When we think about cyber attacks, our minds go to ransomware that holds data hostage or to malware that exfiltrates data, and this makes sense in many scenarios. But what if an entirely legitimate kernel driver, carrying a valid digital signature and sitting deep inside the system, is abused to launch an attack? This is exactly what happened with RobbinHood, which brings a signed but vulnerable driver along and abuses it, a technique close to living off the land that considerably lowers the attacker's detection profile, because the component doing the damage is signed and trusted. ReaQta CEO Alberto Pelliccione discussed RobbinHood in a recent LinkedIn post, pointing out that, in the hands of a sophisticated threat actor, this is a very useful weapon: legitimate and ready to be used.
He explains: “Normally ransomware such as Ryuk or Sodinokibi are plain applications doing some dirty work; RobbinHood instead does its deed from a driver, deep into the system. To use such a driver one needs a specific Digital Certificate with a high level of verification, which normally criminals don’t try to obtain, because they can reuse an existing driver. Bugs are everywhere and drivers are no exception: a bugged driver can allow a malicious party to run code at the highest possible level on an endpoint. This is what RobbinHood does: it uses a bug in a legitimate driver to load a malicious (unsigned) driver and wreak havoc. To make matters worse, there are a LOT of legitimate bugged drivers that can be used for this purpose! RobbinHood uses one to avoid anti-ransomware solutions, and it works quite well; normally ransomware analysis is not done on kernel operations (mostly for performance reasons). A good practice is, when possible, to block all known bugged drivers, as many are widely reported and still valid. As usual, below is how RobbinHood’s behaviour looks, hopefully the only place where you’ll see it active.”
Team ReaQta ran an analysis to find out how common such vulnerable drivers are within the enterprise. Below, ReaQta-Hive shows a support utility from HP that ships by default with certain laptops. The application installs a driver called “activehealth.sys”; ReaQta cloud analysis reports it as safe (because it is), but this driver, signed with a high-assurance certificate, is vulnerable and can be abused to run code with high privileges on the machine. From the attacker’s point of view this is an advantage: there is no need to carry the driver, as RobbinHood does, because it is already there, and the vendor cannot simply revoke the certificate, since the impact on the user base would be severe. An attacker therefore has a convenient way to run dangerous code just by reusing what already exists on the computer. This living-off-the-land technique works extremely well for the attacker because it lowers their detection profile: a powerful tool in the hands of a sophisticated threat actor. We can expect interesting cases in the near future involving more than “just” ransomware.
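A practical first step toward the advice above to block all known bugged drivers is knowing which drivers are installed, whether they are validly signed, and whether any of them is on a block list. The following PowerShell is an added example written for this page; it is not ReaQta’s or HP’s code. It enumerates kernel drivers registered with the Service Control Manager through the Win32_SystemDriver class, hashes each binary, checks its Authenticode signature and matches the hash against a block list. The hashes in $VulnerableDriverHashes are constructed placeholders, not real values, and the function names are assumptions of this example.

```powershell
# Added example, not part of the original post. Run from an elevated
# Windows PowerShell 5.1 / PowerShell 7 session so that every file under
# System32\drivers can be read. Hashes in $VulnerableDriverHashes are
# constructed placeholders, NOT real values: replace them with your own list.

$VulnerableDriverHashes = @{
    # SHA-256 (hex) -> label. Constructed placeholder entries.
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder vulnerable driver A'
    '0000000000000000000000000000000000000000000000000000000000000002' = 'placeholder vulnerable driver B'
}

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\System32\drivers\x.sys
    #   \SystemRoot\System32\drivers\x.sys
    #   System32\drivers\x.sys   (relative to %SystemRoot%)
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverInventory {
    # One object per kernel driver registered with the SCM, loaded or not:
    # an installed-but-stopped driver can still be started by an attacker later.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State          # Running / Stopped
                StartMode = $_.StartMode      # Boot / System / Auto / Manual / Disabled
                Path      = $path
                Sha256    = $hash
                SigStatus = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                KnownVuln = $VulnerableDriverHashes.ContainsKey($hash)
                VulnLabel = $VulnerableDriverHashes[$hash]
            }
        }
}

function Find-RiskyDrivers {
    # A valid signature is exactly what makes these drivers useful to an attacker,
    # so the block-list match is the primary signal. A non-Valid status is reported
    # alongside it for review (catalog-signed inbox drivers normally show Valid).
    param([object[]]$Inventory)
    $Inventory | Where-Object { $_.KnownVuln -or $_.SigStatus -ne 'Valid' }
}

$inventory = Get-KernelDriverInventory
$inventory | Sort-Object Name | Format-Table Name, State, SigStatus, KnownVuln -AutoSize
Find-RiskyDrivers -Inventory $inventory |
    Format-List Name, Path, Sha256, SigStatus, Signer, VulnLabel
```

The script only finds; it does not block. The useful output is the set of hashes (and signer subjects) of drivers that are present on the fleet, which can then be turned into deny rules in whatever application-control or endpoint policy the organisation uses. A stopped driver with a matching hash deserves the same attention as a running one, since loading it is precisely what the attack does.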
AVE_MARIA, a malware used in phishing campaigns and so far identified only as an info-stealer, appears to be more complex and insidious, offering a wide range of capabilities, from privilege escalation to camera exfiltration, RDP connections, email extraction and more. For the past few months we have been monitoring various phishing campaigns delivering AVE_MARIA, and we are now able to show that AVE_MARIA is in fact a complete, multi-purpose malware. Continue reading “Ave_Maria Malware: there's more than meets the eye”
Fileless malware attacks are a growing concern in cyber-security with an interesting history that dates back to 2001. After remaining almost silent for several years, this type of threat began to gain fresh traction in 2014 with new concepts introduced at a fast pace. Today such attacks are so common that new strategies had to be developed to identify and contain them. Continue reading “Hunting Fileless Malware: Invisible but not Undetected”
In November 2018 we followed up on a tweet mentioning potentially malicious code disseminated as CHM (Microsoft Compiled HTML Help) files. A preliminary analysis caught the attention of our Threat Analysis and Intelligence team, as it yielded interesting data showing, among other things, that the campaign was targeting employees of financial entities, specifically in the Russian Federation and the Republic of Belarus. We conclude that the actor behind the attack is the Silence group, a relatively new threat actor that has been operating since mid-2016. Continue reading “Silence group targeting Russian Banks via Malicious CHM”
Over the past 3 months ReaQta has been working closely with VirusTotal to integrate ReaQta-Hive’s behavioral engine; today we are excited to announce that the integration is complete and available to the public. VirusTotal is a free service that analyzes files and URLs to detect malicious content. The platform is well known among security researchers, as it offers powerful threat hunting features and automated scanning across a multitude of antivirus solutions. Continue reading “ReaQta Behavioral Engine and Virustotal”
Proactive Threat Hunting helps in the early detection of new threats and in the discovery of weak spots that an attacker can leverage to gain or maintain access to an infrastructure. Traditional IOCs, combined with MITRE ATT&CK TTPs and artificial intelligence for the discovery of new behaviors, raise the bar for attackers, helping responders identify breaches at a very early stage and enabling them to contain and mitigate attacks quickly and effectively. Continue reading “Proactive Threat Hunting with A.I.”
On the 9th of October our customers started reporting the same kind of incident over the span of a few hours. The identified activity appears to be linked to the banking Trojan Ursnif, a long-active malware whose roots can be traced back to 2007, together with ZeuS and SpyEye, and which still shows strong infection capabilities in each of its campaigns. The attack vector was a malicious email with a Word document attached. Continue reading “Ursnif reloaded: tracing the latest trojan campaigns”
For the past weeks our Threat Intelligence team has been following an extensive campaign, possibly operated by a single group, targeting a large number of financial institutions, cryptocurrency wallets and the occasional Google and Apple accounts. The attackers target their victims with phishing emails, typo-squatted domains and malicious attachments that eventually lead to the installation of the Zeus/Panda banking malware. The group appears to have been active since at least 2015 and is most likely related to several campaigns identified by the security community over the past 3 years. Continue reading “Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda”