

    Outsmarting The Chameleon: Preventing Polymorphic Attacks with Safe Workspace®

    June 26, 2023

    Target: Cybersecurity specialist

    Tags:  Malware, Polymorphic, Generative AI (Artificial Intelligence), Zero-trust, Application Isolation

    Polymorphic malware is a malicious software variant that possesses the capability to alter, or “morph,” its own code without affecting its core functionalities or characteristics. This special attribute enables it to slip past antivirus and other security software, positioning it as a particularly formidable and stealthy form of cyber threat. Here is a step-by-step overview of its operation:

    1. Infiltration: Polymorphic malware usually initiates its attack similarly to conventional malware – it may coax a user into clicking a malicious link, downloading a compromised file, or opening a deceptive attachment harboring the malware.
    2. Activation: Following successful infiltration, the malware springs into action, carrying out its malevolent deeds. These may span a wide spectrum, including pilfering confidential data, encrypting files for a ransom demand, or even establishing a backdoor for remote system access.
    3. Metamorphosis: The distinguishing feature of polymorphic malware lies in its subsequent action. Post-activation, it employs a range of techniques to mutate its code. These can encompass changing variable names, adjusting execution paths, adopting varying encryption methods, or even rearranging the order of instructions, all while preserving the original malicious intent.
    4. Proliferation: The malware, having metamorphosed, then disseminates its newly transformed variant to other systems. Its fresh code rendering is often unrecognizable to security software, thereby evading detection. With each new infection, the malware continues its process of transformation, thereby generating countless unique variants.

    Central to the polymorphic malware’s operation is an intricate piece of code called the mutation engine. Its role is to rewrite the malware’s code with each propagation instance. As it persistently alters its identifiable traits while its malicious payload remains unchanged, the polymorphic malware can bypass traditional signature-based detection strategies. This attribute presents it as a persistent, ever-evolving threat in the cybersecurity realm.

    The Past & Future of Polymorphic Malware

    The first polymorphic virus, named 1260 or V2PX, was detected in the 1990s. It was part of a research program aiming to reveal the limitations of antivirus scanners at that time. While it was designed to serve as a warning, it inadvertently inspired a wave of criminal activity exploiting its capabilities. Since then, countless polymorphic viruses have been created [2].

    Some well-known examples of polymorphic malware include:

    1. The Storm Worm: This was a multi-layered attack where users were tricked into downloading a Trojan via social engineering techniques. The Trojan would infect the computer and turn the system into a bot. This campaign disrupted internet service to hundreds of thousands of users, infecting more than a million endpoints [2].
    2. VirLock: Known as the first example of polymorphic ransomware, VirLock spread through shared applications and cloud storage. It acted as typical ransomware, restricting victim access to the endpoint and altering files [2].

    Polymorphic viruses present a significant challenge to cybersecurity, as their mutating nature makes them difficult to detect with traditional security tools. As noted, nearly all malware attacks today involve some form of polymorphic techniques [2]. The continued evolution and proliferation of such viruses underline the need for robust and innovative cybersecurity measures.

    The future of polymorphic malware is here. HYAS [3], a threat intelligence company, released a proof of concept for polymorphic generative-AI malware called BlackMamba. This PoC malware is a polymorphic keylogger created using ChatGPT, demonstrating the potential risk posed by artificial intelligence in the creation of polymorphic malware [3].

    What can we do?

    While modern organizations are armed with advanced detection systems, the threat of zero-days and elusive malware remains a significant concern, affecting organizations worldwide. At BUFFERZONE®, we passionately believe in the power of simplicity and clarity in deploying effective security controls to protect an organization.

    While it is possible to limit user access to activities such as browsing, file downloads, and opening attachments – all major potential attack vectors – this approach would drastically hinder the user experience at work. Thus, our security strategy takes a markedly different direction.

    BUFFERZONE® Safe Workspace® is a comprehensive suite of preventive tools rooted in application isolation technology. It comprises Safe Browsing, SafeBridge® (featuring Content Disarm and Reconstruction (CDR) capabilities), and Safe Removable (for USB attack prevention), all fortified with clipboard security. A kernel driver forms the Safe Workspace® virtual container, which virtually bifurcates the operating system into two logical areas.

    The first area, known as the trusted zone, is linked to all an organization’s networks and the operating system’s files. The second area, deemed the untrusted zone, serves as a buffer where various applications can operate securely, isolated from the trusted zone’s memory, files, registry, and processes.

    This innovative approach provides several benefits, including minimal CPU and memory usage, a high-quality user experience, and the ability to work seamlessly within the virtual container, oblivious to the protective shield against browsing and USB threats.

    BUFFERZONE® stands alone as the only virtual containment solution operating based on six patented technologies. Utilizing Safe Workspace® safeguards you from phishing attacks, malicious downloaded files, and potentially dangerous email attachments and links (via an Outlook extension). In our view, security should be straightforward and user-friendly.

    Security should be simple – do not pass what you do not trust!

    Try us now!


    References:

    [1] The Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center, Top 10 Malware Q1 2023, https://www.cisecurity.org/insights/blog/top-10-malware-q1-2023.

    [2] CrowdStrike, What is a Polymorphic Virus? Detection and Best Practices, https://www.crowdstrike.com/cybersecurity-101/malware/polymorphic-virus/

    [3] Jeff Sims, BlackMamba: Using AI to Generate Polymorphic Malware, https://www.hyas.com/blog/blackmamba-using-ai-to-generate-polymorphic-malware

    The Beginner's Guide To – OLE Malware Reverse Engineering Part 1

    June 19, 2023

    Target: Cybersecurity specialist

    Tags: OLE, PowerPoint, Excel, Word, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering.

    Microsoft’s Object Linking and Embedding (OLE) [1] is an innovative technology framework that enables the creation of intricate documents across diverse applications. It empowers Windows applications to construct objects, which can then be linked to or embedded within other documents or applications. The OLE file format engenders a compound document structure, which significantly enhances user interactivity and provides a richer, more dynamic experience.

    The OLE file format specification [1] served as the default file format for Microsoft Office applications such as Word (“.doc”), PowerPoint (“.ppt”), and Excel (“.xls”) from 1997 to 2003. However, from 2003 onwards, a new file format known as Office Open XML (OOXML) was introduced. We will delve into the intricacies of OOXML in future discussions. Nonetheless, both the OLE and OOXML file formats are still extensively utilized today due to their flexibility and compatibility. A comprehensive list of Microsoft Office supported file formats per file extension can be found in [2], indicating their continued relevance in the digital workspace.

    However, the flexibility and complexity inherent in the OLE format are also exploited by malware authors for the following reasons:

    1. Versatility and Concealment: OLE’s inherent capability to embed various object types, including executable code, enables malware authors to disguise malicious code within harmless-looking files. This can be used to take advantage of parsing vulnerabilities in Component Object Model (COM) [3] objects or to camouflage malicious code, making it more difficult for antivirus software to detect.
    2. Broad Usage: The ubiquity of Microsoft Office applications, which extensively employ the OLE format, provides a large base of potential targets worldwide. Consequently, this wide usage makes them an attractive avenue for attackers. In many instances, users tend to open these documents without a second thought, especially when they come from seemingly trustworthy sources, making the spread of malware even easier.
    3. Complexity and Obfuscation: The complexity of the OLE format can be utilized to obfuscate the true intent of malicious code, making its detection and analysis more challenging for cybersecurity tools and professionals. The format’s capacity to embed or link diverse object types can be manipulated to mask the presence of harmful elements within the compound structure of the document.
    4. Trust Exploitation: Files created in familiar applications, such as Word or Excel, are often considered safe by users. This implicit trust can be exploited by malware authors who embed malicious elements within such documents. As a result, harmful content can potentially bypass initial security checks, leading to successful infiltration.

    In response to these threats, there is a continuous development of advanced security measures and tools aimed at detecting and disarming such exploits. However, the intricate and versatile nature of the OLE format continues to present a significant challenge in the field of cybersecurity. These factors combined make OLE files an attractive medium for malware authors.

    OLE File Format

    There have been two main versions of OLE: OLE 1.0 and OLE 2.0. An OLE file is a compound file and it is structured as a file system within a file.

    • OLE 1.0: This is Microsoft’s first version. It allowed documents created in one application to be embedded into another, but it only worked with Microsoft’s own applications and was limited in other ways. OLE 1.0 is now specified only to allow for backward-compatible implementations.
    • OLE 2.0: An improved version of OLE. It works with more than just documents and can interact with software components. It improved user interaction with features like drag-and-drop, and it allowed users to edit embedded objects without leaving the original application.

    In this blog we will focus on OLE 2.0.

    An OLE 2.0 file contains data objects that are stored as files within the file, and directory tables that provide reference information to those objects. The directories in the file are called storages and the file objects are called streams.

    Oletools [4] is a suite of static analysis tools. In this blog we will use oleid, oledir, olevba and oleobj.

    To emphasize the structure, we will use oledir by running oledir <file>. Oledir is a script that displays all the directory entries of an OLE file, including free and orphaned entries. We can observe that the output contains the Status (used/unused), the Type (Root, Stream, Storage, Empty), the Name of the entry, and its position in the file structure with a size indication.

    In this blog we will not go into the details of the file header and the File Allocation Table (FAT) [1].
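    As an added example (not part of the post and not oletools code), the following Python builds a small OLE2 compound file and then walks its header, FAT and directory to list the entries the way oledir does (status, type, name, start sector, size), and reads one stream back through its FAT chain. The file layout, entry names and sizes are constructed for illustration.

```python
"""Added example: a minimal reader for the directory of an OLE2 compound file.
The sample file is constructed below; its names and sizes are invented."""
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 header signature
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
NOSTREAM = 0xFFFFFFFF                                  # "no sibling / no child" marker
ENTRY_TYPES = {0: "Empty", 1: "Storage", 2: "Stream", 5: "Root"}


def _dir_entry(name, obj_type, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
               start=ENDOFCHAIN, size=0):
    """Pack one 128-byte directory entry (only used to build the constructed sample)."""
    raw = (name + "\x00").encode("utf-16-le") if name else b""
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw),
                       obj_type, 1, left, right, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample_ole():
    """Construct a small but structurally valid OLE2 file: header, one FAT sector
    (sector 0), one directory sector (sector 1) and one 4096-byte stream (sectors 2-9)."""
    header = struct.pack("<8s16sHHHHH6s" + "I" * 9,
                         MAGIC, b"\x00" * 16, 0x3E, 0x3, 0xFFFE, 9, 6, b"\x00" * 6,
                         0,               # number of directory sectors (always 0 in v3)
                         1,               # number of FAT sectors
                         1,               # first directory sector
                         0,               # transaction signature
                         4096,            # mini stream cutoff size
                         ENDOFCHAIN, 0,   # mini FAT: first sector, count (none here)
                         ENDOFCHAIN, 0)   # DIFAT: first sector, count (none here)
    difat = struct.pack("<109I", 0, *([FREESECT] * 108))       # the FAT lives in sector 0
    # FAT: sector 0 is the FAT itself, sector 1 ends the directory chain,
    # sectors 2..9 form the stream chain 2->3->...->9->ENDOFCHAIN.
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *range(3, 10), ENDOFCHAIN,
                      *([FREESECT] * 118))
    directory = (_dir_entry("Root Entry", 5, child=1)
                 + _dir_entry("Macros", 1, right=2)                   # a storage (directory)
                 + _dir_entry("WordDocument", 2, start=2, size=4096)  # a stream (file)
                 + _dir_entry("", 0))                                 # an unused slot
    payload = (b"constructed sample stream " * 200)[:4096]
    return header + difat + fat + directory + payload


def _load_fat(data):
    """Read the header and return (sector size, FAT as a list, first directory sector)."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE2 compound file (bad signature)")
    sector = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for fat_sect in struct.unpack_from("<109I", data, 76)[:num_fat]:
        # sector n starts at byte (n + 1) * sector size: the header occupies "sector -1"
        fat.extend(struct.unpack_from("<%dI" % (sector // 4), data, (fat_sect + 1) * sector))
    return sector, fat, first_dir


def _chain(fat, start):
    """Yield the sectors of a chain by following FAT links until a special value."""
    while start < 0xFFFFFFFA:
        yield start
        start = fat[start]


def parse_ole_directory(data):
    """List every directory entry, used or not, like oledir does: status, type
    (Root/Storage/Stream/Empty), name, starting sector and size."""
    sector, fat, first_dir = _load_fat(data)
    entries = []
    for sect in _chain(fat, first_dir):
        for i in range(sector // 128):
            off = (sect + 1) * sector + i * 128
            raw = data[off:off + 128]
            name_len, obj_type = struct.unpack_from("<HB", raw, 64)
            start, size = struct.unpack_from("<IQ", raw, 116)      # v3: only low 32 bits of size are valid
            name = raw[:max(name_len - 2, 0)].decode("utf-16-le")  # length includes the NUL terminator
            entries.append({"status": "used" if obj_type else "unused",
                            "type": ENTRY_TYPES.get(obj_type, "Unknown(%d)" % obj_type),
                            "name": name, "start": start, "size": size})
    return entries


def read_stream(data, name):
    """Return the content of a named stream by following its FAT chain (regular sectors
    only; streams below the 4096-byte cutoff live in the mini stream, which is not handled)."""
    sector, fat, _ = _load_fat(data)
    entry = next(e for e in parse_ole_directory(data)
                 if e["type"] == "Stream" and e["name"] == name)
    raw = b"".join(data[(s + 1) * sector:(s + 2) * sector] for s in _chain(fat, entry["start"]))
    return raw[:entry["size"]]


if __name__ == "__main__":
    sample = build_sample_ole()
    print("%-7s %-8s %-14s %6s %6s" % ("status", "type", "name", "start", "size"))
    for e in parse_ole_directory(sample):
        start = "-" if e["start"] >= 0xFFFFFFFA else e["start"]
        print("%-7s %-8s %-14s %6s %6d" % (e["status"], e["type"], e["name"], start, e["size"]))
    print(read_stream(sample, "WordDocument")[:26])
```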


    Malware Investigation Research Steps:

    Investigating OLE malware requires a careful and systematic approach. Below are highly suggested steps we conduct in our research:

    1. Isolation: Always work in a safe environment when dealing with potential malware. This usually means using a sandbox or a dedicated, isolated system that is not connected to your network. In this blog we will work inside an Ubuntu virtual machine.
    2. Collection: The first step is gathering potentially malicious OLE files. These can be sourced from various locations like spam emails, suspicious websites, or threat intelligence feeds. We will use MalwareBazaar [4], a public malware repository, to obtain interesting malware for analysis.
    3. Static Analysis: Start by examining the OLE file without executing it. This includes viewing the file metadata, the structure, the embedded objects, scripts, or unusual elements. In this blog we will use the OleTools suite [4], specifically oledir, oleid, olevba, and oleobj.
    4. Dynamic Analysis: This involves monitoring the behavior of the OLE file when it is opened. You would typically use a sandbox environment for this, which can safely log the actions of the file, such as network connections, file system modifications, or registry changes. Many evasive behaviors are discovered during dynamic analysis that can highlight behavior that we missed during the static analysis, or we are unfamiliar with. This part will be outside of this blog’s focus.
    5. Payload Extraction: If the OLE has an embedded payload, this will need to be extracted for further analysis. This could be another file, a script, or something else. Payload extraction can be done as part of the static analysis or part of the dynamic analysis features.
    6. Code Analysis: If the OLE file includes embedded or obfuscated code, such as a macro or PowerShell, this will need to be analyzed. This involves de-obfuscating the code, understanding its functionality, and identifying any potential exploits or vulnerabilities it might use. This will be done as part of the static analysis investigation we will conduct.
    7. Threat Intelligence Correlation: Correlate the information collected about the OLE malware with threat intelligence data. This can give information on the possible threat actors, campaigns, their methods, or whether this malware has been observed before. This step is done after the collection and during the static and dynamic analysis. When we discover Indicators of Compromise (IOCs), such as dropped files (sha256/MD5 hashes), URLs, or IP addresses in the file, we can enhance our understanding of the file’s capabilities based on threat intelligence.
    8. Reporting: Finally, document your findings. This report should detail the characteristics of the malware, how it works, its impact, and recommended mitigation strategies.

    Remember to always stay safe when investigating potential malware, and only do so in a controlled and isolated environment. It is important to keep systems and software up to date to protect against known vulnerabilities that malware often exploits. This tutorial is for educational purposes only. Please take full responsibility while handling dangerous malicious files.

    OLE Research

    In this blog we will investigate sha256: 91cf5e5060f254905b48d517addd966c3f43454de14c376e8cb3b45fbd3058c9

    Threat Intelligence:

    The first stage will be reviewing the file in VirusTotal to get reputation and information about the file.


    We can observe that the file is detected as malicious by 44 engines and that the popular threat label is a trojan of type valyria/w97m.

    Dynamic Analysis:

    From viewing the file in a Joe Security sandbox environment (link) we can observe that the file has a lure image:

    The image lures the user to click “Enable editing” and “Enable Content”; this is a classic lure to enable the execution of dynamic content inside the document.

    We can observe that the malware downloads an executable from the internet (a .png file that is actually an executable, not an image) and runs it.

    Now let’s do the same based on static analysis.

    Static Analysis:

    We will initiate our analysis using oleid, a script specifically designed to scrutinize OLE files. It can identify distinctive attributes associated with malicious files. Notably, it can detect the presence of VBA macros and embedded Flash objects.

    After running oleid <file>:


    The oleid analysis reveals the presence of a VBA macro within the document, with the additional detail that it contains certain suspicious keywords. As a result, we will be executing the olevba <file> command.

    The output uncovers pertinent details regarding the VBA macro detected. It is evident that there is an auto execution command within the document, identified through the keyword ‘Document_open’. A series of suspicious keywords have also been flagged: ‘Open’, ‘write’, ‘savetofile’, ‘shell’, ‘WScript.Shell’, and ‘CreateObject Microsoft.XMLHTTP’, suggesting substantial activity within this VBA macro.

    Additionally, we have received an Indicator of Compromise (IOC) that pinpoints a URL. During the dynamic analysis we discovered that the downloaded file, although expected to be a PNG image, was in fact an executable.


    The use of olevba allows us to inspect the macro more closely. It reveals that upon opening the document, the script immediately downloads the faux PNG file, stores it, and subsequently executes it. This behavior corresponds precisely to what we observed during our dynamic analysis.


    At the time of writing, the website is already down and we cannot download the malicious file manually (which should in any case only be done inside a secure virtual machine). But from the dynamic analysis of the document file, we can search for the dropped file’s sha256 in VirusTotal:

    We can observe that the downloaded executable is recognized by most detection engines:

    In VirusTotal we can observe the Behavior and Community sections, which contain reports from different sandbox vendors that analyzed the executable. From their analysis we can learn that the file is a sample of Agent Tesla spyware. We strongly recommend visiting the Community section of VirusTotal to explore the diverse dynamic analyses conducted on this file.


    References

    [1] Object Linking and Embedding (OLE) Data Structures, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-oleds/85583d21-c1cf-4afe-a35f-d6701c5fbb6f

    [2] File format reference for Word, Excel, and PowerPoint, https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference

    [3] Component Object Model (COM), https://learn.microsoft.com/en-us/windows/win32/com/component-object-model--com--portal

    [4] OleTools, https://github.com/decalage2/oletools

    What can we learn from the Verizon Data Breach Investigations Report (DBIR)

    June 12, 2023

    Target: Consumers

    Tags: Threat Intelligence, Malware, Phishing, Insider Threat, Vulnerabilities, Ransomware, Credentials

    The 2023 Data Breach Investigations Report (DBIR) by Verizon Business has yielded several important insights into the current state of cybersecurity. The report is based on data collected from November 1, 2021, till October 31, 2022.

    The report indicates that 83% of the breaches involve external actors, most of whom are financially motivated. The report emphasizes that the human element is a key contributor, responsible for 74% of all breaches. These human-element faults are caused by social engineering attacks, errors, or misuse, and social engineering nearly doubled since last year. When analyzing the percentage of non-error and non-misuse breaches, we can learn that stolen credentials, phishing and vulnerability exploitation lead the category.

    The report highlights that the cost of ransomware incidents has more than doubled over the past two years and 24% of all breaches are caused by ransomware while the cost to the organization ranges between $1 to $2.25 million.

    The report reveals that Denial of Service (DoS), ransomware, and lost or stolen credentials – typically obtained through phishing attacks – are the predominant security incident threats. Moreover, the report highlights that web applications, email, carelessness, and desktop sharing emerge as the most significant breach-related attack vectors.

    At BUFFERZONE®, we are driven by the conviction that establishing a straightforward, uncomplicated set of controls is the optimal path towards safeguarding an organization. Admittedly, we could restrict user access to browsing, file downloads, and opening attachments – all of which are recognized as potent attack vectors. However, such measures would severely compromise the user experience at work. Therefore, our security approach takes a distinctively different route.

    BUFFERZONE® Safe Workspace® is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. The Safe Workspace® virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as a low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution that works based on six patented technologies. By using Safe Workspace® you are protected against phishing attacks, malicious downloaded files, and email attachments and links (using the Outlook extension). Security must be simple and intuitive.

    Try us now!

    The Beginner's Guide To – Adobe PDF Malware Reverse Engineering Part 1

    June 8, 2023

    Target: Cybersecurity specialist

    Tags: Adobe PDF, Malware, Content Disarm and Reconstruction (CDR), Reverse Engineering

    An Adobe PDF (Portable Document Format) file is a file format developed by Adobe Systems. It is a versatile file format that provides an easy, reliable way to present and exchange documents digitally, regardless of the software, hardware, or operating system being used by anyone who views the document [1]. According to the detected MIME type as captured in the latest Common Crawl database, PDF is the 3rd most popular file-format on the web (after HTML and XHTML); more popular than JPEG, PNG, or GIF files [2].

    The popularity of Adobe PDF files among malware authors can be attributed to several factors:

    1. Universal Use: PDF files are commonly used around the world for sharing documents. This widespread use increases the potential pool of victims for malware authors.
    2. Complexity: The PDF format is complex and can contain several types of embedded content, including JavaScript code, images, audio, video, and other types of media. This complexity provides many opportunities for hiding malicious code.
    3. Exploitable Vulnerabilities: PDF readers, including Adobe’s own Acrobat Reader, have had vulnerabilities in the past that can be exploited. For instance, a buffer overflow vulnerability in a PDF reader can potentially be exploited by a specially crafted PDF file [3].
    4. User Trust: Many users trust PDF files and consider them safe. This trust can be exploited by malware authors who hide their malicious code in a seemingly harmless document [1].
    5. Phishing: PDFs can contain hyperlinks, which can be used in phishing attacks. An unsuspecting user may be tricked into clicking a link that takes them to a malicious website [3].

    These factors combined make PDF files an attractive medium for malware authors.

    PDF File Format

    A PDF file, often utilized across various industries due to its compatibility and versatility, is a sophisticated amalgamation of elements. The file structure is as follows:

    1. Header: This segment encapsulates the PDF version number, acting as a concise introduction to the file’s format.
    2. Body: The body of a PDF file is a dynamic constellation of objects forming the document’s substance. This may include elements such as text, images, annotations, and form fields among others, each contributing to the file’s comprehensive information.
    3. Cross-reference Table: This intricate portion of a PDF file holds crucial details regarding the indirect objects, marking the byte offset for each from the file’s onset. This in-built mechanism enables PDF readers to swiftly locate, access, and render the PDF’s contents.
    4. Trailer: The trailer houses a specific pointer leading to the cross-reference table and other exceptional objects, acting as a guide to navigate through the document’s structure.

    Beyond these primary elements, a PDF file may be enriched with further components like metadata, interactive aspects (such as hyperlinks and form fields), and security settings. Notably, a PDF file’s capacity to encapsulate rich media content—encompassing graphics, fonts, text, and interactive elements like buttons and forms—is what sets it apart. Regardless of the device or software deployed for viewing, this ensures uniform display of the document.

    The remarkable flexibility offered by the PDF file format has made it a universally adopted standard for document sharing and archiving, underlining its wide-ranging adaptability across diverse platforms. A comprehensive description of the PDF structure can be found here and contains advanced information about the PDF structure [3].

    Malware Investigation Research Steps:

    Investigating PDF malware requires a careful and systematic approach. Below are highly suggested steps we conduct in our research:

    1. Isolation: Always work in a safe environment when dealing with potential malware. This usually means using a sandbox or a dedicated, isolated system that is not connected to your network. In this blog we will work inside an Ubuntu virtual machine.
    2. Collection: The first step is gathering potentially malicious PDF files. These can be sourced from various locations like spam emails, suspicious websites, or threat intelligence feeds. We will use MalwareBazaar [4], a public malware repository, to obtain interesting malware for analysis.
    3. Static Analysis: Start by examining the PDF without executing it. This includes viewing the file metadata, the structure, the embedded objects, scripts, or unusual elements. Tools like PDFiD, pdf-parser and Pdfalyzer are great sources of static analysis information. This is the focus of our blog.
    4. Dynamic Analysis: This involves monitoring the behavior of the PDF file when it is opened. You would typically use a sandbox environment for this, which can safely log the actions of the file, such as network connections, file system modifications, or registry changes. Many evasive behaviors are discovered during dynamic analysis that can highlight behavior that we missed during the static analysis, or we are unfamiliar with. This part will be outside of this blog’s focus.
    5. Payload Extraction: If the PDF has an embedded payload, this will need to be extracted for further analysis. This could be another file, a script, or something else. Payload extraction can be done as part of the static analysis or part of the dynamic analysis features.
    6. Code Analysis: If the PDF includes embedded or obfuscated code, such as JavaScript or shellcode, this will need to be analyzed. This involves de-obfuscating the code, understanding its functionality, and identifying any potential exploits or vulnerabilities it might use. This will be done as part of the static analysis investigation we will conduct.
    7. Threat Intelligence Correlation: Correlate the information collected about the PDF malware with threat intelligence data. This can give information on the possible threat actors, campaigns, their methods, or whether this malware has been observed before. This step is done after the collection and during the static and dynamic analysis. When we discover Indicators of Compromise (IOCs), such as dropped files (sha256/MD5 hashes), URLs, or IP addresses in the file, we can enhance our understanding of the file’s capabilities based on threat intelligence.
    8. Reporting: Finally, document your findings. This report should detail the characteristics of the malware, how it works, its impact, and recommended mitigation strategies.

    Remember to always stay safe when investigating potential malware, and only do so in a controlled and isolated environment. It is important to keep systems and software up to date to protect against known vulnerabilities that malware often exploits. This tutorial is for educational purposes only. Please take full responsibility while handling dangerous malicious files.

    Collection:

    In this blog, we will fetch a potentially suspicious file from MalwareBazaar and examine the PDF file jointly (remember to operate within a virtual machine). Utilizing the “file_type:pdf” filter, we will obtain the most recently uploaded PDF files within the framework. Let us proceed with the download of the latest file, with the sha256 hash: d0265161d0ed290ff81ff99e4571de9b709b357c9e663ad2b4519b68497705f5.

    This file has a low detection rate now in VirusTotal [7]:

    This indicates that the file is either a new attack or a false positive. To verify, we will start our static analysis.


    Reverse Engineering PDF File Using Static Analysis

    In this blog we will focus on PDFiD and pdf-parser from Didier Stevens [5], who created a well-known suite of research tools. We encourage you to follow him and check his website and tutorials. Furthermore, we will use a newer tool called Pdfalyzer [6] that automates the PDF research process and provides highly detailed and visual information.

    PDFiD

    PDFiD will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that, for example, contain JavaScript or execute an action when opened. PDFiD will also handle name obfuscation. However, PDFiD is not a detection tool; it is a visibility tool, and it is a great first step to start our investigation.

    By running python pdfid.py <file> we will get the following output:

    We can learn that there are 73 objects, 27 streams, 5 pages and 2 URIs. Since URIs are common in PDF files, we will drill down on the objects and investigate further.
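    As an added example (not from the post and not Didier Stevens’ code), the following Python reproduces what PDFiD does at this step: it counts the structural tokens and PDF names in a file and undoes name obfuscation (#xx escapes) before counting, so an obfuscated /OpenAction is still found, and then drills down to the objects that carry a given name. The sample PDF is constructed in the code with invented objects and a placeholder URL, and its header, body, cross-reference table and trailer are laid out as described in the PDF File Format section above.

```python
"""Added example: PDFiD-style keyword triage over a constructed PDF. The sample
document (objects, URL, script) is invented here; the header/body/xref/trailer
layout follows the PDF structure described in the post."""
import re

# Names PDFiD reports; each is matched as a whole name so /Page does not count /Pages.
NAMES = [b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA",
         b"/OpenAction", b"/Launch", b"/EmbeddedFile", b"/URI", b"/Annots"]
TOKENS = [b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref"]


def build_sample_pdf():
    """Write a five-object PDF with correct xref offsets. Object 1 hides /OpenAction
    behind name obfuscation (#41 is 'A'); object 4 is a /Link annotation with a URI."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [100 100 300 150] "
        b"/A << /S /URI /URI (http://example.invalid/placeholder.zip) >> >>",
        b"<< /S /JavaScript /JS (app.alert(1)) >>",
    ]
    out = bytearray(b"%PDF-1.7\n")                     # 1. header: the version number
    offsets = []
    for num, body in enumerate(objects, start=1):      # 2. body: the numbered objects
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)                                # 3. cross-reference table:
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:                                #    byte offset of each object
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))            # 4. trailer: points at the xref
    return bytes(out)


def normalize_names(data):
    """Undo PDF name obfuscation: any byte of a name may be written as #xx, so
    /Open#41ction and /OpenAction are the same name. PDFiD does the same."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def _count_name(norm, name):
    # A name ends at whitespace or a delimiter, so /Page does not match inside /Pages.
    return len(re.findall(re.escape(name) + rb"(?![^\s/\[\]<>(){}%])", norm))


def pdfid_summary(data):
    """Counts in the style of `pdfid.py <file>`: structural tokens plus the names above."""
    norm = normalize_names(data)
    counts = {"obj": len(re.findall(rb"\d+\s+\d+\s+obj\b", norm))}
    for tok in TOKENS:   # the lookbehind keeps 'stream' from matching inside 'endstream'
        counts[tok.decode()] = len(re.findall(rb"(?<![A-Za-z])" + tok + rb"\b", norm))
    for name in NAMES:
        counts[name.decode()] = _count_name(norm, name)
    return counts


def startxref_points_to_xref(data):
    """Trailer sanity check: the startxref offset must land on the 'xref' keyword."""
    m = re.search(rb"startxref\s+(\d+)", data)
    return bool(m) and data[int(m.group(1)):].startswith(b"xref")


def objects_with(data, name):
    """Object numbers whose body contains the (de-obfuscated) name: the drill-down
    that pdf-parser.py -o performs once PDFiD shows a count worth a closer look."""
    norm = normalize_names(data)
    return [int(num) for num, body in re.findall(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", norm, re.S)
            if _count_name(body, name)]


def extract_uris(data):
    """Pull the literal-string targets of /URI actions out of the document."""
    return [u.decode("latin-1")
            for u in re.findall(rb"/URI\s*\(([^)]*)\)", normalize_names(data))]


if __name__ == "__main__":
    pdf = build_sample_pdf()
    for key, value in pdfid_summary(pdf).items():
        if value:
            print("%-14s %d" % (key, value))
    print("startxref valid:", startxref_points_to_xref(pdf))
    print("objects with /URI:", objects_with(pdf, b"/URI"), extract_uris(pdf))
```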

    Pdfalyzer

    Pdfalyzer is a new tool in the research community and has a lot of value. It visualizes the PDF file structure and uses YARA signatures, among many other forensic capabilities.

    By running pdfalyzer <file>

    We will get the tree of the file structure and since we have multiple objects and streams, we will start the investigation with the URI.

    We can observe that object 2 has an /Annots entry that contains a link. The link is followed when the user clicks on the button in the document. Although this file is new from today, the link has already been taken down by the hosting site, so we cannot download the zip file for investigation, but it could be a malicious object. To lure the user into downloading the file it uses a lure image:

    This is a classical attack vector in PDF files. The user is not aware of what content is hidden behind the button.

    Pdf-parser.py

    It is a simple and efficient tool for object extraction from PDF files.

    Although in this case Pdfalyze  showed us the object we wanted. For some use cases it is simpler to use pdf-parser.

    The usage is as follows:

    python pdf-parser.py -f -o 4 -d extract_URL <file>

    where 4 is the number of the object we extract, and the object, if it exists, is saved to the file extract_URL.
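    To make the two steps above concrete, here is an added example (our own illustration, not PDFiD's or pdf-parser's code) that counts PDFiD-style keywords while resolving #xx name obfuscation, and pulls a single indirect object out of the file the way pdf-parser -o does. The sample PDF is constructed inline and the URL in it is a placeholder.

```python
import re

# Keywords PDFiD reports on (a subset); added illustration, not PDFiD's own code.
KEYWORDS = [b"/Page", b"/JS", b"/JavaScript", b"/OpenAction", b"/AA",
            b"/Launch", b"/URI", b"/Annots", b"/EmbeddedFile", b"/ObjStm"]
ACTIVE = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch"}  # run code on open/click

def deobfuscate_name(name: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name, e.g. /Open#41ction -> /OpenAction."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), name)

def scan_pdf(data: bytes) -> dict:
    """Count each keyword as (plain, obfuscated) like PDFiD's two columns, plus obj/stream."""
    counts = {k: [0, 0] for k in KEYWORDS}
    # A PDF name is '/' followed by regular characters; whitespace and delimiters end it.
    for m in re.finditer(rb"/[^\s/\[\]<>(){}%]+", data):
        raw = m.group(0)
        plain = deobfuscate_name(raw)
        if plain in counts:  # a name seen only in hex-escaped form is a red flag
            counts[plain][0 if raw == plain else 1] += 1
    report = {k.decode(): tuple(v) for k, v in counts.items()}
    report["obj"] = len(re.findall(rb"\b\d+\s+\d+\s+obj\b", data))
    report["stream"] = len(re.findall(rb"\bstream\b", data))  # \b excludes 'endstream'
    return report

def suspicious(report: dict) -> list:
    """Keywords worth a closer look: active content, or any name that was obfuscated."""
    return sorted(k for k, v in report.items()
                  if isinstance(v, tuple) and ((k in ACTIVE and sum(v)) or v[1]))

def get_object(data: bytes, num: int) -> bytes:
    """Raw body of indirect object `num` (what pdf-parser -o num shows), or b'' if absent."""
    m = re.search(rb"\b%d\s+\d+\s+obj\b(.*?)\bendobj\b" % num, data, re.S)
    return m.group(1).strip() if m else b""

# Constructed sample: one page with a link annotation, JavaScript and a hex-obfuscated
# /OpenAction. Not a real malware sample; the URL is a placeholder.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://example.invalid/lure.zip) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF), suspicious(scan_pdf(SAMPLE_PDF)), get_object(SAMPLE_PDF, 4))
```

    Real files add compressed object streams and cross-reference tables, which is why the dedicated tools are still the right choice; this scanner only shows the keyword-and-object logic behind them.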

    We trust you found the novice’s PDF guide Part-1 informative, and we will soon release Part-2. Kindly visit our website for upcoming blog entries.

    References

    [1] Adobe PDF, https://www.adobe.com/acrobat/about-adobe-pdf.html

    [2] Common Crawl data statistics, https://commoncrawl.github.io/cc-crawl-statistics/plots/mimetypes.

    [3] Dubin, Ran. “Content Disarm and Reconstruction of PDF Files.” IEEE Access (2023).

    [4] MalwareBazaar, Public Malware Repository, https://bazaar.abuse.ch/

    [5] Didier Stevens, PDF tools, https://blog.didierstevens.com/programs/pdf-tools/

    [6] Pdfalyzer, https://github.com/michelcrypt4d4mus/pdfalyzer

    [7] VirusTotal, https://www.virustotal.com/gui/file/d0265161d0ed290ff81ff99e4571de9b709b357c9e663ad2b4519b68497705f5

    [8] Yara, https://virustotal.github.io/yara/

    Clipboard Hijacking attacks and How to Prevent Them

    June 1, 2023

    Target: IT Professionals

    Tags: Malware, Clipboard attack

    Computer clipboard hijacking attacks occur when an attacker gains unauthorized access to the clipboard of a computer to intercept or modify the data being copied and pasted. This type of attack can be carried out through various means, such as by exploiting vulnerabilities in the operating system or by using a malicious program or script.

    One common type of clipboard hijacking attack involves a Trojan or malware program. The malware may be disguised as a legitimate application or downloaded unknowingly by the user through a phishing email or website. Once installed on the computer, the malware can monitor clipboard activity and intercept or modify the data being copied and pasted.

    Here are some examples of malware that have been known to use clipboard hijacking techniques:

    1. Zeus Panda: This is a banking Trojan that is capable of stealing login credentials and other sensitive information by intercepting the data on the clipboard. When the user copies their login information into the clipboard, the Trojan replaces it with a fake set of login credentials, which are then sent to the attacker.
    2. TrickBot: This is another banking Trojan that uses clipboard hijacking to steal sensitive information such as credit card numbers and login credentials. The malware monitors the clipboard activity and intercepts the data being copied and pasted, which is then sent to the attacker.
    3. CryptoShuffler: This is a type of malware that targets cryptocurrency wallets by intercepting the clipboard data and replacing the legitimate wallet address with a fake one. When the user tries to transfer cryptocurrency to the wallet address, it is instead sent to the attacker’s wallet.
    4. Clipboard Ghost: This is a clipboard hijacking malware that can intercept data being copied and pasted and replace it with malicious code or links. The malware can also inject code into the clipboard data to execute malicious commands on the user’s computer.
    5. Malicious Tor Browser: Recently, malicious Tor Browser installers have targeted Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users’ cryptocurrency transactions.
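    The wallet-address swap (CryptoShuffler) and the injected link (Clipboard Ghost) described above share one detectable trait: what comes out of the clipboard is no longer what went in. The following added example (our own illustration, not BUFFERZONE's product code) fingerprints the copied text and checks it again at paste time; the clipboard itself is modelled by the two method calls, the address patterns are simplified, and both wallet addresses are constructed values.

```python
import hashlib
import re

# Simplified address shapes targeted by the substitution malware described above
# (constructed patterns for illustration, not a complete validator).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
URL_RE = re.compile(r"https?://\S+", re.I)

def classify(text: str):
    """Return the address family `text` looks like, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

class ClipboardGuard:
    """Remembers a fingerprint of what the user copied and checks it again at paste time."""
    def __init__(self):
        self._copied = None  # (sha256 of copied text, address family or None)

    def on_copy(self, text: str) -> None:
        self._copied = (hashlib.sha256(text.encode()).hexdigest(), classify(text))

    def on_paste(self, clipboard_text: str) -> str:
        """'ok' if the clipboard still holds what was copied, else a 'blocked: ...' reason."""
        if self._copied is None:
            return "ok"  # nothing recorded for this session
        digest, family = self._copied
        if hashlib.sha256(clipboard_text.encode()).hexdigest() == digest:
            return "ok"
        new_family = classify(clipboard_text)
        if family and new_family:  # CryptoShuffler-style wallet address swap
            return f"blocked: {family} address replaced with a different {new_family} address"
        if URL_RE.search(clipboard_text):  # Clipboard Ghost-style link injection
            return "blocked: link injected into clipboard contents"
        return "blocked: clipboard contents changed since copy"

# Constructed values: neither address belongs to anyone.
WALLET = "0x" + "1234567890abcdef" * 2 + "12345678"
SWAPPED = "0x" + "deadbeef" * 5

if __name__ == "__main__":
    guard = ClipboardGuard()
    guard.on_copy(WALLET)
    print(guard.on_paste(WALLET), "|", guard.on_paste(SWAPPED))
```

    A real deployment would hook the operating system's clipboard events rather than these two calls; the comparison logic stays the same.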

    Another type of clipboard hijacking attack involves the use of a website or web application. In this case, the attacker may embed malicious code into a webpage, which can then access the clipboard data of the user’s computer when the user copies or pastes information from the webpage. This can allow the attacker to steal sensitive information such as login credentials, credit card numbers, or other personal data.

    To protect against clipboard hijacking attacks, it is important to take several measures, such as:

    1. Use an antivirus or anti-malware program to detect and remove any malicious software on your computer.
    2. Be cautious when downloading and installing software from untrusted sources and avoid clicking on links in suspicious emails or websites.
    3. Keep your operating system and software up to date with the latest security patches to minimize the risk of vulnerabilities being exploited.
    4. Use a password manager to store and automatically enter login credentials, rather than copying and pasting them from a clipboard.
    5. Clear your clipboard regularly to remove any sensitive data that may have been copied and prevent it from being accessed by unauthorized parties.
    6. Use isolation technologies (please see our blog).

    BUFFERZONE® Safe Workspace® is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), Safe Removable (USB attack prevention), all combined with clipboard security. Safe Workspace® virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution that works based on six patented technologies.

    The solution prevents clipboard data from being copied from the trusted zone to the untrusted zone, where the user is browsing and opening new attachments. By using an advanced isolation solution, the organization’s content is secure. Downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can always scan the untrusted virtual zone. The virtual environment can be cleaned in one click, eliminating any malicious traces.

    In summary, clipboard hijacking attacks can pose a serious threat to the security of your personal and sensitive information. By taking the appropriate precautions and staying vigilant, you can help protect yourself from these types of attacks.

    Cryptojacking – What is it?

    May 30, 2023

    Target: Executives and business leaders

    Keywords: Coin miners, malware, bitcoin

    Cryptojacking is a type of cybercrime in which a hacker gains unauthorized access to a victim’s computer or device and uses its resources to mine cryptocurrency.

    The term “cryptojacking” combines “cryptocurrency” and “hijacking.” Unlike traditional hacking methods that directly steal cryptocurrencies or sensitive information, cryptojacking focuses on leveraging the victim’s processing power for mining purposes. Mining involves solving complex mathematical problems to validate and record transactions on a blockchain network.

    Cryptojacking can be done in a variety of ways, including:

    • Through malicious software: Hackers can infect a victim’s computer with malware that contains a cryptojacking payload. Once the malware is installed, it will begin mining cryptocurrency in the background (utilizing the device’s CPU or GPU), without the victim’s knowledge or consent.
    • Through drive-by downloads: Hackers can exploit vulnerabilities in a victim’s web browser to deliver a cryptojacking payload. When the victim visits a compromised website, the payload will be downloaded and executed, without the victim’s knowledge.
    • Through social engineering: Hackers can trick victims into downloading a cryptojacking payload by sending them a malicious email or link. Once the payload is downloaded, it will begin mining cryptocurrency in the background.

    Cryptojacking can have several negative consequences for victims. It can significantly slow down their devices, consume excessive electricity, and lead to higher utility bills. Additionally, prolonged use of system resources may cause overheating and hardware damage.

    What are the risks of cryptojacking?

    There are several risks associated with cryptojacking, including:

    • Performance problems: Cryptojacking can consume a significant amount of CPU resources, which can lead to performance problems, such as slowness, crashes, and overheating.
    • Increased electricity bills: Cryptojacking can also increase a victim’s electricity bill, as the computer will be using more power to mine cryptocurrency.
    • Security risks: Cryptojacking malware can also pose a security risk, as it can be used to steal personal information or to install other malware on a victim’s computer.

    How can I protect myself from cryptojacking?

    There are several things that users can do to protect themselves from cryptojacking, including:

    • Keep their software up to date: Software updates often include security patches that can help to protect against cryptojacking attacks.
    • Use a security solution: A security solution can help to detect and block cryptojacking threats.
    • Be careful about what they click on: Avoid clicking on links in emails or on websites that they are not familiar with.
    • Use a VPN: A VPN can help to protect your privacy and security when you are using public Wi-Fi networks.
    • Use Isolation technology.

    How BUFFERZONE® Safe Workspace® eliminates the problem:

    The BUFFERZONE virtual container is created by a kernel driver, which virtually separates the operating system into two zones. The first zone is the trusted zone, which is connected to all the organization’s networks. The second zone is called the untrusted zone, which acts as a buffer zone where various applications, including browsers, run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats.

    BUFFERZONE® Safe Workspace® is the only virtual containment solution, working based on 6 patented technologies. For business continuity as needed, Safe Workspace® incorporates SafeBridge® – local CDR (Content Disarm & Reconstruct) disarming, right there on the endpoint. SafeBridge® can also utilize server-based CDR as needed.

    When the user works inside BUFFERZONE, the cryptojacking malware is locked inside the virtual container: it cannot escape or move laterally to other machines and servers in the organization, so the organization stays safe.