Apple Arcade Adds Puzzle Adventure Game ‘Creaks’

Apple Cuts iPhone Trade-In Values as iPhone 12 Launch Nears

With just two months to go until the usual timeframe for Apple’s iPhone launch events, Apple is cutting back on maximum trade-in values of previous-generation iPhones for those looking to upgrade to a new model.
Maximum values on more recent models have dropped by $30–$50, while older models have generally dropped by $5–$20, with a few models seeing no change in value. iPhone XS Max: $500 to…

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Apple Canceling Some Apple Arcade Game Contracts to Focus on Hit Games That Will Draw Subscribers

Apple is shifting its Apple Arcade strategy and canceling contracts for some games while pursuing titles that it thinks will help it better retain subscribers, reports Bloomberg.


Apple earlier this year ended contracts with multiple game studios and let them know about its new approach to choosing games for the service. Some upcoming games Apple had planned to support didn’t have a high enough level of “engagement” as Apple is now looking for games that will “keep users hooked.”

In one call, Apple highlighted Grindstone as the type of game that it wants to see on the platform. Grindstone is a multi-level match-3 puzzle game.


So far, no ‌Apple Arcade‌ games have become major hits, and there’s no word on how well ‌Apple Arcade‌ is doing. Some developers have speculated that Apple’s strategy change indicates subscriber growth is weaker than expected, and Apple also recently began offering some people a second free trial month, which perhaps suggests that users aren’t remaining subscribers for a long enough period of time.

In a statement to Bloomberg, Apple said that its vision has always been to try to “grow and evolve the ‌Apple Arcade‌ catalog” and that it has always planned to make changes to the game lineup based on feedback from subscribers.

“‌Apple Arcade‌ has redefined what a gaming service can be, putting unlimited play at the fingertips of subscribers and their families across all their Apple devices,” Apple said in a statement. “We are proud to have launched the first-ever mobile game subscription service that now features more than 120 games, many of which are award-winning and widely celebrated for their artistry and gameplay. The vision has always been to grow and evolve the ‌Apple Arcade‌ catalog, and we can’t wait for our users to try the games developers are working on now.”

Apple unveiled ‌Apple Arcade‌ in September 2019, pricing it at $4.99 per month. ‌Apple Arcade‌ games are available to all members of a family at that price point, and contain no ads or in-app purchases.

Since ‌Apple Arcade‌ launched, Apple has added new games on a near-weekly basis, and there are now more than 120 titles available. Apple has funded work on many games that have been created for ‌Apple Arcade‌, spending between $1 million and $5 million on several titles so far.


Remote access at risk: Pandemic pulls more cyber‑crooks into the brute‑forcing game

Poorly secured remote access attracts mostly ransomware gangs, but can provide access to coin miners and backdoors too

The COVID-19 pandemic has radically changed the nature of everyday work, forcing employees to do large parts of their jobs via remote access. Cybercriminals – especially ransomware operators – are aware of the shift and attempt to exploit the new opportunities and increase their illicit earnings. ESET telemetry confirms this trend in an uptick in the number of unique clients who reported brute-force attack attempts blocked via ESET’s network attack detection technology.

Before the lockdown, most employees worked from the office and used infrastructure monitored and controlled by their IT department. But the coronavirus pandemic has brought a major shift to the status quo. Today, a huge proportion of “office” work occurs via home devices with workers accessing sensitive company systems through Windows’ Remote Desktop Protocol (RDP) – a proprietary solution created by Microsoft to allow connecting to the corporate network from remote computers.

Despite the increasing importance of RDP (as well as other remote access services), organizations often neglect its settings and protection. Employees use easy-to-guess passwords and with no additional layers of authentication or protection, there is little that can stop cybercriminals from compromising an organization’s systems.

That is probably also the reason why RDP has become such a popular attack vector in the past few years, especially among ransomware gangs. These cybercriminals typically brute-force their way into a poorly secured network, elevate their rights to admin level, disable or uninstall security solutions and then run ransomware to encrypt crucial company data.

The growing number of unique clients who have reported an RDP attack attempt is visible in data gathered by ESET telemetry (see Figure 1).

Figure 1. Trend of RDP attack attempts against unique clients (per day), detected by ESET technologies

Brute-force attack protection

To address the growing risks posed by increasing RDP use, ESET researchers have devised a new detection layer that is hidden under the hood of ESET Network Attack Protection and is designed to block incoming brute-force attacks from external IP addresses, covering RDP as well as SMB protocols.

Called ESET Brute-Force Attack Protection, this new layer detects groups of failed login attempts from external environments, which hint at an incoming brute-force attack, and then blocks further attempts. Subsequently, the biggest offenders among these IP addresses are added to a blacklist, which protects millions of devices from future attacks.

The new technology has proven to be effective against both random and targeted attacks. For it to work properly, the RDP option Network Level Authentication (NLA) on server must be enabled.
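The detection logic described above (collect failed logons per external source, block a source once its failures cluster within a short window, then rank the worst offenders for a blocklist) can be illustrated over Windows Security log records. The block below is an added example written for this page; it is not ESET's code and says nothing about how Brute-Force Attack Protection is actually built. The log records, the 60-second window, the threshold of five and the definition of "external" (anything outside RFC 1918, loopback and link-local ranges) are constructed assumptions for the example.

```python
import ipaddress
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields the
# detector needs: timestamp, EventID, LogonType, source IP and account.
# 4625 = failed logon. LogonType 10 is RemoteInteractive (classic RDP); with NLA
# enabled the credential check fails earlier and shows up as LogonType 3 (Network).
SAMPLE_EVENTS = [
    ("2020-05-01T10:00:00", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-05-01T10:00:01", 4625, 3, "203.0.113.7", "admin"),
    ("2020-05-01T10:00:02", 4625, 3, "203.0.113.7", "user"),
    ("2020-05-01T10:00:03", 4625, 3, "203.0.113.7", "test"),
    ("2020-05-01T10:00:04", 4625, 3, "203.0.113.7", "backup"),
    ("2020-05-01T10:00:05", 4625, 3, "203.0.113.7", "sql"),
    ("2020-05-01T10:00:06", 4624, 10, "203.0.113.7", "backup"),  # a success: not counted
    ("2020-05-01T10:00:00", 4625, 3, "192.0.2.9", "administrator"),  # slow guessing,
    ("2020-05-01T10:02:00", 4625, 3, "192.0.2.9", "administrator"),  # never 5 in a minute
    ("2020-05-01T10:04:00", 4625, 3, "192.0.2.9", "administrator"),
    ("2020-05-01T10:06:00", 4625, 3, "192.0.2.9", "administrator"),
    ("2020-05-01T10:08:00", 4625, 3, "192.0.2.9", "administrator"),
    ("2020-05-01T10:01:00", 4625, 10, "198.51.100.23", "jsmith"),
    ("2020-05-01T10:01:10", 4625, 10, "198.51.100.23", "jsmith"),
    ("2020-05-01T10:01:20", 4625, 10, "198.51.100.23", "jsmith"),
] + [
    # An internal host mistyping a password eight times: noisy, but not an
    # external brute-force candidate, so the detector must ignore it.
    (f"2020-05-01T10:03:0{i}", 4625, 10, "10.0.0.5", "helpdesk") for i in range(8)
]

# Ranges treated as internal (assumption for this example): RFC 1918, loopback
# and link-local. Everything else counts as an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

FAILED_LOGON = 4625
RDP_LOGON_TYPES = {3, 10}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return {ip: timestamp} for every external IP whose failed RDP logons
    reached `threshold` inside one `window`. The timestamp is the moment the
    threshold was crossed, i.e. when a block would be applied."""
    recent = defaultdict(deque)   # per-IP sliding window of failure times
    blocked = {}
    for ts_s, event_id, logon_type, ip, _account in sorted(events):
        if event_id != FAILED_LOGON or logon_type not in RDP_LOGON_TYPES:
            continue
        if not is_external(ip) or ip in blocked:
            continue
        ts = datetime.fromisoformat(ts_s)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def top_offenders(events, limit=3):
    """Rank external IPs by total failed RDP logons: blocklist candidates."""
    counts = Counter(ip for _, eid, lt, ip, _ in events
                     if eid == FAILED_LOGON and lt in RDP_LOGON_TYPES and is_external(ip))
    return [ip for ip, _ in counts.most_common(limit)]


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_EVENTS).items():
        print(f"block {ip} (threshold reached at {when.isoformat()})")
    print("top offenders:", top_offenders(SAMPLE_EVENTS))
```

Only 203.0.113.7 is blocked, at the fifth failure; 192.0.2.9 makes the same number of attempts but too slowly for the window, which is why a ranking by total failures is kept separately from the window-based block decision.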

According to ESET telemetry, most of the blocked IPs in January–May 2020 were seen in the United States, China, Russia, Germany and France (see Figure 2).

Figure 2. Countries with the largest number of all blocked IP addresses (between Jan 1 and May 31, 2020).

Countries that had the largest proportion of targeted IPs were Russia, Germany, Japan, Brazil and Hungary (see Figure 3).

Figure 3. Countries with the most brute-force attacks reported by ESET telemetry (between Jan 1 and May 31, 2020).

How to configure remote access correctly

Yet, even with protective measures such as ESET Brute-Force Attack Protection, organizations need to keep their remote access properly configured:

  • Disable internet-facing RDP. If that is not possible, minimize the number of users allowed to connect directly to the organization’s servers over the internet.
  • Require strong and complex passwords for all accounts that can be logged into via RDP.
  • Use an additional layer of authentication (MFA/2FA).
  • Install a virtual private network (VPN) gateway to broker all RDP connections from outside your local network.
  • At the perimeter firewall, disallow external connections to local machines on port 3389 (TCP/UDP) or any other RDP port.
  • Protect your endpoint security software from tampering or uninstallation by password-protecting its settings.
  • Isolate any insecure or outdated computers that need to be accessed from the internet using RDP and replace them as soon as possible.
  • For a detailed description of how to set up your RDP connection correctly, please refer to this article by ESET Distinguished Researcher Aryeh Goretsky.
  • Most of these best practices apply to FTP, SMB, SSH, SQL, TeamViewer, VNC and other services as well.
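The checklist above can be turned into a repeatable audit. The block below is an added example for this page, not something from the article or from ESET: it evaluates a constructed configuration snapshot against the checklist and returns finding codes. The value names fDenyTSConnections, UserAuthentication and PortNumber are the real registry values under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server (the last two under WinStations\RDP-Tcp); the firewall-rule, user-list, MFA and tamper-protection fields are simplified assumptions standing in for whatever inventory source you have.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class FirewallRule:
    direction: str          # "in" or "out"
    action: str             # "allow" or "block"
    local_port: int
    remote_addresses: str   # "Any", "LocalSubnet", or an address/prefix


@dataclass
class RdpConfig:
    """Constructed snapshot of the settings the checklist talks about."""
    fDenyTSConnections: int           # 1 = Remote Desktop disabled
    UserAuthentication: int           # 1 = Network Level Authentication required
    PortNumber: int                   # 3389 by default
    firewall_rules: List[FirewallRule]
    remote_desktop_users: List[str]   # accounts allowed to connect directly
    mfa_enforced: bool                # assumption: an MFA broker fronts RDP
    av_settings_password_protected: bool


def audit_rdp(cfg: RdpConfig, max_direct_users: int = 3) -> List[str]:
    """Return finding codes; an empty list means the checklist passes."""
    findings = []
    rdp_enabled = cfg.fDenyTSConnections == 0
    # Exposure is judged against the *configured* port, so moving RDP off 3389
    # does not hide it from this check (the checklist says "or any other RDP port").
    exposed = rdp_enabled and any(
        r.direction == "in" and r.action == "allow"
        and r.local_port == cfg.PortNumber
        and r.remote_addresses.lower() == "any"
        for r in cfg.firewall_rules)
    if exposed:
        findings.append("RDP-INTERNET-FACING")
    if exposed and len(cfg.remote_desktop_users) > max_direct_users:
        findings.append("TOO-MANY-DIRECT-RDP-USERS")
    if rdp_enabled and cfg.UserAuthentication != 1:
        findings.append("NLA-DISABLED")
    if rdp_enabled and not cfg.mfa_enforced:
        findings.append("NO-MFA")
    if not cfg.av_settings_password_protected:
        findings.append("ENDPOINT-SECURITY-UNPROTECTED")
    return findings


# Constructed "before" snapshot: RDP moved to a non-standard port but still
# reachable from anywhere, NLA off, no MFA, security product unprotected.
WEAK_CONFIG = RdpConfig(
    fDenyTSConnections=0, UserAuthentication=0, PortNumber=33890,
    firewall_rules=[FirewallRule("in", "allow", 33890, "Any")],
    remote_desktop_users=["administrator", "sales1", "sales2", "hr", "backup"],
    mfa_enforced=False, av_settings_password_protected=False)

# Constructed "after" snapshot: RDP only reachable from the VPN gateway's
# subnet (assumed 10.10.0.0/24), NLA on, MFA on, settings password-protected.
HARDENED_CONFIG = RdpConfig(
    fDenyTSConnections=0, UserAuthentication=1, PortNumber=3389,
    firewall_rules=[FirewallRule("in", "allow", 3389, "10.10.0.0/24"),
                    FirewallRule("in", "block", 3389, "Any")],
    remote_desktop_users=["it-admin"],
    mfa_enforced=True, av_settings_password_protected=True)


if __name__ == "__main__":
    print("weak:", audit_rdp(WEAK_CONFIG))
    print("hardened:", audit_rdp(HARDENED_CONFIG))
```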

Ransomware, coin miners and backdoors

Encryption of data and subsequent extortion is in no way the only scenario that could follow an RDP compromise. Frequently the attackers try to install coin-mining malware or create a backdoor, which can be used in case their unauthorized RDP access has been identified and closed.

Other common scenarios following an RDP compromise can include:

  • clearing of log files, thus removing the evidence of previous malicious activity,
  • downloading and running the attacker’s choice of tools and malware on the compromised system,
  • disabling of scheduled backups and shadow copies or completely erasing them, or
  • exfiltrating data from the server.

Black hats have been trying to exploit RDP for years, as documented by our blogpost from 2013. Steadily growing numbers of RDP attacks over the past few years have become the subject of numerous governmental advisories including the FBI, the UK’s NCSC and Australia’s ACSC.

This only demonstrates how crucial the security of remote access has become, potentially making or breaking a company’s future. And even if the damage to an organization’s reputation can be managed, there are financial losses, stalled operations and expensive recovery efforts that need to be accounted for. This doesn’t consider the additional costs of potential penalties that can be issued by authorities under data-protective legislation such as GDPR (EU), CCPA (California) or NDB (Australia).

Whether or not there’s a pandemic, businesses should manage the risks posed by wide usage of RDP or other similar services by reinforcing their passwords and by adding other protective layers, including multi-factor authentication and a security solution that defends against attacks based on RDP and similar protocols.



Ondrej Kubovič



Apple Revives and Refreshes Game Center in iOS 14 and macOS Big Sur

Game Center, a feature for tracking game progress and connecting gamers together for multiplayer gameplay experiences, has long been a part of iOS.

Game Center achievements in Settings

The feature was added to iOS 4 in 2010 and was a key part of gaming for a few years, but Apple nixed the Game Center app in 2016 with the release of iOS 10. Game Center has stuck around since then, but as more of a behind the scenes feature.

Apple’s latest software releases revive Game Center, and there’s a redesigned Game Center dashboard available on iOS, tvOS, and macOS that games can take advantage of.

Splash page when starting an Apple Arcade game after downloading iOS 14

Users are able to view their achievements, leaderboards, and Game Center profiles directly within various games through a new in-game dashboard in ‌Apple Arcade‌ games and through the updated Game Center section in the Settings app.


Game Center now offers up recurring leaderboards for current game rankings along with leaderboards for daily, weekly, and monthly competitions, plus a feature that lets users see their friends’ game progress. Apple will also use Game Center in ‌Apple Arcade‌ to let users see what games are popular with their friends.

Game Center in an ‌Apple Arcade‌ game

Apple is encouraging developers to set up leaderboards, add achievements, and opt in to the Game Center challenges feature for their apps.

‌Apple Arcade‌ game in App Store listing available Game Center achievements

‌Apple Arcade‌ is getting other feature updates, such as lists of achievements you can earn in games right on the game page, filters for finding new content, sneak peeks at upcoming games, and a continue playing feature that lets you launch the games you’ve recently played across your devices from the ‌Apple Arcade‌ tab.


Side-Scrolling Adventure Game ‘Little Orpheus’ Now Available on Apple Arcade

Apple Registers Nine Unreleased iPhones and New Mac in Eurasian Database

Apple has registered nine unreleased iPhone models in the Eurasian Economic Commission (EEC) database, according to listings uncovered by MySmartPrice and confirmed by MacRumors.
The new and unannounced iPhones use the previously unknown model identifiers A2176, A2172, A2341, A2342, A2399, A2403, A2407, A2408, and the A2411. Rumors have suggested Apple will complete its transition to an…


Gamaredon group grows its game

Active APT group adds cunning remote template injectors for Word and Excel documents; unique Outlook mass-mailing macro

ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target’s email account to send spearphishing emails to contacts in the victim’s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents.

Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products.

The Gamaredon group has been active since at least 2013. It has been responsible for a number of attacks, mostly against Ukrainian institutions, as evidenced in several reports from CERT-UA and from other official Ukrainian bodies over time.

In the last few months, there has been an increase in activity from this group, with constant waves of malicious emails hitting their targets’ mailboxes. The attachments to these emails are documents with malicious macros that, when executed, try to download a multitude of different malware variants.

Gamaredon has leveraged many different programming languages in the past few months, ranging from C# to VBScript, batch files and C/C++. The tools used by Gamaredon are very simple and are designed to gather sensitive information from compromised systems and to spread further.

Unlike other APT groups, the Gamaredon group seems to make no effort to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data. Could we be missing something?

Background

Figure 1 illustrates a typical compromise chain in a Gamaredon campaign.

Figure 1. Typical Gamaredon compromise chain

While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems.

Outlook VBA module

The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns.

This bundle of malicious code starts out with a VBScript that first kills the Outlook process if it is running, and then removes security around VBA macro execution in Outlook by changing registry values. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to.

Next, it relaunches Outlook with a special option, /altvba, which loads the Gamaredon VBA project. The malicious code is executed once the Application.Startup event is received. They have been using this module in three different ways to send malicious email to:

  • Everyone in the victim’s address book
  • Everyone within the same organization
  • A predefined list of targets

While abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it.
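From the defender's side, the relaunch of Outlook with /altvba is the observable worth hunting for in process-creation telemetry. The block below is an added example for this page, not ESET's code: it runs over constructed process-creation records (field names follow Sysmon Event ID 1: Image, CommandLine, ParentImage), extracts the OTM path passed to /altvba, and grades the hit by whether the project file lives outside Outlook's normal location (%APPDATA%\Microsoft\Outlook\VbaProject.OTM) and whether a script host launched Outlook, as the article says the VBScript does. The script-host list and the severity grading are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records, not real telemetry.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SAMPLE_PROCESS_EVENTS = [
    {"Image": OUTLOOK, "CommandLine": f'"{OUTLOOK}"',
     "ParentImage": r"C:\Windows\explorer.exe"},                       # normal start
    {"Image": OUTLOOK,
     "CommandLine": f'"{OUTLOOK}" /altvba ' + r"C:\Users\victim\AppData\Local\Temp\vba.otm",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},               # what the article describes
    {"Image": OUTLOOK, "CommandLine": f'"{OUTLOOK}" /safe',
     "ParentImage": r"C:\Windows\explorer.exe"},                       # other switch, benign
    {"Image": OUTLOOK,
     "CommandLine": f'"{OUTLOOK}" /altvba ' + r'"C:\Users\dev\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"',
     "ParentImage": r"C:\Windows\explorer.exe"},                       # default project, interactive
]

# /altvba <path> where the path may or may not be quoted.
ALTVBA_RE = re.compile(r'/altvba\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Parents that indicate a script, not a person, started Outlook (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Suffix of the location Outlook itself uses for the user's VBA project.
DEFAULT_OTM_SUFFIX = PureWindowsPath(
    r"AppData\Roaming\Microsoft\Outlook\VbaProject.OTM").as_posix().lower()


def find_altvba_launches(events):
    """Return one record per Outlook start that used /altvba."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["Image"]).name.lower() != "outlook.exe":
            continue
        m = ALTVBA_RE.search(ev["CommandLine"])
        if not m:
            continue
        otm = m.group(1) or m.group(2)
        nondefault = not PureWindowsPath(otm).as_posix().lower().endswith(DEFAULT_OTM_SUFFIX)
        by_script = PureWindowsPath(ev["ParentImage"]).name.lower() in SCRIPT_HOSTS
        severity = {2: "high", 1: "medium", 0: "low"}[int(nondefault) + int(by_script)]
        hits.append({"otm_path": otm, "nondefault_otm": nondefault,
                     "launched_by_script_host": by_script, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in find_altvba_launches(SAMPLE_PROCESS_EVENTS):
        print(hit)
```

A developer loading their own VbaProject.OTM interactively scores "low"; a project file in a Temp directory loaded by wscript.exe scores "high", which is the combination the article's description of the Outlook module produces.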

Figure 2. Outlook VBA script creating the malicious email

Based on the “send to all in contact list” behavior of this malicious VBA code, we believe that this module might have led some organizations to think they were targeted by Gamaredon when they were merely collateral damage. For example, recent samples uploaded to VirusTotal coming from regions that are not traditionally targeted by Gamaredon, such as Japan, could be explained by the actions of this module.

As seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We’ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon’s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component.

Figure 3. Email generated by the Outlook VBA module with a Word document attachment that contains a remote template

The email contains both English and Russian text. However, as illustrated in Figure 3, there is a problem with the Russian encoding. This was fixed in a later version of this module — another example of the Gamaredon group’s fast development pace and apparent lack of attention to detail.

Office macro injection module – CodeBuilder

We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. This is a very efficient way of moving laterally within an organization’s network as documents are routinely shared amongst colleagues. Also, as these macros are run when opening the documents, it is a good way to persist on a system as some of these documents are likely to be opened multiple times and at different times.

These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings. Thus, affected users have no idea that they are again compromising their workstations whenever they open the documents. We have seen this module implemented in two different languages: C# and VBScript.

C#

This module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files. Notably, there were two text files, one for Word and one for Excel, containing the VBA source code of the malicious macro to be inserted into the targeted documents, and the .NET assembly responsible for finding and compromising existing documents. As illustrated in Figure 4, the assembly name is CodeBuilder.

Figure 4. CodeBuilder functions in a version that is not obfuscated

This .NET module first reduces Office macro security settings for various document types by modifying the following registry values:

HKCU\Software\Microsoft\Office\<version>\<Word|Excel>\Security\VBAWarnings
HKCU\Software\Microsoft\Office\<version>\<Word|Excel>\Security\AccessVBOM

It iterates over all possible Office versions for both Word and Excel. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. For the drive containing the Windows installation, it scans only specific locations, namely the Desktop and Downloads folders. For the others, it scans the entire drive. The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders.
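Both the Outlook module and CodeBuilder work by lowering Office macro security in the user's registry hive, so the same enumeration the malware performs (every Office version, each application) is a useful audit on the defender's side. The block below is an added example for this page, not ESET's or Gamaredon's code: it walks a constructed registry snapshot and reports values that weaken macro security. VBAWarnings and AccessVBOM are the values named in the article; the meaning of their settings (VBAWarnings 1 = enable all macros, AccessVBOM 1 = trust access to the VBA project object model, which is what lets a program write macros into a document through Interop) is standard Office behaviour. The article does not say which Outlook values the VBScript changes; checking Outlook's Security\Level value (1 = enable all macros) is an assumption of this example, as is the list of Office versions.

```python
OFFICE_VERSIONS = ("11.0", "12.0", "14.0", "15.0", "16.0")   # assumed set to enumerate
HIVES = (r"HKCU\Software\Microsoft\Office",              # user settings
         r"HKCU\Software\Policies\Microsoft\Office")     # Group Policy settings

# Settings that disable protection. VBAWarnings: 1 = enable all macros
# (2 = disable with notification, 3 = signed only, 4 = disable all).
# AccessVBOM: 1 = trust access to the VBA project object model.
# Outlook Security\Level: 1 = enable all macros (assumption, see lead-in).
WEAK_VALUES = {"VBAWarnings": {1}, "AccessVBOM": {1}, "Level": {1}}


def macro_security_paths():
    """Yield (registry path, value name) for every value the audit checks."""
    for hive in HIVES:
        for ver in OFFICE_VERSIONS:
            for app in ("Word", "Excel"):
                for name in ("VBAWarnings", "AccessVBOM"):
                    yield "\\".join((hive, ver, app, "Security", name)), name
            yield "\\".join((hive, ver, "Outlook", "Security", "Level")), "Level"


def audit_macro_security(snapshot):
    """snapshot: {registry path: DWORD value}, as exported from the user hive.
    Returns [(path, value)] for every value that weakens macro security."""
    findings = []
    for path, name in macro_security_paths():
        value = snapshot.get(path)
        if value is not None and value in WEAK_VALUES[name]:
            findings.append((path, value))
    return findings


# Constructed snapshot after tampering: Word and Excel opened up in the
# current version, an old version's key left behind, Outlook macros enabled.
WEAK_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings": 1,
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings": 2,   # default, fine
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM": 1,
    r"HKCU\Software\Microsoft\Office\15.0\Word\Security\VBAWarnings": 1,
    r"HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level": 1,
}

# Constructed snapshot where policy pins signed-only macros and no VBOM access.
HARDENED_SNAPSHOT = {
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\VBAWarnings": 3,
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\VBAWarnings": 3,
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security\AccessVBOM": 0,
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Excel\Security\AccessVBOM": 0,
    r"HKCU\Software\Policies\Microsoft\Office\16.0\Outlook\Security\Level": 3,
}


if __name__ == "__main__":
    for path, value in audit_macro_security(WEAK_SNAPSHOT):
        print(f"weak: {path} = {value}")
    print("hardened findings:", audit_macro_security(HARDENED_SNAPSHOT))
```

Values under the Policies hive take precedence over the user hive, which is why setting them through Group Policy is the durable fix: a user-hive value rewritten by malware then changes nothing, and a weak value appearing in the user hive at all is a tampering signal worth alerting on.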

Batch file/VBScript

The VBScript version of this module is similar in behavior to the .NET one. The main difference is that instead of inserting a malicious macro into existing documents, it inserts references to a remote template into them.

Figure 5. VBScript using the Document.AttachedTemplate property to inject a reference to a remote template into existing documents

This VBScript module also comes packaged in a self-extracting archive, containing one batch file and two VBS files responsible for iterating through documents and adding the remote template references to them.
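A document that has been given a remote template reference carries the evidence in its own package: the attached template is a relationship in word/_rels/settings.xml.rels with TargetMode="External" and a network target, and a document that received an injected macro carries word/vbaProject.bin. The block below is an added example for this page, not ESET's or Gamaredon's code: it builds minimal constructed Word packages in memory (only the parts the scanner reads, so they are not valid Word files) and scans them for both artifacts. The relationship type and namespace URIs are the real OOXML ones; the sample URL is a constructed placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_docx(template_target=None, external=True, with_macros=False) -> bytes:
    """Constructed minimal Word package for the scanner to inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            mode = ' TargetMode="External"' if external else ""
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
                       '</Relationships>')
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def scan_docx(data: bytes) -> dict:
    """Report remote attached templates and an embedded VBA project."""
    result = {"remote_templates": [], "has_vba_project": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["has_vba_project"] = "word/vbaProject.bin" in names
        if "word/_rels/settings.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # Template injection looks like an external relationship whose
                # target is fetched over the network (http(s) or a UNC path).
                # A local file:/// template (what Word writes for Normal.dotm
                # and friends) is also External but is not a remote template.
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://", "\\\\"))):
                    result["remote_templates"].append(target)
    return result


def is_suspicious(scan: dict) -> bool:
    return bool(scan["remote_templates"]) or scan["has_vba_project"]


if __name__ == "__main__":
    for label, doc in (("clean", build_docx()),
                       ("remote template", build_docx("http://203.0.113.7/template.dotm")),
                       ("local template", build_docx(r"file:///C:\Templates\Report.dotm")),
                       ("macro", build_docx(with_macros=True))):
        print(label, scan_docx(doc))
```

Run over a file share, this is the check that separates documents tainted by the VBScript variant (remote template) from those tainted by the C# variant (embedded macro); a .docx that suddenly contains vbaProject.bin, or whose attached template points at a host rather than a local path, should not be there.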

Module updates

Interestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. Some show significant similarities while others are rewrites in different coding languages. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors.

Downloaders

There are many variations of their downloaders, most of them written in either C# or VBScript. This section will cover only two of their most original variants; the others have not evolved that much and are very simple.

C# compiler module

This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It contains in its body the base64-encoded source code of a downloader. It decodes that source code and compiles it directly on the system using the built-in Microsoft.CSharp.CSharpCodeProvider class. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators.

Figure 6. Part of the C# downloader source code included in the C# compiler module

GitHub project module

As seen in Figure 7, this .NET executable uses a GitHub repository to obtain and execute a downloader. This repository is now gone, but we were able to download a copy of it while it was still available.

Figure 7. .NET module responsible for downloading and executing a payload stored on github.com

The repository contained a single file — readme.txt — that was a base64-encoded .NET downloader executable. The role of the GitHub project module is to download this file, decode it and execute it.

Backdoors – file stealers

While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. These file stealers can also download and execute arbitrary code from the C&C server. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript.

C/C++

This variant is the successor of the USBStealer module described here. Although the latest versions are now quite different, examining samples of this module throughout its development clearly shows it originates from the same source code.

One sample that illustrates this shift well is a 64-bit DLL with internal name Harvesterx64.dll, compiled in June 2019. It still has most of the strings used in the older variants, but also exhibits two improvements that are still in the newer ones. First, it now resolves Windows APIs via name hashing and second, it uses a basic text file instead of a SQLite database to track which files were already uploaded to the C&C server.

The behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C&C server. To know whether the document is new, the module keeps, in a text file, one MD5 hash per file uploaded to the server. These MD5 hashes are not based on the file content, but rather on a string composed of the file name, its size and its last modified time. The module’s strings are stored in its .data section, encrypted with a simple XOR key. It also has the ability to download and execute arbitrary code from its C&C server.

C#

This is a reimplementation in C# of the C/C++ version. The major difference is that it also takes screenshots of the compromised computer every minute. As seen in Figure 8, the version we analyzed has five different threads with evocative names.

Figure 8. C# backdoor thread creation routine

Batch file/VBScript

This version comprises several scripts, written in both batch file form and VBScript. The ultimate goal is the same, though: scanning the system for sensitive documents. The main mechanism is a batch file that searches for Word documents (*.doc*) on the system and stores their names in a text file (see Figure 9).

Figure 9. Example inject.txt file containing the result of the backdoor’s document file scan

The package also contains encrypted script files named 1.log, 2.log, 3.log, 4.log and 5.log. Once decrypted, these scripts are obfuscated VBScript downloaders that are able to download and execute arbitrary code.

Network infrastructure

The Gamaredon group uses many different domains, both free and paid, for its C&C servers. Free domains are mostly DDNS from No-IP: hopto.org, ddns.net, myftp.biz, while paid domains are registered through the REG.RU registrar and include the .fun, .site, .space, .ru, .website and .xyz TLDs.

They are constantly changing the domains used by their tools, but mostly on a small number of ASNs. Careful analysis suggests they use separate domains for small groups of victims. Please check ESET’s GitHub account for an extensive list of domains used by the Gamaredon group.

Quality of execution

We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. We noticed several mistakes in these, especially in scripts. It is of course impossible to know the exact reason behind these bugs or oversights, but the volume of samples the group produces and their rapid development could explain it. The fact that there were comments left in the source code included in some C# compiler module samples or that the Russian encoding was wrong in email generated by the Outlook VBA module shows that there is no stringent review or testing before releasing their many tools and using them in the wild.

However, while these errors might lower their tools’ overall effectiveness, this group’s rapid execution and adaptation also has some advantages. The volume and relentlessness of the attacks can create a state of constant dread in their targets. And although the code is very simple, some techniques, such as script obfuscation, make it hard to fully automate the analysis, making the analyst’s job tedious.

Their GitHub project allowed us a glimpse into the rapid development of their tools. The code that was committed there clearly showed the evolution of the C# downloader. The first versions showed no signs of obfuscation; then the developers added different string obfuscations and junk code to make the analysis harder.

In terms of persistence, several different techniques are used, but the most common ones are scheduled tasks, autorun registry keys and leveraging the Startup folder. Although these techniques are very simple and have been known for a long time, the Gamaredon group’s strategy of trying to install multiple scripts and executables on each system, and constantly updating them, significantly complicates defenders’ lives.

Conclusion

Despite the simplicity of most of their tools, the Gamaredon group is also capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network. Could this just be a way to deploy a much stealthier payload?

Special thanks to ESET Senior Malware Researcher Anton Cherepanov for his help in this research.

Indicators of Compromise (IoCs)

SHA-1 | ESET detection name | Comments
6F75F2490186225C922FE605953038BDEB537FEE | DOC/TrojanDownloader.Agent.ARJ | Outlook VBA module
DFC941F365E065187B5C4A4BF42E770035920856 | Win32/Pterodo.XG.gen | C# Office macro injection module
9AFC9D6D72F78B2EB72C5F2B87BDC7D59C1A14ED | Win32/Pterodo.ZM | Batch file/VBScript Office macro injection module
3DD83D7123AEFBE5579C9DC9CF3E68BCAFC9E65E | MSIL/Pterodo.CD | C# compiler module
941F341770B67F9E8EE811B4B8383101F35B27CD | MSIL/Pterodo.CA | GitHub project module
DC8BD2F65FD2199CE402C76A632A9743672EFE2D | Win32/Pterodo.XC | C/C++ backdoor
336C1244674BB378F041E9064EA127E9E077D59D | MSIL/Pterodo.DP | C# backdoor
5FC1B6A55A9F5A52422872A8E34A284CDBDD0526 | Win32/Pterodo.YE | Batch file/VBScript backdoor

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1193 | Spearphishing Attachment | Gamaredon group sends emails with malicious attachments to its targets.
Initial Access | T1199 | Trusted Relationship | Gamaredon group malware abuses a compromised organization’s email accounts to send emails with malicious attachments to the victim’s contacts.
Execution | T1064 | Scripting | Gamaredon group uses scripting heavily, mostly Batch files and VBScript.
Execution | T1085 | Rundll32 | Gamaredon group malware uses rundll32 to launch malicious DLLs, for example the C/C++ backdoor.
Execution | T1106 | Execution through API | Gamaredon group malware uses CreateProcess to launch additional components, for example to execute payloads received from its C&C servers.
Execution | T1204 | User Execution | Initial compromise by the Gamaredon group usually requires the user to execute a malicious email attachment.
Persistence | T1053 | Scheduled Task | Gamaredon group malware registers several of its modules (downloaders, backdoors, etc.) as scheduled tasks.
Persistence | T1060 | Registry Run Keys / Startup Folder | Gamaredon group uses Run keys and the Startup folder to ensure its modules are executed at every reboot.
Persistence | T1137 | Office Application Startup | Gamaredon group malware inserts malicious macros into existing documents, providing persistence when they are reopened.
Defense Evasion | T1027 | Obfuscated Files or Information | Gamaredon group makes heavy use of compressed archives, some password protected, to deliver its malicious payloads. Strings are routinely obfuscated or encrypted in these malicious modules.
Defense Evasion | T1112 | Modify Registry | Gamaredon group malware modifies several registry keys to deactivate security mechanisms in Microsoft Office related to macros.
Defense Evasion | T1116 | Code Signing | Gamaredon group uses signed binaries in its malicious campaigns. One notable example is wget samples signed with a valid certificate from Jernej Simončič and available here.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | Gamaredon group uses simple string deobfuscation and decryption routines in its modules.
Defense Evasion | T1221 | Template Injection | Gamaredon group adds remote templates to documents it sends to targets.
Defense Evasion | T1500 | Compile After Delivery | Gamaredon group C# compiler module contains an obfuscated downloader that it compiles using csc.exe and then executes.
Discovery | T1083 | File and Directory Discovery | Gamaredon group uses its backdoors to automatically list interesting files (such as Office documents) found on a system for future exfiltration.
Lateral Movement | T1080 | Taint Shared Content | Gamaredon group malware injects malicious macros into all Word and Excel documents reachable by the compromised system.
Lateral Movement | T1534 | Internal Spearphishing | Gamaredon group uses its Outlook VBA macro to send email with malicious attachments to other targets within the same organization.
Collection | T1005 | Data from Local System | Gamaredon group malware actively searches for sensitive documents on the local system.
Collection | T1025 | Data from Removable Media | Gamaredon group malware scans all drives for sensitive data and also watches for removable drives being inserted into a system.
Collection | T1039 | Data from Network Shared Drive | Gamaredon group malware scans all drives A: – Z: for sensitive data, so it will scan any network shares mounted as drives.
Collection | T1113 | Screen Capture | Gamaredon group uses a backdoor that takes screenshots every minute.
Collection | T1119 | Automated Collection | Gamaredon group deploys scripts on compromised systems that automatically scan for interesting documents.
Command and Control | T1071 | Standard Application Layer Protocol | Gamaredon group malware uses both HTTP and HTTPS for command and control.
Exfiltration | T1020 | Automated Exfiltration | Gamaredon group uses modules that automatically upload harvested documents to the C&C server.



Jean-Ian Boutin

No “Game over” for the Winnti Group

The notorious APT group continues to play the video game industry with yet another backdoor

In February 2020, we discovered a new, modular backdoor, which we named PipeMon. Persisting as a Print Processor, it was used by the Winnti Group against several video gaming companies that are based in South Korea and Taiwan and develop MMO (Massively Multiplayer Online) games. Video games developed by these companies are available on popular gaming platforms and have thousands of simultaneous players.

In at least one case, the malware operators compromised a victim’s build system, which could have led to a supply-chain attack, allowing the attackers to trojanize game executables. In another case, the game servers were compromised, which could have allowed the attackers to, for example, manipulate in-game currencies for financial gain.

The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the software industry, leading to the distribution of trojanized software (such as CCleaner, ASUS LiveUpdate and multiple video games) that is then used to compromise more victims. Recently, ESET researchers also discovered a campaign of the Winnti Group targeting several Hong Kong universities with ShadowPad and Winnti malware.

About the “Winnti Group” naming:

We have chosen to keep the name “Winnti Group” since it’s the name first used to identify it, in 2013, by Kaspersky. Since Winnti is also a malware family, we always write “Winnti Group” when we refer to the malefactors behind the attacks. Since 2013, it has been demonstrated that Winnti is only one of the many malware families used by the Winnti Group.

Attribution to the Winnti Group

Multiple indicators led us to attribute this campaign to the Winnti Group. Some of the C&C domains used by PipeMon were used by Winnti malware in previous campaigns mentioned in our white paper on the Winnti Group arsenal. Besides, Winnti malware was also found in 2019 at some of the companies that were later compromised with PipeMon.

In addition to Winnti malware, a custom AceHash (a credential harvester) binary found at other victims of the Winnti Group, and signed with a well-known stolen certificate used by the group (Wemade IO), was also used during this campaign.

The certificate used to sign the PipeMon installer, modules and additional tools is linked to a video game company that was compromised in a supply-chain attack in late 2018 by the Winnti Group and was likely stolen at that time.

Interestingly, PipeMon modules are installed in %SYSTEM32%\spool\prtprocs\x64; this path was also used in the past to drop the second stage of the trojanized CCleaner.

Additionally, compromising a software developer’s build environment in order to subsequently compromise legitimate applications is a known modus operandi of the Winnti Group.

Targeted companies

Companies targeted in this campaign are video game developers, producing MMO games and based in South Korea and Taiwan. In at least one case, the attackers were able to compromise the company’s build orchestration server, allowing them to take control of the automated build systems. This could have allowed the attackers to include arbitrary code of their choice in the video game executables.

ESET contacted the affected companies and provided the necessary information to remediate the compromise.

Technical analysis

Two different variants of PipeMon were found at the targeted companies. Only for the more recent variant were we able to identify the first stage, which is responsible for installing and persisting PipeMon.

First stage

PipeMon’s first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher. The launcher writes the RARSFX to setup0.exe in a directory named with a randomly generated, eight-character, ASCII string located in the directory returned by GetTempPath. Once written to disk, the RARSFX is executed with CreateProcess by providing the decryption password in an argument, as follows:

setup0.exe -p*|T/PMR{|T2^LWJ*

Note that the password is different with each sample.

The content of the RARSFX is then extracted into %TMP%\RarSFX0 and consists of the following files:

  • CrLnc.dat – Encrypted payload
  • Duser.dll – Used for UAC bypass
  • osksupport.dll – Used for UAC bypass
  • PrintDialog.dll – Used for the malicious print processor initialization
  • PrintDialog.exe – Legitimate Windows executable used to load PrintDialog.dll
  • setup.dll – Installation DLL
  • setup.exe – Main executable

Note that in the event of a folder name collision, the number at the end of the RarSFX0 string is incremented until a collision is avoided. Further, not all these files are necessarily present in the archive, depending on the installer.

Once extracted, setup.exe is executed without arguments. Its sole purpose is to load setup.dll using LoadLibraryA. Once loaded, setup.dll checks whether an argument in the format -x:n (where n is an integer) was provided; the mode of operation differs depending on the presence and value of n. Supported arguments and their corresponding behavior are shown in Table 1. Since setup.exe is executed without arguments by the RARSFX, it first checks whether it’s running with elevated privileges. If not, it attempts to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it attempts different UAC bypass techniques, allowing installation of the payload loader into one of:

  • C:\Windows\System32\spool\prtprocs\x64\DEment.dll
  • C:\Windows\System32\spool\prtprocs\x64\EntAppsvc.dll
  • C:\Windows\System32\spool\prtprocs\x64\Interactive.dll

depending on the variant. Note that we weren’t able to retrieve samples related to Interactive.dll.

Table 1. setup.exe supported arguments and their corresponding behavior.

| Command line argument value | Behavior |
|---|---|
| -x:0 | Load the payload loader. |
| -x:1 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader; otherwise, restart setup.exe with the -x:2 argument using parent process spoofing. |
| -x:2 | Attempt to enable SeLoadDriverPrivilege for the current process. If successful, attempt to install the payload loader. |

This loader is stored encrypted within setup.dll, which will decrypt it before writing it to the aforementioned location.

Persistence using Windows Print Processors

The location where the malicious DLL is dropped was not chosen randomly. This is the path where Windows Print Processors are located and setup.dll registers the malicious DLL loader as an alternative Print Processor by setting one of the following registry values:

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”

or

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

depending on the variant. Note the typo in PrintFiiterPipelineSvc (which has no impact on the Print Processor installation since any name can be used).

After registering the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious Print Processor is loaded when the spooler service starts. Since the Print Spooler service starts at each PC startup, this ensures persistence across system resets.

This technique is very similar to the Print Monitor persistence technique (used by DePriMon, for example) and, to our knowledge, has not been documented previously.

Additionally, the encrypted payload, CrLnc.dat, extracted from the RARSFX is written to the registry at the following location, depending on the installer:

  • HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8
  • HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D

This encrypted registry payload is then loaded, decrypted and executed by the previously registered Print Processor library. The whole PipeMon staging and persistence is shown in Figure 1.
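A defender-side review of the three locations this persistence touches (the Print Processors registry key, the prtprocs\x64 directory and the Print\Components key), as an added example that is neither ESET’s code nor part of the report. It works on a snapshot so it runs anywhere; the collect_live() helper, the winprint.dll-only baseline and the size threshold for registry blobs are assumptions.

```python
r"""Offline review of Print Processor persistence (constructed example, not ESET's code).

Checks the locations PipeMon uses: the Print Processors registry key, the
%SYSTEM32%\spool\prtprocs\x64 directory and the HKLM\SOFTWARE\Microsoft\Print\Components
key. The audit runs on a snapshot so it works anywhere; collect_live() fills the
snapshot from a Windows host when run with --live.
"""
import os
import sys
from dataclasses import dataclass, field

PRINT_PROCESSORS_KEY = r"SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors"
COMPONENTS_KEY = r"SOFTWARE\Microsoft\Print\Components"
# winprint.dll is the Print Processor shipped with Windows. Third-party printer
# drivers may legitimately add more, so anything else is a review item, not a verdict.
BASELINE_DRIVERS = {"winprint.dll"}


@dataclass
class PrintSnapshot:
    processors: dict                                  # Print Processor name -> Driver value
    prtprocs_files: set                               # file names found in spool\prtprocs\x64
    components: dict = field(default_factory=dict)    # value name -> data size in bytes


def audit_print_processors(snap: PrintSnapshot, blob_threshold: int = 4096) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    files = {f.lower() for f in snap.prtprocs_files}
    referenced = {d.lower() for d in snap.processors.values()}
    for name, driver in snap.processors.items():
        if driver.lower() not in BASELINE_DRIVERS:
            findings.append(f"non-baseline Print Processor '{name}' -> {driver}")
        if driver.lower() not in files:
            findings.append(f"Print Processor '{name}' references missing file {driver}")
    for f in sorted(files):
        if not f.endswith(".dll"):
            # The original PipeMon variant parked encrypted modules here under
            # names such as banner.bmp or License.hwp.
            findings.append(f"non-DLL file in prtprocs\\x64: {f}")
        elif f not in referenced and f not in BASELINE_DRIVERS:
            findings.append(f"unreferenced DLL in prtprocs\\x64: {f}")
    for value, size in snap.components.items():
        # The updated variant stores its encrypted payload (CrLnc.dat) as a registry value here.
        if size >= blob_threshold:
            findings.append(f"large blob under Print\\Components: {value} ({size} bytes)")
    return findings


def collect_live() -> PrintSnapshot:
    """Fill a snapshot from the local machine (Windows only; needs read access to HKLM)."""
    import winreg  # standard library, Windows-only
    processors, components = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PRINT_PROCESSORS_KEY) as key:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(key, i)
            except OSError:
                break
            with winreg.OpenKey(key, sub) as subkey:
                processors[sub] = winreg.QueryValueEx(subkey, "Driver")[0]
            i += 1
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, COMPONENTS_KEY) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                components[name] = len(data) if isinstance(data, (bytes, str)) else 0
                i += 1
    except OSError:
        pass  # key absent: nothing parked there
    prtprocs = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "spool", "prtprocs", "x64")
    return PrintSnapshot(processors, set(os.listdir(prtprocs)), components)


# Constructed snapshot resembling a host hit by the DEment.dll variant.
INFECTED = PrintSnapshot(
    processors={"winprint": "winprint.dll", "PrintFiiterPipelineSvc": "DEment.dll"},
    prtprocs_files={"winprint.dll", "DEment.dll", "banner.bmp"},
    components={"DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8": 180_000},
)
CLEAN = PrintSnapshot({"winprint": "winprint.dll"}, {"winprint.dll"})

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" and "--live" in sys.argv else INFECTED
    for line in audit_print_processors(snap) or ["no findings"]:
        print(line)
```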

Figure 1. PipeMon staging and persistence

PipeMon

We named this new implant PipeMon because it uses multiple named pipes for inter-module communication and according to its PDB path, the name of the Visual Studio project used by its developer is “Monitor”.

As mentioned previously, two different PipeMon variants were found. For the first variant, we couldn’t retrieve the installer, so we don’t know for certain which persistence technique was used. However, since this first variant of PipeMon was also located in the Print Processors directory, it’s likely that the same persistence mechanism was used.

Original variant

PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2.

The loader, responsible for loading the main modules (ManagerMain and GuardClient), is Win32CmdDll.dll and is located in the Print Processors directory. The modules are stored encrypted on disk in the same location, under inoffensive-looking names such as:

  • banner.bmp
  • certificate.cert
  • License.hwp
  • JSONDIU7c9djE
  • D8JNCKS0DJE
  • B0SDFUWEkNCj.logN

Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea.

The modules are RC4 encrypted and the decryption key Com!123Qasdz is hardcoded into each module. Win32CmdDll.dll decrypts and injects the ManagerMain and GuardClient modules. The ManagerMain module is responsible for decrypting and injecting the Communication module, while the GuardClient module ensures that the Communication module is running and reloads it if necessary. An overview of how PipeMon operates is shown in Figure 2.

Win32CmdDll.dll first tries to inject the ManagerMain and GuardClient modules into a process with one of the following names: lsass.exe, wininit.exe or lsm.exe. If that fails, it tries to inject into one of the registered Windows service processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) or dllhost.exe. As a last resort, if everything else failed, it tries to use the processes taskhost.exe, taskhostw.exe or explorer.exe.

Candidate processes for Communication module injection must be in the TCP connection table with either 0.0.0.0 as the local address, or an ESTABLISHED connection and owning a LOCAL SERVICE token. These conditions are likely used to hide the Communication module in a process that is already communicating over the network, so that the Communication module’s traffic seems inconspicuous and is possibly also whitelisted in the firewall. If no process meets these requirements, the ManagerMain module tries to inject the Communication module into explorer.exe. Processes belonging to Windows Store Apps and processes named egui.exe (ESET) and avpui.exe (Kaspersky) are excluded from the selection.

Table 2. PipeMon module descriptions and their respective PDB paths

| Module name | Description | PDB path |
|---|---|---|
| Win32CmdDll | Decrypts and loads the ManagerMain and GuardClient modules. | S:\Monitor\Monitor_RAW\Launcher\x64\Release\Win32CmdDll.pdb; S:\Monitor\Monitor_RAW\libs\x64\Release\Win32CmdDll.pdb |
| GuardClient | Periodically checks whether the Communication module is running and loads it if not. | S:\Monitor\Monitor_RAW\Client\x64\Release\GuardClient.pdb |
| ManagerMain | Loads the Communication module when executed. Contains the encrypted C&C domain, which is passed to the Communication module via named pipe. Can execute several commands based on the data received from the Communication module (mostly system information collection and payload injection). | S:\Monitor\Monitor_RAW\Client\x64\Release\ManagerMain.pdb |
| Communication | Responsible for managing communication between the C&C server and individual modules via named pipes. | S:\Monitor\Monitor_RAW\Client\x64\Release\Communication.pdb; F:\PCC\trunk\Communication\Client\x64\Release\Communication.pdb |

Additional modules can be loaded on-demand using dedicated commands (see below), but unfortunately, we weren’t able to discover any of them. The names of these modules are an educated guess based on the named pipes used to communicate with them:

  • Screen
  • Route
  • CMD
  • InCmd
  • File

Inter-module communication

Inter-module communication is performed via named pipes, using two named pipes per communication channel between each individual module, one for sending and one for receiving. Table 3 lists the communication channels and their corresponding named pipes.

Table 3. PipeMon communication channels and their respective named pipes

| Communication channel | Named pipes |
|---|---|
| Communication, Screen | \\.\pipe\ScreenPipeRead%CNC_DEFINED%, \\.\pipe\ScreenPipeWrite%CNC_DEFINED% |
| Communication, Route | \\.\pipe\RoutePipeWriite%B64_TIMESTAMP% |
| Communication, ManagerMain | \\.\pipe\MainPipeWrite%B64_TIMESTAMP%, \\.\pipe\MainPipeRead%B64_TIMESTAMP% |
| GuardClient, ManagerMain | \\.\pipe\MainHeatPipeRead%B64_TIMESTAMP% |
| Communication, InCmd | \\.\pipe\InCmdPipeWrite%B64_TIMESTAMP%, \\.\pipe\InCmdPipeRead%B64_TIMESTAMP% |
| Communication, File | \\.\pipe\FilePipeRead%B64_TIMESTAMP%, \\.\pipe\FilePipeWrite%B64_TIMESTAMP% |
| GuardClient, Communication | \\.\pipe\ComHeatPipeRead%B64_TIMESTAMP% |
| Communication, CMD | \\.\pipe\CMDPipeRead, \\.\pipe\CMDPipeWrite |

The %CNC_DEFINED% string is received from the C&C server and %B64_TIMESTAMP% variables are base64-encoded timestamps such as the ones shown in Table 4.

Table 4. Example timestamps used with named pipes

| %B64_TIMESTAMP% | Decoded timestamp |
|---|---|
| MjAxOTAyMjgxMDE1Mzc= | 20190228101537 |
| MjAxOTA1MjEyMzU2MjQ= | 20190521235624 |
| MjAxOTExMjExMjE2MjY= | 20191121121626 |
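A hunting helper that recognizes the pipe names from Table 3 in a listing of the \\.\pipe\ namespace and decodes their base64 timestamps, as an added example that is not ESET’s code. It assumes a listing of one pipe name per line; it also flags the 31-letter random names of the updated variant described later in the report, which is a heuristic and needs correlating with the owning process.

```python
r"""Spot PipeMon-style named pipes in a pipe listing (constructed example, not ESET's code).

The original variant's pipes are a fixed stem from Table 3 followed by a base64
timestamp (or a server-chosen value for the Screen pipes); the updated variant
uses \\.\pipe\<31 mixed-case letters>. The listing format assumed here is one
pipe name per line, as produced by tools that enumerate \\.\pipe\ on a host.
"""
import base64
import re
from datetime import datetime

PIPE_PREFIX = "\\\\.\\pipe\\"   # the string \\.\pipe\
# Stems from Table 3, including the "RoutePipeWriite" typo as it appears in the malware.
PIPEMON_STEMS = (
    "ScreenPipeRead", "ScreenPipeWrite", "RoutePipeWriite",
    "MainPipeWrite", "MainPipeRead", "MainHeatPipeRead",
    "InCmdPipeWrite", "InCmdPipeRead", "FilePipeRead", "FilePipeWrite",
    "ComHeatPipeRead", "CMDPipeRead", "CMDPipeWrite",
)
_STEM_RE = re.compile("^(" + "|".join(PIPEMON_STEMS) + ")(.*)$")
_RANDOM_RE = re.compile(r"^[A-Za-z]{31}$")   # updated variant; heuristic only


def decode_b64_timestamp(suffix: str):
    """Return the datetime if suffix is base64 of YYYYMMDDHHMMSS, else None."""
    try:
        raw = base64.b64decode(suffix, validate=True).decode("ascii")
        return datetime.strptime(raw, "%Y%m%d%H%M%S")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_pipe(name: str):
    """Return (label, stem, timestamp) for a PipeMon-looking pipe, else None."""
    if not name.startswith(PIPE_PREFIX):
        return None
    local = name[len(PIPE_PREFIX):]
    m = _STEM_RE.match(local)
    if m:
        stem, suffix = m.groups()
        # Screen pipes carry a C&C-chosen suffix, CMD pipes none: timestamp stays None.
        return ("pipemon-v1", stem, decode_b64_timestamp(suffix))
    if _RANDOM_RE.match(local):
        return ("pipemon-v2-candidate", None, None)
    return None


def scan_pipe_listing(lines):
    """Return [(name, label, stem, timestamp_iso)] for every suspicious pipe."""
    hits = []
    for line in lines:
        name = line.strip()
        result = classify_pipe(name)
        if result:
            label, stem, ts = result
            hits.append((name, label, stem, ts.isoformat() if ts else None))
    return hits


# Constructed listing: common Windows pipes plus three PipeMon-style names.
SAMPLE_LISTING = [
    r"\\.\pipe\lsass",
    r"\\.\pipe\srvsvc",
    r"\\.\pipe\spoolss",
    r"\\.\pipe\MainPipeWriteMjAxOTAyMjgxMDE1Mzc=",
    r"\\.\pipe\CMDPipeRead",
    r"\\.\pipe\aBcDeFgHiJkLmNoPqRsTuVwXyZabcDe",
]

if __name__ == "__main__":
    for hit in scan_pipe_listing(SAMPLE_LISTING):
        print(hit)
```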

Figure 2. PipeMon IPC scheme (original PipeMon variant)

C&C communication

The Communication module is responsible for managing communications between the C&C server and the other modules via named pipes, similar to the PortReuse backdoor documented in our white paper on the Winnti arsenal.

Its C&C address is hardcoded in the ManagerMain module and encrypted using RC4 with the hardcoded key Com!123Qasdz. It is sent to the Communication module through a named pipe.

A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlib’s Deflate implementation.


Figure 3. C&C message and beacon formats

To initiate communication with the C&C server, a beacon message is first sent that contains the following information:

  • OS version
  • physical addresses of connected network adapters concatenated with %B64_TIMESTAMP%
  • victim’s local IP address
  • backdoor version/campaign ID; we’ve observed the following values
    • “1.1.1.4beat”
    • “1.1.1.4Bata”
    • “1.1.1.5”
  • Victim computer name

The information about the victim’s machine is collected by the ManagerMain module and sent to the Communication module via the named pipe. The backdoor version is hardcoded in the Communication module in cleartext.

The format of the beacon message is shown in Figure 3 and the supported commands are shown in Table 5.

Table 5. List of commands

| Command type | Command argument | Description |
|---|---|---|
| 0x02 | 0x03 | Install the File module |
| 0x03 | 0x03 | Install the CMD module |
| 0x03 | 0x0B | Install the InCmd module |
| 0x04 | 0x02 | Queue command for the Route module |
| 0x04 | 0x03 | Install the Route module |
| 0x05 | * | Send victim’s RDP information to the C&C server |
| 0x06 | 0x05 | Send OS, CPU, PC and time zone information to the C&C server |
| 0x06 | 0x06 | Send network information to the C&C server |
| 0x06 | 0x07 | Send disk drive information to the C&C server |
| 0x07 | * | Send running processes information to the C&C server |
| 0x09 | * | DLL injection |
| 0x0C | 0x15 | Send names of “InCmd” pipes and events to the C&C server |
| 0x0C | 0x16 | Send name of “Route” pipe to the C&C server |
| 0x0C | 0x17 | Send names of “File” pipes to the C&C server |

* The argument supplied for this command type is ignored

Updated variant

As mentioned earlier, the attackers also use an updated version of PipeMon for which we were able to retrieve the first stage described above. While exhibiting an architecture highly similar to the original variant, its code was likely rewritten from scratch.

The RC4 code used to decrypt the modules and strings was replaced by a simple XOR with 0x75E8EEAF as the key and all the hardcoded strings were removed. The named pipes used for inter-module communication are now named using random values instead of explicit names and conform to the format \\.\pipe\%rand%, where %rand% is a pseudorandomly generated string of 31 characters containing only mixed case alphabetic characters.
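The two decryption schemes in one triage helper, RC4 with Com!123Qasdz for the original variant (modules on disk, strings and, per the C&C section, messages) and the 4-byte XOR with 0x75E8EEAF for the updated variant, as an added example that is not ESET’s tooling. The report does not state in which byte order the XOR key is applied, so both orders are tried, and a candidate is accepted only if it carries a plausible PE header; the sample ciphertexts are constructed.

```python
"""Triage helper for PipeMon module/string blobs (constructed example, not ESET's tooling).

Original variant: RC4 with the hardcoded key Com!123Qasdz. Updated variant: XOR with
0x75E8EEAF. The report does not say in which byte order the 32-bit XOR key is applied,
so both orders are tried and a result is accepted only if it looks like a PE image.
"""
import struct

RC4_KEY = b"Com!123Qasdz"
XOR_KEY32 = 0x75E8EEAF


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor32(data: bytes, key: int, byteorder: str) -> bytes:
    """XOR with a repeating 4-byte key; byteorder is 'little' or 'big' (assumption)."""
    ks = key.to_bytes(4, byteorder)
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus an e_lfanew that points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


SCHEMES = (
    ("rc4:Com!123Qasdz", lambda d: rc4(RC4_KEY, d)),
    ("xor32-le:0x75E8EEAF", lambda d: xor32(d, XOR_KEY32, "little")),
    ("xor32-be:0x75E8EEAF", lambda d: xor32(d, XOR_KEY32, "big")),
)


def try_decrypt_module(blob: bytes):
    """Return (scheme, plaintext) for the first scheme that yields a PE, else (None, None)."""
    for name, fn in SCHEMES:
        pt = fn(blob)
        if looks_like_pe(pt):
            return name, pt
    return None, None


def build_fake_pe() -> bytes:
    """Minimal stand-in for a module: DOS header, e_lfanew -> PE signature, some payload."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b"constructed test module"


# Constructed ciphertexts, one per variant.
SAMPLE_RC4 = rc4(RC4_KEY, build_fake_pe())
SAMPLE_XOR = xor32(build_fake_pe(), XOR_KEY32, "little")

if __name__ == "__main__":
    for blob in (SAMPLE_RC4, SAMPLE_XOR, b"\0" * 128):
        scheme, pt = try_decrypt_module(blob)
        print(scheme, pt[:2] if pt else None)
```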

Here, only the main loader (i.e. the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6.

Table 6. Updated modules

| Module name | Description |
|---|---|
| CoreLnc.dll | Loaded by the malicious Print Processor. Responsible only for loading the Core.dll module embedded in its .data section. |
| Core.dll | Loads the Net.dll module embedded in its .data section. Handles commands from the C&C server and communications between individual modules and the C&C server through named pipes. |
| Net.dll | New Communication module. Handles the networking. |

Module injection is not performed using the reflective loading technique with an export function anymore; custom loader shellcode is used instead and is injected along with the module to be loaded.

The C&C message format was changed as well, and is shown in Figure 4.


Figure 4. Previous (top) and updated (bottom) C&C message format

Interestingly, the backdoor’s configuration is encrypted and embedded in the loader DLL. The configuration contains:

  • Name of the registry value
  • Campaign identifier
  • C&C IP addresses or domain names
  • Timestamp (in FILETIME format) corresponding to the date from which to start using a second C&C domain marked with ‘#’ in the configuration.

An example of a configuration dump embedded in the loader DLL is shown in Figure 5. Configurations extracted from several loader DLLs are shown in Table 7.

Figure 5. Example of decrypted configuration (with few zero-bytes removed because of image size)

Table 7. Configuration extracted from several loaders

| Loader SHA-1 | Campaign ID | Payload registry name | C&C IP/domains | Alternative domain activation timestamp |
|---|---|---|---|---|
| 6c97039605f93ccf1afccbab8174d26a43f91b20 | KOR2 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 154.223.215.116, ssl2.dyn-tracker.com, #client.gnisoft.com | 0x01d637a797cf0000 (Monday, June 1, 2020 12:00:00am) |
| 97da4f938166007ce365c29e1d685a1b850c5bb0 | KOR | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113, ssl2.dyn-tracker.com, #client.gnisoft.com | 0x01d637a797cf0000 (Monday, June 1, 2020 12:00:00am) |
| 7ca43f3612db0891b2c4c8ccab1543f581d0d10c | kor1 | DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8 | 203.86.239.113, www2.dyn.tracker.com (note the typo here: dyn.tracker instead of dyn-tracker), #nmn.nhndesk.com | 0x01d61f4b7500c000 (Friday, May 1, 2020 12:00:00am) |
| b02ad3e8b1cf0b78ad9239374d535a0ac57bf27e | tw1 | A66F35-4164-45FF-9CB4-69ACAA10E52D | ssl.lcrest.com |  |
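How the ‘#’ alternative domain and the FILETIME in Table 7 combine, so a responder knows which C&C a given loader would contact in a given time window; an added example, not ESET’s code. It transcribes two Table 7 rows and assumes the switch rule exactly as the report states it: primary entries until the timestamp, the ‘#’ entry from then on.

```python
"""Resolve which C&C a PipeMon loader configuration points at on a given date
(constructed example, not ESET's code). Entries come from Table 7; the switch rule
follows the report: the '#' entry is used from the FILETIME onward.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass
class LoaderConfig:
    campaign_id: str
    payload_value: str                      # value name under HKLM\SOFTWARE\Microsoft\Print\Components
    c2: List[str]                           # as listed in the config; '#' marks the alternative C&C
    switch_filetime: Optional[int] = None   # None: no alternative activation date

    def primary(self) -> List[str]:
        return [e for e in self.c2 if not e.startswith("#")]

    def alternative(self) -> List[str]:
        return [e[1:] for e in self.c2 if e.startswith("#")]

    def switch_at(self) -> Optional[datetime]:
        return None if self.switch_filetime is None else filetime_to_datetime(self.switch_filetime)


def active_c2(cfg: LoaderConfig, now: datetime) -> List[str]:
    """C&C entries the implant would use at `now` (an aware UTC datetime)."""
    switch = cfg.switch_at()
    if switch is not None and cfg.alternative() and now >= switch:
        return cfg.alternative()
    return cfg.primary()


def c2_for_window(cfgs, start: datetime, end: datetime) -> List[str]:
    """Every C&C entry any of the configs could use between start and end (inclusive),
    e.g. to scope log searches or blocks for an incident window."""
    hosts = set()
    for cfg in cfgs:
        hosts.update(active_c2(cfg, start))
        hosts.update(active_c2(cfg, end))
    return sorted(hosts)


# Two rows of Table 7 transcribed as constructed config objects.
KOR2 = LoaderConfig(
    "KOR2", "DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8",
    ["154.223.215.116", "ssl2.dyn-tracker.com", "#client.gnisoft.com"],
    0x01D637A797CF0000,
)
TW1 = LoaderConfig("tw1", "A66F35-4164-45FF-9CB4-69ACAA10E52D", ["ssl.lcrest.com"])

if __name__ == "__main__":
    switch = KOR2.switch_at()
    print("KOR2 switches at", switch.isoformat())
    print("before:", active_c2(KOR2, switch - timedelta(days=1)))
    print("after: ", active_c2(KOR2, switch))
    print("tw1:   ", active_c2(TW1, switch))
```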

Stolen code-signing certificate

PipeMon modules and installers are all signed with the same valid code-signing certificate that was likely stolen during a previous campaign of the Winnti Group. The certificate’s owner revoked it as soon as they were notified of the issue.

Figure 6. Code-signing certificate used to sign PipeMon first stage and modules before (top) and after (bottom) revocation.

On a sample-sharing platform we found other tools signed with this certificate, such as HTran (a connection bouncer), the WinEggDrop port scanner, Netcat and Mimikatz, which the attackers may have used as well.

Furthermore, a custom AceHash build signed with a stolen Wemade IO certificate, already mentioned in our previous white paper and commonly used by the Winnti Group, was found on some machines compromised with PipeMon.

Conclusion

Once again, the Winnti Group has targeted video game developers in Asia with a new modular backdoor signed with a code-signing certificate likely stolen during a previous campaign and sharing some similarities with the PortReuse backdoor. This new implant shows that the Winnti Group is still actively developing new tools using multiple open source projects; they don’t rely solely on their flagship backdoors, ShadowPad and the Winnti malware.

We will continue to monitor new activities of the Winnti Group and will publish relevant information on our blog. For any inquiries, contact us at [email protected]. The IoCs are also available at our GitHub repository.

Indicators of Compromise

ESET detection names

Win64/PipeMon.A
Win64/PipeMon.B
Win64/PipeMon.C
Win64/PipeMon.D
Win64/PipeMon.E

Filenames

100.exe
103.exe
Slack.exe
setup.exe
%SYSTEM32%\spool\prtprocs\x64\DEment.dll
%SYSTEM32%\spool\prtprocs\x64\EntAppsvc.dll
%SYSTEM32%\spool\prtprocs\x64\Interactive.dll
%SYSTEM32%\spool\prtprocs\x64\banner.bmp
%SYSTEM32%\spool\prtprocs\x64\certificate.cert
%SYSTEM32%\spool\prtprocs\x64\License.hwp
%SYSTEM32%\spool\prtprocs\x64\D8JNCKS0DJE
%SYSTEM32%\spool\prtprocs\x64\B0SDFUWEkNCj.log
%SYSTEM32%\spool\prtprocs\x64\K9ds0fhNCisdjf
%SYSTEM32%\spool\prtprocs\x64\JSONDIU7c9djE
%SYSTEM32%\spool\prtprocs\x64\NTFSSSE.log
AceHash64.exe
mz64x.exe

Named pipes

\\.\pipe\ScreenPipeRead%CNC_DEFINED%
\\.\pipe\ScreenPipeWrite%CNC_DEFINED%
\\.\pipe\RoutePipeWriite%B64_TIMESTAMP%
\\.\pipe\MainPipeWrite%B64_TIMESTAMP%
\\.\pipe\MainPipeRead%B64_TIMESTAMP%
\\.\pipe\MainHeatPipeRead%B64_TIMESTAMP%
\\.\pipe\InCmdPipeWrite%B64_TIMESTAMP%
\\.\pipe\InCmdPipeRead%B64_TIMESTAMP%
\\.\pipe\FilePipeRead%B64_TIMESTAMP%
\\.\pipe\FilePipeWrite%B64_TIMESTAMP%
\\.\pipe\ComHeatPipeRead%B64_TIMESTAMP%
\\.\pipe\CMDPipeRead
\\.\pipe\CMDPipeWrite

Registry

HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\PrintFiiterPipelineSvc\Driver = “DEment.dll”

HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\lltdsvc1\Driver = “EntAppsvc.dll”

HKLM\SOFTWARE\Microsoft\Print\Components\DC20FD7E-4B1B-4B88-8172-61F0BED7D9E8
HKLM\SOFTWARE\Microsoft\Print\Components\A66F35-4164-45FF-9CB4-69ACAA10E52D

Samples

First stage


PipeMon


PipeMon encrypted binaries


Additional tools

WinEggDrop

AF9C220D177B0B54A790C6CC135824E7C829B681

Mimikatz

4A240EDEF042AE3CE47E8E42C2395DB43190909D
FD4567BB77F40E62FD11BEBF32F4C9AC00A58D53

Netcat

751A9CBFFEC28B22105CDCAF073A371DE255F176

HTran

48230228B69D764F71A7BF8C08C85436B503109E

AceHash

D24BBB898A4A301870CAB85F836090B0FC968163

Code-signing certificate SHA-1 thumbprints

745EAC99E03232763F98FB6099F575DFC7BDFAA3
2830DE648BF0A521320036B96CE0D82BEF05994C

C&C domains


C&C IP addresses

154.223.215[.]116
203.86.239[.]113

| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1013 | Port Monitor | PipeMon uses a persistence technique similar to Port Monitor, based on Print Processors. |
| Privilege Escalation | T1134 | Access Token Manipulation | The PipeMon installer tries to gain administrative privileges using token impersonation. |
|  | T1088 | Bypass User Account Control | The PipeMon installer uses UAC bypass techniques to install the payload. |
|  | T1502 | Parent PID Spoofing | The PipeMon installer uses parent PID spoofing to elevate privileges. |
| Defense Evasion | T1116 | Code Signing | PipeMon, its installer and additional tools are signed with stolen code-signing certificates. |
|  | T1027 | Obfuscated Files or Information | PipeMon modules are stored encrypted on disk. |
|  | T1112 | Modify Registry | The PipeMon installer modifies the registry to install PipeMon as a Print Processor. |
|  | T1055 | Process Injection | PipeMon injects its modules into various processes using reflective loading. |
| Discovery | T1057 | Process Discovery | PipeMon iterates over the running processes to find a suitable injection target. |
|  | T1063 | Security Software Discovery | PipeMon checks for the presence of ESET and Kaspersky software. |
| Collection | T1113 | Screen Capture | One of the PipeMon modules is likely a screenshotter. |
| Command and Control | T1043 | Commonly Used Ports | PipeMon communicates through port 443. |
|  | T1095 | Custom Command and Control Protocol | The PipeMon Communication module uses a custom protocol based on TLS over TCP. |
|  | T1032 | Standard Cryptographic Protocol | PipeMon communication is RC4 encrypted. |
|  | T1008 | Fallback Channels | The updated PipeMon version uses a fallback channel once a particular date is reached. |



Mathieu Tartare and Martin Smolár

Ubisoft Sues Apple and Google Over Distribution of Alleged ‘Ripoff’ Game

Ubisoft Entertainment this week levied a lawsuit against Apple and Google, accusing them of selling a “ripoff” of its popular video game Tom Clancy’s Rainbow Six: Siege, reports Bloomberg.


Ubisoft filed a complaint in federal court in Los Angeles, claiming that the game “Area F2,” developed by Qookka Games, is a “near carbon copy” of Tom Clancy’s Rainbow Six: Siege, aiming to “piggyback” off its popularity. Ubisoft said that it has notified Apple and Google that Area F2 is infringing its copyrights, but both companies have refused to remove the game from the Google Play and Apple App stores.

As one of Ubisoft’s most valuable intellectual properties, Rainbow Six: Siege is played as a competitive e-sport, has 55 million registered players worldwide, and according to Ubisoft’s copyright infringement claim, is played by more than three million users every day. Ubisoft argues that the lawsuit can’t be “seriously disputed” and that “virtually every aspect of AF2” is copied from Rainbow Six: Siege, “from the operator selection screen to the final scoring screen, and everything in between.”

Ubisoft did not elaborate on why it is suing the app store operators for enabling distribution of the game rather than developer Qookka Games itself for the initial infringement. Qookka Games, owned by Alibaba’s Ejoy, is located in China, potentially making an international copyright claim more difficult. It remains unclear whether Ubisoft plans to file a separate lawsuit against the developer, in addition to app store operators.

Area F2 has over 75,000 reviews on the Google Play Store, and more than 2,000 on Apple’s App Store, and many reviews on both platforms directly note the similarities to Ubisoft’s title. Google and Apple have not yet responded to Bloomberg’s requests for a comment.


Apple Arcade’s Latest Game Combines Turn-Based RPG With Strategy Board Game

The Label’s “The_Otherside” is this week’s addition to Apple Arcade on the iPhone, iPad, and Apple TV. The game is described as both a turn-based RPG and a strategy board game:

Otherside is a turn based RPG and strategy board game where you will control four survivors who hope to push back the shadowy threat. Make your way through each level solving puzzles, fighting monsters, and destroying the spirit anchors that threaten our dimension.

Do you have what it takes to restore the town back to normal and save the day?

“The_Otherside” is available on the App Store with an Apple Arcade subscription. The service provides iPhone, iPad, Apple TV, and Mac users with access to over 100 games with no in-app purchases or ads for $4.99 per month.

Tag: Apple Arcade

This article, “Apple Arcade’s Latest Game Combines Turn-Based RPG With Strategy Board Game” first appeared on MacRumors.com


5 of the Best Game Recording Softwares for Windows 10 (LATEST)

In Short Hacks: Are you good at any PC game? Well, there are lots of ways to make money from gaming. Many gamers know such methods, but if you run a YouTube channel where you upload content like gameplay recordings, then this article is for you. Here we have listed some of the top game recording software for Windows PCs and laptops in 2018.

Best Game Recording Softwares for Windows 2018

Nowadays, gaming is one of the favorite hobbies of many youngsters, owing to the great developments in gameplay and graphics. Games in earlier years had much less functionality and poorer graphics, but nowadays there are games that require a lot of strategy and thinking.

Apart from gameplay, the graphics of the latest games like GTA V have developed considerably. People purchase high-end components for their computers, especially for gaming purpose. Windows PC is one platform where you can play almost every game. All you need to do is install that game on your Windows PC and start playing it! Earlier, We have published an article on Top 5 Best Screen Recording Apps Without Root Android 2018

Top Game Recording Softwares 2018: Some people need to record their game while playing, either to publish it on their YouTube channel or for some other purpose. Whatever the reason might be, you should be equipped with a useful game recording software on your Windows PC. Thus, here we are with a list of some of the best game recording software for Windows.

Let's have a closer look at all of these free game recording software for Windows. With them, you can easily record gameplay on your PC.

#1 Filmora Scrn

Filmora Scrn provides a number of features along with the basic function of recording your game on Windows as well as on Mac OS X 10.11 or later. These features enhance the user experience and make it convenient to use. It also supports a PIP (picture-in-picture) feature in which you can add a second image or video to your main footage, like a facecam for gaming. You can also take screenshots using this software and save them in various formats. There are many more features in its official paid version.

#2 Open Broadcaster Software: Game Capture Software

Open Broadcaster Software, also known as OBS Studio, is available for Windows, macOS, and Linux. The installation of this software is very simple: all you need to do is download the required files from its official website and install it on your Windows PC. That's it; you are all set to start using it. It is open source, and its services are available for free. Numerous features come along with this software, enhancing its basic function of recording the games you play on your Windows PC.

#3 Windows 10 Game Bar: Game Rec. Apps for Windows 10

As the name suggests, this software is available only for Windows 10 users. It is built into Windows 10 and can be launched by pressing the Windows key and G simultaneously. Once the Game Bar is launched, you can use it to start and stop recording your game. It performs only the basic function of recording your game, and does it efficiently. Windows 10 users can rely on this built-in software instead of downloading one.

#4 ShadowPlay: Game Recording software Free

This game recording software is developed by NVIDIA, one of the best-known software development companies in the world. Using it, you can record and watch instant replays, take screenshots at any time during your game, and broadcast to your social media accounts easily. The quality of recordings and screenshots can be as high as 4K. It has many features that enhance the user experience.

#5 Action!: Action Recording Software

This is another useful software which you can use on any Windows version. However, it is not free of cost. You can use the free 30-day trial and then buy it to continue using the services provided by this game recording software. Using this software, you can also live stream your game on websites such as Twitch, YouTube, etc. The price of this software is $29.95 for Home use and $49.95 for Commercial use.

#6 Dxtory

Dxtory provides a number of features along with the basic function of recording your game on a Windows PC. These features enhance the user experience and make it convenient to use. It also supports multiple audio source recording, which lets you record several audio sources simultaneously and edit them later. You can also take screenshots using this software and save them in various formats.

Conclusion:

These were some of the best game recording software for your Windows PC. You can now easily record your game using any of the software listed above. There is much more such software, but we have provided the best ones. They will never disappoint you with their performance.

If we have missed your favorite game streaming software, then please let us know about it in the comments section below.