CISA released Security Advisory on MiCODUS MV720 Global Positioning System (GPS) Tracker

by | Jul 19, 2022 | Security, Technology

This article is contributed. See the original author and article here.

CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker. These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.

CISA encourages users and technicians to review ICS Advisory ICSA-22-200-01: MiCODUS MV720 GPS Tracker for technical details and mitigations and the Bitsight Report: Critical Vulnerabilities in Widely Used Vehicle GPS Tracker for additional information. 
 

From enabling hybrid work to creating collaborative experiences—here’s what’s new in Microsoft 365

From enabling hybrid work to creating collaborative experiences—here’s what’s new in Microsoft 365

by | Jul 19, 2022 | Azure, Business, Hybrid Work, Microsoft 365, Technology, Viva Goals

This article is contributed. See the original author and article here.

Now that hybrid work is just work, the challenge for organizations is to balance employee demands for flexibility with business needs. This month we made improvements to help employees work smarter and more efficiently, with integrated technology that brings people together across every role and function so they can connect and collaborate effectively in the flow of work.

The post From enabling hybrid work to creating collaborative experiences—here’s what’s new in Microsoft 365 appeared first on Microsoft 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Introducing the Microsoft Digital Contact Center Platform: A comprehensive, flexible customer care solution

Introducing the Microsoft Digital Contact Center Platform: A comprehensive, flexible customer care solution

by | Jul 19, 2022 | Dynamics 365, Microsoft 365, Technology

This article is contributed. See the original author and article here.

In today’s digital world, brand reputation is synonymous with customer experience, including the quality of customer care. Consumers expect effortless, consistent, and secure experiences across any point of contact they choosein fact, their brand perception and customer loyalty depend on it. With the stakes this high, companies need a comprehensive yet flexible solution to modernize their customer care experience.

We are thrilled to introduce the Microsoft Digital Contact Center Platform, an open, extensible, and collaborative contact center solution designed to deliver seamless customer journeys.

Microsoft Digital Contact Center Platform powered with Nuance AI, Teams, and Dynamics 365

With the Microsoft Digital Contact Center Platform, contact centers are equipped with modern digital tools to engage customers across voice, video, and other digital engagement channelspowered by Microsoft Dynamics 365, Microsoft Teams, Microsoft Power Platform, and the newest member of the Microsoft family, Nuance.

The platform brings together a comprehensive yet flexible solution for contact centers, delivering best-in-class AI that powers self-service experiences, live customer engagements, collaborative agent experiences, business process automation, advanced telephony, and fraud prevention capabilities.  

The addition of Nuance brings a new level of conversational AI, security, and automation to the contact center. This gives both customers and agents tools to resolve issues faster and with more personalized service, thus reducing resolution times while improving customer satisfaction. It also enables contact centers to offer targeted incentives to build brand loyalty and upsell opportunities to boost revenue.

We recognize that the complexity and cost of upgrading technology can hold back innovation required to transform customer service from being a cost center to becoming a revenue driver. The open nature of our platform enables companies to build on what they already have and easily add any combination of capabilities they need to take their contact center to the next level. It integrates with a variety of contact center infrastructures and customer relationship management (CRM) systems. Companies can start small or go big, on their terms, and add capabilities at the right time. We are partnering with leaders in contact center infrastructureincluding Accenture-Avanade, Avaya, Genesys, HCL, NICE, and TTECto ensure interoperability and compatibility with contact center systems and components companies use or plan to implement now and in the future.

Enable omnichannel engagement and intelligent self-service

The average consumer uses multiple channels to communicate with a brand. The Microsoft Digital Contact Center Platform makes it easy to meet consumers in the channels they use every dayfrom voice to digital messagingwith secure and protected interactions. With the platform, companies can:

  • Resolve customer needs quickly and easily with customer self-service and automation, enabling scale through automation of repeatable tasks as well as sophisticated transactions.
  • Intelligently connect customers to virtual and live agents with the best-suited skills, experience, capacity, and availability, and provide agents with AI-powered recommendations.
  • Deliver hyper-personalized omnichannel service across voice and digital engagement channels, including support for major social messaging platforms. Provide richer service engagement with Teams voice and video embedded within Dynamics 365 Customer Service.

HP customer service chat on phone with customer asking about warranty coverage.
Figure 1: The Microsoft Digital Contact Center Platform enables automated and live hyper-personalized omnichannel service engagement across voice and digital channels.

