Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin.

Wednesday, December 6, 2023 13:33

Cisco Talos has disclosed 10 vulnerabilities over the past two weeks, including nine that exist in a popular online PDF reader that offers a browser plugin. 

Attackers could exploit these vulnerabilities in the Foxit PDF Reader to carry out a variety of malicious actions, but most notably could gain the ability to execute arbitrary code on the targeted machine. Foxit aims to have feature parity with Adobe Acrobat Reader, the most popular PDF-reading software currently on the market. The company offers paid versions of its software for a variety of users, including individuals and enterprises. There are also browser plugins of Foxit that run in a variety of web browsers, including Google Chrome and Mozilla Firefox. 

Talos’ Vulnerability Research team also found an integer overflow vulnerability in the GPSd daemon, which is triggered if an attacker sends a specially crafted packet, causing the daemon to crash. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Multiple vulnerabilities in Foxit PDF Reader **

_Discovered by Kamlapati Choubey._ 

Foxit PDF Reader contains multiple vulnerabilities that could lead to remote code execution if exploited correctly.  

TALOS-2023-1837 (CVE-2023-32616) and TALOS-2023-1839 (CVE-2023-38573) can be exploited if an attacker embeds malicious JavaScript into a PDF, and the targeted user opens that PDF in Foxit. These vulnerabilities can trigger the use of a previously freed object, which can lead to memory corruption and arbitrary code execution.  

TALOS-2023-1838 (CVE-2023-41257) works in the same way, but in this case, it is caused by a type confusion vulnerability.  

Three other vulnerabilities could allow an attacker to create arbitrary HTA files in the context application, and eventually gain the ability to execute arbitrary code on the targeted machine. TALOS-2023-1832 (CVE-2023-39542), TALOS-2023-1833 (CVE-2023-40194) and TALOS-2023-1834 (CVE-2023-35985) are all triggered if the targeted user opens a specially crafted file in the Foxit software or browser plugin. 

**GPSd NTRIP Stream Parsing access violation vulnerability **

_Discovered by Dimitrios Tatsis._ 

An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPS daemon, which is used to collect and display GPS information in other software. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger TALOS-2023-1860 (CVE-2023-43628). 

According to GPSd’s website, this service daemon powers the map service on Android mobile devices and is “ubiquitous in drones, robot submarines, and driverless cars.” 

_Discovered by Claudio Bozzato and Francesco Benvenuto._ 

Talos researchers recently found multiple data integrity vulnerabilities in Buildroot, a tool that automates builds of Linux environments for embedded systems. 

An adversary could carry out a man-in-the-middle attack to exploit TALOS-2023-1845 (CVE-2023-43608) and TALOS-2023-1844 (CVE-2023-45842, CVE-2023-45839, CVE-2023-45838, CVE-2023-45840 and CVE-2023-45841) to execute arbitrary code in the builder. 

As a direct consequence, an attacker could then also tamper with any file generated for Buildroot’s targets and hosts. 

**Malformed Excel file could lead to arbitrary code execution in WPS Office **

_Discovered by Marcin “Icewall” Noga._ 

An uninitialized pointer use vulnerability (TALOS-2023-1748/CVE-2023-31275) exists in the functionality of WPS Office, a suite of software for word and data processing, that handles Data elements in an Excel file.  

A specially crafted malformed Excel file can lead to remote code execution. 

WPS Office, previously known as a Kingsoft Office, is a software suite for Microsoft Windows, macOS, Linux, iOS, Android, and HarmonyOS developed by Chinese software developer Kingsoft. It is installed by default on Amazon Fire tablet devices. 

Talos disclosed this vulnerability in November despite no official fix or patch from Kingsoft after the company did not respond to our notification attempts and failed the 90-day deadline as outlined in Cisco’s third-party vendor vulnerability disclosure policy.

Remote code execution vulnerabilities found in Buildroot, Foxit PDF Reader

The team recaps the top malware and attacker trends from 2023, and create a new mascot to save Thanksgiving.

Wednesday, December 6, 2023 05:41

In this episode the Beers with Talos team, led by special guest Dave Liebenberg, set out to save Thanksgiving. The TurkeyLurkey man is the hero that everybody needs, but perhaps don't deserve.

For fans and opposers of Dave's Ranksgiving list, you'll be pleased to know he's back with a whole new order, and some new snackable entrants.

Oh, and if it's security content you're after, we have some! Our 2023 Year in Review is out now, and the team recaps the top malware and attacker trends from the year. We also discussed the recent CNN article and Talos blog on our work to protect Ukraine's power grid.

If you'd like to read more, download the full Talos Year in Review report here.

Subscribe to future episodes of Beers with Talos at your own peril here.

Beers with Talos episode 141: The TurkeyLurkey Man wants YOU to read Talos' Year in Review report

The second annual Cisco Talos Year in Review draws on a massive amount of threat data to analyze the major trends that shaped the threat landscape in 2023.

Tuesday, December 5, 2023 18:25

The 2023 Cisco Talos Year in Review is now available to download. 

Once again, the Talos team has meticulously combed through a massive amount of data to analyze the major trends that have shaped the threat landscape in 2023. Global conflict influenced a lot of these trends, altering the tactics and approaches of many threat actors. In operations ranging from espionage to cybercrime, we’ve seen geopolitical events have a significant impact on the way these are carried out.

