Cyber security News
From Search Results to Malware Lures: SEO Poisoning
Qakbot: The Evil Duck Reappears
Structural Foundations of Windows Architecture
LockBit 3.0 and Citrix Bleed Vulnerability (CVE-2023-4966)
Generative AI and Cybersecurity: New Threat Landscape
LockBit Ransomware Surge in 2023: A Record-Breaking Menace
Microsoft’s November 2023 Patch:Confronts Five Zero-Day Threats
Threat of Malvertising in the Cybersecurity Landscape
Cybersecurity News: Nov 5-Nov 11
What it takes to be a proficient threat hunter

Secknowers

The one who knows Security

October 2023

News Threat Intel

StripedFly:Malware Hidden as a Cryptominer

StripedFly malware is a highly sophisticated and stealthy maware that has been in operation since at least 2017, affecting over a million victims globally. Initially masquerading as a cryptocurrency miner, deeper analysis unveiled its multifaceted capabilities extending far beyond cryptocurrency mining. Here are the key aspects of StripedFly malware based on various reports and additional insights.

Architecture

Based on the report published by Kaspersky, StripedFly operates as a monolithic binary executable with pluggable modules. This design allows for operational versatility often found in Advanced Persistent Threat (APT) operations. The modular nature of StripedFly enables the addition of various functionalities without altering the core structure of the malware, making it a flexible and adaptable threat.

StripedFly Windows execution flow (Kaspersky)

StripedFly Windows execution flow (Kaspersky)

Evolution

Initially functioning as a cryptocurrency miner, StripedFly was later discovered to have a complex, multifunctional wormable framework. This framework enables the malware to function as an APT, a crypto miner, and potentially even as a ransomware group, indicating a possible evolution in motives from financial gain to espionage over time.

Impact

StripedFly has had a significant impact with a global reach, affecting over a million Windows and Linux computers worldwide since 2016 or 2017. This global reach illustrates the significant threat posed by StripedFly to both individual and organizational cybersecurity, transcending geographical and platform boundaries.

Modus Operandi

StripedFly harvests credentials every two hours, collecting a range of sensitive data including site and WiFi login credentials, and personal information. It can capture screenshots, exert significant control over infected machines, and even record microphone input without detection, underlining its invasive and persistent nature.

Infection Vector

The initial infection vector was uncovered as a custom-made EternalBlue ‘SMBv1′ exploit used to infiltrate victims’ systems. Despite the public disclosure of the EternalBlue vulnerability in 2017 and the subsequent release of a patch by Microsoft, many users failed to update their systems, leaving a significant number of computers vulnerable to StripedFly exploitation.

Discovery and Analysis

StripedFly’s sophisticated nature allowed it to evade detection for a prolonged period, being misclassified as a mere cryptocurrency miner. The extensive analysis conducted by cybersecurity researchers unveiled the remarkable effort invested in creating this malicious framework and highlighted the necessity for continuous research and vigilance in the cybersecurity domain.

Cross-Platform Nature

StripedFly is identified as a cross-platform malware capable of infecting both Windows and Linux systems. Its cross-platform nature broadens the scope of potential victims and presents a challenge for cybersecurity measures across different operating environments .

Attack Mitre Techniques

Att&ck IDs
T1210 – Exploitation of Remote Services 
 T1564 – Hide Artifacts 
 TA0004 – Privilege Escalation 
 T1053 – Scheduled Task/Job 
 T1060 – Registry Run Keys / Startup Folder 
 T1094 – Custom Command and Control Protocol 
 T1573 – Encrypted Channel 

Alientvault OTX Pulse

Virustoatal Analysis

Learning

The Art of Malware Reverse Engineering

In the ever-changing realm of cybersecurity threats, there’s a constant need for innovative and resilient defense mechanisms. To confront and counteract malicious software effectively, cybersecurity experts often turn to the practice of malware reverse engineering. This intricate process involves dissecting and scrutinizing malicious code to unveil its functions, vulnerabilities, and potential strategies for mitigation. In this article, we will delve into the core steps of malware reverse engineering and explore the techniques employed by cybersecurity professionals to unveil the concealed aspects of malevolent software.

Step 1: Preparation

Before diving into the world of malware reverse engineering, it’s essential to prepare adequately. This step includes:

  1. Safe Environment: Set up a controlled, isolated environment for analysis. Use a dedicated virtual machine (VM) or an air-gapped computer to avoid infecting your primary system.
  2. Tools: Equip yourself with a set of essential tools, including disassemblers (e.g., IDA Pro or Ghidra), debuggers (e.g., OllyDbg or GDB), and sandboxing tools.
  3. Documentation: Gather information about the malware’s origin, behavior, and any known indicators of compromise (IOCs). This will provide context during analysis.

Step 2: Static Analysis

Static analysis involves examining the malware without executing it. Key activities in this phase include:

  1. File Analysis: Inspect the malware file, identifying its type, size, and any hidden data or resources.
  2. File Hashing: Calculate and compare the hash values of the malware to known malware databases to determine if it’s a known threat.
  3. Disassembly: Disassemble the binary code using a disassembler, allowing you to view the assembly code and identify key functions.
  4. Strings Analysis: Search for strings within the binary that may reveal information about the malware’s functionality or origin.
  5. Code Flow Analysis: Trace the code flow to identify entry points, subroutines, and potential vulnerabilities.

