Group for Malware Analysts. Pinned message with resources and rules: https://t.me/MalwareResearch/38033
https://charlie.fish/posts/2023/10/creating-dark-web-tor-onion-service-website/
I think this should give some ideas for detection
I'm just curious how it would port over to Windows... since most infostealers are Windows malware 😬
you might see BYOS - Bring Your Own Servers 🫣
App bound encryption is already being targeted. A lot of stealers have updated their code. Some got forced by their customers to update it.
but whether there are undisclosed vulnerabilities around device bound session credentials is unknown to me, since it's an open source project and everyone can study its code for vulnerabilities
Some of the channels here in Telegram claim that they have bypassed device bound session credentials. I am not sure how they have done it.
At some point they will catch it, even if not 100%
But whether you can answer questions your government throws at you is a different matter, especially for regulated or critical information operators, or in the case of data breaches, which would likely apply to all companies where there are relevant laws
And realistically speaking, attackers seldom just exfiltrate from one system
There's usually multiple systems that they exfiltrate from. So will there be multiple Tor servers created or just one?
If there's multiple Tor servers because every infected system will be installed with one server, then the TA needs a system to manage all the servers. It could present interesting incoming and outgoing paths
From network management view, if both incoming and outgoing Tor traffic, then this method might not work
But if only outgoing Tor traffic is blocked, it could make things interesting for detection and data analysis, e.g. why is there so much incoming traffic to this system?
From the interview, the impression I get is that they would start a Tor service on the system and make it available as an open directory. The attacker can browse all the files in the system and download them by making GET requests.
In the interview, two methods are mentioned: Tor and using a preconfigured VPN.
As far as I know, one can detect and block Tor network traffic in their environment.
Maybe one can check if a VPN connection is being made. If they can, then they can easily allow the ones that are used in the environment. I am not sure about this though.
Also, stealers these days need to bypass Chromium's app bound encryption. To do that, you need to execute the code on the system. Some try to start Chrome in headless mode and try to steal it.
So, I don't think you can get cookies using it. Passwords and files maybe. Although it needs to be decrypted using DPAPI, which is not possible to do on the server side.
It would be good if any vendor has caught this in action and can confirm. Otherwise it seems like a misdirection.
Have you guys read the latest interview of pryx by hudsonRock? He talks about server side stealers where the victim's system is turned into an onion server. The attacker gets the onion addresses and then performs GET requests in order to exfiltrate files from it.
I wonder why anyone would openly talk about their new technique?
May I ask to download this file from VT? Big thanks
https://www.virustotal.com/gui/file/58ba4b98bb43ee953ef9fdb02bcc9594b368fe83963b1975130ba58a5112317e/detection
Hello Cho, welcome to the Malware Research group! Please read the pinned message before you post!
🚀 Unlock the Ultimate Capital Raising Resource! 🚀
Don’t miss this one-time deal:
Master List 360 + Capital Raising Blueprint
🔥 357,300+ Investors & LPs for just $885 (down from $1,885!) 🔥
🎯 Features include:
✅ 16,000+ Family Office records (US, Europe, Asia)
✅ 109,000+ Venture Capital records
✅ 8,000+ Private Equity records
✅ Tools for efficient fundraising: term sheets, pitch decks, and more!
📂 Explore the Sample Database here: [SAMPLE LINK]
💳 Secure Your Access Now: [PAYMENT LINK]
⏰ Offer valid until midnight tonight (Eastern U.S. Time, 12.24.2024).
📅 Prepare for 2025 with the most comprehensive and powerful investor database! Whether you're a founder, startup, or entrepreneur, this is your opportunity to start the new year with the tools to achieve your funding goals.
Start your journey to strategic and efficient fundraising today! 💼
yeah. when it was initially implemented by Chrome, I think I saw chatter about it
it's also where the confusion of device bound session credentials and app bound encryption came about
in short, your detection must account for various types of scenarios and users must still avoid falling for phishing
+ defense in depth
by the way, if session thefts are made impossible, then I suspect app bound encryption will be very heavily targeted, so attackers will create their own sessions instead, especially if MFA can't be enforced for legacy apps/protocols
this will totally eliminate the need for device bound session credentials, and you will need other detection rules, such as multiple logins from the same user from the different IPs
no idea. I have seen some confused between device bound session credentials and app bound encryption
I too initially was confused until I re-read all the relevant documentation and codes, only to find that they have bypassed app bound encryption, haha
on the Chromium part - https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/
I think there would likely be some detections around this area, since vendors have seen them, though I personally have not encountered any
in the worst case scenario where cookies are stolen, assuming that the browser has device bound session credentials enabled, it could likely limit the impact if it's successful
but I suspect your processes to contain and mitigate the threat of session thefts and hijacking will be more important, because if it's successfully decrypted and there's no device bound session credentials, anything could really happen, so speed is essential, especially for critical accounts
There are many questions that need to be answered; however, I feel if an org has decent EDR and network monitoring tools, then they might be able to catch it in action.
Forensically, assuming that it's an active data staging server, that means they can't delete or hide artifacts effectively. So if IR or SOC contains the threat fast enough, impact could be limited
I thought they are making use of the infected system as a Tor server
So if it's a server, it becomes interesting because options are now available. But whether those options are quiet enough in an environment I don't know for sure. I'm not too sure how a Tor server works or how the TA intends for it to work to exfiltrate data
Depends on how the environment uses VPN I think
But I think this is where EDR could possibly help - detection of new processes and services. Where possible, they can block unauthorized VPN executables and flag them
In Windows, it's possible that you can block such executables and only allow specific VPN executables to run
The Tor exfiltration part is unclear and it seems like there's missing info as to how it will work. But for it to completely evade detection, perhaps it's more than just creating a Tor server
Could be a psychological tactic, especially if vendors are going to talk about it, so might as well
Two, from reading the interviews, it was mentioned that the aim is to dominate the market and change how it operates, so there's probably more to come and he/she is satisfied enough that revealing it wouldn't derail it from achieving its aim, even if other threat actors start copying
Hello @mahdi13968573, welcome to the Malware Research group! Please read the pinned message before you post!
https://x.com/TrendMicroRSRCH/status/1870725964285571250
Discover how ANEL, a backdoor malware from APT10, has resurfaced in a spear-phishing campaign by Earth Kasha.
New FedBan
Fed: Libra's Empire
FedAdmin: ❤🦦
User: 1 1
User ID: 510858141
Reason: spam