Humble are running a new bundle of interest to game developers, specifically 2D animators. The Humble Software Bundle: 2D Animation is based around two key pieces of software, Crazytalk 8 Standard and Crazytalk Animator 3 Pro, both from RealIllusion. As always the bundle is broken into tiers, the tiers of this bundle are:
1$
Face Filter 3
Makeup PRO
18$
CrazyTalk 8
Dress Up Show Time
Dress Up Work Wear
Stylized Classic Avatars
Garry Pye’s Comic Faces
25$
CrazyTalk Animator 3 PRO
G3 Animals Dogs
G3 Human Motions – Smooth Moves
G3 Animated Props – Fun Stuff
G3 Elastic Motions – Come and Go
With Humble Bundles you can decide how your funds are distributed, choosing between the developer, Humble, charity and if you so choose (and thanks if you do!) to support GameFromScratch if you purchase using this link. Check out the video below for more details on the bundle. Stay tuned for more hands-on content with CrazyTalk and CrazyTalk Animator in the near future!
This article shows you how to install the software you need to use Cockpit to create and manage virtual machines on Fedora 31. Cockpit is an interactive admin interface that lets you access and manage systems from any supported web browser. With virt-manager being deprecated users are encouraged to use Cockpit instead, which is meant to replace it.
Cockpit is an actively developed project, with many plugins available that extend how it works. For example, one such plugin is “Machines,” which interacts with libvirtd and lets users create and manage virtual machines.
Installing software
The required software prerequisites are libvirt, cockpit and cockpit-machines. To install them on Fedora 31, run the following command from a terminal using sudo:
Cockpit is also included as part of the “Headless Management” package group. This group is useful for a Fedora based server that you only access through a network. In that case, to install it, use this command:
$ sudo dnf groupinstall "Headless Management"
Setting up Cockpit services
After installing the necessary packages it’s time to enable the services. The libvirtd service runs the virtual machines, while Cockpit has a socket activated service to let you access the Web GUI:
This should be enough to run virtual machines and manage them through Cockpit. Optionally, if you want to access and manage your machine from another device on your network, you need to expose the service to the network. To do this, add a new rule in your firewall configuration:
To confirm the services are running and no issues occurred, check the status of the services:
$ sudo systemctl status libvirtd
$ sudo systemctl status cockpit.socket
At this point everything should be working. The Cockpit web GUI should be available at https://localhost:9090 or https://127.0.0.1:9090. Or, enter the local network IP in a web browser on any other device connected to the same network. (Without SSL certificates setup, you may need to allow a connection from your browser.)
Creating and installing a machine
Log into the interface using the user name and password for that system. You can also choose whether to allow your password to be used for administrative tasks in this session.
Select Virtual Machines and then select Create VM to build a new box. The console gives you several options:
Download an OS using Cockpit’s built in library
Use install media already downloaded on the system you’re managing
Enter all the necessary parameters. Then select Create to power up the new virtual machine.
At this point, a graphical console appears. Most modern web browsers let you use your keyboard and mouse to interact with the VM console. Now you can complete your installation and use your new VM, just as you would via virt-manager in the past.
Fangamer’s New Range Of Banjo-Kazooie Merch Is Tough To Resist
Gaming merchandise company Fangamer has unleashed a new set of goodies for its growing Banjo-Kazooie collection, and we’re having a hard time staying away from the ‘buy now’ button.
Perhaps the star of the show is a brand new 4-LP box set of Grant Kirkhope’s magical soundtrack, but you’ll also find a new t-shirt, scarf, Jiggy plush, and more. We’ll give you the link to check out the entire Banjo range (you’ll find that here) and pop a few photos for you below.
Fangamer is based in the US but ships pretty much everywhere, so we’re hopeful you’ll be able to snag yourself an order if you like what you see. While you’re at it, fancy buying us one of those Jiggy plushes?
Feel free to Guh-huh in excitement in the comments below.
Hello, and welcome to an oddly early TWAB entry. It’s Tuesday, it’s 10 in the morning, and we might have caught you off guard. This Thursday, we’re celebrating Thanksgiving in the states. It’s a day meant for us to reflect what we’re thankful for while spending time with friends and family.
We couldn’t leave for holiday without mentioning what we’re all incredibly thankful for: you.
Guardians like you inspire us every day, from the stories you’ve shared about the friendships you’ve made, to the tales of how you earned your favorite loot. Thank you to everyone who stopped by to share their stories over not only the last few weeks, but years of Destiny and Destiny 2.
Thank you, dear reader, for being a Guardian.
Now, let’s get on to the news of the week. We have some community spotlight on a few artists, and info on our Black Friday sale, which kicks off later this week!
But Before We Start…
Season of Dawn begins December 10, 2019. We have a bit to talk about between now and then…
Join us on Wednesday December 4, at 10:00 a.m. PT for the reveal of a new season. Dawn is almost upon us.
Holiday Shopping
Thanksgiving dinner is the last thing between you and the Holiday season. Black Friday at Bungie Store begins November 28, at 9 p.m. PT. We have new gear including T-shirts, collectibles, and accessories that make the perfect holiday gifts for the Guardians in your life! Or, you know, perfect gifts for yourself…
Ah, and the sweetest loot of all: Up to 50% off on Black Friday sale merchandise!
Every purchase through December 9, 2019 11:59 p.m. PT will include a free exclusive Destiny 2 emblem. Additionally, any purchases of $50 or more will include a free exclusive limited edition Destiny art print while supplies last.
EU residents shopping on Bungie Store EU will have access to the free emblem with purchase promotion and can expect more extensive product availability before the end of this year.
Artist Alley
We’re pleased to announce the Bungie Store’s Community Artist Series of official merchandise featuring art from the Destiny community!
Please join us in celebrating our creative and talented community with these limited edition collectible products. Each artist receives a share of the revenue from their product sales. The program is currently by invite only and we plan on adding more designs soon.
The first wave of Community Artist Series merchandise will be available for pre-order on November 28, 2019 at 9:00 p.m. PT.
Sergey Parshakov: Vermillion
Hi, this is Seryozha (you can read it if you’ve read Zhalo in D1). A Void Warlock who draws boring, mostly monochrome, pics.
My love for Destiny is based on two things: – An awesome mix of fantasy and sci-fi. – Use of Swiss graphic design traditions & attention to in-game branding (Hakke!).
I’m always searching for details which not everyone notices. I can watch at wall texture for tens of minutes, or how light draws Shrieker’s shape. This inspires me.
I’m convinced that the observing, analyzing & mixing of opposite elements to create something new are the keys to an awesome result.
Brian Moncus: The Last
Hi, my name is Brian Moncus or MrMoncus to some that know me by my social handles. I’m a part time freelance artist and I’ve been creating scribbles since I was a little kid with notebook paper and a No. 2 pencil. Currently I work digitally in Procreate on the Ipad Pro with a much more indirect approach to painting. Most of my work carries a darker vibe to it with influence from traditional charcoal work to iconic classical illustrations from artists such as Frank Frazetta. I love the Destiny universe and the stories within it, so I’m constantly finding inspiration for new works.
Ian Pestridge: Triarchy
After studying Visual Art at University, I now work in the games industry as an Art Director. My inspirations are diverse but notable are Iain McCaig, Katsuhiro Otomo & Gustave Dore. Stylistically my work is tonal, I utilise colour sparingly and purposefully. Detailed work with etch-like hatching and texture along with lighting, composition and mood are key to my style. I create art that excites and challenges me in style and subject, something visually arresting. My art allows me to express my enjoyment of Destiny; my favourite aspect is how creative and supportive the community and devs are.
Holiday Helpers
Even through the holiday, we keep tabs on our services to make sure things keep running. Our Player Support Team will be lively in the forums, leaving no stone unturned as we continue to investigate issues in the live game.
This is their report.
