ESET research Profile picture
Sep 30 β€’ 6 tweets β€’ 5 min read
#ESETresearch has discovered #Lazarus attacks against targets in πŸ‡³πŸ‡± and πŸ‡§πŸ‡ͺ, spreading via spearphishing emails and exploiting the CVE-2021-21551 vulnerability to disable the monitoring of all security solutions on compromised machines @pkalnai welivesecurity.com/2022/09/30/ama…
@pkalnai The attack started with spearphishing emails connected to fake job offers, targeting an aerospace company in the Netherlands, and a political journalist in Belgium. The attackers then deployed a VMProtect-ed version of #BLINDINGCAN, a fully featured HTTP(S) backdoor. 2/6
@pkalnai Notably, the attackers used a rootkit named FudModule.dll, that modifies kernel variables and removes kernel callbacks to disable monitoring of all security solutions on the system. This is the first recorded abuse of the CVE-2021-21551 vulnerability in Dell DBUtil drivers. 3/6
@pkalnai We also detected a 32-bit dropper, a trojanized version of the sslSniffer from the wolfSSL project. At the time of the attack, the dropper was validly signed with a certificate issued to "A" MEDICAL OFFICE, PLLC., which has since expired. 4/6
@pkalnai Interestingly, this component uses an unusual decryption algorithm HC-128 with a 128-bit key as the first parameter and, for its 128-bit initialization vector, the string ffffffffffffffff. 5/6
@pkalnai This research was presented at @virusbtn in Prague. #VB2022 abstract: virusbulletin.com/conference/vb2…
IoCs available on our GitHub: github.com/eset/malware-i… 6/6

β€’ β€’ β€’

Missing some Tweet in this thread? You can try to force a refresh
γ€€

Keep Current with ESET research

ESET research Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ESETresearch

Sep 28
In July, #ESETresearch reported on macOS spyware we dubbed CloudMensis. In the blogpost, we left the malware unattributed. However, further analysis showed similarities with a Windows malware called #RokRAT, a #ScarCruft tool. @marc_etienne_, @pkalnai 1/9
The Windows and macOS malware variants are not copycats of each other, but share the following similarities: ➑️ 2/9
1️⃣ Both variants are spyware with functionality such as keylogging and taking screenshots. Each supported command is identified by a number. Its value is in a similar range for both: macOS has 39 commands ranging from 49 to 93, while Windows has 42, ranging from 48 to 90. 3/9
Read 9 tweets
Aug 16
#ESETresearch #BREAKING A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil πŸ‡§πŸ‡·. This is an instance of Operation In(ter)ception by #Lazarus for Mac. @pkalnai @dbreitenbacher 1/7
Malware is compiled for both Intel and Apple Silicon. It drops three files: a decoy PDF document Coinbase_online_careers_2022_07.pdf, a bundle FinderFontsUpdater.app and a downloader safarifontagent. It is similar to #ESETresearch discovery in May. 2/7
However, this time the bundle is signed July 21 (according to the timestamp) using a certificate issued in February 2022 to a developer named Shankey Nohria and team identifier 264HFWQH63. The application is not notarized and Apple has revoked the certificate on August 12. 3/7
Read 7 tweets
Jul 19
#ESETresearch uncovers #CloudMensis, spyware for macOS using cloud storage as a way to communicate back and forth its operators. @marc_etienne_
welivesecurity.com/2022/07/19/i-s… 1/7
We’ve analysed two #CloudMensis stages, the first download and runs the featureful spy agent. Both uses cloud storage using an authentication token. 2/7
On vulnerably Macs, CloudMensis exploits a known vulnerability known as CVE-2020-9934, to bypass TCC and gain access to keyboard events and screen captures. 3/7
Read 7 tweets
Jul 15
#ESETResearch warns of a new campaign using a fake Salesforce update as a lure to deploy the Sliver malware for macOS and Windows 1/9
The Mac infection chain is very similar to a COVID-19-themed campaign documented by SentinelOne last week. sentinelone.com/blog/from-the-… 2/9
This new campaign uses an additional GoLang Mach-O executable that downloads and runs the bash script used to deploy Sliver. 3/9
Read 9 tweets
Jul 13
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6
The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features. 2/6
These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call. 3/6
Read 6 tweets
May 20
#BREAKING #Sandworm continues attacks in Ukraine πŸ‡ΊπŸ‡¦. #ESETresearch found an evolution of a malware loader used during the #Industroyer2 attacks. This updated piece of the puzzle is malware
@_CERT_UA calls #ArguePatch. ArguePatch was used to launch #CaddyWiper. #WarInUkraine 1/6 Image
The #Industroyer2 attacks used a patched version of @HexRaysSA IDA Pro’s remote debug server (win32_remote.exe). It was modified to include code to decrypt and run #CaddyWiper from an external file. 2/6 ImageImage
This time, #Sandworm chose an official @ESET executable to hide #ArguePatch. It was stripped of its digital signature and code was overwritten in a function called during the MSVC runtime initialization. 3/6 ImageImage
Read 6 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(