Dotrunpex – Demystifying new virtualized .net injector used in the wild
DotRunpeX injector commonly comes as a second stage of the original infection.
The typical first stages are very different variants of .NET loaders/downloaders.
The first-stage loaders are primarily being delivered via phishing emails as malicious attachments (usually as a part of “.iso”, “.img”, “.zip”, and “.7z”) or via websites masquerading as regular program utilities.
Apart from the most common infection vectors, the customers of dotRunpeX are not ashamed to abuse Google Ads or even target other potential attackers via trojanized malware builders.
All of the trojanized programs contain the main .NET application enlarged with an overlay to avoid scanning with sandboxes very likely.
The .NET applications with overlay are the typical first stages, behaving as dotnet loaders with simple obfuscation.
These different variants of loaders use reflection to load the dotRunpeX injector in the second stage.
Some of them are very simple, and some are more advanced.
Programmatic way of second-stage extraction (dotRunpeX stage) from these kinds of loaders could be simply implemented using AsmResolver and reflection as shown below.
It turned out that during the building process of the Redline, configured to your needs, one will also get another Redline sample, probably the one that you didn’t desire, as a gift embedded in the dotRunpeX.
The new version of dotRunpeX:
Protected by a customized version of the KoiVM virtualizer
Highly configurable (disabling Anti-Malware services, Anti-VM, Anti-Sandbox, persistence settings, key for payload decryption, UAC bypass methods)
More UAC Bypass techniques
Using simple XOR to decrypt the main payload to be injected (omitted in the latest developed versions)
Abusing procexp driver (Sysinternals) to kill protected processes (Anti-Malware services)
Signs of being Russian based – procexp driver name translated as “jesus.sys
🚨
GlobeImposter Ransomware With MedusaLocker Spreading Via RDP
The threat actors are suspected to have brute-forced systems with RDP enabled to gain initial access.
Various tools were used to dump passwords and perform reconnaissance including Mimikatz Advanced Port Scanner and the NirSoft Network Password Recovery tool.
In addition to encrypting files the threat actor installed XMRig to mine for digital assets.
🚨
Sirattacker And ALC Ransomware Analysis
The Sirattacker and ALC ransomware families continue to gain traction and compromise Microsoft Windows devices.
Sirattacker is a variant of Chaos ransomware and is possibly distributed as an Ethereum mining application.
The malware gives the victim 72 hours to purchase the decryption key for $400.00US.
ALC ransomware creates several files on the infected desktop and displays a ransom note demanding $2000.00US for access to the locked files.
The malware does not actually encrypt files but acts more of a scareware to convince the victim to pay the ransom.
🚨
Google Advertising Used To Distribute RedLine Stealer
An unregistered version of .NET Reactor was used to protect the loader malware from debuggers and multiple PowerShell commands were used to download the malware from an external location.
The payload was loaded directly into the memory of a process to avoid detection.
🚨
Microsoft Outlook Elevation of Privilege Vulnerability Exploit
Microsoft has identified a security vulnerability (CVE-2023-23397) in Outlook that allows attackers to gain elevated privileges simply by opening an email message. To address this issue, Microsoft has released several patches for their products.
🚨
ImBetter Information Stealer Targets Cryptocurrency Users
Adversaries are hosting malicious phishing websites that masquerade as crypto-wallets and online file converters to lure victims into downloading and executing the malicious software.
The malware terminates itself if the system belongs to multiple regions including Russian Kazakh Tatar Bashkir Belarusian Yakut or Russian Moldova.
The stealer collects a range of sensitive information and exfiltrates the data to command-and-control servers.
🚨
US Cert Alert – Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server
In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.
Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.
Australian Cyber Security Centre (ACSC) Advisory 2020-004 assesses that exploitation of CVE-2019-18935 is only possible with knowledge of Telerik RadAsyncUpload encryption keys.
Threat actors can obtain these keys through either prior knowledge or exploitation of vulnerabilities—CVE-2017-11357 or CVE-2017-11317—present in older, unpatched versions of Telerik released between 2007 and 2017.
Forensic evidence is not available to definitively confirm exploitation of either CVE-2017-11357 or CVE-2017-11317.
Threat Actor Activity
CISA and authoring organizations observed multiple cyber threat actors, including an APT actor—hereafter referred to as Threat Actor 1 (TA1)—and known cybercriminal actor XE Group—hereafter referred to as Threat Actor 2 (TA2)—conducting reconnaissance and scanning activities [T1595.002] that correlate to the successful exploitation of CVE-2019-18935 in the agency’s IIS server running Telerik UI for ASP.NET AJAX [T1190].
