BlackByte Ransomware Targets Windows Driver Vulnerability

BlackByte, MSI Afterburner utility, Ophtek, Ransomware, RTCore64.sys, update drivers, , , , ,
25
Oct 2022

A vulnerable Windows driver has been revealed to be the ‘hole in the fence’ that the BlackByte ransomware needs to breach your IT infrastructure.

The attack is interesting in that it uses a relatively new attack strategy known as Bring Your Own Vulnerable Driver (BYOVD). It’s an attack method which targets vulnerabilities in drivers to take control of the victim’s PC. And, to maximize the impact of the breach, the ransomware goes on to disable more than 1,000 drivers associated with security software.

The ransomware involved in this recent attack is believed to have been brewed by the BlackByte threat actors, a hacking group whose origins can be traced to the infamous Conti hacking team. Clearly, the BlackByte team know what they are doing and it’s vital that you are aware of their strategies.

What is BlackByte?

The vulnerable driver in the sights of BlackByte’s target is RTCore64.sys, a driver associated with the MSI Afterburner utility found in countless graphics cards. To be specific, RTCore64.sys is a kernel driver, and this means that it’s involved in the transfer of data between a piece of hardware and a PC’s operating system. The problem with RTCore64.sys is that it’s associated with the CVE-2019-16098 vulnerability.

Once BlackByte has exploited the CVE-2019-16098 vulnerability, the threat actors can access the arbitrary memory of that PC. Access to this area gives BlackByte the opportunity to assume administration privileges, execute commands and transmit data. The ransomware also prides itself on its ‘anti-analysis’ strength, a fact most evidenced by its ability to disable numerous security products and remain undetected.

The Importance of Updating Drivers

The vulnerability at the heart of BlackByte’s attack, CVE-2019-16098, is far from new and, therefore, is a very different attack to that of a zero-day vulnerability. In fact, the CVE-2019-16098 vulnerability has been known of since 2019. This underlines the fact that hackers will focus on known vulnerabilities – after all, it’s much easier to attack an existing vulnerability than to spend time trying to find new ones. As a result, it’s crucial that you update any drivers when prompted to or, more simply, you activate automatic updates.

Not all driver vulnerabilities, however, have updates available due to a variety of reasons such as support being discontinued for a product. Thankfully, it’s still possible to minimize the risk of these vulnerable drivers. As long as your organization keeps a log of all the authorized drivers used within your IT infrastructure, you can regularly check the security status of these drivers. If one is found to be vulnerable with no patch available, you can simply apply block rules to these drivers.

Final Thoughts

The threat presented by BlackByte’s ransomware has the potential to create chaos across your IT network and needs to be taken seriously. And it’s not the only risk which utilizes these methods as, for example, the Avos Locker ransomware uses similar strategies. Accordingly, the importance of applying updates and monitoring vulnerable drivers has never been stronger.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

USB Malware is Being Delivered by Mail

BadUSB, malware, Ophtek, UPS, USB Flash Drives, USB Malware, USPS, , , , , ,
18
Oct 2022

It may sound like a backwards step, but a group of cyber criminals have decided to enlist the help of the postal service to deliver their malware.

Snail mail may feel like an archaic method of attack for cyber criminals, but it’s surprisingly effective as a series of attacks – using the BadUSB malware – have proven. We all deal with traditional mail daily, so it’s easy to take it for granted, and it’s this familiarity that the hackers are targeting. This particular attack, as the name suggests, involves a malicious USB drive. These attacks have proved successful in the past and the BadUSB campaign has the potential to cause significant damage.

How Does BadUSB Work?

Delivered through the United Parcel Service and United States Postal Service, the malicious USB drives come loaded with malware and allow a threat actor to take control of a victim’s USB port. Activating the malware is simple: all it needs is to be plugged into a USB port.

However, there needs to be a reason why a victim decides to plug the device into their PC. And the minds behind BadUSB do this by instilling a sense of urgency in the recipient. This is achieved by claiming that the USB drive contains official Covid-19 warnings or that the drive is an Amazon gift from a friend.

Once plugged into a PC, the affected USB port can be manipulated to believe that an alternate device is installed e.g. a keyboard or mouse. These fake devices can then be controlled by remote cyber criminals and used to cause untold damage. For example, a keyboard and mouse could be used to take full control of a PC and download further malware. In 2020, the BadUSB malware was involved in a series of attacks which downloaded ransomware to exploit the finances of those attacked, and this could easily happen again.

Staying Safe from Malicious USB Drives

BadUSB has the potential to cause you a serious headache, both in terms of your data and your finances. As a result, it’s crucial that you steer clear of this and similar attacks, an outcome which is possible if you do the following:

  • Be wary of USB drives: while they are not one of the ‘go to’ options for hackers, infected USB drives (and the USB killer) have the capacity to cause real damage. Therefore, if you are presented (or even find) a USB drive which doesn’t belong to your company, do not plug it in to your PC. Instead, ask an IT professional to safely analyze it.
  • Disable USB ports: there’s not a pressing need for your employees to be plugging additional devices into their PC, so it makes sense to disable access to USB ports. Sometimes, this is as simple as blocking any unused ports and, in other scenarios, you may want to restrict access to these ports through administration privileges.
  • Disable Autorun: if your employees do need access to their USB ports, then it may be worth disabling the autorun feature associated with them. This feature allows USB drives to automatically open – and activate their contents – once plugged in. However, with autorun disabled, there is a chance to view the drive’s contents before running it.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

Stealer Malware Hidden in Fake Zoom Sites

Cyber Security, Data Security, malware, Ophtek, stealer malware, zoom, , , , , ,
11
Oct 2022

Six malicious websites have been discovered which claim to offer downloads of Zoom, but contain nothing but the Vidar stealer malware.

