Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Team behind Abuse.ch and ThreatFox launch new hub for scanning and hunting files using YARA

Security teams have a new tool to hunt for malware, using open source YARA rules.

YARAify can scan files using public YARA rules, integrate public and non-public YARA rules from Malpedia, operated by Germany’s Fraunhofer Institute, and scan using open and commercial ClamAV signatures.

Researchers can set up hunting rules to match both YARA rules and ClamAV signatures, and link YARAify to other tools via APIs.

**Pattern matching**

YARAify was developed by security researchers at Abuse.ch, a project from the Institute for Cybersecurity and Engineering (ICE) at the University of Applied Sciences at Bern, Switzerland.

According to founder Roman Hüssy, YARA rules are powerful but difficult to handle.

For example, rules are spread across platforms and git repositories, and there is no simple way to share them. Nor is there a single, consistent naming convention for YARA rules, leading to duplication and difficulties in rule handling.

Hüssy has added both a unique identity, , and YARAhub to help researchers share rules.

**RECOMMENDED** GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Rule authors can also set up TLP classifications on YARAhub to allow others to use the YARA rule to hunt for threats, without seeing the rule itself.

“YARA is an open source tool for pattern matching,” Hüssy told _The Daily Swig_. “It allows anyone, usually security researchers or vendors of security software, to write their own rules to detect \[issues\] such as malicious or suspicious files.

“We decided to launch the YARAify platform to the public to allow anyone to share their YARA rules with the community in a structured way and to use those to hunt for suspicious and malicious files seen within the Abuse.ch universe.”

Hüssy hopes that YARAify will become the default platform for security researchers to share YARA rules. The response so far has been overwhelmingly positive, he said.

**Threat intel**

Security vendors are increasingly supporting YARA rules in their own applications, and YARA rules are used widely by SOCs and in threat hunting and threat intelligence.

Data protection and resilience vendor Rubrik, for example, has built support for YARA rules into its tools, to help IT teams with incident containment, and with threat hunting, especially to prevent a firm reinfecting its systems from compromised backups.

"When talking about YARA it is important to distinguish between YARA the tool and YARA rules,” James Blake, field CISO at Rubrik, told _The Daily Swig_.

“YARA rules are the descriptions of malware that the YARA tool creates when given a file to analyse. The adoption of YARA rules in open source and commercial preventative and detective controls, other standards such as STIX for threat intelligence exchange, as well as in threat intelligence platforms, have now extended way beyond just the YARA tool.”

Check out more of the latest hacking tools

YARA rules can be used to “allow a net to be cast wide and then gradually refined” during threat hunting, as researchers focus in on particular malware strains. But YARA rules are powerful because they can describe not just the content of an executable, but also its behavior. This helps researchers track malware families, even as they adapt.

“YARA rules are extensively used in mature SOCs and mature service provider organizations to improve detection and prevent some of the noise that’s generated by more simplified hash-based detections,” Martin Riley, director of managed security services at consulting firm Bridewell, told _The Daily Swig_.

Bridewell uses YARA rules to identify trends and carry out reverse map engineering on some malware.

“YARA rules essentially replace hash values of files, which can be easily manipulated by attackers,” Riley said.

“YARA rules provide a higher fidelity and more valuable detection mechanism for malicious objects within a network.” YARAify, he suggested, provides researchers with an alternative to tools such as Google’s VirusTotal.

**DON’T MISS** Rise in off-the-shelf ransomware kits continues

YARAify: Defensive tool scans suspicious files against a large repository of YARA rules

Malwarebytes found a family of forced Chrome extensions that can't be removed because of a policy change that tells users "Your browser is managed".
The post Forced Chrome extensions get removed, keep reappearing appeared first on Malwarebytes Labs.

In the continued saga of annoying search extensions we have a new end-of-level boss.

Victims have been reporting browser extensions that were removed by Malwarebytes, but “magically” came back later. Since the victims also complained about the message saying their browser was “managed”, we had a pretty good idea where to look.

_custom search bar_ is _one of the forced extensions_

**Search extensions**

The culprits turned out to be search extensions. Which is often the case when we spot potentially unwanted programs (PUPs) that use malware tactics to get installed and gain persistence.

The search hijackers “active search bar” and “custom search bar” were both available in the Chrome web store at the time of writing even though we reported them days ago.

