Cyber Threat Breakdown March 2023

Created: April 6, 2023

Updated: July 3, 2023

March 21^st is the beginning of the spring, by cyber attackers did not wait for that date to spring into action.

Here is a summary of March’s main attacks, indexed for easy navigation.

The New

The New Mirai: Evolving Threat in the Wild

The Cymulate research team has identified a new version of the notorious Mirai malware in the wild. The malware originates from the primary IP 171.22.136.15, hosting the payload, which then communicates with 109.206.243.207.

Analyzing the Stealc Information Stealer

The Stealc information stealer was first identified being advertised on the Dark Web in early 2023. The threat actor responsible for this malicious software used the Vidar, Raccoon, Mars, and Redline stealers as a foundation for its development. Stealc, written in pure C, downloads legitimate third-party DLLs, deletes files, and exfiltrates data from a range of sources, including web browsers, web plugins, desktop wallets, and email clients. As the Stealc information stealer continues to pose a threat, organizations and individuals should remain vigilant in protecting their systems and data.

CVE-2023-21716: Microsoft Office Remote Code Execution Vulnerability

CVE-2023-21716 is a critical vulnerability in Microsoft Office’s wwlib library that allows attackers to execute arbitrary code with the privileges of the victim who opens a malicious RTF document. The vulnerability affects multiple Microsoft Office versions, including Office 365, 2016, 2013, 2010, and 2007. While Microsoft Office 2010 and later versions have a Protected View feature to help limit damage from malicious documents, this is insufficient against this vulnerability due to the requirement of an additional sandbox escape vulnerability to gain full privileges. Microsoft has released a security patch to address the vulnerability and urges affected users to install it promptly to prevent exploitation.

Whitesnake Stealer: New Malware Sold via MaaS Model

Cyble has identified a new malware strain called “WhiteSnake” that targets both Windows and Linux operating systems. First discovered on cybercrime forums, the WhiteSnake stealer is offered at various price points, from $120/month to $1,500/lifetime. Researchers note that the stealer’s binary undergoes frequent daily updates, indicating ongoing development.

The cyber-attack chain begins with spam emails containing an executable attachment disguised as a PDF document. This attachment is a BAT file converted to an executable using “Bat2Exe.” Upon execution, it drops another BAT file in a temporary folder, which then spawns a PowerShell to download and execute a file named “build.bat” from a Discord URL. The “build.bat” file contains the WhiteSnake stealer encoded in Base64. Utilizing Certutil, it decodes the stealer, saves it as “build.exe” in a temporary folder, and executes it, completing the deployment.

WhiteSnake is capable of creating mutex to prevent reinfections, anti-forensics with environmental checks, and gathering a wide range of information, including browser cookies, autofills, login data, and web data. It can also steal files from various cryptocurrency wallets and extract sensitive data from messaging applications, email clients, and other specific applications. The collected data is aggregated, encrypted, and exfiltrated through Telegram.

Clasiopa Group Targets Materials Research

A campaign targeting the materials research sector is believed to be related to a recently identified threat group tracked by Symantec as Clasiopa. The group uses custom malware and utilities like Athravan (a custom RAT) and a custom proxy tool, as well as hacking tool Thumbsender and a commodity RAT. The group attempts to evade detection by using Windows binaries and scheduled tasks to list file names. Attribution remains low confidence as analysts continue to analyze the group’s activities

SYS01 Stealer: How It Gets Your Sensitive Facebook Info

Morphisec analysts have been tracking an advanced information stealer named SYS01 Stealer. It employs similar lures and loading techniques as the S1deload stealer, but its payload is different. To evade security vendors, the attacker uses Rust, Python, PHP, and PHP advanced encoders in the delivery chain.

The attack starts by enticing a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file pretending to contain an application, game, movie, etc. The infection chain consists of two parts: the loader and the Inno-Setup installer that drops the final payload.

