Search This Blog

Showing posts with label Backdoor. Show all posts

Retail Cybersecurity Threats Analysis


Cybercriminals are increasingly focusing their attention on thriving markets and enterprises, and the retail industry is no exception. Retail is a common target for hackers who want to steal both money and client information.

Customers are directly responsible for the success of any retail firm, and every incident that negatively impacts customers will have an impact on business. Financial stability is a key component of any business's success, and one of the worst effects of cyberattacks is the unpredictability of financial losses. Retailers have unique financial risks, such as the possibility that an attacker will lower the price of pricey items in an online store. The retailer will lose money if the attack is undetected and the products are sold and shipped at a discounted price.

Card skimmers, unprotected point-of-sale (PoS) systems, unprotected or public Wi-Fi networks, USB drives or other physical hacking equipment, unprotected Internet of Things (IoT) devices, social engineering, and insider threats are all ways that threat actors can access companies after physically being present there.

Threat actors can also steal or hack susceptible IoT devices using the default technical information or credentials. Last but not least, there are still more potential entry points for cyber infiltration, including inexperienced staff, social engineering, and insider threats.

Potential Threats

Unsecured Point-of-Sale (PoS) Systems and Card Skimmers: It is possible to physically plant fake card readers, or 'skimmers,' inside a store to copy or skim card data. These can also be used for other smart cards, such as ID cards, although they are frequently used to steal credit card information. In places with poor security, like ATMs or petrol pumps, legitimate card readers might have skimmer attachments. Skimmers are simple to install and use Bluetooth to send the data they collect.

Public or insecure Wi-Fi Networks: Backdoors into a company's systems can be created using rogue networks or access points, which can be put on a network's wired infrastructure without the administrator's knowledge. In order to deceive users into connecting to them and aiding man-in-the-middle attacks, they seem to be legal Wi-Fi networks. Hackers can view all file sharing and traffic sent between a user and a server on a public Wi-Fi network if the facility has an encryption-free connection.

Virus-Carrying USB Devices: Once a USB drive is plugged into a target computer, an attacker can utilize it to deliver and run malware directly on business computers. This can be done manually or automatically. Additionally, malicious USB charging stations and cables have been reported in the past. In one example, a USB charging cable for an electronic cigarette contained a tiny chip that was secretly encased in malware.

Untrained Employees, Social Engineering, & Cyberespionage: Threat actors might work out of physical places to use inexperienced workers to get access to company systems. Employees are frequently duped into giving login passwords, account information, or access to company resources through social engineering.

The transition to e-commerce is generally a positive development for retailers. However, this change of direction also poses a threat to e-commerce cybersecurity.

Hacker Group Cranefly Develops ISS Method

The novel method of reading commands from seemingly innocent Internet Information Services (IIS) logs has been used to install backdoors and other tools by a recently leaked dropper. Cybersecurity experts at Symantec claimed an attacker is utilizing the malware known as Cranefly also known as UNC3524 to install Trojan. Danfuan, another undocumented malware, as well as other tools.

Mandiant reported that Cranefly mainly targeted the emails of individuals who specialized in corporate development, merger and acquisitions, and significant corporate transactions when it was originally founded in May. Mandiant claims that these attackers remained undetected on target networks for at least 18 months by using backdoors on equipment without support for security measures.

One of the main malware strains used by the gang is QUIETEXIT, a backdoor installed on network equipment like cloud services and wireless access point controllers that do not enable antivirus or endpoint monitoring. This allows the attacker to remain undetected for a long time.

Geppei and Danfuan augment Cranefly's arsenal of specialized cyber weapons, with Geppei serving as a dropper by collecting orders from IIS logs that look like normal web access requests delivered to a compromised host.

The most recent Symantec advisory now claims that UNC3524 used Hacktool-based backdoors in some instances. Multiple advanced persistent threat (APT) clusters use the open-source technology Regeorg.
Additionally, Symantec has cautioned that Cranefly is a 'pretty experienced' hacking group as evidenced by the adoption of a new method in conjunction with the bespoke tools and the measures made to conceal their activity.

