Archive for ESET

China’s ‘Evasive Panda’ Found Hijacking Updates For Espionage Purposes 

Posted in Commentary with tags on May 1, 2023 by itnerd

Researchers at ESET discovered that downloads of MgBot, the Evasive Panda backdoor, had been inserted into the update channels of otherwise legitimate applications. The campaign appeared aimed at stealing credentials and data for cyber espionage purposes and has been ongoing for two years. The attacks targeted specific individuals in China and Nigeria while delivering clean updates to everyone else.

 “During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” intelligence analyst Facundo Munoz wrote in the post.

Researchers observed the highest number of infected updates coming from an updater for the Tencent QQ Windows client:

 “Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates,” Munoz wrote.

Roy Akerman, Co-Founder & CEO, Rezonate:

   “Despite increased investment in supply chain defenses, attackers continue to bypass controls and drop malware with legitimate processes and applications. Tencent’s QQ Windows client has been used for a long time now as a way to socially engineer and distribute malware in a targeted manner. This approach enables a wide reach across the entire platform as well as offering the shield of authenticity. 

   “We’re seeing the targeting of accounts happening more often vs. the traditional spray and pray, to meet a specific objective. A layered defense, continuous education of employees and monitoring of identity behavior for abuse of privileges are more critical than ever.”

This illustrates how dangerous some of these threat actor groups are, as packaging this backdoor inside a legitimate update is pretty crafty. It shows that more needs to be done at both the technology and human level to stop attacks like these from being successful.

ESET Discovers Corporate Secrets and Data on Recycled Company Routers

Posted in Commentary with tags on April 18, 2023 by itnerd

 ESET, a global leader in digital security, today unveiled new research into corporate network devices that were disposed of and sold on the secondary market. After looking at configuration data from 16 distinct network devices, ESET found that over 56% – nine routers – contained sensitive company data.

Of the nine networks that had complete configuration data available:  

  • 22% contained customer data
  • 33% exposed data allowing third-party connections to the network
  • 44% had credentials for connecting to other networks as a trusted party
  • 89% itemized connection details for specific applications
  • 89% contained router-to-router authentication keys
  • 100% contained one or more of IPsec or VPN credentials, or hashed root passwords
  • 100% had sufficient data to reliably identify the former owner/operator

Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein. Whether through an error by an e-waste company or in the company’s own disposal processes, a range of data was found on the routers:

  • Third-party data: As we have seen in real-world cyberattacks, a breach of one company’s network can proliferate to their customers, partners, and other businesses with whom they may have connections.
  • Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary-in-the-middle (AitM) attack with trusted credentials, capable of siphoning off corporate secrets, with victims unaware for extended periods.
  • Customer data: In some cases, core routers point to internal and/or external information stores with specific information about their owners’ customers, sometimes stored on premises, which can open customers up to potential security issues if an adversary is able to gain specific information about them.
  • Specific applications: Complete maps of major application platforms used by specific organizations, both locally hosted and in the cloud, were scattered liberally throughout the configurations of these devices. These applications range from corporate email to trusted client tunnels for customers, physical building security such as specific vendors and topologies for proximity access cards and specific surveillance camera networks, and vendors, sales and customer platforms, to mention a few. Additionally, ESET researchers were able to determine over which ports and from which hosts those applications communicate, which ones they trust, and which ones they do not. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited across the network topology that an attacker would already have mapped.
  • Extensive core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of various organizations’ inner workings, which would provide extensive network topology information for subsequent exploitation, were the devices to fall into the hands of an adversary. Recovered configurations also contained nearby and international locations of many remote offices and operators, including their relationship to the corporate office – more data that would be highly valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of WAN router peering arrangements and the like.
  • Trusted operators: The devices were loaded with potentially crackable or directly reusable corporate credentials – including administrator logins, VPN details, and cryptographic keys – that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.

The routers in this research originated at organizations ranging from medium-sized businesses to global enterprises in a variety of industries (data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms, and software developers). As part of the discovery process, ESET, where possible, disclosed the findings to each identified organization – several of them household names – collaborating to ensure they were aware of the details potentially compromised by others in the chain of custody of the devices. Some of the organizations with compromised information were shockingly unresponsive to ESET’s repeated attempts to connect, while others showed proficiency, handling the event as a full-blown security breach.

Organizations are reminded to verify that they are using a trusted, competent third party to dispose of devices, or that they are taking all the necessary precautions if handling the decommissioning themselves. That should extend past routers and hard drives to any device that’s part of the network. Many organizations in this research probably felt that they were contracting with reputable vendors, but their data still leaked. With this in mind, it’s recommended that organizations follow the manufacturer’s guidelines for removing all data from a device before it physically leaves their premises, which is a simple step that many IT staff can handle.
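One way to make the pre-disposal check above concrete is to audit the exported configuration before the device leaves the premises. The script below is an added example, not ESET's code; it assumes a Cisco IOS-style text configuration and scans a constructed sample for the residue categories the research lists (credentials, IPsec/VPN secrets, router-to-router authentication keys, routing-protocol peering, owner identity), masking secret values in its own report so the audit output does not become a second leak.

```python
"""Pre-disposal audit of a router configuration dump.

Added example, not ESET's code. Assumes a Cisco IOS-style running-config;
the sample below is constructed and uses documentation IP ranges only.
"""
import re
from collections import defaultdict

# Category -> regexes applied line by line. Extend for other vendors' syntax.
RESIDUE_RULES = {
    "credentials": [
        r"^\s*enable (secret|password)\b",
        r"^\s*username \S+ .*\b(secret|password)\b",
        r"^\s*snmp-server community\b",
    ],
    "vpn_secrets": [
        r"^\s*crypto isakmp key\b",
        r"^\s*pre-shared-key\b",
        r"^\s*tunnel key\b",
    ],
    "router_auth_keys": [
        r"^\s*key-string\b",
        r"^\s*neighbor \S+ password\b",
        r"^\s*ip ospf (authentication-key|message-digest-key)\b",
    ],
    "routing_topology": [
        r"^\s*router (bgp|ospf|rip|eigrp)\b",
        r"^\s*neighbor \S+ remote-as\b",
        r"^\s*ip route\b",
    ],
    "owner_identity": [
        r"^\s*hostname\b",
        r"^\s*ip domain[- ]name\b",
        r"^\s*banner\b",
    ],
}

# Constructed sample: hostnames, hashes and keys are placeholders.
SAMPLE_CONFIG = """\
! Constructed sample, not a real device configuration
hostname CORE-RTR-01
ip domain-name example-corp.internal
enable secret 5 $1$EXAMPLE$notarealhash
username netadmin privilege 15 secret 5 $1$EXAMPLE$notarealhash2
snmp-server community monitorRO RO
crypto isakmp key ExamplePSK address 203.0.113.10
interface Tunnel0
 tunnel key 12345
router ospf 10
 network 10.0.0.0 0.255.255.255 area 0
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 ExampleOspfKey
router bgp 65001
 neighbor 203.0.113.10 remote-as 65002
 neighbor 203.0.113.10 password ExampleBgpPass
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""


def audit_config(config_text):
    """Return {category: [(line_no, line), ...]} for every residue hit."""
    compiled = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
                for cat, pats in RESIDUE_RULES.items()}
    findings = defaultdict(list)
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for cat, pats in compiled.items():
            if any(p.search(line) for p in pats):
                findings[cat].append((line_no, line.strip()))
    return dict(findings)


def safe_to_release(config_text):
    """True only when no residue category fires on the exported config."""
    return not audit_config(config_text)


def mask_secret(line):
    """Replace everything after a secret-bearing keyword with a placeholder."""
    return re.sub(r"\b(key-string|secret|password|key|community)\s+\S.*$",
                  r"\1 <redacted>", line, count=1, flags=re.IGNORECASE)


def report(config_text):
    """Audit findings with secret values masked, safe to hand to the disposal team."""
    return {cat: [(n, mask_secret(l)) for n, l in hits]
            for cat, hits in audit_config(config_text).items()}


if __name__ == "__main__":
    for cat, hits in report(SAMPLE_CONFIG).items():
        print(f"[{cat}] {len(hits)} hit(s)")
        for line_no, line in hits:
            print(f"  line {line_no}: {line}")
    print("safe to release:", safe_to_release(SAMPLE_CONFIG))
```

A configuration that still fires any category should go back for a factory erase before the device is handed over, rather than being released on the assumption that the vendor will wipe it.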

Organizations are reminded to treat disclosure notifications seriously. Doing otherwise may leave them vulnerable to a costly data breach and significant reputational damage. 

This research, titled “We (Could Have) Cracked Open the Network for Under $100”, will be presented at RSA 2023 on April 24, 2023, at 9:40 a.m. PT.

To read the white paper, which includes resources on secure device disposal, visit WeLiveSecurity.

Guest Post: ESET Research discovers trojanized WhatsApp and Telegram applications stealing crypto funds and with new functionalities

Posted in Commentary with tags on March 21, 2023 by itnerd

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers — a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time ESET Research had seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users. Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them.

The threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirected the viewers to copycat Telegram and WhatsApp websites. ESET Research immediately reported the fraudulent ads and related YouTube channels to Google, which promptly shuttered them all.

“The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps,” says ESET researcher Lukáš Štefanko, who discovered the trojanized apps.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. The analyzed Android clippers constitute the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code composed of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

In another instance, the malware simply switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses being either hardcoded or dynamically retrieved from the attacker’s server. In yet another instance, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker’s server.

ESET Research also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans (RATs). In a departure from the established pattern, one of the Windows-related malware bundles is not composed of clippers, but of RATs that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

“Install apps only from trustworthy and reliable sources, such as the Google Play store, and do not store unencrypted pictures or screenshots containing sensitive information on your device. If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website,” advises Štefanko. “For Windows, if you suspect that your Telegram app is malicious, use a security solution to detect the threat and remove it for you. The only official version of WhatsApp for Windows is currently available in the Microsoft store.”

For more technical information about the clippers built into instant messaging apps, check out the blog post “Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets” on WeLiveSecurity.

Guest Post: Tick cyberespionage group compromises data-loss prevention software developer in East Asia

Posted in Commentary with tags on March 14, 2023 by itnerd

ESET researchers have uncovered a compromise of an East Asian data-loss prevention (DLP) company. During the intrusion, the attackers deployed at least three malware families and compromised internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised. ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the objective of the attack was most likely cyberespionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.

The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.

The previously undocumented downloader ShadowPy was developed in Python and is loaded through a customized version of the open source project py2exe. ShadowPy contacts a remote server from which it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file, downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.

For more technical information about the latest Tick campaign, check out the blogpost “The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia” on WeLiveSecurity.

Guest Post: ESET Announces Eighth Annual Women in Cybersecurity Scholarship in North America

Posted in Commentary with tags on March 9, 2023 by itnerd

If this year’s International Women’s Day theme teaches us anything, it’s that in order to have true gender equity, it is essential for society to provide economic opportunity in spaces where women are underrepresented. 

To embrace women and support their journey, ESET, a global leader in IT security, will once again #EmbraceEquity with its eighth annual Women in Cybersecurity Scholarship, awarding the prize to four women in North America.

ESET will be providing $10,000 USD scholarships to two women in the United States and $5,000 CAD scholarships to two women in Canada. Applicants are required to be enrolled in a graduate or undergraduate program majoring in a STEM (science, technology, engineering and mathematics) field. In addition, the students will be asked to detail their career goals, and what steps they plan to take to “pay it forward” for other women pursuing careers in STEM.

Celeste Blodgett, Vice President of Human Resources at ESET is thrilled with how successful the scholarship has been over the years. “At ESET we believe in a culture of inclusion and a culture of equity – without opportunity, there can be no equity,” she said. “Year after year, we choose to support and empower women through the ESET Women in Cybersecurity Scholarship so they may pursue their passions in cybersecurity and STEM. This work is critical for us to break down barriers of entry into the field to support the next generation of female cybersecurity experts.”

Applications are now being accepted and are due by April 7, 2023, at 11:59 p.m. PT. Those who are ineligible to apply are encouraged to share this opportunity with friends and family.

A 2022 (ISC)² Women in Cybersecurity Report found that women accounted for 30% of global cybersecurity workers who are under the age of 30; additionally, they accounted for just 14% of those 60 or older. Slowly and through every generation, progress is being made, but there is still so much more to do.

“Shifts are happening within the industry and while at first glance, they might seem dramatic, it is more of a trickle-down effect and there needs to be resources in place to speed up the culture of equity in the workplace,” said Blodgett. “I’ve been lucky enough to hear the stories of the inspiring women who have applied for the scholarship, showing both their passion in the technology field and desire to do good in the world. I look forward to awarding the ESET scholarships to another round of strong, inspiring candidates this year.” 

REQUIREMENTS, DETAILS AND HOW TO APPLY

ESET will award scholarship to a woman who is currently enrolled as a graduate/undergraduate student in North America, majoring in a STEM field of study.

How do I qualify for the scholarship?

You must be enrolled in or accepted to an accredited college or university within North America. (The graduate/undergraduate program does not have to be a cybersecurity program; however, in your application, you should make clear that you aspire to have a career in the cybersecurity industry.)

New this year: ESET has decided to forego minimum GPA requirements so anyone interested and passionate in science, technology and cybersecurity can apply.

What is the deadline for submission?

Submissions will be accepted from March 8, 2023 – April 7, 2023 at 11:59 p.m. EST.

ESET will announce the winner in May 2023.

What do I submit / How do I submit my application?

Applicants can apply and learn more about the scholarships by visiting our application pages. If you’re a US student, you can apply here; if you’re a Canadian student, apply here.

Additional details

  • Essays may be submitted in English or Spanish for US students.
  • Essays may be submitted in English or French for Canadian students. 
  • Finalists may be required to supply additional personal or professional references.
  • Judging is conducted by a panel of ESET staff, including cybersecurity experts.
  • Winners will be asked to provide a photo of themselves, which may be used for promotional purposes.
  • If the application or essays are incomplete, they will not be considered.
  • Immediate family members or dependents of ESET employees are not eligible to participate.

Questions? Email us at US-scholarship@eset.com [US-only inquiries] or CA-scholarship@eset.com [Canada-only inquiries] with any questions, and we’ll get back to you as soon as possible.

China-aligned Mustang Panda’s latest backdoor targets Europe, Asia, and Australia

Posted in Commentary with tags on March 3, 2023 by itnerd

ESET researchers have just analyzed MQsTTang, a new custom backdoor that they attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023. ESET Research has seen unknown entities in Bulgaria and Australia in their telemetry as targets. ESET also has information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Due to the nature of the decoy filenames used, ESET researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is still ongoing as of this writing, and the group has increased its activity in Europe since Russia’s invasion of Ukraine.

Based on their telemetry, ESET Research can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames make ESET believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s latest campaigns. 

MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for Command and Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families.

MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have filenames related to diplomacy and passports.

For more technical information about MQsTTang, check out the blog post “MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT” on WeLiveSecurity.

ESET discovers WinorDLL64 backdoor, likely part of the Lazarus arsenal

Posted in Commentary with tags on February 23, 2023 by itnerd

ESET researchers have discovered the WinorDLL64 backdoor, one of the payloads of the Wslink downloader. The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group Lazarus. Wslink’s payload can exfiltrate, overwrite, and remove files, execute commands, and obtain extensive information about the underlying system.

WinorDLL64 contains overlaps in both behavior and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North Korea-aligned APT group.

The initially unknown Wslink payload was uploaded to VirusTotal from South Korea shortly after the publication of an ESET Research blog post on the Wslink loader. ESET telemetry has seen only a few detections of the Wslink loader in Central Europe, US, Canada, and the Middle East. Researchers from AhnLab confirmed South Korean victims of Wslink in their telemetry, which is a relevant indicator, considering the traditional Lazarus targets and that ESET Research observed only a few detections.

Active since at least 2009, this infamous North Korea-aligned group is responsible for high-profile incidents such as the Sony Pictures Entertainment hack, the tens-of-millions-of-dollars cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. US-CERT and the FBI call this group HIDDEN COBRA.

You can read more here.

Guest Post: Car Theft Is Out Of Control Right Now… Here Are Some Tips From ESET Canada In Terms Of How You Can Protect Yourself

Posted in Commentary with tags on February 22, 2023 by itnerd

The technology in our cars is advancing by leaps and bounds, but as far as vehicles have come with automated features and expanded entertainment options, thwarting the car thief has proven to be an elusive endeavor. 

York Regional Police recently reported more than 2,000 vehicles have been stolen in their jurisdiction over the past year, and they are noting that the criminals are using technology to their advantage. They start by identifying high-end vehicles in public places — like a shopping mall parking lot — and discreetly place an “AirTag” tracking device on the vehicle. This allows them to follow the vehicle to the owner’s house, where they use more technology — an electronic device used to reprogram a car’s factory settings — to hack into the car’s computer and reprogram it to accept the key they brought with them.

The car thieves then simply drive the car away. 

Car thieves have also been known to steal a car by relaying the signals of the contactless key to give them a method to gain access to and start the car without having the key present. Two thieves work in tandem — one uses a transmitter in close proximity to the car key and the other has a receiver beside the car. If a vehicle owner stores their keys just inside the front door (quite a common practice), the transmitter will pick up that signal and relay it to the accomplice at the car, allowing them to get the door open and start the vehicle without causing it any damage.

“These acts may seem like technological voodoo, but they can actually be quite easy for criminals to pull off,” says Tony Anscombe, Chief Security Evangelist with ESET Canada. “All it takes is the right equipment, which is easily accessible, and as technology advances, this equipment becomes cheaper and cheaper.”

Car owners are not powerless against this, but interestingly enough many of the solutions against these high-tech crimes are decidedly low-tech: 

  • Protect your keys. Key to thwarting the thieves is to deny them access to the signal from your key fob. This can be accomplished with something as simple as a tin box for storing keys, or storing your keys away from the front door of your home. A secure Faraday pouch or bag will also block theft of the fob’s signal, especially if you are out and about.
  • Conceal your vehicle. It is a wise idea to store your expensive car in a locked garage. 
  • Secure your vehicle. If a garage is not an option, simply locking your doors will not be enough of a deterrent for a determined criminal. An alarm system helps, and a steering wheel lock is not only effective, but it is also a visual deterrent from even trying to steal your car. 
  • Lock the data port. The car’s OBD data port is where thieves will access your car’s computer. A simple lock can be purchased online that will protect this port from being accessed by unauthorized folks. 
  • Get it on video. Surveillance cameras trained on your driveway will record any activity there. Today’s systems are advanced elements of your smart home, and many allow remote access so you can keep an eye on your property from afar.

Bahamut group targets Android users with fake VPN apps; spyware steals users’ conversations: ESET

Posted in Commentary with tags on November 24, 2022 by itnerd

ESET researchers have identified an active campaign targeting Android users, conducted by the Bahamut APT group. This campaign has been ongoing since the start of this year. Malicious spyware apps are distributed through a fake SecureVPN website that provides only trojanized Android apps to download. This website has no association whatsoever with the legitimate, multiplatform SecureVPN software and service. Malicious apps used in this campaign are able to exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as WhatsApp, Facebook Messenger, Signal, Viber, and Telegram. ESET researchers discovered at least eight versions of the Bahamut spyware, which could mean the campaign is well-maintained. The malicious apps were never available for download from Google Play. 

All exfiltrated data is stored in a local database and then sent to the Command and Control (C&C) server. The Bahamut spyware functionality includes the ability to update the app by receiving a link to a new version from the C&C server.

If the Bahamut spyware is enabled, then it can be remotely controlled by Bahamut operators and can exfiltrate various sensitive device data, such as contacts, SMS messages, call logs, a list of installed apps, device location, device accounts, device info (type of internet connection, IMEI, IP, SIM serial number), recorded phone calls, and a list of files on external storage. By misusing accessibility services, the malware can steal notes from the SafeNotes application and actively spy on chat messages and information about calls from popular messaging apps, such as imo-International Calls & Chat, Facebook Messenger, Viber, Signal Private Messenger, WhatsApp, Telegram, WeChat, and Conion apps.

The Bahamut APT group typically uses spearphishing messages and fake applications as the initial attack vector, against entities and individuals in the Middle East and South Asia. Bahamut specializes in cyberespionage, and ESET Research believes that its goal is to steal sensitive information from its victims. Bahamut is also referred to as a mercenary group offering hack-for-hire services to a wide range of clients. The name was given to this threat actor, which appears to be a master in phishing, by the Bellingcat investigative journalism group. Bellingcat named the group after the enormous fish floating in the vast Arabian Sea mentioned in the Book of Imaginary Beings written by Jorge Luis Borges. Bahamut is frequently described in Arabic mythology as an unimaginably enormous fish.

For more technical information about the latest Bahamut APT group campaign, check out the blog post “Bahamut cybermercenary group targets Android users with fake VPN apps” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

ESET Canada Sets Up New HQ In Thornhill

Posted in Commentary with tags on April 11, 2022 by itnerd

Amidst the work-from-home mandates throughout the past two years of the COVID-19 pandemic, ESET moved its Canadian headquarters from downtown Toronto to Commerce Valley Drive West in Thornhill. As staff begin returning to in-office work, ESET Canada will mark the official opening of its new location on April 11th with a private event for team members from across the country.

The new location is part of the second-largest tech hub in Canada, offers more square footage to accommodate a growing ESET Canada team and is accessible with both public transit and major arterial roads. 

Regardless of its physical location, ESET remains committed to providing the expertise and products that help people and organizations stay safe in the cyberworld.

The move also coincides with a brand refresh for ESET, which represents the role it has played in the progress that digital technology has enabled – in short, a force for progress. 

For more than 30 years, ESET has been providing digital protection as technology has advanced and progressed to change people’s lives, day-to-day activities and the way we do business. Progress in technology means the potential for a better world and society, but it is not without risk. As technology progresses, so too do those with malicious intentions; with every innovation comes someone who wants to exploit it for nefarious means.