Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

Posted on April 17, 2024 by cybernewswire

By cybernewswire
Las Vegas, United States, April 17th, 2024, CyberNewsWire Zero Knowledge Networking vendor shrugs off firewall flaw In the…
This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critic… Continue reading Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)→

GSMA releases Mobile Threat Intelligence Framework

Posted on April 10, 2024 by Help Net Security

GSM Association’s Fraud and Security Group (FASG) has published the first version of a framework for describing, in a structured way, how adversaries attack and use mobile networks, based on the tactics, techniques and procedures (TTPs) that they use. … Continue reading GSMA releases Mobile Threat Intelligence Framework→

CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

Posted on April 3, 2024 by Kevin Townsend

MITRE is unable to compile a list of all new vulnerabilities, and NIST is unable to subsequently, and consequently, provide an enriched database of all vulnerabilities. What went wrong, and what can be done?
The post CVE and NVD – A Weak and Frac… Continue reading CVE and NVD – A Weak and Fractured Source of Vulnerability Truth→

Public anxiety mounts over critical infrastructure resilience to cyber attacks

Posted on March 18, 2024 by Help Net Security

With temporary failures of critical infrastructure on the rise in the recent years, 81% of US residents are worried about how secure critical infrastructure may be, according to MITRE and The Harris Poll. Public views cyberattacks as greatest risk to c… Continue reading Public anxiety mounts over critical infrastructure resilience to cyber attacks→

OpenARIA: Open-source edition of the Aviation Risk Identification and Assessment (ARIA)

Posted on March 8, 2024 by Mirko Zorz

MITRE now offers an open-source version of its Aviation Risk Identification and Assessment (ARIA) software suite, OpenARIA. This initiative is dedicated to enhancing aviation safety and efficiency through the active involvement of the aviation communit… Continue reading OpenARIA: Open-source edition of the Aviation Risk Identification and Assessment (ARIA)→

COM Objects Hijacking

Posted on March 7, 2024 by Joseliyo Sánchez

The COM Hijacking technique is often utilized by threat actors and various malware families to achieve both persistence and privilege escalation in target systems. It relies on manipulating Component Object Model (COM), exploiting the core architecture of Windows that enables communication between software components, by adding a new value on a specific registry key related to the COM object itself.

We studied the usage of this technique by different malware samples to pinpoint the most exploited COM objects in 2023.

Abused COM Objects

We identified the most abused COM objects by samples using MITRE’s T1546.015 technique during sandbox execution. In addition to the most abused ones, we will also highlight other abused COM objects that we found interesting.

The chart below shows the distribution of how many samples abused different COM objects for persistence:

You can find the most used COM / CLSIDs listed in the Appendix.

Berbew

One of the main malware families we have observed abusing COM for persistence is Padodor/Berbew. This Trojan primarily focuses on stealing credentials and exfiltrating them to remote hosts controlled by attackers. The main COM objects abused by this family are as follows:

{79ECA078-17FF-726B-E811-213280E5C831}
{79FEACFF-FFCE-815E-A900-316290B5B738}
{79FAA099-1BAE-816E-D711-115290CEE717}

The corresponding registry entries point to the malicious DLL. However, multiple samples of this family use a second registry key for persistence, which points to this previous CLSID we described, as in the following example :

In this case, the registry key …CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\(Default) points to the malicious DLL C:\Windows\SysWow64\Iimgdcia.dll. A second registry entry …Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger points to the previous CLSID {79ECA078-17FF-726B-E811-213280E5C831} which loads the malicious DLL.

The ShellServiceObjectDelayLoad registry entry (part of ShellServiceObjectDelayLoad), combined with the Web Event Logger subkey used here by Berbew, has frequently been utilized to initiate the loading of the genuine webcheck.dll. This DLL was tasked with monitoring websites within the Internet Explorer application.

The previously utilized CLSID by WebCheck registry key was {E6FB5E20-DE35-11CF-9C87-00AA005127ED} However, in certain instances today the CLSID {08165EA0-E946-11CF-9C87-00AA005127ED} is used. Both are responsible for loading the webcheck.dll DLL and are abused by malware samples.

