Red Hat Security Advisory 2024-4249-03 - An update for c-ares is now available for Red Hat Enterprise Linux 8. Issues addressed include an out of bounds read vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4249.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Low: c-ares security updateAdvisory ID:        RHSA-2024:4249-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4249Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-25629====================================================================Summary: An update for c-ares is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact ofLow. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.Description:The c-ares C library defines asynchronous DNS (Domain Name System) requests andprovides name resolving API.Security Fix(es):* c-ares: Out of bounds read in ares__read_line() (CVE-2024-25629)For more details about the security issue(s), including the impact, a CVSSscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-25629References:https://access.redhat.com/security/updates/classification/#lowhttps://bugzilla.redhat.com/show_bug.cgi?id=2265713

Red Hat Security Advisory 2024-4249-03

Red Hat Security Advisory 2024-4247-03 - An update for libuv is now available for Red Hat Enterprise Linux 8. Issues addressed include a server-side request forgery vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4247.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: libuv security updateAdvisory ID:        RHSA-2024:4247-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4247Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-24806====================================================================Summary: An update for libuv is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:libuv is a multi-platform support library with a focus on asynchronous I/O. Security Fix(es):* libuv: Improper Domain Lookup that potentially leads to SSRF attacks (CVE-2024-24806)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24806References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2263292

Red Hat Security Advisory 2024-4247-03

Red Hat Security Advisory 2024-4246-03 - An update for container-tools is now available for Red Hat Enterprise Linux 8.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4246.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: container-tools security updateAdvisory ID:        RHSA-2024:4246-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4246Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-24786====================================================================Summary: An update for container-tools is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.Security Fix(es):* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-24786References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2268046

Red Hat Security Advisory 2024-4246-03

Red Hat Security Advisory 2024-4245-03 - An update for python3 is now available for Red Hat Enterprise Linux 8. Issues addressed include a remote SQL injection vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4245.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python3 security updateAdvisory ID:        RHSA-2024:4245-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4245Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-36039====================================================================Summary: An update for python3 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.Security Fix(es):* python-pymysql: SQL injection if used with untrusted JSON input (CVE-2024-36039)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36039References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2282821

Red Hat Security Advisory 2024-4245-03

Red Hat Security Advisory 2024-4244-03 - An update for python3.11-PyMySQL is now available for Red Hat Enterprise Linux 8. Issues addressed include a remote SQL injection vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4244.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: python3.11-PyMySQL security updateAdvisory ID:        RHSA-2024:4244-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4244Issue date:         2024-07-02Revision:           03CVE Names:          CVE-2024-36039====================================================================Summary: An update for python3.11-PyMySQL is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:This package contains a pure-Python MySQL client library. The goal of PyMySQL is to be a drop-in replacement for MySQLdb and work on CPython, PyPy, IronPython and Jython.Security Fix(es):* python-pymysql: SQL injection if used with untrusted JSON input (CVE-2024-36039)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-36039References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2282821

Red Hat Security Advisory 2024-4244-03

Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach.

‘Buy now, pay later’ payment specialist Affirm has warned that holders of its payment cards had their personal information exposed after a ransomware attack and data breach at Evolve Bank & Trust.

In a form 8-K, submitted to the Securities and Exchange Commission (SEC), Affirm states:

> “Because the Company \[Affirm Holdings, Inc\] shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”

According to Evolve, the attack started after “an employee inadvertently clicked on a malicious internet link.” Evolve refused to pay the ransom, and so the attackers leaked the data they downloaded.

Affirm isn’t the only fintech company affected by the Evolve breach. Business bank Mercury also notified customers that the data stolen from Evolve Bank & Trust included some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.

> “Affected Mercury customers have been notified of the breach and the preventative steps we are taking to keep customer funds secure.”

Money transfer service and payment platform builder Wise also published a statement on its website, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.

So, it’s entirely possible that other financials may come forward with similar notifications. Reportedly, Evolve has active partnerships with multiple fintech companies, including Shopify, Bilt, Plaid, and Stripe.

Keep your eyes and ears open and be wary of phishing attempts related to these breaches.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your digital footprint**

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

 Affirm says Evolve Bank data breach also compromised some of its customers 

Recently the Office of the Director of National Intelligence (ODNI) unveiled a new strategy for open-source intelligence (OSINT) and referred to OSINT as the “INT of first resort”. Public and private sector organizations are realizing the value that the discipline can provide but are also finding that the exponential growth of digital data in recent years has overwhelmed many traditional OSINT

OSINT / Artificial Intelligence

Recently the Office of the Director of National Intelligence (ODNI) unveiled a new strategy for open-source intelligence (OSINT) and referred to OSINT as the "INT of first resort". Public and private sector organizations are realizing the value that the discipline can provide but are also finding that the exponential growth of digital data in recent years has overwhelmed many traditional OSINT methods. Thankfully, Artificial Intelligence (AI) and Machine Learning (ML) are starting to provide a transformative impact on the future of information gathering and analysis.