At the beginning of the Year in Review is a “Top Trends” section comprised of regional trends over time and the influence of geopolitical events, the CVEs attackers exploited most often, spam tactics, and the top MITRE ATT&CK techniques that have been used within attacks.  The report then deep dives on four topics:  

The evolution of ransomware and extortion. The concerning rate of attacks against network infrastructure devices. The activities of advanced persistent threat (APT) actors in China, Russia, and the Middle East. This section also includes the major threats our Ukraine Task Unit dealt with this year. The shifting activities and impact of commodity loaders. 

Cisco’s global presence and Talos’ world-class expertise provided a massive amount of data to research — endpoint detections, incident response engagements, network traffic, email corpus, sandboxes, honeypots and much more. Thankfully, our teammates include subject matter experts from all ends of the cybersecurity space to help us turn this intelligence into actionable information for defenders and users.  

So, what is the main story of the 2023 Year in Review? Despite the accelerated pace of many threat actor campaigns and the geopolitical events that shaped them, the defensive community’s diligence, inventiveness and collaborative efforts are helping to push adversaries back.  

Download the Cisco Talos Year in Review today, and please share it with your colleagues and communities. This report was written by defenders, for defenders, and we hope it proves a useful and insightful resource for you. 

For more Year in Review content, visit the 2023 Year in Review landing page.

The malware, attacker trends and more that shaped the threat landscape in 2023

Project PowerUp is the story of how Cisco Talos worked with a multi-national, multi-company coalition of volunteers and experts to help “keep the lights on” in Ukraine, by injecting a measure of stability in Ukraine’s power transmission grid.

Project PowerUp – Helping to keep the lights on in Ukraine in the face of electronic warfare

Fake Facebook ads seem to be the flavor of the month for scammers.

Thursday, November 30, 2023 14:00

I know I’m a little late to the party to hit the prime SEO for Black Friday, Cyber Monday and holiday shopping. But if I know the readers of this newsletter, everyone is far from done with their holiday shopping already after a few days. 

I also know I’m far from the only person to warn consumers about scams during this season, so I’m trying to split the difference and highlight a few specific scams and spam campaigns that are already circulating in the wild, some of which popped up right on Black Friday, so you don’t get caught in the remaining days leading up to the winter holidays. 

Fake Facebook ads seem to be the flavor of the month for scammers. This is completely anecdotal, but my mom almost got “got” with a fake Facebook post in a group she belongs to claiming to have some great deals on Nintendo Switch games on Amazon that were not actually real (thankfully she hadn’t clicked the link before she asked me if “Mario Odyssey” was a good deal at $15).  

Still, several other reports have shown that scammers are using Facebook ads to advertise a deal for a $19 Stanley cup — these are the water bottles all the influencers are using nowadays and, even when they are on sale, don’t go for any less than about $35. In this case, it looks like the actors are just looking to take your money or credit card information with a fake ordering process and no plans to send you anything. 

Adversaries have also set up fake Facebook pages and web pages disguising themselves as the retailer Big Lots. These fake ads and posts offer vague deals and sales on various products but instead point to typo-squatted Big Lots websites (or URLs that vaguely seem like they could be connected to Big Lots).  

Scammers are also sending mass emails to subscribers of various streaming services like Amazon Prime, Paramount+ and Peacock claiming that their subscription has lapsed, but they can resubscribe for a deeply discounted price, or even free, as part of a Black Friday special.  

Amazon also issued a warning recently that attackers have been sending emails with malicious attachments asking for users' personal information in exchange for having their “accounts” unlocked. 

This is just a sampling of the likely hundreds of different scams and spam campaigns attackers are deploying right now, so in general, when shopping online, here are a few tips: 

*   Only download apps from trusted and official app stores like the Google Play store and iOS App Store. 
*   Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features. 
*   Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com). 
*   Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening it. 
*   Use an ad blocker locally on your browser. These will often block any malvertising campaigns that aim to capitalize on shoppers looking for deals. 
*   Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure. 
*   Use unique, complex passwords, per site. Attackers commonly reuse passwords to compromise multiple accounts with the same username. Use a password locker if you have a hard time creating and remembering secure passwords. 
*   Manually type in URLs to sites you want to visit rather than clicking on links. 
*   Use multi-factor authentication, such as Cisco Duo, to log into your email account to avoid unauthorized access. 

Next week, Talos will have a holiday special of our own! On Dec. 5, we’ll be launching our second-ever Year in Review report, complete with all new data and insights about the attacks and malware we’ve seen in 2023. Stay tuned to our social media channels or blog for that release.  

**The one big thing **

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. 

**Why do I care? **

If infected, SugarGh0st serves as a fully functional backdoor for the adversary that can execute most remote-control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell. SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive, and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services. 

**So now what? **

Since this seems to be an offshoot of GhostRAT, we certainly can’t rule out any other variants that may be floating out there. Talos also has new ClamAV signatures, Snort rules and other Cisco Secure protection to specifically detect and stop SugarGh0st.  

