The script is designed to automatically fill in the username and password fields in login forms and, if a TOTP secret is present, to generate the OTP code and copy it to the clipboard using the “oathtool” utility.
Before you begin, ensure the following tools are installed (for example, on a Debian-based Linux system using APT; `xclip` is included because the script uses it to copy the OTP code, and `xprop` comes from the `x11-utils` package):

```bash
sudo apt-get install oathtool x11-utils xdotool xclip libnotify-bin rofi pass
```
Follow the official guide for configuring “pass,” including synchronization with Git. You can find the guide here.
The script relies on a specific data format within “pass” for storing credentials. Each password file should adhere to the following structure (the password alone on the first line, followed by `key: value` fields):

```text
<password>
login: <login>
url: <url>
totp: <totp secret>
```
Here is the Bash script that integrates “pass” into the i3 desktop environment:

```bash
#!/bin/bash
shopt -s nullglob globstar

# BETA - get the active window title and use its first word to pre-filter the password list
wintit=$(xprop -id "$(xdotool getactivewindow)" | grep "WM_NAME" | tail -n1 | cut -d '"' -f 2 | tr '[:upper:]' '[:lower:]' | cut -d " " -f 1)

# collect all saved password files, stripping the store prefix and the .gpg suffix
prefix=${PASSWORD_STORE_DIR-~/.password-store}
password_files=( "$prefix"/**/*.gpg )
password_files=( "${password_files[@]#"$prefix"/}" )
password_files=( "${password_files[@]%.gpg}" )

# show the list in rofi (pre-filtered with the window title) and save the selected entry
password=$(printf '%s\n' "${password_files[@]}" | rofi -dmenu "$@" -filter "$wintit")
[[ -n $password ]] || exit

# decrypt the entry: first line is the password, then the "login:" and "totp:" fields
passshow=$(pass show "$password") || exit
passw=$(echo "$passshow" | head -n1)
uname=$(echo "$passshow" | grep '^login:' | cut -d " " -f 2)
totpsecret=$(echo "$passshow" | grep '^totp:' | cut -d " " -f 2)

# xdotool types the username into the active field
xdotool type "$uname"
# send a TAB to move to the next input field (browser login forms)
xdotool key Tab
# type the password into the now-active input
xdotool type "$passw"
xdotool key Tab

# if a TOTP secret is present, generate the code and copy it to the clipboard
# (the base32 secret is passed as an argument, so it is briefly visible in the process list)
if [[ -n $totpsecret ]]; then
  totp=$(oathtool -b --totp "$totpsecret")
  notify-send "OTP code $totp copied to clipboard!"
  # printf avoids a trailing newline, which would otherwise be pasted into the OTP field
  printf '%s' "$totp" | xclip -sel clip
fi
```
To integrate the script with i3, save it as ~/.local/bin/pass.sh (and make it executable) and add the following line to your ~/.config/i3/config file:

```text
bindsym $mod+Shift+p exec ~/.local/bin/pass.sh
```

This configuration binds the script execution to a key combination ($mod+Shift+p). Adjust it according to your preferences.
Now, you have successfully integrated “pass” into your i3 desktop environment, providing a seamless and secure password management solution.
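To show what the script extracts from a `pass` entry and what `oathtool -b --totp` computes from the `totp:` field, here is an added Python example (not part of the original script) that parses an entry in the format above and derives the RFC 6238 code with oathtool's defaults (HMAC-SHA1, 30-second step, 6 digits, base32 secret). The entry, account and secret are constructed sample data; the secret is the RFC 6238 test key.

```python
"""Parse a `pass` entry in the layout used above and compute its TOTP code.

`oathtool -b --totp <secret>` uses RFC 6238 defaults: HMAC-SHA1, 30-second
time step, 6 digits, base32-encoded secret. This reimplements exactly that,
so the result can be checked against the script's output."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# Constructed sample entry (not a real account or secret); the base32 string is
# the RFC 6238 test key "12345678901234567890".
SAMPLE_ENTRY = """hunter2-not-a-real-password
login: alice
url: https://example.com/login
totp: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
"""


def parse_entry(text: str) -> Dict[str, str]:
    """First line is the password; following lines are `key: value` fields.

    Keys are matched at the start of a line only, so a password or URL that
    happens to contain "login:" is never mistaken for a field."""
    lines = text.splitlines()
    entry = {"password": lines[0] if lines else ""}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or not key or " " in key:
            continue  # free-form note, not a field
        entry[key.lower()] = value.strip()
    return entry


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP from a base32 secret (what `oathtool -b --totp` prints)."""
    # oathtool accepts lowercase and unpadded base32; normalise both
    normalized = secret_b32.strip().replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)
    key = base64.b32decode(normalized)
    counter = int(time.time() if at is None else at) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def code_for_entry(text: str, at: Optional[int] = None) -> Optional[str]:
    """Current OTP for an entry, or None when it has no `totp:` field."""
    secret = parse_entry(text).get("totp")
    return totp(secret, at) if secret else None


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print(e["login"], e["url"])
    print("OTP now:", code_for_entry(SAMPLE_ENTRY))
```

Passing a fixed `at` timestamp reproduces the RFC 6238 reference values, which is a quick way to confirm that the secret stored in the entry is the one your provider expects.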
Most people don’t think much of them, but some technologists have started to pay more attention to them because of how the technology behind them works. Earlier this year French developer David Libeau said users and developers were often unaware of how their apps emitted data to the U.S. tech giants via push notifications, calling them “a privacy nightmare”:
Push notification is a subscription-based system. Your smartphone subscribes to a channel, and everything needs to go through the smartphone constructor’s servers. By « constructor’s server », I actually mean Apple if you have an iPhone or Google if you have an Android phone.
When the app wants to send a push notification even when it is closed, it is the app’s server that triggers a notification by sending the information to the smartphone constructor’s servers. So potentially, Apple or Google could read your push notifications, or at least know that you are receiving data from an app.
That gives, according to Wyden’s letter, the two companies unique insight into the traffic flowing from those apps to their users, and in turn puts them “in a unique position to facilitate government surveillance of how users are using particular apps”. For this reason Wyden asked the Department of Justice to “repeal or modify any policies” that hindered public discussions of push notification spying.
Meanwhile, several companies that have made privacy their core business are starting to remove from their applications any features that use push notification services provided by Google or Apple.
For example, Tuta, a provider of secure email services, recently released a version of its app based on its own push notification server:
GCM (or, as it’s now called, FCM, Firebase Cloud Messaging) is a service owned by Google. We at Tuta used FCM for our old Android app. Unfortunately, FCM includes Google’s tracking code for analytics, which we didn’t want to have in our secure app.
And, even more importantly: to be able to use FCM, you have to send all your notification data to Google, which should be a no-go for any secure email service. You also have to use their proprietary libraries. Because of the privacy and security concerns that naturally go along with this, we did not send any information along with the notification messages in the old app (which, understandably, led to complaints from our users). Therefore, the push notification in the old Android app only mentioned that you received a new message, without any reference to the email itself or to the mailbox the message had been placed in.
FCM is quite convenient to use, and over the years Google has made changes to Android that made it harder not to use their service for notifications. On the other hand, giving up Google’s notification service would free us from requiring our users to have Google Play Services on their phones.

The challenge to replace Google’s FCM
The Tuta apps are Libre software, and we want to provide a true open source alternative to Gmail, which to us includes publishing our Android app on F-Droid. We wanted our users to be able to use Tuta on every ROM and every device, without the interference of a third-party service like Google.
We decided to take on the challenge and to build our own push notification service.
[…]
We did some research on how others (Signal, Wire, Conversations, Riot, Facebook, Mastodon) have been solving similar problems. We had several options in mind, including WebSockets, MQTT, Server-Sent Events and HTTP/2 Server Push.

Replacing FCM with SSE
We settled on the SSE (Server Sent Events) because it seemed like a simple solution. By that I mean “easy to implement, easy to debug”.
The LitterDrifter worm stands out for two main characteristics: its automatic spread via connected USB drives and communication with the threat actor’s command and control (C&C) servers. It is suspected to be an evolution of a PowerShell-based USB worm previously disclosed by Symantec in June 2023. Written in VBS, the propagation module is responsible for distributing the worm as a hidden file on a USB drive along with a deceptive LNK shortcut assigned random names.
Gamaredon’s approach to C&C servers is rather unique, using domains as placeholders for circulating IP addresses that are actually used as C2 servers. LitterDrifter is also capable of connecting to a C&C server retrieved from a Telegram channel, a tactic repeatedly employed since the beginning of the year. Symantec has detected signs of possible infections outside Ukraine, with VirusTotal submissions from the United States, Vietnam, Chile, Poland, Germany, and Hong Kong.
Gamaredon has been active throughout this year, continuously evolving its attack methods. In July 2023, the adversary’s rapid data exfiltration capabilities came to light, with sensitive information transferred within an hour of the initial compromise. “It’s clear that the LitterDrifter worm is designed to support a large-scale collection operation, and Gamaredon is an active part of it,” the company concluded. “It leverages simple yet effective techniques to target the widest possible range of objectives in the region.”
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Gamaredon Group has registered multiple domains to facilitate payload staging and C2.
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Gamaredon Group has used HTTP and HTTPS for C2 communications.
Enterprise | T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.
Enterprise | T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Gamaredon Group has used obfuscated PowerShell scripts for staging.
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group’s backdoor malware has also been written to a batch file.
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.
Enterprise | T1485 | Data Destruction | Gamaredon Group has used tools to delete files and folders from victims’ desktops and profiles.
Enterprise | T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.
Enterprise | T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.
Enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.
Enterprise | T1491.001 | Defacement: Internal Defacement | Gamaredon Group has left taunting images and messages on the victims’ desktops as proof of system access.
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.
Enterprise | T1568 | Dynamic Resolution | Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.
Enterprise | T1041 | Exfiltration Over C2 Channel | A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.
Enterprise | T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Gamaredon Group has used hidcon to run batch files in a hidden console window.
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.
Enterprise | T1070.004 | Indicator Removal: File Deletion | Gamaredon Group tools can delete files used during an operation.
Enterprise | T1105 | Ingress Tool Transfer | Gamaredon Group has downloaded additional malware and tools onto a compromised host.
Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.
Enterprise | T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Gamaredon Group has used legitimate process names to hide malware including svchosst.
Enterprise | T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing the registry values `HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings` and `HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM`.
Enterprise | T1106 | Native API | Gamaredon Group malware has used CreateProcess to launch additional malicious components.
Enterprise | T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Gamaredon Group has obfuscated .NET executables by inserting junk code.
Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.
Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | Gamaredon Group has used obfuscated or encrypted scripts.
Enterprise | T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group’s previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.
Enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.
Enterprise | T1057 | Process Discovery | Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.
Enterprise | T1021.005 | Remote Services: VNC | Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.
Enterprise | T1113 | Screen Capture | Gamaredon Group’s malware can take screenshots of the compromised computer every minute.
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Gamaredon Group has registered domains to stage payloads.
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Gamaredon Group has used mshta.exe to execute malicious HTA files.
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | Gamaredon Group malware has used rundll32 to launch additional malicious components.
Enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim’s computer name and drive serial numbers to send to a C2 server.
Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`.
Enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim’s username to send to a C2 server.
Enterprise | T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.
Enterprise | T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.[10] Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.
Enterprise | T1204.002 | User Execution: Malicious File | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.
Enterprise | T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group’s .NET executable on the compromised system.
Enterprise | T1047 | Windows Management Instrumentation | Gamaredon Group has used WMI to execute scripts used for discovery.
Given Google’s prominent role in the advertising business, where the bulk of its revenue is generated, it can be challenging to reconcile the idea of data collection with the desire for carefully controlled information. In this article, I’d like to delve into some reflections on privacy concerning Android phones and share some suggestions on how to fortify it.
Rooting Android phones can significantly compromise security, as it undermines the entire Android security model. This poses a threat to privacy, especially in the event of an exploit taking advantage of weakened security. Common rooting methods involve tampering with the boot partition, making successful Verified Boot impossible. Apps that demand root access also modify the system partition, keeping Verified Boot disabled. Having root exposed in the user interface expands the attack surface, potentially aiding in privilege escalation vulnerabilities and SELinux policy bypasses.
For instance, Adblockers such as AdAway, which modifies the hosts file, and firewalls like AFWall+, requiring root access persistently, are deemed unsafe and should be avoided. Instead, I recommend steering clear of these methods and opting for encrypted DNS blocking solutions like NextDNS or a custom solution using Cloudflare to enhance security without compromising the integrity of the Android system.
Using an end-of-life version of Android poses a significant security risk, as it not only denies you crucial operating system security updates but also misses out on vital privacy enhancements. The importance of upgrading to newer Android versions is underscored by the example of the changes made around Android 10. Previously, apps with the `READ_PHONE_STATE` permission could access sensitive phone information like IMEI, MEID, or IMSI. With newer Android versions, such access is restricted to system apps provided by the OEM or Android distribution.
Firmware updates are critical for maintaining device security, but OEMs have support agreements to provide closed-source components for a limited period. For components relying on closed-source technologies, updates must come from manufacturers like Qualcomm and Samsung, who support their devices for 4 years and, in the case of Google’s Pixel, provide a minimum of 5 years of support (beginning with the Pixel 8 and 8 Pro, Pixel devices receive a minimum of 7 years of guaranteed security updates).
It’s crucial to purchase devices within an active support cycle, as cheaper products often have shorter support periods. Devices that reach end-of-life and are no longer supported by the System on Chip (SoC) manufacturer miss out on firmware updates, leaving security vulnerabilities unaddressed. Therefore, ensuring your device receives regular updates is essential for safeguarding against potential security issues.
Verified Boot plays a crucial role in fortifying the Android security model, acting as a bulwark against various threats like evil maid attacks, persistent malware, and preventing the downgrade of security updates through rollback protection.
With Android 10 and later versions, there’s a shift from full-disk encryption to more adaptable file-based encryption. This involves encrypting data with unique keys while leaving the operating system files unencrypted. Verified Boot becomes pivotal in this context by ensuring the integrity of these OS files, thwarting any attempts at tampering or malware installation by an adversary with physical access. Even if malware manages to exploit other system parts and gain elevated access, Verified Boot steps in to prevent and reverse changes to the system partition upon device reboot.
However, it’s worth noting that OEMs are only obligated to support Verified Boot on their stock Android distribution. Limited OEMs, such as Google, allow custom AVB key enrollment on their devices. On the flip side, some AOSP derivatives like LineageOS or /e/ OS may lack Verified Boot support, even on hardware designed for third-party operating systems. To safeguard against this, it’s advisable to check for Verified Boot support before purchasing a new device. AOSP derivatives without Verified Boot support are not recommended. Additionally, some OEMs may have flawed implementations of Verified Boot, emphasizing the importance of scrutiny beyond marketing claims.
Source: NordVPN
Permissions on Android give users control over what apps can access, and Google extends this system in each new version. Below are some examples of the new permissions introduced between Android 10 and Android 14.

- Android 10: `ACCESS_BACKGROUND_LOCATION` permission. This new permission is a significant step towards tighter control over app access to device location, specifically when running in the background. Its introduction ensures that apps cannot access location data in the background without explicit permission from the user.
- Android 11:
- Android 12:
- Android 13: `BODY_SENSORS` permission: this change ensures that apps utilizing sensors in the background, such as those for fitness tracking or health monitoring, must explicitly request permission from the user.
- Android 14: `READ_MEDIA_IMAGES` or `READ_MEDIA_VIDEO`, first introduced in Android 13.

Some apps can request more permissions than they need, so whenever you’re installing a new app on your Android device, it’s crucial to check its permissions. Take a moment to see exactly what kind of access the app is requesting. If, for example, a seemingly innocent app like a wallpaper or game is asking for extensive permissions—like access to your accounts, SMS, microphone, location, or unlimited internet—that’s a red flag.
During installation, make sure to review the list of permissions displayed on the screen. Click on the ‘See Permissions’ link at the bottom of the app page for a more detailed view.
Octo Tempest generally relies on social engineering to obtain corporate account credentials. After making contact with an employee, particularly IT administrators, the cybercriminals request password changes or the installation of remote access tools. Alternatively, they may have procured credentials from the dark web, sent text message links to phishing sites, or conducted SIM swapping attacks.
Upon gaining entry, Octo Tempest commences the collection of information pertaining to corporate resources, including users, groups, devices, network architecture, backup systems, code repositories, cloud environments and servers amongst others. The attackers proceed by utilising different tools to increase privileges and obtain administrator permissions. They bypass security measures by disabling solutions and obstructing notifications related to changes. Persistence is maintained through manipulation of existing accounts or the installation of backdoors.
The final step consists of data theft and double extortion, in which BlackCat ransomware is installed, and ransom is demanded to avoid information disclosure. In some instances, cryptocurrency theft may also occur.
STAGE | Tactic ID | Technique Name
---|---|---
INITIAL ACCESS | TA0003 | Social Engineering
INITIAL ACCESS | TA0006 | Masquerading and Impersonation
DISCOVERY | TA0010 | Enumerating Internal Documentation
DISCOVERY | TA0016 | Continuing Environmental Reconnaissance
CREDENTIAL ACCESS, LATERAL MOVEMENT | TA0008 | Identifying Tier-0 Assets
CREDENTIAL ACCESS, LATERAL MOVEMENT | TA0011 | Accessing Enterprise Environments via VPN
CREDENTIAL ACCESS, LATERAL MOVEMENT | TA0012 | Collecting Additional Credentials
DEFENSE EVASION, EXECUTION | TA0015 | Leveraging EDR and Management Tooling
DEFENSE EVASION, EXECUTION | TA0018 | Circumventing Conditional Access
PERSISTENCE | TA0014 | Installing a Trusted Backdoor
PERSISTENCE | TA0021 | Manipulating Existing Accounts
PERSISTENCE | TA0040 | Establishing Access to Resources
ACTIONS ON OBJECTIVES | TA0013 | Staging and Exfiltrating Stolen Data
ACTIONS ON OBJECTIVES | TA0031 | Deploying BlackCat Ransomware
Courtesy of CrowdStrike
IoC | IoA |
---|---|
Artifacts that suggest a system has been breached. | Patterns of behavior that indicate that an attack is in progress. |
Based on known malicious activity. | Based on the tactics, techniques, and procedures used by attackers. |
Reactive | Proactive, and can identify potential threats before an attack. |
Always static, footprints don’t change over time. | Mostly based on cybercriminal movements that are dynamic. |
IoCs are used after an attack has been contained, when the organization requires information about the location, nature, and methods of the incident.
Examples, according to Kaspersky:
IoA focuses on attacks that are ongoing, active, and require an immediate response.
According to CrowdStrike: Indicators of attack (IOA) focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack.
In a nutshell:
Examples According to GBHackers on Security:
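As an added illustration of the IoC/IoA distinction in the table above, applied to the placeholder-domain and rotating-IP C2 pattern described in the Gamaredon section: the same DNS resolver log is checked once against a static known-bad list (IoC) and once for the rotation behaviour itself (IoA). This is example code written for this page, not from either report; the log lines, domains and addresses are constructed and are not real indicators.

```python
"""IoC versus IoA over the same DNS resolver log.

The IoC check is a static match against a list of known-bad domains. The IoA
check looks for the behaviour the text describes for Gamaredon's C2: a domain
used as a placeholder whose answers keep rotating through different IPs. The
log lines, domains and addresses below are constructed, not real indicators."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Record = Tuple[datetime, str, str, str]  # (timestamp, client, qname, answer)

SAMPLE_LOG = """\
2023-11-20T09:00:01 10.0.0.5 cdn.legit.example 198.51.100.7
2023-11-20T09:01:12 10.0.0.5 placeholder-a.example 203.0.113.10
2023-11-20T09:07:40 10.0.0.5 placeholder-a.example 203.0.113.22
2023-11-20T09:13:03 10.0.0.9 known-bad.example 203.0.113.99
2023-11-20T09:18:55 10.0.0.5 placeholder-a.example 203.0.113.31
2023-11-20T09:30:10 10.0.0.7 cdn.legit.example 198.51.100.7
2023-11-20T09:41:27 10.0.0.5 placeholder-a.example 203.0.113.44
2023-11-20T11:00:00 10.0.0.5 cdn.legit.example 198.51.100.8
"""

# IoC: static, only as good as the last feed update (constructed placeholder)
KNOWN_BAD_DOMAINS = {"known-bad.example"}


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, answer = line.split()
            records.append((datetime.fromisoformat(ts), client, qname.lower(), answer))
    return records


def ioc_matches(records: List[Record]) -> List[Tuple[datetime, str, str]]:
    """Exact matches against the known-bad list; misses anything unlisted."""
    return [(ts, client, q) for ts, client, q, _ in records if q in KNOWN_BAD_DOMAINS]


def ioa_rotating_domains(records: List[Record], window: timedelta = timedelta(hours=1),
                         min_ips: int = 3) -> Dict[str, List[str]]:
    """Domains whose answers cycle through >= min_ips distinct addresses inside
    `window`. Needs no prior knowledge of the domain, which is the IoA point:
    the placeholder domain changes, the rotation pattern does not."""
    by_domain: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, _, qname, answer in records:
        by_domain[qname].append((ts, answer))
    flagged = {}
    for qname, answers in by_domain.items():
        answers.sort()
        for i, (start, _) in enumerate(answers):  # sliding window from each answer
            seen: List[str] = []
            for ts, ip in answers[i:]:
                if ts - start > window:
                    break
                if ip not in seen:
                    seen.append(ip)
            if len(seen) >= min_ips:
                flagged[qname] = seen
                break
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IoC hits:", [q for _, _, q in ioc_matches(recs)])
    print("IoA hits:", ioa_rotating_domains(recs))
```

On the sample log the IoC check finds only the listed domain, while the IoA check flags the unlisted placeholder domain and ignores the CDN whose address changed once over two hours.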
Cybersecurity firm Red Sense collected some information on major ransomware groups this summer, and created this useful chart showing the main changes they made to their kill chains to stay in the top league.
Some highlights:
Analyzing the chart also gives a detailed look at the changes in the kill chains of some of the top-tier ransomware groups:
This is why I have always been fascinated by the possibility of reproducing a similar service using free tools, in particular the gateway functionality of Cloudflare’s Zero-Trust platform.
Zero-Trust Gateway does indeed allow you to create blocking rules at the DNS level, but it has a limitation that makes it difficult to use as an adblocker: the lists can only contain 1000 entries, whereas the blocking lists used by NextDNS can usually contain up to 100,000 domains.
So I tried to put together some Python code with the following goal
The result was lean enough to be packaged into a GitHub action to be run periodically to keep the lists up to date.
A first working draft is available on GitHub, and usage is quite simple. Create a Cloudflare API token with the following permissions:

- Account.Zero Trust: Edit
- Account.Account Firewall Access Rules: Edit
- Account.Access: Apps and Policies: Edit

Then set:

- `CF_IDENTIFIER` with your Account ID
- `CF_API_TOKEN` with the API Token
- `config.ini` with your preferred blocking lists

I hope it is useful!
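The core of the problem described above is fitting a large blocklist into Gateway lists of at most 1000 entries and keeping them current on a schedule. The following added Python example (written for this page, not the code from the GitHub project) parses hosts-style and adblock-style sources, de-duplicates them, splits them into 1000-entry lists and diffs the result against what is already in the account; the two sources are constructed samples, and the upload itself, which needs the Cloudflare API, is left out.

```python
"""Turn hosts-style blocklists into Cloudflare Gateway-sized lists.

Gateway lists hold at most 1000 entries, so a 100k-domain source has to be
parsed, normalised, de-duplicated and split into many lists, and a periodic
job (the GitHub Action the text mentions) should only touch lists that
changed. The sources below are constructed samples, not real blocklists."""
from typing import Dict, Iterator, List

LIST_LIMIT = 1000  # per-list entry cap mentioned in the text

SOURCES: Dict[str, str] = {
    "hosts-style": """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.tracker.example
0.0.0.0 ADS.TRACKER.EXAMPLE   # same domain, different case
0.0.0.0 metrics.tracker.example
""",
    "domain-style": """\
telemetry.vendor.example
||banner.network.example^
""",
}

LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
HOSTS_SINKS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def extract_domains(text: str) -> Iterator[str]:
    """Yield lowercase domains from hosts, plain-domain or adblock (||d^) lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        token = parts[1] if len(parts) >= 2 and parts[0] in HOSTS_SINKS else parts[0]
        token = token.lstrip("|").rstrip("^").lower().strip(".")
        if token in LOCAL_NAMES or "." not in token:
            continue
        yield token


def build_blocklist(sources: Dict[str, str]) -> List[str]:
    """Merge all sources, keeping first-seen order and dropping duplicates."""
    seen, ordered = set(), []
    for text in sources.values():
        for domain in extract_domains(text):
            if domain not in seen:
                seen.add(domain)
                ordered.append(domain)
    return ordered


def chunk_lists(domains: List[str], prefix: str = "adblock",
                limit: int = LIST_LIMIT) -> Dict[str, List[str]]:
    """Split into named lists of at most `limit` entries: adblock-001, ..."""
    return {f"{prefix}-{i // limit + 1:03d}": domains[i:i + limit]
            for i in range(0, len(domains), limit)}


def plan_updates(existing: Dict[str, List[str]],
                 desired: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Diff the lists already in the account against the freshly built ones so
    a scheduled run only creates, rewrites or removes what actually changed."""
    return {
        "create": sorted(n for n in desired if n not in existing),
        "update": sorted(n for n in desired if n in existing and existing[n] != desired[n]),
        "delete": sorted(n for n in existing if n not in desired),
    }


if __name__ == "__main__":
    lists = chunk_lists(build_blocklist(SOURCES))
    for name, entries in lists.items():
        print(name, len(entries), "entries")
```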
It gained notoriety after announcing that it had breached Sony:
The singular attribute that separates this group from other ransomware groups is its threat to take legal action against victims for violating the General Data Protection Regulation (GDPR), although the rationale behind this threat remains unclear:
The group refers to the ransom demand as a “digital tax for peace”, indicating that their actions are driven by a desire to fight for a greater cause. However, as mentioned in an interview provided to DailyDarkWeb:
- What are the primary motivations behind your attacks? Is it for financial gain, ideological reasons, or something else?
- Financial gain and sometimes political reason.
URL | Type | Status |
---|---|---|
http://f6amq3izzsgtna4vw24rpyhy3ofwazlgex2zqdssavevvkklmtudxjad.onion | Leak Site | Online |
https://twitter.com/RansomedVC | X account | Suspended |
https://t.me/Ransomed2 | Telegram channel | Online |
Cybersecurity researchers from ESET have discovered a previously undocumented advanced backdoor called Deadglyph, employed by the Stealth Falcon threat actor in cyber-espionage campaigns against a government agency in the Middle East.
Deadglyph’s architecture is unusual as it consists of cooperating components – one a native x64 binary and the other a .NET assembly.
This unique combination is believed to be a deliberate strategy to obfuscate and complicate analysis. The backdoor employs multiple evasion techniques to avoid detection, including a homoglyph attack impersonating Microsoft in the Registry shellcode loader’s VERSIONINFO resource.
The malware is modular, allowing the threat actors to create new modules as needed to tailor attacks and perform additional malicious functionality. Traditional backdoor commands are implemented via dynamically loaded .NET assemblies, further complicating analysis.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Stealth Falcon has registered domains for C&C servers and to obtain a code-signing certificate. |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Stealth Falcon has used VPS hosting providers for C&C servers. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Stealth Falcon has developed custom malware, including custom loaders and the Deadglyph backdoor. |
| Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | Stealth Falcon has obtained a code-signing certificate. |
| Execution | T1047 | Windows Management Instrumentation | Deadglyph uses WMI to execute its loading chain. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The shellcode downloader uses cmd.exe to delete itself. |
| Execution | T1106 | Native API | A Deadglyph module uses the CreateProcessW and CreateProcessAsUserW API functions for execution. |
| Execution | T1204.002 | User Execution: Malicious File | The shellcode downloader chain requires the user to double-click and execute it. |
| Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | The initial Deadglyph loader is persisted using a WMI event subscription. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Deadglyph components are encrypted. The Deadglyph Orchestrator and embedded modules are obfuscated with .NET Reactor. The shellcode downloader is obfuscated with ConfuserEx. |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion | Deadglyph can uninstall itself. The shellcode downloader chain deletes itself and deletes files in the WebDAV cache. |
| Defense Evasion | T1112 | Modify Registry | Deadglyph stores its configuration and encrypted payload in the registry. |
| Defense Evasion | T1134 | Access Token Manipulation | Deadglyph can impersonate another user. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Deadglyph decrypts encrypted strings. The shellcode downloader chain decrypts its components and configurations. |
| Defense Evasion | T1218.011 | System Binary Proxy Execution: Rundll32 | The initial Deadglyph loader is executed using rundll32.exe. |
| Defense Evasion | T1480.001 | Execution Guardrails: Environmental Keying | Deadglyph is encrypted using a machine-specific key derived from the system UUID. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | The shellcode downloader avoids AMSI scanning by patching clr.dll in memory. |
| Defense Evasion | T1620 | Reflective Code Loading | Deadglyph reflectively loads its modules using a custom PE loader. |
| Discovery | T1007 | System Service Discovery | A Deadglyph module discovers services using the WMI query SELECT * FROM Win32_Service. |
| Discovery | T1012 | Query Registry | The shellcode downloader chain queries the registry for the default browser. |
| Discovery | T1016 | System Network Configuration Discovery | A Deadglyph module discovers network adapters using the WMI queries SELECT * FROM Win32_NetworkAdapter and SELECT * FROM Win32_NetworkAdapterConfiguration where InterfaceIndex=%d. |
| Discovery | T1033 | System Owner/User Discovery | A Deadglyph module discovers users with the WMI query SELECT * FROM Win32_UserAccount. |
| Discovery | T1057 | Process Discovery | A Deadglyph module discovers processes using the WMI query SELECT * FROM Win32_Process. |
| Discovery | T1082 | System Information Discovery | A Deadglyph module discovers system information such as OS version, drives, environment variables, and drivers using WMI queries. |
| Discovery | T1518 | Software Discovery | A Deadglyph module discovers installed software using the WMI query SELECT * FROM Win32_Product. |
| Discovery | T1518.001 | Software Discovery: Security Software Discovery | A Deadglyph module discovers security software using the WMI queries SELECT * FROM AntiVirusProduct, SELECT * FROM AntiSpywareProduct and SELECT * FROM FirewallProduct. The shellcode downloader chain checks running processes for a security solution. |
| Collection | T1005 | Data from Local System | Deadglyph has a module for reading files. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Deadglyph and the shellcode downloader communicate with the C&C server via HTTP. |
| Command and Control | T1090 | Proxy | Deadglyph and the shellcode downloader can use an HTTP proxy for C&C communication. |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Deadglyph uses AES to encrypt C&C communications. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Deadglyph uses the C&C channel for exfiltration. |
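The Discovery rows above name the exact WMI classes a Deadglyph module enumerates (Win32_Service, Win32_NetworkAdapter, Win32_UserAccount, Win32_Process, Win32_Product and the SecurityCenter product classes). Individually each query is ordinary; the signal is one process issuing several of them in quick succession. The block below is an added detection example written for this page, not ESET's rule set. It assumes a constructed, simplified log format (`<ISO time> image=<path> query="<WQL>"`), parses it, and flags any image that queried at least `threshold` distinct discovery classes inside a sliding time window. The log lines themselves are constructed.

```python
import re
from datetime import datetime, timedelta

# Discovery classes named in the ATT&CK table, keyed by lowercase name so that
# WQL case variations still map to one canonical class.
DISCOVERY_CLASSES = {
    c.lower(): c
    for c in (
        "Win32_Service", "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
        "Win32_UserAccount", "Win32_Process", "Win32_Product",
        "AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct",
    )
}

FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)
# Constructed log line shape (assumption): '<ISO time> image=<path> query="<WQL>"'.
LINE_RE = re.compile(r'^(\S+) image=(.+?) query="(.*)"$')

# Constructed sample log: one staging binary runs five discovery queries within
# seconds; a legitimate inventory agent runs two, hours apart.
LOG_LINES = r"""2023-09-22T10:01:03Z image=C:\Temp\update.exe query="SELECT * FROM Win32_Process"
2023-09-22T10:01:04Z image=C:\Temp\update.exe query="SELECT * FROM Win32_Service"
2023-09-22T10:01:05Z image=C:\Temp\update.exe query="SELECT * FROM AntiVirusProduct"
2023-09-22T10:01:06Z image=C:\Temp\update.exe query="SELECT * FROM Win32_UserAccount"
2023-09-22T10:01:07Z image=C:\Temp\update.exe query="SELECT * FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex=3"
2023-09-22T10:30:00Z image=C:\Windows\System32\wbem\WmiPrvSE.exe query="SELECT * FROM Win32_OperatingSystem"
2023-09-22T11:00:00Z image=C:\Program Files\Inventory\agent.exe query="SELECT * FROM Win32_Product"
2023-09-22T16:00:00Z image=C:\Program Files\Inventory\agent.exe query="SELECT * FROM Win32_Service"
"""


def wmi_class(query: str):
    """Return the canonical discovery class a WQL query targets, or None."""
    m = FROM_RE.search(query)
    return DISCOVERY_CLASSES.get(m.group(1).lower()) if m else None


def parse_log(text: str) -> list:
    """Turn constructed log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, image, query = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "image": image, "query": query})
    return events


def flag_discovery_bursts(events: list, threshold: int = 4, window_minutes: int = 5) -> dict:
    """Map image -> sorted discovery classes for every process that queried at
    least `threshold` distinct discovery classes inside one `window_minutes` span."""
    window = timedelta(minutes=window_minutes)
    per_image = {}
    for ev in events:
        cls = wmi_class(ev["query"])
        if cls:
            per_image.setdefault(ev["image"], []).append((ev["time"], cls))
    flagged = {}
    for image, items in per_image.items():
        items.sort()
        best, start = set(), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            seen = {c for _, c in items[start:end + 1]}
            if len(seen) >= threshold and len(seen) > len(best):
                best = seen
        if best:
            flagged[image] = sorted(best)
    return flagged


if __name__ == "__main__":
    for image, classes in flag_discovery_bursts(parse_log(LOG_LINES)).items():
        print(f"{image}: {', '.join(classes)}")
```

The threshold and window are tuning knobs: the inventory agent in the sample is not flagged with the defaults because its two queries are hours apart, but the same function with a six-hour window and a threshold of two would surface it, which is the usual trade-off between catching a slow actor and drowning in inventory noise.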
| Type | SHA1/Domain/IP |
|---|---|
| SHA-1 | C40F1F46D230A85F702DAA38CFA18D60481EA6C2 |
| SHA-1 | 740D308565E215EB9B235CC5B720142428F540DB |
| SHA-1 | 1805568D8362A379AF09FD70D3406C6B654F189F |
| SHA-1 | 9CB373B2643C2B7F93862D2682A0D2150C7AEC7E |
| SHA-1 | F47CB40F6C2B303308D9D705F8CAD707B9C39FA5 |
| SHA-1 | 3D4D9C9F2A5ACEFF9E45538F5EBE723ACAF83E32 |
| SHA-1 | 3D2ACCEA98DBDF95F0543B7C1E8A055020E74960 |
| SHA-1 | 4E3018E4FD27587BD1C566930AE24442769D16F0 |
| SHA-1 | 7F728D490ED6EA64A7644049914A7F2A0E563969 |
| Domain | chessandlinkss[.]com |
| Domain | easymathpath[.]com |
| Domain | joinushealth[.]com |
| IP | 135.125.78[.]187 |
| IP | 45.14.227[.]55 |
| IP | 185.25.50[.]60 |
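The indicators above are published defanged (`[.]`) and mixed in one list, so the first thing a responder does is refang them, sort them by type and sweep them across DNS, proxy and file-hash telemetry. The block below is an added example written for this page, not ESET's or any vendor's tooling: `load_iocs` classifies the list by shape (40 hex characters, dotted quad, otherwise domain), and `scan_log` runs it over constructed `key=value` log lines, stripping ports from proxy destinations and matching subdomains of a listed domain. The indicator values are the ones in the table; the log lines are constructed.

```python
import re

# Indicators as published in the table above, copied verbatim in defanged form.
IOC_TEXT = """
C40F1F46D230A85F702DAA38CFA18D60481EA6C2
740D308565E215EB9B235CC5B720142428F540DB
1805568D8362A379AF09FD70D3406C6B654F189F
9CB373B2643C2B7F93862D2682A0D2150C7AEC7E
F47CB40F6C2B303308D9D705F8CAD707B9C39FA5
3D4D9C9F2A5ACEFF9E45538F5EBE723ACAF83E32
3D2ACCEA98DBDF95F0543B7C1E8A055020E74960
4E3018E4FD27587BD1C566930AE24442769D16F0
7F728D490ED6EA64A7644049914A7F2A0E563969
chessandlinkss[.]com
easymathpath[.]com
joinushealth[.]com
135.125.78[.]187
45.14.227[.]55
185.25.50[.]60
"""

# Constructed sample telemetry: DNS, proxy and file-inventory records as key=value pairs.
LOG_TEXT = r"""2023-09-25T08:12:44Z dns client=10.0.0.23 query=easymathpath.com
2023-09-25T08:13:01Z proxy client=10.0.0.23 dst=135.125.78.187:443
2023-09-25T08:14:10Z file host=WS-17 sha1=c40f1f46d230a85f702daa38cfa18d60481ea6c2 path=C:\Users\alice\AppData\Local\Temp\setup.exe
2023-09-25T08:15:00Z dns client=10.0.0.9 query=www.example.com
2023-09-25T08:16:30Z dns client=10.0.0.9 query=cdn.joinushealth.com.
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HOST_PORT_RE = re.compile(r"^[^:]+:\d+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value: str) -> str:
    """Undo the '[.]' defanging used in published indicator lists."""
    return value.replace("[.]", ".")


def load_iocs(text: str) -> dict:
    """Bucket indicators by shape: {'sha1': set, 'ip': set, 'domain': set} (all lowercase)."""
    iocs = {"sha1": set(), "ip": set(), "domain": set()}
    for raw in text.split():
        v = refang(raw).lower()
        if SHA1_RE.match(v):
            iocs["sha1"].add(v)
        elif IPV4_RE.match(v):
            iocs["ip"].add(v)
        else:
            iocs["domain"].add(v)
    return iocs


def match_value(iocs: dict, value: str):
    """Return (type, indicator) if a log field value matches, else None.
    Handles host:port destinations, trailing dots and subdomains of a listed domain."""
    v = value.lower().rstrip(".")
    if v in iocs["sha1"]:
        return ("sha1", v)
    host = v.rsplit(":", 1)[0] if HOST_PORT_RE.match(v) else v
    if host in iocs["ip"]:
        return ("ip", host)
    for domain in iocs["domain"]:
        if host == domain or host.endswith("." + domain):
            return ("domain", domain)
    return None


def scan_log(iocs: dict, text: str) -> list:
    """Return (line_index, field, type, indicator) for every matching field."""
    hits = []
    for idx, line in enumerate(text.splitlines()):
        for key, value in KV_RE.findall(line):
            m = match_value(iocs, value)
            if m:
                hits.append((idx, key, m[0], m[1]))
    return hits


if __name__ == "__main__":
    for hit in scan_log(load_iocs(IOC_TEXT), LOG_TEXT):
        print(hit)
```

The subdomain rule is what makes the last sample line fire: the observed name is `cdn.joinushealth.com.`, which an exact-match sweep would miss, while the ordinary `www.example.com` lookup and the internal client addresses stay silent.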