How to detect and prevent attackers from using these various techniques
Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.
What Is Obfuscation?
Obfuscation is the technique of intentionally making information difficult to read, especially in

**How to detect and prevent attackers from using these various techniques**

Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.

**What Is Obfuscation?**

Obfuscation is the technique of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, in which sensitive data is made unrecognizable to protect it from unauthorized access. Various methods are used for this.

For example, only the last four digits of a credit card number are often displayed, while the remaining digits are replaced by Xs or asterisks. In contrast, encryption involves converting data into an unreadable form that can only be decrypted using a special key.

**Obfuscation In Code**

When computer code is obfuscated, complex language and redundant logic are used to make the code difficult to understand. The aim? To deceive both human readers and programs such as decompilers. To do this, parts of the code are encrypted, metadata is removed, or meaningful names are replaced by meaningless ones. Inserting unused or meaningless code is also a common practice to disguise the actual code.

A so-called obfuscator can automate these processes and modify the source code so that it still works but is more difficult to understand.

Other methods of obfuscation include compressing the entire program, making the code unreadable, and changing the control flow to create unstructured, difficult-to-maintain logic.

Inserting dummy code that does not affect the logic or the program's result is also common.

Several techniques are often combined to achieve a multi-layered effect and increase security.

**The Flip Side**

Unfortunately, obfuscation is not only a protection, it is also a challenge. Obfuscation is not only used by legitimate software developers, but also by malicious software authors. The goal of obfuscation is to anonymize cyber attackers, reduce the risk of detection, and hide malware by changing the overall signature and fingerprint of the malicious code – even if the payload is a known threat. The signature is a hash, a unique alphanumeric representation of a malware element. Signatures are very often hashed, but they can also be another short representation of a unique code within a malware element.

Rather than trying to create a new signature by modifying the malware itself, obfuscation focuses on deployment mechanisms to fool antivirus solutions that rely on signatures. Compare this to the use of machine learning, predictive analysis, and artificial intelligence to improve defenses.

Obfuscation, or the disguising of code, can be both "good" and "bad". In the case of "bad" obfuscation, hackers combine various techniques to hide malware and create multiple layers of disguise. One of these techniques is packers. These are software packages that compress malware to hide its presence and make the original code unreadable. Then there are cryptographers who encrypt malware or parts of software to restrict access to code that could alert antivirus programs.

Another method is the insertion of dead code. This involves inserting useless code into the malware to disguise the program's appearance. Attackers can also use command modification, which involves changing the command codes in malware programs. This changes the appearance of the code, but not its behavior.

Obfuscation in the code is, as we have seen, only the first step because no matter how much work the hacker puts into obfuscating the code to bypass EDR, malware must communicate within the network and to the outside world to be "successful". This means that communication must also be obfuscated. In contrast to the past, when networks were scanned quickly, and attempts were immediately made to extract data in the terabyte range at once, attackers today communicate more quietly so that the sensors and switches for the monitoring tools do not strike.

The aim to get IP addresses via scanning, for example, is now followed more slowly to stay under the radar. Reconnaissance, in which the threat actors try to collect data about their targeted victims, e.g. via their network architecture, is also becoming slower and more obscure.

A common obfuscation method is Exclusive OR (XOR). This method hides data in such a way that it can only be read by people who link the code with 0x55 XOR. ROT13 is another trick in which letters are replaced by a code.

****Blasts From The Past:****

*   A well-known example of obfuscation is the SolarWinds attack in 2020. Hackers used obfuscation to bypass defenses and hide their attacks.
*   Another interesting example is PowerShell, a Microsoft Windows tool that attackers are abusing. Malware that uses PowerShell obscures its activities through techniques such as string encoding, command obfuscation, dynamic code execution, and more.
*   Another example is the XLS.HTML attack. Here, hackers used elaborate obfuscation techniques to hide their malicious activities. They changed their encryption methods at least ten times within a year to avoid detection. Their tactics included plain text, escape encoding, Base64 encoding, and even Morse code.
*   In another threat, attackers exploited vulnerabilities in ThinkPHP to execute remote code on servers. They installed a cloaked web shell called "Dama" that allowed permanent access and further attacks.

**Why You Should Not Rely On Signatures Alone**

Signature-based detection is like an old friend–it's reliable when it comes to known threats. But when it comes to new, unknown threats, it can sometimes be in the dark. Here are a few reasons why you shouldn't rely solely on signatures:

1.  Malware authors are true masters of hide and seek. They use various techniques to disguise their malicious programs. Even small changes to the code can cause signature detection to fail.
2.  With polymorphic malware, malware behaves like a chameleon. It constantly changes its structure to avoid detection. Every time it is executed, the code looks different.
3.  Static signatures? Not a chance! Metamorphic malware is even more tricky. It adapts during execution and changes its code dynamically, making it almost impossible to catch with static signatures.
4.  Also, zero-day exploits behave like the "new kid on the block": they are fresh and unknown, and signature-based systems have no chance of recognizing them.
5.  Besides that, when a signature-based solution returns too many false positives, it becomes inefficient. Too many false alerts in daily business affect your security team and waste valuable resources.

