CVE-2021-38934

Read Time:15 Second

IBM Engineering Test Management 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 210671.

Read More

CVE-2020-26938

Read Time:22 Second

In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern (“[a-zA-Z][a-zA-Z0-9+.-]+:”) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.

Read More

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users

Read Time:5 Minute, 39 Second

Authored by Oliver Devane and Vallabh Chole 

A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000

The extensions offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. The latter borrows several phrases from another popular extension called GoFullPage 

Apart from offering the intended functionality, the extensions also track the user’s browsing activity.  Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.    

The users of the extensions are unaware of this functionality and the privacy risk of every site being visited being sent to the servers of the extension authors.  

The 5 extensions are  

Name 
Extension ID 
Users 

Netflix Party 
mmnbenehknklpbendgmgngeaignppnbe 
800,000 

Netflix Party 2 

flijfnhifgdcbhglkneplegafminjnhn 
300,000 

FlipShope – Price Tracker Extension 

 

adikhbfjdbjkhelbdnffogkobkekkkej 
80,000 

Full Page Screenshot Capture – Screenshotting 

 

pojgkmkfincpdkdgjepkmdekcahmckjp 
200,000 

AutoBuy Flash Sales 
gbnahglfafmhaehbdmjedfhdmimjcbed 
20,000 

 

Technical Analysis 

This section contains the technical analysis of the malicious chrome extension ‘mmnbenehknklpbendgmgngeaignppnbe’. All 5 extensions perform similar behavior.   

Manifest.json 

 

The manifest.json sets the background page as bg.html. This HTML file loads b0.js and this is responsible for sending the URL being visited and injecting code into the eCommerce sites. 

B0.js 

The b0.js script contains many functions. This blog will focus on the functions which are responsible for sending the visited URLs to the server and processing the response.  

Chrome extensions work by subscribing to events which they then use as triggers to perform a certain activity. The extensions analyzed subscribe to events coming from chrome.tabs.onUpdated. chrome.tabs.onUpdated will trigger when a user navigates to a new URL within a tab.

Once this event triggers, the extension will set a variable called curl with the URL of the tab by using the tab.url variable. It creates several other variables which are then sent to d.langhort.com. The POST data is in the following format:

Variable 
Description 

Ref 
Base64 encoded referral URL 

County 
The county of the device 

City 
The city of the device 

Zip 
The zip code of the device 

Apisend 
A random ID generated for the user. 

Name 
Base64 encoded URL being visited 

ext_name 
The name of the chrome extensions 

 

The random ID is created by selecting 8 random characters in a character set. The code is shown below: 

The country, city, and zip are gathered using ip-api.com. The code is shown below: 

Upon receiving the URL, langhort.com will check if it matches a list of websites that it has an affiliate ID for, and If it does, it will respond to the query. An example of this is shown below: 

The data returned is in JSON format. The response is checked using the function below and will invoke further functions depending on what the response contains. 

Two of the functions are detailed below: 

Result[‘c’] – passf_url 

If the result is ‘c’ such as the one in this blog, the extension will query the returned URL. It will then check the response and if the status is 200 or 404, it will check if the query responded with a URL. If it did, it would insert the URL that is received from the server as an Iframe on the website being visited.  

Result[‘e’] setCookie 

If the result is ‘e’, the extension would insert the result as a cookie. We were unable to find a response of ‘e’ during our analysis, but this would enable the authors to add any cookie to any website as the extensions had the correct ‘cookie’ permissions.  

Behavioral flow 

The images below show the step-by-step flow of events while navigating to the BestBuy website.  

The user navigates to bestbuy.com and the extension posts this URL in a Base64 format to d.langhort.com/chrome/TrackData/ 
Langhort.com responds with “c” and the URL. The “c” means the extension will invoke the function passf_url() 
passf_url() will perform a request against the URL 
the URL queried in step 3 is redirected using a 301 response to bestbuy.com with an affiliate ID associated with the Extension owners 
The extension will insert the URL as an Iframe in the bestbuy.com site being visited by the user 
Shows the Cookie being set for the Affiliate ID associated with the Extension owners. They will now receive a commission for any purchases made on bestbuy.com  

Here is a video of the events 

Time delay to avoid automated analysis 

We discovered an interesting trick in a few of the extensions that would prevent malicious activity from being identified in automated analysis environments. They contained a time check before they would perform any malicious activity. This was done by checking if the current date is > 15 days from the time of installation.  

Conclusion  

This blog highlights the risk of installing extensions, even those that have a large install base as they can still contain malicious code.  

McAfee advises its customers to be cautious when installing Chrome extensions and pay attention to the permissions that they are requesting.   

