Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat

Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and alters the way ldd displays the list of loaded SOs so as to remove itself from it. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and returning scrubbed file content for /proc/net/tcp, which lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions, filtering out packets containing certain domains and fixing up the packet count. All these evasion measures can lead to Symbiote remaining hidden during a live forensic investigation.

Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by loading additional libraries.

MITRE ATT&CK: Hijack Execution Flow - T1574 | Hide Artifacts - T1564 | Exfiltration Over Alternative Protocol - T1048 | Data Staged - T1074

Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2

Alert (AA22-158A).

People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities, concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” that obfuscate their China-based IP addresses in preparation for and during the next intrusion. Similarly, routers in IT and telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router-specific software frameworks, RouterSploit and RouterScan.

Analyst Comment: When planning your company update strategy and automation, do not leave out network devices. Disable unused or unnecessary network services, ports, protocols, and devices.

MITRE ATT&CK: External Remote Services - T1133 | Exploit Public-Facing Application - T1190 | Valid Accounts - T1078 | Credentials from Password Stores - T1555 | Automated Collection - T1119 | Automated Exfiltration - T1020 | Protocol Tunneling - T1572 | System Network Configuration Discovery - T1016

MakeMoney Malvertising Campaign Adds Fake Update Template

The MakeMoney malvertising campaign has been active since December 2019. Through the years it was mostly engaging in drive-by exploits via the RIG exploit kit (EK), although it was also observed serving Fallout EK in a 2020 campaign. The final payload was typically some kind of infostealer malware such as RedLine or KPOT. In 2022, Malwarebytes researchers detected a change in tactic, with MakeMoney displaying a fake update to trick users into activating a loader that leads to the BrowserAssistant adware infection.

Analyst Comment: Network defenders should block the known MakeMoney infrastructure, as the group was often reusing the same servers.
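A live-response cross-check for the /proc/net/tcp scrubbing described in the Symbiote item above, added here as an example and not code from the Intezer/BlackBerry analysis: it reads the socket table once through fopen() (the path the page says Symbiote hooks) and once through raw openat/read syscalls, then counts lines that only the syscall path shows. It assumes a Linux host and, as the page describes, that only fopen/fopen64 are hooked; since syscall() is itself a libc symbol, a statically linked build of this checker is what removes the LD_PRELOAD exposure entirely, as the analyst comment notes.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
/* Does `line` (len bytes, no newline) occur as a whole line in `view`? */
static int has_line(const char *view, const char *line, size_t len) {
    for (const char *p = view; *p;) {
        const char *nl = strchr(p, '\n');
        size_t l = nl ? (size_t)(nl - p) : strlen(p);
        if (l == len && memcmp(p, line, len) == 0) return 1;
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}
/* Non-empty lines present in raw_view but absent from libc_view; non-zero => the fopen() path is being scrubbed. */
int count_hidden_lines(const char *libc_view, const char *raw_view) {
    int hidden = 0;
    for (const char *p = raw_view; *p;) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && !has_line(libc_view, p, len)) hidden++;
        if (!nl) break;
        p = nl + 1;
    }
    return hidden;
}
/* Hypothetical helper: read `path` via raw openat/read syscalls so fopen/fopen64 hooks are not on the code path. */
static size_t read_raw(const char *path, char *buf, size_t cap) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY), n;
    size_t total = 0;
    if (fd < 0) { buf[0] = '\0'; return 0; }
    while ((n = syscall(SYS_read, fd, buf + total, cap - 1 - total)) > 0) total += (size_t)n;
    syscall(SYS_close, fd);
    buf[total] = '\0';
    return total;
}
int main(void) {
    static char libc_view[65536], raw_view[65536];
    FILE *f = fopen("/proc/net/tcp", "r");   /* the hookable libc path */
    if (!f) { perror("fopen"); return 1; }
    libc_view[fread(libc_view, 1, sizeof libc_view - 1, f)] = '\0';
    fclose(f);
    read_raw("/proc/net/tcp", raw_view, sizeof raw_view);
    int hidden = count_hidden_lines(libc_view, raw_view);
    printf("%d socket line(s) seen via syscall but missing from the fopen() view\n", hidden);
    return hidden ? 2 : 0;
}
```

On a clean host the count is 0; the same comparison applies to /proc/net/tcp6 and /proc/net/udp, which the page's UDP discussion makes worth checking too.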