In short, signature detection, e.g., in an EDR, is a useful tool, but it's not enough on its own to ward off all threats. A more comprehensive security strategy that also includes behavioral analysis, machine learning, and other modern techniques is essential.

**Why NDR Tools Are So Important**

Anomaly-based IDS solutions are like detectives who keep an eye on a system's normal behavior and sound the alarm when they detect unusual activity. But Network Detection and Response (NDR) tools even go a step further: they constantly adapt to stay one step ahead of the changing cyber threat landscape and offer a significantly higher level of security than traditional signature-based approaches through their advanced analysis and integration. They are able to detect and defend against both known and unknown threats.

****Here's How They Do It:****

*   **Behavioral Analysis:** NDR tools monitor network traffic and analyze behavior. They detect unusual patterns that could indicate command-and-control (C&C) communication, such as irregular data transfers.
*   **Protocol Monitoring:** They examine HTTP requests, DNS traffic, and other protocols to detect suspicious behavior or communication that may be associated with obfuscated malware.
*   **Metadata Analysis:** NDR tools analyze metadata to detect unusual patterns that indicate suspicious activity. Machine learning models help identify typical obfuscation techniques that are visible through suspicious behavior in network traffic.
*   **Long-term Communication Monitoring:** As obfuscating communication is now crucial for hackers, as they adopt slower and stealthier techniques to evade detection and collect data within and outside networks, it is helpful that NDR also looks at longer periods of time, e.g. 3 days, in addition to its ability to perform batch runs, e.g. within minutes, in order to have comparative values and monitor and detect irregularities, and real-time alerting would lead to a large number of alerts if a scan with a ping is detected every minute or so. But is every ping an attack? Certainly not!
*   **Mitre ATT&CK and ZEEK**: These protocols provide valuable insights into threats that use obfuscation. Their integration with NDR tools significantly improves threat detection capabilities.
*   **Threat Data Sharing:** NDR tools share threat data with other security solutions. This enables faster detection of known obfuscation techniques and suspicious behavior. The integration with EDR tools allows them to correlate suspicious activity on endpoints with network traffic, which significantly improves security analysis.

For more on **why NDR is a crucial security tool** and how it detects even the most advanced threats and complex forms of obfuscation, download our whitepaper on Advanced Persistent Threat (APT) detection.

To see how NDR acts in your corporate network, and precisely how it detects and responds to APTs, watch our recorded APT detection video.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Obfuscation: There Are Two Sides To Everything

The RayV Lite will make it hundreds of times cheaper for anyone to carry out physics-bending feats of hardware hacking.

In modern microchips, where some transistors have been shrunk to less than a 10th of the size of a Covid-19 virus, it doesn't take much to mess with the minuscule electrical charges that serve as the 0s and 1s underpinning all computing. A few photons from a stray beam of light can be enough to knock those electrons out of place and glitch a computer's programming. Or that same optical glitching can be achieved more purposefully—say, with a very precisely targeted and well timed blast from a laser. Now that physics-bending feat of computer exploitation is about to become available to far more hardware hackers than ever before.

At the Black Hat cybersecurity conference in Las Vegas next week, Sam Beaumont and Larry “Patch” Trowell, both hackers at the security firm NetSPI, plan to present a new laser hacking device they're calling the RayV Lite. Their tool, whose design and component list they plan to release open source, aims to let anyone achieve arcane laser-based tricks to reverse engineer chips, trigger their vulnerabilities, and expose their secrets—methods that have historically only been available to researchers inside of well-funded companies, academic labs, and government agencies.

State-of-the-art commercial tools for light-based hacking techniques, such as the Riscure Laser Station, have typically cost as much as $150,000, and even lower-budget versions cost closer to $10,000. Yet through a combination of 3D printing, commodity component choices, and clever physics tricks, Beaumont and Trowell built theirs for less than $500.

Their goal in creating and releasing the designs for that ultra-cheap chip-hacking gadget, they say, is to make clear that laser-based exploitation techniques (known as laser fault injection or laser logic state imaging) are far more possible than many hardware designers—including clients for whom Beaumont and Trowell sometimes perform security testing at NetSPI—believe them to be. By demonstrating how inexpensively those methods can now be pulled off, they hope to both put a new tool in the hands of DIY hackers and researchers worldwide, and to push hardware manufacturers to secure their products against an obscure but surprisingly practical form of hacking.

“If we come to clients and say, ‘Your chip is vulnerable to laser fault injection,’ they tell us nobody's going to be able to do that because it's infeasible and it costs too much. We don't actually think that's true. So that got us started tinkering,” Beaumont says. “We're not discovering anything new, in the sense that other people have used lasers this way before. We're doing it at a lower cost, so that people can do this in their homes.”

