Malware adds sandbox detection to evade analysis

Any.Run is a malware analysis sandbox service that lets researchers and users safely analyze malware without risk to their computers.

When an executable is submitted to Any.Run, the sandbox service creates a Windows virtual machine with an interactive remote desktop and executes the submitted file within it.

Researchers can utilize the interactive Windows desktop to see what behavior the malware is exhibiting, while Any.Run records its network activity, file activity, and registry changes.

In a newly discovered spam campaign distributing a password-stealing trojan, malicious PowerShell scripts download and install the malware onto the victim's computer.

If the script detects that it is running on Any.Run, it displays the message ‘Any.run Deteceted!’ and exits. The malware is therefore never executed, so the sandbox has nothing to analyze.

Using this method, threat actors make it more difficult for researchers to analyze their attacks using an automated system.

When executed on a normal virtual machine, or a live system, the password-stealing Trojan would be allowed to execute and steal saved login credentials in browsers, FTP programs, and other software.

While this will not prevent a researcher from analyzing a particular sample using other methods, it does force them to put more effort into the analysis.

With online malware analysis sandbox platforms becoming more commonly used by security researchers, we can expect to see more malware continue to target them.

Malicious Google Plugins ! Be cautious.

Internet users should exercise caution when installing Google Chrome extensions: Google has removed over 100 malicious extensions after they were found collecting “sensitive” user data.

The Computer Emergency Response Team of India (CERT-In), the national technology arm that combats cyberattacks and guards Indian cyberspace, said these extensions were also found to contain code to bypass Google Chrome’s web store security scans. The malicious extensions had the ability to take screenshots, read the clipboard, harvest authentication cookies or grab user keystrokes to read passwords and other confidential information.

“It has been reported that Google has removed 106 extensions of the Google Chrome browser from the chrome web store which were found collecting sensitive user data,” the agency said in the advisory. “These extensions reportedly posed as tools to improve web searches, convert files between different formats as security scanners and more.”

The federal cybersecurity agency advised users to uninstall the malicious Google Chrome extensions. Users can open the Chrome extensions page (chrome://extensions) and enable developer mode, which shows each extension's ID, to check whether any of the listed extensions are installed and then remove them from their browsers.

The agency advised Internet users to only install extensions that are absolutely needed and to read user reviews before doing so. They should uninstall extensions that are not in use, it said, adding that users should not install extensions from unverified sources. The extension IDs in question are:

  • acmnokigkgihogfbeooklgemindnbine
  • apgohnlmnmkblgfplgnlmkjcpocgfomp
  • apjnadhmhgdobcdanndaphcpmnjbnfng
  • bahkljhhdeciiaodlkppoonappfnheoi
  • bannaglhmenocdjcmlkhkcciioaepfpj
  • bgffinjklipdhacmidehoncomokcmjmh
  • bifdhahddjbdbjmiekcnmeiffabcfjgh
  • bjpknhldlbknoidifkjnnkpginjgkgnm
  • blngdeeenccpfjbkolalandfmiinhkak
  • ccdfhjebekpopcelcfkpgagbehppkadi
  • cceejgojinihpakmciijfdgafhpchigo
  • cebjhmljaodmgmcaecenghhikkjdfabo
  • chbpnonhcgdbcpicacolalkgjlcjkbbd
  • cifafogcmckphmnbeipgkpfbjphmajbc
  • clopbiaijcfolfmjebjinippgmdkkppj
  • cpgoblgcfemdmaolmfhpoifikehgbjbf
  • dcmjopnlojhkngkmagminjbiahokmfig
  • deiiiklocnibjflinkfmefpofgcfhdga
  • dipecofobdcjnpffbkmfkdbfmjfjfgmn
  • dopkmmcoegcjggfanajnindneifffpck
  • dopmojabcdlfbnppmjeaajclohofnbol
  • edcepmkpdojmciieeijebkodahjfliif
  • ekbecnhekcpbfgdchfjcfmnocdfpcanj
  • elflophcopcglipligoibfejllmndhmp
  • eogfeijdemimhpfhlpjoifeckijeejkc
  • fcobokliblbalmjmahdebcdalglnieii
  • fgafnjobnempajahhgebbbpkpegcdlbf
  • fgcomdacecoimaejookmlcfogngmfmli
  • fgmeppijnhhafacemgoocgelcflipnfd
  • fhanjgcjamaagccdkanegeefdpdkeban
  • flfkimeelfnpapcgmobfgfifhackkend
  • fmahbaepkpdimfcjpopjklankbbhdobk
  • foebfmkeamadbhjcdglihfijdaohomlm
  • fpngnlpmkfkhodklbljnncdcmkiopide
  • gdifegeihkihjbkkgdijkcpkjekoicbl
  • gfcmbgjehfhemioddkpcipehdfnjmief
  • gfdefkjpjdbiiclhimebabkmclmiiegk
  • ggijmaajgdkdijomfipnpdfijcnodpip
  • ghgjhnkjohlnmngbniijbkidigifekaa
  • gllihgnfnbpdmnppfjdlkciijkddfohn
  • gmmohhcojdhgbjjahhpkfhbapgcfgfne
  • gofhadkfcffpjdbonbladicjdbkpickk
  • hapicipmkalhnklammmfdblkngahelln
  • hijipblimhboccjcnnjnjelcdmceeafa
  • hmamdkecijcegebmhndhcihjjkndbjgk
  • hodfejbmfdhcgolcglcojkpfdjjdepji
  • hpfijbjnmddglpmogpaeofdbehkpball
  • ianfonfnhjeidghdegbkbbjgliiciiic
  • ibfjiddieiljjjccjemgnoopkpmpniej
  • inhdgbalcopmbpjfincjponejamhaeop
  • iondldgmpaoekbgabgconiajpbkebkin
  • ipagcbjbgailmjeaojmpiddflpbgjngl
  • jagbooldjnemiedoagckjomjegkopfno
  • jdheollkkpfglhohnpgkonecdealeebn
  • jfefcmidfkpncdkjkkghhmjkafanhiam
  • jfgkpeobcmjlocjpfgocelimhppdmigj
  • jghiljaagglmcdeopnjkfhcikjnddhhc
  • jgjakaebbliafihodjhpkpankimhckdf
  • jiiinmeiedloeiabcgkdcbbpfelmbaff
  • jkdngiblfdmfjhiahibnnhcjncehcgab
  • jkofpdjclecgjcfomkaajhhmmhnninia
  • kbdbmddhlgckaggdapibpihadohhelao
  • keceijnpfmmlnebgnkhojinbkopolaom
  • khhemdcdllgomlbleegjdpbeflgbomcj
  • kjdcopljcgiekkmjhinmcpioncofoclg
  • kjgaljeofmfgjfipajjeeflbknekghma
  • labpefoeghdmpbfijhnnejdmnjccgplc
  • lameokaalbmnhgapanlloeichlbjloak
  • lbeekfefglldjjenkaekhnogoplpmfin
  • lbhddhdfbcdcfbbbmimncbakkjobaedh
  • ldoiiiffclpggehajofeffljablcodif
  • lhjdepbplpkgmghgiphdjpnagpmhijbg
  • ljddilebjpmmomoppeemckhpilhmoaok
  • ljnfpiodfojmjfbiechgkbkhikfbknjc
  • lnedcnepmplnjmfdiclhbfhneconamoj
  • lnlkgfpceclfhomgocnnenmadlhanghf
  • loigeafmbglngofpkkddgobapkkcaena
  • lpajppfbbiafpmbeompbinpigbemekcg
  • majekhlfhmeeplofdolkddbecmgjgplm
  • mapafdeimlgplbahigmhneiibemhgcnc
  • mcfeaailfhmpdphgnheboncfiikfkenn
  • mgkjakldpclhkfadefnoncnjkiaffpkp
  • mhinpnedhapjlbgnhcifjdkklbeefbpa
  • mihiainclhehjnklijgpokdpldjmjdap
  • mmkakbkmcnchdopphcbphjioggaanmim
  • mopkkgobjofbkkgemcidkndbglkcfhjj
  • mpifmhgignilkmeckejgamolchmgfdom
  • nabmpeienmkmicpjckkgihobgleppbkc
  • nahhmpbckpgdidfnmfkfgiflpjijilce
  • ncepfbpjhkahgdemgmjmcgbgnfdinnhk
  • npaklgbiblcbpokaiddpmmbknncnbljb
  • npdfkclmbnoklkdebjfodpendkepbjek
  • nplenkhhmalidgamfdejkblbaihndkcm
  • oalfdomffplbcimjikgaklfamodahpmi
  • odnakbaioopckimfnkllgijmkikhfhhf
  • oklejhdbgggnfaggiidiaokelehcfjdp
  • omgeapkgiddakeoklcapboapbamdgmhp
  • oonbcpdabjcggcklopgbdagbfnkhbgbe
  • opahibnipmkjincplepgjiiinbfmppmh
  • pamchlfnkebmjbfbknoclehcpfclbhpl
  • pcfapghfanllmbdfiipeiihpkojekckk
  • pchfjdkempbhcjdifpfphmgdmnmadgce
  • pdpcpceofkopegffcdnffeenbfdldock
  • pgahbiaijngfmbbijfgmchcnkipajgha
  • pidohlmjfgjbafgfleommlolmbjdcpal
  • pilplloabdedfmialnfchjomjmpjcoej
  • pklmnoldkkoholegljdkibjjhmegpjep
  • pknkncdfjlncijifekldbjmeaiakdbof
  • plmgefkiicjfchonlmnbabfebpnpckkk
  • pnciakodcdnehobpfcjcnnlcpmjlpkac
  • ponodoigcmkglddlljanchegmkgkhmgb
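To turn the manual developer-mode check into something repeatable, here is an added example (not CERT-In's or Google's code) that walks Chrome's on-disk profile layout and reports any installed extension whose ID appears in a flagged set. It assumes the standard layout `<User Data>/<Profile>/Extensions/<id>/<version>/manifest.json`; the ID set is a small sample from the list above (paste in the full list for a real scan), and the directory tree it builds for demonstration, including the benign extension ID in it, is constructed.

```python
"""Check local Chrome profiles for extension IDs flagged in the CERT-In advisory.

Added example (not CERT-In's or Google's code). Assumes the standard Chrome
user-data layout: <User Data>/<Profile>/Extensions/<extension id>/<version>/manifest.json
"""
import json
import os
import sys
import tempfile

# Sample of IDs taken from the advisory list above; paste in the full list for a real scan.
FLAGGED_IDS = frozenset({
    "acmnokigkgihogfbeooklgemindnbine",
    "apgohnlmnmkblgfplgnlmkjcpocgfomp",
    "bahkljhhdeciiaodlkppoonappfnheoi",
    "ponodoigcmkglddlljanchegmkgkhmgb",
})


def default_user_data_dir():
    """Best-effort location of Chrome's 'User Data' directory per platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    if sys.platform == "darwin":
        return os.path.expanduser("~/Library/Application Support/Google/Chrome")
    return os.path.expanduser("~/.config/google-chrome")


def installed_extensions(user_data_dir):
    """Yield (profile, extension_id, name) for every extension unpacked on disk.

    Chrome keeps each installed extension under <profile>/Extensions/<id>/<version>/;
    the display name is read from manifest.json when one is present.
    """
    if not os.path.isdir(user_data_dir):
        return
    for profile in sorted(os.listdir(user_data_dir)):
        ext_root = os.path.join(user_data_dir, profile, "Extensions")
        if not os.path.isdir(ext_root):
            continue
        for ext_id in sorted(os.listdir(ext_root)):
            ext_dir = os.path.join(ext_root, ext_id)
            if not os.path.isdir(ext_dir):
                continue
            name = "?"
            for version in sorted(os.listdir(ext_dir)):
                manifest = os.path.join(ext_dir, version, "manifest.json")
                if os.path.isfile(manifest):
                    try:
                        with open(manifest, encoding="utf-8") as fh:
                            name = json.load(fh).get("name", name)
                    except (OSError, ValueError):
                        pass  # unreadable manifest: still report the ID
            yield profile, ext_id, name


def find_flagged(user_data_dir, flagged=FLAGGED_IDS):
    """Return the installed extensions whose ID is in the flagged set."""
    return [(p, i, n) for p, i, n in installed_extensions(user_data_dir) if i in flagged]


def build_sample_user_data_dir():
    """Create a constructed Chrome-like directory tree for offline demonstration."""
    root = tempfile.mkdtemp(prefix="chrome-sample-")
    layout = {
        ("Default", "acmnokigkgihogfbeooklgemindnbine", "1.0_0"): "Search Helper",
        ("Default", "abcdefghijklmnopabcdefghijklmnop", "3.2_0"): "Benign Example",  # constructed ID
        ("Profile 1", "ponodoigcmkglddlljanchegmkgkhmgb", "2.1_0"): "File Converter",
    }
    for (profile, ext_id, version), name in layout.items():
        d = os.path.join(root, profile, "Extensions", ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version.split("_")[0]}, fh)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else default_user_data_dir()
    hits = find_flagged(target)
    for profile, ext_id, name in hits:
        print(f"[!] {profile}: {ext_id} ({name})")
    if not hits:
        print("No flagged extension IDs found under", target)
```

Run it with no argument to scan the current user's Chrome profiles, or pass a `User Data` path (for example one copied from another machine) to scan that instead. A hit means the extension directory is still on disk; remove it from the extensions page rather than deleting the folder by hand.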

Anarchy grabber ! Password Stealer

Hackers have updated the AnarchyGrabber trojan to a new version which is capable of stealing passwords and user tokens, disabling 2FA and spreading malware.

This is the second update the trojan has received this year as it was also updated back in April to modify Discord client files in order to evade detection by antivirus software and steal user accounts every time someone logs into the popular chat service.

AnarchyGrabber is distributed for free on hacking forums and in YouTube videos and the trojan is used by cybercriminals on Discord who claim it is a game cheat, hacking tool or copyrighted software. Instead it modifies the Discord client’s JavaScript files to turn it into malware that can steal a victim’s Discord user token which is then used by an attacker to log into the popular chat service as the victim.

Hackers have now released a modified version of the AnarchyGrabber trojan with updated and more powerful features.

AnarchyGrabber3

AnarchyGrabber3 is a new variant of the popular malware which can steal a victim’s plain text passwords and even command an infected client to spread malware to a victim’s Discord friends. Since the attackers are now stealing plain text passwords, they can also use them in credential stuffing attacks in order to compromise a victim’s other online accounts as well.

When installed, AnarchyGrabber3 will modify the Discord client’s index.js file to load additional JavaScript files, including a custom inject.js from a 4n4rchy folder as well as a malicious file called discordmod.js. The malicious scripts will then log the user out of Discord and ask them to log in again.

When a victim logs in, the modified Discord client will try to disable 2FA on their account. The client then uses a Discord webhook to send the user’s email address, login name, user token, plain text password and IP address to a Discord channel controlled by the attacker. The modified client will also listen for commands sent by the attacker once the victim is logged in. One of these commands can even be used to send a message to all of the victim’s friends that contains malware the attackers want to spread.

This trojan is particularly dangerous because it makes it hard for average users to know they’re infected as the AnarchyGrabber3 executable does not stay on a user’s system or run again after it has modified the Discord client files.

Thankfully, it is quite easy to see if your system has been infected with AnarchyGrabber3.

Simply open Discord’s index.js file in %AppData%\Discord\[version]\modules\discord_desktop_core with Notepad and look for a single line of code that looks like this: "module.exports = require('./core.asar')". If your client contains no other code, then it likely hasn’t been infected with the trojan.
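The Notepad check above can be scripted so that it tolerates harmless formatting differences but flags any extra code. The following is an added example, not code from the article or from Discord: it normalizes index.js (comments, blank lines, semicolons and quote style stripped) and compares it with the single expected line, and it also looks for the 4n4rchy folder, inject.js and discordmod.js names the article describes. The `discord_core_dirs()` path discovery assumes the %AppData%\Discord\[version]\modules\discord_desktop_core layout from the text, and the tampered directory it builds for demonstration is constructed.

```python
"""Check a Discord discord_desktop_core directory for AnarchyGrabber3-style tampering.

Added example; not code from the article or from Discord. The one expected line
of index.js is the line quoted in the article; the 4n4rchy folder, inject.js and
discordmod.js names come from the article's description of the trojan.
"""
import os
import re
import tempfile

EXPECTED_CORE_LINE = "module.exports = require('./core.asar')"
SUSPICIOUS_NAMES = ("4n4rchy", "inject.js", "discordmod.js")


def normalize_js(source):
    """Drop comments, blank lines, semicolons and quote style so only real code differences remain."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)   # block comments
    source = re.sub(r"^\s*//.*$", "", source, flags=re.M)   # whole-line comments
    lines = [ln.strip().rstrip(";").strip() for ln in source.splitlines()]
    return [ln.replace('"', "'") for ln in lines if ln]


def index_js_is_clean(source):
    """True only when index.js consists of the single expected require() line."""
    return normalize_js(source) == [EXPECTED_CORE_LINE]


def extra_lines(source):
    """Every normalized line other than the expected one: the code an analyst should read."""
    return [ln for ln in normalize_js(source) if ln != EXPECTED_CORE_LINE]


def assess_core_dir(core_dir):
    """Return human-readable findings for one discord_desktop_core directory."""
    findings = []
    index_path = os.path.join(core_dir, "index.js")
    if os.path.isfile(index_path):
        with open(index_path, encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        if not index_js_is_clean(src):
            findings.append("index.js contains unexpected code: " + "; ".join(extra_lines(src)))
    for name in sorted(os.listdir(core_dir)):
        if name.lower() in SUSPICIOUS_NAMES:
            findings.append("suspicious artifact present: " + name)
    return findings


def discord_core_dirs():
    """Candidate %AppData%\\Discord\\<version>\\modules\\discord_desktop_core directories on Windows."""
    base = os.path.join(os.environ.get("APPDATA", ""), "Discord")
    if not os.path.isdir(base):
        return []
    dirs = [os.path.join(base, v, "modules", "discord_desktop_core") for v in os.listdir(base)]
    return [d for d in dirs if os.path.isfile(os.path.join(d, "index.js"))]


def build_sample_core_dir():
    """Create a constructed, tampered discord_desktop_core tree for offline demonstration."""
    core = tempfile.mkdtemp(prefix="discord_desktop_core-")
    with open(os.path.join(core, "index.js"), "w", encoding="utf-8") as fh:
        fh.write("module.exports = require('./core.asar');\n"
                 "require('./4n4rchy/inject.js');\n"
                 "require('./discordmod.js');\n")
    os.mkdir(os.path.join(core, "4n4rchy"))
    open(os.path.join(core, "discordmod.js"), "w").close()
    return core


if __name__ == "__main__":
    targets = discord_core_dirs() or [build_sample_core_dir()]
    for core in targets:
        found = assess_core_dir(core)
        print(core, "->", "clean" if not found else "")
        for f in found:
            print("  [!]", f)
```

On a machine without Discord the script falls back to the constructed sample so the output can be seen; on an infected client the first finding quotes the extra `require()` lines, which is exactly what to hand to whoever reinstalls the client and rotates the account credentials.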

Blue Mockingbird ! Juicy Potato 🥔 …

Thousands of enterprise systems are believed to have been infected with a cryptocurrency-mining malware operated by a group tracked under the codename of Blue Mockingbird.

Discovered earlier this month by malware analysts from cloud security firm Red Canary, the Blue Mockingbird group is believed to have been active since December 2019.

Researchers say Blue Mockingbird attacks public-facing servers running ASP.NET apps that use the Telerik framework for their user interface (UI) component.

Hackers exploit the CVE-2019-18935 vulnerability to plant a web shell on the attacked server. They then use a version of the Juicy Potato technique to gain admin-level access and modify server settings to obtain (re)boot persistence.

Once they gain full access to a system, they download and install a version of XMRig, a popular cryptocurrency mining app for the Monero (XMR) cryptocurrency.

Some attacks pivot to internal networks

If the public-facing IIS servers are connected to a company’s internal network, the group also attempts to spread internally via weakly-secured RDP (Remote Desktop Protocol) or SMB (Server Message Block) connections.

Crypto Mining

The dangerous Telerik UI vulnerability

The vulnerability is particularly dangerous because the vulnerable Telerik UI component may be embedded in ASP.NET applications that are otherwise running their latest versions, while the Telerik component itself is many versions out of date, still exposing companies to attacks.

Many companies and developers may not even know if the Telerik UI component is even part of their applications, which, again, leaves companies exposed to attacks.

And this confusion has been ruthlessly exploited by attackers over the past year, ever since details about the vulnerability became public.

For example, in an advisory published in late April, the US National Security Agency (NSA) listed the Telerik UI CVE-2019-18935 vulnerability as one of the most exploited vulnerabilities used to plant web shells on servers.

In many cases, organizations may not have the option of updating their vulnerable apps. Those companies need to ensure that exploitation attempts for CVE-2019-18935 are blocked at the firewall level.

If they don’t have a web application firewall, companies need to look for signs of a compromise at the server and workstation level.
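One server-side sign to look for is in the IIS logs. The following is an added example, not from Red Canary or the article: it parses IIS W3C log lines using their `#Fields:` header and lists POST requests to the Telerik async-upload handler, which is the component CVE-2019-18935 lives in and which answers at `Telerik.Web.UI.WebResource.axd` with `type=rau` in the query string (a documented property of the Telerik component, not something this page states). The log lines are constructed; legitimate file uploads also hit this handler, so the output is a triage list grouped by client IP, not a verdict.

```python
"""Triage IIS W3C logs for POSTs to the Telerik UI RadAsyncUpload handler.

Added example, not Red Canary's or the article's code. CVE-2019-18935 is reached
through the RadAsyncUpload handler, served at Telerik.Web.UI.WebResource.axd
with type=rau in the query string. SAMPLE_LOG below is constructed.
"""
import collections
import re
import urllib.parse

HANDLER_RE = re.compile(r"telerik\.web\.ui\.webresource\.axd$", re.I)


def parse_iis_w3c(lines):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data seen before a #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def is_rau_request(entry):
    """True when the request targets the RadAsyncUpload handler (type=rau)."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")   # IIS writes '-' for an empty query
    if not HANDLER_RE.search(stem):
        return False
    params = urllib.parse.parse_qs("" if query == "-" else query)
    return "rau" in [v.lower() for v in params.get("type", [])]


def triage(lines):
    """Return (per-client POST counts, matching entries) for RAU requests.

    Legitimate uploads also use this handler; a burst of POSTs from one client,
    especially with 5xx responses, is what deserves a closer look.
    """
    hits = [e for e in parse_iis_w3c(lines)
            if is_rau_request(e) and e.get("cs-method") == "POST"]
    per_client = collections.Counter(e.get("c-ip", "?") for e in hits)
    return per_client, hits


# Constructed sample in IIS W3C format (documentation addresses, not real clients)
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2020-05-20 10:01:02 10.0.0.5 GET /Default.aspx - 443 203.0.113.7 Mozilla/5.0 200 15
2020-05-20 10:01:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.23 200 120
2020-05-20 10:01:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.23 500 2310
2020-05-20 10:01:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.7 python-requests/2.23 500 2405
2020-05-20 10:02:30 10.0.0.5 POST /app/Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.9 Mozilla/5.0 200 88
2020-05-20 10:03:00 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd - 443 198.51.100.9 Mozilla/5.0 200 5
"""

if __name__ == "__main__":
    counts, entries = triage(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip}: {n} RAU POST(s)")
    for e in entries:
        print(" ", e["date"], e["time"], e["c-ip"], e["cs-uri-stem"], e["sc-status"])
```

To run it over real logs, replace `SAMPLE_LOG.splitlines()` with the lines of a file from `%SystemDrive%\inetpub\logs\LogFiles`; the field list is taken from each file's own header, so it copes with sites logging different columns. The repeated 500s from one scripted client in the sample are the pattern worth escalating; a single 200 from a browser is usually just an upload.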

“As always, our primary purpose in publishing information like this is to help security teams develop detection strategies for threat techniques that are likely to be used against them. In this way, we think that it’s important for security to evaluate their ability to detect things like COR_PROFILER-based persistence and initial access via Telerik vulnerability exploitation.”
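The COR_PROFILER persistence the quote refers to relies on the CLR loading whatever profiler DLL the COR_ENABLE_PROFILING / COR_PROFILER environment variables name, so the machine- and user-level environment keys are where to check. Below is an added example of that check, not Red Canary's detection logic: it parses the text that `reg query` prints for those two keys and rates what it finds. The registry dump, CLSID and DLL path in it are constructed placeholders, and the "DLL under Program Files is less suspicious" rule is an assumption to tune, since legitimate APM and diagnostic agents set these variables too.

```python
"""Flag CLR profiler environment variables that can carry COR_PROFILER persistence.

Added example, not Red Canary's detection logic. It parses the text `reg query`
prints for the two environment hives and reports when a profiler DLL is both
enabled and registered. The registry dump, CLSID and DLL path below are
constructed placeholders; the Program Files "trusted directory" rule is an
assumption to tune, since legitimate APM and diagnostic agents set these too.
"""
import re
import sys

ENV_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
    r"HKEY_CURRENT_USER\Environment",
)
# reg query prints each value as "<name>    <REG_type>    <data>", separated by runs of spaces
VALUE_RE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")
TRUSTED_DIR_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)
PATH_NAMES = ("COR_PROFILER_PATH", "COR_PROFILER_PATH_64", "COR_PROFILER_PATH_32")


def parse_reg_query(text):
    """Return {key_path: {VALUE_NAME: data}} from reg query output."""
    hives, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            hives[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            hives[current][name.strip().upper()] = data.strip()
    return hives


def profiler_findings(hives):
    """Return (severity, message) per hive that carries any COR_* profiler setting."""
    findings = []
    for key, values in hives.items():
        cor = {k: v for k, v in values.items() if k.startswith("COR_")}
        if not cor:
            continue
        enabled = cor.get("COR_ENABLE_PROFILING") == "1"
        profiler = cor.get("COR_PROFILER")
        path = next((cor[n] for n in PATH_NAMES if n in cor), None)
        if enabled and profiler:
            msg = f"{key}: profiling enabled, COR_PROFILER={profiler}"
            if path and not TRUSTED_DIR_RE.match(path):
                findings.append(("high", msg + f", DLL outside Program Files: {path}"))
            elif path:
                findings.append(("medium", msg + f", path={path} (confirm it belongs to a known product)"))
            else:
                findings.append(("medium", msg + " (no explicit path; resolve the CLSID under HKCR\\CLSID)"))
        else:
            findings.append(("low", f"{key}: partial profiler configuration {cor}"))
    return findings


# Constructed reg query output; the CLSID and DLL name are placeholders, not real indicators
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    ComSpec    REG_EXPAND_SZ    %SystemRoot%\system32\cmd.exe
    COR_ENABLE_PROFILING    REG_SZ    1
    COR_PROFILER    REG_SZ    {11111111-2222-3333-4444-555555555555}
    COR_PROFILER_PATH    REG_SZ    C:\Windows\Temp\example_profiler.dll
    Path    REG_EXPAND_SZ    %SystemRoot%\system32

HKEY_CURRENT_USER\Environment
    TEMP    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Temp
"""

if __name__ == "__main__":
    # On Windows, pipe real output in, one reg query per key in ENV_KEYS:
    #   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" | python this_script.py
    text = SAMPLE_REG_QUERY if sys.stdin.isatty() else sys.stdin.read()
    for severity, message in profiler_findings(parse_reg_query(text)):
        print(f"[{severity}] {message}")
```

Run the two `reg query` commands on the IIS host and feed the output in; a "high" finding means the next .NET process to start will load a DLL from a writable, non-product location, which is worth pulling for analysis before anything else.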