Search This Blog

Showing posts with label Backdoor. Show all posts

Large-Scale Malware Campaign Targets Elastix VoIP Systems

 

Threat analysts at Palo Alto Networks' Unit 42 have unearthed a massive campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples between December 2021 and March 2022. 

Elastix is a unified communications server software, based on projects such as Digium’s Asterisk, FreePBX, and more. 

The hackers' goal was to inject a PHP web shell that could run arbitrary commands on the compromised communications server and exploit a remote code execution (RCE) vulnerability tracked as CVE-2021-45461, with a critical severity rating of 9.8 out of 10. 

The campaign is still active and shares multiple similarities to another operation in 2020 that was reported by researchers at cybersecurity firm Check Point. 

According to the researchers, enterprise servers are sometimes a higher-value target than computers, laptops, or other firm endpoints. Servers are usually more powerful devices and could be exploited, for example, as part of a potent botnet generating thousands of requests per second. 

In this campaign, the researchers spotted two separate attack groups employing initial exploitation scripts to drop a small-size shell script. The script installs an obfuscated PHP backdoor on the web server, manufactures multiple root user accounts, and sets a scheduled task to ensure recurring re-infection of the system. 

"This dropper also tries to blend into the existing environment by spoofing the timestamp of the installed PHP backdoor file to that of a known file already on the system," security researchers explained. 

The IP addresses of the hackers are in the Netherlands, but DNS data points to Russian adult sites. The payload delivery infrastructure is only partially active, at the moment. 

The PHP web shell – which is injected with a random junk string to bypass signature-based defenses –consists of several layers of Base64 encoding and is guarded by a hardcoded “MD5 authentication hash” mapped to the victim’s IP address. 

The web shell also accepts an admin parameter and supports arbitrary commands, along with a series of built-in default commands for file reading, directory listing, and reconnaissance of the Asterisk open-source PBX platform. 

“The strategy of implanting web shells in vulnerable servers is not a new tactic for malicious actors. The only way to catch advanced intrusions is through a defense-in-depth strategy. Only by orchestrating multiple security appliances and applications in a single pane can defenders detect these attacks,” Palo Alto Networks concludes.

Microsoft IIS Servers Targeted by SessionManager Backdoor


Since March 2021, threats on Microsoft IIS Servers have used a new backdoor called "SessionManager," according to Kaspersky Lab researchers. 

Victims of the backdoor

SessionManager, the malicious software that takes advantage of one of the ProxyLogon vulnerabilities in Exchange servers, poses as a module for Internet Information Services (IIS), a virtual server application for Windows systems. 

The 24 different targets were spread over the continents of Africa, South America, Asia, Europe, Russia, and the Middle East. They also included political, military, and industrial institutions. To date, a SessionManager variation has compromised 34 servers in total.

Due to the comparable victims and a widely used OwlProxy variation, the researchers describe the attack as the GELSEMIUM malicious attacker.

Features  supported by SessionManager:
  • On the hacked server, reading, writing to, and deleting arbitrary files is possible.
  • Remote command execution also runs on arbitrary programs from the compromised server.
  • Creating connections to any network endpoints that the hacked server is capable of accessing, as well as reading and writing in those connections.
The backdoor also might serve as a post-deployment tool, enabling operators to spy on the intended environment, collect in-memory passwords, and introduce new malicious payloads.

Elements of  command and control code

Since its initial discovery in March 2021, ProxyLogon has drawn the interest of numerous malicious actors, and the most recent attack chain is no exception. The Gelsemium team took use of the flaws to drop SessionManager, a backdoor designed in C++ to handle HTTP requests submitted to the server.

Once the malicious code receives the carefully constructed HTTP requests from the threat actors, it runs the instructions concealed in the requests before sending them to the server to be handled like any other request.

Additionally, the malware serves as a covert route for spying, collects passwords stored in memory, and distributes other tools like Mimikatz and an Avast memory export application.

Rozena Backdoor Deployed by Abusing the Follina Vulnerability

 

A newly discovered phishing campaign is exploiting the Follina security vulnerability to deploy a private backdoor, named Rozena on the Windows systems. 

"Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Cara Lin, a researcher at Fortinet FortiGuard Labs stated in a report published this week. 

Tracked as CVE-2022-30190, the security bug is related to the Microsoft Support Diagnostic Tool (MSDT) that impacts Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The vulnerability came to light in late May 2022 but the root cause of the flaw has been known for at least a couple of years. 

The latest attack chain is a weaponized Office document that, when opened, links to a Discord CDN URL to retrieve an HTML file ("index.htm") that, in turn, triggers the diagnostic utility employing a PowerShell command to download next-stage payloads from the same CDN attachment space. 

This includes the Rozena implant ("Word.exe") and a batch file ("cd.bat") that's designed to terminate MSDT processes, establish the backdoor's persistence by means of Windows Registry modification, and download a harmless Word document as a decoy. 

The primary function of the Rozena backdoor is to inject a shellcode that launches a reverse shell to the hacker’s device (“microsofto.duckdns[.]org”), in this way the malicious actor can secure full control of the system. 

