Scammers are trawling dating apps again. But they're not out to capture hearts but personal details—and your money, of course.
The post Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos appeared first on Malwarebytes Labs.

A horrible catfishing scam is using real abuse photos in order to lure in unsuspecting victims on sites like Tinder and Grinder. Recently unearthed by Bleeping Computer, it works like this:

Boy meets good-looking girl on dating site. The longer they talk, boy notices the conversation turning into a confession of abuse, with good-looking girl providing him pictures to back up her story. Good-looking girl then asks boy to “prove” his identity using an ID service which, you’ve guessed it, costs money.

Michael (not his real name) shared screenshots of a portion of his chat records with a “beautiful trans woman” with BleepingComputer.

“I almost fell victim to a uniquely cruel catfishing scheme,” he said.

Michael’s chat session included disturbing images of the alleged abuse. (Source: BleepingComputer)

The woman Michael was chatting with asked that he used a third-party “ID verification” service to prove that he’s not a former sex offender, backing up her request with “evidence” of abuse she’s suffered. “Cassey Queen” directed Michael on what website to use and what to do.

From one of the sites Bleeping Computer found:

> “We provide safety insurance in which both parties who are suppose to meet are being verified for safe meet up because some of our members complain that they are being harassed and sometimes ended up being robbed and beaten. We make sure that someone will be apprehended if he make some disrespectful acts.”

Many of the sites ask people to register with their card details and other information, including their full name, country of residence, ZIP code, and email address. The form where users enter their details is an HTML iframe, served by dot com sites with keysmash names. ntrfrnc.com is one of them.

One of the many keysmashed dot com sites that process payment details for scammy “ID verification” sites.

There are a handful of sites with the very same site template, and they all list the same office address in Cyprus.

**To verify or not to verify? No need to ask**

These “ID verification” services cost victims a lot of cash.

A sample listing of what daters would have to pay should they sign up for an ID check service. Those who sign up are also enrolled in a recurring subscription with membership options. (Source: BleepingComputer)

Additionally, all the details you give to these sites will be stored, processed, and used by these services however they like. This also means they could sell your details to third parties, use them to create synthetic profiles, or use them to pose as you online.

Users on Tinder and Grindr appear to be the targets of this scam, but keep in mind that tactics like this could easily spill over into social media sites and other watering holes that enable people to meet someone new.

Both Tinder and Grindr highly encourage their users to block and report profiles that appear to be a scam. So should you encounter one while looking for a potential date, you know what to do.

Stay safe!

Watch out! Tinder and Grinder users targeted by cruel scammers using real abuse photos

A recent phishing scam neatly illustrates some of the tactics scammers use to avoid human intuition and automatic detection.
The post If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake appeared first on Malwarebytes Labs.

Our spam traps recently caught a phishing scam that neatly illustrates some of the tactics scammers use routinely to avoid both human intuition, and automatic detection.

The scam starts with an unsolicited email, of course…

The scam email is ostensibly from the Post Office, an instantly recognisable postal service brand in the UK, and it tells recipients “There is a update in your parcel. item stopped due to unpaid customs fee.” \[sic\] This is an echo of an extremely popular SMS scam from 2021 that told recipients they had to pay a small postage fee to release a parcel waiting for delivery.

The spelling and grammar in the email is predictably awful, and a little weird—it looks like a bad scan by an optical character reader (OCR). However, despite decades of security advice highlighting poor spelling and grammar as an enormous red flag, the fact is it doesn’t seem to hurt the scammers. So while other tactics have evolved, poor English has persisted.

As simple as it is, and as bad as it seems, the message includes a number of features that help to avoid raising suspicions:

**It’s a familiar message from a trusted brand**

Half the email is taken up by a giant logo for an organisation that is instantly recognisable to anyone in the UK. The scammers are building trust in the sender and telling users this is about a postal delivery, without writing a word.

They are also piggybacking on a very familiar form of email communication. Delivery companies like DHL and Royal Mail regularly bombard us with email and SMS updates about deliveries, recipients are often asked to click through to websites to track parcels, and occasionally they have to pay postage or customs fees.

