Trend Micro researchers reported recently that since September 2022, attackers have been actively using a malware obfuscation engine called BatCloak, which allows cybercriminals to effectively hide malicious code from antivirus solutions.

According to experts, with BatCloak attackers can easily download different families of malware and exploits through heavily obfuscated batch files. Of the 784 malware detected by researchers, almost 80% were not detected by any of VirusTotal’s antivirus engines.

Let me remind you that we also wrote that ChatGPT Has Become A New Tool For Cybercriminals In Social Engineering, and also that Russian Hacker Sells Terminator Tool That Is Allegedly Able To Bypass Any Antivirus Programs.

BatCloak is the basis for a batch file building tool called Jlaive that can bypass the Antimalware Scan Interface (AMSI) and compress and encrypt the main payload to increase evasion levels.

The Jlaive tool was published on GitHub and GitLab in September 2022 by a developer under the pseudonym ch2sh as “EXE to BAT crypter“. It has since been copied, modified and ported to other programming languages.

The final payload is a “three-layer loader” – a C# loader, a PowerShell loader, and a batch loader. The latter serves as the starting point for decoding and unpacking each stage, and ultimately launching the hidden virus.

BatCloak attack chain

BatCloak has received many updates and adaptations since it first appeared in the wild (ITW). Its latest version is called ScrubCrypt and was isolated by Fortinet experts during an investigation into a cryptojacking operation by the 8220 gang.

In addition, ScrubCrypt is designed to be compatible with various well-known malware families such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.

The post BatCloak’s New Obfuscation Engine Outperforms 80% of Antiviruses appeared first on Gridinsoft Blog.

Trend Micro analysts talked about several services that offer CAPTCHA solving services for cybercriminals. According to the researchers, often these services do not use advanced character recognition and machine learning methods, instead CAPTCHAs are simply solved by real people.

Let me remind you that we also wrote that CAPTCHA in Discord Asks Users to Find Non-Existent Objects Created by AI, and also that GPT-4 Tricked a Person into Solving a CAPTCHA for Them by Pretending to Be Visually Impaired.

Advertisement for one of the services

Such services work by delegating customer requests to their CAPTCHA solvers and then sending the results back to users. This is implemented through an API to send a CAPTCHA and a second API to get the results.

In addition, it has been observed that attackers buy CAPTCHA cracking services and combine them with various proxyware to hide the original IP address and bypass anti-bot filters. For example, in one case, a CAPTCHA cracking service was targeted at the popular marketplace Poshmark, and requests for tasks coming from the bot were sent through a proxyware network.

Resources CAPTCHA solving services most often attack

As a result, Trend Micro recommends that administrators complement CAPTCHA and IP blocking with other protections against attacks and abuse.

By the way, the media write: CAPTCHA is Becoming Obsolete. What Will Take Its Place?

The post Real People Perform CAPTCHA Solving Services for Hackers appeared first on Gridinsoft Blog.

Vulnerability in Android Devices Touches Millions

According to the researchers, the production of gadgets is mainly outsourced to OEMs, and such outsourcing allows various parties involved in the production process (for example, firmware suppliers) to infect products with malware at the production stage.

It is worth saying that this problem has been known for a long time. For example, back in 2017, Check Point experts warned that 38 different smartphone models from well-known brands, including Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, contained malware right out of the box. Now, representatives of Trend Micro described what is happening as “a growing problem for ordinary users and enterprises.”

Fedor Yarochkin, a senior researcher at Trend Micro, and his colleague Zhenyu Dong, said that the introduction of malware at such an early stage began with the fact that prices for firmware for mobile devices fell. The competition between firmware distributors has become so serious that in the end they generally lost the opportunity to charge money for their product.

Yarochkin notes that, of course, nothing is free, and as a result, “silent” plug-ins began to appear in the firmware. Researchers say they have scoured dozens of firmware images for malware and found more than 80 such plugins, although many of them have not been widely adopted.

As a rule, the purpose of such malware is stealing information, as well as making money on the collected or transmitted information. In essence, the malware turns infected devices into proxy servers that are used to steal and sell SMS messages, hijack accounts on social networks and instant messengers, and monetize through ads and click fraud.

For example, the team discovered a Facebook cookie plugin that was used to collect activity information from the Facebook app. Another type of plugin, proxy plugins, allows criminals to rent out infected devices for up to 5 minutes. As a result, those who rent access to the device can intercept data about keystrokes, geographic location of the victim, IP address and much more.

The researchers calculated that millions of devices infected in this way are working around the world, but Southeast Asia and Eastern Europe are the leaders in infections. According to experts, the statistical analysis confirms approximately 8.9 million of infected devices.