_active search bar is also available in the webstore_

**PowerShell**

It took some digging to find the origin, since all we had were the extensions. And when the extensions were installed directly from the webstore, nothing happened out of the ordinary. However, some hunting on VirusTotal soon led me to a few recently uploaded PowerShell scripts that included the string “ExtensionInstallForcelist.” I looked for that string because we know from the past that these registry policies account for the “Your browser is managed” warnings.

$CPath = "HKLM:\SOFTWARE\\Policies\\Google\\Chrome\ExtensionInstallForcelist";

$EPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist";

The description in the Chromium documentation about the ExtensionInstallForcelist states:

> “Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.”

And to confirm this finding, the victims that provided logs all had one of these PowerShell script listed in their Scheduled Tasks.

_The Scheduled Task triggers the PowerShell script_

The Scheduled Task was set to run every four hours, which explained why the extensions kept coming back.

**Installer**

But Scheduled Tasks don’t install themselves either and dropping PowerShell scripts in the System32 folder requires Administrator privileges, so we needed to dig a little further to find an installer.

The domain wincloudservice.com was used as a download location in all the PowerShell scripts so we used that domain as a search parameter in our next stage of VirusTotal hunting. This search eventually returned three installers. What they had in common at first glance was that the filenames all ended with “\_x64LTS.exe” and that they were all signed by “Tommy Tech LTD.”

Upon further inspection we noticed that the installers all asked for Administrator privileges twice. The first part installs something that is called “Setup” and the second part installs an application that aligns with the name of the installer. So, it appears that the original installer files were “patched” to add the installer for our browser hijacker. It stands to reason that these installers are offered for download somewhere by the threat actors.

The EULA points to tommytechil.com which is unreachable. I was unable to find an installer that actually dropped an extension in Edge, but the “Your browser is managed by your organization” setting does get enforced.

_Edge managed by your organization_

**Javascripts**

Malwarebytes customers were protected against these extensions as Malwarebytes’ web protection module blocked the domain wincloudservice\[.\]com. On inspection, this domain hosted several javascripts including heavily obfuscated files called crypto.js and crypto-js.min.js.

**Detection and removal**

Malwarebytes detects these browser hijackers as PUP.Optional.ActiveSearchBar and PUP.Optional.CustomSearchBar. Included in the removal procedure are the extension, and the Scheduled Task, which is enough to permanently get rid of the extension.

Some Windows registry changes have been made that will take a system administrator to decide what they want to keep or not.

The registry keys to remove the “Your browser is managed” are:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForceList

And another change made by the installer was the registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\\\\ExecutionPolicy

The installer set that to “Unrestricted” which may not be your favorite setting. If you are not sure or you have never actively set that policy, the default is “Restricted”. Please note that in some organizations PowerShell is required to run.

**IOCs**

**Domains:**

activesearchbar\[.\]me

customsearchbar\[.\]me

optimizerupdate\[.\]com

securedatacorner\[.\]com

wincloudservice\[.\]com

**Installers:**

4kvideodownloader\_5.22.371\_x64LTS.exe

AutoClicker\_x64LTS.exe

FPSUnlocker\_4.1\_x64LTS.exe

**PowerShell scripts:**

PrintWorkflowService.ps1

WindowsUpdater1.ps1

OptimizerWindows.ps1

**Extensions:**

custom search bar nniikbbaboifhfjjkjekiamnfpkdieng

active search bar pkofdnfadkamabkgjdjcddeopopbdjhg

Forced Chrome extensions get removed, keep reappearing

A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions.
The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.

Unlike NSO’s Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed.
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste.
*   CVE-2020-9907 internally referred to as AveCesare.
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
*   CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

> RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

Hermit spyware is deployed with the help of a victim’s ISP

The clever, interactive phishing campaign is a sign of increasingly complex social-engineering attacks, researchers warn.

A social-engineering campaign bent on stealing Facebook account credentials and victim phone numbers is targeting business pages via a savvy campaign that incorporates Facebook's Messenger chatbot feature.

That's according to an analysis from Trustwave SpiderLabs. Karl Sigler, senior security research manager there, tells Dark Reading that the campaign is notable for its interactivity, and how much more complex the social-engineering aspects of phishing campaigns have gotten.

"You don't just click on a link and then be prompted to download an executable — most people are going to understand that's an attack and not click on it," he explains. "In this attack, it's a link that leads you to a tech-support-type channel asking for information that you would expect tech support to ask for, and that ramping up of the social-engineering aspect is relatively new with these types of campaigns."