The exploitation of the Follina security bug is done by distributing the malware via malicious word documents. The word documents act as a dropper and are distributed through emails that contains a password-encrypted ZIP as an attachment, an HTML file, and a link to download, in the body of the email. Multiple malware such as Emotet, QBot, IcedID, and Bumblebee are then injected into the victim’s device. 

According to researchers, the assaults discovered in early April primarily featured Excel files with XLM macros. Microsoft's decision to block macros by default around the same time is said to have forced the hackers to shift to alternative techniques like HTML smuggling as well as .LNK and .ISO files. 

“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog, we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” the researcher concluded.

Chinese Hackers Deploy Shadowpad Backdoor to Target Industrial Control Systems in Asia

 

ShadowPad, a sophisticated and modular backdoor is back in action. Russian cybersecurity firm Kaspersky has unearthed a series of assaults that targeted unpatched Microsoft Exchange servers in multiple Asian nations. 

Researchers initially spotted the ShadowPad backdoor on industrial control systems (ICS) at a telecoms firm in Pakistan, where the hackers targeted engineering computers in building automation systems. Further investigation uncovered wide activity on the network, along with multiple organizations targeted in Pakistan, Afghanistan, and Malaysia. 

"During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," Kaspersky ICS CERT researcher Kirill Kruglov stated. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." 

"Building automation systems are rare targets for advanced threat actors. However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." 

Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. However, traces of the attacks on compromised devices indicates that the malicious campaign began in March 2021, right around the time the ProxyLogon vulnerabilities in Exchange Servers became public knowledge. 

Besides deploying ShadowPad as "mscoree.dll," an authentic Microsoft .NET Framework component, the attacks also involved the use of Cobalt Strike, a PlugX variant called THOR, and web shells for remote access. Although the ultimate goal of the campaign remains unknown, the hackers are believed to be interested in long-term intelligence gathering. 

ShadowPad, which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been leveraged by multiple Chinese espionage actors over the years. While its design allows users to remotely deploy additional plugins that can extend its functionality beyond covert data collection, what makes ShadowPad dangerous is the anti-forensic and anti-analysis techniques incorporated into the malware. 

ShadowPad gained popularity in 2017 when it was employed in software supply chain assaults involving CCleaner, NetSarang, and the ASUS Live Update utility. The BRONZE ATLAS threat group was blamed for these campaigns. A Microsoft complaint from 2017 and DOJ indictments published in 2020 provide more insights on ShadowPad's relationship to BRONZE ATLAS.

Novel ToddyCat APT Attacking Microsoft Exchange Servers

 

ToddyCat APT has been targeting Microsoft Exchange servers in enterprises throughout Asia and Europe since at least December 2020. 

The ToddyCat APT  group boosted its attacks in February 2021 and is looking for unpatched Microsoft Exchange servers with ProxyLogon exploits to launch attacks on. A passive backdoor dubbed Samurai and a new Ninja trojan were identified while following the group's activity. Both types of malware take over compromised devices and migrate laterally throughout networks. 

Some of the organisations infiltrated by the gang in three separate countries were hacked at the same time by other Chinese-backed hackers using the FunnyDream backdoor. High-profile organisations from the government and military sectors are the targeted victims. The group appears to be focused on attaining essential goals that are linked with geopolitical objectives. 

Numerous waves of attacks 

The initial wave of strikes began in December 2020 and ended in February 2021. The group was solely targeting a few government entities in Vietnam and Taiwan at the time. Between February and May 2021, the second round of assaults began targeting organisations in a variety of nations, including Iran, Russia, India, and the United Kingdom. 

The group targeted the same set of nations in the following phase, which lasted through February 2022, as well as communities from Uzbekistan, Kyrgyzstan, and Indonesia. ToddyCat Group has expressed interest in the government and military sectors and is expected to continue operations. 

Organizations should employ threat intelligence services to remain up to date on emerging dangers and defend their networks. Additionally, they should utilise the given IOCs to improve threat detection.

China-linked APT Went Under Radar for Decade

 

Researchers have discovered a small but effective China-linked APT that has been operating in Southeast Asia and Australia for more than a decade, running campaigns against government, education, and telecommunications institutions. 

SentinelLabs researchers stated that the APT, dubbed Aoqin Dragon, has been active since at least 2013. According to the report, the APT is "a small Chinese-speaking team with potential association to [an APT called] UNC94." According to researchers, one of Aoqin Dragon's methods and approaches is to use pornographic-themed infected documents as bait to attract victims to download them. 

“Aoqin Dragon seeks initial access primarily through document exploits and the use of fake removable devices,” researchers wrote. The fact that Aoqin Dragon has developed, allowed them to stay under the radar for so long. For example, the APT's technique of infecting target computers has progressed. Aoqin Dragon depended on exploiting old vulnerabilities – especially, CVE-2012-0158 and CVE-2010-3333 – that their targets may not have yet fixed in their early years of operation. 

