Tulsa City Services Taken Down by Ransomware Attack

The city of Tulsa, Oklahoma, has suffered a ransomware infection that forced it to take critical services offline to protect them from the spreading malware. The attack occurred last weekend, when hackers deployed ransomware on the city’s network, disrupting services and prompting the decision to take further services offline. “We identified malware on our servers, and as soon as we did that, in an abundance of caution, we shut all of our systems down,” Tulsa Mayor GT Bynum told local media KRMG in an interview. The incident did not affect 911 services, and many employees are back at work.

However, days later, the shutdown is still affecting the day-to-day lives of Tulsa citizens. Residents are unable to access the online bill payment system to pay their utility bills. Animal welfare, park services, and development services are also offline. The Tulsa Fire Department is using temporary numbers during the outage. The websites for the City of Tulsa, the Tulsa City Council, Tulsa Police, and Tulsa 311 are also down for maintenance.

The phone systems are up and running, and they are currently the only way to conduct business with the City.

In a Facebook post, the police department stated that customer information was not compromised. That statement is hard to verify: most ransomware operations steal data before deploying the malware, so some data may well have been exposed.

“The City of Tulsa is experiencing technical difficulties on many outward facing programs that help serve the citizens of Tulsa due to a ransomware attack. No customer information has been compromised, but residents will not be able to access City websites and there will be delays in network services,” says a post to the Tulsa Police Department’s Facebook page.

PD Statement on the Ransomware Attack

To help combat the increasing threat of ransomware, a Ransomware Task Force has been created to analyze the problem and provide recommended solutions to lawmakers.

These solutions range from mandatory disclosure of ransom payments to an internationally coordinated effort to help organizations prevent and respond to ransomware attacks.

Ransomware Attacks On Infrastructure & Cities

Attacks on critical infrastructure have also become a significant concern in light of last week’s cyberattack on the largest US fuel pipeline by the DarkSide ransomware gang. Tulsa, meanwhile, has become yet another city targeted by malware.

“It’s apparently the city of Tulsa’s turn. Essentially, they’ve settled on a playbook that seems to work,” Tyler Moore, Tandy Professor of Cyber Security at the University of Tulsa, said.

Moore said ransomware has been around for more than a decade and these attacks tend to come from Eastern Europe and Russia.

“When Bitcoin came along, they found an easy way to actually monetize that and target, you know, random cities in America,” Moore said.

Ransomware gangs scan thousands of computer networks at any given time, searching for vulnerabilities. The malware can get in when someone clicks on a malicious email, but Moore said that more often than not, attackers capitalize on a weakness in the network itself.

“It’s actually kind of scary, but the victims are selected by their willingness to pay,” Moore said.

He said cities are targeted because many are insured. The list of attacks is growing, from Baltimore to Atlanta, and even smaller towns like Okemah a few months back. Victims have a decision to make: to pay or not to pay. Something that would’ve cost thousands four or five years ago may cost hundreds of thousands today. Moore said most of the time the ransom is paid, especially if the data is highly sensitive.

“That just encourages the gangs to go target the next group,” Moore said.

Moore said the problem is preventable.

“Invest in cyber hygiene, ensure that software’s up to date, you have adequate backups, that your backups are kept offline,” Moore said.

Moore said it’s an encouraging sign the City of Tulsa took several computer systems offline, suggesting those systems have not been directly impacted by the ransomware.

Protection

Attacks like these are preventable, as Moore stated. Reactive tools act when it is far too late, which is why the key to prevention is using proactive tools. One of these tools is SaferNet.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, malware protection, and internet controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to businesses and families of all sizes. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Morgan Stanley Customers Fear Identity Theft After Accellion Data Breach

Identity theft fears are on the minds of Morgan Stanley customers, as the investment banking firm has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor. Morgan Stanley is one of the leading global financial services firms, operating in 41 countries. The company serves corporations, governments, institutions, and individuals.

Guidehouse, a third-party maintenance service to Morgan Stanley, notified the company in May 2021 that hackers had breached an Accellion FTA server to steal information belonging to Morgan Stanley stock plan participants. The server was breached using an exploit that Accellion had highlighted in January. It is believed the server was running unpatched, which is why the attack succeeded.

Initially, it was believed that because the data was encrypted, there was no cause for alarm with regard to identity theft. However, the hackers obtained the decryption keys during the attack.

Morgan Stanley says that the documents stolen during this incident contained:

  • Stock plan participants’ names
  • Addresses
  • Dates of birth
  • Social security numbers
  • Corporate company names

The company added that the files stolen from Guidehouse’s FTA server did not contain password information or credentials that the threat actors could use to gain access to impacted Morgan Stanley customers’ financial accounts.

“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told BleepingComputer. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

While all of the leaked information is troubling, SSNs in particular are the keys to identity theft.

While the attackers’ identity was not disclosed in Morgan Stanley’s data breach notification, a joint statement published by Accellion and Mandiant from February shed more light on the attacks, directly linking them to the FIN11 cybercrime group.

The Clop ransomware gang has also used an Accellion FTA zero-day vulnerability (disclosed in December 2020) to steal data from multiple companies.

Since the Accellion discovery in January, many corporations have been compromised through these exploits because they were still running legacy systems.

The Dangers of Identity Theft

Identity theft can be absolutely devastating for an individual. Usually, in the world of malware, we know which things can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, and we may even need to pay a ransom to regain access to our data. The point is, with most types of malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft lasts much longer.

Once your stolen information is used, it can take anywhere from a few days to six months to resolve that one incident. But your information stays out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever, we have data tied to our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses: all of these and more form a picture of us as lines in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold over time, repeatedly, meaning that if you notice your identity has been stolen and used, it can be used in several instances over a long period of years.

There are some guidelines from the US government in discovering if you are a victim of identity theft if it is not immediately obvious:

  • You stop receiving your regular bills and credit card statements.
  • You receive statements for accounts you never opened.
  • Debt collectors start calling you day and night about debts you’ve never heard of.
  • The IRS alleges you failed to report income for a company you never worked for.
  • You see withdrawals/charges on your bank or credit card statement that you didn’t make.
  • You try to file your taxes only to discover that someone else beat you to it.
  • You try to file your taxes and find someone claimed your child as a dependent already.
  • Your credit report includes lines of credit you never opened.
  • Your credit score fluctuates wildly and for no apparent reason.
  • The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
  • If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.

Protection

In some cases, a victim cannot be faulted for identity theft. For example, those affected by the data breach handed their information over to companies in good faith in the story above. Unfortunately, these companies, or more specifically the vendor, failed in protecting this information. However, many other times, business owners and families are singled out and targeted in their offices and homes.

For times like these, it is critical that you have the right tools to protect yourself. One of these tools is SaferNet.


Joker Malware App Begins New Onslaught On Google Play Store

The Joker malware app, which specializes in billing fraud, has made a return to the Google Play Store. Researchers noticed an uptick in the amount of malicious Android apps that hide Joker malware, which stows away as a trojan in other applications. Joker has been around since 2017, disguising itself within common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorize as “fleeceware.”

The malware also steals SMS messages, contact lists, and device information. In the majority of cases, the victim is in the dark until a mobile bill arrives.

The Joker malware and its associated apps are usually found outside of the official Google Play store; however, they have been known to bypass Google’s protections since 2019 as well. This is because the malware developers make small changes to the apps, so there have been periodic waves of Joker malware infestations inside the official store, including two large attacks last year. According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years.

In the latest wave, at least 1,000 new samples have been detected just since September, many of them finding their way into the official marketplace, researchers said.

“Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores,” according to a Zimperium analysis, posted Tuesday. “While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.”

Joker Malware Flowchart. Source: Zimperium

The hackers behind the latest rendition of Joker Malware, which emerged late last year, are taking advantage of legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” according to Zimperium — which helps them evade both device-based security and app store protections.

One such method is using Flutter, an app development kit designed by Google that allows developers to craft native apps for mobile, web, and desktop from a single codebase. “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained the researchers.

Researchers also noted that another method used is embedding the payload as a .DEX file that can be obfuscated in different ways, such as being encrypted with a numeric key or hidden inside an image using steganography. In the latter case, the image is sometimes hosted in legitimate cloud repositories or on a remote command-and-control (C2) server.

Furthermore, the hackers have been using URL shorteners and a combination of native libraries to decrypt an offline payload.

Researchers said that the new samples also take extra precautions to remain hidden after a trojanized app is installed.

“After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” they explained. “If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.”

“Sadly, the Joker malware is no joke,” Saryu Nayyar, CEO at Gurucul, said via email. “And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial, and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.”

Josh Bohls, CEO and founder at Inkscreen, noted earlier in the year that Joker Malware is also a problem for companies, not just individuals.

“These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email. “We hope to see better app review processes by Apple and Google, and that consumer and business buyers continue to educate themselves on how to select appropriate mobile applications.”

Joker Malware Analysis

Note: This analysis of Joker Malware was carried out by CSIS Techblog.

In most of the apps the developers have inserted the Joker Malware initialization component into one or another advertisement framework. The little package of malicious code typically consists of:
• Target country checking via MCC
• Minimum C&C communication — just enough to report the infection and receive the encrypted configuration
• DEX decryption & loading
• A notification listener — when a new SMS message arrives, this listener captures it and sends out a broadcast for the Core (second stage) component to pick up.

Often, an app would contain a so-called “Splash” screen — an activity, which displays the app’s logo, while performing various initialization processes in the background. Some of the Joker apps use such activity for initialization as well.

The Joker Malware employs custom string obfuscation schemes for all of the configuration/payload/communication parsing procedures. The code listing below displays an example of an obfuscated MCC code list (DEFAULT_COUNTRY_ISO), separated by the underscore symbol.

After the initialization is done, the malware will download an obfuscated and AES-encrypted configuration from the payload distribution C&C server. Joker Malware composes the AES key for the configuration string decryption using yet another string scheme, which would concatenate the app’s package name with MCC code string and shuffle the symbols around in a specific way.

The configuration string above contains the necessary information about the second stage code — the core component of the Joker. Being split by a 3-symbol delimiter, the configuration string above contains (ordered):
1. The URL for the Joker Core DEX file — this file is obfuscated
2. The de-obfuscation “keys” — indexes of the obfuscated read buffer
3. The initialization class name — the class, which implements the initialization method
4. The initialization method name — which method to call upon loading
5. The C&C URL
6. The campaign tag

The Loader downloads the DEX and starts the de-obfuscation routine. The said routine reads the DEX file in a buffer 128 bytes at a time. The de-obfuscation “keys” are the positional indexes for this buffer. For each iteration, the routine reads the bytes of the obfuscated buffer only between these positions and writes them into a file, producing a valid DEX file in the end.
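To make the two parsing steps above concrete for an analyst, here is an added Python reconstruction; it is not code from CSIS Techblog or from the Joker samples. It splits a decrypted configuration string into the six ordered fields listed above and then performs the described de-obfuscation: reading the downloaded file 128 bytes at a time and keeping only the bytes between the two “key” positions. The delimiter value `###`, the `start,end` key format (start inclusive, end exclusive) and the sample configuration, URLs and buffer contents are all constructed for this example; the page does not give them.

```python
"""Added example: reconstruction of Joker's configuration split and DEX
de-obfuscation, as described in the CSIS analysis. Delimiter, key format,
URLs and sample data are assumptions constructed for the demo."""
from typing import NamedTuple, Tuple

CHUNK_SIZE = 128  # the Loader reads the obfuscated DEX 128 bytes at a time


class JokerConfig(NamedTuple):
    dex_url: str           # 1. URL of the obfuscated Core DEX
    keys: Tuple[int, int]  # 2. positional indexes into the 128-byte read buffer
    init_class: str        # 3. class implementing the initialization method
    init_method: str       # 4. method to call after loading
    c2_url: str            # 5. C&C URL
    campaign: str          # 6. campaign tag


def parse_config(config: str, delimiter: str = "###") -> JokerConfig:
    """Split a decrypted configuration string into its six ordered fields.
    The 3-symbol delimiter value '###' is an assumption."""
    fields = config.split(delimiter)
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    url, key_field, init_class, init_method, c2, campaign = fields
    # Key representation (two decimal indexes separated by a comma) is assumed.
    start, end = (int(x) for x in key_field.split(","))
    if not (0 <= start < end <= CHUNK_SIZE):
        raise ValueError("key indexes must lie within one 128-byte chunk")
    return JokerConfig(url, (start, end), init_class, init_method, c2, campaign)


def deobfuscate_dex(obfuscated: bytes, keys: Tuple[int, int]) -> bytes:
    """For each 128-byte chunk, keep only bytes[start:end] and concatenate them."""
    start, end = keys
    out = bytearray()
    for offset in range(0, len(obfuscated), CHUNK_SIZE):
        chunk = obfuscated[offset:offset + CHUNK_SIZE]
        out += chunk[start:end]
    return bytes(out)


def looks_like_dex(data: bytes) -> bool:
    """Sanity check on the result: a DEX file starts with 'dex\\n', a
    three-digit version and a NUL byte (e.g. b'dex\\n035\\x00')."""
    return len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\x00"


def build_sample(payload: bytes, keys: Tuple[int, int], filler: int = 0x41) -> bytes:
    """Construct an obfuscated buffer for the demo: real bytes at [start:end]
    of each chunk, filler everywhere else (constructed test data)."""
    start, end = keys
    width = end - start
    out = bytearray()
    for i in range(0, len(payload), width):
        piece = payload[i:i + width]
        chunk = bytearray([filler]) * CHUNK_SIZE
        chunk[start:start + len(piece)] = piece
        if len(piece) < width:        # short final chunk: no trailing filler
            chunk = chunk[:start + len(piece)]
        out += chunk
    return bytes(out)


def demo() -> bool:
    """Round-trip a constructed payload through build_sample/deobfuscate_dex."""
    cfg = parse_config(
        "https://example.invalid/core.dat###16,48###a.b.Init###run"
        "###https://example.invalid/c2###camp01")  # constructed sample config
    payload = b"dex\n035\x00" + b"B" * 300          # constructed fake DEX body
    recovered = deobfuscate_dex(build_sample(payload, cfg.keys), cfg.keys)
    return recovered == payload and looks_like_dex(recovered)


if __name__ == "__main__":
    print("round trip ok:", demo())
```

An analyst who has recovered the configuration string from a sample can plug the real URL and indexes into `parse_config` and run `deobfuscate_dex` over the downloaded file; `looks_like_dex` is the quick check that the recovered bytes really are a DEX header before handing them to a decompiler.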

This Joker malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible. After all of the Loader’s MCC checks and payload loading — the Core component begins its work.

It is designed in a job-scheduler fashion, meaning that it periodically requests new commands from the C&C server. When new commands are found, it executes them in strict order and then reports the results, depending on the type of the given task. The figure below is an example of a command (truncated).

When Joker Malware receives such a message, it opens the offer URL, injects the JavaScript commands one by one and waits for an authorization SMS (if any). When the SMS message arrives, the malware extracts the necessary authorization code using case-specific regular expressions. At other times, it simply sends an SMS message to a premium number, with a specific code from the offer page.

Whenever the Joker malware extracts a code from an SMS message, it also reports it to the C&C after the job is complete. Hypothetically, the botnet operator can craft a job which would result in all incoming SMS messages being stolen.

The final important thing worth mentioning about the Joker Malware is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C&C in an encrypted form:

A total of 12 unique builds of the second stage payload were observed among the 24 infected apps. The version names come from the payload URLs and data inside the sample’s configuration class:


Rogue Military-Grade Pegasus Spyware Targets Journalists Globally

Pegasus Spyware has been identified as the culprit behind human rights violations after a sweeping probe into a data leak of more than 50,000 phone numbers revealed surveillance affecting heads of state, activists, journalists, and lawyers around the world. Pegasus was created by the Israeli company NSO Group, which describes the software as “military-grade spyware”. The “Pegasus Project” is a collaborative investigation by more than 80 journalists from a consortium of 17 media organizations in 10 countries, coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International.

“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” Amnesty International’s Secretary-General, Agnès Callamard, said.

“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy while profiting from widespread human rights violations,” Callamard added.

NSO Group is the creator of Pegasus Spyware, which when installed on victims’ iPhone and Android devices, enables an attacker to harvest emails, SMS messages, media, calendars, calls, and contact information, as well as chat content from messaging apps like WhatsApp, Telegram and Signal, and stealthily activate the phone’s microphone and camera.

The company is a surveillance vendor and sells to a number of governments worldwide. NSO Group calls itself “the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies.”

The list of numbers in the probe does not include names but is said to contain hundreds of business executives, religious figures, academics, NGO employees, union officials, and government officials, with the probe uncovering NSO Group clients in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the U.A.E.

The investigation has identified 180 journalists and over 600 politicians in over 50 countries. The timeline of the attacks spread over a seven-year period from 2014 up to as recently as July 2021. Rwanda, Morocco, India, and Hungary denied having used Pegasus Spyware to hack the phones of the individuals named in the list.

A forensic analysis of 67 mobile devices showed the intrusions involved the ongoing use of so-called “zero-click” exploits — which do not require any interaction from the target — dating all the way back to May 2018. Many “zero-click” exploits are carried out by leveraging multiple zero-day vulnerabilities in popular apps like iMessage. iMessage was one of the most targeted apps by Pegasus Spyware.

“All this indicates that NSO Group can break into the latest iPhones,” Citizen Lab’s Bill Marczak said in a series of tweets. “It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.”

Of the tested smartphones, 23 devices had been successfully infected with Pegasus Spyware, and 15 exhibited signs of attempted penetration, the Washington Post said in an in-depth report.

“The coming week’s stories about the global hacking of phones identical to the one in your pocket, by for-profit companies, make it clear that export controls have failed as a means to regulate this industry,” U.S. whistleblower Edward Snowden tweeted. “Only a comprehensive moratorium on sales can remove the profit motive.”

This is not the first time Pegasus Spyware has been in the spotlight. In October 2019, Facebook-owned WhatsApp revealed that at least two dozen academics, lawyers, Dalit activists, and journalists in India were the target of unlawful surveillance by taking advantage of a then-unpatched vulnerability in the messaging service.

WhatsApp has since taken the company to court in the U.S., citing evidence that “the attackers used servers and Internet-hosting services that were previously associated with NSO.”

NSO has disputed the allegations, stating the investigation is “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” while stressing that it’s on a “life-saving mission” to “break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”

“After checking their claims, we firmly deny the false allegations made in their report,” the company added. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”

Pegasus Spyware Analysis

Note: This Analysis was carried out by LookOut.

The attack is very simple in its delivery and silent in delivering its payload. It starts when the attacker sends a website URL (through SMS, email, social media, or any other message) to an identified target. The user only has to take one action: click on the link. Once the user clicks the link, the software silently carries out a series of exploits against the victim’s device to remotely jailbreak it so that the espionage software packages can be installed.

The user’s only indication that anything happened will be that the browser closes after the link is clicked. The espionage software contains malicious code, processes, and apps that are used to spy, collect data, and report back what the user does on the device. Pegasus spyware can access and exfiltrate messages, calls, emails, logs, and more from apps including, but not limited to:

In order to accomplish this, the spyware, once it has jailbroken the user’s phone, does not download malicious versions of these apps to the victim’s device in order to capture data; rather, it compromises the original apps already installed on the device. This includes pre-installed apps such as FaceTime and Calendar as well as those from the official App Store.

Usually, iOS security mechanisms prevent normal apps from spying on each other, but spying “hooks” can be installed on a jailbroken device. Pegasus Spyware takes advantage of both the remote jailbreak exploit and a technique called “hooking.” The hooking is accomplished by inserting Pegasus Spyware’s dynamic libraries into the legitimate processes running on the device. These dynamic libraries can be used to hook the apps using a framework called Cydia Mobile Substrate, known to the iOS jailbreak community, and which Pegasus Spyware uses as part of the exploit.

A user infected with Pegasus spyware is under complete surveillance by the attacker because, in addition to the apps listed above, it also spies on:
• Phone calls
• Call logs
• SMS messages the victim sends or receives
• Audio and video communications that (in the words of a founder of NSO Group) turn the phone into a “walkie-talkie”

Access to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device. The attack is comprised of three separate stages that contain both the exploit code and the espionage software. The stages are sequential; each stage is required to successfully decode, exploit, install, and run the subsequent stage. Each stage leverages one of the Trident vulnerabilities in order to run successfully.

STAGE 1 Delivery and WebKit vulnerability
STAGE 2 Jailbreak
STAGE 3 Espionage software

The third stage deploys a number of files packaged in a standard unix tarball (test222.tar), each of which has its own purpose:

• ca.crt – root TLS certificate that is added to keystore (see Appendix A)
• ccom.apple.itunesstored.2.csstore – Standalone javascript that is run from the command line at reboot and is used to run unsigned code and jailbreak the kernel on device reboot
• converter – injects dylib in a process by pid. It is a renamed version of the cynject from the Cydia open-source library
• libaudio.dylib – The base library for call recording
• libdata.dylib – A renamed version of the Cydia substrate open-source library
• libimo.dylib – imo.im sniffer library
• libvbcalls.dylib – Viber sniffer
• libwacalls.dylib – Whatsapp sniffer
• lw-install – Spawns all sniffing services
• systemd – Sends reports and files to server
• watchdog
• workerd – SIP module

The attack investigated works on iOS up to 9.3.4. The developers maintain a large table in their code that attacks all iOS versions from 7.0 up to and including iOS 9.3.3. While the code we investigated did not contain the appropriate values to initially work on iOS 9.3.4, the exploits we investigated would still work, and it is trivial for the attackers to update the table so that the attack will work on 9.3.4.

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

XLoader Malware Targets macOS and Windows Passwords

A notorious piece of malware for stealing information from Windows systems has been modified and upgraded into a new strain named Xloader, which can now also hit macOS computers. Xloader Malware is being sold on a Dark Web forum as a botnet loader that can “recover” passwords from web browsers and some email clients (Chrome, Firefox, Opera, Edge, IE, Outlook, Thunderbird, Foxmail). It is considered MaaS (Malware-as-a-Service). Xloader is derived from Formbook, which gained a reputation as an info-stealer for Windows.

Xloader Malware emerged in February and its popularity skyrocketed. It is advertised by its creators as a cross-platform botnet with no dependencies.

The connection between the two strains was confirmed after a member of the hacking community reverse-engineered Xloader and discovered it had the same executable as Formbook.

The developers explained that the creators of Formbook contributed a lot to Xloader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).

Would-be hackers can rent the macOS version of Xloader Malware for $49 a month, and get access to a server that the seller provides. Because the authors keep a centralized C2 infrastructure, they can control how the malware is used. This kind of architecture has become more common in an age where malware authors are getting unwanted spotlight when their clients use the product recklessly.

The Windows version, which is more popular, sells for $59 a month, and $129 for three months.

The authors also provide a Java binder for free, which allows customers to create a standalone JAR file with the Mach-O and EXE binaries used by macOS and Windows.

Cybersecurity researchers at Check Point saw requests from 69 countries, indicating a significant spread across the globe, with more than half of the victims being in the United States.

Although Formbook is no longer advertised on underground forums, it continues to be a prevalent threat. It was part of at least 1,000 malware campaigns over the past three years and, according to AnyRun’s malware trends, the info-stealer takes fourth place over the past 12 months, after Emotet.

Judging by how popular Formbook has been, XLoader is likely to be even more prevalent due to its cross-platform capability.

Check Point researchers say that XLoader Malware is stealthy enough to make it difficult for a regular, non-technical user to spot it.

Yaniv Balmas, Head of Cyber Research at Check Point Software, says that XLoader Malware “is far more mature and sophisticated than its predecessors [i.e. Formbook].”

macOS’s growing popularity exposed it to unwanted attention from cybercriminals, who are now seeing the OS as an attractive target.

“While there might be a gap between Windows and MacOS malware, the gap is slowly closing over time. The truth is that MacOS malware is becoming bigger and more dangerous”, Balmas said.

The researcher believes that more malware families will adapt and add macOS to the list of supported operating systems.

XLoader Malware Analysis

Note: This analysis was carried out by VMRay. The analysis was focused on Formbook, but the code base is mostly identical.

XLoader Malware uses multiple techniques to evade automatic analysis and debugging. Combined with an evasive packer, it has fairly comprehensive methods at its disposal. We can observe that the packer detects attached debuggers using the CheckRemoteDebuggerPresent and IsDebuggerPresent function calls. It also tries to detect VirtualBox and VMware. If the checks pass, the actual payload is extracted. Otherwise, the execution stops and the process exits before the explorer.exe injection.

Analysts often rename a sample to its hash value, and such a hash is usually 32 characters or longer. One of the other evasions used by XLoader Malware is verifying that the length of the sample’s file name is less than 32 characters.

To circumvent the behavior monitoring of sandboxes that relies on hooking, XLoader Malware uses a technique its author(s) referred to as Lagos Island method. These sandboxes typically establish hooks on functions exported by the native dll (ntdll.dll) to intercept the control flow and log the behavior.

Instead of using API functions exported by an already loaded ntdll, which can contain hooks, a new copy is manually mapped from the filesystem and its functions are used.

XLoader Malware uses a process started from a Windows built-in tool to hide itself. We notice the usual pattern it uses to achieve the migration. First, process #6 injects a section into explorer.exe using a combination of the functions NtOpenProcess, NtCreateSection and NtMapViewOfSection.

Subsequently, the injected code is executed by hijacking the main thread of process #7, explorer.exe. This injected code starts execution by creating a new process of C:\Windows\SysWOW64\netsh.exe, which is a Windows tool. After finishing, process #6 uses the same injection method as with process #7, explorer.exe, to map itself into and migrate to process #8, netsh.exe.

XLoader Malware intercepts the Windows Messaging System by hooking API functions in the injected processes which allows it to monitor keystrokes.
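The injection and migration pattern described above (process #6 → explorer.exe → netsh.exe) is something a defender can look for in a sandbox API trace. The following detection logic is an added example, not VMRay's or the page's own code; the trace format and the sample lines are constructed for the example, and the process/image names are assumptions.

```python
import re

# Constructed API trace in a simple "pid image api key=value ..." form, modelled
# on the migration the analysis describes (process #6 -> explorer.exe #7 ->
# netsh.exe #8). Made up for this example; not real VMRay output.
SAMPLE_TRACE = """
6 sample.exe NtOpenProcess target_pid=7
6 sample.exe NtCreateSection
6 sample.exe NtMapViewOfSection target_pid=7
7 explorer.exe CreateProcessW image=C:\\Windows\\SysWOW64\\netsh.exe child_pid=8
6 sample.exe NtOpenProcess target_pid=8
6 sample.exe NtCreateSection
6 sample.exe NtMapViewOfSection target_pid=8
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\w+)(?:\s+(.*))?$")
INJECT_SEQ = ("NtOpenProcess", "NtCreateSection", "NtMapViewOfSection")
PROCESS_CREATE = {"CreateProcessW", "CreateProcessA", "NtCreateUserProcess"}


def parse_trace(text):
    """Turn trace lines into (pid, image, api, args) tuples; args is a dict."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable trace line: %r" % line)
        pid, image, api, rest = m.groups()
        args = dict(kv.split("=", 1) for kv in (rest or "").split())
        events.append((int(pid), image, api, args))
    return events


def find_section_injections(events):
    """Return (source_pid, target_pid) pairs where one process performs the
    NtOpenProcess -> NtCreateSection -> NtMapViewOfSection sequence against a
    single target. Unrelated calls in between do not break the sequence; an
    out-of-order injection call or a mismatched target restarts it."""
    progress = {}  # source pid -> (index of next expected step, target pid)
    found = []
    for pid, _image, api, args in events:
        if api not in INJECT_SEQ:
            continue
        step, target = progress.get(pid, (0, None))
        if api == "NtOpenProcess":
            progress[pid] = (1, int(args.get("target_pid", -1)))
        elif api == INJECT_SEQ[step]:
            if api == "NtMapViewOfSection":
                if int(args.get("target_pid", -1)) == target:
                    found.append((pid, target))
                progress.pop(pid, None)
            else:
                progress[pid] = (step + 1, target)
        else:
            progress.pop(pid, None)
    return found


def find_migration_chains(events):
    """Link an injection into process A with A spawning a child C and the same
    source then injecting into C: the explorer.exe -> netsh.exe pattern."""
    injected = set(find_section_injections(events))
    images = {pid: image for pid, image, _api, _args in events}
    children = {}  # (parent pid, child pid) -> image path of the child
    for pid, _image, api, args in events:
        if api in PROCESS_CREATE and "child_pid" in args:
            children[(pid, int(args["child_pid"]))] = args.get("image", "?")
    chains = []
    for source, first in sorted(injected):
        for (parent, child), image in children.items():
            if parent == first and (source, child) in injected:
                chains.append({
                    "source_pid": source,
                    "first_target": images.get(first, "?"),
                    "final_target": image,
                    # a child under C:\Windows is a built-in tool being used
                    # as a hiding place rather than a dropped binary
                    "windows_builtin": image.lower().startswith("c:\\windows\\"),
                })
    return chains


if __name__ == "__main__":
    for chain in find_migration_chains(parse_trace(SAMPLE_TRACE)):
        print("migration chain:", chain)
```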


Gallium and 2 Other Hacker Groups Target Major Telecom Companies

Gallium and 2 other hacking groups have been operating on behalf of the Chinese State by staging a series of attacks against five major telecommunications companies located in Southeast Asian countries. The attacks by Gallium and the others have been on-going since 2017.

“The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers,” Cybereason’s Lior Rochberger, Tom Fakterman, Daniel Frank, and Assaf Dahan revealed in a technical analysis published last week.

Gallium and the other groups collectively make up a group named “DeadRinger”. Aside from Gallium (aka Soft Cell), the group is also made up of Naikon APT (aka APT30 or Lotus Panda), and TG-3390 (aka APT27 or Emissary Panda).

Gallium and Naikon attacks were first observed in Q4 2020, while TG-3390 was first reported attacking the telecom companies in 2017. The three espionage operations are believed to have continued until at least the middle of 2021.

Researchers noted that Gallium is “highly adaptive” and called out their diligent efforts to stay under the radar and maintain persistence on the infected endpoints, while simultaneously shifting tactics and updating their defensive measures to compromise and backdoor unpatched Microsoft Exchange email servers using the ProxyLogon exploits that came to light earlier this March.

“Each phase of the operation demonstrates the attackers’ adaptiveness in how they responded to various mitigation efforts, changing infrastructure, toolsets, and techniques while attempting to become more stealthy,” the researchers noted.

Naikon was found to leverage a backdoor named “Nebulae” and a keylogger named “EnrollLoger”. Nebulae has been used by the group in several separate attacks this year.

Regardless of the attack chain, a successful compromise triggered a sequence of steps, enabling the threat actors to perform network reconnaissance, credential theft, lateral movement, and data exfiltration.

TG-3390 has been active the longest in this campaign, and primarily used a custom .NET-based OWA (Outlook Web Access) backdoor, which is used to pilfer credentials of users logging into Microsoft OWA services, granting the attackers the ability to access the environment stealthily.

There is some overlap in the tools used between the groups, especially with generic tools such as Mimikatz.

“At this point, there is not enough information to determine with certainty the nature of this overlap — namely, whether these clusters represent the work of three different threat actors working independently, or whether these clusters represent the work of three different teams operating on behalf of a single threat actor,” the researchers said.

“A second hypothesis is that there are two or more Chinese threat actors with different agendas/tasks that are aware of each other’s work and potentially even working in tandem.”

History and Methodology of Gallium

Note: This Analysis was based on research from Microsoft and reporting by DarkReading

In 2018, researchers identified an advanced, persistent attack targeting telecommunications providers and using techniques associated with Chinese-affiliated threat actors. Researchers report the attackers, believed to be active since 2012, were attempting to steal data stored in Active Directory, compromise credentials, and access personally identifiable information, billing data, call records, email servers, and users’ geolocations. This threat was later identified as Gallium.

The bulk of Gallium’s activity, which primarily targeted telecommunication providers, was observed throughout 2018 into mid-2019, researchers with the Microsoft Threat Intelligence Center (MSTIC) reported today. While the group is still an active threat, they say, its activity levels have fallen in comparison to what they saw earlier in their research.

To gain access into a target network, Gallium detects and exploits Internet-facing services. The group has been spotted exploiting unpatched Web services; for example, WildFly/JBoss, for which exploits are widely accessible. While it’s often tough to determine a group’s reconnaissance methods, MSTIC says Gallium’s targeting of Internet-facing services is a sign the group uses open-source research and network scanning tools to pinpoint its new targets.

“MSTIC investigations indicate that Gallium modifies its tooling to the extent it evades antimalware detection rather than develop custom functionality,” researchers write in a blog post. “This behavior has been observed with Gallium across several operational areas.”

Gallium’s commonly used tools include Mimikatz, NBTScan, Netcat, WinRAR, and Windows Credential Editor. The group mostly relies on compromised domain credentials to move across a network; once they have credentials, attackers use PsExec to move from host to host.

Researchers point out Gallium does little to hide its intent and often uses common versions of malware and publicly available toolkits with slight modifications. The group has used the Poison Ivy RAT, which is widely accessible, and QuarkBandit, an altered version of Gh0st RAT. Poison Ivy RAT, Gh0st RAT, and the China Chopper Web shell are the foundation of its toolkit.

Gallium mostly uses dynamic DNS subdomains for its C2 infrastructure. Analysis shows the group tends to favor low-cost, low-effort operations, as indicated by its use of dynamic DNS providers instead of registered domains. Its domains have been seen hosted on infrastructure in mainland China, Hong Kong SAR, and Taiwan. Observed IP addresses seem to be exclusive to this group, have minimal or no legitimate activity, and are used in several operations.


SolarMarker Malware Targets Healthcare and Education Sectors

A new surge of attacks against the healthcare and education sectors has been attributed to SolarMarker Malware, a .NET-based information stealer and keylogger. The attacks have gone under the radar, for the most part, owing to the threat actors’ skills in obfuscation. SolarMarker Malware is believed to have been active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos.

“At its core, the Solarmarker Malware campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.

According to the report, a Solarmarker Malware infection consists of multiple moving parts, primarily a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran.

The assembly module is capable of stealing personal data, credentials, and form submission values from a target’s Firefox or Chrome browsers, while the latter of the two components named above, Uran, acts as a keylogger to capture the victim’s keystrokes.

The renewed use of SolarMarker Malware has been accompanied by a shift in tactics and multiple iterations of the infection chain. Still, the hackers behind the malware continue to rely on SEO poisoning, which refers to the abuse of search engine optimization (SEO) to draw more eyeballs and traffic to malicious sites or to make their dropper files highly visible in search engine results.

“Operators of the malware known as SolarMarker Malware, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning,” the Microsoft Security Intelligence team disclosed in June. “They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.”

Talos’ static and dynamic analysis of Solarmarker Malware’s artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators could have intentionally designed them in such a manner in an attempt to mislead attribution.

“The actor behind the Solarmarker Malware campaign possesses moderate to advanced capabilities,” the researchers concluded. “Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort.”

“The actor also exhibits determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart previous components of the malware, in addition to the more typical strategy of cycling out the C2 infrastructure hosts.”

SolarMarker Malware Analysis

Note: This analysis was carried out by CrowdStrike.

Based on observed filenames in public malware repositories (e.g., Advanced-Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe) and Falcon telemetry, the hypothesis is that the malware is delivered as a fake document download targeting users performing web searches for document files. CrowdStrike has observed a number of Google Sites hosted pages as lure sites for malicious downloads. These sites advertise document downloads and are often highly ranked in search results. The use of Google Sites suggests attempts by the threat actors to increase search ranking.

The malware installer filenames and lure sites have only been observed in English so far, and based on Falcon telemetry, it is clear that SolarMarker Malware is most prevalent in Western countries, especially in the U.S.

The executable with SHA256 hash

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01

is an Inno Setup installer. This program is the first stage in a multi-stage dropper chain leading to the SolarMarker backdoor. Figure 10 gives an overview of the malware’s dropper chain.

The installer uses Inno Setup’s Pascal Scripting feature to customize its actions. It will first extract two temporary files to %Tmp%\.tmp\, where is a unique directory name.

Both files will be deleted once the installer completes. The file Docx2Rtf.exe is the document converter Docx2Rtf version 4.4, a benign file. The file waste.dat is 112 MB in size, but contains only zero bytes, indicating that the file was only included in the installer to increase its size, which is known to prevent detection by some security products. Once these two files are extracted, Docx2Rtf.exe is executed and the installer sleeps for five seconds.

The installer then checks if it is executed on one of its targeted operating system (OS) versions and exits if not. The targeted versions are Windows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2016. After being certain about the OS, the installer decrypts a third stage and writes it to %Temp%\.txt, where is a random 32-character hexadecimal string.

The third stage is encrypted twice with different keys, and the installer will only decrypt it once. The decryption function, named DECRYPTPS, takes a hex-encoded, encrypted blob and a string key and performs a simple XOR operation.
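An analyst's re-implementation of the DECRYPTPS routine just described, added here as an example and not CrowdStrike's or the installer's own code. It assumes the XOR repeats the string key over the hex-decoded blob and that the second layer uses the same scheme with a different key; the keys and the stage-3 payload below are constructed stand-ins, since the real values are not on the page.

```python
import binascii


def _xor_with_key(data: bytes, key: str) -> bytes:
    """XOR every byte with the string key, repeating the key as needed."""
    if not key:
        raise ValueError("DECRYPTPS needs a non-empty key")
    k = key.encode("latin-1")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def decrypt_ps(hex_blob: str, key: str) -> bytes:
    """Mirror of the installer's DECRYPTPS: hex-decode, then XOR with the key."""
    return _xor_with_key(binascii.unhexlify("".join(hex_blob.split())), key)


def peel_third_stage(hex_blob: str, installer_key: str, second_key: str):
    """Apply the installer's single DECRYPTPS pass, then the second layer
    (assumed here to be the same XOR scheme under the other key). Returns
    both intermediate and final results so the analyst can see that one
    pass alone does not yield the stage-3 payload."""
    once = decrypt_ps(hex_blob, installer_key)
    twice = _xor_with_key(once, second_key)
    return once, twice


def printable_ratio(data: bytes) -> float:
    """Rough plaintext check: share of bytes that are printable ASCII or
    whitespace. Useful for telling a half-decrypted blob from a decoded one."""
    if not data:
        return 0.0
    text = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return text / len(data)


# Constructed demo values (not the real sample's keys or payload).
INSTALLER_KEY = "constructed-installer-key"
SECOND_KEY = "constructed-second-key"
STAGE3_PAYLOAD = b"# constructed stand-in for the stage-3 payload\nset stage 3\n"


def build_demo_blob() -> str:
    """Build a doubly XOR-encrypted, hex-encoded blob like the installer carries."""
    layered = _xor_with_key(_xor_with_key(STAGE3_PAYLOAD, SECOND_KEY), INSTALLER_KEY)
    return binascii.hexlify(layered).decode()


if __name__ == "__main__":
    once, twice = peel_third_stage(build_demo_blob(), INSTALLER_KEY, SECOND_KEY)
    print("after one pass, printable ratio:", round(printable_ratio(once), 2))
    print("after both passes:", twice.decode())
```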


FlyTrap Malware Compromises Over 10000 Facebook Accounts

FlyTrap Malware is the name given to a new threat facing Android users with Facebook accounts in more than 140 countries. FlyTrap Malware works by stealing session cookies and using simple social engineering tricks to get its victims’ credentials. This is carried out through malicious apps in which users are asked for their Facebook credentials to log in. Researchers at mobile security company Zimperium detected the new malware and noted that the stolen information was accessible to anyone who discovered FlyTrap’s command and control (C2) server.

FlyTrap Malware campaigns have been active since at least March. The hackers behind the malicious applications used high-quality design and managed to distribute the apps through the Google Play store, as well as third-party Android stores.

The lure within the apps consists of offers for free coupon codes (for Netflix, Google AdWords) and voting for the user’s favorite soccer team or player, in tune with the delayed UEFA Euro 2020 competition.

In order to get the reward, the user must log in to the app using Facebook credentials, and the authentication occurs on the legitimate social media domain.

Some of the malicious apps FlyTrap Malware relies on

Due to the apps using the real Facebook single sign-on (SSO) service, they can’t collect users’ credentials. However, FlyTrap Malware uses a JavaScript injection to gather other sensitive information.

“Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code”

The information is fed into the hackers’ C2 server. Over 10,000 Android users in more than 140 countries have fallen for the ploy.

Countries affected by FlyTrap Malware. Source: Zimperium

Researchers found the numbers by looking through FlyTrap Malware’s C2 server. The server is not secured, and the stolen Facebook session cookies are open to anyone on the Internet who knows where to look.

Zimperium’s Aazim Yaswant says in a blog post today that FlyTrap Malware’s C2 server had multiple security vulnerabilities that facilitated access to the stored information.

The researcher notes that accounts on social media platforms are a common target for threat actors, who can use them for fraudulent purposes like artificially boosting the popularity of pages, sites, products, misinformation, or a political message.

He highlights the fact that phishing pages that steal credentials are not the only way to log into the account of an online service. Logging onto the legitimate domain can also come with risks.

“Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Malware is hijacking the session information for malicious intent” said Aazim Yaswant, Android malware researcher, Zimperium.

FlyTrap Malware Analysis

Note: This analysis is from the Zimperium Report.

Contrary to popular belief that a phishing page is always at the forefront for compromising or hijacking an account, there are ways to hijack sessions even by logging into the original and legit domain. This Trojan exploits one such technique known as JavaScript injection.

Using this technique, the application opens the legit URL inside a WebView configured with the ability to inject JavaScript code and extracts all the necessary information such as cookies, user account details, location, and IP address by injecting malicious JS code.

The manipulation of web resources is addressed as cross-principal manipulation (XPM) in the research “An Empirical Study Of Web Resource Manipulation In Real-world Mobile Applications.” Successful login into Facebook by the victim initiates the data exfiltration process and can be seen in the below screenshots of the communication with the C&C server.

Several of the Trojans share the same malicious script and therefore identify the source of the data by the parameter “from_app”, as seen in the screenshots below.

The Command & Control server makes use of login credentials for authorizing access to the harvested data. Security vulnerabilities in the C&C server expose the entire database of stolen session cookies to anyone on the internet, further increasing the threat to the victim’s social credibility.

Malicious threat actors are leveraging common user misconceptions that logging into the right domain is always secure irrespective of the application used to log in. The targeted domains are popular social media platforms and this campaign has been exceptionally effective in harvesting social media session data of users from 144 countries. These accounts can be used as a botnet for different purposes: from boosting the popularity of pages/sites/products to spreading misinformation or political propaganda.

Just like any user manipulation, the high-quality graphics and official-looking login screens are common tactics to have users take action that could reveal sensitive information. In this case, while the user is logging into their official account, the FlyTrap Malware is hijacking the session information for malicious intent.

FlyTrap Malware is just one example of the ongoing, active threats against mobile devices aimed at stealing credentials. Mobile endpoints are often treasure troves of unprotected login information to social media accounts, banking applications, enterprise tools, and more. The tools and techniques used by FlyTrap are not novel but are effective due to the lack of advanced mobile endpoint security on these devices. It would not take much for a malicious party to take FlyTrap or any other Trojan and modify it to target even more critical information.


Crytek Hit With Egregor Ransomware And Suffers Data Theft

Game developer Crytek has confirmed that Egregor Ransomware hit their network a few months ago, and has now sent information to customers whose personal information was stolen. The company acknowledged the attack in breach notification letters sent to impacted users last week. The details from the letter have been leaked by several victims online.

“We want to inform you that Crytek was the victim of a ransomware attack by some unknown cyber-criminals,” Crytek said in a letter mailed to one of their customers impacted in the incident.

“During that attack, certain data had been encrypted and stolen from our network. We took immediate action to prevent the encryption of our systems, further secure our environment, and initiate an internal and external investigation into the incident. Based on our investigation, the information in some cases included individuals’ first and last name, job title, company name, email, business address, phone number, and country”

Crytek tried to reassure customers affected by the Egregor Ransomware breach, stating “the website itself was difficult to identify so that in our estimation, only very few people will have taken note of it.”

Crytek added that downloading the leaked data would also have taken too long, which likely represented a significant hurdle that stopped people from trying to grab it.

Most in the cybersecurity community consider this as the company downplaying the impact of the Egregor Ransomware attack, and such reassurances would only rest easily with individuals with little to no experience in using computers.

Crytek also believes that those who attempted downloading the stolen data were discouraged by the “huge risk” of compromising their systems with malware embedded in the leaked documents.

“While we are not aware of misuse of any information potentially impacted, we are providing this notice as part of our precautions,” Crytek added.

While it is unknown how many Crytek systems were encrypted, it is known the Egregor Ransomware attack had some degree of personalization by the hackers, as the encrypted files were renamed to include the ‘.CRYTEK’ extension.

Egregor Ransomware Analysis


Note: This analysis was carried out by Minerva Labs.

The obfuscation Egregor Ransomware uses is similar to the one used by Maze ransomware. Researchers were able to modify Blueliv’s Maze deobfuscation script to fit Egregor’s obfuscation patterns, which allowed for easier analysis of the ransomware.

The Egregor Ransomware loader checks for the command-line argument “–nop” and exits if it is present.

As for further unpacking, a large blob of data is decrypted with the following steps:

  • The blob is xor decoded with a hardcoded key (0x4 in our sample).
  • The xor’ed data is then Base64 decoded using the windows API function CryptStringToBinaryA.
  • A hardcoded key and IV are initialized for the ChaCha20 algorithm, which is then used for the final decryption of the payload. The malware authors changed the number of cipher rounds from the default of 20 to only 4.
  • After decrypting the second payload, a DLL file, it is copied to a new allocation that is created using VirtualAlloc with the page permissions RWX.

The last stage of the initial loader is the preparation of the payload in memory. Egregor Ransomware reflectively loads the decrypted payload and uses the function CreateThread to transfer execution to its next stage.

The next stage parses the command line, looking specifically for the parameter -p, which carries a password that is used for the decryption of the ransomware binary. The ransomware is decrypted using a stream cipher that shares some of its constants with the Rabbit cipher.

Egregor Ransomware is compiled as a DLL file with only one export named “DllEntryPoint”. The function creates a thread that executes the main subroutine of the ransomware.

Before starting the ransomware’s malicious procedure, a function is called to determine the locale of the workstation. The ransomware uses three different Windows API functions to make sure it is not encrypting a computer located in Russia or any other CIS country.

After the locale check, the ransomware configuration is decrypted from a buffer located in the data section of the executable. The first 8 bytes of the encrypted configuration are a PNG header, which the parser skips before decryption. The subsequent DWORD contains the size of the configuration to decrypt. Starting from offset 12, the configuration is decrypted using round-modified ChaCha20 with a hardcoded key and IV.
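The loader unpacking steps (XOR, Base64, round-reduced ChaCha) and the configuration layout (PNG header, size DWORD, ciphertext from offset 12) are easiest to understand as a small analyst's decoder. The following is an added example written for this page, not the Minerva Labs or Blueliv script; it assumes the IETF ChaCha state layout (32-bit block counter, 12-byte IV) and a little-endian size field, neither of which the analysis states, and every key, IV and blob in it is constructed for the demo:

```python
"""Unpacking helper in the style of the Egregor loader and config decryption
described above. Added example, not the Minerva Labs/Blueliv script.
Assumptions not stated on the page: IETF ChaCha layout (32-bit block counter,
12-byte IV), little-endian size DWORD in the config; all sample data below
is constructed for the demo."""
import base64
import struct

MASK = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha_block(key, counter, iv, rounds=20):
    """One 64-byte keystream block. `rounds` counts single rounds: 20 is the
    standard cipher, 4 is the round-reduced variant the analysis describes."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += list(struct.unpack("<8I", key))
    state += [counter] + list(struct.unpack("<3I", iv))
    w = state[:]
    for r in range(rounds):
        if r % 2 == 0:  # column round
            _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
            _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        else:  # diagonal round
            _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
            _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha_crypt(key, iv, data, rounds=20):
    """Stream-cipher XOR, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha_block(key, off // 64, iv, rounds)
        out += bytes(x ^ k for x, k in zip(data[off:off + 64], ks))
    return bytes(out)


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def decode_loader_blob(blob, xor_key, key, iv, rounds=4):
    """Loader stages: single-byte XOR, then Base64 (what CryptStringToBinaryA
    does), then round-reduced ChaCha."""
    return chacha_crypt(key, iv, base64.b64decode(xor_decode(blob, xor_key)), rounds)


def decrypt_config(buf, key, iv, rounds=4):
    """Skip the 8-byte PNG signature, read the size DWORD, decrypt from offset 12."""
    if buf[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("config buffer does not start with a PNG signature")
    size = struct.unpack_from("<I", buf, 8)[0]
    if 12 + size > len(buf):
        raise ValueError("size field exceeds buffer")
    return chacha_crypt(key, iv, buf[12:12 + size], rounds)


# Constructed demo material (not real Egregor keys or data).
DEMO_KEY = bytes(range(32))
DEMO_IV = bytes(12)
DEMO_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the decrypted DLL"
DEMO_CONFIG = b"constructed config: process list, contact addresses, ..."


def build_demo_blob():
    """Builds the XOR(0x4)/Base64/ChaCha-4 blob the decoder expects."""
    enc = chacha_crypt(DEMO_KEY, DEMO_IV, DEMO_PAYLOAD, rounds=4)
    return xor_decode(base64.b64encode(enc), 0x4)


def build_demo_config():
    """PNG signature + little-endian size DWORD + ChaCha-4 ciphertext."""
    enc = chacha_crypt(DEMO_KEY, DEMO_IV, DEMO_CONFIG, rounds=4)
    return b"\x89PNG\r\n\x1a\n" + struct.pack("<I", len(enc)) + enc


if __name__ == "__main__":
    print(decode_loader_blob(build_demo_blob(), 0x4, DEMO_KEY, DEMO_IV))
    print(decrypt_config(build_demo_config(), DEMO_KEY, DEMO_IV))
```

Because `chacha_block` takes the round count as a parameter, the same routine can be checked against the RFC 8439 test vector at 20 rounds before it is trusted at 4, which is the sanity check an analyst should run on any modified-cipher decoder before pointing it at a real sample.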

The ransomware uses the API functions GetLogicalDriveStrings and GetDiskFreeSpace to identify the names and types of the logical disks connected to the device in addition to the amount of free space available in them.

For each execution, a pair of private and public keys are generated. The public key is used for encrypting the symmetrical keys that would later be used for encrypting each file. A unique symmetrical key is generated for every file to be encrypted.

Egregor’s key generation scheme is as follows:

  • A 2048-bit RSA key pair is generated using CryptGenKey – this is the session key.
  • The key is then exported using the API CryptExportKey.
  • The exported private key is encrypted with ChaCha using a randomly generated key and IV.
  • The ChaCha keys are encrypted using the function CryptEncrypt and the configuration-embedded RSA public key.
  • The encrypted ChaCha key and the encrypted session key are saved to disk in a hardcoded path, which in our case is %ProgramData%\dtb.dat.
  • It is worth noting that the ransomware encrypts the session key with the same protocol that is used to decrypt the ransomware payload (Rabbit Cipher).

The ransomware will stop certain processes and services before encrypting the machine. A list of hardcoded process names is stored in the encrypted configuration file and the malware uses NtQuerySystemInformation to enumerate the running processes and terminates them using the function NtTerminateProcess.

Egregor has the capability to contact hardcoded HTTP URLs. If the offsets 0x3a31e and 0x32fb in the configuration do not contain 0, the ransomware will contact the IP addresses/DNS names (also embedded in the configuration) and decode the returned content using the same modified-ChaCha20/Base64 combination used before.

Protection

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.

Australian Government Warns Of Increase in LockBit Ransomware Attacks

LockBit Ransomware is posing a serious threat to Australian and global organizations as of July 2021, according to a new report by the Australian Cyber Security Centre (ACSC). “ACSC has observed an increase in reporting of LockBit ransomware incidents in Australia,” the ACSC said in a report published earlier this month.

According to the ACSC, LockBit Ransomware victims are also reporting threats that data stolen during the attacks will be leaked online. This tactic, known as double extortion, is popular amongst ransomware gangs as a way to force their targets into meeting payment demands.

“The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the ACSC added.

“The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail, and food.”

The ACSC included a ransomware profile with additional information on the LockBit Ransomware gang, including initial access indicators, targeted sectors, and mitigation measures.

The ACSC pointed out that the LockBit Ransomware gang is opportunistic and could target organizations from any industry sector, so the absence of an active warning for a sector does not mean the gang will not strike it.

Since January 2020, the LockBit operators have appeared on Russian-language cybercrime forums. In June 2021, version two of the LockBit RaaS was advertised as ‘LockBit 2.0’ and was allegedly bundled with a built-in information stealing function known as ‘StealBit’.

The ACSC has observed LockBit threat actors actively exploiting an existing vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks.

The LockBit RaaS operators have previously advertised partnership opportunities for threat actors that could provide credential-based accesses to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) remote access solutions. Additional advertisements sought to recruit threat actors proficient in the use of threat emulation software Cobalt Strike and Metasploit. Threat emulation software is often used in penetration testing environments and by threat actors seeking to gain unauthorized access to or move laterally within target networks.

LockBit Ransomware Analysis

NOTE: This analysis of LockBit Ransomware was carried out by McAfee.

The file found in the investigation of LockBit Ransomware was a dropper renamed as a .png file. When first opening the .png file we were expecting a real image file, with perhaps some steganography inside, but what we saw instead was the header of a portable executable, so no steganography pictures this time. The PE was compiled with Microsoft Visual C# v7.0 / Basic .NET (a .NET executable).
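A dropper carrying a PE header under a .png name is exactly the mismatch a triage script can catch by comparing the claimed extension with the file's magic bytes. The following is an added example written for this page, not McAfee's tooling; the magic table, the helper names and the sample files are constructed here, and the PE check reads `e_lfanew` so that a bare "MZ" prefix alone is not enough:

```python
"""Extension-versus-content check for files like the dropper above (a PE
renamed to .png). Added example, not McAfee's tooling; magic table, helper
names and sample files are constructed for the demo."""
import os
import struct

# (magic bytes, type) pairs; PE files get the extra e_lfanew check below.
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# What a given extension claims the content to be.
EXT_TO_TYPE = {"png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
               "pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
               "exe": "pe", "dll": "pe"}


def looks_like_pe(data):
    """MZ stub plus a valid e_lfanew pointing at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Best-effort content type from the leading bytes."""
    if looks_like_pe(data):
        return "pe"
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def is_masquerading(name, data):
    """True when the extension claims a known type and the content is a
    different known type. Unknown content is not flagged, to limit noise."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXT_TO_TYPE.get(ext)
    actual = sniff(data)
    return claimed is not None and actual != "unknown" and actual != claimed


def scan_samples(samples):
    """samples: iterable of (name, bytes). Returns the names that masquerade."""
    return [name for name, data in samples if is_masquerading(name, data)]


def scan_directory(root, head=0x400):
    """Same check over a real directory tree, reading only the first bytes
    of each file (a PE whose e_lfanew lies beyond `head` is not flagged)."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    data = f.read(head)
            except OSError:
                continue
            if is_masquerading(fn, data):
                flagged.append(path)
    return flagged


# Constructed samples: a minimal MZ/PE skeleton renamed to .png, a genuine
# PNG signature, a text file with no recognisable magic, and a real .exe.
FAKE_PE = bytearray(0x80)
FAKE_PE[:2] = b"MZ"
struct.pack_into("<I", FAKE_PE, 0x3C, 0x40)
FAKE_PE[0x40:0x44] = b"PE\x00\x00"
FAKE_PE = bytes(FAKE_PE)

SAMPLES = [
    ("logo.png", FAKE_PE),
    ("banner.png", b"\x89PNG\r\n\x1a\n" + bytes(64)),
    ("notes.png", b"just text, no magic"),
    ("setup.exe", FAKE_PE),
]

if __name__ == "__main__":
    print(scan_samples(SAMPLES))  # constructed data, see lead-in
```

Only a claimed type that contradicts a recognised content type is flagged; a .png that is plain text is left alone, since that pattern is far more often a saved web page or an odd export than a dropper, and keeping the rule narrow keeps the alert list short enough to be read.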

The dropper’s encrypted ExeBuffer string is decrypted using the key ENCRYPTION29942. The first 32 bytes of the long ExeBuffer string are used as the salt in the encryption scheme, where ENCRYPTION29942 is the passphrase.

The script checks for the existence of vbc.exe on its designated host. Usually, this binary is a digitally signed executable from Microsoft; however, in this case, the malware uses it for process hollowing.

By statically analyzing the file we can spot the usage of:

  • NtUnmapViewOfSection: LockBit Ransomware uses this API to unmap the original code of the target process.
  • NtWriteVirtualMemory: the malware writes the base address of the injected image into the PEB with this call.
  • VirtualAllocEx: used to allocate the space before injecting the malicious code.

The VBC utility is the Visual Basic compiler for Windows, and LockBit Ransomware uses it to compile and execute code on the fly during execution. If the vbc utility does not exist on the system, the malware downloads the original vbc.exe file from the same malicious URL seen before. After executing vbc.exe, the malware replaces the objects in memory with the code for deploying the ransomware (as deduced from the exeBuffer).

The list of services LockBit Ransomware tries to stop is:

  • DefWatch (Symantec Antivirus)
  • ccEvtMgr (Norton AntiVirus Event Manager)
  • ccSetMgr (Common Client Settings Manager Service of Symantec)
  • SavRoam (Symantec Antivirus)
  • sqlserv
  • sqlagent
  • sqladhlp
  • Culserver
  • RTVscan (Symantec Antivirus Program)
  • sqlbrowser
  • SQLADHLP
  • QBIDPService (QuickBooks by Intuit)
  • QuickBoooks.FCS (QuickBooks by Intuit)
  • QBCFMonitorService (QuickBooks by Intuit)
  • sqlwriter
  • msmdsrv (Microsoft SQL Server Analysis Services)
  • tomcat6 (Apache Tomcat)
  • zhundongfangyu (this belongs to the 360 security product from Qihoo company)
  • vmware-usbarbitator64
  • vmware-converter
  • dbsrv12 (Creates, modifies, and deletes SQL Anywhere services.)
  • dbeng8 (Sybase’s Adaptive Server Anywhere version 8 database program)
  • wrapper (Java Service?)

If the malware finds one of these services when querying its status with QueryServiceStatusEx, LockBit enumerates the service’s dependent services and, once the state allows it, stops the service with ControlService.
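A burst of stop events for services from that list is a usable detection signal, because legitimate administration rarely stops a backup agent, an antivirus service and several database services on one host within the same minute. The following is an added example written for this page, not McAfee's detection content; it runs over constructed log lines in a simple "timestamp host event-id message" layout and assumes the Service Control Manager 7036 message text ("The X service entered the stopped state"), matching the name in that message against the list above case-insensitively (real 7036 events carry display names, so a production rule would map display names to short names first):

```python
"""Flag hosts where several services from the LockBit stop list were stopped
within a short window. Added example, not McAfee's detection content; the
line layout and all sample events below are constructed for the demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names from the list above, compared case-insensitively.
LOCKBIT_STOP_LIST = {s.lower() for s in (
    "DefWatch", "ccEvtMgr", "ccSetMgr", "SavRoam", "sqlserv", "sqlagent",
    "sqladhlp", "Culserver", "RTVscan", "sqlbrowser", "QBIDPService",
    "QuickBoooks.FCS", "QBCFMonitorService", "sqlwriter", "msmdsrv", "tomcat6",
    "zhundongfangyu", "vmware-usbarbitator64", "vmware-converter", "dbsrv12",
    "dbeng8", "wrapper",
)}

# Constructed line layout for the demo: "<iso-timestamp> <host> <eventid> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<msg>.*)$")
# Service Control Manager event 7036 message text (assumed to carry the short
# name here; real events use the display name).
STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.?$")


def parse_stop_event(line):
    """Return (timestamp, host, service) for a 7036 'stopped' event, else None."""
    m = LINE_RE.match(line)
    if not m or m.group("eid") != "7036":
        return None
    s = STOPPED_RE.match(m.group("msg"))
    if not s:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("host"), s.group("svc")


def find_stop_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return {host: sorted listed services} for every host on which at least
    `threshold` distinct listed services were stopped inside one `window`."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_stop_event(line)
        if ev and ev[2].lower() in LOCKBIT_STOP_LIST:
            per_host[ev[1]].append((ev[0], ev[2]))
    hits = {}
    for host, events in per_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = [svc for t, svc in events[i:] if t - t0 <= window]
            if len({s.lower() for s in in_window}) >= threshold:
                hits[host] = sorted(set(in_window))
                break
    return hits


# Constructed sample log: one host shows the burst, one stops an unrelated
# service, one stops a single listed service (normal maintenance).
SAMPLE_LOG = """\
2021-08-05T10:14:02 ws-finance-07 7036 The sqlwriter service entered the stopped state.
2021-08-05T10:14:03 ws-finance-07 7036 The sqlbrowser service entered the stopped state.
2021-08-05T10:14:03 ws-finance-07 7036 The QBCFMonitorService service entered the stopped state.
2021-08-05T10:14:05 ws-finance-07 7036 The DefWatch service entered the stopped state.
2021-08-05T10:14:09 ws-finance-07 7040 The start type of the DefWatch service was changed.
2021-08-05T10:20:41 srv-print-01 7036 The Spooler service entered the stopped state.
2021-08-05T11:02:17 srv-db-02 7036 The sqlwriter service entered the stopped state.
""".splitlines()

if __name__ == "__main__":
    for host, services in find_stop_bursts(SAMPLE_LOG).items():
        print(host, services)  # constructed data, see lead-in
```

The threshold and window are the tuning knobs: a single database service stopping is routine, three or more from the list within a minute on a workstation is not, and the same logic can be pointed at the Restore-My-Files.txt creation events described below to confirm a hit.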

The ransom note is rather compact because the author hardcoded the content right in the code without using any obfuscation or encryption. The text file containing the ransom note is created in every directory after encryption and called Restore-My-Files.txt.
