seeing an unusual detection. Their program was stubbornly reporting a threat detected in an ordinary file – BingWallpaper.exe, which, as you can guess by its name, belongs to a Bing Wallpaper app. It is a genuine program, issued and signed by Microsoft, that offers dynamic wallpaper change for users’ desktops. VirusTotal shows that this file is clear and distributed by Microsoft.

However, that did not stop ESET from showing that detection. Its appearance is not a false positive, as ESET forum administration assures. Hence, someone found its functions malicious and added it to a detection database. The same administrator also said that their team has already messaged Microsoft with their statements and requirements to remove the detection. The funny moment is that despite being detected, the file cannot be removed properly, as the directory it is located in is protected by Windows. Thus, you’d see the notifications like “File could not be cleaned”.

The peculiar thing is that the detected application is supplied along with the newest Windows 11 version – 22H2. Therefore, updating your PC to that version or installing a fresh Win11 distribution having ESET onboard will lead to constant detection pop-ups. Neither ESET nor Microsoft say a word about the real reasons for such a situation, despite the story being active for over a week. Some say that the reason for such a decision is the fact that the Wallpaper app offers to set Bing as the default search engine – but that offer is pretty clear and can be declined, contrary to what is usually counted as a reason to consider unwanted applications.

What can I do with BingWallpaper.exe detection?

Not much, but at least you can make them much less often. First and foremost, you can remove the program manually, through one of the regular ways. The Bing Wallpaper app is not concealed in any way, so you will find it in the list of apps on your computer. If you can’t find it for some reason, it will appear in the system apps list, available in the default Appwiz utility.

However, not all people acknowledge the Wallpaper app from the antivirus detection popup. For those who use the program, the way to get rid of the MSIL/Microsoft.Bing.A detection is to set it as a false positive in the antivirus settings. It is not clear how quickly ESET and Microsoft will reach a consensus, so it may be a convenient temporary solution. That way, the security solution will keep detecting the file but have to ignore it as you forced it to do so.

The post MSIL/Microsoft.Bing.A Detection (BingWallpaper.exe) appeared first on Gridinsoft Blog.

The malware received its name due to the fact that it uses pCloud, Dropbox and Yandex.Disk cloud storages as control servers.

Let me remind you that we also wrote that Vulnerability in macOS Leads to Data Leakage, and also that Microsoft Releases PoC Exploit to Escape MacOS Sandbox.

The capabilities of CloudMensis indicate that the main goal of its operators is to collect confidential information from infected machines. For example, the malware is capable of taking screenshots, stealing documents, intercepting keystrokes, and compiling lists of emails, attachments, and files stored on removable media.

CloudMensis supports dozens of different commands, which allows its operators to perform a variety of actions on infected machines:

1. change in the malware configuration the cloud storage provider and authentication tokens, file extensions of interest, the frequency of polling cloud storage, and so on;
2. make a list of running processes;
3. to capture the screen;
4. make a list of letters and attachments;
5. make a list of files on removable media;
6. run shell commands and upload the result to the cloud storage;
7. download and execute arbitrary files.

According to ESET analysis, attackers infected the first Mac as early as February 4, 2022. Since then, they have only occasionally used the backdoor to compromise other machines, hinting at the targeted nature of this campaign.

Interestingly, once deployed, CloudMensis is able to bypass the Transparency Consent and Control (TCC) system, which asks the users if they need to grant the app permission to take screenshots or monitor keystrokes. The TCC mechanism is designed to block access to sensitive user data, allowing macOS users to customize privacy settings for various applications and devices (including microphones and cameras).

Rules created by the user are stored in a database protected by System Integrity Protection (SIP), which ensures that only the TCC daemon can modify them. Thus, if a user has disabled SIP on the system, CloudMensis will grant itself the necessary permissions by simply adding new rules to TCC.db.

However, even if SIP is enabled and any version of macOS Catalina prior to 10.15.6 is installed on the machine, CloudMensis can still gain the necessary rights by exploiting a vulnerability in CoreFoundation, which has the identifier CVE-2020-9934 and which Apple fixed two years ago. This bug will force the TCC daemon (tccd) to load a database that CloudMensis can write to.