Google Stadia and Chrome Extensions
Last week, Destiny 2: The Collection launched on Google Stadia. Since launch, we’ve been closely monitoring reports for player-impacting issues on our local #Help forum. This week, we’d like to highlight an issue which can emerge when players have Chrome extensions enabled while playing Stadia in their Chrome browser.
In some cases, Stadia players have reported that Chrome extensions can interfere with keyboard inputs during Destiny 2 gameplay. If, for example, a player has a Chrome extension which uses the “R” key as a hotkey, the “R” key may be unresponsive during gameplay.
In all cases, we recommend that players remain aware of which Chrome extensions they have enabled, and be prepared to disable them in the event that they interfere with gameplay inputs. Alternatively, players can choose to rebind their keyboard inputs in their Destiny 2 Settings menu. If players encounter other general issues with their keybindings, they should restore them to their defaults and set them again.
For more information on Google Stadia, players should visit our Stadia Guide.
Holiday Support
This Thursday and Friday, Bungie will be closed in observance of the Thanksgiving holiday in the United States. Rest assured, our Bungie Network Operations Center will remain staffed to monitor services across Destiny 1, Destiny 2, and the Destiny Companion app.
In the event of a service interruption, players can receive the latest news by following @BungieHelp on Twitter or monitoring our support feed on help.bungie.net.
Cornucopia
Feast your eyes on this smorgasbord of artisanal treats, stuffed with the finest content our Community Creations page has to offer. Look, I get that this intro went a little overboard on food references. It’s almost Thanksgiving and all I can think about is Turkey. Deal with it.
Movie of the Week: Optimal Damage per Second
Honorable Mention: Thin Line
Honorable Mention: Undying YEET
Editors note: Yes, we see you throwing bosses off of the map. This is an example their revenge.
Honorable Mention: Wait for it…
So, let’s say you’re looking for a new emblem to sport, and you think you have some footage worthy of Movie of the Week. Submit your video to our Community Creations page, and maybe you’ll take home the prize next week.
It’s a bit of a light week, but we’ll be back in just over a week with the reveal of Season of Dawn. We’ll also have a patch note preview for Destiny 2 Update 2.7.0, bringing a few quality of life changes to the fold. I’m looking at you, Escalation Protocol armor.
We know you’re busy and might miss out on all the exciting things we’re talking about on Xbox Wire every week. If you’ve got a few minutes, we can help remedy that. We’ve pared down the past week’s news into one easy-to-digest article for all things Xbox! Or, if you’d rather watch than read, you can feast your eyes on our weekly video show above. Be sure to come back every Friday to find out what’s happening This Week on Xbox!
X019: Yakuza 0, Yakuza Kiwami, and Yakuza Kiwami 2 Coming to Xbox Game Pass in 2020 We’re happy to announce that SEGA / Ryu Ga Gotoku Studio’s Yakuza series is headed to Xbox One and Yakuza 0, Yakuza Kiwami, and Yakuza Kiwami 2 (the first three titles in the series, chronologically) will be available on the Microsoft Store and with…
X019: The Falconeer Soars to Xbox One Next Year The Falconeer, created by independent developer Tomas Sala, will be flying to Xbox One in 2020! We’re excited for fans to experience The Falconeer, a true gem that will set the bar for what indies can offer games. From the beginning, we’ve been enamored with this…
X019: Microsoft Flight Simulator Reveals First Wave of Aircraft Partnerships At X019, we’re thrilled to reveal many of the great aircraft manufacturers we are partnering with to make Microsoft Flight Simulator the most realistic flight simulation yet. As you saw in our new trailer, we have a broad range of aircraft, including commercial…
X019: Classic Games in Kingdom Hearts Saga Come to Xbox One If you’re a fan of Disney, Final Fantasy, or RPGs, get ready – we have a lot of very exciting news to share. Like… a lot. During the Microsoft X019 event in London, we announced that the full Kingdom Hearts saga is making its way to Xbox One in 2020…
X019: CrossfireX: The Journey to Bring One of the World’s Biggest Games to Console At the E3 Media Briefing this year I was surprised to hear Phil Spencer’s announcement about CrossfireX, a first-person shooter coming exclusively to Xbox consoles in 2020 and the first console version of one of the most played PC games in the world…