On its alert and Protection Bulletins website, Symantec lists the indicators of compromise (IoC) for this attack. Polonium is another threat actor that usually focuses on gathering intelligence, and ESET recently saw Polonium utilizing seven different backdoor variants to snoop on Israeli firms.

Cranefly employs this sneaky method to keep a foothold on compromised servers and gather information covertly. As attackers can send commands through various channels, including proxy servers, VPNs, Tor, or online development environments, this method also aids in avoiding detection by investigators and law enforcement.

It is unclear how many systems have been compromised or how often the threat actors may have utilized this technique in ongoing operations.

Irresponsibile Malware Operators Squandered an "Undetectable" Windows Backdoor


Due to the malware operators' careless behaviour, a "completely undetectable" backdoor has been discovered. 

SafeBreach Labs claims to have discovered a brand new PowerShell backdoor that, when properly executed, grants attackers remote access to compromised endpoints. From there, the attackers could launch a variety of stage-two attacks, ranging from data stealers to ransomware (opens in new tab) and everything in between. 

Based on the report, an unknown threat actor created "ApplyForm[.]docm," a weaponized Word document. It contained a macro that, when activated, ran an unknown PowerShell script.

"The macro drops updater.vbs, creates a scheduled task pretending to be part of a Windows update, which will execute the updater.vbs script from a fake update folder under '%appdata%\local\Microsoft\Windows," the researchers explained

Updater.vbs would then execute a PowerShell script, granting the attacker remote access. The malware creates two PowerShell scripts, Script.ps1 and Temp.ps1, before running the scheduled task. The contents are concealed and placed in text boxes within the Word document, which is then saved in the fictitious update directory. As a result, antivirus software fails to identify the file as malicious.

Script.ps1 connects to the command and control server to assign a victim ID and receive additional instructions. Then it executes the Temp.ps1 script, which stores data and executes commands. The attackers made the mistake of issuing victim IDs in a predictable sequence, which allowed researchers to listen in on conversations with the C2 server.

While it is unknown who is behind the attack, the malicious Word document was uploaded from Jordan in late August of this year and has so far compromised approximately one hundred devices, most of which belong to people looking for new jobs. The Register reader described their encounter with the backdoor, offering advice to businesses looking to mitigate the damage that unknown backdoors can cause.

“I run an MSP and we were alerted to this on the 3rd of October. Client was a 330 seat charity and I did not link it to this specific article until I read it this morning."

"They have zero-trust [ZT] and Ringfencing so although the macro ran, it didn't make it outside of Excel,” they said. “A subtle reminder to incorporate a ZT solution in critical environments as it can stop zero-day stuff like this."

Lazarus Hackers Employed Spear-Phishing Campaign to Target European Workers


ESET researchers have spotted the infamous Lazarus APT group installing a Windows rootkit that exploits a Dell hardware driver in a Bring Your Own Vulnerable Driver (BYOVD) attack. 

In a spear-phishing campaign that began in the autumn of 2021 and ran until March 2022, the hackers targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium. 

Exploiting Dell driver for BYOVD assaults 

According to ESET, the malicious campaign was mostly geared toward attacking European contractors with fake job offers. The hackers exploited LinkedIn and WhatsApp by posing as recruiters to deliver malicious components disguised as job descriptions or application forms. 

Upon clicking on these documents, a remote template was downloaded from a hardcoded address, followed by infections involving malware loaders, droppers, custom backdoors, and more. 

The most notable tool delivered in this campaign was a new FudModule rootkit that employs a BYOVD (Bring Your Own Vulnerable Driver) methodology to exploit a security bug in a Dell hardware driver.

The hackers were exploiting the vulnerability tracked CVE-2021-21551 in a Dell hardware driver (“dbutil_2_3.sys”), which corresponds to a set of five flaws that remained susceptible for 12 years before the computer vendor finally published security patches for it. 

