Category Archives: Virus & Malware

Stay alert: Recently, an unknown trojan attack in the Linux environment, a malicious ELF file with UPX compression (11th Oct, 2021)

Preface: Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably need antivirus help.

Background: ELF file extension, an acronym for Executable and Linkable Format, is a common standard file extension used for executable, object code, core dumps and shared libraries. It was being chosen as the standard binary file format for Unix and Unix-based systems.

Observation and synopsis: Cyber criminal will send a email to you lure that to download a ELF binary file because of the following reason. An ELF file is an executable file meant to be used with a Nintendo Wii or Nintendo Wii emulator. It contains a video game or other Wii application. ELF files may contain official Wii applications or homebrew applications. For above reasons, you will click to downloading ELF binary files.

Perhaps, you have not installed antivirus software on the Linux platform. But you can use a simple Linux command to check whether the ELF binary file is embedded with UPX compression. Maybe this is a malicious file.

Hints: Suspicious ELF binary with UPX compression
In the source code to UPX, there’s a function int PackW32Pe::canUnpack() which is first ran as a test right when you do a upx -d (unpack executable). Magic or strings can detect whether UPX compressed file is embedded in elf binary file. It shows which offsets are to be tested to detect if a file was packed with UPX.

Reference: For more information, see Virustotal – https://www.virustotal.com/gui/file/efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa/detection

About GriftHorse Malware (30th Sep 2021)

Preface: Large portion of smartphone will not installed antivirus software. Even though it is installed. The antivirus vendor similar doing racing campaign with cyber criminals. Nowadays, vendor established malware sinkhole to find zero day vulnerability and existing cyber attack. If cyber criminals relies on software design limitation hiding itself on phone. Perhaps sinkhole not easy to figure it is a malicious acclivities. Therefore certain amount of personal data will be go to unknown area.

Ref: Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

Background: Headline News (Bleepingcomputer) report today that there is a malware nickname GriftHorse. It did the infiltration to Android and causes hundred of million smartphones become a victims. According to the article by Bleepingcomputer expert. A mobile security solution firm (Zimperium) observe malware (GriftHorse) exploiting the software flexibility of Apache Cordova. And hunting over 10 million victims globally.

Details: The Trojans are developed using the mobile application development framework named Apache Cordova, Zimperium said. They uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing. Before you read the details of the article. Perhaps you can quickly read the attached picture to understand that there are many ways to exploits Apache Cordova feature to sniff the data on the endpoint.

Ref: Cordova wraps your HTML/JavaScript app into a native container which can access the device functions of several platforms. Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a variety of mobile platforms.

Reference article, please refer to the link:

Bleepingcomputer – https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

Zimperium – https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring tech that allows the user to covertly monitor a target’s communications, or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit.

Impact:
– Bypasses kernel protections (NX and Patch guard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. Kaspersky said.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on the findings of this survey, please visit the Kaspersky website for details – https://securelist.com/finspy-unseen-findings/104322/#iocs

Another flaw prompted an urgent U.S. government warning and providing Guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from codes to full blown reports (Help them streamline their work).

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, let data scientists easy to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include: data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found November last year (2020) is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information as well as creating a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB that may have exposed customer data. In the first step, the attacker will gained access to the client’s Cosmos DB primary key. For example, exploit the vulnerability on Jupyter Notebook (virtual machine) to get the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account on the Azure portal and Regenerate Secondary Key. Please refer to url for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline News. President Biden announces investigation into international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software, allowing scammers to access your files and track your actions.
  • Ransomware is a form of malware goal to locks the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website. Therefore, ransomware infections will be reduced.

How DNS Sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.

Question: If the solution is mature and well-defined. But why the service provider does not implement it. Is it a cost factor?

Closer to reality: one of the ways of ransomware infection (15th June, 2021)

Preface: Ransomware infection not merely boots by vulnerability of the windows OS and or products components. Web site programming technique is the accomplice. Perhaps we can say, how successful of ransomware attacks will depends on the total number of compromised web server. What I call the trigger point.

Background: Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Ransomware is a type of malware attack. The encryption process will performs a key exchange with the Command and Control Server, using the encryption key to scramble all files discovered during the Execution step. It also locks access to the data. For cyber criminals view point, it is not possible to rent a web hosting service. Therefore, the possible way is find the online web portal which contained vulnerability. If they can compromised the online web. They can setup the phishing attack and evade traditional domain black list filter. So they can do their job silently.

