BlackBerry Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 30 May 2024 21:32:38 +0000

SYMBIOTE Backdoor and Rootkit Dropper Revealed
https://gridinsoft.com/blogs/symbiote-backdoor-rootkit/
Mon, 20 Jun 2022 22:27:15 +0000
Symbiote Backdoor: a Stealthy and Highly Evasive Linux Malware

Researchers at BlackBerry and Intezer have revealed a malicious program dubbed Symbiote that is used to plant rootkits and backdoors on compromised Linux servers. The malware has been targeting financial institutions throughout South America. To install it, the attackers need root access, which they obtain either by exploiting unpatched vulnerabilities or by using leaked credentials. After the initial compromise, the malware establishes a foothold in the system to conduct further attacks, conceal the presence of other malicious programs, and intercept confidential data.

What makes Symbiote distinctive is that it is delivered as a shared library that is loaded into every process at launch via the LD_PRELOAD mechanism and hooks selected functions of the standard C library. The handling of the hooked calls hides the backdoor’s activity: it removes particular entries from the process list, blocks access to certain files under /proc, hides files in directories, removes the malicious shared library from ldd output (by intercepting execve and inspecting calls made with the LD_TRACE_LOADED_OBJECTS environment variable set to 1), and suppresses network sockets associated with the malicious activity. To defeat traffic inspection, libpcap functions are hooked, reads of /proc/net/tcp are filtered, and extra bytecode is injected into BPF programs loaded into the kernel. Together these techniques conceal the backdoor from packet sniffers started on the same system afterwards.

Symbiote Evasion Techniques. Image: BlackBerry / Intezer.

Symbiote also manages to hide from file system activity monitors: rather than opening files itself, it steals confidential data by intercepting the reads that legitimate applications perform on those files (for instance, the hooked library functions let it capture a password as the user types it, and capture access-key material as an application loads it from a file). For remote access, Symbiote hooks certain Linux Pluggable Authentication Module (PAM) calls, which lets the operators log in over SSH with credentials known to the attacker. Privilege escalation is provided for as well: the operators can obtain root privileges by setting the environment variable HTTP_SETTHIS.

The post SYMBIOTE Backdoor and Rootkit Dropper Revealed appeared first on Gridinsoft Blog.

CostaRicto mercenary hackers target financial institutions around the world
https://gridinsoft.com/blogs/costaricto-mercenary-hackers-target-financial-institutions-around-the-world/
Sat, 14 Nov 2020 12:16:20 +0000
BlackBerry experts have reported the discovery of a group of mercenary hackers called CostaRicto.

This is the fifth group of mercenary hackers identified by experts this year. Back in the spring, Google’s Threat Analysis Group warned that the number of such groups is growing, and earlier this year information security specialists had already described the hacker-for-hire teams BellTrox (aka Dark Basin), DeathStalker (aka Deceptikons), Bahamut and an unnamed group.

Interestingly, many groups of this kind ended up being associated with India: BellTrox was connected with an Indian company and Bahamut is also suspected of similar connections. In this regard, the BlackBerry report specifically emphasizes that the origin and location of CostaRicto is still unknown.

But experts found that hackers organized attacks around the world, including in different countries of Europe, America, Asia, Australia and Africa. BlackBerry says that South Asia (especially India, Bangladesh and Singapore) is hardest hit by CostaRicto.

“Attackers can also be based in this region. Although the profiles of CostaRicto victims vary, the majority of victims are from different financial institutions”, — conclude the experts.

The BlackBerry report states that the CostaRicto group mainly uses specially designed and previously unknown malware, but at the same time does not use any innovative attack methods in its operations. For example, most of their group attacks revolve around stolen credentials or common spear phishing.

These malicious emails usually carry a backdoor Trojan that BlackBerry tracks as Sombra or SombRAT.

This Trojan gives CostaRicto operators access to infected hosts, helps them locate confidential files on those hosts and steal important documents. The stolen data is usually sent to the attackers’ command-and-control server, which is hosted on the darknet and is reachable only through Tor. In addition, infected hosts usually connect to the attackers’ servers through multiple proxies and SSH tunnels to hide the malicious traffic from prying eyes.


All of the CostaRicto malware samples studied were dated October 2019, although other evidence found on the gang’s servers suggests that the hackers may have been active since at least 2017.

The report also notes that the researchers found some similarities between CostaRicto’s attacks and earlier campaigns by the Russian-speaking hack group APT28, which is associated with the Russian government. However, BlackBerry writes that this “overlap” was most likely coincidental.

Let me remind you that recently Microsoft experts talked about an attack of Iranian hackers on participants of a security conference.

The post CostaRicto mercenary hackers target financial institutions around the world appeared first on Gridinsoft Blog.

Tycoon ransomware uses exotic JIMAGE format to avoid detection
https://gridinsoft.com/blogs/tycoon-ransomware-uses-exotic-jimage-format-to-avoid-detection/
Mon, 08 Jun 2020 16:10:37 +0000
BlackBerry experts have discovered an unusual multi-platform (Windows and Linux) ransomware called Tycoon. It is written in Java and is packaged in JIMAGE image files to avoid detection.

Researchers believe Tycoon was used in targeted and very rare attacks; the small number of victims and the delivery mechanism used support this theory. The ransomware was clearly intended to attack small and medium-sized enterprises, as well as educational institutions and software developers.

“The use of Java and JIMAGE are unique. Java is very rarely used to write malware for endpoints, since Java Runtime Environment is required to execute the code. Image files are also rarely used for malware attacks”, — say BlackBerry experts.

The attack itself begins quite conventionally: the initial compromise is carried out through insecure RDP servers exposed to the Internet. The investigation showed that the attackers then use Image File Execution Options (IFEO) injection to maintain persistence in the system, launch a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK), and disable anti-virus products using ProcessHacker.


Having gained a foothold in the company’s network, attackers launch a ransomware module in Java that encrypts all file servers connected to the network, including backup systems.

The encryptor itself is deployed from a ZIP archive containing a malicious Java Runtime Environment (JRE) build and a compiled JIMAGE image. This file format is normally used to store custom JRE images and is consumed by the Java Virtual Machine. The researchers note that the format, first introduced with Java 9, is poorly documented and rarely used by developers.


It is also noted that Tycoon deletes the source files after encryption and overwrites them to prevent recovery of the data; for this it uses the standard Windows utility cipher.exe. In addition, during encryption the malware skips parts of large files to speed up the process, which corrupts those files and makes them unusable.

Each file is encrypted with a freshly generated AES key. The ransomware uses the asymmetric RSA algorithm to encrypt those AES keys, so decrypting the data requires the attackers’ RSA private key.

“However, one of the victims who asked for help on the Bleeping Computer forum published an RSA private key, allegedly obtained from the decryptor, which the victim acquired from the attackers. This key worked successfully to decrypt some files affected by the earliest version of Tycoon ransomware, which added the .redrum extension to encrypted files”, — write the experts, but warn that, unfortunately, for files encrypted with the .grinch and .thanos extensions this tactic no longer works.

The researchers also identified a possible link between Tycoon and the Dharma/CrySIS ransomware, which, for example, also spread through infected PDF files. Their theory is based on overlapping email addresses, the similarity of the text in the ransom notes, and matching names assigned to encrypted files.

Interestingly, the MyKingz botnet relies not on exotic image formats but, for example, on a picture of Taylor Swift to infect target machines.

The post Tycoon ransomware uses exotic JIMAGE format to avoid detection appeared first on Gridinsoft Blog.