Aoqin Dragon later developed executable files with desktop icons that resembled Windows folders or antivirus software. These programmes were malicious droppers that planted backdoors and then connected to the attackers' command-and-control (C2) servers. Since 2018, the group has used a fraudulent detachable device as an infection vector. 

When a user clicks to view what appears to be a removable device folder, they really start a chain reaction that downloads a backdoor and establishes a C2 connection on their PC. Furthermore, the malware replicates itself to any genuine removable devices attached to the host system in order to move beyond the host and, presumably, onto the target's larger network. Other methods have been used by the group to remain undetected. 

They've exploited DNS tunnelling to get around firewalls by altering the internet's domain name system. Mongall, a backdoor exploit, encrypts communication data between the host and the C2 server. According to the experts, the APT gradually began to use the fake removable disc approach over time. This was done to "improve the malware's resistance to detection and removal by security tools." 

National-State Ties 

Targets have tended to fall into a few categories: government, education, and telecommunications, all in and around Southeast Asia. Researchers assert that “the targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests.” 

A debug log discovered by researchers that contain simplified Chinese characters provides more proof of Chinese influence. Most importantly, the researchers uncovered an overlapping attack on the website of Myanmar's president in 2014. In another case, investigators were able to track the hackers' command-and-control and mail servers all the way back to Beijing. 

With that circumstance, Aoqin Dragon's two primary backdoors have overlapping C2 infrastructure, and the majority of the C2 servers may be ascribed to Chinese-speaking users. Still, "correctly identifying and monitoring State and State-Sponsored threat actors can be challenging," said Mike Parkin, senior technical engineer at Vulcan Cyber. 

“SentinelOne releasing the information now on an APT group that has apparently been active for almost a decade, and doesn’t appear in other lists, shows how hard it can be ‘to be sure when you’re identifying a new threat actor.”

 New Linux Malware Syslogk has a Clever Approach of Staying Undetected

 

Syslogk, a newfound clever form of Linux malware, installs a backdoor that remains hidden on the target device until its controller sends so-called 'magic packets' from anywhere on the internet. It is mostly based on Adore-Ng, a Chinese open-source kernel rootkit for Linux. 

Adore-Ng which has been around since 2004, is a free open-source rootkit, that gives an attacker complete control over an infected system. Syslogk can force-load its packages into the Linux kernel (versions 3. x are supported), hide folders or spoof files and network traffic, and ultimately load a backdoor named 'Rekoobe.' 

How does the malware work?

Syslogk was originally discovered in early 2022, with the sample constructed for a specific kernel version – meaning it could be loaded without being forced – and the payload named PgSD93ql, which disguised it as a PostgreSQL file. 

"Rekoobe is a piece of code that has been placed in genuine servers," according to Avast security researchers. "In this case, it's embedded in a phony SMTP server that, when given a specially designed command, spawns a shell." 

The rootkit was created to hide harmful files, malicious software, and its malicious payload from showing on the list of operating services, to deliver the malicious payload when it received a specially constructed TCP packet, and to halt the payload if the attacker directed it to. 

Rekoobe appears to be a harmless SMTP server, but it is built on an open-source project called Tiny SHell, so it contains a backdoor command for generating a shell that allows it to run arbitrary instructions for data mining. Despite the restricted support for Linux kernel versions, Avast claims that using Syslogk and Rebooke on a bogus SMTP server gives an attacker a strong toolkit. 

The Syslogk rootkit is yet one piece of highly evasive malware for Linux systems, joining the likes of Symbiote and BPFDoor, which both exploit the BPF system to monitor and dynamically change network traffic. Ransomware campaigns, crypto attacks, and other data theft illicit behavior are increasingly being launched against Linux systems and cloud infrastructure making it a vulnerable target. 
 
As in the case of Syslogk, the initiative is in its early stages of development, so it's unclear whether it'll become a wide-scale threat. However, given its secrecy, it will almost certainly continue to release new and improved versions.

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations

 

The Iran-linked Lycaeum cyber espionage group, also known as Hexane or Spilrin, group is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to analytics from Zscaler ThreatLabz researchers, the backdoor is based on a DIG.net open-source tool to launch "DNS hijacking" assaults – DNS query manipulation to redirect users to malicious clones of authentic sites – implement commands, drop payloads, and exfiltrate data. 

 Employs Word doc 

The hackers target organizations via macro-laced Microsoft Documents downloaded from a domain named "news-spot[.]live," impersonating a legitimate site. The document is masked as a news report with an Iran Military affairs topic. 

When a victim downloads the file from this site, it asks to enable the macro to view the content. After enabling macros, the DnsSystem.exe backdoor is the DNS backdoor is dropped directly onto the Startup folder for establishing persistence between reboots. 

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

Initially, the malware sets up the DNS hijacking server by securing the IP address of the "cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Additionally, the malware is well trained to upload and download arbitrary files to and from the remote server as well as implement malicious system commands remotely on the exploited server.

