Qilin Targets VMware ESXi

Today, more and more businesses are adopting virtualization technologies for server hosting. For example, VMware ESXi has become popular due to its effectiveness. However, attackers have quickly adapted to this trend and developed specialized encryptors to compromise these virtualized servers. While many ransomware operations use existing source codes, others use encryptors specifically for Linux servers. Thus, a recent discovery has revealed a Linux ELF64 encryptor for Qilin. It’s highlighting its adaptability across Linux, FreeBSD, and VMware ESXi servers.

Qilin’s encryptor has embedded configurations that dictate file extension, process termination, file inclusion or exclusion, and folder encryption or exclusion. It also strongly emphasizes virtual machines that go beyond mere file encryption. The Qilin encryptor grants threat actors vast customization capabilities. These options range from enabling debug modes and performing dry runs to tailoring the encryption of virtual machines and their snapshots. Moreover, the encryptor allows threat actors to specify a list of virtual machines exempted from encryption.

What is Qilin Ransomware?

Initially launching as Agenda ransomware in August 2022, the Qilin ransomware operation rebranded in September and has been active under its current name. It is one of a few malware written in Golang, which can possibly grant it with some enhanced anti-detection capabilities. Running the typical modus operandi of enterprise-targeting ransomware, Qilin infiltrates networks, exfiltrates data, and subsequently deploys ransomware to encrypt all connected devices. Ransomware operation of the group has maintained a consistent victim count since its inception. However, it has notably intensified its activities in late 2023. Employing double-extortion tactics, the threat actors leverage stolen data and encrypted files to coerce victims into meeting ransom demands.

As for targets, Qilin opt for enterprises and high-value companies. It focuses on organizations in the healthcare and education sectors in Africa and Asia. TAs gain initial access using spear phishing and known exploitable apps/hardware pieces, such as Citrix and remote desktop protocol (RDP). The encryption setting supports several encryption modes that the ransomware operator can configure.

Safety Recommendations

Here are a few ways you can identify Agenda ransomware in your network:

• Employees Education & Training. The most effective method is to train employees in the basics of cyber hygiene. Forewarned is forearmed.
• Data Backup. The following measure is to back up your data regularly, offline if possible. This will prevent the offline data copies from being corrupted and help restore the data without much effort.
• Security Tools. We recommend using security tools that use signatures, heuristics, or AI algorithms to identify and block suspicious files or activities. It can detect and block known ransomware variants.
• Network Traffic. Monitoring network traffic for any signs of compromise, such as unusual traffic patterns or communication with known command-and-control servers, allows the detection of suspicious activity.
• Security Audits. We recommended regular security audits and assessments to identify network and system vulnerabilities to maintain up-to-date protection.

The post Qilin Ransomware Focuses on VMware ESXi Servers appeared first on Gridinsoft Blog.

HTML smuggling as a method to bypass network detection.

The PlugX activity targets foreign policy entities in Europe, mainly Eastern Europe, by using HTML Smuggling. HTML Smuggling is a method used by hackers to conceal harmful payloads within HTML documents. The SmugX email campaign uses HTML Smuggling to download a JavaScript or a ZIP file. This creates a long infection chain that ultimately results in the victim being infected with PlugX.

Adversaries have used HTML smuggling for a while. Still, it has become more common since Microsoft blocked other popular methods of sneaking malware onto systems, like default-blocking macros in Word documents.

Lure for European politicians

The Attackers primarily focused on European domestic and foreign policy and were mainly used by Eastern and Central European governmental organizations.

Most of the documents found had content related to diplomacy, with some specifically concerning China and human rights. Furthermore, the names of the files imply that the targets were likely government officials and diplomats.

Attack on the European government

The attackers implemented HTML smuggling to enable downloading a JavaScript or ZIP file onto a compromised system. In the case of a ZIP archive, it includes a harmful LNK file that triggers PowerShell. On the other hand, if a JavaScript file is utilized, it will download and activate an MSI file from the attackers’ server.

After infecting a system, the DLL decrypts the PlugX malware. This malware can conduct several harmful activities, such as capturing screenshots, logging keystrokes, executing commands, and extracting files. A legitimate executable is hijacked and downloaded during the infection process to ensure that the malware remains on the system. The malware then duplicates the fair program and DLL, storing them in a hidden directory. The malware adds the legitimate program to the Run registry key to maintain persistence.

Is it possible to evade PlugX infection?

Potential targets of such attacks must prioritize defense. In a significant cyber attack, resetting the organization’s cyber security approach and posture is recommended. Every organization must reflect on its actions and decisions following a considerable spell. Though, it should be a lesson not only for governmental services but also for companies.

