New Stealthy Universal Rootkit Let Attacker Load second-stage Payload Directly

New Stealthy Universal Rootkit Let Attacker Load second-stage Payload Directly

A self-signed China-originated Rootkit acts as a universal downloader targeting gaming sectors to exfiltrate sensitive information.

The threat actors abuse Microsoft signing portals to sign their drivers in order to pass the security check.

Read moreBuilding cyber skills and roles from CyBOK foundations

As per the analysis of Trend Micro, the main binary of the malware acts as a universal downloader that downloads a second-stage unsigned kernel module to communicate with C&C.

Stealthy Universal Rootkit Loader

Basically, malicious actors use the below approaches to sign their malicious kernel drivers, Abusing Microsoft signing portals, Using leaked and stolen certificates, and Using underground services.

Read moreAccessibility as a cyber security priority

“Hunting for 64-bit signed rootkits now is not as easy in the days when kernel mode code signing (KMCS) policies mechanisms were introduced as the number of 64-bit signed drivers has increased,” reads Trend Micro report.

Initially, a 64-bit signed driver was installed, which disables the User Account Control (UAC) and Secure Desktop mode by editing the registry and initializing Winsock Kernel (WSK) objects for initiating a network activity with the C&C server.

Read moreNew interactive video - and related downloads - to help secondary school kids stay safe online

Subsequently, it uses a Domain Generating Algorithm (DGA) algorithm to generate different domains. It connects to the driver on port 80 and creates a TCP socket for communication.

This downloader receives the data byte from C&C and decrypts the received data, then loads the Portable executable file into memory without writing to the disk.

Second-stage Driver

Read moreNigerian Cybercrime Ring's Phishing Tactics Exposed

The downloaded second-stage driver was unsigned and reads the first-stage driver from the disk and, write it to the registry, then deleted it from the disk

In addition to that, it stops Windows Defender software and disables the anti-spyware detection from the registry key“ and SecurityHealthService” in order to evade detection

Read moreS3 Ep135: Sysadmin by day, extortionist by night

Finally, the proxy plug-in installs a proxy on the machine and redirects web browsing traffic to a remote proxy machine. 

It first edits the Windows proxy configuration, and then it injects JavaScript inside the browser based on the URL, which might redirect it to another server.

Read moreUS offers $10m bounty for Russian ransomware suspect outed in indictment

These rootkits will see heavy use from sophisticated groups that have both the skills to reverse-engineer low-level system components and the required resources to develop such tools.

The post New Stealthy Universal Rootkit Let Attacker Load second-stage Payload Directly appeared first on Cyber Security News.

Read moreBelkin Wemo Smart Plug V2 – the buffer overflow that won’t be patched

   Read More 

Cyber Security News 

Related Posts

Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike
Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike

Chinese Hackers Target Semiconductor Firms in East Asia with Cobalt Strike

Threat actors have been observed targeting semiconductor companies in East Asia with lures masquerading as Taiwan Semiconductor Manufacturing Company (TSMC) that are designed to deliver Cobalt Strike beacons.
The intrusion set, per EclecticIQ, leverages a backdoor called HyperBro, which is then used as a conduit to deploy the commercial attack simulation software and post-exploitation toolkit.   Read More 

The Hacker News | #1 Trusted Cybersecurity News Site 

Stack Overflow suspends user for editing posts in OpenAI protest

Stack Overflow suspends user for editing posts in OpenAI protest

OpenAI and Stack Overflow recently teamed up to improve AI models. OpenAI will have access to Stack Overflow’s API and feedback from developers. In return, OpenAI will link to Stack Overflow’s content in ChatGPT. […]    Read More 

 

Behind the Google shopping ad masks.
Behind the Google shopping ad masks.

Behind the Google shopping ad masks.

Maxim Zavodchik from Akamai joins Dave to discuss their research on “Xurum: New Magento Campaign Discovered.” Akamai researchers have discovered an ongoing server-side template injection campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker’s command and control (C2) server.

The research states “The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.”   Read More 

The CyberWire