When exploiting the vulnerability, the threat actors uploaded malicious dynamic-link library (DLL) files (some masqueraded as portable network graphics [PNG] files) [T1105] to the C:WindowsTemp directory.
The malicious files were then executed from the C:WindowsTemp directory via the w3wp.exe process—a legitimate process that runs on IIS servers.
This process is routine for handling requests sent to web servers and delivering content.
The review of antivirus logs identified that some DLL files were created [T1055.001] and detected as early as August 2021.
CISA and authoring organizations confirmed that some malicious files dropped on the IIS server are consistent with a previously reported file naming convention that threat actors commonly use when exploiting CVE-2019-18935.
The threat actors name the files in the Unix Epoch time format and use the date and time as recorded on the target system.
The file naming convention follows the pattern [10 digits].[7 digits].dll (e.g., a file created on October 31, 2022, could be 1667203023.5321205.dll).
The names of some of the PNG files were misleading.
For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020.
The uncorrelated Unix Epoch time format may indicate that the threat actors used the timestomping [T1070.006] technique.
This file naming convention is a primary IOC used by the threat actors.
In many cases, malicious artifacts were not available for analysis because the threat actors’ malware—that looks for and removes files with the .dll file extension—removed files [T1070.004] from the C:WindowsTemp directory.
Through full packet data capture analysis and reverse engineering of malicious DLL files, no indications of additional malicious activity or sub-processes were found executed by the w3wp.exe process.
CISA observed error messages being sent to the threat actors’ command and control (C2) server when permission restraints prevented the service account from executing the malicious DLLs and writing new files.
Network activity analysis was consistent with the artifacts provided for review.
Analysts did not observe evidence of privilege escalation or lateral movement.
Threat Actor 1
CISA and authoring organizations observed TA1 exploiting CVE-2019-18935 for system enumeration beginning in August 2022.
The vulnerability allows a threat actor to upload malicious DLLs on a target system and execute them by abusing a legitimate process, e.g., the w3wp.exe process.
In this instance, TA1 was able to upload malicious DLL files to the C:WindowsTemp directory and then achieve remote code execution, executing the DLL files via the w3wp.exe process.
At least nine DLL files used for discovery [TA0007], C2 [TA0011], and defense evasion [TA0005].
All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016].
All analyzed samples communicate this collected data to a C2 server at IP address 137.184.130[.]162 or 45.77.212[.]12.
The C2 traffic to these IP addresses uses a non-application layer protocol [T1095] by leveraging Transmission Control Protocol (TCP) clear text (i.e., unencrypted) over port 443.
Analysis also identified that:
Some of the analyzed samples can load additional libraries; enumerate the system, processes, files, directories [T1083]; and write files.
Other analyzed samples can delete DLL files ending with the .dll extension in the C:WindowsTemp directory on the server.
TA1 may use this capability to hide additional malicious activity on the network.
Threat Actor 2
TA2—identified as likely the cybercriminal actor XE Group—often includes xe[word] nomenclature in original filenames and registered domains.
Volexity lists this naming convention and other observed TTPs as common for this threat actor group.
As early as August 2021, CISA and authoring organizations observed TA2 delivering malicious PNG files that, following analysis, were masqueraded DLL files to avoid detection [T1036.005].
Similar to TA1, TA2 exploited CVE-2019-18935 and was able to upload at least three unique DLL files into the C:WindowsTemp directory that TA2 executed via the w3wp.exe process.
These DLL files drop and execute reverse (remote) shell utilities for unencrypted communication with C2 IP addresses associated with the malicious domains.
Analysis of DLL files determined the files were dropped, decoded, and attempted to connect to the respective malicious domains.
Embedded payloads dropped by the DLL files were observed using the command line utility certutil[.]exe and writing new files as xesvrs[.]exe to invoke reverse shell utilities execution.
When the TA2 malware is executed a DLL file drops an executable (XEReverseShell.exe) that attempts to pull a C2 IP address and port number from xework[.]com or xegroups[.]com.
If no port or IP address is found, the program will exit.
If a port and IP address are found, the program will establish a listener and wait for further commands.
If communication is established between the TA2 malware and the C2:
The malware will identify the operating system (Windows or Linux) and create the appropriate shell (cmd or bash), sending system information back to the C2.