The vector of infection, as well as the goals of the hackers, are still unknown, but the researchers write that, judging by the way the attackers handle Objective-C, they are practically unfamiliar with macOS. At the same time, experts admit that CloudMensis is still a powerful spy tool that can pose a serious threat to potential victims.

The post CloudMensis Malware Attacks MacOS Users appeared first on Gridinsoft Blog.

According to experts, Chinese “government” hackers from the Mustang Panda group (aka HoneyMyte, Bronze President, RedDelta and TA416) are behind the attacks.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that, for example, RuRansom Malware Destroys Data in Russian Systems, so perhaps the Chinese hackers simply chose a side.

This hacker group has been active since at least July 2018, and most often its attacks target various regions of Southeast Asia, although sometimes hackers are also interested in targets from Europe and the United States.

Secureworks reports that this time the Mustang Panda is exhibiting unusual behavior as the attackers now appear to have focused on Russian military personnel and officials working near the border with China. In their phishing baits, hackers exploit the theme of Russia’s invasion of Ukraine: malicious documents are written in English and disguised as data published by the EU on sanctions against Belarus.

Such lures are .exe executable files, but disguised as PDF documents and are named in Russian – “Blagoveshchensk – Blagoveshchensk border detachment.” The question arises why the document named in Russian contains the text in English, but the logic of the hackers in this matter has remained a mystery to researchers. Secureworks specialists came to only one clear conclusion: the target of this campaign is Russian officials or the military in the border region.

Running the executable extracts many additional files, including the decoy document itself, which can be seen in the screenshot above, a malicious DLL loader, an encrypted version of the PlugX (aka Korplug) malware, and another .exe file.

PlugX is the main tool of hackers; it is a remote access Trojan for Windows that allows to execute various commands on infected systems, steal files, install backdoors and additional malicious payloads. Several Chinese hack groups have been relying on this malware for many years.

It should be noted that the results of the Secureworks study complement the reports of Proofpoint and ESET, released last month. They detailed the use of a new PlugX variant codenamed Hodur, so named because of its resemblance to another variant called THOR.

The post Stabbed in the back: Chinese Mustang Panda Cyberspies Attack Russian Officials appeared first on Gridinsoft Blog.

UEFI attacks are the holy grail for hackers. After all, UEFI is loaded before the operating system and controls all processes at an “early start”. Hence the main danger associated with compromising this environment: if you make changes to the UEFI code, you can take complete control of the computer. For example, change memory or disk contents, or force the operating system to run a malicious file. Since we are talking about low-level malware, it will not work to get rid of it by replacing the hard drive or reinstalling the OS.

The first bootkit for UEFI, LoJax, was discovered by ESET in 2018. Then the researchers concluded that it was the work of the Russian-speaking “government” hack group Fancy Bear.

Since then, UEFI bootkits have been found more than once, and the last such case was described last week: Kaspersky Lab experts spoke about the tools of the Chinese cyber-espionage group GhostEmperor.

Now the list of UEFI bootkits has been replenished with one more item, the ESPecter malware. ESET experts say that the first attacks using this malware were discovered back in 2012. However, then ESPecter was not used as a bootkit for UEFI, its original purpose was to attack systems with BIOS. Only in 2020 did the malware authors update the code and switched to attacks on UEFI.

Researchers still do not know exactly how the attacks of these unknown attackers begin. It is unclear if they are gaining physical access to the target systems or whether they are using classic phishing to deploy ESPecter on the victim’s network.

However, once the installation process begins, the initial ESPecter components are known to modify the Windows Boot Manager and bypass the Windows Driver Signature Enforcement (DSE) to load and run an unsigned malicious driver – the actual payload of the ESPecter bootkit.

It is reported that hackers usually use ESPecter to deploy other malware and try to gain a foothold in the system in order to “survive” reinstallation of the OS. The malware detected in such attacks includes a backdoor Trojan that cybercriminals used to search for confidential files on the local system, periodically create screenshots and launch a keylogger.