The loader is typically a legitimate C# application with a side-loading vulnerability. It comes with a hidden, malicious dynamic link library (DLL) file, which is eventually side-loaded into the application. This legitimate application then drops the Inno-Setup installer that decompresses into a whole PHP application containing malicious scripts. These PHP scripts steal and exfiltrate information, and are encoded using various techniques, making analysis and detection more difficult.

There are multiple delivery methods, such as DLL side-loading, Rust and Python executables, and others. These methods drop an Inno-Setup installer that deploys the PHP information stealer. The PHP scripts can steal a user’s Facebook information by accessing the victim’s cookies and utilizing Facebook’s Graph API.

US CERT Alert – Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server

ISA and other organizations have assessed that, starting around November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. This exploit granted the threat actors interactive access with the web server and allowed them to execute remote code on the vulnerable web server. The agency’s vulnerability scanner failed to detect the vulnerability because the Telerik UI software was installed in a file path it doesn’t typically scan. The same version of Telerik UI for ASP.NET AJAX contains other known vulnerabilities, including CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248. Analysis suggests that cyber threat actors exploited CVE-2019-18935 in conjunction with either CVE-2017-11357 or CVE-2017-11317.

Microsoft Outlook Elevation of Privilege Vulnerability Exploit

Microsoft has identified a security vulnerability (CVE-2023-23397) in Outlook that allows attackers to gain elevated privileges simply by opening an email message. To address this issue, Microsoft has released several patches for their products. CVE-2023-23397 is a critical privilege elevation/authentication bypass vulnerability in Outlook, affecting all versions of Windows Outlook. The vulnerability, which has a 9.8 CVSS rating, is one of two zero-day exploits disclosed on March 14.

DotRunpeX: Unraveling the New Virtualized .NET Injector

DotRunpeX is a recently discovered .NET injector that utilizes the Process Hollowing technique to infect systems with various known malware families. This new injector shares similarities with its older version, indicated by the consistent version information across all samples. DotRunpeX is typically delivered as a second-stage infection following various .NET loaders/downloaders delivered via phishing emails or malicious websites. The injector is protected by a customized version of the KoiVM virtualizer and exhibits several advanced features, including UAC bypass techniques and simple XOR decryption for the main payload. The malware appears to be Russian-based, as indicated by certain elements like the procexp driver name.
Attackers exploit the vulnerability by sending a message to the victim containing an extended MAPI property with a UNC path to a remote attacker-controlled SMB server. The vulnerability is exploited whether the recipient has seen the message or not. When the victim connects to the attacker’s SMB server, the connection sends the user’s NTLM negotiation message automatically, which the attacker can use for authentication against other systems that support NTLM authentication. Threat actors can attempt an NTLM relay attack to gain access to other services or even compromise entire domains if the compromised users are admins.

Google Advertising Used to Distribute Redline Stealer

A malvertising campaign has been discovered that mimics websites belonging to well-known software such as Notepad++ and Blender 3D to drop the RedLine information stealer. An unregistered version of .NET Reactor was used to protect the loader malware from debuggers, and multiple PowerShell commands were used to download the malware from an external location. The payload was loaded directly into the memory of a process to avoid detection.

MacStealer: Newly Identified macOS-Based Stealer Malware

The Uptycs threat research team has discovered a new macOS stealer, dubbed MacStealer, that operates via Telegram. The stealer affects Catalina and later macOS versions on Intel M1 and M2 CPUs. MacStealer is capable of extracting documents, browser cookies, and login information from victims. The malware collects passwords, cookies, and credit card data from Firefox, Google Chrome, and Brave browsers, as well as extracting various file types and the KeyChain database. The malware is distributed via a .DMG file and uses a fake password prompt to gather user credentials. Once the data is collected, the stealer sends it to the command-and-control server and deletes it from the victim’s system.

IcedID’s New Era: Emergence of New Variants

Researchers have discovered new variants of IcedID malware being used by multiple threat actors. These forked versions removed the banking functionality and may have connections to the Emotet malware family. The initial infection vector involved spam emails with malicious attachments, including some messages containing Microsoft OneNote attachments.