Personalize and protect customer interactions

Consumers today expect brands to provide tailored experiences based on their engagement with the company. Delivering personalized experiences starts with using AI to identify and authenticate consumers seamlessly and securely, and requires unlocking the power of data to understand, customize, and optimize customer journeys.

The Microsoft Digital Contact Center Platform uses AI and deep analytics to anticipate customer requests, predict intent, and provide rapid resolution, which streamlines service and increases satisfaction. Customer experiences are protected with integrated biometric identification, authentication, and fraud prevention to build and maintain brand trust. The platform:

  • Uses biometric authentication to authenticate customers in seconds based on inherent biometrics and other factors.
  • Secures every customer and employee interaction, and prevents fraud while uncovering fraud patterns and attack vectors.
  • Provides insights on how consumers interact with the brand throughout their journey with customer journey analytics to improve customer acquisition and tailor personalized offers.
  • Understands why customers are calling and customizes the experience to anticipate their needs with AI intent prediction.

Customer on the phone with virtual agent looking to upgrade their plan. Customer gets verified through biometric authentication.
Figure 2: Biometric authentication capabilities create quick and secure connections for customers.

Improve agent productivity and modernize case management

The Microsoft Digital Contact Center Platform empowers agents to better serve customers by bringing the right information, people, and insights directly into the flow of work with Context IQ. It provides intelligent next-best response recommendations and sentiment analysis to enable fast resolutions. What’s more, this creates a learning loop so automated solutions continually evolve and become smarter. The platform:

  • Provides agents with a 360-degree view of the customer and their journey. Agents can manage customer requests seamlessly from any channel, even while handling multiple sessions at the same time.
  • Empowers agents with personalized conversational intelligence, including sentiment analysis, to truly understand customer emotions and needs. Next-best response and offer recommendations help create valuable upsell and cross-sell opportunities.
  • Assists the agent in identifying the resolution with AI-recommended knowledge articles.
  • Automates how agents quickly and efficiently bring together experts to resolve an open case through intelligent case swarming. With a single click, agents can collaborate with experts matched based on skillset and expertise.

Dynamics 365 agent dashboard showing customer sentiment and suggested actions for the agent to use in conversation with a customer.
Figure 3: Agents can view a real-time call transcript, see the customer’s details, recent cases, and suggested knowledge articles and similar cases to help resolve customer issues more quickly.

Increase customer acquisition and revenue

Rich real-time insights and analytics enable data-driven decisions to improve customer satisfaction, with conversational analytics providing instant visibility into trends across engagement channels. With the Microsoft Digital Contact Center Platform, companies can:

  • Enable agents to increase conversions and drive upsell through real-time offers.
  • Help customers find and select products through personalized offer recommendations, driving upsell and cross-sell revenue.
  • Track user behavior and data to quickly identify and offer optimal engagement opportunities through predictive targeting,thereby improving satisfaction and increasing revenue.
  • Preemptively notify customers of special promotions and updates, which accelerates their purchase intent, and boosts revenue and long-term value.

Drive infrastructure simplicity, flexibility, and innovation

The Microsoft Digital Contact Center Platform simplifies implementation and support of contact center infrastructure, removing complex IT integrations while maintaining flexibility for customers and partners seeking comprehensive Contact Center and Customer Engagement solutions.

Contact center tasks and workflows ranging in complexity from routine conversations to sophisticated transactions can easily be automated using no-code, low-code, or pro-code experiences. Powerful chatbots equipped with conversational AI can be created to converse with customers intelligently and efficiently across engagement channels. Consumers can self-service a wide variety of cases, getting connected with a live agent when needed for support with complex issues.

The platform is also cloud-scale and elastic to accommodate seasonal or surging demand. It automatically adjusts to changes in contact volume, agent counts, wait times, and service levels without performance impact.

Transform the contact center with our extensive partner network

Accenture-Avanade, a customer experience (CX) transformation partner, will deliver its Customer Engagement solutions starting with the Microsoft Digital Contact Center Platform to help customers reimagine their entire customer experience and deliver business results. Additional launch partners include systems integrators EY, HCL, Hitachi, KPMG, PwC, TCS, and TTEC, and ISVs such as Avaya, Genesys, and NICE. With this robust set of launch partners, customers around the globe will be positioned to create new and sophisticated solutions to address specific contact center challenges.