**Top security headlines of the week **

**Cisco Talos and other teams across Cisco recently worked with multiple government partners to help protect the Ukrainian power grid and ensure it runs appropriately.** The effort, spearheaded by Talos’ Joe Marshall, involved creating bespoke hardware for Ukraine’s energy supplier, Ukrenergo, to operate in place of traditional GPS devices that the Ukrainian power grid relies on to keep running on time. GPS satellites and Ukrainian substations have constantly been the target of kinetic and cyber threats during Russia’s invasion of Ukraine. Officials from multiple U.S. government agencies assisted in the project.  The Pentagon set up flights to physically deliver the manipulated switches, the Department of Energy helped coordinate the equipment’s delivery, and, as Ukrenergo told CNN, the Department of Commerce was a part of critical meetings that first outlined this project. Taras Vasyliv, who oversees power dispatching for Ukrenergo, told CNN that the custom-built switches were the equivalent of a “flashlight” for a surgeon who is trying to operate in the dark. (CNN, Business Insider) 

**Leaked government documents show that some local, federal and state law enforcement officers have been able to view the phone records of millions of Americans,** even those who have not been accused or suspected of a crime. The little-known Pentagon program was partially uncovered because of a letter sent from U.S. Sen. Ron Wyden of Oregon to U.S. Attorney General Merrick Garland, in Wyden’s office requested more information on the project and encouraged the federal government to publicly disclose this knowledge. The letter states the White House pays wireless company AT&T to give all federal, state, local, and Tribal law enforcement agencies “the ability to request often-warrantless searches.” Known as the “Hemisphere Project,” this program has apparently been around since 2007 and reported on by the New York Times in 2013 but has largely gone unnoticed since. Wyden is attempting to challenge the legality of the Hemisphere Project. (Wired) 

**Security researchers have found a way to bypass the Microsoft Hello login authentication system** used in many fingerprint readers and face ID scanners on devices from Dell, Lenovo and Microsoft. Researchers hired by Microsoft to test the security of the readers have since informed the company of these vulnerabilities. The attack the researchers outlined could provide access to a stolen laptop or carry out what's called an “evil maid” attack on an unattended device. Microsoft introduced Hello with its Windows 10 operating system, and since then has included fingerprint scanners on all its devices (though in some cases, Microsoft’s own hardware like the Surface tablet did not use Hello). Though the manufacturers are now aware of these vulnerabilities, the variety of attacks means it can be difficult to patch for these issues. However, all the attacks ultimately required physical access to a device. (Ars Technica, The Verge) 

**Can’t get enough Talos? **

*   Tech giant Cisco built special device to help Kyiv ward off cyberattacks on power grid 
*   Cisco whips up modded switch to secure Ukraine grid against Russian cyberattacks 
*   Talos Takes Ep. #163: Why has the Phobos ransomware been working for so long? 
*   The Need to Know: What is threat hunting? 
*   Vulnerability Roundup: Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution 

**Upcoming events where you can find Talos **

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

Virtual (Please note: This presentation will only be given in German) 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**What Threats Kept Us Up in 2023: A Year in Review and a Look Ahead** **(Dec. 13, 11 a.m. PT)** 

Virtual 

> _Each year brings new threats that take advantage of increasingly complex security environments. Whether it’s Volt Typhoon targeting critical infrastructure organizations across the United States or ALPHV launching an attack against casino giant MGM, threat actors are becoming bolder and more evasive. That’s why it’s never been more important to leverage broad telemetry sources, deep network insights and threat intelligence to respond effectively and recover faster from sophisticated attacks. Join Amy Henderson, Director of Strategic Planning and Communications at Cisco Talos and Briana Farro, Director of XDR Product Management at Cisco, as they discuss some of the top threat trends and threats we have seen this past year and how to leverage security technology like XDR and network insights to fight against them._ 

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** streamer.exe   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6   
**MD5:** 22ae85259273bc4ea419584293eda886   
**Typical Filename:** KMSAuto++ x64.exe   
**Claimed Product:** KMSAuto++   
**Detection Name:** Hacktool:PUP.26ld.in14.Talos 

**SHA 256:** 77c2372364b6dd56bc787fda46e6f4240aaa0353ead1e3071224d454038a545e   
**MD5:** 040cd888e971f2872d6d5dafd52e6194   
**Typical Filename:** tmp000c3787   
**Claimed Product:** Ultra Virus Killer   
**Detection Name:** PUA.Win.Virus.Ultra::95.sbx.tg 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

$19 Stanely cups, fake Amazon Prime memberships all part of holiday shopping scams circulating

Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.”

*   Cisco Talos recently discovered a malicious campaign that likely started as early as August 2023, delivering a new remote access trojan (RAT) we dubbed “SugarGh0st.” 
*   We found evidence suggesting the threat actor is targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. 
*   We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code.
*   We observed two infection chains leveraging Windows Shortcut embedded with malicious JavaScript to deliver the components to drop and launch the SugarGh0st payload.
*   In one infection chain, the actor leverages the DynamixWrapperX tool to enable Windows API function calls in malicious JavaScript for running the shellcode.
*   Talos assesses with low confidence that a Chinese-speaking threat actor is operating this campaign based on the artifacts we found in the attack samples.

**Suspected Chinese Actor targeting Uzbekistan and South Korea**

Talos discovered four samples deployed in this campaign that are likely targeting users in Uzbekistan and South Korea based on the language of the decoy documents, the lure content, and distribution indicators Talos found in the wild. 

