Archive for June 3, 2024

Security Researcher Finds That Microsoft Recall Is A Bigger Disaster Than We All Thought

Posted in Commentary on June 3, 2024 by itnerd

Along with the release of Windows laptops using the Snapdragon X Elite processor, Microsoft released a bunch of new AI features for Windows 11. One of them is something called Microsoft Recall, which literally takes snapshots of everything that you do on the PC. At the time, I said this:

Here’s where things get sketchy. While Recall apparently encrypts everything that it is taking a picture of, Recall with the default settings is taking pictures of everything. So if you do online banking, enter your SIN number online, or do anything else that is sensitive, Recall will likely know about it. Think of the fun a threat actor could have if they somehow managed to pwn the PC and got access to that data. And don’t think that threat actors aren’t thinking about giving that a shot as they know that it’s a potential gold mine of information that they can sell on the dark web. Never mind use against you. Now at this point a threat actor would likely have to have physical access to the device as this info is stored locally. But the one thing that I have learned over the years is that threat actors are creative and crafty individuals. So if there’s another attack vector out there that will allow them to grab this data, they will find it. And exploit it. 

Well, it now seems that this might be worse than previously thought. The Verge has surfaced just how vulnerable Recall actually is:

Despite Microsoft’s promises of a secure and encrypted Recall experience, cybersecurity expert Kevin Beaumont has found that the AI-powered feature has some potential security flaws. Beaumont, who briefly worked at Microsoft in 2020, has been testing out Recall over the past week and discovered that the feature stores data in a database in plain text. That could make it trivial for an attacker to use malware to extract the database and its contents.

“Every few seconds, screenshots are taken. These are automatically OCR’d by Azure AI, running on your device, and written into an SQLite database in the user’s folder,” explains Beaumont in a detailed blog post. “This database file has a record of everything you’ve ever viewed on your PC in plain text.”

Beaumont shared an example of the plain text database on X, scolding Microsoft for telling media outlets that a hacker cannot exfiltrate Recall activity remotely. The database is stored locally on a PC, but it’s accessible from the AppData folder if you’re an admin on a PC. Two Microsoft engineers demonstrated this at Build recently, and Beaumont claims the database is accessible even if you’re not an admin.

Well that’s just incredibly horrible. Because now that we know that pwnage is possible, threat actors around the globe will be figuring out how to pwn anyone who is running this feature. Even if technical details are being withheld.

But I am not done yet. It actually gets worse:

Beaumont has exfiltrated his own Recall database and created a website where you can upload a database and instantly search it. “I am deliberately holding back technical details until Microsoft ship the feature as I want to give them time to do something,” he says.

You would think a company the size of Microsoft would have had a few security researchers try to find vulnerabilities in this feature before even announcing it? But I guess not. It truly sounds to me like Microsoft needs to do a recall of Recall, because it’s simply not something that users can trust to be secure. Thus it’s not ready for primetime.

HYAS Experts Warn Of Active Remcos RAT Campaign

Posted in Commentary on June 3, 2024 by itnerd

Examining the trove of data exposed through Autonomous System Numbers (ASNs) can identify and mitigate complex malware campaigns in novel ways. Using this technique, HYAS has just published Tracking An Active Remcos Malware Campaign.

Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.

The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have indicated Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to Lithuania, and are hosted on the ISP “Silent Connection Ltd”.

The report details the threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications which — combined with hosting on a Lithuanian ISP — obfuscates the true origin of the attack and also leverages international resources to evade localized law enforcement. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.

HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.

About HYAS’ Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps ID the ownership and affiliations of networks involved in the campaign. HYAS then:

  • identifies the origins of malicious traffic,
  • pinpoints hosting providers associated with malware distribution,
  • surfaces and traces connections between threats and entities that otherwise seem unaffiliated, and
  • attributes malware campaigns to specific threat actors or groups, defends against active campaigns and thwarts future ones.
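To make the ASN-mapping step concrete, here is an added example (not HYAS’ tooling) of the core idea: longest-prefix matching of C2 IPs against an ASN table, flagging dynamic DNS hostnames like the two in the report, and grouping campaigns that land in the same ASN. The prefix table, ASNs and campaign IPs are constructed from documentation ranges; a real workflow would pull prefixes from a routing-data source.

```python
import ipaddress
from collections import defaultdict

# Constructed ASN prefix table (documentation ranges, private-use ASNs),
# standing in for a routing-table or WHOIS lookup. Not real hosting data.
ASN_PREFIXES = [
    ("198.51.100.0/24", 64500, "EXAMPLE-HOSTING-A"),
    ("203.0.113.0/25", 64501, "EXAMPLE-HOSTING-B"),
    ("203.0.113.0/24", 64502, "EXAMPLE-TRANSIT-C"),  # less specific than the /25
]

# Dynamic DNS providers named in the HYAS report.
DDNS_SUFFIXES = ("ddns.net", "duckdns.org")


def ip_to_asn(ip):
    """Longest-prefix match of an IP against the table; None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, asn, name in ASN_PREFIXES:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn, name)
    return None if best is None else (best[1], best[2])


def refang(domain):
    """Undo the [.] defanging used when indicators are shared in reports."""
    return domain.replace("[.]", ".")


def is_dynamic_dns(domain):
    """True when the hostname sits under one of the dynamic DNS providers."""
    d = refang(domain).lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def cluster_by_asn(campaigns):
    """Map each campaign's C2 IPs to ASNs; return ASNs shared by 2+ campaigns."""
    by_asn = defaultdict(set)
    for name, ips in campaigns.items():
        for ip in ips:
            hit = ip_to_asn(ip)
            if hit:
                by_asn[hit].add(name)
    return {asn: sorted(names) for asn, names in by_asn.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed campaign indicator sets; "B" shares an ASN with "A".
    sample = {"A": ["198.51.100.7"], "B": ["198.51.100.9", "203.0.113.200"], "C": ["203.0.113.9"]}
    print(cluster_by_asn(sample))
    print(is_dynamic_dns("taker202.ddns[.]net"))
```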