Hackers have learned to use fake error logs to store ASCII characters disguised as hexadecimal numbers, which are decoded into a malicious payload that sets the stage for script-based attacks.
This trick is one link in a longer chain of intermediate PowerShell commands that eventually delivers a script for reconnaissance purposes.
Read Between The Lines
Can Windows Update be hacked?
Microsoft encourages users to install the latest updates. The vulnerabilities, known as “PrintNightmare”, are in a feature of the Windows print spooler. Sensitive user data could be changed or exposed if an attacker exploits this vulnerability.
Managed detection vendor Huntress Labs has uncovered an attack scenario in which an attacker with persistence on a compromised machine used an unusual trick to continue the attack.
The attacker had already gained access to the target system and managed to maintain that foothold. From this position, they used a file called “a.chk” that closely mimics a Windows application error log. The last column displays what appear to be hexadecimal values.
They were in fact decimal representations of ASCII characters. Once decoded, they form a script that communicates with the command-and-control server for the next stage of the attack.
A quick look at the bogus log file would likely not raise any flags, since the file includes timestamps and references to the Windows internal version number, says John Ferrell, VP of ThreatOps at Huntress Labs.
“At first glance it looks like an application log. It has timestamps and references to OS 6.2, the Windows internal version number for Windows Server 2012,” says John Ferrell.
A closer look reveals the trick the actor used: extract the relevant block of data (the numeric values) and decode it into the payload. The numbers are converted to text to assemble the script.
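As an added illustration from the defender's side (not code from Huntress or the article), the following triage script parses a log-like file, takes the last column of every line, and checks whether it decodes entirely to readable text as decimal (the case described above) or hexadecimal ASCII codes. The sample log is constructed and hides a harmless PowerShell command; the file name, column layout and field names are assumptions.

```python
import re
from typing import List, Optional

# Constructed sample, not the real a.chk: an application-log lookalike whose
# every line carries a timestamp and an "OS 6.2" reference, while the last
# column of each line is the decimal ASCII code of one character of a
# (harmless) PowerShell command.
HIDDEN_COMMAND = "Write-Host hi"
FAKE_LOG = "\n".join(
    f"2020-01-01 12:00:{i:02d} OS 6.2 ERROR app.dll {ord(ch)}"
    for i, ch in enumerate(HIDDEN_COMMAND)
)

def last_columns(text: str) -> List[str]:
    """Return the final whitespace-separated field of every non-blank line."""
    return [line.split()[-1] for line in text.splitlines() if line.split()]

def decode_ascii_column(values: List[str], base: int = 10) -> Optional[str]:
    """Interpret each value as an ASCII code in the given base. Return the
    decoded text, or None if any value is not a number in that base or falls
    outside printable ASCII (32-126) plus tab, LF and CR."""
    chars = []
    for value in values:
        try:
            code = int(value, base)       # base 16 also accepts a 0x prefix
        except ValueError:
            return None
        if not (32 <= code <= 126 or code in (9, 10, 13)):
            return None
        chars.append(chr(code))
    return "".join(chars)

def triage_log(text: str, min_lines: int = 8) -> dict:
    """Flag a log-like file whose last column decodes entirely to readable
    text, trying decimal first (the case described above) and then hex.
    Timestamps and version strings in the other columns are ignored on
    purpose: they are exactly the dressing that makes the file look benign."""
    cols = last_columns(text)
    verdict = {"lines": len(cols), "suspicious": False,
               "encoding": None, "decoded": None}
    if len(cols) < min_lines:            # too short to judge
        return verdict
    for name, base in (("decimal", 10), ("hex", 16)):
        decoded = decode_ascii_column(cols, base)
        if decoded is not None:
            verdict.update(suspicious=True, encoding=name, decoded=decoded)
            break
    return verdict

if __name__ == "__main__":
    print(triage_log(FAKE_LOG))
```

A real log whose last column is free text, or whose codes fall outside printable ASCII, is left unflagged; the decoded string itself is the artifact worth reviewing, not executing.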
Has Microsoft Been Hacked 2021?
A wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were found in on-premises Microsoft Exchange servers, which gave attackers full access to user emails and passwords on the affected servers, administrator privileges on the server, and access to devices connected to it on the same
Ferrell explains that the payload is assembled through a scheduled task on the host, and describes the process. Two executables are involved, both renamed copies of legitimate files chosen to appear harmless.
Use Legitimate Filenames
One of them is called “BfeOnService.exe” and is a copy of “mshta.exe”, a utility that launches Microsoft HTML Applications (HTAs) and has frequently been abused to deliver malicious HTA files. In this case, it runs VBScript that starts PowerShell and runs a command there.
The other one is called engine.exe and is a copy of powershell.exe. Its purpose is to extract the ASCII numbers from the fake log and convert them to obtain the payload. How it works:
Ferrell notes that the script decoded in this way applies an in-memory patch to the Antimalware Scan Interface (AMSI) to bypass it. AMSI allows antivirus programs to detect script-based attacks.
It then runs a command that acts as a loader to fetch another PowerShell command with the same functionality. At the end of the chain is a payload that collects information about the compromised system.
It is not clear what the adversary is after, but the final script collects data on installed browsers, tax preparation and security applications (Lacerte, ProSeries, Kaspersky, Comodo, Defender), as well as point-of-sale software.
While this is not a sophisticated attack, it shows that cybercriminals will find ways to gain a foothold in a target network and creatively expand their reach, which in some cases pays off.
A new fileless attack abusing the Microsoft Windows Error Reporting (WER) service is undoubtedly the work of an as-yet unidentified hacking group.
According to Malwarebytes security researchers Hossein Jazi and Jérôme Segura, the attack vector relies on injecting malware into WER-based executables so as not to arouse suspicion.
In a blog post on Tuesday, the duo revealed that the attack, which they dubbed Kraken, was discovered on September 17th, and that the method is not entirely new.
The phishing document found by the team was delivered in a ZIP file. The file, called Compensation manual.doc, claims to contain policies related to workers’ compensation rights, but when opened it triggers a malicious macro.
The macro uses a custom version of the CactusTorch VBA module to launch a fileless shellcode attack.
CactusTorch loads a compiled .NET binary called “Kraken.dll” into memory and executes it via VBScript. This payload injects the embedded shellcode into WerFault.exe, the process behind the WER service, which Microsoft uses to monitor and troubleshoot operating system issues.
“This reporting service, WerFault.exe, is usually invoked when an error occurs with the Windows operating system, features, or services,” explains Malwarebytes. “When victims see WerFault.exe running on their computer, they may think that some error has happened, while in this case they have been targeted in an attack.”
This method has also been used by the NetWire Remote Access Trojan (RAT) and the Cerber ransomware, which also steals cryptocurrency.
Do hackers use Windows to hack?
Windows is an attractive but dangerous target for most hackers because many businesses must run a Windows environment. It is more restrictive than Linux, but still vulnerable because exploits typically target Windows operating systems.
The shellcode also makes an HTTP request to a hard-coded domain, likely to download additional malware.
Can Windows be hacked?
Hacking can affect Mac computers, Windows 7 PCs, Windows 10 computers, and Android devices. We explain why you must prevent hacking and stop cybercriminals before they invade your life.
Kraken employs several anti-analysis techniques, including code obfuscation, forcing its DLL to run in multiple threads, checks for sandbox or debugger environments, and registry scans for virtual machines from VMware or Oracle VirtualBox. The malware’s developers programmed the code to stop running when it detects signs of analysis activity.
Currently it is difficult to attribute the attack. The malware’s hard-coded target URL was taken down during analysis, and without it, a solid attribution to one or more APTs is not possible.
However, Malwarebytes reports that some elements reminded researchers of APT32, also known as OceanLotus, a Vietnamese APT believed to be responsible for attacks on BMW and Hyundai in 2019.