>Devices that were infected by the first stage automatically accessed the malicious string at the end of the URL. From there, they were infected with a second stage.
I'm guessing the only reason it is done this way is to make network activity less suspicious than if the device were to connect to some novel 3rd party domain?
It is simply a way for the first stage to keep an updated URL from which to download instructions about what to do. Hardcoding the URL won’t do it because your URL might be taken down quite quickly.
In my day, this was done by connecting to an IRC room and listening for specific messages. I find this way of doing it way more complicated and prone to errors (an IRC client is quite easy to do and there’s no realistic way to prevent anybody from sending a strange message in a given room).
Maybe I'm missing something, but whether the first stage points to Ars/Vimeo or directly to the bad-guys, the URL has to be hardcoded somewhere. I think the comment you replied to is probably on the right track; hiding behind a legit intermediary seems a lot less suspicious if someone inspects the payload on the drive.
The first stage points to arstechnica.com because that’s unlikely to be blocked or attract much attention (your IT guys would probably unblock it). The URL is set on that profile page but the person who controls it can change that any time they want without attracting attention so it’s not hardcoded in the way it would be if it was embedded in the malware executable.
Yeah but a socket connection to an IRC server and port will probably trigger a network monitoring firewall that a computer in the network has been compromised... A connection to arstechnica.com, the IT admin might even think "Cool, I didn't know that Bob from accounting is into tech..."
Most corporate SOCs would probably investigate IRC connections at least briefly, they have a very high signal to noise ratio for compromised devices. Modern security devices do generate a tremendous amount of information, but the security operations industry as a whole and SIEMs in particular were developed to make it feasible to risk score and triage these findings.
A well-configured corporate firewall is going to block anything that looks like an IRC packet, because for the overwhelming majority of users, the probability of that packet being malicious is ~1.
I found it funny how Ars Technica (owned by Condé Nast) had some of the best reporting offering scathing criticism of Reddit (also owned by Condé Nast) while Steve Huffman was destroying the website by killing off the API and leaving volunteer moderators without the tools they need to deal with spam. I'm not sure how common this is, but it was refreshing to see journalists doing their job properly despite being faced with a massive conflict of interest.
There has been a dramatic rise in spam and hate speech, starting the day of the first moderator strikes. This hasn't gone unnoticed by the community, you see this observation being made by people all over the site.
Up to a point Ars does what it takes to generate clicks. I can't tell if they post more nakedly political content now than they used to, but whenever I see that sort of thing on the site it depresses me.
Like a picture of a scantily clad woman on a link (Will you see more if you click it? Who knows, but there's one way to find out for sure ... ), the end result, whether it delivers or not, is a vague feeling of being manipulated. That the editors think less of me than I'd like.
But who knows, certainly the political stuff on it usually doesn't appeal to my politics so maybe it's just unhappiness that they don't share my views.
So in other words, this is harmless unless the target was previously infected with the malware `explore.ps1`. This URL just acts as a trigger to activate the malware? Do I have that somewhat right?
Not a trigger. Just a payload. On a domain the government can’t seize/shutdown. Kinda interesting, but I imagine they can just extract all the target urls from the malware and get hosts to block?
Maybe they're referring to using a prominent website as a C&C server? Wait... no, they've seen that before when they reported, in 2017, on a:
> "backdoor Trojan used comments posted to Britney Spears's official Instagram account to locate the control server that sends instructions and offloads stolen data to and from infected computers." [0]
So they must be talking about the novel use of an image in the staged delivery? Oh... nevermind, that can't be it either because their reporting on VPNFilter in 2018 mentioned:
> "stage 1 relies on a sophisticated mechanism to locate servers where stage 2 and stage 3 payloads were available. The primary method involved downloading images stored on Photobucket.com and extracting an IP address from six integer values used for GPS latitude and longitude stored in the EXIF field of the image." [1]
So yeah, I guess Ars hasn't seen Base64 before it was embedded on their site.
Smuggling things past firewalls is trivial. base48 or some other nonstandard scheme, or encrypt a zip file and use a bananaphone scheme to make the content look low entropy. No firewall will flag that.
A lot of inspecting transparent TLS firewalls look for high entropy blocks, the idea being to sniff out encrypted exfiltration. Making them low entropy is straightforward, as you say.
Browse news in a throwaway VM instance that doesn't directly have password management. GoogleNews has served me several trojans, because I'm inherently clicking on unknown links. This attack was interesting, because it didn't leave Ars, but I would fear those who target HN with outlinks.
They can serve malware only to targeted domains so you may be the only one hit.
Even more targeted and obscured is to include several keywords in an article of interest that lead to a single controlled page optimized for search engines, which again serves targeted malware.
> GoogleNews has served me several trojans, because I'm inherently clicking on unknown links.
[Citation Needed]
Extraordinary claims require extraordinary evidence, and I find this extremely difficult to believe. No news outlet linked to from Google News is going to send you a "trojan", or any other kind of malware.
You may have misunderstood how the malware described in the article works - simply visiting Ars would not infect you, or anyone.
Thanks for your question. It should be fairly clear that I'm not talking directly about the Ars issue. That isn't about an outlinked article (Ars doesn't aggregate quite that way) the way Google and HN do. However, using a VM separate from the browser sandbox is a nice way to anonymize and prevent any leaks/damage that can occur. I'm interested to know why you think this hasn't happened since most serious compromises are an untrusted link click away (esp in Windows).
The first time was in about 2012. There was a news link off of GoogNews (not the site itself obviously, and an outlink as described). The "News" trojan link page seemed to be up for only a short while and then blocked, since later searches for the title were completely missing. I'm guessing Google probably caught it on their end since it was probably infecting everyone who clicked. I only noticed it reasonably quickly due to a rapid change in network activity, but it had already escaped the browser sandbox and was downloading more.
Drive forensics that day didn't show anything obvious on Friday, but the next Monday a trojan was found that had been using a zero-day. Since then I've used a VM for random browsing (it's not a panacea, but it's easy enough to do). If you believe that's ineffective, I'd like to understand more. A couple of times in the 13 years since, the AV in the VM has caught viruses and I don't really browse much except news from Google, Yahoo, HN, Ars, etc in that VM.
Ah, 2012, not surprised. Ad-served malware seemed more common in those days. Even in the early days of reddit, it had an episode where one of their third-party ads infected users. I don't recall it being very malicious but it definitely made me button down on my defense of ad-blockers.
I would be curious to learn more about Google News abuses too. It doesn’t sound completely far fetched. Google search is known to have served up malicious websites masquerading as legitimate ones. For example, here’s one that was disguised as gimp.org:
I think the concern on HN would be targeting to particular IPs or domains, more like spear phishing. Agree it wouldn't last long, but it only takes once.