The C2 server may send the command xesetshell, causing the malware to connect to the server and download a file called small.txt—a base64-encoded webshell that the malware decodes and places in the C:WindowsTemp directory.
The C2 server may send the command xequit, causing the malware to sleep for a period of time determined by the threat actors.
The two files xesmartshell.tmp and SortVistaCompat have the capability to drop an Active Server Pages (ASPX) webshell—a base64 encoded text file small.txt decoded [T1140] as small.aspx [T1505.003]—to enumerate drives; to send, receive, and delete files; and to execute incoming commands.
The webshell contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.
No webshells were observed to be dropped on the target system, likely due to the abused service account having restrictive write permissions.
🚨
Threat Actors Use ParallaxRAT For Targeting Cryptocurrency Entities
Threat actors are targeting organization in the cryptocurrency sector with spam and phishing campaigns that leads to a Parallax RAT malware infection.
Upon the execution of Payload1 its contents are decrypted and Payload2 (Paralax RAT) is created.
The Parallax RAT is then injected into pipanel.exe via process hollowing.
The malware has the capability to steal information such as computer name victim keystrokes OS Details and reading the clipboard etc.
Once successfully compromised the malware establishes communication with the threat actor who makes use of MS notepad to interact with the victim and instructs them to connect with the threat actors via an established Telegram Channel.
🚨
Exposing The Lazarus Arsenal WinorDLL64 Backdoor
Following that discovery recently a payload associated with the Wslink downloader was identified called WinorDLL64 backdoor.
The backdoor collects system information manipulates files is capable of exfiltration overwriting and removing files executing additional commands and communicates via the Wslink established connection.
🚨
Clasiopa New Group Targets Materials Research
Symantec is tracking the group as Clasiopa however attribution appears to be of low confidence as the activities continue to be analyzed.
Custom malware and utilities include Athravan a custom RAT as well as a custom proxy tool used by the group.
Additionally analysis identified a hacking tool called Thumbsender and a commodity RAT were used during the attacks.
The group did attempt to evade detection by using Windows binaries such as wsmprovhost used to launch a remote PowerShell session to remove indicators of compromise and took advantage of Windows scheduled tasks to list file names.
🚨
New Emotet campaign
Emotet typically spreads through phishing emails that contain malicious attachments or links. When a user opens the attachment or clicks on the link, the malware infects the system and begins to spread to other computers on the network.
Once it has infected a system, Emotet can steal sensitive information such as email credentials, passwords, and financial information. It can also download and install additional malware onto the infected system, which can be used to further compromise the security of the network.
Emotet has been responsible for a number of high-profile attacks on businesses and organizations around the world, and it is considered to be one of the most dangerous types of malware in existence. It is important to take steps to protect your systems against Emotet and other types of malware, such as by keeping your antivirus software up-to-date and educating employees about how to avoid phishing scams.
Emotet emails so far have zip attachments containing inflated Word documents (500+ MB) with macros for Emotet.
The Word macros retrieve zip archives which contain inflated 64-bit DLL files (500+ MB) for Emotet.
Aside from the inflated Word docs and inflated DLL files, the infection patterns are similar to Emotet before its haitus.
INFECTION CHAIN:
– Email –> zip attachment –> 500+ MB Word doc –> enable macros –> download zip –> 500+ MB DLL from zip –> Emotet C
🚨
How sys01 stealer will get your sensitive Facebook info
The attack begins by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to have an application, game, movie, etc.
The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload.
The loader is usually a legitimate C# application susceptible to a side-loading vulnerability that comes with a hidden malicious dynamic link library (DLL) file that’s eventually side-loaded to the application.
This legitimate application drops the Inno-Setup installer that decompresses to a whole PHP application containing malicious scripts.
The PHP scripts are responsible for stealing and exfiltrating information.
The scripts are encoded using different techniques, which makes their analysis and detection harder.
THE LOADER
We’ve seen the payload delivered in diverse ways including DLL side-loading, Rust and Python executables, and many others.
All methods eventually drop an Inno-Setup installer which, at the next stage, drops and executes the PHP information stealer.
In the next sections Analysts elaborate on various delivery techniques and luring themes the attackers use.
Note: these delivery methods are representative samples.
There are many other variations of these methods with minor modifications.
DLL SIDE-LOADING V1
In this method, the victim downloads a zipped folder with different luring themes such as world cup live streaming, free applications, and more that abuse legitimate applications vulnerable to DLL side-loading attack.
