bitdefender - X-Industry - Red Sky Alliance
2024-03-28T18:16:29Z
https://redskyalliance.org/xindustry/feed/tag/bitdefender

Trickbot Malware is Tricky, having New Devious Versions
https://redskyalliance.org/xindustry/trickbot-malware-is-tricky-having-new-devious-versions
2020-11-29T17:53:10.000Z
Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)
<div><p><a href="{{#staticFileLink}}8226972266,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8226972266,RESIZE_400x{{/staticFileLink}}" width="250" alt="8226972266?profile=RESIZE_400x" /></a>Despite attempts to stop the criminal hacking group responsible for managing the Trickbot trojan, the group continues its malicious activities by introducing new versions that make this malware more difficult to terminate. Trickbot can now offer Access-as-a-Service (AaaS) capabilities to other malware. Many cyber threat attacks start with a successful phishing campaign. This allows the Trickbot trojan to be used as a pathway for ransomware infections and distributed denial-of-service (DDoS) attacks. <span style="font-size:8pt;">Image: CRN Australia.</span></p>
<p>The latest Trickbot versions, 2000016 and 100003, were introduced on 3 November and 18 November 2020 respectively, with changes that include a new command-and-control infrastructure based on MikroTik routers and the exclusive use of packed modules. Before these releases, researchers say, the malware had last been updated in August 2020.</p>
<p>Version 2000016 was active for only about three weeks after Microsoft collaborated with other cybersecurity companies and government agencies to take down the 1 million-device Trickbot botnet, as noted by Bitdefender<a href="#_ftn1">[1]</a> in a recent report.<a href="#_ftn2">[2]</a> "Completely dismantling Trickbot has proven more than difficult, and similar operations in the past against popular Trojans have proven that the cybercriminal community will always push to bring back into operation something that's profitable, versatile and popular," the report says. "Trickbot might have suffered a serious setback, but its operators seem to be working in earnest to bring it back, potentially more resilient and difficult to extirpate than ever before." The newest Trickbot versions have been used in attacks in the US, Malaysia, Romania, Russia and Malta. "When Microsoft decided to take down Trickbot before the US elections, fearing the massive botnet could be used to inhibit the voting process in some way, the endeavor proved to be more like a 'kneecapping' operation rather than cutting the hydra's heads," says Bitdefender. "This was likely a short-term tactic, potentially just to make sure that Trickbot would not cause any issues during the elections."<a href="{{#staticFileLink}}8226974099,RESIZE_400x{{/staticFileLink}}"><img class="align-right" src="{{#staticFileLink}}8226974099,RESIZE_400x{{/staticFileLink}}" width="250" alt="8226974099?profile=RESIZE_400x" /></a></p>
<p>The latest version of the malware contains the same full list of modules that was used before the takedown attempt, along with a few changes. For example, it no longer uses share.dll or mshare.dll in its packed version. The researchers believe this likely indicates that Trickbot's operators are moving away from unpacked modules and cleaning up their list of lateral movement modules to use only packed ones.</p>
<p>The action against Trickbot's infrastructure forced its owners to take some additional steps to help ensure that any further efforts to take down the malware were unsuccessful. For communications between victims and the command-and-control servers, the 2000016 version of TrickBot is digitally signed using the password hashing function bcrypt. This usage was removed with the release of version 100003. That version of the malware only uses MikroTik for its command-and-control efforts. Another safeguard put in place is the use of an EmerDNS domain as a backup in case no known command-and-control server responds. </p>
<p>Researchers noted, "What's interesting about this particular domain is that the EmerCoin key (EeZbyqoTUrr4TpnBk67iApX2Wj3uFbACbr) used to administer the server also administers some [command-and-control] servers that belong to the Bazar backdoor. The analyzed sample (82e2de0b3b9910fd7f8f88c5c39ef352) uses the morganfreeman.bazar domain, which has the 81.91.234.196 IP address and running MikroTik v6.40.4."</p>
<p>Microsoft reported on 12 October 2020 that it had obtained a court order from the US District Court for the Eastern District of Virginia which permitted Microsoft to disable the servers that hosted Trickbot.<a href="#_ftn3">[3]</a> Yet within a few days, security firms CrowdStrike and Malwarebytes reported that the botnet was being reassembled, although activity levels were much lower than before the take-down effort.<a href="#_ftn4">[4]</a></p>
<p>The installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to a successful cyber security program. Yet these are not enough. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.</p>
<p>Red Sky Alliance has been tracking cyber criminals for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware like Trickbot is bought and sold, and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.</p>
<p style="text-align:left;">Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or:</p>
<p style="text-align:left;"><a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings:<br /> <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/">https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/">https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://www.databreachtoday.com/microsoft-others-dismantle-trickbot-botnet-a-15156">https://www.databreachtoday.com/microsoft-others-dismantle-trickbot-botnet-a-15156</a></p>
