Category Archives: Virus & Malware

Would it be possible? Malware attack Apple M1 chip? – 21st Feb 2021

Preface: Can M1 chip run Windows? It is unsupported. the M1 decided not to use Boot Camp. Therefore it is not possible running Windows on Macs!

Background: So called “System on a Chip”, M1 integrates several different components, including the CPU, GPU, unified memory architecture (RAM), Neural Engine, Secure Enclave, SSD controller, image signal processor, encode/decode engines, Thunderbolt controller with USB 4 support.

Malware attack Apple M1 chip? Would it be possible?
According to record, GoSearch22 has signed with an Apple developer ID on November 23rd, 2020. GoSearch22 is the name of a potentially unwanted application (PUA) that functions as adware. Apple has (now) revoked the certificate. Since M1 systems will be running Big Sur which requires code to be signed, we assume the malware will be signed (and thus leverage the “signed” tag).

Alert: Security expert confirm that malware/adware authors are working out ways to attack M1. He found that if malware authors are natively compiling code for M1 systems. This code will be found within a universal/fat binary such their malicious creations will retain compatibility with older (Intel-based).

Reference: https://objective-see.com/blog/blog_0x62.html

Stack-based buffer overflow – the biggest enemy of IoT world

Preface:ASLR, NX Zones, and Stack Canaries is hard to avoid such memory design weakness exploit by malware authors.

Background: EIP is a register in x86 architectures (32bit). It is a register that points to the next instruction. In order to avoid malware infiltration. How to keep track of memory location when instructions that are being executed is very important.The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.

Potential cyber attack: Refer to diagram,the malware listens on TCP port 80, sending an HTTP GET request with 300 or more bytes will trigger buffer overflow overwriting EIP. When malware reach the EIP and overwrite it with a new address that points to his shell code, then it will add something called NOP (No Operation) , then finally the shellcode. And breakdown everything espcially access control of priviliges.

Status: under observation.

To avoid malware misuse “PACKET_MMAP” function,from Linux environment. CISA Releases Free Detection Tool for Azure/M365 Environment (29th Dec 2020)

Preface: Neither shellcode or shellcode injection have anything to do with shell scripting. It is a sophisticated way of finding a vulnerable spot on the cyber security layer of an organization and exploiting it for malicious purposes.

Background: Azure Sphere is a secured, high-level application platform with built-in communication and security features for internet-connected devices. The platform consists of the integration of hardware built around a secured silicon chip; the Azure Sphere OS (operating system), a custom high-level Linux-based operating system; and the Azure Sphere Security Service, a cloud-based security service….

About “PACKET_MMAP” function: From official article, it illustrated below:
PACKET_MMAP provides a size configurable circular buffer mapped in user space that can be used to either send or receive packets. However a design weakness has occured! The mmap‘ed memory buffer will be filled by the kernel when using PACKET_RX_RING. As a result, the user’s process, it’s enough to mmap a buffer with PROT_READ|PROT_EXEC permissions flags, and let the kernel fill the buffer.

Remedy: Perhaps shellcode injection sometimes can evade your malware protection mechanism. In certain point of view, use SIEM is one of the cost effective solution. Meanwhile, CISA Releases Free Detection Tool for Azure/M365 Environment. Reference link – https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment

CISA Insights for ongoing APT Cyber Activity One of the key topics: CISA Issues Emergency Directive to Mitigate the Compromise of SolarWinds Orion Network Management Products. (24th Dec 2020)

Design weakness on SolarWinds Patch Manager found April, 2019. The flaw is that when Notepad++ and 7-Zip do not requiure trust sign verification. Fundamentally, 7-Zip has never signed their packages. Meanwhile the certificate to sign Notepad++ is expired at that time. SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to Orion Platform 2019.4 HF 6, which is available at https://customerportal.solarwinds.com/

Quick verification – CHECK FILES AND HASHES:
The presence of any of the following files indicates that a trojanized version of SolarWinds is installed.

1.File Name: SolarWinds.Orion.Core.BusinessLayer.dll, File Hash (MD5): b91ce2fa41029f6955bff20079468448

2.File Path and Name: C:[\]WINDOWS[\]SysWOW64[\]netsetupsvc.dll

Remedy: https://www.solarwinds.com/securityadvisory

Reference: http://www.antihackingonline.com/potential-risk-of-cve/fireeye-detected-apt-activities-go-through-solarwinds-product-13th-dec-2020/

New variant of the Zebrocy (smqft_exe & sespmw_exe). They are design to perform various functions on the compromised system, said USCERT (3rd Nov 2020)

Preface: Some expert comment that because of Go language programming file will be large than usual. It might have possibilities to evade virus scanning. So malware author like to use. Perhaps this is not the major factor.

Background: In July 2019, a security researcher found nearly 10,700 unique samples of malware written in Go programming language, also known as GoLang.
According to the analysis conducted by Imperva. As of 2019 37.97% attack use Python language develop the tool and 31.53% was used Go language. Go language really a compiler (in fact it embeds 2 compilers) and it makes totally self sufficient executable. You don’t need any supplementary library or any kind of runtime to execute it on your server.

Technical highlights: Go or Golang attempts to reclaim the memory occupied by other objects that are no longer needed which makes Go a highly garbage collected language. Because of this reclaim feature, so it is easy to let antivirus/malware detection screw up.

