Tag Archives: Malware and Virus Protection

Posted on Author Atlantic Computer Services Categories Blog

Researchers Warn About Symbiote Malware Which Attacks Linux Machines

Are you a Linux user?  If so, be aware that there is a new kind of malware to be concerned about. The BlackBerry Threat Research and Intelligence team, in concert with Joakim Kennedy (an Intezer Analyze security researcher), have announced the discovery of a new strain of malware.

They’ve dubbed it Symbiote, and it was named because of its parasitic nature.

Actual discovery of the strain occurred a few months ago but the team has been studying it since.  It is markedly different from most of the Linux malware you see today, as it acts as a shared object library that is loaded on all running processes via LD_PRELOAD.

Once the malicious code has its hooks in a target machine, it provides the hackers controlling it with rootkit functionality.

The earliest samples of this strain date back to November 2021, and based on an analysis of its code, its primary targets were intended to be financial institutions located in Latin America.

The researchers had this to say about their recent discovery:

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured.  In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see. When we first analyzed the samples with Intezer Analyze, only unique code was detected.  As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”

The Linux ecosystem isn’t targeted as often as Apple, Windows, or Android. So the fact that this new threat has emerged is noteworthy indeed.  If you have any Linux infrastructure on your network, be sure to stay aware of this new potential threat.

0
Posted on Author Atlantic Computer Services Categories Blog

New Malware Uses Word Documents To Get On Your System

Researchers at HP have discovered a new malware loader that they’ve dubbed SVCReady.  While new malware strains are common, this one is distinct for a couple of different reasons.

Like many malicious programs, this spreads primarily via phishing email campaigns.  One way that this new strain differs however, is the fact that the malware is loaded onto the target machine via specially crafted Word documents attached to the email.

The idea is that these Word documents leverage VBGA macro code to execute shellcode that’s stored in the properties of the Word document.  That’s both new and dangerous.

The HP researchers found evidence that tracks the malicious code back to its origin in April of 2022, with the developers releasing several updates just one month later in May.  The number of updates is suggestive of a large, well-organized team that is committed to continued development of their new toy.

Currently, SVCReady boasts the following capabilities:

  • Download a file to the infected client
  • Take a screenshot
  • Run a shell command
  • Check if it is running in a virtual machine
  • Collect system information (a short and a “normal” version)
  • Check the USB status, i.e., the number of devices plugged-in
  • Establish persistence through a scheduled task
  • Run a file
  • And run a file using RunPeNative in memory

In addition to these capabilities, SVCReady can also fetch additional payloads from the command-and-control server.  While the bullet points above are dangerous in their way, it is the last, recently added capability that makes the new malware strain especially dangerous.  It enables the hackers to tailor the level of destruction for each infected target.

Worse, the new strain contains bits of code that lead the HP researchers to conclude that the threat actor TA551 may be behind it.  This is a large, well-organized group with ties to multiple other hacking organizations and ransomware affiliates. That implies that SVCReady may soon become much more widely available than it is now.

You will want to be sure this one stays on your radar.

0
Posted on Author Atlantic Computer Services Categories Blog

Emotet Malware Will Include Credit Card Theft In Attacks

If you’re involved in information security in any capacity, you’re probably quite familiar with the infamous Emotet botnet.  It’s one of the most dangerous and prolific botnets out there and it is a dire threat to organizations of all sizes.

The bad news is that the botnet is still being actively enhanced and is gaining new capabilities at regular intervals.

Most recently, its developers have added a new credit card stealing module that is designed to harvest saved credit card information stored in Google Chrome profiles.

Once it harvests information (name on the card, card number, security code, and expiration month and year), the malicious code will send that data to a command-and-control server controlled by the Emotet group.

The new capabilities were discovered by researchers at Proofpoint, and they reported being somewhat surprised that the new module was designed specifically to target Chrome users.  No other browsers are impacted by it.

Emotet has a fascinating history.  It first hit the internet in 2014 and when it first appeared, it was a simple banking trojan.

A concerted effort by law enforcement nearly destroyed the botnet. They took it offline as law enforcement officers pulled the plug on most of the botnet’s infrastructure.

Things were quiet for several months, but then in November 2021, Emotet returned like a malicious phoenix and has been causing trouble for IT professionals around the world ever since.

Controlled by the TA542 threat group also known as Mummy Spider, it can be used to deliver any number of second-stage payloads which makes it incredibly dangerous.

This is one malware you will have to stay on the alert for.  There’s no telling what new features the threat group will add next, and you may find yourself in Mummy Spider’s crosshairs.

0
Posted on Author Atlantic Computer Services Categories Blog

Beware New Windows Vulnerability With Remote Search Window Access

You may not know the name Matthew Hickey, but you should thank him for a recent discovery that could save you a lot of grief.

Hickey is the co-founder of a company called Hacker House.  He recently discovered a flaw that could allow for the opening of a remote search window simply by opening a Word or RTF document.

This newly discovered zero-day vulnerability is about as serious as it gets.

Here’s how it works:

A specially crafted Word Document or RTF is created which, when launched, will automatically launch a “search-MS” command, which opens a Windows Search window.

This window lists executable files on a remote share and the share can be given any name the attacker desires such as “Critical Updates” and the like. That would naturally prompt an unsuspecting user to click the file name to run that file.

Naturally, clicking the file name wouldn’t do anything other than install malware, which is exactly what the hackers are trying to do.

Although not quite as dangerous as the MS-MSDT remote code execution security flaw, this one is still incredibly serious. Even worse, there is not currently a patch that will make your system safer.

The good news however, is that there are steps you can take to minimize your risks.

If you’re worried about this security flaw, here’s what you can do:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOTsearch-ms search-ms.reg”
  • Execute the command “reg delete HKEY_CLASSES_ROOTsearch-ms /f”

Kudos to the sharp eyes of Matthew Hickey for first spotting this flaw.  We can only hope when the next zero-day rears its head, researchers like Mr. Hickey will be there to help point them out and show us how to defeat them.

0
Posted on Author Atlantic Computer Services Categories Blog

Some Carrier Embedded Android Apps May Have Security Vulnerabilities

Recently, Microsoft reported high severity security vulnerabilities in multiple apps offered by large international mobile service providers.  What makes this especially noteworthy is the fact that these vulnerabilities aren’t app specific, but framework specific.  Many carriers use the same basic framework to construct their apps and now all have been found to contain vulnerabilities.

The vulnerabilities discovered to this point are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, respectively.

The framework is owned by a company called mce Systems.  All vulnerabilities center around command injection and privilege escalation type attacks.  Carriers with apps that are impacted include AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

Members of the Microsoft 365 Defender team had this to say about the issue:

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers.

All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

This is a problem with a truly vast scope.  Just counting the number of downloads from the Google Play Store, the number runs into the millions.  Add to that the number of installed instances that were pre-installed on phones sold by the vendors above, and the scope and scale is simply mindboggling.

If there’s a silver lining to be found, it lies in the fact that all the vendors who have had apps impacted by this issue have already issued updates to fix the problem.

If you have a phone sold to you by any of the providers above, check all your installed apps and make sure you’re running the latest versions.  Better safe than sorry.

0
1 3 4 5 6 7 43