00:00:00
In a rare turn of events, the three-letter agencies are actually recommending that Americans start using encrypted chat apps, because state-backed threat actors have managed to hack the major broadband networks in the United States, which is allowing the hackers to spy on people's phone messages. So obviously the feds are really pissed, because they're usually the only ones that get to listen to your calls and read your text messages. And if you're wondering who hijacked the telecom spyware networks, it's of course the United States' greatest rivals.

00:00:30
That's right, these hackers have links to China's Ministry of State Security, which is kind of like America's CIA combined with the FBI, and of course Chinese, and this affiliated hacking group has been launching a number of cyber attacks against US infrastructure and the infrastructure of other countries going as far back as at least 2020. This is an advanced persistent threat that's gone by a lot of names, like GhostEmperor, FamousSparrow, King of World, UNC2286, and most recently Salt Typhoon. Their primary goal appears to be intelligence gathering, which is pretty common amongst Chinese state-backed threat actors: they'll hack into the networks of militaries or private sector companies to steal research secrets in order for China to improve their tech without having to spend the millions of dollars that other people did on that research and development.

00:01:22
But obviously, if these hackers have persistent access to telecom and broadband networks, that could be used offensively as well. Like, if China decided to invade Taiwan, communications could be interrupted as that's happening, delaying the military response. We've already seen the complete blend of traditional and cyber warfare in the Gaza and Ukraine conflicts, except China spends more on their hacking program than all of the countries involved in those conflicts combined.

00:01:53
So needless to say, these attacks are pretty sophisticated, and the hackers are very diligent about making sure that the malware they use isn't detected by antivirus programs, or even forensic analysis that's done on systems once they're known to be compromised. That's part of the reason why it's been so difficult to evict these hackers from US telecom networks. CISA and other security groups know that they're in there; they just don't know exactly where. And it's currently unknown if the hackers have just compromised the edge systems of specific telecom companies and their wiretap systems in order to read people's messages, or the core routers that every phone company and ISP uses to route traffic all over the world.

00:02:38
While technical details about this most recent attack have yet to be published, there is a malware analysis report from the National Cyber Security Centre about SparrowDoor, which was a variant of this hacking group's malware that was discovered on a UK network back in 2021. As the name implies, SparrowDoor is a persistent backdoor and loader that targets Windows systems. It communicates with a command and control server over HTTPS, and it supports various automated commands as well as spawning a reverse shell that gives hackers real-time remote access to the infected systems. Some of the persistence techniques used by this malware include creating either a Windows service of itself or a registry key in CurrentVersion\Run which matches the name of a legitimate Windows service, in order to not raise any eyeballs: when someone spots this process name using up a lot of their system resources, you might just think that that's Windows being bloated again.

00:03:42
The malware starts off by renaming a legitimate and signed Notepad++ updater to searchindexer.exe, which is the name of a legitimate Windows file. The now renamed Notepad++ updater tries to load the libcurl.dll library, which is normal behavior for a process that pulls updates from the internet, but the malware takes advantage of this by giving the loader the same name as the legit libcurl library, so this gets side-loaded by the updater process which, remember, has been renamed to searchindexer.exe. The WinMain function inside of this process gets patched in memory to make a long jump to a function that's stored inside of libcurl.dll, so when WinMain executes it jumps into the loader function in that DLL, and from there it deobfuscates and executes the actual backdoor, which is contained in libhost.dll. And all of this is done in order to make it appear to security tools that the malware is actually being loaded by the signed updater process that has the same name as a legit Windows file.

00:04:58
The malicious libcurl.dll is also designed to not patch the long jump into its parent executable if it gets loaded by rundll32.exe, and this is likely to prevent the malware from executing if it's being run inside of a sandbox. It also does the classic checks against a list of known antivirus process names and limits its activity if any of those are detected. During initialization, the malware injects itself into the svchost.exe process to disguise itself as a legit Windows service. And another interesting evasion technique that this malware uses is it steals the user account token that's associated with the current user's explorer.exe process, and it uses that account token whenever the malware makes communications over the network.

00:05:53
Now, this is technically a privilege downgrade, since the malware already has system-level access after binding itself to svchost.exe, but this actually helps the malware to blend in, because most network activity is made by user processes instead of system ones. So if SYSTEM was communicating over the network in an abnormal way, that might set off some alarm bells.

00:06:19
Now, when the malware is connecting back to its command and control servers, it's doing so over an HTTPS connection, and it's using static XOR keys to encode the data that's being sent and received over that connection. And the malware also uses Windows APIs to close its sockets gracefully as soon as it's done sending and receiving data, to ensure that those sockets are only used for the minimum necessary time, again making it much harder to detect this malware on any given system.

00:06:53
Now, since this is an old version of the malware, it's unlikely that the hackers are going to be using the same code base right now, because antivirus programs surely have signatures for these files that I described. But there's a million different ways that multi-stage malware loading and evasion techniques can be done, and hell, even rewriting the same exact code in a language like Go or Rust, with its more complicated memory model, totally changes the signatures of the malware and makes it much more difficult to analyze. So it'll probably be a while before anyone can be certain that hackers have been removed from US networks.

00:07:35
In the meantime, you can protect yourself by using an end-to-end encrypted messaging app like Signal. Standard SMS messages are only encrypted over the air, meaning your mobile carrier, as well as Chinese hackers and the police, have those decryption keys and can read your messages whenever they want. The keys for Signal messages, however, stay locally on your device; messages are encrypted before they are sent and can only be decrypted by the recipient on their device.

00:08:04
I would also recommend that you stop using text messages or phone calls for two-factor authentication and switch to using an authenticator app, because depending on what parts of the telecom networks have been compromised, the Chinese hackers could potentially pull off a barrage of SIM swapping attacks, where they steal people's phone numbers en masse in order to get those two-factor or account reset codes and compromise every online account that is associated with people's phone numbers.

00:08:36
If you enjoyed this video, please like and share it to hack the algorithm, and buy some of my merch from my website based.win. 10% discount storewide available at checkout when paying in Monero (XMR). Have a great rest of your day.