Connect with us

Press Release

Microsoft fumbles supply chain and acknowledges signing rootkit malware.

Published

on

Microsoft fumbles supply chain and acknowledges signing rootkit malware.

As of right now, Microsoft has admitted to signing a malicious driver that is disseminated in gaming contexts.

This “Netfilter”-named driver is actually a rootkit that has been seen interacting with Chinese C2 IP addresses.

Last week, the whole infosec. community joined G Data malware specialist Karsten Hahn in tracking down and analysing the malicious drivers that bore the Microsoft logo.

This incident exposed vulnerabilities to software supply-chain security once more, but this time it was caused by a flaw in the code-signing procedure used by Microsoft.

Rootkit “Netfilter” driver is Microsoft-signed.
A Microsoft signed driver dubbed “Netfilter” was detected last week by G Data’s cybersecurity alert systems as what at first glance appeared to be a false positive, but wasn’t.

The driver in question was observed interacting with C&C IPs based in China, which had no valid functionality and raised red flags.

This is when Karsten Hahn, a malware analyst at G Data, disclosed this publicly and contacted Microsoft at the same time:

Since Windows Vista, all code that operates in kernel mode must be tested and certified before being made available to the public in order to maintain the stability of the operating system.

According to Hahn, “Drivers without a Microsoft certificate cannot be deployed by default.”

At that time, BleepingComputer started tracking C2 URL behaviour and approached Microsoft for a comment.

A list of further routes (URLs), denoted by the pipe (“|”) symbol, are returned by the first C2 URL:

Each of these, in Hahn’s opinion, has a function:

The URL that ends in “/p” refers to proxy settings, “/s” offers encoded redirection IPs, “/h?” is for getting CPU-ID, “/c” offered a root certificate, and “/v?” refers to the malware’s self-updating capabilities.
For instance, as observed by BleepingComputer, the malicious Netfilter driver in question (residing at “/d3”) was accessible via the “/v?” path at the following URL:

After thoroughly examining the driver, the G Data researcher came to the conclusion that it was malware.

In a thorough blog post, the researcher examined the driver, its ability to self-update, and Indicators of Compromise (IOCs).

According to Hahn, the sample features a self-update routine that transmits its own MD5 hash to the server via the URL hxxp:/110.42.4.180:2081/v?v=6&m=.

An illustration of a request would be as follows:

hxxp:/110.42.4.180:2081/v?v=6&m=921fa8a5442e9bf3fe727e770cded4ab
“The server then replies with either ‘OK’ if the sample is current or the URL for the most recent sample, such as hxxp:/110.42.4.180:2081/d6. As a result, the malware replaces its own file “further information from the researcher

Other malware specialists like Johann Aydinbas, Takahiro Haruyama, and Florian Roth worked with Hahn during his analysis.

Roth has offered YARA rules for recognising them in your network environments after being able to compile the list of samples in a spreadsheet.

Microsoft is looking at a bad actor who spreads harmful drivers inside of gaming environments.

“In order to be certified by the Windows Hardware Compatibility Program, the actor supplied drivers. A third party created the drivers.”

Microsoft stated yesterday, “We have stopped the account and checked their uploads for additional indicators of malware.”

Microsoft claims that the threat actor primarily targeted the gaming industry in China with these malicious drivers and that there is currently no evidence that enterprise environments have been impacted.

Microsoft is waiting before blaming nation-state actors for this incident.

Sophisticated threat actors may take advantage of falsely signed binaries to help launch extensive software supply-chain attacks.

A well-known event in which code-signing certificates were taken from Realtek and JMicron to assist the comprehensive Stuxnet attack on Iran’s nuclear programme.

However, this specific instance has shown flaws in a reliable code-signing procedure, which threat actors have exploited to obtain Microsoft-signed code without jeopardising any certifications.

Press Release

Rajshree Game Play Result

Published

on

Rajshree Game Play Result

If you are searching to find Play Rajshree Video Game Outcome? After that, you can find several sites here that provide in-depth information.

Results Chart for the Playrajshree Lottery game online
RAJSHREE-J. 09:00 AM: 9033: 9123: 9272: 9389: 9452: 9503: 9671: 9722: 9827: 9948: It is completely forbidden to buy lottery tickets using this website in jurisdictions where lotteries are outlawed. To play the online lottery, you must be at least 18 years old.

http://www.playrajshree.com/QuickLink/ResultChart.aspx
DSDIR, Rajshri Play Game Result
Rajshree Lottery is a fun online game where you can view the results every 15 and 20 minutes as of Mar. 13, 2022. The age requirement to play this game is 18. Good luck today. Any adult can play the online game Rajshree Lottery.

Rajshri Play Game Result


Game Rajashri to play
Welcome to play the Rajashri Lottery at Draw Time: 10:00 AM on Draw Date: 10-03-2022: Golden (GA 60-69) ShubhLaxmi (SA 20-29). The current time is: 07:06:34 PM on 10-03-2022.

https://playrajashrilott.com/
Rajshree Result – DSDIR to play
Results Chart – PLAY ONLINE PLAYRAJSHREE LOTTERY GAME. RAJSHREE-J. Mar. 12, 2022. 09:00 AM: 9033: 9123: 9272: 9389: 9452: 9503: 9671: 9722: 9827: 9948: It is completely forbidden to buy lottery tickets using this website in jurisdictions where lotteries are outlawed.