The APT group employed Bring Your Own Vulnerable Driver (BYOVD) technique to install authentic, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows allowed the driver to be installed in the operating system. However, the hackers can now exploit the driver’s flaws to launch commands with kernel-level privileges. 

Last year in December, Rapid 7 researchers issued a warning regarding this specific driver being a perfect match for BYOVD assaults due to Dell’s inadequate fixes, allowing kernel code execution even on recent, signed versions. It appears that Lazarus was familiar with this potential for exploitation and abused the Dell driver well before threat analysts issued their public warnings. 

“The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way,” researchers explained. 

The APT group also delivered its trademark custom HTTP(S) backdoor ‘BLINDINGCAN,’ first unearthed by U.S. intelligence in August 2020 and linked to Lazarus by Kaspersky in October last year. Other tools deployed in the spear-phishing campaign are the FudModule Rootkit, an HTTP(S) uploader employed for secure data theft, and multiple trojanized open-source apps like wolfSSL and FingerText.

Middle East Targeted via Steganography

A hacktivist gang that has previously attacked an African country's stock exchange with malware and seized vast amounts of data is now focusing on the governments of several Middle Eastern countries.

ESET, a cybersecurity company, discovered Witchetty also known as LookingFrog for the first time in April 2022. It is thought to be closely associated with the state-sponsored Chinese threat actor APT10 formerly known as Cicada. The gang is also regarded as TA410 personnel, who have previously been connected to strikes against American energy suppliers.

A threat actor identified as Witchetty was seen by Broadcom's Symantec Threat Hunter Team utilizing steganography to conceal an unknown backdoor in a Windows logo.

The new malware uses steganography, a method for hiding a message in an openly available document, to extract dangerous code from a bitmap image of a previous version of the Microsoft Windows logo.

In the campaign that Symantec found, Witchetty is utilizing steganography to conceal backdoor software that is XOR-encrypted in an outdated Windows logo bitmap picture.

"By disguising the payload in this way, the attackers were able to host it on a reliable, cost-free service. Downloads from reputable servers like GitHub are much less likely to cause concern than downloads from a command-and-control (C&C) server that is under the control of an attacker" the researchers stated.

Backdoor employment

The employment of another backdoor known as Stegmap is highlighted in Symantec's most recent investigation of attacks between February and September 2022, when the organization attacked the governments of two Middle Eastern countries as well as the stock exchange of an African nation. 

Like many backdoors, Stegmap includes a wide range of features that enable it to do file manipulation operations, download and run executables, stop processes, and alter the Windows Registry. The hackers updated their toolset for this effort to target the vulnerabilities, and they used steganography to shield their harmful payload from antivirus software.

By taking advantage of the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on susceptible servers, the threat actors acquire initial access to a network and launch the attack. 

According to the chronology of an attack on a Middle Eastern government organization, Witchetty maintained remote access for as long as six months and carried out a variety of post-exploitation activities, such as network enumeration and the installation of custom malware, up to September 1, 2022.

Governments and state institutions around the world, including those in Asia and Africa, continue to face active threats from TA410 and Witchetty. The best defense against such attacks is to implement security upgrades as soon as they are available. In the campaign that Symantec has identified, the hackers depend on last year's flaws to infiltrate the target network and take advantage of the subpar management of publicly accessible servers.

North Korean Hackers Exploit Systems via Deploying PuTTY SSH Tool

An attack using a new spear phishing tactic that makes use of trojanized variants of the PuTTY SSH and Telnet client has been discovered with a North Korea link.

The malicious actors identified by Mandiant as the source of such effort is 'UNC4034', also referred to as Temp.Hermit or Labyrinth Chollima. Mandiant asserted that the UNC4034 technique was currently changing.