Analysts are evasive about where such threats come from, although the word “China” was often heard during the report, including when it came to the development of suspicious firmware. Yarochkin says users should think about the relationship between the location of the world’s OEMs, incidence of infected firmware discovery, and draw its own conclusions.

Overall, the researchers say the malware was found on devices from at least 10 unnamed vendors and likely affected about 40 more. To avoid buying infected mobile phones out of the box, experts say users can opt for higher-end devices. In other words, malware is more likely to be found on cheaper devices in the Android ecosystem, and it’s best to stick with the big brands, although that’s no guarantee of security either.

See also: Vulnerabilities in the Firmware of Some HP Computers Cannot Be Fixed for a Year.

The post Trend Micro: Millions of Android Devices Contain Malware Right in the Firmware appeared first on Gridinsoft Blog.

Trend Micro reports that the GitHub Codespaces cloud development environment, available to the public use since November 2022, can be used to store and deliver malware, as well as malicious scripts.

Let me remind you that we also talked about Hackers Bypass CAPTCHA on GitHub to Automate Account Creation, and also that Hackers compromised Slack private GitHub repositories.

And also, the media reported that Many Repositories on GitHub Are Cloned and Distribute Malware.

In their report, the researchers demonstrate how easy it is to set up GitHub Codespaces to act as a web server to distribute malicious content while avoiding detection as the traffic originates from Microsoft servers.

The fact is that GitHub Codespaces allows developers to share forwarded ports from a virtual machine both privately and publicly for the purpose of real-time collaboration.

When forwarding ports on a virtual machine, Codespaces will generate a URL to access the application running on that port, which can be configured as private or public. Access to the private port URL will require authentication in the form of a token or cookies. However, the public port will be available to anyone without authentication if they know the URL.

Trend Micro analysts write that attackers can easily use this functionality to place malicious content on the platform. For example, an attacker can run a simple Python web server, upload malicious scripts or malware into their Codespace, open a web server port on a virtual machine and make it public.

The generated URL can then be used to access hosted files that could be used in phishing campaigns or become malicious executables downloaded by other malware. This is how attackers commonly abuse other well-known services, including Google Cloud, Amazon AWS, and Microsoft Azure.

Also, Trend Micro analysts write that an attacker can create a simple script to create a Codespace with a public port and use it to host malicious content, and set it to automatically self-delete after the URL has been accessed.

So far, no cases of abuse of GitHub Codespaces have been found in this way, but analysts are confident that attackers are unlikely to miss this opportunity.

The post Attackers Can Use GitHub Codespaces to Host and Deliver Malware appeared first on Gridinsoft Blog.

Malware operators and other hackers are increasingly abusing Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.

Let me remind you that we also wrote that Fraudsters Are Running a Malicious Advertising Campaign through Google Search.

Specialists from Trend Micro and Guardio Labs described the problem in detail. According to them, hackers are increasingly using typesquatting, cloning the official websites of the above programs and manufacturers, and then distributing trojanized versions of software through them, which users eventually download.

Among the malware delivered in this way, there are versions of the Raccoon stealer, a custom version of the Vidar stealer, as well as the IcedID malware loader. For example, we recently wrote about one of these campaigns, in which attackers distributed miners and the RedLine infostealer using fake MSI Afterburner utility sites.

Fake and real site

However, until recently, it was not clear exactly how users get to such malicious sites. It turned out that the key is in the abuse of advertising in Google.

Trend Micro and Guardio Labs experts say that Google, of course, has protective mechanisms for such a case, but attackers have learned how to bypass them. The thing is, if Google detects that the landing page behind the ad is malicious, the campaign will be immediately blocked and the ad removed.

Therefore, attackers act cautiously: first, users who click on ads are redirected to an irrelevant but safe site, also prepared by hackers. Only from there will the victim be redirected directly to a malicious resource masquerading as the official website of some kind of software.

How redirects work

As for payloads, they are usually in ZIP or MSI formats and are downloaded from reputable file sharing and code hosting services, including GitHub, Dropbox, or CDN Discord. Due to this, the anti-virus programs running on the victim’s computer are unlikely to object to such downloads.

Guardio Labs experts say that during one campaign they observed in November of this year, attackers distributed a trojanized version of Grammarly to users, which contained the Raccoon stealer. At the same time, the malware was “bundled” with legitimate software, that is, the user received the program that he was looking for, and the malware was installed “in the appendage”, automatically.

Guardio Labs, which has named these attacks MasquerAds, attributes most of this malicious activity to the Vermux group, noting that the hackers “abuse a lot of brands and continue to evolve.” According to them, Vermux mainly attacks users in Canada and the United States, using fake sites to distribute malicious versions of AnyDesk and MSI Afterburner infected with cryptocurrency miners and the Vidar stealer.

