GreyEnergy Malware

The GreyEnergy malware has no destructive capabilities at the moment, and it seems focused on espionage and reconnaissance operations on industrial control system workstations running SCADA software and servers.

However, it has a modular architecture, which means that its capabilities can be further expanded.

The plugins observed by security researchers provide capabilities such as backdoor access, file exfiltration, grabbing screenshots, logging keystrokes, and stealing credentials.

GreyEnergy deploys its malware according to the type of machine it infiltrates. According to ESET’s research, one method is to run the malware in the memory of the system. This approach is chosen with servers that have a high uptime, where reboots are rare.

The second type of system targeted is one where the malware needs persistence because reboots are more likely. In this case, an existing service is selected and a new ServiceDLL registry value is added so that the service loads the malware's DLL. This method can break the system, so to avoid that outcome the dropper first screens the installed services for one that meets a set of requirements.
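As an added illustration, not code from the BleepingComputer or ESET write-ups, the following PowerShell enumerates every ServiceDLL value under the Services key and lists the entries a defender would want to review by hand. The triage criteria (DLL outside System32, missing on disk, or without a valid Authenticode signature) are my assumptions for a first pass, not indicators ESET published; legitimate third-party services can trip them, so the output is a worklist, not a verdict.

```powershell
# Added example: audit ServiceDLL values for svchost-hosted services and flag
# entries that merit review. Criteria below are assumptions, not published IoCs.
# Run in an elevated PowerShell session.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = (Join-Path $env:SystemRoot 'System32').ToLowerInvariant()

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    # ServiceDLL lives under <service>\Parameters; most services have none.
    $params = "$($svc.PSPath)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDLL -ErrorAction SilentlyContinue).ServiceDLL
    if (-not $dll) { continue }

    # Expand %SystemRoot% and friends so the path can be checked on disk.
    $path    = [Environment]::ExpandEnvironmentVariables($dll)
    $reasons = @()

    if (-not $path.ToLowerInvariant().StartsWith($system32)) {
        $reasons += 'outside System32'
    }
    if (-not (Test-Path -LiteralPath $path)) {
        $reasons += 'file missing on disk'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service    = $svc.PSChildName
            ImagePath  = $svc.GetValue('ImagePath')
            ServiceDLL = $dll
            Reasons    = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

Comparing the list against a baseline taken from a known-clean build of the same image turns the one-off check into a repeatable detection.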

Researchers say that GreyEnergy's purpose is to infiltrate deep into the target's network and collect information. Unlike TeleBots, it is not in the sabotage business, but this does not rule out destructive capabilities being added at some point.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against GreyEnergy malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-17468

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of the most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured with fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it were configured with administrative rights.

Source: Center for Internet Security

How do you protect yourself?

These vulnerabilities are fixed in Google Chrome version 70.

Agent Tesla

A new attack technique that tampers with a well-known exploit chain to blind antivirus solutions has been uncovered; it is being used to spread information-stealing malware.

Researchers from Cisco Talos said on Monday that the new malware campaign is spreading Agent Tesla, a virulent form of spyware.

The Trojan is able to monitor and collect the victim's keyboard input and system clipboard, take screenshots, and exfiltrate credentials from a variety of software installed on the victim's machine. This includes the Google Chrome and Mozilla Firefox browsers, as well as the Microsoft Outlook email client.

Alongside Agent Tesla, the campaign is also spreading Loki, another information and credential stealer.

While spyware and surveillance malware are often spread covertly through phishing attacks, bundled as Potentially Unwanted Programs (PUPs) with other software, or downloaded through malicious links, the latest wave of attacks has revealed something unusual.

The hackers have created an infrastructure leveraging CVE-2017-11882 and CVE-2017-0199 — a remote code execution flaw in Microsoft Office and a memory handling bug which permits arbitrary code execution — to distribute Agent Tesla and Loki.

However, the infrastructure is also being used to distribute other forms of malware including the Gamarue Trojan, which has been connected to botnets in the past.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against malware campaigns and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from information-stealing malware. Avoid clicking unknown links and downloading suspicious attachments.