X019: The Legendary PC Racing Game, KartRider: Drift, Coming Soon to Xbox One When KartRider released in 2004, we hoped it would perform well, but we couldn’t have anticipated what a massive hit it would become. The game has now been around for over 15 years, amassed over 380 million players in Asia, and grown to become an eSports…
Xbox Game Pass at X019: Announcing Over 50 New Games, and Ultimate Holiday Offer Hi friends! I know we’re not ready for the holidays to be here just yet, but I have been holding this news in for so long that I can’t wait any longer to share it with you. We have so many good games, and some unbelievably amazing partnerships…
New Gamertag Features Come to Xbox One and Mobile Devices At E3 2019, we unveiled new ways to customize gamertags including a new display option and 13 additional alphabets which support over 200 languages worldwide that empower players around the world with more choice in how they represent themselves…
Team RWBY Invades the Battleground of the Gods The huntresses of “RWBY”have entered the MOBA arena of Smite on Xbox One! In this divine crossover event, you can play as all four heroines of Rooster Teeth’s acclaimed animated series. Ruby Rose, Blake Belladonna, Weiss Schnee, and Yang Xiao Long now…
Play Star Wars Jedi: Fallen Order Today on Xbox One One of our most-anticipated adventures of the year is here! Star Wars Jedi: Fallen Order is available now on Xbox One and enhanced for Xbox One X – get it here on the Microsoft Store and start playing today. In Star Wars Jedi: Fallen Order you take on the role…
Master a New Mode in Crash Team Racing Nitro-Fueled Today on Xbox One Ready up for a new way to play in Ring Rally, a timed race that pits players against the clock and themselves! Ring Rally is only one piece of the new content that includes new characters, a new track, and new Pit Stop items from the Neon Circus Grand Prix…
The Biggest Inside Xbox Episode of the Year Will Be at X019 This week, we’ll be kicking off X019, our global celebration of all things Xbox, with a special episode of Inside Xbox live from London on Thursday, November 14, at 12 p.m. PT / 3 p.m. ET / 8 p.m. GMT. We’re incredibly excited to be in London this week with our local…
Disney+ is Available Now for Xbox One The day that Disney fans have been waiting for is finally here: Disney+ is now available on Xbox One! This app, downloadable via the Microsoft Store, offers fans of all ages a new way to experience the unparalleled content from the company’s iconic entertainment brands…
Let Your Imagination Ride the Rails with Tracks – The Train Set Game Did you play with wooden train sets when you were younger? How about making little toy scenes in your living room? Imagination is a key part of everyone’s development as a child, but the fun doesn’t have to stop when you’re grown up. We don’t think the fun…
Minecraft Earth Early Access Available Now in the US It’s been more than two years since we began our journey to make Minecraft Earth a reality. Following a steady rollout in select markets around the world, today we’re thrilled to announce that Minecraft Earth early access can be downloaded on iOS and Android in another…
Tell Surreal Stories in Where the Water Tastes Like Wine, Coming to Xbox One November 29 It’s been a long journey, but I’m happy to announce that Where the Water Tastes Like Wine is coming to Xbox One! This game began on a train in Siberia – a fitting start to a story about traveling, riding the rails, and telling stories. I had spent several months…
“Reverse Horror Experience” Carrion Coming to Xbox One Next Year Phobia Game Studio and our friends at Devolver Digital are thrilled to announce that our “reverse horror” experience Carrion will release on Xbox One when it launches next year! Our little team has been working hard in Poland to create something that we…
Fishing Planet Update: New Motorboats, Waterway, and Fish Big hello from Fishing Planet to all anglers around the world! We’re excited to present you the recent update Fishing Planet had! And we certainly hope that you’ll have immense fun exploring all of the game’s new features that we prepared in this update…
Get Ready to Rumble with Mystic, Now Available in Black Desert on Xbox One Greetings, adventurers! Today, our team has added a new character class to the extensive open world of Black Desert on Xbox One in a free update. Mystic is a brawler who uses her fists to beat enemies with powerful and precise blows. If you have experience…
