Saturday, 28 April 2018

GravityRAT - Evolution of APT! IOC’s and Preventive Measures.!!

GravityRAT is quickly evolving type of malware/trojan called a Remote Access Trojan. These threats are very insidious as they are lurking everywhere in virtual world. 

It first appeared in early 2016 and remained hard to detect. It has already been observed by National Computer Emergency Response Team and warned about the seriousness of this attack as it was affecting India,the UK and US.

The Malware authors using various techniques file exfiltration ,command and control execution capability and using testing files on virustotal to check antivirus capability to detect.

GravityRAT infects systems via social media tricks such as spam email with malicious documents, links, malvertising campaigns or exploits of vulnerable websites, and takes advantage of exploits kits, VB Macros etc.

Testing by the Author


The first image shows object frame that attacker has created for testing the AV on virustotal.

                                                    Testing by embedding a frame.

Downloading putty.exe for testing.

GravityRAT infection path.

Most of the word documents and xlsx are hewed in such a way by the attacker which makes it' hard to understand normal user. The malware author embedding macro inside the object of MS Document/XLSX.

The above image shows you the actual malicious doc embedded with macro with the specific code.

This doc is actually an archive file which you can extract through 7zip and can look what exactly that doc is embedded with.

Look into the above image where actual code which is inside the macro. 
  1. The first function which is highlighted above is executed when the document is opened which actually copies the active document in %TEMP% directory in file.
  2. The second function extract the .exe file stored in it.
  3. Third function creates a schedule task, named 'wordtest' to execute this malicious file everyday. 

So, there is no direct execution of the ,document in order to make itself undetected.

Extracted media files from the malicious doc archive.

The following extracted image4.exe is hazardous DOTnet file which is executing intelcorenew.exe which actually remote access trojan which is sending information to the server.

  • Firstly, Its looking for the internet connection and take a sleep of 60000 secs and then looking for PC information in order to fool the antivirus.
  • Creating files to save information about the root directory and other directories.
  • Creating an array to get the the path where they can store the specific ext files.

  • Steal information of the files with specific extensions.

  • Looking for the Specific active domains at the time.


List of CnC servers are communicating through the http connection.

Md5's and Sha's:



Malware stealing several information such as Username, ComputerName etc.

Malicious PowerShell scripts are a key ingredient to many fileless malware. Windows PowerShell is a built-in tool based on the .NET framework comprising a command-line shell, an interface that lets users access services of the operating system (OS), and a programming language that can be used to create scripts. PowerShell is designed to automate system administration tasks, such as view all USB devices, drives, and services installed in the system, schedule a series of commands and set it in the background, or terminate processes (like Task Manager).

Registry changes activity so that it can execute silently after every reboot or a day.

National CERT mentions that C2 server infrastructure of GravityRAT shows that author was specifically targeting Indian entities/Organizations.

The author has leaked the information within the samples how he has tested the sample in order to decrease the detection ratio across several AVengines . All the samples were uploaded from Pakistan to virustotal which clearly shows author was using VPN connection.

Precautionary Measures

Steps to follow:
  • Don't open any attachment from unknown source.
  • Verify it by using 7zip is it archive or normal doc by right clicking on the doc. if it's showing extract option which means it's an archive.
  • General names : Invoice.doc, Bank_payment.doc etc.
  • if any suspicious indicator found upload on and verify.
  • Update antivirus and your system everyday.

                             STAY AWAKE  STAY AWARE STAY CONNECTED
                                                   DON'T BE THE VICTIM

Friday, 17 March 2017

How one Pic can hack your WhatsApp and Telegram Accounts

Be Careful while clicking on photographs of a cute cat or chick because due to new vulnerability of WhatsApp your personal data can be leaked in seconds.

A new security vulnerability has recently been patched by two popular end-to-end encrypted messaging services — WhatsApp and Telegram — that could have allowed hackers to completely take over user account just by having a user simply click on a picture.

The Hack only affected the browser based versions of WhatsApp and Telegram, so users relying on apps don't have to be worry about this.