One of the samples is sent to users in the Ministry of Foreign Affairs of Uzbekistan. The sample is an archive embedded with a Windows ShortCut LNK file which, upon opening, drops the decoy document “Investment project details.docx'' with Uzbek content about a presidential decree in Uzbekistan focused on enhancing state administration in technical regulation. The lure content of the decoy document was published in multiple Uzbekistan sources in 2021. The initial vector of the campaign is likely a phishing email with an attached malicious RAR archive file sent to an employee of the Ministry of Foreign Affairs.  

Decoy document in Uzbek language.

Besides Uzbekistan, we also observed indications of targets in South Korea. We found three other decoy documents written in Korean dropped by the malicious JavaScript file embedded in the Windows Shortcut, seemingly distributed in South Korea. The decoy document named “Account.pdf” was forged as a Microsoft account security notification for confirming an account registration with a generated password. Another decoy named “MakerDAO MKR approaches highest since August.docx'' uses the copied content from 코인데스크코리아 (CoinDesk Korea, a Korean news outlet that covers the blockchain). The third decoy document, named “Equipment\_Repair\_Guide.docx,” has the lure information with instructions for computer maintenance in an organization. To reinforce our assessment of South Korean targets, we also observed C2 domain requests from IPs originating from South Korea. 

The decoy documents found in the samples collected by Talos.

During our analysis, we observed a couple of artifacts that suggested the actor might be Chinese-speaking. Two of the decoy files we found have the “last modified by” names shown as “浅唱丶低吟” (Sing lightly, croon) and “琴玖辞” (seems to be the name of a Chinese novel author), which are both Simplified Chinese. 

The author and last editor’s information on decoy documents.

Besides the decoy document metadata, the actor prefers using SugarGh0st, a Gh0st RAT variant. The Gh0st RAT malware is a mainstay in the Chinese threat actors’ arsenal and has been active since at least 2008. Chinese actors also have a history of targeting Uzbekistan. The targeting of the Uzbekistan Ministry of Foreign Affairs also aligns with the scope of Chinese intelligence activity abroad. 

**SugarGh0st is a new Gh0st RAT variant**

Talos discovered a RAT that we call SugarGh0st delivered as a payload in this campaign. Talos assesses with high confidence that SugarGh0st is a customized variant of the Gh0st RAT. Gh0st RAT was developed by a Chinese group called 红狼小组 (C.Rufus Security Team), and its source code was publicly released in 2008. The public release of the source code has made it easy for threat actors to get access to it and tailor it to fulfill their malicious intentions. There are several variants of Gh0st RAT in the threat landscape, and it remains a preferred tool for many Chinese-speaking actors, allowing them to conduct surveillance and espionage attacks.

Compared with the original Gh0st malware, SugarGh0st is equipped with some customized features in its reconnaissance capability in looking for specific Open Database Connectivity (ODBC) registry keys, loading library files with specific file extensions and function name, customized commands to facilitate the remote administration tasks directed by the C2, and to evade earlier detections. The C2 communication protocol is also modified. The first eight bytes of the network packet header are reserved as magic bytes versus the first five in the earlier Gh0st RAT variants. The remaining features, including taking full remote control of the infected machine, providing real-time and offline keylogging, hooks to the webcam of an infected machine, and downloading and running other arbitrary binaries on the infected host are aligned with the features of earlier Gh0st RAT variants. 

**A multi-stage infection chain **

Talos discovered two different infection chains employed by the threat actor to target the victims in this campaign. One of the infection chains decrypts and executes the SugarGh0st RAT payload, the customized variant of the Gh0st RAT. Another infection chain leverages the DynamicWrapperX loader to inject and run the shellcode that decrypts and executes SugarGh0st. 

**Infection Chain No. 1**

The first infection chain starts with a malicious RAR file containing a Windows Shortcut file with a double extension. When a victim opens the shortcut file, it runs a command to drop and execute an embedded JavaScript file. The JavaScript eventually drops a decoy, an encrypted SugarGh0st payload, DLL loader and batch script. Then, the JavaScript executes the batch script to run the dropped DLL loader by sideloading it with a copied rundll32. The DLL loader will decrypt the encrypted SugarGh0st payload in memory and run it reflectively. 

**Shortcut file embedded with malicious JavaScript dropper**

The Windows shortcut file discovered in this attack is embedded with JavaScript and has command line arguments to drop and execute it. Upon the victim opening the LNK file, the command line argument of the LNK file runs to locate and load the JavaScript with the string start of “var onm=” which is the beginning of the JavaScript dropper and drops the JavaScript into the %temp% location. After that, the dropped JavaScript is executed using the living-off-the-land binary (LoLBin) cscript. 

Sample of malicious LNK file.

**JavaScript dropper **

The JavaScript dropper is a heavily obfuscated script embedded with base64 encoded data of the other components of the attack. The JavaScript decodes and drops the embedded files into the %TEMP% folder, including a batch script, a customized DLL loader, an encrypted SugarGh0st payload, and a decoy document. It first opens the decoy document to masquerade as legitimate action, then copies the legitimate rundll32 executable from the “Windows\\SysWow64” folder into the %TEMP% folder. Finally, it executes the batch script loader from the %TEMP% location and runs the customized DLL loader. The JavaScript deleted itself from the file system afterward. 

The JavaScript dropper.