The zipped folder usually holds the following file patterns:
Executable.
A benign, legitimate executable abused to side-load the malicious DLL
[A-Z]Data.dat (hidden).
A ZIP or self extracting archive (SFX) containing legitimate HTML webpages used as a decoy
[A-Z]License (hidden).
The Inno-Setup installer to be executed (base64 encoded with some string modifications)
DLL (hidden).
The malicious side loaded DLL
The malicious DLL has two main goals: displaying the decoy to the victim and executing the Inno-Setup installer.
It does this by creating a thread that checks whether the License file exists.
If it doesn’t, it downloads the file from its command and control (C2) server, then decodes and executes it.
In the main thread the SFX/ZIP file is executed/decompressed, and the victim is shown the decoy HTML files.
In some samples Analysts noticed cases where the .dat and License files are not included in the zipped folder.
Instead, they’re downloaded from the C2 using the following pattern:
https:///files/dld?t=wcup.
Downloads the License file
https:///files/dlz?t=wcup.
Downloads the .dat file as a ZIP
dld Download the License (base64 encoded with string replacements)
dlz Download .zip (.dat file with the decoys)
DLL SIDE-LOADING V2
In this method, the victim downloads a ZIP folder that purportedly contains an application or movie etc.
The above image shows an example of Garmin’s ElevatedInstaller.exe being abused to side-load the malicious DLL.
Once the executable starts running, it side-loads the malicious DLL that decodes and drops three files to the %temp% folder:
vcruntime140.dll Dependency
rhc.exe (hidec) Executable that accepts an executable as an argument and executes it with hidden console
.exe Rust executable compiled with Cargo
Next, it creates a scheduled task that runs the Rust executable by passing it as an argument to rhc.exe.
Before exiting, it pops up a message box informing the victim that the execution didn’t succeed.
The Rust executable then downloads the next stage-an Inno-Setup installer that deploys the PHP information stealer from /files?t=&tp=d.
We’ve also spotted similar delivery methods that dropped Python executables compiled with Nuitka instead of Rust to drop the next stage Inno-Setup.
DLL SIDE-LOADING V3
Similar to the other delivery methods, in this scenario a victim downloads what seems to be a game, movie, nude album, etc.
All the executables named as image files are in fact the same benign executable-WDSyncService.exe that is abused to side-load a malicious DLL named WDSync.dll.
The WDSyncService.exe file is signed by Western Digital and acts as Western Digital’s sync service, which is written in C#.
Additionally, this executable uses several shared libraries, including WDSync.dll which is hidden in the ZIP file and obfuscated with SmartAssembly.
The rest of the DLLs WDSyncService.exe uses are compressed and encrypted within WDSync.dll using the embedding dependencies feature by SmartAssembly.
Once a victim has executed one of the executables from the ZIP folder, a fake message box pops up and alerts the user to install a “framework” to open the file.
Meanwhile, a thread with malicious logic is executing.
It starts with de-obfuscating the next stage (string replacements + base64 decoding) and writing it to a %tmp% folder under the hardcoded name TS.exe and executing it with “t” as an argument.
Once the execution completes, the file is deleted to leave no evidence on the machine.
The dropped executable (TS.exe) can be executed with one of the following options: t, d
Option t copies the executable to %appdata%PackagesTS.exe and registers a new scheduled task to trigger every day and repeat every hour with option “d” as an argument.
Option d checks if the file %localappdata%m.txt exists.
If it does, the program exits because it means the info stealer is already running on the machine.
If the file does not exist, the executable decodes and drops the next stage Inno-Setup executable to %temp%\ and executes it with /VERYSILENT /SUPPRESSMSGBOXES /NORESTART as arguments.
As before, when the execution finishes the file is deleted to remove evidence from the machine.
INNO-SETUP TO PHP INFORMATION STEALER
Once the Inno-Setup installer executes, it drops a PHP application with additional files, usually to %localappdata[A-Z]{4}.
Between different variants of this information stealer, Analysts saw the following files used to execute the malicious logic:
include.php Responsible for installing persistence via scheduled tasks
index.php Executes the main logic of the stealing act
version.php (embedded in index.php if it does not exist) Holds the stealer version
rhc.exe Hides the console window of started programs (hidec)
rss.txt (other variants have a different name) Base64 encoded string with several string replacements.
