Cisco Talos Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 03 Jan 2023 11:14:58 +0000

Hackers Use Excel Add-Ins as Initial Penetration Vector
https://gridinsoft.com/blogs/hackers-use-excel-add-ins/
Tue, 03 Jan 2023 11:14:58 +0000

The post Hackers Use Excel Add-Ins as Initial Penetration Vector appeared first on Gridinsoft Blog.


Cisco Talos analysts say that hackers are now using Excel add-ins to infiltrate victims’ systems and networks.

After Microsoft began blocking VBA macros in Office documents downloaded from the Internet (marked as Mark Of The Web), attackers had to rethink their attack chains: for example, now hackers are increasingly using Excel add-in files (.XLL) as an initial compromise vector.

According to experts, Office documents distributed using phishing emails and other social engineering remain one of the most popular attack vectors for attackers. Such documents traditionally suggest that victims enable macros to view supposedly harmless content, but in fact activate hidden malware execution in the background.

To address these abuses, earlier this year Microsoft began blocking VBA macros in Office documents downloaded from the Internet. Although the company admitted that it received negative feedback from users and was even forced to temporarily reverse the decision, the blocking of VBA macros was ultimately reinstated.

We also wrote that hackers use the .NET library to create malicious Excel files, and that a weak block cipher in Microsoft Office 365 leads to message content disclosure.

Although the blocking only applies to the latest versions of Access, Excel, PowerPoint, Visio, and Word, attackers have begun experimenting with alternative ways to infect systems and deploy malware. One such “innovation” is the use of XLL files, which Microsoft describes as “a kind of DLL file that can only be opened in Excel,” the researchers report.

“XLL files can be sent via email, and even with normal malware scanning mechanisms in place, users can open them without knowing that such files may contain malicious code,” writes Cisco Talos.


Although Excel warns about the potential dangers of XLLs, these warnings are usually overlooked by users.

According to experts, hackers combine add-ins written in C++ with add-ins developed using the free Excel-DNA tool. The first such experiments were noticed a few years ago, but in 2021-2022 these attacks began to develop much more actively.


The researchers write that XLL files are already being abused by the Chinese hack groups APT10 and TA410 (which started back in 2017), the Russian-speaking group FIN7 (which began using add-in files in its campaigns last summer), the well-known Dridex and FormBook loaders, and other major malware families, including AgentTesla, Ransomware Stop, Vidar, Buer Loader, Nanocore, IcedID, Arkei, AsyncRat, BazarLoader, and so on.


“As more and more users migrate to new versions of Microsoft Office, it is likely that in the future hackers will move away from malicious VBA documents and move to other formats (such as XLL), or rely on exploiting newly discovered vulnerabilities to run malicious code in the Office application space,” the analysts summarize.

New Version of Truebot Exploits Vulnerabilities in Netwrix Auditor and Raspberry Robin Worm
https://gridinsoft.com/blogs/new-version-of-truebot/
Wed, 14 Dec 2022 12:36:56 +0000


Information security experts warned of an increase in the number of infections with the new version of TrueBot, primarily targeting users from Mexico, Brazil, Pakistan and the United States.

According to Cisco Talos, malware operators have now moved from using malicious emails to alternative delivery methods, including exploiting an RCE vulnerability in Netwrix Auditor, as well as using the Raspberry Robin worm.

Let me remind you that experts attribute the authorship of TrueBot to the Russian-speaking hack group Silence, which is known for major robberies of financial institutions.

It is now reported that the attackers not only switched to new malware delivery methods, but also began using the custom Teleport tool to steal data and distributing the Clop encryptor, which is usually used by hackers from the TA505 group, associated with another Russian-speaking hack group, FIN11.

Cisco Talos researchers write that they discovered several new attack vectors back in August 2022. According to their observations, Silence participants infected 1500 systems around the world, “bringing with them” shellcode, Cobalt Strike beacons, the Grace malware, the Teleport data theft tool and the Clop ransomware.

It is noted that in most of the attacks detected from August to September, hackers infected victims’ systems with Truebot (Silence.Downloader) using the critical vulnerability in Netwrix Auditor servers, tracked as CVE-2022-31199.

In October 2022, hackers completely switched to using malicious USB drives and the Raspberry Robin worm, which delivered IcedID, Bumblebee, and Truebot payloads to victims’ machines.

Let me remind you that in Microsoft’s October report, this worm was associated with the spread of the Clop ransomware and the DEV-0950 hack group, whose malicious activity is linked to the activity of the FIN11 and TA505 groups.

As Cisco Talos now notes, Truebot operators used Raspberry Robin to infect more than 1,000 hosts, many of which were not accessible via the Internet. Most of the victims of hackers are in Mexico, Brazil and Pakistan.


In November, hackers targeted Windows servers whose SMB, RDP, and WinRM services are exposed to the Internet. The researchers counted more than 500 such infections, about 75% of them in the United States.

Analysts remind that Truebot is in fact a first-stage module that collects basic information about the victim’s system and takes screenshots. It also extracts information about Active Directory, which helps hackers plan their next steps after an infection.


