Chet  Lubowitz

Chet Lubowitz

1595065800

Encryption Utility Firm Accused of Bundling Malware Functions

The increasingly prevalent GuLoader malware has been traced back to a far-reaching encryption service that attempts to pass as above-board.

An Italian company that sells what it describes as a legitimate encryption utility is being used as malware packer for the cloud-delivered malicious GuLoader dropper, claim researchers. The tool, according a recent investigation, creates GuLoader samples and helps the malware avoid antivirus detection.

For its part, the company claims it has taken steps to prevent bad actors from using its wares for ill.

According to researchers at Check Point, the company identified as CloudEyE is looking to take a piece of the traditional packer and crypter market – a thriving arena that caters to malware authors looking for obfuscation for their wares.

GuLoader is a widespread dropper that compromises targets and then delivers second-stage malware. It’s been constantly updated over the course of 2020, according to Check Point, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.

“As a result, we can reasonably assume that behind GuLoader there is a major new service” providing various forms of encryption, according to the researchers.

#cloud security #malware #check point #cloudeye #crypter #darkeye #encryption #guloader #italian company #malware #malware analysis #packer #securitycode.eu

What is GEEK

Buddha Community

Encryption Utility Firm Accused of Bundling Malware Functions
Chet  Lubowitz

Chet Lubowitz

1595065800

Encryption Utility Firm Accused of Bundling Malware Functions

The increasingly prevalent GuLoader malware has been traced back to a far-reaching encryption service that attempts to pass as above-board.

An Italian company that sells what it describes as a legitimate encryption utility is being used as malware packer for the cloud-delivered malicious GuLoader dropper, claim researchers. The tool, according a recent investigation, creates GuLoader samples and helps the malware avoid antivirus detection.

For its part, the company claims it has taken steps to prevent bad actors from using its wares for ill.

According to researchers at Check Point, the company identified as CloudEyE is looking to take a piece of the traditional packer and crypter market – a thriving arena that caters to malware authors looking for obfuscation for their wares.

GuLoader is a widespread dropper that compromises targets and then delivers second-stage malware. It’s been constantly updated over the course of 2020, according to Check Point, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.

“As a result, we can reasonably assume that behind GuLoader there is a major new service” providing various forms of encryption, according to the researchers.

#cloud security #malware #check point #cloudeye #crypter #darkeye #encryption #guloader #italian company #malware #malware analysis #packer #securitycode.eu

Vincent Lab

Vincent Lab

1605017502

The Difference Between Regular Functions and Arrow Functions in JavaScript

Other then the syntactical differences. The main difference is the way the this keyword behaves? In an arrow function, the this keyword remains the same throughout the life-cycle of the function and is always bound to the value of this in the closest non-arrow parent function. Arrow functions can never be constructor functions so they can never be invoked with the new keyword. And they can never have duplicate named parameters like a regular function not using strict mode.

Here are a few code examples to show you some of the differences
this.name = "Bob";

const person = {
name: “Jon”,

<span style="color: #008000">// Regular function</span>
func1: <span style="color: #0000ff">function</span> () {
    console.log(<span style="color: #0000ff">this</span>);
},

<span style="color: #008000">// Arrow function</span>
func2: () =&gt; {
    console.log(<span style="color: #0000ff">this</span>);
}

}

person.func1(); // Call the Regular function
// Output: {name:“Jon”, func1:[Function: func1], func2:[Function: func2]}

person.func2(); // Call the Arrow function
// Output: {name:“Bob”}

The new keyword with an arrow function
const person = (name) => console.log("Your name is " + name);
const bob = new person("Bob");
// Uncaught TypeError: person is not a constructor

If you want to see a visual presentation on the differences, then you can see the video below:

#arrow functions #javascript #regular functions #arrow functions vs normal functions #difference between functions and arrow functions

Tia  Gottlieb

Tia Gottlieb

1598258520

Activation Functions, Optimization Techniques, and Loss Functions

Activation Functions:

A significant piece of a neural system Activation function is numerical conditions that decide the yield of a neural system. The capacity is joined to every neuron in the system and decides if it ought to be initiated (“fired”) or not, founded on whether every neuron’s info is applicable for the model’s expectation. Initiation works likewise help standardize the yield of every neuron to a range somewhere in the range of 1 and 0 or between — 1 and 1.

Progressively, neural systems use linear and non-linear activation functions, which can enable the system to learn complex information, figure and adapt practically any capacity speaking to an inquiry, and give precise forecasts.

Linear Activation Functions:

**Step-Up: **Activation functions are dynamic units of neural systems. They figure the net yield of a neural node. In this, Heaviside step work is one of the most widely recognized initiation work in neural systems. The capacity produces paired yield. That is the motivation behind why it is additionally called paired advanced capacity.

The capacity produces 1 (or valid) when info passes edge limit though it produces 0 (or bogus) when information doesn’t pass edge. That is the reason, they are extremely valuable for paired order studies. Every rationale capacity can be actualized by neural systems. In this way, step work is usually utilized in crude neural systems without concealed layer or generally referred to name as single-layer perceptions.

