fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Abuse Windows Error Service In Fileless Malware Attack

Hackers Abuse Windows Error Service In Fileless Malware Attack

An unknown hacking group injected malicious code within the legitimate Windows Error Reporting (WER) service to evade detection as part of a fileless malware attack as discovered by Malwarebytes researchers last month.

Exploiting the WER service in attacks for defense evasion is not a new tactic but, as Malwarebytes Threat Intelligence Team researchers Hossein Jazi and Jérôme Segura said, this campaign is most likely the work of a yet unknown cyber espionage group.

“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack followed by several anti-analysis techniques,” the report, shared in advance with BleepingComputer, explains.

Spear-phishing used to drop the payload

The attack was first observed on September 17 after the researchers spotted phishing emails containing a malicious document encased in a ZIP archive.

Initial malicious payloads were onto the targets’ computers via spear-phishing with emails using a worker’s compensation claim as the bait.

Once opened, the document will execute shellcode via a malicious macro identified as a CactusTorch VBA module which loads a .NET payload straight into the now infected Windows device’s memory.

In the next step, this binary is executed from the computer’s memory leaving no traces on the hard drive, injecting embedded shellcode into the WerFault.exe, the WER service’s Windows process.

Also Read: 10 Practical Benefits of Managed IT Services

Phishing email sample
Phishing email sample (Malwarebytes)

The same process injection technique is used by other malware to bypass detection, including both Cerber ransomware and NetWire RAT.

The newly created Windows Error Reporting service thread injected with malicious code will go through several anti-analysis checks to see if it’s being debugged or if it’s running in a virtual machine or a sandbox environment, all signs of being examined by a malware researcher.

If all checks are passed and the malware loaded feels safe enough to get to the next step, it will decrypt and load the final shellcode in a newly created WER thread, which will get executed in a new thread.

The final malware payload hosted on the asia-kotoba[.]net in the form of a fake favicon will then be downloaded and injected into a new process.

Unfortunately, Malwarebytes was unable to analyze this final payload since the host URL was down at the time the researchers analyzed the attack.

Potential APT32 fingerprints

While the Malwarebytes researchers were not able to attribute the attack to any hacking group with enough confidence, some of the indicators of compromise and tactics used point to the Vietnamese-backed APT32 cyber espionage group (also tracked as OceanLotus and SeaLotus).

One of them is the fact that APT32 is known for using the CactusTorch VBA module to drop variants of the Denis Rat in their attacks.

Sadly, Malwarebytes did not manage to obtain a copy of the final payload after investigating this attack to make a direct connection.

The other hint that could potentially link this attack to the Vietnamese hacking group is the domain (yourrighttocompensation[.]com) registered in Ho Chi Minh City, Vietnam, that was used to host and deliver the phishing document and malicious payloads.

APT32 has previously targeted “foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors” by delivering malicious attachments via spear-phishing emails according to cybersecurity firm FireEye.

They are also known to be behind targeted attacks on research institutes from all over the world, media and human rights organizations, as well as Chinese maritime construction firms. [1234567]

Also Read: Limiting Location Data Exposure: 8 Best Practices

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us