The RayV Lite, shown here with no target chip mounted. Its laser and lens are visible in the circular opening on top.Photograph: Courtesy of NetSPI

Beaumont describes the RayV Lite as part of a larger trend she calls the “domestication of tooling”: Devices like the ChipWhisperer and HackRF have made electromagnetic or radio-based hacking techniques vastly cheaper and more accessible. The RayV Lite, she hopes, will do the same for lasers. “It’s significant,” says Adam Laurie, a longtime hardware hacker and current head of product security at electric vehicle charging firm Alpitronic, who reviewed Beaumont and Trowell's laser hacking work. “It moves the tools from the super-expensive academic or state-actor platform to the garage, where the really inventive stuff happens.”

As they built the RayV Lite, Beaumont and Trowell focused on two distinct laser hacking methods. One is laser fault injection, or LFI, which uses a brief blast of light to mess with the charges of a processor's transistors, “flipping bits” from 1 to 0 or vice versa. In some cases, carefully triggering those bit flips can cause far larger effects. For one automotive chip that Beaumont tested, for instance, glitching the chip with a laser at a certain moment can prevent a security check that puts the chip's firmware in a protected state, thus leaving it unprotected and letting her scan through its otherwise obfuscated code to find vulnerabilities.

Many cryptocurrency wallets, too, are vulnerable to forms of LFI, Beaumont and Trowell say, such as glitching the chip at the moment it's asking for a PIN to unlock the cryptographic key to access the owner's funds. “You take the chip off the crypto wallet, hit it with a laser at the right time, and it will just assume you have the PIN,” says Trowel. “It just jumps through the instructions and gives the key back.”

A second laser-hacking technique, known as laser logic state imaging, focuses instead on surveilling a chip's architecture and activity in real time, bouncing laser light off of it, and capturing the results (much like a camera or microscope), and then analyzing them—in Beaumont and Trowell's work, this was often done with the help of machine learning tools. Because a laser's light bounces off silicon differently based on its electrical charge, that trick allows hackers to map out not only the physical layout of a processor but also the data its transistors store, essentially vivisecting the chip to pull out hints about the data and code it's handling, which could include sensitive secrets.

In the first iteration of RayV Lite, Beaumont and Trowell are building designs for the tool in two different versions, one for each of those two laser hacking techniques. They're releasing only the laser fault injection model for now, and hope to debut the laser logic state imaging version in a matter of months. Both will use the same fundamental components and the same DIY cost-cutting tricks. The body of the tool, for instance, is ba

sed on an open source 3D-printable microscope model called OpenFlexure, which uses the flexibility of 3D-printable PLA plastic to achieve precise aiming of the laser. The target chip is mounted on a chassis fixed to printed plastic levers that are bent to small degrees by stepper motors, allowing tiny, precise movements in three dimensions. With that plastic bending trick and a laser focused through a lens, Beaumont and Trowell say, the RayV can target transistors—or rather, groups of them—down to the nanometer scale. (PLA plastic does wear out, Beaumont admits. But she also notes that the entire body of the RayV Lite can simply be printed again for a few dollars.)

Another innovation that allowed Beaumont and Trowell to vastly reduce the RayV Lite's cost, first implemented by a group of academic researchers at Royal Holloway University of London who built their own low-cost laser fault injection tool, was the discovery that laser-based chip hacking can be performed with far cheaper lasers than previously believed. That's in part because a lower-powered laser fired at a chip for a longer time interval—still so quick as to be measured in milliseconds—can have an equivalent effect to a higher-powered laser fired for a shorter time, just as a traditional camera can expose film to less light for a longer time to achieve the same exposure.

The RayV Lite with a target chip attached to a circuit board mounted on top of its 3D-printed chassis.Photograph: Courtesy of NetSPI

That realization allowed Beaumont and Trowell to use a laser in the RayV Lite that costs less than $20 and also saves enormously on the equipment and electricity used for powering the laser. “People don't have freaking massive lasers sitting around,” says Beaumont. “But you can do this with a laser pointer, which is actually what we're doing right now.” (Beaumont and Trowell nonetheless warn that anyone using even lower-powered lasers should be careful to wear eye protection.)

In fact, the most expensive components of the RayV Lite are the lens used for focusing its relatively cheap laser and an FPGA chip that serves as its timing mechanism, each of which costs close to $100, as well as the $68 Raspberry Pi minicomputer that allows it to be controlled and programmed.

Aside from the general sense that “lasers are cool,” as Trowell puts it, it was the growing body of research in more accessible laser hacking techniques that drove her and Trowell to conceive the RayV Lite, as well as what they saw as a disconnect between that accessibility and their clients' out-of-date perceptions of the difficulty of laser-based hacking. Some highly sensitive devices used in industrial control systems, automobiles, and medical devices will be vulnerable to laser fault injection of laser logic state imaging, they say. And those manufacturers need to understand that the notion of hacking the chips inside those critical devices with lasers isn't as arcane or out-of-reach as they might believe.

“Security through obfuscation isn't something we can kind of rely upon over time, especially when we're working with critical infrastructure, or when we're working with devices that are literally in our homes and our hearts,” says Beaumont.

