February 27, 2024

Cybersecurity Threats Affecting Businesses in February 2024

Cybersecurity Threats Affecting Businesses in February 2024 Cybersecurity & Digital Forensics

The global cyber threat level has continued to increase as a function of general global political unrest around the middle east, Ukraine and China-Taiwan. The number of cybersecurity incidents continues to rise and their impact continues to increase. Organizations of all sizes and in all sectors need to increase their awareness of both the overall threat environment and threats specifically relevant to their organization or industry. Threat hunting, offered as part of Marcum Technology’s Managed Security Services, can help provide this visibility in identifying potential risks to an organization.

Below are the top seven threats that emerged over the past month.

Lumma Stealer

FortiGuard Labs has identified a threat group utilizing YouTube channels to distribute a variant of Lumma Stealer, a malicious software that steals sensitive information. Similar to an attack discovered in March 2023, these YouTube videos offer cracked application content and include malicious URLs, typically shortened by services like TinyURL. The attackers avoid easy detection by using open-source platforms such as GitHub and MediaFire to host their malware instead of their own servers. The links provided in the video descriptions lead to direct downloads of a .NET loader that retrieves the Lumma Stealer malware.

Lumma Stealer has been advertised on the dark web since 2022, with over a dozen command-and-control (C2) servers and several updates. The malware is designed to steal credentials, system information, browser data, and extensions. The attack begins with a breached YouTube account, where the attackers upload videos that appear to share cracked software, but actually contain malicious URLs. The number of downloads indicates that this method is an effective way to spread malware.

The payload is hidden in a ZIP file that triggers a PowerShell download of a .NET executable from a GitHub repository. The .NET loader is obfuscated and performs system checks before executing a PowerShell script. It uses various properties to launch processes discreetly and without raising suspicion.

The PowerShell script retrieves encrypted binary data from selected C2 servers and uses AES CBC and GZip decompression to obtain the DLL file for the next stage. The malware employs anti-VM and anti-debug techniques to avoid detection by security tools and sandboxes. It checks for certain strings, modules, usernames, files, services, and processes that are indicative of a security presence.

After passing the environment checks, the malware decrypts the resource data and prepares for payload injection. Lumma Stealer communicates with a C2 server to receive instructions and exfiltrate stolen data, using obfuscation techniques and HTTPS to evade detection.

This sophisticated attack exploits YouTube channels to spread Lumma Stealer malware through seemingly benign installation guides. The attackers use a private .NET loader with advanced evasion techniques to avoid detection. Thus, the best defense is to advise users to be cautious and only download applications from reputable and secure sources.

AsyncRAT

AsyncRAT is a prolific and powerful Remote Access Tool with capabilities ranging from screen recording to data exfil and even direct control. This month, a campaign spanning 11 months was identified where a threat actor delivered the RAT through an initial JavaScript file in a phishing page. The campaign spans over 100 domains. Once again, the only requirement to fall victim to this campaign is an email inbox and not enough time to check before clicking a link – a situation end-users find themselves in frequently. Phishing remains the easiest, and one of the most effective methods of gaining access to an organization.

There are several stages to this attack, beginning with a phishing email that directs the user to a webpage containing stage 1: injected Javascript. Strangely, despite being obvious scripts, the files contain long commented-out strings that themselves have randomly positioned words within. This obfuscation is highly effective on the script, which also contains functions to move around detectable commands. The URL to the C&C is also hidden in decimal values. Decryption is done with subtraction of a constant against the value which is then converted to ASCII.

The C&C URL is modified occasionally, which again obfuscates the script and C2 network. There is also a randomization feature that attempts to create a completely unique version of the payloads for each victim with randomized names and constants for the decryption.

A GET request downloads Stage 2 which is decrypted and then put into memory as a fileless PowerShell payload. If the payload suspects via a series of checks that it is in a VM, it deploys a decoy RAT with decoy redirections to hinder analysis. Otherwise, a third stage is downloaded that in turn downloads the RAT.

APK Financial Fraud

The infrastructure changes frequently for this campaign, and with the obfuscation and VM-detection functions, this is capable of avoiding both manual analysis and sandbox analysis/detection extremely effectively. As such, the best defense is once again to never fall victim to the phish in the first place.

In the course of ongoing research into threats embedded within legitimate network traffic, a recurrent pattern was detected associated with a particular type of Android Package Kit (APK) files. This investigation led to a deeper exploration of these APK files, unveiling a malicious campaign targeting Chinese users. The malware used spoofs a notification from law enforcement alleging the involvement of the victim’s phone number or bank account in financial fraud, leading to the download of a compromised app which ultimately steals PII.

The malicious APK activity was initially detected in November 2022, with a notable surge in delivery attempts reaching a peak of 717 in September 2023, following a period of dormancy. Analysis of these APK samples suggests that victims likely obtained them from unofficial third-party sources, as they do not adhere to Google Play Store submission policies. The attackers employed social engineering techniques, impersonating law enforcement authorities and enticing victims to download the malicious application, named “安全防护” or “Security Protection” in Mandarin.