Learn more

Learn more about how to transform customer and agent experiences with the Microsoft Digital Contact Center Platform and explore the full set of capabilities.

Join us at Microsoft Inspire on July 1920 to learn how to unleash customer service innovations with Dynamics 365, Teams, and Nuance.

The post Introducing the Microsoft Digital Contact Center Platform: A comprehensive, flexible customer care solution appeared first on Microsoft Dynamics 365 Blog.

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

Microsoft Purview Information Protection now includes enhanced security for detection of credentials

Microsoft Purview Information Protection now includes enhanced security for detection of credentials

by | Jul 18, 2022 | Technology

This article is contributed. See the original author and article here.

Hybrid work environments have introduced new vulnerable access points to organizations’ data and credentials, requiring improvements in credential security to help prevent the risk of cyber-attacks. In addition, the associated costs of security incidents that involve remote work are over $1 million more expensive on average than incidents that don’t involve remote work.1 Sixty-one percent of data breaches involve credentials, making them the most compromised data type in breaches.2 Cyber attackers often leverage compromised credentials to access personal data like medical history and banking information, which they can later sell on the “dark web.”


 


At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more. With Microsoft Purview Information Protection, we are building a unified set of capabilities for data classification, labeling, and protection not only in Office Apps, but also in other popular productivity services where information resides (e.g., SharePoint Online, Exchange Online, and Microsoft Teams), as well as endpoint devices.  


 


There are currently over 250 pre-built Sensitive Information Types available (e.g., PII identifiers, social security, credit card, bank account numbers, etc.). We are pleased to announce that we are now starting public preview* of 42 new Sensitive Information Types (SITs) enabling organizations to identify, classify, and protect credentials found in documents across OneDrive, SharePoint, Teams, Office Web Apps, Outlook, Exchange Online, Defender for Cloud Apps, and Windows devices. These credential SITs can be included in information protection auto-labeling and data loss prevention policies to help organizations discover a wide range of digital authentication credential types (aka “secrets”), such as user credentials (username and passwords), default passwords, and Azure cloud resources (e.g., Storage Account Keys, SQL Server Connection Strings, and SAS). Also included are new SITs for Amazon S3 Client Secret Access Key, X.509 Certificate Private Key, GitHub Personal Access Token, ASP.NET Machine Key, Slack Access Token, Google API, Ansible Vault, and more. Note that many of these SITs are credentials that provide access to cloud development and other resources, which have been the target of sophisticated attacks on DevOps pipelines within organizations.


 


List of all 42 new SITs:


 












































































Amazon S3 Client Secret Access Key

Azure Subscription Management Certificate

Azure SQL Connection String

Azure Service Bus Shared Access Signature

Azure Redis Cache Connection String Password

Azure IoT Shared Access Key

Azure Storage Account Shared Access Signature

Azure Storage Account Shared Access Signature for High-Risk Resources

Azure Logic App Shared Access Signature

Azure Storage Account Access Key

Azure COSMOS DB Account Access Key

Azure App Service Deployment Password

Azure DevOps Personal Access Token

Azure DevOps App Secret

Azure Function Master / API Key

Azure Shared Access Key / Web Hook Token

Azure AD Client Access Token

Azure AD User Credentials

Azure AD Client Secret

Azure Bot Service App Secret

Azure Databricks Personal Access Token

Azure Container Registry Access Key

Azure Batch Shared Access Key

Azure SignalR Access Key

Azure EventGrid Access Key

Azure Machine Learning Web Service API Key

Azure Cognitive Search API Key

Azure Cognitive Service Key

Azure Maps Subscription Key

Azure Bot Framework Secret Key

X.509 Certificate Private Key

User Login Credentials

ASP.NET Machine Key

General Password

Http Authorization Header

Client Secret / API Key

General Symmetric Key

GitHub Personal Access Token

Google API key

Microsoft Bing Maps Key

Slack Access Token

SIT that includes all 41 previous SITs

 


New credential SITs key capabilities



  • Within the Microsoft Purview compliance portal, these new credential SITs can be added to auto-labeling and DLP policies to quickly and accurately detect and classify complex digital authentication credentials

  • System administrators can test the accuracy of individual SITs against sample data

  • These new credential SITs will be visible in Content Explorer and Activity Explorer, enabling users to:

    • Locate documents that contain sensitive credentials within their environment

    • Identify activity involving the use of credential data within their environment




Public preview also includes:





































Support for: Microsoft Purview solutions
Sensitivity labels Information Protection
Auto-labeling** Data Loss Prevention (DLP) policies 
Exact Data Match SITs Insider Risk Management
  Data Lifecycle Management
  Records Management
  eDiscovery
  Microsoft Priva

 


*Note: Rollout has begun as of July 18th and is expected to be fully completed within a 24-hour window (July 19th).


