rats - X-Industry - Red Sky Alliance (tag feed, last updated 2024-03-29T15:30:02Z, https://redskyalliance.org/xindustry/feed/tag/rats)
SpyNote RAT (https://redskyalliance.org/xindustry/spynote-rat), published 2024-02-22T13:00:00.000Z by CyberDog (https://redskyalliance.org/members/CyberDog189)<div><p><a href="{{#staticFileLink}}12386253501,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}12386253501,RESIZE_400x{{/staticFileLink}}" alt="12386253501?profile=RESIZE_400x" width="250" /></a>SpyNote is an Android Remote Access Trojan (RAT) that initially surfaced in 2020. It has since grown into one of the most common Android malware families, with more than 10,000 known samples and numerous variants, some of which integrate other RATs (e.g., CypherRat). Since 2023, its operators have shown a <a href="https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions">growing interest</a> in <a href="https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions">financial institutions</a>.</p>
<p>On 1 February 2024, analysts found a malicious sample posing as a legitimate crypto wallet. It embeds the SpyNote RAT with several notable additions related to anti-analysis and cryptocurrency theft.<a href="#_ftn1">[1]</a></p>
<table style="width:100%;" width="100%">
<tbody>
<tr>
<td style="width:100%;">
<p>Affected Platform: Android</p>
<p>Impacted Users: Android users with mobile crypto wallet or banking applications</p>
<p>Impact: Financial Loss</p>
<p>Severity Level: Medium</p>
</td>
</tr>
</tbody>
</table>
<p>Accessibility API for crypto wallet injections - Like much Android malware today, this sample abuses the Accessibility API. The API exists so that assistive apps can read on-screen content and perform UI actions on the user's behalf; malware abuses that same capability. For example, the sample uses the Accessibility API to record device-unlock gestures. What is new is that this SpyNote sample also uses the Accessibility API to target popular crypto wallets.</p>
<p>The following code detects when a legitimate crypto wallet is in the foreground and displays an overlay on top of it.<br /> <a href="{{#staticFileLink}}12386256473,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386256473,RESIZE_710x{{/staticFileLink}}" alt="12386256473?profile=RESIZE_710x" width="628" /></a></p>
<p>The injected overlay is a WebView whose HTML is hard-coded in the sample as a Base64 string.</p>
<p><a href="{{#staticFileLink}}12386258077,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386258077,RESIZE_710x{{/staticFileLink}}" alt="12386258077?profile=RESIZE_710x" width="626" /></a></p>
<p>Decoding the overlay yields an HTML page for a cryptocurrency transfer. Note that the page shows a transfer between two hard-coded fake wallets; the "…" between the alleged wallet addresses is exactly as it appears in the code (the full addresses are censored in the screenshot). To a malware analyst, they are obviously fake. The victim, however, is unlikely to notice, because (1) wallet identifiers are always long strings and therefore hard to verify by eye, and (2) the page looks as if it were displayed by the victim's legitimate wallet application, when in reality it is drawn over the real wallet app, which the victim cannot tell from what is on screen.</p>
<p><a href="{{#staticFileLink}}12386259259,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386259259,RESIZE_710x{{/staticFileLink}}" alt="12386259259?profile=RESIZE_710x" width="628" /></a></p>
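<p>As an added illustration (not code from the original report or from the malware itself), the following Python helper hunts for this kind of hard-coded overlay in strings dumped from a sample: it finds long Base64 runs, decodes those that yield HTML, and pulls out wallet-looking identifiers so an analyst can spot hard-coded fake addresses at a glance. The input strings, the overlay HTML and the addresses are all constructed for the example; <code>find_overlays</code>, the 64-character threshold and the wallet pattern are assumptions, not anything taken from the sample.</p>

```python
import base64
import re

# Constructed sample strings, of the kind an analyst dumps from a decompiled DEX.
# The Base64 blob is a made-up stand-in for the real overlay, not the sample's own HTML.
FAKE_OVERLAY_HTML = (
    "<html><body><form id='transfer'>"
    "<p>From: 0xAB12…CD34</p><p>To: 0x98FE…7654</p>"
    "<input name='amount' value='1.00'><button>Confirm</button>"
    "</form></body></html>"
)
SAMPLE_STRINGS = [
    "Lcom/example/wallet/MainActivity;",
    "initializeService.usdtadress",
    base64.b64encode(FAKE_OVERLAY_HTML.encode("utf-8")).decode("ascii"),
    "bm90IGh0bWw=",  # decodes to "not html": too short to be an overlay candidate
    "action_max",
]

# A run of at least 64 Base64 characters (the threshold is an assumption; tune per sample)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HTML_MARKERS = (b"<html", b"<form", b"<body", b"<script")
# Hex-style wallet identifiers, including the abbreviated "0xAB12…CD34" form seen in overlays
WALLET_LIKE = re.compile(r"0x[0-9A-Fa-f]{2,}(?:…|\.\.\.)?[0-9A-Fa-f]{2,}")


def find_overlays(strings):
    """Return [(decoded_html, [wallet-like identifiers])] for every Base64 run that decodes to HTML."""
    hits = []
    for s in strings:
        for match in B64_RUN.finditer(s):
            blob = match.group(0)
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # not valid Base64 after all (bad length or padding)
                continue
            if not any(marker in raw.lower() for marker in HTML_MARKERS):
                continue  # decodes, but is not an HTML overlay
            html = raw.decode("utf-8", errors="replace")
            hits.append((html, WALLET_LIKE.findall(html)))
    return hits


if __name__ == "__main__":
    for html, wallets in find_overlays(SAMPLE_STRINGS):
        print("overlay found; hard-coded wallet-like strings:", wallets)
        print(html)
```

<p>The HTML-marker check is what keeps the scan useful: long Base64 runs are everywhere in an APK (certificates, images, obfuscated strings), so decoding alone produces noise, whereas a blob that decodes to a form with two wallet identifiers in it is exactly the artifact described above.</p>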
<p>In addition, the malicious code uses the Accessibility API to fill out the wallet's transfer form automatically and send a given amount of cryptocurrency to the cybercriminals. Precisely, the code performs the following steps:</p>
<ul>
<li>Reads and stores the destination wallet address (field input_value)</li>
<li>Reads and stores the amount (field input_general_amount)</li>
<li>Replaces the destination address with the attacker's crypto wallet address (initializeService.usdtadress), which is supplied by the remote server the malware communicates with</li>
<li>Clicks Max (action_max). This <a href="https://www.wikihow.com/Sell-on-Trust-Wallet">option requests sending the full balance</a>, not a portion of it</li>
<li>Clicks the Next/Continue button</li>
</ul>
<p><a href="{{#staticFileLink}}12386259877,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386259877,RESIZE_710x{{/staticFileLink}}" alt="12386259877?profile=RESIZE_710x" width="618" /></a>These operations are performed automatically through the Accessibility API, without any user interaction.</p>
<p>Permissions for the Accessibility API - To use the Accessibility API, malware must first lure the victim, one way or another, into granting it accessibility rights; this sample follows the same strategy. Analysts remind end-users that they should never grant this. Legitimate apps do request the Accessibility API to help people with disabilities, but such a request coming from an alleged crypto wallet, PDF reader, video player, etc. should always be treated as highly suspicious. The two screenshots below show (1) the SpyNote malware requesting an Accessibility Service and (2) the additional warning window the Android OS displays when you grant that access, explaining the risks. At that point it is still possible to tap "Deny", and the malware will not gain access.</p>
<p><a href="{{#staticFileLink}}12386259894,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386259894,RESIZE_584x{{/staticFileLink}}" alt="12386259894?profile=RESIZE_584x" width="447" /></a>Unfortunately, once the victim taps "Allow", it is essentially "game over": the malware can navigate, click, read, and modify any application.</p>
<p>Anti-analysis - Besides injecting crypto wallets, the sample features a simple but effective anti-analysis technique. Recall that Android Packages (APKs) are ZIP files and usually contain a Dalvik executable (classes.dex), a manifest (AndroidManifest.xml), resources, and assets. In this particular case, the sample is malformed: several resource files are stored under paths that use classes.dex and AndroidManifest.xml as directory names.</p>
<p><a href="{{#staticFileLink}}12386260099,RESIZE_710x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}12386260099,RESIZE_710x{{/staticFileLink}}" alt="12386260099?profile=RESIZE_710x" width="620" /></a>But classes.dex and AndroidManifest.xml are files, not directories, and a path cannot be both on disk. Consequently, standard unzip tools fail with many errors, which complicates automated analysis of the sample.</p>
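<p>The following Python snippet is an added example (not from the original report) that reproduces the trick on a constructed archive and shows the check an analysis pipeline would want: list every entry whose directory prefix collides with a file entry, then extract into memory while renaming the colliding prefix so that nothing fails. The sample archive contents, the <code>__dir</code> suffix and the function names are assumptions made for the example; only the file/directory collision itself is taken from the report.</p>

```python
import io
import zipfile


def build_constructed_sample():
    """Constructed stand-in for the malformed APK: 'classes.dex' and 'AndroidManifest.xml'
    are file entries AND appear as directory prefixes of other entries (made-up contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("classes.dex/res/values/strings.xml", b"<resources/>")
        z.writestr("AndroidManifest.xml/res/layout/main.xml", b"<LinearLayout/>")
        z.writestr("res/drawable/icon.png", b"\x89PNG")
    return buf.getvalue()


def find_path_collisions(names):
    """Return {file_entry: [entries that use that file's name as a directory component]}.
    A non-empty result is the signature of this anti-analysis trick."""
    files = {n for n in names if not n.endswith("/")}
    collisions = {}
    for n in names:
        parts = n.split("/")
        for i in range(1, len(parts)):  # every proper directory prefix of n
            prefix = "/".join(parts[:i])
            if prefix in files:
                collisions.setdefault(prefix, []).append(n)
    return collisions


def safe_extract(apk_bytes, suffix="__dir"):
    """Extract to an in-memory {path: bytes} dict, renaming colliding directory prefixes
    (classes.dex/... -> classes.dex__dir/...) instead of failing like a plain unzip."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        collisions = find_path_collisions(z.namelist())
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # longest prefix first so nested collisions are rewritten consistently
            for prefix in sorted(collisions, key=len, reverse=True):
                if name.startswith(prefix + "/"):
                    name = prefix + suffix + name[len(prefix):]
            out[name] = z.read(info)
    return out, collisions


if __name__ == "__main__":
    files, collisions = safe_extract(build_constructed_sample())
    print("collisions:", collisions)
    print("extracted:", sorted(files))
```

<p>The central directory is only a list of names, so ZIP writers happily emit both <code>classes.dex</code> and <code>classes.dex/res/...</code>; it is the extractor that has to choose between a file and a directory. Reading entries straight out of the archive, as above, side-steps that choice entirely and still lets you hand the real <code>classes.dex</code> and manifest to the next tool.</p>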
<p>Conclusion - After a growing interest in financial institutions, this new Android/SpyNote sample shows that its authors now target cryptocurrency as well. The malware's capabilities go beyond credential theft: it can initiate cryptocurrency transfers on the victim's behalf.</p>
<p>As for anti-analysis, the technique is simple and easily bypassed by a human analyst, but it defeats, or at least complicates, automated analysis, buying the malware author a little more time before detection. The sample is detected as Android/SpyNote.F!tr (see the IOC table below), and Android users should pay particular attention to any application requesting the Accessibility API.</p>
<p>IOCs</p>
<table width="100%">
<tbody>
<tr>
<td width="10%">
<p><strong>File</strong></p>
</td>
<td width="71%">
<p><strong>Hash</strong></p>
</td>
<td width="17%">
<p><strong>Detection</strong></p>
</td>
</tr>
<tr>
<td width="10%">
<p>Imtoken.apk</p>
</td>
<td width="71%">
<p>SHA1: 8eea235b26fadeecd0f817433c97747853c51a24<br /> SHA256: caac4681389b0af7998ba8fd2062d18050a0e5e8cb4c8d0006a1b3a921ee52c8</p>
</td>
<td width="17%">
<p>Android/SpyNote.F!tr</p>
</td>
</tr>
</tbody>
</table>
<p><em>This article is presented at no charge for educational and informational purposes only.</em></p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.redskyalliance.com/">https://www.redskyalliance.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5993554863383553632">https://attendee.gotowebinar.com/register/5993554863383553632</a></p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies?lctg=141970831">https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies?lctg=141970831</a></p></div>
Legitimate RATs (https://redskyalliance.org/xindustry/legitimate-rats), published 2023-04-14T11:50:00.000Z by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)<div><p><a href="{{#staticFileLink}}11027054077,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}11027054077,RESIZE_400x{{/staticFileLink}}" alt="11027054077?profile=RESIZE_400x" width="250" /></a>The purpose of this report is to detail the artifacts left by a third-party remote access tool during its setup and use. Such a tool lets someone who is not physically at a device control it, interact with it, and see its screen. Tools that do not provide visual interaction, such as PsExec, are out of scope for this study.</p>
<p>The motivation for this study came from a tweet by @IcsNick listing "Remote Admin Tools that are abused by threat actors". Threat actors do leverage these legitimate tools for several purposes: obtaining remote access to a device and persistence on it, pushing scripts and other tools, and moving laterally to other devices in linked corporate information systems (e.g., between an IT provider and its customers). Therefore, based on IcsNick's comprehensive list and other public investigation reports, we decided to analyze a few of them, as a starting point, in order to fully understand what artifacts these tools generate. The results are used to automate their detection during our investigations, to speed up the process and to point the analyst at the interesting log files. Of course, the forensic or SOC analyst still has to determine whether those tools were used legitimately by the IT team or by malicious actors.</p>
<p>This report describes the artifacts of four remote admin tools: TeamViewer, AnyDesk, Atera, and Splashtop, with the focus on the Windows platform. A part 2 may cover other tools and artifacts left on other platforms.</p>
<p>Link to full report: <a href="{{#staticFileLink}}11027054681,original{{/staticFileLink}}">IR-23-102-001_LegitRATS.pdf</a></p></div>
Parlez-vous Français ? (https://redskyalliance.org/xindustry/parlez-vous-francais), published 2022-11-08T19:00:00.000Z by Jim McKee (https://redskyalliance.org/members/JimMcKee)<div><p><a href="{{#staticFileLink}}10872425495,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10872425495,RESIZE_400x{{/staticFileLink}}" width="202" alt="10872425495?profile=RESIZE_400x" /></a>According to a new report published by cybersecurity firm Group-IB, a French-speaking cybercrime group may have stolen more than $30 million from banks and other organizations in recent years. The threat actor has been named Opera1er. Some of its activities were previously investigated by others under the names Common Raven, Desktop-Group, and NXSMS.</p>
<p>Investigators are aware of 30 successful attacks between 2019 and 2021. In many cases, the same victim was attacked multiple times. Most of the attacks targeted African banks. Recent attacks in 2021 and 2022 singled out five banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the identified victims are said to have been compromised twice, with their infrastructure subsequently weaponized to strike other organizations. The list of victims also includes financial services, mobile banking services, and telecom firms, across 15 countries in Africa, Latin America, and Asia.<a href="#_ftn1">[1]</a></p>
<p>Researchers have confirmed the theft of $11 million from victims since 2019, but they believe the cybercriminals could have made more than $30 million. Opera1er attacks typically start with a spear-phishing email sent to a limited number of people within the targeted organization. The goal is to obtain access to domain controllers and banking back-office systems. After gaining access to an organization’s systems, the hackers waited for 3-12 months before stealing funds. In the final phase of the operation, the cybercriminals used the banking infrastructure to transfer money from the bank’s customers to mule accounts, from where they would be withdrawn at ATMs by money mules, typically over weekends and public holidays.</p>
<p>Opera1er gained access to the SWIFT messaging interface in at least two banks. In one incident, the hackers obtained access to an SMS server that could be used to bypass anti-fraud controls or to cash out money via payment or mobile banking systems. In another incident, Opera1er used an antivirus update server deployed in the infrastructure as a pivot point.</p>
<p>Opera1er does not appear to rely on any zero-day vulnerabilities or custom malware. The group has been leveraging old software flaws and widely available malware and tools; its "entire arsenal is based on open-source programs and trojans, or free published RATs that can be found on the dark web." This includes off-the-shelf malware such as Nanocore, Netwire, Agent Tesla, Venom RAT, BitRAT, Metasploit, Cobalt Strike Beacon, and others.</p>
<p>Analysts found that most of the attackers’ emails were written in French, and researchers determined that their English and Russian are “quite poor.” Based on the oldest domain registered by the group, Opera1er has been active since at least 2016.</p>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.securityweek.com/french-speaking-cybercrime-group-stole-millions-banks">https://www.securityweek.com/french-speaking-cybercrime-group-stole-millions-banks</a></p></div>
Did you pick-up anything extra from Discord or Slack meeting? (https://redskyalliance.org/xindustry/did-you-pick-up-anything-extra-from-discord-or-slack-meeting), published 2021-04-22T16:52:26.000Z by Mac McKee (https://redskyalliance.org/members/MacMcKee)<div><p><a href="{{#staticFileLink}}8823881886,RESIZE_400x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}8823881886,RESIZE_400x{{/staticFileLink}}" width="250" alt="8823881886?profile=RESIZE_400x" /></a>A single search for one Discord CDN recently turned up almost 20,000 malware results, researchers found. Workflow and collaboration tools like Slack and Discord have been infiltrated by threat actors, who abuse their legitimate functions to evade security controls and deliver info-stealers, remote-access trojans (RATs) and other malware.</p>
<p>The pandemic-induced shift to remote work drove business processes onto these collaboration platforms in 2020, and predictably, 2021 has ushered in a new level of cybercriminal expertise in attacking them. Cisco's Talos cybersecurity team said in a report on <a href="https://blog.talosintelligence.com/2021/04/collab-app-abuse.html">collaboration app abuse</a> this week that during the past year threat actors have increasingly used apps like Discord and Slack to trick users into opening malicious attachments and to deploy various RATs and stealers, including <a href="https://threatpost.com/agent-tesla-microsoft-asmi/163581/">Agent Tesla</a>, AsyncRAT, Formbook and others. “One of the key challenges associated with malware delivery is making sure that the files, domains or systems don’t get taken down or blocked,” Talos researchers explained in their report. “By leveraging these chat applications that are likely allowed, they are removing several of those hurdles and greatly increase the likelihood that the attachment reaches the end user.”</p>
<p>The researchers explained that Slack, Discord and other <a href="https://threatpost.com/beyond-zoom-safe-slack-collaboration-apps/154446/">collaboration app platforms</a> use content delivery networks (CDNs) to store the files shared back and forth within channels. As an example, Talos uses the Discord CDN, which is accessible by a hardcoded CDN URL from anywhere, by anyone on the internet. “This functionality is not specific to Discord. Other collaboration platforms like Slack have similar features,” Talos reported. “Files can be uploaded to Slack, and users can create external links that allow the files to be accessed, regardless of whether the recipient even has Slack installed.”</p>
<p>The trick, the team said, is to get users to click on a malicious link. Once it <a href="https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/">has evaded detection</a> by security, it’s just a matter of getting the employee to think it’s a genuine business communication, a task made easier within the confines of a collaboration app channel.</p>
<p>This also means attackers can deliver their malicious payload to the CDN over encrypted HTTPS, and that the files can be compressed, further disguising the content, according to Talos. Over the past year, the researchers observed many common archive formats in use, including .ACE, .GZ, .TAR and .ZIP, and several less common ones, such as .LZH.</p>
<p>“In most cases, the [messages] themselves are consistent with what we have grown accustomed to seeing from malspam in recent years,” Talos said. “Many of the [messages] purport to be associated with various financial transactions and contain links to files claiming to be invoices, purchase orders and other documents of interest to potential victims.” Messages were delivered by attackers in several languages, including English, Spanish, French, German and Portuguese, they added.</p>
<p>CDNs are also handy for cybercriminals delivering additional payloads in multi-stage infections. The researchers saw this behavior across malware families, adding that a search for one Discord CDN turned up almost 20,000 results in VirusTotal. “This technique was frequently used across malware distribution campaigns associated with RATs, stealers and other types of malware typically used to retrieve sensitive information from infected systems,” the Talos team explained.</p>
<p>The data from the Discord CDN is converted into the final malicious payload and injected remotely, the report said. “As is common with Remcos infections, the malware communicated with a command-and-control server (C2) and exfiltrated data via an attacker-controlled DNS server,” the report added. “The attackers achieved persistence through the creation of registry run entries to invoke the malware following system restarts.”</p>
<p>In another campaign using AsyncRAT, the malware downloader looked like a blank Microsoft document, but when opened it used macros to deliver the payload. The Discord API has also turned into an effective tool for attackers to exfiltrate data from the network. The C2 communications are enabled through webhooks, which, the researchers explained, were developed to send automated messages to a specific Discord server and are frequently linked with additional services like GitHub or DataDog.</p>
<p>“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” they said. The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic crossing the network, they added. The versatility and accessibility of Discord webhooks make them a clear choice for some threat actors, according to the analysis: “With merely a few stolen access tokens, an attacker can employ a truly effective malware campaign infrastructure with very little effort. The level of anonymity is too tempting for some threat actors to pass up.”</p>
<p>This communication flow can also be used to alert attackers when there are new systems available to be hijacked, and delivers updated information about those they’ve already infiltrated, Talos said. The team also observed campaigns associated with Pay2Decrypt LEAKGAP ransomware, which used the Discord API for C2, data exfiltration and bot registration, in addition to Discord webhooks for communications between attacker and systems.</p>
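<p>As an added example (not from Talos or the original article), here is a small Python triage over constructed proxy-log lines that flags the two patterns described above: archive or executable downloads from the Discord attachment CDN, and HTTP POSTs to a Discord webhook URL, with the webhook token redacted in the alert so the alert itself does not become a credential. The log format, IP addresses, IDs, webhook token and user agents are made up for the example; the file-extension list and the alert names are assumptions.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines: time, client, method, url, status, bytes, user-agent (space-separated).
# Made-up records for the example, not a real proxy format or real traffic.
SAMPLE_LOG = """\
2021-04-20T09:12:01Z 10.1.4.22 GET https://cdn.discordapp.com/attachments/812345/9876/Invoice_0421.zip 200 184320 Mozilla/5.0
2021-04-20T09:12:40Z 10.1.4.22 POST https://discord.com/api/webhooks/81234567890/AbCdEf-ghIJkl_MNOPqrstuvwxyz0123456789 204 2048 python-requests/2.25.1
2021-04-20T09:15:03Z 10.1.4.31 GET https://cdn.discordapp.com/attachments/555/666/team_photo.png 200 91200 Mozilla/5.0
2021-04-20T09:16:11Z 10.1.4.31 POST https://discord.com/api/v9/channels/555/messages 200 512 Discord-Client/1.0
2021-04-20T09:20:55Z 10.1.4.40 GET https://example.com/index.html 200 3200 Mozilla/5.0
"""

# Archive and executable extensions worth a second look when served from the attachment CDN
# (the formats named by Talos plus a few usual suspects; the list is an assumption)
ARCHIVE_OR_EXEC = re.compile(r"\.(?:zip|gz|tar|ace|lzh|rar|7z|exe|dll|scr|js|vbs)$", re.I)
# Webhook URLs take the form /api/webhooks/<id>/<token> (optionally with an API version)
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "cdn.discordapp.com"}


def triage(log_text):
    """Return [(client, alert_name, evidence)] for the Discord CDN / webhook patterns."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) != 7:
            continue  # malformed line; skip rather than crash the triage
        _ts, client, method, url, _status, _size, ua = fields
        u = urlsplit(url)
        if u.hostname not in DISCORD_HOSTS:
            continue
        if (method == "GET" and u.hostname == "cdn.discordapp.com"
                and u.path.startswith("/attachments/") and ARCHIVE_OR_EXEC.search(u.path)):
            alerts.append((client, "cdn-archive-download", u.path.rsplit("/", 1)[-1]))
        m = WEBHOOK_PATH.match(u.path)
        if method == "POST" and m:
            webhook_id, token = m.groups()
            # keep the ID for pivoting across logs, redact the token (it is a write credential)
            alerts.append((client, "webhook-post", f"id={webhook_id} token={token[:4]}... ua={ua}"))
    return alerts


if __name__ == "__main__":
    for client, name, evidence in triage(SAMPLE_LOG):
        print(f"{client}  {name:<22} {evidence}")
```

<p>Both alerts fire for the same client here, which is the shape worth hunting for: an archive pulled from the CDN followed minutes later by a webhook POST from a non-browser user agent is a download-then-exfiltrate sequence, whereas an image from the CDN or a message posted by the real client to a channel endpoint is ordinary Discord use and stays quiet.</p>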
<p>“Following successful infection, the data stored on the system is no longer available to the victim and the following ransom note is displayed,” the report said. They provided a screenshot of the ransom note received by users after infection:</p>
<p> <a href="{{#staticFileLink}}8823882292,RESIZE_584x{{/staticFileLink}}"><img class="align-center" src="{{#staticFileLink}}8823882292,RESIZE_400x{{/staticFileLink}}" width="300" alt="8823882292?profile=RESIZE_400x" /></a></p>
<p>Discord generates an alphanumeric string, or access token, for each user, according to Talos, which attackers can steal to hijack accounts; the researchers said they saw this frequently targeting online gaming. “At the time of writing, Discord does not implement client verification to prevent impersonation by way of a stolen access token,” according to Talos. “This has led to a large amount of Discord token-stealers being implemented and distributed on GitHub and <a href="https://threatpost.com/discord-stealing-malware-npm-packages/163265/">other forums</a>. In many cases, the token stealers pose as useful utilities related to online gaming, as Discord is one of the most prevalent chat and collaboration platforms in use in the gaming community.”</p>
<p>These accounts are then used to anonymously deliver malware and for social-engineering purposes, they add.</p>
<p>The solutions, much like the threats themselves, need to be multi-faceted, according to experts. But the primary responsibility to put more security in place is on the platforms themselves, according to Oliver Tavakoli, CTO of Vectra. “This trend will continue until suppliers of such collaboration tools put more effort into providing more policy controls to lock down the environment and add more telemetry to monitor it,” Tavakoli told Threatpost. “It will also require security vendors to step up and use the telemetry to detect and block attacks within these communication channels.”</p>
<p>On the business side, Mark Kedgley, CTO at New Net Technologies, recommends focusing on user privileges. “To mitigate the risks, more focus on least privilege is needed, as it’s still too common for users to run with local admin rights,” Kedgley recommended. “Email and office applications provide a number of hardened settings to combat malware and phishing; however, not enough organizations make use of them. Change control and vulnerability management as core security controls should be in place as well.”</p>
<p>But fundamentally, how can any business or any user be expected to stay on top of the glut of communications channels today’s workers are feverishly trying to maintain? Simplification is one way to narrow the attack surface and make it reasonable for users to be mindful of the security of their interactions, Chris Hazelton with Lookout advised.</p>
<p>“Most organizations have too many communication tools: email, collaboration and messaging platforms, web conferencing chats, and text messages on phones and tablets,” Hazelton said. “This means users are overwhelmed as they communicate with different or sometimes the same people across multiple platforms. This leads to lesser awareness of risks in sharing across collaboration platforms and other communications tools.”</p>
<p>Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports, available at <a href="https://redskyalliance.org/">https://redskyalliance.org</a> at no charge. Many past tactics are reused in current malicious campaigns.</p>
<p><a href="{{#staticFileLink}}8823882875,original{{/staticFileLink}}">TR-21-112-001_Slack_Discord.pdf</a></p>
<p><span style="font-size:8pt;"><a href="https://threatpost.com/attackers-discord-slack-malware/165295/">https://threatpost.com/attackers-discord-slack-malware/165295/</a></span></p>
</div>