More practically, she says, the RayV Lite will make her own job—and no doubt that of many other hardware hackers who will use her optical exploitation toolkit—far easier. “Selfishly, it's very nice,” she says. “Especially when I have to do expense reports.”

A $500 Open-Source Tool Lets Anyone Hack Computer Chips With Lasers

In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.

Thursday, August 1, 2024 06:00

_By Chris Morrison._

*   Cisco Talos is actively tracking multiple malware campaigns that utilize NetSupport RAT for persistent infections. 
*   These campaigns evade detection through obfuscation and updates. 
*   Snort can provide a strong defense before this malware reaches endpoints. 
*   In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. 

In November 2023, security vendors identified a new NetSupport RAT campaign that used fake browser updates from compromised and malicious websites to trick users into downloading a stager that downloads and invokes PowerShell commands to install the NetSupport manager agent onto the victim’s machine and establish persistence. 

In January 2024, security researchers published another analysis of the same campaign, although with some differences in the initial JavaScript payload, which demonstrates a threat actor re-focusing on the obfuscation of the initial stager. There are also modifications observed in the agent installation including new paths for the randomized installation. 

So, Cisco Talos followed suit with our own in-depth analysis. We identified multiple obfuscation and evasion techniques being used by the campaign and created appropriate detection to keep users protected. By identifying specific weaknesses in the campaign’s obfuscation techniques and identifying indicators of compromise (IOCs), we can create highly accurate detection of this campaign. Talos is also in a unique position of having primarily open-source detection tools such as Snort and ClamAV. To highlight these capabilities, we will provide a detailed explanation of our detection methodology. 

**Campaign history **

NetSupport Manager has been commercially available for remote device administration since 1989. Like many tools in the IT remote support industry, NetSupport Manager has been weaponized by threat actors who either cannot or do not wish to develop their own RAT. Adversaries first started using NetSuport for malicious purposes in 2017, and at this point, most security vendors widely recognize this software as a RAT. The 2020s' shift to remote work for many office workers marked an increased use of NetSupport RAT in more phishing and drive-by download campaigns, as well as being used alongside other loaders. This campaign is the most notable use of NetSupport RAT in recent years, with hundreds of known stager variants across dozens of domains used in a large-scale malicious advertising campaign. 

**Component summary **

Components in VirusTotal graph. 

1.  Stage 1 is a JavaScript file that is downloaded from one of several malicious advertisements or compromised websites. It’s an obfuscated downloader, keeping a Stage 2 JavaScript and PowerShell payload in memory, which is the actual meat of the dropper. Stage 1 is obfuscated and embedded within otherwise benign JavaScript libraries. 
2.  In Stage 2, a PowerShell script is run via JavaScript. Both are obfuscated, and the PowerShell is embedded in the JavaScript, and the JavaScript is embedded within large comment blocks of random ASCII hex. The PowerShell makes another HTTP GET to retrieve the base64-encoded ZIP. On receipt, the PowerShell extracts the payload into a semi-random path, starts execution, and then establishes basic registry persistence. 
3.  The end payload is a completely portable install of the commercial NetSupport Manager RAT utility. Some of the installs come with additional scripts or slight filename changes to avoid more narrow detection. 

**Stage 1: JavaScript stager **

From 3b587d0c311e8ebc3bb104d564235c41ef8e64592c7419f17f48e0cee9ebc878. 

The screenshot above shows the normalized inner payload for an older version of the JavaScript Stage 1. In this older sample, the actual malicious code is embedded within an otherwise benign JavaScript library. Several libraries are used, including jQuery, moment.js and SheetJS. However, this stage's actual malicious payload is barely obfuscated. The next stage download URL is in plain text. The call to “activeXObject” to create the HTTP connection is in plain text. And similarly, the eval call is in plain text. 

From 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

Here, we have the normalized content of a very recent (first seen 2024.03.09) sample of the stager from the same campaign. Similarly to the older version, the malicious payload is wrapped in an otherwise benign library. Improving over the previous versions, the malicious payload within is further obfuscated with the open-source tool javascript-obfuscator. This results in the removal of the plaintext “activeXObject” and “eval,” however, the output pattern of JavaScript-obfuscator is highly identifiable, as every variable and function name is a random hexadecimal value prefixed by an underscore. 

Deobfuscated 01d867d552a06bd778c812810a476441681c4bebabf967e80f8024b3856cb03e 

The old and new samples shared two major features: All the obfuscation is pre-computed and not done on a per-download basis. This is observable through the fact that so many of the stages can be identified with common entry point functions after having been obfuscated with javascript-obfuscator. Also, the pre-obfuscated stagers are reused by stamping them with a new random download URL. This URL then ends up being in plain text as well so from identifying the highly unique function names from one stager, we can find many more and then automatically extract the download URLs from them statically, which is much faster than throwing them all in analysis sandboxes.  

Fast pattern-only rule for detection. 