**The address looks good**

The from address starts “PostOffice.co.uk”, suggesting it’s come from the postoffice.co.uk domain. However, that’s the Display Name, a user-friendly name that can be anything the sender wants. The address is the part in angle brackets: support@subsecure-community.zendesk.com.

Some sharp-eyed users may spot that it’s actually a zendesk.com email address, but Zendesk itself is a trusted system that’s used by big brands, and getting an email from Zendesk isn’t unusual either.

Because Zendesk is an online business, it makes setting up new accounts very easy. And because it relies heavily on email, it uses features like DKIM to minimise the chances of its emails being forged or flagged by anti-spam tools. By setting up genuine Zendesk accounts, the scammers are able to benefit from those security features, and the trustworthiness of the zendesk.com domain.

Of course criminals don’t expect their accounts to last long, and this one was quickly shut down.

**The links don’t look bad**

Users who hover their pointer over the email’s links, hoping to see if they look nefarious, will be disappointed, as they’ll just see an impenetrably-complicated URL. A lot of emails use odd-looking and convoluted URLs, so it’s rare to see links that are obviously good or obviously bad, and these are unlikely to ring alarm bells.

The only oddity that might tip off knowledgeable users is that links go to Google. They look like this:

https://www.google.co**m**/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48\_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

This URL in the email is borrowed from a Google search results page. Why? Because the links in Google search results pages are open redirects that can be used by anyone to create a google.com URL that will redirect to a web page of their choice. Many companies regard open redirects as a security vulnerability, but Google does not.

The web page you end up on if you click the link in the phishing email is highlighted below, although we’ve replaced the name of the compromised website with example.org:

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi2z4al48\_3AhUDgf0HHQYWA-sQFnoECAkQAQ&url=https%3A%2F%2Fexample.org%2Fbaby-music%2F&usg=AOvVaw2RWSxL7fWRChaS7EhY5OuA

The Google open redirect helps to hide the real URL from curious users, but it may help to hide it from automatic detection too. The open redirect on google.com uses JavaScript rather than HTTP, so automated tools that follow chains of HTTP redirects won’t reach the scammer’s website, they’ll simply stop at google.com, which returns a status of 200 OK rather than 301 Redirect.

So where does it end up? Right now, nowhere. Whatever was waiting for victims on the compromised website—malware, malvertising, a payment form, or some other equally unpleasant thing—has been removed by the site owner. All that’s left is an empty directory.

The scammers, no doubt, have already moved on to a new compromised website, a new “burner” Zendesk account, and a different Google URL.

If you get an email saying “Item stopped due to unpaid customs fee”, it’s a fake

GoodWill ransomware has victims do something other than pay a ransom to recover their files.
The post Eerie GoodWill ransomware forces victims to publish videos of “good” deeds on social media appeared first on Malwarebytes Labs.

Ransomware does what the name implies: holds your files or network to ransom. Pay the authors, typically in cryptocurrency, and you may get your files back. Refuse, and the files could be lost forever or even leaked to the far corners of the net.

Sometimes creators of ransomware try different things. In this case, a proof of concept called GoodWill ransomware’s approach is to force victims into performing seemingly nice tasks instead of pay a ransom.

**Hunting for GoodWill**

GoodWill ransomware functions like any other, at least in terms of basic functionality. It encrypts the most common file types: videos, documents, photos, databases. Without the decryption key, you won’t be able to recover your locked files.

There’s one key difference, however. The people behind this attack want victims to get out there and do some public good. Perform three good deeds, and you get your files back. That’s right: No cryptocurrency payment, no gift card codes required.

**Hoop jumping as kindness**

Things quickly become a bit disturbing.

Imagine: you’ve just had your computer locked up with ransomware. You’re told you must perform three acts of kindness to get your files back. The catch: you have to film and upload these good deeds to social media. Is this already beginning to creep you out? Because it should.

To be clear: criminals are asking victims of crime to humiliate themselves on social media to recover things stolen from them.

