Threat actors compromise machines and web servers with Golang-based malware and C2 framework

Adversaries have been attempting to use new file formats to hide themselves or to get around security warnings, from password-protected ZIP files to ISO files or malicious Word and Excel attachments to distribute and install malware. These types of malwares allow threat actors to remotely access a victim’s device to steal files, save browser passwords, take screenshots, and in some cases, even record video using webcams.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. PayPal accounts compromised in large-scale credential stuffing attack

PayPal alerts thousands of compromised accounts via credential stuffing attacks that revealed personal information. Credential stuffing attacks occur when hackers try username/password pairs from data leaks on various websites to access accounts. PayPal reports the attack impacted 34,942 users. The hackers were able to access full names, birthdates, addresses, SSNs, and individual tax identification numbers (ITINs). The attackers did not attempt or were unable to perform any transactions from the breached PayPal accounts.

As part of the steps taken to secure accounts, affected customers will be prompted to establish a new password the next time they log in, ensuring an added layer of security to prevent unauthorized access and protect personal information. PayPal also suggests activating 2FA from ‘Account Settings’ to prevent unauthorized access to accounts, even with valid username and password.

2. Hackers spreading malware via Microsoft OneNote attachments

Threat actors have switched to using a new file format in their malicious spam (malspam) attachments to distribute malware: Microsoft OneNote attachments. Double-clicking these malicious spam attachments automatically launches the script, resulting in the malware from a remote site being downloaded and installed. According to the samples found, the malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents.

As Microsoft OneNote is installed by default in all Microsoft Office/365 installations, even if a Windows user does not use the application, it is still available to open the file format. When launching OneNote attachments, the program warns you that doing so can harm your computer and data, but unfortunately, it is commonly observed that these types of prompts are ignored, and users just click the OK button. It is advised to avoid opening email attachments from untrusted sources and do not disregard warnings displayed by the operating system or application.

3. Threat actors turn to Sliver as open-source alternative to popular C2 frameworks

C2 frameworks or Command and Control (C&C) infrastructure are used by security professionals to remotely control compromised machines during security assessments. One such C2 framework named Sliver, a Golang-based cross-platform post-exploitation framework is now gaining more traction due to its plethora of features for adversary simulation.

This makes Sliver an appealing tool for threat actors to use as a second stage to gain elevated access to the target system after compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitation of unpatched flaws. It was demonstrated that Sliver could be leveraged for privilege escalation, following it up by credential theft and lateral movement to ultimately take over the domain controller for the exfiltration of sensitive data. It is recommended to employ tools that have behavior-based detection capabilities to automatically detect and prevent malware. Additionally, keep the software updated and be wary of files coming from outside sources.

4. VMware patches critical vRealize Log Insight software vulnerabilities

IVMware has recently released software updates to address four security vulnerabilities that have been identified in its vRealize Log Insight software, also known as Aria Operations for Logs. These vulnerabilities have the potential to expose users to remote code execution (RCE) attacks. Among these vulnerabilities, two have been rated as critical.

The two vulnerabilities are directory traversal vulnerability (CVE-2022-31706) and broken access control vulnerability (CVE-2022-31704) with CVSSv3 base score of 9.8. A malicious attacker who is unauthenticated can exploit these vulnerabilities in the impacted appliance by injecting files into the operating system, resulting in remote code execution. This highlights the importance of users to update their software as soon as possible and install the appropriate patches to protect against any potential malicious attacks.

5. DragonSpark attacks employ Golang malware to evade detection

The DragonSpark attacks are carried out by a threat actor who uses malware written in the Golang programming language. This malware can interpret embedded Golang source code during runtime, making it difficult for static analysis to detect. Indicators of the DragonSpark attacks include the compromise of web servers and MySQL database servers that are accessible from the Internet.

Another notable malware used by the DragonSpark group is m6699.exe, which is also written in Golang. This allows it to launch a shellcode loader that can contact the command-and-control server to receive and execute additional payloads. To reduce the attack surface, limit the number of systems exposed to the Internet and ensure that only essential services are accessible from the Internet. It is also recommended to use secure protocols for remote access and implement strong authentication mechanisms, such as multi-factor authentication.