 Evolution of Lyceum 

The Lyceum APT group was first spotted at the beginning of August 2019 attempting to secure access to the organization’s systems via password spraying or brute-force attacks. 

Lyceum primarily focuses on cyber espionage, and this new stealthy and potent backdoor is evidence of its evolution in the field. The Iranian group is expected to continue participating in these data theft campaigns that often include multiple hacking groups from the country. 

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

Atlassian Patches Confluence Zero-day Vulnerabilities

Atlassian issued security updates for a critical zero-day vulnerability in Confluence Server and Data Center, the flaw was exploited in the wild to backdoor web-exposed servers. The zero-day (CVE-2022-26134) vulnerability impacts all versions that support Confluence Server and Data Center, it allows threat actors to access remote code execution on unpatched servers. As the vulnerability was reported as actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its "Known Exploited Vulnerabilites Catalog". 

It means federal agencies can block all web traffic to Confluence servers on their networks. Atlassian has released patches and asked its customers to update their devices to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, that have been patched for this vulnerability. "We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," it says. 

Users who can't upgrade their Confluence installs for now can use temporary workaround and mitigate the CVE-2022-26134 security vulnerability via upgrading few JAR files on their confluence servers. The flaw was discovered by cybersecurity firm Volexity. During investigation, the firm found that zero-day was used to deploy a BEHINDER JSP web shell, it allowed the hackers to perform remote code execution on the servers. Threat actors also used a China Chopper web shell and a file upload software as backups to keep access to the hacked servers. 

Volexity researchers believe that various hackers from China are using CVE-2022-26134 flaws to gain access into web-exposed and unpatched Confluence servers. "The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far," said Volexity. 


Corporate Website Contact Forms Used in BazarBackDoor Malware Campaign

 

BazarBackdoor malware is now spreading via website contact forms instead of typical phishing emails to avoid identification by security software. BazarBackdoor is a stealthy malware made by the TrickBot group, currently under development by the Conti ransomware operation. 

The malware offers threat actors remote access to internal devices, the launchpad can use it for further distribution in the network. The malware is usually spread via phishing emails that consist of documents that download and deploy the malware. 

But, safe email gateways are now more advanced in catching these malware droppers, distributers are now finding new ways of distributing the malware. In the latest report by Abnormal Security, analysts reveal that a new malware campaign started last year is targeting corporate victims with BazarBackdoor, the goal is most probably to deploy Cobalt Strike or ransomware payloads. Rather than sending phishing emails to targets, hackers first use corporate contact forms to start the communication. 

For instance, in many cases observed by cybersecurity experts, the hackers disguised as employees at a Canadian construction firm, submitting a request for a product supply quote. When the employees respond to the phishing emails, the threat actors send back a harmful ISO file related to the organization. 

To send these files is impossible as it would trigger security alerts, hackers use file-sharing services like WeTransfer and TransferNow. In a similar case related to the contact form exploit in August, fake DMCA infringement notices were sent via contact forms that installed BazarBackdoor. 

How BazarLoaderMalware Hides

"The ISO archive attachment contains a .lnk file and a .log file. The idea here is to evade AV detection by packing the payloads in the archive and having the user manually extract them after download. The .lnk file contains a command instruction that opens a terminal window using existing Windows binaries and loads the .log file, which is, in reality, a BazarBackdoor DLL," reports Bleeping Computer. Stay connected with CySecurity to know more.

US Defense Contractors Struck by SockDetour Windows backdoor

 

SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The malicious payload was discovered by Unit 42 security researchers, who believe its administrators kept it hidden for a long time because it has been utilised in the open since at least July 2019. The fact that SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking network connections explains its stealthiness, making it much difficult to identify at the host and network levels. 

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

The threat actors utilised a very precise delivery server in one of the attacks, QNAP network-attached storage (NAS) device commonly used by small businesses that had earlier been infected with QLocker ransomware — they most likely utilised the same security vulnerability (the CVE-2021-28799 remote code execution bug) to acquire access to the server. 

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and harmful tools that match APT27's earlier activities, as well as similar cyber espionage targeting of the same industries (e.g., defence, technology, energy, aerospace, government, and manufacturing). TiltedTemple attacks targeting Zoho vulnerabilities resulted in the compromise of critical infrastructure organisations' networks. 

In three separate campaigns in 2021, TiltedTemple assaults targeting Zoho vulnerabilities resulted in the penetration of networks belonging to critical infrastructure organisations around the world, using: 
• an ADSelfService zero-day exploit between early-August and mid-September, 
• an n-day AdSelfService exploit until late October, 
• and a ServiceDesk one starting with October 25.

Researchers Disclosed Details of NSA Equation Group’s Bvp47 Backdoor

 

Pangu Lab researchers have revealed information of a Linux top-tier APT backdoor dubbed as Bvp47, which is linked to the US National Security Agency (NSA) Equation Group. 

