
From Search Results to Malware Lures: SEO Poisoning

As search engines have become the first point of contact with the internet, threat actors are leveraging them to spread malware through SEO poisoning. Loopholes in ranking algorithms are abused to push fake or compromised websites up the results, deceiving both search engines and unsuspecting users. Malvertising is also used to lure users onto these sites.

What is SEO?

SEO, or Search Engine Optimization, is the practice of making a website rank higher in search results so that more people find it when searching for what it offers. Site owners tune content, structure and technical details (page speed, metadata, links) to match what search engines reward. The same ranking signals that reward legitimate sites are what SEO poisoning abuses.

SEO Poisoning

SEO poisoning turns that mechanism into a trap. A user searching for an answer, a tutorial or a download clicks a result that looks legitimate and, instead of landing on the expected page, is redirected to an attacker-controlled site that serves a phishing page or a malware download.

How it Works

  • Exploiting Hot Keywords: Attackers identify trending search terms and stuff them into pages they control or have compromised. When users search for those terms, the poisoned pages rank above the legitimate results the users expected.
  • Compromising Legitimate Sites: Attackers exploit weaknesses in existing websites, such as outdated CMS software or plugins, to inject malicious code or links. Because these sites already have reputation and ranking, they become effective vehicles for reaching visitors.
  • Cloaking Techniques: The poisoned page shows search-engine crawlers one version of its content (keyword-rich and apparently benign) while serving real visitors something else (a redirect or a malware lure). This lets the attacker manipulate rankings while hiding the malicious payload from the crawler.
  • Phishing and Malware Distribution: Once on the rogue site, visitors encounter phishing forms, bogus software downloads or malware-laden content. The goal is to steal credentials and personal data, install malware, or hijack the browser for further exploitation.
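The cloaking and keyword-stuffing techniques above can be checked for programmatically. The following is an added example, not code from the original post or from any vendor cited here: it fetches a URL once with a crawler User-Agent and once with a browser User-Agent, extracts the visible text, and flags the page if the two views differ sharply; it also reports the share of the page taken by its most frequent word, which is high on keyword-stuffed pages. The `cloaked_server` and `honest_server` functions and both HTML pages are constructed stand-ins for a real HTTP fetch, so the block runs offline.

```python
"""Added example: detect search-engine cloaking by fetching the same URL as a
crawler and as a browser and comparing the visible text.  The fetch functions
and both page bodies are constructed stand-ins, not real sites."""
import difflib
import re
from collections import Counter
from html.parser import HTMLParser

CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"

# Constructed pages: keyword-stuffed copy served to crawlers, a redirect lure served to people.
CRAWLER_PAGE = """<html><head><title>Download WinSCP free 2024 official</title></head>
<body><h1>WinSCP free download</h1><p>WinSCP download free WinSCP official WinSCP latest
version tutorial SFTP client.</p><a href="/tutorial">Read the tutorial</a></body></html>"""
BROWSER_PAGE = """<html><head><title>Download</title></head>
<body><script>window.location='https://winscp-setup.example/Setup.exe'</script>
<p>Your download starts shortly.</p></body></html>"""


def cloaked_server(url, user_agent):
    """Stand-in for an HTTP GET against a (constructed) site that keys its response on the User-Agent."""
    ua = user_agent.lower()
    if "googlebot" in ua or "bingbot" in ua:
        return CRAWLER_PAGE
    return BROWSER_PAGE


def honest_server(url, user_agent):
    """Stand-in for a site that serves everyone the same content."""
    return CRAWLER_PAGE


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> bodies."""

    def __init__(self):
        super().__init__()
        self.parts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.parts.append(data)


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def keyword_density(html):
    """Return (most frequent word, its share of all words); a high share suggests keyword stuffing."""
    words = re.findall(r"[a-z0-9]+", visible_text(html))
    word, count = Counter(words).most_common(1)[0]
    return word, count / len(words)


def cloaking_score(url, fetch):
    """Similarity (0..1) between the crawler's and the browser's view of the page."""
    crawler_view = visible_text(fetch(url, CRAWLER_UA))
    browser_view = visible_text(fetch(url, BROWSER_UA))
    return difflib.SequenceMatcher(None, crawler_view, browser_view).ratio()


def is_cloaked(url, fetch, threshold=0.5):
    """Flag the page when the two views share less than `threshold` of their text."""
    return cloaking_score(url, fetch) < threshold


if __name__ == "__main__":
    url = "https://winscp-free-download.example/"
    print("cloaked:", is_cloaked(url, cloaked_server))
    print("keyword density:", keyword_density(CRAWLER_PAGE))
```

Against real sites, replace the fetch function with an HTTP client and expect misses: many poisoned pages cloak on crawler IP ranges or the referrer rather than the User-Agent alone, so two matching views do not prove a page is honest.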

Recent Cyber Attacks that weaponized SEO Poisoning

  • SEO Poisoning to Domain Control: In a case documented by The DFIR Report, SEO poisoning delivered a Gootloader infection. Gootloader stored Cobalt Strike beacons in the registry and executed them in memory; the attacker then obtained RDP access and compromised the domain controllers.
  • SEO#LURKER Attack Campaign: In this campaign, reported by Securonix, poisoned search results for WinSCP led users to fake download pages. The trojanized installer deployed malware alongside a working copy of WinSCP so that the victim noticed nothing. WinSCP is an open-source file transfer client popular among IT administrators. The attack chain is shown below.
SEO#LURKER attack chain example (Securonix)

Detect and Stop

  • Be Cautious with Search Results: Treat search results as untrusted input. Be wary of results that look too good to be true and of unfamiliar domains that suddenly appear at the top of the list, especially for software downloads. Prefer the vendor's own site and sources you already trust.
  • Verify Website Authenticity: Check the domain name and full URL before downloading anything or entering credentials. Misspelled domains, extra words or hyphens around a brand name, and a brand name placed in a subdomain of an unrelated domain are signs of a phishing or spoofed site.
  • Watch Out for Suspicious Pop-ups: Unexpected pop-ups or advertisements, particularly ones that prompt a download or an "update", are a warning sign. Close them rather than interacting with them.
  • Use Security Software: Run reputable, up-to-date antivirus or endpoint protection that blocks known malicious sites and downloads, including those spread through SEO poisoning, and scan regularly to find and remove infections.
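The "verify website authenticity" advice above can be automated for download links seen in search results or proxy logs. The following is an added example, not code from the original post: it takes a URL, extracts the registrable domain and classifies it as trusted, a lookalike of a trusted vendor domain (a typosquat, the brand name padded with extra words, or the brand name used as a subdomain of an unrelated domain), a punycode host, or unknown. The allowlist (`winscp.net`, WinSCP's official domain), the homoglyph table and all sample URLs are assumptions constructed for the demo.

```python
"""Added example: classify a landing-page URL against an allowlist of vendor
domains, flagging typosquats, brand-in-subdomain abuse and punycode hosts.
The allowlist, homoglyph table and sample URLs are constructed for the demo."""
from urllib.parse import urlsplit

# Assumed allowlist: extend with the vendors your users actually download from.
TRUSTED = ("winscp.net",)

# A few substitutions typosquatters rely on (illustrative, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label):
    """Map common look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Edit distance; a small distance between brand labels indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels. Simplification: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike:<vendor domain>', 'punycode' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        return "punycode"                                   # IDN host: inspect manually
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    brand_label = reg.split(".")[0]
    for vendor in trusted:
        vendor_label = vendor.split(".")[0]
        if vendor_label in labels:                          # winscp.net.setup-mirror.example
            return "lookalike:" + vendor
        if vendor_label in brand_label:                     # winscp-download.example
            return "lookalike:" + vendor
        if levenshtein(normalize(brand_label), normalize(vendor_label)) <= 2:  # wlnscp.net
            return "lookalike:" + vendor
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://winscp.net/eng/download.php",
                   "https://winscp-download.example/Setup.exe",
                   "https://wlnscp.net/",
                   "https://winscp.net.setup-mirror.example/Setup.exe",
                   "https://docs.python.org/3/"):
        print(classify(sample), sample)
```

The edit-distance threshold of 2 is generous for short brand labels and will flag unrelated names of similar length; tune it per vendor, and use the Public Suffix List rather than the last-two-labels shortcut before relying on this in a proxy or SIEM rule.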

Qakbot: The Evil Duck Reappears

Qakbot, also known as QBot, has been a persistent and formidable adversary since it emerged as a banking Trojan in the late 2000s. It has evolved and adapted against cyber defences to remain among the top malware families for over a decade.

The Genesis of Qakbot

First identified in 2008, Qakbot was designed to steal financial data and confidential information from compromised systems. Early versions used keylogging and inspection of web traffic to capture this data. It is also known as Pinkslipbot. Qakbot is typically delivered as a second-stage payload: an initial access technique such as phishing serves as the first stage.

Infrastructure

Qakbot uses a layered infrastructure for its command-and-control (C2) servers. The operators typically rent these servers from hosting providers who are unwilling to cooperate with law enforcement in shutting them down. The graph below depicts the C2 structure. Tier 1 nodes are a subset of infected systems promoted to supernodes, which relay traffic from other victim computers; supernodes were present in 63 countries. The intermediary nodes act as proxies between the main C2 servers and the infected machines, hiding the location of the upstream servers.

Qakbot C2 server tiers (CISA)

Evolutionary Phases

Over the years, the malware has undergone several evolutionary phases, showcasing its adaptability and resilience to security measures. It evolved from a basic banking Trojan to a multifunctional threat capable of employing various attack vectors, including exploit kits, phishing emails, and lateral movement within networks. One significant evolutionary leap involved the integration of worm-like capabilities, enabling Qakbot to propagate across networks swiftly. It utilized brute force techniques to spread laterally, infecting interconnected devices and networks, amplifying its impact and complicating mitigation efforts.

Ransomware Gangs using Qakbot

Various financially motivated ransomware groups are known to use Qakbot as an infection vector. The list includes Conti, ProLock, Egregor, REvil, MegaCortex, Black Basta and Royal.

FBI-Led Law Enforcement Operation Takes Down Qakbot

In August 2023, the FBI, in collaboration with other law enforcement agencies, took down Qakbot's infrastructure and seized about $8.6 million in cryptocurrency. The operation identified over 700,000 infected machines, about 200,000 of them in the US. By redirecting the botnet's traffic to servers under their control, the agencies instructed the infected machines to download an uninstaller that removed the malware.

Qakbot Returns

About three months after the takedown, in December 2023, Microsoft Threat Intelligence reported phishing campaigns connected to Qakbot. On its return the primary target was the hospitality sector; the phishing email impersonated the IRS, as shown in the image below.

Qakbot phishing email (Microsoft)

Conclusion

Qakbot has been around for a long time and its roots run deep. It is operated by cybercriminals based in Eastern Europe. According to a report published by Check Point, Qakbot was the most prevalent malware in multiple regions globally.

Top malware groups by region (Check Point)

The malware targeted multiple sectors.

Impacted sectors (Check Point)

Although the infrastructure has been taken down, the individuals behind the malware and their connections persist. They will learn from the takedown and come back. As cybercriminals adapt, security solutions advance too; prepare for such attacks by implementing and maintaining robust security measures.

StripedFly: Malware Hidden as a Cryptominer

StripedFly is a highly sophisticated and stealthy malware that has been in operation since at least 2017, affecting over a million victims globally. Initially taken for a cryptocurrency miner, deeper analysis revealed capabilities extending far beyond mining. The key aspects of StripedFly, based on published reports, follow.

Architecture

Based on the report published by Kaspersky, StripedFly operates as a monolithic binary executable with pluggable modules. This design allows for operational versatility often found in Advanced Persistent Threat (APT) operations. The modular nature of StripedFly enables the addition of various functionalities without altering the core structure of the malware, making it a flexible and adaptable threat.

StripedFly Windows execution flow (Kaspersky)

Evolution

Initially classified as a cryptocurrency miner, StripedFly was later found to be a complex, multifunctional wormable framework. The framework lets the malware operate as an APT implant, a crypto miner, and potentially even as ransomware, suggesting that its operators' motives may have shifted between financial gain and espionage over time.

Impact

StripedFly has had a significant impact with a global reach, affecting over a million Windows and Linux computers worldwide since 2016 or 2017. This global reach illustrates the significant threat posed by StripedFly to both individual and organizational cybersecurity, transcending geographical and platform boundaries.

Modus Operandi

StripedFly harvests credentials every two hours, collecting a range of sensitive data including site and WiFi login credentials, and personal information. It can capture screenshots, exert significant control over infected machines, and even record microphone input without detection, underlining its invasive and persistent nature.

Infection Vector

The initial infection vector was a custom-made exploit for the EternalBlue SMBv1 vulnerability. Microsoft patched that vulnerability in 2017 (MS17-010) and the EternalBlue exploit was publicly leaked the same year, yet many systems were never updated, leaving a large number of computers exposed to StripedFly.
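Since StripedFly's foothold depends on SMBv1 still being accepted, the practical check is whether hosts on your network still negotiate that dialect. The following is an added example, not code from Kaspersky's analysis: it builds a plain SMB1 Negotiate Protocol request offering only the `NT LM 0.12` dialect, sends it to port 445 and interprets the reply. It performs only the protocol negotiation and no exploitation. The replies produced by `sample_replies()` are constructed for offline testing, not captured from a real host, and the header field values (flags 0x18, flags2 0xC853) are the ones commonly sent by SMB1 clients.

```python
"""Added example: does a host still negotiate SMBv1 (the dialect EternalBlue
needs)?  Sends a plain SMB1 Negotiate Protocol request and classifies the reply.
Only the negotiation is performed; nothing is exploited.  The replies returned
by sample_replies() are constructed for offline testing, not real captures."""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"   # classic SMB1 dialect; offered alone, so any SMB1 answer means SMBv1 is enabled


def smb1_header(command, flags=0x18, flags2=0xC853, status=0):
    """32-byte SMB1 header (flags2 0xC853: Unicode, NT status, extended security, long names)."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", command, status, flags, flags2,
        0,            # PID high
        b"\x00" * 8,  # security features / signature
        0,            # reserved
        0,            # TID
        0xFEFF,       # PID low (arbitrary)
        0,            # UID
        0,            # MID
    )


def netbios(smb):
    """NetBIOS session message: type 0x00 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects=(DIALECT,)):
    """WordCount=0, ByteCount, then one 0x02-prefixed NUL-terminated string per dialect."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios(smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body)


def classify_reply(data):
    """smb1: server accepted an SMB1 dialect.  smb2: server answered with an SMB2/3 header.
    refused: SMB1 header but error status or DialectIndex 0xFFFF.  closed: empty reply
    (hardened hosts with SMBv1 disabled usually just drop the connection).  unknown: anything else."""
    if not data:
        return "closed"
    smb = data[4:]                                   # strip the NetBIOS header
    if smb[:4] == b"\xfeSMB":
        return "smb2"
    if len(smb) < 35 or smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if status != 0 or word_count == 0 or dialect_index == 0xFFFF:
        return "refused"
    return "smb1"


def probe(host, port=445, timeout=3.0):
    """Run the negotiation against a live host (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_reply(data)


def sample_replies():
    """Constructed server answers keyed by the classification they should produce."""
    accepted = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + struct.pack("<BH", 17, 0) + b"\x00" * 32
    rejected = smb1_header(SMB_COM_NEGOTIATE, flags=0x98) + struct.pack("<BH", 1, 0xFFFF) + b"\x00\x00"
    smb2 = b"\xfeSMB" + b"\x00" * 60
    return {"smb1": netbios(accepted), "refused": netbios(rejected), "smb2": netbios(smb2), "closed": b""}


if __name__ == "__main__":
    for expected, reply in sample_replies().items():
        print(expected, "->", classify_reply(reply))
```

A result of `smb1` means the host still accepts the dialect EternalBlue needs, not that it is unpatched; confirm MS17-010 status on the host itself and disable SMBv1 wherever it is not required. Hosts with SMBv1 disabled typically close the connection without answering, which the probe reports as `closed`.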

Discovery and Analysis

StripedFly’s sophisticated nature allowed it to evade detection for a prolonged period, being misclassified as a mere cryptocurrency miner. The extensive analysis conducted by cybersecurity researchers unveiled the remarkable effort invested in creating this malicious framework and highlighted the necessity for continuous research and vigilance in the cybersecurity domain.

Cross-Platform Nature

StripedFly is identified as a cross-platform malware capable of infecting both Windows and Linux systems. Its cross-platform nature broadens the scope of potential victims and presents a challenge for cybersecurity measures across different operating environments.

MITRE ATT&CK Techniques

  • T1210 – Exploitation of Remote Services
  • T1564 – Hide Artifacts
  • TA0004 – Privilege Escalation (a tactic, not a technique)
  • T1053 – Scheduled Task/Job
  • T1060 – Registry Run Keys / Startup Folder (deprecated ID; now T1547.001)
  • T1094 – Custom Command and Control Protocol (deprecated ID; now covered by T1095, Non-Application Layer Protocol)
  • T1573 – Encrypted Channel

AlienVault OTX Pulse

VirusTotal Analysis