Active Intrusion Campaign Targeting 3CXDesktopApp Customers

CrowdStrike and SentinelOne have observed malicious activity stemming from a legitimate, signed binary, 3CXDesktopApp, a softphone application developed by 3CX. The attack includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and hands-on-keyboard activity in some cases. The multi-stage attack chain unfolds as the 3CXDesktopApp serves as a shellcode loader, with shellcode executed from heap space. This stage downloads icon files from a dedicated GitHub repository, which contain Base64 data appended at the end. The final stage implements infostealer functionality, gathering system information and browser data from Chrome, Edge, Brave, and Firefox browsers.

The Comebacks

Dissecting the DarkCloud Stealer’s Mechanisms

The DarkCloud Stealer, an information-stealing malware first observed in 2022, is designed to extract sensitive data such as credit card details, passwords, social security numbers, and personal information from compromised mobile devices and computer systems. It propagates through phishing campaigns and employs a multi-stage infection process. The exfiltration of sensitive data is conducted via SMTP, Telegram Web Panel, and FTP.

Rig Exploit Kit Expands Its Arsenal

Since its emergence in 2014, the Rig Exploit Kit has continued to pose a threat to the digital landscape. Recently, the kit incorporated new exploits for CVE-2021-26411 and CVE-2020-0674. Successful infections can result in devices being compromised by information stealers, downloaders, backdoors, remote access trojans, and ransomware. Some of the malware variants distributed by the exploit kit include Gozi, Dridex, Racoon Stealer, Redline Stealer, IcedID, Zloader, TrueBot, and Royal Ransomware.

Wip26 Manipulates Cloud Infrastructure in Targeted Telecom Attacks

The WIP26 threat actor has been implicated in targeted attacks against telecommunication providers in the Middle East, utilizing custom backdoors to gain access and exfiltrate sensitive data. To avoid detection and remain inconspicuous, the threat actor leveraged public cloud infrastructure such as Microsoft 365 Mail, Microsoft Azure, Google Firebase, and Dropbox. The malware variants used in these operations, CMD365 and CMDEmber, employed invalid digital signatures for defense evasion and relied on scheduled tasks for persistence.

Iron Tiger’s Sysupdate Returns with Linux Targeting Capabilities

Iron Tiger, an advanced persistent threat (APT) group known for cyberespionage over the past decade, has reemerged with a new version of Sysupdate. The updated malware shares similarities with the 2021 variant, but with two significant changes: the removal of the C++ run-time type information (RTTI) classes previously observed in 2021 and the modification of the code structure to utilize the ASIO C++ asynchronous library. These alterations prolong the reverse engineering process for the samples. Analysts recommend organizations and users in targeted industries to strengthen their security measures against this ongoing campaign.

BlackLotus Malware Bypasses Secure Boot on Windows Machines

BlackLotus, a UEFI bootkit priced at $5,000 on hacking forums, has become the first known malware capable of bypassing Secure Boot on Windows systems. Secure Boot is designed to prevent unauthorized software from running on Microsoft devices. By targeting UEFI, BlackLotus loads before the operating system and security tools, effectively circumventing detection. The malware exploits the CVE-2022-21894 vulnerability, which was fixed by Microsoft in January 2022 but remains exploitable due to the absence of affected signed binaries in the UEFI revocation list. BlackLotus can disable various OS security tools, deploy a kernel driver, and utilize an HTTP downloader, making it a formidable threat.

Operation Silent Watch and OxtaRAT Backdoor

Operation Silent Watch is a cyberespionage campaign conducted by threat actors leveraging the OxtaRAT backdoor for desktop surveillance and remote access to gather information. The targeted victims include independent media, dissidents, and human rights organizations within Azerbaijan. OxtaRAT is a polyglot file that combines AutoIt scripts and images to support its various backdoor features.