The permissions will be shown by Chrome before the installation of the extension. Customers should take extra steps to verify the authenticity if the extension is requesting permissions that enable it to run on every website you visit such as the one detailed in this blog  

McAfee customers are protected against the malicious sites detailed in this blog as they are blocked with McAfee WebAdvisor as shown below.   

The Malicious code within the extension is detected as JTI/Suspect. Please perform a ‘Full’ scan via the product.  

Type 
Value 
Product 
Detected 

Chrome Extension 
Netflix Party – mmnbenehknklpbendgmgngeaignppnbe 
Total Protection and LiveSafe 
JTI/Suspect 

Chrome Extension 
FlipShope – Price Tracker Extension – adikhbfjdbjkhelbdnffogkobkekkkej 
Total Protection and LiveSafe 
JTI/Suspect 

Chrome Extension 
Full Page Screenshot Capture 

pojgkmkfincpdkdgjepkmdekcahmckjp 

Total Protection and LiveSafe 
JTI/Suspect 

Chrome Extension 
Netflix Party 2 – flijfnhifgdcbhglkneplegafminjnhn 
Total Protection and LiveSafe 
JTI/Suspect 

Chrome Extension 
AutoBuy Flash Sales  gbnahglfafmhaehbdmjedfhdmimjcbed 
Total Protection and LiveSafe 
JTI/Suspect 

URL 
www.netflixparty1.com 
McAfee WebAdvisor 
Blocked 

URL 
netflixpartyplus.com 
McAfee WebAdvisor 
Blocked 

URL 
flipshope.com 
McAfee WebAdvisor 
Blocked 

URL 
goscreenshotting.com 
McAfee WebAdvisor 
Blocked 

URL 
langhort.com 
McAfee WebAdvisor 
Blocked 

URL 
Unscart.in 
McAfee WebAdvisor 
Blocked 

URL 
autobuyapp.com 
McAfee WebAdvisor 
Blocked 

The post Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users appeared first on McAfee Blog.

Read More

Levels of Assurance for DoD Microelectronics

Read Time:37 Second

The NSA has has published criteria for evaluating levels of assurance required for DoD microelectronics.

The introductory report in a DoD microelectronics series outlines the process for determining levels of hardware assurance for systems and custom microelectronic components, which include application-specific integrated circuits (ASICs), field programmable gate arrays (FPGAs) and other devices containing reprogrammable digital logic.

The levels of hardware assurance are determined by the national impact caused by failure or subversion of the top-level system and the criticality of the component to that top-level system. The guidance helps programs acquire a better understanding of their system and components so that they can effectively mitigate against threats.

The report was published last month, but I only just noticed it.

Read More

Facebook agrees to settle class action lawsuit related to Cambridge Analytica data breach

Read Time:41 Second

Facebook parent Meta Platforms agreed Friday to settle a class action lawsuit seeking damages for allowing British political consulting firm Cambridge Analytica access to the private data of tens of millions of Facebook users. The settlement will spare CEO Marc Zuckerberg an embarrassing court appearance to defend his company.

Lawyers acting for the plaintiffs and for Facebook filed a joint request with the US District Court for the Northern District of California on Friday, asking the judge to put the class action on hold for sixty days while the two parties finalized a written settlement for an as-yet undisclosed amount. The high profile lawsuit has been running for over four years and claims that Facebook shared data of millions of US voters with Cambridge Analytica.

To read this article in full, please click here

Read More

Crypto miners’ latest techniques

Read Time:8 Minute, 57 Second

Executive summary

Crypto miners are determined in their objective of mining in other people’s resources. Proof of this is one of the latest samples identified with AT&T Alien Labs, with at least 100 different loaders and at least 4 different stages to ensure their miner and backdoor run smoothly in the infected systems.

Key takeaways:

Attackers have been sending malicious attachments, with a special emphasis on Mexican institutions and citizens.
The techniques observed in these samples are known but still effective to keep infecting victims with their miners. Reviewing them assists in reminding defenders the current trends and how to improve their defenses.
The wide variety of loaders in conjunction with the staged delivery of the miner and backdoor malwares, shows how determined the attackers are to successfully deliver their payloads.

Analysis

Crypto miners have been present in the threat landscape for some years, since an attacker identified the opportunity of leveraging victim’s CPUs to mine cryptocurrencies for them. Despite the current rough patch in the world of cryptocurrencies, these miners are still present and will be in the foreseeable future.

As seen in the current analysis, unlike IoT malwares, which also attempt to reach the biggest number of infected devices as possible, these miners  target victims through phishing samples. The techniques used by these malwares are usually focused on reaching execution, avoiding detection to run under the radar and gaining persistence to survive any reboot.