**Interactive & Seemingly Legitimate: A New Face of Phishing**

According to the research, the attacks start with emails, as they often do. The emails claim that user pages will be terminated in 48 hours due to a violation of Facebook's community standards — a savvy lure, researchers pointed out, given that the social-media giant has been vocal about its efforts to clamp down on rules-breakers.

The sender, purporting to be from Facebook's support team, claims to be giving users a chance to appeal, and offers an "Appeal Now" button to click directly from the email. If one hovers over the button, the URL uses Meta's legitimate URL-shortening service (which uses the convention "m.me"). If users click, they're taken to a real Messenger conversation with a chatbot.

The chatbot claims to be a representative of the Facebook support team, and presents another "Appeal Now" button to victims. The embedded link takes users to a new tab to a website hosted in Google Firebase.

"Firebase is an application development software that provides developers with a variety of tools to help build, improve, and grow the app \[making it\] easy for anyone to create and publish webpages," according to Trustwave's Tuesday analysis. "Spammers take advantage of this availability, and in this case, they built a website disguised as a Facebook 'Support Inbox,' where the user can purportedly appeal the supposed deletion of their page."

On this page, now-victims are asked to enter their email address or mobile number, first and last name, and page name. An additional text box for a phone number is displayed even though a mobile number is already being asked in the first text box. After pressing a "Submit" button, a pop-up window appears asking for the victims' passwords.

All of the data is of course sent directly to the cybercrooks' database.

The last link of the attack chain involves a bogus two-factor authentication gambit — users are presented with a pop-up box asking for a code, and are told they'll be sent a one-time password, which the attackers do since they've been able to capture victims' email and phone data.

Finally, the page will then redirect to the actual Facebook Help Center.

**Bolstering Trustability in Phishing**

One of the aspects that makes this campaign so effective is the fact that chatbots are a common feature of digital marketing and live support these days, and people are not inclined to be suspicious of their contents, especially if they come from a seemingly genuine source.

"The campaign uses the actual Facebook chat mechanism," Sigler says. "When you click the link in the email and it takes you literally to Facebook, and you can see your account profile up top, you can see that it's Facebook, you can look at the URL and it's got the nice little lock up-top that lends trust. The supporting says Page support. They've given me a case number. And that's often enough to break down those the barriers that a lot of people put up to identify the red flags associated with phishing."

Sigler warns that attacks like these can be especially risky for business-page owners in particular.

"This could be leveraged very well in a targeted-type of attack," he notes. "If I know an organization has standardized on specific messaging clients, whether it's Skype or Teams or Signal, I can start to craft a campaign specific to that messaging platform."

Cybercriminals can cause plenty of damage for business users with Facebook credentials and phone numbers, Sigler adds.

"If the person who is in charge of your social networking falls for this type of scam, suddenly, your entire business page may be defaced, or they could leverage access to that business page to gain access directly to your customers using the legitimacy of that Facebook presence," he explains. "They'll also probably go after additional network access and data."

**Phishing Defense with User Awareness Training: Still Effective**

The use of valid infrastructure to propagate such attacks is a sign of things to come in phishing, Sigler notes.

"A lot of times, these types of attacks will use cloned sites or those typosquatted domains that look like Facebook, but it's actually 'Facebock,' let's say," he says. "Going forward, we're going to continue to see a trend of attacks coming from traditionally valid sources, and it's going to be harder and harder to distinguish these campaigns because of that legitimacy level that they're piggybacking on top of."

That said, it's worth noting that this particular campaign was not without its suspicious red flags. For instance, the emails have grammatical problems, such as the improper capitalization of the word "Page," and the missing period at the end of the third sentence, researchers pointed out. And in the email header, the sender is named as "Policy Issues," but the sender domain does not belong to Facebook. It is also evident in the email's Received headers and sender IP address that it was not sent by the social media platform.

There are also problems when users are taken to the purported support page.

"Closer inspection of the profile owning the page will reveal that this is not an actual support page," according to the research. "The profile used is just a normal business/fan page with zero followers and no posts. Even though this page may seem unused, it had a 'Very Responsive' badge which Facebook defines as having a response rate of 90% and responds within 15 minutes. It even sported a Messenger logo as its profile picture to appear legitimate."

"While this type of attack is a little bit clumsy from my point of view, and I think a lot of people would see through it because of the red flags, I think that this is a start and I think that they're going to get much more clever," Sigler warns.

Thus, the best defense is to focus on user phishing training, Sigler advocates.