The term "Bvp47" is derived from several references to the string "Bvp" and the numerical figure "0x47" used in the encryption algorithm. The Bvp47 backdoor was first identified in 2013 during a forensic examination into a security breach at a Chinese government entity. The backdoor was discovered on Linux computers after an in-depth forensic assessment of a host in a key domestic department, according to the experts. The malware seemed to be a top-tier APT backdoor, but to further investigate the malicious code needed the attacker’s asymmetric encrypted private key to activate the remote control function.

The hacking group, The Shadow Brokers disclosed a trove of data reportedly taken from the Equation Group in 2016 and 2017, including a slew of hacking tools and exploits. The hackers disclosed a new dump at the end of October 2016, this time featuring a list of systems compromised by the NSA-linked Equation Group. The Bvp47 backdoor was identified by Pangu Lab researchers within material exposed by The Shadow Brokers. In ten years, the Equation Group attacked over 287 targets in 45 countries, including Russia, Japan, Spain, Germany, and Italy, according to stolen data. 

Governments, telecommunications, aircraft, energy, financial institutions, nuclear research, oil and gas, military, transportation, and companies researching encryption technologies were among the industries targeted by the group. The attacks involving the Bvp47 backdoor have been termed "Operation Telescreen" by Pangu Lab. The malicious code was created to allow operators to gain long-term control over compromised devices. 

The report published by the experts stated, “The implementation of Bvp47 includes complex code, segment encryption and decryption, Linux multi-version platform adaptation, rich rootkit anti-tracking techniques, and most importantly, it integrates advanced BPF engine used in advanced covert channels, as well as cumbersome communication encryption and decryption process”  

Experts believe there was no security against the backdoor's network attack capacity, which is loaded with zero-day vulnerabilities. The Pangu Lab research covers technical specifics about the backdoor as well as information about the Equation Group's relationship with the US National Security Agency. The Equation Group's engagement is based on exploits found in the encrypted archive file "eqgrp-auction-file.tar.xz.gpg" released by the Shadow Brokers following a failed 2016 auction.

Kimsuky Hackers Employ Commodity RATs with Custom Gold Dragon Backdoor

 

Researchers in South Korea have discovered a fresh wave of activity from the Kimsuky hacking organization, employing commodity open-source remote access tools distributed with their own backdoor, Gold Dragon. Kimsuky, also known as TA406, is a North Korean state-sponsored hacker group that has been actively engaging in cyber-espionage efforts since 2017. The organization has shown amazing operational adaptability and threat activity diversity, participating in malware distribution, phishing, data harvesting, and even cryptocurrency theft. 

Beginning in January 2021, TA406 began delivering malware payloads through phishing emails that led to 7z archives. These archives contained an EXE file with a double extension that made it appear to be a .HTML file. If the file is opened, it will launch a scheduled activity called "Twitter Alarm," which will allow the actors to drop new payloads every 15 minutes. When run, the EXE opens a web browser to a PDF version of a valid NK News item housed on the actor's infrastructure, hoping to fool the victim into thinking they're reading a post on a news site. 

Kimsuky used xRAT in targeted assaults against South Korean entities in the most recent campaign, as discovered by experts at ASEC (AhnLab). The campaign began on January 24, 2022. xRAT is a free and open-source remote access and administration program that may be downloaded from GitHub. Keylogging, remote shell, file manager operations, reverse HTTPS proxy, AES-128 communication, and automated social engineering are among the functions provided by the malware. 

A sophisticated threat actor may choose to deploy commodity RATs for basic reconnaissance activities and do not require much configuration. This enables threat actors to concentrate their efforts on designing later-stage malware that necessitates more specialized functionality dependent on the security tools/practices available on the target. 

Kimsuky often deploys Gold Dragon as a second-stage backdoor after a fileless PowerShell-based first-stage assault that employs steganography. This malware has been recorded in a 2020 report by Cybereason and a 2021 analysis by Cisco Talos researchers, therefore it is not new. However, as ASEC describes in its study, the variation found in this latest campaign has additional functions such as the exfiltration of basic system information. 

The malware no longer leverages system processes for this operation, instead installs the xRAT tool to manually steal the required information. The RAT disguises itself as an executable called cp1093.exe, which copies a regular PowerShell process (powershell_ise.exe) to the “C:\ProgramData\” path and executes via process hollowing.

Hackers Infect macOS with a New Backdoor Known as DazzleSpy

 

A previously unknown cyber-espionage malware targeting Apple's macOS operating system used a Safari web browser exploit as part of a watering hole attack targeting politically engaged, pro-democracy Hong Kong residents. ESET, a Slovak cybersecurity firm, ascribed the infiltration to an actor with "high technical capabilities," noting similarities between the campaign and a similar digital offensive published by Google Threat Analysis Group (TAG) in November 2021. 

Between September 30 and November 4, 2021, the attack chain entailed compromising a legitimate website belonging to D100 Radio, a pro-democracy internet radio station in Hong Kong, in order to inject malicious inline frames (aka iframes). Separately, a bogus website called "fightforhk[.]com" was registered to entice liberation activists. The altered code then served as a conduit to load a Mach-O file by exploiting a remote code execution bug in WebKit, which Apple rectified in February 2021. (CVE-2021-1789). 