**Stage 1 detection **

From a detection standpoint, we can use Snort to leverage a fast\_pattern-only file rule. This simple rule will only detect the given cluster of stagers being downloaded. However, since this is a fast\_pattern-only rule on highly unique text, we can put it in the more general Snort policy configurations since there is little overhead to running this rule. Additionally, the Snort 3 file rule will do all the abstraction from other protocols that can carry files, such as FTP and SMTP, letting us cast our coverage net over a broader attack surface in case this file is being transmitted through more ways than just the known malicious advertisement. 

**Stage 2: JavaScript & PowerShell dropper **

The second stage of the campaign is an in-memory payload downloaded by the on-disk JavaScript. This stage consists of a JavaScript function that then calls PowerShell. 

From 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

 The JavaScript content is padded on either side by large, repeating, random comment blocks. The actual JavaScript is quite simple, a slightly obfuscated call to ActiveXObject(“WScript.Shell”), which allows the PowerShell command-line to be run. 

Deobfuscated from 6f3681cd91f7a19c1cf2699e1f9f7b550dfe46841ab5171124e79979fae5424a 

The PowerShell invocation is where most of the dropper’s work happens. PowerShell is run with the command line flags “-Ex Bypass” which sets the execution policy to “Bypass”, enabling unsigned execution, “-NoP” which is short for “-NoPolicy” and avoids the current user’s startup script, and “-C” which is short for “-command” and will run the following command line string as a PowerShell script. The commands themselves are a straightforward download of the next stage, which is a base64-encoded ZIP file that contains a portable installation of NetSupport Manager Agent. After downloading the payload, it is base64-decoded, written to disk, and then extracted to the target install folder. A check is run to make sure “client32.exe,” the main executable of the agent, exists in the output directory and then this file is run. Finally, a registry entry is made to establish user-level persistence of the agent on login. 

Interestingly, this stage is not obfuscated with the same techniques as the Stage 1 file. The PowerShell file is only slightly obfuscated through random variable names and string concatenations, and the JavaScript obfuscation uses the same techniques in addition to the mentioned large random comment blocks. Because this obfuscation is so limited, we can rely on static signatures in this case. If future versions of this stager are further obfuscated, using normalized content buffers in Snort such as js\_data can provide a consistent view into the payload. However, this payload has remained largely unchanged besides the payload URLs from November 2023 to March 2024. 

**Stage 2 detection **

For Snort detection, we can use a simple series of content that matches the content of the PowerShell script. The unobfuscated registry key for persistence combined with the PowerShell flags makes a great rule for potential malware dropper detection. We can narrow this even further with the inclusion of the client32.exe filename so that we know we are only alerting on this campaign and similar uses of NetSupport RAT. 

An additional trick would be the use of an HTTP service rule. In Snort 3, the service inspector can identify known services regardless of the port they are on, in contrast to Snort 2 where you will need to define HTTP\_PORTS ahead of time. Regardless of what port the attacker is hosting the HTTP payload on, our rule can detect the malicious content. 

This Snort rule identifies and prevents the current iteration of dropper payloads. A more holistic approach to defense would also include behavioral detection. Since we can observe this dropper’s behavior regardless of any text obfuscation, we will effectively forbid this technique on any protected endpoint and force the threat actor to change tactics. 

Example Sigma detection. 

 The Sigma behavioral rule language can encapsulate this detection quite well. This rule can detect most installs but will fail to identify obfuscations through renames or different registry keys. 

**Obfuscated NetSupport manager download **

Retreading a little bit, the PowerShell invocation downloads a base64-encoded ZIP file of an entire installation of NetSupport Manager agent. For NetSupport Manager and most other legitimate software packages, this is a highly unusual way for the package to be distributed. Most applications are installed via an MSI package or an EXE installer that downloads the full application without obfuscation. The client binaries are not obfuscated by the threat actor since obfuscating an existing compiled binary is more challenging than obfuscating the source code scripts identified in stage 1 and stage 2 files. Because of this, the unique DLLs that encompass most of the NetSupport Manager Client’s actual logic are not renamed. 

It might seem we will have to stream decode the base64 content and unzip it in memory to scan for malicious file contents; we can exploit two specific features of the ZIP in base64 format. The highly unique DLL names will all be close together in the ZIP archive central directory, the structure that holds the information on what files are in the archive. Second, base64 is not a random encoding, and we can pre-compute all three possible base64-encoded strings that represent any one given input. CyberChef has an excellent demonstration of how this works. This method involves the possible two-bit alignment positions within the six-bit encoding size of a given base64 character. Putting all this together means that we can pre-compute all the combinations of the base64-encoded DLL names as high-speed rules that are only looking for static content matches.  

The threat actors using NetSupport RAT in this campaign are typically looking for the fastest way to get a RAT agent into deployment. The threat actors who use NetSupport Manager are not putting a strong amount of effort into obfuscation of droppers, let alone the agents, so this is an effective rule for their non-standard download paths.  

**Additional Snort detections **

Talos has existing Snort coverage for NetSupport Manager Agent’s network activity leveraging SID 44678, which was created back in 2017. We also expanded this coverage in 2020, with the creation of SIDs 53539 - 53544 as the usage by malicious actors increased. For the latest campaign, we increased our coverage through a Snort feature that was not available before. File Rules are a feature only available in Snort 3 that allows the abstraction of file contents from the protocols that carry them, allowing us to write wider-reaching signatures. 