UNC4034 made contact with the victim via WhatsApp and tricked them into downloading a malicious ISO package in the form of a bogus job offer. This caused the AIRDRY.V2 backdoor to be installed via a trojanized PuTTY instance. 

As part of a long-running operation called Operation Dream Job, North Korean state-sponsored hackers frequently use fake job lures as a means of spreading malware. One such group is the Lazarus Group. 

The ios file had a bogus amazon job offer which was the entry point for hackers to breach data. After making initial contact via email, the file was exchanged over WhatsApp. 

The archive itself contains a text file with an IP address and login information, as well as a modified version of PuTTY that loads a dropper named DAVESHELL that installs a newer version of a backdoor known as AIRDRY. 

The threat actor probably persuaded the victim to open a PuTTY session and connect to the remote host using the credentials listed in the TXT file, therefore initiating the infection. Once the program has been launched, it makes an effort to persist by adding a new, scheduled task every day at 10:30 a.m. local time.

After a target responds to a fake job lure, the criminals may use a variety of malware delivery methods, according to Mandiant. 

The most recent version of the virus has been found to forego the command-based method in favor of plugins which are downloaded and processed in memory, in contrast to prior versions of the malware that included roughly 30 commands for transferring files, file systems, and command execution.

Several technical indicators are also included in the Mandiant alert to aid businesses in identifying UNC4034-related activities. Days before its publication, US authorities confiscated $30 million in North Korean cryptocurrency that had been stolen.

Experts Discovered TeslaGun Panel Used by TA505 to Manage its ServHelper Backdoor


Cybersecurity researchers have revealed details about a previously unknown software control panel used by TA505, a financially motivated threat group. 

"The group frequently changes its malware attack strategies in response to global cybercrime trends," Swiss cybersecurity firm PRODAFT said in a report shared with The Hacker News. "It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on."

TA505, also known as Evil Corp, Gold Drake, Dudear, Indrik Spider, and SectorJ04, is an aggressive Russian cybercrime syndicate that is responsible for the infamous Dridex banking trojan and has been connected to a number of ransomware campaigns in recent years. It's also linked to the Raspberry Robin attacks, which first surfaced in September 2021, with similarities discovered between the malware and Dridex. Other malware families linked with the group include FlawedAmmyy, the Neutrino botnet, and ServHelper, a backdoor capable of downloading FlawedGrace, a remote access trojan.

The adversary is said to use the TeslaGun control panel to manage the ServHelper implant, acting as a command-and-control (C2) framework to commandeer the compromised machines. Furthermore, the panel allows attackers to issue commands and send a single command to all victim devices in go or configure the panel so that a predefined command is automatically executed when a new victim is added to the panel.

Aside from the panel, threat actors have been observed using a remote desktop protocol (RDP) tool to connect to the targeted systems via RDP tunnels.

"The TeslaGun panel has a pragmatic, minimalist design. The main dashboard only contains infected victim data, a generic comment section for each victim, and several options for filtering victim records," the researchers said.

According to PRODAFT's analysis of TeslaGun victim data, the group's phishing and targeted campaigns have reached at least 8,160 people July 2020. A majority of those victims are located in the U.S. (3,667), followed by Russia (647), Brazil (483), Romania (444), and the U.K. (359).

"It is clear that TA505 is actively looking for online banking or retail users, including crypto-wallets and e-commerce accounts," the researchers noted, citing comments made by the adversarial group in the TeslaGun panel.

The findings also arrive as the US Department of Health and Human Services (HHS) issued a warning about the group's significant threats to the health sector, including data exfiltration attacks aimed at stealing intellectual property and ransomware operations.

The agency's Health Sector Cybersecurity Coordination Center (HC3) said in an advisory published late last month, "Evil Corp has a wide set of highly-capable tools at their disposal. These are developed and maintained in-house, but are often used in conjunction with commodity malware, living-off-the-land techniques and common security tools that were designed for legitimate and lawful security assessments."