The three “activities” that victims are asked to do in order to get their files back are as follows:

**“Activity 1”**

> _“That we all know Thousands of people die due to sleeping on the roadside in the cold because they do not have clothes to cover their body.  
> **So, your 1st task is to provide new clothes/blankets to needy people of road side and make a video of this event.**  
> Later post this video/photo to your Facebook, Instagram and WhatsApp stories by using photo frame provided by us and encourage other people to help needy people in winters. Take a screen shot of your post and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.  
> It’s Does not costs you high but matters for humanity.”_

**“Activity 2”**

> _“Thousands of poor children have to sleep hungry in the long cold nights, because those ill-fated people have no luxury to have dinner every night in this cruel world. You cannot feed them food for life, but you can give them 2 moments of happiness!  
> How!! Hmm, Listen. In the evening, pick any 5 poor children (under 13 years) of your neighborhood and take them to Dominos Pizza Hut or KFC, then allow them to order the food they love to eat and try to make them feel happy. Treat those kids as your younger brothers. Take some Selfies of them with full of smiles and happy faces, Make a beautiful video story on this whole event and again post it on your Facebook and Instagram Stories with photo frame and caption provided by us. Take a screen shot of your posts, snap of restaurant’s bill and send email to us with valid post link, later our team will verify the whole case and promotes you for the next activity.  
> Help those less fortunate than you, for it is real human existence.”_

**“Activity 3”**

> _There are so many people in the world who have suffered the pain of losing their loved ones due to lack of money. Lack of money is the biggest misfortune to get medical treatment at the right time.  
> Hmm, what’s your duty now! Hmm, Listen again! Visit the nearest hospital in your area and observe the crowd around you inside the hospital premises. You will see that there will be some people who need certain amount of money urgently for their medical treatment, but they are unable to arrange due to any reason. You have to go near them and talk to them that they have been supported by you and they do not need to worry now, Finally Provide them maximum part of required amount. Again, Take some Selfies of them with full of smiles and happy faces,  
> Record Audio while whole conversation between you and them and send it to us.  
> Write a beautiful article in your Facebook and Instagram by sharing your wonderful experience to other peoples that how you transform yourself into a kind human being by becoming Victim of a Ransomware called Good Will._

Once the victim has performed all three tasks, they must send the links and the gang promises to “verify the whole case” and hand over the decryption keys.

**No good will for GoodWill**

Aside from anything else, this is incredibly invasive of people’s privacy. Do the people in the videos get a say in this? It seems they do not.

This is genuinely one of the most disturbing infection-themed attacks I’ve seen in a long time. Turning people into some sort of game show contestant, complete with performative acts of kindness which are _only_ occurring because of blackmail, flies in the face of their alleged intended goal.

We also have no indication if the authors intend to change their tasks at a later date. Reports mention the file attempts to geolocate victims. Could we see location-themed tasks which account for differences in rules, funding, social norms? Or is it a dice-roll in terms of hoping you’re assigned tasks you’re actually able to complete?

Despite the file name, there’s not a lot to feel good about here. Asking for cryptocurrency payments to release files and hope they’re not leaked is bad. Making people upload videos of themselves performing baffling and potentially dangerous tasks feels even worse.

Malwarebytes detects GoodWill as Ransom.FileCryptor.MSIL.Generic.

We are yet to see anyone being infected with the ransomware, so can only hope this never makes it off the drawing board in any significant capacity.

Eerie GoodWill ransomware forces victims to publish videos of “good” deeds on social media

Malware attacks against Linux systems are on the rise. And when it comes to bot malware, XorDDoS is the frontrunner.
The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is to brute force its way to gain root access to various Linux architectures.

As Microsoft said in the report:

> “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

XorDDos’s attack vector (Source: Microsoft)

**Security IoT devices**

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company who built your IoT device if you’re unfamiliar or unsure how to do any of the below.

*   Change your device’s default password to a strong one
*   Limit the number of IP addresses your IoT device connects to
*   Enable over-the-air (OTA) software updates
*   Use a network firewall
*   Use DNS filtering
*   Consider setting up a separate network for your IoT device(s)
*   When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

Massive increase in XorDDoS Linux malware in last six months

A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor. 
The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

_Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article._

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking _out_ of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

**Saitama’s DNS tunnelling**

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

**Saitama’s messages**

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = **message**, **counter** '.' **root domain**

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

**1\. Make contact**

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

**nbn4vxanrj.joexpediagroup.com**

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is **nrj**.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message **nbn4vxa**.