**Batch script loader**

The batch script, in this instance, is named “ctfmon.bat” and has the commands to run the dropped customized DLL loader. When executed, it sideloads the DLL loader with rundll32.exe and executes the function which is DllUnregisterServer, typically used by COM (Component Object Model) DLLs.

The batch script loader.

**DLL Loader decrypts and reflectively loads the SugarGh0st payload**

The customized DLL loader named “MSADOCG.DLL” (name of the DLL associated with Microsoft's ActiveX Data Objects (ADO) technology) is a 32-bit DLL written in C++ and implemented as a COM object component. The loader includes packed code that is unpacked with custom unpacking code. When the DLL is run, it unpacks the code to read the dropped encrypted SugarGh0st payload file named “DPLAY.LIB '' from the %TEMP% location, decrypts it and runs it in the memory. 

Stub code to unpack code.

Function to load the encrypted payload.

**Infection chain No. 2**

Similar to the first infection chain, this attack also starts with a RAR archive file containing a malicious Windows Shortcut file forged as the decoy document. The Windows shortcut file, by executing the embedded commands, drops the JavaScript dropper file into the %TEMP% location and executes it with cscript. The JavaScript in this attack drops a decoy document, a legitimate DynamicWrapperX DLL, and the encrypted SugarGh0st. The JavaScript uses the legitimate DLL to enable running the embedded shellcode for running the SugarGh0st payload. 

**JavaScript leverages DynamicWrapperX to run shellcode that launches SugarGh0st**

The JavaScript used in this infection chain is also heavily obfuscated and is embedded with base64-encoded data of other components of the attack, including a shellcode. When the JavaScript is executed, it drops an encrypted SugarGh0st, a DLL called “libeay32.dll” and the decoy document. The JavaScript opens the decoy document and copies Wscript.exe to the %TEMP% folder as dllhost.exe. It runs the dropped JavaScript again using the dllhost.exe and creates a registry subkey called “CTFMON.exe” in the Run registry key to establish persistence. 

Registry Key

HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run

Subkey

CTFMON.exe

Value

“cmd /c start C:\\Users\\user\\AppData\\Local\\Temp\\dllhost.exe C:\\Users\\user\\AppData\\Local\\Temp\\~204158968.js”

The file “libeay32.dll” is a tool called DynamicWrapperX (originally named “dynwrapx.dll”) developed by Yuri Popov. This tool is an ActiveX component that enables Windows API function calls in scripts (JScript, VBScript, etc.). The attacker can use this to run shellcode via the JavaScript dropper. But, they must first run regsvr.exe to install the component. 

C:\\Windows\\system32\\regsvr32 /i /s C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\libeay32.dll

The DynamicWrapperX DLL registers its member functions in the victim’s machine by creating a registry subkey CLSID with the value “89565275-A714-4a43-912E-978B935EDCCC” in Software\\Classes\\DynamicWrapperX registry key. The JavaScript containing the ActiveX components executes the embedded shellcode using the DynamixWrapperX DLL. 

The shellcode has the API hashes and instructions to load and map to the functions necessary for process injection from Kernel32.dll. It also loads two other DLLs, User32.dll and shlwapi.dll. Then, it loads the encrypted SugarGh0st “libeay32.lib” from the %TEMP% location, decrypts it, and reflectively loads it into the memory space allocated in the dllhost.exe process. 

Shellcode that loads and decrypts the encrypted SugarGh0st. 

**Analysis of SugarGh0st   **

The SugarGh0st sample analyzed by Cisco Talos is a 32-bit dynamic link library in C++ compiled on Aug. 23, 2023. During its initial execution, SugarGh0st creates a mutex on the victim’s machine using the hard-coded C2 domain as an infection marker and starts the keylogging function. The keylogger module creates a folder “WinRAR'' in the location %Program Files% and writes the keylogger file “WinLog.txt.” 

The Keylogging function of SugarGh0st.

SugarGh0st uses “WSAStartup” functions, a hardcoded C2 domain and port to establish the connection to the C2 server. Talos discovered two C2 domains, login\[.\]drive-google-com\[.\]tk and account\[.\]drive-google-com\[.\]tk, used by the threat actor in this campaign.

The C2 communication function of SugarGh0st.

After launching, SugarGh0st attempts to establish the connection to C2 every 10 seconds. If successful, the first outgoing packet always consists of the same eight bytes “0x000011A40100” as a heartbeat. After the heartbeat is successfully sent, SugarGh0st sends the buffer data, which includes the following:

*   Computer name
*   Operating system version 
*   Root and other drive information of victim machine
*   Registry key “HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H” if exist
*   Campaign codes 1 (Month and Year) and code 2 (in our samples are “default”)
*   Windows version number
*   Root drive’s volume serial number

A sample packet that was sent by SugarGh0st to C2.

SugarGh0st is a fully functional backdoor that can execute most remote control functionalities. It can launch the reverse shell and run the arbitrary commands sent from C2 as strings using the command shell.

The Reverse shell function.

SugarGh0st can collect the victim’s machine hostname, filesystem, logical drive and operating system information. It can access the running process information of the victim’s machine and control the environment by accessing the process information and terminating the process as directed by the C2 server. 

It can also manage the machine’s service manager by accessing the configuration files of the running services and can start, terminate or delete the services.

Function to operate services.