"The exploit used to gain code execution in the browser is quite complex and had more than 1,000 lines of code once formatted nicely," ESET researchers said. It's worth noting that some of the code shows that the vulnerability might have been exploited on iOS and even on PAC-enabled (Pointer Authentication Code) devices like the iPhone XS and newer. 

The exploit uses two primitives to gain memory read and write access: one to leak an object's address (addrof) and the other to generate a bogus JavaScript object from a specified memory address (fakeobj). Using these two functions, the attack constructs two arrays of different kinds that overlap in memory, allowing it to set a value in one that is considered as a pointer when accessed with the other. 

The exploit makes use of a side effect generated by altering an object property to make it accessible via a "getter" function while enumerating the object's properties in JIT-compiled code. The JavaScript engine incorrectly assumes that the property value is cached in an array and is not the result of calling the getter function.

The successful execution of the WebKit remote code execution triggers the execution of the intermediate Mach-O binary, which in turn leverages a now-patched local privilege escalation vulnerability in the kernel component (CVE-2021-30869) to run the next stage malware as the root user. 

While Google TAG's infection sequence resulted in the installation of an implant known as MACMA, the malware transmitted to D100 Radio site visitors was a new macOS backdoor known as DazzleSpy, according to ESET. DazzleSpy is a full-featured backdoor that gives attackers a wide range of capabilities for controlling and exfiltrating files from a compromised computer.

Threat Actors Abuse Discord to Push Malware

 

Cybercriminals are using Discord, a popular VoIP, instant chat, and digital distribution network used by 140 million users in 2021, to disseminate malware files. 

Discord servers can be organised into topic-based channels where users can share text or audio files. Within the text-based channels, they can attach any form of material, including photos, document files, and executables. These files are maintained on the Content Delivery Network (CDN) servers of Discord. 

However, many files transferred over the Discord network are malicious, indicating that actors are abusing the site's self-hosted CDN by forming channels with the sole aim of distributing these harmful files. Although Discord was designed for the gaming community initially, many corporations are now adopting it for office communication. Many businesses may be permitting this unwanted traffic onto their network as a result of these malicious code files placed on Discord's CDN. 

Exploiting Discord channels 

RiskIQ researchers looked deeper into how Discord CDN utilises a Discord domain through links that use [hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/{filename}] as the format to discover malware. 

According to the researchers, they spotted links and queried Discord channel IDs used in these links, enabling them to identify domains comprising web pages that connect to a Discord CDN link with a certain channel ID. 

“For example, the RiskIQ platform can query the channel IDs associated with zoom[-]download[.]ml,” researchers explained. “This domain attempts to spoof users into downloading a Zoom plug-in for Microsoft Outlook and instead delivers the Dcstl password stealer hosted on Discord’s CDN.” 

In another case, RiskIQ determined that the channel ID for a URL containing a Raccoon password stealer file returned a domain for Taplink, a  site that offers users micro landing pages to send them to their Instagram and other social media accounts. 

According to the researchers, the approach allowed them to discover the day and time Discord channels were launched, connecting those generated within a few days after the first observation of a file in VirusTotal to channels with the sole purpose of disseminating malware. They eventually discovered and cataloged 27 distinct malware types hosted on Discord's CDN. 

About the malware 

Discord CDN URLs containing.exe, DLL, and different document and compressed files were detected by RiskIQ. It was discovered that more than 100 of the hashes on VirusTotal were transmitting malicious information. 

RiskIQ discovered more than eighty files from seventeen malware families, however, Trojans were the most frequent malware found on Discord's CDN. For most malware found on Discord's CDN, RiskIQ noticed a single file per channel ID. 

According to Microsoft's identification of the files and further research, there are a total of 27 distinct malware families, divided into four types: 
• Backdoors, e.g., AsyncRat 
• Password Stealers, e.g., DarkStealer 
• Spyware, e.g., Raccoon Stealer 
• Trojans, e.g., AgentTesla 

The exploitation of Discord's infrastructure throws light on the rising problem of CDN abuse by malicious attackers across the web. Using internet-wide visibility to identify malware in CDN infrastructure is significant to limiting the damage these valuable malware delivery techniques might have on the firm.

State-Backed Harvester Group is Going After Telecommunications Providers

 

Researchers discovered a previously unidentified state-sponsored actor that appears to be conducting cyberattacks against South Asian telecommunications companies and IT corporations using a unique combination of technologies. The goal of the cybercrime gang is considered to be data collection. They use highly focused espionage efforts that target IT, telecom, and government organizations. Harvester is a new threat actor with no known adversaries, as the attacker's damaging tools have never been encountered before in the wild.

"The Harvester group uses both custom malware and publicly available tools in its attacks, which began in June 2021, with the most recent activity seen in October 2021. Sectors targeted include telecommunications, government, and information technology (IT)," Symantec researchers said. "The capabilities of the tools, their custom development, and the victims targeted, all suggest that Harvester is a nation-state-backed actor."