The attacker’s command and control server can then instruct Truebot to load shellcode or DLLs into memory, execute additional modules, remove itself, or load DLLs, EXEs, BATs, and PS1 files.

Also, after a system is compromised, hackers use Truebot to inject Cobalt Strike beacons or Grace malware (FlawedGrace, GraceWire) into victim systems. The attackers then deploy Teleport, which Cisco describes as a new custom tool written in C++ that helps to steal data silently.

The communication channel between Teleport and the C&C server is encrypted. Operators can limit download speeds, filter files by size (to steal more), or remove payloads. Teleport is also capable of stealing files from OneDrive folders, collecting victim mail from Outlook, and looking for specific file extensions.


It is noted that after lateral movement, infecting as many systems as possible using Cobalt Strike, and stealing data, in some cases the hackers deploy the Clop ransomware mentioned above on the victims’ systems.


“During the exploration and lateral movement phase, the attackers browsed key server and desktop file systems, connected to SQL databases and collected data, which they then transferred to a remote server using the Teleport tool. Once enough data was collected, the attackers created scheduled tasks on a large number of systems in order to simultaneously run Clop ransomware on them and encrypt as much data as possible,” the researchers explain.

Gamaredon Hack Group Uses New Malware to Attack Ukrainian Organizations
https://gridinsoft.com/blogs/gamaredon-hack-group/
Mon, 19 Sep 2022 08:07:15 +0000

Cisco Talos analysts write that the Russian-speaking hack group Gamaredon (aka Primitive Bear, Shuckworm, Iron Tilden and Callisto) is attacking Ukrainian organizations with the help of a new infostealer. The targets of this campaign are employees of the Ukrainian state, defense and law enforcement agencies.

Let me remind you that we also wrote that hacker groups have split up, with some of them supporting Russia and others Ukraine, and that the TrickBot hack group systematically attacks Ukraine.

Experts remind that the Gamaredon group is known for using only proprietary tools in its campaigns, including malicious scripts, backdoors and infostealers.

As part of the new campaign, which began in August 2022 and is still active, the hackers began using a new information-stealing tool that is able to extract certain types of files from victims’ computers, as well as deploy additional payloads.

“This is a new infostealer that Gamaredon has not used before. We suspect this is a new member of the Giddome backdoor family, but cannot currently confirm this,” writes Cisco Talos.

The new malware has not yet received its own name, but it is known that it has clear instructions for stealing files with the following extensions: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb. The new Gamaredon stealer can steal files from connected devices (local and remote) by creating a POST request for each stolen file containing its metadata and contents.


Experts say that this infostealer is spread via phishing emails containing Microsoft Office documents with malicious VBS macros. The VBS code is hidden in remote templates and is executed when the document is opened, after which it loads the RAR archive with LNK files.


LNK files are designed to run mshta.exe to download and parse a remote XML file that executes a malicious PowerShell script that Gamaredon has previously used in its spy campaigns.

Another PowerShell script is loaded and executed to collect data about the infected system (computer name, VSN, base64 encoded screenshot) and then send this information to a remote server.

North Korean Group Lazarus Attacks Energy Companies
https://gridinsoft.com/blogs/north-korean-group-lazarus/
Mon, 12 Sep 2022 08:15:33 +0000

A new malware campaign by the North Korean hacker group Lazarus has been discovered, which was active from February to July 2022. This time the hackers have targeted energy suppliers around the world, including companies in the US, Canada and Japan.

Let me remind you that we also reported that Microsoft accused Russia and North Korea of attacks on pharmaceutical companies, and that cybersecurity researchers discovered the Chinese hack group Earth Lusca.

Cisco Talos experts describe the new campaign, in which the goal of Lazarus was “to infiltrate organizations around the world to establish long-term access and subsequent theft of data of interest to the enemy state.”

Whereas earlier Lazarus attacks used the Preft (Dtrack) and NukeSped (Manuscrypt) malware, the new campaign was notable for the use of a number of other tools: the VSingle HTTP bot, which executes arbitrary code on a remote network; the YamaBot backdoor, written in Go; and the previously unknown Remote Access Trojan (RAT) MagicRAT, which has been used to find and steal data from infected devices but can also be used to launch additional payloads on infected systems.

It is worth noting that Symantec and AhnLab analysts have already written about this Lazarus activity, but the latest Cisco report turned out to be more in-depth and reveals many more details about the hackers’ activities.

It is known that Lazarus obtained initial access to the corporate networks of its victims by exploiting vulnerabilities in VMware products (for example, Log4Shell). These vulnerabilities were used to run shellcode, create reverse shells, and execute arbitrary commands on a compromised machine.

“Although the same tactics were used in the attacks, the resulting malware deployed was different from each other, indicating a wide variety of implants at the disposal of Lazarus,” the researchers say.


Thus, the use of VSingle malware in one of the attacks allowed the attackers to perform various actions, including reconnaissance, data theft, and manual installation of backdoors, which gave them a clear understanding of the victim’s environment. In essence, this malware sets the stage for credential theft, creates new admin users on the host, and installs a reverse shell to communicate with the command and control server and download plugins that extend its functionality.


