New Code Injection Affects All Windows Versions

This week we look at the new code injection technique that affects all Windows versions and at the Blackgear espionage campaign, which now targets Japan.

Malware

New Code Injection Affects All Windows Versions

Researchers have discovered a new method of injecting malicious code into Windows processes that could bypass detection by antivirus software and other endpoint security products. It is dubbed “AtomBombing” because it abuses the operating system’s atom tables, a mechanism present in every Windows version. Depending on the process into which the malicious code is injected, it could allow attackers to access encrypted passwords, take screenshots, or perform Man-in-the-Browser (MitB) attacks.

Because the technique relies on legitimate operating-system functionality rather than a vulnerability, there is no patch that closes it.
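Since the technique abuses a legitimate mechanism, defenders can only look for its side effects. The following PowerShell script is an added example, not part of the original newsletter or any vendor tooling: it enumerates the global atom table through the Win32 GlobalGetAtomNameW API and reports entries that look nothing like the short identifiers applications normally register. The length threshold and the printable-character heuristic are assumptions, and legitimate software with non-ASCII atom names will produce false positives, so treat hits as leads for triage, not verdicts.

```powershell
# Added example: snapshot the global atom table and flag unusual entries.
# GlobalGetAtomNameW is a documented kernel32 export; everything else here is a
# constructed heuristic and should be tuned to the environment.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'GlobalAtoms' -Namespace 'Hunt' -PassThru

function Get-SuspiciousGlobalAtoms {
    param(
        [int]$MinLength = 64   # assumed threshold: ordinary atoms are short names such as window classes
    )
    # Atom strings are at most 255 characters, so a 256-character buffer always suffices.
    $buffer = New-Object System.Text.StringBuilder 256
    # String atoms live in the range 0xC000-0xFFFF; values below that are integer atoms.
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        [void]$buffer.Clear()
        $len = $Kernel32::GlobalGetAtomNameW([uint16]$atom, $buffer, $buffer.Capacity)
        if ($len -eq 0) { continue }   # this atom number is not in use right now
        $name = $buffer.ToString(0, $len)
        # Count characters outside printable ASCII. Raw binary data stored as a
        # "string" tends to contain many of these; localized app names may too.
        $nonPrintable = @($name.ToCharArray() |
            Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E }).Count
        if ($len -ge $MinLength -or $nonPrintable -gt 0) {
            [pscustomobject]@{
                Atom         = ('0x{0:X4}' -f $atom)
                Length       = $len
                NonPrintable = $nonPrintable
                Preview      = $name.Substring(0, [Math]::Min(40, $len))
            }
        }
    }
}

# Run the scan and show the results; an empty table means nothing matched the heuristic.
Get-SuspiciousGlobalAtoms | Format-Table -AutoSize
```

The atom table is per session and changes constantly, so a single snapshot proves little; scheduling the scan and diffing results over time is more useful than a one-off run.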

References: 'AtomBombing' Microsoft Windows Via Code Injection | New Windows Code Injection Method Could Let Malware Bypass Detection | New Code Injection Attack Works On All Windows Versions

Mitigation Strategies:

Espionage Campaign

Blackgear Espionage Campaign Targets Japan

Blackgear, an espionage campaign that has targeted Taiwan for several years, has shifted its focus to neighboring Japan. The campaign uses a three-stage infection chain: 1) infect the victim with a “binder” malware through watering-hole or spear-phishing attacks, 2) use a decoy document to fetch the second-stage malware, a downloader, and 3) download the full backdoor Trojan. Once installed, the backdoor connects to Blackgear’s command and control (C&C) servers for further instructions. Rather than contacting the C&C servers directly, as most espionage malware does, the backdoor first goes online and retrieves a series of blog posts in which the C&C IP addresses are hidden in encrypted form. The backdoor decodes the address, connects to the server, and gives the attackers the ability to search for and exfiltrate data from infected targets.

References: Blackgear Espionage Campaign Evolves Adds Japan Target List | Blackgear Cyber-Espionage Campaign Now Targets Japan | Japan Targeted in "Blackgear" Espionage Campaign

Mitigation Strategies:

  • Mail filtering scans incoming files and hyperlinks for malicious links or code
  • Web filtering prevents users from reaching malicious websites
  • Intrusion detection system (IDS) signatures detect intrusions and network anomalies
  • A file integrity monitoring (FIM) solution detects any file modification or addition
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.

Top 20 Malicious IP Addresses


*IP addresses provided by Recorded Future.