Deceptive Bytes - https://deceptivebytes.com
Never Let Your Business Down - Distort Ransomware Perception and prevent attacks 6 months before they begin
Feed last updated: Sun, 15 Feb 2026 19:46:30 +0000

2026 New capabilities announced
https://deceptivebytes.com/2026-new-capabilities-announced/ - Mon, 26 Jan 2026 11:10:02 +0000

Revolutionizing Endpoint Security: Deceptive Bytes Unveils Powerful New Customized Protection Engine

Deceptive Bytes is extending its proactive endpoint defense with three new protection engines. Together they add environment-specific deception, browser safeguards and application-level controls that keep threats at bay across diverse environments.

Customized Protection Engine: Precision Deception at Scale

The centerpiece of the update is the Customized Protection engine. It lets security teams build environment-specific defenses: hide critical data and assets from attackers while planting realistic decoy files, folders, processes and other artifacts, all tailored to the organization's own environment.

  • Cross-platform mastery: Seamless support for Windows, Linux, and macOS
  • OS-native flexibility: Leverage files, folders, processes, and other artifacts (OS-dependent)
  • Attacker frustration maximized: Turn every endpoint into a maze of misleading traps that expose tactics and waste precious time

This engine transforms passive endpoints into active traps. It gives you the upper hand against ransomware and advanced persistent threats.


Browser Protection Engine: Lock Down Risky Surfing

Browsers remain a prime attack vector. The new Browser Protection engine lets administrators enforce granular security and AI policies in Chrome, Microsoft Edge, and Firefox.

Stop risky behaviors in their tracks before phishing, drive-by downloads, or malicious extensions can escalate into full breaches. With intuitive policy controls, maintain productivity while slashing browser-borne vulnerabilities.

Office Apps Protection Engine: Secure Everyday Workflows

Document-based attacks hit hard and often. The Office Apps Protection engine closes this gap by applying robust security and AI policies to Microsoft Office and Adobe Reader (currently for Windows only).

  • Neutralize macros, embedded threats, and untrusted content
  • Policy-driven safeguards tailored to real-world usage
  • Zero disruption to daily operations

Protect where users spend most of their time, without slowing down your team.


Policy Powerhouse: Simplified Management at Scale

The Browser and Office Apps Protection engines are managed through policies. Administrators define security rules once and deploy them consistently across thousands of endpoints, with adaptive controls that adjust to how users actually work. The result is uniform protection and faster response across the organization without added operational complexity.


Why These Enhancements Change the Game

In an era of relentless ransomware evolution and sophisticated adversaries, Deceptive Bytes stands out with lightweight, prevention-first defense that adapts to your needs. These new engines deliver:

Feature                  Benefit                        Platforms
Customized Protection    Tailored traps & hiding        Windows, Linux, macOS
Browser Protection       Policy controls for browsers   Chrome, Edge, Firefox (Windows)
Office Apps Protection   Secure docs & readers          MS Office, Adobe Reader (Windows)


Deploy faster, scale effortlessly, and stay steps ahead. Ready to fortify your endpoints? 

Contact Deceptive Bytes today to experience the future of active cyber defense.

2025 in numbers
https://deceptivebytes.com/2025-in-numbers/ - Mon, 05 Jan 2026 12:44:15 +0000

Ransomware in 2025 hit a new peak in volume while becoming less profitable for attackers, with more organizations refusing to pay and focusing on recovery and resilience instead. At the same time, industrial, services, healthcare, and public-sector victims saw longer disruptions and higher recovery costs, keeping ransomware one of the most damaging threats on the enterprise risk register.

2025 in numbers

  • Confirmed ransomware incidents worldwide passed roughly 4,700 cases by Q3 2025, about 30–35% more than in 2024 and a new high in observed activity.

  • Yet total ransomware revenue dropped by more than one-third year over year, with payment rates falling to around 1 in 4 victims paying, an all‑time low in many datasets.

  • Average operational disruption lasted about 24–27 days per attack, and all‑in incident costs (forensics, downtime, rebuilds, reputational damage) often reached USD 5–6M per case, even when ransoms were not paid.

These numbers show a pivot: ransomware is shifting from being primarily a “quick cash” operation to a broader business‑disruption and extortion weapon.

Who attackers hit in 2025

Multiple industry analyses point to a concentration of attacks on manufacturing, services, healthcare, financial, and government organizations.

  • Manufacturing and industrial: Several reports place manufacturing and industrial operators among the most targeted sectors, with some datasets showing them at or near the top of the victim count.

  • Services and professional firms (IT, legal, consulting, real estate) made up a large share of leak‑site victims in Q2 2025, with “services” alone accounting for over 40% of posted victims in one analysis.

  • Healthcare continued to experience high‑impact incidents, including multi‑million‑dollar recovery costs and patient‑safety concerns, keeping it one of the most sensitive verticals for ransomware.

  • Government and education stayed high on the target list due to data sensitivity, under‑resourced defenses, and the operational pressure to restore citizen or student services quickly.


[Figure: Ransomware victims by sector, 2025. Ransomware continued to heavily impact manufacturing, healthcare, and government organizations in 2025.]

[Figure: Global confirmed incidents 2020–2025. Confirmed ransomware incidents have increased sharply since 2020, with a notable spike in 2025.]

Tactics, groups, and technical shifts

Attacker behavior in 2025 continued trends from previous years while adding more automation and multi‑layered extortion.

  • Double and triple extortion as the norm

    • Encryption plus data theft, public leak‑site shaming, DDoS pressure, and direct outreach to customers or partners increasingly became standard playbooks.

    • Many cases in 2025 show that even when organizations restored from backups, attackers still tried to monetize via data‑leak threats and reputational damage.

  • RaaS (Ransomware‑as‑a‑Service) and affiliate ecosystems

    • Mature RaaS programs continued to dominate, with well-known families such as LockBit and Clop (plus emerging brands) remaining in the top tier of observed incidents.

    • Law‑enforcement pressure and takedowns caused periodic dips or re‑brands, but the underlying affiliate model—separating access brokers, operators, and negotiators—stayed resilient.

  • AI‑assisted operations and automation

    • Several 2025 threat reports highlight adversaries using automation and AI to speed up reconnaissance, vulnerability discovery, target selection, and phishing customization.

    • Combined with botnets and mass exploitation of exposed services, this drove a cadence in which, by one estimate, some organization somewhere in the world faces a ransomware attempt every few tens of seconds.

  • Attack vectors remain familiar, but scaled

    • Top entry points stayed consistent:

      • Phishing and social engineering.

      • Exploitation of unpatched vulnerabilities in internet‑facing systems and widely used software.

      • Compromised remote access services and credential theft.

    • What changed in 2025 was less “what” and more “how fast and at what scale” these vectors were exploited.

Defensive lessons

  • Assume compromise of perimeter and identity

    • With initial access commoditized, defenses must treat endpoint and workload execution as the last practical control point.

    • Controls that can inspect and stop malicious behaviors within seconds of execution drastically reduce the chance an incident escalates to encryption or data theft.

  • Design for fast containment, not just backup

    • Backups and DR are necessary but no longer sufficient when data theft and extortion are involved.

    • 2025 incidents show that organizations with robust segmentation, least‑privilege, and automated isolation (host‑level or network‑level) limited blast radius and reduced downtime.

  • Reduce human‑in‑the‑loop dependencies

    • Many of the most damaging incidents still occurred on nights, weekends, or holidays, when response coverage is thin.

    • Automated prevention, policy‑driven blocking, and real‑time anomaly or behavior controls are critical so that protection does not depend on an analyst noticing an alert in time.

  • Measure success by avoided impact, not just blocked samples

    • Given that payment rates are falling but downtime and costs remain high, programs need to track “time to prevent” and “time to contain” alongside classic MTTR or detection metrics.


The takeaway for security teams in 2026:

Detection and backup alone are not enough when attackers can move from initial access to encryption and data theft in minutes. Pre-execution controls on endpoints and servers, stopping ransomware within 1–2 seconds, are what keep downtime, extortion, and business disruption off the table.

SparkOnSoft campaign continues and mutates
https://deceptivebytes.com/sparkonsoft-campaign-continues-and-mutates/ - Tue, 23 Dec 2025 15:06:29 +0000

Intro

We recently reported on SparkOnSoft, a campaign our Active Ransomware Prevention platform blocked in multiple customers' environments worldwide.
Since then we have seen that the campaign not only continues but also mutates: new samples pose as a different PDF application and are signed with a different certificate.

Basic Information

The new payload poses as a PDF application called Proton PDF, although the file name starts with ClearEdit. It was signed with an Extended Validation code-signing certificate issued to Hawk Integrated Inc by Sectigo.
Interestingly, this payload is an NSIS installer, whereas the SparkOnSoft samples, including the newer ones, are still built with Inno Setup.
VirusTotal associates the new payload with the SparkOnSoft campaign (see IOCs below).
In addition, since our last post the platform has blocked further samples that were still being downloaded from sparkonsoft[.]com and are still signed with a Mainstay Crypto LLC certificate issued by Microsoft.

IOCs

Case study – extinguishing SparkOnSoft malware
https://deceptivebytes.com/case-study-extinguishing-sparkonsoft-malware/ - Sun, 26 Oct 2025 15:32:32 +0000

Intro

In the past week we have seen a surge of new variants of a malware family that our Active Ransomware Prevention platform blocked for multiple customers worldwide.
The common thread between all the attacks is the source: all are installers of a supposed PDF application called PDF SparkOnSoft.

Entry Point

In all cases the files were downloaded from the web, suggesting the operators placed malicious ads and/or seeded chat-based AI assistants with the site so that it appears legitimate.

Basic Information

The file is a small Inno Setup installer whose embedded details describe a PDF application.
The first payload our solution blocked was signed with an Extended Validation certificate issued to Mainstay Crypto LLC by Sectigo.
The other installers were signed by the same vendor, but this time with a certificate issued by Microsoft.

The file's properties describe it as PDF software published by Mainstay Crypto.
The version stays at 1.0.0.0 across samples, suggesting the attackers did not modify the Inno Setup project used to build the malicious installer.

Execution

When executed, all the samples first check whether they are running under WINE, the compatibility layer that lets Windows PE executables run on Linux, macOS and other non-Windows operating systems. They do this by testing whether ntdll.dll (Windows' Native API library) exports a function named wine_get_version: that export exists only under WINE, and Microsoft's ntdll.dll has never had it.

Prevention

Because this probe is a clear indicator of malicious intent (attackers check for WINE to detect analysis environments that use it to run malware), the Deceptive Bytes platform stopped the attack immediately, and none of the samples infected our customers' machines.

IOCs

Winning the Cyber War Preventing Ransomware with Deceptive Solutions
https://deceptivebytes.com/winning-the-cyber-war-preventing-ransomware-with-deceptive-solutions/ - Thu, 10 Jul 2025 11:14:13 +0000

In today’s digital battlefield, ransomware attacks pose a significant threat to organizations worldwide. This article explores the importance of winning the cyber war by deploying preventative solutions that effectively distort the ransomware perception of the environment, making malicious actors’ efforts futile before damage occurs.

Understanding the Cyber War and the Role of Prevention

The cyber war is a continuous conflict between attackers who seek to exploit vulnerabilities and defenders who aim to safeguard digital assets. Ransomware attacks have grown increasingly sophisticated, using advanced tactics to bypass traditional security measures. Preventative solutions act as a frontline defense, not by merely reacting to threats but by proactively disrupting the attacker’s reconnaissance and execution phases.

One powerful approach is the use of environment distortion techniques. These solutions present a controlled, deceptive view of the environment that makes it hard for ransomware to identify key systems or data to target. Fed false indicators about the environment, attackers are misled into aborting their activity before the encryption or data-exfiltration stage is ever reached.


Distorting Ransomware Perception: A Strategic Advantage

Distortion of perception in cybersecurity means deliberately manipulating how attackers perceive the environment. Ransomware operators rely heavily on accurate intelligence and reconnaissance to identify critical assets. By skewing this intelligence through deception technologies to deter ransomware from operating, defenders gain a strategic advantage.

  • Creating False Trails: Providing deceptive signals that confuse automated attack tools and human adversaries alike.
  • Dynamic Environment Changes: Continuously altering how the endpoint appears to the ransomware, preventing attackers from building a reliable map of the target environment.
  • Security Manipulation: Presenting false indications that various security tools are present, so ransomware cannot tell which security capabilities the organization actually has, while also shielding the real tools from exploitation by threat actors.

This approach not only prevents successful infiltration but also generates valuable intelligence about attacker behavior and tactics. Organizations can then improve their defenses based on real-world attack scenarios, creating a feedback loop that strengthens security over time.

Conclusion

Winning the cyber war against ransomware requires more than reactive defenses – it demands proactive, preventative solutions that distort attackers’ perception of the environment. By leveraging deception technologies and environment distortion, organizations can disrupt ransomware campaigns early, minimize risk, and gain critical intelligence. Ultimately, these strategies are essential for building resilient cyber defenses in an ever-evolving threat landscape.

Operation Midnight Hammer: Mastering Deception in Warfare and Cybersecurity
https://deceptivebytes.com/operation-midnight-hammer-mastering-deception-in-warfare-and-cybersecurity/ - Thu, 26 Jun 2025 10:07:55 +0000

Operation Midnight Hammer’s success in striking Iran’s nuclear sites in June 2025 stands as a testament to the power of deception—both on the battlefield and in cyberspace. The U.S. military’s intricate campaign of misdirection was crucial in ensuring tactical surprise and operational success, and it offers a fascinating parallel to the cutting-edge strategies used by cybersecurity innovators like Deceptive Bytes.


The Art of Deception in Operation Midnight Hammer

The operation’s planning was a masterclass in strategic deception. As the main B-2 bomber strike group quietly flew east toward Iran, a separate group of bombers headed toward the Pacific, serving as a decoy to mislead Iranian intelligence about the true direction of the attack. This ruse, known only to a handful of planners, was complemented by minimal communications and the use of advanced stealth technology. Just before entering Iranian airspace, the U.S. also launched Tomahawk cruise missiles from a submarine, further confusing Iranian radar operators and diverting attention from the main aerial assault.


The Trump administration’s role in this deception was pivotal. In the days leading up to the strike, President Trump publicly projected an image of indecision, stating that he would wait two weeks before making any determination about bombing Iran—a statement designed to lull both Iranian leaders and the international community into a false sense of security. Behind the scenes, however, Trump had already resolved to carry out the attack, and military preparations were well underway. This political misdirection was reinforced by Trump’s public lunch with a known opponent of military action, further fueling speculation that he might hold off. In reality, less than 30 hours after these statements, he authorized the assault. This deliberate confusion bought precious time for military planners and ensured the element of surprise, allowing the U.S. to execute a complex and highly secretive operation that caught Iran—and much of the world—completely off guard.


Endpoint Deception: The Cybersecurity Parallel

This military deception mirrors the proactive strategies employed in cybersecurity, particularly by companies like Deceptive Bytes. However, while traditional cyber deception often relies on decoys or honeypots, Deceptive Bytes takes a more sophisticated approach: endpoint deception. Rather than setting traps, their technology dynamically creates false information about the actual environment on endpoints. This distorts the perception of ransomware and other malicious actors, confusing them about the true nature of the system they are targeting.

By altering the environment’s apparent characteristics in real time, Deceptive Bytes prevents attackers from accurately mapping or exploiting the system. This not only stops malware and ransomware before they can execute but also reduces the attack surface and improves overall security posture. Attackers are forced to waste resources and often reveal their presence early in the attack chain, giving defenders a critical advantage.


Deception as a Force Multiplier

Just as Operation Midnight Hammer’s decoys and misdirection enabled the U.S. to strike with minimal resistance, Deceptive Bytes’ endpoint deception tactics force cyber attackers to question every move, undermining their confidence and effectiveness. Both strategies demonstrate that in modern warfare—whether kinetic or digital—deception is a powerful tool for gaining the upper hand, neutralizing threats, and protecting critical assets. In a world where the element of surprise can mean the difference between victory and defeat, mastering the art of deception remains as vital as ever.

Deceptive Bytes mentioned in Gartner’s research on Top Use Cases in Preemptive Cyber Defense
https://deceptivebytes.com/deceptive-bytes-mentioned-in-gartners-research-on-top-use-cases-in-preemptive-cyber-defense/ - Thu, 17 Apr 2025 01:34:56 +0000

Deceptive Bytes, a leader in endpoint deception technology, has gained recognition in Gartner’s research report titled “Emerging Tech: Top Use Cases in Preemptive Cyber Defense”, published on August 13, 2024. This report emphasizes the importance of enhancing existing security measures to bolster cyber resilience, recommending organizations to integrate preemptive cyber defense solutions like Deceptive Bytes’ Active Endpoint Deception.

The Importance of Preemptive Cyber Defense

As cyber threats continue to evolve, organizations must adopt a proactive stance to safeguard their digital assets. Gartner’s report outlines several top use cases in preemptive cyber defense that can significantly enhance security postures:

  • Advanced Cyber Deception: Utilizing deceptive tactics to mislead attackers and protect sensitive information.
  • Automated Moving Target Defense: This approach involves continuously changing the environment to confuse attackers, making it difficult for them to establish a foothold.
  • Predictive Threat Intelligence: Leveraging data analytics to anticipate potential threats before they manifest.
  • Network Threat Detection and Observability: Enhancing visibility into network activities to identify and respond to threats in real-time.
  • Threat Simulation and Automated Exposure Management: Testing defenses against simulated attacks to identify vulnerabilities.

Incorporating these strategies can lead organizations to a more robust security framework.

How Deceptive Bytes Enhances Cyber Resilience

Deceptive Bytes’ Active Endpoint Deception solution is designed to improve an organization’s prevention capabilities. By presenting dynamic, deceptive information about the endpoint, it interferes with attackers’ reconnaissance of the environment and deters them from executing malicious activity. Key features of this platform include:

  • Real-time Threat Prevention: The system operates dynamically, deceiving threats as they evolve.
  • High Prevention Rates: It boasts very high prevention rates against unknown malware and ransomware by changing the perceived environment to deter their malicious execution.
  • Lightweight Deployment: The solution is easy to deploy, requiring minimal resources (less than 0.01% CPU usage, less than 20MB of RAM) and can be operational within seconds.
  • Low False Positive Rate: This ensures that security teams can focus on genuine threats without being overwhelmed by alerts.

By integrating Deceptive Bytes into their security architecture, organizations can shift from a reactive approach—where they respond after an attack—to a proactive stance that prevents attacks before they occur.

Conclusion

As highlighted in Gartner’s research, the need for preemptive cyber defense solutions is more critical than ever. Deceptive Bytes stands out as a formidable option for organizations looking to enhance their cybersecurity posture. By adopting advanced techniques such as endpoint deception, companies can not only protect their assets but also improve their overall resilience against the ever-evolving landscape of cyber threats.


Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Case study – preventing Malgent trojan horse
https://deceptivebytes.com/case-study-preventing-malgent-trojan-horse/ - Thu, 12 Sep 2024 20:30:05 +0000

Intro

Yesterday (September 12th, 2024) our Active Endpoint Deception platform prevented a new variant of Malgent trojan horse that was built just a few hours prior to the attack on one of our customers in Latin America.

Entry Point

The user visited the WordPress-based website of a Mexican medical laboratory that had been compromised. It displayed a banner telling the visitor that a “Browser update” was required (the banner no longer appeared at the time of publishing).

The user clicked the link, which pointed to an executable hosted on AWS S3 containing the malware itself, and ran it from the browser.

Basic Information

The malware was made to look like a browser installation executable as the file’s attributes and properties indicate:

The file is signed with an Extended Validation certificate issued to a Chinese company, to give the impression that it is legitimate and safe (the certificate had not been revoked at the time of the attack). Threat actors steal or fraudulently obtain code-signing certificates and sign their files to evade detection and operate under a reputable disguise.

Malgent sample’s certificate details

The file version is 128, suggesting it mimicked Chrome or a Chromium-based browser (which was also at version 128 at the time of publishing), and the file description, copyright and other executable properties present it as a generic “Browser Installer” without specific branding.

Note also that the file is 111 MB, similar in size to Chrome’s offline installer. Attackers often inflate files because sandboxes are commonly configured with a maximum file size for analysis and skip anything larger, even when the actual malicious payload is much smaller.

Malgent sample’s file properties

Execution

When executed, the sample first checks whether it is running under WINE, the compatibility layer that lets Windows PE executables run on Linux, macOS and other non-Windows operating systems. It does this by testing whether ntdll.dll (Windows’ Native API library) exports a function named wine_get_version, an export that exists only under WINE and that Microsoft’s ntdll.dll has never had.

API call from Deceptive Bytes’ log file

Prevention

Because this probe is a clear indicator of malicious intent (attackers check for WINE to detect analysis environments that use it to run malware), the Deceptive Bytes platform stopped the attack immediately and the malware failed to infect the machine.
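Both the SparkOnSoft and Malgent case studies hinge on the same anti-analysis probe, so here is one added example covering both. It is not Deceptive Bytes’ code and does not reflect the platform’s log format. The first function performs the check the samples make (resolving wine_get_version from ntdll.dll); the second detects that probe in API-call telemetry. The trace lines and their pid=/image=/api=/args=/ret= layout are constructed for this example, and the two WINE-only export names listed beyond wine_get_version are an addition not taken from the case studies.

```python
"""WINE anti-analysis probe (the check the samples make) and a detector for it
in API-call telemetry. Added example; not Deceptive Bytes' code or log format."""
import platform
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Microsoft's ntdll.dll has never exported wine_get_version; WINE's ntdll does.
# wine_get_build_id and wine_get_host_version are further WINE-only ntdll exports
# (assumption: added to broaden the signature; the case studies name only the first).
WINE_ONLY_NTDLL_EXPORTS = {"wine_get_version", "wine_get_build_id", "wine_get_host_version"}

# APIs whose return value is a module handle we can later map back to a DLL name.
MODULE_RESOLVERS = {"GetModuleHandleA", "GetModuleHandleW",
                    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def running_under_wine() -> Optional[bool]:
    """The probe itself: ask ntdll.dll for wine_get_version.
    Off Windows there is no ntdll to ask, so return None instead of guessing."""
    if platform.system() != "Windows":
        return None
    import ctypes  # Windows-only path
    ntdll = ctypes.WinDLL("ntdll")
    try:
        ntdll.wine_get_version  # ctypes resolves the name via GetProcAddress
    except AttributeError:
        return False  # genuine Microsoft ntdll: export absent
    return True


# Constructed trace format for this example (not the vendor's):
#   <timestamp> pid=<n> image=<exe> api=<name> args=(<args>) ret=<hex>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) api=(?P<api>\w+) "
    r"args=\((?P<args>.*)\) ret=(?P<ret>0x[0-9a-fA-F]+)$"
)
QUOTED = re.compile(r'"([^"]*)"')


@dataclass(frozen=True)
class Finding:
    ts: str
    pid: int
    image: str
    module: str     # DLL the handle was resolved from, or "?" if never seen in the trace
    symbol: str
    resolved: bool  # True if GetProcAddress returned non-NULL, i.e. the host really was WINE


def detect_wine_checks(lines: List[str]) -> List[Finding]:
    """Flag every GetProcAddress for a WINE-only export. The lookup is the
    indicator; its result only says whether the host actually was WINE."""
    handles: Dict[Tuple[int, str], str] = {}  # (pid, handle) -> DLL base name
    findings: List[Finding] = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        pid, api, args, ret = int(m["pid"]), m["api"], m["args"], m["ret"].lower()
        if api in MODULE_RESOLVERS:
            names = QUOTED.findall(args)
            if names and ret != "0x0":
                base = names[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
                handles[(pid, ret)] = base
        elif api == "GetProcAddress":
            handle, _, rest = args.partition(",")
            names = QUOTED.findall(rest)
            if not names:
                continue  # lookup by ordinal, not by name
            symbol = names[0]
            if symbol in WINE_ONLY_NTDLL_EXPORTS:
                module = handles.get((pid, handle.strip().lower()), "?")
                findings.append(Finding(m["ts"], pid, m["image"], module, symbol, ret != "0x0"))
    return findings


# Constructed sample trace: one installer probing for WINE, one benign process.
SAMPLE_TRACE = [
    '2025-10-26T14:02:11Z pid=4120 image=setup.exe api=GetModuleHandleA args=("ntdll.dll") ret=0x7ff8a2c10000',
    '2025-10-26T14:02:11Z pid=4120 image=setup.exe api=GetProcAddress args=(0x7ff8a2c10000, "wine_get_version") ret=0x0',
    '2025-10-26T14:02:11Z pid=4120 image=setup.exe api=GetProcAddress args=(0x7ff8a2c10000, "NtQueryInformationProcess") ret=0x7ff8a2c4f1a0',
    '2025-10-26T14:02:12Z pid=880 image=updater.exe api=LoadLibraryA args=("kernel32.dll") ret=0x7ff8a1e00000',
    '2025-10-26T14:02:12Z pid=880 image=updater.exe api=GetProcAddress args=(0x7ff8a1e00000, "IsWow64Process") ret=0x7ff8a1e2b3c0',
]

if __name__ == "__main__":
    print("under WINE:", running_under_wine())
    for f in detect_wine_checks(SAMPLE_TRACE):
        print(f"{f.ts} pid={f.pid} {f.image}: GetProcAddress({f.module}, {f.symbol!r}) resolved={f.resolved}")
```

A NULL return from GetProcAddress only tells you the host was genuine Windows; the lookup itself is the tell, which is why the detector flags the attempt rather than the outcome. Treat it as a strong signal rather than proof on its own: some legitimate installers and games also probe for WINE to adjust their behaviour, so correlate it with the rest of the execution chain (here, a download posing as a browser or PDF installer) before deciding to block.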

IOCs

  • SHA-256: a12809c76461d00760bef767c98baf5909a4aed48f2256d3c42eb1ca62835c14
  • Imphash: 55052bff3084bf220240d99b2216422e
  • Certificate: Hunan Exotic Hotel Management Co., Ltd.
    • Thumbprint: 9ad448726590d64e247266e0b6ff1524fa094a51
    • Issuer: SSL.com EV Code Signing Intermediate CA RSA R3
    • Root CA: SSL.com EV Root Certification Authority RSA R2
  • Download URL: hxxps://bbuseruploads.s3.amazonaws[.]com/4c8dba68-b727-403e-8987-df9afd436402/downloads/7074f023-a845-467b-96a5-5cd3d3f69168/Updater.exe (no longer valid)
  • Compromised website URL: hxxps://amlaboratorios[.]com

The Role of Large Language Models in Enhancing Ransomware and Malware Threats
https://deceptivebytes.com/the-role-of-large-language-models-in-enhancing-ransomware-and-malware-threats/ - Thu, 17 Apr 2025 01:35:58 +0000

As technology evolves, so do the tactics of cybercriminals. Large Language Models (LLMs) like GPT-4, designed to assist in various legitimate tasks, are being increasingly exploited by threat actors to enhance their ransomware and malware campaigns. Understanding how these AI-driven tools are misused is critical for developing robust cybersecurity defenses.

How LLMs are Exploited by Cybercriminals

Automated Phishing Attacks

One of the most significant ways LLMs aid cybercriminals is through the automation of phishing campaigns. LLMs can generate convincing, personalized phishing emails at scale, using natural language processing to mimic legitimate communication. This increases the likelihood of recipients falling for these attacks, as the emails can be tailored to specific industries, organizations, or even individuals.

Social Engineering

LLMs can be used to create highly convincing fake identities on social media, forums, or even in direct communication channels like email or messaging apps. These identities can engage with targets to gain trust or extract sensitive information, which is then used to facilitate further attacks.

Code Generation

Cybercriminals can leverage LLMs to generate malicious code or modify existing malware to evade detection. These models can provide templates for ransomware, obfuscate code to avoid antivirus scans, or even suggest new methods to exploit vulnerabilities. The ability of LLMs to generate code snippets based on simple prompts significantly lowers the barrier for less technically skilled attackers to create or adapt malware.

Reconnaissance and Data Analysis

LLMs can analyze large datasets to identify potential vulnerabilities in a target’s infrastructure. By processing information from public sources or even stolen data, LLMs can help threat actors identify weak points in security that can be exploited.

Data Poisoning

LLMs can be leveraged in data poisoning attacks against defense ML/AI systems by generating subtle yet sophisticated adversarial inputs. These inputs are crafted to manipulate the training data of security tools, causing the model to learn incorrect patterns or classifications. By introducing these tainted data points, an attacker can degrade the performance of defense algorithms, making them less effective at detecting threats. This can lead to bypassing existing security mechanisms, as the poisoned model may fail to recognize malicious activities or misclassify them as benign.

Preventing AI-Enhanced Attacks with Deceptive Bytes

As cyber threats become more sophisticated with the aid of AI, the need for advanced defense mechanisms is more critical than ever. Deceptive Bytes offers a proactive solution to counteract these evolving threats.

Dynamic Deception

Deceptive Bytes’ technology focuses on creating a dynamic environment that continuously changes, making it difficult for malware to execute successfully. By presenting false information about the environment, the solution confuses and misleads malware, rendering traditional and AI-enhanced attack strategies ineffective.

Behavioral Analysis

The platform utilizes real-time behavioral analysis to detect anomalies and potential threats before they can cause harm. By continuously monitoring how software interacts with the system, Deceptive Bytes can identify unusual patterns that might indicate an ongoing attack, including those guided by LLMs.

Proactive Defense

Unlike traditional reactive security measures, Deceptive Bytes takes an active approach by engaging with the threat, causing it to reveal itself. This not only helps in stopping the attack but also gathers valuable intelligence on the tactics being used, which can be crucial in defending against future threats.

Conclusion

The misuse of LLMs by cybercriminals poses a significant challenge to modern cybersecurity. However, solutions like Deceptive Bytes offer an effective countermeasure by employing dynamic deception and proactive defense strategies. As AI continues to evolve, so must our defenses, ensuring that we stay one step ahead in the ever-changing landscape of cybersecurity.

Nation State Threat Actors in Cybersecurity: A Global Overview
https://deceptivebytes.com/nation-state-threat-actors-in-cybersecurity-a-global-overview/ - Wed, 10 Jul 2024 09:40:50 +0000

In today’s interconnected world, nation state threat actors represent some of the most sophisticated and persistent dangers in the realm of cybersecurity. These actors often leverage advanced persistent threats (APTs) and sophisticated malware to achieve their strategic objectives, ranging from espionage and intellectual property theft to critical infrastructure disruption and political manipulation. Understanding the specific threats posed by nation states such as Iran, Russia, North Korea, China, and others is crucial for organizations aiming to defend themselves effectively. Here’s an overview of these threats.


Iran

Iranian cyber threat actors are known for their capabilities in espionage, data destruction, and denial-of-service (DoS) attacks. Groups such as Elfin Team (APT33), Helix Kitten (APT34), and Charming Kitten (APT35) have targeted industries ranging from energy and telecommunications to government and financial services. Their tools and techniques often involve spear-phishing campaigns and the deployment of destructive malware like Shamoon.

Recent Activities and Targets:

  • Energy Sector Attacks: Iranian groups have a history of targeting the energy sector, including attacks on oil and gas companies in the Middle East and beyond. These attacks often aim to disrupt operations and cause significant economic damage.
  • Government Espionage: Iranian actors have engaged in extensive cyber espionage campaigns against government entities, aiming to gather intelligence and disrupt governmental functions.
  • Critical Infrastructure: Attacks on critical infrastructure, including water and transportation systems, highlight the broader strategic objectives of these groups.


Russia

Russian cyber operations are among the most sophisticated and aggressive, with notable groups such as Fancy Bear (APT28) and Cozy Bear (APT29) leading the charge. These actors are infamous for their involvement in high-profile incidents, including the NotPetya ransomware attack, the SolarWinds supply chain attack, the attacks on Ukraine’s power grid, and various espionage campaigns against NATO countries.

Recent Activities and Targets:

  • Election Interference: Russian cyber actors have been implicated in attempts to influence elections in multiple countries, utilizing tactics such as hacking, disinformation, and social media manipulation.
  • Ransomware Attacks: The NotPetya ransomware attack, which initially targeted Ukraine, spread globally and caused billions of dollars in damages, showcasing Russia’s ability to launch devastating cyber assaults.
  • Espionage Campaigns: Russian groups have conducted extensive espionage operations against government, military, and private sector targets, stealing sensitive information and intellectual property.


North Korea

North Korean cyber actors, such as the Lazarus Group, are notorious for their financially motivated cybercrimes and state-sponsored espionage. Their activities include bank heists (e.g., the Bangladesh Bank heist), cryptocurrency thefts, and disruptive attacks like the WannaCry ransomware outbreak.

Recent Activities and Targets:

  • Financial Theft: North Korean groups have successfully stolen hundreds of millions of dollars through cyber attacks on financial institutions, including central banks and cryptocurrency exchanges.
  • Ransomware Campaigns: The WannaCry ransomware attack affected hundreds of thousands of computers worldwide, causing widespread disruption and financial losses.
  • Espionage and Sabotage: North Korean actors have targeted South Korean infrastructure, military systems, and government networks, aiming to gather intelligence and disrupt operations.

China

Chinese cyber threat actors, such as Red Apollo (APT10) and Double Dragon (APT41), are renowned for their industrial espionage campaigns aimed at stealing intellectual property and sensitive data from companies and government agencies. Their targets are diverse, spanning technology, aerospace, pharmaceuticals, and more.

Recent Activities and Targets:

  • Industrial Espionage: Chinese groups have engaged in large-scale theft of intellectual property from Western companies, particularly in the technology and aerospace sectors, to bolster domestic industries.
  • Healthcare Data: Chinese cyber actors have targeted healthcare organizations, stealing sensitive patient data and research information, especially during the COVID-19 pandemic.
  • Government and Military: Extensive espionage campaigns against government and military organizations aim to gather strategic intelligence and disrupt adversary operations.


Pakistan

Pakistan-based cyber threat actors have been involved in a variety of cyber espionage campaigns, particularly against India and other regional adversaries. These actors often focus on stealing sensitive military and government information to gain strategic advantages.


Syria

Syrian cyber actors, such as the Syrian Electronic Army, have conducted cyber attacks to support the Assad regime. Their activities include defacing websites, spreading propaganda, and disrupting communications of opposition groups and foreign entities critical of the Syrian government.


How to Enrich your Defense Capabilities

Deceptive Bytes employs a proactive approach to cybersecurity by creating a dynamic deception environment within the endpoint. This technology misleads attackers about the real nature of the endpoint, its systems, and its data. By dynamically responding to threats in real time and providing false information, Deceptive Bytes can disrupt reconnaissance efforts and delay or prevent attacks throughout the attack kill chain.

The platform’s adaptive deception technology introduces uncertainty and confusion into attackers’ operations, making it significantly harder for them to achieve their objectives. By presenting convincing fake information on the endpoint, Deceptive Bytes keeps attackers away from real systems, reducing the risk of data exfiltration and financial loss.


Conclusion

Nation state threat actors pose a significant and evolving threat to organizations worldwide. Their sophisticated tactics require equally advanced defense mechanisms. Deceptive Bytes provides a cutting-edge solution by integrating dynamic deception into endpoint security. This proactive approach not only confuses and misleads attackers but also provides organizations with critical insights into emerging threats. By adopting Deceptive Bytes’ technology, organizations can enhance their resilience against APTs and safeguard their valuable assets from nation state cyber threats.