SugarGh0st can take screenshots of the victim machine’s current desktop and switch to multiple windows. It can access the victim’s machine camera to capture the screen and compress the captured data before sending it to the C2 server. SugarGh0st can perform various file operations, including searching, copying, moving and deleting the files on the victim’s machine.

It also clears the machine’s Application, Security and System event logs to hide the malicious operations logged to evade detection. 

Function to clean event logs.

SugarGh0st performs the remote control functionalities, including those discussed earlier, as directed by the C2 server with the four-byte hex commands and accompanying data. 

**Command**

**Action**

0x20000001

Adjust process privilege to “SeShutdownPrivilege” and force shut down the host.

0x20000002

Adjust process privilege to “SeShutdownPrivilege” and force reboot the host.

0x20000003

Adjust process privilege to “SeShutdownPrivilege” and force terminate the processes.

0x20000004

Clear event log

0x20000005

Create register key HKEY\_LOCAL\_MACHINE\\Software\\ODBC\\H

0x20000011

Press a key in the default window 

0x20000012

Release a key in the default window 

0x20000013

Set mouse cursor position

0x20000014

Click mouse left button

0x20000015

Release mouse left button

0x20000016

Double click the mouse left button

0x20000017

Click mouse right button

0x20000018

Release mouse right button

0x20000019

Double click the mouse left button

0x21000002

Get the logical drive information of the victim's machine. 

  

0x21000003

Search files on the victims machine filesystem

0x21000004

Delete files on the victim's machine file system

0x21000005

Moves files to the %TEMP% location 

0x21000006

Runs arbitrary shell commands

0x21000007

Copies files on the victim machine 

0x21000008

Move files on the victim's machine

0x21000009

Sends files to the C2 server 

0x2100000A

Sends the data to the windows socket

0x2100000B

Receives files from the C2 server

0x22000001

Sends the screenshot to the C2 server

0x24000001

Read file %ProgramFiles%/WinRAR/~temp.dat (which is encoded with XOR 0x62)

0x24000002

Delete file %ProgramFiles%/WinRAR/~temp.dat

0x23000000

Provides the reverse shell access to the C2 server 

0x25000000

Gets the process information and terminates the process 

0x25000001

Enumerate process information

0x25000002

Terminate Process

0x25000003

Access the victims machine service manager 

0x25000004

Access the configuration files of the running services

0x25000005

Starting service

0x25000006

Terminating and deleting the services. 

0x25000010

Performs the Windows operations

0x25000011

Get window list

0x25000012

Get message from Window

0x28000000

Capture window and perform a series of Window operations based on the command with SendMessage API.

0x28000002

Find a . OLE file under “%PROGRAMFILES%\\\\Common Files\\\\DESIGNER'' and launch

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat is 62647.

ClamAV detections available for this threat:

Win.Trojan.SugarGh0stRAT-10014937-0

Win.Tool.DynamicWrapperX-10014938-0

Txt.Loader.SugarGh0st\_Bat-10014939-0

Win.Trojan.SugarGh0stRAT-10014940-0

Lnk.Dropper.SugarGh0stRAT-10014941-0

Js.Trojan.SugarGh0stRAT-10014942-1

Win.Loader.Ramnit-10014943-1

Win.Backdoor.SugarGh0stRAT-10014944-0

**Orbital Queries**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links:

*   SugarGh0st RAT file detected
*   SugarGh0st RAT Registry key 

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Many organizations are curious about the idea of threat hunting, but what does this really entail? In this video, four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about searching for the unknown.

Tuesday, November 28, 2023 08:00

Many organizations are curious about the idea of threat hunting, but what does this really entail?  

What should you be hunting for? And what do you need to put in place to threat hunt properly? 

Four experienced security professionals from across Cisco recently sat down to discuss the basics of threat hunting, and how to go about “searching for the unknown.” In this video, we cover: 

*   The core principles of threat hunting. 
*   What are attackers looking for? And therefore, what should defenders be putting in place? 
*   Stories and experiences of threat hunting. 
*   How to approach failure.  

Talos Incident Response can help organizations review specific areas of your network and its systems for indicators of potential compromise. Threat hunting is hypothesis-driven and backed by the most current threat intelligence available from Talos. 

If you are interested in how Talos Incident Response can help you with your threat hunting goals, or even help you plan a compromise assessment, take a look at the various services our team can help you with.

What is threat hunting?

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution.

Wednesday, November 22, 2023 12:00

Cisco Talos’ Vulnerability Research team recently worked with Adobe and Microsoft to patch multiple vulnerabilities in the Acrobat and Excel software, respectively, that could lead to arbitrary code execution. 

Talos also disclosed six vulnerabilities in the Weston Embedded µC-HTTP HTTP server implementation, some of which could also lead to code execution. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Adobe Acrobat Reader use-after-free vulnerabilities **

_Discovered by Jaewon Min and Aleksandar Nikolic of Cisco Talos._ 

Adobe recently patched two use-after-free vulnerabilities in its Acrobat PDF reader that Talos discovered, both of which could lead to arbitrary code execution. Acrobat is one of the most popular PDF readers currently available, especially in the U.S., and many browsers utilize an Acrobat plugin. This means an attacker could trick a user into opening a specially crafted, malicious file in the browser as a file or tricking them into opening it in the desktop application. 

a TALOS-2023-1794 (CVE-2023-44336) exists in the Thermometer JavaScript object in Acrobat Reader. An attacker who exploits this vulnerability could use specially crafted JavaScript code to cause a use-after-free vulnerability, which can lead to memory corruption and arbitrary code execution. 