Experience the Mystic Awakening Event in Black Desert Today on Xbox One Greetings, adventurers! Today, our team has added the Mystic Awakening event, Bartali’s Adventure Log, and new craftable costumes to the world of Black Desert in a free update on Xbox One. Mystic, the master of martial arts, can now achieve her true potential…
Introducing the Red Refuge in TERA on Xbox One Fans of TERA on Xbox One should take notice: the Unmasked content update brings you not only a new dungeon to explore, but also a stat-boosting mask that will compliment any character’s playstyle. Better yet, all this awesomeness comes from one…
Permadeath Comes to Remnant: From the Ashes with Hardcore More If you thought your first playthrough of Remnant: From the Ashes was too easy, boy do we have a treat for you. Introducing, Hardcore mode – a new game mode released today on Xbox One where death is truly the end. It’s going to take everything you’ve got to make…
Next Week on Xbox: New Games for November 19 to 22 Welcome to Next Week on Xbox, where we cover all the new games coming soon to Xbox One! Every week the team at Xbox aims to deliver quality gaming content for you to enjoy on your favorite gaming console. To find out what’s coming soon to Xbox One…
Free Play Days – NASCAR Heat 4 and Contra: Rogue Corps This weekend, it’s all about speed and fast-paced action! Immerse yourself in the world of high-speed racing with NASCAR Heat 4 or save the world from an otherworldy invasion in Contra: Rogue Corps. Jump into this Free Play Days event, which runs from…
Battleborn pulled from digital stores, going offline in 2021
Battleborn publisher 2K Games has announced that Gearbox’s ill-fated hero-shooter will be going offline for good in January 2021, and has already been pulled from digital shelves ahead of the shutdown.
As part of that process, Battleborn players will no longer be able to purchase the game’s premium currency after February 24, 2020, though any purchased prior or earned in-game can be spent as usual until the game goes offline.
After that, the next step sees servers shut down in January 2021, and Battleborn as a whole will be rendered entirely unplayable.
Gearbox launched Battleborn back in 2016, a launch window that saw it going head to head with similarly angled hero-shooters like Blizzard’s Overwatch.
The team had already ended active development as of September 2017. At the time, Gearbox said that Battleborn’s servers would remain up for the “foreseeable future,” a point in time that is now just over a year away.
Whether you’re just starting out, looking for something new, or just seeing what’s out there, the Gamasutra Job Board is the place where game developers move ahead in their careers.
Gamasutra’s Job Board is the most diverse, most active, and most established board of its kind in the video game industry, serving companies of all sizes, from indie to triple-A.
Posted by: xSicKxBot - 11-27-2019, 12:50 PM - Forum: Windows
- No Replies
Insights from 1 year of tracking a polymorphic threat
A little over a year ago, in October 2018, our polymorphic outbreak monitoring system detected a large surge in reports, indicating that a large-scale campaign was unfolding. We observed as the new threat attempted to deploy files that changed every 20-30 minutes on thousands of devices. We gave the threat the name “Dexphot,” based on certain characteristics of the malware code.
The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics. It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot ultimately ran a cryptocurrency miner on the device, with monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.
In the months that followed, we closely tracked the threat and witnessed the attackers upgrade the malware, target new processes, and work around defensive measures:
While Microsoft Defender Advanced Threat Protection’s pre-execution detection engines blocked Dexphot in most cases, behavior-based machine learning models provided protection for cases where the threat slipped through. Given the threat’s persistence mechanisms, polymorphism, and use of fileless techniques, behavior-based detection was a critical component of the comprehensive protection against this malware and other threats that exhibit similar malicious behaviors.
Microsoft Defender ATP data shows the effectiveness of behavioral blocking and containment capabilities in stopping the Dexphot campaign. Over time, Dexphot-related malicious behavior reports dropped to a low hum, as the threat lost steam.
