New RUSTBUCKET Malware With Zero Detections on VirusTotal

The DPRK campaign is utilizing a recently updated version of Rustbucket malware to avoid being detected.

This variant of RUSTBUCKET, targets macOS systems, adds persistence capabilities not previously observed and, at the time of reporting, is undetected by VirusTotal signature engines.

Read moreBuilding cyber skills and roles from CyBOK foundations

The Elastic Security Labs team has detected a new variant of the RUSTBUCKET malware, a family that has been previously attributed to the BlueNorOff group by Jamf Threat Labs in April 2023. 

The DPRK conducts malicious cyber activities and deploys information technology (IT) workers who fraudulently obtain employment to generate revenue.

RUSTBUCKET Malware Infection Chain

Read moreAccessibility as a cyber security priority

As per the research RUSTBUCKET family of malware is under active development. Additionally, at the time of publication, this new variant has zero detections on VirusTotal and is leveraging a dynamic network infrastructure methodology for command and control.

The command /usr/bin/osascript  has been used to execute the AppleScript which is responsible for downloading  Stage 2 binary from the C2 using cURL. 

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

This session includes the string pd in the body of the HTTP request and cur1-agent as the User-Agent string which saves the Stage 2 binary to /users/shared/.pd, 

The Stage 2 binary (.pd) is compiled in Swift and operates based on command-line arguments. The binary expects a C2 URL to be provided as the first parameter when executed. 

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

Upon execution, it invokes the downAndExec function, which is responsible for preparing a POST HTTP request. 

To initiate this request, the binary sets the User-Agent string as mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) and includes the string pw in the body of the HTTP request.

Read moreS3 Ep135: Sysadmin by day, extortionist by night

During execution, the malware utilizes specific macOS APIs for various operations. It begins with NSFileManager’s temporaryDirectory function to obtain the current temporary folder, then generates a random UUID using NSUUID’s UUID.init method. 

Finally, the malware combines the temporary directory path with the generated UUID to create a unique file location and writes the payload to it.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

Once the payload is written to disk, the malware utilizes NSTask to initiate its execution.

Gathers System Information

The malware initiates its operations by dynamically generating a 16-byte random value at runtime. This value serves as a distinctive identifier for the specific instance of the active malware. Subsequently, the malware proceeds to gather comprehensive system information, including:

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

Computer name

List of active processes

Read moreZut alors! Raclage crapuleux! Clearview AI in 20% more trouble in France

Current timestamp

Installation timestamp

Read moreHeads Up CEO! Cyber Risk Influences Company Credit Ratings

System boot time

Status of all running processes within the system

Read moreCISA, NSA Issue New IAM Best Practice Guidelines

The malware establishes its initial connection to the C2 server by transmitting the gathered data via a POST request. The request is accompanied by a User-Agent string formatted as Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0).

Upon receiving the request, the C2 server responds with a command ID, which serves as an instruction for the malware. The malware is designed to handle only two commands.

Command ID 0x31-to self-terminate

Read more6 Ways to Mitigate Risk While Expanding Access

Command ID 0x30-This command enables the operator to upload malicious Mach-O binaries or shell scripts to the system and execute them.

The malware proceeds by granting execution permissions to the uploaded file using the chmod API.After executing the payload, the malware sends a status update to the server, notifying it of the completed execution, and then sleeps for 60 seconds. 

Read moreHypervisors and Ransomware: Defending Attractive Targets

Following this delay, the malware loops to collect system information once again and remains in a waiting state, anticipating the arrival of the next command from the server.

The multi-stage composition of the malware, in addition to the use of Rust programming language and the targeting of macOS, make detection and prevention a significant challenge. 

Indicator of compromise:

Read moreNIST Launches Cybersecurity Initiative for Small Businesses

9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c7477fccc871c889a4f4c13a977fdd5f062d6de23c3ffd27e72661c986fae6370387ec8f97d5595d92ec678ffbf5ae1f60ce90e620088927f751c76935c46aa7dc41de81e5246978775a45f3dbda43e2716aaa1b1c4399fe7d44f918fccecc4dd5004f49514ab1794177a61c50c63b93b903c46f9b914c32ebe9c96aa3cbc1f99b16fe8c0e881593cc3dfa7a66e314b12b322053c67cbc9b606d5a2c0a12f097ef697887638bcafd57e2896c7c16698e927ce92fd7d409aae698d33cdca3ce8d25b8

“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.

Read moreEducating Your Board of Directors on Cybersecurity

The post New RUSTBUCKET Malware With Zero Detections on VirusTotal appeared first on Cyber Security News.

