Blackrota is a malicious backdoor written in the Go language that exploits a security bug in the Docker Remote API. Obfuscated malware written in Go is rare. What’s more, the obfuscation method of Blackrota creates new challenges for reverse analysis. More information regarding this new threat can be found below.
Blackrota, a new backdoor which is nearly impossible to reverse-analyze
Blackrota is a new backdoor written in the Go programming language (Golang), which stands out due to its heavy level of obfuscation. This time cybercriminals are targeting a security bug in Docker. It exploits an unauthorized-access vulnerability in the Docker Remote API.
Characteristic
Malware got named, due to its command-and-control (C2) domain name – blackrota.ga. It is currently only available for Linux, in Executable and Linkable Format (ELF) file format, and supports both x86/x86-64 CPU architectures. This is a type of beacon used by the malware to communicate with a C2 server, asking for instructions or to exfiltrate collected data.
This beacon implements various key functions for the Blackrota backdoor, allowing it to execute shell commands (CMD_SHELL), upload files (CMD_UPLOAD), download specified files (CMDDOWNLOAD), browse files (CMD_FILE_BROWSE), set a sleep delay time (CMD_SLEEP) and change directories (CMD_CD).
Obfuscation
Blackrota uses extensive anti-detection techniques, which makes the malware extremely difficult to analyze and detect. For one, the malware uses gobfuscate, an open-source tool for Go code, to obfuscate the source code before compiling. It hides various elements of Go source code with random character substitutions – including the package names, global variable names, function names, type names and method names.
Gobfuscate also replaces all strings used in the code with XOR encodings (the XOR cipher is a cryptographic logic operation that compares two input bits and generates one output bit). In this case, each string is assigned an XOR decoding function that dynamically decodes strings during program execution.
Another roadblock for analysis is that the Go language uses fully static links to build binary files – meaning that all of the codes used in standard and third-party libraries are packed into binary files, resulting in very large binary files.
As the Go language becomes more popular, more and more malware like Blackrota will be written in Golang in the future.
New Windows 7 and Windows Server 2008 zero-day were discovered… by accident
By accident means, that it was discovered by french researchers while working on an update to a Windows security tool. This new vulnerability impacts the Windows 7 and Windows Server 2008 R2 operating systems.
The vulnerability resides in two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache services that are part of all Windows installations.
HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
An attacker that has a foothold on vulnerable systems can modify these registry keys to activate a sub-key usually employed by the Windows Performance Monitoring mechanism. Performance subkeys are usually employed to monitor an app’s performance, and, because of their role, they also allow developers to load their own DLL files to track performance using custom tools.
While on recent versions of Windows, these DLLs are usually restricted and loaded with limited privileges, on Windows 7 and Windows Server 2008, it was still possible to load custom DLLs that ran with SYSTEM-level privileges.
Both Windows 7 and Windows Server 2008 R2 have officially reached end of life (EOL) and Microsoft has stopped providing free security updates. Some security updates are available through the company’s ESU (Extended Support Updates). But it is unclear if Microsoft will patch this new zero-day. However, ACROS Security has already put together a micro-patch, which the company released a few days ago. The micro-patch is installed via the company’s 0patch security software and prevents malicious actors from exploiting the bug through ACROS’ unofficial patch. There is good news, it is available to all 0patch users, including those with a FREE plan.
Watch out, WAPDropper malware could subscribe you to premium services
Security researchers from Check Point have spotted a new malware family dubbed WAPDropper that targets mobile phone users to subscribe them to legitimate premium-rate services.
The malware also acts as a dropper and can deliver second-stage malware, one of its capabilities to bypass image-based CAPTCHA challenges using a machine learning service. By cleverly bypassing CAPTCHAs, it ensures uninterrupted access to targeted systems, allowing attackers to maintain control and deploy additional malicious payloads.
The malicious code is distributed via third-party markets, upon installing the malicious code it contacts the C&C server and receives the payloads to execute. The payload employed in this campaign is the premium dialer module, which opens a tiny web-view, and contacts premium services offered by legitimate telecom companies. Then it almost invisibly loads landing pages for the premium services and completes the subscription.
Then WAPDropper attempts to subscribe the user to premium services, and in case a CAPTCHA step is required to finalize the subscription it uses the ML services of “Super Eagle”, a Chinese company, to solve the challenge.
It is also able to collect details about the infected device, including: device ID, mac address, subscriber ID, list of running services, amount of RAM.
Even if in these attacks WAPDropper drops a premium dialer, in the future, it could be used to deliver any other kind of malicious payload.
So far, the malware was spotted in Thailand and Malaysia.
Bug allowed hackers to get anyone’s email address on Xbox Live
Microsoft has patched a bug in the Xbox website that could have allowed threat actors to link Xbox gamer tags (usernames) to users’ real email addresses.
The security researcher, Joseph “Doc” Harris, who reported the issue to Microsoft, said the bug was located on enforcement.xbox.com, the web portal where Xbox users go to view strikes against their Xbox profile and file appeals if they feel they have been unfairly reprimanded for their behavior on the Xbox network.
After users log in to this website, the Xbox Enforcement site creates a cookie file in their browser with details about their web session, so they won’t have to re-authenticate the next time they visit the site again. This file contained an Xbox user ID (XUID) field that was unencrypted.
Using tools included with all modern browsers, Harris edited the XUID field and replaced it with the XUID of a test account he had created and had used for testing as part of the Xbox bug bounty program. While trying to replace the cookie value and refresh, he suddenly was able to see other users’ emails.
The bug couldn’t be used to hijack Xbox but it could have allowed threat actors to link any Xbox gamer tag to a gamer’s real email address.
Microsoft deployed a patch for this bug last month – it was all about to encrypt XUID. The fix was deployed server-side, and there are no additional steps that users need to take to stay protected.
Do you have thirst for knowledge? There is ten more cybersecurity stories below
1. Passwords exposed for almost 50,000 vulnerable Fortinet VPNs (Bleeping Computer)
2. Home Depot agrees to $17.5 million settlement over 2014 data breach (ZDNet)
3. SSH-backdoor Botnet With ‘Research’ Infection Technique (Security Affairs)
4. cPanel 2FA bypass vulnerability can be exploited through brute force (HelpNetSecurity)
5. Baltimore County Public Schools hit by ransomware attack (Bleeping Computer)
6. Ransomware: This new variant could be the next big malware threat to your business (ZDNet)
7. New malware fraudulently subscribes victims to premium phone services (HackRead)
8. Stantinko’s Linux malware now poses as an Apache web server (ZDNet)
9. Spotify launches ‘rolling reset’ on customer accounts, passwords linked to data leak (ZDNet)
10. Canon publicly confirms August ransomware attack and data breach (Security Affairs)