Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🌐 #Firefox 133: A Leap Forward in Web Browsing
https://undercodenews.com/firefox-133-a-leap-forward-in-web-browsing/
@Undercode_News
https://undercodenews.com/firefox-133-a-leap-forward-in-web-browsing/
@Undercode_News
UNDERCODE NEWS
Firefox 133: A Leap Forward in Web Browsing - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
⚡️ #GitHub Strengthens Security Posture with New SOC 2 Reports for Enterprise Cloud, #Copilot, and More
https://undercodenews.com/github-strengthens-security-posture-with-new-soc-2-reports-for-enterprise-cloud-copilot-and-more/
@Undercode_News
https://undercodenews.com/github-strengthens-security-posture-with-new-soc-2-reports-for-enterprise-cloud-copilot-and-more/
@Undercode_News
UNDERCODE NEWS
GitHub Strengthens Security Posture with New SOC 2 Reports for Enterprise Cloud, Copilot, and More - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
#GitHub Actions: A Deeper Dive into Runner Labels
https://undercodenews.com/github-actions-a-deeper-dive-into-runner-labels/
@Undercode_News
https://undercodenews.com/github-actions-a-deeper-dive-into-runner-labels/
@Undercode_News
UNDERCODE NEWS
GitHub Actions: A Deeper Dive into Runner Labels - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
📱 #Microsoft Expands #Windows Recall #AI Feature: A Measured Approach
https://undercodenews.com/microsoft-expands-windows-recall-ai-feature-a-measured-approach/
@Undercode_News
https://undercodenews.com/microsoft-expands-windows-recall-ai-feature-a-measured-approach/
@Undercode_News
UNDERCODE NEWS
Microsoft Expands Windows Recall AI Feature: A Measured Approach - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
💻 Evernote: A #Digital Notebook for Your Thoughts
https://undercodenews.com/evernote-a-digital-notebook-for-your-thoughts/
@Undercode_News
https://undercodenews.com/evernote-a-digital-notebook-for-your-thoughts/
@Undercode_News
UNDERCODE NEWS
Evernote: A Digital Notebook for Your Thoughts - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
Informative The Rise of VK: A Social Media Giant in Russia and Beyond
https://undercodenews.com/informative-the-rise-of-vk-a-social-media-giant-in-russia-and-beyond/
@Undercode_News
https://undercodenews.com/informative-the-rise-of-vk-a-social-media-giant-in-russia-and-beyond/
@Undercode_News
UNDERCODE NEWS
Informative The Rise of VK: A Social Media Giant in Russia and Beyond - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
Forwarded from UNDERCODE NEWS (Copyright & Fact Checker)
🤖 Informative Navigating Tumblr's Login Process: A Step-by-Step Guide
https://undercodenews.com/informative-navigating-tumblrs-login-process-a-step-by-step-guide/
@Undercode_News
https://undercodenews.com/informative-navigating-tumblrs-login-process-a-step-by-step-guide/
@Undercode_News
UNDERCODE NEWS
Informative Navigating Tumblr's Login Process: A Step-by-Step Guide - UNDERCODE NEWS
Undercode News was founded in order to provide the most useful information in the world of hacking and technology. Staffed 24/24 hours, seven days a week by a dedicated team in undercode around the world, so it can provide an environment of information and…
🦑Exploitation of the Microsoft Exchange Vulnerability:
During the IR investigation, the Nocturnus Team was able to identify the initial compromise vector, in which the attackers exploited the recently discovered vulnerabilities in Microsoft Exchange server, which allowed them to perform remote code execution by exploiting the following CVEs: CVE-2021-27065 and CVE-2021-26858.
The attackers used this vulnerability to install and execute the China Chopper webshell via the following commands:
During the IR investigation, the Nocturnus Team was able to identify the initial compromise vector, in which the attackers exploited the recently discovered vulnerabilities in Microsoft Exchange server, which allowed them to perform remote code execution by exploiting the following CVEs: CVE-2021-27065 and CVE-2021-26858.
The attackers used this vulnerability to install and execute the China Chopper webshell via the following commands:
Once the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks:
cmd.exe /c del "C:\Program Files\Microsoft\Exchange Server\V15\\frontend\httpproxy\owa\auth\<file_name>.aspx"
cmd.exe /c del "C:\Program Files\Microsoft\Exchange Server\V15\\frontend\httpproxy\owa\auth\<file_name>.aspx"
Using the webshell, the attackers launched a PowerShell that was then used to download a payload from the following URL:
http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,<machine_name>
The payload is then saved as C:\windows\zsvc.exe and executed. This is the start of the Prometei botnet execution:
http://178.21.164[.]68/dwn.php?b64=1&d=nethost64C.exe&B=_AMD64,<machine_name>
The payload is then saved as C:\windows\zsvc.exe and executed. This is the start of the Prometei botnet execution:
The Prometei Botnet :
When the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:
It copies itself into C:\Windows with the name “sqhost.exe”
It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP
It checks if there is a registry key named “UPlugPlay”, and if present it deletes it
It sets a registry key for persistence as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay with the image path and command line c:\windows\sqhost.exe Dcomsvc
It creates several registry keys under SOFTWARE\Microsoft\Fax\ and SOFTWARE\Intel\support\ with the names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different components for C2 communication.
Sqhost.exe:
Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe is able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the command to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd commands, WMI, etc.) or can be used to interact with the other modules of the malware located under C:\Windows\dell
When the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:
It copies itself into C:\Windows with the name “sqhost.exe”
It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP
It checks if there is a registry key named “UPlugPlay”, and if present it deletes it
It sets a registry key for persistence as HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPlugPlay with the image path and command line c:\windows\sqhost.exe Dcomsvc
It creates several registry keys under SOFTWARE\Microsoft\Fax\ and SOFTWARE\Intel\support\ with the names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different components for C2 communication.
Sqhost.exe:
Sqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe is able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the command to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd commands, WMI, etc.) or can be used to interact with the other modules of the malware located under C:\Windows\dell
Sqhost supports the following commands:
Call - Execute a program or a file
Start_mining - launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Start_mining1 - request C:\windows\dell\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Stop_mining - runs cmd.exe with command: “/c taskkill -f -im SearchIndexer.exe”
Wget - download a file
Xwget - download a file, save it, and use XOR to decrypt it
Quit - terminate the bot execution using TerminateProcess
Quit2 - terminate the bot execution without using TerminateProcess
Sysinfo - collect information about the machine (using native APIs and WMIC)
Exec - execute a command
Ver - return the bot version
Enc - get/set the RC4 encryption key
Extip - return the bot's external IP address
Chkport - check if a specific port is open
Search - search for files by name (potentially crypto currency wallets)
Set_timeout - set a period of time for connecting to C2 server
Touch - open a file
Touch_internal - edit a file with a single byte to change access times
Touch_stop - close a file
Update - update the bot version
Set_Autoexec2 - set an automatic execution
Set_Autoexec1 - set an automatic execution
Set_cc1 - set a C2 server
Set_cc0 - set a C2 server
Call - Execute a program or a file
Start_mining - launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Start_mining1 - request C:\windows\dell\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner) with the file C:\windows\dell\Desktop.dat as its parameters
Stop_mining - runs cmd.exe with command: “/c taskkill -f -im SearchIndexer.exe”
Wget - download a file
Xwget - download a file, save it, and use XOR to decrypt it
Quit - terminate the bot execution using TerminateProcess
Quit2 - terminate the bot execution without using TerminateProcess
Sysinfo - collect information about the machine (using native APIs and WMIC)
Exec - execute a command
Ver - return the bot version
Enc - get/set the RC4 encryption key
Extip - return the bot's external IP address
Chkport - check if a specific port is open
Search - search for files by name (potentially crypto currency wallets)
Set_timeout - set a period of time for connecting to C2 server
Touch - open a file
Touch_internal - edit a file with a single byte to change access times
Touch_stop - close a file
Update - update the bot version
Set_Autoexec2 - set an automatic execution
Set_Autoexec1 - set an automatic execution
Set_cc1 - set a C2 server
Set_cc0 - set a C2 server
the attackers attempted to execute C:\Windows\svchost.exe, which is the same file as sqhost.exe, and the attackers named it as svchost in earlier versions, but it wasn’t downloaded in the attack or in existence by this name. The reference for “svchost.exe” resides in different components of the malware, sometimes even in addition to “sqhost”. Our assumption is that it is used either for backwards-compatibility or it is the case that the attackers didn’t bother to change it in some places after renaming the main bot module to “sqhost.exe”.
Sqhost.exe: executed with “-watchdog” parameter, to make sure that it will keep running on the system.
Wmic.exe: was used to perform reconnaissance commands:
- wmic ComputerSystem get Model
- wmic OS get lastbootuptime
- wmic baseboard get product
- wmic os get caption
ExchDefender.exe
Exchdefender tries to masquerade as a “Microsoft Exchange Defender”, a non-existent program that masquerades as a legitimate Microsoft product.
When first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows) with the same command line as seen used with sqhost.exe - “Dcomsvc”:
Sqhost.exe: executed with “-watchdog” parameter, to make sure that it will keep running on the system.
Wmic.exe: was used to perform reconnaissance commands:
- wmic ComputerSystem get Model
- wmic OS get lastbootuptime
- wmic baseboard get product
- wmic os get caption
ExchDefender.exe
Exchdefender tries to masquerade as a “Microsoft Exchange Defender”, a non-existent program that masquerades as a legitimate Microsoft product.
When first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to execute the binary (from C:\Windows) with the same command line as seen used with sqhost.exe - “Dcomsvc”:
Exchdefender constantly checks the files within the directory C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth, a known directory to be used to host WebShells. The malware is specifically interested in the file “ExpiredPasswords.aspx” which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka. OilRig). If the file exists, the malware immediately deletes it.
Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.
Our assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so Prometei will remain the only malware using its resources.