"More than 95% of compromises are initially started with somebody clicking on the wrong link in a phishing email," Sigler notes. "Hopefully organizations are having ongoing security awareness training, because the only thing you can do to patch for this type of attack is educate your users. So, it's important to revisit your security-awareness program, to take a look at what you're currently teaching your employees and users about phishing attacks, and make sure that it's up-to-date and includes some of these more complex campaigns."

Facebook Business Pages Targeted via Chatbot in Data-Harvesting Campaign

Google Analytics has been found to be in violation of GDPR privacy laws by Italy — the third country to ban it.

Italian regulators have decided to ban the use of Google Analytics, citing the US government's easy access to consumer data, which puts the service in violation of European Union General Data Protection Regulation (GDPR) laws.

That means that millions of users' online behavior will no longer be visible to the SEO platform.

Italy's Privacy Guarantor found that a collection of user IP addresses, as well as browsing and operating system, screen resolution, and selected language, in addition to the date and time the user visited a site, was being transferred to the US by Google Analytics without GDPR\-mandated privacy protections.

Website operators inside Italy have 90 days to review their Google Analytics use to ensure data privacy compliance, the Privacy Guarantor ruled.

The ruling follows similar actions taken by French and Austrian authorities.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Google Analytics Continues to Lose SEO Visibility as Bans Continue

Researchers this week said they had observed criminals using a new and improved version of the prolific malware, barely three months after its authors announced they were quitting.

The authors of "Raccoon Stealer," one of the most prolific information stealers of 2021, have released a new and improved version of the malware just three months after shutting down operations following the death of its lead developer in Ukraine.

Researchers from French cybersecurity vendor Sekoia this week reported stumbling upon active servers hosting Raccoon Stealer files while searching for signs of the malware earlier this month. Sekoia's subsequent investigation showed the authors of the malware had been selling the new version via their Telegram channel since at least May 17.

Sekoia said its analysis showed the authors of Raccoon Stealer have rewritten the malware and administrative panel for it, from scratch. The focus of the effort appears to have been on improving the stealer’s performance and efficiency. At its core, the new Raccoon Stealer remains a classic information stealer, with an extra focus on cryptocurrency wallets. It is designed to steal passwords, cookies, credit card data, and autofill forms from most modern browsers. The malware can steal from a wide range of desktop crypto wallets including Electrum, Exodus, MetaMask, and Coinomi.

**New and Improved**

Sekoia found Raccoon Stealer V2 to also feature capabilities — such as a file grabber for all disks and a built-in file downloader — for exfiltrating files for compromised systems and loading other software on the systems. Additional capabilities include screenshot capturing, keystroke logging, and application enumeration. "It's worth noting that the malware implements almost no defense evasion techniques, such as anti-analysis \[or\] obfuscation,” Sekoia said in a report summarizing its analysis this week. However, expect the malware authors to add those capabilities soon, the security vendor said.

Several security researchers had fully expected Raccoon Stealer to resurface when its developers announced they were stopping operations on March 25. The malware, which first surfaced in 2019, is widely regarded as one of the most effective information stealers in recent memory. Racoon Stealer's developers initially distributed it via a malware-as-a-service model that allowed other criminals to rent and use the stealer for a portion of the profits.

Over time, criminals began distributing it in other ways as well, including by planting it on websites selling pirated software. Last August, researchers from Sophos reported criminals dropping the malware from sites that were optimized to surface high on Google search engine results when people searched for sources of pirated software. In that campaign, Sophos concluded the criminals distributing Raccoon Stealer were likely using "droppers-as-a-service" to distribute the malware. Sophos researchers also observed attackers using a Telegram channel to deliver the address of the command-and-control gateway to systems infected with Raccoon Stealer. The security vendor surmised that Raccoon Stealer attackers had begun using the Telegram channel to make it harder to locate the malware's command and control infrastructure.

**Resurfacing on Cue**

In January 2022, Bitdefender's Cyber Threat Intelligence Lab observed the operators of the widely used RIG Exploit Kit include Raccoon Stealer in their kit. However, when Raccoon Stealer's developers announced they were quitting, the authors of RIG quickly swapped out the malware for the older but still popular Dridex banking Trojan. Recently, criminals have also used fake installers for legitimate software — such as VPNs from F-Secure and Proton — to distribute Raccoon Stealer.