**What is Open-Source Intelligence (OSINT)?**

Open-Source Intelligence refers to the collection and analysis of information from publicly available sources. These sources can include traditional media, social media platforms, academic publications, government reports, and any other data that is openly accessible. The key characteristic of OSINT is that it does not involve covert or clandestine methods of information gathering such as human intelligence or social engineering. If I could have obtained data during my time working for the U.S. Government but I no longer can as a civilian, that isn't OSINT.

Historically, OSINT has been a labor-intensive process involving several key steps:

1.  **Identification of sources:** Analysts determine which public sources are likely to contain relevant information.
2.  **Data collection:** Information is gathered from these sources, often through manual searches or web scraping tools.
3.  **Data processing:** The collected information is organized and structured for analysis.
4.  **Analysis:** Skilled analysts examine the data to identify patterns, trends, and insights.
5.  **Reporting:** Findings are compiled into reports for decision-makers to enable more informed decisions.

While effective, this approach faces limitations with the sheer volume of information available. Human analysts struggle to process everything manually and valuable insights may be hidden in complex patterns that are difficult for humans to detect. This is where AI/ML can provide a tremendous benefit in how information can be collected, processed and analyzed, thus freeing the human analyst to focus on things they are uniquely qualified for such as providing context. As a side benefit, this shift often improves morale as humans spend less time on mundane processing tasks and more time analyzing and reviewing information.

Tasks where AI/ML can provide immediate benefit include:

*   **Handling Massive Data Volumes:** AI systems can process and analyze enormous amounts of data at speeds far beyond human capabilities. This allows OSINT practitioners to cast a much wider net than previously possible and still deal with the results.
*   **Real-time Analysis:** The volume of information flow in today's digital world is staggering. AI-powered OSINT tools can monitor and analyze data streams in real-time, providing up-to-the-minute intelligence and enabling rapid response to emerging situations.
*   **Multilingual and Multimodal Analysis:** AI can break down language barriers by translating and analyzing content in multiple languages simultaneously. Moreover, it can process various data types – text, images, audio, and video – in an integrated manner, providing a more comprehensive intelligence picture. Many of these capabilities such as OpenAI's Whisper can be utilized offline, thus removing any concerns about operational security (OPSEC).
*   **Predictive Analytics:** By analyzing historical data and current trends, AI can help predict future events or behaviors, adding a proactive dimension to OSINT.
*   **Automation of Routine Tasks:** AI can help automate many time-consuming aspects of OSINT, such as data collection and initial filtering, freeing human analysts to focus on higher-level analysis and decision-making. Things that were previously very difficult if not impossible to implement, such as accurate sentiment analysis, are now trivial.

At SANS Network Security the SEC497 Practical OSINT course and the SEC587 Advanced OSINT course will provide students with hands-on experience utilizing these AI capabilities to not only provide an increase in productivity, but also discover new possibilities.

While no technology is perfect, and we must consider the potential ramifications that a hallucination could cause before we implement AI, key pieces of technology currently being utilized for OSINT include:

1.  **Natural Language Processing (NLP):** NLP allows machines to understand, interpret, and generate human language. In OSINT, NLP is crucial for:
    *   Sentiment analysis of social media posts
    *   Entity recognition to identify people, organizations, and locations in text
    *   Topic modeling to categorize large volumes of text data
    *   Machine translation for multilingual intelligence gathering
2.  **Computer Vision:** This technology enables machines to interpret and analyze visual information. In OSINT, computer vision is used for:
    *   Facial recognition in images and videos
    *   Facial comparisons to identify if the same person is featured in multiple images
    *   Object detection in imagery
    *   Optical character recognition (OCR) to extract text from images
    *   Scene understanding in video footage
3.  **Machine Learning and Data Mining:** How many times have you heard "those who don't know history are doomed to repeat it"? Machine Learning is the personification of that concept as it allows systems to learn from data and improve their performance over time. In OSINT, they are used for:
    *   Predictive analytics to forecast trends or events
    *   Anomaly detection to identify unusual patterns or behaviors
    *   Clustering and classification of data for easier analysis
    *   Network analysis to understand relationships between entities

I've been doing OSINT for almost two decades and this is by far the most dynamic, and exciting time I've seen with new developments in the space literally occurring daily. If you're going to be at Network Security in Las Vegas this September, I look forward to discussing how this capability can improve our effectiveness and efficiency today, as well as what we can expect in the future.