**a** b c d e f g **h** i j k l m n **o** p q **r** s **t u** v w x y z 0 1 2 3 4 5 6 7 8 9
↓             ↓             ↓     ↓   ↓ ↓             
**n** j 1 6 9 k p **b** h d 0 7 y i **a** 2 g **4** u **x** **v** 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.**203**

**2\. Ask for a command**

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as **ao**. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to **nrc**, and one of Saitama’s three root domains is chosen at random, resulting in:

**aonrc.uber-asia.com**

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.**0**.**0**.**4**

**3\. Get a command**

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message **k7myyy**.

The counter is encoded using the hard-coded alphabet to **nr6**, and one of Saitama’s three root domains is chosen at random, giving us:

**k7myyynr6.asiaworldremit.com**

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2

Saitama

43

Static

70

Cmd

71

CompressedCmd

95

File

96

CompressedFile

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

**70**.**118**.**101**.**114**

**4\. Run the command**

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

**p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com**

The counter is encoded using the hard-coded alphabet to **nrb**, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message **p6yqqqqp0b67gcj5c2r3gn3l9epzt**.

**Detection**

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

**IOCs******Maldoc****

Confirmation Receive Document.xls  
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

**Saitama backdoor**

update.exe  
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

**C2s**

uber-asia.com  
asiaworldremit.com  
joexpediagroup.com

How the Saitama backdoor uses DNS tunnelling

Google has issued an update for the Chrome browser to patch 32 security issues . One of the vulnerabilities is rated as critical, so install that update as soon as you can.
The post Update now! Multiple vulnerabilities patched in Google Chrome appeared first on Malwarebytes Labs.

Google has announced an update for the Chrome browser that includes 32 security fixes. The severity rating for one of the patched vulnerabilities is **Critical**.

The stable channel was promoted to 102.0.5005.61/62/63 for Windows, and 102.0.5005.61 for Mac and Linux.

**Critical**

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program.

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

Google does not disclose details about vulnerabilities until users have had ample opportunity to install the patches, so I could be reading this wrong. But my guess is that an attacker could construct a specially crafted website and take over the visitor’s browser by manipulating the IndexedDB.

**Other vulnerabilities**

Of the remaining 31 vulnerabilities, Google has rated 12 as **High**. High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate, other origins.

Another 13 vulnerabilities were rated as **Medium**. Medium severity bugs allow attackers to read or modify limited amounts of information, or which are not harmful on their own but potentially harmful when combined with other bugs.

Which leaves six vulnerabilities that were rated as **Low**. Low severity vulnerabilities are usually bugs that would normally be a higher severity, but which have extreme mitigating factors or a highly limited scope.

**How to update**

If you’re a Chrome user on Windows, Mac, or Linux, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

My preferred method is to have Chrome open the page **chrome://settings/help** which you can also find by clicking **Settings > About Chrome**.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

You should then see the message, “Chrome is up to date”.

Affected systems:

*   Google Chrome for Windows versions prior to 102.0.5005.61/62/63
*   Google Chrome for Mac and Linux versions prior to 102.0.5005.61

Stay safe, everyone!

Update now! Multiple vulnerabilities patched in Google Chrome

We take a look at services claiming to offer verification of Instagram accounts, along with the many ways it can go wrong.
The post Instagram verification services: What are the dangers? appeared first on Malwarebytes Labs.

Instagram, like other social platforms, has a verification system for high profile accounts. A verified badge means **I**nstagram has confirmed that the account is the authentic presence of a public figure, celebrity or brand.

Have you ever wanted to get your own account verified? We noticed a large number of Instagram accounts all claiming to offer this as a service. Quick, easy, guaranteed. Or so they claim. After digging into it, we had a few questions of our own.

**Setting the scene**

Here’s just some of the identical profiles we’ve seen promoting one specific verification service.

Most of the profiles contain the same information in the bio section. Here’s a typical example:

The verification process “takes 1-2 hrs”, has a 100% success rate, and payment is required before processing. You can send a direct message, or visit their shortened link for more information.