<p><a href="#_ftnref4">[4]</a> <a href="https://www.bankinfosecurity.com/updated-trickbot-malware-more-resilient-a-15449">https://www.bankinfosecurity.com/updated-trickbot-malware-more-resilient-a-15449</a></p></div>Chinese Hacking Group “FunnyDream” is a True Nightmarehttps://redskyalliance.org/xindustry/chinese-hacking-group-funnydream-is-a-true-nightmare2020-11-22T15:26:09.000Z2020-11-22T15:26:09.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}8204394459,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8204394459,RESIZE_400x{{/staticFileLink}}" alt="8204394459?profile=RESIZE_400x" width="250" /></a>I am sure everyone reading this post has had a dream where you wake up laughing. You sit on the edge of your bed and think about what was so funny that made you laugh. Well a recently identified Chinese hacking group called ‘FunnyDream’ (FD) ain’t so funny. In fact, FD has targeted over 200 government units in Southeast Asia since 2018 as part of an ongoing cyberespionage campaign. This according to research from the security firm Bitdefender. The FunnyDream campaign, active since 2018, mainly targets organizations conducting reconnaissance, gather data and documents and then exfiltrate the information. This is not good for any government. Researchers explain that many of the command-and-control servers associated with this campaign are inactive, although some remain operational. </p>
<p>Based on FD’s use of malware previously linked to other Chinese advanced persistent threat (APT) groups and the concentration of the targets around Southeast Asia, this group is likely part of Chinese state-sponsored espionage activities intended to further the country's geopolitical interests. Southeast Asian countries have long been a Chinese interest. "Attack artifacts show signs of a Chinese APT group that we believe to be state-sponsored," says a researcher with Bitdefender. "Geopolitical tensions in the region are always present, and information exfiltrated by an APT campaign can yield commercial and military advantages to various adversaries and could compromise government actors should embarrassing political or personal information be revealed."</p>
<p>The recent findings detected malware infrastructure used by this group in Hong Kong, South Korea and Vietnam. Of recent note, Vietnam, a communist country, is not really happy with China. Researchers at Kaspersky also found traces of malware and other malicious tools associated with FD used in campaigns that target organizations in Malaysia, Taiwan, the Philippines and Vietnam. FD became active in late 2018 and has targeted more than 200 victims in 2 years. In these campaigns the hackers mainly use a combination of three malware variations: Chinoxy, PCShare and FunnyDream. These malware strains are then used for spying, as backdoors, to achieve persistence within devices and networks, and for document collection.<a href="#_ftn1">[1]</a></p>
<p>The FD backdoor comes with a number of capabilities to amass personal information, clear traces of malware deployment, thwart detection and execute malicious instructions, the outcomes of which are transmitted back to command-and-control (C2) servers located in Hong Kong, China, South Korea, and Vietnam. “Attributing APT model assaults to a specific group or nation will be extraordinarily tough, largely because forensic artefacts can typically be planted deliberately, C2 infrastructure can reside anyplace on the earth, and the instruments used will be repurposed from different APT teams,” the researchers warned.</p>
<p>Bitdefender says that the hacking group uses distributed command-and-control servers for each of the backdoors to help evade detection. "The distributed [command-and-control] infrastructure primarily controls the three backdoors," the report says. "Having [command-and-control] infrastructure in the same region as the likely attack targets tends to draw less suspicion to the IP traffic than remote communications from outside the region."</p>
<p><a href="{{#staticFileLink}}8204395070,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8204395070,RESIZE_400x{{/staticFileLink}}" alt="8204395070?profile=RESIZE_400x" width="250" /></a></p>
<table style="height:24px;width:100%;" width="770">
<tbody>
<tr>
<td>
<p>Figure 1. Bitdefender</p>
</td>
</tr>
</tbody>
</table>
<p>FD also employs other malicious tools, such as Filepak for file collection, ScreenCap for taking screenshots and Keyrecord for logging keystrokes on the victims' systems. Once the attackers infect a victim's device, FD proceeds to compromise the domain controllers within the victim's network for lateral movement. The attackers then attempt to gain control over numerous devices within that victim's network.</p>
<p>This report did not explain how these initial attacks against targeted networks began, such as whether the hackers used social engineering lures in phishing emails as part of the initial compromise or took advantage of vulnerabilities in applications or devices.</p>
<p>Bitdefender cautions that FD ‘could’ be a Chinese state-sponsored entity based on its use of Chinese-language binaries and the Chinoxy backdoor, a remote access Trojan known to have been used by Chinese-speaking threat actors during previous campaigns. Chinoxy, which other security researchers have linked to another Chinese APT group called "Roaming Tiger," has been active since 2014 and has targeted defense organizations, critical infrastructure and universities throughout East Asian countries.<a href="#_ftn2">[2]</a></p>
<p>In March 2020, independent security researcher Sebdraven, who has been tracking Chinoxy's activities, said the malware was being spread as malicious documents in a COVID-19 themed phishing campaign.<a href="#_ftn3">[3]</a> COVID-19 has been a popular lure since the spring of 2020.</p>
<p>Red Sky Alliance has been tracking Chinese APT and lower tier threat actors for years. Throughout our research we have painfully learned through our clients that the installation, updating and monitoring of firewalls, cyber security and proper employee training are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground and help support current protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p>Weekly Cyber Intelligence Briefings: <a href="https://attendee.gotowebinar.com/register/8782169210544615949">https://attendee.gotowebinar.com/register/8782169210544615949</a></p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.bankinfosecurity.com/chinese-hacking-group-suspected-far-reaching-campaign-a-15396">https://www.bankinfosecurity.com/chinese-hacking-group-suspected-far-reaching-campaign-a-15396</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/">https://www.zdnet.com/article/more-than-200-systems-infected-by-new-chinese-apt-funnydream/</a></p>
<p><a href="#_ftnref3">[3]</a> <a href="https://securityboulevard.com/2020/04/covid-19-chinoxy-backdoor-a-network-perspective/">https://securityboulevard.com/2020/04/covid-19-chinoxy-backdoor-a-network-perspective/</a></p></div>