In a report last week, Bitdefender predicted that Raccoon Locker would return despite the setback that pushed the developers to ceasing operations in March. It's an assessment that Sekoia shared this week. "We expect a resurgence of Raccoon Stealer v2 as developers implemented a version tailored to the needs of cybercriminals and scaled their backbone servers to handle large loads," Sekoia said.

'Raccoon Stealer' Scurries Back on the Scene After Hiatus

On December 7, 2021, Google announced it had sued two Russian men allegedly responsible for operating the Glupteba botnet, a global malware menace that has infected millions of computers over the past decade. That same day, AWM Proxy -- a 14-year-old anonymity service that rents hacked PCs to cybercriminals -- suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy's founder is one of the men being sued by Google.

On December 7, 2021, **Google** announced it was suing two Russian men allegedly responsible for operating the **Glupteba** botnet, a global malware menace that has infected millions of computers over the past decade. That same day, **AWM Proxy** — a 14-year-old anonymity service that rents hacked PCs to cybercriminals — suddenly went offline. Security experts had long seen a link between Glupteba and AWM Proxy, but new research shows AWM Proxy’s founder is one of the men being sued by Google.

AWMproxy, the storefront for renting access to infected PCs, circa 2011.

Launched in March 2008, AWM Proxy quickly became the largest service for crooks seeking to route their malicious Web traffic through compromised devices. In 2011, researchers at **Kaspersky Lab** showed that virtually all of the hacked systems for rent at AWM Proxy had been compromised by **TDSS** (a.k.a TDL-4 and Alureon), a stealthy “rootkit” that installs deep within infected PCs and loads even before the underlying Windows operating system boots up.

In March 2011, security researchers at **ESET** found TDSS was being used to deploy Glupteba, another rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim’s network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was by far the biggest malware threat in 2021.

Like its predecessor TDSS, Glupteba is primarily distributed through “pay-per-install” or PPI networks, and via traffic purchased from traffic distribution systems (TDS). Pay-per-install networks try to match cybercriminals who already have access to large numbers of hacked PCs with other crooks seeking broader distribution of their malware.

In a typical PPI network, clients will submit their malware—a spambot or password-stealing Trojan, for example —to the service, which in turn charges per thousand successful installations, with the price depending on the requested geographic location of the desired victims. One of the most common ways PPI affiliates generate revenue is by secretly bundling the PPI network’s installer with pirated software titles that are widely available for download via the web or from file-sharing networks.

An example of a cracked software download site distributing Glupteba. Image: Google.com.

Over the past decade, both Glupteba and AWM Proxy have grown substantially. When KrebsOnSecurity first covered AWM Proxy in 2011, the service was selling access to roughly 24,000 infected PCs scattered across dozens of countries. Ten years later, AWM Proxy was offering 10 times that number of hacked systems on any given day, and Glupteba had grown to more than one million infected devices worldwide.

There is also ample evidence to suggest that Glupteba may have spawned **Meris**, a massive botnet of hacked Internet of Things (IoT) devices that surfaced in September 2021 and was responsible for some of the largest and most disruptive distributed denial-of-service (DDoS) attacks the Internet has ever seen.

But on Dec. 7, 2021, Google announced it had taken technical measures to dismantle the Glupteba botnet, and filed a civil lawsuit (PDF) against two Russian men thought to be responsible for operating the vast crime machine. AWM Proxy’s online storefront disappeared that same day.

AWM Proxy quickly alerted its customers that the service had moved to a new domain, with all customer balances, passwords and purchase histories seamlessly ported over to the new home. However, subsequent takedowns targeting AWM Proxy’s domains and other infrastructure have conspired to keep the service on the ropes and frequently switching domains ever since.

Earlier this month, the United States, Germany, the Netherlands and the U.K. dismantled the “**RSOCKS**” botnet, a competing proxy service that had been in operation since 2014. KrebsOnSecurity has identified the owner of RSOCKS as a 35-year-old from Omsk, Russia who runs the world’s largest forum catering to spammers.

The employees who kept things running for RSOCKS, circa 2016.

Shortly after last week’s story on the RSOCKS founder, I heard from **Riley Kilmer**, co-founder of Spur.us, a startup that tracks criminal proxy services. Kilmer said RSOCKS was similarly disabled after Google’s combined legal sneak attack and technical takedown targeting Glupteba.

“The RSOCKS website gave you the estimated number of proxies in each of their subscription packages, and that number went down to zero on Dec. 7,” Kilmer said. “It’s not clear if that means the services were operated by the same people, or if they were just using the same sources (i.e., PPI programs) to generate new installations of their malware.”