BianLian Ransomware Rising Across Networks

The invasion of command-and-control (C2) infrastructure this month by the developers of the newly discovered cross-platform BianLian ransomware is a sign that the firm's operational pace is picking up.

Researchers at Cyble Research Labs claim that BianLian has grown in popularity since it was originally discovered in mid-July and shared details on their analysis of the ransomware in a blog post last week.

It's important to note that the double extortion ransomware family is unrelated to an Android banking virus of the same name that preys on bitcoin and mobile banking apps to steal sensitive data.

With the unique BianLian virus, threat actors have so far targeted a wide range of businesses, including those in media and entertainment, manufacturing, education, healthcare, banking, financial services, and insurance (BFSI), among other industries.

According to Cyble, the media and entertainment industry has suffered the greatest number of BianLian attacks—25% of victims to date—along with 12.5% each in the professional services, manufacturing, healthcare, energy and utilities, and education industries.

Ransomware operation 

The ProxyShell Microsoft Exchange Server vulnerabilities are successfully exploited to get initial access to victim networks and to drop a web shell or a ngrok payload for subsequent actions.

The BianLian actors' display dwells lengths of up to six weeks between the time of initial access and the actual encryption event, a duration that is significantly longer than the median intruder dwell time of 15 days reported in 2021.

The group is known to use a bespoke implant as a backup method for preserving persistent access to the network in addition to utilizing living-off-the-land (LotL) tactics for network profiling and lateral migration.

The main objective of the backdoor is to download arbitrary payloads from a remote server, load them into memory, and then execute them. Similar to Agenda, BianLian can boot servers in Windows safe mode so that it can run its file-encrypting malware while evading detection by the system's security tools.

According to reports, the first C2 server connected to BianLian became live in December 2021. However, since then, the infrastructure has experienced a troubling expansion, surpassing 30 active IP addresses.

BianLian is also another example of cybercriminals' persistent efforts to use hopping techniques to evade detection. It also increases the threat level associated with the use of the fundamental language Go, giving adversaries the ability to quickly modify a single codebase that can subsequently be produced for several platforms.

Researchers Discovered Counterfeit Phones with Backdoor to Hack WhatsApp Accounts


Budget Android device models that are replicas of popular smartphone brands are infected with numerous trojans devised to target the WhatsApp and WhatsApp Business messaging apps. Doctor Web discovered the malware in the system partitions of at least four different smartphones in July 2022: P48pro, redmi note 8, Note30u, and Mate40. 

The cybersecurity firm said in a report published, "These incidents are united by the fact that the attacked devices were copycats of famous brand-name models. Moreover, instead of having one of the latest OS versions installed on them with the corresponding information displayed in the device details (for example, Android 10), they had the long outdated 4.4.2 version."

The tampering specifically affects two files, "/system/lib/" and "/system/lib/," which have been modified in such a way that when the system library is used by any app, it activates the execution of a trojan embedded in If the apps that use the libraries are WhatsApp and WhatsApp Business, launches a third backdoor whose primary function is to download and install additional plugins from a remote location.

The researchers stated, "The danger of the discovered backdoors and the modules they download is that they operate in such a way that they actually become part of the targeted apps. As a result, they gain access to the attacked apps' files and can read chats, send spam, intercept and listen to phone calls, and execute other malicious actions, depending on the functionality of the downloaded modules." is configured to start a local server that enables connections from a remote or local client via the "mysh" console if the app using the libraries turns out to be wpa supplicant - a system daemon used to manage network connections.

Potential Risks

Based on the discovery of another trojan embedded in the system application responsible for over-the-air (OTA) firmware updates, Doctor Web hypothesised that the system partition implants could be part of the FakeUpdates (aka SocGholish) malware family.

The malicious app, on the other hand, is designed to exfiltrate detailed metadata concerning the infected device as well as download and install other software without the user's knowledge using Lua scripts.

Large-Scale Malware Campaign Targets Elastix VoIP Systems


Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022. 