#machine-learning #activation-functions #loss-function #optimization-algorithms #towards-data-science #function

Houston  Sipes

Houston Sipes

1602723600

APT Attack Injects Malware into Windows Error Reporting

A campaign that injects malware into the Windows Error Reporting (WER) service to evade detection is potentially the work of a Vietnamese APT group, researchers said.

The attack, discovered on Sept. 17 by researchers at Malwarebytes Threat Intelligence Team, lures its victims with a phishing campaign that claims to have important information about workers’ compensation rights, according to a blog post on Tuesday by researchers Hossein Jazi and Jérôme Segura. Instead, it leads them to a malicious website that can load malware that hides in WER, they said.

“The threat actors compromised a website to host its payload and used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques,” researchers wrote.

WER is the crash-reporting tool of the Microsoft Windows OS, introduced in Windows XP. It’s also included in Windows Mobile versions 5.0 and 6.0.

The service runs the WerFault.exe, which is “usually invoked when an error related to the operating system, Windows features or applications happens,” researchers noted. This makes it a good cloaking mechanism for threat actors, as users wouldn’t likely to suspect any nefarious activity if the service is running, they said.

“When victims see WerFault.exe running on their machine, they probably assume that some error happened, while in this case they have actually been targeted in an attack,” Jazi and Segura wrote.

The use of this evasion tactic is not new, researchers noted, and the technique suggests a connection to the Vietnamese APT32 group, also known as OceanLotus.

“APT32 is one of the actors that is known to use CactusTorch HTA to drop variants of the Denis RAT,” researchers said. Moreover, the domain used to host malicious archives and documents is registered in Ho Chi Minh City, Vietnam, which also points to APT32, researchers noted.

That said, it’s still unclear exactly who is behind the attack because researchers did not access the final payload to examine it extensively, they said.

The attack begins as a ZIP file containing a malicious document, called “Compensation.manual.doc” that threat actors distribute through spear-phishing attacks and which purports to offer information about compensation rights for workers

“Inside we see a malicious macro that uses a modified version of CactusTorch VBA module to execute its shellcode,” researchers wrote. “CactusTorch is leveraging the DotNetToJscript technique to load a .NET compiled binary into memory and execute it from vbscript.”

#malware #web security #apt #apt32 #campaign #cyberattack #detection evasion #fileless malware #injection #kraken #malware #malwarebytes #nation state #oceanlotus #vietnam #vietnamese #windows error reporting #workers's compensation

Juana  O'Keefe

Juana O'Keefe

1597548300

NSA, FBI Warn of Linux Malware Used in Espionage Attacks

A never before seen malware has been used for espionage purposes via Linux systems, warn the NSA and FBI in a joint advisory.

UPDATE

The U.S. government is warning of new malware, dubbed Drovorub, that targets Linux systems. It also claims the malware was developed for a Russian military unit in order to carry out cyber-espionage operations.

The malware, Drovorub, comes with a multitude of espionage capabilities, including stealing files and remotely controlling victims’ computers. The malware is sophisticated and is designed for stealth, leveraging advanced “rootkit” technologies that make detection difficult. According to a Thursday advisory by the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI), the malware especially represents a threat to national security systems such as the Department of Defense and Defense Industrial Base customers that use Linux systems.

“Drovorub is a Linux malware toolset consisting of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server,” according to a 45-page deep-dive analysis of the malware published Thursday [PDF] by the FBI and NSA. “When deployed on a victim machine, the Drovorub implant (client) provides the capability for direct communications with actor controlled C2 infrastructure; file download and upload capabilities; execution of arbitrary commands as ‘root’; and port forwarding of network traffic to other hosts on the network.”

Despite the in-depth report, the FBI and NSA did not detail how the initial attack vector for the malware occurs. The report also does not specify how long the malware has been in action, or how many companies may have been targeted – and whether any attacks have been successful. Authorities didn’t say specify that the malware initially infects victims either. It did say the threat actor behind the malware uses a “wide variety of proprietary and publicly known techniques to target networks and to persist their malware on commercial devices.”

The Malware

Of note, the name “Drovorub” was pulled from a variety of artifacts discovered in Drovorub files, according to the report. The FBI and NSA say this is the name used by the threat actors themselves, and translated, means “woodcutter” or “to split wood.”

Drovorub, refers to a malware suite of four separate components that include an agent, client, server and kernel module. When deployed on a victim’s machine, the Drovorub client is first installed, and then provides the capability for direct communications with an actor-controlled command-and-control (C2) infrastructure.

linux malware

Once the client is in contact with the attacker controlled server, it then uses an agent component to receive commands. Those commands can trigger file download and upload capabilities, execution of arbitrary commands such as “root,” and port forwarding of network traffic to other hosts on the network.

Additionally, the client is packaged with a kernel module that provides rootkit-based stealth functionality to hide the client and kernel module, according to the advisory. The capability of a rootkit, which is a collection of malicious software designed to enable access to a computer, provides an extra layer of stealth for the malware to hide its implant on infected devices. It does so by hiding specific files, modules and network artifacts. The rootkit also has a persistence features that allows malware to remain on infected machines when it is rebooted (unless UEFI secure boot is enabled in “Full” or “Thorough” mode).

#hacks #malware #c2 #drovorub #fbi #hack #linux #linux malware #malware #nsa #rootkit