Kilmer said each time his company tried to determine how many systems RSOCKS had for sale, they found each Internet address being sold by RSOCKS was also present in AWM Proxy’s network. In addition, Kilmer said, the application programming interfaces (APIs) used by both services to keep track of infected systems were virtually identical, once again suggesting strong collaboration.

“One hundred percent of the IPs we got back from RSOCKS we’d already identified in AWM,” Kilmer said. “And the IP port combinations they give you when you access an individual IP were the same as from AWM.”

In 2011, KrebsOnSecurity published an investigation that identified one of the founders of AWM Proxy, but Kilmer’s revelation prompted me to take a fresh look at the origins of this sprawling cybercriminal enterprise to determine if there were additional clues showing more concrete links between RSOCKS, AWM Proxy and Glupteba.

**IF YOUR PLAN IS TO RIP OFF GOOGLE…**

Supporting Kilmer’s theory that AWM Proxy and RSOCKS may simply be using the same PPI networks to spread, further research shows the RSOCKS owner also had an ownership stake in **AD1\[.\]ru**, an extremely popular Russian-language pay-per-install network that has been in operation for at least a decade.

Google took aim at Glupteba in part because its owners were using the botnet to divert and steal vast sums in online advertising revenue. So it’s more than a little ironic that the critical piece of evidence linking all of these operations begins with a Google Analytics code included in the HTML code for the original AWM Proxy back in 2008 (**UA-3816536**).

That analytics code also was present on a handful of other sites over the years, including the now-defunct Russian domain name registrar **Domenadom\[.\]ru**, and the website **web-site\[.\]ru**, which curiously was a Russian company operating a global real estate appraisal business called American Appraisal.

Two other domains connected to that Google Analytics code — Russian plastics manufacturers **techplast\[.\]ru** and **tekhplast.ru** — also shared a different Google Analytics code (**UA-1838317**) with web-site\[.\]ru and with the domain “**starovikov\[.\]ru**.”

The name on the WHOIS registration records for the plastics domains is an “**Alexander I. Ukraincki**,” whose personal information also is included in the domains tpos\[.\]ru and alphadisplay\[.\]ru, both apparently manufacturers of point-of-sale payment terminals in Russia.

Constella Intelligence, a security firm that indexes passwords and other personal information exposed in past data breaches, revealed dozens of variations on email addresses used by Alexander I. Ukraincki over the years. Most of those email addresses start with some variation of “**uai@**” followed by a domain from one of the many Russian email providers (e.g., yandex.ru, mail.ru). \[Full disclosure: Constella is currently an advertiser on this website\].

But Constella also shows those different email addresses all relied on a handful of passwords — most commonly “**2222den**” and “**2222DEN**.” Both of those passwords have been used almost exclusively in the past decade by the person who registered more than a dozen email addresses with the username “**dennstr**.”

The dennstr identity leads to several variations on the same name — Denis Strelinikov, or Denis Stranatka, from Ukraine, but those clues ultimately led nowhere promising. And maybe that was the point.

Things began looking brighter after I ran a search in DomainTools for web-site\[.\]ru’s original WHOIS records, which shows it was assigned in 2005 to a “private person” who used the email address **lycefer@gmail.com**. A search in Constella on that email address says it was used to register nearly two dozen domains, including starovikov.ru and **starovikov\[.\]com**.

A cached copy of the contact page for Starovikov\[.\]com shows that in 2008 it displayed the personal information for a **Dmitry Starovikov**, who listed his Skype username as “lycefer.”

Finally, Russian incorporation documents show the company LLC Website (web-site\[.\]ru)was registered in 2005 to two men, one of whom was named **Dmitry Sergeevich Starovikov**.

Bringing this full circle, Google says Starovikov is one of the two operators of the Glupteba botnet:

The cover page for Google’s lawsuit against the alleged Glupteba botnet operators.

Mr. Starovikov did not respond to requests for comment. But attorneys for Starovikov and his co-defendant last month filed a response to Google’s complaint in the Southern District of New York, denying (PDF) their clients had any knowledge of the scheme.

Despite all of the disruption caused by Google’s legal and technical meddling, AWM is still around and nearly as healthy as ever, although the service has been branded with a new name and there are dubious claims of new owners. Advertising customer plans ranging from $50 a day to nearly $700 for “VIP access,” AWM Proxy says its malware has been running on approximately 175,000 systems worldwide over the last 24 hours, and that roughly 65,000 of these systems are currently online.