Elastix is a unified communications server software, based on projects such as Digium’s Asterisk, FreePBX, and more. 

The hackers' goal was to inject a PHP web shell that could run arbitrary commands on the compromised communications server and exploit a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, with a critical severity rating of 9.8 out of 10. 

The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point. 

According to the researchers, enterprise servers are sometimes a higher-value target than computers, laptops, or other firm endpoints. Servers are usually more powerful devices and could be exploited, for example, as part of a potent botnet generating thousands of requests per second. 

In this campaign, the researchers spotted two separate attack groups employing initial exploitation scripts to drop a small-size shell script. The script installs an obfuscated PHP backdoor on the web server, manufactures multiple root user accounts, and sets a scheduled task to ensure recurring re-infection of the system. 

"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained. 

The IP addresses of the hackers are in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment. 

The PHP web shell – which is injected with a random junk string to bypass signature-based defenses –consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” mapped to the victim’s IP address. 

The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform. 

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.

Microsoft IIS Servers Targeted by SessionManager Backdoor

Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers. 

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems. 

The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.

Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.

Features  supported by SessionManager:
  • On the hacked server, reading, writing to, and deleting arbitrary files is possible.
  • Remote command execution also runs on arbitrary programs from the compromised server.
  • Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of  command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.

Rozena Backdoor Deployed by Abusing the Follina Vulnerability


A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia


ShadowPad, a sophisticated and modular backdoor is back in action. Russian cybersecurity firm Kaspersky has unearthed a series of assaults that targeted unpatched Microsoft Exchange servers in multiple Asian nations. 

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms firm in Pakistan, where the hackers targeted engineering computers in building automation systems. Further investigation uncovered wide activity on the network, along with multiple organizations targeted in Pakistan, Afghanistan, and Malaysia. 

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces of the attacks on compromised devices indicates that the malicious campaign began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. 

Besides deploying ShadowPad as "mscoree.dll," an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the hackers are believed to be interested in long-term intelligence gathering. 

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been leveraged by multiple Chinese espionage actors over the years. While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware. 

ShadowPad gained popularity in 2017 when it was employed in software supply chain assaults involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide more insights on ShadowPad's relationship to BRONZE ATLAS.

Novel ToddyCat APT Attacking Microsoft Exchange Servers


ToddyCat APT has been targeting Microsoft Exchange servers in enterprises throughout Asia and Europe since at least December 2020. 

The ToddyCat APT  group boosted its attacks in February 2021 and is looking for unpatched Microsoft Exchange servers with ProxyLogon exploits to launch attacks on. A passive backdoor dubbed Samurai and a new Ninja trojan were identified while following the group's activity. Both types of malware take over compromised devices and migrate laterally throughout networks. 

Some of the organisations infiltrated by the gang in three separate countries were hacked at the same time by other Chinese-backed hackers using the FunnyDream backdoor. High-profile organisations from the government and military sectors are the targeted victims. The group appears to be focused on attaining essential goals that are linked with geopolitical objectives. 

Numerous waves of attacks 

The initial wave of strikes began in December 2020 and ended in February 2021. The group was solely targeting a few government entities in Vietnam and Taiwan at the time. Between February and May 2021, the second round of assaults began targeting organisations in a variety of nations, including Iran, Russia, India, and the United Kingdom. 

The group targeted the same set of nations in the following phase, which lasted through February 2022, as well as communities from Uzbekistan, Kyrgyzstan, and Indonesia. ToddyCat Group has expressed interest in the government and military sectors and is expected to continue operations. 

Organizations should employ threat intelligence services to remain up to date on emerging dangers and defend their networks. Additionally, they should utilise the given IOCs to improve threat detection.

China-linked APT Went Under Radar for Decade


Researchers have discovered a small but effective China-linked APT that has been operating in Southeast Asia and Australia for more than a decade, running campaigns against government, education, and telecommunications institutions. 