Official details: If you are interested in the above matters. Please refer to the link – https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Official alert – APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (9th Oct 2020)

Preface: Zero-day attacks don’t have signatures; no one in the security community has analyzed the exploited vulnerability yet. It was probably only discovered after the victim reported it. And therefore we should setup a comprehensive vulnerability management program.

Risk management – In reality, it’s not easy applying every patch as soon as it comes out. This is why it’s important for us to craft a comprehensive vulnerability management program through which we can use a risk profile to prioritize security flaws.

How to detect zero day vulnerability?
DNS sink hole setup can assists systems evaluate programs and try to anticipate whether their actions are actually intended, or linked to a deliberate change in function. With time, these systems are exposed to the entire operations profile of programs and are able to raise alerts when they detect suspicious data access attempts.

Within this year, we are noticed that there are critical vulnerabilities found. Perhaps we cannot imagine that famous secuirty solution vendor also become a victim (see below):
– Citrix NetScaler CVE-2019-19781
– MobileIron CVE-2020-15505
– Pulse Secure CVE-2019-11510
– Palo Alto Networks CVE-2020-2021
– F5 BIG-IP CVE-2020-5902
– Fortinet FortiOS VPN vulnerability CVE-2018-13379
The federal and state, local, tribal, and territorial (SLTT) government networks, critical infrastructure are also make use of their products.
On 9th October 2020, CISA and FBI Release Joint Advisory Regarding APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations.

Offical announcement, please refer to link – https://us-cert.cisa.gov/ncas/alerts/aa20-283a

Remote Access Trojan: BLINDINGCAN – 19th Aug 2020

Preface: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have identified a malware variant—referred to as BLINDINGCAN—used by North Korean actors.

Techincal details: Perhaps the official report already provide the details. In short, the key point is that APT group exploit the Microsoft Word vulnerability (CVE-2017-0199). As such, APT attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The report described that malware will download [.]dll file from C&C server. The aim is to replace the local workstation iconcache[.]dll. Replace the iconcache[.]dll require privileges access right. So the specifics attack is targeting the machine which do not have patch installed. If it is successful. The unpack iconcache[.]dll will be transformed a variant of Hidden Cobra RAT.

Official announcement: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a

Recommendation: Check your MS office Patch – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

Reference: Perhaps you have doubt that why do the cyber security organization aware the cyber attack in earlier phase. Does it a conspricy? They do a sniffing of your traffic? Or doing surveillance?
No. they have several ways to protect the internet world. For example, relies on DNS Sink Hole activity record in service provider side, cyber crime activities reporting by computer users. Or, through alerts issued by law enforcement agencies, alerting of special types of cyber attacks from hostile entities.

intel new processor embedded anti malware feature – 15th june 2020

Preface: Starting with Oracle 11g release 1 (11.1), there is a just-in-time (JIT) compiler for Oracle JVM environment. A JIT compiler for Oracle JVM enables much faster execution because, it manages the invalidation, recompilation, and storage of code without an external mechanism.

Background: A way to prevent attack code execution by stack and heap. It marking stack and heap as non-executable. However some apps need executable heap (For instance JIT compiler), so it does not defend against `Return Oriented Programming’ exploits.

What is ROP exploit technique: Returnoriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

New Intel processor implement new preventive architecture: New Tiger Lake processors provides two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT). For more details, please see follow link – https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

data breach spread to banking enterprise. no exception to bank of America – 28th may 2020.

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences COVID- 19.

Point of view: Cybercrooks have been leveraging malicious macros hidden inside XML files to distribute the Dridex financial malware few years ago. But it was happened on 2015. Form my point of view, the incident happen this time have similarity.

Possibility: We can based on below feature and predict that attacker may relies of this feature design weakness to conduct the attack.

Accessing E-TranE-Tran Options
•loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
•A Web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur in this way: An attacker injects malicious JavaScript markup code as escaped text in an XML document. The XML document is then parsed by an XML application. Later, content of the XML element that contains malicious JavaScript markup code is used as input data for a website.

Official announcement – Please refer follow link : https://oag.ca.gov/system/files/2020-3523_Privacy_Notification_Final_Template%20%28P%29.pdf

Hacker target EU supercomputer – 19th May 2020

Preface: What if your computer is slow? Perhaps it is a sign of malware infection. This scenario also apply to modern supercomputer. Perhaps it is powerful. So no one aware. This is only a assumption. However modern supercomputer will be infected by malware. Why? Because part of the modern supercomputer has deployed a Linux OS system.

Details: It is true. For instance, Cray has Cluster compatibility mode.It is a standard x86/Linux environment. Several affected labs said that only the login portal to the supercomputer were affected, said Swissinfo.ch. Because hacker will be more interested of scientific research result in this period of time. In this case, how the attacker tried to infect the supercomputer. Please refer to the attached drawing. As usual, the attack entry point is the login portal. But the attacker should infect the client workstation on the beginning phase. For example Cryptocurrency mining malware shell script will be saved as /bin/httpdns. A scheduled task is created to run /bin/httpdns every hour. But it need to take the right time to land the script.

Headline Newshttps://www.swissinfo.ch/eng/bloomberg/hackers-target-european-supercomputers-researching-covid-19/45764250