We’ve analysed two #CloudMensis stages, the first download and runs the featureful spy agent. Both uses cloud storage using an authentication token. 2/7
On vulnerably Macs, CloudMensis exploits a known vulnerability known as CVE-2020-9934, to bypass TCC and gain access to keyboard events and screen captures. 3/7
We think CloudMensis may have been distributed using Safari exploit in the past because unexecuted code is present to cleanup traces after a successful exploit. 4/7
According to the file extensions in the default configuration, operators of CloudMensis are interested in documents, spreadsheets, audio recordings, pictures, and email messages. 5/7
Metadata from the cloud storage used by CloudMensis suggest there were at most 51 victims using this configuration between February 4th
and April 22nd. 6/7
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6
The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features. 2/6
These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6
#ESETresearch In November 2020, a Windows executable called mozila.cpl was submitted to VirusTotal from Germany 🇩🇪. At that time, it had zero detection rate and it is still very low now. The file is a trojanized sqlite-3.31.1 library and we attribute
it to #Lazarus. @pkalnai 1/4
The library contains an embedded payload. A command line argument S0RMM-50QQE-F65DN-DCPYN-5QEQA must be provided for its decryption and additional parameters are passed to the payload. 2/4
The payload is an instance of the HTTP(s) uploader mentioned in the report by HvS-Consulting from December 2020. Its main purpose is to exfiltrate RAR archives from a victim’s system. hvs-consulting.de/public/ThreatR… 3/4
Code similarity is a common and powerful way to cluster malware samples and make connections between seemingly unrelated malware families. Although it sounds simple, it is actually a complex problem and is hard to automate at scale without generating false positives. 1/
Blindly trusting code similarity can get one to make connections when there are none. This yields erroneous conclusions and can create very wrong media headlines. 2/
An example of wrong use of code similarity was published by Cluster25 recently, where they connect #IsaacWiper to various other malware families. cluster25.io/2022/05/03/a-s… 3/
#ESETresearch A year ago, a signed Mach-O executable disguised as a job description was uploaded to VirusTotal from Singapore 🇸🇬. Malware is compiled for Intel and Apple Silicon and drops a PDF decoy. We think it was part of #Lazarus campaign for Mac. @pkalnai@marc_etienne_ 1/8
The document, named BitazuCapital_JobDescription.pdf, reminds a strong similarity with a lure from Lazarus attacks using 2 TOY GUYS code-signing certificates for Windows, targeting aerospace and defense industries. welivesecurity.com/wp-content/upl… 2/8
Both decoys are PDF v1.5 documents produced by Microsoft Word 2016. They are obviously not identical, as one uses Colonna MT font while the other uses Calibri, but the title and ornaments on the front page have the same colors (#569bd5 and #aacc5db). 3/8