Attack scheme

Interestingly, activity of hackers, which experts have now described in detail, recently forced the FBI to publish a warning and recommendation on the use of ad blockers (so as not to see potentially dangerous ads in search engines at all).

The post Hackers Are Misusing Google Ads to Spread Malware appeared first on Gridinsoft Blog.

The Raspberry Robin worm uses new tactics to evade detection and seeks to confuse security experts if it runs in a sandbox or notices debugging tools.

To do this, the malware uses fake payloads, Trend Micro experts say.

Let me remind you that Raspberry Robin is a dropper that has the functionality of a worm, the authors of which sell access to compromised networks to extortion groups and operators of other malware. Experts have previously associated it with hack groups such as FIN11 and Clop, as well as payload distributions of Bumblebee, IcedID and TrueBot.

The first Raspberry Robin was found by analysts from Red Canary. In the spring of this year, it became known that the malware is distributed using USB drives (it infects devices with malware after clicking on the .LNK. file) and has been active since at least September 2021. The cybersecurity company Sekoia even observed that back in November last year, malware used Qnap NAS devices as control servers.

It was previously noted that the malware is heavily obfuscated to protect its code from antiviruses and researchers, and also has several layers containing hard-coded values to decrypt the next one.

To make things even more difficult for security professionals, Raspberry Robin recently began using different payloads depending on how it runs on the device, Trend Micro researchers now report. So, if the malware detects that it is running in a sandbox or they try to analyze it, the loader resets the fake payload. If nothing suspicious is found, the real Raspberry Robin malware is launched.

The fake fake payload has two additional layers: a shellcode with an embedded PE file and a PE file with the MZ header and PE signature removed. Once executed, it examines the Windows registry for signs of infection and then proceeds to collect basic information about the system.

The fake then tries to download and run the BrowserAssistant adware to make the researchers think it is the final payload. In fact, in truly infected systems that did not arouse suspicion in the malware, a real Raspberry Robin payload is loaded with a built-in customized Tor client for communication. Trend Micro’s report highlights that even with the fake payload being used as a distraction, the real payload is still packaged with ten levels of obfuscation, making it much more difficult to analyze.

The real payload is also said to check if the user is an administrator on startup, and if not, it uses the ucmDccwCOMMethod privilege escalation technique in UACMe to gain administrator rights. The malware also makes changes to the registry to maintain its presence in the system between reboots, using two different methods for this (for a user with and without administrator rights).

The malware then attempts to connect to hard-coded Tor addresses and establishes a communication channel with its carriers. However, the Tor client process uses names that mimic standard Windows system files, including dllhost.exe, regsvr32.exe, and rundll32.exe.

It is noteworthy that the main procedures are performed within Session 0, that is, in a specialized session reserved by Windows exclusively for services and applications that do not need or should not interact with the user.

Also Raspberry Robin still copies itself to any connected USB drives to infect other systems. At the same time, the researchers believe that the current campaign is more of a reconnaissance operation and an attempt to evaluate the effectiveness of new mechanisms, and not the initial stage of real attacks.

Let me remind you that we also wrote that Microsoft Links Raspberry Robin Worm to Evil Corp.

The post Raspberry Robin Worm Uses Fake Malware to Trick Security Researchers appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Tencent and Chinese police conducted a joint operation against game cheat developers.

The mhypro2.sys problem has been known since at least 2020, and information security experts have long been appealing to manufacturers of anti-cheat systems in general, since most of these solutions work at the ring 0 level, which can hardly be considered safe.

In the case of mhypro2.sys, the appeals of experts had no effect, the code signing certificate was not revoked, and therefore the program can still be installed on Windows without raising alarm. Worse, since 2020, two PoC exploits are available on GitHub at once and a detailed description of how you can use anti-cheat from user mode to read/write kernel memory with kernel mode privileges, terminate specific processes, and so on.

A recent Trend Micro report states that hackers have been abusing the driver since July 2022 and using it to disable properly configured security solutions.

Analysts write that in the example they studied, the attackers used secretsdump and wmiexec against the target machine, and then connected to the domain controller via RDP using stolen administrator credentials.

The first action taken by the hackers on the compromised machine was to transfer mhyprot2.sys to the desktop along with the malicious executable kill_svc.exe that was used to install the driver. The attackers then downloaded the avg.msi file, which in turn downloaded and executed the following four files:

1. logon.bat – launches HelpPane.exe, “kills” the antivirus and other services, launches svchost.exe;
2. HelpPane.exe – disguises itself as the Microsoft Help and Support executable file, similar to kill_svc.exe, as it installs mhyprot2.sys and “kills” anti-virus services;
3. mhyprot2.sys – Genshin Impact anti-cheat driver;
4. svchost.exe – An unnamed ransomware payload.

