SIEM agent being used in SilentCryptoMiner attacks | Securelist

The most interesting action in this attack was the implementation of unusual techniques like using an SIEM agent as backdoor, adding the malicious payload to a legitimate digital signature, and hiding directories containing malicious files. The attackers distributed the malicious files using websites for downloading popular software (uTorrent, Microsoft Office, Minecraft, etc.) for free. The resulting file contains not only the executable code itself, but also additional malicious files which will be installed directly from the implant. It’s important to mention that the websites, videos, and Telegram channels created by the attackers primarily target users seeking free versions of popular software or videogame cheats. In a recent campaign starting in 2022, unknown malicious actors have been trying to mine cryptocurrency on victims’ devices without user consent; they’ve used large amounts of resources for distribution, but what’s more, used multiple unusual vectors for defense evasion and persistence. Even though the main goal of the attackers is to make profit by stealthily mining cryptocurrency, some variants of the malware can perform additional malicious activity, such as replacing cryptocurrency wallets in the clipboard and taking screenshots. The BAT file from autorun extracts the encrypted RAR archive and runs the “start” command with two DLL files as arguments — these were previously extracted from the archive. If the “start” command failed, the BAT file removes the entire directory with the installed files, including itself. The next stage of the infection chain consists of two DLL files, that use the same technique as the first stage: a legitimate AutoIt interpreter and another A3X implant, located in the signature of the legitimate dynamic library. Before compilation, this call just copies the file from its source path to its destination, but during the compilation the interpreter stores the files for installation right inside the compiled script. This behavior allows the attackers to hide their malicious payload anywhere in the file where it won’t be harmful for the container itself. The malicious payload is an A3X script which was compiled into an EXE file and injected right inside the second DLL file signature. In addition, using the icacls utility, the implant forbids all users across all domains to remove these folders, change their permissions, own them, add any files or subdirectories, write to them any attributes (including extended ones), or remove files from them. All these methods are used again for a better persistence by launching the “insta.bat” file right before the end of the A3X implant execution. After visiting the attackers’ website or channel, users might download a ZIP file being falsely advertised as popular software. Persistence is established not only through WMI; the implant also directly starts netcat, the “nun.bat” files, and the “start” command. After installing all the necessary files, the implant establishes persistence using WMI by creating filters which are activated by common events — common enough to guarantee filter activation. First, the A3X script is added to the signature in such a way that its validity remains intact and the whole file is still considered as signed, even with the payload. We’ve also seen some of the malware variants sending a screenshot of the user’s desktop or installing a malicious browser extension, which may replace cryptocurrency wallets in the clipboard. Some of these links redirected users immediately to malicious websites, while others led to the aforementioned Telegram channels. The file is scanned for a specific AutoIt signature which is present only in compiled scripts, and all other contents of the file are ignored. Users would see these malicious sites in the top results when searching for resources freely distributing popular software like uTorrent, MS Excel, MS Word, Minecraft, Discord and so on. This script launches a BAT file which extracts the next element of the attack chain from an encrypted archive. Malware was also distributed through Telegram channels targeted at crypto investors and in descriptions and comments on YouTube videos about cryptocurrency, cheats and gambling. In many cases, the instructions and the password are also provided on the websites and channels from which the user downloaded the malicious archive. But what makes this attack stand out is the bypass of signature verification, making it possible for the payload-bearing file to seem legitimate. To ensure that the attackers can execute any arbitrary command on the victim’s device, during the agent installation, the “remote_commands” option is set. Aside from its main purpose of generating cryptocurrency, SilentCryptoMiner can also hide its own activity from the processes specified in the “stealth-targets” argument and stop processes from the “kill-targets” process names list. As a result of the multistage infection chain, the attackers can establish persistence in users’ systems in multiple ways, gaining full access. While trying to deliver malware on victims’ devices and stay on them as long as they can, sometimes attackers are using quite unusual techniques. The attackers are running multiple Telegram channels distributing the malware in question. Most of the attacks with this infection chain targeted Russian users (87.63%). After that, the other top ten countries with the highest number of users affected by these attacks were Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, Czech Republic, Mozambique, and Turkey. One of these files is a legitimate AutoIt interpreter and the second is a legitimate dynamic library with a valid digital signature. Such a malicious addition is almost impossible to detect without file content analysis. After that, it also abuses the registry keys “Image File Execution Options”, “Debugger” and “MonitorProcess” with the same goals.

This Cyber News was published on securelist.com. Publication date: Fri, 04 Oct 2024 09:13:06 +0000


Cyber News related to SIEM agent being used in SilentCryptoMiner attacks | Securelist