**Note: Office client-side labeling is currently not supported, but it will be available sometime in CY22H2. Please stay tuned for additional updates on this capability. 


 


In-Product Screenshot(s)


 


__________________________0-1656626825649.png


Figure 1: Detection of general passwords using Credential SIT. Note that an E5 or A5 license is required for accessing Credential SITs, which will be in public preview within the next few weeks for commercial cloud customers and government clouds (GCC, GCC-High, Department of Defense).


 


Learn more about Microsoft Purview Information Protection and Credential SITs here. We are constantly extending our product capabilities to help organizations more easily classify and protect sensitive data.


 


Get Started 


We are happy to share that there is now an easier way for you to try Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a trial. By enabling the trial in the Purview compliance portal, you can quickly access the new Credential SITs and Easy Trials, and start using all capabilities of Microsoft Purview, including Insider Risk Management, Records Management, Audit, eDiscovery, Communication Compliance, Information Protection, Data Lifecycle Management, Data Loss Prevention, and Compliance Manager. Visit your Microsoft Purview compliance portal for more details or check out the Microsoft Purview solutions trial (an active M365 E3 subscription is required as a prerequisite).


 


With Information Protection Easy Trials, users can apply default labels and get label recommendations on items containing sensitive data such as credit card numbers and activate features with a single click. System admins can review items containing credit card numbers and decide whether to automatically apply a label to them. Also, get further information on how to set up recommended information protection features and how to create auto-labeling policies.


 


We look forward to hearing your feedback! 



1 IBM Security and Ponemon Institute, “Cost of a Data Breach Report 2021,” July 2021


2 Verizon “2021 Data Breach Investigations Report”, May 2021

MAR-10382580-r2.v1 – RAT

MAR-10382580-r2.v1 – RAT

by | Jul 18, 2022 | Security, Technology

This article is contributed. See the original author and article here.

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Description

This CISA submission included one unique file. This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.

For a downloadable copy of IOCs, see: MAR-10382580.r2.v1.WHITE_stix

Submitted Files (1)

4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f (ilasvc.exe)

IPs (1)

151.106.30.120

4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f

Tags

remote-access-trojantrojan

Details
Name ilasvc.exe
Size 1056768 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 05d38bc82d362dd57190e3cb397f807d
SHA1 52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
SHA512 d03894ad9ce7a5f0e58a5e6385926263507f2571e3cbe60fce1ed5463a77152a7779d8b494ee7a6ff4986de19c0a92cbcc8dae5697d69dc196c474723ee553ef
ssdeep 24576:mStdBO8/kIH46+jHd3JURkxXH3rg9fNJa9y5xmDYzgLu8b7oCK:mST2+qXHbg91Ja9y5MOgL3K
Entropy 7.599564
Antivirus
ESET a variant of Win64/Injector.HA.gen trojan
IKARUS Trojan.Win64.Injector
YARA Rules
  • rule CISA_10382580_03 : loader
    {
       meta:
           Author = “CISA Code & Media Analysis”
           Incident = “10382580”
           Date = “2022-05-02”
           Last_Modified = “20220602_1200”
           Actor = “n/a”
           Category = “Loader”
           Family = “n/a”
           Description = “Detects loader samples”
           MD5_1 = “3764a0f1762a294f662f3bf86bac776f”
           SHA256_1 = “f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab”
           MD5_2 = “21fa1a043460c14709ef425ce24da4fd”
           SHA256_2 = “66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16”
           MD5_3 = “e9c2b8bd1583baf3493824bf7b3ec51e”
           SHA256_3 = “7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751”
           MD5_4 = “de0d57bdc10fee1e1e16e225788bb8de”
           SHA256_4 = “33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b”
           MD5_5 = “9b071311ecd1a72bfd715e34dbd1bd77”
           SHA256_5 = “3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0”
           MD5_6 = “05d38bc82d362dd57190e3cb397f807d”
           SHA256_6 = “4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f”
       strings:
           $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
           $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
           $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
           $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-04-30 19:43:57-04:00
Import Hash 99197f3296550481a848ea8d4e097487
Company Name Sysinternals – www.sysinternals.com
File Description Flush cached data to disk.
Internal Name Sync
Legal Copyright Copyright (C) 2016 Mark Russinovich
Original Filename Sync.exe
Product Name Sysinternals Sync
Product Version 2.2
PE Sections
MD5 Name Raw Size Entropy
a917582fc3e796bb1d43bfce05c0cfb3 header 1024 3.105665
5fbd29958a5484173910cb06dcfc4e9e .text 310784 6.453454
34b6e6a847957ef90ef9460e0f8dd3d0 .rdata 98304 5.168254
e32c1166142d325350f6e6443db43144 .data 3584 2.609738
ffc4ab2046acad015eba98898e975ad5 .pdata 18432 5.804487
502485fa11633b4eb9eaef15fcb482a5 .rsrc 622080 7.975998
69687e4a3ffbefbe782d13637ce8605a .reloc 2560 4.913641
Relationships
4cd7efdb1a… Connected_To 151.106.30.120
Description

