SISA Weekly Threat Watch – August 22nd, 2022

This past week saw threat actors modifying their tactics and strategies to drive targeted attacks on multiple platforms through backdoors, HTTP requests, PowerShell commands, encrypted files and Cryptojacking. While security researchers discovered the emergence of new malicious attack services and zero-day vulnerabilities, they also observed malware developers exploiting much older, unpatched vulnerabilities to navigate themselves across the organizations’ environment.

SISA Weekly Threat Watch – our new weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Woody RAT malware exploits Follina vulnerability

A Microsoft Office document called “aмтка.docx” which was modified to take advantage of the Follina (CVE-2022-30190) vulnerability is being used by a threat actor to drop Woody Rat. The malware communicates with its C2 through HTTP requests and creates a cookie from machine-specific information to uniquely identify each infected machine. To prevent any potential cookie collisions by the malware, eight random bytes are appended to the data acquired from the adapter information, computer name, and volume information.

Along with being able to write arbitrary files to the computer, execute more malware, delete files, enumerate directories, take screenshots, and compile a list of active processes, Woody RAT is also capable of encrypting its connections with a remote server. Two .NET-based libraries that can be used to execute .NET code and PowerShell commands obtained from the server are also found within the malware. To avoid detection by security software installed on the compromised host, the malware uses the process hollowing technique to inject itself into a suspended Notepad process and deletes itself from the system. It is recommended to protect yourself from such attacks by patching the Follina vulnerability and educating users to avoid opening any documents from unknown senders.

2. SmokeLoader actively spreads by exploiting old vulnerabilities

According to researchers, almost five-year-old vulnerabilities – CVE-2017-0199 and CVE-2017-11882 were being widely exploited by threat actors to distribute the malware SmokeLoader. A phishing email encouraging recipients to analyze a purchase order and look for shipment dates is what started the infection chain. An excel file called “Purchase Order FG-20220629.xlsx” was sent via a webmail account that was hosted by a large telecommunications company in Taiwan. These files contain encrypted copies of the exploits for vulnerabilities along with EXE and DLL files to get past the email security protocols.

While Fortinet discovered that the most recent sample left by SmokeLoader was the zgRAT trojan, a report describing the propagation of Amadey malware was included as well. Researchers at AhnLab say that SmokeLoader was used in a recent campaign that used keygen and software crack sites as lures. Whenever these software vulnerabilities were attacked, SmokeLoader was loaded, which eventually distributed a newer version of the Amadey malware. These attacks demonstrate that malware developers rely on older vulnerabilities that have not yet been effectively patched across a broad range of software. In the meantime, SmokeLoader’s reappearance indicates that the malware dropper will be around for a while.

3. Dark Utilities: New C2-as-a-Service

Security researchers have found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations. Threat actors have access to a platform that supports Windows, Linux, and Python-based payloads on the Dark Utilities service, which also takes care of the work needed to set up a C2 communication channel.

The service, which launched in early 2022, offers C2 capability on both Tor and the Clear Web. It stores payloads inside the Interplanetary File System and is compatible with various architectures. Furthermore, the platform now also supports ARMV71/ARM64 architectures, which are ideal for targeting a range of embedded devices, such as phones, IoT devices, and routers. The payload downloaded from the platform can be used to create a Registry key on Windows OS, a Crontab entry on Linux, or a Systemd service on the targeted machine to achieve persistence. Additionally, the platform’s administrator panel has various modules for various attack types, such DDoS and Cryptojacking.

Due to its low prices and minimal effort required to launch an attack, the Dark Utilities service has already amassed thousands of subscribers, and it is expected to continue to attract adversaries. Defense mechanisms must be continuously reviewed and enhanced to keep up with such threats and overcome them.

4. Threat actors use backdoors and malware to target government organizations

A new Windows malware – PortDoor was used in a wide series of attacks that were discovered in January to backdoor government agencies and organizations in the defense industry from several Eastern European nations. The campaign was linked to the Chinese APT group TA428 by Kaspersky, which is known for targeting organizations in Asia and Eastern Europe and focusing on information theft and espionage. The attacker deployed PortDoor by exploiting the CVE-2017-11882 flaw and spear phishing emails loaded with personal data about the selected companies. The new backdoor allows attackers to gather and steal system data from the compromised systems, similar to the other malware families used in this campaign.

Additionally, the threat group had already deployed additional malware (nccTrojan, Logtu, Cotx, and DNSep), as well as a previously unknown threat called CotSam. The attackers took control of the domain by traversing networks laterally using tools such as the Ladon hacking utility (mostly used by Chinese threat actors). Information was then transmitted in encrypted form and ZIP archives to C2 servers distributed across many nations. Additionally, the C2 servers sent all stolen data to a second-stage server with a Chinese IP address. Researchers believe that such threat groups would not stop or slow down their activities any time soon. Hence, it is recommended that organizations deploy sophisticated multi-layered security to stay protected.

Another set of targeted attacks on government organizations has been through modified malware and updated tactics by the DoNot Team APT (also known as APT-C-35). The attackers, that have been active since 2016, are known for targeted attacks against South Asian individuals and organizations. Their new and updated modules include a browser stealer component that has the capability to steal data from Google Chrome and Mozilla Firefox, including login passwords and browser history. In their most recent spear-phishing email attack, the group targeted government departments and was discovered to be using RTF documents. The attack tricks the victim into activating malicious macros that are later used to inject a reverse shell module when a remote template is injected.

It is recommended to use technologies like network firewalls, EDR, and XDR to detect anomalies at the entry stage and patch the gap in the runtime since the group concentrates on critical security gaps that only a few organizations may have plugged in.

5. New Google Chrome zero-day vulnerability being exploited in the wild

Google has released a security update to address one critical vulnerability tracked as CVE-2022-2852 and five other high vulnerabilities that need immediate patching. Google does not typically provide many technical details about the zero-day vulnerabilities they fix until a large number of Chrome users have applied the security update. The most recent one, CVE-2022-2856, is classified as a severe security vulnerability because it “inadequately verifies untrusted input in Intents” – a feature that allows users to launch web services and applications directly from web sites.

Poor input validation in software can open doors to attackers bypassing security measures or going further than the intended functionality, potentially allowing access to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and other vulnerabilities. The development marks the fifth zero-day vulnerability in Chrome this year that is actively being exploited by threat actors. To minimize potential threats, it is recommended to update to versions 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows. Organizations are advised to review the Chrome Release and apply the necessary updates to Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi.