Share this page!

ESET research Profile picture
Twitter logo
1 Dec, 7 tweets, 6 min read
#ESETresearch has published a comprehensive whitepaper comparing all known malware frameworks designed to breach air-gapped networks. Read more: welivesecurity.com/2021/12/01/jum… @adorais @0xfmz 1/7
@adorais @0xfmz In the first half of 2020 alone, 4 previously unknown malicious frameworks emerged, bringing the total, by our count, to 17. This sparked our interest into doing this research. 2/7
@adorais @0xfmz This work allowed us to formalize what defines an air-gapped network malware and to propose a terminology to accurately describe the various components at play. 3/7
@adorais @0xfmz We also examined the 4 main sets of characteristics relevant to this special type of malware: connected side & air-gapped side execution vectors, air-gapped side functionalities, and of course, communication & exfiltration channels. 4/7
@adorais @0xfmz Three key findings of our research:
-USB drives have been the ONLY medium used by malware to transfer data across air gaps. We found no evidence of malware using other covert transmission mediums such as acoustic or electromagnetic signals. 5/7
@adorais @0xfmz -All frameworks were designed for espionage purposes and only targeted Windows systems
-Some techniques to compromise the initial system in air-gapped networks required user interaction, some didn’t, and some relied on assets with physical access to the system. 6/7
@adorais @0xfmz Read the full white paper at welivesecurity.com/wp-content/upl… @adorais @0xfmz 7/7

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

ESET research Profile picture
10 Nov
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA with two malicious components. @cherepanov74 1/5
Attackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder. 2/5
Once started, the idahelper.dll attempts to download and execute a next-stage payload from https://www[.]devguardmap[.]org/board/board_read.asp?boardid=01 3/5
Read 5 tweets
ESET research Profile picture
8 Oct
#ESETresearch analyzed #FontOnLake, a previously unknown #malware family that utilizes custom and well-designed modules, targeting #Linux systems.
welivesecurity.com/2021/10/07/fon…
@HrckaVladislav 1/6
Modules are under development and provide #remoteaccess to the operators, collect credentials + serve as a proxy server. To do this, #FontOnLake uses modified legitimate binaries adjusted to load further components, its presence is always accompanied by a #rootkit. 2/6
The sneaky nature of #FontOnLake tools, along with advanced design and low prevalence suggest usage in targeted attacks. #ESETresearch believes its operators are extra cautious as almost all samples seen use unique C&C servers with varying non-standard ports. 3/6
Read 6 tweets
ESET research Profile picture
7 Oct
Join #ESETresearch at #vblocalhost! Starting today, you can watch @RighardZw in a live presentation looking at internal attack scenarios and highlighting issues that have remained “foolishly ignored” for years (Thu 20:00 - 20:30 UTC). 1/4
On Friday, @zuzana_hromcova will walk the audience through the current landscape of IIS threats – ranging from traffic redirectors to backdoors – and share the essentials of reverse-engineering native IIS malware (Fri 17:45 - 18:15 UTC). 2/4
On demand you can watch @cherepanov74 and @Robert_Lipovsky as they guide you through the US #Sandworm indictment; @LukasStefanko will discuss the hidden cost of #Android #stalkerware. Finally, there is @RighardZw again in the panel debate. 3/4
Read 4 tweets
ESET research Profile picture
24 Aug
#ESETresearch has recently discovered a new undocumented modular backdoor, SideWalk, that was used by an APT group we named SparklingGoblin during one of its recent campaigns targeting a US-based computer retail company 🇺🇸. welivesecurity.com/2021/08/24/sid… @passil_t @mathieutartare 1/6
SideWalk is a modular backdoor that can dynamically load additional modules sent from the C&C server, makes use of Google Docs as a dead drop resolver, and @Cloudflare workers as a C&C server. It can also properly handle communication behind a proxy. 2/6
This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK, which FireEye was first to attribute to #APT41. This backdoor is referenced as ScrambleCross by Trend Micro 3/6
Read 6 tweets
ESET research Profile picture
30 Apr
#ESETresearch confirms that malicious digitally signed AnyDesk installers are distributed from anydesk.s3-us-west-1.amazonaws[.]com. Our telemetry shows that victims are redirected there from three attacker-controlled domains: zgnuo[.]com, clamspit[.]com and domohop[.]com. 1/4 Image
The three domains resolve to 176.111.174[.]127, 176.111.174[.]129 and 176.111.174[.]130, in the same IP range as the C&C server, 176.111.174[.]125. It seems victims, mainly located in North America, are redirected through malicious ads from different legitimate websites. 2/4
The fake installers are malicious downloaders that download a PowerShell script b.ps1 leading, in a few cases, to Cobalt Strike, as mentioned in the analysis of a past campaign: inde.nz/blog/different…. We also observed further recon activity using BloodHound and AdFind. 3/4
Read 5 tweets
ESET research Profile picture
2 Mar
We have received a lot questions about the Silver Sparrow malware for macOS after a publication by @redcanary. #ESETresearch has investigated and found that, far from speculations about nation-state malware, it is likely related to adware and pay-per-install schemes. 1/10
We have first seen Silver Sparrow in the wild early September. Our telemetry (although limited) showed under 50 instances of this threat, spread all around the globe. We have monitored the configuration file and never seen any actual payload delivered. 2/10
The fact that the configuration file is hosted in AWS S3 bucket means there is no way for the attackers to send different configuration to specific targets. S3 only supports serving static content and cannot generate a dynamic response based on IP or any request parameters. 3/10
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ESETresearch has new unrolls!

Check out other threads from @ESETresearch!

Read all threads by @ESETresearch

:(