RATs

The CLSID {89565275-A714-4a43-912E-978B935EDCCC} seems to be extensively used by various RATs . This CLSID has primarily been associated with families like RemcosRAT and AsyncRAT in our observations. However, we’ve also encountered instances where BitRAT samples have used it. Researchers at Cisco Talos found this CLSID activity associated with the SugarGh0st RAT malware.

In the majority of cases, the DLL used for persistence with this CLSID is dynwrapx.dll. This DLL was found in the wild in a GitHub repository, currently unavailable, however the DLL originates from a project named DynamicWrapperX (first seen in VirusTotal in 2010). It executes shellcode to inject the RAT into a process.

A similar case is CLSID {26037A0E-7CBD-4FFF-9C63-56F2D0770214}. The associated DLL for persistence is dbggame.dll. First uploaded to VirusTotal in 2012, this DLL is deployed by various types of malware, including ransomware such as XiaoBa.

RATs w/ vulnerabilities

To finish with RATs that use this technique, from late December 2023 to February 2024, there were various incidents linked to the CVE-2024-21412 vulnerability uncovered by the Trend Micro Zero Day Initiative team (ZDI). During these events, active campaigns were distributing the Darkme RAT. Throughout the infection process, a primary goal was to evade Microsoft Defender SmartScreen and introduce victims to the DarkMe malware.

The TrendMicro analysis highlights that the Darkme RAT sample utilizes the CLSID {74A94F46-4FC5-4426-857B-FCE9D9286279} to carry out the final load of the RAT. Yet, we’ve noted the utilization of other CLSIDs for persistence, including {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} in this sample.

Furthermore, to guarantee the DLL’s execution, they generate a registry key employing Autorun keys. This key’s objective is to initiate the CLSID using rundll32.exe and /sta parameter, which is used to load a COM object, in this case, the previous malicious COM object created.

EventID:13 
EventType:SetValue
Details:%windir%\SysWOW64\rundll32.exe /sta {D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4} "USB_Module"
TargetObject:HKU\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunDllModule

Why use one when you can use many?

Some samples (like this Sality one) use multiple CLSIDs:

{EBEB87A6-E151-4054-AB45-A6E094C5334B}
{57477331-126E-4FC8-B430-1C6143484AA9}
{241D7F03-9232-4024-8373-149860BE27C0}
{C07DB6A3-34FC-4084-BE2E-76BB9203B049}

The sample drops two different DLLs during execution, three of the registry keys point to one of them, the remaining one to the other. The sample also turns off the Windows firewall and UAC to carry out additional actions while infecting the system.

The Allaple worm family deploys multiple COM objects pointing to the malicious DLL during execution, like in this example:

Adware

Citrio, an adware web browser designed by Catalina Group, uses in its more recent versions a COM object for persistence with CLSID {F4CBF20B-F634-4095-B64A-2EBCDD9E560E}. It drops several harmful DLLs, one masquerades as Google Update (goopdate.dll), also observed as psuser.dll, that possesses the capability to establish services on the system along using a COM object for persistence.

Common folders used to store the payloads

Most malicious DLLs we saw so far are typically stored in the C:\Users\<user>\AppData\Roaming\ directory. It’s also common to create subfolders within this directory, the most frequently found include:

\qmacro
\mymacro
\MacroCommerce
\Plugin
\Microsoft

In addition to these, we also found the following folders being frequently used to hide malicious DLLs:

The C:\Windows\SysWow64 is a folder found in 64-bit versions of Windows, containing legitimate 32-bit system files and
libraries, and is oftenly used to conceal malicious DLLs. Its prevalence makes it an attractive
hiding place, complicating detection efforts. However, permissions are required to create files in
it.
The
C:\Program Files (x86)
folder is another legitimate directory used to store malicious COM hijacking payloads. Similar to
\AppData\Roaming, in this case we have observed that the malicious DLLs are stored under specific
subfolders, such as “\Google”, “\Mozilla Firefox”, “\Microsoft”, “\Common Files” or “\Internet
Download Manager”.
C:\Users\<user>\AppData\Local
is another folder used for storing these payloads, including the “\Temp”, “\Microsoft” and “\Google”
subfolders.

