EclecticIQ
DeFi Hack Recovers Stolen Funds; Blacklotus Bypasses Windows Secure Boot

EclecticIQ analysts examine one of the more notable counter-hacks in recent years in Decentralized Finance (DeFi), carried out to recover stolen funds. The action serves as an important example for end users of the implementations, limitations, and possibilities that DeFi presents as it grows. We also provide context around recently described rootkit-type malware that is becoming more accessible. While the newly described families are spreading to more users on internet forums, other families with similar capabilities have been described for years.

EclecticIQ Threat Research Team March 9, 2023


Tactics, Techniques, and Procedures Executed in Collaboration Between Jump Crypto and Oasis Networks to Hack Their Own Protocol

The sequence of tactics, techniques, and procedures relied on the fact that a threat actor holding assets from the Wormhole Bridge cyberattack of February 2022 had recently moved them into Oasis wallets, possibly to consolidate or mix them. The threat actor also granted permissions to an automated smart contract, which looks like normal behavior because it enables additional functionality. (1) That single contract was exposed to collusion between Oasis and Jump. The primary multisig protocol of Jump was modified significantly to take control of the stolen funds.

The two parties created another primary signing authority with access to the vault controlling the threat actor's funds by temporarily modifying the code inside the automated contract attached to the threat actor's Oasis wallet. A vault in Decentralized Finance pools many individuals' funds into an automatic compounding strategy. Two new smart contracts were deployed to initiate the transfer of funds out of the targeted vault. Because of how the decentralized finance protocol was structured, and because of the large amount involved, the new sending smart contract required 78.3M DAI (an Ethereum stablecoin) to close out the loans initiated via the newly created smart contracts and move the stolen funds into a new vault. The parties burned almost $80M to end up with a net recovery of approximately $140M from the original $225M cyberattack on Wormhole Bridge. The altered code was changed back to its original state within hours.
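The delegated-permission pattern described above, as an added illustrative example rather than Oasis or Jump code: a vault owner grants an automation proxy the right to move funds, and the proxy's logic can be replaced by whoever controls the protocol multisig. The weak proxy swaps logic instantly; the hardened one adds a timelock so vault owners can revoke the delegate first. All contract and function names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Illustrative pattern only, not Oasis or Jump code: a vault trusts an automation
// proxy, and the proxy's strategy logic is replaceable by the protocol multisig.
interface IStrategy { function run(Vault v) external; }

contract Vault {
    address public immutable owner;
    mapping(address => bool) public delegates;           // automation allowed to move funds
    constructor() payable { owner = msg.sender; }        // funded at deployment
    function setDelegate(address d, bool ok) external {  // owner can grant or revoke
        require(msg.sender == owner, "not owner");
        delegates[d] = ok;
    }
    function withdrawTo(address payable to, uint256 amt) external {
        require(msg.sender == owner || delegates[msg.sender], "not authorised");
        to.transfer(amt);
    }
}

abstract contract ProxyBase {
    address public immutable multisig = msg.sender;     // protocol's signing authority
    IStrategy public strategy;
    // delegatecall makes the proxy, not the strategy, the msg.sender seen by Vault
    function execute(Vault v) external {
        (bool ok, ) = address(strategy).delegatecall(abi.encodeCall(IStrategy.run, (v)));
        require(ok, "strategy failed");
    }
}
// Weak: the multisig can replace the strategy and run it against every vault that
// trusts this proxy in a single transaction; owners get no chance to revoke.
contract InstantUpgradeProxy is ProxyBase {
    function upgrade(IStrategy s) external { require(msg.sender == multisig, "not multisig"); strategy = s; }
}
// Hardened: an upgrade is announced first and only takes effect after DELAY, so a
// vault owner can call setDelegate(proxy, false) before any new logic touches funds.
contract TimelockedUpgradeProxy is ProxyBase {
    uint256 public constant DELAY = 2 days;
    IStrategy public pending;
    uint256 public readyAt;
    function proposeUpgrade(IStrategy s) external {
        require(msg.sender == multisig, "not multisig");
        pending = s; readyAt = block.timestamp + DELAY;
    }
    function applyUpgrade() external {
        require(address(pending) != address(0) && block.timestamp >= readyAt, "timelock");
        strategy = pending; delete pending;
    }
}
```

The point for an end user is that the vault's security reduces to the upgrade policy of whatever contract it delegates to; the timelock turns an instant, unobservable logic change into one the owner can see and react to.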

BlackLotus is The First Publicly-Observed Malware to Bypass Secure Boot Within UEFI

The malware exploits CVE-2022-21894 on Windows 11, a vulnerability Microsoft patched in January 2022. Like a rootkit, the new malware family contains code that subverts the normal system boot process, loading before the operating system and thereby gaining widespread access to the target system. The malware still requires an initial delivery vector, such as a phishing email, for a successful infection. (2)

Unified Extensible Firmware Interface (UEFI) is a specification for the software in a computer that connects its firmware to the operating system. Secure Boot is an additional mechanism that validates the firmware and software running on Windows machines. (3) Rootkits (bootkits, bootloaders) and other malware targeting firmware are not common and are associated with advanced threat groups. This class of malware is most useful for targeting specific individuals, because its development and operation require more advanced skill.

BlackLotus was observed advertised as malware-as-a-service on a relatively popular forum, and thus enters the large market for commodity malware, making it much more widely available. The greatest risk is the potential pairing of this capability with further malware designed for targeted collection of personally identifiable information or for financial gain, and, more generally, its helping less skilled threat actors execute cyberattacks with higher impact. Similar and related capabilities have been reported since at least 2017, (4) and CosmicStrand, a malware family also able to subvert UEFI through Patch Guard, was described in summer 2022. (5)

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

Please refer to our support page for guidance on how to access the feeds.



Appendix

1. https://www.blockworksresearch.com/research/we-do-a-little-counter-exploit#the-counter-exploit-mechanics/
2. https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
3. https://www.techtarget.com/whatis/definition/Unified-Extensible-Firmware-Interface-UEFI
4. https://bbs.360.cn/thread-14959110-1-1.html
5. https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/


© 2014 – 2023 EclecticIQ B.V.