As the NetSupport RAT files are not typically obfuscated by threat actors and it is a legitimate commercial product with many specialized features, there are many opportunities to create detection against the files. For example, in both the EXE and DLLs, the full manufacturer and product information for NetSupport Manager Client is detailed. 

As other legitimate software binaries are unlikely to include the full metadata for NetSupport Manager, this gives us a great signature to work with that lets us cleanly identify the binaries without any heavy reverse engineering needed. Although Snort does not have a modifier for Unicode strings, Unicode text byte strings can be leveraged for detection. Once again, we can use the “file” rule target to throw our detection net over a much larger surface than just HTTP downloads. Other campaigns using NetSupport Manager RAT will be observable from this rule through Snort’s ability to inspect file streams from multiple protocols. 

Although NetSupport RAT continues to be used by malicious campaigns, its widespread use hinders those threat actors who are not willing to dedicate the resources to develop their own tools or more evasive techniques. And since this campaign is still active and updated, we may still observe these techniques being developed and deployed by this threat actor. For now, this gives us an example of when a threat is persistent but not advanced. 

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here.

Detecting evolving threats: NetSupport RAT campaign

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.
"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team

Data Encryption / Browser Security

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.

"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team said. "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of."

App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted.

"Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," Harris said. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

Given that the method strongly binds the encryption key to the machine, it will not function correctly in environments where Chrome profiles roam between multiple machines. Organizations that support roaming profiles are encouraged to follow its best practices and configure the ApplicationBoundEncryptionEnabled policy.

The change, which went live last week with the release of Chrome 127, applies only to cookies, although Google said it intends to expand this protection to passwords, payment data, and other persistent authentication tokens.

Back in April, the tech giant outlined a technique that employs a Windows event log type called DPAPIDefInformationEvent to reliably detect access to browser cookies and credentials from another application on the system.

It's worth noting that the web browser secures passwords and cookies in Apple macOS and Linux systems using Keychain services and system-provided wallets such as kwallet or gnome-libsecret, respectively.

The development comes amid a slew of security improvements added to Chrome in recent months, including enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated scans when downloading potentially suspicious and malicious files.

"App-bound encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system," Harris said. "It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system."

It also follows Google's announcement that it no longer plans to deprecate third-party cookies in Chrome, prompting the World Wide Web Consortium (W3C) to reiterate that they enable tracking and that the decision undermines the progress achieved so far to make the web work without third-party cookies.

"Tracking and subsequent data collection and brokerage can support micro-targeting of political messages, which can have a detrimental impact on society," it said. "The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

DEV#POPPER is back, looking to deliver a comprehensive, updated infostealer to coding job seekers by way of a savvy social engineering gambit.

Source: sakkmesterke via Alamy Stock Photo

The North Korea-based DEV#POPPER campaign is back, with an updated malware and social engineering arsenal that it's using to target software developers worldwide for data theft.

That's according to research from the Securonix Threat Research team, which found in an analysis today that the known threat group is casting a wider net than ever before, having added Linux and macOS variants to its malware toolbox in addition to its existing Windows binary.

The campaign, which focused primarily on South Korea before, has spread out globally, and is also active in Europe, the Middle East, and North America.

It's unclear as to the level of specific targeting the campaign is using, but there are overlaps with other efforts by North Korean actors to use fake recruiting in state-sponsored attacks.

"I would imagine that the ultimate goal for the attackers is conducting a successful operation against an individual on a corporate or company-owned endpoint," says Tim Peck, senior threat researcher at Securonix. "Based on the malware used, its primary purpose is theft. Typically, with financially motivated attacks, we see either ransomware or cryptominers being used."

**Targeting Developers With Social Engineering**

To lure in their victims, DEV#POPPER threat actors pose as interviewers looking to hire software developers for nonexistent positions. When someone applies, they send off a .ZIP file to the target that purports to be an npm package to be used for testing the applicant's coding skills.

"The use of practical-style interviews makes for an easy medium for the attackers to run malicious code on the interviewee's system," Peck notes. "Given the practical nature of developer interviews, it would not be uncommon to be asked to compile or execute code, as opposed to most other types of interviews. In such a use case, it would generally not raise suspicions for the interviewee."

When the interviewee extracts and executes the contents of the package, a well-hidden line of JavaScript code executes, which kicks off the infection chain, the researchers explained in their analysis of the campaign. "The .ZIP file contains dozens of legitimate files, making identifying potential foul play difficult to spot if it's missed by any installed antivirus."

Antivirus, by way, may indeed miss it: the malicious file, which is obfuscated in multiple ways, has just a 3/64 vendor detection rate on VirusTotal as of the Securonix blog post being published today.