Our close monitoring of Dexphot helped us ensure that our customers were protected from the evolving threat. More importantly, one year’s worth of intelligence helped us gain insight not only into the goals and motivations of Dexphot’s authors, but of cybercriminals in general.
Complex attack chain
The early stages of a Dexphot infection involves numerous files and processes. During the execution stage, Dexphot writes five key files to disk:
An installer with two URLs
An MSI package file downloaded from one of the URLs
A password-protected ZIP archive
A loader DLL, which is extracted from the archive
An encrypted data file that holds three additional executables that are loaded into system processes via process hollowing
Except for the installer, the other processes that run during execution are legitimate system processes. This can make detection and remediation more difficult. These legitimate system processes include msiexec.exe (for installing MSI packages), unzip.exe (for extracting files from the password-protected ZIP archive), rundll32.exe (for loading the loader DLL), schtasks.exe (for scheduled tasks), powershell.exe (for forced updates). In later stages, Dexphot targets a few other system processes for process hollowing: svchost.exe, tracert.exe, and setup.exe.
Multiple layers of security evasion
Based on Microsoft Defender ATP signals, SoftwareBundler:Win32/ICLoader and its variants are primarily used to drop and run the Dexphot installer. The installer uses two URLs to download malicious payloads. These are the same two URLs that Dexphot use later to establish persistence, update the malware, and re-infect the device.
The installer downloads an MSI package from one of the two URLs, and then launches msiexec.exe to perform a silent install. This is the first of several instances of Dexphot employing living-off-the-land techniques, the use of legitimate system processes for nefarious purposes.
Dexphot’s package often contains an obfuscated batch script. If the package contains this file, the script is the first thing that msiexec.exe runs when it begins the installation process. The said obfuscated script is designed to check for antivirus products. Dexphot halts the infection process immediately if an antivirus product is found running.
When we first began our research, the batch script only checked for antivirus products from Avast and AVG. Later, Windows Defender Antivirus was added to the checklist.
If the process is not halted, Dexphot decompresses the password-protected ZIP archive from the MSI package. The password to this archive is within the MSI package. Along with the password, the malware’s authors also include a clean version of unzip.exe so that they don’t have to rely on the target system having a ZIP utility. The unzip.exe file in the package is usually named various things, such as z.exe or ex.exe, to avoid scrutiny.
The ZIP archive usually contains three files: the loader DLL, an encrypted data file (usually named bin.dat), and, often, one clean unrelated DLL, which is likely included to mislead detection.
Dexphot usually extracts the decompressed files to the target system’s Favorites folder. The files are given new, random names, which are generated by concatenating words and numbers based on the time of execution (for example, C:\Users\<user>\Favorites\\Res.Center.ponse\<numbers>). The commands to generate the new names are also obfuscated, for example:
Msiexec.exe next calls rundll32.exe, specifying loader DLL (urlmon.7z in the example above) in order to decrypt the data file. The decryption process involves ADD and XOR operations, using a key hardcoded in the binary.
The decrypted data contains three executables. Unlike the files described earlier, these executables are never written to the filesystem. Instead, they exist only in memory, and Dexphot runs them by loading them into other system processes via process hollowing.
Stealthy execution through fileless techniques
Process hollowing is a technique that can hide malware within a legitimate system process. It replaces the contents of the legitimate process with malicious code. Detecting malicious code hidden using this method is not trivial, so process hollowing has become a prevalent technique used by malware today.
This method has the additional benefit of being fileless: the code can be run without actually being saved on the file system. Not only is it harder to detect the malicious code while it’s running, it’s harder to find useful forensics after the process has stopped.
To initiate process hollowing, the loader DLL targets two legitimate system processes, for example svchost.exe or nslookup.exe, and spawns them in a suspended state. The loader DLL replaces the contents of these processes with the first and second decrypted executables. These executables are monitoring services for maintaining Dexphot’s components. The now-malicious processes are released from suspension and run.
