When Lily from Human Resources develops BIOS code in her spare time.
Costin Raiu
@craiu
Technology-Security Company · Bucharest · Joined October 2007
Costin Raiu’s posts
This is nuts. Solarwinds had a support page (now removed) advising users to DISABLE antivirus scanning for Orion products' folders.
23 years ago, I joined the Kaspersky team. Today, I am 46 and that makes it half my life dedicated to protecting the world. You probably know some of the research we did over the years in GReAT – looking back, I’m very proud of what we accomplished. It has been an incredible…
Out of the 140 known C2 servers we are tracking at OVH that are used by APT and sophisticated crime groups, approximately 64% are still online. The affected 36% include several APTs: Charming Kitten, APT39, Bahamut and OceanLotus.
A sample of the iOS malware family described by Google and used in zero days attacks finally hit multi-scanner services today. sha256: 0d2ee9ade24163613772fdda201af985d852ab506e3d3e7f07fb3fa8b0853560
Wow, is that a floppy disk reader on this Emotet server in Ukraine? Also love the soldering iron next to it.
Interesting, Xiaomi browsers have different telemetry endpoints for Russia, India and "Intl". No "EU"? (for more details see the recent work from and the article from )
Thanks to the latest Whatsapp patch, we can now see stickers in full size. Also patching a RCE used in the wild to deploy malware, but who cares about that.
We found another 0day used in the wild, CVE-2019-0859. This one seems to have been developed by the prolific 0day maker and seller known as “Volodya”. Volodya sells 0days to both criminals and APTs
So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast.
Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by from Google.
Asus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. We estimate this may have affected over 1 million computer users between June and Nov 2018.
In case this story gave you chills, search your network logs for: bin5y4muil.execute-api.us-east-1.amazonaws[.]com - 👇👇👇
Simple math problem. It takes 10 programmers 4 months to write a backdoor. How long does it take 1000 programmers to write the same backdoor? 🤔
#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant.
"Apple is aware of a report that this issue may have been actively exploited" - iOS 14.4 is out, patching webkit+kernel 0-days:
Kudos to #Cisco for publishing details of their security breach by initial access broker (IAB) with ties to #UNC2447, #Lapsus$ and #Yanluowang. There are so many lessons to be drawn from this highlighted part about the initial access:
New MikroTik zero day attack patched yesterday installs mips malware that appears related to Luabot, fetches next stage from two hardcoded C2s.
Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild by an unknown APT:
While looking at the #SolarWinds #Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar, used by Turla. Our analysis: securelist.com/sunburst-backd #unc2452 #darkhalo
Giving back to the community is part of our work philosophy. Today we open source KLARA, our #yara scanning framework. Props to who made this possible. Cc
Possibly the most popular phrase of 2020: "Let me try to share my screen. Can you all see my screen?" #sasathome
A few days ago our technologies caught a new Chrome 0day exploit used in the wild and we reported it to Google. Just released - Chrome 78 patches it, credits to my colleagues and Alexey Kulaev for finding the bug.
My bad - finished analyzing all #Wannacry worm mods we have and they all have the kill switch inside. No version without a kill-switch yet.
Interesting opsec slip in one second stage loader used by UNC2452 / DarkHalo post abusing SolarWinds backdoor: sample has forgotten C++ header path pointing to: "c:\build\workspace\cobalt_cryptor_far (dev071)\farmanager\far\platform.concurrency.hpp"
The Lazarus APT group, known for targeting security researchers (among many other things), set up a few fake profiles on LinkedIn for what appears to be another round. One of these profiles was named, I kid you not, Sebastian “Lazarescue” 😅
Today, Singapore gov published a large, thorough, 450+ pages analysis report on the Health Services Private Ltd hack. Here's a summary analysis highlighting the most interesting findings. Full report is available at: mci.gov.sg/coireport
Today we release KTAE, the Kaspersky Threat Attribution Engine. I wrote a small blog describing how this went from an idea to a product: "Looking at big threats using code similarity - part 1":
Launched today: Learn how to become a GReAT Threat Hunting Ninja with our new online #Yara training.
✔️ 63 training videos.
✔️ 200 hours of virtual lab access.
✔️ Real-world APT hunting.
✔️ Trainer: yours truly
✔️ 6 months access.
Check it out:
xtraining.kaspersky.com/courses/hunt-a
110 mil usd in #Ripple (XRP) were sent from the Japanese cryptocurrency exchange Coincheck to an unknown address. Hacking suspected. twitter.com/xrpl_monitor/s
So, people with access to big chunks of network traffic should probably scout for HTTP POSTs to "/list/suc?name=". googleprojectzero.blogspot.com/2019/08/implan
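The two hunting hints above (the `execute-api` hostname from the AWS story and the `/list/suc?name=` POSTs from the Project Zero implant write-up) are the kind of indicators that end up being grepped out of proxy logs by hand. Here is an added example, not code from the original posts, of doing it properly: refang the indicators, parse each log line, and match the host and the method+path separately so a hit explains itself. The log format (Squid-style native access log) and the sample lines are constructed for this example; the only real indicators are the two quoted from the posts.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as they appear in the posts above (defanged with [.]).
INDICATORS = {
    "hosts": {"bin5y4muil.execute-api.us-east-1.amazonaws[.]com"},
    "post_paths": {"/list/suc?name="},
}

# Constructed sample lines in Squid native access.log layout:
# ts elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1565000001.123 45 10.0.0.5 TCP_MISS/200 512 POST http://bin5y4muil.execute-api.us-east-1.amazonaws.com/list/suc?name=abc - DIRECT/52.1.2.3 text/html
1565000002.456 12 10.0.0.6 TCP_MISS/200 2048 GET http://www.example.com/list/suc?name=foo - DIRECT/93.184.216.34 text/html
1565000003.789 33 10.0.0.7 TCP_MISS/200 100 POST http://updates.example.org/list/suc?name=00aabb - DIRECT/198.51.100.7 application/octet-stream
1565000004.000 10 10.0.0.8 TCP_MISS/200 100 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def refang(ioc: str) -> str:
    """Undo the usual defanging so an indicator can be compared to real log data."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def hunt(log_text: str, indicators: dict = INDICATORS) -> list:
    """Return (line_no, client_ip, reason) for every line matching an indicator.

    Host indicators match the URL host case-insensitively; path indicators
    only fire on POST requests, as the Project Zero post describes.
    """
    hosts = {refang(h).lower() for h in indicators["hosts"]}
    post_paths = tuple(indicators["post_paths"])
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, don't crash
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        path_q = url.path + ("?" + url.query if url.query else "")
        reasons = []
        if host in hosts:
            reasons.append(f"C2 host {host}")
        if m["method"] == "POST" and path_q.startswith(post_paths):
            reasons.append(f"POST to {path_q}")
        if reasons:
            hits.append((n, m["client"], "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for line_no, client, reason in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {client}: {reason}")
```

Lines 1 and 3 of the sample are flagged; line 2 is a GET to the same path and is deliberately not, because the indicator as published is a POST. Loosen that only if you are prepared for the extra noise.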
45.155.205[.]233 at Selectel is possibly the top IP hitting our honeypots while trying to exploit #log4j #log4shell vuln. They are stepping up their game with various obfuscation attempts too. Seen this morning:
Our full analysis of #shadowhammer and related gaming companies attacks, including a new (2018) variant of the #ShadowPad backdoor:
We are releasing some new findings in the #Solarwinds #Sunburst #darkhalo #unc2452 story. Our analysis plus an opensource tool that decodes and matches the UIDs from the CNAME records against publicly available pDNS data:
The inherent design flaw in Whatsapp, Signal or Whatsapp is that your account is your phone number. This is making it easier for anyone to exploit bugs in these apps and target you through nothing but your phone number. Why bother remembering another username? A: “Security”
This new Bloomberg story be like: “alright guys, listen, we weren’t entirely correct about that supermicro bug, but we weren’t entirely wrong either because, Lenovo, and, intel, and chips encrypted in motherboard and did you btw hear about the bios thing at pentagon?”
According to a recent FBI report, Shlayer, an OSX trojan, is now the top most detected malware in K-12 educational institutions. Since February 2018, we have collected 32k different malicious samples of this Trojan.
Interesting spearphishing, "third_islamic_unity_conference.doc" - uploaded from Ukraine in May, matching Fireeye's Methodology_OLE_CHARENCODING_2 yara.
The Windows Defender telemetry and sample collection network is called - I kid you not - "SpyNet". Here's a good resource with all the URLs used for sending the telemetry and other data: docs.microsoft.com/en-us/windows/
The Turkish USOM (National Cybersecurity Intervention Center) publishes a list of URLs and hostnames to be blocked at ISP level. These are very interesting from a TI point of view - eg. the list included #Pegasus IOCs before they were publicly known: usom.gov.tr/url-list.txt
In some cases, the #shadowhammer backdoor checks both the NIC and WiFi adapter MACs to identify the victim for further exploitation. Second stage is deployed only if both addresses match. It was really that targeted.
Kaspersky #APT landscape 2019. Top 10 most relevant threat actors: #lazarus #barium #turla #bluenoroff #zebrocy #lamberts #apt10 #origamielephant #oilrig #honeymyte
So, it would appear someone got their hands on the ProxyLogon exploit chain before it was reported to Microsoft.
Need a _Windows_ tool to dump your BIOS for analysis? You can use TDSS Killer: TDSSKiller.exe -accepteula -qbios -qpath C:\tdsskiller
support.kaspersky.com/viruses/utilit
It appears the attackers behind #Badrabbit have been busy setting up their infection network on hacked sites since at least July 2017.
I wrote a follow up blog on the #Yara webinar from last week. If I missed any of your questions, please feel free to post them as reply.
Using #yara to hunt for malware or just curious to learn more about it? I'll be sharing some of our experience in developing #yara rules for #APT hunting (Hollywood style below, thanks ) on March 31, 14:00 GMT - join at kas.pr/gqr3
New Adobe Flash zero-day exploit used in targeted attacks by the BlackOasis APT - patch available now: helpx.adobe.com/security/produ
KTAE code similarity analysis for the malware used to target security researchers involved in 0day analysis and development. "Manuscrypt" (also known as FALLCHILL) is typically used by the Lazarus APT. 👉
Got an amazing hand painted chessboard from my friends to celebrate 20th work anniversary at 🙏thanks guys, you are amazing! #neverstophunting #weareheretosavetheworld
1/9 The French National Cybersecurity Agency released a report on Hades / Sandworm infecting Centreon servers with a PHP backdoor, followed by deploying the Exaramel Linux backdoor. Some notes:
Taking prices into account: iOS exploits are harder to find, but once you have one, it works everywhere with minimal adjustment. Android exploits are easier to find, but they require fine tuning for the myriad of versions and hardware out there.
Quote
Buyers debating buying exploits for their Android malware: “There are a lot of Android OS versions and the hardware differences between devices is making it a pain to use these exploits. They need tuning for each targeted environment!” - nice point from blog.lookout.com/shmoocon-2019
Interesting story, curious to see some IOCs and how it develops:
This is our cat Luna, we adopted her three months ago, she was very sick and dying. Two surgeries later, antibiotics and great care and love, she is finally well!
I put together a list of telemetry domains and URLs used by mobile location tracking libraries. Will add more as I reverse other APKs. Suitable for use with
Hah, looks like somebody set up a fake (scam) site at hxxp://solarleak[.]net/ - it has the same message as the original one, but a different Monero ID. Also, original site's DNSes at Njalla, new one at Qhoster #nohonoramongthieves
Here's our new research on #MosaicRegressor - an in the wild, UEFI bootkit that installs a custom made malware framework:
KTAE (Kaspersky Threat Attribution Engine) similarity analysis for the samples posted today by US Cybercom. #lazarus #andariel #bluenoroff
Don't miss it: Hunting APTs with Yara - March 31, 2020 14:00GMT -
So many public IOCs, including from reliable sources (eg. security agencies, Govcert's) contain unreliable information. In this case below, 192.64.119[.]190 is a Namecheap Parking IP with over 6000 distinct hosts on it. Import into an IDS to generate tons of false hits.
Checkpoint clears some of the mystery surrounding APT3 with their awesome analysis of the Bemstour exploitation tool:
Here's the full list of hashes and their associated domains which are skipped by the backdoor:
The fast-spreading Petrwrap/Petya ransomware sample we have was compiled on June 18, 2017 according to its PE timestamp.
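The compile date quoted above comes from the TimeDateStamp field of the COFF file header. As an added example (not code from the original post or from Kaspersky), here is how to pull it out of any PE without a PE library: follow `e_lfanew` at offset 0x3C to the `PE\0\0` signature, then read the 32-bit epoch seconds that follow Machine and NumberOfSections. The sample image is constructed in-line with the same date as the post; the field is attacker-controlled, so treat it as a hint, not evidence.

```python
import struct
import sys
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Raises ValueError if the buffer is not a well-formed MZ/PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + COFF header (20) bytes at e_lfanew.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    _machine, _nsections, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_sample_pe(timestamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal MZ/PE header (not a runnable executable) for testing."""
    hdr = bytearray(e_lfanew + 24)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine = IMAGE_FILE_MACHINE_AMD64 (0x8664), 5 sections, given timestamp.
    struct.pack_into("<HHI", hdr, e_lfanew + 4, 0x8664, 5, timestamp)
    return bytes(hdr)


# 2017-06-18 00:00:00 UTC, the compile date named in the post.
SAMPLE_TIMESTAMP = 1497744000

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(pe_timestamp(fh.read()).isoformat())
    else:
        print(pe_timestamp(build_sample_pe(SAMPLE_TIMESTAMP)).isoformat())
```

Run it with a file path to print that sample's timestamp. Cross-check the value against the linker timestamp in the debug directory and against first-seen dates from your telemetry before quoting it; a consistent set of dates is what makes the claim credible.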
New Petrwrap/Petya ransomware has a fake Microsoft digital signature appended. Copied from Sysinternals Utils.
Back in 2016, Gdata published about a mysterious APT and their malware named COMPfun. For years, we couldn’t find anything connected. Using code similarity, we discovered a new, related implant that patches RNG libraries to subvert SSL crypto securelist.com/compfun-succes
Beware of pivoting on parking IPs, it's easy to go down the wrong rabbit hole. (208.91.198[.]23 and 209.99.40[.]223 host hundreds of thousands of random, expired domains)
New zero day exploit ItW caught by Kaspersky technologies - securelist.com/cve-2018-8453- likely used by #FruityArmor APT
Wondering what "happend" here. Did Babuk copy the DarkSide ransom text, or is it an indication of some form of cooperation between them?
Weekend project: combined tweettioc.com/feed/ with vt_downloader.py and github.com/KasperskyLab/k to create a daily updated collection of hot malware being discussed on Twitter that can be easily and quickly scanned with #Yara rules.
What are the most devastating malware developments during the past years? My top 3: 1. Golang 2. Fileless 3. Powershell
iOS 14.7 is out, fixing a number of unspecified vulnerabilities in Safari and the OS itself. Details to be added “soon”. Given recent happenings, this looks most welcome. 👌
During the last months, I've been going through many of my old #Yara rules, optimizing and polishing. You know, "MZ" to uint16(0), "string caused too many matches" or "$a1 is slowing down scanning". I'm thinking of putting together an overview, interesting or not? #100DaysofYARA
We published a technical analysis of the WastedLocker sample (2cc4534b0dd0e1c8d5b89644274a10c1) that allegedly hit Garmin:
In addition to known vectors, ExPetr/PetrWrap/Petya was also distributed through a waterhole attack on bahmut.com.ua/news/
The Kaspersky name for #DarkHydrus APT is #LazyMeerkat. This is an actor we've been tracking since Jan 2018. Their focus is mostly Middle East, governments and aviation. Unusually sneaky, creative.
Quote
#DarkHydrus is launching attacks to targets in Middle East. DNS tunneling is used for C2 communication
Dropper:الفهارس.xlsm
VT Link
virustotal.com/#/file/513813a
C2:
edgekey.live
akdns.live
trafficmanager.live
akamaized.live
akamaiedge.live