**Forming an orderly line**

The link in the bio section leads to a Google Docs form. Unless you view the document while signed into a Google account, you won’t be able to see the content or fill it in.

The service says it will submit your profile to Instagram for verification. Given the only way to do this as a regular user is submit it yourself via the app, this means the service would presumably need your login details to do it. This is highly relevant to our next line of investigation.

**Of media partners and promotional agencies**

One section of the form notes the slick, professional approach it has in relation to verification and third-parties:

*   We would like to share everything about our service and marketing strategy. We are the only legitimate agency that provides a guarantee of verification. If we are not able to get you the blue badge, we will refund your entire payment.
*   As you know we have a few talented Instagram media partners agencies. They will do everything for your verification with maintaining all the terms of Instagram authority. They are highly qualified to do that and have a high success rate.

As this article mentions, celebrities may work with agencies with access to Facebook’s Media Partner Support for verification instead. Incidentally, that’s another approach filled with booby-traps. Do we think any of these identical profiles are working to that level?

The form also lists several Instagram accounts which have been “successfully verified” as a result of its guidance. This includes one account which no longer exists, and a well known brand of cheese spread which doesn’t appear to post content anymore. We reached out to the two Instagram accounts which accept direct messages, but didn’t receive a reply.

With all of this in mind, it’s time to ask one of these accounts some questions directly.

**Question time for an Instagram verification service**

I sent a message to the profile highlighted up above.

I asked the following:

_Hi, I have some questions about the verification process and was hoping you could answer before I sign up._

> _1) What are the fees, and which payment method do you use_
> 
> _2) The form says you use a “few talented Instagram media partner agencies”. Who are the agencies?_
> 
> _3) If there’s a 100% success rate, why is there a money back guarantee for unsuccessful applications?_
> 
> _4) How did you help to verify several accounts which are much older than your own?_
> 
> _5) Why is your own account not verified?_
> 
> _Thanks!_

Question 5 is particularly important: with so many identical profiles, _how do we even know which one is the real deal_? If verification is so easy, _where is their own verified profile badge_?

At any rate, they only replied after a follow-up message, promised to answer my questions immediately, and promptly disappeared again. It seems my verified status is not to be, but on the evidence seen so far, I think I can live without paying someone money for the privilege.

**How verify me scams on social media usually end**

There’s a few likely final destinations for respondents of detail-free, evasive operations nestled inside dozens of spam accounts.

1.  They (eventually) send you a request for payment and a link to their processing tool of choice. Once you pay, you never see them or the money again. If you had as much difficulty as I did trying to get basic information from a supposed Instagram verifier, would you trust them with your money?
2.  You’re sent a link to a website asking you to fill in your details. The website is nothing more than a phishing page, grabbing personal details and login information. Worth noting that although the “service” I encountered above made use of a Google Docs form, it did _not_ ask for logins.

> @instagram our business page gets many scam imposter accts a week pretending to be us & asks our customers for money. We have tried 4 times to get verified without success. We tried again & got this. I assume this isn’t real but at this point I’m almost desperate enough. Fake? pic.twitter.com/8LuamvPnHI
> 
> — Sharpie (@itsmesharpie) March 24, 2021

3.  Either of these methods may involve a request for scans of identification. Sending scammers copies of your passport pages is never going to be a good idea. One of the most brazen combinations of most of these tactics can be seen in this CNET article from last year.

**Safe verification practices**

There’s a bit of mystery as to how certain sites verify individuals. Instagram is refreshingly straightforward and direct in its approach. It pretty much all boils down to preventing impersonation of “notable” individuals. If you’re in a big pile of press links, articles about you, things which have gained column inches somewhere, then you’re probably going to be verified.

Here’s some more information from the Head of Instagram, Adam Mosseri:

Follower count doesn’t matter. If you see someone claiming to offer verification based on follower count, you can safely disregard that entity. If you’re asked to login somewhere then don’t do it. And don’t send scans of identification documentation either.

The allure of verification on social media is too powerful for many people to resist, and that’s what scammers are banking on. If you believe you need it, by all means send in an application to your platform of choice. By the same token, think very carefully about entrusting non-verified spam accounts with your personal details, money, or even identity documents. It almost certainly won’t turn out to have been worth it.

