SISA Weekly Threat Watch – December 26th, 2022

Over the last week, new and re-emerging threat groups have exploited multiple vulnerabilities to carry out malicious attacks or experiment with new and improved tactics. Researchers discovered widespread use of ransomware, malicious PHP scripts, PowerShell backdoors, and botnet malware to breach networks while remaining undetected by organizations’ security teams. The growing number of highly coordinated, planned, and sophisticated cyber-attacks is a major source of concern for organizations all over the world.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Microsoft-signed malicious Windows drivers used in ransomware attacks

In response to drivers signed through their profiles being used in cyber-attacks, including ransomware incidents, Microsoft has terminated many Microsoft hardware developer accounts. Researchers believe that malicious kernel-mode hardware drivers trusted by Microsoft’s Windows Hardware Developer Program’s Authenticode signatures are being used by threat actors. The Microsoft Partner Center was used by several developers to submit malicious device drivers to get a Microsoft signature.

Users of the Cuba ransomware loaded a malicious driver using a driver signed with a Microsoft certificate using the BURNTCIGAR loader tools. A similar Microsoft-signed driver was also used by Hive ransomware against a healthcare facility. New Microsoft Defender signatures (1.377.987.0) have been made available by the firm to help post-exploitation attacks identify legitimately signed drivers. Users are advised to update the signatures as soon as possible and perform a full environment scan to look for any unusual activity.

2. Go-based botnet GoTrim targeting WordPress sites

The self-hosted WordPress websites are being searched online by a new Go-based botnet malware called “GoTrim”, which is attempting to brute force the administrator’s password and take over the website. When a brute-force attack is successful, malicious PHP scripts are used to install a bot client on the newly compromised system. It sends credentials, including a bot ID represented by a freshly created MD5 hash, to the C2 server.

Using either the client mode or the server mode, GoTrim can communicate with its C2. Furthermore, it sends beacon requests to C2 and terminates if it does not get a response after 100 tries. To get past anti-bot protections, malware can imitate legitimate Firefox on 64-bit Windows requests. Users can protect their WordPress sites by using Web Application Firewalls (WAF), obfuscating admin login pages, and using strong passwords. Keeping the CMS software and the plugins up to date can also reduce the risk of malware infection.

3. Trojanized Windows 10 Operating System Installers targeted Ukrainian government

As part of a recent campaign, government organizations in Ukraine were compromised by trojanized installer files for Windows 10. These files were used to carry out post-exploitation operations. Torrent websites in the languages of Ukrainian and Russian were used to distribute the malicious ISO files.  The malware collects data from the compromised system and exfiltrates it after the compromised software is installed.

The ISO file was made to install PowerShell backdoors, stop telemetry data transmission from the infected PC to Microsoft, and prevent automatic updates and licenses verification. Additional implants were later installed in the machines, but only after an initial survey of the compromised environment to see whether it contained any valuable intelligence. To stay protected, block the IOCs in your perimeter and core security devices. It is also recommended to avoid downloading and installing Windows installers from pirated websites.

4. New Agenda ransomware variant, written in Rust, aiming at critical infrastructure

Agenda is a ransomware-as-a-service (RaaS) gang that is credited to an operator by the name of Qilin and has been connected to a string of assaults mostly focusing on the manufacturing and IT sectors across many nations. It is a newly discovered ransomware family written in GoLang. By defining parameters that are used to determine the percentage of file content to be encrypted, Agenda, like Royal ransomware, builds on the concept of partial encryption (also known as intermittent encryption).

 The ransom note is placed into every directory after the encrypted files are given the extension “MmXReVIxLV,” according to an examination of the ransomware code. Additionally, the Rust version of Agenda can end the Windows AppInfo process and turn off User Account Control (UAC), which works to lessen the impact of malware by requiring administrative privileges to start a programme or activity. It is recommended to install updates/patch operating systems, software, and firmware as soon as they are released. It is also a best practice to ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.

5. Glupteba botnet continues to thrive despite Google’s attempts to disrupt it

Glupteba is a modular, blockchain-enabled virus that infects Windows PCs to mine bitcoin, steal user passwords and cookies, and sets up proxies on Windows systems and IoT gadgets. These proxies are eventually offered to other online offenders as “residential proxies.” In order to avoid being disrupted, Glupteba uses the Bitcoin blockchain to obtain up-to-date lists of command-and-control servers it should contact in order to receive commands.

The botnet’s clients use a discover function to locate the C2 server address by listing Bitcoin wallet servers, retrieving their transactions, and parsing them to identify an AES-encrypted address. After analyzing more than 1,500 Glupteba samples submitted to VirusTotal, Nozomi Networks claimed to have discovered 15 wallet addresses used by threat actors as far back as June 19, 2019. To safeguard against a potential Glupteba infection, it is advised to keep an eye on DNS logs and update antivirus software.