Check Point researchers today revealed about this new vulnerability on WhatsApp and Telegram’s online web platforms. By exploiting this vulnerability, attackers could completely take over user accounts, and access user's personal and group conversations, photos, videos and other shared files, contact lists, and  many more.

Vulnerabilty Impact

The vulnerability allows an attacker to send the malicious code to user, hidden within an innocent looking image. As soon as the user clicks on the image, the attacker can gain full access to the victim’s WhatsApp or Telegram storage data, thus giving full access to the victim’s account
The Attacker then can steal all the data stored in WhatsApp such as images, Contact list, Videos, Chats etc.

Disclosure And Patching

Check Point disclosed this information to the WhatsApp and Telegram security teams on March 8, 2017. WhatsApp and Telegram acknowledged the security issue and developed fixes for worldwide web clients.
“Thankfully, WhatsApp and Telegram responded quickly and responsibly to deploy the mitigation against exploitation of this issue in all web clients,” said Oded Vanunu, head of product vulnerability research at Check Point. WhatsApp Web users wishing to ensure that they are using the latest version are advised to restart their browser.

Demo of WhatsApp Account Takeover

Demo of Telegram Account Takeover

Friday, 10 February 2017

Apple Mac Security Breached

Macro Malware Hits Mac Users

After hounding Windows users, macro malware has taken its first steps towards affecting the other operating system on which the Microsoft Office suite is available, and that's Apple's macOS.
One of the first macro malware attacks on macOS users was discovered this week, on Monday, by Snorre Fagerland, Senior Principal Security Researcher at Symantec, and later analyzed by Patrick Wardle, Director of Research at Synack.
The file in question was a word file named "U.S. Allies and Rivals Digest Trump's Victory - Carnegie Endowment for International Peace.docm," which at the time it was discovered, was only detected by four antivirus scanners on VirusTotal.
According to Wardle, this Word document contained a macro script that prompted Office to show Mac users a warning that most Windows users are very familiar with.
Office macro warning on macOS
Office macro warning on macOS (via Pattrick Wardle)
Allowing the macro scripts to execute when opening the Word file would result in an immediate infection, as the malicious code contained within was set to execute under an auto-open function.
Wardle, who extracted the macro script and analyzed it, says the macro contained a chunk of base64 data, which it extracted and executed as Python commands.
After a closer look at these commands, Wardle says the script would go through four stages:
  • Check if a Mac security app called LittleSnitch was running
  • Downloads another payload from a remote server (
  • Decrypts the payload via RC4
  • Execute the decrypted payload
Because the remote server was down when Wardle analyzed the macro script, he never got to verify the true capabilities and purpose of the second-stage payload.
Nevertheless, Wardle did identify the commands in the first-stage payload as snippets taken from EmPyre, a post-exploitation OS X/Linux agent written in Python 2.7.
Common sense says that the second-stage payload must have also borrowed some tricks from EmPyre, which includes modules for dumping the Apple keychain (password store), spying via the webcam, and stealing browser history files.
Wardle also discovered that the server from where the Word macro script downloaded the second-stage payload was located in Russia, on an IP address previously associated with other malware campaigns.
"Overall this malware sample isn't particularly advanced. [...] However let's be nice and give the attackers some credit," Wardle says. "By using a macros in Word [sic] document they are exploiting the weakest link; humans! And moreover since macros are 'legitimate' functionality (vs. say a memory corruption vulnerability) the malware's infection vector doesn't have to worry about crashing the system nor being 'patched' out."

Mac malware isn't as rare as it once was

In the past years, Mac users have been generally ignored by malware authors, similarly to Linux users. Nonetheless, attacks on both Mac and Linux users are now intensifying as both operating systems have become more popular.
On the same day the macro malware attack targeting Mac users was discovered, Claudio Guarnieri, security researcher for Citizen Lab, published research on an Iranian APT called iKittens, who developed and deployed a new Mac malware called MacDownloader.

Wednesday, 18 January 2017


Simple hack allows hackers to listen all your Facebook Messenger voice messages as well as Facebook own Whatsapp.