Detection

In order to detect unusual modifications to registry COM objects, there are a couple of crowdsourced Sigma rules to identify this behavior.

Potential
Persistence Via COM Hijacking From Suspicious Locations
(high risk level). Detects suspicious when creating a registry key using COM objects.

Potential
Persistence Via COM Search Order Hijacking
(medium risk level). Similar to the previous rule, it also filters out paths associated with
legitimate behaviors.

These rules will detect uncommon registry modifications related to COM objects. You can use the following queries to retrieve samples triggered by the previous rules, respectively: VTI query for sigma1 and VTI query for sigma2.

You can also identify this behavior using Livehunt rules that target the creation of registry keys utilized for this purpose, for instance with the vt.behaviour.registry_keys_set modifier.

import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_registry_keys_set in vt.behaviour.registry_keys_set: (
      vt_behaviour_registry_keys_set.key matches /\\CLSID\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\}\\InProcServer32\\\(Default\)/
    )  
}

The rule above might generate some noise, so we suggest considering polishing it by excluding certain common families like Berbew, which as mentioned, heavily relies on this technique:

and not 
    (
        for any engine, signature in vt.metadata.signatures : (  
        signature icontains "berbew"  
        )  
    )

You can also use the paths listed in Appendix to identify suspicious samples using them.

A final idea is including interesting existing Sigma rules into our Livehunt. Given that these rules already cover the targeted registry keys, we don’t need to use vt.behaviour.registry_keys_set in our condition.

import "vt"

rule CLSID_COM_Hijacking:  {
  meta:
    target_entity = "file"
    hash = "a19472bd5dd89a6bd725c94c89469f12cdbfee3b0f19035a07374a005b57b5e0"
    author = "@Joseliyo_Jstnk"
    sigma_authors = "Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien"
    mitre_technique = "T1546.015"
    mitre_tactic = "TA0003"

  condition:
    vt.metadata.new_file and vt.metadata.analysis_stats.malicious >= 5 and 
    for any vt_behaviour_sigma_analysis_results in vt.behaviour.sigma_analysis_results: (
      vt_behaviour_sigma_analysis_results.rule_id == "7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4"
    )
}

Wrapping up

The T1546.015 – Event Triggered Execution: Component Object Model Hijacking is just one of several techniques employed for persistence. Leveraging COM objects for this task is frequently straightforward for threat actors. The analysis of how malware abuses this technique helps us get a better understanding in how to identify different families and develop protection methods. Although the technique is not the most popular for persistence (that would be T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), it is widely abused by many malware families.

Identifying some of the most abused CLSIDs can help us generate detection rules that identify possible malware abuses in our infrastructure. It can also serve as a good guide for prevalence in order to detect any anomalies for new suspicious activity.

The use of VirusTotal sandbox reports provides a very powerful tool to translate TTPs into actionable queries and monitoring. In this example we used it to better understand how attackers use COM objects, but could be used for any techniques employed by different threat actors.

We hope you join our fan club of Sigma and VirusTotal, and as always we are happy to hear your feedback.

APPENDIX

Abused CLSIDs

Next, you’ll find a list of the main CLSIDs described in the blog, along with a chart to show which ones were used the most.

CLSID
– COM Objects

79FAA099-1BAE-816E-D711-115290CEE717

EBEB87A6-E151-4054-AB45-A6E094C5334B

241D7F03-9232-4024-8373-149860BE27C0

C07DB6A3-34FC-4084-BE2E-76BB9203B049

79ECA078-17FF-726B-E811-213280E5C831

22C6C651-F6EA-46BE-BC83-54E83314C67F

F4CBF20B-F634-4095-B64A-2EBCDD9E560E

57477331-126E-4FC8-B430-1C6143484AA9

C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9

89565275-A714-4a43-912E-978B935EDCCC

26037A0E-7CBD-4FFF-9C63-56F2D0770214

16426152-126E-4FC8-B430-1C6143484AA9

33414471-126E-4FC8-B430-1C6143484AA9

23716116-126E-4FC8-B430-1C6143484AA9

D4D4D7B7-1774-4FE5-ABA8-4CC0B99452B4

79FEACFF-FFCE-815E-A900-316290B5B738

74A94F46-4FC5-4426-857B-FCE9D9286279

Common paths

Below you will find a list with some of the most common paths used during the creation of the COM objects for persistence. The table contains the ‘parent’ paths as well, while the chart includes only the ‘subpaths’.