In this incident, the hackers tried three times to encrypt the files on the compromised workstation, but were unsuccessful, but the anti-virus services were successfully disabled. In the end, the attackers simply moved logon.bat to the desktop, running it manually, and it worked.

By the end of the attack, the hackers uploaded the driver, ransomware, and the kill_svc.exe executable to a network share for mass deployment, aiming to infect as many workstations as possible.

Trend Micro warns that hackers may continue to use the anti-cheat module, because even if the vendor does fix the vulnerability, old versions of mhypro2.sys will still be in use, and the module can be integrated into any malware. At the same time, experts note that while code-signing modules that act as device drivers that can be abused are still quite rare.

In response to the publication of this report, well-known information security expert Kevin Beaumont noted on Twitter that administrators can protect against this threat by blocking the hash “0466e90bf0e83b776ca8716e01d35a8a2e5f96d3”, which corresponds to the vulnerable mhypro2.sys driver.

The post Genshin Impact Game’s Anti-Cheat Driver Is Used to Disable Antiviruses appeared first on Gridinsoft Blog.

The attackers have created a cross-platform malicious version of the Chinese messenger MiMi (秘密, “secret” in Chinese), and use it to attack Windows, Linux, and macOS users.

Let me remind you that we also wrote that Chinese Hackers Use Ransomware As a Cover for Espionage, and also that Chinese hackers use Zimbra 0-day vulnerability to hack European media and authorities.

So, SEKOIA researchers write that MiMi for macOS version 2.3.0 was hacked almost four months ago, on May 26, 2022. The compromise was discovered during the analysis of the infrastructure of the HyperBro remote access trojan associated with APT27: the malware contacted the application, which seemed suspicious to the experts.

Trend Micro analysts have also noticed this campaign (independently of their colleagues) and now report that they have identified old trojanized versions of MiMi targeting Linux (rshell backdoor) and Windows (RAT HyperBro).

At the same time, the oldest sample of rshell for Linux is dated June 2021, and the first victim of this campaign became known back in mid-July 2021. In total, at least 13 different organizations in Taiwan and the Philippines were attacked, of which eight were affected by shell.

Experts say that in the case of macOS, the malicious JavaScript code injected into MiMi checks if the app is running on the Mac and then downloads and runs the rshell backdoor. After launch, the malware collects and sends system information to its operators and waits for further commands.

Hackers can use the malware to list files and folders and read, write, and download files on compromised systems. In addition, the backdoor can steal data and send specific files to its control server.

According to experts, the connection of this campaign with APT27 is obvious. Thus, the cybercriminals’ infrastructure uses a range of IP addresses already known to information security specialists. In addition, similar campaigns have already been observed before. For example, a backdoor was introduced into the Able Desktop messenger (Operation StealthyTrident), and malicious code was packaged using the already known tool associated with APT27.

It is worth emphasizing that it is impossible to say that we are discussing an attack on the supply chain. The fact is that according to Trend Micro, hackers control the servers hosting the MiMi installers, and experts suggest that they are dealing with a compromise of a legitimate and not too popular messenger targeted at the Chinese audience.

In turn, SEKOIA analysts say that MiMi looks very suspicious: the site associated with the messenger (www.mmimchat[.]com) does not contain a detailed description of the application, terms of use and links to social networks. Check of the legitimacy of the developer company Xiamen Baiquan Information Technology Co. Ltd. also failed. As a result, SEKOIA experts write that hackers could have developed the messenger, which is initially a malicious tool for tracking specific targets.”

The post Chinese Hackers Injected a Backdoor into the MiMi Messenger appeared first on Gridinsoft Blog.

A new version of LockBit 3.0 (LockBit Black) was released in June 2022, along with a new leak site and the first Bug Bounty program on the dark web.

You may also be interested in reading: Conti vs. LockBit 2.0 – a Trend Micro Research in Brief.

The encryption process includes adding the extension “HLJkNskOq” or “19MqZqZ0s” to each file and changing the icons of the locked files to the icon of the “.ico” file that was removed by the LockBit sample to trigger the infection.

According to a report by Trend Micro researchers, the ransomware then displays a ransom note that mentions Elon Musk and the EU General Data Protection Regulation (GDPR). LockBit 3.0 then changes the wallpaper on the victim’s computer to report a ransomware attack.

