
Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET Research

ESET researchers discovered a zero-day Telegram for Android exploit that allows sending malicious files disguised as videos.

ESET researchers discovered a zero-day exploit that targets Telegram for Android, which appeared for sale for an unspecified price in an underground forum post from June 6th, 2024. Using the exploit to abuse a vulnerability that we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and chats, and make them appear as multimedia files.

We were able to find an example of the exploit, allowing us to analyze it further and report it to Telegram on June 26th, 2024. On July 11th, they released an update that fixes the vulnerability in Telegram versions 10.14.5 and above.

Figure 1 is a video demonstration and explanation of the EvilVideo vulnerability.

Figure 1. Explanation of the EvilVideo vulnerability

Key points of the blogpost:

  • On June 26th, 2024, in an underground forum, we discovered an advertisement for a zero-day exploit that targets Telegram for Android.
  • We named the vulnerability it exploits EvilVideo and reported it to Telegram; their team patched it on July 11th, 2024.
  • EvilVideo allows attackers to send malicious payloads that appear as video files in unpatched Telegram for Android.
  • The exploit only works on Android Telegram versions 10.14.4 and older.

Discovery

We discovered the exploit being advertised for sale on an underground forum: see Figure 2.

Figure 2. Post on an underground forum

In the post, the seller shows screenshots and a video of testing the exploit in a public Telegram channel. We were able to identify the channel in question, with the exploit still available. That allowed us to get our hands on the payload and test it ourselves.

Analysis

Our analysis of the exploit revealed that it works on Telegram versions 10.14.4 and older. We speculate that the specific payload is most likely crafted using the Telegram API, since it allows developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically.

The exploit seems to rely on the threat actor being able to create a payload that displays an Android app as a multimedia preview and not as a binary attachment. Once shared in chat, the malicious payload appears as a 30-second video (Figure 3).

Figure 3. Example of the exploit

By default, media files received via Telegram are set to download automatically. This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared. The option can be disabled manually; in that case, the payload can still be downloaded by tapping the download button in the top left corner of the shared, apparent video, as seen in Figure 3.

If the user tries to play the “video”, Telegram displays a message that it is unable to play it and suggests using an external player (see Figure 4). This is an original Telegram warning we found in the source code of the legitimate Telegram for Android app; it is not crafted and pushed by the malicious payload.

Figure 4. Telegram warning that it can’t play the “video”

However, if the user taps the Open button in the displayed message, they will be asked to install a malicious app disguised as the aforementioned external player. As seen in Figure 5, before installation, Telegram will ask the user to enable the installation of unknown apps.

Figure 5. Telegram requests the user to allow it to install unknown apps

At this point, the malicious app in question has already been downloaded as the apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file appear to be a video: the actual malicious app was not altered to pose as a multimedia file, which suggests that the upload process was most likely exploited. The malicious app’s installation request can be seen in Figure 6.

Figure 6. Request to install the malicious payload, detected as Android/Spy.SpyMax.T after exploitation

Unfortunately, we were unable to replicate the exploit, only to examine and verify the sample shared by the seller.

Telegram Web and Desktop

Although the payload was made only to target Telegram for Android, we still tried to test its behavior on other Telegram clients. We tested both the Telegram Web client and the Telegram Desktop client for Windows; as expected, the exploit didn’t work on either of them.

In the case of Telegram Web, when we tried playing the “video”, the client displayed an error message saying to try opening the video with the desktop app instead (see Figure 7). Downloading the attached file manually revealed its name and extension to be Teating.mp4. While the file itself was actually an Android executable binary (APK), Telegram treating it as an MP4 file prevented the exploit from working: for it to be successful, the attachment would have needed to have the .apk extension.

A very similar thing happened with the Telegram Desktop client for Windows: the downloaded file was named Teating.apk.mp4, so it was once again an APK binary file with a .mp4 extension. This means that even if an attacker crafted a Windows executable to be used instead of the Android APK, it would still be treated as a multimedia file and the exploit wouldn’t work.

Figure 7. Error message from Telegram Web when triggering the exploit
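A defender-side check for the root cause described above and confirmed by the Web/Desktop test: decide what an attachment is from its bytes rather than from its name or the media type the message claims. This is an added example, not ESET’s or Telegram’s code; the filenames Teating.mp4 and Teating.apk.mp4 come from the article, the APK and MP4 byte strings are constructed stand-ins, and the finding and verdict labels are assumptions.

```python
import io
import zipfile

APK_MIME = "application/vnd.android.package-archive"
MP4_MIME = "video/mp4"
# Extensions that should never hide behind a media preview (assumed list).
EXECUTABLE_EXTS = {"apk", "exe", "msi", "dll", "bat", "cmd", "ps1", "sh"}


def sniff_container(data: bytes) -> str:
    """Identify the real container from its bytes, ignoring the filename."""
    # ISO base media file (MP4/MOV/3GP): 4-byte box size, then the literal 'ftyp'.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return MP4_MIME
    # ZIP local-file header; an APK is a ZIP carrying a manifest and Dalvik bytecode.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/octet-stream"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return APK_MIME
        return "application/zip"
    return "application/octet-stream"


def executable_extensions(filename: str) -> list:
    """Executable-looking extensions anywhere in the name: 'Teating.apk.mp4' -> ['apk']."""
    return [p for p in filename.lower().split(".")[1:] if p in EXECUTABLE_EXTS]


def assess_attachment(filename: str, declared: str, data: bytes) -> dict:
    """Compare the type the message claims with what the bytes really are."""
    actual = sniff_container(data)
    findings = []
    if declared.startswith(("video/", "audio/", "image/")) and actual == APK_MIME:
        findings.append("android-package-presented-as-media")
    elif actual != declared:
        findings.append("declared-type-mismatch")
    for ext in executable_extensions(filename):
        findings.append("executable-extension-in-name:" + ext)
    if any(f.startswith(("android-package", "executable-extension")) for f in findings):
        verdict = "block"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "declared": declared, "actual": actual,
            "findings": findings, "verdict": verdict}


def constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the two entries every APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed minimal MP4 header: box size 0x18, 'ftyp', major brand 'isom'.
CONSTRUCTED_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41"

if __name__ == "__main__":
    # The Android case (name says video, bytes say APK) and the two desktop names.
    for name in ("Teating.mp4", "Teating.apk.mp4"):
        print(assess_attachment(name, MP4_MIME, constructed_apk()))
    print(assess_attachment("clip.mp4", MP4_MIME, CONSTRUCTED_MP4))
```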

Threat actor

While we do not know much about the threat actor, we managed to find another shady service they are providing based on the Telegram handle the seller shared in their forum post. In addition to the exploit, they have been using the same underground forum to advertise an Android cryptor-as-a-service that they claim is fully undetectable (FUD) since January 11th, 2024. The forum post can be seen in Figure 8.

Figure 8. Underground forum post advertising an Android cryptor-as-a-service

Vulnerability report

After discovering the EvilVideo vulnerability on June 26th, 2024, we followed our coordinated disclosure policy and reported it to Telegram, but received no response at the time. We reported the vulnerability again on July 4th, and that time Telegram reached out to us the same day to confirm its team was investigating EvilVideo. They fixed the issue, shipping version 10.14.5 on July 11th, and informed us via email.

The vulnerability affected all versions of Telegram for Android up to 10.14.4, but has been patched as of version 10.14.5. As we verified, the chat multimedia preview now correctly displays that the shared file is an application (Figure 9) and not a video.

Figure 9. Telegram version 10.14.5 chat correctly displaying the nature of the shared binary file

Conclusion

We discovered a zero-day Telegram for Android exploit for sale on an underground forum. The vulnerability it exploits allows sending malicious payloads that appear to be multimedia files via Telegram chat. If a user tries to play the apparent video, they will receive a request to install an external app, which actually installs the malicious payload. Luckily, the vulnerability has been fixed as of July 11th, 2024, after we reported it to Telegram.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload. |

Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024‑07‑16 | C&C server of EvilVideo payload. |

MITRE ATT&CK techniques

This table was built using version 15 of the MITRE ATT&CK mobile techniques.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to achieve initial device access. |
| Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |

Microchip Technology discloses cyberattack impacting operations

American chipmaker Microchip Technology Incorporated has disclosed that a cyberattack impacted its systems over the weekend, disrupting operations across multiple manufacturing facilities.

Headquartered in Chandler, Arizona, the company has approximately 123,000 customers across multiple industry sectors, including industrial, automotive, consumer, aerospace and defense, communications, and computing markets.

As a result of the incident, some Microchip Technology manufacturing facilities are operating at reduced capacity, affecting the company’s ability to fulfill orders. Microchip Technology also had to take steps to address the situation, such as shutting down some systems and isolating the affected ones following the breach.

“On August 17, 2024, Microchip Technology Incorporated (the “Company”) detected potentially suspicious activity involving its information technology (“IT”) systems. Upon detecting the issue, the Company began taking steps to assess, contain and remediate the potentially unauthorized activity,” Microchip Technology revealed in an SEC filing on Tuesday.

“On August 19, 2024, the Company determined that an unauthorized party disrupted the Company’s use of certain servers and some business operations.”

Microchip Technology is currently evaluating the extent and impact of the cyberattack with the help of external cybersecurity experts. The company is also working to restore affected IT systems and return to normal business operations.

“Because the Company’s investigation is ongoing, the full scope, nature and impact of the incident are not yet known,” it added in today’s filing. “As of the date of this filing, the Company has not yet determined whether the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.”

While the company has not yet disclosed the nature of the incident, the SEC filing suggests it was ransomware. However, no ransomware operation has claimed responsibility for the attack.

A Microchip Technology spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.

Make marvelous diagrams with PC app

Whether for flowcharts, floor plans or org charts, diagrams prove incredibly useful for illustrating how information fits together. Microsoft Visio Professional 2021 helps you build polished visualizations faster.

An incredible limited-time deal means you can grab lifetime access to this Windows app for only $19.97 (regularly $249.99).

Microsoft Visio: Create diagrams, flowcharts and visualizations

If you work for a big organization like Apple, you’ll know how complex processes and structures can be. Understanding how the various parts fit together is almost impossible without a visual reference. That’s what Visio Professional can help with.

In essence, this software is the ultimate toolkit for creating visual representations. Whether it’s the flow of data, the hierarchy within your business or the steps in an automated workflow, Visio Professional helps you illustrate it more clearly.

Use templates and shapes for polished diagrams

The Professional version of Microsoft’s app includes a huge library of templates and more than 250,000 shapes you can use in your diagrams. You can also access stencils and preset structures to build custom flowcharts, develop network diagrams and generate org charts from data sources like Excel, Exchange or Microsoft Entra ID. Visio can handle floor plans, too.

Putting together these visualizations is easy, and you can collaborate on your designs with co-workers. Along with diagramming, Visio Professional offers helpful brainstorming tools like templates for visualizing problems and mapping solutions. Choose anything from fishbone diagrams to SWOT analysis to map out ideas or issues.

Save on Microsoft Visio Professional 2021

With this deal, you get a lifetime license to Microsoft Visio Professional 2021. The software is delivered through an instant download from an authorized Microsoft Partner, with future updates included. Just be sure to check whether your Windows device meets the system requirements, i.e., sufficient memory and hard disk space, and the minimum OS requirement.

Create easy-to-understand visuals with confidence when you get Microsoft Visio Professional 2021 for just $19.97. That’s an incredible 92% off the list price of $249.99.

Buy from: Cult of Mac Deals

Prices subject to change. All sales handled by StackSocial, our partner who runs Cult of Mac Deals. For customer support, please email StackSocial directly. We originally published this post on Microsoft Visio Professional 2021 on February 8, 2024. We updated the pricing information.



Ransomware attackers introduce new EDR killer to their arsenal – Sophos News

Sophos analysts recently encountered a new EDR-killing utility being deployed by a criminal group who were attempting to attack an organization with ransomware known as RansomHub. While the ransomware attack ultimately was unsuccessful, the postmortem analysis of the attack revealed the existence of a new tool designed to terminate endpoint protection software. We’re calling this tool EDRKillShifter.

Since 2022, we’ve seen an increase in the sophistication of malware designed to disable EDR systems on an infected system, as customers increasingly adopt EDR tooling to protect endpoints. Sophos previously published research about AuKill, an EDR killer tool Sophos X-Ops discovered last year that was being sold commercially within criminal marketplaces.

During the incident in May, the threat actors (we estimate with moderate confidence that this tool is being used by multiple attackers) attempted to use EDRKillShifter to terminate Sophos protection on the targeted computer, but the tool failed. They then attempted to run the ransomware executable on the machine they controlled, but that also failed when the endpoint agent’s CryptoGuard feature was triggered.

How EDRKillShifter works

The EDRKillShifter tool is a “loader” executable: a delivery mechanism for a legitimate driver that is vulnerable to abuse (also known as a “bring your own vulnerable driver,” or BYOVD, tool). Depending on the threat actor’s requirements, it can deliver a variety of different driver payloads.

There are three steps to the execution process of this loader. The attacker must execute EDRKillShifter with a command line that includes a password string. When run with the correct password, the executable decrypts an embedded resource named BIN and executes it in memory.

The BIN code unpacks and executes the final payload. This final payload, written in the Go programming language, drops and exploits one of a variety of different vulnerable, legitimate drivers to gain privileges sufficient to unhook an EDR tool’s protection.

High-level overview of the EDRKillShifter loader execution process

Peeling off the first layer

A superficial analysis reveals that all samples share the same version info. The original filename is Loader.exe and its product name is ARK-Game. (Some members of the research team speculated that the threat actor tries to masquerade the final payload as a popular computer game named ARK: Survival Evolved.)

The binary’s language property is Russian, indicating that the malware author compiled the executable on a computer with Russian localization settings.

Version info of EDRKillShifter as shown in CFF Explorer

All samples require a unique 64-character password passed on the command line. If the password is incorrect (or not provided), the tool won’t execute.

Execution fails if the user doesn’t provide the correct password on the command line

When executed, EDRKillShifter loads an encrypted resource named BIN, embedded inside itself, into memory. It also copies that data into a new file named Config.ini and writes that file to the same filesystem location where the binary was executed.

The loader code then allocates a new memory page using VirtualAlloc, and writes the encrypted content into the newly allocated page. The malware then deletes the Config.ini file and proceeds with decrypting the next set of payloads: the abusable driver and a Go binary. The loader uses a SHA256 hash of the input password as the decryption key of the second-layer payloads.

Pseudocode of the EDRKillShifter malware second-layer decryption routine

If the malware successfully decrypts the second-layer payloads, it creates a new thread and begins execution in that thread.

Loading the final EDR killer into memory

The second stage is obfuscated through the use of a self-modifying code technique. During runtime, the second layer alters its own instructions. Since the actual executed instructions are only revealed during execution, additional tooling or emulation is required for analysis.

The figure below further illustrates the technique. The first section shows the beginning of the self-modifying code layer. All instructions after the first call in the disassembly are nonsense at this point. If we revisit the same instruction block after executing the first call, we see a different set of instructions. The first call modifies the next set of instructions, which then modifies the next set of instructions, and so on.

EDRKillShifter uses self-modifying code to change every subsequent instruction

The sole purpose of the final, decoded layer is to load the final payload dynamically into memory and execute it.

Analysis of the ultimate payload

All of the samples we analyzed executed a different EDR killer variant in memory. They are all written in Go and obfuscated (probably through the use of an open-source tool named gobfuscate). Obfuscators are tools designed to hinder reverse engineering. There may be legitimate reasons for software engineers to obscure their software, such as preventing competitors from stealing intellectual property. However, malware authors also use obfuscators to make it harder for security researchers to analyze malware.

Most reverse engineers rely on this kind of information when analyzing malware written in Go, but in this case, this key information is obscured in the compiled code. Some of this information includes:

  • Strings are encrypted. They are decrypted during runtime.
  • The Go version info is gone. Many open-source reverse engineering tools rely on this Go version info to rebuild structures in the disassembly.
  • Useful package information, or package paths, are encrypted or stripped from the final malware.

However, we were able to extract valuable information using the GoReSym tool from Mandiant.

 

Similarities between the final payloads

All of the unpacked EDR killers embed a vulnerable driver in the .data section. Their behavior is simple, like other EDR killers we’ve analyzed[1][2][3]. The only major difference between the two variants we looked at is the vulnerable driver being loaded and exploited.

Upon execution, both variants acquire the necessary privileges to load a driver and drop the exploitable sys file into the AppData\Local\Temp folder. The malware generates a random filename for the driver each time it is run.

A Process Monitor log shows the malware dropping the abusable driver into the TEMP folder

After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates the running processes, terminating processes if their name appears in a hardcoded list of targets. This behavior is consistent for both variants.
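Detection logic for the staging sequence just described (driver written to a per-user Temp directory, kernel service created for it, driver loaded, then a burst of process terminations), run over a constructed event stream. This is an added example, not Sophos’s code; the event schema, the file name hk3v9qz.sys, the EDRVendor paths and the timings are all constructed, and in production the events would come from sources such as Sysmon file-create and driver-load records and the System log’s service-installation records.

```python
import re
from dataclasses import dataclass

# A .sys written under a per-user Temp directory: any user can write here,
# while a legitimately installed driver normally lives under System32\drivers.
USER_TEMP_SYS = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.sys$", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: int         # seconds into the constructed log
    kind: str       # FileCreate | ServiceInstalled | DriverLoaded | ProcessTerminated
    path: str       # file written, service ImagePath, loaded driver, or terminated image
    actor: str = "" # process responsible, where the log source records one


def is_user_temp_driver(path: str) -> bool:
    """True when a driver image sits in a user-writable Temp folder."""
    return USER_TEMP_SYS.search(path) is not None


def detect_byovd_staging(events, window: int = 60, kill_window: int = 120):
    """Return one alert per drop -> service -> load chain completed within `window` seconds.

    Each alert also lists the images terminated in the `kill_window` after the
    driver load, i.e. the 'endless loop terminating processes' stage.
    """
    ordered = sorted(events, key=lambda e: e.ts)
    chains = {}   # lower-cased driver path -> {"drop": Event, "service": Event | None}
    alerts = []
    for ev in ordered:
        key = ev.path.lower()
        if ev.kind == "FileCreate" and is_user_temp_driver(ev.path):
            chains[key] = {"drop": ev, "service": None}
        elif ev.kind == "ServiceInstalled" and key in chains:
            chains[key]["service"] = ev
        elif ev.kind == "DriverLoaded" and key in chains:
            chain = chains[key]
            # Require the full chain and a tight timeline; a stale drop is not enough.
            if chain["service"] is None or ev.ts - chain["drop"].ts > window:
                continue
            kills = [k for k in ordered if k.kind == "ProcessTerminated"
                     and ev.ts <= k.ts <= ev.ts + kill_window]
            alerts.append({
                "driver": ev.path,
                "dropped_by": chain["drop"].actor,
                "service_ts": chain["service"].ts,
                "load_ts": ev.ts,
                "terminated_after_load": sorted({k.path for k in kills}),
            })
    return alerts


# Constructed sample log modelled on the sequence described in the article.
# "EDRVendor" is a placeholder for the security product's install path.
SAMPLE_EVENTS = [
    Event(0, "FileCreate", r"C:\Users\alice\AppData\Local\Temp\hk3v9qz.sys", "loader.exe"),
    Event(2, "ServiceInstalled", r"C:\Users\alice\AppData\Local\Temp\hk3v9qz.sys", "loader.exe"),
    Event(3, "DriverLoaded", r"C:\Users\alice\AppData\Local\Temp\hk3v9qz.sys", "System"),
    Event(5, "ProcessTerminated", r"C:\Program Files\EDRVendor\agent.exe"),
    Event(6, "ProcessTerminated", r"C:\Windows\System32\notepad.exe"),
    Event(7, "ProcessTerminated", r"C:\Program Files\WindowsApps\CalculatorApp.exe"),
    # Benign noise: a driver loaded from System32 with no Temp drop is ignored.
    Event(9, "DriverLoaded", r"C:\Windows\System32\drivers\ndis.sys", "System"),
]

if __name__ == "__main__":
    for alert in detect_byovd_staging(SAMPLE_EVENTS):
        print(alert)
```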

It is also worth noting that both variants exploit legitimate (though vulnerable) drivers, using proof-of-concept exploits available on GitHub. We suspect that the threat actors copied portions of these proofs-of-concept, modified them, and ported the code to the Go language. This is a common trend we’ve also observed in other EDR killers, such as Terminator.

Same loader, different final payloads

The sample with SHA256 451f5aa55eb207e73c5ca53d249b95911d3fad6fe32eee78c58947761336cc60 abuses a vulnerable driver that has also been seen abused in attacks and calls itself RentDrv2. A proof-of-concept for exploiting this driver is available on GitHub.

The variant can also receive an additional command line argument, “–list”, allowing adversaries to pass an additional list of process names as targets.

The first variant can also accept additional command line arguments as input, including a custom list of processes to target. The screenshot shows the program targeting various Sophos tools as well as Notepad and CalculatorApp on Windows.

The variant with SHA256 d0f9eae1776a98c77a6c6d66a3fd32cee7ee6148a7276bc899c1a1376865d9b0, in contrast, abuses a known-vulnerable driver called ThreatFireMonitor, a component of a deprecated system-monitoring package. A proof of concept for this particular driver is also available on GitHub.

Mapping EDRKillShifter into the larger threat landscape

The final payload embedded into the loader changes from incident to incident (and, presumably, author to author). If we try to map EDRKillShifter to the larger threat landscape, it is also plausible that the loader and the final payloads are developed by separate threat actors.

Selling loaders or obfuscators is a lucrative business on the dark net. Sophos X-Ops suspects that the loader’s sole purpose is to deploy the final BYOVD payload, and that it might have been acquired on the dark net. The final EDR killer payloads are then simply delivered by the loader itself, which consists of the layers 1 and 2 we described in our analysis above.

Example of an obfuscator tool advertisement for sale on a dark net criminal forum

It is worth noting that we are unable to confirm this hypothesis at this time.

Mitigations and advice

Sophos currently detects EDRKillShifter as Troj/KillAV-KG. Additionally, behavioral protection rules that protect against defense evasion and privilege escalation block these system calls from going through. Businesses and individuals can also take additional steps to protect their machines against driver abuse:

  • Sophos X-Ops strongly suggests that you check whether your endpoint security product implements and enables tamper protection. This feature provides a strong layer against this kind of attack. If you use Sophos products but don’t currently have Sophos tamper protection enabled, turn it on immediately.
  • Apply strong hygiene for Windows security roles. This attack is only possible if the attacker escalates privileges they control, or if they can obtain administrator rights. Separation between user and admin privileges can help prevent attackers from easily loading drivers.
  • Keep your system updated. Since last year, Microsoft has begun to push updates that de-certify signed drivers known to have been abused in the past.

Cloudian Partners with Lenovo for EPYC All-Flash ‘HyperStore’

Cloudian and Lenovo today announced they are teaming up to deliver a new HyperStore cluster designed to run big data, AI, and HPC workloads.

Each HyperStore cluster will be composed of six Lenovo ThinkSystem SR635 V3 servers equipped with AMD EPYC 9454P processors and flash drives. The cluster will come pre-loaded with Cloudian’s S3-compatible object storage system.

The combination of AMD processors and all-flash storage will allow the HyperStore cluster to read data at speeds up to 28.7 GB/s and write data at speeds up to 18.4 GB/s. According to Cloudian, testing shows the all-flash setup is 74% more power-efficient than an equivalent HDD setup.

HyperStore can serve as a data lake to power next-generation AI and advanced analytic workloads running atop distributed architectures such as PyTorch, TensorFlow, Apache Kafka, and Druid across media, finance, and life sciences, Cloudian says.

Lenovo’s EPYC-based processors “perfectly complement Cloudian’s high-performance data platform software,” says Cloudian CEO and Co-founder Michael Tso.

“Together, they deliver the limitlessly scalable, performant, and efficient foundation that AI and data analytics workloads require,” Tso said in a press release. “For organizations looking to innovate or drive research and discovery with AI, ML, and HPC, this solution promises to be transformative.”

Lenovo General Manager Stuart McRae says the combination of its all-flash EPYC servers with Cloudian’s software is capable of handling the most demanding AI and analytics workloads. “This partnership enables us to offer our customers a cutting-edge, scalable, and secure platform that can help them accelerate their AI initiatives and drive innovation,” McRae says in a press release.

Cloudian, which has more than 800 customers, says the HyperStore incorporates military-grade security and an “object lock” technology for ransomware protection.

Related Items:

Teradata Taps Cloudian for On-Prem Lakehouse

Cloudian Bolsters Object Store with Monitoring and Analytics

Cloudian, Splunk Unchain Compute, Storage