This malware is a 64-bit Windows loader that contains an embedded encrypted malicious executable. During runtime, this embedded executable is decrypted and loaded into memory, never touching the system’s hard disk. The encrypted executable is similar in functionality to the file 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, described in report MAR-10382580.r1.v1. The malware embedded within this loader attempts to communicate with the hard-coded C2 Internet Protocol (IP) address 151[.]106[.]30[.]120. This malware provides a vast array of C2 capabilities including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and have graphical user interface (GUI) access over a target Windows system’s desktop. Many of the structures utilized to implement the C2 capabilities in this malware appear to be derived from the same source code as 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, however this malware utilizes much more complex obfuscation to hinder the analysis of its code structures. This malware also utilizes a more complex encryption algorithm to secure its network communications.

The malware embedded within this binary utilizes a secure strings scheme based on a rotating XOR cipher (Figure 7). The strings are partially decrypted and listed below with their corresponding approximate memory address locations during runtime — assuming a base address of 0x260000.

–Begin Decoded Strings–

(‘0x264e32’, ‘RegQueryValueExl’)
(‘0x264f58’, ‘RegQueryValueEx’)
(‘0x265325’, ‘GetCurrentProcessId’)
(‘0x265bc9’, ‘GetEnvironmentVariableW’)
(‘0x265cc1’, ‘ShellExecuteExW’)
(‘0x268b20’, ‘GetAdaptersInfo’)
(‘0x268c49’, ‘GetAdaptersInfo’)
(‘0x26a77c’, ‘EnumDependentServicesW’)
(‘0x26a98b’, ‘EnumDependentServi’)
(‘0x26abb9’, ‘ControlService’)
(‘0x26ad5b’, ‘QueryServiceStatus’)
(‘0x26af62’, ‘CloseServiceHandle’)
(‘0x26c3ed’, ‘GetComputerNameW’)
(‘0x277621’, ‘GetEnvironmentVariableW’)
(‘0x27856f’, ‘GetLogicalDriveStringsW’)
(‘0x2788e5’, ‘GetVolumeInformationW’)
(‘0x278f87’, ‘FindFirstFileW’)
(‘0x27a3f3’, ‘GetSystemDirectoryW’)
(‘0x27bf04’, ‘SetFilePointerEx’)
(‘0x27d125’, ‘RemoveDirectoryW’)
(‘0x27daa7’, ‘FindFirstFileW’)
(‘0x284074’, ‘GetClipboardData’)