   Read More 

Read morePersonal Information of 9 Million Individuals Stolen in MCNA Ransomware Attack

Cyber Security News 

Related Posts

Multiple Palo Alto Networks Firewall Flaws Let Attackers Cause Disruption

Multiple Palo Alto Networks Firewall Flaws Let Attackers Cause Disruption

[[{“value”:”

Palo Alto Networks has recently disclosed four high-severity vulnerabilities in its firewall products.

If exploited, these flaws could allow attackers to disrupt services by causing a denial of service (DoS) or manipulating user access controls. The vulnerabilities are tracked as CVE-2024-3382, CVE-2024-3383, and CVE-2024-3384.

CVE-2024-3382: Denial of Service via Crafted Packets

The first vulnerability, CVE-2024-3382, affects the PAN-OS operating system and can lead to a denial of service (DoS) condition when the firewall processes a burst of specially crafted packets. This issue specifically impacts PA-5400 Series devices with the SSL Forward Proxy feature enabled. Palo Alto Networks has addressed this flaw in PAN-OS versions 10.2.7-h3, 11.0.4, 11.1.2, and later.

CVE-2024-3383: Improper Group Membership Change

CVE-2024-3383 is a vulnerability in the Cloud Identity Engine (CIE) component of PAN-OS, which could allow unauthorized changes to User-ID groups. This flaw could lead to inappropriate access control decisions, affecting the security of network resources. The company has fixed this issue in PAN-OS versions 10.1.11, 10.2.5, 11.0.3, and all subsequent releases.

CVE-2024-3384: DoS via Malformed NTLM Packets

The third vulnerability, CVE-2024-3384, involves the handling of malformed NTLM packets, which could cause PAN-OS firewalls to reboot and potentially enter maintenance mode. This vulnerability requires manual intervention to restore the firewall to operational status. Fixes have been released in PAN-OS versions 8.1.24, 9.0.17, 9.1.15-h1, and 10.0.12, among others.

CVE-2024-3385: Denial of Service when GTP Security is Disabled

The third vulnerability, CVE-2024-3385, affects hardware-based firewalls in the PA-5400 and PA-7000 series. It allows remote attackers to reboot the firewalls through a specific packet processing mechanism when GTP Security is disabled. Like the others, this vulnerability is rated with high severity, having a CVSSv4.0 Base Score of 8.2.

Affected Versions and Solutions

Palo Alto Networks has not observed any malicious exploitation of these vulnerabilities. However, given their high severity ratings, customers are urged to apply the provided patches or follow recommended mitigation strategies.

Below is a summary table of the affected versions for each CVE:

CVE IDAffected VersionsUnaffected VersionsCVE-2024-3382PAN-OS 11.1 < 11.1.2, PAN-OS 11.0 < 11.0.4, PAN-OS 10.2 < 10.2.7-h3PAN-OS 11.1 >= 11.1.2, PAN-OS 11.0 >= 11.0.4, PAN-OS 10.2 >= 10.2.7-h3CVE-2024-3383PAN-OS 11.0 < 11.0.3, PAN-OS 10.2 < 10.2.5, PAN-OS 10.1 < 10.1.11PAN-OS 11.0 >= 11.0.3, PAN-OS 10.2 >= 10.2.5, PAN-OS 10.1 >= 10.1.11CVE-2024-3384PAN-OS 10.0 < 10.0.12, PAN-OS 9.1 < 9.1.15-h1, PAN-OS 9.0 < 9.0.17, PAN-OS 8.1 < 8.1.24PAN-OS 10.0 >= 10.0.12, PAN-OS 9.1 >= 9.1.15-h1, PAN-OS 9.0 >= 9.0.17, PAN-OS 8.1 >= 8.1.24CVE-2024-3385PAN-OS 11.0 < 11.0.3, PAN-OS 10.2 < 10.2.8, PAN-OS 10.1 < 10.1.12, PAN-OS 9.1 < 9.1.17, PAN-OS 9.0 < 9.0.17-h4PAN-OS 11.0 >= 11.0.3, PAN-OS 10.2 >= 10.2.8, PAN-OS 10.1 >= 10.1.12, PAN-OS 9.1 >= 9.1.17, PAN-OS 9.0 >= 9.0.17-h4

Along with these high-severity flaws, Palo Alto fixed some medium security flaws; a complete advisory can be found here.

For detailed mitigation instructions and to ensure the security of their networks, customers are advised to consult the official Palo Alto Networks documentation or contact their support services.

Secure your emails in a heartbeat! To find your ideal email security vendor, Take a Free 30-Second Assessment.

The post Multiple Palo Alto Networks Firewall Flaws Let Attackers Cause Disruption appeared first on Cyber Security News.