Instagram verification services: What are the dangers?

US car producer General Motors says its Rewards platform was the victim of a credential stuffing attack last month.
The post General Motors suffers credential stuffing attack appeared first on Malwarebytes Labs.

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

**Credential stuffing**

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to get as many valid user account credentials and use that access to commit fraud, or sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.

**The attack**

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

**Victims**

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

> “Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

**Stolen information**

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

*   First and last name
*   Email address
*   Physical address
*   Username and phone number for registered family members tied to the account
*   Last known and saved favorite location information
*   Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

**Mitigation**

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA)which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

General Motors suffers credential stuffing attack

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

**The campaigns**

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

**1\. Interactive map of Ukraine**

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

**2\. Log4j patch**

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email address.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch

In a confident demonstration of just how little attention people pay to such lists it ends “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

The PDF attachment links to a VirusTotal entry for an unrelated file

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

The rostec.digital website  

The rostec.digital facebook account

The rostec.digital Instagram account

**3\. Build Rostec**

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

**4\. Saudi Aramco job**

The most recent campaign occured in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as decoy, and created a directory named Aramco under C:\ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

A malicious job advert urges Russian readers to enable macros

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\Documents\AdobeHelpCenter directory.

The template also seems to do a redundant check for the existence of %USER%\Documents\D5yrqBxW.txt and only if it doesn’t exist, will it drop the script and execute it.

Macros embedded in the remote template

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

Deobfuscated HelpCenterUpdater.vbs

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

Deobfuscated UpdateRunner.vbs

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

The attack chain for the Saudi Aramco-themed APT campaign

The malware, which is common to all four campaigns, is explained in detail in the next section.

**Payload analysis**

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

The DLLMain function from GE40BRmRLP.dll

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

**Anti-analysis techniques****Control Flow Flattening**

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening and OLLVM allows users to specify this. Additionally we also saw what looks like the Bogus Control Flow LLVM pass being used.

Control Flow Flattening used by the malware

**String obfuscation**

The payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: The encoded string, the destination of the decoded string, and the byte that is used while decoding the string.

Each string is decoded every time it’s required by the malware.

The decode_string function from GE40BRmRLP.dll

**Command and control**

Before contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:

*   GetFileAttributesA on the C:\Windows directory
*   GetComputerNameA
*   GetVolumeInformationA on the C:\ drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

Deriving the ID

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=_data_, where _data_ contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

HTTPS GET request

Based on the response to the above request, the malware decides which of command to execute:

1.  **getcomputername**. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
2.  **upload**. This receives a file name and file contents from the C2 which it writes to the local file system.
3.  **execute**. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
4.  **exit**. This is used to terminate the malware process.
5.  **ls**. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory and sends it back to the C2.

The upload command

The List Files command

**Attribution**

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.

Infrastructure overlap between Sakula RAT and the malware analzed in this article

Another interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.

**IOCs****C2 Domains**

windowsipdate\[.\]com  
microsoftupdetes\[.\]com  
mirror-exchange\[.\]com

**C2 IPs**

168.100.11.142  
192.153.57.83  
45.61.137.211  
206.188.197.35

**Download Domain**

fatobara\[.\]com

**Download IP**

91.210.104.54

****Hashes****

Name

Hash

Final payload

cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541  
86ecd536c84cec6fc07c4cb3db63faa84f966a95763d855c7f6d7207d672911e  
917820338751b08cefc635090fc23b4556fa77b9007a8f5d72c11e0453bfec95  
22bdc42a86d3c70a01c51f20f5b7cfb353319691a8102f0fe3ea02af9079653e  
12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a  
3f16055dc0f79f34f7644cae21dfe92ffc80f2c3839340a7beebd9436da5d0eb  
f5658588c36871421f287f12e7e9ba5afba783a7003da1043a9c52d10354b909  
ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d  
bac1790efe7618c5b2b9e34e6e1d36ec51592869bcc5fb304dd7554c32731093  
5d039f4368f88a2299be91303c03143e340f700f1fc8aa0a8cdbfbc5a193c6be