ESET analysts point out that ESPecter is the second known UEFI bootkit that uses EFI System Partition (ESP) as its entry point. The first malware of this kind was a bootkit recently discovered by Kaspersky Lab, which is part of the FinSpy toolkit. The point is, other UEFI bootkits usually use UEFI SPI flash memory.

Let me remind you that we also told that The expert told how he hacked into a nuclear power plant.

The post Experts discovered ESPecter UEFI bootkit used for espionage appeared first on Gridinsoft Blog.

ESET has released an update to the article stating that hackers have infected the android NoxPlayer emulator with malware, and we are also adding following information: “BigNox stated that they sent the latest files to the update server for NoxPlayer and that when launching NoxPlayer now will start a scan of application files previously installed on users’ computers”.

The GridinSoft Blog is not responsible for the accuracy of the information provided by BigNox.

ESET experts discovered an attack on the supply chain, during which an unknown hack group compromised the developers of the popular Android emulator NoxPlayer and infected it with the malware code.

NoxPlayer is free and designed to emulate Android applications on Windows or macOS computers. The emulator is developed by the Hong Kong company BigNox and is used by more than 150,000,000 users in 150 countries.

The researchers write that they discovered an attack targeting BigNox on January 25, 2021.

According to them, the attackers compromised one of the company’s official APIs (api.bignox.com), as well as file hosting servers (res06.bignox.com). Using the obtained access, the hackers “worked” with the URL address to download the updates and, as a result, distributed malware among NoxPlayer users.

The following threats were distributed through NoxPlayer. A previously unknown malware that allows tracking victims and that is also capable of executing commands received from the command and control server, deleting files, downloading and uploading files, and so on. The other two malware were already known to experts: they were variations of Gh0st RAT (with keylogger capabilities) and PoisonIvy RAT.

While analysts believe the attackers have had access to BigNox’s servers since at least September 2020, the hackers did not attack the company’s entire sizable user base, but instead focused their efforts on specific machines. Based on this, the experts conclude that they have discovered a narrowly targeted attack aimed at infecting a certain class of users. Therefore, so far, only five people from Taiwan, Hong Kong and Sri Lanka have been identified as affected by the infected version of NoxPlayer.

The relationship and similarities noted by ESET experts are explained by the fact that all three malwares that were deployed through the NoxPlayer update are very similar to another malware that was used during the hacking of the website of the Myanmar presidential administration (2018) and the University of Hong Kong (2020).

Let me remind you about the fact that new worm for Android spreads rapidly via WhatsApp.

The post Hackers infected the Android emulator NoxPlayer with malware appeared first on Gridinsoft Blog.

The main purpose of malware is to trick users into adware or subscription scams.

The link to the fake Huawei Mobile app redirects users to a site that is very similar to the Google Play Store. Once installed on a device, a malicious application requests access to notifications, which it uses to carry out an attack. In particular, it is interested in the WhatsApp Quick Reply feature, which is used to reply to incoming messages directly from notifications.

In addition to reading notifications, the app also requests permissions to run in the background and draw on top of other apps – overlapping any other app running on the device with its own window, which can be used to steal credentials.

Although the message is sent to the same contact only once an hour, the message content and the link to the application are retrieved from a remote server, which means that malware can be used to spread other malicious sites and applications.

According to the researcher, it was not possible to establish how the initial infection occurs. It should be noted, however, that worm malware can spread incredibly quickly from multiple devices to many others via SMS, email, social media posts, channels/chat groups, etc.

It should also be noted that more than 30 million WhatsArp users have recently abandoned the messenger since the beginning of the year. This was reported by the British edition of The Guardian.

The ongoing massive leave of users from WhatsApp is associated with a poorly prepared update of the terms of service on this platform, journalists say. Many saw in them the upcoming cancellation of the confidentiality of correspondence, which is associated with the provision of data by the messenger to its parent company Facebook, whose management lost trust of the users.

As we said, Facebook gives US lawmakers the names of 52 firms it gave deep data access to.

As you know, initially, changes in the policy for providing WhatsApp services were supposed to take effect on February 8. However, due to the beginning of a rapid decline in the number of users, their introduction was postponed to 15 May.