Backdoor appears to be used by the attackers. Metasploit, Graphon, Custom Downloader, Custom Screenshotter, Cobalt Strike Beacon are some of them. Although Symantec researchers were unable to determine the initial attack vector, evidence of a malicious URL being exploited for that purpose was identified.

By blending command-and-control (C2) communication activity with actual network traffic from CloudFront and Microsoft infrastructure, the Graphon backdoor gives the attackers remote network access and covers their existence. The custom downloader's functionality is impressive, as it can create critical system files, add a registry value for a new load-point, and start an embedded web browser at hxxps:/usedust[.]com.

Despite the fact that it appears to be the Backdoor, the actors are only using the URL as a ruse to create confusion, but Graphon is being retrieved from this address. The custom screenshot application captures screenshots of the desktop and saves them to a password-protected ZIP folder, which Graphon then steals. Each ZIP file is kept for a week before being automatically deleted. 

While there isn't enough proof to link Harvester's activities to a single nation-state, the group's use of custom backdoors, intensive efforts to conceal its harmful activity, and targeting all point to it being a state-sponsored actor, according to Symantec researchers. Given the recent upheaval in Afghanistan, the campaign's targeting of organizations in that nation is also intriguing. Harvester's activities make it evident that the goal of this campaign is espionage, which is a common incentive for nation-state-backed action, the researchers added.

New Trojan Attack Campaign Prompted by Pegasus Spyware

 

An unexplored Sarwent Trojan is being distributed by a threat organization via a bogus Amnesty International website that claims to protect customers from the Pegasus smartphone spyware. 

The operation is intended towards those who feel they have been attacked by the NSO Group's Pegasus spyware and thus are tied to nation-state action, according to Cisco Talos security analysts, but Talos is yet to identify the exact threat actor. 

Pegasus is a piece of spyware created by the Israeli cyber arms firm NSO Group which can be loaded secretly on smartphones (and other devices) running most versions of iOS and Android. According to the disclosures from Project Pegasus 2021, the existing Pegasus program can attack all recent iOS versions up to iOS 14.6. Pegasus could intercept text messages, track calls, gather passwords, monitor position, access the target device's camera and microphone, and collect data from apps as of 2016. 

Despite the claims regarding authorized utilization, Pegasus - a contentious surveillance software technology has been allegedly used by tyrannical governments in operations targeting journalists, human rights activists, as well as other opponents of the state. 

Soon after the release of a comprehensive Amnesty International report on Pegasus in July of this year, as well as Apple's dissemination of updates for the ForcedEntry zero-day exploit, several users started exploring ways of protecting themselves from the spyware that was exploited by adversaries. 

On a bogus website that I identical to Amnesty International, the malicious actors claim to be delivering "Amnesty Anti Pegasus," an anti-virus tool that can allegedly guard against NSO Group's malware. 

Alternatively, customers are given the Sarwent remote access tool (RAT), which allows attackers to easily upload and run payloads on compromised PCs, as well as extract relevant and sensitive data. 

Despite its low intensity, the attack has struck individuals in the United States, the United Kingdom, Colombia, the Czech Republic, India, Romania, Russia, and Ukraine, as per Cisco Talos. 

“Given the current information, we are unsure of the actor’s objectives. The use of Amnesty International’s name, a group whose work frequently puts it at odds with governments around the world, as well as the Pegasus brand, malware that has been used to target dissidents and journalists on behalf of governments, raises questions about who is being targeted and why,” according to Cisco Talo. 

The campaign's adversary seems to be a Russian speaker who has been using Sarwent to target patients from different walks of life all across the globe since at least January 2021. The malicious actors have been using the Trojan and one with a comparable backdoor since 2014, according to security experts.

Nobelium APT Group Uses Custom Backdoor to Target Windows Domains

 

Researchers from Microsoft Threat Intelligence Center (MSTIC) identified FoggyWeb, a new custom malware utilized by the Nobelium APT group to distribute further payloads and steal critical information from Active Directory Federation Services (AD FS) servers. 

FoggyWeb is a post-exploitation backdoor utilized by the APT group to remotely exfiltrate the setup databases of affected Active Directory Federation Services (AD FS) servers, as well as the decrypted token-signing and token-decryption certificates. It also enables threat actors to download and execute additional elements. 

The analysis published by Microsoft stated, “Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” 

“Use of FoggyWeb has been observed in the wild as early as April 2021.” 

The hackers load FoggyWeb from the encrypted file Windows.Data.TimeZones.zh-PH.pri using the version.dll DLL. The version.dll is loaded by the AD FS service executable 'Microsoft.IdentityServer.ServiceHost.exe' via the DLL search order hijacking approach, which involves the core Common Language Runtime (CLR) DLL files. 

To decrypt the backdoor directly in memory, the loader employs a proprietary Lightweight Encryption Algorithm (LEA) function. The backdoor sets up HTTP listeners for actor-defined URIs in order to intercept GET/POST requests to the AD FS server that match the custom URI patterns. 