• Regularly update the systems. It is essential to regularly update your operating systems, software, and applications with the latest security patches and updates to fix known vulnerabilities.
• To enhance your security measures, it is necessary to revamp the cybersecurity training provided to government officials.
• A unique role for such organizations is the Zero Trust principles, so you can completely change the state of affairs in security.
• Implementing strict access controls such as strong passwords, multi-factor authentication (MFA), and role-based access control is essential to prevent unauthorized access to sensitive data and systems.

To minimize the risk of attacks, companies should implement various security measures. These include adopting robust security strategies, such as the Zero Trust model, regularly updating and patching systems, providing thorough security awareness training, implementing strict access controls, segmenting networks, using advanced threat detection tools, regularly backing up data, conducting security assessments, and utilizing third-party security services. By taking these steps, companies can significantly reduce their vulnerability to attacks.

The post PlugX malware attacks European diplomats appeared first on Gridinsoft Blog.

By the way, also read our article: Top Facebook Scams 2024: How to Avoid Them.

According to court documents shared by Bleeping Computer journalists, malicious applications, in particular, were available for download from the websites of the companies themselves, as well as through the Google Play Store, APK Pure, APKSFree, iDescargar and Malavida.

After installing applications (including AppUpdater for WhatsPlus 2021 GB Yo FM HeyMods and Theme Store for Zap), they used the built-in malware to collect sensitive user information, including authentication data, and then took over other people’s WhatsApp accounts to send spam.

At the same time, according to the official statistics of the Google Play Store, only the AppUpdater for WhatsPlus application has been installed more than a million times.

A gambling site that spammers advertised on WhatsApp

It is worth noting that last summer, the head of WhatsApp, Will Cathcar, warned users not to download modified versions of WhatsApp, and cited HeyMods and HeyWhatsApp as examples. Cathcart wrote that the company’s security service discovered hidden malware in these applications, and their main goal is to steal users’ personal information.

Interestingly, at the same time that the media learned about this lawsuit, Meta published an official press release in which it also stated that it had discovered more than 400 malicious applications that stole user data. However, here we are talking not only about applications for Android (355 pieces), but also about applications for iOS (47 pieces), and theft of credentials from Facebook accounts was named as their purpose.

By prompting victims to “Log in with Facebook,” the apps ended up stealing user credentials, hijacking other people’s accounts, and being able to “perform activities such as sending messages to friends and gaining access to personal information.”

More than a million users have reportedly been notified of the potential compromise and are now urged to change their passwords and enable two-factor authentication.

The post Meta Finds over 400 Chinese Apps That Stole Data from 1 million Users appeared first on Gridinsoft Blog.

The plot thickens as the adversaries deploy cunning tactics, leveraging phishing emails as Trojan horses, delivering malevolent Office documents armed with Bisonal—the underworld’s go-to Remote Access Trojan (RAT). Like a cyber echo, these same techniques reverberated across borders, targeting unsuspecting victims in Pakistani organizations, a sinister symphony meticulously observed by the sharp minds at SentinelLabs.

In the grand theater of digital warfare, China takes center stage, orchestrating a myriad of campaigns against Russia, a retaliatory crescendo following its invasion of Ukraine.

On June 22nd 2022 CERT-UA made a public release of Alert #4860 that presents several documents built with the help of Royal Road malicious document builder and constructed to reflect Russian government interests. Specialists from SentinelLabs analyzed further the report by CERT-UA and confirmed the involvement of a Chinese APT group.

The malicious activity comes amidst other Chinese attacks against Russia such as Space Pirates, Mustang Panda, Scarab, but here it is separate Chinese activity. The specific actor’s identity is unclear so far, although it remains clear that Chinese APT groups aim to target a wide range of different Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT (“Earth Akhlut”, “CactusPete”) group, reported for nearly a decade, might be the potential culprit behind the attacks. However, they emphasize that it is premature to draw definitive conclusions based on the current available data.

The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” goes in a report published by SentinelLabs.

Tonto Team APT group also targeted multiple victims across the globe including the targets of their particular interest in Northeast Asia such as private businesses, critical infrastructure, governments, etc. The group has been particular in their interests in Russian targets for the past years but recently in this direction specialists observed a significant spike of activity.

We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods– the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” also goes in a report by researchers.

On the whole the purpose of the attacks seems to be espionage-related, but that’s a limited assumption because of external visibility of the researchers’ standpoint.

The post Russian Organizations Under Attack By Chinese APTs appeared first on Gridinsoft Blog.