The popularity of Zoom – a video meeting application – has exploded in the post-Covid landscape we find ourselves living in. No longer do people need to travel for face-to-face meetings, they can now be conveniently arranged and carried out over video. Accordingly, the demand for Zoom is huge, with around 485 million downloads completed since 2020. Due to this popularity, a gang of cybercriminals have decided to use Zoom as the bait for downloading the Vidar stealer.

As your employees are likely to consider a Zoom install safe, it’s important that we delve a little deeper and demonstrate why it may be far from safe.

Beware of Fake Zoom Sites

Vidar has been an active threat for some time now, but this latest attack is a new campaign and carries a number of unique threats. The six sites, discovered by Cyble Research, use a variety of URLs such as ‘zoom-download’ and ‘zoomus’ to appear legitimate. And, if you visit one of these sites, the visual aesthetics are remarkably similar to the official Zoom website, but this is where all similarities end.

Attempting to download the Zoom application from these malicious sites will, instead, redirect you to a GitHub file depository. From here, two files will be downloaded to your temporary folder:

  • ZOOMIN~1.exe: this is a genuine Zoom installer which is included to create a front that nothing untoward is taking place.
  • Decoder.exe: this is the malicious file which injects Vidar’s ability to steal into the Microsoft Build Engine. With this infection in place, Vidar is then able to contact remote Command and Control servers and begin transmitting data from the infected PC.

Like most stealer malware, Vidar concentrates on extracting confidential data such as login credentials, network details and whether any further vulnerabilities are present in the IT infrastructure. If vulnerabilities are detected, then it’s highly likely these will be logged and sold by criminal gangs. Protecting yourself against Vidar, therefore, is crucial.

How to Avoid Having Your Data Stolen

The mechanics of the Vidar Zoom threat are relatively common in the world of malware, so it’s likely you will run into a similar threat at some point. The best way to protect your PCs is by following these practices:

  • Always Verify Websites: Vidar’s latest attack relies on poor judgement from its intended victims, the main error coming when they assume that the malicious website is genuine. Many antivirus suites contain tools which allow search results to be rated as to their level of safety, and there is also the option for these tools to present warning screens before accessing sites deemed unsafe. If these are unavailable, and you need to download some software, reach out to your IT team instead.
  • Install Updates: Vidar is keen on logging any vulnerabilities contained within your PC, so it makes sense to limit these vulnerabilities. The best way to achieve this is by always installing updates as soon as they are available.
  • Segment Your Network: to protect your data, it makes sense to adopt network segmentation. This procedure divides your network into different segments and allows you to keep them separate. Therefore, if one segment is breached, the others will remain protected, and this allows you to limit the spread of the malware.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

YouTube Channels Are Being Used to Spread Malware

Cryptominer, malicious videos, malware, NirCmd, Ophtek, redline stealer, YouTube, , , , , ,
04
Oct 2022

Following the discovering of a malware campaign spreading through YouTube channels, it appears that no corner of the internet is immune from hackers.

It’s increasingly common for businesses to run a YouTube channel as part of their marketing efforts, with over 60% of businesses regularly uploading videos. And with YouTube regularly attracting 5 billion daily video views, you can see why it’s an attractive target for threat actors. Thankfully, you can’t be hacked simply by watching a video on YouTube. However, you do need to consider the legitimacy of each video’s content and, more importantly, how safe the embedded links within these videos are.

How Does YouTube Spread Malware?

This latest threat to online safety appears, at present, to be concentrating on YouTube gaming channels, with a specific focus on those which cover games including Final Fantasy, FIFA and Spider-Man. The malware involved is what’s known as a malware bundle i.e. it contains several different strains of malware, with RedLine being the most dominant piece of malware.

The malware spreads through YouTube by uploading malicious videos to infected channels. These malicious videos may appear to be on-brand with the channel e.g. links to cheats for FIFA, but the payload will actually be the same malware which has infected the channel. Therefore, this malware bundle can spread through numerous niche-specific channels by using the same content.

What Does the Malware Bundle Do?

The malware contained within this attack comprises several different attack methods:

  • RedLine: the most substantial piece of malware found in the attack, RedLine harvests confidential data from those it infects e.g. downloading login credentials, accessing cryptocurrency wallets and extracting data entered into web browsers.
  • NirCmd: this application is, in fact, a genuine piece of software, but it’s one which provides the threat actors with a layer of stealth. Once activated, NirCmd conceals the activities of the malware it’s bundled with and makes the attack difficult to identify.
  • Cryptominer: interestingly, a cryptominer which hijacks the resources of the victim’s graphics card is also included. This is considered interesting as the attack targets gamers, a demographic who are likely to possess powerful graphics cards.

Staying Safe on YouTube

YouTube is a crucial asset in the business world, but this recent attack demonstrates it also carries security risks. Your organization may not run a gaming channel, but it’s likely this template will soon be replicated in other niches. Accordingly, it’s essential that you follow these two important practices:

  • Doublecheck links: when viewing videos on YouTube, it’s vital that you treat their links in the same way you would in an email. Always hover your mouse over any links (and that includes those in the video description) to reveal the true destination, copy and paste links into Google to highlight any existing concerns and, finally, ask an IT professional to verify them before clicking.
  • Regularly check your video library: if your organization hosts a YouTube channel, it’s recommended you keep an eye on the videos uploaded to it. The sudden appearance of videos you have no record of uploading may be the only indicator you have that your channel has been hacked.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More