Step 3: Dynamic Analysis

Dynamic analysis involves executing the malware in a controlled environment to observe its behavior. Key steps in this phase include:

  1. Sandbox Analysis: Execute the malware within a controlled sandbox environment, monitoring its interactions with the system.
  2. API Monitoring: Observe system calls and API function calls made by the malware to understand its actions and potential network communication.
  3. Memory Analysis: Analyze the malware’s memory to identify any encryption or packing techniques used to obfuscate its code.
  4. Network Traffic Analysis: Capture and analyze network traffic generated by the malware to identify communication with command and control (C2) servers.

Step 4: Code Analysis

Code analysis is the heart of malware reverse engineering, focusing on dissecting the malware’s core functionality. It involves:

  1. Function Identification: Identify critical functions, such as those related to network communication, data exfiltration, and persistence mechanisms.
  2. Vulnerability Assessment: Search for vulnerabilities or weaknesses that could be exploited for defense or mitigation.
  3. Code Reversing: Reverse-engineer critical functions and algorithms to understand how they work.
  4. Behavior Mapping: Map out the malware’s behavior and logic to gain a comprehensive understanding of its operations.

Step 5: Report Generation

Compile your findings into a comprehensive report that includes:

  1. Analysis Summary: Provide an overview of the malware’s origin, behavior, and potential impact.
  2. Indicators of Compromise (IOCs): Document any IOCs, such as file names, registry keys, or network addresses, that can be used for threat detection.
  3. Mitigation Strategies: Suggest strategies for mitigating the threat, including signatures for intrusion detection systems (IDS) and firewall rules.
  4. Recommendations: Offer recommendations for improving security measures and defenses based on the malware’s characteristics.

Conclusion

Malware reverse engineering is a vital tool in the arsenal of cybersecurity experts. By dissecting malicious software and understanding its inner workings, security professionals gain valuable insights that help protect systems and networks from future threats. As the threat landscape continues to evolve, the importance of effective malware reverse engineering cannot be overstated in the ongoing battle for cybersecurity.

Threat Intel

MITRE ATT&CK: A Roadmap to Effective Cybersecurity Defence

In an age where digital threats and cyberattacks continue to evolve, organizations and security professionals need effective tools and strategies to defend against adversaries. One such tool that has gained prominence in the world of cybersecurity is MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). ATT&CK is not just a framework but a comprehensive resource that empowers defenders to better understand and mitigate threats by adopting a proactive and adversary-focused approach. This article explores the essence of MITRE ATT&CK, its importance, and its role in enhancing cybersecurity.

Understanding MITRE ATT&CK

MITRE ATT&CK is a knowledge base and framework that catalogues tactics, techniques, and procedures employed by adversaries in their campaigns. It was developed by MITRE Corporation, a not-for-profit organization, and is widely recognized and adopted in the cybersecurity community.

The ATT&CK framework is structured into two primary matrices: Enterprise and Mobile. Each matrix consists of a range of tactics and techniques employed by adversaries during different stages of a cyberattack. The tactics represent the adversary’s goals, while the techniques are specific methods or procedures used to achieve those goals. ATT&CK also provides information on how the tactics and techniques have been observed in real-world attacks.

Why is MITRE ATT&CK Important?

  1. Common Language: ATT&CK serves as a common language for security teams, enabling them to communicate more effectively about threats and vulnerabilities. By referencing specific tactics and techniques, security professionals can better understand and address security issues.
  2. Proactive Threat Mitigation: Rather than focusing solely on known vulnerabilities or malware signatures, ATT&CK encourages a proactive approach. Organizations can identify potential threats and vulnerabilities based on the tactics and techniques used by adversaries.
  3. Knowledge Sharing: The MITRE ATT&CK framework encourages knowledge sharing within the cybersecurity community. Security researchers, vendors, and organizations can contribute to the framework, ensuring that it remains up-to-date and reflective of the evolving threat landscape.
  4. Improved Defenses: By understanding how adversaries operate, organizations can enhance their defenses. They can design more effective security strategies, create better threat detection rules, and prioritize security measures based on the likelihood of specific tactics being employed.
  5. Red and Blue Teaming: ATT&CK supports red teaming (simulated adversarial attacks) and blue teaming (defensive exercises). These activities help organizations assess their security posture, identify weaknesses, and improve their incident response capabilities.

Practical Applications of MITRE ATT&CK

  1. Threat Intelligence: Security teams can use ATT&CK to better understand threat intelligence reports. By mapping reported threats to the framework, organizations can assess the relevance and potential impact of the threat.
  2. Security Assessments: During security assessments, organizations can use the framework to evaluate their security controls and identify gaps in their defenses. This helps in creating more robust security postures.
  3. Incident Response: ATT&CK aids in incident response by allowing organizations to trace the tactics and techniques used by adversaries during an attack. This information can guide the response efforts and improve recovery procedures.
  4. Cybersecurity Training and Education: ATT&CK is a valuable resource for training security professionals. It provides a structured way to learn about adversary behaviors and tactics.

MITRE ATT&CK is a powerful resource in the fight against evolving cyber threats. By providing a common language, fostering a proactive approach to defense, and facilitating knowledge sharing, it enhances the capabilities of organizations and security professionals. As cyber adversaries continue to adapt and innovate, MITRE ATT&CK remains an invaluable tool for understanding and mitigating their tactics and techniques, making the digital world a safer place for all.