patch\_Log4j.tar.gz

4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7

PDF attachment

f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488

Emails

0625566ec55f0a083d1c1a548a2631502f17e455066b29731e29d372918e6541 0925b3c05cef6d3476a97b7d4975e9e3ceefedf62f42663b9c02070e587b3f2d 111fef44ba63f11279572f1e7e4d6ce5613ef8fe3b76808355cdcbed47b49fec 1c886a9138f3b0e0b18f1c0da83719a9b5351db7ce24baa13c0e56ef65d96d02 1fb0cd76ec5ae70f08a87f9e81cb5e9b07f9b3306772ae723fa63ff5abfa0d07 27d19efedb6a7c8d3c65fe06fd5be9c3e236600e797e5058705db1e2335ec2ad 310fa9c65aa182a59e001e8f61c079e27d73b8eb5f8f8965509cb781d97ba811 3627b37b341efa0b36352d76480dce994f481e672ebf9fa2da114a1339cf6c01 3655420f72d0c14cfb113ccb53e9ac85b87883913c3844b3e0bfb7bd7230a9bd 3b2ef76ec2eb3b4db4b7efe14d88c5338f1dc4eb9a9cf309989362d193c25403 3e9254d8cb25b2abf4fb755feaaf41c0059c68067e64de01a9242e5d9e47ab33 3ff96e73aeb0419df67bc5fec786a4dc82e4a9051274b4fc3cbc3ae3af7fdf94 44118322165be32de86569972e9f599a3c79a2336ca6f76c29861b40905cd067 4b6b0c29ece1c4719ec4d5186fb6247603fa1f03bd473bf6ef6367995e8c1121 4f28db1131ace2fce96e84172e0a861eb471ea054799e1132eb4945e4dca550b 4f8c2079ac98a3e8e085be8e88ff7b53ea70cb131cba4bfd2784e391d24c27e9 5a662050df51863575700a8e21efe605f4e789404d4bb53b4299f32b93e8d20f 5aa0a15e052fea2a2d445940ef751ddf3d3ae7c43c095a738b9bd603efc7df8b 5b9c7fe8ee5756dbd8563b3efe8dbc0966ad9044ff223b8797940f9e4e47333e 5ccf98699b96c811f4dab768cf486dc0f31b098dba30e031ba4ab2a5a5a3aba8 7ee7b2193b1e53f93dc2ed573d8f927cfa0916ccf111ff35faef9c4b153456f2 80a3de79f6c859d6c4667f705588c7c254d24fca2f44704123a2ba38e7c285a9 810d6566d9879c10a6a8581bb6ea6bed83a14a869383ad7e1ee16eadfd5bbb54 811827026414bdd400257cd3f048a1c75a2b211d02ac790510b800baa0702de4 81f24d1c310214b8f66345f250a6d5493e5e1cdf06d39d18a96cd9f93a1e7655 ac328efa54b6dd4497ba5dc6195474b8b9e5a7bcd32d5733e5006be9bbd0dc22 b63ef28fc1b0b1180fe9f476fe2ef3970b9928b009354e996bb2bf4ece223031 b99580152dde60622c1a962cd7cee1834d0ee86490785ac02d8ee51b73be008f c9623e83d875d6b9ca1a80087151b59a4037159c605ee92c6c795252ccf89596 cd277299ed849de71e88f698c1c06b0cfa65f166b0e90fc620aa50f6efe70161 d4062c6fd3813299ac721309fe0385a5337cea8b8e3605b05458467aeb23d8c0 e19b7dfe0e693c468c73f0a9e4c751216787daeff7d933cedcc10c932bd2835e e444303f1888b1ee5eeb69a0c4c3372b0cd2276b6987b0b18ea2267ff7ba19ad f15d90da5e253aaf570d29ffb9bf87ce7d8292b953d13e5a0f86b8671a4c57e7 fa800e6e16444894455b2a8f9e245efbe8b298fc8af9d7f8e155bb313ca9e7bb fc4af16fed48bd3a029ce8bfc4158712f9ab0cd8b82ca48cb701923d0a792015