“}]]   Read More 

Cyber Security News 

ChatGPT for Malware Analysis: Enhancing GPT’s Ability to Guide Malware Analyst
ChatGPT for Malware Analysis: Enhancing GPT’s Ability to Guide Malware Analyst

ChatGPT for Malware Analysis: Enhancing GPT’s Ability to Guide Malware Analyst

GPT excels in verbal thinking, skillfully choosing precise words for optimal responses. Understanding this key property is crucial, as much of its subsequent behavior stems from this ability.

This AI model taps into an extensive cheat sheet; any historical answer in its training data can be reproduced with strange accuracy.

Cybersecurity researchers at CheckPoint recently affirmed that security analysts could use ChatGPT for malware analysis by enhancing the GPT’s ability.

ChatGPT for Malware Analysis

GPT may not recall answers that seem expected on its cheat sheet. For instance, in a malware analysis context, GPT struggled when a Google Scholar search failed to yield proof on the first page. 

Speculating and completing a sentence about the search results led to a natural response failure.GPT excels in summarizing large inputs, showcasing its grammar understanding, and prioritizing key facts. Trustworthy in filtering the big picture, like summarizing extensive malware-related API call logs.

Here’s what GPT presented when asked to summarize the log:-

Malware-related API call log summary (Source – Checkpoint)

The sentence completion power of GPT enables remarkable logical reasoning, but caution is needed. Overloading it with complex and verbose conditions can lead to misunderstandings and forgotten requirements.

Applying GPT to malware analysis reveals oddly human-like challenges. Check Point said examples abound as GPT grapples with tasks categorized into broader challenges.

Principal Obstacles

Here below, we have mentioned all the 6 general principal obstacles:-

Memory Window Drift: GPT breaks texts into tokens with a fixed window size. This limits large inputs, especially as the window moves beyond the initial conversation instructions. Then, it relies on second-hand task descriptions, losing information once it’s out of the window, and this stumbling block is a common challenge, even with API call logs.

Gap between Knowledge and Action: Feynman criticized memorization without understanding, a sentiment echoed in GPT challenges for malware analysis. Completing sentences isn’t enough; attention to knowledge integration is crucial. Problem-solving involves implicit questions, and accidentally hindering this process is a hurdle. Self-awareness acts as a failsafe, revealing gaps between knowledge and action, leading to other difficulties in GPT’s application.

Logical Reasoning Ceiling: In applying GPT to malware analysis, researchers discovered challenges in managing its logical reasoning capacity. Overcoming issues, three best practices emerged:- 

Preferring lists over demanding a single ‘right answer’ 

Using terse instructions

Recognizing GPT’s varying capabilities in logical reasoning

Detachment from Expertise: GPT’s implicit web-weaving via sentence completion is powerful, but output quality may suffer if reason alone is forced. While basic characterizations are accurate in malware analysis, expert insights emphasize context, API call order, anti-analysis techniques, and tailored search strategies, challenging common wisdom and optimizing outcomes.

Goal Orientation: In tests, GPT often provided theoretically perfect but impractical advice, ignoring practical constraints. Triage tasks saw model recommendations emphasizing theoretical correctness over efficient solutions. GPT’s potential falls short when induced to focus solely on immediate input, hindering its ability to mimic the subtle work of a malware analyst.

Spatial Blindness: GPT demonstrated its distinct nature in malware analysis testing. Notably, its dependence on precisely configured prompts for effective Google searches revealed its unique behavior. In tasks like GandCrab, GPT struggled with poorly engineered prompts, requiring adjustments to induce a proper understanding.

Despite appearing trivial, these steps simulate a beginner analyst’s 3-day experience. The effort is necessary to guide GPT past potential obstacles in task processing.

Besides the focus on challenges, don’t overlook GPT’s main advantage:- 

“It operates faster and more cost-effectively than a human analyst.” 

Before embracing automation, ensuring GPT matches a newbie analyst in basic tasks is essential for future advancements.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

The post ChatGPT for Malware Analysis: Enhancing GPT’s Ability to Guide Malware Analyst appeared first on Cyber Security News.

   Read More 

Cyber Security News 

A week in security (November 20 – November 26)

A week in security (November 20 – November 26)

Last week on Malwarebytes Labs:

Windows Hello fingerprint authentication can be bypassed on popular laptops

Citrix Bleed widely exploitated, warn government agencies

Chrome pushes forward with plans to limit ad blockers in the future

$19 Stanley cup deal is a Black Friday scam

Malwarebytes consumer product roundup: The latest

Explained: Privacy washing

Nothing Chats pulled from Google Play

How to stop fake System notifications on macOS

Why less is more: 10 steps to secure customer data

Atomic Stealer distributed to Mac users via fake browser updates

Scattered Spider ransomware gang falls under government agency scrutiny

Student discount: Get 50% off Malwarebytes

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

   Read More 

Malwarebytes