Showing results for tags 'rootkit'.
vissha posted a news in Security & Privacy News

Microsoft admits to signing rootkit malware in supply-chain fiasco

Microsoft has now confirmed signing a malicious driver being distributed within gaming environments. This driver, called "Netfilter," is in fact a rootkit that was observed communicating with Chinese command-and-control (C2) IPs.

G Data malware analyst Karsten Hahn first took notice of this event last week and was joined by the wider infosec community in tracing and analyzing the malicious drivers bearing the seal of Microsoft. It turns out, the C2 infrastructure belongs to a company classified under "Communist Chinese military" by the US Department of Defense.

This incident has once again exposed threats to software supply-chain security, except this time it stemmed from a weakness in Microsoft's code-signing process.

"Netfilter" driver is rootkit signed by Microsoft

Last week, G Data's cybersecurity alert systems flagged what appeared to be a false positive, but was not—a Microsoft-signed driver called "Netfilter." The driver in question was seen communicating with China-based C&C IPs providing no legitimate functionality and as such raised suspicions. This is when G Data's malware analyst Karsten Hahn shared this publicly and simultaneously contacted Microsoft:

Image caption: The malicious binary has been signed by Microsoft (VirusTotal)

"Since Windows Vista, any code that runs in kernel mode is required to be tested and signed before public release to ensure stability for the operating system." "Drivers without a Microsoft certificate cannot be installed by default," states Hahn.

At the time, BleepingComputer began observing the behavior of C2 URLs and also contacted Microsoft for a statement.

The first C2 URL returns a set of more routes (URLs) separated by the pipe ("|") symbol:

Image caption: Navigating to the C2 URL presents more routes for different purposes. Source: BleepingComputer

Each of these serves a purpose, according to Hahn: The URL ending in "/p" is associated with proxy settings, "/s" provides encoded redirection IPs, "/h?" is for receiving CPU-ID, "/c" provided a root certificate, and "/v?" is related to the malware's self-update functionality.

As seen by BleepingComputer, for example, the "/v?" path provided the URL to the malicious Netfilter driver in question itself (living at "/d3"):

Image caption: Path to malicious Netfilter driver. Source: BleepingComputer

The G Data researcher spent some time sufficiently analyzing the driver and concluded it to be malware. The researcher has analyzed the driver, its self-update functionality, and Indicators of Compromise (IOCs) in a detailed blog post.

"The sample has a self-update routine that sends its own MD5 hash to the server via hxxp://18.104.22.168:2081/v?v=6&m=," says Hahn. An example request would look like this:

hxxp://22.214.171.124:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab

"The server then responds with the URL for the latest sample, e.g. hxxp://126.96.36.199:2081/d6 or with 'OK' if the sample is up-to-date. The malware replaces its own file accordingly," further explained the researcher.

Image caption: Malware's self-update functionality analyzed by G Data

During the course of his analysis, Hahn was joined by other malware researchers including Johann Aydinbas, Takahiro Haruyama, and Florian Roth. Roth was able to gather the list of samples in a spreadsheet and has provided YARA rules for detecting these in your network environments.

Notably, the C2 IP 188.8.131.52 that the malicious Netfilter driver connects to belonged to Ningbo Zhuo Zhi Innovation Network Technology Co., Ltd, according to WHOIS records. The U.S. Department of Defense (DoD) has previously marked this organization as a "Communist Chinese military company," another researcher @cowonaut observed.

Microsoft admits to signing the malicious driver

Microsoft is actively investigating this incident, although thus far, there is no evidence that stolen code-signing certificates were used. The mishap seems to have resulted from the threat actor following Microsoft's process to submit the malicious Netfilter drivers, and managing to acquire the Microsoft-signed binary in a legitimate manner:

"Microsoft is investigating a malicious actor distributing malicious drivers within gaming environments."

"The actor submitted drivers for certification through the Windows Hardware Compatibility Program. The drivers were built by a third party."

"We have suspended the account and reviewed their submissions for additional signs of malware," said Microsoft yesterday.

According to Microsoft, the threat actor has mainly targeted the gaming sector specifically in China with these malicious drivers, and there is no indication of enterprise environments having been affected so far. Microsoft has refrained from attributing this incident to nation-state actors just yet.

Falsely signed binaries can be abused by sophisticated threat actors to facilitate large-scale software supply-chain attacks. The multifaceted Stuxnet attack that targeted Iran's nuclear program marks a well-known incident in which code-signing certificates were stolen from Realtek and JMicron to facilitate the attack.

This particular incident, however, has exposed weaknesses in a legitimate code-signing process, exploited by threat actors to acquire Microsoft-signed code without compromising any certificates.

Source
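The C2 route layout Hahn describes above (the "/p", "/s", "/h?", "/c", "/v?" and "/d<n>" paths, and the "/v?v=6&m=<MD5>" update check) is specific enough to turn into a proxy-log check. The following is an added example written for this thread, not code from G Data, BleepingComputer or the article; the log format, the client addresses and the "c2.invalid:2081" host are constructed, and the route-to-purpose mapping is taken from the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Route purposes as described in Hahn's analysis of the Netfilter C2 traffic.
# "/p", "/s" and "/c" are weak on their own (common short paths), so in a real
# hunt combine them with the published host/port IOCs; "/v?v=6&m=<md5>" and
# "/d<n>" are much more specific.
ROUTE_PURPOSE = {
    "/p": "proxy settings",
    "/s": "encoded redirection IPs",
    "/h": "CPU-ID upload",
    "/c": "root certificate",
    "/v": "self-update check",
}
DOWNLOAD_RE = re.compile(r"^/d\d+$")      # "/d3", "/d6": driver download path
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Constructed proxy log format: "<client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def classify_url(url):
    """Return the Netfilter C2 route purpose for a URL, or None if no route matches."""
    parts = urlsplit(url)
    if DOWNLOAD_RE.match(parts.path):
        return "driver download"
    purpose = ROUTE_PURPOSE.get(parts.path)
    if purpose is None:
        return None
    if parts.path == "/v":
        # The update check carries v=6 and the sample's own MD5 in m=
        q = parse_qs(parts.query)
        md5 = q.get("m", [""])[0]
        if q.get("v") != ["6"] or not MD5_RE.match(md5):
            return None
        return f"self-update check (sample MD5 {md5})"
    return purpose

def scan_log(lines):
    """Return (line_no, client, purpose) for each log line hitting a Netfilter C2 route."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than fail
        client, _method, url, _status = m.groups()
        purpose = classify_url(url)
        if purpose:
            hits.append((n, client, purpose))
    return hits

SAMPLE_LOG = [  # constructed sample lines; the MD5 is the one quoted in the article
    "10.0.0.5 GET http://c2.invalid:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab 200",
    "10.0.0.5 GET http://c2.invalid:2081/d6 200",
    "10.0.0.7 GET http://www.example.com/index.html 200",
    "10.0.0.9 GET http://c2.invalid:2081/h?id=constructed 200",
    "10.0.0.9 GET http://www.example.com/v?v=1&m=abc 404",
]
```

Running scan_log(SAMPLE_LOG) flags lines 1, 2 and 4 (update check, driver download, CPU-ID upload) and ignores the benign look-alike on line 5.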
mood posted a topic in Security & Privacy News

New Moriya rootkit used in the wild to backdoor Windows systems

An unknown threat actor used a new stealthy rootkit to backdoor targeted Windows systems in what looks like an ongoing espionage campaign dubbed TunnelSnake going back to at least 2018.

Rootkits are malicious tools designed to evade detection by burying deep into the operating system and used by attackers to fully take over infected systems while avoiding detection.

The previously unknown malware, dubbed Moriya by Kaspersky researchers who discovered it in the wild, is a passive backdoor that enables attackers to covertly spy on their victims' network traffic and send commands to compromised hosts.

Unusually evasive espionage backdoor

Moriya allowed TunnelSnake operators to capture and analyze incoming network traffic "from the Windows kernel's address space, a memory region where the operating system's kernel resides and where typically only privileged and trusted code runs."

The way the backdoor received commands in the form of custom-crafted packets hidden within the victims' network traffic, without needing to reach out to a command-and-control server, further added to the operation's stealth, showing the threat actor's focus on evading detection.

"We see more and more covert campaigns such as TunnelSnake, where actors take additional steps to remain under the radar for as long as possible, and invest in their toolsets, making them more tailored, complex and harder to detect," Mark Lechtik, a senior security researcher at Kaspersky's Global Research and Analysis Team, said.

Image caption: Moriya rootkit architecture (Kaspersky)

According to Kaspersky's telemetry, the malware was deployed on the networks of less than 10 entities in highly targeted attacks.

The threat actor used backdoored systems belonging to Asian and African diplomatic entities and other high-profile organizations to gain control of their networks and maintain persistence for months without being detected.

The attackers also deployed additional tools (including China Chopper, BOUNCER, Termite, and Earthworm) during the post-exploitation stage on the compromised systems (custom-made and previously used by Chinese-speaking actors). This enabled them to move laterally on the network after scanning for and finding new vulnerable hosts on the victims' networks.

All evidence points to Chinese-speaking threat actors

Although Kaspersky researchers weren't able to attribute the campaign to a specific threat actor, the tactics, techniques and procedures (TTPs) used in the attacks and the entities targeted suggest that the attackers are likely Chinese-speaking.

"We also found an older version of Moriya used in a stand-alone attack in 2018, which points to the actor being active since at least 2018," Giampaolo Dedola, a senior security researcher at Kaspersky's Global Research and Analysis Team, added. "The targets' profile and leveraged toolset suggest that the actor's purpose in this campaign is espionage, though we can only partially attest to this with lack of visibility into any actual siphoned data."

Further technical details on the Moriya rootkit and indicators of compromise associated with the TunnelSnake campaign can be found in Kaspersky's report.

In October, Kaspersky also found the second-ever UEFI rootkit used in the wild (known as MosaicRegressor) while investigating attacks from 2019 against two non-governmental organizations (NGOs). The previous UEFI bootkit used in the wild is known as LoJax and was discovered by ESET in 2018 while being injected by the Russian-backed APT28 hacking group within the legit LoJack anti-theft software.

Source: New Moriya rootkit used in the wild to backdoor Windows systems
FukenGruven posted a topic in Software Updates

TDSSKillerPortable_x.x_English_online.paf.exe

PortableApps.com Format
Makes application portable
Makes application stealth
Dependencies: Administrative Privileges
UNC: Yes
Compatible: WinAll
CRC: 70AD6C73
Size: 253 KB (259,642 bytes)
Note: when an update is released, simply re-run the installer to update.

Why post an app that's already posted by PortableApps.com? Because their version is faulty and leaves trash behind in the registry & file system.