Next, the loader DLL targets the setup.exe file in SysWoW64. It removes setup.exe’s contents and replaces them with the third decrypted executable, a cryptocurrency miner. Although Dexphot always uses a cryptocurrency miner of some kind, it’s not always the same miner. It used different programs like XMRig and JCE Miner over the course of our research.
Persistence through regularly scheduled malware updates
The two monitoring services simultaneously check the status of all three malicious processes. Having dual monitoring services provides redundancy in case one of the monitoring processes is halted. If any of the processes are terminated, the monitors immediately identify the situation, terminate all remaining malicious processes, and re-infect the device. This forced update/re-infection process is started by a PowerShell command similar to the one below:
The monitoring components also detect freshly launched cmd.exe processes and terminate them promptly. As a final fail-safe, Dexphot uses schtasks.exe to create scheduled tasks, with the command below.
The scheduled tasks call msiexec.exe as a proxy to run the malicious code, much like how msiexec.exe was used during installation. Using msiexec.exe, a legitimate system process, can make it harder to trace the source of malicious activity.
Furthermore, the tasks allow Dexphot to conveniently update the payload from the web every time the tasks run. They automatically update all of Dexphot’s components, both upon system reboot as well as every 90 or 110 minutes while the system is running.
Dexphot also generates the names for the tasks at runtime, which means a simple block list of hardcoded task names will not be effective in preventing them from running. The names are usually in a GUID format, although after we released our first round of Dexphot-blocking protections, the threat authors began to use random strings.
The threat authors have one more evasion technique for these scheduled tasks: some Dexphot variants copy msiexec.exe to an arbitrary location and give it a random name, such as %AppData%\<random>.exe. This makes the system process running malicious code a literal moving target.
Polymorphism
Dexphot exhibits multiple layers of polymorphism across the binaries it distributes. For example, the MSI package used in the campaign contains different files, as shown in the table below. The MSI packages generally include a clean version of unzip.exe, a password-protected ZIP file, and a batch file that checks for currently installed antivirus products. However, the batch file is not always present, and the names of the ZIP files and Loader DLLs, as well as the password for extracting the ZIP file, all change from one package to the next.
In addition, the contents of each Loader DLL differs from package to package, as does the encrypted data included in the ZIP file. This leads to the generation of a different ZIP archive and, in turn, a unique MSI package, each time the attacker bundles the files together. Because of these carefully designed layers of polymorphism, a traditional file-based detection approach wouldn’t be effective against Dexphot.
MSI package ID
MSI package contents
Password for ZIP file
Contents of encrypted ZIP
Unzip.exe name
ZIP file name
Batch file name
Loader DLL file name
Encrypted data name
MSI-1
ex.exe
webUI.r0_
f.bat
kjfhwehjkf
IECache.dll
bin.dat
MSI-2
ex.exe
analog.tv
f.bat
ZvDagW
kernel32.bin
bin.dat
MSI-3
z.exe
yandex.zip
f.bat
jeremy
SetupUi.dll
bin.dat
MSI-4
unzip.exe
ERDNT.LOC.zip
iso100
ERDNT.LOC
data.bin
MSI-5
pck.exe
mse.zip
kika
_steam.dll
bin.dat
MSI-6
z.exe
msi.zip
arima
ic64.dll
bin.dat
MSI-7
z.exe
mse.zip
f.bat
kika
_steam.dll
bin.dat
MSI-8
z.exe
mse.zip
kika
_steam.dll
bin.dat
MSI-9
z.exe
yandex.zip
f.bat
jeremy
SetupUi.dll
bin.dat
MSI-10
hf.exe
update.dat
f.bat
namr
x32Frame.dll
data.bin
MSI-11
z.exe
yandex.zip
f.bat
jeremy
SetupUi.dll
bin.dat
MSI-12
unzip.exe
PkgMgr.iso.zip
pack
PkgMgr.iso
data.bin
MSI-13
ex.exe
analog.tv
f.bat
kjfhwefkjwehjkf
urlmon.7z
bin.dat
MSI-14
ex.exe
icon.ico
f.bat
ZDADW
default.ocx
bin.dat
MSI-15
hf.exe
update.dat
namr
AvastFileRep.dll
data.bin
MSI-16
pck.exe
mse.zip
f.bat
kika
_steam.dll
bin.dat
MSI-17
z.exe
mse.zip
f.bat
joft
win2k.wim
bin.dat
MSI-18
ex.exe
plugin.cx
f.bat
ZDW
_setup.ini
bin.dat
MSI-19
hf.exe
update.dat
namr
AvastFileRep.dll
data.bin
MSI-20
ex.exe
installers.msu
f.bat
000cehjkf
MSE.Engine.dll
bin.dat
MSI-21
z.exe
msi.zip
f.bat
arima
ic64.dll
bin.dat
MSI-22
z.exe
archive00.x
f.bat
00Jmsjeh20
chrome_watcher.dll
bin.dat
A multitude of payload hosts
Besides tracking the files and processes that Dexphot uses to execute an attack, we have also been monitoring the domains used to host malicious payloads. The URLs used for hosting all follow a similar pattern. The domain address usually ends in a .info or .net TLD, while the file name for the actual payload consists of random characters, similar to the randomness previously seen being used to generate file names and scheduled tasks. Some examples from our research are shown in the table below.