Play Rajshree Result


Goa Lottery Rajshree Results – Lottery Results
Mar. 11, 2022 The Rajshree Lottery is held daily in Goa, and the results are reported below in the table. The top prize-winning ticket and the sum earned are displayed. You can check your tickets here to see if you won the top prize in the Rajshree lottery or any of the other levels. You can also check the top reward for previous drawings.

https://www.lotto.in/goa/rajshree-results
Findings – GOA Star
Summary of the results: Golden A Game, Subhlaxmi A Game, and Rajshree A Game.

https://playrajshreegoa.com/
Results Sheet for Rajshri’s Victory
In the states where lotteries are illegal, buying lottery tickets through our website is strictly forbidden. To play the online lottery, you must be at least 18 years old.

http://playrajshriwin.com/result.php
Results from the Rajshree Lottery
Rajshree Lottery is an online game that you can play for entertainment purposes; the results are updated every 15 and 20 minutes. The age requirement to play this game is 18. Good luck today. Rajshree Lottery is an internet game that any adult can play for free. No upfront payment is necessary.

https://www.rajshreelottery.co.in/
Application Rajshree Lottery Results – Google Play
This Rajshree Lottery Sambad is unofficial and has no affiliation with any State Lottery Result Board as of October 29, 2021. We simply gathered these findings from open-source third-party websites, and we urge you to double-check them against officially released data.

https://play.google.com/store/apps/details?

id=loteryresulraj
Rajshree Outcome
Play the Rajshree lottery, Rajshree lottery, best lottery, lottery, play the Rajshree lottery result, and Rajshree lottery result. Draw time for the Rajshree Sikkim Lottery is today at 3:00 AM.

https://www.rajshree10.com/current-draw.php
The sources mentioned above should be able to provide you with information on the Play Rajshree Game Result. If not, you can contact me through the comments.

Continue Reading

Press Release

You become infected with RedLine malware through fake Windows 11 upgrade installers.

Published

on

You become infected with RedLine malware through fake Windows 11 upgrade installers.

Users of Windows 10 have begun to get phoney Windows 11 upgrade installers, tricking them into downloading and running RedLine stealer software.

The attacks took place at the same time that Microsoft announced the broad deployment phase for Windows 11. As a result, the attackers were well-prepared for this move and waited for the ideal time to maximise the effectiveness of their operation.

As the most extensively used password, browser cookie, credit card, and cryptocurrency wallet information thief at the moment, RedLine stealer infections can have serious negative effects on the victims.

The initiative

The attackers exploited the “windows-upgraded.com” domain for the malware distribution portion of their campaign, according to HP experts who have detected this effort.

When a visitor selected the “Download Now” button on the website, a 1.5 MB ZIP archive with the name “Windows11InstallationAssistant.zip” was downloaded directly from a Discord CDN. The website looks to be an official Microsoft website.

Decompressing the file yields a folder with a size of 753MB and a remarkable compression ratio of 99.8%, which was made possible by the executable’s inclusion of padding.

An encoded parameter starts a PowerShell process when the victim runs the programme in the folder.

A.jpg file is then retrieved from a distant web server when a cmd.exe process with a 21-second timeout has finished running.

The DLL in this file is organised in reverse, maybe to avoid detection and analysis.

The first process then loads the DLL and swaps it out for the current thread context. That DLL is a RedLine stealer payload that uses a TCP connection to communicate with the command-and-control server to receive instructions on what malicious operations should be performed next on the recently compromised system.

Outlook
Nothing prevents the actors from registering a new domain and continuing their campaign even though the distribution site is currently unavailable. In fact, it’s quite likely that this is already taking place in nature.

Due to hardware compatibility issues, many Windows 10 customers are unable to download Windows 11 via the official distribution channels. Malware operators see this as a great opportunity to recruit new victims.

The strategies disclosed by HP are not surprising at this time, as threat actors are also use Windows’ legitimate update clients to execute malicious code on compromised Windows systems, as BleepingComputer discovered in January.

Remember that these risky websites are advertised through forum postings, posts on social media, and instant messages, so only rely on the official Windows upgrade system alerts.

Continue Reading

Press Release

THE ANALYSIS RESULTS THAT THE OPENCV-BASED FACIAL RECOGNITION MODEL AS USED BY EXAM MONITORIO FAILS TO RECOGNIZE BLACK FACES MOST OF THE TIME (TODD FEATHERS/VICE).

Published

on

THE OPENCV-BASED FACIAL RECOGNITION MODEL

Analysis finds that an OpenCV-based facial recognition model used by exam monitoring software Proctorio fails to recognize Black faces more than 50% of the time — A student researcher has reverse-engineered the controversial exam software—and discovered a tool infamous for failing to recognize non-white faces.

Continue Reading

Trending