The post New worm for Android spreads rapidly via WhatsApp appeared first on Gridinsoft Blog.

KryptoCibule has three main functions and is capable of: installing cryptocurrency miners on victims’ systems (CPU and GPU miners are used to mine Monero and Ethereum cryptocurrencies), steal files associated with cryptocurrency wallets, and change wallet addresses in the OS clipboard.

“It uses the victim’s resources to mine coins, tries to hijack transactions by replacing wallet addresses in the clipboard, and exfiltrates cryptocurrency-related files, all while deploying multiple techniques to avoid detection. KryptoCibule makes extensive use of the Tor network and the BitTorrent protocol in its communication infrastructure”, — report ESET specialists.

All elements of the “triple threat” for cryptocurrencies were added to the KryptoCibule code gradually, that is, the developers have been improving their malware for two years, and now the malware has turned into a complex multi-component threat, far exceeding the total mass of other malicious programs.

Now KryptoCibule is distributed mainly through torrents with pirated software.

“KryptoCibule is spread through malicious torrents for ZIP files whose contents masquerade as installers for cracked or pirated software and games”, – write ESET experts.

Most of the infected torrents were found on the uloz[.]to site, which is popular in the Czech Republic and Slovakia. The mentioned installer ensures the stability of the malware and its constant presence in the system (through scheduled tasks), and then installs KryptoCibule itself on the victim’s machine.

The researchers write that KryptoCibule uses Tor to communicate with the control servers on the darknet, while a torrent client is used to download torrent files that are responsible for downloading additional modules (proxy servers, mining modules, as well as HTTP and SFT servers).

Interestingly, KryptoCibule checks for antivirus software on victims’ computers, but only looks for ESET, Avast and AVG products. All three companies are based in the Czech Republic and Slovakia. Since the malware targets users from these countries, it seems that hackers believe that only these antiviruses can be installed on the computers of potential victims.

Let me remind you that there were cooler cases: I talked about the fact that hackers cracked European supercomputers and forced them to mine cryptocurrency.

The post KryptoCibule malware steals cryptocurrency from Windows users appeared first on Gridinsoft Blog.

Having penetrated into such a system, the malware collects Word files and other confidential documents, hides them in a special concealed container and waits for the opportunity to transfer data outside.

“We discovered the first copy of Ramsay on VirusTotal. This sample was downloaded from Japan, and it led us to discovery of additional components and versions of the platform”, – say the experts.

Malware, designed to steal information from machines, which are physically isolated from any networks and potentially dangerous peripherals, is very rare. Such computers are mainly used in government systems and corporate networks, and, as a rule, on them stored secret documents, as well as other secret and confidential information, including, for example, intellectual property.

ESET researchers write that they managed to find three different versions of Ramsay, one of which was compiled in September 2019 (Ramsay 1), and the other two at the beginning and end of March 2020 (Ramsay 2.a and 2.b). Ramsay infiltrates the system through malicious documents that are distributed via phishing emails or via a USB drive. Next, malware uses the old RCE problem in Microsoft Office to “deploy” to the system.

All versions of the malware are different from each other and infect victims in different ways, but the essence remains unchanged: having penetrated the system, the malware needs to scan the infected computer, collects Word, PDF and ZIP files in a hidden folder and prepares them for subsequent transfer.

Some versions have a special distribution module that adds copies of Ramsay to all PE files found on removable drives and among network resources.

“Malware could use this mechanism for distribution to reach isolated machines and networks. After all, users can move infected executable files between different levels of the corporate network, and ultimately the malware will end up in isolated systems”, — say the researchers.

ESET analysts admit that they were unable to determine how Ramsay retrieves data, collected on isolated machines. Also, experts did not draw specific conclusions regarding the attribution of Ramsay, however, it is noted that the malware is similar to the Retro malware, which was developed by the South Korean hackers’ group DarkHotel.

Let me remind you that I recently wrote about another unusual attack, also applicable off-line – through the so-called BadUSB.

The post Ramsay malware attacks PCs, which isolated from the outside world appeared first on Gridinsoft Blog.