Many of the URLs listed were in use for an extended period. However, the MSI packages hosted at each URL are frequently changed or updated. In addition, every few days more domains are generated to host more payloads. After a few months of monitoring, we were able to identify around 200 unique Dexphot domains.
Conclusion: Dynamic, comprehensive protection against increasingly complex everyday threats
Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers — yet Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit.
To combat threats, several next-generation protection engines in Microsoft Defender Advanced Threat Protection’s antivirus component detect and stop malicious techniques at multiple points along the attack chain. For Dexphot, machine learning-based detections in the cloud recognize and block the DLLs loaded by rundll32.exe, stopping the attack chain in its early stages. Memory scans detect and terminate the loading of malicious code hidden by process hollowing — including the monitoring processes that attempt to update the malware code and re-infect the machine via PowerShell commands.
Behavioral blocking and containment capabilities are especially effective in defeating Dexphot’s fileless techniques, detection evasion, and persistence mechanisms, including the periodic and boot-time attempts to update the malware via scheduled tasks. As mentioned, given the complexity of the attack chain and of Dexphot’s persistence methods, we released a remediation solution that prevents re-infection by removing artifacts.
The detection, blocking, and remediation of Dexphot on endpoints are exposed in Microsoft Defender Security Center, where Microsoft Defender ATP’s rich capabilities like endpoint detection and response, automated investigation and remediation, and others enable security operations teams to investigate and remediate attacks in enterprise environments. With these capabilities, Microsoft Defender ATP provides comprehensive protection against Dexphot and the countless other complex and evolving threats that we face every day.
Glorious Scans Of A Forgotten 1992 F-Zero Novel Have Surfaced Online
If you’ve missed F-Zero as much as we have for the last 15 years-or-so, then wow do we have a great find for you today.
The images you see before you are reportedly from an F-Zero novel which was released back in February 1992. They were shared online by Twitter user @step70s earlier this year (you’ll have to forgive us for not spotting them sooner), where more details surrounding its release have also been shared.
Step says that the novel, the title of which roughly translates to ‘F-Zero: And then, to the gods of speed’, was part of the Futabasha Fantasy Novel Series released in the ’90s. We did a little more digging and stumbled across an advertisement for the novel, alongside a tease for a Legend of Zelda release. How have we not seen these before?
The F-Zero novel was written by Katsuyuki Ozaki with illustrations by Kagami Yasuhiro (you can actually see Yasuhiro’s portfolio here). @step70s notes that Ozaki’s take on the F-Zero franchise “puts aside the brighter comic book-inspired world for a darker dystopian one”.
Filled with excitement, the Nintendo Life team has been trying to hunt down a copy online since the first moment our eyes met these glorious pages, but we’ve had no luck. If you know anything else about the novel, or perhaps if you even own one yourself, feel free to tell us all about it in the comments.