Ransomhub


Halliburton Faces $35 Million Loss Due to Ransomware Attack: Severe Ongoing Risks Threaten Stability

Halliburton faces a $35 million loss after a ransomware attack, with ongoing risks threatening stability and reputation.

12-Nov-2024
6 min read

Related Articles


macOS

Flutter

Discover how DPRK-backed actors use Flutter apps to bypass Apple security and ta...

A newly discovered macOS app, linked to DPRK, conceals sophisticated malware designed to breach system defenses. The malware uses advanced obfuscation tactics, such as packing the code and encrypting certain components, to evade detection. This campaign, discovered by Jamf Threat Labs, highlights the evolving threat posed by DPRK-backed actors, who often target sensitive data and use techniques such as social engineering and code obfuscation.

This advanced persistent threat (APT) uses Flutter-built applications. Flutter's inherent obfuscation makes it effective at evading detection: features such as hiding dynamic library calls and obscuring code flow complicate analysis and help conceal malicious activity. The findings mark a concerning escalation in the methods used to breach macOS defenses, including cross-platform tooling and techniques to bypass Apple notarization.

### DPRK Targets macOS Using Flutter-Built Malware

In October, Jamf Threat Labs detected several malware samples uploaded to VirusTotal, a widely used malware analysis platform, that initially evaded detection despite exhibiting malicious behavior. Analysis of these samples pointed toward DPRK actors, with techniques aligning closely with previously observed malware campaigns. Disturbingly, some malware versions had even passed Apple's notarization process temporarily, indicating sophisticated obfuscation and manipulation tactics.

### Complexity of the Flutter Packaging

The malware was discovered in three packaging forms: Go, Python, and Flutter. Among these, the Flutter variant stood out because it is the hardest to reverse and analyze. Flutter, a cross-platform framework developed by Google, is typically used for consistent app design across platforms such as macOS, iOS, and Android.

For legitimate developers, Flutter's write-once, deploy-everywhere model saves significant development time and resources, which makes it an attractive option. The same benefits appeal to attackers, who can create malware with broader reach and less effort. Popular apps such as Google Ads and Alibaba are built with Flutter, demonstrating its versatility for high-performance cross-platform software. For attackers, that portability means malware that works across multiple operating systems with minimal adjustment, broadening the pool of potential targets.

Flutter also makes malware harder to analyze because of how it compiles applications. App logic is written in the Dart programming language and compiled into a dynamic library (dylib), which makes the code inherently obscure and provides a natural avenue for obfuscation. In a standard Flutter application, the app logic is encapsulated in that dylib and loaded by the Flutter engine rather than directly by the primary executable. Because the dylib is not explicitly referenced in the main application executable, this layer of abstraction complicates analysis. The architecture is designed to optimize cross-platform compatibility, but it inadvertently serves as a highly effective way to conceal malicious logic.

![Flutter Layout](https://sb-cms.s3.ap-south-1.amazonaws.com/flutter_0c0702e574.jpg)

***Flutter Layout (Source: Jamf)***

### Anatomy of the Discovered Malware

The identified malware functions as a stage-one payload: it is the initial component of a multi-stage attack designed to establish a foothold, gather information, or prepare the system for the more complex payloads that follow.

Among the samples, six infected applications were detected; five bore valid developer signatures that Apple had already revoked at the time of discovery. One app, titled _"New Updates in Crypto Exchange,"_ presented itself as a functional minesweeper game. On execution, however, it made a network request to a domain (_mbupdate[.]linkpc[.]net_) previously linked to DPRK malware campaigns. The malicious code was deeply embedded in the application, and the pre-compiled Dart snapshots complicated decompilation and analysis because of the specialized tools required and the extra layer of abstraction Dart introduces.

Further investigation revealed that the malware could execute remote AppleScript commands, such as launching applications, modifying system settings, or downloading additional malicious components. This capability lets attackers take control of infected devices through sophisticated payload delivery mechanisms.

### Golang and Python Variants

In addition to the Flutter version, Jamf Threat Labs also [identified](https://www.jamf.com/blog/jamf-threat-labs-apt-actors-embed-malware-within-macos-flutter-applications/) Go and Python variants of the malware. The [Golang](https://www.secureblink.com/cyber-security-news/chinese-hackers-dragon-spark-use-golang-to-launch-espionage-attacks) variant, similarly signed and notarized by Apple, mirrored the network request and payload execution seen in the Flutter version: it made HTTPS requests to command-and-control servers and executed payloads using comparable obfuscation and scripting techniques. The use of different programming languages, such as Golang and Flutter, highlights the attackers' adaptability and their ability to exploit various ecosystems, which complicates detection and mitigation by requiring different analysis tools and expertise for each language.

![Trojanized Minesweeper](https://sb-cms.s3.ap-south-1.amazonaws.com/signed_6f8ba5bc61.jpg)

***Trojanized Minesweeper (Source: Jamf)***

The Python variant, built with Py2App, was crafted as a standalone application. While it appeared to be a functional notepad app, malicious components embedded in the Python script allowed it to receive and execute commands from a remote server.

The consistent use of `osascript` across these variants suggests a preference for native macOS features to achieve execution. Because `osascript` is one of macOS's trusted components, alongside built-in automation tools like Automator, its use makes the malware harder to detect and to stop. `osascript` has previously been used in malware attacks to execute AppleScript commands, which are often trusted by the system and less likely to trigger traditional antivirus alerts, making the technique particularly effective at avoiding detection.

### A New Testing Ground for Future Attacks?

The findings suggest that this malware campaign could be a test run for future, more extensive attacks. The use of legitimate-looking applications, with names similar to popular software and polished user interfaces, together with signed developer accounts and advanced obfuscation techniques, suggests a deliberate effort to bypass security measures. This points to strategic probing of macOS's security architecture, indicating the attackers' intent to identify and exploit weaknesses in the system.

DPRK's history of sophisticated social engineering campaigns further raises concerns about how these malware tools may evolve. The clear mismatch between the content of these apps and their filenames (the names suggest legitimate functionality, while the code contains malicious behavior) implies an attempt to test whether Apple's notarization process could be circumvented with carefully concealed malicious components. The use of Flutter as a delivery mechanism is also a novel approach for DPRK actors, demonstrating their willingness to experiment with different frameworks and methodologies to evade security measures.

### Conclusion and Implications for macOS Security

The discovery of DPRK-backed malware using Flutter-built applications to target macOS users highlights the evolving threat landscape. This sophisticated campaign illustrates how attackers refine their tactics to exploit legitimate development frameworks and weaknesses in Apple's notarization process. Although it remains uncertain whether this specific campaign was intended for broad deployment or as a proof of concept, it underscores the need for heightened vigilance and more robust security defenses for macOS. Countermeasures could include stricter application signing requirements, behavioral detection with machine learning-based anomaly detection tools (e.g., CrowdStrike Falcon, Microsoft Defender for Endpoint), and threat-hunting tools like Splunk or Carbon Black to identify unusual patterns. Jamf Threat Labs remains committed to monitoring and analyzing further developments in this campaign, ensuring that macOS users are well protected against emerging threats.

### Indicators of Compromise (IOCs)

The following domains, signatures, and application identifiers have been flagged as part of this investigation:

- Domain: mbupdate[.]linkpc[.]net
- Applications: "New Updates in Crypto Exchange (2024-08-28).app"
- Malware signatures: Flutter dylib containing Dart snapshots (`_kDartVmSnapshotData`, `_kDartIsolateSnapshotInstructions`)

For detailed technical insights and mitigations, Jamf Threat Labs' report covers the campaign in full.
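As an added example (not Jamf's tooling or code from the original article), the following Python script triages a macOS `.app` bundle offline for the indicators listed above: the Flutter bundle layout, a Mach-O dylib carrying the Dart snapshot symbols, the reported C2 domain, and references to `osascript`. The `App.framework`/`FlutterMacOS.framework` layout is an assumption about standard Flutter macOS builds, and the bundle the script builds for the demo is constructed, not a real sample.

```python
"""Offline triage of a macOS .app bundle for the Flutter-packaged, stage-one
indicators described in the article. Added example, not Jamf's tooling."""
import os
import tempfile
from dataclasses import dataclass, field

# Dart snapshot symbol names the IOC section lists for the Flutter dylib.
DART_SNAPSHOT_SYMBOLS = (b"_kDartVmSnapshotData", b"_kDartIsolateSnapshotInstructions")
# C2 domain from the report, kept defanged; it is refanged only for matching.
KNOWN_C2_DOMAINS_DEFANGED = ("mbupdate[.]linkpc[.]net",)
# Mach-O magic numbers: 32/64-bit in both byte orders, plus universal (fat) binaries.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# Assumed standard Flutter macOS layout: Dart AOT code in App.framework,
# the engine in FlutterMacOS.framework (both under Contents/Frameworks).
FLUTTER_APP_DYLIB = os.path.join("Contents", "Frameworks", "App.framework", "App")
FLUTTER_ENGINE = os.path.join("Contents", "Frameworks", "FlutterMacOS.framework")


@dataclass
class TriageResult:
    flutter_layout: bool = False                               # engine + App dylib present
    dart_snapshot_files: list = field(default_factory=list)    # Mach-O files with Dart snapshots
    c2_hits: list = field(default_factory=list)                # (relative path, defanged domain)
    osascript_files: list = field(default_factory=list)        # files that reference osascript

    def verdict(self) -> str:
        if self.c2_hits:
            return "malicious: known C2 domain embedded"
        if self.dart_snapshot_files and self.osascript_files:
            return "suspicious: Flutter app logic plus osascript use, review manually"
        return "no indicators from this campaign"


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


def scan_bytes(rel: str, data: bytes, result: TriageResult) -> None:
    """Apply the three string-level checks to one file's raw contents."""
    if data[:4] in MACHO_MAGICS and any(s in data for s in DART_SNAPSHOT_SYMBOLS):
        result.dart_snapshot_files.append(rel)
    for dom in KNOWN_C2_DOMAINS_DEFANGED:
        if refang(dom).encode() in data or dom.encode() in data:
            result.c2_hits.append((rel, dom))
    if b"osascript" in data:
        result.osascript_files.append(rel)


def triage_bundle(bundle_path: str) -> TriageResult:
    """Walk every file in the bundle and collect indicators."""
    result = TriageResult()
    result.flutter_layout = (os.path.isfile(os.path.join(bundle_path, FLUTTER_APP_DYLIB))
                             and os.path.isdir(os.path.join(bundle_path, FLUTTER_ENGINE)))
    for root, _dirs, files in os.walk(bundle_path):
        for name in files:
            full = os.path.join(root, name)
            with open(full, "rb") as fh:
                scan_bytes(os.path.relpath(full, bundle_path), fh.read(), result)
    return result


def build_sample_bundle() -> str:
    """Construct a fake bundle (not a real sample) that mimics the reported layout."""
    base = os.path.join(tempfile.mkdtemp(), "New Updates in Crypto Exchange (2024-08-28).app")
    os.makedirs(os.path.join(base, FLUTTER_ENGINE))
    os.makedirs(os.path.dirname(os.path.join(base, FLUTTER_APP_DYLIB)))
    os.makedirs(os.path.join(base, "Contents", "MacOS"))
    # Fake "App" dylib: 64-bit little-endian Mach-O magic, padding, snapshot symbol names.
    with open(os.path.join(base, FLUTTER_APP_DYLIB), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28 + b"\0".join(DART_SNAPSHOT_SYMBOLS))
    # Fake main executable that references osascript and the reported C2 domain.
    with open(os.path.join(base, "Contents", "MacOS", "main"), "wb") as fh:
        fh.write(b"\xcf\xfa\xed\xfe" + b"\0" * 28 + b"/usr/bin/osascript\0https://"
                 + refang(KNOWN_C2_DOMAINS_DEFANGED[0]).encode() + b"/\0")
    return base


if __name__ == "__main__":
    r = triage_bundle(build_sample_bundle())
    print("Flutter layout:", r.flutter_layout)
    print("Dart snapshot files:", r.dart_snapshot_files)
    print("C2 hits:", r.c2_hits)
    print("osascript references:", r.osascript_files)
    print("Verdict:", r.verdict())
```

Run it against a real bundle with `triage_bundle("/path/to/Some.app")`; a notarized signature does not change the result, which is the point of the campaign.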

13-Nov-2024
7 min read

AWS

PyPI

Fabric

Fabrice malware, a PyPI typosquatting supply chain attack, steals AWS credential...

A malicious Python package named `fabrice` has been on the Python Package Index (PyPI) since 2021. It targets developers by impersonating the legitimate `fabric` library, a widely used tool for SSH automation. This type of attack, known as typosquatting, tricks users into installing a harmful package with a similar name. It exploits the trust developers place in commonly used libraries, letting attackers infiltrate projects with minimal effort.

Typosquatting is particularly effective because it relies on human error: developers might mistype a package name or miss a subtle difference in spelling. By mimicking the legitimate package name, attackers create a situation where unsuspecting users unknowingly introduce malicious software into their environments. The `fabrice` package was downloaded over 37,000 times, indicating how successful such attacks can be.

### Platform-Specific Malicious Actions

Once installed, `fabrice` carries out platform-specific malicious actions on both Linux and Windows systems, primarily aimed at stealing credentials and maintaining long-term access. The malware behaves differently depending on the host operating system, tailoring its actions to maximize impact and avoid detection.

#### Malicious Actions on Linux

On Linux, `fabrice` creates hidden directories and downloads obfuscated payloads (code deliberately made hard to read so that its purpose is concealed), ensuring persistence while evading detection. Specifically, it sets up hidden directories in the user's home directory, such as `~/.local/bin/vscode`, to store malicious files. These files are downloaded from an external server controlled by the attacker, making them difficult for traditional security tools to detect (see [Socket's analysis](https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-library) and the [Socket Security GitHub app](http://github.com/apps/socket-security)).

The obfuscated payloads execute commands with the same privileges as the user, allowing the attacker to establish a foothold on the system. The obfuscation makes it hard for security analysts to determine the malware's true intent, and because users rarely inspect these hidden directories, the malware keeps a low profile and persists for extended periods.

#### Malicious Actions on Windows

On Windows, `fabrice` takes a slightly different approach. It downloads a base64-encoded payload that contains a VBScript (`p.vbs`). This VBScript launches another hidden Python script (`d.py`). The use of VBScript helps maintain stealth, because it lets the malware execute Python code without opening a visible command prompt window.

The Python script (`d.py`) downloads a malicious executable (`chrome.exe`), which is stored in the user's Downloads folder. The executable establishes persistence by creating a scheduled task that runs every 15 minutes, so the malware continues to execute and maintain control even after a reboot. By using legitimate Windows features like scheduled tasks, `fabrice` blends in with typical system behavior, making it harder for traditional antivirus solutions to detect.

### The Risks of Supply Chain Attacks

With over 37,000 downloads, largely due to the popularity of the legitimate `fabric` library, this sophisticated supply chain attack highlights the risks inherent in open-source dependencies. Attackers use typosquatting to compromise unsuspecting developers, exfiltrate sensitive credentials, and establish backdoors for long-term system access. Open-source software is a cornerstone of modern development, offering flexibility, cost savings, and community-driven innovation, but it also carries significant risk when malicious actors exploit the open nature of these ecosystems.

By targeting widely used packages like `fabric`, attackers can infiltrate numerous projects and organizations with a single malicious package, which makes verifying package authenticity before installation essential.

The consequences of such supply chain attacks are severe. In the case of `fabrice`, the primary objective is to steal AWS credentials. These credentials are invaluable to attackers: they can provide access to sensitive cloud resources, allowing data exfiltration, costly operations, or even takeover of cloud infrastructure. Because `fabrice` uses the official Python SDK (`boto3`) to read AWS credentials, any system running it could inadvertently leak cloud access keys, leading to substantial security breaches and financial losses.

The success of `fabrice` also points to the need for enhanced monitoring and proactive defenses in the software development lifecycle. Developers and organizations should adopt best practices such as package management tools that verify the integrity of software components, multi-factor authentication for cloud accounts, and regular security audits of dependencies.

### Mitigation Strategies

Mitigating the risk of typosquatting and supply chain attacks requires a combination of vigilance and proactive measures. Strategies developers and organizations can adopt to protect themselves from similar threats:

1. **Verify Package Authenticity**: Always verify the source and authenticity of packages before installing them. Tools like `pip` offer features to check package signatures, and developers should take advantage of them.
2. **Use Trusted Repositories**: Stick to well-known and trusted repositories. When possible, use verified versions of packages or direct links from official project pages to minimize the risk of installing compromised packages.
3. **Enable Multi-Factor Authentication (MFA)**: Protect your cloud accounts, such as AWS, with MFA. This additional layer of security can prevent unauthorized access even if credentials are compromised.
4. **Monitor Dependencies**: Use automated tools to monitor dependencies for vulnerabilities. Tools like Dependabot or Snyk can help keep track of outdated or potentially malicious dependencies and recommend updates or patches.
5. **Conduct Regular Audits**: Perform regular audits of all dependencies in your projects: check the list of installed packages, ensure they come from reputable sources, and remove any that are unnecessary or untrusted.
6. **Use Runtime Application Self-Protection (RASP)**: RASP solutions can detect and block malicious behavior at runtime, providing a layer of security beyond static code analysis.

The popularity of open-source libraries like `fabric` makes them an attractive target for cybercriminals. With over 37,000 downloads, `fabrice` shows how quickly malicious packages can spread within the developer community. Developers and organizations must remain vigilant, adopt best practices for dependency management, and take proactive steps to secure their software supply chains.

To learn more about how to secure your systems and protect against similar attacks, see the comprehensive analysis of the **Fabrice Malware Threat Research** [here](https://www.secureblink.com/threat-research/fabrice-malware-python-typosquatting-targeting-aws-via-supply-chain-on-linux-and-windows-1).
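An added example, not Socket's tooling or code from the article: the Python audit below scans a requirements file for names within one edit of a constructed allowlist (catching `fabrice` next to `fabric`, the pattern described above) and for trusted packages listed without a `--hash` pin, which `pip install --require-hashes` would refuse to install. The allowlist and the sample requirements file are constructed for the demonstration.

```python
"""Audit a requirements.txt for names one typo away from packages a project
trusts (the fabric / fabrice pattern) and for unpinned artifacts. Added example."""
import re

# Constructed allowlist of packages this project intentionally depends on.
# In practice it would be generated from the project's lockfile.
TRUSTED_PACKAGES = {"fabric", "requests", "boto3", "paramiko"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): one typo is an insert,
    delete, substitution, or swap of two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def logical_lines(text: str):
    """Yield (first line number, joined text), merging backslash continuations so
    'pkg==1.0 \\' followed by '--hash=sha256:...' is seen as one requirement."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = lineno
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(stripped)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:
        yield start, " ".join(buf).strip()


def parse_requirement(line: str):
    """Return (normalised name, has_hash), or None for blanks, comments, pip options."""
    if not line or line.startswith("#") or line.startswith("-"):
        return None
    has_hash = "--hash=" in line
    spec = line.split("--hash=")[0].split(";")[0].strip()   # drop hashes and env markers
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", spec)
    return (normalize(m.group(1)), has_hash) if m else None


def audit_requirements(text: str, trusted=TRUSTED_PACKAGES, max_distance: int = 1):
    """Return (line number, name, finding) triples for lines that need attention."""
    findings = []
    for lineno, line in logical_lines(text):
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, has_hash = parsed
        if name in trusted:
            if not has_hash:
                findings.append((lineno, name, "no --hash pin; pip --require-hashes cannot verify it"))
            continue
        near = sorted(t for t in trusted if edit_distance(name, t) <= max_distance)
        if near:
            findings.append((lineno, name, f"possible typosquat of {near}"))
        else:
            findings.append((lineno, name, "not on the trusted list; review before installing"))
    return findings


# Constructed sample: a hash-pinned trusted package, a typosquat, and an unpinned one.
SAMPLE_REQUIREMENTS = (
    "# constructed sample requirements.txt\n"
    + "requests==2.32.3 \\\n"
    + "    --hash=sha256:" + "0" * 64 + "\n"   # placeholder digest, not a real hash
    + "fabrice==0.1\n"
    + "boto3==1.35.0\n"
)

if __name__ == "__main__":
    for lineno, name, why in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {name}: {why}")
```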

11-Nov-2024
6 min read

MacOS

BlueNoroff

BlueNoroff APT group targets macOS with fake crypto news and novel persistence, ...

In recent years, the cybersecurity community has observed a surge in state-sponsored attacks on the financial sector, particularly cryptocurrency enterprises. The BlueNoroff APT group, a subdivision of North Korea's Lazarus Group, has been at the forefront of these activities. BlueNoroff has developed sophisticated macOS malware that uses fake cryptocurrency news to deceive targets and employs novel persistence mechanisms to maintain long-term access. This technical report analyzes BlueNoroff's recent campaigns up to October 2023, covering their tactics, techniques, and procedures (TTPs), the malware's architecture, and recommendations for mitigation.

---

## Campaign Overview

### Background

Active since at least 2016, BlueNoroff has primarily targeted financial institutions and cryptocurrency exchanges. Their operations are financially motivated, aiming to circumvent international sanctions by stealing funds to support North Korea's economic objectives.

### Recent Activities

BlueNoroff has intensified its efforts against macOS platforms, acknowledging the increasing use of Apple devices in corporate settings. Notable campaigns include:

- **RustBucket Campaign (April 2023):** Deployed multi-stage malware written in Rust, targeting macOS users and establishing backdoors for executing arbitrary code.
- **KandyKorn Malware (May 2023):** Focused on blockchain engineers, delivering malware designed for persistent system access.

---

## Infection Vector

### Phishing Emails Leveraging Fake Cryptocurrency News

The primary infection method is phishing email containing links to malicious applications disguised as legitimate PDF documents about cryptocurrency trends.

- **Email Characteristics:**
  - **Sender Impersonation:** Often uses the names of reputable individuals in the crypto industry, or in unrelated fields, to appear credible.
  - **Subject Matter:** Topics like "Hidden Risks Behind New Surge of Bitcoin Price" or "Altcoin Season 2.0: The Hidden Gems to Watch."
  - **Attachments:** Instead of PDFs, the attachments are macOS application bundles posing as documents.

### Execution Flow

1. **Email Delivery:** The target receives a phishing email with a link to a supposed PDF document.
2. **Malicious Application Download:** Clicking the link downloads a macOS application bundle with a misleading name and icon.
3. **Decoy Document Display:** On execution, the application opens a legitimate-looking PDF to avoid suspicion.
4. **Background Malware Installation:** Concurrently, the application downloads and executes the next-stage payload.

---

## Technical Analysis

### Stage 1: The Dropper Application

- **Implementation:** Written in Swift, designed to appear as a legitimate document viewer.
- **Code Signing:** Often signed with valid Apple Developer IDs to bypass Gatekeeper protections. These IDs may be acquired through fraudulent means.
- **Execution Details:**
  - **Decoy Presentation:** Downloads a benign PDF from a remote server and opens it with the default PDF viewer.
  - **Payload Retrieval:** Fetches the second-stage malware from a hard-coded URL over insecure HTTP, bypassing default macOS security settings via `Info.plist` modifications.
- **Bypassing Security Measures:**
  - **App Transport Security Exception:** Alters `Info.plist` to allow insecure connections to specific domains.
  - **Universal Binary:** Compiled for both Intel and Apple Silicon architectures to maximize compatibility.

### Stage 2: The Backdoor Payload

- **File Details:**
  - **Name:** `growth`
  - **Architecture:** x86_64, requiring Rosetta 2 on Apple Silicon Macs.
  - **Language:** Written in C++, focusing on functionality over stealth.
- **Functionalities:**
  - **Persistence Installation:** Installs a novel persistence mechanism via the `~/.zshenv` file.
  - **System Reconnaissance:** Collects system information such as OS version, hardware model, and process lists.
  - **Unique Identifier Generation:** Creates a random UUID to identify the infected machine.
- **C2 Communication:**
  - **Protocol:** Communicates with the command-and-control server using HTTP POST requests.
  - **Data Transmission:** Sends collected data and awaits commands.
  - **Command Execution:** Processes C2 responses to execute arbitrary commands or download additional payloads.
- **Code Characteristics:**
  - **Minimal Obfuscation:** Relies on deceptive practices rather than heavy code obfuscation.
  - **Persistence Logic:** Encapsulated in specific functions for installing and verifying persistence mechanisms.

### Novel Persistence Mechanism: Abusing `~/.zshenv`

- **Mechanism Details:**
  - **File Modification:** The malware appends execution commands to the `~/.zshenv` file.
  - **Execution Scope:** Because `~/.zshenv` is sourced in all Zsh sessions, including non-interactive ones, the malware runs whenever a shell is invoked, which happens during many system processes.
- **Advantages Over Traditional Methods:**
  - **Stealth:** This method does not trigger the user notifications that macOS Ventura introduced for Login Items, making it less noticeable.
  - **Reliability:** Ensures consistent execution without relying on Launch Agents or Daemons, which are more likely to be monitored or removed.
- **Persistence Installation Function:**
  - **Verification:** Checks for a marker file (e.g., `.zsh_init_success`) to prevent redundant installations.
  - **Implementation:** Uses shell commands within the malware code to modify the `~/.zshenv` file.

---

## Network Infrastructure Analysis

### Command and Control Servers

- **Domain Mimicry:** Domains are crafted to resemble legitimate cryptocurrency or financial services (e.g., `delphidigital[.]org`, `arkinvest[.]com`).
- **Hosting Providers:** Uses services known for lax enforcement to host malicious domains and servers.
- **SSL Certificates:** May reuse self-signed certificates across multiple domains, aiding attribution.

### Communication Protocols

- **HTTP POST Requests:** The malware communicates over standard HTTP to blend in with normal traffic.
- **Custom User-Agent Strings:** Employs unique or spoofed User-Agent strings to avoid detection by security tools.

### Infrastructure Linkage

- **WHOIS Data and Registrar Patterns:** Consistent use of certain domain registrars and overlapping registration details.
- **Shared Resources:** Reuse of IP addresses and hosting services across different campaigns.

---

## Attribution to BlueNoroff

Attribution is based on multiple factors:

- **Tactics, Techniques, and Procedures (TTPs):**
  - **Malware Similarities:** Overlaps with previous BlueNoroff malware, including code structure and functionality.
  - **Persistence Methods:** The novel use of `~/.zshenv` aligns with the group's history of exploiting macOS features.
- **Infrastructure Connections:**
  - **Domain Themes:** Consistent focus on cryptocurrency and financial entities.
  - **Technical Overlaps:** Shared IP addresses and SSL certificates with known BlueNoroff infrastructure.
- **Historical Context:**
  - **Financial Motive:** Aligns with North Korea's strategy of using cyber operations for economic gain.
  - **Prior Campaigns:** Continuation of methods observed in operations like AppleJeus and previous RustBucket incidents.

---

## Mitigation Strategies

### User Awareness and Training

- **Phishing Education:** Regular training to recognize and report suspicious emails, especially those related to financial topics.
- **Policy Enforcement:** Implement strict policies on opening email attachments and executing downloaded files.

### Technical Controls

- **Endpoint Protection:**
  - **Anti-Malware Solutions:** Deploy security software capable of detecting and blocking known threats and suspicious behaviors.
  - **Application Whitelisting:** Restrict execution to approved applications, preventing unauthorized code from running.
- **System Monitoring:**
  - **File Integrity Monitoring:** Watch for changes to critical files like `~/.zshenv` and system binaries.
  - **Process Monitoring:** Alert on the execution of unexpected processes or scripts.
- **Network Security:**
  - **Firewall Rules:** Block known malicious IP addresses and domains associated with BlueNoroff.
  - **Network Traffic Analysis:** Inspect outbound traffic for anomalies, such as unusual HTTP POST requests.

### Incident Response Preparedness

- **Response Planning:** Develop and regularly update incident response plans specific to malware infections.
- **Backup and Recovery:** Maintain regular backups of critical systems and data to enable restoration in case of compromise.
- **Threat Intelligence Integration:** Incorporate the latest threat intelligence feeds to stay updated on emerging threats.

---

## Conclusion

The BlueNoroff APT group's ongoing targeting of macOS systems in the cryptocurrency sector highlights the evolving tactics of state-sponsored actors. Their innovative methods, such as abusing the `~/.zshenv` file for persistence and using convincing phishing lures, underscore the need for heightened vigilance and robust security measures. Organizations in the financial and cryptocurrency industries must adopt a comprehensive security posture, combining user education, advanced technical defenses, and proactive monitoring to mitigate the risks posed by such sophisticated threats.
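An added example, not SentinelLabs' or the article's own code: the Python script below implements the `~/.zshenv` file-integrity check recommended under Technical Controls, flagging appended lines that run something silently from a hidden directory (the persistence mechanism described above) and checking for the marker file the report names. The benign-line patterns and the sample file are constructed assumptions, so tune them to the hosts' real dotfiles.

```python
"""Check a Zsh startup file for appended lines that would execute a payload on
every shell invocation, the persistence trick described in the article.
Added example, not SentinelLabs' or any vendor's detection logic."""
import os
import re

# Marker file name the report gives as an example of the installer's "already installed" check.
MARKER_FILES = (".zsh_init_success",)

# Lines that normally live in ~/.zshenv: comments, variable assignments and exports,
# shell options. Everything else is evaluated against RULES.
BENIGN_LINE = re.compile(
    r"^(#.*|export\s+[A-Za-z_]\w*=.*|[A-Za-z_]\w*=[^;&|`$()]*|(setopt|unsetopt|typeset|alias|umask)\b.*)$"
)

# Each rule is (label, pattern). A line matching two or more rules is rated high.
RULES = (
    ("runs in the background or discards output",
     re.compile(r"&\s*\)?\s*$|&>\s*/dev/null|>\s*/dev/null")),
    ("references a hidden or temporary location",
     re.compile(r"(\$HOME|~|/Users/[^/\s]+)/\.[\w.-]+/|/(private/)?tmp/|/var/folders/")),
    ("invokes an interpreter, downloader or osascript",
     re.compile(r"(^|[\s;&|(])(osascript|curl|wget|python3?|perl|nohup|open)\b")),
)


def audit_zshenv_text(text: str):
    """Return (line number, severity, line, [reasons]) for every non-benign line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or BENIGN_LINE.match(line):
            continue
        reasons = [label for label, pat in RULES if pat.search(line)]
        if reasons:
            severity = "high" if len(reasons) >= 2 else "review"
            findings.append((lineno, severity, line, reasons))
    return findings


def audit_zshenv_file(path: str):
    """Audit an on-disk ~/.zshenv; a missing file is simply clean."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_zshenv_text(fh.read())


def marker_files_present(home: str):
    """Marker files the installer leaves behind; their presence alone warrants a look."""
    return [m for m in MARKER_FILES if os.path.exists(os.path.join(home, m))]


# Constructed sample: ordinary user config plus one line modelled on the report's
# description (payload under a hidden directory, started silently in the background).
SAMPLE_ZSHENV = """\
# user settings
export PATH="$HOME/bin:$PATH"
export EDITOR=vim
source ~/.cargo/env
( "$HOME/.zsh_cache/growth" >/dev/null 2>&1 & )
"""

if __name__ == "__main__":
    for lineno, severity, line, reasons in audit_zshenv_text(SAMPLE_ZSHENV):
        print(f"{severity:6} line {lineno}: {line}  <- {', '.join(reasons)}")
    print("marker files in $HOME:", marker_files_present(os.path.expanduser("~")))
```

Single-rule hits such as `source ~/.cargo/env` are reported as "review" rather than "high"; in a fleet deployment, baseline each host's `~/.zshenv` hash and run the audit only when the hash changes.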
---

## Indicators of Compromise (IOCs)

### File Hashes (SHA-1)

- **Dropper Applications:**
  - `3f17c5a7d1e7fd138163d8039e614b8a967a56cb`
  - `e5d97afa5f1501b3d5ec1a471dc8a3b8e2a84fdb`
- **Backdoor Payload:**
  - `7e07765bf8ee2d0b2233039623016d6dfb610a6d`

### Malicious Domains

- `delphidigital[.]org`
- `matuaner[.]com`
- `arkinvst[.]com`
- `solanalab[.]org`
- `zoom-client[.]com`
- Additional domains listed in the campaign's indicators.

### IP Addresses

- `23.254.253[.]75`
- `45.61.135[.]105`
- `172.86.108[.]47`
- `216.107.136[.]10`
- Additional IPs associated with the C2 infrastructure.

---

## References

- **SentinelLabs Report on Hidden Risk Campaign:** [Link to Original Report](https://www.sentinelone.com/labs/bluenoroff-hidden-risk-threat-actor-targets-macs-with-fake-crypto-news-and-novel-persistence/)
- **ESET Research on RustBucket Malware:** [ESET Blog](https://www.welivesecurity.com/)
- **Apple Documentation on Zsh Startup Files:** [Apple Support](https://support.apple.com/en-us/HT208050)
- **MITRE ATT&CK Framework - Lazarus Group:** [MITRE ATT&CK](https://attack.mitre.org/groups/G0032/)

---

**Disclaimer:** This document is based on information available up to October 2023. Subsequent developments may not be reflected.

09-Nov-2024
7 min read