Researchers Warn About Symbiote Malware Which Attacks Linux Machines

Are you a Linux user?  If so, be aware that there is a new kind of malware to be concerned about. The BlackBerry Threat Research and Intelligence team, in concert with Joakim Kennedy (an Intezer Analyze security researcher), have announced the discovery of a new strain of malware.

They’ve dubbed it Symbiote, a name chosen because of its parasitic nature.

The strain was actually discovered a few months ago, and the team has been studying it since.  It is markedly different from most of the Linux malware seen today: rather than running as a standalone executable, it is a shared object library that is loaded into all running processes via LD_PRELOAD.

Once the malicious code has its hooks in a target machine, it provides the hackers controlling it with rootkit functionality.

The earliest samples of this strain date back to November 2021, and based on an analysis of its code, its primary targets were intended to be financial institutions located in Latin America.

The researchers had this to say about their recent discovery:

“When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured.  In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see. When we first analyzed the samples with Intezer Analyze, only unique code was detected.  As no code is shared between Symbiote and Ebury/Windigo or any other known [Linux] malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.”

The Linux ecosystem isn’t targeted as often as Apple, Windows, or Android. So the fact that this new threat has emerged is noteworthy indeed.  If you have any Linux infrastructure on your network, be sure to stay aware of this new potential threat.

Emotet Malware Will Include Credit Card Theft In Attacks

If you’re involved in information security in any capacity, you’re probably quite familiar with the infamous Emotet botnet.  It’s one of the most dangerous and prolific botnets out there and it is a dire threat to organizations of all sizes.

The bad news is that the botnet is still being actively enhanced and is gaining new capabilities at regular intervals.

Most recently, its developers have added a new credit card stealing module that is designed to harvest saved credit card information stored in Google Chrome profiles.

Once it harvests information (name on the card, card number, security code, and expiration month and year), the malicious code will send that data to a command-and-control server controlled by the Emotet group.

The new capabilities were discovered by researchers at Proofpoint, and they reported being somewhat surprised that the new module was designed specifically to target Chrome users.  No other browsers are impacted by it.

Emotet has a fascinating history.  It first hit the internet in 2014 and when it first appeared, it was a simple banking trojan.

A concerted effort by law enforcement nearly destroyed the botnet, taking it offline as officers pulled the plug on most of its infrastructure.

Things were quiet for several months, but then in November 2021, Emotet returned like a malicious phoenix and has been causing trouble for IT professionals around the world ever since.

Controlled by the TA542 threat group, also known as Mummy Spider, it can be used to deliver any number of second-stage payloads, which makes it incredibly dangerous.

This is one malware you will have to stay on the alert for.  There’s no telling what new features the threat group will add next, and you may find yourself in Mummy Spider’s crosshairs.

Beware New Windows Vulnerability With Remote Search Window Access

You may not know the name Matthew Hickey, but you should thank him for a recent discovery that could save you a lot of grief.

Hickey is the co-founder of a company called Hacker House.  He recently discovered a flaw that allows a remote search window to be opened simply by opening a Word or RTF document.

This newly discovered zero-day vulnerability is about as serious as it gets.

Here’s how it works:

A specially crafted Word or RTF document is created which, when opened, automatically invokes the “search-ms” protocol handler, which opens a Windows Search window.

This window lists executable files on a remote share, and the share can be given any name the attacker desires, such as “Critical Updates”. That would naturally prompt an unsuspecting user to click a file name to run that file.

Naturally, clicking the file name wouldn’t do anything other than install malware, which is exactly what the hackers are trying to do.

Although not quite as dangerous as the MS-MSDT remote code execution security flaw, this one is still incredibly serious. Even worse, there is currently no patch for it.

The good news, however, is that there are steps you can take to minimize your risk.

If you’re worried about this security flaw, here’s what you can do:

  • Run Command Prompt as Administrator.
  • To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\search-ms search-ms.reg”
  • Execute the command “reg delete HKEY_CLASSES_ROOT\search-ms /f”
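The same mitigation as a script, added here as an example and not part of the original article or of Hacker House’s advice: it checks that the session is elevated, backs the key up before deleting it, and verifies each step. It assumes an elevated PowerShell session and a backup path under the current user’s profile.

```powershell
# Added example: back up and remove the search-ms protocol handler registration.
# Must run in an elevated PowerShell session. The backup path is an assumption.
$key    = 'HKEY_CLASSES_ROOT\search-ms'
$backup = Join-Path $env:USERPROFILE 'search-ms.reg'   # assumed backup location

# Refuse to continue unless running as Administrator (reg delete on HKCR needs it).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# The Registry:: provider path lets Test-Path read HKCR without mapping a drive.
if (-not (Test-Path "Registry::$key")) {
    Write-Output "$key is not registered; nothing to do."
    return
}

# Back up first so the handler can be restored later with: reg import <file>
reg.exe export $key $backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw "Backup of $key failed; not deleting the key."
}
Write-Output "Backed up $key to $backup"

# Remove the handler so search-ms: links no longer open a Windows Search window.
reg.exe delete $key /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Deleting $key failed." }

# Verify the deletion actually took effect.
if (Test-Path "Registry::$key") {
    Write-Warning "$key is still present after delete; check for errors above."
} else {
    Write-Output "$key removed. Restore later with: reg import `"$backup`""
}
```

Once a vendor patch is available, the exported .reg file lets you restore the handler with reg import before or after applying it.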

Kudos to the sharp eyes of Matthew Hickey for first spotting this flaw.  We can only hope when the next zero-day rears its head, researchers like Mr. Hickey will be there to help point them out and show us how to defeat them.

Some Carrier Embedded Android Apps May Have Security Vulnerabilities

Recently, Microsoft reported high severity security vulnerabilities in multiple apps offered by large international mobile service providers.  What makes this especially noteworthy is the fact that these vulnerabilities aren’t app specific, but framework specific.  Many carriers build their apps on the same basic framework, so all of them have now been found to contain the vulnerabilities.

The vulnerabilities discovered to this point are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601.

The framework is owned by a company called mce Systems.  All of the vulnerabilities involve command injection and privilege escalation.  Carriers with apps that are impacted include AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

Members of the Microsoft 365 Defender team had this to say about the issue:

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers.

All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

This is a problem with a truly vast scope.  Just counting downloads from the Google Play Store, the number runs into the millions.  Add to that the instances pre-installed on phones sold by the vendors above, and the scope and scale are simply mind-boggling.

If there’s a silver lining to be found, it lies in the fact that all the vendors who have had apps impacted by this issue have already issued updates to fix the problem.

If you have a phone sold to you by any of the providers above, check all your installed apps and make sure you’re running the latest versions.  Better safe than sorry.

Intel Users Should Update Firmware To Avoid This Ransomware

Not long ago, researchers at Eclypsium got a lucky break.  An unidentified individual began leaking communications from inside the Conti ransomware organization.

These leaked communications seemed to confirm what has long been suspected:  That there are strong ties between the Conti gang and Russia’s FSB (military intelligence).

This sounds like something right out of a spy movie, but it’s not.  The leaked messages indicate that several members of the Conti gang have been actively working on developing a new attack vector that specifically targets Intel firmware, allowing Conti to launch its ransomware attack.  Some of the black hat developers even went as far as developing a working proof of concept for others to review.

Firmware attacks are fairly rare, but they do happen.  To pull one off, the attacker would first need to gain access to the system through a conventional route, for example a phishing email that tricks the victim into granting access, or by exploiting some other known vulnerability.

In one particularly exotic scenario, they could even make this attack work without prior access, by leveraging Intel’s Management Engine to force the target machine to reboot and then supplying virtual media for it to boot from.

It’s unlikely and would take a tremendous amount of skill, but Conti has shown in recent months that they have the expertise to pull something like that off.

Fortunately, word of the new attack vector has gotten out, the details have made their way to Intel, and Intel has updated their firmware.

If you’re using an Intel machine, you should grab the latest update as soon as possible.  Conti is a well-known, notorious gang with ties to Russia.  You don’t want your company in their crosshairs, so do everything you can to minimize that risk.