A Security Researcher Mohamed A. Baset has says that a Vulnerability in Facebook allows a hacker to your private Facebook voice messages sent over chat. This is possible due to the lack of proper authentication and HSTS policy on Facebook CDN servers. While Facebook has acknowledged bug, it's a yet to patch it.  The Company has also said that it's working to roll out HSTS to its sub domains.

How does a Hacker listen to your Facebook voice message?
Here’s a proof-of-concept video of the Facebook voice messages CDN hack:

Facebook Has Still Not Patched This Bug

Both Facebook Messenger and Whatsapp allow users to send voice messages  using the Mic icon in the chat bar.  Most users don't use Facebook Messenger voice message feature, it is still very popular. 

Whenever you are sending a message to anyone just be aware of that your messages might be sniffed by potential hackers(MITM Attack).

Egyptian Security Researcher Mohamed A. Baset has a found a Vulnerability in Facebook Messenger's audia clip recording feature that allows any hacker to listen the voice messages.

MITM attack allows any hacker to grab your audio clip files from Facebook Server.

How does a Hacker Listen to the Message?

The Facebook Messenger voice chat flaw is so simple that a hacker with minimum technical skill can exploit it. Whenever a person records an audio clip and sends it to some other person, the clip is uploaded to Facebook’s CDN server for example…, from where it serves the same audio file, over HTTPS, to both the sender as well as the receiver.

Now, any attacker sitting on your network, running MITM attack with SSL Strip, can actually extract absolute links (including secret authentication token embedded in the URL) to all audio files exchanged between sender and receiver during that process.
Then, the attacker downgrades those absolute links from HTTPS to HTTP, allowing the attacker to direct download those audio files without any authentication.
Baset explains that the issue lies in the way the chat is exchanged over HTTPS to HTTP servers. Facebook is yet to implement a highly secure transport protocol called HSTS. HSTS (HTTP Strict Transport Security) forces browsers to access a website only over an HTTPS connection while disallowing communication between a secured and unsecured web server. In this case, Facebook is yet to roll out HSTS policy for its chat servers. The issue is worsened due to the fact that Facebook also lacks proper authentication allowing any hacker to launch a MiTM attack and snoop on the voice chat.

Though the FB voice chat vulnerability looks critical, Facebook is yet to patch it. Baset has informed Facebook security engineers about the vulnerability long back. While Facebook engineers have acknowledged the bug, it didn’t offer any bug bounty to Baset neither has it patched the bug. “The fact that we have not rolled it (HSTS) out on particular subdomains does not constitute a valid report under our program,” the company said.
“In general, sending in reports that claim we should be using defense-in-depth mechanisms like HSTS will not qualify under our program. We make very deliberate decisions about when we roll out (or not) particular protections and so reports suggesting that we make changes there generally do not qualify,” It added.

Proof Of Concept :Bug Not Yet Fixed

Sunday, 8 January 2017

Ransomware Targeting to Linux now (Kill Disk Ransomware)

KillDisk(Disk Wiping Malware), which has previously been used in hack attacks tied to espionage operations, has been given an update. Now, the malware works on Linux as well as Windows systems and also includes the ability to encrypt files, demand a bitcoin ransom and leave Linux systems unbootable.
Multiple security firms have been tracking the use of the Kill Disk Malware, particularly against targets in Ukraine.
That includes an ongoing series of online attacks against multiple financial institutions that began on Dec. 6, 2016, according to security researchers at Slovakia-based IT security firm ESET. Since those attacks began, versions of KillDisk have emerged that can infect not only Windows, but also Linux workstations - and potentially Linux servers - with a ransomware variant, ESET says. But the Linux variant appears to create an encryption key that never gets saved to disk or relayed to attackers, meaning that even if victims pay the ransom demand, there's no way they would ever receive a decryption key.
The emergence of the Windows crypto link KillDisk variant was first spotted by Framingham, Mass.-based security firm CyberX The firm says it believes that the malware is tied to the Telebots group, which appears to have evolved from the Sandworm - aka BlackEnergy - gang. "We believe the malware is being distributed via malicious Office attachments," the firm says in a Dec. 27, 2016, blog post. It notes that some versions of the malware display a screen with imagery pulled from the "Mr. Robot" television show.
Crypto-Locked Linux Won't Boot
ESET, meanwhile, first spotted the Linux variant of the updated KillDisk malware. It says the Linux version overwrites the GRUB bootloader - the first code to run when a Linux system gets booted - to prevent it from booting, instead displaying only a ransom message. The Windows variant, meanwhile, encrypts files using a 256-bit AES encryption key, then encrypts the symmetric AES key - required to decrypt the data - using a 1024 bit RSA key.