Common
paths used during COM object persistence

C:\Users\<user>\AppData\Roaming

C:\Users\<user>\AppData\Roaming\qmacro

C:\Users\<user>\AppData\Roaming\mymacro

C:\Users\<user>\AppData\Roaming\MacroCommerce

C:\Users\<user>\AppData\Roaming\Plugin

C:\Users\<user>\AppData\Roaming\Microsoft

C:\Windows\SysWow64

C:\Program
Files (x86)

C:\Program
Files (x86)\Google

C:\Program
Files (x86)\Mozilla Firefox

C:\Program
Files (x86)\Microsoft

C:\Program
Files (x86)\Common Files

C:\Program
Files (x86)\Internet Download Manager

C:\Users\<user>\AppData\Local

C:\Users\<user>\AppData\Local\Temp

C:\Users\<user>\AppData\Local\Microsoft

C:\Users\<user>\AppData\Local\Google

C:\Windows\Temp

Continue reading COM Objects Hijacking→

Following MITRE’s footsteps in analyzing malware behavior

Posted on February 21, 2024 by Alexandra Martin

The MITRE framework helps all defenders speak the same language regarding attackers’ modus operandi. VirusTotal provides multiple data points where MITRE’s Tactics and Techniques are dynamically extracted from samples when detonated in our sandboxes.
In particular, samples’ MITRE mapping can be found under the BEHAVIOR tab of a file’s report. This data is searchable in VirusTotal Intelligence (VTI) with the help of a set of specific file search modifiers.

In this article, we’ll illustrate how security analysts can leverage MITRE for malware detection and behavior-based hunting for ransomware and keylogger samples.

Hunting for Ransomware

The security industry historically identified a set of commonly used techniques in Ransomware campaigns, including inhibiting the system recovery and discovering local files and network shares for later data encryption, usually combined with exfiltration and/or Command and Control techniques.

Common TTPs of modern ransomware groups by Kaspersky

In VT Intelligence we can use 2 search modifiers to query files behavior mapped to MITRE ATT&CK:

“attack_tactic” search modifier followed by the MITRE Tactic ID returns the list of files that, based on our sandboxes analysis reports, execute techniques under the specified tactic. For example:
“attack_technique” search modifier followed by the MITRE Technique ID returns the list of files that, based on our sandboxes analysis reports, execute the specified technique. For example:

In addition to the “attack_tactic” and “attack_technique” modifiers, VirusTotal provides extra modifiers listed on the Appendix I – Behavior search modifiers for procedures-based queries at the end of this post.

Let’s do an example. We want to find samples given a set of ransomware-related techniques combined with the “behavior:CryptEncrypt” operating system API call (check Appendix I for details). Additionally, we specify the entity we are interested in (files) and the first submission date (fs) to filter out files submitted before 2024-01-01.

The resulting query is as follows:

entity:file attack_technique:T1490 and attack_technique:T1083 and attack_technique: T1135 behavior:CryptEncrypt fs:2024-01-01+

Let’s analyze in more detail one of the query’s resulting files (35619594724871138875db462eda6cf24f2a462e1f812ff27d79131576cd73ab).
According to the community, the file belongs to a BlackHunt Ransomware campaign threat that compromised multiple companies in Paraguay.

Its BEHAVIOR report tab, provides details on the techniques detected during sample’s detonation:

T1490 (Inhibit System Recovery), the sample deletes the shadow copies (as highlighted in the Capabilities section below) and it also modifies Windows boot settings via bcdedit.
T1083 and T1135: The sample runs discovery processes to get system local files and directories, and also network shares.
The encryption process is visible by the CryptEncrypt operating system API call, functionality provided by the Advapi32.dll, and visible under the file’s DETAILS tab.