SentinelLabs researchers stated that the APT, dubbed Aoqin Dragon, has been active since at least 2013. According to the report, the APT is "a small Chinese-speaking team with potential association to [an APT called] UNC94." According to researchers, one of Aoqin Dragon's methods and approaches is to use pornographic-themed infected documents as bait to attract victims to download them. 

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote. The fact that Aoqin Dragon has developed, allowed them to stay under the radar for so long. For example, the APT's technique of infecting target computers has progressed. Aoqin Dragon depended on exploiting old vulnerabilities – especially, CVE-2012-0158 and CVE-2010-3333 – that their targets may not have yet fixed in their early years of operation. 

Aoqin Dragon later developed executable files with desktop icons that resembled Windows folders or antivirus software. These programmes were malicious droppers that planted backdoors and then connected to the attackers' command-and-control (C2) servers. Since 2018, the group has used a fraudulent detachable device as an infection vector. 

When a user clicks to view what appears to be a removable device folder, they really start a chain reaction that downloads a backdoor and establishes a C2 connection on their PC. Furthermore, the malware replicates itself to any genuine removable devices attached to the host system in order to move beyond the host and, presumably, onto the target's larger network. Other methods have been used by the group to remain undetected. 

They've exploited DNS tunnelling to get around firewalls by altering the internet's domain name system. Mongall, a backdoor exploit, encrypts communication data between the host and the C2 server. According to the experts, the APT gradually began to use the fake removable disc approach over time. This was done to "improve the malware's resistance to detection and removal by security tools." 

National-State Ties 

Targets have tended to fall into a few categories: government, education, and telecommunications, all in and around Southeast Asia. Researchers assert that “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.” 

A debug log discovered by researchers that contain simplified Chinese characters provides more proof of Chinese influence. Most importantly, the researchers uncovered an overlapping attack on the website of Myanmar's president in 2014. In another case, investigators were able to track the hackers' command-and-control and mail servers all the way back to Beijing. 

With that circumstance, Aoqin Dragon's two primary backdoors have overlapping C2 infrastructure, and the majority of the C2 servers may be ascribed to Chinese-speaking users. Still, "correctly identifying and monitoring State and State-Sponsored threat actors can be challenging," said Mike Parkin, senior technical engineer at Vulcan Cyber. 

“SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure when you’re identifying a new threat actor.”

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected


Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations


The Iran-linked Lycaeum cyber espionage group, also known as Hexane or Spilrin, group is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to analytics from Zscaler ThreatLabz researchers, the backdoor is based on a open-source tool to launch "DNS hijacking" assaults – DNS query manipulation to redirect users to malicious clones of authentic sites – implement commands, drop payloads, and exfiltrate data. 

 Employs Word doc 

The hackers target organizations via macro-laced Microsoft Documents downloaded from a domain named "news-spot[.]live," impersonating a legitimate site. The document is masked as a news report with an Iran Military affairs topic. 

When a victim downloads the file from this site, it asks to enable the macro to view the content. After enabling macros, the DnsSystem.exe backdoor is the DNS backdoor is dropped directly onto the Startup folder for establishing persistence between reboots. 

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

Initially, the malware sets up the DNS hijacking server by securing the IP address of the "cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Additionally, the malware is well trained to upload and download arbitrary files to and from the remote server as well as implement malicious system commands remotely on the exploited server.

 Evolution of Lyceum 

The Lyceum APT group was first spotted at the beginning of August 2019 attempting to secure access to the organization’s systems via password spraying or brute-force attacks. 

Lyceum primarily focuses on cyber espionage, and this new stealthy and potent backdoor is evidence of its evolution in the field. The Iranian group is expected to continue participating in these data theft campaigns that often include multiple hacking groups from the country. 