Traditional corrective control not address the problem in effective way: A corrective control is an aftermath of detective and preventive. You can only restore from a backup after an incident. According to historical of attack, ransomware will be exploit operation system and or component vulnerability to conducting the infection. So traditional full backup may not use here because victim will be concerning what is exact time they receiving the attack. As a matter of fact, the correct way to proceed the restore procedure is wait for the digital forensic investigation result. Till today such attack still bother the whole world.

Maybe when something happens, the term phishing is on your side. See if you can learn more with the attached diagram.

Cyber attack shuts down U.S. fuel pipeline ‘jugular,’ said Headline News – 9th May 2021

Preface: The hacker group claimed that its ransomware attacks were only used for “right targets.” The organization claimed that they only targeted ransomware attacks and large profitable companies to “make the world a better place.”

Background: Cyber attacks in the oil and gas industry can threaten an organisation’s information technology (IT), its operational technology (OT) and any internet of things (IoT) systems in place.
Last year, the security department expressed such concerns.

Security Focus: The hacking team is very active on hack forums and keeps its customers updated with news related to the ransomware. Speculated that attacker gaining an initial foothold in the network not limited to email phishing. Perhaps they exploit SSL VPN design weakness or Microsoft Zero day. In the Oil and Gas Industry . It is common of the implementation of OPC UA technology. It is hard to avoid to using Microsoft product. Even though their OPC UA is running on a linux base machine.But Darkside 2.0 has fastest encryption speed on the market, and it capable for Windows and Linux versions. So this related thing started the story.

Headline News – https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/

Highly Evasive Leverages (16the March, 2021)

Preface: There is a registry key in your system that can be set to prevent certain applications from running, including security software.

Background: If the software developer creates a buffer and reserves 1024 bytes then tries to copy anything more than 1023 bytes (computers start counting at 0 remember) it will overflow out from the buffer and overwrite other memory locations on the stack.
When problem occurred. It will overwrite is the saved EBP (base pointer) and then the saved EIP (saved return address) and then the function parameters.
The function gets called it first creates a new Stack Frame. Then pushes the base pointer onto the stack so that it can retrieve it later and then it pushes the return address (saved EIP) onto the stack, this is so that when the function finishes it can return to the previous function that called it.

Reference: If interested to know the detail, you can read the details through the link – https://malvuln.com/advisory/8936c97e99799809812fa740076a2d7f.txt
It was interested that the Portable executor not new. The historical record shown that the first submission of PE file is on 2016.
This malware/Torjan activities keep going on for 6 years.

Would it be possible? Malware attack Apple M1 chip? – 21st Feb 2021

Preface: Can M1 chip run Windows? It is unsupported. the M1 decided not to use Boot Camp. Therefore it is not possible running Windows on Macs!

Background: So called “System on a Chip”, M1 integrates several different components, including the CPU, GPU, unified memory architecture (RAM), Neural Engine, Secure Enclave, SSD controller, image signal processor, encode/decode engines, Thunderbolt controller with USB 4 support.

Malware attack Apple M1 chip? Would it be possible?
According to record, GoSearch22 has signed with an Apple developer ID on November 23rd, 2020. GoSearch22 is the name of a potentially unwanted application (PUA) that functions as adware. Apple has (now) revoked the certificate. Since M1 systems will be running Big Sur which requires code to be signed, we assume the malware will be signed (and thus leverage the “signed” tag).

Alert: Security expert confirm that malware/adware authors are working out ways to attack M1. He found that if malware authors are natively compiling code for M1 systems. This code will be found within a universal/fat binary such their malicious creations will retain compatibility with older (Intel-based).

Reference: https://objective-see.com/blog/blog_0x62.html

Stack-based buffer overflow – the biggest enemy of IoT world

Preface:ASLR, NX Zones, and Stack Canaries is hard to avoid such memory design weakness exploit by malware authors.

Background: EIP is a register in x86 architectures (32bit). It is a register that points to the next instruction. In order to avoid malware infiltration. How to keep track of memory location when instructions that are being executed is very important.The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.

Potential cyber attack: Refer to diagram,the malware listens on TCP port 80, sending an HTTP GET request with 300 or more bytes will trigger buffer overflow overwriting EIP. When malware reach the EIP and overwrite it with a new address that points to his shell code, then it will add something called NOP (No Operation) , then finally the shellcode. And breakdown everything espcially access control of priviliges.

Status: under observation.