SIEM agent being used in SilentCryptoMiner attacks | Securelist - The most interesting action in this attack was the implementation of unusual techniques like using an SIEM agent as backdoor, adding the malicious payload to a legitimate digital signature, and hiding directories containing malicious files. The ...
2 months ago Securelist.com
The Noticeable Shift in SIEM Data Sources - SIEM solutions didn't work perfectly well when they were first introduced in the early 2000s, partly because of their architecture and functionality at the time but also due to the faults in the data and data sources that were fed into them. While ...
10 months ago Feeds.dzone.com
Generative AI Takes on SIEM - With more vendors adding support for generative AI to their platforms and products, life for security analysts seems to be getting deceptively easier. While adding generative AI capabilities to security information and event management is still in ...
1 year ago Darkreading.com
CVE-2023-3440 - Incorrect Default Permissions vulnerability in Hitachi JP1/Performance Management on Windows allows File Manipulation.This issue affects JP1/Performance Management - Manager: from 09-00 before 12-50-07; JP1/Performance Management - Base: from 09-00 ...
1 year ago
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
Exploring the SIEM Environment Identifying and Overcoming Vendor Tricks - Are you fed up with the never-ending games and deceptive tactics used by security information and event management vendors? It's time to take control and make informed decisions. That's why we have decided to launch a series of blog posts to help ...
1 year ago Exabeam.com
CISOs Grapple With IBM's Unexpected Cybersecurity Software Exit - IBM's surprise departure from cybersecurity software this week didn't just rearrange the competitive landscape - it also reshuffled the procurement plans and vendor relationships for many CISOs rebuilding their SOCs. IBM has agreed to sell the QRadar ...
7 months ago Darkreading.com
From the SIEM to the Lake: Bridging the Gap for Splunk Customers Post-Acquisition - The smoke has cleared on Cisco's largest acquisition ever: that of Splunk for $28 billion in September. This acquisition has added a new layer of uncertainty for users, many of which were already wondering what the future holds for threat detection ...
10 months ago Cyberdefensemagazine.com
5 Ways Exabeam Delivers Better Security Outcomes Than Microsoft Sentinel - Security information and event management is one of the most important tools in the fight against cyberthreats, but not all SIEMs are created equal. Native SIEM solutions can be difficult to customize and maintain, and their advertised "Low or free" ...
1 year ago Exabeam.com
CVE-2022-0014 - An untrusted search path vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker with file creation privilege in the Windows root directory (such as C:\) to store a program that can then be unintentionally ...
2 years ago
CVE-2022-0013 - A file information exposure vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables a local attacker to read the contents of arbitrary files on the system with elevated privileges when generating a support file. This issue ...
2 years ago
CVE-2022-0012 - An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of ...
2 years ago
CVE-2023-22497 - Netdata is an open source option for real-time infrastructure monitoring and troubleshooting. Each Netdata Agent has an automatically generated MACHINE GUID. It is generated when the agent first starts and it is saved to disk, so that it will persist ...
1 year ago
The year of Mega Ransomware attacks with unprecedented impact on global organizations - A Staggering 1 in every 10 organizations worldwide hit by attempted Ransomware attacks in 2023, surging 33% from previous year, when 1 in every 13 organisations received ransomware attacks Throughout 2023, organizations around the world have each ...
11 months ago Blog.checkpoint.com
Social Engineering Attacks: Tactics and Prevention - Social engineering attacks have become a significant concern in today's digital landscape, posing serious risks to the security and sensitive information of individuals and organizations. By comprehending these tactics and implementing preventive ...
10 months ago Securityzap.com
What SOCs Need to Know About Water Dybbuk - According to the Federal Bureau of Investigation, BEC costs victims more money than ransomware, with an estimated US$2.4 billion being lost to BEC in the US in 2021. Recently, BEC scammers have been using stolen accounts from legitimate Simple Mail ...
1 year ago Trendmicro.com
Security Series: Protecting the Edge Against DDoS Attacks with a Simplified Integrated Solution - An unprecedented increase in distributed-denial-of-service attacks in recent years has resulted in lost revenue and productivity, increased ransomware costs, and impacted service-level agreements for network operators. According to Zayo Group's ...
1 year ago Feedpress.me
Survey Surfaces Wasted Efforts Collecting Cybersecurity Data - A survey of 500 full-time security decision-makers and practitioners published today found that security teams are wasting time and resources normalizing data to store and analyze it in a separate platform instead of relying on the same data IT teams ...
1 year ago Securityboulevard.com
Wazuh: Building robust cybersecurity architecture with open source tools - Building a cybersecurity architecture requires organizations to leverage several security tools to provide multi-layer security in an ever-changing threat landscape. Leveraging open source tools and solutions to build a cybersecurity architecture ...
11 months ago Bleepingcomputer.com
Wazuh: Building robust cybersecurity architecture with open source tools - Building a cybersecurity architecture requires organizations to leverage several security tools to provide multi-layer security in an ever-changing threat landscape. Leveraging open source tools and solutions to build a cybersecurity architecture ...
11 months ago Bleepingcomputer.com
CVE-2021-3041 - A local privilege escalation vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables an authenticated local Windows user to execute programs with SYSTEM privileges. This requires the user to have the ...
3 years ago
CVE-2023-34254 - The GLPI Agent is a generic management agent. Prior to version 1.5, if glpi-agent is running remoteinventory task against an Unix platform with ssh command, an administrator user on the remote can manage to inject a command in a specific workflow the ...
1 year ago
CVE-2021-28827 - The Administration GUI component of TIBCO Software Inc.'s TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition, TIBCO Administrator - Enterprise Edition Distribution for TIBCO Silver Fabric, TIBCO Administrator - ...
3 years ago
What Is an Axon Agent, and Why Do You Need One? - A common oversight that undermines these security efforts is the misconception about data volume versus the necessity for comprehensive data collection. Endpoint security does not need to be an insurmountable task. Fortra's Tripwire Axon agent ...
8 months ago Tripwire.com
CVE-2021-41090 - Grafana Agent is a telemetry collector for sending metrics, logs, and trace data to the opinionated Grafana observability stack. Prior to versions 0.20.1 and 0.21.2, inline secrets defined within a metrics instance config are exposed in plaintext ...
2 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)