TALOS-2023-1842 (CVE-2023-44372) works in the same way, but in this case, the vulnerability affects the page event processing in Acrobat Reader. 

**Arbitrary code execution vulnerability in Microsoft Excel **

_Discovered by Marcin “Icewall” Noga of Cisco Talos._ 

Talos discovered a vulnerability in Microsoft Office Professional Plus 2019 (specifically the spreadsheet creation software Excel) that could lead to arbitrary code execution. 

Microsoft patched this vulnerability, CVE-2023-36041 (TALOS-2023-1835), as part of its monthly security update earlier this month. 

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel and could allow an attacker to execute remote code on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

**6 vulnerabilities in open-source embedded operating system **

_Discovered by Kelly Patterson of Cisco Talos._ 

Cisco Talos recently discovered multiple vulnerabilities in Weston Embedded µC-HTTP, the open-source embedded HTTP server and client module for µC/TCP-IP. µC/TCP-IP is an embedded operating system first developed by Micrium, and is now maintained by Weston Embedded Solutions. 

TALOS-2023-1732 (CVE-2023-28391), TALOS-2023-1738 (CVE-2023-28379) and TALOS-2023-1746 (CVE-2023-31247) are memory corruption vulnerabilities that could lead to arbitrary code execution on the targeted device. An adversary could exploit these vulnerabilities by sending a specially crafted packet. There are various mitigation options for these issues, as outlined in Talos’ advisories, that can prevent the exploitation of these vulnerabilities. 

TALOS-2023-1726 (CVE-2023-25181) and TALOS-2023-1733 (CVE-2023-27882) both also lead to code execution, but in these cases, are caused by buffer overflows in the operating system triggered by a specially crafted packet. 

There is also TALOS-2023-1725 (CVE-2023-24585), an out-of-bounds write vulnerability that could lead to memory corruption. This vulnerability occurs when parsing the method of an HTTP request and could lead to heap corruption.

Vulnerabilities in Adobe Acrobat, Microsoft Excel could lead to arbitrary code execution

Cisco Talos has recently observed an increase in activity conducted by 8Base, a ransomware group that uses a variant of the Phobos ransomware and other publicly available tools to facilitate their operations.

A deep dive into Phobos ransomware, recently deployed by 8Base group

Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants

Friday, November 17, 2023 08:01

*   Cisco Talos recently identified the most prolific Phobos variants, common affiliate tactics, techniques and procedures (TTPs), and characteristics of the Phobos affiliate structure, based on observed Phobos activity and analysis of over 1,000 Phobos samples from VirusTotal dating back to 2019.
*   We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common Phobos variants, as they appeared most frequently across the samples we analyzed. 
*   The affiliates use similar TTPs to deploy Phobos and commonly target high-value servers, likely to pressure victims into paying the ransom. 
*   We assess with moderate confidence that the Phobos ransomware is closely managed by a central authority, as there is only one private key capable of decryption for all campaigns we observed.
*   There are also indications that Phobos may be sold as a ransomware-as-a-service (RaaS). We discovered hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base, which is commonly seen among RaaS affiliates.

**Identifying the most prolific Phobos variants**

Phobos ransomware is an evolution of the Dharma/Crysis ransomware and, since it was first observed in 2019, has undergone only minimal developments despite its popularity among cybercriminal groups. This is a continuation of our analysis on Phobos ransomware, previously addressed in a blog on the ransomware group 8Base.

Talos identified five of the most prolific variants of the Phobos ransomware family, based on the volume of samples in VirusTotal. We examined several variations in the malware builder’s configuration settings, as this was the only distinguishing feature among the samples analyzed. The samples all contained the same source code and were configured to avoid encrypting files that other Phobos affiliated already locked, but the configuration changed slightly depending on the variant being deployed. 

For example, a Phobos sample deployed by the 8Base ransomware group contained a list of other Phobos variants that should not be encrypted, as seen below. A common trend for this configuration entry among all samples is that the group behind that specific sample had their name added to the beginning of the list.

__List of file extensions to be ignored by the encryption loop with names of previous campaigns.__

Once we extracted the samples’ configuration settings and identified the Phobos variant, Talos determined the most active Phobos affiliates by matching the most commonly observed variants with the unique IDs associated with each Phobos ransomware campaign. 

*   Eking: Active since at least 2019, usually targets users in the Asia-Pacific region.
*   Eight: Believed to be an older campaign run by the same group running 8Base now.
*   Elbie: Also seen targeting users in the APAC region and active since 2022.
*   Devos: Although this group has been active since 2019, not much has been written about it in terms of victimology or TTPs.
*   Faust: Another variant active since 2022 that does not target specific industries or regions.

The only differences between the samples of each variant are generally the contact email addresses used in the file extension for encrypted files, and the ransom note embedded in one of the settings, with all other settings being the same. The file extension used in all Phobos variants we analyzed follows the same template as the example shown below, where <<ID>> is replaced by the victim’s machine drive serial number. The next number is an identifier for the current campaign, then an email used to contact the ransomware actors is listed, and finally, the extension representing the variant is appended.

