Posts

Showing posts from April, 2023

CVE-2023-21716: A new Office Exploit

In February 2023, Microsoft (MS) patched a vulnerability in Microsoft Word which, if successfully exploited, could allow an unauthenticated attacker to execute code remotely on a victim's machine. The vulnerability was assigned CVE-2023-21716 and carries a CVSS score of 9.8, making it a critical issue. It affects MS Word and also the Outlook Preview Pane. Along with the patch, Microsoft released a workaround for the vulnerability but did not publish details of the bug. While we were analysing the patch to identify what had been fixed, on 6 March the researcher who reported the bug released a PoC on Twitter. In this blog, we take a look at some internals of CVE-2023-21716. So far there is no evidence of exploitation of this vulnerability in the wild. Rich Text Format (RTF) is a document file format published by Microsoft. It uses control words to define the various sections and properties of a document. CVE-2023-21716 exists in the way MS Wo...
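To make the RTF control-word structure concrete, here is an added Python tokenizer (not code from the original post; the sample document is constructed for illustration). It walks the `{ }` groups, `\word<param>` control words, control symbols and text runs, skips the metadata destinations such as the font and colour tables, and reports per-control-word counts, the maximum nesting depth and whether the groups balance, which are the first things to look at when triaging a suspicious RTF file.

```python
import re
from collections import Counter

# Constructed sample RTF (not from the original post): a minimal file with a
# font table, a colour table and one paragraph of body text.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0"
    r"{\fonttbl{\f0\fswiss Arial;}{\f1\fmodern Courier New;}}"
    r"{\colortbl;\red255\green0\blue0;}"
    r"\pard\f1\fs24 Hello, \b RTF\b0  world!\par"
    r"}"
)

# Destination groups whose content is metadata rather than body text.
DESTINATIONS = {"fonttbl", "colortbl", "stylesheet", "info", "pict", "object"}

# Control word: backslash, letters, optional signed integer parameter, and an
# optional single space that is a delimiter belonging to the control word.
CONTROL_WORD = re.compile(r"\\([a-zA-Z]+)(-?\d+)? ?")
# Control symbol: backslash followed by one non-letter character (e.g. \* \' \~).
CONTROL_SYMBOL = re.compile(r"\\([^a-zA-Z])")


def tokenize(rtf):
    """Yield (kind, value, param, depth); kind is open/close/word/symbol/text."""
    i, depth, n = 0, 0, len(rtf)
    while i < n:
        ch = rtf[i]
        if ch == "{":
            depth += 1
            yield ("open", "{", None, depth)
            i += 1
        elif ch == "}":
            yield ("close", "}", None, depth)
            depth -= 1
            i += 1
        elif ch == "\\":
            m = CONTROL_WORD.match(rtf, i)
            if m:
                param = int(m.group(2)) if m.group(2) is not None else None
                yield ("word", m.group(1), param, depth)
            else:
                m = CONTROL_SYMBOL.match(rtf, i)
                if m is None:
                    break  # lone trailing backslash: nothing more to read
                yield ("symbol", m.group(1), None, depth)
            i = m.end()
        else:
            j = i
            while j < n and rtf[j] not in "{}\\":
                j += 1
            # CR/LF are not significant in RTF and are dropped from text runs.
            yield ("text", rtf[i:j].replace("\r", "").replace("\n", ""), None, depth)
            i = j


def summarize(rtf):
    """Count control words, check group balance and extract the body text."""
    counts = Counter()
    opens = closes = max_depth = 0
    skip_depth = None   # depth of the destination group currently being skipped
    prev_open = False   # was the previous token a group opener?
    text = []
    for kind, value, param, depth in tokenize(rtf):
        max_depth = max(max_depth, depth)
        if kind == "open":
            opens += 1
        elif kind == "close":
            closes += 1
            if skip_depth is not None and depth == skip_depth:
                skip_depth = None
        elif kind == "word":
            counts[value] += 1
            # A destination is the first control word right after its group opener.
            if prev_open and value in DESTINATIONS and skip_depth is None:
                skip_depth = depth
        elif kind == "text" and skip_depth is None:
            text.append(value)
        prev_open = kind == "open"
    return {
        "control_words": counts,
        "balanced": opens == closes,
        "max_depth": max_depth,
        "text": "".join(text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_RTF)
    print("balanced:", report["balanced"], "max depth:", report["max_depth"])
    print("most common control words:", report["control_words"].most_common(5))
    print("body text:", repr(report["text"]))
```

Because the single space after a control word is part of the token, `\b0  world!` with two spaces yields the text ` world!`; a parser that treats the delimiter as text will mis-extract content, and a parser that does not track group depth cannot tell a font name in `\fonttbl` from body text.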

GoatRAT Attacks Automated Payment Systems

Recently, we came across a detection in our telemetry named "com.goatmw" which caught our attention. On investigation the sample turned out to be a banking trojan. GoatRAT is an Android Remote Administration Tool used to gain access to and control targeted devices, and it carries out fraudulent money transfers using PIX keys. The domain goatrat[.]com (Fig.1) serves as the admin panel (not live at the time of writing) and lists Telegram IDs as its contacts (Fig.2 and Fig.3). Technical Analysis Once "com.goatmw" is installed, the malware starts a service named "Server" (Fig.4) which contacts (Fig.5) the C2 server (Fig.6) to obtain the PIX key required to carry out the fraudulent transactions. A PIX key identifies the recipient of an instant money transfer and can be a piece of personal data such as a Taxpayer ID number (CPF for individuals, CNPJ for companies), a telephone number or an email address (Fig.7). The RAT then requests users ...

MuddyWater Back with DarkBit

Recently, we came across a tweet about DarkBit ransomware. The Iranian APT group MuddyWater is reportedly behind it. In this blog we explore the ransomware's initial access method, the use of Cobalt Strike and the final ransomware payload. Initial Access Method The initial lure was delivered as an ISO file. It contained a shortcut file (with a .doc extension) and a zip file. The shortcut used PrintBrm.exe, a built-in Windows command line tool for backing up and restoring print queues, to unpack HR-Update.zip and run its contents, as shown below.

cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe

HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, is also used by attackers to gain a foothold on a system. The final ransomware payload is downloaded with the help of Cobalt Strike. At the time of writing the blog, we were unable...
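The PrintBrm.exe chain above is a good candidate for a process-creation detection, because the tool has a narrow legitimate use. The following Python is an added example (not code from the original post) that splits a cmd.exe command line on its chaining operators, parses the PrintBrm switches, and flags three things: a restore (`-r`) from a file that is not a `.printerExport` archive, extraction into a temp directory, and execution of something from the extraction directory later in the same chain. The sample command lines are constructed; the first mirrors the lure, the others are benign look-alikes. The `.printerExport` extension check is a heuristic based on the tool's native backup format, not a claim from the post.

```python
import re

# Constructed sample process-creation command lines (not from the original post).
SAMPLE_COMMAND_LINES = [
    r'cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe',
    r'PrintBrm.exe -b -f C:\Backups\printers.printerExport -s \\printserver',
    r'PrintBrm.exe -r -f C:\Backups\printers.printerExport',
    r'"C:\Program Files\7-Zip\7z.exe" x %TEMP%\update.zip -o%TEMP%\unzip',
]

# PrintBrm switches that take an argument (file, directory, server, config).
VALUE_FLAGS = {"-f", "-d", "-s", "-c"}
# Substrings that mark a user- or system-temp location (case-insensitive match).
TEMP_MARKERS = ("%temp%", "\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_segments(cmdline):
    """Split a cmd.exe command line on its chaining operators: &&, ||, &, |."""
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&|\|)\s*", cmdline) if s.strip()]


def tokens(segment):
    """Whitespace-split a segment, keeping double-quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', segment)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_printbrm(toks):
    """Map PrintBrm switches to their values (True for switches without one)."""
    opts, i = {}, 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VALUE_FLAGS:
            opts[flag] = toks[i + 1] if i + 1 < len(toks) else ""
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts


def analyse(cmdline):
    """Return a list of finding names for a command line; empty means benign."""
    findings = []
    segments = split_segments(cmdline)
    for idx, seg in enumerate(segments):
        toks = tokens(seg)
        if not toks or basename(toks[0]) != "printbrm.exe":
            continue
        opts = parse_printbrm(toks)
        src = opts.get("-f", "")
        dst = opts.get("-d", "")
        # Restore from something that is not the tool's own backup format.
        if "-r" in opts and not src.lower().endswith(".printerexport"):
            findings.append("restore_from_non_printerexport_file")
        # Extracting into a temp directory is unusual for print-queue migration.
        if dst and any(m in dst.lower() for m in TEMP_MARKERS):
            findings.append("extract_to_temp")
        # Anything run from the extraction directory later in the chain.
        if dst:
            prefix = dst.lower().rstrip("\\") + "\\"
            for later in segments[idx + 1:]:
                ltoks = tokens(later)
                if ltoks and ltoks[0].lower().startswith(prefix):
                    findings.append("execution_from_extract_dir")
                    break
    return findings


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyse(line) or "benign", "<-", line)
```

In a SIEM the same logic maps to a rule on Sysmon Event ID 1 or Windows 4688 where `Image` ends with `\PrintBrm.exe` and `CommandLine` contains `-r` together with a `-f` value that does not end in `.printerExport`; the post-extraction execution check needs the parent/child relationship or the full chained command line, which is why the example works on the whole `cmd.exe /c` string.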

ADHICS Compliance For Smaller Healthcare Organisations

Overview, Responsibilities, Challenges, And Penalties The Abu Dhabi Healthcare Information and Cyber Security Standard (ADHICS) applies to all healthcare facilities and practitioners operating in the Emirate of Abu Dhabi. ADHICS was created to ensure that Abu Dhabi's digital healthcare infrastructure matches international standards in healthcare data security and to strengthen public trust in the digital transformation of healthcare. The standard was published on, and has been effective from, 3 February 2019, and can be downloaded here. Implementation guidelines can be found here. ADHICS Overview Control Domains ADHICS specifies control measures categorised into 11 domains; these are listed below along with their controls: Human Resource Security: Policy, Prior to Employment, During Employment, Termination or Change; Asset Management: Policy, Management, Classification & Labelling, Handling, Disposal; Physical and Environmental Security: Policy, Secure Areas, Equipm...

Sponsored Adverts Spreading Malware Via Social Media Platforms

Threat actors have lately started abusing sponsored ads on Facebook to deliver malware. Sponsored ads are paid advertisements shown to a wider user base: they are visible to users who are not connected to the account that posted them. They are usually used to promote a new product or venture, but can be used for other purposes too. Why Facebook? Facebook is one of the most popular social media platforms, and its vast user base makes it an attractive channel for threat actors to spread malware. Because the ads are delivered through a platform that users trust, threat actors can easily mislead unsuspecting users. Since an individual's ordinary Facebook posts are typically seen only by followers or those who have liked the account, the sponsored post feature lets threat actors reach people who are not connected to the account, giving them a much wider audience. Recently one of our colleagues en...

App Control Made Smarter

How I wish I could decide whether the apps I run are safe, malicious, or from an untrusted source. Well, it seems Microsoft has heard me. They have come up with a feature called "Smart App Control" which does just that. However, this feature is available only on clean installations of Windows 11 22H2. That said, let us hope it is rolled out to other versions of Windows that are still in active support. Want to know more? Read on. What is a Signed App? Developers sign their apps to identify the author, and a valid signature lets the app be updated without extra prompts or permissions. Read more in this blog post. Can malicious or untrusted apps be signed? One would hope not, but the fact is yes. Threat actors can use stolen code-signing certificates, or obtain a legitimate certificate for their malicious app, which then passes signature validation. Read more in this blog post. What is Smart App Control (SAC)? SAC i...
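Two checks a practitioner will want on a Windows 11 box are whether Smart App Control is actually enabled and what the Authenticode status of the binaries they are about to run is. The PowerShell below is an added example, not code from the original post or from Microsoft. It assumes that the SAC state is stored in the `VerifiedAndReputablePolicyState` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` (0 = off, 1 = on, 2 = evaluation mode) and that the Downloads folder is a reasonable place to scan; both are assumptions, adjust them for your environment.

```powershell
# Added example (not from the original post). Assumptions: the registry value
# below holds the Smart App Control state on Windows 11 22H2 (0 off, 1 on,
# 2 evaluation); the scanned folder is only an example.

function Get-SmartAppControlState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $item = Get-ItemProperty -Path $key -Name 'VerifiedAndReputablePolicyState' -ErrorAction SilentlyContinue
    switch ($item.VerifiedAndReputablePolicyState) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'Evaluation' }
        default { 'Unknown (value not present; not a clean 22H2 install?)' }
    }
}

function Get-AppSignatureReport {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -Include *.exe, *.dll, *.msi -Recurse -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File       = $_.FullName
                # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
                Status     = $sig.Status
                Signer     = if ($cert) { $cert.Subject } else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
            }
        }
}

"Smart App Control state: $(Get-SmartAppControlState)"

# Anything that is not 'Valid' deserves a second look before it is executed;
# a 'Valid' status only proves the chain validates, not that the signer is
# trustworthy, which is exactly the gap stolen or abused certificates exploit.
Get-AppSignatureReport -Folder "$env:USERPROFILE\Downloads" |
    Sort-Object Status, Signer |
    Format-Table -AutoSize
```

The report is useful precisely because of the point made above: a `Valid` status says the certificate chain checks out, so a binary signed with a stolen or fraudulently obtained certificate will show as `Valid` too. Pivot on the `Signer` and `Thumbprint` columns (are they the publisher you expect, and is the certificate one you have seen before?) rather than on `Status` alone.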

Reinforcing The Human Layer In Enterprise Cybersecurity

Enterprise IT ecosystems can be considered an amalgamation of digital technology and people. Enterprise cybersecurity largely focuses on the technology layer, the various forms of hardware and software. The human layer, however, is now receiving increasing attention from cybersecurity leaders because humans can do what hardware and software cannot: act independently and override hardware and software controls based on their own judgement, which may be flawed or misguided. Verizon's 2022 Data Breach Investigations Report reveals that 82% of breaches involve the human element. Strengthening the human layer in enterprise cybersecurity presents a unique challenge: unlike hardware or software, which are procured in large volumes as identical copies with identical weaknesses and solutions, people are individuals with varying degrees of awareness, interest, comprehension, conscientiousness, and other attributes that influence their ability to always do the right thing a...

What The Enterprise Sector Needs To Know About Ransomware-As-A-Service (RaaS)

Software-as-a-Service (SaaS) is common in the world of legitimate enterprise software: vendors offer their products through a subscription model, usually to obtain a steady cash inflow and to make their products more affordable by letting customers match what they spend on a product with how much they use it. Threat actors are now adopting the same business model, for benefits of their own, to offer cyberthreats, especially ransomware, as a service, with frightening consequences for the enterprise world. How Ransomware Works Ransomware is a form of malware that encrypts data on the victim's IT network, paralysing business operations until a decryption key is obtained by paying a ransom, usually demanded in cryptocurrency. Data is the key to ransomware's potency and to the success of the attack model: every enterprise needs data to function, even if that data is internal administrative data of no value to anyone else,...

If You Worry About Ransomware, You Should Worry Even More About Phishing

Every business, from startup to enterprise, fears ransomware, with good reason. We have all heard about the ransomware attack on Colonial Pipeline in the USA which caused fuel shortages, and Costa Rica declared a national emergency following a ransomware attack that affected 27 government institutions. What could be worse than a cyberthreat with the potential to be classified as a national security event? Phishing, the mechanism through which ransomware and many other cyberattacks are delivered. What Is Phishing? Phishing is a form of social engineering carried out through persuasive messages that convince an individual to perform an action that is against the best interests of the individual or the organisation they work for. A common example is an email that appears to come from a vendor, with a malicious attachment disguised as an invoice that needs to be paid; opening the attachment launches a cyberattack such as ransomware. Why Is Phishing A Mor...

Creating Secure Branch Connectivity With SD-WAN

Every enterprise that makes use of computing resources, which is every enterprise in today's world, relies on several forms of network-based communication, such as LAN and WAN. Devices within a facility use a Local Area Network (LAN) to talk to each other, e.g., a desktop uses the LAN to connect to a printer. A LAN is relatively easy to manage as it is entirely within the control of the organisation and is located within a distinct physical site such as a bank office, hospital, academic institution, or data centre. These facilities may be part of a larger organisation that has multiple branches of banks, hospitals, or educational institutions, and each branch needs to communicate with the others and with a head office. This is accomplished through a Wide Area Network (WAN), which connects the LAN in one facility to the LAN in another. Private WAN Constraints Interbranch connectivity is very convenient and helps improve the organisation's productivity ...