Displaying items by tag: Malware

Back in the late 90s’ the first macro viruses appeared on the scene. The leveraged a feature of Microsoft Office that allowed a malware developer to execute programmed instructions via the office interface. This new option opened a lot of avenues for inserting a malicious payload on to a target system. Now some 20+ years later Microsoft is finally really doing something about this hole in their Office product. The are blocking all downloaded/external macros by default.

The Go Programing Language (Go or Golang) was developed back in 2007 by a few engineers who were working at Google at the time. Go was launched in 2009 as an open-source programing language and it is primarily used in Google’s own production systems. It has been described as Python meets C and has syntax similarities with C and procedural similarities with Python (dynamic-typing etc.). So, you end up with a language that has quickness, security, and structure of a compiled programing language along with the development speed and simplicity of a dynamic language.

On February 23rd, 2017, Google published a paper on their security blog that showed how a SHA-1 collision was possible. It proved that the aging cryptographic and hashing standard was no longer a safe or secure method. Google showed that they could produce two different files yet have them show the same hash, thus causing a collision and getting around some of the file hashing systems in place at the time. The problem is that SHA-1 hashing is still in use today by many tools.

Universal Plug and Play UPnP) is one of those technology decisions that make you wonder what people were thinking. The concept is fairly clear, find a way to make things easy for someone to just connect a device to a network and have it function without interaction. Devices like the Xbox Series X|S require this for their remote play feature as the ports and IP addresses needed to function would be overly complicated for most users to set up. So, you enable UPnP on your router and just plug the Xbox in. Sound great, but as with anything that create convenience, it also brings about risk.

Microsoft’s Threat Intelligence team has recently disclosed their discovery and analysis of a new malware family. The malware in question is being tracked as a Trojan named UpdateAgent. The team has been watching as it progressed from a simple information stealer for the macOS to much more sophisticated capabilities including being able to bypass the macOS Gatekeeper security function.

The SolarWinds supply chain attack was and still is one of the most complex and ingenious attacks that has come to light. How it was discovered is also an interesting topic for another conversation. The attack group in question is still being speculated on although one most people tend to gravitate towards is the Russian APT group COZY BEAR (APT29). The actual attack and compromise of the software repository at SolarWinds is the stuff of legend. Once that was completed it allowed the attackers access to a wide swath of business verticals along with government agencies from a single trusted source. They could, almost on a whim, compromise anyone that leveraged the SolarWinds product. Of course, supply chain attacks are nothing new and are not going anywhere. They are complicated to set up and maintain, but once in place they can yield amazing results.

We first talked about the using the UEFI firmware as an attack vector (At Def Con 22 in 2014). Since that time there have been three identified and disclosed versions of malware that directly targeted this critical subsystem. That would seem to be a relatively small percentage given the time since it was first uncovered, the number of devices that operate using the UEFI firmware subsystem, and the time between then and now. However, this is only ones identified and in most of the identified cases were found because of the method of delivery for the OS payload. This begs the question, are there more out there that just have not been found?

Scammers and threat groups are nothing if not creative. They have time and quite a bit of talent on their hands to figure out ways around security features and gateways to get what they want. Take the recent discovery of Dark Hearing; this lovely mobile malware/scam gem was discovered by Zimnperium and was inserted into several seemingly benign apps. These apps were pushed to Google Play where they were downloaded by hundreds of millions of people.

Mobile device security is not where is should be. There is just no way around this fact. The vas majority of people simple download and install an app on their phone or tablet thinking that they are not going to get something nasty. They never review the permissions that new app is asking for or what those permissions might allow it to do. Now it seems that clever threat actors have slipped a malware into a Multi-Factor Authentication (MFA) App.

Researchers at Morphisec have detailed a new delivery type for AsyncRAT (Remote Access Trojan) used in part of a phishing campaign that has been running since at least September 2021. The phishing part of the campaign is routine, an email with an HTML attachment. The attachment looks like a receipt. When opened, the victim is directed to a webpage that asked them to save a file (an ISO file). On the surface it looks like it would be a regular file download that will go through common security channels. However, things turn out not to be what they expected (read that in Morgan Freeman’s voice).