AWM Proxy, as it exists today.

Meanwhile, the administrators of RSOCKS recently alerted customers that the service and any unspent balances will soon be migrated over to a new location.

Many people seem to equate spending time, money and effort to investigate and prosecute cybercriminals with the largely failed war on drugs, meaning there is an endless supply of up-and-coming crooks who will always fill in any gaps in the workforce whenever cybercriminals face justice.

While that may be true for many low-level cyber thieves today, investigations like these show once again how small the cybercriminal underground really is. It also shows how it makes a great deal of sense to focus efforts on targeting and disrupting the relatively small number of established hackers who remain the real force multipliers of cybercrime.

The Link Between AWM Proxy & the Glupteba Botnet

Creating temporary keys that are not stored in central repositories and time out automatically could improve security for even small businesses.

While multifactor authentication, single-sign-on infrastructure, and stronger password requirements have improved the security of most enterprise identity and access management (IAM) environments, the longevity of passwords continues to pose problems for businesses, especially in granting temporary access to contractors and third-party partners.

A variety of vendors are trying to solve this problem. Last week, for example, data-security firm Keeper Security announced one-time shared passwords that allow companies to grant third-party partners temporary access to data and resources without adding them to the company's overall IT environment. The approach allows specific types of documents to be shared to a single user device, automatically removing access when the time expires.

The business case is all about securing access granted to contractors, says Craig Lurey, chief technology officer and co-founder of Keeper Security.

"We get asked constantly to allow short term, temporary access to third parties without requiring them to onboard as a licensed user," he says. "With this new feature, there is not 20 steps anymore. It is just instant, but preserving that encryption, simplifying the secure-sharing process, and eliminating the need to send private information over text messages."

**Credential Theft Is Big Business**

Supply chain breaches, stolen credentials, and the proliferation of software keys and secrets continue to undermine IT and data security. In March, secrets-detection firm GitGuardian found that developers leaked 50% more credentials, access tokens, and API keys in 2021, compared to 2020. Overall, 3 out of every 1,000 commits exposed a sensitive password, key, or credential, the company said at the time.

Failing to protect software secrets, user passwords, and machine credentials can lead to compromises of application infrastructure and development environments. Attackers have increasingly targeted identities and credentials as a way to gain initial access to corporate networks. Last week, for example, software security firm Sonatype discovered that at least five malicious Python packages attempt to exfiltrate secrets and environment variables for Amazon environments.

"It remains yet to be known who the actors behind these packages are and what is their ultimate goal," Sonatype stated in an advisory on the issue. "Were the stolen credentials being intentionally exposed on the web or a consequence of poor OpSec practices?"

**How Zero-Knowledge Encryption Protects Credentials**

Managing the access credentials for data means avoiding centralized storage of sensitive keys — a security advantage of zero-knowledge encryption (ZKE) — and regularly expiring keys so that former contractors, partners, and employees no longer have access to data. ZKE breaks up keys in specific ways, using both cryptography and tokenization, to prevent any device or database from having all the necessary information to reconstitute the master keys to unlock data.

    

Source: Keeper Security

The move to de-emphasize master passwords and keys is part of the cybersecurity industry's effort to create a passwordless security infrastructure. Yet, in the end, most enterprises rely on some sort of password to secure massive stores of keys or unlock cloud IAM services, says Lurey.

"Every year, the platforms try to come up with new schemes to bury the password, \[but\] at the end of the day, those platforms still rely on passwords, especially for account recovery," he says. "There is a growing number of passwords and secrets that everyone has to deal with, whether you are on the tech side and you have to deal with API keys and software secrets, or on the personal side and the growing number of sites that require personal or private information."

Creating a zero-knowledge way of managing secrets and offering one-use, temporary passwords requires significant design effort and a move away from the consolidation among large brands that are assuming the mantles of identity providers, Lurey says.

"The reason why the password continues to be popular is because it is something that you have that can be used to encrypt and decrypt data at the end of the day," he says. "The passkeys, which are just passwords, are being stored by Apple, Google, and Microsoft, so those are being synched with other devices and onboard devices, but how do you sync those secrets — it is basically a rabbit hole of authentication issues."

**The Passwordless Path Ahead**

The focus on ZKE is relatively new, and the vast majority of companies protect their secrets using key management systems, says Andras Cser, vice president and principal analyst for security and risk at Forrester Research. The focus on passwordless technologies typically involves biometrics, QR-code-based authentication, pushing authentication tokens to mobile devices, and sending one-time passwords via e-mail or text message, he says.

