Epsilon Red / Bug in Microsoft PatchGuard / Necro Python bot

Welcome to the Xopero Security Center! What technological news has captured the imagination of IT specialists and geeks around the world? There were quite a few stories, but we have selected the four (plus 10 extra) most interesting. Today’s release opens with a new strain of Barebones ransomware called Epsilon Red. Marvel comic book fans will probably be familiar with this name. What makes this “villain” different from other threats? Namely, that it bases its attack chain on PowerShell scripts. Another topic concerns a vulnerability in Microsoft PatchGuard. The newly detected bug allows attackers to load malicious code directly into the Windows kernel. We also describe the changes that took place inside the Necro Python bot. The latest update brings a number of fresh features as well as exploits for 10 applications – including VMware. The last article is about malicious ads on Google’s network that deliver info-stealers to your computers.

Enough small talk, it’s time to check the whole post.

Epsilon Red, the newest Barebones ransomware strain surfaces

Researchers at Sophos Labs have spotted a new Barebones ransomware strain that stands out from other threats with its pared-down functionality and heavy use of PowerShell scripts to carry out a variety of its malicious functions.

Most of Epsilon Red’s components are PowerShell scripts. The ransomware component itself is a bare-bones 64-bit executable with only one function: to encrypt files on the target system.

What do we know about Epsilon Red’s attack chain?

The first documented attack appears to have begun with a vulnerable Microsoft Exchange Server. It’s unclear whether the attackers exploited the recently disclosed ProxyLogon vulnerabilities or if they took advantage of other flaws.

From their initial entry point, the attackers used Windows Management Instrumentation (WMI) to install additional software for downloading the ransomware on all other systems they could access from the Exchange Server. During the attack, the threat actors used over a dozen PowerShell scripts – including those for deleting Volume Shadow Copies and for copying the Windows Security Account Management (SAM) so they could retrieve passwords stored on the computer.
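The two script behaviours named above, deleting Volume Shadow Copies and exporting the SAM hive, are noisy on the endpoint and, together with a shell spawned by the WMI provider host, are a reasonable triage signal for this kind of intrusion. The following is an added example written for this post, not Sophos’ detection content: it runs a few command-line rules over constructed process-creation records (timestamp, host, parent image, command line, in the spirit of Sysmon Event ID 1 or Security 4688) and ranks hosts that show more than one of the behaviours. The sample records, the command-line patterns and the rule names are all assumptions.

```python
"""Flag shadow-copy deletion, SAM/SYSTEM hive export and WMI-spawned shells
in constructed Windows process-creation records. Added example; the log
lines and patterns are assumptions, not taken from the Sophos report."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: <timestamp> <host> <parent image> <command line>.
# Not real telemetry.
SAMPLE_LOG = """\
2021-05-30T01:12:07Z EXCH01 C:\\Windows\\System32\\wbem\\WmiPrvSE.exe powershell.exe -File C:\\Temp\\1.ps1
2021-05-30T01:12:09Z WS-042 powershell.exe vssadmin.exe delete shadows /all /quiet
2021-05-30T01:12:11Z WS-042 powershell.exe reg.exe save HKLM\\SAM C:\\Temp\\sam.hiv
2021-05-30T01:12:12Z WS-042 powershell.exe reg.exe save HKLM\\SYSTEM C:\\Temp\\sys.hiv
2021-05-30T01:14:00Z WS-043 explorer.exe notepad.exe C:\\Users\\alice\\notes.txt
2021-05-30T01:15:30Z WS-044 services.exe vssadmin.exe list shadows
"""


@dataclass
class Event:
    timestamp: str
    host: str
    parent_image: str
    command_line: str


@dataclass
class Finding:
    timestamp: str
    host: str
    tag: str
    command_line: str


# Command-line rules (assumed patterns). "vssadmin list shadows" is benign
# administration and deliberately does not match.
COMMAND_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy",
        re.I,
    ),
    "sam_hive_export": re.compile(
        r"reg(?:\.exe)?\s+save\s+HKLM\\(?:SAM|SYSTEM|SECURITY)\b", re.I
    ),
}

# Shells that should rarely be children of the WMI provider host.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_log(text):
    """Split each non-empty line into the four fields; the command line keeps its spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, host, parent, command = line.split(maxsplit=3)
        events.append(Event(timestamp, host, parent, command))
    return events


def classify(event):
    """Return the rule names that an event matches (possibly none)."""
    tags = [tag for tag, rx in COMMAND_RULES.items() if rx.search(event.command_line)]
    parent = event.parent_image.rsplit("\\", 1)[-1].lower()
    child = event.command_line.split(maxsplit=1)[0].lower()
    if parent == "wmiprvse.exe" and child in SHELL_IMAGES:
        tags.append("wmi_spawned_shell")
    return tags


def scan(text):
    """Run every rule over every record and return one Finding per hit."""
    return [
        Finding(ev.timestamp, ev.host, tag, ev.command_line)
        for ev in parse_log(text)
        for tag in classify(ev)
    ]


def hosts_with_multiple_behaviours(findings, minimum=2):
    """Hosts showing at least `minimum` distinct behaviours, sorted by name."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.tag)
    return sorted(h for h, tags in per_host.items() if len(tags) >= minimum)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.tag}: {f.command_line}")
    print("hosts to triage first:", hosts_with_multiple_behaviours(found))
```

Ranking by distinct behaviours rather than raw hit count matters here: a backup job that legitimately runs `vssadmin` will trip one rule repeatedly, but a host that both clears shadow copies and exports the SAM within minutes is the one worth looking at first.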

Surprisingly, the ransomware binary itself doesn’t include a list of targeted files and extensions. Instead, it appears designed to encrypt everything on a target system, including crucial DLL libraries and extensions required to keep the system functional. Most ransomware operators avoid such scenarios at any cost. Why? Encrypting executables and DLLs is bad for their business. Threat actors usually don’t get paid if nobody can see their ransom note – because the computer is unbootable. Since Epsilon Red doesn’t appear to make that distinction, even if the attacker were to deliver a decryption tool, it’s unlikely the victim would be able to run it on the infected computer.


Bug in Microsoft PatchGuard allows loading unsigned malicious code into the Windows kernel

PatchGuard, also known as Kernel Patch Protection, is a software protection feature designed to prevent the kernel of 64-bit versions of Windows from being patched, in order to block rootkit infections and the execution of malicious code at the kernel level.

The issue is considered very dangerous because all 64-bit versions of Windows support the PatchGuard feature.

Patching the kernel could allow attackers to run malicious code in kernel mode, which means that malware could run with the highest level of privileges and go undetected by common security solutions.

Is there a chance for a quick fix?

Not likely. Microsoft has not patched any of the PatchGuard vulnerabilities reported in the last couple of years. Why such strong objections? According to Microsoft, such attacks require that the attacker already be able to run code with admin privileges. But with this level of permission it is already possible to take over any Windows system – and even Microsoft’s specialists confirmed it. Still, the vulnerability has yet to be addressed by the company.


Necro Python bot enriched with new VMWare, server exploits

Necro Python (or FreakOut) is not a new threat – the bot has been in development since 2015 and it was documented in 2021. However, the developer behind Necro Python has recently made a number of changes to increase the strength and versatility of the bot…

For example, exploits for 10 different web applications and the SMB protocol are being weaponized in the bot’s recent campaigns. Oh, and have you already patched VMware vSphere, as we were urging you to do last week? We ask because exploits are included for vulnerabilities in software such as VMware vSphere, SCO OpenServer, and the Vesta Control Panel. It also includes exploits for EternalBlue and EternalRomance.

The bot will first attempt to exploit the aforementioned vulnerabilities on both Linux and Windows-based systems. If successful, the malware uses a JavaScript downloader, a Python interpreter and scripts, and executables created with pyinstaller to begin roping the compromised system into the botnet as a slave machine.

Once Necro Python establishes a connection to the C2 server, it receives commands to exfiltrate data or to deploy additional malware payloads. New addition? A cryptocurrency miner, XMRig, used to generate Monero (XMR) by stealing the compromised machine’s computing resources.

Other features include the ability to launch distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing. It also installs a user-mode rootkit to establish persistence by ensuring the malware launches whenever a user logs in, and to hide its presence by burying malicious processes and registry entries.

Another upgrade is Necro Python’s polymorphic abilities. The bot gains a module to allow developers to view code as it would be seen by an interpreter before being compiled to bytecode, and this module has been integrated into an engine that could allow runtime modifications.

This threat shows exactly how important it is to regularly apply security updates to all of the applications, not just operating systems. So…better patch now!


Google PPC ads used to deliver Infostealers

If you want to promote or sell something, you invest in ads, right? So do crooks! They pay top dollar for Google search results for the popular AnyDesk, Dropbox and Telegram apps that lead to malicious, infostealer-packed websites.

Redline, Taurus, Tesla, and Amadey – all of these increasingly prevalent info-stealers are delivered via pay-per-click (PPC) ads in Google’s search results. Once you click, the ad leads to downloads of malicious AnyDesk, Dropbox, and Telegram packages wrapped as ISO images – according to breach prevention firm Morphisec.

Example? Morphisec researchers found that a simple search for “anydesk download” led them to three pay-per-click Google ads, all of which led to malicious info-stealers, as shown in the image below. The first two ads lead to a Redline stealer, while the third leads to the Taurus info-stealer.

[Image: Malicious Google Ads and Google PPC used to deliver Infostealers. Source: Morphisec]

Google says that it uses proprietary technology and malware detection tools to “regularly scan all creatives”, that it forbids ads that try to call fourth parties or sub-syndicate to uncertified advertisers, and of course pulls ads distributing malware, suspending their authors for at least 3 months.

So how do these bad ads, funded through crooks spending real money on paid advertising, keep popping up at the top of search results?

In a nutshell, according to Morphisec, these attacks have succeeded because crooks spend real money on Google Ads, having figured out how to evade Google’s malvertising screening and having set up a website with a signed, legitimate certificate – as in, a maximum of two weeks old – designed to mislead website visitors.

All of the attacks start with one of a dozen paid Google ads that lead to a website with an ISO image download – one that’s big enough to slip past scanning. But is having a big enough ISO file really all that’s needed to evade detection? If so, that’s a bad look for Google. 
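One of the few signals a defender can check mechanically in the scheme above is the age of the lookalike site’s certificate: Morphisec describes the sites as carrying a legitimate certificate at most two weeks old. The following is an added example written for this post, not Morphisec’s tooling, that computes certificate age from the dictionary shape Python’s `ssl.SSLSocket.getpeercert()` returns and flags freshly issued certificates. The two certificate dictionaries and the analysis date are constructed; `fetch_peer_cert` is included for live use but is not exercised offline.

```python
"""Flag freshly issued TLS certificates on download sites. Added example;
the certificates and the analysis time below are constructed."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed certificate dicts in the shape returned by getpeercert()
# (only the fields used here). Not real certificates.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "anydesk-download.example"),),),
    "notBefore": "May 28 00:00:00 2021 GMT",
    "notAfter": "Aug 26 00:00:00 2021 GMT",
}
ESTABLISHED_CERT = {
    "subject": ((("commonName", "vendor.example"),),),
    "notBefore": "Jan 10 00:00:00 2020 GMT",
    "notAfter": "Jan 10 00:00:00 2022 GMT",
}

# Constructed "now" so the example is reproducible offline.
ANALYSIS_TIME = datetime(2021, 6, 4, tzinfo=timezone.utc)


def common_name(cert):
    """Pull the subject commonName out of getpeercert()'s nested tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def certificate_age_days(cert, now):
    """Whole days between the certificate's notBefore and `now` (UTC)."""
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return (now - issued).days


def is_freshly_issued(cert, now, max_age_days=14):
    """True when the certificate was issued within the last max_age_days."""
    return 0 <= certificate_age_days(cert, now) <= max_age_days


def triage(cert, now, max_age_days=14):
    """Summarise one certificate for a review queue."""
    age = certificate_age_days(cert, now)
    return {
        "common_name": common_name(cert),
        "age_days": age,
        "fresh": is_freshly_issued(cert, now, max_age_days),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live lookup for real use: validated peer certificate as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (LOOKALIKE_CERT, ESTABLISHED_CERT):
        print(triage(cert, ANALYSIS_TIME))
```

A young certificate on its own is not evidence of anything (every new site starts with one), so the check is meant to add a score to a download domain that already came in through an ad click, not to block on its own. The rules of thumb stay within what the article states: a two-week window, applied to the site that serves the ISO.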

Businesses that have downloaded and installed a malicious package should sweep their infrastructure to identify any additional backdoors that were established. They should also monitor for any malicious changes that would indicate that an attacker still has access.


Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. A New Bug in Siemens PLCs Could Let Hackers Run Malicious Code Remotely (The Hacker News)
2. Watch out: These unsubscribe emails only lead to further spam (Bleeping Computer)
3. Facefish Backdoor delivers rootkits to Linux x64 systems (Security Affairs)
4. Malware Can Use This Trick to Bypass Ransomware Defense in Antivirus Solutions (The Hacker News)
5. This Android trojan malware is using fake apps to infect smartphones, steal bank details (ZDNet)
6. Poisoned Installers Found in SolarWinds Hackers Toolkit (Security Week)
7. Justice Department seizes domains used in Nobelium-USAID phishing campaign (ZDNet)
8. Fujifilm Shuts Down Servers to Investigate Possible Ransomware Attack (Info Security)
9. ‘Battle for the Galaxy’ Mobile Game Leaks 6M Gamer Profiles (Threat Post)
10. Norton 360 antivirus now lets you mine Ethereum cryptocurrency (Bleeping Computer)