Not yet registered for SANS Network Security? Check out this page to see all that's in store!

**Note:** _This article is expertly written by Matt Edmondson, a SANS Principal Instructor and Principal at Argelius Labs, with a decade of professional OSINT experience._

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Emerging Role of AI in Open-Source Intelligence

Proton is adding an end-to-end encrypted documents editor to its privacy tools, boosting its competition with Google’s suite of productivity apps.

When particle physicist Andy Yen launched the privacy-focused email service Proton Mail as an ambitious crowdfunding campaign in 2014, the ultimate goal was to make it easier for people to be private online. Now, more than a decade on, his Switzerland-based company, Proton, is in the process of taking one of its biggest potential steps to reduce Google’s online dominance.

Today, Proton is launching the ability to create, edit, and collaborate on end-to-end encrypted documents within its online file storage systems. This means that only the creator of a document, and anyone they have shared it with, can view the contents of the file. Nobody else, including Proton, can see what has been written in the documents, according to the company.

The move to add encrypted documents to Proton is a shot at the data-hungry approaches of Google and Microsoft, which both host individual and business cloud services but don’t encrypt files and can also collect vast amounts of data about people. It also makes Proton one of only a handful of businesses providing encrypted documents and editing online.

“One thing that we’ve heard a lot from both businesses and also consumers is that they need a document product, because Google Docs is the reason they stay on Google,” Proton founder and CEO Yen tells WIRED. “It will look and feel a bit like Google Docs, because in fact, it's supposed to be easy for people to adopt. The biggest barrier to privacy has always been user experience.”

Courtesy of Proton

Documents in Proton Drive, which will start rolling out to people today, does look like Google Docs. In screenshots shared by Proton, it appears to be a clean document editor, with many of the standard options you would expect: font and text changes, formatting, adding links, images, and more. The document editor is initially only available on the web and not in app form.

Yen says Proton has been internally using the system for the last month and is now ready to roll it out to consumers. “I feel it is relatively polished,” Yen says. To compete with other online document editors, he says, the team also built in collaboration functionality from the beginning. This includes real-time editing by multiple people, commenting, and showing when someone else is viewing the document.

In April, Proton acquired encrypted note-taking app Standard Notes, which is a separate product from Docs. “It's actually not ‘take Standard Notes and stick it into Proton,’” Yen says, adding that the encryption architecture of the two were different, and Proton Docs is “more or less a ground-up, clean build in Proton’s ecosystem on our software stack.” (WIRED was unable to test the Docs before it was launched).

The big difference Proton is adding when compared to Google Docs is the encryption—something that is challenging to do at scale and also harder when a document has multiple people editing it at the same time. Yen says it's not just the contents of documents that are being encrypted, so are other elements like keystrokes, mouse movements, and file names and paths.

The company, which last month announced it is moving toward a nonprofit status, uses open source encryption, and Yen says building the Docs system required encryption key exchange and synchronization to happen across multiple users. Part of this was possible, Yen says, because last year the company added version history for documents stored in its Drive system, which the Docs are built on top of.

There are relatively few—if any—major end-to-end encrypted document editors online. Other existing services, which WIRED has not tried, include CryptPad and various note-taking or notepad-style apps. There are also apps that encrypt files locally on your machine, such as Cryptee and Anytype.

Recently, Proton has been moving quickly to launch new encrypted products—adding cloud storage, a VPN, a password manager, and calendar alongside its original ProtonMail email service. The company has also faced scrutiny over some information it has provided to law enforcement, such as recovery emails that have been added to accounts. It changed some of its policies in 2021 after being ordered to collect some user metadata. While the company is based outside of the US and EU, it still responds to thousands of Swiss law enforcement requests.

Ultimately, Yen says, the company is trying to offer as many private alternatives to Big Tech services, particularly Google, as it can. “Everything Google’s got, we’ve got to build as well. That's the road map. But the challenge, of course, is the order in which you do it,” Yen says. “In some sense, taking privacy to a more mainstream audience also requires going further afield, trying different things, and being a bit more adventurous in the things that we build and things that we launch.”

Proton Is Launching Encrypted Documents to Take On Google Docs

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.
"MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard

Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called **MerkSpy** as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S.

"MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week.

The starting point of the attack chain is a Microsoft Word document that ostensibly contains a job description for a software engineer role.

But opening the file triggers the exploitation of CVE-2021-40444, a high-severity flaw in MSHTML that could result in remote code execution without requiring any user interaction. It was addressed by Microsoft as part of Patch Tuesday updates released in September 2021.

In this case, it paves the way for the download of an HTML file ("olerender.html") from a remote server that, in turn, initiates the execution of an embedded shellcode after checking the operating system version.