In another case, after gaining initial access and conducting reconnaissance, the hackers used not only VSingle, but also MagicRAT, to which the researchers paid special attention and devoted a separate post.

The Trojan is able to persist in the victim’s system by executing hard-coded commands and creating scheduled tasks, conduct reconnaissance, and fetch additional malware (such as TigerRAT) from the command-and-control server.

In the third case, Lazarus deployed the YamaBot malware to the affected systems; it is written in Go and has standard RAT features:

  1. listing files and directories;
  2. transferring information about processes to the control server;
  3. downloading remote files;
  4. execution of arbitrary commands and self-destruction.

It is also noted that the group often used not only its own tools, but also harvested credentials on victims’ networks using well-known tools such as Mimikatz and ProcDump, disabled anti-virus components and Active Directory services, and took measures to cover its tracks after the backdoors were activated.

A special version of Flash for China turned into adware
https://gridinsoft.com/blogs/flash-for-china-turned-into-adware/
Wed, 24 Feb 2021 16:07:02 +0000

Many users and cybersecurity specialists have discovered that a special version of Flash for China has turned into adware.

As you know, at the beginning of 2021, support for Adobe Flash Player was finally discontinued. A self-destruct mechanism had been built into the software in advance, and since January 12, 2021, Adobe has blocked the launch of any Flash content.

However, in China, Adobe has allowed the local company Zhong Cheng Network to continue supporting Flash, as it is still an important part of the local IT ecosystem and is widely used in both the public and private sectors. For example, at the beginning of the year, Chinese railway workers faced serious problems due to the end of Flash support.

The special Chinese version of Flash is distributed through the flash[.]cn website, and Minerva Labs recently discovered that it is insecure.

“It is important to mention that the file is signed by ‘Zhong Cheng Network’ which is a distributor of Adobe’s software in China. The binary contains an embedded DLL encrypted inside its data section, which is reflectively loaded and executed,” Minerva Labs specialists report.

According to the researchers, in addition to Flash itself, other payloads also land on users’ machines. In particular, the application downloaded and launched the nt.dll file inside the FlashHelperService.exe process, which opens a new browser window at regular intervals and shows various sites with many ads and pop-ups.


The suspicious behavior of this process was also noticed by Cisco Talos analysts, who noted that FlashHelperService.exe became one of the leading threats in January, and then in February.

Users noticed this problem too. Numerous complaints can already be found on the Adobe Support Forum, local blogs, and more.

“Most enterprises with a Chinese office had this service installed in their organizational network. If this framework was used with a malicious intent, an attacker will have an initial foothold in many organizations,” Minerva Labs researchers wrote.

Let me remind you that the authorities of South Africa created their own browser in order to continue using Flash.

Prometei botnet uses SMB for distribution
https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/
Thu, 23 Jul 2020 16:32:14 +0000

Cisco Talos has discovered a new botnet, Prometei, which has been active since March 2020 and is focused on mining the Monero (XMR) cryptocurrency. The researchers note that the Prometei botnet makes intensive use of the SMB protocol for distribution.

The malware mainly attacks users from the USA, Brazil, Pakistan, China, Mexico and Chile. During four months of activity, the botnet operators “earned” about $5,000, that is, an average of about $1,250 per month.

Do you know who else is focused on mining Monero and wields a variety of exploits? Lucifer! (Don’t be alarmed, that is the name of a piece of malware.)

“The malware uses several techniques for distribution, including LOLbins (living off the land) to use legitimate Windows processes to execute malicious code (including PsExec and WMI), SMB exploits (including EternalBlue), and stolen credentials,” write Cisco Talos experts.

In total, the researchers counted more than 15 components in Prometei. All of them are controlled by the main module, which encrypts data with RC4 before sending it to the management server via HTTP.


Auxiliary modules can be used to establish communication over Tor or I2P, collect system information, check open ports, spread via SMB, and scan the infected system for any cryptocurrency wallets.

For example, a botnet steals passwords using a modified version of Mimikatz (miwalk.exe), and then passwords are passed to the spreader module (rdpclip.exe) for analysis and authentication via SMB. If that doesn’t work, the EternalBlue exploit is used for propagation.

The final payload delivered to the compromised system is SearchIndexer.exe, which is simply an XMRig version 5.5.3.

However, experts write that Prometei is not just a miner: the malware can also be used as a full-fledged Trojan and info-stealer.

“The botnet is split into two main branches: the C++ branch is dedicated to cryptocurrency mining operations, and the .NET-based branch focuses on credential theft, SMB attacks and obfuscation. At the same time, the main branch can work independently from the second one, since it can independently communicate with the control server, steal credentials and engage in mining,” say the researchers.

Cisco Talos experts point out that Prometei is unlike most mining botnets. Its authors not only divided their tools according to purpose, they also “taught” the malware to avoid detection and analysis. In particular, even the earlier versions contain several layers of obfuscation, which became much more complex in later versions.
