—————
Free Secure Email – Transcom Sigma
Boost Inflight Internet
Transcom Hosting
Transcom Premium Domains
Author: admin
Insider Threats Surge 14% Annually as Cost-of-Living Crisis Bites
—————
‘Junk gun’ ransomware: Peashooters can still pack a punch
—————
Other Attempts to Take Over Open Source Projects
After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:
The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.
[…]
The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).
The article includes a list of suspicious patterns, and another list of security best practices.
—————
Using AI-Generated Legislative Amendments as a Delaying Technique
Canadian legislators proposed 19,600 amendments—almost certainly AI-generated—to a bill in an attempt to delay its adoption.
I wrote about many different legislative delaying tactics in A Hacker’s Mind, but this is a new one.
—————
Redline Stealer: A Novel Approach
A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior.
Infection Chain
- GitHub is being abused to host the malware file at Microsoft’s official account in the vcpkg repository https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
- McAfee Web Advisor blocks access to this malicious download
- Cheat.Lab.2.7.2.zip is a zip file with hash 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
- The zip file contains an MSI installer.
- The MSI installer contains 2 PE files and a purported text file.
- Compiler.exe and lua51.dll are binaries from the Lua project. However, they have been modified slightly by the threat actor to serve their purpose; they are used here together with readme.txt (which contains the Lua bytecode) to compile and execute it at runtime.
- Lua JIT is a Just-In-Time Compiler (JIT) for the Lua programming language.
- The magic number 1B 4C 4A 02 typically corresponds to Lua 5.1 bytecode.
- readme.txt (shown in the image) contains the Lua bytecode. This approach provides the advantage of obfuscating malicious strings and avoiding the use of easily recognizable scripts like wscript, JScript, or PowerShell, thereby enhancing stealth and evasion capabilities for the threat actor.
- Upon execution, the MSI installer displays a user interface.
- During installation, a text message is displayed urging the user to spread the malware by installing it onto a friend’s computer to get the full application version.
- During installation, we can observe that three files are written to disk at C:\Program Files\Cheat Lab Inc\Cheat Lab.
- Below, the three files are placed inside the new path.
- Here, we see that compiler.exe is executed by msiexec.exe and takes readme.txt as an argument. The highlighted part shows lua51.dll being loaded into compiler.exe. lua51.dll is a supporting DLL that compiler.exe needs in order to function, so the threat actor has shipped the DLL along with the other two files.
- During installation, msiexec.exe creates a scheduled task to execute compiler.exe with readme.txt as an argument.
- Apart from the above technique for persistence, this malware uses a second, fallback technique to ensure execution.
- It copies the three files to another folder in ProgramData with a very long and random path.
- Note that the name compiler.exe has been changed to NzUW.exe.
- Then it drops a file ErrorHandler.cmd at C:\Windows\Setup\Scripts.
- The contents of the cmd file can be seen here. It executes compiler.exe under the new name NzUw.exe with the Lua bytecode as a parameter.
- Executing ErrorHandler.cmd relies on a LOLBin in the System32 folder. For that, it creates another scheduled task.
- A new task named Windows Setup is created, which will launch C:\Windows\System32\oobe\Setup.exe without any argument.
- It turns out that if you place your payload at c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd, c:\WINDOWS\system32\oobe\Setup.exe will load it whenever an error occurs.
Source: Add a Custom Script to Windows Setup | Microsoft Learn
- c:\WINDOWS\system32\oobe\Setup.exe expects an argument. When it is not provided, it causes an error, which leads to the execution of ErrorHandler.cmd, which executes compiler.exe, which loads the malicious Lua code.
- We can confirm this in the process tree: c:\WINDOWS\system32\oobe\Setup.exe launches cmd.exe with the ErrorHandler.cmd script as argument, which runs NzUw.exe (compiler.exe).
- It then checks the IP address from which it is being executed, using the ip-API service.
- We can see the network packet from ip-api.com; the response is written as a JSON object to disk in the INetCache folder.
- We can see procmon logs for the same.
- We can see that the JSON was written to disk.
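Two of the host-side artefacts above lend themselves to simple checks: a "text" file whose first bytes are the LuaJIT bytecode header the post reports (1B 4C 4A 02), and the persistence chain in which a scheduled task launches oobe\Setup.exe with no argument so that Setup\Scripts\ErrorHandler.cmd runs. The following is an added example written for this page, not code from the McAfee write-up; the file bytes, task action strings and process events it scans are constructed, and the pid/ppid record layout is an assumption standing in for whatever your EDR or Sysmon feed provides.

```python
"""Host-side checks for the two artefacts described in the infection chain above.

Added example, not code from the McAfee write-up. It uses two facts from the
post: readme.txt is LuaJIT bytecode (header 1B 4C 4A 02), and persistence relies
on oobe\\Setup.exe erroring out and running Setup\\Scripts\\ErrorHandler.cmd.
The file bytes, task action strings and process events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LUAJIT_MAGIC = b"\x1bLJ"   # ESC 'L' 'J': LuaJIT bytecode; the 4th byte is the bytecode format version
LUA_MAGIC = b"\x1bLua"     # ESC 'L' 'u' 'a': PUC Lua bytecode; the 5th byte encodes the version (0x51 = 5.1)
TEXT_EXTENSIONS = (".txt", ".md", ".log", ".ini")


def classify_bytecode(data: bytes) -> Optional[str]:
    """Label a blob that begins with a Lua or LuaJIT bytecode header, else None."""
    if data.startswith(LUAJIT_MAGIC) and len(data) > len(LUAJIT_MAGIC):
        return f"luajit-bytecode v{data[3]}"
    if data.startswith(LUA_MAGIC) and len(data) > len(LUA_MAGIC):
        major, minor = divmod(data[4], 16)
        return f"lua-bytecode {major}.{minor}"
    return None


def is_masquerading_text(filename: str, data: bytes) -> bool:
    """A 'text' file whose contents are actually Lua bytecode, as readme.txt was."""
    return filename.lower().endswith(TEXT_EXTENSIONS) and classify_bytecode(data) is not None


# Task action: optional quotes, a path ending in \oobe\setup.exe, then whatever arguments follow.
_SETUP_ACTION = re.compile(r'\s*"?(?P<exe>[^"\s]*\\oobe\\setup\.exe)"?\s*(?P<args>.*)', re.IGNORECASE)


def suspicious_setup_task(action: str) -> bool:
    """Task action that launches oobe\\Setup.exe with no argument.

    The post notes Setup.exe expects an argument; omitting it forces the error
    path that runs ErrorHandler.cmd, so an argument-less launch is the tell.
    """
    m = _SETUP_ACTION.fullmatch(action)
    return bool(m) and m.group("args").strip() == ""


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def find_errorhandler_chain(events: List[ProcessEvent]) -> List[int]:
    """PIDs of cmd.exe processes spawned by oobe\\Setup.exe to run Setup\\Scripts\\ErrorHandler.cmd."""
    by_pid = {e.pid: e for e in events}
    hits: List[int] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if (parent.image.lower().endswith(r"\oobe\setup.exe")
                and e.image.lower().endswith(r"\cmd.exe")
                and r"\setup\scripts\errorhandler.cmd" in e.cmdline.lower()):
            hits.append(e.pid)
    return hits


# Constructed samples (not captured from the malware).
SAMPLE_README = b"\x1bLJ\x02" + b"\x00" * 12          # header as reported in the post, then padding
SAMPLE_EVENTS = [
    ProcessEvent(50, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -s Schedule"),
    ProcessEvent(100, 50, r"C:\Windows\System32\oobe\Setup.exe", "Setup.exe"),
    ProcessEvent(101, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Windows\Setup\Scripts\ErrorHandler.cmd"'),
    ProcessEvent(102, 101, r"C:\ProgramData\<long random path>\NzUw.exe", "NzUw.exe readme.txt"),
    ProcessEvent(200, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(201, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    print("readme.txt:", classify_bytecode(SAMPLE_README),
          "masquerading:", is_masquerading_text("readme.txt", SAMPLE_README))
    print("task action flagged:", suspicious_setup_task(r"C:\Windows\System32\oobe\Setup.exe"))
    print("ErrorHandler chain cmd.exe PIDs:", find_errorhandler_chain(SAMPLE_EVENTS))
```

The three checks are independent: the header check catches the bytecode regardless of what the file is named, the task check catches the argument-less Setup.exe launch before it ever fires, and the process-tree check catches the chain at runtime even if the dropped binary has been renamed again.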
C2 Communication and stealer activity
- Communication with the C2 occurs over HTTP.
- We can see that the server sent the task ID OTMsOTYs for the infected machine to perform (in this case, taking screenshots).
- A base64 encoded string is returned.
- An HTTP PUT request was sent to the threat actor's server with the URL /loader/screen.
- The IP is attributed to the Redline family, with many engines marking it as malicious.
- Further inspection of the packet shows it is a bitmap image file.
- The name of the file is Screen.bmp.
- Also, note the unique user agent used in this PUT request, i.e., Winter.
- After dumping the bitmap image resource from Wireshark to disk and opening it with a .bmp (bitmap image) extension, we see the screenshot that was sent to the threat actor's server.
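The C2 exchange above has several network-visible indicators: the base64 task string, the PUT to /loader/screen, the User-Agent Winter, a BMP body, and the C2 address from the IoC table. The following is an added example written for this page, not code from the McAfee write-up; the HTTP messages it parses are constructed, and the returned tag names are my own labels.

```python
"""Triage of the Redline C2 exchange described above.

Added example, not code from the McAfee write-up. The indicators it keys on
(HTTP PUT to /loader/screen, User-Agent 'Winter', a BMP body, the base64 task
string OTMsOTYs and the C2 address 213[.]248[.]43[.]58) come from the post; the
HTTP messages below are constructed for the demonstration.
"""
import base64
from typing import Dict, List, Set, Tuple

KNOWN_C2_HOSTS = {"213.248.43.58"}  # from the post's IoC table (defanged there)


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def triage_request(raw: bytes) -> Set[str]:
    """Return the set of Redline exfiltration indicators present in one request."""
    method, path, headers, body = parse_http_request(raw)
    tags: Set[str] = set()
    if method == "PUT" and path.startswith("/loader/screen"):
        tags.add("put-to-loader-screen")
    if headers.get("user-agent") == "Winter":
        tags.add("ua-winter")
    if body.startswith(b"BM"):          # BMP magic: the screenshot is shipped as Screen.bmp
        tags.add("bmp-body")
    host = headers.get("host", "").split(":")[0]
    if host in KNOWN_C2_HOSTS:
        tags.add("known-c2-host")
    return tags


def decode_task_ids(token: str) -> List[int]:
    """Base64-decode the server's task string and return the numeric task IDs it lists."""
    text = base64.b64decode(token).decode("ascii")
    return [int(part) for part in text.split(",") if part.strip()]


# Constructed sample traffic (not a real capture). The body is a minimal 14-byte BMP file header.
SAMPLE_PUT = (
    b"PUT /loader/screen HTTP/1.1\r\n"
    b"Host: 213.248.43.58\r\n"
    b"User-Agent: Winter\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 14\r\n\r\n"
    + b"BM" + (14).to_bytes(4, "little") + b"\x00\x00\x00\x00" + (14).to_bytes(4, "little")
)
BENIGN_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    print("task IDs:", decode_task_ids("OTMsOTYs"))
    print("PUT indicators:", sorted(triage_request(SAMPLE_PUT)))
    print("GET indicators:", sorted(triage_request(BENIGN_GET)))
```

Decoding the page's task string yields a comma-separated list of numbers, which is why decode_task_ids splits on commas; the screenshot upload trips all four indicators at once, while ordinary browsing trips none, so any two together make a reasonable alert threshold even when the C2 address changes.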
Analysis of the bytecode file
- It is challenging to get a true decompilation of the bytecode file.
- Several open-source decompilers were used, each giving a slightly different Lua script.
- The script file was not compiling and threw some errors.
- The script file was sanitized based on the errors so that it could be compiled.
- Debugging process:
- One table (var_0_19) is populated by passing data values to two functions.
- In the console output, we can see base64 encoded values being stored in var_0_19.
- These base64 strings decode to more encoded data and not to plain strings.
- All data in var_0_19 is assigned to var_0_26.
- The same technique populates a second table (var_0_20).
- It contains the substitution key for the encoded data.
- The decryption loop iterates over var_0_26 element by element and decrypts each entry.
- This loop is also very long and contains many junk lines.
- The loop ends with assigning the decrypted values back to var_0_26.
- We place a breakpoint on line 1174 and watch the values of var_0_26.
- As we hit the breakpoint multiple times, we see more encoded data decrypted in the watch window.
- We can see decrypted strings like "Tamper Detected!" in var_0_26.
Loading LuaJIT bytecode:
Before loading the LuaJIT bytecode, a new state is created. Each Lua state maintains its own global environment, stack, and set of loaded libraries, providing isolation between different instances of Lua code.
It took table values and processed them using floating-point arithmetic and an XOR instruction.
In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.
Indicators of Compromise
Indicator | Value
Cheat.Lab.2.7.2.zip | 5e37b3289054d5e774c02a6ec4915a60156d715f3a02aaceb7256cc3ebdc6610
Cheat.Lab.2.7.2.zip | https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip
lua51.dll | 873aa2e88dbc2efa089e6efd1c8a5370e04c9f5749d7631f2912bcb640439997
readme.txt | 751f97824cd211ae710655e60a26885cd79974f0f0a5e4e582e3b635492b4cad
compiler.exe | dfbf23697cfd9d35f263af7a455351480920a95bfc642f3254ee8452ce20655a
Redline C2 | 213[.]248[.]43[.]58
Trojanised Git Repo | hxxps://github.com/microsoft/STL/files/14432565/Cheater.Pro.1.6.0.zip
The post Redline Stealer: A Novel Approach appeared first on McAfee Blog.
—————
How to Protect Yourself Against AI Voice Cloning Attacks
Imagine receiving a call from a loved one, only to discover it’s not them but a convincing replica created by voice cloning technology. This scenario might sound like something out of a sci-fi movie, but it became a chilling reality for a Brooklyn couple featured in a New Yorker article who thought their loved ones were being held for ransom. The perpetrators used voice cloning to extort money from the couple as they feared for the lives of the husband’s parents.
Their experience is a stark reminder of the growing threat of voice cloning attacks and the importance of safeguarding our voices in the digital age. Voice cloning, also known as voice synthesis or voice mimicry, is a technology that allows individuals to replicate someone else’s voice with remarkable accuracy. While initially developed for benign purposes such as voice assistants and entertainment, it has also become a tool for malicious actors seeking to exploit unsuspecting victims.
As AI tools become more accessible and affordable, the prevalence of deepfake attacks, including voice cloning, is increasing. So, how can you safeguard yourself and your loved ones against voice cloning attacks? Here are some practical steps to take:
- Verify Caller Identity: If you receive a call or message that raises suspicion, take steps to verify the caller’s identity. Ask questions that only the real person would know the answer to, such as details about past experiences or shared memories. Contact the person through an alternative means of communication to confirm their identity.
- Establish a Unique Safe Word: Create a unique safe word or phrase with your loved ones that only you would know. In the event of a suspicious call or message, use this safe word to verify each other’s identity. Avoid using easily guessable phrases and periodically change the safe word for added security.
- Don’t Transfer Money Through Unconventional Methods: Fraudsters often employ tactics that make retrieving your funds difficult. If you’re asked to wire money, use cryptocurrency, or purchase gift cards and disclose the card numbers and PINs, proceed with caution as these are common indicators of a scam.
- Use Technology Safeguards: While technology can be used for malicious purposes, it can also help protect against voice cloning attacks. Tools like Project Mockingbird, currently in development at McAfee, aim to detect AI-generated deepfakes, including audio-based clones. Stay informed about advancements in security technology and consider utilizing such tools to bolster your defenses.
- Educate Yourself and Others: Knowledge is your best defense against emerging threats. Take the time to educate yourself and those around you about the dangers of voice cloning and other forms of social engineering attacks. Encourage your loved ones to be skeptical of unsolicited calls or messages, especially if they involve urgent requests for money or personal information.
- Report Suspicious Activity: If you believe you’ve been targeted by a voice cloning attack, report it to the appropriate authorities immediately. Organizations like the Federal Trade Commission (FTC) and the Internet Crime Complaint Center (IC3) are equipped to investigate and address cybercrimes.
Voice cloning attacks represent a new frontier in cybercrime. With vigilance and preparedness, it’s possible to mitigate the risks and protect yourself and your loved ones. By staying informed, establishing safeguards, and remaining skeptical of unexpected communications, you can thwart would-be attackers and keep your voice secure in an increasingly digitized world.
The post How to Protect Yourself Against AI Voice Cloning Attacks appeared first on McAfee Blog.
—————
Report Suggests 93% of Breaches Lead to Downtime and Data Loss
—————
LeakyCLI Flaw Exposes AWS and Google Cloud Credentials
—————
Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation
—————