Once decoded, this executable, written in Rust and compiled with Cargo, gets the current date and time, and decrypts Chromium-based browsers’ encryption key
In older variants the PHP scripts were not obfuscated in any manner.
In newer variants Analysts noticed commercial encoders ionCube and Zephir, which are self-written extensions that obfuscate the PHP scripts.
After dropping the folder, the Inno-Setup executable executes php.exe include.php, or passes this command line as an argument to rhc.exe.
include.php registers two scheduled tasks:
rhc.exe php.exe include.php
rhc.exe php.exe index.php
rhc.exe php.exe index.php
The first task is triggered at log-on.
The second task is triggered every two minutes.
The attacker must know the time to set it in the scheduled task.
It does this by decoding the rss.txt into an executable, adding a uniquid at the end of the executable, and dropping it to %temp%tmp.exe.
If for some reason the operation fails, this script gets the current date and time running: “wmic os get LocalDateTime /value”.
index.php is the script where the stealing logic takes place.
It starts by setting a configuration array with the following information:
version-Stealer version
b-Bot name (SYS01 is the bot name we’ve seen in all the variants Analysts covered, which is why Analysts named the php stealer SYS01)
tmpData-Path for saving temporarily used files
url_endpoint-A list of C2 domains
During each execution, the script shuffles and randomly defines one of the domains to be used as the C2 in the entire script.
Next, the script creates a machine ID associated with the victim and saves it to %localappdata%packagesm.txt for future executions.
The machine ID is constructed by the following: uniqid() + _ + rand(111111, 999999).
Later, it will call the getTask function that constructs the malicious URL
nd issues a GET request to the C2 with information identifying the victim.
The response is a Json object with zero or more tasks in it.
The main script routine goes over each task and acts accordingly.
As seen in the main function there are five task types: get_ck_all, dlAR, upload, r, dl.
get_ck_all Gets all cookies.
Iterating over based_ch, which consists of a list of Chromium-based browser names.
It tries to extract the cookies and login data for each browser name, and after extracting this information checks if the flag sendD (send data) is set to true.
If so, it posts the stolen information to its C2.
The attacker additionally checks whether the user has a Facebook account logged in or not.
It does this by checking if the cookie hostname contains facebook.com and collects the session specific cookies xs and c_user that store the user ID and session secret respectively.
If the victim has a logged in Facebook account (checked with xs name in Facebook’s cookie), and the rs_flag (resource flag) is set to true, the attacker will query Facebook’s graph API using the access token, obtained via Facebook’s graphql API, to steal the victim’s Facebook information and send it back to the C2.
The stolen information is that set as fields in the URL parameter.
dlAR Download and run.
Downloads a file from the given URL and executes it with the given arguments.
At the time of writing, in the given task the downloaded file was an Inno-Setup executable that dropped a legitimate WD Discovery app to side-load the malicious WDLocal.dll.
The side-loaded DLL issues a GET request to one of its hardcoded URLs with parameters stating the old machine ID, new machine ID, and the current version of the information stealer.
The response is a Json object that holds the new version number, URL to download the new version, command to be executed, and arguments.
The response is parsed, and the new stealer is downloaded and executed.
Next, it creates a scheduled task that executes the updated routine, which triggers at log-on and every 30 minutes.
upload Asks for a file to be uploaded to the C2, checks whether the file exists, and uploads it.
“r” Gets a command to run, executes it, and posts the result back to the C2.
“dl” Sends a get request with the parameter “a=update” to the C2 and does the same as the dlAR task.
🚨
New WhiteSnake Stealer Offered For Sale Via MaaS Model
Cyble has identified a new malware strain that targets both Windows and Linux Operating Systems dubbed “WhiteSnake”.
The WhiteSnake stealer was first discovered on cybercrime forums priced at $120/month $300/ 3 months $500/ 6 months $900/ 1 year $1500/ Lifetime.
Researchers noticed that the stealers binary undergoes frequent daily updates suggesting the malware is still under development.
The cyber-attack chain starts with spam emails containing an executable attachment that is disguised as a PDF document.
The attachment is in fact a BAT file that has been converted to an executable using “Bat2Exe”.
When executed it drops another BAT file onto a temporary folder and in turn executes it.
The new BAT file then spawns a PowerShell to download a file named “build.bat” from a discord URL and executes it.
The “build.bat” file contains the WhiteSnake stealer encoded in base64within itself.