"Because of phishing issues, OTP and passwordless is slowly replacing the static password for authentication. Identity management and governance (IMG) to onboard, review, and off-board contractors and third parties for access is very important in this flow," Cser says.

Whether ZKE takes off will likely depend on whether third-party identity services using de facto standards, such as the FIDO2 and WebAuthn passwordless standards, gain popularity. In a white paper acknowledging the slow adoption of FIDO and the future integration with WebAuthn, the FIDO Alliance outlined what its passwordless future would look like, using mobile devices as standardized authenticators and allowing credentials to be synced across devices.

The changes will make "FIDO the first authentication technology that can match the ubiquity of passwords, without the inherent risks and phishability," the white paper stated.

Can Zero-Knowledge Crypto Solve Our Password Problems?

Google's American Fuzzy Lop is a brute-force fuzzer coupled with an exceedingly simple but rock-solid instrumentation-guided genetic algorithm. afl++ is a superior fork to Google's afl. It has more speed, more and better mutations, more and better instrumentation, custom module support, etc.

American Fuzzy Lop plus plus 4.01c

AnyDesk version 7.0.9 suffers from an arbitrary file write vulnerability via a symlink attack.

    # Exploit Title: AnyDesk allow arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine# Google Dork: [if applicable]# Date: 24/5/2022# Exploit Author: Erwin Chan# Vendor Homepage: https://anydesk.com/en# Software Link: https://anydesk.com/en# Version: 7.0.9# Tested on: Windows 11It was found that AnyDesk (version 7.0.9) was vulnerable to arbitrary filewrite by symbolic link attack leading to denial-of-service attack on localmachine. It was noted that two functions were affected.*Affected function A*When there was a remote connection come in, a directory under AppData ofcurrent user (without admin privilege) and a "ad.trace" file (i.e.,"C:\Users\<user>\AppData\Roaming\AnyDesk") will be created by "AnyDesk.exe"with "NT Authority\SYSTEM" privilege.*Affected function B*After a connection was made, local or remote user could use the chat room.The chat log was written to folder"C:\Users\<user>\AppData\Roaming\AnyDesk\chat\" by "AnyDesk.exe" with "NTAuthority\SYSTEM" privilege. Or the local user (without admin privilege)could change the location of the chat log to anywhere that he/she has"Modify" privilege.*Vulnerability Summary*Since the directories (i.e., "C:\Users\<user>\AppData\Roaming\AnyDesk\","C:\Users\<user>\AppData\Roaming\AnyDesk\chat\") were assigned with"Modify" privilege for current user, current user could modify the entiredirectory. With this setup, an unprivileged user is able to achievearbitrary file write by creating a symbolic link to a privileged location(e.g., C:\Windows\System32). As a result, a malicious user couldpotentially deny any service by overwriting the configuration or systemfile of applications such as Anti Virus solutions. It was noted that thefile content could be manipulated in affected function B such that a lowprivileged user could write an arbitrary file to an arbitrary location.*Affected function A: Exploit steps by local user (without admin privilege)*   1. Remove the directory "C:\Users\<user>\AppData\Roaming\AnyDesk"   2. Create symbolic link of "ad.trace" file to a privileged location   (e.g., C:\Windows\System32\test.file) (PoC binary could be found here:   https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink_readme.txt   )   1. Connect to local machine (target machine) from a remote machine.   After the connection was initiated, the content of "ad.trace" file would be   written to target file (e.g., C:\Windows\System32\test.file)*Affected function B: Exploit steps by local user (without admin privilege)*   1. edit username of remote connector   1. Establish a AnyDesk connection from remote. Enter arbitrary text into   the chat box. Mark down the filename of chat log   1. Remove the directory "C:\Users\<user>\AppData\Roaming\AnyDesk\chat"   2. Create symbolic link of chat log file (e.g., 657584961.txt) to a   privileged location (e.g., C:\Windows\test.conf) (PoC binary could be found   here:   https://github.com/googleprojectzero/symboliclink-testing-tools/blob/main/CreateSymlink/CreateSymlink_readme.txt   )   1. Open the chat room and enter arbitrary content into it. After that,   the content of chat room would be written to target file (e.g.,   C:\Windows\test.conf)Please let me know if any detail need further. ThanksRegards,Erwin

Tag

#google