Much of LockBit’s similarity to BlackMatter comes from the repetition of privilege escalation and data collection to identify APIs needed to terminate other processes, and the use of anti-debugging and multi-threading techniques to prevent parsing. In addition, LockBit 3.0 checks the interface language of the victim’s computer to avoid compromising systems related to the countries of the former USSR.

The findings come after LockBit programs became the most active ransomware-as-a-service (RaaS) groups in 2022. The latest attack on the RaaS model was carried out on the Italian tax office. According to the Palo Alto Networks 2022 Unit 42 report, out of 600 incidents between May 2021 and April 2022, the ransomware family accounted for 14% of intrusions, second only to Conti at 22%.

The development also highlights the continued success of the RaaS business model, lowering the barrier to entry for hackers and expanding the opportunitiesm of ransomware.

According to the Check Point Cyberattack Trends Report Q2 2022, on average, 1 in 40 organizations are attacked weekly, up 59% from 2021. Latin America saw the largest increase in attacks, with 1 in 23 organizations attacked each week, up 43% from 2021. Asia also saw growth of 33% (1 in 17 organizations).

The post Experts Find Similarities Between LockBit and BlackMatter appeared first on Gridinsoft Blog.

Conti and LockBit 2.0 are outstanding operators regarding how many targets they managed to attack. The period analyzed is from November 2019 to March 2022. Within that timespan, Conti went offensive on 805 companies while LockBit 2.0 reached the ominous 666. These two ransomware operators are responsible for almost 45% of all the extortion attacks worldwide within the named period. And that is considering that LockBit reached its current activity level only in July 2021. Taking into account the rumors about the Conti group end, LockBit 2.0 might beat Conti in numbers of successful attacks even sooner than in August 2022, which was the earlier assessment.

Victim Companies Locations

Location-wise, the strategies of the two gangs show significant differences. Although North American and Western European companies lead by the number of enterprises targeted by both racketeering groups, that’s where the similarities end and differences begin. Conti’s much more focused on North America: more than two-thirds of this operator’s victims are there. The second position goes to Europe, and the rest, which is 7%, are all other regions.

As for LockBit 2.0, everything’s different. Both Western Europe and North America occupy roughly four-sixths of targets on LockBit’s victim list; America takes a larger part, of course. But unlike in the Conti case, the remaining number of victims (more than Western Europe, around 20% of the total) is distributed in favor of Asia and the Pacific, another considerable part goes to South America, and the remaining targets are in the Middle East, Eastern Europe, and Africa.

The distribution of targets in the case of LockBit is much closer to the distribution of the gross domestic product worldwide. Except for the Asian region. China‘s economy obviously dominates there, and China’s GDP is the world’s highest. However, this country is seemingly “spared” by ransomware actors in question. In the Asia and Pacific region, Conti makes a clear accent on victimizing English-speaking countries: Australia, New Zealand, Singapore, and India. We will reflect on the reasons for that in the conclusions to this item.

Industries and Company Sizes

Victimized industries are mostly the same for both operators, and no specific sphere is targeted purposefully by either ransomware group. The top most attacked industries are the same for LockBit and Conti: financial, IT, manufacturing, materials, professional services, and construction.

What is more curious is the difference between the size of attacked companies. Conti concentrates on enterprises with a relatively large number of employees. For instance, 237 attack cases (the highest number, considering Trend Micro’s selection of company sizes) fall under enterprises with 51-200 employees. LockBit’s maximum (222 attacks) is directed against companies employing 11-50 people. As for larger entities (201-500 employees), Conti’s haul here is 182 attacks and LockBit’s – 89. One of LockBit’s victims, according to Trend Micro, is a company consisting of one person.

Conclusions

The fact that Hong Kong is an alleged location of the LockBit gang leader might explain the group’s discretion in attacking China. An official investigation might critically jeopardize the group’s commander, his haven, and further operations.

In the case of Conti, everything is different. This ransomware group declared its support of Russia in the context of Russia’s invasion of Ukraine. Therefore, Conti attacks Russia’s opponents, mainly the USA, and holds its hand from victimizing Russia’s allies, such as China and most of the former Soviet Republics.

The distribution of LockBit’s victims and companies arguably proves the group’s claims to be out of politics and only financially motivated. Earlier, LockBit 2.0 even made a media performance promising to disclose data stolen from Mandiant, a cyber security giant, at the full tilt of the RSA cybersecurity conference. What preceded this prank was Mandiant report on LockBit’s connection with the Russian ransomware gang Evil Corp, which LockBit strictly denied.

The post Conti vs. LockBit 2.0 – a Trend Micro Research in Brief appeared first on Gridinsoft Blog.