(‘0x2850d4’, ‘GetForegroundWindow’)
(‘0x28513d’, ‘GetDesktopWindow’)
(‘0x28b443’, ‘GetProcessHeap’)
(‘0x28b533’, ‘CoInitializeEx’)
(‘0x28b655’, ‘StartServiceCtrlDispatch’)
(‘0x28cd63’, ‘GetModuleFileNameW’)
(‘0x2636f3’, ‘UnkownError’)
(‘0x2649f3’, “Display”””)
(‘0x264ab0’, ‘RegOpenKeyExW’)
(‘0x264af0’, ‘ADVAPI32.dll’)
(‘0x264ca0’, ‘RegEnumKeyExW’)
(‘0x264ce0’, ‘ADVAPI32.dll’)
(‘0x264d80’, ‘RegOpenKeyExW’)
(‘0x264dc0’, ‘ADVAPI32.dll’)
(‘0x264e90’, ‘ADVAPI32.dll’)
(‘0x264fb0’, ‘ADVAPI32.dll’)
(‘0x265160’, ‘RegCloseKey’)
(‘0x2651b0’, ‘ADVAPI32.dll’)
(‘0x265390’, ‘KERNEL32.dll’)
(‘0x265c30’, ‘KERNEL32.dll’)
(‘0x265d20’, ‘SHELL32.dll’)
(‘0x266950’, ‘GetVersionExW’)
(‘0x266990’, ‘KERNEL32.dll’)
(‘0x266b63’, ‘CurrentMajorVersionNum’)
(‘0x266c33’, ‘CurrentMajorVersionNum’)
(‘0x268b80’, ‘IPHLPAPI.dll’)
(‘0x268c03’, ‘KERNEL32.dll’)
(‘0x268ca0’, ‘IPHLPAPI.dll’)
(‘0x26a710’, ‘GetTickCount’)
(‘0x26a750’, ‘KERNEL32.dll’)
(‘0x26a7b8’, ‘EnumDepende’)
(‘0x26a7f3’, ‘Advapi32.dll’)
(‘0x26a872’, ‘GetLastError’)
(‘0x26a8b0’, ‘KERNEL32.dll’)
(‘0x26a940’, ‘KERNEL32.dll’)
(‘0x26aa17’, ‘Advapi32.dll’)
(‘0x26aafb’, ‘OpenServiceW’)
(‘0x26ab4b’, ‘Advapi32.dll’)
(‘0x26ac33’, ‘Advapi32.dll’)
(‘0x26acd4’, ‘Sleep’)
(‘0x26ad24’, ‘KERNEL32.dll’)
(‘0x26adea’, ‘Advapi32.dll’)
(‘0x26aeaa’, ‘GetTickCount’)
(‘0x26af03’, ‘KERNEL32.dll’)
(‘0x26afdb’, ‘Advapi32.dll’)
(‘0x26c2e0’, ‘GetUserNameW’)
(‘0x26c320’, ‘Advapi32.dll’)
(‘0x26c450’, ‘KERNEL32.dll’)
(‘0x26cad0’, ‘KERNEL32.dll’)
(‘0x273220’, ‘closesocket’)
(‘0x274a90’, ‘getsockname’)
(‘0x275280’, ‘getsockname’)
(‘0x276583’, ‘Erroroccurswhiles’)
(‘0x276714’, ‘NoTabsinclient.’)
(‘0x2769e3’, ‘NoTabsinclient.’)
(‘0x276b60’, ‘KERNEL32.dll’)
(‘0x277690’, ‘KERNEL32.dll’)
(‘0x2785e0’, ‘KERNEL32.dll’)
(‘0x2786d3’, ‘ErroroccursinGetL’)
(‘0x278950’, ‘KERNEL32.dll’)
(‘0x2789e0’, ‘GetDriveTypeW’)
(‘0x278a20’, ‘KERNEL3’)
(‘0x278f10’, ‘PathCombineW’)
(‘0x278f50’, ‘SHLWAPI.dll’)
(‘0x278fa4’, ‘FindFirstFile’)
(‘0x278fe0’, ‘KERNEL32.dll’)
(‘0x279120’, ‘PathCombineW’)
(‘0x279160’, ‘SHLWAPI.dll’)
(‘0x2791c1’, ‘CreateFileW’)
(‘0x279200’, ‘KERNEL32.dll’)
(‘0x279280’, ‘GetFileTime’)
(‘0x2792c0’, ‘KERNEL32.dll’)
(‘0x279320’, ‘CloseHandle’)
(‘0x279360’, ‘KERNEL32.dll’)