Hunting for Keyloggers

Keyloggers are a particular form of Spyware designed for stealing user data, that commonly share some MITRE Tactics, including collecting data and/or discovering data for later exfiltration and/or Command and Control communication.

For our VTI query we will specify the T1056.001: Input Capture: Keylogging sub-technique of the Collection tactic, which identifies keystrokes interception. Additionally, we use the first submitted time condition (fs) and both Command and Control or Exfiltration tactics (attack_tactic), since we are not really interested in restricting the way the data gets outside of the victim environment.

attack_technique:T1056.001 (attack_tactic:TA0011 OR attack_tactic:TA0010) fs:2024-02-15+

One of the retrieved files (975b67e75c046e95b1f418c2db85a726dc5d38c21853c5446393b9805c6d1bd5) with a 25 out of 71 AV detection ratio is cataloged as Remcos, a commercial Remote Access Tool with keylogger capabilities among many others, which has been used by several Threat Actors.

On its BEHAVIOR tab, we can see details on the keystrokes interception performed via polling method. The report also reveals additional functionality, including capturing screenshots, reading victims’ clipboard and geographical location of the abused device.

Conclusions

In this post we have seen using a couple of examples how present the MITRE framework is on VirusTotal and how it can be used to search for files with a particular TTP-based behavior using VirusTotal Intelligence searches. MITRE-related data is based on behavior detected during samples’ sandbox detonation.

We have additionally created an Appendix I (below) detailing some of the most interesting behavior-search modifiers you can use in your queries. This fits particularly well with other TTP-based modifiers, allowing you to refine results by adding particular technical characteristics specific for the malware under analysis.

We hope you found this post interesting and useful. For suggestions or feedback please feel free to reach out here, we will be happy to hear from you.

Happy hunting!

Appendix I – Behavior search modifiers

The following search modifiers provide a more granular way of searching files based on their behavior, allowing more restrictive queries while using Tactics/Techniques (“attack_tactic”, “attack_technique”) search modifiers.

“behavior_processes”: followed by the executable and parameters used to run during the sample dynamic analysis:

“behavior_injected_processes”: followed by the executable name with or without extension:

“behavior_created_processes”: followed by the executable name with or without extension:

behavior_created_processes: Wininit.exe NOT name:Wininit.exe

“behavior_services”: followed by the service name to get files opening or deleting internal services:

behavior_services: sysmon

“behavior_registry”: followed by a system registry key to check for new, deleted or modified registry keys:

behavior_registry:”\Software\Microsoft\Windows\CurrentVersion\Run”

“behavior_network”: followed by an URL, domain or IP address to identify files communicating with those network elements:

behavior_network:ip-api.com

“behavior_files”: followed by the file name with or without extension and/or path to identify files that were opened, written, deleted or dropped:

“behavior”: all the previous search modifiers in the appendix can be replaced by this one. It matches against the whole file behavior report and provides a way to check for other data that doesn’t have a specific search modifier assigned:

API calls: Calls Highlighted subsection under Highlighted actions section of a file behavior report:

Mutexes created or opened, under the Synchronization mechanisms & Signals section of a file behavior report:

behavior:BLACK_HUNT_MUTEX

Modules loaded section of a file behavior report:

behavior:CRYPTSP.DLL

“behavior_tags”: followed by the tag of your interest to get files assigned with the indicated tag that you can check here.

behavior_tags:detect_debug_environment

Continue reading Following MITRE’s footsteps in analyzing malware behavior→

Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

Posted on February 13, 2024 by Kevin Townsend

A malware tactic dubbed ‘hunter-killer’ is growing, based on an analysis of more than 600,000 malware samples. This may become the standard approach for advanced attacks.
The post Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressiv… Continue reading Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive→

Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

Posted on February 13, 2024 by Kevin Townsend

EMB3D Threat Model: Understand threats to embedded devices in critical infrastructure

Posted on December 14, 2023 by Industry News

Critical infrastructure depends on embedded devices across industries such as oil and natural gas, electric, water management, automotive, medical, satellite, autonomous systems, and unmanned aircraft systems. However, these devices often lack proper s… Continue reading EMB3D Threat Model: Understand threats to embedded devices in critical infrastructure→