Exposing The Lazarus Arsenal Winordll64 Backdoor

In 2021, researchers discovered and dissected a tool from the Lazarus APTs arsenal named the Wslink downloader. Recently, a payload associated with the Wslink downloader was identified, called the WinorDLL64 backdoor. This backdoor collects system information, manipulates files, and is capable of exfiltration, overwriting, and removing files. It also executes additional commands and communicates via the Wslink established connection.

ImBetter Information Stealer Targets Cryptocurrency Users

Threat actors are targeting cryptocurrency users with the ImBetter information stealer malware. Adversaries are hosting malicious phishing websites that masquerade as crypto-wallets and online file converters to lure victims into downloading and executing the malicious software. The malware terminates itself if the system belongs to multiple regions, including Russian, Kazakh, Tatar, Bashkir, Belarusian, Yakut, or Russian Moldova. The stealer collects a range of sensitive information and exfiltrates the data to command-and-control servers.

GlobeImposter Ransomware Spread via RDP and MedusaLocker

GlobeImposter ransomware campaign has been linked to the attackers behind MedusaLocker. The threat actors are believed to have brute-forced systems with RDP enabled for initial access. They used various tools, such as Mimikatz, Advanced Port Scanner, and NirSoft Network Password Recovery, to dump passwords and perform reconnaissance. In addition to encrypting files, the threat actor also installed XMRig to mine digital assets.

HiatusRAT Targets Business-Grade Routers

Business-grade routers are being targeted by the HiatusRAT Remote Access Trojan, which deploys a variant of tcpdump for packet capturing and a bash script for post-exploitation. The malware opens a listener on port 8816 and sends sensitive information to command-and-control servers. Data collected includes system, network, and file information, as well as details about running processes on the infected device.

MuddyWater Attacks in Israel

Iranian threat actor MuddyWater, affiliated with the Iranian Ministry of Intelligence and Defense (MOIS), has increased its activity against Israeli targets, focusing on government, education, and financial sectors. The group exploits known vulnerabilities like log4j and uses tools like RAT and Syncro RAT for distribution. MuddyWater employs ransomware to impact affected systems, encrypting files using AES and IV keys encrypted by a public RSA key.

The Oldies

Emotet Campaign

A new Emotet campaign has been discovered, spreading through phishing emails containing malicious attachments or links. When a user opens the attachment or clicks the link, the malware infects the system and spreads to other computers on the network. Emotet steals sensitive information such as email credentials, passwords, and financial data, and can also download and install additional malware onto the infected system. To protect against Emotet and other malware, keep your antivirus software updated and educate employees about avoiding phishing scams.

Threat Actors Use ParallaxRAT for Targeting Cryptocurrency Entities

Threat actors are using ParallaxRAT to target organizations in the cryptocurrency sector through spam and phishing campaigns that lead to a Parallax RAT malware infection. When Payload1 is executed, its contents are decrypted and Payload2 (Parallax RAT) is created. The Parallax RAT is then injected into pipanel.exe via process hollowing. This malware can steal information like computer names, victim keystrokes, OS details, and read the clipboard. Once successfully compromised, the malware communicates with the threat actor who uses MS notepad to interact with the victim and instructs them to connect with the threat actors via an established Telegram Channel.

APT36 Targets Indian Defense Research and Development Organization (DRDO)

Buckeye, a cyberespionage group also known as APT3, Gothic Panda, UPS Team, and TG-0110, has shifted its focus from organizations in the US to political entities in Hong Kong since June 2015. A recent APT36 campaign began with a spam email containing a malicious link hosted on a compromised website. The multistage attack employed various techniques, including the use of mshta.exe and a PowerPoint file, to load a DLL file into memory, leading to the final payload of remote access trojans that exfiltrated sensitive information.

That is all for now.

Stay cyber safe!

Star Your Free Trial

Eyal Aharoni

Eyal is the VP of Customer Success at Cymulate. During the last 15 years Eyal performed in a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.