AUGUST 2021: A "text file" can steal all your information and secrets

Recently, 360 Security Center's threat monitoring platform detected an email phishing campaign that delivers a credential-stealing Trojan called Poulight. Poulight has been in use since last year and is fully featured; this campaign shows that it has begun to spread and be used abroad as well.

Attack process analysis

The attacker first drops a phishing file that abuses the Unicode Right-to-Left Override (RLO) character. The file, actually named "ReadMe_txt.lnk.lnk", is displayed to the user as "ReadMe_knl.txt": the RLO character sits after the underscore, Explorer hides the final .lnk extension of a shortcut, and the remaining "txt.lnk" is rendered right-to-left, so it reads "knl.txt". If the attacker also sets the shortcut's icon to the Notepad icon, the user easily mistakes it for a harmless .txt file.

The user therefore believes they are opening a text file but actually executes the attacker's code: the shortcut's "Target" field runs a PowerShell command that downloads hxxps://iwillcreatemedia.com/build.exe, sets its hidden attribute, and runs it.
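As an added example (not code from the 360 report), the following Python functions flag file names that carry Unicode bidirectional override characters and approximate what Explorer shows for them, so a name like the one above can be caught before it is opened. The rendering model (hide a trailing .lnk, reverse the run after RLO) is a deliberate simplification for ASCII names, and the sample name is constructed to match the report's.

```python
# Added example (not code from the 360 report): flag file names that carry
# Unicode bidirectional override characters and approximate how Windows
# Explorer displays them, so the RLO trick can be spotted before the file is
# opened.

# Unicode bidi control characters that can change the displayed order of text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO = "\u202e"


def find_bidi_controls(name):
    """Return (index, short name) for every bidi control in the file name."""
    return [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]


def strip_bidi(name):
    """Remove all bidi controls, giving the name the filesystem actually stores."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def true_extension(name):
    """Extension as the filesystem sees it, controls removed, lowercased."""
    clean = strip_bidi(name)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def explorer_display_name(name):
    """Approximate what Explorer shows (simplified, ASCII-only model).

    1. Explorer never shows the .lnk extension of a shortcut.
    2. Text after an RLO character is drawn right-to-left, i.e. reversed.
    """
    shown = name[:-4] if name.lower().endswith(".lnk") else name
    if RLO in shown:
        head, _, tail = shown.partition(RLO)
        shown = head + tail[::-1]
    return strip_bidi(shown)


def assess(name):
    """Report the displayed name, the real extension and a suspicion verdict."""
    displayed = explorer_display_name(name)
    real_ext = true_extension(name)
    dot = displayed.rfind(".")
    shown_ext = displayed[dot:].lower() if dot != -1 else ""
    controls = find_bidi_controls(name)
    # Suspicious if any bidi control is present, or if the extension the user
    # sees is a real-looking one that differs from the actual extension
    # (double-extension tricks such as readme.txt.lnk). A plain "Chrome.lnk"
    # shows no extension at all and is not flagged.
    suspicious = bool(controls) or (shown_ext != "" and shown_ext != real_ext)
    return {"displayed": displayed, "real_extension": real_ext,
            "controls": controls, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample mirroring the report: ReadMe_<RLO>txt.lnk.lnk
    for candidate in ("ReadMe_" + RLO + "txt.lnk.lnk", "readme.txt.lnk", "notes.txt"):
        print(repr(candidate), "->", assess(candidate))
```

Run against a directory listing (for example the attachments folder of a mail gateway), any name whose assess() verdict is suspicious deserves a look at its real extension before it is double-clicked.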

The downloaded program is a .NET binary whose internal name is Poullight.exe. The developer did not obfuscate the code.

Code analysis

Operating environment detection

The downloaded binary (the original report also refers to it locally as putty3.exe) first checks whether it is running inside a virtual machine or a malware analysis environment and exits if so. This defeats some automated sample-analysis sandboxes.

Once the environment check passes, the Trojan spawns threads to run its actual malicious modules.

First, the Trojan loads a resource embedded in itself and Base64-decodes it, yielding the following configuration:

<prog.params>YWRtaW4=|MQ==|MA==</prog.params>

<title>UG91bGlnaHQ=</title>

<cpdata>MHwwfDEyQ051S2tLSzF4TEZvTTlQNTh6V1hrRUxNeDF5NTF6Nll8MTJDTnVLa0tLMXhMRm9NOVA1OHpXWGtFTE14MXk1MXo2WXww</cpdata>

<ulfile>aHR0cDovL3J1LXVpZC01MDczNTI5MjAucHAucnUvZXhhbXBsZS5leGU=</ulfile>

<mutex>PL2d4vFEgVbQddddkms0ZhQiI0I</mutex>

The value of <mutex>, converted to lowercase ("pl2d4vfegvbqddddkms0zhqii0i"), is used as a file name in the %TEMP% directory, and the file is filled with 8 to 32 random bytes. The analysts noted, however, that this part of the code appears to be faulty, or that the sample obtained is still a pre-release build, so it does not run correctly.

Data theft

Besides checking its environment, the Trojan records the user name, machine name, operating system name and other host information, including installed anti-virus products and the graphics card and processor model strings.

All of the above is written to %LocalAppData%\<8 random characters>\PC-Information.txt. The decompiled code contains many Russian-language descriptions.

The Trojan then enumerates the running processes and writes the list to %LocalAppData%\1z9sq09u\ProcessList.txt, marking its own process with "(Injected)".

Next, it takes the third "|"-separated element of <prog.params> from the configuration above and Base64-decodes it a second time. If the value is "1", it calls clipper.Start(). That function decrypts the resource named "cpp" and the connection string:

<clbase>0|0|12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y|12CNuKkKK1xLFoM9P58zWXkELMx1y51z6Y|0</clbase>

It then writes %TEMP%\Windows Defender.exe and executes it (the file was not present in the test environment). The <clbase> value above is obtained by Base64-decoding the <cpdata> value from the previous section a second time.
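The following Python decoder, added here and not part of the 360 report, reproduces the two Base64 layers described in this section and the configuration section above: the outer resource decodes to the tagged text quoted earlier, and the prog.params fields (split on "|"), title, cpdata and ulfile are each Base64-encoded once more. The configuration text is copied from the report; the outer Base64 wrapper is constructed for the demonstration, since the raw resource bytes are not quoted. Running it shows prog.params decoding to admin|1|0, so the third element is "0" and clipper.Start() would not be reached for this sample, and cpdata decoding to exactly the <clbase> string shown above.

```python
# Added example (not the 360 report's code): decode the Poulight configuration
# resource quoted in the report. The outer resource is Base64; inside it,
# prog.params ("|"-separated), title, cpdata and ulfile are Base64 again.
import base64
import re

# Configuration text after the first Base64 layer, copied from the report.
CONFIG_TEXT = """
<prog.params>YWRtaW4=|MQ==|MA==</prog.params>
<title>UG91bGlnaHQ=</title>
<cpdata>MHwwfDEyQ051S2tLSzF4TEZvTTlQNTh6V1hrRUxNeDF5NTF6Nll8MTJDTnVLa0tLMXhMRm9NOVA1OHpXWGtFTE14MXk1MXo2WXww</cpdata>
<ulfile>aHR0cDovL3J1LXVpZC01MDczNTI5MjAucHAucnUvZXhhbXBsZS5leGU=</ulfile>
<mutex>PL2d4vFEgVbQddddkms0ZhQiI0I</mutex>
"""

# Constructed stand-in for the raw resource: the report does not quote the
# outer Base64 blob, so we build one from the decoded text.
RESOURCE_B64 = base64.b64encode(CONFIG_TEXT.encode("utf-8")).decode("ascii")

# <tag>value</tag> pairs; tag names may contain dots (prog.params).
TAG_RE = re.compile(r"<([\w.]+)>(.*?)</\1>", re.S)


def b64_text(value):
    """Strict Base64 decode to str; raises on bad alphabet or padding."""
    return base64.b64decode(value, validate=True).decode("utf-8")


def parse_config(text):
    """Return tag -> raw (still Base64) value for every tag pair in the text."""
    return {m.group(1): m.group(2).strip() for m in TAG_RE.finditer(text)}


def decode_poulight_config(text):
    """Apply the second Base64 layer to each field the report says is encoded."""
    raw = parse_config(text)
    return {
        "params": [b64_text(p) for p in raw["prog.params"].split("|")],
        "title": b64_text(raw["title"]),
        "clbase": b64_text(raw["cpdata"]).split("|"),   # becomes the <clbase> string
        "ulfile": b64_text(raw["ulfile"]),               # second-stage download URL
        "mutex": raw["mutex"],                           # not Base64 in the sample
        "marker_file": raw["mutex"].lower(),             # file name created in %TEMP%
    }


def clipper_enabled(cfg):
    """Per the report: clipper.Start() runs only if the third param is "1"."""
    return cfg["params"][2] == "1"


def decode_resource(blob_b64):
    """Full chain from the raw resource: outer Base64, then the inner fields."""
    return decode_poulight_config(base64.b64decode(blob_b64).decode("utf-8"))


if __name__ == "__main__":
    cfg = decode_resource(RESOURCE_B64)
    for key, value in cfg.items():
        print(f"{key:12} {value}")
    print("clipper enabled:", clipper_enabled(cfg))
```

The strict decode (validate=True) is deliberate: a field that fails to decode is a sign the sample's configuration layout differs from this one, which is worth knowing before the rest of the values are trusted.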

The following is the data stolen by Poulight and the actions it performs:

  • Takes a desktop screenshot;
  • Copies documents whose file name contains password, login, account, site or one of five further keywords that did not survive extraction, or whose extension is .txt, .rtf, .log, .doc, .docx, .rdp or .sql, into the directory "\Stealer Files\Disks Files\". It searches:
    • the Desktop and Documents folders, %AppData% and %LocalAppData%;
    • the root of each disk, excluding \Windows\, \programdata\, \program files (x86)\, \program files\, \users\, \perflogs\ and one further folder name that did not survive extraction;
  • Takes pictures with the web camera;
  • FileZilla server login credentials (FileZilla\recentservers.xml);
  • Pidgin login configuration (.purple\accounts.xml);
  • Discord data storage (discord\Local Storage);
  • Telegram data storage files:
    • Telegram Desktop\tdata\D877F783D5D3EF8C1
    • Telegram Desktop\tdata\D877F783D5D3EF8C0
    • Telegram Desktop\tdata\D877F783D5D3EF8C\map1
    • Telegram Desktop\tdata\D877F783D5D3EF8C\map0
  • Skype data (Microsoft\Skype for Desktop\Local Storage);
  • Steam ssfn authorization files;
  • Cryptocurrency wallet files, including:
    • BTC-BitCoin: the wallet.dat key file, which holds the wallet's address key pairs and transaction history;
    • BTC-Bytecoin: wallet key files, found by the .wallet suffix;
    • BTC-Dash: wallet.dat;
    • BTC-Ethereum: every file under Ethereum\keystore;
    • BTC-Monero: wallet-related files;
  • Cookies, visited URLs, accounts, passwords, autofill data and payment card information from 25 browsers. Files are matched with the wildcard patterns "co*es", "log*ta", "we*ata" and "loc*ate", searching up to three directory levels below each browser directory. The browser directories searched are: google, yandex, opera software, amigo, orbitum, kometa, maxthon, torch, epic browser, comodo, ucozmedia, centbrowser, go!, sputnik, titan browser, acwebbrowser, vivaldi, flock, srware iron, sleipnir, rockmelt, baidu spark, coolnovo, blackhawk and maplestudio.

All stolen data is staged in the directory %LocalAppData%\1z9sq09u\ (the string "1z9sq09u" is randomly generated).

The stolen data is then uploaded to one of two remote C&C servers:

hxxp://poullight.ru/handle.php (unused)

hxxp://gfl.com.pk/Panel/gate.php

The data is encoded and uploaded to the server in sequence. Only after the server answers with the string "good" does execution continue; otherwise the upload is retried every 2 seconds until it succeeds.

Finally, the Trojan downloads hxxp://ru-uid-507352920.pp.ru/example.exe (the <ulfile> value from the configuration) and saves it as "%LocalAppData%\<8 random characters 1>\<8 random characters 2>.exe", for example %LocalAppData%\en0mp4o4\8ej8q80s.exe.

That program likewise collects information about the machine, but deletes its own folder once collection is done; it too appears to be at the testing stage.
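Added example, not from the 360 report: a small Python hunt for the on-disk staging artifacts described above (the 8-character random directory under %LocalAppData% holding PC-Information.txt, ProcessList.txt, the "Stealer Files\Disks Files" tree and a second random-named .exe, plus the lowercased mutex file and Windows Defender.exe in %TEMP%). It takes the two directories as arguments so it can also be pointed at a mounted image. Two assumptions are made: the random names are 8 alphanumerics as in the report's examples, and the "Stealer Files" tree sits inside the staging directory (the report gives only a relative path). The demo() function builds a constructed directory tree in a temporary location to exercise the hunt offline.

```python
# Added example (not code from the 360 report): hunt a Windows user profile
# for Poulight's on-disk staging artifacts as described in the analysis.
import os
import re
import shutil
import tempfile

# Assumption: the random directory/file names are 8 alphanumerics, matching
# the report's examples (1z9sq09u, en0mp4o4, 8ej8q80s). NTFS is case-insensitive.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$", re.I)
STAGING_FILES = {"PC-Information.txt", "ProcessList.txt"}
# Assumption: the "\Stealer Files\Disks Files\" tree lives inside the staging dir.
STOLEN_SUBDIR = os.path.join("Stealer Files", "Disks Files")
# Lowercased <mutex> value and the clipper drop name, both written to %TEMP%.
TEMP_ARTIFACTS = {"pl2d4vfegvbqddddkms0zhqii0i", "Windows Defender.exe"}


def hunt_poulight(local_appdata, temp_dir):
    """Return a list of (artifact kind, path) found under the two directories."""
    findings = []
    if os.path.isdir(local_appdata):
        for entry in sorted(os.listdir(local_appdata)):
            staging = os.path.join(local_appdata, entry)
            if not (RANDOM_NAME.match(entry) and os.path.isdir(staging)):
                continue
            try:
                children = set(os.listdir(staging))
            except OSError:
                continue
            for marker in sorted(STAGING_FILES & children):
                findings.append(("staging_file", os.path.join(staging, marker)))
            if os.path.isdir(os.path.join(staging, STOLEN_SUBDIR)):
                findings.append(("stolen_files_dir", os.path.join(staging, STOLEN_SUBDIR)))
            for child in sorted(children):
                stem, ext = os.path.splitext(child)
                if ext.lower() == ".exe" and RANDOM_NAME.match(stem):
                    findings.append(("second_stage_exe", os.path.join(staging, child)))
    if os.path.isdir(temp_dir):
        for name in sorted(TEMP_ARTIFACTS & set(os.listdir(temp_dir))):
            findings.append(("temp_artifact", os.path.join(temp_dir, name)))
    return findings


def demo():
    """Build a constructed profile tree in a temp dir, hunt it, and return the
    findings with paths made relative to the tree (forward slashes)."""
    root = tempfile.mkdtemp(prefix="poulight_demo_")
    try:
        local = os.path.join(root, "Local")
        temp = os.path.join(root, "Temp")
        staging = os.path.join(local, "1z9sq09u")
        os.makedirs(os.path.join(staging, STOLEN_SUBDIR))
        os.makedirs(os.path.join(local, "Google"))   # benign neighbour, must not match
        os.makedirs(temp)
        for name in ("PC-Information.txt", "ProcessList.txt", "8ej8q80s.exe"):
            open(os.path.join(staging, name), "w").close()
        for name in TEMP_ARTIFACTS:
            open(os.path.join(temp, name), "w").close()
        return [(kind, os.path.relpath(path, root).replace(os.sep, "/"))
                for kind, path in hunt_poulight(local, temp)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # On a live host: hunt_poulight(os.environ["LOCALAPPDATA"], os.environ["TEMP"])
    for kind, path in demo():
        print(f"{kind:18} {path}")
```

Because the staging directory name is random, the hunt keys on the fixed file names inside it rather than on the directory itself; a hit on PC-Information.txt or ProcessList.txt inside an 8-character directory is the strongest single indicator the report provides.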

360 Total Security already detects and removes this Trojan. Affected users are advised to install it from the official website: https://www.360totalsecurity.com.

IOCs

Hash (MD5)

dcb4dfc4c91e5af6d6465529fefef26f

083119acb60804c6150d895d133c445a

b874da17a923cf367ebb608b129579e1

C2

hxxp://gfl.com.pk/Panel/gate.php

hxxp://poullight.ru/handle.php (unused)

URL

hxxps://iwillcreatemedia.com/build.exe 

hxxp://ru-uid-507352920.pp.ru/example.exe


Compiled by the Technical Support Department; cited from 360 Security Center.


July 2021: Enable disappearing, self-destruct messages on WhatsApp, Signal and other apps

WhatsApp, Instagram, Telegram and Signal all let users auto-delete messages once a conversation is over. WhatsApp deletes disappearing messages after 7 days, Instagram removes them as soon as they have been seen, and Signal and Telegram let users set the self-destruct timer themselves.

Snapchat started the trend of self-destructing, or disappearing, messages. As privacy concerns around messaging apps grow by the day, users who do not want chats kept as a record, or as screenshots to win a later argument, can opt for disappearing messages so that when they are done with a chat, it really is gone. You can follow the steps below to enable disappearing messages in each app.

To enable disappearing messages on WhatsApp for an individual contact:

-- Open WhatsApp.
-- Select the contact where you want to enable disappearing messages.
-- Tap the three dots in the top right-hand corner.
-- Go to View contact.
-- Tap on Disappearing messages > Select On.

To enable disappearing messages on Signal

-- Open a chat window.
-- Tap the three dots on the right.
-- Select Disappearing messages.
-- You can set the window from five seconds to one week for the messages to self-destruct.

To send a disappearing or view-once photo on Signal:

-- On Signal iOS or Signal Android, navigate to your group or individual conversation.
-- Select an image or capture a photo or video.
-- Tap the icon with an infinity sign to switch to the view-once icon or 1x.
-- Select Send. The photo or video won't be stored in your Signal conversation history.

Telegram also offers secret chats, which are end-to-end encrypted (regular Telegram chats are not). Follow these steps to start a secret chat with a user.

-- Open Telegram
-- Tap on the compose button
-- Select New Secret chat
-- Select contact with whom you want to have an end-to-end encrypted chat.

To enable self destruct timer, on Telegram:

-- Select the three dots on the top right of the contact you have entered a secret chat with.
-- Select Set self-destruct timer.
-- Select the interval after which messages should be deleted. The function works like disappearing messages: with a one-hour timer, each message is deleted one hour after it has been read.
To disable the self-destruct timer, repeat the same steps, and select ‘Off’ in the self-destruct timer section.

To enable Vanish mode in Instagram:

-- Open the Instagram app on your device.
-- Tap the 'direct or messenger' icon on the top right.
-- Open any chat window you wish to enable the vanish mode for.
-- Swipe up from the bottom of the screen to enable vanish mode.

Once Vanish mode is on, messages disappear after they have been seen and the chat is closed.
To turn Vanish mode off, open the chat where you enabled it, then swipe up from the bottom of the screen again or tap 'Turn off vanish mode' at the top of the chat window.

Compiled and approved by the technical support Department


June 2021: five tips to spot fake news online by Google

The internet presents its users with misinformation and fake news daily, but a reader who is unsure about a piece of information can verify it. Google offers tools to check both articles and images. Ahead of International Fact-Checking Day on April 2, Google shared tips on how anyone, not just professional fact-checkers, can confirm information they are unsure about.

Alexios Mantzarlis, News and Information Credibility Lead of Google News in a blog post noted that over the past year more than 50,000 new fact checks surfaced on Google Search, with all fact checks receiving more than 2.4 billion impressions in Search in that timeframe.

On a separate support page, Google explains how it determines what counts as a fact check. Publishers must meet certain requirements to be treated as a trusted source, and an algorithm makes that determination. Fact-check content must state the claims being checked, the conclusions about those claims, and how they were reached, with citations and primary sources.

Here is how you can check for misinformation or fake news online:

-- Find out more about the source: Google notes that users can learn more about the source of an article or website by clicking the three dots to the right of a result, where that information is available. This tool is currently available only in the US.

-- Check whether an image is authentic: Many photos forwarded on WhatsApp and Facebook are not genuine or are misleading. Google notes that users can check an image by right-clicking it and selecting "Search Google for Image"; on mobile, touch and hold the image. Google then shows whether the image has appeared online before and in what context.

-- Look for more than one source: Google notes that users can check for the full coverage of a news piece if they switch to news mode or search for a topic in Google News. Users can click on full coverage to see the news outlets that have covered the news.

-- Use Google's fact-checker: Users can type in a keyword and see claims made by news publications alongside the fact checks Google lists. For a more thorough check, search a topic in the Fact Check Explorer, which according to Google collects more than 100,000 fact checks from reputable publishers around the world.

-- Confirm if an event is taking place in the said location: Google notes that users can confirm if an event is indeed taking place at a location by checking Google Earth or the Street View of a location on Google Maps.

Compiled and approved by the technical support officer and cited from India Today.


May 2021: Windows sign-in options and account protection


To access your sign-in options, go to Start > Settings > Accounts > Sign-in options. On the Sign-in options page, the following sign-in methods are available:

  • Windows Hello Face

  • Windows Hello Fingerprint

  • Windows Hello PIN

  • Security key

  • Password

  • Picture password

You'll also find these settings:

  • Require sign-in—Requires you to sign in to your device after being away.

  • Dynamic lock—automatically locks your device when you're away.

  • Privacy—Shows or hides personal info on the sign-in screen, and allows your device to use your sign-in info to reopen your apps after an update or restart.

Change or manage your password

To change your password, go to Start > Settings > Accounts > Sign-in options. Select Password, and then select Change.

Note: To change your password if you're on a domain, press Ctrl+Alt+Del and then select Change a password.

Windows Hello

Windows Hello lets you sign in to your devices, apps, online services, and networks using your face, iris, fingerprint, or a PIN. Even if your Windows 10 device can use Windows Hello biometrics, you don't have to. If it's the right choice for you, you can rest assured that the info that identifies your face, iris, or fingerprint never leaves your device. Windows does not store pictures of your face, iris, or fingerprint on your device or anywhere else.

What data is collected, and why

When you set up Windows Hello biometrics, it takes the data from the face camera, iris sensor, or fingerprint reader and creates a data representation—or graph—that is then encrypted before it’s stored on your device.

To help us keep things working properly, to help detect and prevent fraud, and to continue improving Windows Hello, we collect diagnostic data about how people use Windows Hello. For example, data about whether people sign in with their face, iris, fingerprint, or PIN; the number of times they use it; and whether it works or not is all valuable information that helps us build a better product. The data is pseudonymized, does not include biometric information, and is encrypted before it's transmitted to Microsoft. You can choose to stop sending diagnostic data to Microsoft at any time.

To manage Windows Hello

To turn on Windows Hello, go to Start > Settings > Accounts > Sign-in options, select the Windows Hello method that you want to set up, and then select Set up. If you don't see Windows Hello in Sign-in options, then it may not be available for your device.

To remove Windows Hello and any associated biometric identification data from the device, go to Start > Settings > Accounts > Sign-in options. Select the Windows Hello method you want to remove, and then select Remove.

Using a security key

A security key is a hardware device that you can use instead of your user name and password to sign in on the web. Because it is used together with a fingerprint or PIN, even someone who has your security key cannot sign in without the PIN or fingerprint you set up. Security keys are usually available from retailers that sell computer accessories.

To set up a security key, go to Start > Settings > Accounts > Sign-in options, and select Security Key. Select Manage and follow the instructions.

Lock your device

If you're stepping away from your device for a few minutes, it's a good idea to lock it so that others can't see what's on your screen or access anything on it. Press the Windows logo key + L to lock it immediately. When you return, you'll just need to authenticate and you'll be right where you left off.

Dynamic lock

Windows can use devices that are paired with your PC to help detect when you’re away, and lock your PC shortly after your paired device is out of Bluetooth range. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it.

  1. On your Windows 10 PC, select Start > Settings > Accounts > Sign-in options.

  2. Under Dynamic lock, select the Allow Windows to automatically lock your device when you’re away check box.

  3. Use Bluetooth to pair your phone with your PC.

Once they’re paired, take your phone with you when you walk away, and your PC will automatically lock a minute or so after you’re out of Bluetooth range. 

Other sign-in options

Manage when you're required to sign in

Go to Start > Settings > Accounts > Sign-in options. Under Require sign-in, select an option for when Windows should require you to sign in again.

To show your account details on the sign-in screen

Go to Start > Settings > Accounts > Sign-in options. Under Privacy, turn the first setting On if you want to show your account details on the sign-in screen.

To automatically finish setup after an update

Go to Start > Settings > Accounts > Sign-in options. Under Privacy, turn the second setting On if you want to use your sign-in info to automatically finish setting up your device after an update or restart.


Approved by the Technical Support Department; curated from Microsoft.


April 2021: Understanding what computer beep codes mean, and how to recognise them

A beep code is an audio signal a computer gives out to announce the result of a short diagnostic test it performs when first powering up, a process called the Power-On Self-Test (POST). The POST is a small program contained in the computer's Basic Input/Output System (BIOS) that checks that the necessary hardware is present and the required memory is accessible.

The system BIOS is stored on a Read-Only Memory (ROM) chip on the motherboard, because ROM retains its contents even when the computer has no power. The computer uses it during the start-up routine (boot process) to check out the system and prepare to run the hardware tests.

Beep codes are recognised by listening for one or more series of beeps when the computer boots. On many BIOSes a single short beep means the POST completed normally and the system is starting up; any other pattern signals a problem, and each pattern points to a different area of the computer. Once the pattern has been identified, troubleshooting can proceed from there. Because many manufacturers ship their own BIOS, the number of beeps used for a given problem varies from vendor to vendor.

If something is wrong, the computer displays an error message on the monitor and also announces the error audibly with a series of beeps that vary in pitch, number and duration. The audible code is especially useful when the fault lies in the monitor or graphics components, since no message can then be displayed. The beep sequence is a coded message (the beep code) designed to tell the user what is wrong with the computer.

The table below lists a few Dell beep codes and their meanings. Note that on these Dell systems a single beep is itself an error code, not the "all clear" that a single short beep signals on many other BIOSes.

Beep code    Description
1 beep       BIOS ROM corrupted or failed
2 beeps      RAM (Random Access Memory) not detected
3 beeps      Motherboard failure
4 beeps      RAM failure
5 beeps      CMOS battery failure
6 beeps      Video card failure