A new miner sample showed up in April on AT&T Alien Labs radar, with a wide range of different loaders aiming to execute it in infected systems up to this day. The loaders were initially delivered to the victims through an executable disguised like a spreadsheet. For example, one of the samples (fd5131645025e199caa142c12cef34b344437a0f58306f9b66c35d32618665ba) carries a Microsoft Excel icon, but its file extension corresponds to an executable.

A wide range of decoy documents were found associated with this miner, many of them associated with Mexican civilians: exam results, dentist results, Mexican Governmental documents, Mexican Social Security, Tax returns, etc. Figure 1 corresponds to one of the spreadsheets observed. The campaign identified in this report materialized most of its attacks during the second half of June 2022. For example, the mentioned file above was compiled in late May 2022 and was first observed in the wild a month after, on June 20, 2022.

Figure 1. Decoy spreadsheet ‘ppercepciones anuales.xlsx’.

At the time of execution, the first activities performed are registry changes to cloak the malware samples. For example, by setting ‘HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHideFileExt’ to 1, the attackers are hiding the file extensions and camouflaging the executables as documents. Additionally, the registry key ‘HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden’ is set to 0 to avoid displaying in explorer the hidden files dropped during execution. Finally ‘ HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystemConsentPromptBehaviorAdmin’ is set to 0 in order to execute any future samples with elevated privileges without explicit consent in the form of a pop up or inserting credentials.

The initial payload drops another executable file while opening the spreadsheet in Figure 1. This additional executable attempts to look like a legitimate executable. It is named ‘CmRccService.exe’ and has the same filename as the metadata associated with the product’s name, description and comments. It is probably an attempt to masquerade the process by making it similar to the legitimate Microsoft process ‘CmRcService.exe’ (Configuration Manager Remote Control Service) (T1036.004). However, the legitimate files owned by Microsoft would have been signed with Microsoft certificate, which is not the case for these files – which have not been signed at all.

Pivoting by this indicator, returns over a hundred different samples that have been created and delivered during the last three months, most of them in the last weeks. In addition to the product name ‘CmRccService.exe’, a similar decoy name was observed in this campaign ‘RegistryManager.exe’, which showed up in at least 6 different samples. The RegistryManager samples even carry a Copyright flag associated with Microsoft Corporation, lacking once again the corresponding file signature. These files are allocated under the folder ‘C:WindowsImmersiveControlPanel’ in an attempt to make the processes look as legitimate as possible.

Persistence of the whole process is attempted during the execution of ‘CmRccService.exe’. A new service is registered in the system (T1543.003), to be run with highest privileges each time the user logs on.

Figure 2. Persistence mechanism.

This loader reaches out to several domains hosting the payloads for next stages, configuration files and one-line commands to be executed.

One of these domains is ‘bekopgznpqe[.]is’. Initially created on February 22, 2022 with the name server 1984 Hosting Company, who offers domain names registration free of charge. However, since this behavior indicator makes the domain look suspicious to security companies, the domain was moved to Cloudflare on April 21 (a different nameserver with a better reputation due to its popularity and absence of free offerings). This technique has historically been used to improve the reputation of domains right before they are used during a campaign.

Additionally, the malware attempts to contact a supplemental domain ​​’dpwdpqshxux[.]ru,’ which does not yet resolve but was created on February 21, 2022, a day before ‘bekopgznpqe’ domain. There is no historical data of it ever resolving to any IP. For this reason, the domain is probably a backup plan, to be used if the first stops working.

The third and last domain identified during analysis did not follow the above pattern. The domain ‘2vkbjbpvqmoh[.]sh‘ was created in January 2022 in the Njalla name server, known and marketed as a great offering for ‘Privacy as a Service’ for domains and VPNs. After some time operating, the domain was marked for deletion in May 2022.

Before executing the third stage payload, Cmrcservice performs several modifications to the FireWall to allow inbound and outbound connections to the files it will drop afterwards. The executed command for these changes is ‘’C:WindowsSystem32cmd.exe’ /C powershell New-NetFirewallRule -DisplayName ‘RegistryManager’ -Direction Inbound -Program ‘C:WindowsImmersiveControlPanelRegistryManager.exe’ -Action Allow’.

Furthermore, the malware includes exclusions to the Microsoft Windows Defender for the folders from where the malware will be executing or the files it intends to execute (T1562). The command used for this purpose is ‘powershell.exe $path = ‘C:WindowsBrandingoidz.exe’ ; Add-MpPreference -ExclusionPath $path -Force’. The excluded folders and files include:

C:Users
C:Windows
C:WindowsTemp
C:WindowsImmersiveControlPanel
C:WindowsImmersiveControlPanelCmRccService.exe
C:WindowsBranding
C:WindowsBrandingumxn.exe
C:WindowsBrandingoidz.exe
C:WindowsHelpWindows
C:WindowsHelpWindowsMsMpEng.exe
C:WindowsIME

The third stage payload is formed by the ‘p.exe’ executable, which doesn’t hide its contents, since the file’s metadata claims the filename is ‘payload.exe’. During execution, p drops two additional files: ‘oidz.exe‘ and ‘umxn.exe’, which correspond to the final payloads. Figure 3 recaps the execution flow until this point.