The level of savvy scamming is notable: "In this particular attack, the lengths that the threat actors go through to pull off their social engineering scheme is quite bold," says Peck. "If you think about it, the amount of work needed to host fake job interviews goes way beyond traditional compromise actions such as blasting out phishing emails, for example."

**DEV#POPPER's Cyberattack Routine & Updated Malware**

The malware strategy is not just now multiplatform, but is also more sophisticated than its predecessor, according to Securonix.

After deobfuscating the script, the researchers were able to detect the campaign's command-and-control address (C2), as well as a number of malicious functions. The latter includes a fresh main function, dubbed "M," which orchestrates data extraction and code execution on different operating systems.

"It begins by identifying the platform, constructs paths and variables, and then calls appropriate extraction functions based on the detected OS," according to the analysis.

Other functions are in charge of sending the stolen data to the C2, collecting system and geolocation information, and assigning unique identifiers to each infected host (which allows the server to track which data came from which machine). Another function downloads next-stage payloads, while another new addition performs directory traversal, which includes filters to exclude certain files and directories from extraction (in order to appear more legitimate).

Securonix researchers noted that after the script was executed on a compromised host, the attackers then fetched a series of additional payloads culminating in an updated version of a Python script that DEV#POPPER has used before. This performs the actual theft of various sensitive files, plus keylogging and surveillance; one new capability is the ability to steal browser cookies, credit-card information entered into websites, and data for any installed browser extensions.

"The risk of running this kind of information-stealer malware on a business endpoint could be catastrophic," Peck says. "Considering the information stolen, the threat actors would almost immediately have access to all of the user's active browser sessions, cookies, and passwords. Additionally, they would have remote access to the endpoint allowing them to embed themselves deeper or attempt to move laterally into other systems that the user might have access to."

While it's difficult for businesses to protect against this type of attack, given that they might not be aware that a target is job-hunting, awareness training is always an option on the defensive side.

"First, if you're employed and actively interviewing, never conduct the interview on a company-owned appliance," Peck warns. "Second, though job interviews are oftentimes stressful situations, maintain a security-focused mindset. Social engineering attacks can be difficult to spot, however if the request seems odd or out of the norm, don't be afraid to back out of a request for fear of rejection or making a situation awkward."

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

North Koreans Target Devs Worldwide With Spyware, Job Offers

Malicious actors could potentially exploit this vulnerability if they gain physical access to a user's device.

Source: Anatolii Babii via Alamy Stock Photo

Apple released updates for a variety of its products to patch recent vulnerabilities found in Siri, the Apple iOS digital assistant.

The vulnerabilities could allow an attacker to steal information through a locked device because when a device is locked, there are still voice commands that the digital assistant can process and may allow access to contacts and other sensitive data.

In its latest round of fixes, Apple restricted these options to prevent malicious actors from exploiting the vulnerability, even if they have physical access to a device.

In addition to the iPhone, the company patched a similar vulnerability in Apple Watch, iOS, iPadOS, and the macOS Ventura.

Users should update to the latest software version of iOS and iPadOS, iOS 17.6, or iPadOS 17.6, to mitigate these bugs by going to settings, general, and then software update.

**About the Author(s)**

Siri Bug Enables Data Theft on Locked Apple Devices

### Impact

Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions.

Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code.

### Patches

The problem has been fixed with PRs deepset-ai/haystack#8095 and deepset-ai/haystack#8096.

Both have been released with Haystack `2.3.1`.

### Workarounds

Prevent users from running the affected Components, or only let users use preselected templates.

### References

The list of impacted Components can be found in the release notes for `2.3.1`.
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1

**Package**

pip haystack-ai (pip)

**Affected versions**

< 2.3.1

**Patched versions**

2.3.1

**Description**

**Impact**

Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions.

Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code.

**Patches**

The problem has been fixed with PRs deepset-ai/haystack#8095 and deepset-ai/haystack#8096.

Both have been released with Haystack 2.3.1.

**Workarounds**

Prevent users from running the affected Components, or only let users use preselected templates.

**References**

The list of impacted Components can be found in the release notes for 2.3.1.  
https://github.com/deepset-ai/haystack/releases/tag/v2.3.1

**References**

*   GHSA-hx9v-6r9f-w677
*   https://nvd.nist.gov/vuln/detail/CVE-2024-41950
*   deepset-ai/haystack#8095
*   deepset-ai/haystack#8096
*   deepset-ai/haystack@3fed136
*   deepset-ai/haystack@6c25a5c
*   https://github.com/deepset-ai/haystack/releases/tag/v2.3.1

 silvanocerza published to deepset-ai/haystack

Jul 31, 2024

Published by the National Vulnerability Database

Jul 31, 2024

Published to the GitHub Advisory Database

Jul 31, 2024

Reviewed

Jul 31, 2024

Last updated

Jul 31, 2024

GHSA-hx9v-6r9f-w677: Insecure Jinja2 templates rendered in Haystack Components can lead to RCE

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

If paying a ransom is prohibited, organizations won't do it — eliminating the incentive for cybercriminals. Problem solved, it seems. Or is it?

