Transparent Tribe ! ⛓️ Espionage on Government

A recent espionage campaign is targeting government authorities in India, Afghanistan and other Asian countries. The group behind it, known as Transparent Tribe (also called ProjectM), has been in operation since 2013.

Transparent Tribe is focused on surveillance and spying, and to accomplish these ends, the group is constantly evolving its toolkit depending on the intended target.

The attack chain starts off in a typical way, via spear-phishing emails. Fraudulent messages are sent together with malicious Microsoft Office documents containing an embedded macro that deploys the group’s main payload, the Crimson Remote Access Trojan (RAT).

If a victim falls for the scheme and enables macros, the custom .NET Trojan launches and performs a variety of functions, including connecting to a command-and-control (C2) server for data exfiltration and remote malware updates, stealing files, capturing screenshots, and compromising microphones and webcams for audio and video surveillance.

The Trojan is also able to steal files from removable media, log keystrokes, and harvest credentials stored in browsers.

The Trojan comes in two versions that have been compiled across 2017, 2018, and at the end of 2019, suggesting the malware is still in active development.

Transparent Tribe also makes use of other .NET malware and a Python-based Trojan called Peppy, but a new USB attack tool is of particular interest.

USBWorm is made up of two main components, a file stealer for removable drives and a worm feature for jumping to new, vulnerable machines.

If a USB drive is connected to an infected PC, a copy of the Trojan is quietly installed on the removable drive. The malware lists all directories on the drive and places a copy of the Trojan in the drive’s root directory for each of them. Each real directory’s attribute is then changed to “hidden”, and the copy is given a fake Windows directory icon to lure victims into clicking on and executing the payload when they try to open the directory.

“This results in all the actual directories being hidden and replaced with a copy of the malware using the same directory name.”
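The lure layout described above (a hidden real directory next to a same-named executable carrying a folder icon) is easy to check for on a drive root. The scanner below is an added example written for this page, not code from the Transparent Tribe analysis; the extension set and the sample drive listing are constructed assumptions, and the Windows HIDDEN attribute is only readable on Windows.

```python
"""Flag the USBWorm lure layout on a removable drive root.

Added example for this page, not code from the Transparent Tribe analysis.
The behaviour modelled follows the description above: each real top-level
directory is hidden and an executable with the same name (and a folder icon)
is placed beside it. The scanner flags hidden directories that have a
same-named file with an executable extension next to them. The extension set
and the sample listing are assumptions constructed for the demo.
"""
import os
import stat
from typing import Iterable, List, NamedTuple, Tuple

# Assumption: extensions a lure file is likely to use; extend to taste.
LURE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


class Entry(NamedTuple):
    name: str
    is_dir: bool
    hidden: bool  # Windows HIDDEN attribute


def find_lures(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (hidden_directory, lure_file) pairs found among root entries."""
    entries = list(entries)
    hidden_dirs = {e.name.lower(): e.name for e in entries if e.is_dir and e.hidden}
    lures = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in LURE_EXTENSIONS and stem.lower() in hidden_dirs:
            lures.append((hidden_dirs[stem.lower()], e.name))
    return sorted(lures)


def _is_hidden(dirent: "os.DirEntry") -> bool:
    st = dirent.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # populated on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_drive_root(root: str) -> List[Tuple[str, str]]:
    """Run the check against a real directory, e.g. the root of a USB stick."""
    with os.scandir(root) as it:
        entries = [Entry(d.name, d.is_dir(follow_symlinks=False), _is_hidden(d)) for d in it]
    return find_lures(entries)


# Constructed listing of an infected drive root (not from a real sample).
SAMPLE_ROOT = [
    Entry("Reports", is_dir=True, hidden=True),
    Entry("Reports.exe", is_dir=False, hidden=False),
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.exe", is_dir=False, hidden=False),
    Entry("System Volume Information", is_dir=True, hidden=True),  # legitimately hidden, no lure
    Entry("notes.txt", is_dir=False, hidden=False),
    Entry("Backup", is_dir=True, hidden=False),
    Entry("Backup.exe", is_dir=False, hidden=False),  # visible directory: not the worm's pattern
]

if __name__ == "__main__":
    for directory, lure in find_lures(SAMPLE_ROOT):
        print(f"hidden directory {directory!r} shadowed by executable {lure!r}")
```

`find_lures` keeps the rule strict (the directory must actually be hidden) so that a legitimately hidden folder such as "System Volume Information" is not flagged on its own; pass a real drive root to `scan_drive_root` on a Windows host to check a physical stick.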

Over 200 samples of Transparent Tribe Crimson components were detected between June 2019 and June 2020. “We don’t expect any slowdown from this group in the near future.”

EmoCrash ! Effective Emotet kill switch

Emotet, a notorious email-based malware behind several botnet-driven spam campaigns and ransomware attacks, contained a flaw that allowed cybersecurity researchers to activate a kill-switch and prevent the malware from infecting systems for six months.

“Just as attackers can exploit flaws in legitimate software to cause harm, defenders can also reverse-engineer malware to discover its vulnerabilities and then exploit those to defeat the malware.”

The kill-switch was alive between February 6, 2020, and August 6, 2020, a span of 182 days, before the malware authors patched their malware and closed the vulnerability.

Early this February, Emotet gained a new feature that leverages already infected devices to identify and compromise fresh victims connected to nearby Wi-Fi networks.

Along with this feature update came a new persistence mechanism, according to Binary Defense, which “generated a filename to save the malware on each victim system, using a randomly chosen exe or dll system filename from the system32 directory.”
The change in itself was straightforward: the malware encrypted the filename with an XOR key and saved it to a Windows registry value named after the victim’s volume serial number.

The first version of the kill-switch developed by Binary Defense, which went live about 37 hours after Emotet unveiled the above changes, employed a PowerShell script that would generate the registry value for each victim and set the data of that value to null.

This way, when the malware checked the registry for the filename, it would end up loading an empty exe “.exe,” thus stopping the malware from running on the target system.

“When the malware attempts to execute ‘.exe,’ it would be unable to run because ‘.’ translates to the current working directory for many operating systems,” Quinn noted.

EmoCrash to Thwart Emotet

That’s not all. In an improvised version of the kill-switch, called EmoCrash, Quinn said he was able to exploit a buffer overflow vulnerability discovered in the malware’s installation routine to crash Emotet during the installation process, thereby effectively preventing users from getting infected.

Instead of resetting the registry value to null, the EmoCrash script identifies the system architecture, generates the install registry value for the user’s volume serial number, and uses it to save a buffer of 832 bytes.
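To make the two kill-switch variants concrete, here is an in-memory model of the persistence value they target. It is an added example written for this page, not Emotet’s code and not Binary Defense’s PowerShell script: a dict stands in for the registry, and the XOR key, the value-name format and the 256-byte install buffer are assumptions; the 832-byte EmoCrash payload size is the figure given above. It shows why null-length data decrypts to an empty name (so the launch path becomes “.exe”) and why oversized data breaks an install routine that never bounds-checks the value.

```python
"""In-memory model of the Emotet persistence value and the two kill-switches.

Added example written for this page; it is neither Emotet's code nor Binary
Defense's PowerShell script. What is modelled follows the description above:
the malware picks a system32 filename, XOR-encrypts it, stores it in a registry
value named after the volume serial number and later appends ".exe" to the
decrypted name. The dict standing in for the registry, the XOR key, the
value-name format and the 256-byte install buffer are assumptions; the
832-byte EmoCrash payload size is the figure given on the page.
"""
from typing import Dict

XOR_KEY = b"\x5a"              # assumed key; the real derivation is not on the page
INSTALL_BUFFER_SIZE = 256      # assumed fixed-size buffer the install routine copies into
EMOCRASH_PAYLOAD = b"A" * 832  # page: EmoCrash saves a buffer of 832 bytes


def xor(data: bytes, key: bytes = XOR_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def value_name(volume_serial: int) -> str:
    """Registry value name derived from the volume serial (assumed hex form)."""
    return f"{volume_serial:08X}"


# --- malware side (modelled) ---------------------------------------------
def malware_payload_path(reg: Dict[str, bytes], serial: int) -> str:
    """Decrypt the stored name and append ".exe", as the page describes."""
    blob = reg.get(value_name(serial), b"")
    return xor(blob).decode(errors="replace") + ".exe"


def malware_install(reg: Dict[str, bytes], serial: int, sys32_name: str) -> str:
    """Reuse an existing value if present, else create one; no bounds check."""
    name = value_name(serial)
    if name not in reg:
        reg[name] = xor(sys32_name.encode())
    if len(reg[name]) > INSTALL_BUFFER_SIZE:
        raise OverflowError("install buffer overrun: process crashes before infection")
    return malware_payload_path(reg, serial)


def launch_would_succeed(path: str) -> bool:
    """'.exe' has an empty stem, so there is no file to execute."""
    stem = path[: -len(".exe")] if path.lower().endswith(".exe") else path
    return bool(stem)


# --- defender side (modelled) ---------------------------------------------
def killswitch_v1(reg: Dict[str, bytes], serial: int) -> None:
    """First Binary Defense approach: pre-create the value with null data."""
    reg[value_name(serial)] = b""


def emocrash(reg: Dict[str, bytes], serial: int) -> None:
    """EmoCrash: pre-create the value with an 832-byte buffer."""
    reg[value_name(serial)] = EMOCRASH_PAYLOAD


def demo(serial: int = 0x1A2B3C4D) -> dict:
    """Run the three scenarios: unprotected host, kill-switch v1, EmoCrash."""
    results = {}
    reg: Dict[str, bytes] = {}
    results["infected"] = malware_install(reg, serial, "svchost")  # constructed system32 pick

    reg = {}
    killswitch_v1(reg, serial)
    path = malware_install(reg, serial, "svchost")
    results["v1_path"] = path
    results["v1_runs"] = launch_would_succeed(path)

    reg = {}
    emocrash(reg, serial)
    try:
        malware_install(reg, serial, "svchost")
        results["emocrash_crashed"] = False
    except OverflowError:
        results["emocrash_crashed"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The model keeps the one property that matters for both kill-switches: the malware trusts whatever is already stored under its own value name. Pre-seeding that value is therefore enough to either starve it of a usable filename (v1) or feed it more data than its install buffer holds (EmoCrash).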

Agent Tesla ! Upgraded & more sophisticated at stealing

An upgraded version of the Agent Tesla remote access Trojan now comes with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, and FTP and email clients.

Agent Tesla is a commercially available .NET-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, active since at least 2014.

This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.

It can also be used for stealing victims’ clipboard contents, for collecting system information, and for killing anti-malware and software analysis processes.

Credentials are not so safe

After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.

“The malware has the ability to extract credentials from the registry as well as related configuration or support files.”

Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.

Once it harvests credentials and app config data, the infostealer delivers them to its command-and-control (C2) server via FTP or SMTP, using credentials bundled within its internal configuration.

“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts.”
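The exfiltration path above (FTP or SMTP with baked-in credentials, often from inside an injected host process) gives defenders a simple network-side check: which processes on a workstation are speaking mail or FTP protocols at all. The following is an added example for this page, not code from the Agent Tesla analysis; the Sysmon-style network events, the port table and the client allowlist are constructed assumptions.

```python
"""Flag processes that talk FTP/SMTP but are not mail or FTP clients.

Added example for this page, not code from the Agent Tesla analysis. The
behaviour it targets is the one described above: the stealer ships harvested
data to its C2 over FTP or SMTP with credentials baked into its config, often
from inside an injected host process. Sysmon-style network events, the port
table and the client allowlist are constructed assumptions.
"""
import csv
import io
from typing import Dict, List

EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "smtp-submission"}

# Assumption: programs expected to speak these protocols in this environment.
EXPECTED_CLIENTS = {"outlook.exe", "thunderbird.exe", "filezilla.exe"}

# Constructed network-connection events (Sysmon Event ID 3 style, CSV).
# The RegSvcs.exe row models a legitimate .NET utility used as an injection host.
SAMPLE_EVENTS = """utc_time,image,user,dest_ip,dest_port
2020-08-12T09:01:12Z,C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,CORP\\alice,10.0.0.25,587
2020-08-12T09:03:44Z,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,CORP\\alice,142.250.74.78,443
2020-08-12T09:04:02Z,C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe,CORP\\alice,198.51.100.7,587
2020-08-12T09:04:09Z,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe,CORP\\bob,203.0.113.9,21
2020-08-12T09:05:31Z,C:\\Program Files\\FileZilla FTP Client\\filezilla.exe,CORP\\carol,10.0.0.40,21
"""


def parse_events(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def image_basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_exfil_candidates(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return connections to FTP/SMTP ports from images outside the allowlist."""
    hits = []
    for ev in events:
        port = int(ev["dest_port"])
        if port not in EXFIL_PORTS:
            continue
        name = image_basename(ev["image"])
        if name in EXPECTED_CLIENTS:
            continue
        hits.append({
            "time": ev["utc_time"],
            "image": name,
            "user": ev["user"],
            "dest": f"{ev['dest_ip']}:{port}",
            "protocol": EXFIL_PORTS[port],
        })
    return hits


if __name__ == "__main__":
    for hit in find_exfil_candidates(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['time']} {hit['user']} {hit['image']} -> {hit['dest']} ({hit['protocol']})")
```

Because the stealer may run inside a legitimate, signed binary, the check keys on the process name only to exclude the few programs that are expected to speak these protocols; everything else making an SMTP or FTP connection is worth a look, regardless of how trustworthy its image path appears.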

Agent Tesla is one of the most actively used malware strains in attacks targeting both businesses and home users, as shown by the list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.

While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.

Nothing is safe until a proper process is put in place to oversee security.

ManageEngine hit with a critical flaw

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host.

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32\’, a cmd.exe can be launched as SYSTEM.”
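The end state of the chain above is distinctive on a workstation: File Explorer running as SYSTEM, and a cmd.exe descended from it. explorer.exe normally runs as the logged-on user, so a SYSTEM instance is itself a signal, and anything it spawns inherits that suspicion. The check below is an added example for this page, not code from ManageEngine or the advisory; the process-creation records are constructed and the ADSelfService Plus client image name is a placeholder, not the real binary.

```python
"""Flag a SYSTEM-level explorer.exe and any process descended from it.

Added example for this page, not from ManageEngine or the advisory. It looks
for the outcome described above: the certificate export dialog opening File
Explorer as SYSTEM, from which cmd.exe is launched as SYSTEM. explorer.exe
normally runs as the logged-on user, so a SYSTEM instance, and any child of
it, is flagged. The process-creation events are constructed; the parent image
name of the ADSelfService Plus client is a placeholder, not the real binary.
"""
from typing import Dict, List, Tuple

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"

# Constructed Sysmon Event ID 1 style records (pid, ppid, image, user).
SAMPLE_PROCESSES: List[Dict] = [
    {"pid": 700, "ppid": 500, "image": "C:\\Windows\\System32\\winlogon.exe", "user": SYSTEM_USER},
    {"pid": 1200, "ppid": 1100, "image": "C:\\Windows\\explorer.exe", "user": "CORP\\alice"},
    {"pid": 1300, "ppid": 1200, "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\alice"},
    # Placeholder image name for the self-service client; the real path is not on the page.
    {"pid": 2100, "ppid": 700, "image": "C:\\PLACEHOLDER\\ADSelfServicePlusClient.exe", "user": SYSTEM_USER},
    {"pid": 2200, "ppid": 2100, "image": "C:\\Windows\\explorer.exe", "user": SYSTEM_USER},
    {"pid": 2300, "ppid": 2200, "image": "C:\\Windows\\System32\\cmd.exe", "user": SYSTEM_USER},
]


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_system_explorer(proc: Dict) -> bool:
    return basename(proc["image"]) == "explorer.exe" and proc["user"] == SYSTEM_USER


def find_system_explorer_chains(procs: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for SYSTEM explorer.exe instances and their descendants."""
    by_pid = {p["pid"]: p for p in procs}
    flagged: List[Tuple[int, str]] = []
    for p in procs:
        if is_system_explorer(p):
            flagged.append((p["pid"], "explorer.exe running as SYSTEM"))
            continue
        # Walk the ancestor chain; bound the depth in case of pid reuse loops.
        ancestor = by_pid.get(p["ppid"])
        depth = 0
        while ancestor is not None and depth < 32:
            if is_system_explorer(ancestor):
                flagged.append((p["pid"], f"{basename(p['image'])} descended from SYSTEM explorer.exe (pid {ancestor['pid']})"))
                break
            ancestor = by_pid.get(ancestor["ppid"])
            depth += 1
    return flagged


if __name__ == "__main__":
    for pid, reason in find_system_explorer_chains(SAMPLE_PROCESSES):
        print(f"pid {pid}: {reason}")
```

The user-context explorer.exe and its cmd.exe child (pids 1200 and 1300) pass untouched, so the rule does not fire on ordinary interactive sessions; only the SYSTEM explorer and what it spawns are reported.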

ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.