Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.
But, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have many more browsers in your system than you think this very minute…
What is Electron, and why do application developers want to use it?
Main page of the Electron framework official site. Source
Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.
Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.
Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.
Electron’s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.
Et tu autem, Brute! You can find Electron in apps you least expect to
Summing up, the Electron framework is popular among developers — particularly because it lets them greatly accelerate and simplify application development for all desktop operating systems in one go.
Issues with Electron-based applications
Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries its whole home on its back like a snail, and that home is a full-blown Chromium browser. In effect, the app operates through that browser, which serves as a sort of intermediary.
Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.
New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: as of the time of writing, more than 70 high-severity and three critical-severity vulnerabilities have been found in Chromium this year. Worse yet, exploits for vulnerabilities in the world’s most popular browser appear really quickly. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that cybercriminals can use for attacks out in the wild.
Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source
For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).
Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app’s vendor has released a new version and successfully communicated to users the need to install it.
So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.
The framework’s creators know full well about the problem, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.
And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already being actively exploited in the wild. It allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and therefore in all Electron-based applications. So, all companies using the framework in their applications will have to work on updates.
Which desktop applications are based on Electron?
Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:
Visual Studio Code
I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).
That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).
The list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones. Source
So how do you avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably embedding into desktop apps? I have three main tips:
Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact of using the framework normally suggests that the service has an extremely advanced web version, which is most likely on a par with the desktop application in terms of features and convenience.
Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.
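The second tip above (inventory the Electron-based apps in use and prioritize their updates) can be scripted. The following is an added example, not code from the original post, and it rests on two assumptions: a Windows/Linux-style Electron install keeps `chrome_100_percent.pak` beside its executable plus `resources/app.asar` (or an unpacked `resources/app`), and the executable embeds the default user-agent fragment `Electron/x.y.z`; the patched-version thresholds are placeholders to fill in from the Electron release notes, and the run at the bottom uses a constructed directory tree.

```python
"""Inventory Electron-based apps under a directory tree and flag stale Electron versions.

Added example for the tips above; it is not code from the original post.
Assumptions: a Windows/Linux-style Electron install ships 'chrome_100_percent.pak'
beside its executable and 'resources/app.asar' (or an unpacked 'resources/app'),
and the executable embeds the default user-agent fragment 'Electron/<x>.<y>.<z>'.
The run at the bottom uses a constructed directory tree, not real installations.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

MARKER = "chrome_100_percent.pak"
PAYLOADS = (os.path.join("resources", "app.asar"),
            os.path.join("resources", "app", "package.json"))
ELECTRON_RE = re.compile(rb"Electron/(\d+)\.(\d+)\.(\d+)")
MAX_SCAN_BYTES = 512 * 1024 * 1024  # never read anything larger into memory

# PLACEHOLDER thresholds: the first patched release per Electron major line, to be
# filled in from the Electron release notes (for instance the release that first
# carried the Chromium fix for CVE-2023-4863). The numbers below are made up.
MINIMUM_PATCHED: Dict[int, Version] = {24: (24, 8, 0), 25: (25, 8, 0), 26: (26, 2, 0)}


@dataclass
class ElectronApp:
    path: str
    version: Optional[Version]  # None when no version string was found
    stale: bool                 # below the patched minimum, unknown, or EOL major


def looks_like_electron_app(app_dir: str) -> bool:
    """Heuristic: a Chromium resource pak plus an application payload."""
    has_marker = os.path.isfile(os.path.join(app_dir, MARKER))
    has_payload = any(os.path.exists(os.path.join(app_dir, p)) for p in PAYLOADS)
    return has_marker and has_payload


def find_electron_version(app_dir: str) -> Optional[Version]:
    """Grep the app's top-level files for the embedded 'Electron/x.y.z' fragment."""
    for name in sorted(os.listdir(app_dir)):
        full = os.path.join(app_dir, name)
        if not os.path.isfile(full) or os.path.getsize(full) > MAX_SCAN_BYTES:
            continue
        with open(full, "rb") as fh:
            m = ELECTRON_RE.search(fh.read())
        if m:
            major, minor, patch = (int(g) for g in m.groups())
            return (major, minor, patch)
    return None


def is_stale(version: Optional[Version], minimums: Dict[int, Version]) -> bool:
    """Unknown version or a major line absent from the map counts as stale."""
    if version is None or version[0] not in minimums:
        return True
    return version < minimums[version[0]]


def inventory(root: str, minimums: Dict[int, Version] = MINIMUM_PATCHED) -> List[ElectronApp]:
    """Walk `root`; every directory that looks like an Electron app becomes a record."""
    found: List[ElectronApp] = []
    for dirpath, dirnames, _ in os.walk(root):
        if looks_like_electron_app(dirpath):
            ver = find_electron_version(dirpath)
            found.append(ElectronApp(dirpath, ver, is_stale(ver, minimums)))
            dirnames[:] = []  # the app's own subtree holds no further apps
    return sorted(found, key=lambda a: a.path)


def build_sample_tree(base: str) -> None:
    """Constructed fixture: two fake Electron apps and one ordinary program."""
    fake_binaries = {
        "OldChat": b"\x00...Mozilla/5.0 ... Electron/22.0.0\x00",
        "NewNotes": b"\x00...Mozilla/5.0 ... Electron/26.2.1\x00",
    }
    for name, blob in fake_binaries.items():
        app = os.path.join(base, name)
        os.makedirs(os.path.join(app, "resources"))
        open(os.path.join(app, MARKER), "wb").close()
        open(os.path.join(app, "resources", "app.asar"), "wb").close()
        with open(os.path.join(app, name.lower() + ".exe"), "wb") as fh:
            fh.write(blob)
    native = os.path.join(base, "NativeTool")
    os.makedirs(native)
    open(os.path.join(native, "nativetool.exe"), "wb").close()


def demo() -> List[ElectronApp]:
    """Run the inventory over the constructed tree; paths reduced to app names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        apps = inventory(tmp)
    return [ElectronApp(os.path.basename(a.path), a.version, a.stale) for a in apps]


if __name__ == "__main__":
    for app in demo():
        print(f"{app.path:10} Electron {app.version}  {'STALE' if app.stale else 'ok'}")
```

Point `inventory()` at a real program directory (for example the per-user application folder) to get the list; anything reported as stale or with an unknown version is the one to chase the vendor's update for first.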
Let’s be honest, talking to your kids about identity theft isn’t probably top of your list. There’s a long list of topics to cover off when you are a parent. But if you take a minute to picture someone stealing your child’s identity or using their personal information to take out a loan for a shiny new car then you’ll probably want to move it closer to the top of your parenting to-do list!
What Is Identity Theft?
Identity theft occurs when a person’s personal identifying information is used without their permission, usually to commit fraud by making unauthorised purchases or transactions. Identity theft can happen in many ways, but its victims are usually left with significant damage to their finances, credit score, and even their mental health.
Most people associate identity theft with data breaches – think Optus, Latitude Financial and Medibank – however, there are many more ways that scammers can get their hands on your personal identifying details. They can use ‘phishing’ emails to get information from you, do a deep dive on your social media accounts to find identifying information in posts or photos, hack public Wi-Fi to access any information you share or simply steal your wallet or go through your trash!!
How Big An Issue Is It Really?
In short, it’s a big problem – for both individuals and organisations. And here are the statistics:
76,000 cybercrime reports were made in the 2021/22 financial year, an increase of nearly 13% from the previous year, according to The Annual Cyber Threat Report by The Australian Cyber Security Centre (ACSC).
A recent study by The Australian Cybercrime Survey showed that 31% of respondents had experienced identity crime in their lifetime and 20% within the previous 12 months. Just under half of the victims reported that they had noticed suspicious transactions on their bank statements. Although 25% of respondents couldn’t identify how their information was stolen, 16% attributed it to the hacking of a computer or device.
10 million Australians had their personal details stolen in the Optus data breach in September 2022.
7 million Australians also had personal data stolen in the Medibank data breach in October 2022.
14 million Australians had their personal information stolen in the Latitude Financial data breach in March 2023.
How Do You Know If You’re a Victim?
One of the biggest issues with identity theft is that you often don’t immediately know that you’re a victim. In some cases, it might take weeks before you realise that something is awry which unfortunately, gives the thief a lot of time to wreak havoc! Some of the signs that something might be wrong include:
Unfamiliar charges to your bank account
Calls and texts about products or services that you’ve never used
You’re denied credit
Strange emails in your inbox
Not receiving expected mail
Unexpected calls or letters from debt collectors
What To Do If You Think You’re a Victim
The key here is to act as soon as you believe you are affected. Don’t stress that there has been a delay in taking action – just take action now! Here’s what you need to do:
1. Call Your Bank
Your first call should be to your bank so they can block the affected account. The aim here is to prevent the scammer from taking any more money. Also remember to block any cards that are linked to this account, either credit or debit.
2. Change Your Passwords
If your identity has been stolen then it’s highly likely that the scammer knows your passwords so change the passwords for the affected accounts straight away!! And if you have used this same password on any other accounts then change these also. If you can’t remember, you can always reset the passwords on key accounts just to be safe.
3. Report It
It may feel like a waste of time reporting your identity theft, but it is an important step, particularly as your report becomes a formal record – evidence you may need down the track. It may also prevent others from becoming victims by helping authorities identify patterns and hopefully, perpetrators. If you think your personal identifying information has been used, report it to the Australian authorities at ReportCyber.
4. Make a Plan
It’s likely you’re feeling pretty overwhelmed at what to do next to limit the damage from your identity theft – and understandably so! Why not make contact with IDCARE? It’s a free service dedicated to assisting victims of identity theft – both individuals and organisations – in Australia and New Zealand.
How Do We Talk To Our Kids About It?
If there is one thing I have learned in my 20+ years of parenting, it is this. If you want to get your kids ‘onboard’ with an idea or a plan, you need to take the time to explain the ‘why’. There is absolutely no point in asking or telling them to do something without such an explanation. It is also imperative that you don’t lecture them. And the final ingredient? Some compelling statistics or research – ideally with a diagram – my boys always respond well to a visual!
So, if you haven’t yet had the identity theft chat with your kids then I recommend not delaying it any further. And here’s how I’d approach it.
Firstly, ensure you are familiar with the issue. If you understand everything I’ve detailed above then you’re in good shape.
Secondly, arm yourself with relevant statistics. Check out the ones I have included above. Why not supplement this with a few relevant news stories that may resonate with them? This is your ‘why’.
Thirdly, focus on prevention. This needs to be the key focus. But don’t badger or lecture them. Perhaps tell them what you will be doing to minimise the risk – see below for your key ‘hot tips’ – you’re welcome!
What You Can Do To Manage Identity Theft?
There are a few key things that you can do today that will both minimise your risk of becoming a victim and the consequences if you happen to be caught up in a large data breach.
1. Manage Your Passwords
Managing passwords for your online accounts is one of the best risk management strategies for identity theft. I know it’s tedious, but I recommend creating a unique and complex 10+ digit password for each of your online accounts. Tricky passwords make it harder for someone to get access to your account. And, if you use the same log-in details for each of your online accounts – and your details are either leaked in a data breach or stolen – then you could be in a world of pain. So, take the time to get your passwords sorted out.
2. Think Before You Post
Sharing private information about your life on social media makes it much easier for a scammer to steal your identity. Pet names, holiday destination and even special dates can provide clues for passwords. So, lock your social media profiles down and ensure your privacy settings are on.
3. Be Proactive – Monitor Your Identity Online
Imagine how good it would be if you could be alerted when your personal identifying information was found on the Dark Web? Well, this is now a reality! McAfee’s latest security offering entitled McAfee+ will not only protect you against threats but provide 24/7 monitoring of your personal details so it can alert you if your information is found on the Dark Web. And if your details are found, then advice and help may also be provided to remedy the situation. How good!!
4. Using Public Computers and Wi-Fi With Caution
Ensuring you always log out of a shared computer is an essential way of keeping prying eyes away from your personal identifying information. And always be super careful with public Wi-Fi. I only use it if I am desperate and I never conduct any financial transactions, ever! Cybercriminals can ‘snoop’ on public Wi-Fi to see what’s being shared, they can stage ‘man-in-the-middle’ attacks where they eavesdrop on your activity, or they can lure you to use their trustworthy-sounding Wi-Fi network – designed purely to extract your private information!
5. Monitor Your Bank Accounts
Why not make a habit of regularly checking your bank accounts? And if you find anything that doesn’t look right contact your bank immediately to clarify. It’s always best to know if there is a problem so you can address it right away.
With so many Aussies affected by data breaches and identity theft, it’s essential that our kids are armed with good information so they can protect themselves as best as possible. Why not use your next family dinner to workshop this issue with them?
Till Next Time
Stay Safe Online
After Elon Musk “broke” his Twitter (now known as X) and Mark Zuckerberg released his Threads, there’s been a lot of talk on the internet about something called the Fediverse. Many see it as humanity’s last hope to escape the current social network mess.
In this post, we take a look at what this Fediverse is, how it works, what it offers users right now, and what it may change in the near future.
What’s wrong with regular social networks?
Let’s start with why the Fediverse is needed in the first place. The main problem with today’s social networks is that they’ve become too closed and self-absorbed (not to mention there are an awful lot of them). Often, you’re not even able to access a significant portion of a social network’s content if you’re not registered on it — and don’t even think about further interactions on the platform.
For example, to like a post on Twitter or leave a comment on a YouTube video, you have to be registered. When it comes to social networks that are part of Mark Zuckerberg’s empire, it’s even worse: without an account, you usually can’t even get acquainted with the content, let alone like it.
The second major problem with social networks is that they don’t really produce anything themselves. Users create all the content on social networks, which the massive and powerful corporations behind the networks then profit from. And, of course, corporations have absolutely no respect for their users’ privacy — collecting an incredible amount of data about them. This has already led to major scandals in the past, and will most likely result in a whole bunch of problems in the future if nothing changes drastically.
The way things are currently organized, there’s another significant risk associated with the complete lack of user control over the platforms that they are, in fact, creating. Let’s just imagine a huge social network, which just happened to play a significant role in global politics, being taken over by a person with rather peculiar views. Its users are left with no choice but to adapt — or look for another platform with a more reasonable owner.
The Fediverse is designed to solve all these problems of conventional social networks: excessive centralization, complete lack of accountability, content isolation, collection of user data, and violation of user privacy.
The theoretical side: what the Fediverse is, and how it works
The Fediverse (a combination of “federation” and “universe”) is an association of independent social networks, which allows users to interact with each other in much the same way as they would within a single platform. That is — read, subscribe/follow, like, share content, comment, and so on.
And each platform participating in the Fediverse is federated itself: it consists of a community of independent servers (referred to as “instances” within the Fediverse).
An essential feature of the Fediverse is therefore decentralization. Each instance within the Fediverse has its owners (who independently create and maintain the server and bear all expenses for its operation), its own user community, rules, moderation system, and often some sort of theme.
The specially designed ActivityPub protocol is used for interaction among all these independent instances. ActivityPub is developed by the organization that specializes in creating common protocols that the internet runs on — the World Wide Web Consortium (W3C).
Mastodon.social is the largest instance of Mastodon, the largest social network in the Fediverse
Anyone can create their own instance within the Fediverse. All you have to do is:
Rent or set up a server at home;
Install the appropriate server software on it (usually open-source, free);
Connect to the internet;
Pay for the domain;
Create a community, and develop its rules, theme, and so on.
It’s important to note that a significant portion of the Fediverse, at least for now, runs on pure enthusiasm, and sometimes on donations from supporters or some occasional banners. There’s currently no sustainable commercial model here, and it seems that there is no intention to implement one yet.
How the Fediverse works for the average user
From an ordinary user’s perspective, they register on one of the servers that belong to a particular social network that’s part of the Fediverse. Then, with this same account, they can interact with users from any other servers within the Fediverse network — as if you could use a Twitter account to comment on a YouTube video or follow someone on Instagram. This removes the boundaries between different social networks, along with the need to create separate accounts in each of them.
However, in reality, it’s not as simple as it sounds: Fediverse instances are often quite closed communities, not particularly welcoming to outsiders, and registration can often be inaccessible. Logging into one social network with an account from another is usually not possible at all. Moreover, there’s no way to search across instances in the Fediverse.
So, basically, yes, you can indeed access the content of (almost) any Fediverse user without leaving the instance where you’re registered. You can probably even comment, like, or repost that user’s content, all while staying within the comfort and familiarity of your own instance. But there’s one catch — you need to know the address of that user. And knowing it isn’t so simple because, as mentioned above, there’s no search function in the Fediverse.
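What “knowing the address” involves in ActivityPub terms is a WebFinger lookup (turning user@instance into the user’s actor URL) followed by a Follow activity delivered to that actor’s inbox, which the followed side answers with an Accept. The block below is an added example, not code from the original post or from any Fediverse project; it runs offline against a constructed WebFinger reply, and the instance names, URLs and activity ids in it are made up.

```python
"""Resolve a Fediverse address and build an ActivityPub Follow/Accept exchange.

Added example for the post above (not the author's code). It shows the two steps
hidden behind "you need to know the address of that user": a WebFinger lookup
that turns 'user@instance' into an ActivityPub actor URL, then the Follow
activity one instance POSTs to that actor's inbox and the Accept sent back.
Everything runs offline against a constructed WebFinger reply; no network is used.
"""
import json
import re
from typing import Dict, Tuple
from urllib.parse import quote, urlparse

ACTIVITY_JSON = "application/activity+json"
ADDRESS_RE = re.compile(r"^@?([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)$")


def parse_address(address: str) -> Tuple[str, str]:
    """'@user@instance' or 'user@instance' -> (user, host); rejects anything else."""
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a Fediverse address: {address!r}")
    return m.group(1), m.group(2)


def webfinger_url(address: str) -> str:
    """The .well-known/webfinger URL a client fetches to discover the actor."""
    user, host = parse_address(address)
    resource = quote(f"acct:{user}@{host}", safe="")
    return f"https://{host}/.well-known/webfinger?resource={resource}"


def actor_url_from_webfinger(address: str, reply: Dict) -> str:
    """Pick the ActivityPub actor link out of a WebFinger reply (a JRD document).

    Two checks a careful client makes: the reply must be about the account that
    was asked for (a server must not answer for a different account), and the
    actor link must be HTTPS, since the actor document carries the public key
    later used to check signed activities.
    """
    user, host = parse_address(address)
    expected = f"acct:{user}@{host}"
    subject = str(reply.get("subject", ""))
    if subject.lower() != expected.lower():
        raise ValueError(f"WebFinger subject {subject!r} does not match {expected!r}")
    for link in reply.get("links", []):
        if link.get("rel") == "self" and link.get("type") == ACTIVITY_JSON:
            href = str(link.get("href", ""))
            if urlparse(href).scheme != "https":
                raise ValueError(f"actor URL {href!r} is not https")
            return href
    raise ValueError("no ActivityPub 'self' link in WebFinger reply")


def build_follow(actor: str, target: str, activity_id: str) -> Dict:
    """The Follow activity POSTed to the target's inbox; actor and object are
    actor URLs (ActivityStreams vocabulary), never display names."""
    return {"@context": "https://www.w3.org/ns/activitystreams",
            "id": activity_id, "type": "Follow", "actor": actor, "object": target}


def build_accept(follow: Dict, activity_id: str) -> Dict:
    """The reply the followed actor sends back: an Accept wrapping the Follow."""
    return {"@context": "https://www.w3.org/ns/activitystreams",
            "id": activity_id, "type": "Accept",
            "actor": follow["object"], "object": follow}


# Constructed WebFinger reply in the shape a Mastodon-style instance returns.
SAMPLE_WEBFINGER = {
    "subject": "acct:alice@social.example",
    "links": [
        {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
         "href": "https://social.example/@alice"},
        {"rel": "self", "type": ACTIVITY_JSON,
         "href": "https://social.example/users/alice"},
    ],
}


def demo() -> Dict:
    """bob@pixels.example (constructed) follows @alice@social.example."""
    address = "@alice@social.example"
    actor = actor_url_from_webfinger(address, SAMPLE_WEBFINGER)
    follow = build_follow("https://pixels.example/users/bob", actor,
                          "https://pixels.example/activities/1")
    accept = build_accept(follow, "https://social.example/activities/77")
    return {"lookup": webfinger_url(address), "actor": actor,
            "follow": follow, "accept": accept}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```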
Pixelfed — A federated alternative to Instagram
Explaining the Fediverse by analogy
Most people use the analogy of email to explain the Fediverse: it doesn’t matter which server you’re registered with, you can still send an email to anyone; for example, to your mom’s Gmail account from your work address at bigcorp.com. But personally, I think email is not the best analogy here — it’s too simple and uniform. In my opinion, it’s much better to describe the Fediverse in terms of the good old telephone system.
The global telephone system integrates a bunch of different technologies, from rotary dial phones connected to analog switching centers, to smartphones on the cutting-edge 5G network, and from virtual IP telephony numbers to satellite-link communication. For the end user, the technological solution underlying any particular network is completely unimportant. And there can be any number of these networks. They all support a single protocol for basic interaction, making them compatible with each other — you can call any number, whether it’s virtual or satellite.
Similarly, in the Fediverse, whether a platform is primarily text-based, video streaming, or graphic, it can participate in the project and its users can “call” other platforms.
This is how one of the instances of the microblogging platform Pleroma looks. Source
However, the compatibility of telephone networks is far from complete. Each network may have its own special services and features — try sending an emoji to your great-grandmother’s landline phone. And on top of universal addressing (the international phone number format) there are often some local quirks: all those 0s or 00s instead of a normal country code, the possibility of not entering any codes at all when calling within a specific network (such as a city or office network), different formats for recording numbers (various dashes, brackets, and spaces, which can easily confuse people unfamiliar with local rules), and so on.
Again, the same goes for the Fediverse: while its platforms are generally connected and compatible at the top level, the user experience and functionality vary greatly from one platform to another. To figure out how to make a “long-distance call” (that is, perform a certain action on a given service), you often have to delve into the local specifics. It might actually be impossible to “call” certain instances because, while they formally support all the necessary technologies, they’ve decided to isolate themselves from the outside world for some reason.
In general, compared to email, the Fediverse is a much more diverse and less standardized collection of relatively unique instances. But despite this uniqueness, these instances do allow their users to interact with each other to some extent since they all support a common protocol.
Lemmy — one of the Reddit analogs in the Fediverse
The practical side: which services are compatible with the Fediverse now, and which ones will be in the future
Now let’s turn to the practical side of the issue — what social networks are already operating within the Fediverse. Here’s a list of the most significant ones:
Mastodon — The largest and most popular social platform within the Fediverse, accounting for about half of its active users. It’s a microblogging social network — a direct Twitter analogue.
Misskey and Pleroma — Two other microblogging platforms that attract users with their atmosphere and cozy interface. Misskey was created in Japan, which has ensured its high popularity among fans of anime and related topics.
Misskey — microblogging with a Japanese twist
PixelFed — A social networking platform for posting images. It’s a Fediverse version of Instagram but with a focus on landscape photography rather than glamorous golden poolside selfies.
PeerTube — A video streaming service. I’d like to say it’s the local equivalent of YouTube. However, since creating video content is so expensive, this analogy doesn’t completely hold up in reality.
Funkwhale — An audio streaming service. This can be considered a local version of Soundcloud or Spotify — with the same caveat as PeerTube.
Lemmy and Kbin — Social platforms for aggregating links and discussing them on forums. Sounds complicated, but they’re basically federated versions of Reddit.
Of course, these aren’t all the platforms within the Fediverse. You can find a more comprehensive list here.
A glimpse into the global future of the Fediverse
Another service worth mentioning that currently supports the ActivityPub protocol is the content management system WordPress. Some time ago an independent developer created a plugin for WordPress to ensure compatibility with this protocol.
Recently, Automattic, the company that owns both WordPress and Tumblr, acquired the plugin and hired its developer. Meanwhile, at the end of last year, Tumblr also announced future support for ActivityPub. Apparently, Automattic really believes in the potential of the Fediverse. Mozilla, Medium, and Flipboard are also now showing serious interest in the Fediverse.
But the most important — and quite unexpected — development for the federation of decentralized social networks was the promise made by Mark Zuckerberg’s company to add ActivityPub support to the recently launched social network Threads. It’s not yet been specified when exactly this will happen or in what form; however, if or when it does, several hundred million people from Threads/Instagram may suddenly join the existing few million Fediverse users.
What will this sudden popularity lead to? This isn’t such a simple question. Many long-time Fediverse users are visibly concerned about a possible invasion of “tourists”, and how these newcomers — accustomed to the noise of “big” social networks — will impact the communities that have been so carefully cultivated within the project.
How will the Fediverse cope with these sudden changes? Only time will tell. But one thing’s for sure: the further development and evolution of the Fediverse will be very interesting to watch…
The tables have turned. Now you can use AI to spot and block scam texts before they do you harm.
You might have heard how scammers have tapped into the power of AI. It provides them with powerful tools to create convincing-looking scams on a massive scale, which can flood your phone with annoying and malicious texts.
The good news is that we use AI too. And we have for some time to keep you safe. Now, we’ve put AI to use in another powerful way—to put an end to scam texts on your phone.
Our new McAfee Scam Protection automatically identifies and alerts you if it detects a dangerous URL in your texts. No more wondering if a package delivery message or bank notification is real or not. Our patented AI technology instantaneously detects malicious links to stop you before you click by sending an alert. And as a second line of defense, it can block risky sites if you accidentally follow a scam link in a text, email, social media, and more.
Stop scam texts and their malicious links.
The time couldn’t be more right for this kind of protection. Last year, Americans lost $330 million to text scams alone, more than double the previous year, with an average reported loss of $1,000, according to the Federal Trade Commission. The deluge of these new sophisticated AI-generated scams is making it harder than ever to tell what’s real from what’s fake.
Which is where our use of AI comes in. With it, you can turn the table on scammers and their AI tools.
Here’s a closer look at how McAfee Scam Protection works:
Proactive and automatic protection: Get notifications about a scam text before you even open the message. After you grant permission to scan the URLs in your texts, McAfee Scam Protection takes charge and will let you know which texts aren’t safe and shouldn’t be opened.
Patented and powerful AI: McAfee’s AI runs in real-time and is constantly analyzing and processing millions of malicious links from around the world to provide better detection. This means McAfee Scam Protection can protect you from advanced threats including new zero-day threats that haven’t been seen before. McAfee’s AI continually gets smarter to stay ahead of cybercriminals to protect you even better.
Simple and easy to use: When you’re set up, McAfee Scam Protection goes to work immediately. No copying or pasting or checking whether a text or email is a scam. We do the work for you and the feature will alert you if it detects a dangerous link and blocks risky sites in real time if you accidentally click.
How do I get McAfee Scam Protection?
McAfee Scam Protection is free for most existing customers, and free to try for new customers.
Most McAfee customers now have McAfee Scam Protection available. Simply update your app. There’s no need to purchase or download anything separately. Set up McAfee Scam Protection in your mobile app, then enable Safe Browsing for extra protection or download our web protection extension for your PC or Mac from the McAfee Protection Center. Some exclusions apply¹.
For new customers, McAfee Scam Protection is available as part of a free seven-day trial of McAfee Mobile Security. After the trial period, McAfee Mobile Security is $2.99 a month or $29.99 annually for a one-year subscription.
As part of our new Scam Protection, you can benefit from McAfee’s risky link identification on any platform you use. It can block dangerous links should you accidentally click on one, whether that’s through texts, emails, social media, or a browser. It’s powered by AI as well, and you’ll get it by setting up Safe Browsing on your iOS² or Android device—and by using the WebAdvisor extension on PCs, Macs and iOS.
Scan the QR code to download McAfee Scam Protection from the Google App store
Yes, the tables have turned on scammers.
AI works in your favor. Just as it has for some time now if you’ve used McAfee for your online protection. McAfee Scam Protection takes it to a new level. As scammers use AI to create increasingly sophisticated attacks, McAfee Scam Protection can help you tell what’s real and what’s fake.
Customers currently with McAfee+, McAfee Total Protection, McAfee LiveSafe, and McAfee Mobile Security plans have McAfee Scam Protection included in their subscription.
Scam text filtering is coming to iOS devices in October.
Our young people are always learning. It’s a great time to expand their cyber education to help keep them safe in the classroom.
The school bell rings, kids of all ages take their seats, and there’s an atmosphere of anticipation. Students open their textbooks and laptops, ready to explore language, history, science, and math, and further expand their horizons. Yet, unbeknownst to many, there are people lurking behind the screens in the academic world, actors whose intentions are not at all noble.
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.
Agent Tesla generally infects victims through deceptive emails disguised as business inquiries or shipment updates. Opening the attachment triggers the malware installation, which is concealed through obfuscation. The malware then communicates with a command-and-control server to exfiltrate the compromised data.
The following heat map shows the current prevalence of Agent Tesla in the field:
Figure 1: Agent Tesla heat map
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.
The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe, as shown in Figure 2. RegAsm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.
Figure 2: Infection Chain
VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.
Figure 3: Process Tree
First PowerShell command
The first PowerShell command is encoded as illustrated here:
Figure 4: Encoded First PowerShell
Obfuscating PowerShell commands is a defense mechanism malware authors employ to make their intentions harder to detect. It involves deliberately disguising the code with tricks such as encoding, character substitution, or convoluted syntax, so that the command is only decoded at runtime and its true nature is hidden from static analysis tools that examine code without executing it. Decoding this sample, by substituting every occurrence of ‘#@$#’ with ‘A’ and then applying base64 decoding, yields the following PowerShell content:
Figure 5: Decoded content
Second PowerShell Command
The decoded content serves as the parameter passed to the second instance of PowerShell.
Figure 6: Second PowerShell command
Deconstructing this command line for clearer comprehension:
Figure 7: Disassembled command
As observed, the PowerShell command instructs the download of an image from the URL stored in the variable “imageURL.” The downloaded image is 3.50 MB in size and is displayed below:
Figure 8: Downloaded image
This image serves as the canvas for steganography: the attackers have concealed data inside it, which is extracted and used as the PowerShell commands execute sequentially. The commands explicitly reference two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data between them is stored in the variable ‘base64Length’, and the enclosed data itself in ‘base64Command’. The following images show these markers and the content between them.
Figure 9: Steganography
After obtaining this data, the malware decodes it. On examination, the decoded data turns out to be a .NET DLL file. In the next step, a command loads this DLL as an assembly.
Figure 10: DLL obtained from steganography
Process Injection into RegAsm.exe
This DLL serves two purposes:
Downloading and decoding the final payload
Injecting it into RegAsm.exe
Figure 11: DLL loaded
In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:
The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:
Figure 12: Request for payload
This DLL is therefore designed to fetch the referenced text file from the C2 server at that URL and store its contents in the variable named “text.” The file is 316 KB in size, and its contents are not readable as-is.
Figure 13: Downloaded text file
In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.
Figure 14: Final payload
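The decoding stages described above (the ‘#@$#’ to ‘A’ substitution of Figures 4 and 5, the marker-delimited blob inside the image of Figures 9 and 10, and the reversed URL argument and reversed base64 text of Figures 12 to 14) as one runnable Python example. This is an added example, not McAfee's code; every input is constructed (a minimal fake PE header, placeholder URLs under example.invalid), and the UTF-16 detection in the first stage is an assumption the article does not make.

```python
"""Stage-by-stage decoder for the kind of chain described above (added example).

Constructed sample data only: the real scripts, image and payload from the
article are not reproduced. Each helper implements one transformation the
article attributes to the chain, so an analyst can re-run them on captured
artefacts (PowerShell command line, downloaded image, downloaded text file).
"""
import base64

SUBSTITUTION_TOKEN = "#@$#"          # stands in for the letter 'A' (Figures 4/5)
MARKER_START = b"<<BASE64_START>>"   # markers from the second PowerShell stage
MARKER_END = b"<<BASE64_END>>"


def decode_stage1(obfuscated: str, token: str = SUBSTITUTION_TOKEN) -> str:
    """Restore the substituted character, then base64-decode the command."""
    raw = base64.b64decode(obfuscated.replace(token, "A"), validate=True)
    # PowerShell -EncodedCommand payloads are UTF-16LE; plain scripts are UTF-8.
    # The article does not say which was used, so detect by the interleaved NUL.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def extract_between_markers(blob: bytes) -> bytes:
    """Pull the base64 text hidden between the two markers and decode it."""
    start = blob.index(MARKER_START) + len(MARKER_START)
    end = blob.index(MARKER_END, start)
    base64_length = end - start  # mirrors the 'base64Length' variable
    return base64.b64decode(blob[start:start + base64_length])


def decode_reversed_base64(text: str) -> bytes:
    """Final stage: the downloaded text is reversed, then base64-decoded."""
    return base64.b64decode(text[::-1], validate=True)


def reverse_parameter(param: str) -> str:
    """The DLL's URL argument is stored reversed (Figure 11, marker 1)."""
    return param[::-1]


def looks_like_pe(data: bytes) -> bool:
    """Cheap check that decoded bytes are a PE image (MZ header + PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# ---- constructed samples (not the article's artefacts) ----------------------
FAKE_PE = (b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew
           + (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
           + b"PE\x00\x00" + b"\x00" * 16)   # PE signature + padding
STAGE1_PLAINTEXT = "$imageURL = 'https://example.invalid/cover.jpg'"
SAMPLE_STAGE1 = (base64.b64encode(STAGE1_PLAINTEXT.encode()).decode()
                 .replace("A", SUBSTITUTION_TOKEN))
SAMPLE_IMAGE = (b"\xff\xd8\xff\xe0" + b"\x00" * 32            # JPEG-like prefix
                + MARKER_START + base64.b64encode(FAKE_PE) + MARKER_END
                + b"\xff\xd9")
SAMPLE_REVERSED_URL = "https://example.invalid/payload.txt"[::-1]
SAMPLE_TEXT_FILE = base64.b64encode(FAKE_PE).decode()[::-1]


def decode_chain() -> dict:
    """Run every stage on the constructed samples and summarise the results."""
    stage1 = decode_stage1(SAMPLE_STAGE1)
    dll = extract_between_markers(SAMPLE_IMAGE)
    url = reverse_parameter(SAMPLE_REVERSED_URL)
    payload = decode_reversed_base64(SAMPLE_TEXT_FILE)
    return {
        "stage1": stage1,
        "dll_is_pe": looks_like_pe(dll),
        "payload_url": url,
        "payload_is_pe": looks_like_pe(payload),
    }


if __name__ == "__main__":
    for key, value in decode_chain().items():
        print(f"{key}: {value}")
```

Each helper is independent, so a captured artefact from a real incident can be fed to the matching stage on its own; `looks_like_pe` is deliberately shallow and only confirms that a decoded blob is worth handing to a proper PE parser.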
In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:
Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.
Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:
Figure 15: Process Injection
By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,
"kern!".Replace("!", "el32") → kernel32
Class1.hU0H4qUiSpCA13feW0("qllocEx", "q", "VirtualA") → VirtualAllocEx
As a result, these functions translate into the subsequent API calls:
CreateProcessA: This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.
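The API sequence listed above is the classic process-hollowing pattern, and the point for a defender is that the sequence, not any single call, is the signal. The following added Python example (not McAfee's code) implements two things the section describes: the string-substitution semantics attributed to ‘hU0H4qUiSpCA13feW0’, and a detector that scans an API-call trace for a process created suspended that then receives unmap, write, set-context and resume calls. The trace is constructed in the shape a sandbox or EDR might record; pids are invented and only the RegAsm.exe basename is used because the article's full path is not reproduced.

```python
"""Detection of the process-hollowing API sequence listed above (added example).

Input is a constructed API-call trace such as a sandbox or EDR might record:
one dict per call with the calling pid, the target pid (for cross-process calls)
and the arguments that matter. Nothing here performs injection.
"""
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit used by hollowing

# Minimal ordered subsequence that characterises hollowing: unmap the original
# image, write a new one, redirect the main thread, resume it.
REQUIRED_ORDER = ["UnmapViewOfSection", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread"]

_API_NAME = re.compile(r"^(?:Zw|Nt|Wow64)?(.*?)(?:A|W)?$")


def replace_token(source: str, old: str, new: str) -> str:
    """Same semantics the article attributes to hU0H4qUiSpCA13feW0."""
    return source.replace(old, new)


def normalize_api(name: str) -> str:
    """Fold Zw/Nt/Wow64 prefixes and A/W suffixes so variants compare equal.

    Assumption: no API name in the trace legitimately ends in a bare 'A'/'W'
    that is not an ANSI/Unicode suffix (true for the calls listed above).
    """
    return _API_NAME.match(name).group(1)


def _in_order(seq, required):
    """True when every element of `required` appears in `seq`, in that order."""
    idx = 0
    for api in seq:
        if idx < len(required) and api == required[idx]:
            idx += 1
    return idx == len(required)


def detect_hollowing(trace):
    """Return one finding per child process that received the full sequence."""
    steps = {}      # child pid -> normalized cross-process calls, in order
    created = {}    # child pid -> CreateProcess event that spawned it suspended
    for ev in trace:
        api = normalize_api(ev["api"])
        flags = ev.get("args", {}).get("dwCreationFlags", 0)
        if api == "CreateProcess" and flags & CREATE_SUSPENDED:
            created[ev["ret"]] = ev
            steps[ev["ret"]] = []
        elif ev.get("target_pid") in steps:
            steps[ev["target_pid"]].append(api)
    findings = []
    for pid, seq in steps.items():
        if _in_order(seq, REQUIRED_ORDER):
            findings.append({
                "injector_pid": created[pid]["pid"],
                "hollowed_pid": pid,
                "image": created[pid]["args"]["image"],
                "sequence": seq,
            })
    return findings


# Constructed trace mirroring Figure 15; pids and the RegAsm.exe basename are
# placeholders (the article's full path is not reproduced here).
SAMPLE_TRACE = [
    {"api": "CreateProcessA", "pid": 4321, "ret": 5555,
     "args": {"image": "RegAsm.exe", "dwCreationFlags": CREATE_SUSPENDED}},
    {"api": "Wow64GetThreadContext", "pid": 4321, "target_pid": 5555},
    {"api": "ZwUnmapViewOfSection", "pid": 4321, "target_pid": 5555},
    {"api": "VirtualAllocEx", "pid": 4321, "target_pid": 5555},
    {"api": "WriteProcessMemory", "pid": 4321, "target_pid": 5555},
    {"api": "Wow64SetThreadContext", "pid": 4321, "target_pid": 5555},
    {"api": "ResumeThread", "pid": 4321, "target_pid": 5555},
]

# Constructed benign trace: a normal spawn without CREATE_SUSPENDED.
BENIGN_TRACE = [
    {"api": "CreateProcessW", "pid": 100, "ret": 101,
     "args": {"image": "notepad.exe", "dwCreationFlags": 0}},
    {"api": "ReadProcessMemory", "pid": 100, "target_pid": 101},
]

if __name__ == "__main__":
    print(replace_token("qllocEx", "q", "VirtualA"))  # VirtualAllocEx
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

Keying the steps on the suspended child pid is what keeps the rule quiet on normal activity: debuggers and installers call several of these APIs individually, but only hollowing combines a suspended spawn with an unmap followed by a write and a context change on that same child.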
Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.
The final executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, strategically intended to mislead researchers and complicate analysis. Many of the functions use switch cases or equivalent constructs to evade detection. The following code snippet illustrates this.
Figure 16: Obfuscation
Collection of data:
Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:
Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.
Figure 17: Opera browser
Figure 18: Yandex browser
Figure 19: Iridium browser
Figure 20: Chromium browser
Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:
Figure 21: User data retrieval from all browsers -1
Figure 22: User data retrieval from all browsers – 2
Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:
Figure 23: Mail clients
Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.
The observed sample uses SMTP as its method of exfiltration. This protocol is frequently favored because it imposes minimal overhead on the attacker: it is efficient, widely allowed through network perimeters, rides on existing infrastructure, produces few anomalies, and looks less suspicious than other protocols. A single compromised email account is enough to exfiltrate data, so no complex setup is needed.
Figure 24: Function calls made for exfiltration.
This is the procedure by which functions are invoked to facilitate data extraction via SMTP:
A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.
Figure 25: Port number
Next, the malware retrieves the domain of the email address it intends to use, i.e., corpsa.net.
Figure 26: Domain retrieval
Subsequently, the email address through which communication is intended to occur is revealed.
Figure 27: Email address used
Lastly, the password for that email address is provided, so that the attacker can log in and start sending out the data.
Figure 28: Password
The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.
Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.
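Because the exfiltration rides on ordinary SMTP submission (port 587 here), the most reliable host-side signal is not the protocol but the process using it: a .NET registration utility has no reason to open a mail connection. The following added Python example (not McAfee's code) applies that rule to records constructed in the shape of Sysmon Event ID 3 network-connection data flattened to CSV. Field names are Sysmon's; the values are invented apart from the port and the corpsa.net domain the article reports, and the RegAsm.exe path used is the standard .NET Framework 4 location rather than anything taken from the article.

```python
"""Flag outbound SMTP from processes that should not send mail (added example).

Input records are constructed in the shape of Sysmon Event ID 3 (network
connection) data flattened to CSV. Values are invented except for the port
and mail domain the article reports.
"""
import csv
import io
import ntpath

SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP from a workstation (assumption; tune locally).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Trusted binaries the article shows being hollowed to host the stealer.
INJECTION_HOSTS = {"regasm.exe"}

SAMPLE_EVENTS = """\
UtcTime,Image,DestinationIp,DestinationPort,DestinationHostname,Initiated
2023-09-01 10:00:01.000,C:\\Program Files\\Outlook\\outlook.exe,203.0.113.10,587,smtp.corp.example,true
2023-09-01 10:00:05.000,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe,198.51.100.7,587,corpsa.net,true
2023-09-01 10:00:07.000,C:\\Windows\\System32\\svchost.exe,198.51.100.9,443,cdn.example,true
2023-09-01 10:00:09.000,C:\\Windows\\System32\\svchost.exe,198.51.100.9,25,smtp.corp.example,false
"""


def parse_events(text: str):
    """CSV rows as dicts; DestinationPort becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["DestinationPort"] = int(row["DestinationPort"])
    return rows


def suspicious_smtp(events):
    """Outbound (Initiated=true) SMTP connections from non-mail-client images."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        if ev["DestinationPort"] not in SMTP_PORTS:
            continue
        if ev["Initiated"].lower() != "true":   # inbound listener, not exfil
            continue
        if image in MAIL_CLIENTS:
            continue
        findings.append({
            "time": ev["UtcTime"],
            "image": image,
            "destination": f"{ev['DestinationHostname']}:{ev['DestinationPort']}",
            "ip": ev["DestinationIp"],
            "severity": "high" if image in INJECTION_HOSTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_smtp(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The allowlist of mail clients will need local tuning (backup agents and monitoring tools often send mail), but a hit on one of the hollowing hosts named in this analysis is worth treating as high severity regardless of destination.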
The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP, which provides stealth by leveraging an ordinary email account. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.
On 23 August 2023, NIST disclosed a critical RCE vulnerability, CVE-2023-38831, affecting WinRAR before version 6.23. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) alongside a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.
Our intelligence shows that this vulnerability has been exploited since as early as April 2023. Let’s look at a sample exploiting this vulnerability (Hash: bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa).
The image below shows that the archive is named trading_system, which hints that it is used to target traders.
We can also see that the threat actor can craft the archive so that folder and file names are the same.
This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.
This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.
Also, note there is a trailing space at the end of the file and folder name (in yellow).
When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.
The bat file also has the same name as the benign file outside the folder.
When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the weakicons.com file, which is present inside the folder and executes it using wmic and then exits.
Checking weakicons.com we find that it is a CAB SFX file.
We extract it to check what is inside.
We found a PE file, some ActiveX control objects, and two text files.
AMD.exe is a Visual Basic compiled file whose main job is to extract the DLL hidden in a blob of data inside pc.txt and execute the ActiveX controls.
Inside add.txt, we find the registry keys it will try to manipulate
The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
Wmic process executes weakicons.com
AMD.exe extracts the encrypted DLL file inside pc.txt and writes it to the Roaming\nvidia folder.
Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
Timeout is also called to slow down the activities of the infection chain.
AMD.exe calls rundll32 on the CLSID that is registered in the registry.
We can see a successful TCP connection to the threat actor’s C2 (IP 37[.]120[.]158[.]229).
Global heat map showing where this vulnerability is being seen in the wild (based on McAfee telemetry data)
How does the vulnerability work?
Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.
We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip, so we fire up ProcMon first.
The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.
Verifying the same in the temp folder
In the logs, when we dig deeper, we can see WinRAR searches for our filename with an *, which causes it to iterate over our bat file as it has the same name, which in turn gets executed.
To see what’s happening under the hood, we attach a debugger and launch WinRAR by manipulating the “Image File Execution Options” registry key.
When we execute the rar file, we see the debugger getting attached to the winrar process so that we can do just-in-time debugging.
We put a breakpoint on the ShellExecuteExW function to see what parameters are passed to it just after clicking the jpeg file.
When we double-click on the image file, we can see the debugger is opened, and after a few clicks, we hit our breakpoint.
With the regular zip, the correct parameter is passed to the ShellExecuteExW function, as the file exists at this exact path.
With the weaponized zip, an incorrect parameter is passed to the ShellExecuteExW function: the parameter contains a trailing space, and no such file exists on disk.
Digging deeper, we find that it later calls the PathUnquoteSpacesA API, which, per MSDN, “Removes quotes from the beginning and end of a path.”
As the quotes are removed from the end of the path, ShellExecuteExW executes “simple_image.jpg .cmd” instead of “simple_image.jpg.”
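The traits this analysis relies on (a name ending in a space, a file and a folder sharing that name, and a script inside the folder whose name begins with the decoy's) are all visible in the ZIP central directory, so an archive can be triaged without extracting it. The following added Python example (not McAfee's code) does exactly that over entry names. The extension list is an assumption to tune locally; the sample names are constructed from the description above and are never written out as an archive, so nothing here builds a weaponized file.

```python
"""Scanner for the archive layout described above (added example).

It inspects ZIP entry names only (no extraction) and reports the three traits
the analysis calls out: a name with a trailing space, a file and a folder that
share the same name, and a script inside that folder whose name starts with the
decoy's name. Sample names are constructed from the article's description.
"""
import posixpath
import zipfile

# Extensions Windows will run when ShellExecute is handed the name.
# Assumption: extend for your estate (.com is included because the sample's
# weakicons.com is a CAB SFX).
EXECUTABLE_EXTENSIONS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr"}


def _implied_dirs(names):
    """Directories present in the archive, explicit ('dir/') or implied by nesting."""
    dirs = set()
    for name in names:
        parts = name.rstrip("/").split("/")
        for depth in range(1, len(parts)):
            dirs.add("/".join(parts[:depth]))
        if name.endswith("/"):
            dirs.add(name.rstrip("/"))
    return dirs


def scan_names(names):
    """Return (trait, entry) findings for a list of ZIP entry names."""
    findings = []
    files = [n for n in names if not n.endswith("/")]
    dirs = _implied_dirs(names)
    for path in files:
        leaf = path.rsplit("/", 1)[-1]
        if leaf != leaf.rstrip(" "):
            findings.append(("trailing-space-name", path))
        if path in dirs:
            findings.append(("file-and-folder-same-name", path))
            for child in files:
                if not child.startswith(path + "/"):
                    continue
                child_leaf = child[len(path) + 1:]
                ext = posixpath.splitext(child_leaf)[1].lower()
                if child_leaf.startswith(leaf) and ext in EXECUTABLE_EXTENSIONS:
                    findings.append(("script-shadows-decoy", child))
    return findings


def scan_zip(path):
    """Scan an archive on disk by its central-directory names, without extracting."""
    with zipfile.ZipFile(path) as archive:
        return scan_names(archive.namelist())


# Constructed entry names mirroring the described layout (note the trailing
# spaces): a decoy image, a folder of the same name, and a .cmd inside it.
SUSPICIOUS_NAMES = [
    "simple_image.jpg ",
    "simple_image.jpg /simple_image.jpg .cmd",
    "simple_image.jpg /weakicons.com",
]
BENIGN_NAMES = ["photo.jpg", "docs/", "docs/readme.txt"]

if __name__ == "__main__":
    for trait, entry in scan_names(SUSPICIOUS_NAMES):
        print(f"{trait}: {entry!r}")
```

A mail gateway or sandbox can run `scan_zip` on attachments before any user opens them; the same-name check alone is enough to quarantine, since no normal archiver produces that layout, and the other two traits add confidence.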
In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.
Phishing email with invitation
Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.
Email to employees inviting them to undergo a self-evaluation
Convincing it may be, but all the same the email does contain a few identifiable red flags regarding phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.
What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.
Fake self-evaluation form
Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.
Last three questions of the fake questionnaire
This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.
Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.
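The three tells described in this post (a sender domain that is not the company's, urgency in odd capitalization, and a credential keyword masked with asterisks to slip past filters) can be turned into a simple scoring rule. The following added Python example is not Kaspersky's code; the message body, the company domain and the sender address are constructed placeholders, and the masked-keyword matcher deliberately tolerates partial masking so that spellings such as "pa**word" still match.

```python
"""Red-flag scoring for the self-evaluation lure described above (added example).

The message, company domain and sender domain are constructed; the mask
symbols and urgency terms are assumptions to tune locally.
"""
import re
from email.utils import parseaddr

URGENCY_TERMS = ("compulsory", "mandatory", "end of day", "immediately")
MASK_CHARS = r"\*#@_"                # symbols commonly swapped in for letters
_MASK_SET = set(MASK_CHARS.replace("\\", ""))


def masked_word_regex(word: str) -> re.Pattern:
    """Regex matching `word` with any letter optionally replaced by a mask symbol."""
    body = "".join(f"(?:{re.escape(c)}|[{MASK_CHARS}])" for c in word)
    return re.compile(rf"(?<![A-Za-z]){body}(?![A-Za-z])", re.IGNORECASE)


def find_masked_keyword(text: str, word: str = "password"):
    """Occurrences of `word` where at most half of its letters are masked."""
    hits = []
    for match in masked_word_regex(word).finditer(text):
        masked = sum(1 for ch in match.group(0) if ch in _MASK_SET)
        if masked <= len(word) // 2:
            hits.append(match.group(0))
    return hits


def sender_domain_mismatch(from_header: str, company_domain: str) -> bool:
    """True unless the sender's domain is the company domain or a subdomain of it."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    company = company_domain.lower()
    return domain != company and not domain.endswith("." + company)


def shouted_urgency(text: str):
    """Urgency terms present in the text, flagging those written in capitals."""
    found = []
    for term in URGENCY_TERMS:
        for match in re.finditer(re.escape(term), text, re.IGNORECASE):
            found.append((match.group(0), match.group(0).isupper()))
    return found


def score_email(from_header: str, body: str, company_domain: str):
    """Count the red flags and explain each one."""
    reasons = []
    if sender_domain_mismatch(from_header, company_domain):
        reasons.append("sender domain does not match the company domain")
    urgency = shouted_urgency(body)
    if urgency:
        caps = sum(1 for _, upper in urgency if upper)
        reasons.append(f"urgency pressure ({len(urgency)} terms, {caps} in capitals)")
    masked = find_masked_keyword(body)
    if masked:
        reasons.append(f"credential keyword requested: {masked}")
    return len(reasons), reasons


# Constructed sample; the sender domain is a placeholder, not the real one.
COMPANY_DOMAIN = "corp.example"
SAMPLE_FROM = "HR Department <hr@family-eldercare.example>"
SAMPLE_BODY = ("The self-evaluation is COMPULSORY for EVERYONE and must be completed "
               "by End Of Day. Enter your email address and pa**word to authenticate.")

if __name__ == "__main__":
    score, why = score_email(SAMPLE_FROM, SAMPLE_BODY, COMPANY_DOMAIN)
    print(score, why)
```

The half-masked threshold is what separates a disguised "pa**word" from a run of asterisks that happens to end in "ord"; lower it if the filter produces false positives on redacted text.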
How to stay safe
To stop company employees from falling for phishing, keep them informed of the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular training and checks, for example with our Kaspersky Automated Security Awareness Platform.
Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.
How to make sure your loved ones can access your accounts if you pass away.
It’s not fun to think about: But if you should unexpectedly die, could your spouse, partner, children or other loved ones access your bank accounts, online credit card portals, retirement accounts, and social media accounts?
“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.
The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.
What to do
Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
Leverage an MSSP, MDR service or commercial SOC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.
Emails with warnings
Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.
What to do
Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.
These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.
Emails flagged by employees
Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.
What to do
1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.
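The two automation ideas in this post, scripting the triage of vendor and regulator notices into a dashboard or folder, and automatically weeding known-safe mail out of the employee-reported mailbox, share one shape: parse the message, apply a few rules, route it. The following added Python example (not Kaspersky's code) shows both with the standard library. The messages, the allowlisted domains and the gateway's authserv-id are constructed assumptions, and the reported message is assumed to arrive with its original headers intact (as it does when a "report" button submits the message itself rather than a forwarded copy).

```python
"""Rule-based triage for the two mailboxes discussed above (added example).

Vendor and regulator notices are scored by severity and routed to folders;
employee-reported messages are auto-closed only when the sender domain is on
an allowlist and our own gateway recorded a DKIM pass. All messages, domains
and the gateway name are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

GATEWAY_AUTHSERV_ID = "mx.corp.example"                         # assumed MX name
KNOWN_SAFE_DOMAINS = {"newsletter.example", "vendor.example"}   # assumed allowlist
SEVERITY_TERMS = {"actively exploited": 3, "critical": 3, "high": 2, "advisory": 1}
FOLDER_FOR_SCORE = {3: "Alerts/Urgent", 2: "Alerts/ThisWeek", 1: "Alerts/Reading"}


def parse_message(raw: str):
    """Parse RFC 5322 text with the modern header policy."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def dkim_passed(msg) -> bool:
    """Only trust Authentication-Results stamped by our own gateway."""
    for value in msg.get_all("Authentication-Results", []):
        value = str(value).strip()
        if value.startswith(GATEWAY_AUTHSERV_ID + ";") and "dkim=pass" in value:
            return True
    return False


def triage_notice(msg) -> dict:
    """Score a vendor/regulator notice by its subject and pick a folder."""
    subject = str(msg["Subject"])
    score = max((v for k, v in SEVERITY_TERMS.items() if k in subject.lower()),
                default=0)
    return {"subject": subject, "score": score,
            "folder": FOLDER_FOR_SCORE.get(score, "Alerts/FYI")}


def triage_reported(msg) -> dict:
    """Auto-close reports of known-safe mail; everything else goes to an analyst."""
    domain = sender_domain(msg)
    subject = str(msg["Subject"])
    if domain in KNOWN_SAFE_DOMAINS and dkim_passed(msg):
        return {"subject": subject, "decision": "auto-close",
                "reason": f"allowlisted {domain} with DKIM pass at gateway"}
    return {"subject": subject, "decision": "analyst-review",
            "reason": f"{domain or 'unknown sender'} not verified as known-safe"}


# Constructed messages.
NOTICE = """\
From: Security Advisories <psirt@vendor.example>
Subject: [Advisory] Critical vulnerability in Widget Server, actively exploited

Patch at the earliest opportunity.
"""
REPORTED_SAFE = """\
From: News <news@newsletter.example>
Authentication-Results: mx.corp.example; dkim=pass header.d=newsletter.example
Subject: Weekly digest

Hello.
"""
REPORTED_LOOKALIKE = """\
From: News <news@newsletter-example.test>
Authentication-Results: mx.corp.example; dkim=none
Subject: Weekly digest - action required

Hello.
"""

if __name__ == "__main__":
    print(triage_notice(parse_message(NOTICE)))
    print(triage_reported(parse_message(REPORTED_SAFE)))
    print(triage_reported(parse_message(REPORTED_LOOKALIKE)))
```

Requiring the DKIM result from your own gateway matters: an Authentication-Results header written by anyone else is just text an attacker can add, so the allowlist must never be trusted on the From domain alone.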
Prohibitions, risk assessments, and risk negotiations
As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.
Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.
What to do
1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.
Checklists, reports, and guidance documents
Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.
What to do
Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.
Selecting security technologies
New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.
What to do
1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.
Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.
What to do
Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.