iOS Trustjacking – A Dangerous New iOS Vulnerability


An iPhone user’s worst nightmare is to have someone gain persistent control over his/her device, including the ability to record and control all activity without even needing to be in the same room. In this blog post, we present a new vulnerability called “Trustjacking”, which allows an attacker to do exactly that.

This vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer. A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device. In addition, we will walk through past related vulnerabilities and show the changes that Apple has made in order to mitigate them, and why these are not enough to prevent similar attacks.

A recap of related past vulnerabilities / attacks

We saw several publications in the past that discuss leveraging unauthorized USB connections in order to get private information from mobile devices.

Prior to iOS 7, connecting an iOS device to a new computer didn’t require any authorization from the device owner. Juice jacking [1] [2] [3] uses this behavior and is able to steal sensitive information from devices and may install malware on the victim’s device. Apple solved this issue by adding the popup requesting the user to authorize new computers before allowing any sync operations.

Another publication discusses Videojacking, which utilizes the ability of Apple’s connector to be used as an HDMI connection and get a screen recording of iOS devices while connected to a malicious charger.

Both exploits allowed an attacker potential access to sensitive information, but their major limitation was that everything is possible only while the device is physically connected to the malicious hardware – disconnecting the device stops the attack flow.

Trustjacking allows an attacker to gain a more continuous and persistent hold of the device and retain the same abilities long after the device has been disconnected from the malicious hardware. To understand how this works, we first need to explain iTunes Wi-Fi sync.

What is iTunes Wi-Fi sync?

iTunes Wi-Fi sync is a very useful feature that allows iOS devices to be synced with iTunes without having to physically connect the iOS device to the computer.

Enabling this feature requires syncing the iOS device with iTunes first by connecting to a computer with a cable, then enabling the option to sync with the iOS device over Wi-Fi.

Trustjacking – how does it work?

Upon connecting an iOS device to a new computer, the users are being asked whether they trust the connected computer or not. Choosing to trust the computer allows it to communicate with the iOS device via the standard iTunes APIs.

This allows the computer to access the photos on the device, perform backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. Furthermore, this allows activating the “iTunes Wi-Fi sync” feature, which makes it possible to continue this kind of communication with the device even after it has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network. It is interesting to note that enabling “iTunes Wi-Fi sync” does not require the victim’s approval and can be conducted purely from the computer side.

Getting a live stream of the device’s screen can be done easily by repeatedly asking for screenshots and displaying or recording them remotely.

It is important to note that other than the initial single point of failure, authorizing the malicious computer, there is no other mechanism that prevents this continued access. In addition, there is nothing that notifies the users that by authorizing the computer they allow access to their device even after disconnecting the USB cable.


Imagine the following scenario: A victim connects his phone to a free charger in an airport; upon connecting his phone to the charger a popup message appears on his device, requesting him to approve the connected device. Approving this request might seem reasonable: the victim wants to charge his device, the service seems legitimate and it appears that nothing suspicious happens following the approval.

Demonstration Trustjacking

Attack Flow

From the user's perspective, all he has to do is connect his device to a malicious charger / computer (which might also be his own computer, as outlined later on) and choose to trust it.

Reading the text of the prompt, the user is led to believe that this is only relevant while the device is physically connected to the computer, and assumes that disconnecting it will prevent any access to his private data. Even if the device is only connected for a very short period of time, that is enough for an attacker to execute the steps needed to maintain visibility of all actions performed on the device after it is disconnected.

The attacker needs to take two steps:

  • Allow the device to connect to iTunes
  • Enable iTunes Wi-Fi sync

These steps can be automated by malicious software. Interestingly, they do not require any additional approval from the victim and do not trigger any indication on the device that something is happening. Once these actions are completed, the device no longer needs to be physically connected to the attacking hardware. Now the attacker can control the device remotely, as long as the victim and attacker are connected to the same network.

In order to be able to view the victim’s device screen, the attacker needs to install the developer image suitable for the victim’s device iOS version; then, he can take screenshots repeatedly and view the device’s screen in near real time. Installing the developer image can be conducted over Wi-Fi and does not require regaining physical access to the device. Although a restart may remove the developer image from the device, the hacker has continued access and can reinstall it easily.

Taking it to the next level

In addition to remotely viewing the victim’s device screen, Trustjacking also allows an attacker to do much more.

One of the features that an attacker can leverage is remote iTunes backup. By creating a backup of the device’s contents the attacker is able to get access to a lot of private information such as:

  • Photos
  • SMS / iMessage chat history
  • App data

In order to get this information we had to parse the iTunes backup.

The backup consists of several metadata files and the backed up files themselves. Each backed up file is stored under a file name equal to SHA1(“%domain%-%relativePath%”), inside a directory whose name is the first 2 hex digits of that hash.

For example, a photo with the path “Media/DCIM/100APPLE/IMG_0059.JPG” will be stored in the path “b1/b12bae0603700bdf7719c3a65b22ca2f12715d37” as “b12bae…” is the SHA1 hash of “CameraRollDomain-Media/DCIM/100APPLE/IMG_0059.JPG”.

All of the backed up files are listed in the “Manifest.db” file, which is an SQLite3 database, so they can be enumerated simply by querying it.

A simple query such as

`SELECT * FROM Files WHERE relativePath LIKE '%Media/DCIM%' ORDER BY relativePath;`

will list all of the pictures that have been backed up, including their hashes.

Reading SMS / iMessage history requires parsing another SQLite3 database, which can be found in the file “3d/3d0d7e5fb2ce288813306e4d4636395e047a3d28” (the SHA1 equivalent of “HomeDomain-Library/SMS/sms.db”).

The two interesting tables are “chat” that lists all of the chats, and “message” that contains all of the messages for those chats, with “chat_message_join” to join them.
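To make the backup layout above concrete, here is an added Python example (my own illustration, not code from the original post) that computes the SHA1-based storage path for a backed up file and runs the same Manifest.db query over a constructed, in-memory Manifest.db. The Files table columns (fileID, domain, relativePath, flags, file) are the layout I know from unencrypted backups and should be treated as an assumption; the rows, the AppDomain-com.example.notes domain and the WATCH_LIST are constructed for the example. The sensitive_stores() helper is the defender's use of the same information: checking what an unencrypted backup would expose.

```python
import hashlib
import sqlite3


def backup_path(domain, relative_path):
    """Location of one file inside an unencrypted iTunes backup.

    The file name is SHA1("<domain>-<relativePath>") and the file sits in a
    directory named after the first two hex digits of that hash.
    """
    digest = hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()
    return f"{digest[:2]}/{digest}"


# Constructed sample rows (domain, relativePath). The real Manifest.db holds
# one row per backed up file in its Files table.
SAMPLE_ROWS = [
    ("HomeDomain", "Library/SMS/sms.db"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0059.JPG"),
    ("CameraRollDomain", "Media/DCIM/100APPLE/IMG_0001.JPG"),
    ("AppDomain-com.example.notes", "Documents/notes.json"),  # constructed app id
]


def build_sample_manifest():
    """Build an in-memory Manifest.db with the (assumed) Files table layout
    fileID, domain, relativePath, flags, file and the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for domain, rel in SAMPLE_ROWS:
        file_id = backup_path(domain, rel).split("/")[1]
        db.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)",
                   (file_id, domain, rel))
    db.commit()
    return db


def list_backed_up(db, pattern):
    """The post's query: files whose relativePath matches an SQL LIKE pattern,
    returned as (domain, relativePath, 'xx/<sha1>') tuples."""
    rows = db.execute(
        "SELECT fileID, domain, relativePath FROM Files "
        "WHERE relativePath LIKE ? ORDER BY relativePath",
        (pattern,),
    ).fetchall()
    return [(domain, rel, f"{fid[:2]}/{fid}") for fid, domain, rel in rows]


# Assumed watch list of sensitive stores a defender would check for; the
# sms.db entry is the one the post names, extend the list as needed.
WATCH_LIST = {
    ("HomeDomain", "Library/SMS/sms.db"): "SMS / iMessage history",
}


def sensitive_stores(db):
    """Report which watch-listed stores are present in the backup, keyed by
    label, so the exposure of an unencrypted backup can be assessed."""
    present = {}
    for (domain, rel), label in WATCH_LIST.items():
        file_id = backup_path(domain, rel).split("/")[1]
        if db.execute("SELECT 1 FROM Files WHERE fileID = ?", (file_id,)).fetchone():
            present[label] = backup_path(domain, rel)
    return present


if __name__ == "__main__":
    manifest = build_sample_manifest()
    for domain, rel, path in list_backed_up(manifest, "%Media/DCIM%"):
        print(f"{path}  {domain}  {rel}")
    print(sensitive_stores(manifest))
```

Against a real backup directory you would open its Manifest.db instead of the in-memory one. When encrypted backups are enabled in iTunes, Manifest.db itself is stored encrypted and this parser cannot open it without the backup password, which is exactly why the encrypted-backup mitigation described later matters.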

iOS Trustjacking – Backup and Restore Exploit

And there is more. An attacker can also use this access to the device to install malicious apps, and even replace existing apps with a modified, wrapped version that looks exactly like the original app but is able to spy on the user while the app is in use, and can even leverage private APIs to spy on other activity all the time. In the following video we demonstrate how an attacker can identify the apps on the device and replace one with a repackaged version of it. Notice the fraction of a second in which the app is deleted and reinstalled.

iOS Trustjacking – Replace Apps Exploit

Is the attack confined to Wi-Fi only?

The attacks that we have described require the device and the attacking computer to be connected to the same network. Usually this means being in proximity to the victim’s device and connected to the same Wi-Fi, but this is not the only option.

By combining this attack with the malicious profile attack, we are able to connect the device to a VPN server and create a continuous connection between the victim’s device and the attacker’s computer and leverage this attack anytime and without the restriction of being in proximity with the device or connected to the same network.

iOS 11 – following our disclosure to Apple

Following our responsible disclosure process, Apple chose to add a mechanism that should make sure that only the real owner of the iOS device can choose to trust a connected new computer. This is done by requiring the user to enter his / her passcode when choosing to authorize and trust a computer.

As can be clearly seen in this screenshot, the user is still being told that this authorization is only relevant while the device is connected to the computer, making him believe that disconnecting his device guarantees that no one can access his private data.

While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above.

What if the attacker infects the victim’s computer rather than using a malicious charger?

A limitation of the malicious-charger attack flow is the potentially short period of time during which the victim and the iOS device are in the same proximity/network as the malicious computer. It would be far more devastating if the user’s own computer became the malicious actor. This powerful use-case of Trustjacking can happen when the device owner’s own PC or Mac has been compromised by malware. In this case, the attacker can utilize the relation of trust between the victim’s iOS device and computer, along with the fact that one’s own computer is usually in close proximity to the mobile phone (e.g. at home, in the office, etc.), to gain deep insight not only into the actions on the infected computer, but also into the victim’s mobile phone activity over time.


Unfortunately, there is no way to list all of the trusted computers and revoke access selectively. The best way to ensure that no unwanted computers are trusted by your iOS device is to clear the trusted computers list by going to Settings > General > Reset > Reset Location & Privacy. After doing so, you will need to re-authorize each previously connected computer the next time you connect your iOS device to it.

In order to protect device backups and avoid attackers leveraging Trustjacking in order to get their hands on additional private information, enable encrypted backups in iTunes and choose a strong password.

Installing a Mobile Threat Defense solution such as SEP Mobile or Norton Mobile Security will help to protect your device from other implications of such attacks. SEP Mobile will identify and protect the end user against the installation of malicious profiles or apps, and against attempts to compromise the device via this technique; leveraging integrations with the SEP product line, customers have full visibility into both mobile and desktop operating systems.

For app developers – avoid including sensitive data in the iTunes backup, as this reduces the risk of attackers leveraging Trustjacking to obtain such data by accessing your app’s backup.


We would like to thank Apple’s security team for their cooperation and continued commitment to the security of Apple’s user base.


Over 2 Million Users Installed Malicious Ad Blockers From Chrome Store

If you have installed any of the below-mentioned ad blocker extensions in your Chrome browser, you could have been hacked.

A security researcher has spotted five malicious ad blocker extensions in the Google Chrome Store that had already been installed by at least 20 million users.

Unfortunately, malicious browser extensions are nothing new. They often have access to everything you do online and could allow their creators to steal any information victims enter into any website they visit, including passwords, web browsing history and credit card details.

Discovered by Andrey Meshkov, co-founder of Adguard, these five malicious extensions are copycat versions of some legitimate, well-known Ad Blockers.

Creators of these extensions also used popular keywords in their names and descriptions to rank top in the search results, increasing the possibility of getting more users to download them.

“All the extensions I’ve highlighted are simple rip-offs with a few lines of code and some analytics code added by the authors,” Meshkov says.


After Meshkov reported his findings to Google on Tuesday, the tech giant immediately removed the following malicious ad blocker extensions from its Chrome Store:

  • AdRemover for Google Chrome™ (10 million+ users)
  • uBlock Plus (8 million+ users)
  • [Fake] Adblock Pro (2 million+ users)
  • HD for YouTube™ (400,000+ users)
  • Webutation (30,000+ users)

Meshkov downloaded the ‘AdRemover’ extension for Chrome, and after analyzing it, he discovered that malicious code hidden inside a modified version of jQuery, a well-known JavaScript library, sends information about some of the websites a user visits back to a remote server.

The malicious extension then receives commands from the remote server, which are executed in the extension ‘background page’ and can change your browser’s behavior in any way.

To avoid detection, the commands sent by the remote server are hidden inside a harmless-looking image.

“These commands are scripts which are then executed in the privileged context (extension’s background page) and can change your browser behavior in any way,” Meshkov says.

“Basically, this is a botnet composed of browsers infected with the fake Adblock extensions,” Meshkov says. “The browser will do whatever the command center server owner orders it to do.”

The researcher also analyzed other extensions on the Chrome Store and found four more extensions using similar tactics.

Since a browser extension takes permission to access all the web pages you visit, it can do practically anything.

So, you are advised to install as few extensions as possible and only from companies you trust.


Another Critical Flaw Found In Drupal Core—Patch Your Sites Immediately

For the second time within a month, Drupal has been found to contain another critical vulnerability that could allow remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft.

Discovered by the Drupal security team, the open source content management framework is affected by a cross-site scripting (XSS) vulnerability that resides in CKEditor, a third-party plugin that comes pre-integrated in Drupal core to help site administrators and users create interactive content.

CKEditor is a popular JavaScript-based WYSIWYG rich text editor which is used by many websites and comes pre-installed with some popular web projects.

According to a security advisory released by CKEditor, the XSS vulnerability stems from improper validation of the “img” tag in the Enhanced Image plugin for CKEditor 4.5.11 and later versions.


This could allow an attacker to execute arbitrary HTML and JavaScript code in the victim’s browser and gain access to sensitive information.

The Enhanced Image plugin was introduced in CKEditor 4.3 and supports an advanced way of inserting images into the content using the editor.

“The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses),” the Drupal security team said.

CKEditor has patched the vulnerability with the release of CKEditor version 4.9.2, which has also been patched in the CMS by the Drupal security team with the release of Drupal version 8.5.2 and Drupal 8.4.7.

Since the CKEditor plugin in Drupal 7.x is configured to load from CDN servers, it is not affected by the flaw.

However, if you have installed the CKEditor plugin manually, you are advised to download and upgrade your plugin to the latest version from its official website.

Drupal recently patched another critical vulnerability, dubbed Drupalgeddon2, a remote code execution bug that allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8.

However, because many site owners do not patch their systems and websites in a timely manner, the Drupalgeddon2 vulnerability has been found being exploited in the wild by hackers to deliver cryptocurrency miners, backdoors, and other malware.

Therefore, users are strongly recommended to always take security advisories seriously and keep their systems and software up-to-date in order to avoid becoming victims of any cyber attack.


Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege

Posted by James Forshaw, Project Zero
Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in the previous blog post has been remediated. This is an example of a long term security benefit from detailing how vulnerabilities might be exploited, giving a developer an incentive to find ways of mitigating the exploitation vector.
Keeping with that spirit in this blog post I’ll introduce a novel technique to exploit the more common case of arbitrary file writes on Windows 10. Perhaps once again Microsoft might be able to harden the OS to make it more difficult to exploit these types of vulnerabilities. I’ll demonstrate exploitation by describing in detail the recently fixed issue that Project Zero reported to Microsoft (issue 1428).
An arbitrary file write vulnerability is where a user can create or modify a file in a location they could not normally access. This might be due to a privileged service incorrectly sanitizing information passed by the user or due to a symbolic link planting attack where the user can write a link into a location which is subsequently used by the privileged service. The ideal vulnerability is one where the attacking user not only controls the location of the file being written but also the entire contents. This is the type of vulnerability we’ll consider in this blog post.

A common way of exploiting arbitrary file writes is to perform DLL hijacking. When a Windows executable begins executing the initial loader in NTDLL will attempt to find all imported DLLs. The locations that the loader checks for imported DLLs are more complex than you’d expect but for our purposes can be summarized as follows:

  1. Check Known DLLs, which is a pre-cached list of DLLs which are known to the OS. If found, the DLL is mapped into memory from a pre-loaded section object.
  2. Check the application’s directory, for example if importing TEST.DLL and the application is in C:\APP then it will check C:\APP\TEST.DLL.
  3. Check the system locations, such as C:\WINDOWS\SYSTEM32 and C:\WINDOWS.
  4. If all else fails search the current environment PATH.


The aim of the DLL hijack is to find an executable which runs at a high privilege which will load a DLL from a location that the vulnerability allows us to write to. The hijack only succeeds if the DLL hasn’t already been found in a location checked earlier.
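Here is an added Python model of that simplified search order (my own illustration, not code from the post) that a defender can use to audit which imports of a privileged executable would be looked for in a user-writable directory before the loader reaches the trusted copy. The host layout, the C:\APP application directory, the user-writable C:\TOOLS entry on PATH and the import list are all constructed; a real audit would read the import table and the directory ACLs from the system.

```python
from dataclasses import dataclass

# System directories checked after the application directory, in the order
# the post gives (step 3). PATH (step 4) comes from the host model.
SYSTEM_DIRS = [r"C:\WINDOWS\SYSTEM32", r"C:\WINDOWS"]


@dataclass
class Host:
    """Constructed model of what the loader would see on one machine."""
    known_dlls: set           # names served from KnownDLLs (step 1)
    dll_files: set            # full paths of DLLs that exist on disk
    user_writable_dirs: set   # directories a standard user can write to
    path_env: list            # entries of the PATH environment variable


def search_dirs(host, app_dir):
    """Steps 2-4 of the simplified order: app dir, system dirs, then PATH."""
    return [app_dir.upper()] + SYSTEM_DIRS + [p.upper() for p in host.path_env]


def resolve_dll(host, app_dir, dll_name):
    """Where the loader would take dll_name from: "KnownDLLs", a full path,
    or None if the import cannot be satisfied."""
    name = dll_name.upper()
    if name in {k.upper() for k in host.known_dlls}:
        return "KnownDLLs"
    files = {f.upper() for f in host.dll_files}
    for d in search_dirs(host, app_dir):
        if f"{d}\\{name}" in files:
            return f"{d}\\{name}"
    return None


def shadowing_dir(host, app_dir, dll_name):
    """First directory in the search order that a standard user can write to
    and that the loader reaches no later than the directory holding the real
    DLL. A DLL placed there would be loaded instead of the intended one;
    None means the import cannot be shadowed on this host."""
    name = dll_name.upper()
    if name in {k.upper() for k in host.known_dlls}:
        return None  # KnownDLLs are mapped from a section object, not from disk
    files = {f.upper() for f in host.dll_files}
    writable = {w.upper() for w in host.user_writable_dirs}
    for d in search_dirs(host, app_dir):
        if d in writable:
            return d
        if f"{d}\\{name}" in files:
            return None  # found in a trusted directory first
    return None


def audit_imports(host, app_dir, imports):
    """Map each import that could be shadowed to the directory that allows it."""
    findings = {}
    for dll in imports:
        where = shadowing_dir(host, app_dir, dll)
        if where is not None:
            findings[dll] = where
    return findings


# Constructed host: VERSION.DLL lives in SYSTEM32, HELPER.DLL ships with the
# application, and C:\TOOLS is a user-writable directory that sits on PATH.
SAMPLE_HOST = Host(
    known_dlls={"kernel32.dll", "ntdll.dll"},
    dll_files={r"C:\WINDOWS\SYSTEM32\VERSION.DLL", r"C:\APP\HELPER.DLL"},
    user_writable_dirs={r"C:\TOOLS"},
    path_env=[r"C:\TOOLS"],
)
# Constructed import table of a hypothetical privileged C:\APP\SERVICE.EXE.
SAMPLE_IMPORTS = ["kernel32.dll", "version.dll", "helper.dll", "missing.dll"]

if __name__ == "__main__":
    for dll in SAMPLE_IMPORTS:
        print(dll, "->", resolve_dll(SAMPLE_HOST, r"C:\APP", dll))
    print("shadowable:", audit_imports(SAMPLE_HOST, r"C:\APP", SAMPLE_IMPORTS))
```

On the sample host only the missing import is reported, because it falls through to the writable PATH entry; if the application directory itself were user-writable, every non-KnownDLLs import would be reported, which is the situation the post describes for executables installed outside SYSTEM32 with weak permissions.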
There are two problems which make DLL hijacking annoying:

  1. You typically need to create a new instance of a privileged process as the majority of DLL imports are resolved when the process is first executed.
  2. Most system binaries, executables and DLLs that will run as a privileged user will be installed into SYSTEM32.

The second problem means that in steps 2 and 3 the loader will always look for DLLs in SYSTEM32. Assuming that overwriting a DLL isn’t likely to be an option (at the least if the DLL is already loaded you can’t write to the file), that makes it harder to find a suitable DLL to hijack. A typical way around these problems is to pick an executable that is not located in SYSTEM32 and which can be easily activated, such as by loading a COM server or running a scheduled task.
Even if you find a suitable target executable to DLL hijack the implementation can be quite ugly. Sometimes you need to implement stub exports for the original DLL, otherwise the loading of the DLL will fail. In other cases the best place to run code is during DllMain, which introduces other problems such as running code inside the loader lock. What would be nice is a privileged service that will just load an arbitrary DLL for us, no hijacking, no needing to spawn the “correct” privileged process. The question is, does such a service exist?
It turns out that one does, and the service itself has been abused at least twice previously, once by Lokihardt for a sandbox escape, and once by me for user to system EoP. This service goes by the name “Microsoft (R) Diagnostics Hub Standard Collector Service,” but we’ll call it DiagHub for short.
The DiagHub service was introduced in Windows 10, although there’s a service that performs a similar task called IE ETW Collector in Windows 7 and 8.1. The purpose of the service is to collect diagnostic information using Event Tracing for Windows (ETW) on behalf of sandboxed applications, specifically Edge and Internet Explorer. One of its interesting features is that it can be configured to load an arbitrary DLL from the SYSTEM32 directory, which is the exact feature that Lokihardt and I exploited to gain elevated privileges. All the functionality for the service is exposed over a registered DCOM object, so in order to load our DLL we’ll need to work out how to call methods on that DCOM object. At this point you can skip to the end but if you want to understand how I would go about finding how the DCOM object is implemented, the next section might be of interest.

Reverse Engineering a DCOM Object

Let’s go through the steps I would take to try and find what interfaces an unknown DCOM object supports and find the implementation so we can reverse engineer them. There are two approaches I will typically take, go straight for RE in IDA Pro or similar, or do some on-system inspection first to narrow down the areas we have to investigate. Here we’ll go for the second approach as it’s more informative. I can’t say how Lokihardt found his issue; I’m going to opt for magic.
For this approach we’ll need some tools, specifically my OleViewDotNet v1.4+ (OVDN) tool from github as well as an installation of WinDBG from the SDK. The first step is to find the registration information for the DCOM object and discover what interfaces are accessible. We know that the DCOM object is hosted in a service, so once you’ve loaded OVDN go to the menu Registry ⇒ Local Services and the tool will load a list of registered system services which expose COM objects. If you now find the “Microsoft (R) Diagnostics Hub Standard Collector Service” service (applying a filter here is helpful) you should find the entry in the list. If you open the service tree node you’ll see a child, “Diagnostics Hub Standard Collector Service,” which is the hosted DCOM object. If you open that tree node the tool will create the object, then query for all remotely accessible COM interfaces to give you a list of interfaces the object supports. I’ve shown this in the screenshot below:
While we’re here it’s useful to inspect what security is required to access the DCOM object. If you right click the class treenode you can select View Access Permissions or View Launch Permissions and you’ll get a window that shows the permissions. In this case it shows that this DCOM object will be accessible from IE Protected Mode as well as Edge’s AppContainer sandbox, including LPAC.
Of the list of interfaces shown we only really care about the standard interfaces. Sometimes there are interesting interfaces in the factory but in this case there aren’t. Of these standard interfaces there are two we care about, the IStandardCollectorAuthorizationService and IStandardCollectorService. Just to cheat slightly I already know that it’s the IStandardCollectorService service we’re interested in, but as the following process is going to be the same for each of the interfaces it doesn’t matter which one we pick first. If you right click the interface treenode and select Properties you can see a bit of information about the registered interface.


There’s not much more information that will help us here, other than we can see there are 8 methods on this interface. As with a lot of COM registration information, this value might be missing or erroneous, but in this case we’ll assume it’s correct. To understand what the methods are we’ll need to track down the implementation of IStandardCollectorService inside the COM server. This knowledge will allow us to target our RE efforts to the correct binary and the correct methods. Doing this for an in-process COM object is relatively easy as we can query for an object’s VTable pointer directly by dereferencing a few pointers. However, for out-of-process it’s more involved. This is because the actual in-process object you’d call is really a proxy for the remote object, as shown in the following diagram:
All is not lost, however; we can still find the VTable of the OOP object by extracting the information stored about the object in the server process. Start by right clicking the “Diagnostics Hub Standard Collector Service” object tree node and select Create Instance. This will create a new instance of the COM object as shown below:
The instance gives you basic information such as the CLSID for the object which we’ll need later (in this case {42CBFAA7-A4A7-47BB-B422-BD10E9D02700}) as well as the list of supported interfaces. Now we need to ensure we have a connection to the interface we’re interested in. For that select the IStandardCollectorService interface in the lower list, then in the Operations menu at the bottom select Marshal ⇒ View Properties. If successful you’ll now see the following new view:
There’s a lot of information in this view but the two pieces of most interest are the Process ID of the hosting service and the Interface Pointer Identifier (IPID). In this case the Process ID should be obvious as the service is running in its own process, but this isn’t always the case—sometimes when you create a COM object you’ve no idea which process is actually hosting the COM server so this information is invaluable. The IPID is the unique identifier in the hosting process for the server end of the DCOM object; we can use the Process ID and the IPID in combination to find this server and from that find out the location of the actual VTable implementing the COM methods. It’s worth noting that the maximum Process ID size from the IPID is 16 bits; however, modern versions of Windows can have much larger PIDs so there’s a chance that you’ll have to find the process manually or restart the service multiple times until you get a suitable PID.
Now we’ll use a feature of OVDN which allows us to reach into the memory of the server process and find the IPID information. You can access information about all processes through the main menu Object ⇒ Processes but as we know which process we’re interested in just click the View button next to the Process ID in the marshal view. You do need to be running OVDN as an administrator otherwise you’ll not be able to open the service process. If you’ve not done so already the tool will ask you to configure symbol support as OVDN needs public symbols to find the correct locations in the COM DLLs to parse. You’ll want to use the version of DBGHELP.DLL which comes with WinDBG as that supports remote symbol servers. Configure the symbols similar to the following dialog:
If everything is correctly configured and you’re an administrator you should now see more details about the IPID, as shown below:
The two most useful pieces of information here are the Interface pointer, which is the location of the heap allocated object (in case you want to inspect its state), and the VTable pointer for the interface. The VTable address gives us information for where exactly the COM server implementation is located. As we can see here the VTable is located in a different module (DiagnosticsHub.StandardCollector.Runtime) from the main executable (DiagnosticsHub.StandardCollector.Server). We can verify the VTable address is correct by attaching to the service process using WinDBG and dumping the symbols at the VTable address. We also know from before we’re expecting 8 methods so we can take that into account by using the command:
dqs DiagnosticsHub_StandardCollector_Runtime+0x36C78 L8
Note that WinDBG converts periods in a module name to underscores. If successful you’ll see something similar to the following screenshot:
Extracting out that information we now get the name of the methods (shown below) as well as the address in the binary. We could set breakpoints and see what gets called during normal operation, or take this information and start the RE process.
The list of methods looks correct: they start with the 3 standard methods for a COM object, which in this case are implemented by the ATL library. Following those methods are five implemented by the StandardCollectorService class. Being public symbols, this doesn’t tell us what parameters we expect to pass to the COM server. Due to C++ names containing some type information, IDA Pro might be able to extract that information for you, however that won’t necessarily tell you the format of any structures which might be passed to the function. Fortunately due to how COM proxies are implemented using the Network Data Representation (NDR) interpreter to perform marshalling, it’s possible to reverse the NDR bytecode back into a format we can understand. In this case go back to the original service information, right click the IStandardCollectorService treenode and select View Proxy Definition. This will get OVDN to parse the NDR proxy information and display a new view as shown below.
Viewing the proxy definition will also parse out any other interfaces which that proxy library implements. This is likely to be useful for further RE work. The decompiled proxy definition is shown in a C# like pseudo code but it should be easy to convert into working C# or C++ as necessary. Notice that the proxy definition doesn’t contain the names of the methods but we’ve already extracted those out. So applying a bit of cleanup and the method names we get a definition which looks like the following:
struct IStandardCollectorService : IUnknown {
   HRESULT CreateSession(_In_ struct Struct_24* p0,
                         _In_ IStandardCollectorClientDelegate* p1,
                         _Out_ ICollectionSession** p2);
   HRESULT GetSession(_In_ GUID* p0, _Out_ ICollectionSession** p1);
   HRESULT DestroySession(_In_ GUID* p0);
   HRESULT DestroySessionAsync(_In_ GUID* p0);
   HRESULT AddLifetimeMonitorProcessIdForSession(_In_ GUID* p0, _In_ int p1);
};
There’s one last piece missing; we don’t know the definition of the Struct_24 structure. It’s possible to extract this from the RE process but fortunately in this case we don’t have to. The NDR bytecode must know how to marshal this structure across so OVDN just extracts the structure definition out for us automatically: select the Structures tab and find Struct_24.
As you go through the RE process you can repeat this process as necessary until you understand how everything works. Now let’s get to actually exploiting the DiagHub service and demonstrating its use with a real world exploit.

Example Exploit

So after our efforts of reverse engineering, we’ll discover that in order to load a DLL from SYSTEM32 we need to do the following steps:
  1. Create a new Diagnostics Session using IStandardCollectorService::CreateSession.
  2. Call the ICollectionSession::AddAgent method on the new session, passing the name of the DLL to load (without any path information).
The simplified loading code for ICollectionSession::AddAgent is as follows:
HRESULT EtwCollectionSession::AddAgent(LPCWSTR dll_path,
                                       REFGUID guid) {
  WCHAR valid_path[MAX_PATH];
  // Validate the agent name and expand it to a full path.
  if (!GetValidAgentPath(dll_path, valid_path)) {
    return E_INVALIDARG;
  }
  // Load the DLL from the validated path...
  HMODULE mod = LoadLibraryExW(valid_path, nullptr,
                               LOAD_WITH_ALTERED_SEARCH_PATH);
  // ...and call its exported DllGetClassObject.
  dll_get_class_obj = GetProcAddress(mod, "DllGetClassObject");
  return dll_get_class_obj(guid);
}
We can see that it checks that the agent path is valid and returns a full path (this is where the previous EoP bugs existed: insufficient checks). This path is then loaded using LoadLibraryEx, after which the DLL is queried for the exported method DllGetClassObject, which is then called. Therefore to easily get code execution all we need is to implement that method and drop the file into SYSTEM32. The implemented DllGetClassObject will be called outside the loader lock so we can do anything we want. The following code (error handling removed) will be sufficient to load a DLL called dummy.dll.
IStandardCollectorService* service;
CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service));

// Struct_24 from the proxy definition, with the fields named.
SessionConfiguration config = {};
config.version = 1;
config.monitor_pid = ::GetCurrentProcessId();
config.path = ::SysAllocString(L"C:\\Dummy");
ICollectionSession* session;
service->CreateSession(&config, nullptr, &session);

GUID agent_guid;
session->AddAgent(L"dummy.dll", agent_guid);
All we need now is the arbitrary file write so that we can drop a DLL into SYSTEM32, load it and elevate our privileges. For this I’ll demonstrate using a vulnerability I found in the SvcMoveFileInheritSecurity RPC method in the system Storage Service. This function caught my attention due to its use in an exploit for a vulnerability in ALPC discovered and presented by Clément Rouault & Thomas Imbert at PACSEC 2017. While this method was just a useful exploit primitive for the vulnerability I realized it has not one, but two actual vulnerabilities lurking in it (at least from a normal user privilege). The code prior to any fixes for SvcMoveFileInheritSecurity looked like the following:
void SvcMoveFileInheritSecurity(LPCWSTR lpExistingFileName,
                                LPCWSTR lpNewFileName,
                                DWORD dwFlags) {
  ACL acl;
  if (!RpcImpersonateClient()) {
    // Move file while impersonating.
    if (MoveFileEx(lpExistingFileName, lpNewFileName, dwFlags)) {
      RpcRevertToSelf();
      // Copy inherited DACL while not.
      InitializeAcl(&acl, sizeof(acl), ACL_REVISION);
      DWORD status = SetNamedSecurityInfo(lpNewFileName, SE_FILE_OBJECT,
          UNPROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
          nullptr, nullptr, &acl, nullptr);
      // On failure, try to undo the move (no longer impersonating).
      if (status != ERROR_SUCCESS)
        MoveFileEx(lpNewFileName, lpExistingFileName, dwFlags);
    } else {
      // Copy file instead...
      RpcRevertToSelf();
    }
  }
}
The purpose of this method seems to be to move a file then apply any inherited ACEs to the DACL from the new directory location. This would be necessary as when a file is moved on the same volume, the old filename is unlinked and the file is linked to the new location. However, the new file will maintain the security assigned from its original location. Inherited ACEs are only applied when a new file is created in a directory, or, as in this case, when the ACEs are explicitly applied by calling a function such as SetNamedSecurityInfo.
To ensure this method doesn’t allow anyone to move an arbitrary file while running as the service’s user, which in this case is Local System, the RPC caller is impersonated. The trouble starts immediately after the first call to MoveFileEx: the impersonation is reverted and SetNamedSecurityInfo is called. If that call fails then the code calls MoveFileEx again to try and revert the original move operation. This is the first vulnerability; it’s possible that the original filename location now points somewhere else, such as through the abuse of symbolic links. It’s pretty easy to cause SetNamedSecurityInfo to fail: just add a Deny ACE for Local System with WRITE_DAC to the file’s DACL and it’ll return an error, which causes the revert and you get an arbitrary file creation. This was reported as issue 1427.
This is not in fact the vulnerability we’ll be exploiting, as that would be too easy. Instead we’ll exploit a second vulnerability in the same code: the fact that we can get the service to call SetNamedSecurityInfo on any file we like while running as Local System. This can be achieved either by abusing the impersonated device map to redirect the local drive letter (such as C:) when doing the initial MoveFileEx, which then results in lpNewFileName pointing to an arbitrary location, or more interestingly abusing hard links. This was reported as issue 1428. We can exploit this using hard links as follows:
  1. Create a hard link to a target file in SYSTEM32 that we want to overwrite. We can do this as you don’t need to have write privileges to a file to create a hard link to it, at least outside of a sandbox.
  2. Create a new directory location that has an inheritable ACE for a group such as Everyone or Authenticated Users to allow for modification of any new file. You don’t even typically need to do this explicitly; for example, any new directory created in the root of the C: drive has an inherited ACE for Authenticated Users. Then a request can be made to the RPC service to move the hardlinked file to the new directory location. The move succeeds under impersonation as long as we have FILE_DELETE_CHILD access to the original location and FILE_ADD_FILE in the new location, which we can arrange.
  3. The service will now call SetNamedSecurityInfo on the moved hardlink file. SetNamedSecurityInfo will pick up the inherited ACEs from the new directory location and apply them to the hardlinked file. The reason the ACEs are applied to the hardlinked file is from the perspective of SetNamedSecurityInfo the hardlinked file is in the new location, even though the original target file we linked to was in SYSTEM32.
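The hard-link step above works because a hard link is just a second name for the same file object, so a security change made through the new name reaches the original SYSTEM32 file. As an added illustration (not part of the original post), the following Python models the check a hardened mover could make before applying inherited ACEs: record the identity of the object it moved and refuse to touch anything that has other links. The scratch directory names and the portable stat-based identity are assumptions for the demo; on Windows the equivalent data is the file ID and nNumberOfLinks from GetFileInformationByHandle.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class FileIdentity:
    """Identity of a file system object, independent of the path used to reach it."""
    device: int
    inode: int   # on Windows: the file ID from GetFileInformationByHandle
    links: int   # number of hard links (nNumberOfLinks on Windows)


def identity(path: str) -> FileIdentity:
    st = os.stat(path)
    return FileIdentity(st.st_dev, st.st_ino, st.st_nlink)


def safe_to_apply_inherited_acl(moved_path: str, moved: FileIdentity) -> Tuple[bool, str]:
    """Decide whether a mover may apply the destination's inheritable ACEs.

    A hardened SvcMoveFileInheritSecurity-style routine should only modify the
    object it actually moved, and only when that object is not reachable through
    another hard link; otherwise the ACL change also lands on the other path.
    """
    now = identity(moved_path)
    if (now.device, now.inode) != (moved.device, moved.inode):
        return False, "destination path no longer refers to the moved object"
    if now.links > 1:
        return False, f"object has {now.links} hard links; an ACL change would reach other paths"
    return True, "ok"


def simulate(use_hard_link: bool) -> Tuple[bool, str]:
    """Run a move in a scratch tree (constructed sample, not a real system32)."""
    with tempfile.TemporaryDirectory() as root:
        protected = os.path.join(root, "system32")       # stands in for SYSTEM32
        inbox = os.path.join(root, "inbox")              # caller-controlled source dir
        dest_dir = os.path.join(root, "world_writable")  # dir with permissive inheritable ACEs
        for d in (protected, inbox, dest_dir):
            os.mkdir(d)
        target = os.path.join(protected, "license.rtf")
        with open(target, "w") as fh:
            fh.write("constructed license text\n")

        source = os.path.join(inbox, "harmless.rtf")
        if use_hard_link:
            os.link(target, source)   # second name for the protected object
        else:
            with open(source, "w") as fh:
                fh.write("an ordinary file\n")

        moved_identity = identity(source)              # captured before the move
        dest = os.path.join(dest_dir, "harmless.rtf")
        os.replace(source, dest)                       # the MoveFileEx step
        return safe_to_apply_inherited_acl(dest, moved_identity)


if __name__ == "__main__":
    print("plain file:", simulate(False))
    print("hard link: ", simulate(True))
```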
By exploiting this we can modify the security of any file that Local System can access for WRITE_DAC access. Therefore we can modify a file in SYSTEM32, then use the DiagHub service to load it. There is a slight problem, however. The majority of files in SYSTEM32 are actually owned by the TrustedInstaller group and so cannot be modified, even by Local System. We need to find a file we can write to which isn’t owned by TrustedInstaller. Also we’d want to pick a file that won’t cause the OS install to become corrupt. We don’t care about the file’s extension as AddAgent only checks that the file exists and loads it with LoadLibraryEx. There are a number of ways we can find a suitable file, such as using the SysInternals AccessChk utility, but to be 100% certain that the Storage Service’s token can modify the file we’ll use my NtObjectManager PowerShell module (specifically its Get-AccessibleFile cmdlet, which accepts a process to do the access check from). While the module was designed for checking accessible files from a sandbox, it also works to check for files accessible by privileged services. If you run the following script as an administrator with the module installed the $files variable will contain a list of files that the Storage Service has WRITE_DAC access to.
Import-Module NtObjectManager

Start-Service -Name "StorSvc"
Set-NtTokenPrivilege SeDebugPrivilege | Out-Null
# Open the service process and run the access check from its token.
$files = Use-NtObject($p = Get-NtProcess -ServiceName "StorSvc") {
   Get-AccessibleFile -Win32Path C:\Windows\system32 -Recurse `
    -MaxDepth 1 -FormatWin32Path -AccessRights WriteDac -CheckMode FilesOnly `
    -ProcessIds $p.ProcessId
}
Looking through the list of files I decided to pick on the file license.rtf, which contains a short license statement for Windows. The advantage of this file is that it’s very unlikely to be critical to the operation of the system, so overwriting it shouldn’t cause the installation to become corrupted.
So putting it all together:
  1. Use the Storage Service vulnerability to change the security of the license.rtf file inside SYSTEM32.
  2. Copy a DLL, which implements DllGetClassObject over the license.rtf file.
  3. Use the DiagHub service to load our modified license file as a DLL, get code execution as Local System and do whatever we want.
If you’re interested in seeing a fully working example, I’ve uploaded a full exploit to the original issue on the tracker.

Wrapping Up

In this blog post I’ve described a useful exploit primitive for Windows 10, which you can even use from some sandboxed environments such as Edge LPAC. Finding these sorts of primitives makes exploitation much simpler and less error-prone. Also I’ve given you a taste of how you can go about finding your own bugs in similar DCOM implementations.

Go to Source
Author: Ben

PBot: a Python-based adware

Recently, we came across a Python-based sample dropped by an exploit kit. Although it arrives under the disguise of a MinerBlocker, it has nothing in common with miners. In fact, it seems to be PBot/PythonBot: a Python-based adware.

Apart from a couple of posts on Russian-language forums and brief threat notes, we couldn’t find any detailed publication.

Some of its features are pretty interesting, so we decided to take a closer look. The malware performs MITB (man-in-the-browser) attacks and injects various scripts into legitimate websites. Its capabilities may go beyond simple injections of ads, depending on the intentions of its distributors.

Analyzed samples

Distribution method

The described sample was dropped by the RIG exploit kit:

Behavioral analysis


The main executable, dropped by the exploit kit, is a downloader. The downloader is pretty simple and not obfuscated. We can see the scripts in the resources:

Its role is to fetch the second installer that has all the malicious Python scripts inside. The second component is named MinerBlocker.

The interesting thing is, if the downloaded component is run as a standalone, it behaves like a normal, legitimate installer, displaying a EULA and installation wizard. We can see the following information:

It pretends to be a legitimate application dedicated to blocking malicious miners. However, we could not find any website corresponding to the mentioned product, so at the moment we suspect that it is fully made up.

When the same component is run by the original downloader, the installation is fully stealthy instead. It drops the package in %APPDATA%.


The dropped application consists of multiple elements. We can see a full installation of Python prepared in order to run the dropped scripts. The bundle also has its own uninstaller (uninstall.exe) that, once deployed, fully removes the package.

In the directory js, as the name suggests, we can find a file with JavaScript, i.js:

In configs, there are two configuration files: rules.ini and settings.ini.

The configuration file rules.ini specifies the path to the JavaScript and suggests that it will be injected somewhere:

The file settings.ini contains various interesting parameters. It contains, among others:

1) The ports on which the service will be running, and the issuer of the certificate used:

2) A list of processes (browsers) that will possibly be attacked:

3) A set of whitelisted IPs and domains. The domains are in Base64 format and, after decoding them, we can see various Russian banking sites. The full list of the decoded sites is available here. As we later confirmed, those sites are exempted from the infection.

Persistence is achieved by Run keys in the registry:

They lead to one of the scripts called “” Once this script is run, it deploys another Python component: “” with the dropped .ini files:


If we look at the packaging, which contains an uninstaller, the application could look legitimate. However, its functionality is far from something that any user would desire to have on his/her computer. First of all, it injects scripts into each website you visit. The injected script comes from the path specified in the configuration; however, it further loads a second stage from the remote server (captured content of the second stage available here).

So, once it is injected, the attackers are in control of the contents displayed in our browser. They can inject ads, but also any other much more malicious content.

Example of a site with the script injected by the malware that impersonates a domain belonging to Google:

Compare it with the script that was in the directory js, i.js (formatted version available here):

Also, the malware forges certificates and performs the man-in-the-browser attack. The legitimate certificates on the sites with HTTPS are replaced by fake certificates issued by “The Filter” that is a malicious entity:

Looking at the sockets opened by a browser (e.g. with Process Explorer) and comparing them with the sockets opened by the Python instance, we find that they are paired together. It is an indicator that the browser communicates with the malware and works under its control.

Example: Internet Explorer connected to socket 24681. We can see that this socket was opened by the Python process running the malware:


The loader (written in Python)

The first layer of the malware is the obfuscated Python scripts.

As mentioned before, at the beginning, the script is run. This script is obfuscated. Its role is to run the second Python layer that is

The script is supposed to decrypt a DLL stored in the file httpfilter.bin.

Then, it injects the DLL into the Python executable. It is interesting because PE injectors written in Python are not so common.

The injector (DLL)

The DLL injected in Python (e5ba5f821da68331b875671b4b946b56) is the main component of the malware. This component expects to be injected into Python executable:

It also fetches the passed parameters (settings.ini and rules.ini). So we can see that they were not meant to be parsed by the script to which they were previously passed.

The authors left some debug strings that make the execution flow easy to follow. For example:

This DLL is responsible for parsing the configuration and setting up the malicious proxy.

It comes with two hardcoded DLLs: one 32-bit and one 64-bit (both stored in the overlay of the PE file and not obfuscated). Those DLLs are the components that are further injected into the browsers selected by the configuration. Their names are, appropriately, injectee-x86.dll and injectee-x64.dll:

The injectee (DLL)

The execution of injectee DLL starts in the exported function, InjectorEntry:

The injectee is implanted in a browser and responsible for hooking its DLLs. Here’s the beginning of the hooking function:

The hooking function is pretty standard for this type of malware. It retrieves the addresses of the specified exported functions, then it overwrites the beginning of each function, redirecting it to the corresponding function within the malicious DLL.

The targets are functions responsible for parsing certificates (in Crypt32.dll), as well as functions responsible for sending and receiving data (in ws32_dll):

When we dump the hooks via PE-sieve, we can directly see how those functions have been redirected to the malware. Here is the list of tags gathered from the appropriate DLLs:

From Crypt32:


From ws32_dll:


In both cases, we can see that the addresses have been redirected to the injectee DLL that was loaded at the base 50000.

So, for example, the function WSASend gets intercepted and the execution is redirected to a function at RVA 0xd90 in the injectee dll:

The beginning of the intercepting function:

In this way, all the requests are redirected to the malware. It can work as a proxy, altering data on the way.

After the proxy function finishes, it jumps back to the original function, so the user doesn’t realize any change in the functionality.
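The hooks described above leave a recognisable trace: the first instruction of an exported function becomes a JMP to an address inside a module that does not own it, which is what a PE-sieve style scan reports. As an added example, not code from the original post, the following Python decodes such 5-byte relative jumps from a constructed memory snapshot and flags exports whose prologue leaves their own module. Module bases, sizes and export addresses are made up for the demo; only the injectee base (0x50000) and the WSASend hook RVA (0xd90) come from the write-up.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


@dataclass(frozen=True)
class Export:
    module: str
    name: str
    address: int
    prologue: bytes   # first bytes of the function as found in memory


def decode_jmp_rel32(code: bytes, address: int) -> Optional[int]:
    """Return the absolute target if `code` starts with an E9 rel32 JMP, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (address + 5 + rel) & 0xFFFFFFFF


def owner_of(address: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.contains(address)), None)


def find_inline_hooks(exports: List[Export], modules: List[Module]) -> List[Dict]:
    """Flag exports whose first instruction jumps out of their own module."""
    by_name = {m.name: m for m in modules}
    findings = []
    for exp in exports:
        target = decode_jmp_rel32(exp.prologue, exp.address)
        if target is None:
            continue
        if by_name[exp.module].contains(target):
            continue   # an intra-module jump (e.g. a tail call) is not a hook
        owner = owner_of(target, modules)
        findings.append({
            "export": f"{exp.module}!{exp.name}",
            "target": target,
            "target_module": owner.name if owner else "<unbacked memory>",
            "target_rva": (target - owner.base) if owner else None,
        })
    return findings


def jmp_to(src: int, dst: int) -> bytes:
    """Build the 5-byte E9 JMP a hooking engine would write at src (constructed)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


# Constructed snapshot (addresses are made up; only 0x50000 and RVA 0xd90 are from the post).
MODULES = [
    Module("ws2_32.dll", 0x76A00000, 0x40000),
    Module("crypt32.dll", 0x75800000, 0x120000),
    Module("injectee-x86.dll", 0x50000, 0x10000),
]

EXPORTS = [
    Export("ws2_32.dll", "WSASend", 0x76A12340, jmp_to(0x76A12340, 0x50000 + 0xD90)),
    Export("ws2_32.dll", "WSARecv", 0x76A12A10, jmp_to(0x76A12A10, 0x50000 + 0x1040)),
    # unhooked: the normal hot-patchable prologue mov edi,edi; push ebp; mov ebp,esp
    Export("ws2_32.dll", "WSAStartup", 0x76A10F00, b"\x8B\xFF\x55\x8B\xEC"),
    # a jump that stays inside ws2_32 is a tail call, not a hook
    Export("ws2_32.dll", "send", 0x76A11000, jmp_to(0x76A11000, 0x76A12340)),
    Export("crypt32.dll", "CertVerifyCertificateChainPolicy", 0x75823450,
           jmp_to(0x75823450, 0x50000 + 0x2200)),
]


def report() -> List[Dict]:
    return find_inline_hooks(EXPORTS, MODULES)


if __name__ == "__main__":
    for hit in report():
        print(f"{hit['export']} -> {hit['target_module']}+0x{hit['target_rva']:x}")
```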


This malware is pretty simple, does not contain much obfuscation and was probably not intended to be stealthy. Rather than hiding, it tries to look harmless and legitimate. However, the functionality that it delivers is powerful enough to cause serious harm. It may be configured to display harmless ads, but it could also be configured to display phishing pop-ups, as was implemented in Kronos. Also, the fact that it forges certificates of the sites should raise concerns.

The post PBot: a Python-based adware appeared first on Malwarebytes Labs.

Author: hasherezade

SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle

Finding and investigating new malware families or campaigns is a lot like pulling a loose thread from an article of clothing. Once you start tugging gently on the thread, everything starts to unravel. In this particular case we began by investigating a new malware family, which we are calling SquirtDanger based on a DLL, SquirtDanger.dll, used in the attacks. There is strong evidence to indicate that this malware family was created by a prolific Russian malware author that goes by the handle of ‘TheBottle’. By pulling on a few strings we were eventually led to TheBottle’s unraveling. In this post we will delve into how we unraveled TheBottle’s activities and his newest malware family.

Malware Overview

SquirtDanger is a commodity botnet malware family that comes equipped with a number of characteristics and capabilities. The malware is written in C# (C Sharp) and has multiple layers of embedded code. Once run on the system, it will persist via a scheduled task that is set to run every minute. SquirtDanger uses raw TCP connections to a remote command and control (C2) server for network communications.

SquirtDanger comes with a wealth of functionality, including the following:

  • Take screenshots
  • Delete malware
  • Send file
  • Clear browser cookies
  • List processes
  • Kill process
  • List drives
  • Get directory information
  • Download file
  • Upload file
  • Delete file
  • Steal wallets
  • Steal browser passwords
  • Swap identified wallets in the victim’s clipboard
  • Execute file

The ability to swap out identified wallets with a predetermined wallet owned by the attacker is not a new one, as we have previously reported on it when analyzing the ComboJack malware family. For more information on how the SquirtDanger malware family operates, please refer to an in-depth analysis within the Appendix of this post.

Using various analytic techniques, Palo Alto Networks Unit 42 researchers were able to extract an embedded identifier from roughly 400 SquirtDanger samples, which we attribute to separate campaigns. Broadly, we identify two subsets of this malware which are divided by distinct mutexes and other indicators that we observed in WildFire. As we dug into this malware, we discovered a code repository which coincided with the capabilities and style of the samples we had observed. A screenshot of this repository’s base page is reproduced in figure 1 below:


Figure 1 Source code of SquirtDanger hosted on GitHub

Further analysis of the code in this repository indicated that our initial assessment was correct, and that this repository was the source code for SquirtDanger. While exploring the code, we discovered that TheBottle had posted this repository (and others) as a companion to a “confession” blog posted on

TheBottle Connection

TheBottle, a well-known Russian cybercriminal, has been active on global underground marketplaces for years. Distributing, selling, and trading malware and source code has been TheBottle’s modus operandi on underground marketplaces and forums. It appears, however, that TheBottle has encountered several issues throughout his career as a malware author. According to Vitali Kremz of Flashpoint:

Previously, TheBottle was banned unanimously by the underground arbitrators for customer infractions. His underground infractions were very costly leading to multiple disputes accusing him of not delivering malware support that was needed for long-term criminal operations.

While investigating SquirtDanger, we came across a confessional blog post claiming to be TheBottle. In the post, the individual claimed responsibility for creating several malware families, including Odysseus Project, Evrial, Ovidiy Stealer, and several others. Again, Vitali of Flashpoint:

“In his latest confession on telegraph, the actor walks through their life in underground lamenting on his challenges of being a malware developer with real-life issues… His sense of guilt pushed him to release all of his malware creations that were used in many cybercrime operations in the past from “Ovidiy Stealer” to “Reborn Stealer.”

Below is a screenshot of TheBottle’s original post in his native Russian:


Figure 2 Screenshot of TheBottle’s blog post, confessing to authorship of malware families. TheBottle is ultimately expressing regret for creating many of the malware families.

Looking closer at TheBottle’s blog posting revealed a Telegram channel exposing a group of roughly 900 individuals, most of whom appear to be Russian. Here the channel members are coordinating attacks, developing code, and trading/selling access to several different botnets and builders. Additionally, this Telegram group appears to be a common haunt of some prolific actors, some with high-profile ties, such as foxovsky, an underground actor who is famous in underground communities for developing malware. Readers may recall foxovsky as being the author of a previously reported malware family called Rarog. Additionally, the ‘1MSORRY‘ actor, who is behind the 1MSORRY cryptocurrency botnet and other malware families being distributed around the globe, was identified as being a member of this community.


Figure 3 Screenshot of Telegram channel with prolific underground actors communicating

After some online sleuthing, we were able to find additional accounts across several social media sites TheBottle frequented. Across most of the social media sites we located, it was apparent TheBottle took his hacking persona seriously.


Figure 4 Screenshot of TheBottle’s Twitter feed

Also, looking closer into TheBottle’s Twitter conversations helped shed some light on how TheBottle feels about individuals using their malware.


Figure 5 Screenshot of TheBottle’s conversation with @malwarhunterteam

Infection Vector/Victimology

In total, we saw 1,277 unique SquirtDanger samples used across multiple campaigns. SquirtDanger is likely delivered via illicit software downloads also known as “Warez”.

As of the time of writing, we witnessed 119 unique C2 servers that were geographically dispersed:


Figure 9 Geographic distribution of identified C2 servers

Additionally, in the wild, we were able to identify 52 unique IPs or domains acting as delivery infrastructure. This infrastructure acts as a dissemination point for this malware. Some of this delivery infrastructure appeared to be compromised legitimate websites unwittingly distributing SquirtDanger.

We have witnessed SquirtDanger being used against individuals across the globe, such as a Turkish university, an African telecommunications company, and a Singaporean Internet service provider.


The SquirtDanger malware family is just one of many commodity families being created today. It comes equipped with a wealth of features that allow attackers to quickly perform various actions on a compromised machine. While the malware itself proved to be interesting, it was the actor behind it that provided a much more interesting story.

As we pulled on TheBottle’s thread, we slowly started to realize that what we’ve found is just the tip of the proverbial iceberg. As we looked deeper into TheBottle’s malware and online activity, we noticed this was just minor activity taking place in a larger web of criminals working together. In fact, just recently, one of TheBottle’s allies was outed by the researcher known as Benkow.

Ultimately, as we unraveled a small portion of criminal activity, we were able to observe a malware author evolve into what seemed a somewhat remorseful individual, posting on a near personal level. Ultimately, will TheBottle change his ways? We will watch and see.

Using several sources of intelligence was key to the investigation of this actor and malware, and Palo Alto Networks customers are protected from this threat by:

  1. WildFire detects all SquirtDanger files with malicious verdicts
  2. AutoFocus customers can track these samples with the SquirtDanger tag
  3. Traps blocks all of the files associated with SquirtDanger


Malware Analysis

The SquirtDanger malware family comes equipped with a wealth of features by the author. The malware is coded using C#. The malware author chose to make use of the Costura add-in to embed the SquirtDanger payload into the compiled executable.

Once the main module is loaded and subsequently executed, it will begin by creating an installation directory, where the malware will copy itself. The following directories and their corresponding installation executables have been observed in the samples analyzed:

  • %TEMP%\Microsoft_SQL_SDKs\AzureService.exe
  • %TEMP%\MonoCecil\Fazathron.exe

After SquirtDanger is copied to the necessary path, a new instance of this malware will be spawned prior to killing the current process.

Once the installation phase has completed and the malware is found to be executed from the correct location, a new mutex will be created to ensure only one instance of the malware is run at a given time. The following two mutexes have been observed across all analyzed samples:

  • Omagarable
  • AweasomeDendiBotnet

After the mutex has been created, SquirtDanger will proceed to check for the existence of another executable, which will act as a persistence mechanism. This executable simply checks for the existence of the SquirtDanger payload, and if the payload cannot be found, a new copy is written to disk and a new instance will be spawned. This executable is embedded within the SquirtDanger payload, and has been observed dropped to the following locations:

  • %TEMP%\MSBuild.exe
  • %TEMP%\OmagarableQuest.exe

This dropped file is given both SYSTEM and HIDDEN attributes to prevent victims from discovering it. A new scheduled task is created with a name of ‘CheckUpdate’ to run this file. This scheduled task runs every minute after it is initially set up.

SquirtDanger proceeds to communicate with the remote C2 server using raw TCP sockets. Data sent between the client and server is serialized, however, it is not obfuscated. When the malware initially communicates with the remote server, it will attempt to obtain a list of additional modules to install. An example of this communication may be seen below:


Figure 6 Example communication between malware client and C2 server

After the list of modules and their associated URLs are collected, SquirtDanger will download these modules via HTTP communication.

SquirtDanger comes with a wealth of functionality, including the following:

  • Take screenshots
  • Delete malware
  • Send file
  • Clear browser cookies
  • List processes
  • Kill process
  • List drives
  • Get directory information
  • Download file
  • Upload file
  • Delete file
  • Steal wallets
  • Steal browser passwords
  • Swap identified wallets in the victim’s clipboard
  • Execute file

In the case of stealing passwords from browsers, a number of browsers are supported, including the following:

  • Chrome
  • Firefox
  • Yandex Browser
  • Kometa
  • Amigo
  • Torch
  • Opera


Figure 7 Malware attempting to collect passwords from various popular browsers

SquirtDanger also has the ability to seek out wallets for various cryptocurrencies, including the following:

  • Litecoin
  • Bitcoin
  • Bytecoin
  • Dash
  • Electrum
  • Ethereum
  • Monero


Figure 8 Malware attempting to identify various cryptocurrency wallets on the victim machine

In addition to stealing wallets, the malware contains the ability to swap a victim’s clipboard data in the event a specific regular expression is encountered. The following regular expressions were present within the malware:

Type   Regular Expression
QIWI   (^\+\d{1,2})?((\(\d{3}\))|(-?\d{3}-)|(\d{3}))((\d{3}-\d{4})|(\d{3}-\d\d-\d\d)|(\d{7})|(\d{3}-\d-\d{3}))
BTC    ^([13][a-km-zA-HJ-NP-Z1-9]{25,34})$
ETH    ^(0x[0-9a-fA-F]{40})$
LTC    ^(L[a-zA-Z0-9]{26,33})$
XRP    ^(r[rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz]{27,35})$
DOGE   ^(t[0-9a-zA-Z]{34})$
ZEC    ^(D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32})$
XMR    ^(4[0-9AB][1-9A-Za-z]{93,104})$

In the event one of these digital currency addresses is encountered, the malware is configured to swap the value with one that is pre-determined. A number of digital currency addresses were retrieved from our sample set, which have been included in the Appendix of this blog post. This feature is not a new one, as we have previously reported on it when analyzing the ComboJack malware family.

SquirtDanger Samples

For a full list of SquirtDanger hashes, as well as their first seen timestamps, please refer to the following link.

C2 Servers

For a full list of C2 servers, as well as their first seen timestamps, please refer to the following link.

Distribution Servers

For a full list of distribution servers, as well as their first seen timestamps, please refer to the following link.

The post SquirtDanger: The Swiss Army Knife Malware from Veteran Malware Author TheBottle appeared first on Palo Alto Networks Blog.

Author: Josh Grunzweig

Magnitude exploit kit switches to GandCrab ransomware

The GandCrab ransomware is reaching far and wide via malspam, social engineering schemes, and exploit kit campaigns. On April 16, we discovered that Magnitude EK, which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.

While Magnitude EK remains focused on targeting South Koreans, we were able to infect an English version of Windows by replaying a previously recorded infection capture. This is an interesting departure from Magniber, which was extremely thorough at avoiding other geolocations.

Magnitude is now also using a fileless technique to load the ransomware payload, making it somewhat harder to intercept and detect. Variations of this technique have been known for several years and used by other families such as Poweliks, but they are a new addition to Magnitude.

Figure 1: Magnitude EK traffic capture with the GandCrab payload

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding, or more recently via another technique, but still exposing it “in the clear” from traffic or network packet capture.

Figure 2: Magnitude EK dropping Magniber on April 4, 2018

The payload is encoded (using VBScript.Encode/JScript.Encode) and embedded in a scriptlet that is later decoded in memory and executed.

"C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";

Figure 3: Innocuous scriptlet hides the payload
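The rundll32 command line above is a detection opportunity in its own right: rundll32 is being handed a javascript: URL and the mshtml RunHTMLApplication host rather than a DLL export, from a browser parent. As an added example (not from the original post), the following Python runs those checks over a few constructed process-creation events; the "Key: value | Key: value" line shape and the sample paths are assumptions for the demo, and the decoded payload after the scriptlet is omitted.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon-like fields, made up for the demo).
SAMPLE_EVENTS = [
    r'Image: C:\Windows\System32\rundll32.exe | CommandLine: "C:\Windows\System32\rundll32.exe" javascript:"\..\mshtml,RunHTMLApplication ";<decoded payload omitted> | ParentImage: C:\Program Files\Internet Explorer\iexplore.exe',
    r'Image: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl | ParentImage: C:\Windows\explorer.exe',
    r'Image: C:\Windows\System32\notepad.exe | CommandLine: notepad.exe notes.txt | ParentImage: C:\Windows\explorer.exe',
]

RUNDLL32 = re.compile(r"(^|\\)rundll32\.exe$", re.IGNORECASE)
JAVASCRIPT_URL = re.compile(r"\bjavascript:", re.IGNORECASE)
RUNHTA_HOST = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.IGNORECASE)
BROWSERS = ("iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key: value | Key: value' into a dict (constructed log shape)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def basename(win_path: str) -> str:
    # os.path.basename does not split on backslashes off Windows, so do it by hand.
    return win_path.rsplit("\\", 1)[-1]


def assess(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; empty list means benign."""
    reasons: List[str] = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    if not RUNDLL32.search(image):
        return reasons
    if JAVASCRIPT_URL.search(cmd):
        reasons.append("rundll32 given a javascript: URL instead of a DLL")
    if RUNHTA_HOST.search(cmd):
        reasons.append("mshtml RunHTMLApplication used as a script host")
    if basename(parent).lower() in BROWSERS:
        reasons.append(f"rundll32 spawned by a browser ({basename(parent)})")
    return reasons


def scan(lines: List[str]) -> List[Dict]:
    hits = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            hits.append({"index": index, "image": event.get("Image", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['image']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```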

After the payload is injected into explorer.exe, it immediately attempts to reboot the machine. If we suspend that process and use @hasherezade‘s PE-Sieve, we can actually dump the GandCrab DLL from memory:

Figure 4: Extracting the payload from memory using PE-Sieve

Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.

Figure 5: GandCrab’s ransom note

A recent law enforcement operation provided victims with a way to recover their files from previous GandCrab infections. However, the latest version cannot be decrypted at the moment.

Malwarebytes users are protected against this attack when either the Internet Explorer (CVE-2016-0189) or Flash Player (CVE-2018-4878) exploits are fired.

Time will tell if Magnitude sticks to GandCrab, but this is a noteworthy change for an exploit kit that solely used its own Magniber ransomware for about 7 months, after having replaced the trusted Cerber.

Indicators of compromise

Dumped GandCrab DLL


The post Magnitude exploit kit switches to GandCrab ransomware appeared first on Malwarebytes Labs.

Author: Jérôme Segura

RAT Gone Rogue: Meet ARS VBS Loader

Malicious VBScript has long been a fixture of spam and phishing campaigns, but until recently its functionality has been limited to downloading malware from an attacker-controlled server and executing it on a compromised computer.

Researchers at Flashpoint have seen and analyzed a unique departure from this norm in ARS VBS Loader, a spin-off of a popular downloader called SafeLoader VBS that was sold and eventually leaked in 2015 on Russian crimeware forums.

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious “loaders”, i.e. initial infection vector malware families used to install subsequent payloads.

Image 1: ARS VBS Loader's administrative login portal.

The new loader has been spammed out in email attachments enticing victims with lures in subject lines related to personal banking, package shipments, and toll road notifications. Should a victim interact with the attachment and launch it, analysts say numerous types of commodity malware could be installed, including the AZORult information-stealing malware. AZORult was also used in campaigns targeting more than 1,000 Magento admin panels; in those attacks, the malware was used to scrape payment card information from sites running the popular free and open source ecommerce platform.

ARS VBS Loader targets only Windows machines and supports Windows 10, according to posts to a Russian-speaking forum going back to December. Previously, another loader called FUD ASPC Loader, first advertised in May 2017, contained similar functionality but not Windows 10 support.

The loader is also likely to side-step detection by signature-based antivirus and intrusion detection systems because of the relative ease with which attackers can obfuscate VBScript, Flashpoint analysts said. Obfuscation through a variety of means allows attackers to hide malware; if the malware is obfuscated with encryption or packing, for example, it’s exponentially more difficult for antivirus to sniff out malicious code.

Once the ARS VBS Loader executes on a victim’s computer, it immediately creates a number of entries in nearly a dozen autorun locations, including registry, scheduled tasks, and the startup folder, ensuring persistence through reboots. ARS VBS Loader will connect to the attacker’s server, sending it system information such as the operating system version name, computer user name, RAM, processor and graphics card information, a randomly generated ID for infection tracking, and machine architecture information.

Image 2: ARS VBS Loader submits check in information to the C2 in GET and POST parameters.

The botmaster, meanwhile, can remotely issue commands to bots through the PHP command-and-control application. Communication with the command-and-control server is carried out in plaintext over HTTP, making it easy to spot, Flashpoint analysts said.

The malicious code that runs on the victim’s machine is written entirely in VBScript and contains functionality for updating and deleting itself, deploying plugins such as a credential stealer, launching application-layer denial-of-service (DoS) attacks against websites, and loading additional malware from external websites.

The most common command spotted by analysts is download, which instructs bots to download and execute malware from a supplied URL. There is also the plugin command where plugins that steal passwords or capture desktop screenshots can be pushed to compromised computers.

The DDoS command is also noteworthy because it’s a unique capability; analysts said they have not seen this command used in the wild. The command tells bots to send a specified number of HTTP POST requests to a particular URL. Since this is a simple application-layer flooding attack, it is currently unknown how successful it would be against targets in the wild, analysts said, adding that such traffic would be easy to spot because the same hardcoded POST values are sent in the HTTP flood.

Image 3: Example DDoS HTTP flooding traffic from an infected bot.
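Because the flood reuses the same hardcoded POST values, identical bodies arriving from one source at a high rate are the signal to alert on. As an added example (not Flashpoint’s code), this Python groups constructed access-log lines by source, path and body hash inside a sliding time window and raises one alert per key once the count passes a threshold; the log format, window length and threshold are assumptions.

```python
"""Spot an ARS VBS Loader-style HTTP POST flood: many identical bodies from one source."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed)
THRESHOLD = 20        # identical POSTs from one source inside the window raises an alert (assumed)


def _build_sample_log():
    """Constructed access-log lines 'epoch|src_ip|method|path|body' (not real traffic)."""
    lines = []
    # 25 identical POSTs in under 5 seconds from one bot: the flood pattern the analysts describe
    for i in range(25):
        lines.append(f"{1700000000 + i * 0.2:.1f}|203.0.113.5|POST|/index.php|a=1&b=2&c=3")
    # a legitimate client submitting a form a few times with different content
    for i in range(3):
        lines.append(f"{1700000000 + i * 30:.1f}|198.51.100.7|POST|/contact|msg=hello{i}")
    # GET requests are ignored by this detector
    lines.append("1700000004.0|203.0.113.5|GET|/index.php|")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, src, method, path, body = line.split("|", 4)
    return float(ts), src, method, path, body


def detect_post_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return [(src_ip, path, body_sha256_prefix, count)] for keys that crossed the threshold.

    Keyed on (src, path, sha256(body)) so only *identical* payloads are counted together,
    which is what separates a hardcoded flood from ordinary form traffic.
    """
    recent = defaultdict(deque)   # key -> request timestamps still inside the window
    alerted = set()
    alerts = []
    for line in sorted(lines, key=lambda l: float(l.split("|", 1)[0])):
        ts, src, method, path, body = parse_line(line)
        if method != "POST":
            continue
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        key = (src, path, digest)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((src, path, digest, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_post_floods(SAMPLE_LOG):
        print("POST flood:", alert)
```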

Analysts caution that users should be vigilant about not opening email attachments from unknown sources, and that it’s likely ARS VBS Loader will continue to be an effective initial infection vector for spam campaigns.

To download the indicators of compromise (IOCs) for the ARS VBS Loader, click here.

To download the Yara rule for the ARS VBS Loader, click here.

The post RAT Gone Rogue: Meet ARS VBS Loader appeared first on Flashpoint.

Author: Flashpoint

Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files


ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target’s machine. The RAT contained a series of commands that includes machine profiling and the ability to exfiltrate documents from the victims’ machines.

We believe this activity ties to a specific set of actors with defined campaign goals. We’ve also observed similarities in binaries dating back to 2016, a clear indication that these threat actors have operated for nearly two years.


Key Findings

  • InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader.
  • The RAT has evolved through multiple variants dating back to 2016.
  • Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.

Figure 1: InnaputRAT communicating to TOP domains.


ASERT identified potential actors, or personas, tied to this campaign through domain registrations, and through Facebook and Twitter accounts possibly tied to an email address used. We initially identified the campaign through several phishing attempts that led to additional infrastructure within the same campaign. This campaign shared a common malware payload, InnaputRAT. Some of the recent malware samples were attributed to the campaign through similarities in the binary rather than connected infrastructure.

The phishing emails appear to lure victims with a geopolitical theme. Sender email addresses and subject lines often reference the United Nations (UN). Further, while most of the domains associated with Aigul (Aygul) Akulova and Slabodan Miloshevich attempt to mimic Google or Microsoft products, a few of them were more specific in mimicking diplomacy-related targets, notably un-booklet[.]com and us-embassy-report[.]com, suggesting a more specific audience.

We identified the initial campaign through domains highlighted in the Phishing Domains section below. After analysis of the original infrastructure, we identified the InnaputRAT payload on additional infrastructure highlighted in the Additional Domains Section.

Phishing Domains

  1. mfa-events[.]com
  2. officeonlaine[.]com
  3. blockhain[.]name
  4. iceerd[.]com

All of these domains are tied to the email address s.miloshevich[@] with the registration name Slabodan Miloshevich. Each of the domains used Kazakhstan as the registrant’s country. Additional domains registered by the same entity resolved to 4 distinct IP addresses (as of March 24, 2017).

Figure 2: Domains registered by s.miloshevich[@]

Additional Domain Analysis

  1. mfa-events[.]top
  2. officemicroupdate[.]com
  3. ico-investmen[.]com

In the prior section we associated the first domain with s.miloshevich[@]. The actor behind innaput69[@] registered domains two and three. All three domains hosted either a variant or the primary sample we analyzed, thus tying them together as part of the same activity.

Looking at the domains registered by innaput69[@], the names on the account use the same last name but two different first names. Notice that all but one list the registrant contact country as RU.

Figure 3: Domains tied to innaput69@gmail[.]com

To find officemicroupdate[.]com we must dig through some historical domain registrar information. From March 1, 2017 to November 2, 2017 the registrant email was innaput69[@] (according to Domain Tools) before the URL was taken over by Microsoft. Prior to March 1, 2017 the registrant info was hidden behind a Privacy Protected Record, so it is possible it was registered at one time by someone other than the actor behind innaput69[@].

GodZilla Loader Link

Pivoting off of the phone number for “Aygul A Akulova” in Figure 3, we find another email address, jemesn[@]. This email address is tied to a couple of other domains as well.

Figure 4: Registrant info for jemesn[@]

One of the domains associated with jemesn[@], update-app[.]top, hosted a copy of Godzilla Loader, which we observed distributing InnaputRAT in late March 2018.


InnaputRAT Evolution

All of the infrastructure and registrants were tied together by a common malware payload, InnaputRAT. We identified a recent version of InnaputRAT through the initial phishing campaigns, infrastructure correlation, and binary analysis. We then found several variations of the malware dating back to 2016. The binaries are listed below in chronological order.

Our starting sample (5249a165de139c62cb9615c0e787a856) is listed as Sample 3 (below). We compared the binaries using Diaphora, an open source tool for comparing programs in a decompiler, and extracted relevant information showing the RAT’s evolution.


Sample 1 – May 29, 2016

MD5: 2939d7350f611263596bdc0917296aa3
Compile date: 2016-05-29 13:38:07
C2s: officemicroupdate[.]com
Communication Port: 5876
File Name: msupdate.exe
Persistence: Maldoc (27dac1fa017006933eaf2b044df0b443) drops a Dropper that creates a Windows Service (OfficeUpdateService) and executes the payload
Command Options (Function Name: sub_401737):

  1. GetDriveAndVolInfo
  2. GetFileAttributeW
  3. EnumDirectory
  4. ReadFile (CreateFileMapping -> MapViewOfFile)
  5. WriteFile
  6. DeleteFile
  7. ShellExecuteW
  8. GetSystemInfo
Diaphora Function Match Stats: Matches: 14; Unmatched: 30 (includes sub_401737)
Notes:
  • Dropped via: 27dac1fa017006933eaf2b044df0b443
  • Linked to officemicroupdate[.]com via 185[.]61[.]151[.]110

Table 1: Sample 1 Analysis


We believe this to be an earlier variant for the following reasons:

  • The “Command Options” used reflect later variants. The order of the options also reflects other variants.
  • Although it doesn’t share as many matching functions as other samples, some of the binary structure matched newer variants.


While we believe this sample is from the same family as Samples 2 through 5 (below), there are some notable differences that suggest the malware evolved over time:

  • Persistence method
    • This sample makes use of a service installed by a dropper file. In contrast, other samples use the Windows registry to install an Autorun key.
    • Notably, the payload requires the dropper for execution and remains dormant if it is not present on the victim machine.
  • Windows API Calls
    • The Read File command for this sample used CreateFileMapping and MapViewOfFile while newer samples used CreateFileW and ReadFile.

The key functionality of the payload remains the same across all binaries: browse the victim file system with the intent to exfiltrate desired data.


Sample 2 – June 5, 2017

Sample 2 looks more like our starting point (Sample 3).

MD5: 8c3d37676f8f7711b381abf00155ef25
Compile date: 2017-06-05 16:57:38
PDB: D:\Arena\RobotNet\FileTransferStream\Release\FileTransfer.pdb
ITW: hxxp://best-online-tv[.]com/1.exe
C2s: worlwidesupport[.]top
Communication Port: 52100
File Name: SafeApp.exe
Persistence: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run: %appdata%\SafeApp\SafeApp.exe
Command Options (Function Name: sub_401B46):

  1. GetDriveVolInfo
  2. GetFileAttributesW
  3. EnumDirectory
  4. ReadFile (CreateFileW + ReadFile)
  5. WriteFile
  6. DeleteFile
  7. ShellExecuteW
  8. GetSystemInfo
Diaphora Function Match Stats: Matches: 36 (includes sub_401B46); Unmatched: 4

Table 2: Sample 2 Analysis


When we diffed the binaries with Diaphora, most of the functions matched, including the “Command Options” and the C2s used. This gives us increased confidence that Sample 2 is a variant of the “ground zero” binary in Sample 3 (below).

The key differences between later variants and Sample 1 involve the persistence mechanism used and a change in the Read File “Command Option”. Later variants no longer rely on the dropper to set persistence via a Windows Service, but instead create the Windows Registry key shown in Table 2 and execute the malware.


Sample 3 – August 22, 2017

Sample 3, our starting sample, is a near exact match with Sample 2, but was hosted on a different server.

MD5: 5249a165de139c62cb9615c0e787a856
Compile date: 2017-08-22 15:58:14
ITW: hxxp://mfa-events[.]com/upd.exe
C2s: worlwidesupport[.]top
Communication Port: 52100
File Name: NeutralApp.exe
Persistence: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run: %appdata%\NeutralApp\NeutralApp.exe
Command Options (Function Name: sub_401E39):

  1. GetDriveVolInfo
  2. GetFileAttributesW
  3. EnumDirectory
  4. ReadFile (CreateFileW + ReadFile)
  5. WriteFile
  6. DeleteFile
  7. ShellExecuteW
  8. GetSystemInfo
Diaphora Function Match Stats: Not done, as this is the starting sample.

Table 3: Sample 3 Analysis

The primary difference between Sample 2 and this sample is the file name used by the payload. The prior version used the name SafeApp.exe, installed the binary into %AppData%, and added a Windows autorun registry entry for that file. Sample 3 does the same thing but uses the file name NeutralApp.exe. This is notable because the malware checks for a running copy of itself, and the static name makes an infection simple to identify. Due to the name change, the newer version runs even if SafeApp.exe is currently running on the victim machine.


Sample 4 – January 22, 2018

Continuing binary matching and infrastructure analysis, we found a fourth sample that showed more evolution of the binary by obfuscating some of the API names and strings. This binary also shared the same NeutralApp.exe file name and the same C2s as the prior variant. The “Command Options” also remained the same in this variant.

MD5: 4e61d5d9c2e0386a872232f8d33e76bc
Compile date: 2018-01-22 20:46:41
PDB: D:\Arena\RobotNet\FileTransferStream\Release\FileTransfer.pdb
ITW: hxxp://ico-investmen[.]com/1.exe
C2s: worlwidesupport[.]top
Communication Port: 52100
File Name: NeutralApp.exe
Persistence: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run: %appdata%\NeutralApp\NeutralApp.exe
Command Options (Function Name: sub_401F95): No change
Diaphora Function Match Stats: Matches: 33 (includes sub_401F95); Unmatched: 13
Notes: Some API names and registry strings are obfuscated.

Table 4: Sample 4 Analysis

The PDB string contained in this fourth sample is identical to Sample 2, further lending credence to the evolution of the InnaputRAT.

API & String Obfuscation

This variant uses an 8-byte XOR key to obfuscate API names and other strings within the payload (Figure 5).

Figure 5: 8-Byte XOR Key for obfuscation


Sample 5 – March 13, 2018

The most recent variant of the InnaputRAT also shared the same C2s as the previous two samples, the same NeutralApp.exe name, and the same Registry Key creation.

At the time of our analysis of this sample, the payload was being distributed by Godzilla Loader (Figure 6), a tool sold in underground forums and used in multiple campaigns to distribute malware such as Dridex, Trickbot, and Panda Banker.

MD5: eec8e585ffdefb79a40ddb337ea852c6
Compile date: 2018-03-13 18:45:45
C2s: worlwidesupport[.]top
Communication Port: 52100
File Name: NeutralApp.exe
Persistence: HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run: %appdata%\NeutralApp\NeutralApp.exe
Command Options (Function Name: sub_401DA0): No change
Diaphora Function Match Stats: Best Matches: 26 (includes sub_401DA0); Unmatched: 27
Notes: More string and API name obfuscation

Table 5: Sample 5 Analysis

Figure 6: GodZilla Loader Login Panel

The primary differences between this sample and the previous two are a diminishing number of functions matched by Diaphora (likely a result of the attackers obfuscating more API calls and strings) and a change in the 8-byte XOR key used to obfuscate the API names and other strings.

Figure 7: 8-Byte XOR key change
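The 8-byte XOR in Figure 5 and the key change in Figure 7 pose the same problem for an analyst: recover the current key from the obfuscated blob without hunting for it in the decompiler each time. This added Python (not ASERT’s tooling) slides a known API name from the command-option table across a constructed, XOR-obfuscated string table, derives the candidate key at each offset, and keeps only keys that decode the whole blob to printable NUL-separated text. The sample table and the key value are constructed, since the real key is not given in the write-up.

```python
"""Recover an 8-byte repeating XOR key from an obfuscated string table using a known API name."""

KEY_LEN = 8


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_string_table(decoded: bytes) -> bool:
    """Plausibility filter: NUL-separated printable ASCII, as an API-name table would be."""
    return all(b == 0 or 0x20 <= b <= 0x7E for b in decoded)


def recover_key(blob: bytes, crib: bytes, key_len: int = KEY_LEN):
    """Slide a known plaintext (crib) over the blob. Each offset yields a candidate key from
    the first key_len crib bytes; the remaining crib bytes must agree with it, and the key
    must decode the entire blob to plausible text. Returns [(offset, key)]."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least one key length long")
    found = []
    for off in range(len(blob) - len(crib) + 1):
        key = bytearray(key_len)
        consistent = True
        for i, c in enumerate(crib):
            slot = (off + i) % key_len
            k = blob[off + i] ^ c
            if i < key_len:
                key[slot] = k          # first key_len bytes fill every slot exactly once
            elif key[slot] != k:
                consistent = False     # later crib bytes disagree: wrong offset
                break
        if consistent and looks_like_string_table(xor_cycle(blob, bytes(key))):
            found.append((off, bytes(key)))
    return found


def split_strings(decoded: bytes):
    """Split a NUL-separated table into Python strings."""
    return [s.decode("ascii") for s in decoded.split(b"\0") if s]


# Constructed sample: the command-option API names from the analysis plus the Run key path,
# obfuscated with a made-up 8-byte key (the real key is not in the write-up).
TABLE = b"\0".join([
    b"GetDriveVolInfo", b"GetFileAttributesW", b"EnumDirectory", b"CreateFileW",
    b"ReadFile", b"WriteFile", b"DeleteFile", b"ShellExecuteW", b"GetSystemInfo",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]) + b"\0"
KEY = bytes.fromhex("37a15c09ee427b10")   # constructed, not the malware's key
OBFUSCATED = xor_cycle(TABLE, KEY)

if __name__ == "__main__":
    # A crib that survives across variants (one of the unchanged command options).
    for off, key in recover_key(OBFUSCATED, b"ShellExecuteW"):
        print(f"offset {off}: key {key.hex()} ->", split_strings(xor_cycle(OBFUSCATED, key)))
```

When the key changes between variants, as between Sample 4 and Sample 5, the same crib recovers the new key as long as the command-option names stay in the table.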


ASERT believes the attackers behind InnaputRAT are primarily targeting files for exfiltration from victim machines. The initial targeting of commercial manufacturing entities possibly suggests a goal of intellectual property theft. Since 2016 the malware has undergone significant changes. The attackers continue to improve the sophistication of the bot and its operation with the inclusion of an intermediary loader, Godzilla Loader, and obfuscation of key elements in the binary. We assess with moderate confidence that this operation will continue and that InnaputRAT will continue to evolve.

Appendix A:


The activity described in this blog was derived from the ATLAS Intelligence Feed and original research by the ASERT Team. The indicators and signatures related to the activity enable Arbor APS to block the activity.

Author: ASERT team

Panda Banker Zeros in on Japanese Targets

Key Findings

  • A threat actor using the well-known banking malware Panda Banker (a.k.a. Zeus Panda, PandaBot) has started targeting financial institutions in Japan.
  • Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.
  • It is likely a new campaign or actor started using Panda Banker since in addition to the previously unseen Japanese targeting, Arbor has not seen any indicator of compromise (IOC) overlaps with previous Panda Banker campaigns.
  • The sample used in this campaign was the first sample we observed in the wild to use the newest version of Panda Banker, version 2.6.6.


Panda Banker is based on the Zeus malware family. One of its main functions is stealing user credentials, account numbers, and ultimately money from financial institutions. It does this by using a technique known as “man in the browser” along with “webinjects” that specify what websites to target and how.

This banking malware was first seen in the wild in the beginning of 2016 (version 2.1.x) and has had consistent, incremental development since then. While some details have changed, our “Who Let the Pandas Out? Zeus, Zeus, Zeus, Zeus” blog post is still a good introduction to the technical details of the malware.

Panda Banker is sold as a kit on underground forums so there are multiple users of the malware. Cybercrime threat actors tend to focus their campaigns on particular countries—usually dependent on their ability to convert stolen credentials and account details from those locations into real money. Over the years we’ve seen Panda Banker campaigns focus on financial institutions in: Italy, Canada, Australia, Germany, United States, United Kingdom, and now Japan.

Campaign Analysis

A new version of Panda Banker, version 2.6.6, was observed being distributed in the wild on March 26th:


Compilation date: 2018-03-26 09:54:57

While we didn’t see any significant changes to the malware itself (possibly just a “bug fix” release), the campaign using this sample stood out for two reasons:

  1. No IOC overlap with any previous Panda Banker campaigns that we’ve seen.
  2. Webinjects targeting Japan, a country we haven’t seen targeted by Panda Banker before.

Command & Control (C2)

The C2 servers configured for this sample are listed below:

  • https://hillaryzell[.]xyz/1wekenauhivwauvaxquor.dat
  • https://buscamapa1[.]top/2yrfuupcovylaawubitvy.dat
  • https://buscamapa2[.]top/3toaxkatoindyepidikuv.dat
  • https://buscamapa3[.]top/4heequktuepahvoyfofit.dat
  • https://buscamapa4[.]top/5ufyfegtuobekpykobeul.dat
  • https://buscamapa5[.]top/6lubanuoxapywinlaokow.dat

At the time of research, only hillaryzell[.]xyz was operational and it was registered to a “Petrov Vadim” using an email address of “”.

Campaign Name

The threat actor named this campaign “ank”.


At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:

  • 17 Japanese banking web sites mostly focusing on credit cards
  • 1 US based web email site
  • 1 US based video search engine
  • 4 US based search engines
  • 1 US based online shopping site
  • 2 US based social media sites
  • 1 US based adult content hub

An example redacted webinject for this campaign looks like the following:

Example webinject targeting Japan.

The webinjects in this campaign make use of a “grabber” / automated transfer system (ATS) known as “Full Info Grabber” to capture credentials and account information. As can be seen in the figures above, the threat actor is using a path of “jpccgrab”, possibly meaning “Japanese credit card grabber”. Given the targeting, this name makes some sense.

Distribution (update March 28, 2018)

Security researcher kafeine has released more details on how this threat is being distributed in the wild: a malicious advertisement (malvertising) is redirecting victims to a RIG exploit kit which is distributing the Panda Banker malware.


Japan is no stranger to banking malware. Based on recent reports, the country has been plagued by attacks using the Ursnif and Urlzone banking malware. This post is our analysis of the first Panda Banker campaign that we’ve seen target financial institutions in Japan.

Author: Dennis Schwarz