In large companies, as a rule the average employee isn’t often asked for an opinion on their career aspirations, areas of interest, or accomplishments outside their job description. It tends to happen once a year — for the performance review. However, many would like to share their thoughts with management much more often. So, when an invitation to take a self-evaluation lands in the inbox, they jump at the chance without hesitation. And this is what cybercriminals exploit in the latest spear-phishing campaign.
Phishing email with invitation
Seemingly from HR, an email arrives containing an elaborate description of the employee self-evaluation procedure, which “promotes candid dialogue between staff members and their managers/supervisors”. It goes on to say that “you can learn a lot about your strengths and shortcomings … to reflect on your successes, areas for development, and career objectives”. All in all, quite a convincing piece of corporate spiel.
Email to employees inviting them to undergo a self-evaluation
Convincing it may be, but all the same the email does contain a few identifiable red flags regarding phishing. For starters, take a look at the domain name in the sender’s address. That’s right, it doesn’t match the name of the company. Of course, it’s possible that your HR department might be using a contractor unknown to you — but why would “Family Eldercare” be providing such services? Even if you don’t know that this is a non-profit organization that helps families care for elderly relatives, the name should ring an alarm bell.
What’s more, the email says that the survey is “COMPULSORY for EVERYONE”, and must be completed “by End Of Day”. Even if we leave aside the crude and faulty capitalization, the focus on urgency is always a reason to stop and think — and check with the real HR department whether they sent it.
Fake self-evaluation form
Those who miss the flags and click through to the form are faced with a set of questions that may actually have something to do with assessing their performance. But the crux of the phishing operation lies in the last three of those questions — which ask the victim to provide their email address, and enter their password for authentication and then re-enter it for confirmation.
Last three questions of the fake questionnaire
This is actually a smart move on the phishers’ part. Typically, phishing of this type leads straight from the email to a form for entering corporate credentials on a third-party site, which puts many on their guard straight away. Here, however, the request for a password and email address (which commonly doubles up as a username) is disguised as part of the form — and at the very end. By this stage the victim’s vigilance is well and truly lulled.
Also note how the word “password” is written: two letters are replaced with asterisks. This is to bypass automatic filters set to search for “password” as a keyword.
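A small checker for the red flags this post walks through (sender domain not matching the company, urgency wording, words in capitals, and a "password" keyword with letters swapped for asterisks), as an added example not from the original post. The company domain, sender address and both emails are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's own mail domain (constructed for this example).
COMPANY_DOMAIN = "company.example"

# "password" and variants where letters were replaced by asterisks, e.g. "pa**word".
PASSWORD_RE = re.compile(r"\bp[a*][s*][s*][w*][o*][r*][d*]\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(compulsory|mandatory|urgent|immediately|by end of day|today)\b",
                        re.IGNORECASE)
SHOUTING_RE = re.compile(r"\b[A-Z]{4,}\b")  # whole words in capitals, e.g. COMPULSORY

# Constructed lure modelled on the message described above (not the real campaign email).
SAMPLE_EMAIL = """From: HR Department <hr@eldercare-charity.example>
To: staff@company.example
Subject: Employee Self-Evaluation - COMPULSORY for EVERYONE

Please complete the self-evaluation by End Of Day.
At the end of the form, enter your email and pa**word for authentication.
"""

# Constructed benign message from the real HR domain, for comparison.
CLEAN_EMAIL = """From: HR <hr@company.example>
To: staff@company.example
Subject: Team lunch on Friday

Please reply if you have dietary requirements.
"""


def _body_text(msg) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) or b""
              for p in parts if p.get_content_type() == "text/plain"]
    return b"\n".join(chunks).decode("utf-8", "replace")


def phishing_indicators(raw_email: str, company_domain: str = COMPANY_DOMAIN) -> dict:
    """Return the red flags found in one email plus a coarse verdict."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    flags = []

    # 1. Sender domain does not belong to the company.
    domain = sender.rpartition("@")[2]
    if domain != company_domain:
        flags.append(f"sender domain {domain!r} is not {company_domain!r}")

    # 2. Pressure to act now ("COMPULSORY", "by End Of Day", ...).
    urgent = {m.lower() for m in URGENCY_RE.findall(text)}
    if urgent:
        flags.append("pressure to act: " + ", ".join(sorted(urgent)))

    # 3. Shouting in capitals, a typical sign of crude lure text.
    if len(SHOUTING_RE.findall(text)) >= 2:
        flags.append("multiple words in capitals")

    # 4. A request for a password, including the asterisk-masked spelling
    #    that a plain "password" keyword filter would miss.
    m = PASSWORD_RE.search(text)
    if m:
        kind = "obfuscated" if "*" in m.group(0) else "plain"
        flags.append(f"asks for a password ({kind}: {m.group(0)})")

    score = len(flags)
    verdict = "likely phishing" if score >= 3 else ("review" if score else "clean")
    return {"flags": flags, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, phishing_indicators(raw))
```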
How to stay safe
To stop company employees falling for phishing, keep them informed of all the latest tricks (for example, by forwarding our posts about phishing ploys). If you prefer a more systematic approach, carry out regular trainings and checks, for example with our Kaspersky Automated Security Awareness Platform.
Ideally, employees should never even see most phishing thanks to technical means: install security solutions with anti-phishing technology both at the corporate mail gateway level and on all work devices used for internet access.
“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.
The sure winner in the “timewaster” category is alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour — even off the clock. 38% of respondents admitted to having to respond to alerts at night.
What to do
Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alarms and speeds up their processing.
Implement automation. For example, an XDR solution can automate typical analysis/response scenarios and reduce the number of alerts by combining disparate events into a single incident.
Leverage an MSSP, MDR service or commercial SoC. This is the most efficient way to flexibly scale alert handling. Full-time team members will be able to focus on building overall security and investigating complex incidents.
Emails with warnings
Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.
What to do
Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
Use automation. Some typical emails can be analyzed using simple scripts and transformed into alerts in the dashboard. Emails that are unsuited to this method should be analyzed, scored for urgency and subject matter, and then moved to a specific folder or assigned to a designated employee. You don’t need an AI bot to complete this task; email-processing rules or simple scripts will do the job.
These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.
Emails flagged by employees
Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.
What to do
1. Deploy reliable protection at the mail gateway level — this will significantly reduce the number of genuine phishing emails. With specialized defense mechanisms in place, you’ll defeat sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
2. If your email security solution allows users to “report a suspicious email”, instruct your colleagues to use it so they don’t have to manually process such alerts.
3. Set up a separate email address for messages with employees’ suspicions so as to avoid mixing this category of emails with other security alerts.
4. If item 2 is not feasible, focus your efforts on automatically searching for known safe emails among those sent to the address for suspicious messages. These make up a large percentage, so the infosec team will only have to check the truly dangerous ones.
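One way to script the triage described in the two sections above: vendor notices become structured alerts, messages from known-safe senders are auto-closed, and everything else goes to an analyst queue ordered by urgency. This is an added example, not code from the original post; the allowlists, the Authentication-Results format produced by the gateway and the three sample emails are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist of sender domains that employees keep reporting but which are
# harmless (newsletters, payroll notifications). Constructed for this example.
KNOWN_SAFE_DOMAINS = {"news.vendor.example", "payroll.company.example"}

# Assumed vendor advisory mailboxes whose notices should become dashboard alerts.
ADVISORY_SENDERS = {"security-advisories@vendor.example"}

SEVERITY_RE = re.compile(r"\b(critical|high|medium|low)\b", re.IGNORECASE)
URGENCY_RE = re.compile(r"\b(urgent|immediately|suspended|verify your account|overdue)\b",
                        re.IGNORECASE)
# Authentication-Results as written by our own gateway, e.g.
# "mx.company.example; dkim=pass header.d=news.vendor.example; spf=pass"
DKIM_PASS_RE = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.IGNORECASE)

# Constructed sample messages as they might land in the reporting mailbox.
SAMPLES = {
    "newsletter": """From: Vendor News <updates@news.vendor.example>
Authentication-Results: mx.company.example; dkim=pass header.d=news.vendor.example; spf=pass
Subject: October product newsletter

Constructed newsletter body.
""",
    "spoofed_newsletter": """From: Vendor News <updates@news.vendor.example>
Authentication-Results: mx.company.example; dkim=fail header.d=news.vendor.example; spf=fail
Subject: URGENT: your account is suspended, verify your account

Constructed lure body.
""",
    "advisory": """From: Vendor Security <security-advisories@vendor.example>
Authentication-Results: mx.company.example; dkim=pass header.d=vendor.example
Subject: [Security Advisory] Critical: remote code execution in Example Product 2.3

Constructed advisory body.
""",
}


def dkim_verified_domain(msg):
    """Return the DKIM signing domain, but only if the gateway recorded dkim=pass."""
    for header in msg.get_all("Authentication-Results", []):
        m = DKIM_PASS_RE.search(header)
        if m:
            return m.group(1).lower()
    return None


def _aligned(signing_domain, from_domain) -> bool:
    """DKIM domain must equal the From domain or be a parent/child of it."""
    if not signing_domain:
        return False
    return (signing_domain == from_domain
            or from_domain.endswith("." + signing_domain)
            or signing_domain.endswith("." + from_domain))


def triage(raw_email: str) -> dict:
    """Decide where one reported email goes: vendor alert, known-safe, or analyst queue."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    subject = msg.get("Subject", "")
    verified = _aligned(dkim_verified_domain(msg), domain)

    # 1. Vendor advisories become structured alerts instead of emails to read.
    if sender in ADVISORY_SENDERS and verified:
        sev = SEVERITY_RE.search(subject)
        return {"route": "vendor_alert",
                "severity": sev.group(1).lower() if sev else "unknown",
                "subject": subject}

    # 2. Known-safe senders are auto-closed, but only when the From domain is backed
    #    by a DKIM pass; a spoofed From header must never be dismissed automatically.
    if domain in KNOWN_SAFE_DOMAINS and verified:
        return {"route": "known_safe", "sender": sender}

    # 3. Everything else goes to an analyst, ordered by a simple urgency score.
    return {"route": "analyst_queue",
            "urgency": len(URGENCY_RE.findall(subject)),
            "sender": sender}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```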
Prohibitions, risk assessments, and risk negotiations
As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.
Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.
What to do
1. Avoid overly strict prohibitions. The more bans, the more time spent on policing them.
2. Maintain an open dialogue with key customers about how infosec controls impact their processes and performance. Compromise on technologies and procedures to avoid the issues described above.
3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems with full infosec compliance.
4. Handle these business requests on a case-by-case basis. Teams that show a strong infosec culture can undergo security audits less frequently — only at the most critical phases of a project. This will reduce the time outlays for both the business and the infosec team.
Checklists, reports, and guidance documents
Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.
What to do
Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI Report on Compliance, or a SOC2 audit. Having such a document helps not only with regulatory compliance, but also with responding quickly to typical requests from counterparties.
Hire a subspecialist (or train someone from your team). Many infosec practitioners spend a disproportionate amount of time formulating ideas for whitepapers. Better to have them focus on practical tasks and have specially trained people handle the paperwork, checklists, and presentations.
Automate processes — this helps not only to shift routine control operations to machines but to correctly document them. For example, if the regulator requires periodic vulnerability scan reports, a one-off resource investment in an automatic procedure for generating compliant reports would make sense.
Selecting security technologies
New infosec tools appear monthly. Buying as many solutions as possible won’t only balloon the budget and the number of alerts, but also create a need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team will need to conduct market research, evaluate the contenders in depth, and then carry out pilot implementation.
What to do
1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.
Although various types of infosec training are mandatory for all employees, their ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn’t tailored to the employees’ level, potentially leading to an absurd situation where infosec itself undergoes basic training because it’s mandatory for all.
What to do
Use an automated platform for employee training. This will make it easy to customize the content to the industry and the specifics of the department being trained. In terms of complexity, both the training materials and the tests adapt automatically to the employee’s level; and gamification increases the enjoyment factor, raising the successful completion rate.
What can we protect ourselves against?
Let’s make one thing clear: following the tips below isn’t going to protect you from targeted espionage, a participant secretly recording a call, pranks, or uninvited guests joining by using leaked links. We already provided some videoconferencing security tips that can help mitigate those risks. Protecting every participant’s computer and smartphone with comprehensive cybersecurity — such as Kaspersky Premium — is equally important.
Here, we focus on other kinds of threats such as data leaks from the videoconferencing platform, misuse of call data by the platform, and the harvesting of biometric information or conference content. There are two possible engineering solutions to these: (i) hosting the conference entirely on participant computers and servers, or (ii) encrypting it, so that even the host servers have no access to the meeting content. The latter option is known as end-to-end encryption, or E2EE.
Signal: a basic tool for smaller group calls
We have repeatedly described Signal as one of the most secure private instant messaging apps around, but Signal calls are protected with E2EE as well. To host a call, you have to set up a chat group, add everyone you want to call, and tap the videocall button. Group videocalls are limited to 40 participants. Admittedly, you’re not getting any business conveniences such as call recording, screen sharing, or corporate contact-list invitations. Besides, you’ll need to set up a separate group for each meeting, which works well for regular calls with the same people, but not so much if the participants change every time.
Signal lets you set up videoconferences for up to 40 participants in a familiar interface
WhatsApp and FaceTime: just as easy — but not without their issues
Both these apps are user-friendly and popular, and both support E2EE for videocalls. They share all the shortcomings of Signal, adding a couple of their own: WhatsApp is owned by Meta, which is a privacy red flag for many, while FaceTime calls are only available to Apple users.
Jitsi Meet: self-hosted private videoconferencing
The Jitsi platform is a good choice for large-scale, fully featured, but still private meetings. It supports meetings with dozens to hundreds of participants, screen sharing, chat and polling, co-editing of notes, and more. Jitsi Meet supports E2EE, and the conference itself is created at the moment the first participant joins and self-destructs when the last one disconnects. No chats, polls or any other conference content is logged. Finally, Jitsi Meet is an open-source app.
Jitsi Meet is a user-friendly, cross-platform videoconferencing tool with collaboration options. It can be self-hosted or used for free on the developer’s website
Though the public version can be used for free on the Jitsi Meet website, the developers strongly recommend that organizations deploy a Jitsi server of their own. Paid hosting by Jitsi and major hosting providers is available for those who’d rather avoid spinning up a server.
Matrix and Element: every type of communication — fully encrypted
The Matrix open protocol for encrypted real-time communication and the applications it powers — such as Element — are a fairly powerful system that supports one-on-one chats, private groups and large public discussion channels. The Matrix look-and-feel resembles Discord, Slack and their forerunner, IRC, more than anything else.
Connecting to a Matrix public server is a lot like getting a new email address: you select a user name, register it with one of the available servers, and receive a matrix address formatted as @user:server.name. That allows you to talk freely to other users including those registered with different servers.
Even a public server makes it easy to set up an invitation-only private space with topic-based chats and videocalls.
The settings in Element are slightly more complex, but you get more personalization options: chat visibility, permission levels, and so on. Matrix/Element makes sense if you’re after team communications in various formats, such as chats or calls, and on various topics rather than just a couple of odd calls. If you’re simply looking to host a call from time to time, Jitsi works better — the call feature in Element even uses Jitsi code.
Element is a fully featured environment for private conversations, with video chats just one of the available options
Corporations are advised to use the Element enterprise edition, which offers advanced management tools and full support.
Zoom: encryption for the rich
Few know that Zoom, the dominant videoconferencing service, has an E2EE option too. But to enable this feature, you need to additionally purchase the Large Meetings License, which lets you host 500 or 1000 participants for $600–$1080 a year. That makes the price of E2EE at least $50 per month higher than the regular subscription fee.
Zoom supports videoconferencing with E2EE too, but you need an extended license to be able to use it
You can enable encryption for smaller meetings as well, but still only if you have a Large Meeting License. According to the Zoom website, activating E2EE for a meeting disables most familiar features, such as cloud recording, dial-in, polling and others.
Digital wellbeing isn’t just about privacy and protection against online scammers and equipment failure. It’s also about having some level of control over our social networks, our screen time, and what we spend on digital services. These outlays are increasingly taking the form of subscriptions. Sure, recurring payments have long been the standard for cell phone billing, music and video streaming services, watching TV and reading online magazines and newspapers, but these days you can sign up for pretty much anything, including delivery of regular consumer goods — like socks or coffee. In many cases, a subscription is the only way to get hold of apps, games, and other online stuff — ever more services are switching to this model, and the number of subscriptions is snowballing. Even automakers are getting in on the subscription game, and soon it might not be possible to turn on the seat heating or use the sat-nav without subscribing to the respective service.
Almost everyone underestimates their subscription costs. According to this fascinating survey, the average American thinks they spend US$86 per month on subscriptions, when the real figure is a whopping US$219! And besides online, there are other recurring payments: mortgages, loans, utility bills, public transport, gym memberships and the like, all of which need to be budgeted so you don’t suddenly find yourself broke.
Monthly subscription costs: expectation versus reality. (Source)
As trite as it sounds, how to save money couldn’t be simpler: cancel subscriptions you don’t use. No less than 42% of respondents admitted to having stopped using an app or service and then forgetting to stop paying for it. Even active subscriptions, renewed for years without change, become less economical over time: by changing your plan to a newer one, applying a promo code, or looking at competitors, you can save a lot.
But more often there’s another problem: 74% of users forget when payment is due. If the subscription auto-renews, it can burn a large hole in your pocket. If you pay manually, forgetting could result in termination of the service. And that can spell trouble if it’s your phone or something equally important.
Another common way to accidentally fork out is by subscribing to apps and services that offer a free trial period. The service takes your card number on sign-up, but doesn’t charge you. After a week, month or whatever length of trial period, the first payment falls due. If during this time you decide the service is not for you, what are the chances you forget to go into the settings and cancel the subscription? As practice shows — very high. Such user forgetfulness is now being exploited by less-than-squeaky-clean developers who sell apps on the App Store and Google Play with exorbitant monthly fees (for example, US$90 per month for a regular calculator!). Such apps are known as fleeceware.
How to manage subscriptions properly
To get the most out of your subscriptions, plan your outlays carefully, never pay for unnecessary services, and follow a few simple rules:
Make a general list of subscriptions so you know exactly what, when and how much you’re paying.
Update the list as soon as you subscribe to a new service. Bear in mind that renewing a subscription may be cheaper or more expensive than the first payment — check the small print!
Check the list on a regular basis (say, monthly) to plan your spending for the coming month.
Checking regularly will help you remember to cancel subscriptions you don’t wish to renew. Note that to cancel a subscription it’s usually not enough to simply uninstall the app — you need to go to your personal account or to a special subsection of the App Store/Google Play to cancel it.
Keep an eye out for sales and promotions, such as Black Friday. They often give discounts on subscription renewals.
Despite their outward simplicity, all these tips have one major drawback: they require a high level of self-discipline and attentiveness. They involve record-keeping and list-updating, and not everyone will have the time or inclination. But there is an easier, more convenient way — in the shape of a specialized subscription management service. Speaking of which, Kaspersky Product Studio recently released such an app, called SubsCrab.
SubsCrab helps you manage subscriptions and save money
SubsCrab makes it easy to keep a list of subscriptions, remember when and how much to pay, and find ways to economize.
A single glance at the SubsCrab home screen will provide all subscription details for the current month, as well as monthly outlays, due dates, and the cost of each subscription
You can add all your subscriptions to the app in one of two ways:
Manually. You yourself select subscriptions from a long list of paid services and payment plans. There are already more than 4000 subscription services and 11,000 related plans in the database.
Mailbox scan. The app searches your mailbox for emails from all known services, and automatically determines the plan and payment date. Email data is not sent anywhere; all processing takes place on your smartphone.
Adding a new subscription to SubsCrab couldn’t be simpler
Future app updates will add two more methods:
Bank statement scan. This feature will only work in the U.S. and some EU countries using the Open Bank API, which is supported by around 15,000 banks. As with email scanning, subscriptions will be searched for locally, and no transaction data will leave your smartphone.
Screenshot scan of subscription page in the App Store or Google Play.
This way, the app also makes it easy to add new subscriptions as soon as they appear.
When all your subscriptions are in SubsCrab, the app will remind you about upcoming payments, show your total spending for the selected month or year, and help with general budget planning.
Never miss a payment with SubsCrab Push notifications
Click or tap on any subscription and you’ll see its current settings, but it’s the bottom of the card that’s the really interesting part. That’s where discount promo codes get published, plus a list of alternative services that do the same job. If you want to cut costs, you can try switching to one of these competitor services or find out how to unsubscribe.
Cards are a handy source of subscription details, alternatives, and promo codes
It might sound odd, but SubsCrab itself is a subscription service. The free version lets you manually enter subscriptions from the database, choose alternative services, and get reminders and statistics.
The paid version of SubsCrab can automatically find subscriptions in your mailbox, as well as maintain and analyze multiple subscription lists — for different family members or different tasks (entertainment, work, health, etc.); only this version gives you access to promo codes for tasty discounts on your favorite subscriptions.
And if all this helps you cut costs and take control of hundreds, perhaps thousands of dollars you spend annually and unaccountably on subscriptions, the juice is worth the squeeze.
Previous posts in our back-to-school series have covered how to protect your child’s devices and explained the importance of cybersecurity in school. Today we talk about the core, and often unavoidable, apps used in modern education. This means electronic diaries and virtual classrooms, plus videoconferencing for distance learning. They are all insecure.
Electronic study-diaries and virtual classroom websites are used these days to help administer the educational process. Educators use them to share lesson schedules, homework assignments, and announcements. And parents can see their kids’ grades, or even chat with their teachers.
The main problem with such web applications is the substandard protection of the personal data they hold. In 2020, the attorney general of the U.S. state of New Mexico even filed a lawsuit against Google Classroom, citing the company’s alleged practice of collecting personal data from children and using it for commercial purposes. And in 2022, the Dutch Ministry of Education introduced a number of restrictions on the use of Google services in schools for the exact same reason.
Unfortunately, in most cases parents have no control over what services schools decide to use. The story of Google Classroom is by no means the worst. Issues with the service have been openly discussed for a long time, and Google has been forced to take note and beef up its protection. But, as a father of three, I’ve had the (mis)fortune of seeing other electronic diaries in action, where the situation with personal data storage and transfer is nothing if not murky.
What can parents do about this? Asking the school for all details about privacy and personal data usage in all services you need is a good start. And teach your kid how to leave as little personal data as possible on such sites.
The covid lockdown was a big eye-opener for many kids: turns out you don’t need to go to school! Lessons suddenly became more fun but for the wrong reasons: my daughter chats with her teacher in one window — and watches a movie or plays a game in another (or on a different device).
Such distance “learning” only adds to the worries of parents. Even before covid, we had to monitor what our kids were downloading, since banking Trojans, spyware and ransomware are forever sneaking in under the guise of legal apps — even in Google Play and other official stores. But at least in school they were less exposed to such threats, because internet usage was not generally a part of in-class learning.
With the distance-learning revolution, however, there are now even more apps on our kids’ tablets for us parents to fret about, as well as unlimited internet use for “study” purposes.
And although the lockdowns are long over, many schools continue to practice distance learning for some classes. Meanwhile, Zoom, Teams, and other videoconferencing platforms remain vulnerable to attacks. The most obvious consequence of such attacks, as before, is personal data leakage. But it can get worse: if a malicious third party were to gain access to a virtual classroom, they might show some decidedly “non-kid-suitable” videos.
And even if parents are versed in the safe hosting of video chats, they are unlikely to be able to influence the school’s choice of tools. Here, too, you should ask the school for an explanation as to why an insecure program was chosen.
In addition, you need to teach your kids the basic safety rules of using such apps. In particular, your child should learn to turn off both the microphone and camera when not required, as well as to blur the background and disable screen-sharing by default. And of course, your child should never accept video chat invitations from strangers — or communicate with any if they do show up uninvited to a video conference.
And it goes without saying that all devices your child uses should be protected with a reliable security solution — one that guards against viruses and personal data leaks on computers and mobile devices, and keeps your kid’s privacy intact. Remember that with your free annual subscription to Kaspersky Safe Kids as part of Kaspersky Premium, in addition to total protection for all devices, you get powerful parental controls over your child’s online activity and offline location.
Agent Tesla functions as a Remote Access Trojan (RAT) and an information stealer built on the .NET framework. It is capable of recording keystrokes, extracting clipboard content, and searching the disk for valuable data. The acquired information can be transmitted to its command-and-control server via various channels, including HTTP(S), SMTP, FTP, or even through a Telegram channel.
Generally, Agent Tesla uses deceptive emails to infect victims, disguising as business inquiries or shipment updates. Opening attachments triggers malware installation, concealed through obfuscation. The malware then communicates with a command server to extract compromised data.
The following heat map shows the current prevalence of Agent Tesla in the field:
Figure 1: Agent Tesla heat map
McAfee Labs has detected a variation where Agent Tesla was delivered through VBScript (VBS) files, showcasing a departure from its usual methods of distribution. VBS files are script files used in Windows for automating tasks, configuring systems, and performing various actions. They can also be misused by cybercriminals to deliver malicious code and execute harmful actions on computers.
The examined VBS file executed numerous PowerShell commands and then leveraged steganography to perform process injection into RegAsm.exe, as shown in Figure 2. RegAsm.exe is a Windows command-line utility used to register .NET assemblies as COM components, allowing interoperability between different software. It can also be exploited by malicious actors for purposes like process injection, potentially enabling covert or unauthorized operations.
Figure 2: Infection Chain
VBS needs scripting hosts like wscript.exe to interpret and execute its code, manage interactions with the user, handle output and errors, and provide a runtime environment. When the VBS is executed, wscript invokes the initial PowerShell command.
Figure 3: Process Tree
First PowerShell command
The first PowerShell command is encoded as illustrated here:
Figure 4: Encoded First PowerShell
Obfuscating PowerShell commands serves as a defense mechanism employed by malware authors to make their malicious intentions harder to detect. This technique involves intentionally obfuscating the code by using various tricks, such as encoding, replacing characters, or using convoluted syntax. This runtime decoding is done to hide the true nature of the command from static analysis tools that examine the code without execution. Upon decoding, achieved by substituting occurrences of ‘#@$#’ with ‘A’ and subsequently applying base64-decoding, we successfully retrieved the decrypted PowerShell content as follows:
Figure 5: Decoded content
Second PowerShell Command
The deciphered content serves as the parameter passed to the second instance of PowerShell.
Figure 6: Second PowerShell command
Deconstructing this command line for clearer comprehension:
Figure 7: Disassembled command
As observed, the PowerShell command instructs the download of an image from the URL stored in the variable “imageURL”. The downloaded image is 3.50 MB in size and is displayed below:
Figure 8: Downloaded image
This image serves as the canvas for steganography, where attackers have concealed their data. This hidden data is extracted and utilized as the PowerShell commands are executed sequentially. The commands explicitly indicate the presence of two markers, ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’. The length of the data is stored in variable ‘base64Length’. The data enclosed between these markers is stored in ‘base64Command’. The subsequent images illustrate these markers and the content encapsulated between them.
Figure 9: Steganography
After obtaining this data, the malware proceeds with decoding procedures. Upon examination, it becomes apparent that the decrypted data is a .NET DLL file. In the subsequent step, a command is executed to load this DLL file into an assembly.
Figure 10: DLL obtained from steganography
Process Injection into RegAsm.exe
This DLL serves two purposes:
Downloading and decoding the final payload
Injecting it into RegAsm.exe
Figure 11: DLL loaded
In Figure 11, at marker 1, a parameter named ‘QBXtX’ is utilized to accept an argument for the given instruction. As we proceed with the final stage of the PowerShell command shown in Figure 7, the sequence unfolds as follows:
The instruction mandates reversing the content of this parameter and subsequently storing the outcome in the variable named ‘address.’ Upon reversing the argument, it transforms into:
Figure 12: Request for payload
Therefore, it is evident that this DLL is designed to fetch the mentioned text file from the C2 server via the provided URL and save its contents within the variable named “text.” This file is 316 Kb in size. The data within the file remains in an unreadable or unintelligible format.
Figure 13: Downloaded text file
In Figure 11, at marker 2, the contents of the “text” variable are reversed and overwritten in the same variable. Subsequently, at marker 3, the data stored in the “text” variable is subjected to base64 decoding. Following this, we determined that the file is a .NET compiled executable.
Figure 14: Final payload
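The three decoding steps described above (the ‘#@$#’ to ‘A’ substitution followed by base64 in Figure 5, the carve-out between the ‘<<BASE64_START>>’ and ‘<<BASE64_END>>’ markers in the image, and the reverse-then-base64 of the downloaded text) can be reproduced with a small analyst script. The following is an added example and not code from the original analysis: the token and marker strings come from the write-up, while the sample blobs, the ‘MZ’ stub bytes and all function names are constructed here so the script runs offline.

```python
"""Analyst helper reproducing the three decoding steps of the loader chain.

Constructed sample artefacts (not real malware) are built by build_samples().
"""
import base64

STAGE1_TOKEN = "#@$#"                 # the loader swaps every 'A' for this token (from the write-up)
START_MARKER = b"<<BASE64_START>>"    # marker names from the write-up
END_MARKER = b"<<BASE64_END>>"

# Constructed stand-ins for the decoded artefacts; only the 'MZ' prefix matters here.
FAKE_COMMAND = "Write-Host 'stage one'"
FAKE_DLL = b"MZ" + b"\x00" * 62 + b"constructed dll body"
FAKE_EXE = b"MZ" + b"constructed final payload"


def decode_stage1(obfuscated: str, token: str = STAGE1_TOKEN) -> bytes:
    """Stage 1: put the 'A' characters back, then base64-decode the result.

    A real -EncodedCommand blob is UTF-16LE text; the caller decides how to
    render the bytes. The token contains no 'A', so the swap is reversible.
    """
    return base64.b64decode(obfuscated.replace(token, "A"))


def extract_between_markers(image_bytes: bytes) -> bytes:
    """Stage 2: carve the base64 text hidden between the two markers in the
    downloaded image and decode it (the 'base64Command' of the write-up)."""
    start = image_bytes.find(START_MARKER)
    if start == -1:
        raise ValueError("start marker not found")
    start += len(START_MARKER)
    end = image_bytes.find(END_MARKER, start)
    if end == -1:
        raise ValueError("end marker not found")
    return base64.b64decode(image_bytes[start:end])


def decode_reversed_base64(text: str) -> bytes:
    """Stage 3: the DLL reverses the downloaded text, then base64-decodes it."""
    return base64.b64decode(text[::-1])


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: decoded DLL/EXE stages should start with the 'MZ' magic."""
    return data[:2] == b"MZ"


def build_samples() -> tuple:
    """Constructed inputs: an obfuscated stage-1 blob, an image carrying the
    markers, and a reversed base64 text, wrapping the FAKE_* artefacts above."""
    stage1 = base64.b64encode(FAKE_COMMAND.encode()).decode().replace("A", STAGE1_TOKEN)
    image = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # PNG-like header, constructed
             + START_MARKER + base64.b64encode(FAKE_DLL) + END_MARKER + b"\x00" * 8)
    stage3 = base64.b64encode(FAKE_EXE).decode()[::-1]
    return stage1, image, stage3


def run_chain(stage1: str, image: bytes, stage3: str) -> dict:
    """Run all three steps and report what each one yields."""
    return {
        "stage1_command": decode_stage1(stage1).decode(),
        "stage2_is_pe": looks_like_pe(extract_between_markers(image)),
        "stage3_is_pe": looks_like_pe(decode_reversed_base64(stage3)),
    }


if __name__ == "__main__":
    print(run_chain(*build_samples()))
```

On a real sample the same functions are fed the string from Figure 4, the bytes of the downloaded image and the text file from Figure 13; the ‘MZ’ check is only a first hint, and the decoded files should then go to a PE parser or a .NET decompiler.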
In Figure 11, another activity is evident at marker 3, where the process path for the upcoming process injection is specified. The designated process path for the process injection is:
Since RegAsm.exe is a legitimate Windows tool, it’s less likely to raise suspicion from security solutions. Injecting .NET samples into it allows attackers to effectively execute their malicious payload within a trusted context, making detection and analysis more challenging.
Process injection involves using Windows API calls to insert code or a payload into the memory space of a running process. This allows the injected code to execute within the context of the target process. Common steps include allocating memory, writing code, creating a remote thread, and executing the injected code. In this context, the DLL performs a sequence of API calls to achieve process injection:
Figure 15: Process Injection
By obscuring the sequence of API calls and their intended actions through obfuscation techniques, attackers aim to evade detection and make it harder for security researchers to unravel the true behavior of the malicious code. The function ‘hU0H4qUiSpCA13feW0’ is used for replacing content. For example,
“kern!”.Replace(“!”, “el32”) → kernel32
Class1.hU0H4qUiSpCA13feW0(“qllocEx”, “q”, “VirtualA”) → VirtualAllocEx
As a result, these functions translate into the subsequent API calls:
CreateProcessA : This API call is typically employed to initiate the creation of a new process, rather than for process injection. In the context of process injection, the focus is generally on targeting an existing process and injecting code into it.
VirtualAllocEx: This is often used in process injection to allocate memory within the target process to host the injected code.
ReadProcessMemory: This is used to read the memory of a target process. It is typically used in reflective DLL injection to read the contents of a DLL from the injector’s memory and write it into the target process.
GetThreadContext: This API is used to retrieve the context (registers, flags, etc.) of a thread within a target process. It’s useful for modifying thread execution flow during injection.
Wow64GetThreadContext: This is like GetThreadContext, but it’s used when dealing with 32-bit processes on a 64-bit system.
SetThreadContext: This API is used to set the context of a thread within a target process. This can be useful for modifying the execution flow.
Wow64SetThreadContext: Like SetThreadContext, but for 32-bit processes on a 64-bit system.
ZwUnmapViewOfSection: This is used to unmap a section of a process’s virtual address space, which could potentially be used to remove a DLL loaded into a target process during injection.
WriteProcessMemory: This is used to write data into the memory of a target process. It’s commonly used for injecting code or data into a remote process.
ResumeThread: This is used to resume the execution of a suspended thread, often after modifying its context or injecting code.
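To show how an analyst can undo the string-assembly trick and then test the recovered names against the hollowing sequence listed above, here is an added example that is not the DLL’s code. hidden_replace mirrors what the renamed helper does as far as the two examples on the page show it (a plain substring replacement); the first two triples are the page’s own, the remaining triples are constructed in the same style, and the grouping of APIs into hollowing stages is my own choice.

```python
"""Recover API names hidden by string assembly, then match the recovered set
against the process-hollowing stages. Import or string tables carry no call
order, so this checks presence only; order can be judged on a runtime trace."""


def hidden_replace(haystack: str, old: str, new: str) -> str:
    """What Class1.hU0H4qUiSpCA13feW0 does, judging by the two examples:
    a plain substring replacement."""
    return haystack.replace(old, new)


# (argument, substring, replacement) triples as they would appear in the decompiled
# DLL. The first two are from the page; the rest are constructed in the same style.
OBFUSCATED_CALLS = [
    ("kern!", "!", "el32"),
    ("qllocEx", "q", "VirtualA"),
    ("Create!A", "!", "Process"),
    ("Read#Memory", "#", "Process"),
    ("GetThread$", "$", "Context"),
    ("Wow64GetThread$", "$", "Context"),
    ("SetThread$", "$", "Context"),
    ("Wow64SetThread$", "$", "Context"),
    ("ZwUnmapView%", "%", "OfSection"),
    ("Write#Memory", "#", "Process"),
    ("Resume&", "&", "Thread"),
]

# Stages of process hollowing and the API names that implement each one.
# Grouping is my own; Nt*/W variants are added so the check is not tied to one spelling.
HOLLOWING_STAGES = {
    "spawn":   {"CreateProcessA", "CreateProcessW"},
    "unmap":   {"ZwUnmapViewOfSection", "NtUnmapViewOfSection"},
    "alloc":   {"VirtualAllocEx"},
    "write":   {"WriteProcessMemory"},
    "context": {"SetThreadContext", "Wow64SetThreadContext"},
    "resume":  {"ResumeThread"},
}
# Stages that must all be present for a hollowing verdict; in addition either
# an unmap or a remote allocation step is required.
REQUIRED_STAGES = ("spawn", "write", "context", "resume")


def resolve_names(calls) -> list:
    """Apply the replacement to every triple, giving the real strings."""
    return [hidden_replace(*c) for c in calls]


def stage_coverage(names) -> dict:
    """Map each hollowing stage to the sorted list of matching names found."""
    found = set(names)
    return {stage: sorted(found & aliases) for stage, aliases in HOLLOWING_STAGES.items()}


def is_hollowing_candidate(names) -> bool:
    """True when every required stage is covered plus an unmap or alloc step."""
    cov = stage_coverage(names)
    if not all(cov[stage] for stage in REQUIRED_STAGES):
        return False
    return bool(cov["unmap"] or cov["alloc"])


if __name__ == "__main__":
    resolved = resolve_names(OBFUSCATED_CALLS)
    print(resolved)
    print("hollowing candidate:", is_hollowing_candidate(resolved))
```

The resolver is deliberately dumb: once the helper is known to be a replacement, every call site can be evaluated from its literal arguments without running the sample, which is exactly what the obfuscation is meant to prevent a static pass from doing.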
Upon successful injection of the malware into RegAsm.exe, it initiates its intended operations, primarily focused on data theft from the targeted system.
The final executable is heavily obfuscated. It employs an extensive array of switch cases and superfluous code, deliberately intended to mislead researchers and complicate analysis. Many of the functions use switch cases or equivalent constructs to evade detection. The following snippet depicts this.
Figure 16: Obfuscation
Collection of data:
Agent Tesla collects data from compromised devices to achieve two key objectives: firstly, to mark new infections, and secondly, to establish a unique ‘fingerprint’ of the victim’s system. The collected data encompasses:
Agent Tesla initiates the process of gathering data from various web browsers. It utilizes switch cases to handle different browsers, determined by the parameters passed to it. All of these functions are heavily obscured through obfuscation techniques. The following figures depict the browser data that it attempted to retrieve.
Figure 17: Opera browser
Figure 18: Yandex browser
Figure 19: Iridium browser
Figure 20: Chromium browser
Similarly, it retrieves data from nearly all possible browsers. The captured log below lists all the browsers from which it attempted to retrieve data:
Figure 21: User data retrieval from all browsers – 1
Figure 22: User data retrieval from all browsers – 2
Agent Tesla is capable of stealing various sensitive data from email clients. This includes email credentials, message content, contact lists, mail server settings, attachments, cookies, auto-complete data, and message drafts. It can target a range of email services to access and exfiltrate this information. Agent Tesla targets the following email clients to gather data:
Figure 23: Mail clients
Agent Tesla employs significant obfuscation techniques to evade initial static analysis attempts. This strategy conceals its malicious code and actual objectives. Upon successful decoding, we were able to scrutinize its internal operations and functionalities, including the use of SMTP for data exfiltration.
The observed sample uses SMTP as its exfiltration channel. This protocol is frequently favored because it places minimal overhead on the attacker: it is efficient, widely allowed through network perimeters, rides on existing infrastructure, causes few anomalies, can leverage compromised accounts, and looks less suspicious than other protocols. A single compromised email account is enough for exfiltration, which removes the need for any complex setup.
Figure 24: Function calls made for exfiltration.
This is the procedure by which functions are invoked to facilitate data extraction via SMTP:
A specific value is provided as a parameter, and this value is processed within the functions. As a result, it ultimately determines the port number to be utilized for SMTP communication. In this case, port number 587 is used for communication.
Figure 25: Port number
Next, the malware retrieves the hostname of the email address it intends to utilize i.e., corpsa.net.
Figure 26: Domain retrieval
Subsequently, the email address through which communication is intended to occur is revealed.
Figure 27: Email address used
Lastly, the password for that email address is provided, so that the attacker can log in and start sending out the data.
Figure 28: Password
The SMTP process as outlined involves a series of systematic steps. It begins with the processing of a specific parameter value, which subsequently determines the port number for SMTP communication. Following this, the malware retrieves the associated domain of the intended email address, revealing the address itself and ultimately providing the corresponding password. This orchestrated sequence highlights how the malware establishes a connection through SMTP, facilitating its intended operations.
Following these steps, the malware efficiently establishes a login using acquired credentials. Once authenticated, it commences the process of transmitting the harvested data to a designated email address associated with the malware itself.
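The SMTP exfiltration above gives defenders a simple network detection: a process that is not a mail client, here RegAsm.exe, opening a connection on port 587. The following is an added example, not part of the original analysis. It runs over constructed, simplified Sysmon-like network-connection events; the mail-client allow-list, the assumption that RegAsm.exe has no legitimate reason to reach the network, and the sample IPs and hostnames are mine, while port 587 and the corpsa.net domain come from the write-up.

```python
"""Flag suspicious outbound connections in constructed Sysmon-like
network-connection events (one event per line, 'Key: value' fields joined by '|')."""
import re

SMTP_PORTS = {25, 465, 587}                          # 587 is the port used by this sample
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumption: processes allowed to speak SMTP
NO_NETWORK_EXPECTED = {"regasm.exe", "regsvcs.exe"}  # assumption: these .NET tools have no business on the network
WATCHLIST_DOMAINS = {"corpsa.net"}                   # mail domain seen in this sample (from the write-up)

FIELD_RE = re.compile(r"(\w+): ([^|]*)")

# Constructed events; addresses are from documentation ranges, hostnames are
# invented except for the corpsa.net hit.
SAMPLE_EVENTS = [
    r"EventId: 3|Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|DestinationIp: 203.0.113.10|DestinationPort: 587|DestinationHostname: mail.corpsa.net",
    r"EventId: 3|Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|DestinationIp: 198.51.100.5|DestinationPort: 587|DestinationHostname: smtp.example.com",
    r"EventId: 3|Image: C:\Program Files\Google\Chrome\Application\chrome.exe|DestinationIp: 198.51.100.7|DestinationPort: 443|DestinationHostname: www.example.com",
    r"EventId: 3|Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe|DestinationIp: 203.0.113.11|DestinationPort: 443|DestinationHostname: cdn.example.net",
    r"EventId: 3|Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|DestinationIp: 203.0.113.12|DestinationPort: 25|DestinationHostname: -",
]


def parse_event(line: str) -> dict:
    """Split one 'Key: value|Key: value' line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def reasons_for(event: dict) -> list:
    """Return the names of the rules the event trips (empty list = benign)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    port = int(event["DestinationPort"])
    host = event.get("DestinationHostname", "").lower()
    hits = []
    if image in NO_NETWORK_EXPECTED:
        hits.append("lolbin_network")
    if port in SMTP_PORTS and image not in MAIL_CLIENTS:
        hits.append("smtp_from_non_mail_process")
    if any(host == d or host.endswith("." + d) for d in WATCHLIST_DOMAINS):
        hits.append("watchlist_domain")
    return hits


def scan(lines) -> list:
    """Return (image file name, reasons) for every event that trips at least one rule."""
    out = []
    for event in map(parse_event, lines):
        hits = reasons_for(event)
        if hits:
            out.append((event["Image"].rsplit("\\", 1)[-1], hits))
    return out


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The first rule is the strongest one for this family: the injection target is chosen precisely because it is a trusted binary, so any network activity from it is worth an alert regardless of port or destination. The SMTP-port rule catches the same behaviour if the payload were injected elsewhere, and the watchlist rule is the brittle, sample-specific fallback.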
The infection process of Agent Tesla involves multiple stages. It begins with the initial vector, often using email attachments or other social engineering tactics. Once executed, the malware employs obfuscation to avoid detection during static analysis. The malware then undergoes decoding, revealing its true functionality. It orchestrates a sequence of PowerShell commands to download and process a hidden image containing encoded instructions. These instructions lead to the extraction of a .NET DLL file, which subsequently injects the final payload into the legitimate process ‘RegAsm.exe’ using a series of API calls for process injection. This payload carries out its purpose of data theft, including targeting browsers and email clients for sensitive information. The stolen data is exfiltrated via SMTP communication, providing stealth and leveraging an email account. Overall, Agent Tesla’s infection process employs a complex chain of techniques to achieve its data-stealing objectives.
Love it or hate it, ChatGPT has become one of the most talked about tech developments of 2023. Many of us have embraced it with open arms and have put it to work by tasking it to ‘assist’ with assignments, write copy for an ad, or even pen a love letter – yes, it’s a thing. Personally, I have a love/hate relationship with it. As someone who writes for a living, it does ‘grind my gears’ but I am a big fan of its ability to create recipes with whatever I can find in my fridge. But like any new toy, if you don’t use it correctly then there could be issues – which may include your privacy.
ChatGPT – A Quick Recap
ChatGPT is an online software program that uses a new form of artificial intelligence – generative artificial intelligence – to provide human-style responses to a broad array of requests. Think of it as Google on steroids. It can solve maths questions, translate copy, write jokes, develop a resume, write code, or even help you prepare for a job interview. If you want to know more, check out my Parent’s Guide to ChatGPT.
But for ChatGPT to answer tricky questions and be so impressive, it needs a source for its ‘high IQ’. So, it relies on knowledge databases, open data sources and feedback from users. It also uses social media to gather information and a practice known as ‘web scraping’ to gather data from a multitude of sources online. And it is this super powerful combination that allows ChatGPT to ‘almost always’ deliver on tasks.
Why Is ChatGPT A Threat To My Privacy?
Your privacy is affected in several ways by ChatGPT. Some of these ways may not concern you, but I’m quite sure some will. Here’s what you need to know:
1. ChatGPT Uses Your Data Without Your Permission
When ChatGPT absorbed the enormous amount of data it needed to function from the internet, it did so without permission. As data can be used to identify us, our friends and family or even our location, this is clearly a violation of privacy. But not only was the data taken without permission, it was also taken without compensation. Many online news groups have been, understandably, quite upset about this, particularly when ChatGPT is making a handsome profit by offering users a premium package for US$20/month. However, in recent weeks, many online news outlets have blocked OpenAI’s crawler, which will limit ChatGPT’s ability to access their news content.
2. Whatever You Share With ChatGPT Goes Into Its Data Bank
Every time you share a piece of information with ChatGPT, you are adding to its data bank, risking that the information ends up somewhere in the public domain. The Australian Medical Association (AMA) recently issued a mandate for Western Australian doctors not to use ChatGPT after doctors at a Perth hospital used it to write patient notes. These confidential patient notes could be used to not only further train ChatGPT but could also be included in responses to other users.
3. ChatGPT Collects A Lot Of Information About Its Users
4. Risk of a Data Breach
One of the biggest risks of using ChatGPT is that your details will be leaked in a data breach. Credentials for 100,000 ChatGPT accounts were compromised and sold on the Dark Web in a large data breach that took place between June 2022 and May 2023, according to Search Engine Journal.
But here’s the big problem – as ChatGPT users can store conversations, if a hacker gains access to an account, it may mean they also gain access to proprietary information, sensitive business information or even confidential personal information.
What’s ChatGPT Doing To Protect Privacy?
Now please don’t misunderstand me, ChatGPT is taking action to protect users however in my opinion these steps are not enough to truly protect your privacy.
ChatGPT does make it very clear that all conversations between a user and ChatGPT are protected by end-to-end encryption. It also outlines that strict access controls are in place so only authorised personnel can access sensitive user data. It also runs a Bug Bounty program which rewards ethical hackers for finding security vulnerabilities. However, in order to remain protected while using the app, I believe the onus is on the user to take additional steps to protect their own privacy.
So, What Can I Do To Protect My Privacy While Using ChatGPT?
As we all know, nothing is guaranteed in life however there are steps you can take to minimise the risk of your privacy being compromised while using ChatGPT. Here are my top tips:
1. Be Careful What You Share With ChatGPT
Never share personal or sensitive information in any of your chats with ChatGPT. By doing so, you increase the risk of sharing confidential data with cybercriminals. If you need a sensitive piece of writing edited, ask a friend!!
2. Consider Deleting Your Chat History
One of the most useful ways of safeguarding your privacy is to avoid saving your chat history. By default, ChatGPT stores all conversations between users and the chatbot with the aim of training OpenAI’s systems. If you do choose not to save your chat history, OpenAI will still retain your conversations for 30 days. Despite this, it is still one of the best steps you can take to protect yourself.
3. Stay Anonymous
As mentioned above, ChatGPT can collect and process highly sensitive data and associate it with your email address and phone number. So, why not set up a dedicated email just for ChatGPT? And keep your shared personal details to a minimum. That way, the questions you ask or content you share can’t be associated with your identity. And always use a pseudonym to mask your true identity.
4. Commit To Staying Up To Date
Whether it’s ChatGPT or Google’s Bard, it’s imperative that you stay up to date with the company’s privacy and data retention policies, so you understand how your data is managed. Find out how long your conversations will be stored for before they are anonymised or deleted and who your details could potentially be shared with.
So, if you’re looking for a recipe for dinner, ideas for an upcoming birthday party or help with a love letter, by all means get ChatGPT working for you. However, use a dedicated email address, don’t store your conversations and NEVER share sensitive information in the chat box. But if you need help with a confidential or sensitive issue, then maybe find another alternative. Why not phone a friend – on an encrypted app, of course!!
Identity theft protection and privacy for your digital life
As of the writing of this article, the height of the pandemic seems like a distant but still vivid dream. Sanitizing packages, sparse grocery shelves, and video conferencing happy hours are things of the past for the majority of the population. Thank goodness.
A “new normal” society is adapting to today’s working culture. The work landscape changed significantly since 2020, and it might never return to what it once was. In 2022, workers spent an average 3.5 days in the office per week, which is 30% below the prepandemic in-office average.1
The work-from-home movement is likely here to stay, to the joy of employees seeking a better work-life balance and flexibility; however, some responsibility does fall upon people like you to secure home offices to protect sensitive company information.
To make sure you’re not the weak cyber link in your company’s security, make sure to follow these three tips for a secure home office.
1. Lock Your Screen, Stow Your Device
When you’re not physically in front of your work computer, best practices dictate that you lock the screen or put your device to sleep. No matter how much you trust your family, roommates, or the trustworthy-looking person seated next to you at a café, your company device houses all kinds of corporate secrets. A stray glance from the wrong person could put that information’s secrecy in jeopardy. Plus, imagine your cat walking across your keyboard or a toddler mashing your mouse, deleting hours’ worth of work. Disastrous.
Then, when you’re done with work for the day, stow your device in a secure location, preferably a drawer with a lock. Even if your work computer is 10 times faster and sleeker than your personal laptop, keep each device in its designated sphere in your life: work devices only for work, personal devices only for personal activities.
2. Secure Your Home Wi-Fi
Wi-Fi networks that are not password protected invite anyone off the street to surf on your network and eavesdrop on your online activities. A stranger sneaking on to your home Wi-Fi could be dangerous to your workplace. There would be very little stopping a stranger from spying on your connected work devices and spreading confidential information onto the dark web or leaking company secrets to the media.
There are a few steps you can take to secure your home office’s internet connection. First, make sure to change the default name and password of your router. Follow password best practices to create a strong first defense. For your router name, choose an obscure inside joke or a random pairing of nouns and adjectives. It’s best to omit your address and your real name as the name of your router, because that could alert a cybercriminal that that network belongs to you. Better yet, you can hide your router completely from strangers and only make it searchable to people who know the exact name of your network.
For an additional layer of protection, connect to a virtual private network (VPN). Your company may offer a corporate VPN. If not, signing up for your own VPN is easy. A VPN encrypts the traffic coming in and going out of your devices making it nearly impossible for a cybercriminal to burst into your online session and see what’s on your screen.
3. Take Your Security Training Seriously
The scenarios outlined in your company’s security training may seem far-fetched, but the concepts of those boring corporate videos actually happen! For example, the huge Colonial Pipeline breach in 2021 originated from one employee who didn’t secure the company’s VPN with multifactor authentication (MFA).2 Cutting small corners like disabling MFA – which is such a basic and easy-to-use security measure – can have dire consequences.
Pay attention to your security training and make sure to follow all company cybersecurity rules and use security tools as your IT team intends. For example, if your company requires that everyone use a password manager, a corporate VPN, and multi-factor authentication, do so! And use them correctly every workday!
Secure Home Office, Secure Home
These tips are essential to a secure home office, but they’re also applicable to when you’re off the clock. Password- or passcode-protecting your personal laptop, smartphone, and tablet keeps prying eyes out of your devices, which actually hold more personally identifiable information (PII) than you may think. Password managers, a secure router, VPNs, and safe browsing habits will go a long way toward maintaining your online privacy.
To fill in the cracks to better protect your home devices and your PII, partner with McAfee+. McAfee+ includes a VPN, safe browsing tool, identity monitoring and remediation services, a password manager, and more for a more secure digital life.
In one global survey, 68% of people prefer hybrid work models, and nearly three-quarters of companies allow employees to work from home some of the time.3,4 The flexibility afforded by hybrid work and 100% work-from-home policies is amazing. Cutting out the time and cost of commuting five days a week is another bonus. Let’s make at-home work a lasting and secure way of professional life!
1. McKinsey Global Institute, “How hybrid work has changed the way people work, live, and shop”
Your privacy means everything. And your identity too. The launch of McAfee Privacy & Identity Guard will protect them both.
We’re proud to announce the launch of McAfee Privacy & Identity Guard in partnership with Staples. Through this partnership, McAfee’s Privacy & Identity Guard will be available at select Staples locations across the U.S. and help customers protect their identity and privacy online.
McAfee’s Privacy & Identity Guard will be sold in the travel section of Staples along with other travel benefits such as passport services, TSA PreCheck sign up, and fingerprinting services. McAfee’s Privacy & Identity Guard offers a natural fit for Staples customers who are on the go, particularly as they rely on their laptops and smartphones to get things done while traveling.
And people certainly have concerns about their privacy and identity when they hit the road. McAfee’s recent Safer Summer Report revealed 1 in 3 people have been scammed when booking or taking trips, with a third (34%) of those losing $1,000 or more. This same study found 61% of all adults worry more about digital safety than physical safety when on vacation.
“As Staples’ exclusive tech services security partner for the last seven years, we’re excited to partner with Staples on the initial launch of McAfee Privacy & Identity Guard in the U.S.,” said Gagan Singh, McAfee’s Executive Vice President, Chief Operating Officer. “This online protection product was designed to address consumers’ key concerns about safeguarding personal information online, something that becomes even more at risk when traveling.”
Key McAfee Privacy & Identity Guard features include:
Identity Monitoring – Monitor personal information with timely alerts.
Proactive and Guided – When a breach is detected McAfee can help guide consumers to take the most effective and simple steps when action is needed.
Extensive Monitoring – Keep tabs on almost 60 unique pieces of your personal info such as your email address, phone number, Social Security number, credit cards, passport information, and bank accounts, to ensure they are secure.
Dedicated Support – McAfee offers friendly 24/7 assistance from security experts available via phone or online.
Identity Restoration – Exclusive to Staples customers, these features offer further peace of mind in the event of identity theft or loss.
Restoration Experts – Identity restoration experts are available 24/7 to help customers take the necessary steps to help repair their identity and credit if they ever need it, including assistance to help prevent or assist with identity fraud of a deceased family member.
Lost Wallet Assistance – If a consumer’s ID, credit, or debit cards are lost or stolen, McAfee will help cancel and replace them.
Privacy Features – Find personal data tied to old, unused online accounts and request removal of any personal information found on data broker sites.
Online Account Cleanup – This feature runs monthly scans to find customers’ online accounts and shows a risk level to help customers decide which to keep or delete.
Personal Data Cleanup – Removes personal info from sites that buy and sell it. Staples customers get full-service protection that scans more than 40 high-risk data broker sites and automatically requests removal of any personal information found.
Is your email on the dark web?
One sign that your privacy and identity are at risk is if your email appears on the dark web. Hackers and scammers post email addresses and other personal and financial information on dark web sites—sometimes offered freely, sometimes offered to other hackers and scammers for sale. You can find out if your email is posted on the dark web by visiting https://www.mcafee.com/idscan-staples.
The creators of any website bear the moral and legal responsibility for it during its entire existence. Moreover, few people know that if a corporate web server gets hacked, it’s not only the company and its customers that may suffer; often, a hacked site becomes a platform for launching new cyberattacks, with its owners not even being aware of it.
Why websites get hacked
A website hack can be part of a larger cyberattack, or a standalone operation. By “hack”, we mean making changes to the target site — not to be confused with a DDoS attack. If your company finds itself in the crosshairs of hackers, their goals are usually to:
Exert pressure on the victim organization as part of a ransomware attack, including by making the hack known to customers and partners;
Download valuable information from the site, for example, customer contact details stored in a database;
Distract IT and InfoSec teams from a more serious data theft or sabotage attack occurring at the same time;
Cause reputational damage.
That said, very often hackers don’t need your site in particular. They’ll happily make do with any reputable site they can sneak malicious content onto. Once that’s achieved, they can populate the site with phishing pages, links to spam resources, and pop-up ads. Basically, it turns into a cybercriminal tool. At the same time, the main sections of the site may be unaffected. Customers and employees visiting the home page won’t notice anything different. The malicious content is tucked away in new subfolders to which victims get lured through direct links.
How websites get hacked
Website hacks are normally carried out through vulnerabilities in server applications: web servers, databases, or content management systems and their add-ons. Around 43% of all websites on the internet run on WordPress, so it’s no surprise that hackers pay special attention to this content management system. Vulnerabilities are discovered in WordPress and thousands of add-ons for it regularly, and not all authors get around to fixing their plug-ins. And besides, not all users promptly install updates for their sites.
Attackers can exploit a vulnerability to upload to the web server a so-called web shell; that is, additional files and scripts allowing them to manage site content while bypassing standard administration tools. Next, they place malicious content on the site in subfolders, taking pains not to affect the main pages of the legitimate site.
Another common hacking scenario is to guess the administrator password. This is possible if the administrator uses weak passwords, or the same password on different web resources. In this way, cybercriminals can place malicious content by means of standard administration tools, creating new users on the site, as well as additional subsections or pages. However, this increases the likelihood of detection, so even in this case, attackers prefer to install their own backdoor in the shape of a web shell.
Damage from website hacking
In the case of a large targeted attack, the victim company immediately suffers financial and reputational damage. In opportunistic attacks, the harm is indirect. Website maintenance costs can rise because of the spam content and the views it attracts. At the same time, the site’s SEO reputation drops, so it receives fewer visitors from search engines. The site may even be flagged as malicious, in which case its traffic drops catastrophically. In practice, however, hackers often go for abandoned sites, for which traffic issues are of no relevance.
How websites get abandoned
The internet has long turned into a website graveyard. According to statistics, there are more than 1.1 billion websites in total, but 82% of them are not updated or maintained. In the case of corporate websites, a number of scenarios can be the cause:
A company ceases to operate, but its website is published on free hosting and keeps running;
The only employee who had access to the site leaves the given small business. Unless the owners take action, the site will remain frozen for months or even years;
A company rebrands or merges, but keeps the old website “temporarily” for customers. The revamped entity then gets a brand-new site, and the “temporary” old one is gradually forgotten;
A dedicated site is launched for a marketing campaign, product line, blog, or side project. When the project is over, the site is no longer updated, but it’s not shut down either.
Signs of website hacking
Since the main pages are often left untouched by hackers, it can be difficult to tell if your site has been compromised. But there are some pointers: the site is running slower than usual; traffic has sharply increased or decreased for no apparent reason; new links or banners have appeared out of nowhere; there are problems with control panel access; new folders, files, or users can be seen in the control panel. Still, the most obvious sign is if others start bombarding you with complaints about malicious content on your site. To properly diagnose the situation, you need to study the web server logs, but this task is better entrusted to experts. Like pest control, it takes experience to get rid of an infestation — which here means removing the web shell and other backdoors from the site.
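As an added example of the log study mentioned above (not code from the original article), the script below scans constructed Apache-style access-log lines for two of the scenarios described earlier: repeated POSTs to the WordPress login page from a single address, and PHP files being requested from the uploads folder, which is where a web shell dropped through a vulnerable plug-in typically lands. The threshold, the path lists and the sample addresses are assumptions.

```python
"""Scan constructed Apache combined-format access-log lines for a login
brute force and for PHP being served from the uploads directory."""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}     # WordPress authentication endpoints
UPLOAD_DIRS = ("/wp-content/uploads/",)            # user-content area; PHP here is a web-shell sign
BRUTE_FORCE_THRESHOLD = 5                          # assumption: tune for your traffic


def _line(ip, method, path, status="200", ts="10/Oct/2023:13:55:36 +0000"):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: six login attempts from one address, one normal login,
# ordinary page views, then a PHP file requested from the uploads folder.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php")] * 6
    + [_line("198.51.100.9", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", "302")]
    + [_line("198.51.100.20", "GET", "/"),
       _line("198.51.100.20", "GET", "/wp-content/uploads/2023/10/logo.png")]
    + [_line("203.0.113.5", "POST", "/wp-content/uploads/2023/10/cache.php")]
)


def parse(line: str):
    """Return the parsed fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines) -> dict:
    """Count login POSTs per source address and collect PHP requests under the uploads tree."""
    login_posts = Counter()
    php_in_uploads = []
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]          # drop the query string before matching
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[rec["ip"]] += 1
        if path.endswith(".php") and path.startswith(UPLOAD_DIRS):
            php_in_uploads.append((rec["ip"], rec["method"], path, rec["status"]))
    return {
        "brute_force": {ip: n for ip, n in login_posts.items() if n >= BRUTE_FORCE_THRESHOLD},
        "php_in_uploads": php_in_uploads,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The second rule is cheap to enforce as well as to detect: a web server rule that refuses to execute PHP under the uploads directory turns this whole class of web shell into a harmless download. The first rule only counts POSTs, so a legitimate administrator who mistypes a password a few times stays below the threshold while a dictionary attack does not.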
How to guard against website hacking
Even small companies without a large cybersecurity budget can implement simple measures that greatly reduce the chances of getting hacked:
Set long, strong passwords for the administration section of your site, and enable two-factor authentication. Each administrator must have their own password;
Never allow just one person to have access to the site (unless the company has just one employee, naturally). Remember to revoke access when employees leave;
Make sure to keep updated all software components of the site, including the operating system, web server, databases, content management system, and add-ons. Install updates as soon as they are released. If your company lacks the time or expertise, better to use professional website hosting where security is in the hands of a dedicated team. For example, for WordPress there are specialized secure hosting platforms, such as WP Engine;
Maintain a registry of all company websites. It should list every site created, even temporary ones set up, say, for a one-month ad campaign;
Each site in the registry should have its software components updated regularly, even if there’s no business need to update the content;
If the site is no longer needed, and the resources are lacking to update it, better to close it down in a tidy manner. Save the data to an archive, then terminate your hosting account. If necessary, you can also cancel the domain delegation. Another way to shut down a subsite is to remove all content from it, disable any software add-ons like WordPress, and set up redirection to the company’s main site.