"Olerender.html" takes advantage of "'VirtualProtect' to modify memory permissions, allowing the decoded shellcode to be written into memory securely," Lin explained.

"Following this, 'CreateThread' executes the injected shellcode, setting the stage for downloading and executing the next payload from the attacker's server. This process ensures that the malicious code runs seamlessly, facilitating further exploitation."

The shellcode serves as a downloader for a file that's deceptively titled "GoogleUpdate" but, in reality, harbors an injector payload responsible for evading detection by security software and loading MerkSpy into memory.

The spyware establishes persistence on the host through Windows Registry changes such that it's launched automatically upon system startup. It also comes with capabilities to clandestinely capture sensitive information, monitor user activities, and exfiltrate data to external servers under the threat actors' control.

This includes screenshots, keystrokes, login credentials stored in Google Chrome, and data from the MetaMask browser extension. All this information is transmitted to the URL "45.89.53\[.\]46/google/update\[.\]php."

The development comes as Symantec detailed a smishing campaign targeting users in the U.S. with sketchy SMS messages that purport to be from Apple and aim to trick them into clicking on bogus credential harvesting pages ("signin.authen-connexion\[.\]info/icloud") in order to continue using the services.

"The malicious website is accessible from both desktop and mobile browsers," the Broadcom-owned company said. "To add a layer of perceived legitimacy, they have implemented a CAPTCHA that users must complete. After this, users are directed to a webpage that mimics an outdated iCloud login template."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal.
"FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the company said in a Tuesday analysis.
Drive-by attacks

The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal.

"FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the company said in a Tuesday analysis.

Drive-by attacks entail the use of methods like search engine optimization (SEO) poisoning, malvertising, and nefarious code injections into compromised sites to entice users into downloading bogus software installers or browser updates.

The use of malware loaders over the past few years dovetails with the growing use of landing pages impersonating legitimate software websites by passing them off as legitimate installers. This ties into the larger aspect that phishing and social engineering remain one of the threat actors' main ways to acquire initial access.

FakeBat, also known as EugenLoader and PaykLoader, has been offered to other cybercriminals under a LaaS subscription model on underground forums by a Russian-speaking threat actor named Eugenfest (aka Payk\_34) since at least December 2022.

The loader is designed to bypass security mechanisms and provides customers with options to generate builds using templates to trojanize legitimate software as well as monitor installations over time through an administration panel.

While the earlier versions made use of an MSI format for the malware builds, recent iterations observed since September 2023 have switched to an MSIX format and added a digital signature to the installer with a valid certificate to sidestep Microsoft SmartScreen protections.

The malware is available for $1,000 per week and $2,500 per month for the MSI format, $1,500 per week and $4,000 per month for the MSIX format, and $1,800 per week and $5,000 per month for the combined MSI and signature package.

Sekoia said it detected different activity clusters disseminating FakeBat by three primary approaches: Impersonating popular software through malicious Google ads, fake web browser updates via compromised sites, and social engineering schemes on social networks. This encompasses campaigns likely related to the FIN7 group, Nitrogen, and BATLOADER.

"In addition to hosting payloads, FakeBat \[command-and-control\] servers highly likely filter traffic based on characteristics such as the User-Agent value, the IP address, and the location," Sekoia said. "This enables the distribution of the malware to specific targets."

The disclosure comes as the AhnLab Security Intelligence Center (ASEC) detailed a malware campaign distributing another loader named DBatLoader (aka ModiLoader and NatsoLoader) through invoice-themed phishing emails.

It also follows the discovery of infection chains propagating Hijack Loader (aka DOILoader and IDAT Loader) via pirated movie download sites to ultimately deliver the Lumma information stealer.

"This IDATLOADER campaign is using a complex infection chain containing multiple layers of direct code-based obfuscation alongside innovative tricks to further hide the maliciousness of the code," Kroll researcher Dave Truman said.

"The infection hinged around utilizing Microsoft's mshta.exe to execute code buried deep within a specially crafted file masquerading as a PGP Secret Key. The campaign made use of novel adaptations of common techniques and heavy obfuscation to hide the malicious code from detection."

Phishing campaigns have further been observed delivering Remcos RAT, with a new Eastern European threat actor dubbed Unfurling Hemlock leveraging loaders and emails to drop binary files that act as a "cluster bomb" to spread different malware strains at once.

"The malware being distributed using this technique is mostly comprised of stealers, such as RedLine, RisePro, and Mystic Stealer, and loaders such as Amadey and SmokeLoader," Outpost24 researcher Hector Garcia said.

"Most of the first stages were detected being sent via email to different companies or being dropped from external sites that were contacted by external loaders."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Latest News