WAPDropper bypasses CAPTCHA

Researchers have recently come across a multi-function dropper named WAPDropper that downloads and executes an additional payload and uses a machine learning service to bypass image-based CAPTCHA challenges.

The obfuscation technique

WAPDropper uses many reflection techniques and heavily obfuscated strings to hide its malicious motives. 

  • The malware consists of two different modules – the dropper module and a premium dialer module.
  • The dropper module is responsible for downloading a second stage malware and has the potential to spread and initiate different attack vectors to steal victims’ data.
  • The WAP premium dialer module subscribes victims to premium services offered by legitimate sources such as telecommunication providers in Thailand and Malaysia to manipulate money transactions.

Ditching the CAPTCHA

Normally, completing the subscription requires passing a CAPTCHA test. WAPDropper, however, bypasses the CAPTCHA by using the services of Super Eagle, a Chinese company that offers a machine learning solution for image recognition.

Conclusion

Hackers have been using third-party Android stores to distribute WAPDropper malware. Avoiding these marketplaces can reduce the risk of compromise. Because text distortion-based and image recognition CAPTCHAs are vulnerable to machine learning-based attacks, the need for alternative security methods has grown immensely.

Bandook Malware: Digital Infection

A cyberespionage group with suspected ties to the Kazakh and Lebanese governments has unleashed a new wave of attacks against a multitude of industries with a retooled version of Bandook, a 13-year-old Windows backdoor Trojan, targeting government, financial, energy, food industry, healthcare, education, IT, and legal institutions.

This group, which has operated at least since 2012, has been linked to the Lebanese General Directorate of General Security (GDGS), deeming it a nation-state level advanced persistent threat.

Now the same group is back with a new strain of Bandook, with added efforts to thwart detection and analysis, hosting various espionage campaigns.

A Three-Stage Infection Chain

The infection chain is a three-stage process that begins with a lure Microsoft Word document (e.g. “Certified documents.docx”) delivered inside a ZIP file. When opened, the document downloads malicious macros, which then drop and execute a second-stage PowerShell script encrypted inside the original Word document.

In the last phase of the attack, this PowerShell script is used to download encoded executable parts from cloud storage services like Dropbox or Bitbucket in order to assemble the Bandook loader, which then takes the responsibility of injecting the RAT into a new Internet Explorer process.
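The process relationships in that chain (an Office document spawning PowerShell, PowerShell launching a dropped loader, and a fresh Internet Explorer process created by something other than the shell) are what a defender can look for in process-creation telemetry. The following PowerShell is an added example written for this digest, not code from the article or from the researchers; the event records are constructed, and the field names (Time, Pid, ParentPid, Image, CommandLine) and the function name Find-BandookLikeChains are assumptions about how such telemetry is shaped.

```powershell
# Added example, not from the article: flag the process relationships described in the
# Bandook chain (Word document -> PowerShell -> loader -> Internet Explorer injection)
# in process-creation telemetry. The records below are constructed for this example and
# the field names are assumptions.
$SampleEvents = @(
    [pscustomobject]@{ Time = '09:00:00'; Pid = 800;  ParentPid = 500;  Image = 'C:\Windows\explorer.exe';                                   CommandLine = 'explorer.exe' },
    [pscustomobject]@{ Time = '09:00:05'; Pid = 1200; ParentPid = 800;  Image = 'C:\Program Files\Microsoft Office\WINWORD.EXE';             CommandLine = 'WINWORD.EXE "Certified documents.docx"' },
    [pscustomobject]@{ Time = '09:00:11'; Pid = 1300; ParentPid = 1200; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe -w hidden -enc <base64 omitted>' },
    [pscustomobject]@{ Time = '09:00:40'; Pid = 1450; ParentPid = 1300; Image = 'C:\Users\user\AppData\Local\Temp\loader.exe';               CommandLine = 'loader.exe' },
    [pscustomobject]@{ Time = '09:00:42'; Pid = 1500; ParentPid = 1450; Image = 'C:\Program Files\Internet Explorer\iexplore.exe';           CommandLine = 'iexplore.exe' },
    # Benign control: IE started by the user from the shell should not be flagged
    [pscustomobject]@{ Time = '09:05:00'; Pid = 1600; ParentPid = 800;  Image = 'C:\Program Files\Internet Explorer\iexplore.exe';           CommandLine = 'iexplore.exe https://example.com' }
)

function Find-BandookLikeChains {
    param([object[]]$Events)

    # Index events by process id so each one can be joined to its parent
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.Pid] = $e }

    foreach ($e in $Events) {
        $name   = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        $parent = $byPid[[int]$e.ParentPid]
        $parentName = '<unknown>'
        if ($parent) { $parentName = [System.IO.Path]::GetFileName($parent.Image).ToLowerInvariant() }

        # Rule 1: an Office application spawning PowerShell (macro -> second-stage script)
        if ($name -eq 'powershell.exe' -and $parentName -in @('winword.exe', 'excel.exe', 'powerpnt.exe')) {
            [pscustomobject]@{ Time = $e.Time; Pid = $e.Pid; Rule = 'Office spawned PowerShell'; Parent = $parentName; Detail = $e.CommandLine }
        }

        # Rule 2: PowerShell launching a binary from a user-writable location (the assembled loader)
        if ($parentName -eq 'powershell.exe' -and $e.Image -match '\\(AppData|Temp|Downloads)\\') {
            [pscustomobject]@{ Time = $e.Time; Pid = $e.Pid; Rule = 'PowerShell launched binary from user-writable path'; Parent = $parentName; Detail = $e.Image }
        }

        # Rule 3: Internet Explorer created by something other than the shell or itself
        # (the loader starts a new IE process to host the injected RAT)
        if ($name -eq 'iexplore.exe' -and $parentName -notin @('explorer.exe', 'iexplore.exe')) {
            [pscustomobject]@{ Time = $e.Time; Pid = $e.Pid; Rule = 'Internet Explorer with unusual parent'; Parent = $parentName; Detail = $e.CommandLine }
        }
    }
}

# On the constructed records this reports three hits (pids 1300, 1450 and 1500)
# and leaves the user-launched Internet Explorer (pid 1600) alone.
Find-BandookLikeChains -Events $SampleEvents | Format-Table -AutoSize
```

Each rule on its own produces false positives in some environments (administrators do run PowerShell from Office, and helper applications do start Internet Explorer), so the useful signal is several rules firing on the same parent-child lineage within a short window, which is why the function keeps the parent name in every hit.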

The Bandook RAT, commercially available since 2007, comes with all the capabilities typically associated with backdoors: it establishes contact with a remotely controlled server to receive additional commands, ranging from capturing screenshots to carrying out various file-related operations. The earlier version supported nearly 120 commands; the refurbished one supports only 11.

The two new samples found by researchers are full-fledged digitally signed and unsigned variants, which are expected to improve over time and grow into more sophisticated malware.

Crowd Strikes with Claroty for ICS

A partnership has been announced between Claroty and CrowdStrike, resulting in an integration between the Claroty Platform and the CrowdStrike Falcon platform.

The integration will deliver visibility into industrial control system (ICS) networks and endpoints. ICS threats can be detected across the IT/OT boundary without the need for added connectivity, signature reconfiguration, or manual updates — resulting in more efficient IT/OT security governance, according to the two partnering companies.

IT and OT have converged even further, and digital transformation has caused once-isolated OT networks to become interconnected with the rest of the enterprise through the IT network, widening the attack surface.

The integration delivers IT/OT visibility and threat detection for ICS networks through Claroty’s OT expertise and monitoring technology, as well as CrowdStrike’s IT endpoint telemetry.

“This integration with Claroty allows our customers to leverage the CrowdStrike Falcon platform to improve the security posture of their OT environments, bridging the gap between IT and OT.”

Key capabilities include:

  • Threat detection
  • Asset discovery and enrichment

Zero-day in Windows 7 & Server 2008 R2

A French security researcher has accidentally discovered a zero-day vulnerability that impacts the Windows 7 and Windows Server 2008 R2 operating systems and resides in two registry keys:

HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache

An attacker that has a foothold on vulnerable systems can modify these registry keys to activate a sub-key usually employed by the Windows Performance Monitoring mechanism.

“Performance” subkeys are usually employed to monitor an app’s performance, and, because of their role, they also allow developers to load their own DLL files to track performance using custom tools. On recent Windows versions, loading such DLLs is restricted.
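Because the issue turns on who can write to those two service keys and whether a Performance subkey has been planted under them, an administrator can audit both conditions directly from the registry. The PowerShell below is an added example for this digest, not code from the article or from PrivescCheck; the function name Get-PerformanceKeyReport, the list of trusted principals, and the treatment of "write" rights are assumptions. The Library value name comes from the documented layout of Performance subkeys, which use Library, Open, Collect and Close values to describe the performance DLL.

```powershell
# Added example, not from the article or from PrivescCheck: audit the two service
# keys named in the report for a Performance subkey and for ACL entries that let
# non-administrators write to the key. Function and variable names are assumptions.
$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\RpcEptMapper',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'
)

# Rights that let a principal add a Performance subkey or set values under the key
$WriteRights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, SetValue, WriteKey'

# Principals expected to hold write access on service keys (assumed baseline)
$TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

function Get-PerformanceKeyReport {
    param([string[]]$Keys = $ServiceKeys)

    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Key not found: $key"
            continue
        }

        # A Performance subkey, if present, names the DLL the performance monitoring
        # mechanism will load through its 'Library' value.
        $perfPath = Join-Path -Path $key -ChildPath 'Performance'
        $perf = Get-ItemProperty -Path $perfPath -ErrorAction SilentlyContinue
        $library = $null
        if ($perf) { $library = $perf.Library }

        # Allow ACEs granting write-class rights to anyone outside the trusted set
        $acl = Get-Acl -Path $key
        $weakAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $WriteRights) -ne 0) -and
            ($TrustedPrincipals -notcontains $_.IdentityReference.Value)
        }

        [pscustomobject]@{
            Key                  = $key
            HasPerformanceSubkey = [bool]$perf
            PerformanceLibrary   = $library
            NonAdminWriters      = ($weakAces | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }
}

Get-PerformanceKeyReport | Format-Table -AutoSize
```

A row with HasPerformanceSubkey set to True on either of these service keys deserves a look at the DLL path in PerformanceLibrary, and a non-empty NonAdminWriters column means the key can be altered by an unprivileged account, which is the condition the report describes. Run the script elevated so Get-Acl can read the full DACL.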

Labro said he discovered the zero-day after he released an update to PrivescCheck last month, a tool that checks for common Windows security misconfigurations that malware can abuse for privilege escalation. He disclosed the investigation report on his personal site.

Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available for Windows 7 users through the company’s ESU (Extended Support Updates) paid support program, but a patch for this issue has not been released yet.

It is unclear if Microsoft will patch Labro’s new zero-day; however, ACROS Security has already put together a micro-patch, which the company released earlier today. The micro-patch is installed via the company’s 0patch security software and prevents malicious actors from exploiting the bug.