Ilia Sotnikov, Security Strategist & Vice President of User Experience, Netwrix

July 31, 2024

4 Min Read

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware and other malware attacks are among the top three types of security incidents that organizations experience, according to Netwrix's "2024 Hybrid Security Trends Report." In a bid to curb this menace, for several years now there have been discussions around a radical approach: making ransomware payments illegal. The rationale is straightforward. If paying a ransom is prohibited, organizations won't do it — thus eliminating the incentive for cybercriminals to launch ransomware attacks. Problem solved. Or is it?

**All Ransoms Are Not Equal**

We must first recognize that there are multiple types of extortion. Ransomware is generally different from physical extortion cases like kidnappings, hostage situations, and threats of violence against individuals or public spaces. However, a ransomware attack, for example, on a hospital, literally endangers patients' lives. 

In scenarios where human lives are directly at stake, the ethical and legal considerations surrounding ransom payments are more complex than a simple ban allows for. Given the adaptability and resourcefulness of ransomware attackers, it is highly likely that they will push the boundaries of such a ban and test the limits of enforcement. As a result, a blanket ban on all ransom payments could force decision-makers into impossible moral dilemmas.

**The Law of Unintended Consequences**

Let's suppose for a moment that ransom payments have been legally prohibited, and a ransomware attack has just crippled your business. You need to get back online quickly or your business may go under. While the law forbids you from paying the ransom, enforcement agencies cannot stop what they don't know about. Almost certainly, some companies would quietly pay the ransom and simply not report the incident. This hesitancy to report attacks affects visibility into the actual scope of the problem and hinders law enforcement from acting accordingly. If the challenge is unknown, it cannot be addressed. 

In addition, there would be a disproportionate impact on small and medium-sized businesses. While large organizations might possess the resources to endure a ransomware attack without caving in to ransom demands, small businesses could face existential threats. A blanket ban on ransom payments could leave them in a precarious position of having to choose between resorting to illegal payments or risking going out of business.

**Case in Point: Cyber Insurance **

No legislative action or policy change occurs in isolation; it inevitably has ripple effects and unintended consequences. Cyber insurance provides a prime example in the arena of ransomware. By securing a cyber-insurance policy, businesses aim to protect themselves from the financial fallout of a ransomware attack, as the insurance provider would cover the ransom payment. 

Indeed, this is how it worked just several years ago. However, cybercriminals quickly recognized that insured organizations are more likely to pay ransoms, since their insurance company covers these expenses. It is reasonable to assume that threat actors started conducting reconnaissance on the cyber-insurance coverage of potential victims to tailor their attacks and maximize their profits. This is how cyber insurance might have contributed to the growth of the ransomware epidemic. 

Currently, one can hardly find an insurance company ready to reimburse the ransom payment.

**A Better Model: Follow the Banking Industry**

Bank robberies were once a prevalent threat, but they have significantly declined in recent decades. This reduction was not achieved by banning bank tellers from handing over cash. Instead, banks have adopted a multifaceted approach to mitigate the risk. To deter potential robbers, they use measures such as reduced cash handling, time-lock safes, enhanced security cameras, and alarm systems. Dye packs, decoy money, and GPS trackers reduce the risk of financial loss in cases where cash is ultimately handed over. What's more, appropriate security measures are a must to obtain and keep the license to operate. 

A similar approach may prove equally effective for other high-risk industries. Governments can establish cybersecurity benchmarks and recommend risk mitigation strategies, just as they have for the public sector and critical infrastructure. Such standards offer essential guidance for organizations that lack the strategic leadership necessary to develop an effective ransomware defense strategy independently. 

Finally, law enforcement agencies take their share of the responsibility and increase international collaboration to dismantle ransomware networks. The benefits of this approach are already paying off, as evidenced by the recent takedown of the LockBit ransomware gang. Agencies from more than half a dozen countries issued a detailed joint cybersecurity advisory that outlined LockBit's tactics and tools. They also seized some of the group's attack assets, significantly hindering their ability to initiate attacks.

**Conclusion**

Frustration is understandable as ransomware attacks continue around the globe, but simply denying victim organizations the option of paying the ransom is neither realistic nor practical. There will always be exceptions to the law, and unanticipated repercussions could make the cure worse than the disease. Instead, an effective response will require organizations to take greater responsibility for cybersecurity and government agencies to engage in good old-fashioned police work. This strategy may not be as straightforward as a ban on ransom payments, but the war against ransomware is winnable through a comprehensive, nuanced approach.

**About the Author(s)**

Security Strategist & Vice President of User Experience, Netwrix

An accomplished expert in cybersecurity and IT management, Ilia Sotnikov is security strategist and vice president of user experience at Netwrix, a vendor of information security and governance software. Netwrix is based in Frisco, Texas. 

Ilia has more than 20 years of experience in cybersecurity as well as IT management experience during his time at Netwrix, Quest Software, and Dell. In his current role, Ilia is responsible for technical enablement, UX design, and product vision across the entire product portfolio. Ilia’s main areas of expertise are data security and risk management.

Tag

#mac