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

Atlassian Patches Confluence Zero-day Vulnerabilities

Atlassian issued security updates for a critical zero-day vulnerability in Confluence Server and Data Center, the flaw was exploited in the wild to backdoor web-exposed servers. The zero-day (CVE-2022-26134) vulnerability impacts all versions that support Confluence Server and Data Center, it allows threat actors to access remote code execution on unpatched servers. As the vulnerability was reported as actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its "Known Exploited Vulnerabilites Catalog". 

It means federal agencies can block all web traffic to Confluence servers on their networks. Atlassian has released patches and asked its customers to update their devices to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, that have been patched for this vulnerability. "We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," it says. 

Users who can't upgrade their Confluence installs for now can use temporary workaround and mitigate the CVE-2022-26134 security vulnerability via upgrading few JAR files on their confluence servers. The flaw was discovered by cybersecurity firm Volexity. During investigation, the firm found that zero-day was used to deploy a BEHINDER JSP web shell, it allowed the hackers to perform remote code execution on the servers. Threat actors also used a China Chopper web shell and a file upload software as backups to keep access to the hacked servers. 

Volexity researchers believe that various hackers from China are using CVE-2022-26134 flaws to gain access into web-exposed and unpatched Confluence servers. "The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far," said Volexity. 

Corporate Website Contact Forms Used in BazarBackDoor Malware Campaign


BazarBackdoor malware is now spreading via website contact forms instead of typical phishing emails to avoid identification by security software. BazarBackdoor is a stealthy malware made by the TrickBot group, currently under development by the Conti ransomware operation. 

The malware offers threat actors remote access to internal devices, the launchpad can use it for further distribution in the network. The malware is usually spread via phishing emails that consist of documents that download and deploy the malware. 

But, safe email gateways are now more advanced in catching these malware droppers, distributers are now finding new ways of distributing the malware. In the latest report by Abnormal Security, analysts reveal that a new malware campaign started last year is targeting corporate victims with BazarBackdoor, the goal is most probably to deploy Cobalt Strike or ransomware payloads. Rather than sending phishing emails to targets, hackers first use corporate contact forms to start the communication. 

For instance, in many cases observed by cybersecurity experts, the hackers disguised as employees at a Canadian construction firm, submitting a request for a product supply quote. When the employees respond to the phishing emails, the threat actors send back a harmful ISO file related to the organization. 

To send these files is impossible as it would trigger security alerts, hackers use file-sharing services like WeTransfer and TransferNow. In a similar case related to the contact form exploit in August, fake DMCA infringement notices were sent via contact forms that installed BazarBackdoor. 

How BazarLoaderMalware Hides

"The ISO archive attachment contains a .lnk file and a .log file. The idea here is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download. The .lnk file contains a command instruction that opens a terminal window using existing Windows binaries and loads the .log file, which is, in reality, a BazarBackdoor DLL," reports Bleeping Computer. Stay connected with CySecurity to know more.

US Defense Contractors Struck by SockDetour Windows backdoor


SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The malicious payload was discovered by Unit 42 security researchers, who believe its administrators kept it hidden for a long time because it has been utilised in the open since at least July 2019. The fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking network connections explains its stealthiness, making it much difficult to identify at the host and network levels. 

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

The threat actors utilised a very precise delivery server in one of the attacks, QNAP network-attached storage (NAS) device commonly used by small businesses that had earlier been infected with QLocker ransomware — they most likely utilised the same security vulnerability (the CVE-2021-28799 remote code execution bug) to acquire access to the server. 

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and harmful tools that match APT27's earlier activities, as well as similar cyber espionage targeting of the same industries (e.g., defence, technology, energy, aerospace, government, and manufacturing). TiltedTemple attacks targeting Zoho vulnerabilities resulted in the compromise of critical infrastructure organisations' networks. 

In three separate campaigns in 2021, TiltedTemple assaults targeting Zoho vulnerabilities resulted in the penetration of networks belonging to critical infrastructure organisations around the world, using: 
• an ADSelfService zero-day exploit between early-August and mid-September, 
• an n-day AdSelfService exploit until late October, 
• and a ServiceDesk one starting with October 25.