(‘0x2796a0’, ‘FindNextFileW’)
(‘0x2796e0’, ‘KERNEL32.dll’)
(‘0x2797b3’, ‘Cannotaccesstofold’)
(‘0x27a460’, ‘KERNEL32.dll’)
(‘0x27a4e3’, ‘kernel32.dll’)
(‘0x27a540’, ‘PathCombineW’)
(‘0x27a580’, ‘SHLWAPI.dll’)
(‘0x27a5e0’, ‘CreateFileW’)
(‘0x27a620’, ‘KERNEL32.dll’)
(‘0x27a692’, ‘GetFileTime’)
(‘0x27a6d0’, ‘KERNEL32.dll’)
(‘0x27a730’, ‘CloseHandle’)
(‘0x27a770’, ‘KERNEL32.dll’)
(‘0x27acf0’, ‘CreateFileW’)
(‘0x27ad30’, ‘KERNEL32.dll’)
(‘0x27ade0’, ‘GetFileTime’)
(‘0x27ae20’, ‘KERNEL32.dll’)
(‘0x27af80’, ‘GetLastError’)
(‘0x27afc0’, ‘KERNEL32.dll’)
(‘0x27b430’, ‘GetLastError’)
(‘0x27b470’, ‘KERNEL32.dll’)
(‘0x27b932’, ‘CreateFileW’)
(‘0x27b970’, ‘KERNEL32.dll’)
(‘0x27b9f0’, ‘GetLastError’)
(‘0x27ba30’, ‘KERNEL32.dll’)
(‘0x27bf60’, ‘KERNEL32.dll’)
(‘0x27c000’, ‘KERNEL32.dll’)
(‘0x27c080’, ‘KERNEL32.dll’)
(‘0x27c1b0’, ‘CloseHandle’)
(‘0x27c1f0’, ‘KERNEL32.dll’)
(‘0x27c270’, ‘GetLastError’)
(‘0x27c2b0’, ‘KERNEL32.dll’)
(‘0x27c3c3’, ‘Nodescriptorfound.’)
(‘0x27c860’, ‘KERNEL32.dll’)
(‘0x27c950’, ‘CloseHandle’)
(‘0x27c990’, ‘KERNEL32.dll’)
(‘0x27c9f0’, ‘GetLastError’)
(‘0x27ca30’, ‘KERNEL32.dll’)
(‘0x27cb00’, ‘CloseHandle’)
(‘0x27cb40’, ‘KERNEL32.dll’)
(‘0x27cdc0’, ‘CloseHandle’)
(‘0x27ce00’, ‘KERNEL32.dll’)
(‘0x27d180’, ‘KERNEL32.dll’)
(‘0x27d1f0’, ‘DeleteFileW’)
(‘0x27d230’, ‘KERNEL32.dll’)
(‘0x27d290’, ‘GetLastError’)
(‘0x27d2d0’, ‘KERNEL32.dll’)
(‘0x27d3e3’, ‘Deletesuccessed.’)
(‘0x2c3743’, ‘Deletepayloadcorrupt’)
(‘0x27da30’, ‘PathCombineW’)
(‘0x27da70’, ‘SHLWAPI.dll’)
(‘0x27dac4’, ‘FindFirstFile’)
(‘0x27db00’, ‘KERNEL32.dll’)
(‘0x27dc20’, ‘PathCombineW’)
(‘0x27dc60’, ‘SHLWAPI.dll’)
(‘0x27ded1’, ‘FindNex2@x04@%@’)
(‘0x27df10’, ‘KERNEL32.dll’)
(‘0x284030’, ‘OpenClipboard’)
(‘0x284110’, ‘Kernel32.dll’)
(‘0x2841b3’, ‘<CTRL+V>’)
(‘0x284253’, ‘</CTRL+V>’)
(‘0x284fe3’, ‘Composition’)
(‘0x285073’, ‘Sfwrirsfi’)
(‘0x28507c’, ‘otaeMcootW’)
(‘0x285484’, ‘Monitor%d[%d*%d]’)
(‘0x28b280’, ‘DeleteObject’)
(‘0x28b400’, ‘KERNEL32.dll’)
(‘0x28b4a0’, ‘KERNEL32.dll’)
(‘0x28b6d0’, ‘Advapi32.dll’)
(‘0x28cdc0’, ‘KERNEL32.dll’)
(‘0x28d230’, ‘ExitProcess’)
(‘0x28d270’, ‘KERNEL32.dll’)
(‘0x28d3b0’, ‘GetTempPathW’)
(‘0x28d3f0’, ‘KERNEL32.dll’)
(‘0x28d4a0’, ‘PathCombineW’)
(‘0x28d4e0’, ‘SHLWAPI.dll’)