The malware, once installed, gains permissions to make phone calls and receive SMS messages, allowing it to block incoming calls and messages. This strategic move prevents victims from receiving alerts about financial fraud from legitimate sources and feeds them fabricated ones. The threat actors manipulate victims into believing the app is legitimate by providing a fake legal case number and generating false legal documents. Victims are then coerced into downloading the next-stage payload under the pretext of investigating bank transactions.

Dynamic analysis logs reveal traces of outgoing HTTP network connections to remote endpoints. While a couple of the domain logs appear legitimate, multiple connections to these IP addresses and domains within a brief timeframe serve as potential indicators of command and control (C2) traffic. This behavior aids in the creation of advanced signatures for detecting malware activities.

In conclusion, attackers exploit information gaps and victims’ fears of legal consequences through sophisticated social engineering attacks to illicitly gain profits. To safeguard against such threats, we strongly advise against downloading third-party applications from untrusted sources and refraining from sharing sensitive information with unknown entities.

Info Stealing Packages in PyPl

PyPI (Python Package Index) is a repository of software packages developed by members of the Python community to help users develop and update applications more quickly. However, recently a malware author by the name of “WS” has been seen uploading malicious packages to PyPI. FortiNet estimates that there may be over 2000 victims of this threat actor from nine packages alone.

The nine packages are “nigpal”, “figflix”, “telerer”, “seGMM”, “fbdebug”, “sGMM”, “myGens”, “NewGends”, and “TestLibs111”. These packages contain malicious code and mirror tactics used in an early 2023 campaign. If the system runs on Windows a Whitesnake PE malware is deployed, and if Linux, a Python script designed to steal information. Although infection of both Windows and Linux is possible, this recent set of packages target Windows environments predominantly. The difference between this and the 2023 campaign is that this malware uses a range of destination IPs rather than a single destination, meaning that if one server fails, data transmission to another is possible.

The PE payloads of “myGens” and “NewGends” are particularly interesting. Upon installation, an invisible cmd.exe window is opened. From there, the malware uses powershell to add itself to the Windows Defender exclusion list, bypassing security measures that would typically detect malware of this sort. After this, a scheduled task is created to run once an hour. This task connects to a malicious IP and attempts to collect user information such as IP address, host credentials, and other sensitive data. Additionally, this payload captures mouse and keyboard interactions and can acquire and transmit wallet/browser data to a remote server.

The PE payload of “TestLibs111” is like the others, but with a few differences. This payload also sends data to a suspicious IP but has a few specific targets. It is possible for it to steal information from different services such as browsers, applications, and crypto sites. In an example infected file, information from Chrome, Discord, FileZilla, and Coinbase was found. After this data is found, it is again sent to one of many IPs with a server connected to collect the data.

All of these malware variants are disguised as helpful components within the Python Package Index repository. However, instead of allowing users to set up applications with Python, they initiate a compromise of the system with the intent of extracting personal and sensitive data. Per usual, the best defense is to remember to download software only from reputable sources, where it can be confirmed as legitimate and safe.

RoundCube Email Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has reported active exploitation of a security vulnerability in Roundcube email software and listed it in its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2023-43770 with a CVSS score of 6.1, is a cross-site scripting (XSS) flaw resulting from improper processing of linkrefs in plain text emails. This could lead to information disclosure if malicious links are clicked. While the exact exploitation methods are unknown, similar vulnerabilities have been exploited by Russia-linked cyber groups in the past.

Roundcube versions affected include those before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube team has resolved the issue with the release of version 1.6.3 on September 15, 2023. U.S.

Akira Ransomware Exploitation of Cisco

CISA added Cisco’s CVE-2020-3259 flaw to its KEV catalog due to its recent exploitation by Akira ransomware attackers targeting Cisco Anyconnect SSL VPN appliances. This patched an information disclosure issue could let attackers access memory on affected devices. Akira, which is linked to the Conti syndicate, set up a data leak site in 2023 and listed numerous victims. U.S. agencies must address this and similar vulnerabilities by March 7, 2024.

Critical Exchange Server Flaw

Microsoft has confirmed an actively exploited vulnerability in Exchange Server, designated as CVE-2024-21410 with a high severity score of 9.8. The flaw allows attackers to escalate privileges by relaying leaked NTLM credentials to impersonate a user on the Exchange Server. Extended Protection for Authentication has been enabled by default to counteract this issue.

The company also patched other exploited vulnerabilities, including CVE-2024-21351 and CVE-2024-21412, the latter allowing bypassing of Windows SmartScreen and attributed to the Water Hydra group.

Furthermore, a critical Outlook vulnerability, CVE-2024-21413, permits remote code execution and can bypass Protected View by exploiting malformed “file://” hyperlinks.

If you’re facing challenges related to cybersecurity threats, breaches, and bad actors, or are interested in learning more about identifying potential threats to your organization, contact Marcum Technology today.