We saw this malware family used in a targeted attack against a high profile company in 🇯🇵 Japan in May 2021. We recovered 2 samples that match FireEye's description of PRIVATELOG and STASHLOG, along with a previously unknown sample we call SPARKLOG 2/11
With STASHLOG being the installer and PRIVATELOG a loader, SPARKLOG is the launcher component for PRIVATELOG. Its main purpose is to retrieve PRIVATELOG from the log file, decrypt it, and get it loaded into legitimate service which varies from one OS version to another. 3/11
From Windows Server 2012 to Windows 10, SPARKLOG drops PRIVATELOG as %SYSTEM32%\spool\drivers\x64\3\prntvpt.dll (mimicking a legitimate Windows DLL) then stops and starts an existing PrintNotify service to load the DLL. PrintNotify is a legitimate Windows service. 4/11
From Windows Vista to Windows 7, SPARKLOG uses a well-known DLL hijacking technique that involves dropping PRIVATELOG as %SYSTEM32%\WindowsPowershell\v1.0\wlbsctrl.dll, then stops and starts the legitimate Windows’ IKEEXT service to load it. 5/11
Depending on the command line, unlike with printpvt.dll, the file is wiped if the service is started successfully. 6/11
We believe that there should exist a version of PRIVATELOG that, as in the case of prntvpt.dll, mimics or attempts to look as wlbsctrl.dll, another legitimate Windows DLL. 7/11
Interestingly, SPARKLOG executable contains an icon (doesn’t seem to belong to a specific software), and it creates a non-visible window to which it posts a message that triggers the execution of a thread to launch PRIVATELOG. 8/11
We are sharing the following IoCs in hope that the community can use them to continue to research and find the missing components of the malware: 9/11
#ESETresearch identified malicious MS Excel documents automatically downloaded upon visiting the websites of cryptocurrencies #HotDoge, www.hotdogetoken[.]com, and #DonutCatBSC, www.donutcatbsc[.]com. Opening the document led to stealing the victim’s private information. 1/6
We contacted @HotDogeTokenBSC and provided them with the information to remediate the threat. They resolved the issue and the websites no longer serve the malicious documents. 2/6
We attribute this campaign to the 🇰🇵North Korea-linked APT group #Kimsuky. The Excel document contains a malicious Excel V4.0 macro that uses the #Squiblydoo technique to download and execute an XML file with a VBS scriptlet. 3/6
@adorais@0xfmz In the first half of 2020 alone, 4 previously unknown malicious frameworks emerged, bringing the total, by our count, to 17. This sparked our interest into doing this research. 2/7
@adorais@0xfmz This work allowed us to formalize what defines an air-gapped network malware and to propose a terminology to accurately describe the various components at play. 3/7
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4
On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid…@passil_t@mathieutartare 1/6
SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK, which FireEye was first to attribute to #APT41. This backdoor is referenced as ScrambleCross by Trend Micro 3/6