It utilizes Certutil to decode the stealer saves it as “build.exe” within a temporary folder and executes it completing the deployment of the stealer.
The WhiteSnake stealer is capable ofcreating mutex to prevent reinfections anti-forensics with environmental checks.
Once it determines its safe to continue it gathers a spectrum of information including browser cookies autofills login Data and Web Data from the most used browsers.
The stealer is also able to steal various important files from various cryptocurrency wallets including from their browser extensions.
Furthermore it can steal sensitive data from messaging applications email clients and other specific applications.
All the data is then aggregated encrypted and finally exfiltrated through telegram.
🚨
CVE-2023-21716 Microsoft Office Remote Code Execution Vulnerability
The CVE-2023-21716 vulnerability in Microsoft Office’s wwlib library can lead to remote code execution on the victim’s system with the privileges of the user who opens a malicious RTF document.
The vulnerability affects several versions of Microsoft Office, including the latest Insider Preview of Office 365 and Office 2016, as well as Office 2013, 2010, and 2007.
While Microsoft Office 2010 and later versions have a Protected View feature that can help limit the damage caused by malicious documents, it is not enough to fully protect against this vulnerability as an additional sandbox escape vulnerability is required to gain full privileges.
t is also ineffective to remove the file association for the RTF extension as the vulnerable code can still be reached using the DOC extension.
Microsoft has released a security patch to address this vulnerability and advises all affected users to install it as soon as possible to prevent exploitation by attackers.
🚨
Operation Silent Watch
Threat actors launched Operation Silent Watch utilizing the OxtaRAT backdoor for desktop surveillance and remote access for information gathering.
The threat actor targeted independent media dissidents and human rights organizations within Azerbaijan.
The OxtaRAT backdoor supports multiple features and is a polyglot file that combines both AutoIt scripts and images.
🚨
STEALC INFORMATION STEALER ANALYSIS
The Stealc information stealer was discovered being advertised on the Dark Web in early 2023.
The threat actor behind the malicious software relied on the Vidar Raccoon Mars and Redline stealers to develop the malware.
Stealc is written in pure C downloads legitimate third-party DLLs deletes files and exfiltrates data from multiple web browsers web plugins desktop wallets and email clients.
🚨
IT'S OFFICIAL - BLACKLOTUS MALWARE CAN BYPASS SECURE BOOT ON WINDOWS MACHINES
BlackLotus, a UEFI bootkit that's sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.
🚨
IRON TIGER'S SYSUPDATE REAPPEARS, ADDS LINUX TARGETING
ron Tiger is an advanced persistent threat (APT) group that has been focused primarily on cyberespionage for more than a decade.
This new version has similar features to the 2021 version, except that the C++ run-time type information (RTTI) classes analysts previously observed in 2021 had been removed, and that the code structure was changed to use the ASIO C++ asynchronous library.
Both changes make reverse engineering the samples longer.
Analysts strongly advise organizations and users in the targeted industries to reinforce their security measures to defend their systems and stored information from this ongoing campaign.
🚨
WIP26 ABUSES CLOUD INFRASTRUCTURE IN TARGETED TELCO ATTACKS
The WIP26 threat actor targeted telecommunication providers in the Middle East with custom backdoors to gain access and exfiltrate sensitive data.
Public Cloud infrastructure including Microsoft 365 Mail Microsoft Azure Google Firebase and Dropbox was used to evade detection and stay under the radar.
The malware used in the operation CMD365 and CMDEmber used invalid digital signatures for defense evasion and scheduled tasks for persistence.
🚨
RIG EXPLOIT KIT ADDS NEW VULNERABILITIES
The Rig Exploit Kit has been on the threat landscape since 2014 and was recently discovered with additional exploits for CVE-2021-26411 and CVE-2020-0674.
Successful infections could result in devices infected with information stealers downloaders backdoors remote access trojans and ransomware.
Malware distributed by the exploit kit includes Gozi Dridex Racoon Stealer Redline Stealer IcedID Zloader TrueBot and Royal Ransomware.
🚨
DECODING THE INNER WORKINGS OF DARKCLOUD STEALER
The DarkCloud Stealer information stealing malware was first spotted in 2022 and gathers sensitive information such as credit card numbers passwords social security numbers and personal data from compromised mobile devices and computer systems.
The malicious software is distributed through phishing campaigns and uses a multi-stage process to carry out the infection.
Sensitive data is exfiltrated via SMTP Telegram Web Panel and FTP.