Microsoft researchers offered the following advice to companies that have been affected or are suspected of being under attack by the group: 
  • Examine your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and any other modifications made by the actor to retain their access. 
  • Remove user and app access, evaluate each's settings, and re-issue fresh, strong credentials in accordance with established industry best practices. 
  • To prevent the exfiltration of secrets via FoggyWeb, use a hardware security module (HSM), as explained in Securing AD FS servers. 
The NOBELIUM APT is the threat actor behind the SolarWinds supply chain assault, which included various implant families such as the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors. 

NOBELIUM focuses on government agencies, non-governmental organizations (NGOs), think tanks, military, information technology service providers, health technologies and research, and telecommunications providers.

FIN7 Hackers Using 'Windows 11 Alpha' Themed Malicious Documents to Drop JavaScript Backdoor



In a recent wave of the spear-phishing campaign, the FIN7 cybercrime group employed Windows 11 Alpha-themed weaponized word documents to deliver a JavaScript payload with a JavaScript backdoor. 

'Phishing Email Campaign' is the initial attack vector, posing as 'Windows 11 Alpha', it contains an infected Microsoft Word document (.doc). The virus is accompanied by this image which convinces a user to click on 'Enable Editing' and further advance towards the installation process. Once the user enables the content, the VBA macro that is contained in the image begins to come into effect. 

VBA macro is populated with junk data such as comments, it is a common strategy employed by criminals to impede analysis. Once the junk data is being pulled out, all we would be left with is a 'VBA macro'. Upon further analyzing the JavaScript, researchers learned that it contained obfuscated strings along with a deobfuscation function. 

Researchers have found that the threat actors behind the malicious campaign – upon detecting languages of certain countries including Russia, Slovenia, Serbia, Estonia, and Ukraine – call into action the 'me2XKr' function to delete all the tables and then stops running. They do so in order to prevent execution in the aforementioned countries. 

Primarily targeting the U.S.-based telecommunications, education, retail, finance, and hospitality sectors via meticulously crafted attacks, FIN7 has managed to stay ahead of law enforcement by employing novel and advanced techniques to thwart detection from time and again. The threat group, also identified by some as "Carbanak Group", has increasingly diversified its monetization tactics which allowed the gang to widen the impact of their compromise. As a result, the group acquired a competitive advantage and has targeted a wide range of industries. Although FIN7 is characterized by its mass payment card data theft, the ambitions of the threat group are not limited to the theft of payment card data. In scenarios where end-to-end encryption (E2EE) prevented the attackers to obtain card data, they turned to attack the finance departments of the targeted organizations. 

In an analysis dated 02 September 2021, Anomali Threat Research said, "The specified targeting of the Clearmind domain fits well with FIN7's preferred modus operandi." "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018."

ShadowPad Malware is Being Sold Privately to Chinese Espionage

 

Since 2017, five separate Chinese threat groups have used ShadowPad, an infamous Windows backdoor that allows attackers to download additional harmful modules or steal data. In a detailed overview of the malware, SentinelOne researchers Yi-Jhen Hsieh and Joey Chen said that "adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," adding that "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." 

ShadowPad was released in 2015 as a replacement for PlugX. However, it wasn't until several well-known supply-chain incidents – CCleaner, NetSarang, and ShadowHammer – that it began to gain considerable public attention. Unlike the publicly available PlugX, ShadowPad is only available to a selected group of people. ShadowPad has been called a "masterpiece of privately sold malware in Chinese espionage" by an American cybersecurity firm. 

ShadowPad is a shellcode-based modular backdoor. A layer of an obfuscated shellcode loader is in charge of decrypting and loading a Root plugin during execution. While the Root plugin's chain of operations decrypts, it loads other shellcode-embedded plugins into memory. To date, at least 22 different plugins have been discovered. 

Additional plugins can be remotely uploaded from the C&C server in addition to the ones included, allowing users to dynamically add functionality that isn't present by default. A Delphi-based controller is in charge of the infected machines, which is used for backdoor communications, upgrading the C2 infrastructure, and controlling the plugins.

"While ShadowPad is well-designed and highly likely to be produced by an experienced malware developer, both its functionalities and its anti-forensics capabilities are under active development," the researchers said. 

ShadowPad-related attacks have lately targeted Hong Kong-based firms as well as key infrastructure in India, Pakistan, and other Central Asian countries. The implant is known to be shared by multiple Chinese espionage actors, including Tick, RedEcho, RedFoxtrot, and clusters dubbed Operation Redbonus, Redkanku, and Fishmonger, although being predominantly attributed to APT41. 

"The threat actor behind Fishmonger is now using it and another backdoor called Spyder as their primary backdoors for long-term monitoring, while they distribute other first-stage backdoors for initial infections including FunnySwitch, BIOPASS RAT, and Cobalt Strike," the researchers said. "The victims include universities, governments, media sector companies, technology companies and health organizations conducting COVID-19 research in Hong Kong, Taiwan, India and the U.S."