Windows Privilege Escalation – Windows Server 2012 R2
Generate a hash file for John the Ripper using pwdump or samdump2. If a service binary (or the directory it lives in) is writable by your user, replace the binary, restart the service and get SYSTEM. To check file and directory permissions use cacls and icacls, or accesschk from Sysinternals (accesschk-XP on older hosts).
Windows Subsystem for Linux (WSL) lets any user create a bind shell on any port, no elevation needed: start your bind or reverse shell from the WSL bash binary.
All Windows services have a path to their executable. If that path is unquoted and contains whitespace or other separators, the service control manager will try to run a file in each parent path first (C:\Program.exe is attempted before C:\Program Files\...), so a parent directory writable by your user lets you plant a binary that runs as the service account.
Use cmdkey /list to list the stored credentials on the machine, then use runas with the provided set of credentials (for example, to launch a payload hosted on a remote SMB share). Check whether a patch is installed with: wmic qfe list | findstr “”.
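The unquoted-service-path check above is easy to do by hand for one service and tedious for a whole host. The following Python is an added example (not code from this page or from any of the tools it names) that works the logic through offline: it parses `wmic service get name,pathname` output, computes the executables Windows will try before the real one, and consults the directory ACLs as `icacls` prints them to decide whether a low-privileged user could plant a file there. The wmic output, the service names and paths, and the `C:\Apps\Vuln App` ACL are all constructed for the example; the `C:\` and `C:\Program Files` entries mirror Windows defaults, which is why the `(IO)` inherit-only and `(AD)` add-subdirectory entries must not count as "writable".

```python
import re

# Constructed sample of `wmic service get name,pathname` output (not from a real host).
# Service names and paths are hypothetical.
WMIC_OUTPUT = r"""Name        PathName
GoodSvc     "C:\Program Files\Good Vendor\svc.exe" -run
ToolSvc     C:\Program Files\Vendor Tool\tool.exe
VulnSvc     C:\Apps\Vuln App\Service Bin\vulnsvc.exe -service
PlainSvc    C:\Windows\system32\svchost.exe -k netsvcs
"""

# Constructed `icacls <dir>` ACEs for the directories involved, keyed by directory.
# C:\ and C:\Program Files mirror the Windows defaults; C:\Apps\Vuln App is the
# hypothetical vendor misconfiguration that makes VulnSvc hijackable.
ICACLS = {
    "C:\\": [
        "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
        "BUILTIN\\Administrators:(OI)(CI)(F)",
        "BUILTIN\\Users:(OI)(CI)(RX)",
        "NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(M)",   # inherit-only: not C:\ itself
        "NT AUTHORITY\\Authenticated Users:(AD)",              # may add subfolders, not files
    ],
    "C:\\Program Files": [
        "NT AUTHORITY\\SYSTEM:(OI)(CI)(F)",
        "BUILTIN\\Administrators:(OI)(CI)(F)",
        "BUILTIN\\Users:(OI)(CI)(RX)",
        "CREATOR OWNER:(OI)(CI)(IO)(F)",
    ],
    "C:\\Apps": ["BUILTIN\\Administrators:(OI)(CI)(F)", "BUILTIN\\Users:(OI)(CI)(RX)"],
    "C:\\Apps\\Vuln App": ["BUILTIN\\Administrators:(OI)(CI)(F)", "BUILTIN\\Users:(OI)(CI)(M)"],
}

LOW_PRIV = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# Rights that let a principal create a file in a directory: full, modify, write, write-data/add-file.
WRITE_RIGHTS = {"F", "M", "W", "WD"}


def parse_wmic(text):
    """Return {service_name: PathName} from wmic's fixed-width table output."""
    lines = [l for l in text.splitlines() if l.strip()]
    col = lines[0].index("PathName")
    return {l[:col].strip(): l[col:].strip() for l in lines[1:]}


def hijack_candidates(pathname):
    """For an unquoted PathName whose executable path contains spaces, return the
    executables Windows will try before the intended one: CreateProcess cuts the
    string at each space and appends .exe (C:\\Program Files\\X Y\\z.exe is tried
    as C:\\Program.exe, then C:\\Program Files\\X.exe, then the real binary)."""
    path = pathname.strip()
    if path.startswith('"'):
        return []                                   # quoted: no ambiguity
    m = re.match(r"(?i)(.*?\.exe)\b", path)         # drop service arguments after the .exe
    exe = m.group(1) if m else path
    candidates, idx = [], exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return candidates


def dirname(path):
    head = path.rsplit("\\", 1)[0]
    return head + "\\" if head.endswith(":") else head


def parse_ace(ace):
    """'BUILTIN\\Users:(OI)(CI)(M)' -> ('BUILTIN\\Users', {'OI', 'CI', 'M'})."""
    principal, _, rest = ace.partition(":")
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", rest):
        tokens.update(t.strip() for t in group.split(","))
    return principal, tokens


def low_priv_can_create_file(aces):
    """True if a low-privileged principal can create a file directly in this directory."""
    for ace in aces:
        principal, tokens = parse_ace(ace)
        if principal not in LOW_PRIV or "DENY" in tokens:
            continue
        if "IO" in tokens:      # inherit-only ACE applies to children, not this directory
            continue
        if tokens & WRITE_RIGHTS:
            return True
    return False


def find_hijackable(wmic_text, acls):
    """(service, path-to-plant) pairs where an unquoted path crosses a writable directory."""
    hits = []
    for name, pathname in parse_wmic(wmic_text).items():
        for cand in hijack_candidates(pathname):
            if low_priv_can_create_file(acls.get(dirname(cand), [])):
                hits.append((name, cand))
    return hits


if __name__ == "__main__":
    for svc, plant in find_hijackable(WMIC_OUTPUT, ICACLS):
        print(f"{svc}: write {plant} and restart the service")
```

On a real host you would feed it the actual `wmic` and `icacls` output; the deny-ACE handling is simplified (a DENY entry is skipped rather than evaluated against the allow entries), so treat a hit as something to confirm with accesschk -wvu against the directory before relying on it.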
Hot Potato – Windows Privilege Escalation.
For more details, see this administration guide. Administrators may also consider implementing Protected View for Office. In all, the company issued 75 fixes, with 61 rated important. Windows bit versions of Windows 7 and 8. I stopped counting the CVEs after a dozen. The March release is rounded out by patches for ASP.NET. Folks with ASP.NET
A total of 20, could potentially lead to remote code execution. Targets convinced to open a specially crafted Office document could allow an adversary to take control of the affected system. .NET Framework and .NET Core that prevents the components from completely validating a certificate. The flaw prevents some versions of Microsoft Office for Mac from handling the encoding and display of email addresses properly. A macOS High Sierra. Win32k is the Windows kernel-mode driver that handles windowing and GDI.
A race condition occurs when the outcome of two or more concurrent operations depends on their timing. During that window the attacker calls the function DiscardAllCompositionFrames. This leads to a use-after-free, a type of memory-corruption flaw that can be leveraged to execute arbitrary code.
The vulnerability is an elevation-of-privilege flaw, rated important, affecting the Windows Win32k component. Windows 7, 8. In that case, the adversaries targeted CVE, tied to the Windows Graphics Device Interface (GDI). The bug has been patched multiple times over the years: in , and with the most recent update available Tuesday.
Microsoft said the problem is once again an issue as it relates to installations of Exchange Server As such, organizations are urged to update their systems immediately. Fourteen of the vulnerabilities are labeled as critical, 34 as important and two as moderate. A successful attack allows an adversary to run arbitrary code in the context of the current user. This bug is exploited via a maliciously crafted email that forces Outlook to load a pre-configured message once it is received.
An attack would use a specially crafted file delivered via email or through a malicious website. It is recommended to look into options like this. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
The bug allows an attacker to manipulate the process of creating a window by sending specially crafted data sets to the Function ID field. That in turn executes a third and final stage, also a PowerShell script, which unpacks lightweight shellcode. As soon as we will find the initial vector of attack we will share this information.
They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.
The Win32k bugs are both elevation of privilege vulnerabilities, rated important, and tied to the way Windows handles objects in memory. Now all three zero-days have been patched. Fortunately, this requires authentication, which greatly reduces the chances of this occurring. The attack scenario includes a booby-trapped website where specially crafted content triggers the attack chain.
Microsoft discourages this behavior and considers it a major security risk. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The bug itself is relatively easy to trigger if you understand how window messages work, but is a bit tricky to understand if you're not familiar with them.
The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
In our threat predictions for , we flagged this as a likely continuing attack vector; and we didn’t have to wait very long to see this prediction come true. The goal of the attack was to target with precision an unknown pool of users, identified by their network adapter MAC addresses. The attackers were found to have hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. We were able to extract over unique MAC addresses from more than samples discovered in this attack, although it’s possible that other samples exist that target different MAC addresses.
The spy program was spread by email and masqueraded as the VPN-client of a well-known Russian security company that, among other things, provides solutions to protect networks. At this point we can’t relate this activity to any known actor. This has continued into A recent indictment of two Chinese nationals by the US Department of Justice on charges of computer hacking, conspiracy to commit wire fraud and aggravated identity theft, alleged that they were members of the APT10 group, carrying out illegal activity on behalf of the Chinese Ministry of State Security.
The actor has quite likely relied on much the same codebase and implant variants for the past six years. However these have broadened substantially since The operators use penetration testing frameworks such as Cobalt Strike and Metasploit. While we believe that they exploit network services vulnerabilities as their main initial infection vector, we have also seen spear-phishing messages containing decoy documents.
We believe that, as in a previous LuckyMouse campaign, internal database servers are among the targets. For the last stage of their attack they use different in-memory and bit Trojans injected into system process memory. It is worth highlighting that all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. According to FireEye, the group has conducted operations in support of China’s naval modernisation effort since at least , specifically targeting engineering, transportation and defence industries, especially where these sectors overlap with maritime technologies.
This suggests a potential connection between both actors. We are currently unable to attribute this campaign to any known threat actor. The attackers rely on watering-holes and spear-phishing to infect their victims. Specifically, they were able to compromise a website belonging to a think tank related to warfare studies, using it to host a malicious document that distributed a variant of the Netwire RAT.
We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same time period. The actor was discovered at the beginning of the year using freshly-compiled samples in a new wave of attacks.
In this operation, the group used a fake company with a backdoored product aimed at cryptocurrency businesses. One of the key findings was the group’s new ability to target Mac OS. Since then, Lazarus has expanded its operations for this platform. Lazarus isn’t the only APT group targeting cryptocurrency exchanges.
The Kimsuky group has also extended its activities to include individuals and companies in this sector, mainly in South Korea.
Even so, it was the target of several groups already discussed, such as Chafer and Bitter. Still, this can be considered part of their continued targeting of the region, showing nothing new in terms of operational or technical improvements. This is part of FinSpy Mobile, a product provided by the surveillance solutions developer, Gamma Group.
FinSpy for iOS implements extensive spyware features that allow someone to track almost everything on infected devices, including keypresses, messages and calls. A big limitation is that the current version can only be installed on jailbroken devices. We believe that Gamma Group does not provide an exploit tool to jailbreak victims’ phones, but it provides advice and support to customers on how to do the jailbreaking themselves.
Our telemetry shows implant traces in Indonesia and Mongolia. However, due to the large number of Gamma customers, this is probably only a fraction of the victims. While it is quite similar in terms of functionality, it implements unique capabilities specific to the platform, such as obtaining root privileges by abusing the DirtyCow exploit CVE. Just like the iOS version, this implant has features to exfiltrate data from instant messengers including Threema, Signal, WhatsApp and Telegram, as well as internal device information including, but not limited to, emails and SMS messages.
We reported this to Microsoft on 22 February. The company confirmed the vulnerability and assigned it CVE. We believe that this exploit is being used by several threat actors, including, but possibly not limited to, FruityArmor and SandCat.
FruityArmor is known to have used zero-days before, while SandCat is a new APT actor that we discovered only recently. The exploit found in the wild was targeting bit operating systems in the Windows 8 to Windows 10 build range.
This seems to point to a third party providing both with such artefacts. There is an interesting wave of ransomware attacks that we have been following, as they seem to be mainly interested in big targets. It’s unclear who’s behind the attacks, what they want and the mechanism used to first infect its victims.
It’s not even clear if LockerGoga is ransomware or a wiper. The malware encrypts data and displays a ransom note asking victims to get in touch to arrange decryption, in return for an unspecified payment in bitcoins. However, later versions were observed by researchers that forcibly log victims off infected systems by changing their passwords and removing their ability to log back into the system.
In such cases, the victims may not even get to see the ransom note. This is an advanced and targeted campaign using the supply-chain for distribution on an incredibly wide scale.
It involves several steps in a combined operation, including the initial collection of MAC addresses for their targets. This seems to be a new trend, as the actor also targeted other victims for malware distribution, showing how worrisome and difficult it is to fight supply-chain attacks.
We always have to keep in mind other sophisticated attacks that happen under our radar, but we continue to try and improve, to uncover every single one of them. The attackers behind Operation ShadowHammer added a backdoor to the utility and then distributed it to users through official channels.
The attackers hardcoded a list of MAC addresses into the Trojanized samples, representing the true targets of this massive operation. They shared several files via Telegram that supposedly belonged to the OilRig threat actor. The targeting and TTPs are consistent with the OilRig threat actor, but it was impossible to confirm the origins of the tools included in the dump.
If the data in the dump is accurate, it would also show the global reach of the OilRig group, which most researchers had thought operates primarily in the Middle East. On April 27, three screenshots were posted in the GreenLeakers Telegram channel containing alleged screenshots from a MuddyWater C2 server. On May 1, the channel was closed to the public and its status was changed to private.
The reason for the closure is still unclear. It was the third leak in two months disclosing details of alleged Iranian threat actors and groups. Interestingly, this leak differed from the others by employing a website that allowed anyone to browse the leaked documents.
The Hidden Reality website contains internal documents, chat messages and other data related to the RANA institute’s CNO (computer network operations) capabilities, as well as information about victims. Previous leaks had focused more on tools, source code and individual actor profiles. Although some checks are empty, sigs. We assess with medium confidence that DarkUniverse is connected with the ItaDuke set of activities due to unique code overlaps.
We found about 20 victims in Western Asia and Northeastern Africa, including medical institutions, atomic energy bodies, military organizations and telecommunications companies. To exploit the vulnerability, the attacker simply needed to call the victim via WhatsApp. This specially crafted call triggered a buffer overflow in WhatsApp, allowing the attacker to take control of the application and execute arbitrary code in it. The hackers apparently used this, not only to snoop on people’s chats and calls, but also to exploit previously unknown vulnerabilities in the operating system, which allowed them to install applications on the device.
WhatsApp claims that the technology sold by NSO was used to target the mobile phones of more than 1, of its customers in 20 different countries, including human rights activists, journalists and others.
NSO denies the allegations. The developers of FinSpy sell the software to government and law enforcement organizations all over the world, who use it to collect a variety of private user information on various platforms.
The mobile implants are similar for iOS and Android. They are capable of collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers.
The Android implant includes functionality to gain root privileges on an unrooted device by abusing known vulnerabilities. It seems that the iOS solution does not provide infection exploits for its customers, but is fine-tuned to clean traces of publicly available jailbreaking tools: this suggests that physical access to the victim’s device is required in cases where devices are not already jailbroken.
The latest version includes multiple features that we have not observed before. During our recent research, we detected up-to-date versions of these implants in the wild in almost 20 countries, but the size of the customer base would suggest that the real number of victims could be much higher. The lack of victim discrimination points to a relatively non-targeted attack. However, the not-so-high estimate of the number of visitors to the watering-holed sites, and the capabilities needed to deliver and install this malware, and keep the exploitation chains up-to-date for more than two years, shows a high level of resources and dedication.
By contrast, Zerodium has also reduced payouts for Apple one-click exploits. On the same day, someone found a high-severity zero-day in the v Video4Linux driver, the Android media driver. This vulnerability, which could enable privilege escalation, was not included in Google’s September security update. A few days later, an Android flaw was identified that left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack that would allow an attacker to gain full access to emails on a compromised device using an SMS message.
Whatever the relative value of Android and iOS exploits, it’s clear that mobile exploits are a valuable commodity. This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.
.NET file that the threat actor is using to distribute and drop KopiLuwak through infected installation packages for legitimate software programs such as VPNs. The malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready.
Moreover, the attackers use the original COMpfun as a downloader in one of the spreading mechanisms. We named the newly identified modules Reductor after a. We believe the same COMpfun authors, who we tentatively associate with Turla based on victimology, developed this malware.
One striking aspect of Reductor is that the threat actors put a lot of effort into manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers. The malware adds embedded root certificates to the target host and allows operators to add additional ones remotely through a named pipe.
The authors don’t touch the network packets at all. Instead, they analyze Firefox source and Chrome binary code to patch the corresponding system pseudo-random number generation (PRNG) functions in the browser process’s memory, the functions that produce the ‘client random’ field of the TLS ClientHello. Reductor adds the victims’ unique encrypted hardware- and software-based identifiers to this ‘client random’ field; because the ClientHello is sent in the clear, anyone on the network path can read the marker without having to break the encryption.
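A defender can hunt for this behaviour from the same vantage point the operators rely on: the client random is visible in the unencrypted ClientHello, and a correctly seeded PRNG never produces the same bytes twice, whereas a per-host identifier is by definition constant across that host's handshakes. The Python below is an added example (not Kaspersky's code and not Reductor's): it extracts the 32-byte client random from a ClientHello record and flags any source host whose randoms agree at a suspicious number of byte offsets. The sample traffic, the two host addresses and the 8-byte MARKER are constructed; the real encoding Reductor uses is not described above, so the check depends only on the property the text does give, that the marker is fixed per host.

```python
import hashlib
import struct
from collections import defaultdict


def build_client_hello(random32, session_id=b"", ciphers=(0x1301, 0x1302, 0xC02F)):
    """Build a minimal TLS ClientHello record (used only to construct sample input)."""
    assert len(random32) == 32
    body = b"\x03\x03" + random32                      # client_version + 32-byte random
    body += bytes([len(session_id)]) + session_id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                                # one compression method: null
    body += b"\x00\x00"                                # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_random(record):
    """Return the 32-byte client random from a single, unfragmented ClientHello
    record, or None if the bytes are not one.  Assumes the hello fits in one
    TLS record (the common case; fragmented hellos need reassembly first)."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != len(record) - 5 or hs_len != rec_len - 4:
        return None                                    # truncated or malformed
    return record[11:43]                               # 5 (record) + 4 (handshake) + 2 (version)


def constant_positions(randoms):
    """Byte offsets at which every random in the list holds the same value."""
    return [i for i in range(32) if len({r[i] for r in randoms}) == 1]


def suspicious_hosts(hellos, min_samples=3, min_constant=6):
    """hellos: iterable of (source_host, record).  A sound PRNG makes one byte offset
    agree across three hellos with probability ~1/65536, so six agreeing offsets
    is far outside chance.  The threshold also tolerates the four-byte
    gmt_unix_time that older TLS stacks put at the front of the random."""
    by_host = defaultdict(list)
    for host, record in hellos:
        r = client_random(record)
        if r is not None:
            by_host[host].append(r)
    flagged = {}
    for host, randoms in by_host.items():
        if len(randoms) >= min_samples:
            fixed = constant_positions(randoms)
            if len(fixed) >= min_constant:
                flagged[host] = fixed
    return flagged


def _stand_in_random(label):
    """Deterministic stand-in for PRNG output so the sample is reproducible."""
    return hashlib.sha256(label.encode()).digest()


# Hypothetical 8-byte per-host tag; the real encoding Reductor uses is not described above.
MARKER = bytes.fromhex("c0ffee00deadbeef")

# Constructed traffic: 10.0.0.5 behaves normally, 10.0.0.9 has a patched PRNG.
SAMPLE_HELLOS = (
    [("10.0.0.5", build_client_hello(_stand_in_random(f"clean-{i}"))) for i in range(3)]
    + [("10.0.0.9", build_client_hello(MARKER + _stand_in_random(f"marked-{i}")[8:])) for i in range(3)]
)

if __name__ == "__main__":
    for host, offsets in suspicious_hosts(SAMPLE_HELLOS).items():
        print(f"{host}: client random fixed at offsets {offsets}")
```

In practice the records come from a capture (the first TLS record on each outbound connection); the same per-host grouping also catches the other symptom the text describes, since a host that has had a rogue root certificate added will typically be the one whose randoms carry the marker.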
We found Zebrocy deploying a compiled Python script, which we call PythocyDbg, within a Southeast Asian foreign affairs organization. This module primarily provides for the stealthy collection of network proxy and communications debug capabilities. Both the Nim downloaders that the group mainly uses for spear phishing, and other Nim backdoor code, are currently being produced by Zebrocy and delivered alongside updated compiled AutoIT scripts, Go, and Delphi modules. In September, Zebrocy spear-phished multiple NATO and alliance partners throughout Europe, attempting to gain access to email communications, credentials and sensitive documents.
This campaign is similar to past Zebrocy activity, with target-relevant content used within emails, and ZIP attachments containing harmless documents alongside executables with altered icons and identical filenames. The group also makes use of remote Word templates pulling contents from the legitimate Dropbox file-sharing site.
In this campaign, Zebrocy targeted defense and diplomatic targets located throughout Europe and Asia with its Go backdoor and Nimcy variants. In this campaign, the attackers used an elaborate, previously unseen steganographic technique to conceal communication. A couple of years ago, we predicted that more and more APT and malware developers would use steganography, and this campaign provides proof.
Interestingly, we found certain similarities between this malware and a toolset that we called ProjectC. We detected ProjectC in being used as a toolset for lateral movement and we attributed it with low confidence to CloudComputating.
Our new findings lead us to believe that the CloudComputating set of activities can be attributed to Platinum and that ProjectC was one of its toolsets. This year, we discovered a new operation, active for at least a year, which utilizes PowerShell to control Windows systems and Mac OS malware to target Apple customers.
Lazarus also targeted a mobile gaming company in South Korea that we believe was aimed at stealing application source code. It’s clear that Lazarus keeps updating its tools very quickly. In particular, we identified a bank in Myanmar that this threat actor compromised. We promptly contacted the bank, to share the IoCs we had found. Our collaboration allowed us to obtain valuable information on how the attackers move laterally to access high-value hosts, such as those owned by the bank’s system engineers interacting with SWIFT.
They use a public login credential dumper and homemade PowerShell scripts for lateral movement. BlueNoroff also employs new malware with an uncommon structure, probably to slow down analysis.
Depending on the command line parameters, this malware can run as a passive backdoor, an active backdoor or a tunneling tool; we believe the group runs this tool in different modes depending on the situation. Moreover, we found another type of PowerShell script used by this threat actor when it attacked a target in Turkey.
This PowerShell script has similar functionality to those used previously, but BlueNoroff keeps changing it to evade detection. We observed new efforts by this actor to build a new C2 infrastructure targeting vulnerable WebLogic servers, in this case exploiting CVE. Following a successful breach, the attackers implanted malware signed with a legitimate signature belonging to a South Korean security software vendor.
The malware is a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data. This backdoor uses a relatively large shellcode in order to make analysis difficult. In addition, it implements a set of features to execute the final payload discreetly. The discovery of this malware allowed us to find several related samples, as well as documents used by the attackers to distribute it, providing us with a better understanding of the campaign.
Almost all of the decoys contain content regarding the national holiday of the Korean Peninsula and the national day of North Korea. The lure content was also related to diplomatic issues or business relationships.
Alongside the additional data from our telemetry, we believe that this campaign is aimed at targets with a relationship with North Korea, such as business people, diplomatic entities and human rights organizations. The actor behind this campaign used high-profile spear phishing and multi-stage infection in order to implant tailored Ghost RAT malware that can fully control the victim.
We believe that the threat actor behind this campaign, which has been ongoing for more than three years, speaks Korean; and we believe that the DarkHotel APT group is behind it.
The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks. We created a colour scheme to distinguish the various tools and implants used against different victims around the world. This year, we added several new colours to the Lamberts palette. We observed victims of Silver Lambert in China, in the aeronautics sector. We observed victims of Violet Lambert in the Middle East. We also found other new Lamberts implants on computers belonging to a critical infrastructure victim in the Middle East.
The first two we dubbed Cyan Lambert including Light and Pro versions. The third, which we called Magenta Lambert, reuses older Lamberts code and has multiple similarities with the Green, Black and White Lamberts. This malware listens on the network, waiting for a magic ping, and then executes a very well-hidden payload that we have been unable to decrypt. All the infected computers went offline shortly after our discovery.
We believe that this activity, which we call SpoiledLegacy, is the successor to the IronTiger campaign because of the similar tools and techniques it uses. While we believe that they exploit network service vulnerabilities as their main initial infection vector, we have also observed executables prepared for use in spear-phishing messages containing decoy documents, showing the operator’s flexibility.
Some NetBot configuration data contains LAN IPs, indicating that it downloads the next stage from another infected host in the local network.
Based on our telemetry, we believe that internal database servers are among the targets, as in a previous LuckyMouse Mongolian campaign. As the last stage, the attackers use different in-memory and bit Trojans injected into system process memory. Interestingly, all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code. For these new campaigns, the attackers seem to focus on telecommunications operators, universities and governments.
The infection vectors are direct compromise, spear phishing and, possibly, watering holes. Despite different open-source publications discussing this actor’s TTPs during the last year, LuckyMouse hasn’t changed any of them.
The threat actor still relies on its own tools to get a foothold in the victim’s network, which in the new campaigns consists of using HTTPBrowser as a first stager, followed by the Soldier Trojan as a second stage implant. The group made a change to its infrastructure, as it seems to rely uniquely on IPv4 addresses instead of domain names for its C2s, which we see as an attempt to limit correlation.
The group has adopted different techniques to perform its attacks over the past couple of years, and has targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore. This year, the group has targeted government organizations related to natural resource management in Myanmar and a major continental African organization, suggesting that one of the main motivations of HoneyMyte is gathering geopolitical and economic intelligence.
While the group targeted a military organization in Bangladesh, it’s possible that the individual targets were related to geo-political activity in the region.
We observed a slight increase in ; then, beginning in , Icefog began conducting large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China’s Belt and Road Initiative.
In the latest wave of attacks, the infection began with a spear-phishing email containing a malicious document that exploits a known vulnerability and ultimately deploys a payload. From to the beginning of , the final payload was the typical Icefog backdoor. Since May , the actors appear to have switched and are now using Poison Ivy as their main backdoor.
The Poison Ivy payload is dropped as a malicious DLL and is loaded by a signed, legitimate program using a technique called DLL load-order hijacking: the program resolves the DLL by name and picks up the attacker’s copy before the genuine one. This technique is very common among many actors and was also used in previous Icefog campaigns. During our investigation, we were also able to detect artefacts used in the actor’s lateral movement. We observed the use of a public TCP scanner downloaded from GitHub, a Mimikatz variant to dump credentials from system memory, a customized keylogger to steal sensitive information, and a newer version of another backdoor named Quarian.
The Quarian backdoor was used to create tunnels inside the victim infrastructure in an attempt to avoid network detections. The functionality of Quarian includes the ability to manipulate the remote file system, get information about the victim, steal saved passwords, download or upload arbitrary files, create tunnels using port forwarding, execute arbitrary commands, and start a reverse shell.
Related activities date back to more than a decade ago, with similar code maintaining compilation timestamps from The newer and backdoor code maintains a new layer of obfuscation and no longer maintains clear-text C2 strings. SinoChopper not only performs host identification and backdoor delivery but also email archive theft and additional activity. Although not all incidents can be traced back to server-side exploitation, we did detect a couple of cases and obtained information about their staged install process.
In , we observed ShaggyPanther targeting Windows servers. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, document and cryptography-key stealers, and even its own file indexer for the victim’s computer. The malware features its own indexer, emergency C2s, the ability to steal specific files from external drives when they become available again, and much more.
There are two different packages, self-named Tokyo and Yokohama and the targeted computers we found include both packages. We think the attackers used Tokyo as the first stage infection, deploying the fully functional Yokohama package on interesting victims, and then leaving Tokyo in place for backup purposes.
Our telemetry revealed just a single victim, a diplomatic body from a country in Central Asia. This begs the question, why go to all that trouble for just one victim?
We think there may be other victims that we haven’t found yet. This theory is supported by the fact that we couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected. Further analysis led us to uncover a zero-day vulnerability in win32k. We think that several threat actors, including FruityArmor and SandCat, used this exploit. Interestingly, FruityArmor and SandCat seem to follow parallel paths, both having the same exploits available at the same time.
This seems to point to a third party providing both groups with such artefacts. This spy program spread via email and masqueraded as the VPN client of a well-known Russian security company that, among other things, provides solutions to protect networks. So far, we have been unable to relate this activity to any known actor. The malware itself is a simplistic document stealer. However, given its victimology and the targeted nature of the attack, we considered it relevant enough to monitor, even though we were unable to attribute this set of activities to any known actor.
The low OPSEC and simplistic malware involved in this operation does not seem to point to an advanced threat actor.
The attackers rely on watering holes and spear phishing to infect their victims. We also found evidence of a compromised welfare club for military personnel distributing the same malware during the same period. This malware was first used in the wild in January and subsequently underwent constant development. We have only seen this malware used in a small number of active campaigns since January, all targeting government, military and diplomatic entities in the Southeast Asia region.
The latest campaign, conducted in August, seems to have targeted only a select few individuals working for a military organization. Collection 1 is just a small part of a bigger leak of about 1 TB of data, split into seven parts and distributed through a data-trading forum. The full package is a collection of credentials leaked from different sources during the past few years, the most recent being from , so we were unable to identify any more recent data in this ‘new’ leak.
It turned out that Collection 1 was just part of a larger dump of leaked credentials comprising 2. The new data dump, dubbed Collection , was discovered by researchers at the Hasso Plattner Institute in Potsdam.
The theft of such ‘traditional’ forms of authentication is bad enough, but the effects of using alternative methods of authentication can be much more serious. The exposure of biometric data is of particular concern. A compromised password can be changed, but a biometric characteristic is for life.
Consider, for example, the potential impact of smart speakers for listening in on unguarded conversations in the home. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.
We reported it to Microsoft on February 22, This condition leads to a use-after-free scenario. The exploitation process for all those operating systems does not differ greatly and is performed using heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses.
In exploitation of Windows 10 build and higher, window objects are used instead of palettes. Besides that, the exploit performs a check on whether it’s running from Google Chrome and stops execution if it is, because vulnerability CVE can’t be exploited within a sandbox. However, the collection of cases where this tool has been used means that we consider it a subset of activity in its own right.
On the basis of this threat actor’s past behaviour, we predicted last year that Zebrocy would continue to innovate in its malware development. The group has developed using Delphi, AutoIT,. The group also continued to innovate. Kaspersky Lab researchers have detailed how both groups shared the same C2 command-and-control server infrastructure for a certain period of time and how both targeted the same organization almost simultaneously, which more or less confirms the relationship between the two.
The attackers used an improved version of the Remexi malware, previously associated with an APT threat actor that Symantec calls Chafer. This group has been observed since at least , but based on things such as compilation time-stamps, and C2 registration, it’s possible that the group has been active for even longer. Traditionally, Chafer has focused on targets inside Iran, although its interests clearly include other countries in the Middle East.
This data includes keystrokes, screenshots, and browser-related data such as cookies and history, decrypted where possible. The C2 is based on IIS using.
We reported this to Microsoft on February 22, who confirmed the vulnerability and assigned it CVE. Microsoft released a patch on March 12, , crediting Kaspersky Lab researchers Vasiliy Berdnikov and Boris Larin with the discovery.
Just as with CVE, we believe that this exploit is being used by several threat actors, including, but possibly not limited to, FruityArmor and SandCat. We would urge organizations involved in the booming crypto-currency or technological startup industry to exercise extra caution when dealing with new third parties or installing software. You should never set ‘Enable Content’ macro scripting in Microsoft Office documents received from new or untrusted sources. If you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks.
The attackers added a backdoor to the utility and then distributed it to users through official channels. The compromised version of the utility was distributed to a large number of people between June and November. Our telemetry shows that 57, Kaspersky Lab customers downloaded and installed it, although we believe the real scale of the problem is much bigger, possibly affecting over a million users worldwide.
The attackers hardcoded a list of MAC addresses in the Trojanized samples, which identifies the true targets of this massive operation. We were able to extract over unique MAC addresses from more than samples discovered in this attack, although it’s possible that other samples exist which target different MAC addresses.
Some are even designed to steal money. To do so, it disables the integrity check for installed extensions and automatic updates for the targeted browser. The Trojan works with Google Chrome, Mozilla Firefox and Yandex browsers, though it has different infection scenarios for each browser type. Razy spreads via advertising blocks on websites and is distributed from free file-hosting services under the guise of legitimate software.
Razy serves several purposes, mostly related to the theft of crypto-currency. Its main tool, the script ‘main.
One recent example is the WinPot malware. The malware window displays the denomination of banknotes for each cassette, so that the money mule operating the malware just needs to select the cassette with the most money in it and press ‘Spin’.
The ‘Scan’ button can be used to recount the notes. The authors also include an emergency ‘Stop’ button, to allow the mule to cut short the pay out so as not to arouse suspicion. For example, some versions will only dispense cash for a limited period of time and then they deactivate themselves.
Earlier this year we detected one such campaign, when The Pirate Bay (TPB) tracker filled up with harmful files used to distribute malware under the guise of cracked copies of paid programs. The tracker contained malicious torrents created from dozens of different accounts, including those registered on TPB for quite some time. This page opens directly in the installation window and requests the user’s TPB account credentials, supposedly to continue the process.
The second downloaded component is also a SetupFactory installer, used to decrypt and run four PE files in sequence. These usually find their way on to people’s computers through file sharing sites.
Besides downloading the required content, their goal is to install additional software while carefully hiding the option to cancel. The auto-clickers are run before the installers: when the installer windows are detected, they check the boxes and click the buttons needed to give the user’s consent to install the unnecessary software. The botnet is now equipped with a much wider range of exploits, which makes it even more dangerous and allows it to spread faster.
If we can know ahead of time which hostname a target machine in this case our target is We can overcome this by flooding quickly and iterating over all possible values. What if the network we are targeting has a DNS record for the host we want to spoof? This also, surprisingly, applies to some Windows services such as Windows Update, but exactly how and under what conditions seems to be version dependent. However, as we saw above, we can spoof host names using NBNS spoofing.
At the same time, we run an HTTP server locally on This will cause all HTTP traffic on the target to be redirected through our server running on Interestingly, this attack, even when performed by a low privilege user, will affect all users of the machine. This includes administrators and system accounts. The following screenshot shows two users simultaneously logged into the same machine: the low privilege user is performing local NBNS spoofing, and the high privilege user is affected in the second screenshot.
The NTLM protocol is vulnerable to man-in-the-middle attacks. If an attacker can trick a user into trying to authenticate using NTLM to his machine, he can relay that authentication attempt to another machine. The old version of this attack had the victim attempting to authenticate to the attacker using the SMB protocol with NTLM authentication.
Microsoft patched this by disallowing same-protocol NTLM authentication using a challenge that is already in flight. It is also a bit flaky sometimes, due to the quirks in how Windows handles proxy settings and the WPAD file.
It is necessary to leave the exploit running and try to trigger it again later, after this time has elapsed. The techniques listed here are ordered from least to most complex. Any technique later in the list should work on all earlier versions as well.
Videos and screenshots are included for each. This seems to work pretty reliably on Windows 7. The following is an example usage. After this runs successfully, simply check for Windows updates.
You would have to nail the timing JUST right to get it working in this case. It appears that this part of Windows still uses WPAD, even when the winhttp proxy setting is set to direct.
Why is a bit of a mystery. You can try port exhaustion, but it might be tricky.