[1]

Figure 3. Execution tree.

‘Oidz.exe‘ runs an infinite loop, as seen in Figure 4, that will reach out to the Command & Control (C&C) looking for new commands to execute. After execution, it includes a sleep command to separate the requests for additional commands as well as its executions. In other words, this executable corresponds to the backdoor installed in the system.

The commands to be executed are uploaded by the attackers to the C&C servers, and oidz reaches out to specific files in the server and executes them, allowing the attackers to maintain any payload updated or modify its capabilities (T1102.003). This file does not aim to be persistent in the system since the grandparent process ‘Cmrcservice.exe’ already is. The C&C servers list seen in Figure 5, has a first parameter corresponding to the command to execute, while the second parameter corresponds to the flag of the command to be executed. This list of domains corresponds to the one used previously by ‘CmRccService’.

Figure 4. Oidz infinite loop.

Figure 5. C&C list.

Finally, ‘umxn.exe’ corresponds to the crypto miner that will run with the configuration pulled from one of the C&C and stored in ‘%windir%HelpWindowsconfig.json’. All the other files were preparing the environment for the miner, avoiding issues with execution, network communications or enabling modifications during the execution with the backdoor.

Since it was first observed in April 2022, some of the executables have changed names or had some variations but have been excluded throughout the report to avoid confusion. The execution line in this report and observed in Figure 3 is the most common one observed. One of the most remarkable mentioned variations, include file ‘MsMpEng.exe’ or ‘McMpEng.exe’, which is an additional stage executed by ‘umxn.exe’. This sample claims in its PE metadata to be ‘Antimalware Service Executable’ to disguise its true nature.

Figure 6. MsMpEng.exe metadata.

Conclusion

AT&T Alien Labs has provided an overview on an ongoing crypto mining campaign that caught our eye due to the big number of loaders that have shown up during the month of June, as well as how staged the execution is for a simple malware like a miner. Alien Labs will continue to monitor this campaign and include all the current and future IOCs in the pulse in Appendix B.

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE

INDICATOR

DESCRIPTION

SHA256

fd5131645025e199caa142c12cef34b344437a0f58306f9b66c35d32618665ba

ppercepciones anuales.xlsx

SHA256

00ba928455d7d8a92e5aeed3146925086c2451501e63a0d8ee9b7cbaaf1007de

CmRccService.exe

SHA256

8f0dc8c5e23ee42209e222db5a8cf8ee6e5d10b5dde32db5937d4499deef0302

RegistryManager.exe

SHA256

f77522d8476969ae13f8823b62646a9f2cec187e2d0e55298389b8ced60dd0c8

p.exe

SHA256

ec4c48ac55139c6e4f94395aca253d54e9bbc864cc0741f8e051d31cd7545620

umxn.exe

SHA256

c0dc67bfcefa5a74905f0d3a684e7c3214c5b5ca118e942d2f0cc2f53c78e06c

oidz.exe

SHA256

18493e0492eb276af746e50dee626f4d6a9b0880f063ebb77d8f3b475669bf65

Sample miner configuration

DOMAIN

2vkbjbpvqmoh[.]sh

Malware and config server

DOMAIN

bekopgznpqe[.]is

Malware and config server

DOMAIN

dpwdpqshxux[.]ru

Unresolved domain

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

TA0001: Initial Access

T1566: Phishing

T1566.001: Spearphishing Attachment

TA0002: Execution

T1059: Command and Scripting Interpreter

T1059.001: PowerShell
T1059.003: Windows Command Shell

T1204: User Execution

T1204.002: Malicious File

T1569: System Services

T1569.002: Service Execution

TA0003: Persistence

T1543: Create or Modify System Process

T1543.003: Windows Service

TA0004: Privilege Escalation

T1543: Create or Modify System Process

T1543.003: Windows Service

TA0005: Defense Evasion

T1027: Obfuscated Files or Information

T1027.002: Software Packing

T1036: Masquerading

T1036.004: Masquerade Task or Service

T1562: Impair Defenses

T1562.001: Disable or Modify Tools
T1562.004: Disable or Modify System Firewall

TA0011: Command and Control

T1102: Web Service

T1102.003: One-Way Communication

TA0040: Impact

T1496: Resource Hijacking

TA0042: Resource Development

T1583: Acquire Infrastructure

T1583.006: Domains

[1]EXE icon by Icons8; Cog icon by Icons8; XLS icon by Icons8

Read More