–End Decoded Strings–

Screenshots

Figure 1 - This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware's initial outbound block contains a chunk of random data and the unicode string "hello".

Figure 1 – This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware’s initial outbound block contains a chunk of random data and the unicode string “hello”.

Figure 2 - This screenshot illustrates the malware's hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.

Figure 2 – This screenshot illustrates the malware’s hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.

Figure 3 - This screenshot illustrates the data returned to the remote operator if they simply reply to the malware's initial "hello" packet with their own "hello" packet. This data block contains the compromised system's MAC address, IP address, OS version, processor type, as well as other system specific information. The cryptographic algorithm illustrated in Figure 4 will be utilized to encrypt this data before it is sent to the remote C2 server.

Figure 3 – This screenshot illustrates the data returned to the remote operator if they simply reply to the malware’s initial “hello” packet with their own “hello” packet. This data block contains the compromised system’s MAC address, IP address, OS version, processor type, as well as other system specific information. The cryptographic algorithm illustrated in Figure 4 will be utilized to encrypt this data before it is sent to the remote C2 server.

Figure 4 - This screenshot illustrates code extracted from this malware's primary cryptographic function. This algorithm will be utilized to encrypt and decrypt all network traffic exchanged between this implant and its remote operator. Although the malware does communicate over port 443, this algorithm is utilized rather than SSL. Static analysis indicates a hard-coded 16 byte key is utilized to encrypt and decrypt network traffic. That key can be observed in Figure 2.

Figure 4 – This screenshot illustrates code extracted from this malware’s primary cryptographic function. This algorithm will be utilized to encrypt and decrypt all network traffic exchanged between this implant and its remote operator. Although the malware does communicate over port 443, this algorithm is utilized rather than SSL. Static analysis indicates a hard-coded 16 byte key is utilized to encrypt and decrypt network traffic. That key can be observed in Figure 2.

Figure 5 - This screenshot illustrates the names of various classes utilized by this implant. The class VK1AlgorithmEngine contains the function which is utilized to encrypt and decrypt this malware's network traffic (Figure 4). Notably, the previously analyzed sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 utilizes a different class to implement its network traffic encryption. That sample's cryptographic class name is VSimpleXorAlgorithmEngine. This explains why the samples, while structurally and functionally very similar, utilize a different algorithm to secure their network communications.

Figure 5 – This screenshot illustrates the names of various classes utilized by this implant. The class VK1AlgorithmEngine contains the function which is utilized to encrypt and decrypt this malware’s network traffic (Figure 4). Notably, the previously analyzed sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 utilizes a different class to implement its network traffic encryption. That sample’s cryptographic class name is VSimpleXorAlgorithmEngine. This explains why the samples, while structurally and functionally very similar, utilize a different algorithm to secure their network communications.

Figure 6 - This screenshot illustrates several malicious classes this malware utilizes. The class VFeatureCmd provides the function which implements the malware's reverse shell capability -- providing the remote hacker direct access to a Windows command shell. The class VFeatureKeylogger provides advanced key logging capabilities. Static analysis indicates the VFeatureSocks and VFeatureTunnel classes implement the malware's TCP proxying capability. And the VFeatureScreen class provides functions which allow the remote operator to monitor victim user's desktop / GUI sessions. These same classes are utilized in malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1.

Figure 6 – This screenshot illustrates several malicious classes this malware utilizes. The class VFeatureCmd provides the function which implements the malware’s reverse shell capability — providing the remote hacker direct access to a Windows command shell. The class VFeatureKeylogger provides advanced key logging capabilities. Static analysis indicates the VFeatureSocks and VFeatureTunnel classes implement the malware’s TCP proxying capability. And the VFeatureScreen class provides functions which allow the remote operator to monitor victim user’s desktop / GUI sessions. These same classes are utilized in malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1.

Figure 7 - This malware sample contains many encoded strings. As illustrated in this screenshot, many of the strings are encoded using an XOR cipher utilizing a single-byte key. A different XOR single-byte key will be used to decode each string.

Figure 7 – This malware sample contains many encoded strings. As illustrated in this screenshot, many of the strings are encoded using an XOR cipher utilizing a single-byte key. A different XOR single-byte key will be used to decode each string.

Figure 8 - his screenshot illustrates a misspelling with the word "modifing" in the malware's source code. This same misspelling can be observed in the plugin embedded within malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1. This piece of information may be useful for attribution purposes.

Figure 8 – his screenshot illustrates a misspelling with the word “modifing” in the malware’s source code. This same misspelling can be observed in the plugin embedded within malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1. This piece of information may be useful for attribution purposes.