Abaddon RAT! Sophisticated C2

The new ‘Abaddon‘ remote access trojan may be the first to use Discord as a full-fledged command and control server that instructs the malware on what tasks to perform on an infected PC.

Threat actors abusing Discord for malicious activity is nothing new, but Abaddon could be the first malware that uses Discord as a full-fledged command and control server rather than just a file host or exfiltration channel.

When started, Abaddon will automatically steal the following data from an infected PC:

  • Chrome cookies, saved credit cards, and credentials
  • Steam credentials and a list of installed games
  • Discord tokens and MFA information
  • File listings
  • System information such as country, IP address, and hardware details

Abaddon will then connect to the Discord command and control server to check for new commands to execute, as shown in the image below.

Image: receiving a task from the Discord server

These commands will tell the malware to perform one of the following tasks:

  • Steal a file or entire directories from the computer
  • Get a list of drives
  • Open a reverse shell that allows the attacker to execute commands on the infected PC
  • Launch in-development ransomware (more on this below)
  • Send back any collected information and clear the existing collection of data

The malware will connect to the C2 every ten seconds for new tasks to execute.

Using a Discord C2 server, the threat actor can continually monitor their collection of infected PCs for new data and push further commands or malware to the computer, such as the ransomware's encryption routine and, once a ransom is paid, its decryption routine.

With ransomware being extremely lucrative, it would not be surprising to see this feature completed in the future.
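One defensive angle on a fixed-interval C2 poll like Abaddon's ten-second check-in is beacon detection over web proxy logs. The Python below is an added example, not code from the original post or from the malware; the log format, client addresses and Discord channel ID are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log excerpt (not from the original post). Assumed
# format: "<epoch_seconds> <client_ip> <method> <host> <path>".
# 10.0.0.5 polls one channel every 10 s, the cadence described for
# Abaddon; 10.0.0.7 shows ordinary, irregular Discord use.
SAMPLE_LOG = """\
1603000000 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000010 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000020 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000030 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000040 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000050 10.0.0.5 GET discord.com /api/v8/channels/1234567890/messages
1603000003 10.0.0.7 GET discord.com /api/v8/gateway
1603000180 10.0.0.7 GET discord.com /api/v8/channels/99/messages
1603000205 10.0.0.7 GET cdn.discordapp.com /attachments/x.png
1603000600 10.0.0.7 GET discord.com /api/v8/users/@me
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (timestamp, client_ip, host) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(4)))
    return events


def find_beacons(events, min_hits=5, max_jitter=1.0):
    """Group requests by (client, host) and flag series whose inter-request
    gaps are nearly constant: enough hits with a tiny standard deviation.
    Returns {(client, host): {"hits", "mean_interval", "jitter"}}."""
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)
        if jitter <= max_jitter:
            beacons[pair] = {"hits": len(stamps), "mean_interval": mean(gaps), "jitter": jitter}
    return beacons


if __name__ == "__main__":
    for (client, host), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info['hits']} hits every ~{info['mean_interval']:.1f}s")
```

Real malware often adds jitter to its sleep, so in production the `max_jitter` threshold is tuned per environment and combined with host-level indicators rather than used alone.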

Mac, Linux Malware Is Like Sweet Pancakes

Threat actors continuously updating their code with new threat vectors and obfuscation techniques is nothing new. The recent surge in malware targeting Mac and Linux devices, however, says a lot about how the landscape is shifting.

TeamTNT reinforces Black-T

TeamTNT is known to exfiltrate AWS credential files on compromised cloud systems and mine for Monero (XMR). 

  • Unit 42 researchers discovered a new variant of the cryptojacking malware Black-T, the brainchild of the TeamTNT cybercrime group, that boosts its capabilities against Linux systems.
  • The added capabilities include in-memory password scraping via mimipy (Windows/Linux/OSX) and mimipenguin (Linux desktop), two open-source Mimikatz equivalents targeting *NIX desktops.

IPStorm prepares for thunder

The IPStorm botnet had targeted only Windows systems until now. Its size has quadrupled from around 3,000 systems in May 2019 to more than 13,500 devices by the end of September.

  • IPStorm now has newer versions targeting Android, Linux, and Mac devices.
  • Linux and Mac devices are infected after the gang brute-forces their SSH services.
  • Android devices, on the other hand, are infected when the malware scans the internet for devices that have left their ADB (Android Debug Bridge) port exposed online.

FinSpy’s malware spin

A new surveillance campaign was reported targeting Egyptian civil society organizations.

  • FinSpy, also known as FinFisher, used new variants that target macOS and Linux users. The spyware already had tools for Windows, iOS, and Android users.
  • Besides keylogging, call interception, and screen recording, the malware's additional capabilities include stealing emails by installing a malicious add-on in Apple Mail and Thunderbird and collecting Wi-Fi network information.

Concluding phrase

Cybercriminals rolling out tools that target Linux and Mac devices put a dent in the widely held opinion that those operating systems are inherently more secure and not susceptible to malicious code. Experts recommend reviewing network settings and avoiding unnecessary online applications. Other useful tips include configuring the firewall, filtering traffic, and protecting locally stored SSH keys used for network services.

WaterBear! The Malware

A number of Taiwanese government entities have recently been targeted by a fresh WaterBear campaign in sophisticated cyberattacks. Associated with the BlackTech threat group, the malware has been observed reusing leftovers from previous attacks on the same targets in April 2020 that had not been fully eradicated.

According to CyCraft researchers, the latest WaterBear malware features new capabilities that allow the WaterBear loader to deploy additional malicious packages.

  • The campaign leveraged a vulnerability in a common and trusted Data Loss Prevention (DLP) tool to load the WaterBear malware, perform DLL hijacking, and stealthily trigger the next-stage malware.
  • Using a decade-old antivirus evasion technique known as Heaven's Gate, the attackers have been successfully tricking Windows into hiding WaterBear's network behaviour from security engines.
  • In addition, the attackers inflated binary sizes to bypass scanning altogether, forced DLLs to unload to obfuscate the malware, and padded memory with Kernel32 content to confuse analysis.
  • The threat actor leveraged the Windows IKEEXT service, along with system services such as Winmgmt, System Event Notification Service (SENS), Wuauserv, and LanmanServer, in their attacks.

Precautions

The chances of malware campaigns succeeding keep rising as they become stealthier. Experts advise adding the published IOCs to blocklists in detection and response solutions. Organizations and users are recommended to use firewalls, antivirus, and DLP solutions, as well as AI-driven detection and response solutions, to increase SOC efficiency, automate investigations, and reduce alert fatigue.

Malware of Malware | Valak shows up again

An updated variant of the Valak malware family earned a place on a security firm’s “most wanted malware” list for the first time.

First detected back in 2019, Valak garnered the attention of Cybereason in May 2020 for its ability to function beyond a malware loader and independently operate as an information stealer.

That was just a month before SentinelOne observed Valak using “clientgrabber,” a plugin which enabled the malware to steal email credentials from the registry.

At the beginning of July 2020, Valak was observed using stolen email threads and password-protected .ZIP archives to target organizations in the financial, manufacturing, health care and insurance sectors.

September 2020 marked the third successive month of Emotet’s run at the top of Check Point’s Global Threat Index. Meanwhile, the Qbot trojan rose from 10th place to 6th place that same month.

These new campaigns spreading Valak are another example of how threat actors look to maximize their investments in established, proven forms of malware. Together with the updated versions of Qbot which emerged in August, Valak is intended to enable data and credential theft at scale from organizations and individuals. Businesses should look at deploying anti-malware solutions that can prevent such content reaching end-users, and advise their employees to be cautious when opening emails, even when they appear to be from a trusted source.