Security experts say that the ransom messages display the exact same content: the ransom amount, bitcoin address for paying the ransom as well as a contact email for the attacker registered with, a secure, anonymous email service. A message sent to the listed email address wasn't immediately returned.
The ransom demand is the same for both Linux and Windows systems: 222 bitcoins, currently worth about $210,000.

Not paying the ransom, however, is a good move.
For starters, as law enforcement agencies and cybercrime experts have long advised, victims should ideally never pay ransoms because they fund continuing cybercrime operations and are no guarantee that attackers will actually decrypt files.

In the case of KillDisk, however, it's not even clear if attackers would be able to provide a decryption key - at least for the Linux version. "It is important to note that paying the ransom demanded for the recovery of encrypted files is a waste of time and money. The encryption keys generated on the affected host are neither saved locally nor sent to a C&C server," ESET security researchers Robert Lipovsky and Peter Kálnai say in a blog post. "Let us emphasize that - the cyber criminals behind this [Linux] KillDisk variant cannot supply their victims with the decryption keys to recover their files, despite those victims paying the extremely large sum demanded by this ransomware."
The evolution of KillDisk from disk-wiping malware to also functioning as crypto-locking ransomware appears to be a cynical, psychological ploy by attackers. Instead of simply wiping systems, as KillDisk has previously done, attackers can encrypt them - still effectively putting the data beyond reach - while taunting victims with the possibility of getting their data restored if they send attackers a massive payoff.
To date, however, no one appears to have paid the ransom, at least based on the blockchain record for the bitcoin address published in ESET's report. So far, the account has only recorded one transaction, of 0.0001 bitcoins - worth just $0.10 - which was likely attackers testing the account before listing it in their ransomware.
One upside for Linux - but not Windows - victims of KillDisk, ESET adds, is that attackers appear to have slightly fumbled their crypto, "which makes recovery possible, albeit difficult." But don't count on future versions to have the same flaw.
Linux Ransomware: Unexpected Move
The move to target Linux systems with crypto-locking ransomware is an unusual evolution on two fronts, the ESET security researchers say. First, attackers seeking to maximize the bang for their buck don't typically target Linux servers.
Second, whereas ransomware is a hallmark of cybercrime gangs, KillDisk has previously been tied to apparent cyber-espionage operations, including November 2015 attacks against Ukrainian news agencies. After parts of Ukraine's power grid experienced blackouts in December 2015, furthermore, investigators also reported that both the BlackEnergy 3 cyber-espionage Trojan and KillDisk disk-wiping malware were recovered from at least one of the affected power provider's Windows PCs, meaning that attackers have also been targeting industrial control and SCADA systems.
It's not clear if attacks against Ukrainian energy providers have been continuing. Last month, Ukraine's national power company, Ukrenergo, reported that it was investigating whether Dec. 17, 2016, blackouts were the result of a hack attack. Ukrenergo has yet to comment further on the results of its investigation, however, so the blackout might not have been the result of a hack attack.
Separately, several security firms have noted that the Sandworm - aka BlackEnergy - group may have morphed into TeleBots. ESET says TeleBots last month was using attack tools that relied on the popular Telegram messenger service to relay command-and-control instructions between attackers and infected devices and continuing to target Ukrainian organizations. The security firm says TeleBots was also behind last month's attacks against multiple Ukrainian financial services firms, which it declined to name.
But it's not clear if KillDisk is used solely by one group of attackers, or what their motives might be. As the ESET researchers note: "Any ties between orchestrators of these attacks remain unclear and purely circumstantial."

