Zacinlo is an adware trojan that uses rootkit functionality to gain persistence across operating system re-installations.
At the time of publication, Zacinlo is delivered through a seemingly legitimate VPN application. Once installed, this application instead acts as a proxy and downloader, initiating communications with a command and control (C2) server and retrieving the malware packages. The rootkit also has a self-upgrade feature that lets it update itself to the latest version.
When installed, Zacinlo’s modules provide it with a wide range of capabilities including advert injection using man-in-the-middle attacks over HTTPS, traffic redirection and installing other malware.
Zacinlo’s main functions appear to be to display advertisements and to run a hidden browser to generate income for the attackers by clicking on more advertisements. It’s also capable of removing competing adware.
The vast majority of Zacinlo victims are in the US, with 90 percent of those infected running Microsoft Windows 10. There are also victims in other regions of the world, including Western Europe, China and India. A small percentage of victims are running Windows 7 or Windows 8.
Zacinlo’s rootkit module is also used to prevent or disable processes deemed dangerous to its operation, such as anti-virus programs or security services.
Kardon Loader is a malware downloader advertised on underground forums as a paid open beta product. This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.
Kardon Loader appears to be distributed through the popular ‘Pink Panther’s’ botshop, although the total number of infections is low.
Currently, most Kardon Loader instances act as a simple loader; however, newer variants include greater functionality, including adding or removing applications, file transfer and botnet features. There are also indications that Tor and domain generation algorithm (DGA) support will be implemented for command and control communications.
Kardon Loader uses HTTP based C2 infrastructure with URL parameters that are base64 encoded.
Mylobot is a botnet that targets and takes control of devices running Microsoft Windows.
Mylobot employs a variety of techniques to evade detection or analysis. When it infects a new host, Mylobot waits for two weeks before contacting its command and control (C2) servers. It terminates Windows Defender and Windows Update, while attempting to delete other malware that has previously been installed. It can also execute files directly from memory, without them being written to storage media.
It also shuts down and deletes any EXE file running from the %APPDATA% folder, which can cause a loss of data. The main function of the botnet is to take complete control of the user's computer; the damage done depends on the payload the attackers decide to distribute.
Mylobot gives the threat actors full control over infected hosts and allows them to install additional malware. The C2 servers have previously been linked to the Locky ransomware. Examination of the C2 server in use shows that it has been used by other malware campaigns, all of which emanate from the Dark Web, so the threat actors behind Mylobot are likely involved in a range of activities. The C2 has been active for two and a half years, which indicates that those behind Mylobot have been operating for some time, and their tactics suggest a well-resourced operation.
First observed in 2008, Asprox is a Windows-based botnet used to perform SQL injection and phishing campaigns.
Once installed, Asprox will spawn a process to connect to its command and control infrastructure and edit registry entries to maintain persistence. It also contains a secondary backdoor known as Kuluoz (AKA Cidox or Rerdom), which is used to download and install further malware.
Palo Alto Networks released a report stating that in October 2014, Kuluoz, the latest version of the Asprox malware, accounted for approximately 80 percent of all malware sessions recorded by their WildFire threat intelligence service.
Vulnerabilities discovered by Claudio Bozzato of Cisco Talos
Talos is disclosing twelve new vulnerabilities in Insteon Hub, ranging from remote code execution to denial of service. The majority have their root cause in unsafe use of the strcpy() function, leading either to a stack-based buffer overflow or to an overflow of a buffer in a global section.
Insteon Hub is a central controller, which allows an end user to use a smartphone to connect to and manage devices in their home remotely. To enable remote interaction via the internet, Insteon Hub uses an online service called PubNub.
End users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub software development kit, which allows for bidirectional communication using PubNub’s REST API.
Unless stated otherwise, the vulnerabilities were found in Insteon Hub 2245-222 running firmware version 1012. They are fixed as of firmware version 1016; earlier versions may be vulnerable.
An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a stack-based buffer overflow, which overwrites arbitrary data due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
Note. CVE rules require that we assign a separate CVE to each instance of a vulnerability that can be fixed independently.
An exploitable buffer overflow vulnerability exists in the way the device handles commands sent through the PubNub service. Specially crafted commands can cause a buffer overflow on a global section overwriting arbitrary data, due to the use of the strcpy() function while handling the JSON request. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
TALOS-2017-0485 – Reboot Task Denial Of Service Vulnerability
An exploitable DoS vulnerability exists in the device firmware, which allows an attacker to arbitrarily reboot the device without authentication. An attacker can send a single UDP packet to trigger this vulnerability.
TALOS-2017-0492 – HTTPExecuteGet Firmware Update Information Leak Vulnerability
The HTTP server implementation incorrectly checks the number of GET parameters supplied, leading to an arbitrarily controlled information leak on the device’s memory. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
The HTTP server implementation incorrectly handles the URL parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor provides some protection against buffer overflows; however, by using vulnerability TALOS-2017-0492 it is possible to bypass this protection and achieve code execution. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
The HTTP server implementation incorrectly handles the host parameter during a firmware update request, leading to a buffer overflow on a global section. The library used by the vendor provides some protection against buffer overflows, which in this case cannot be circumvented. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
The HTTP server implementation unsafely extracts parameters from the query string, leading to a buffer overflow on the stack. The vulnerability exists because the extraction of the arguments is made without ensuring size constraints. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
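As an added illustration of the two copy bugs described above (the strcpy() of a JSON command value into a global buffer, and the unchecked extraction of a query-string parameter into a stack buffer), the following C code is mine, not Talos's proof of concept or Insteon's firmware; the buffer sizes, parameter names and inputs are assumptions made for the example. It shows the unsafe pattern next to a bounded replacement that refuses any value which would not fit, including its NUL terminator.

```c
#include <stdio.h>
#include <string.h>

#define CMD_MAX 32   /* assumed size of the global command buffer */
#define ARG_MAX 16   /* assumed size of the handler's local buffer */

/* Fixed-size global, standing in for the "global section" buffer. */
static char g_cmd[CMD_MAX];

/* Vulnerable pattern (hypothetical reconstruction, not the vendor's code):
 * the string a JSON parser handed back is strcpy()'d into g_cmd with no
 * length check, so a value of CMD_MAX bytes or more writes past the end of
 * g_cmd into whatever global data follows it. It is never called with a long
 * value here; it exists only to show the shape of the bug. */
void set_cmd_unsafe(const char *value)
{
    strcpy(g_cmd, value);
}

/* Hardened form: copy only if the value plus its NUL terminator fits.
 * Returns 0 on success, -1 if the value is too long (buffer untouched). */
int set_cmd_safe(const char *value)
{
    size_t n = 0;
    while (n < CMD_MAX && value[n] != '\0')
        n++;
    if (n == CMD_MAX)          /* no NUL within CMD_MAX bytes: too long */
        return -1;
    memcpy(g_cmd, value, n + 1);
    return 0;
}

const char *current_cmd(void)
{
    return g_cmd;
}

/* Bounded query-string lookup: find `name` in "a=1&b=2&..." and copy its
 * value into out[outsz]. Returns 0 on success, -1 if the value would not
 * fit (the case that overflowed the hub's stack buffer), -2 if absent. */
int query_param(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = qs;

    while (*p != '\0') {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            size_t vlen = strcspn(v, "&");   /* value ends at '&' or NUL */
            if (vlen + 1 > outsz)
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p += strcspn(p, "&");                /* skip to the next pair */
        if (*p == '&')
            p++;
    }
    return -2;
}

/* Handler-style wrapper: the parameter lands in a fixed local array, as in
 * the vulnerable GET handler. Returns the value's length, or <0 on reject. */
int handle_host_param(const char *qs)
{
    char host[ARG_MAX];
    int rc = query_param(qs, "host", host, sizeof host);
    return rc < 0 ? rc : (int)strlen(host);
}

/* Constructed inputs for the stand-alone run (40 bytes of 'A'). */
static const char LONG_CMD[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

int main(void)
{
    printf("short command:   %d\n", set_cmd_safe("reboot"));
    printf("40-byte command: %d\n", set_cmd_safe(LONG_CMD));
    printf("host=hub.local:  %d\n", handle_host_param("a=1&host=hub.local&b=2"));
    printf("16-byte host:    %d\n", handle_host_param("host=0123456789abcdef"));
    return 0;
}
```

The point of the bounded versions is that the size check happens at the copy, where the destination size is known, rather than relying on the library that produced the string; the "some level of protection" mentioned for the vendor's library above did not cover the JSON and query-string paths, which is why the length has to be enforced in the handler itself.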
An exploitable buffer overflow vulnerability exists in the PubNub message handler for the “ad” channel. A specially crafted command sent through the PubNub service can cause a stack-based buffer overflow, overwriting arbitrary data. In order to be able to send such commands, the attacker needs to be authenticated in the PubNub service.
An exploitable buffer overflow vulnerability exists in the way the Hub handles the replies from PubNub, leading to the overwriting of arbitrary data in a global section. The attacker would need to impersonate PubNub and answer an HTTPS GET request to trigger this vulnerability.
The HTTP server allows for uploading arbitrary MPFS binaries that could be modified to enable access to hidden resources which allow for uploading unsigned firmware images to the device. To trigger this vulnerability, an attacker needs to have credentials that will be used to upload an MPFS binary via the “/mpfsupload” HTTP form and, later, upload the firmware via a POST request to “firmware.htm.”
This vulnerability was found on firmware version 1013.
An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the firmware version that is going to be installed, and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve any signed firmware image.
TALOS-2018-0513 – Insteon Hub PubNub Firmware Upgrade Confusion Permanent Denial Of Service Vulnerability
An exploitable permanent DoS vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the kind of firmware image that is going to be installed, and thus allows for flashing any signed firmware into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU will result in a permanent unusable condition. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve a signed firmware image.
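The downgrade and MCU-confusion issues above share one root cause: the update path verifies the vendor's signature but never checks what the image is for or whether it is older than the running firmware. The following C code is an added example of the missing acceptance check, written for this page and not taken from Insteon's firmware; the 16-byte header layout, magic value, MCU identifiers and version numbers are assumptions invented for it. It takes an image that has already passed signature verification and refuses it if it targets another MCU, is older than the installed version, or has an inconsistent header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-byte little-endian image header (an assumption for this
 * example; the real Insteon image format is not described on this page). */
#define FW_MAGIC   0x46574831u
#define FW_HDR_LEN 16

struct fw_header {
    uint32_t magic;
    uint32_t target_mcu;   /* which MCU the image is built for */
    uint32_t version;      /* monotonically increasing build number */
    uint32_t payload_len;  /* bytes following the header */
};

enum fw_verdict {
    FW_OK = 0,
    FW_BAD_HEADER,   /* truncated, wrong magic, or length mismatch */
    FW_WRONG_MCU,    /* would flash one MCU's image into another: bricking */
    FW_ROLLBACK      /* older than the running version: downgrade attempt */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse and sanity-check the header. Returns 0 on success, -1 otherwise. */
int fw_parse_header(const uint8_t *img, size_t len, struct fw_header *h)
{
    if (len < FW_HDR_LEN)
        return -1;
    h->magic       = rd32le(img);
    h->target_mcu  = rd32le(img + 4);
    h->version     = rd32le(img + 8);
    h->payload_len = rd32le(img + 12);
    if (h->magic != FW_MAGIC || h->payload_len != len - FW_HDR_LEN)
        return -1;
    return 0;
}

/* The acceptance policy the hub lacked. Call it only AFTER the signature
 * over the image has verified: a valid signature proves the vendor built
 * the image, not that it belongs on this MCU or is newer than what runs. */
enum fw_verdict fw_accept(const uint8_t *img, size_t len,
                          uint32_t my_mcu, uint32_t running_version)
{
    struct fw_header h;
    if (fw_parse_header(img, len, &h) != 0)
        return FW_BAD_HEADER;
    if (h.target_mcu != my_mcu)
        return FW_WRONG_MCU;
    if (h.version < running_version)   /* re-flashing the same version is allowed */
        return FW_ROLLBACK;
    return FW_OK;
}

/* Constructed header-only images (not real firmware): magic, mcu, version, payload_len. */
static const uint8_t IMG_NEWER[]     = {0x31,0x48,0x57,0x46, 1,0,0,0, 0xF9,0x03,0,0, 0,0,0,0}; /* MCU 1, v1017 */
static const uint8_t IMG_OLDER[]     = {0x31,0x48,0x57,0x46, 1,0,0,0, 0xF4,0x03,0,0, 0,0,0,0}; /* MCU 1, v1012 */
static const uint8_t IMG_OTHER_MCU[] = {0x31,0x48,0x57,0x46, 2,0,0,0, 0xF9,0x03,0,0, 0,0,0,0}; /* MCU 2, v1017 */

int main(void)
{
    const uint32_t my_mcu = 1, running = 1013;
    printf("newer image for this MCU: %d\n", fw_accept(IMG_NEWER, sizeof IMG_NEWER, my_mcu, running));
    printf("older image (downgrade):  %d\n", fw_accept(IMG_OLDER, sizeof IMG_OLDER, my_mcu, running));
    printf("image for the other MCU:  %d\n", fw_accept(IMG_OTHER_MCU, sizeof IMG_OTHER_MCU, my_mcu, running));
    return 0;
}
```

Fetching the image over authenticated TLS instead of plain HTTP would remove the impersonation step, but on its own it would not help: a signed image for the wrong MCU, or an old signed image, served from the legitimate server would still be accepted. The target and version checks are what close those two holes, so both fixes are needed.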
An exploitable heap corruption exists in the LoadIntegrityInfo function of wimgapi version 10.0.16299.15 (WinBuild.160101.0800). A crafted WIM image can lead to a heap corruption, resulting in direct code execution.
This vulnerability is present in the wimgapi DLL, which is used for performing operations on Windows Imaging Format (WIM) files. WIM is a file-based disk image format created by Microsoft to simplify the deployment of Windows systems. The vulnerability in the LoadIntegrityInfo function manifests during parsing of the WIM file header. A specially crafted WIM file can lead to a heap corruption and remote code execution. Because the bug is in header parsing, it triggers even on the simplest operations performed on a malformed WIM file.
Discovered by Marcin ‘Icewall’ Noga of Cisco Talos.
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles specially crafted OpenType fonts. An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.
When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.
The majority of customers have automatic updating enabled and will not need to take any action because the update will be downloaded and installed automatically.
This issue is known as Microsoft Security Bulletin MS15-078.
One of the reasons Google is adding this metadata to APKs is to help developers reach a wider audience, particularly in countries where peer-to-peer app sharing is common because of costly data plans and limited connectivity.
In the future, for apps obtained through Play-approved distribution channels, Google will be able to determine app authenticity while a device is offline, add those shared apps to a user’s Play Library, and manage app updates when the device comes back online. This will give people more confidence when using Play-approved peer-to-peer sharing apps.
This also benefits you as a developer as it provides a Play-authorized offline distribution channel and, since the peer-to-peer shared app is added to your user’s Play library, your app will now be eligible for app updates from Play.
No action is needed by developers or by those who use your app or game. Google is adjusting Google Play's maximum APK size to take into account the small metadata addition, which is inserted into the APK Signing Block. In addition to improving the integrity of Google Play's mobile app ecosystem, this metadata will also present new distribution opportunities for developers and help more people keep their apps up to date.
This malware can turn the affected computer into a video camera, letting the attackers see and hear what’s going on in the victim’s office or wherever their device may be. Uninvited, InvisiMole’s operators access the system, closely monitoring the victim’s activities and stealing the victim’s secrets.
At the time of publication, it is unclear how InvisiMole is distributed, although there are unconfirmed reports indicating it is manually delivered to targeted systems. The small number of available samples of the malware, combined with the secrecy with which it has been created and deployed, makes it difficult to determine the delivery mechanism accurately.
InvisiMole is comprised of two modules, RC2FM and RC2CL, with both being capable of collecting user data. RC2FM, the smaller of the two modules, can record audio from a device’s microphone, extract proxy browser settings and alter system files. The more advanced module, RC2CL, can execute files and commands, manipulate registry keys, disable security services and record audio or video.
A couple of days after the opening ceremony of the Winter Olympics in Pyeongchang, South Korea, news reports emerged of a devastating malware attack on the Olympic infrastructure. A look inside the malware revealed a destructive, self-modifying, password-stealing, self-propagating malicious program, which by any definition sounds pretty bad.
According to media reports, the organizers of the Pyeongchang Olympics confirmed they were investigating a cyberattack that temporarily paralyzed IT systems ahead of official opening ceremonies, shutting down display monitors, killing Wi-Fi, and taking down the Olympics website so that visitors were unable to print tickets.
Olympic Destroyer's deceptive behavior and its extensive use of false flags tricked many researchers in the infosecurity industry. Based on code similarity, other researchers linked the malware to three Chinese-speaking APT actors and to the allegedly North Korean Lazarus APT; some code had hints of the EternalRomance exploit, while other code resembled the Netya (ExPetr/NotPetya) and BadRabbit targeted ransomware. Kaspersky Lab managed to find lateral-movement tools and initial-infection backdoors, and followed the infrastructure used to control Olympic Destroyer in one of its South Korean victims.
In May and June 2018, security researchers discovered new spear-phishing documents that closely resembled the weaponized documents Olympic Destroyer had used in the past. This and other shared TTPs led them to believe they were looking at the same actor again.