Friday, 6 January 2017

Golden Eye Ransomware targets HR departments with fake job applications

Spam Campaign targets those who most often need to open attachments from unknown sources.

Attackers are posing as job applicants as part of a new campaign to infect victims in corporate human resources departments with GoldenEye ransomware -- and they're even providing covering letters in an effort to lull targets into a false sense of security.
A variant of the Petya ransomware, GoldenEye targets human resources departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.
Cybersecurity researchers at Check Point have been monitoring the campaign, which attempts to deliver ransomware to German targets using emails and attachments claiming to be from job applicants. The initial email contains a short message from the fake applicant, directing the victim to two attachments.
The first is a covering letter within a PDF which doesn't actually contain any malicious software, but is intended to reassure the target that they're dealing with a standard job application. However, the second attachment is an Excel file supposedly containing an application form but which in fact contains the malicious GoldenEye payload.
Upon opening the Excel attachment, the target is presented with a document which claims to be 'Loading' and requires them to enable Macros to view the file. When Macros are enabled, GoldenEye executes a code and begins encrypting the users' files before presenting them with a ransom note using yellow text -- rather than the red or green used by other Petya variants.
The note demands the victim pays a ransom of 1.3 bitcoins - around $1,000 - in order to retrieve their files. Much like other increasingly professional ransomware and cybercriminal campaigns, the perpetrators detail how the victim can acquire bitcoin on the dark web and even offer the option of exchanging messages with a GoldenEye admin if they're having trouble with the payment or decryption process.
It's believed by researchers that the developer behind Petya ransomware is going by the alias Janus -- apparently borrowing the name of a cybercrminal group in the 1995 James Bond film GoldenEye.
The cybercriminal operation behind the GoldenEye campaign has also been known to offer ransomware-as-a-service schemes which allow almost any wannabe hacker to cash-in on cyber extortion.

One way users can avoid falling victim to GoldenEye and other ransomware variants is by never enabling Macros within Microsoft Office documents and being mindful of unexpected or overly generic email messages.


Thursday, 5 January 2017

Apple iPhone bug causes iMessage app to freeze, crash

A new bug has been revealed for Apple iMessage that causes the app to freeze. YouTube user vincedes3 posted a video on his channel demonstrating how a vcf attachment sent on iPhone running on iOS 8 to 10.2.1 makes your iMessage vulnerable to the bug. Clicking on the malicious message, which is basically a large vcf file, will cause iMessage app to freeze. You can dismiss iMessage from recently used apps on your iPhone, but reopening will cause it to crash.
“When you click, iOS want to read the text, the text in the file is very complicated for the system and cause a CPU average: the app freeze. You close the app, want to reopen but iOS want to reload the previous message but can’t because it’s the vcf file,” vincedes3 explains on his site.

However, he has provided a ‘magical link’ on the site, which he claims will make the bug go away, restoring iMessage app to normal. However, he has warned the fix (link) doesn’t work for some iPad devices. Users will need to open the given link on Safari browser. The link then starts to fix your app and you receive a message in the end that says, “‘I have just save you’re iPhone bro ;-)”
The exploit is particularly destructive in that restarting the Messages app, or even the iPhone, is ineffective, unless the owner looks to Vincedes3’s blog post for a solution.
Along with access to a copy of the vCard, Vincedes3 has thankfully detailed multiple ways of restoring the iOS device to normal. The exploit works on the premise that Apple’s iOS will always try to open the most recently opened text. By sending yourself a message and then opening it via Siri, the exploit will move down the list of messages and become ineffective. Alternatively, the hacker has supplied a link which can be opened in Safari to restore the iOS device to normal.
This is not the first bug facing iOS devices in recent times. A five-second video was shared by YouTube channel EverythingApplePro, and viewing it on Safari caused iOS to crash. However, the bug wasn’t limited to one iOS build.
In May last year there was a bug which caused iPhones running iOS 8.3 to crash when a message containing a specific string of text was received. Apple had later issued a software fix for the bug. The Cupertino giant is likely to do the same this time around as well.