.id[<>-3253].[musonn@airmail[.]cc].eking

We defanged the email address for readers’ security, but the remaining square brackets are part of the actual extension used in all variants.

These variants have used hundreds of different contact emails over the past few years, as we can see in the graph below:

__Count of contact emails in use by each Phobos variant over the period of this research.__

These emails are generally created using free or secure email providers, shown below:

__Most common email providers in use for Phobos ransomware.__

In some cases, we have also seen affiliates using instant messaging services such as ICQ, Jabber and QQ to support their operations. The graph below illustrates the different providers chosen by the actors for each variant:

Devos

Eight

Elbie

Eking

Faust

email\[.\]tg

gmx\[.\]com

tutanota\[.\]com

tutanota\[.\]com

gmx\[.\]com

cock\[.\]li

aol\[.\]com

onionmail\[.\]org

airmail\[.\]cc

tutanota\[.\]com

protonmail\[.\]com

protonmail\[.\]com

tuta\[.\]io

aol\[.\]com

onionmail\[.\]org

libertymail\[.\]net

tutanota\[.\]com

techmail\[.\]info

firemail\[.\]cc

waifu\[.\]club

qq\[.\]com

onionmail\[.\]org

cock\[.\]li

tuta\[.\]io

tuta\[.\]io

pressmail\[.\]ch

cock\[.\]li

privatemail\[.\]com

protonmail\[.\]com

gmail\[.\]com

medmail\[.\]ch

keemail\[.\]me

gmail\[.\]com

cock\[.\]li

airmail\[.\]cc

tutanota\[.\]com

mailfence\[.\]com

yandex\[.\]ru

criptext\[.\]com

mailfence\[.\]com

cumallover\[.\]me

zohomail\[.\]eu

msgsafe\[.\]io

ctemplar\[.\]com

xmpp\[.\]jp

airmail\[.\]cc

zohomail\[.\]com

cyberfear\[.\]com

gmx\[.\]com

zohomail\[.\]eu

countermail\[.\]com

ICQ@HONESTHORSE

aol\[.\]com

techmail\[.\]info

cock\[.\]li

mailfence\[.\]com

ICQ@VIRTUALHORSE

  

msgsafe\[.\]io

zohomail\[.\]com

mail\[.\]fr

  

  

  

lenta\[.\]ru

  

  

  

  

proton\[.\]me

  

  

  

  

privatemail\[.\]com

We observed Devos affiliates using QQ\[.\]com, a Chinese instant message application, and eight affiliates using ICQ, an instant message service currently owned by a Russian company. We also saw the use of service providers that are considered to be more secure than others, like Proton Mail. This diversity of providers further supports our assessment that Phobos has a dispersed affiliate base and may be operating as a RaaS. 

Because of the varied use of the email service providers listed above, and the sheer number of different contact emails in use for each variant, Talos assesses with moderate confidence that multiple threat actors are behind each of these variants instead of a single threat actor moving to different providers to avoid being banned.

**Observed tactics, techniques and procedures in Phobos intrusions**

In early 2023, Talos observed an intrusion associated with the “Elbie” variant of Phobos. In this attack, the threat actor targeted the organization’s exchange server and then moved laterally, attempting to compromise additional server-side infrastructure including backup servers, database servers and hypervisor hosts. Rather than attempting to deploy the ransomware to a large number of systems concurrently, the attackers appeared to focus on specific infrastructure and attempted to deploy the ransomware on each system individually. We believe this is because Phobos affiliates usually go after high-value servers in the victim’s network as a way to increase the damage and chance of a payout.

After gaining initial access to the organization’s exchange server, the attackers created a working directory in the compromised user’s Desktop directory and attempted to drop various tools including, but not limited to:

*   Process Hacker: A process visualization tool which also contains a kernel mode driver used by malicious actors sometimes to delete files, services and kill processes.
*   Automim: This toolkit enables automated credential collection on compromised hosts and includes the LaZagne and Mimikatz utilities.
*   IObit File Unlocker: A tool used to remove a lock on files open by other applications, used by malicious actors to increase the chance of encrypting files like databases, open documents and similar files that are usually kept open.
*   Nirsoft Password Recovery Toolkit: A toolkit used to extract passwords for common applications like browsers and email clients.
*   Network Scanner (NS.exe): An executable used to scan the network for open services and move laterally over the network.
*   Angry IP Scanner: A tool used to scan the network for open services and identify network information for the machines found.

The attacker also dropped a variety of batch files responsible for various post-compromise activities.

One batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make detection more difficult:

FOR /F "delims=" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL "%%I")

Another was responsible for deleting Volume shadow copies, likely to make recovery following Phobos deployment more difficult:

vssadmin delete shadows /all /quiet  
wmic shadowcopy delete  
bcdedit /set {default} bootstatuspolicy ignoreallfailures  
bcdedit /set {default} recoveryenabled no  
wbadmin delete catalog -quiet  
exit

The script above is included in the Phobos configuration as we noted in our previous blog, which is extracted and saved as a temporary .BAT file before the encryption process starts.

Additionally, a batch file was created to configure the Windows Registry keys that enable the accessibility features present on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous authentication. This may have been used as a persistence mechanism, allowing the attacker to regain full control of systems via RDP later in the attack. 

First, the script disables User Account Control (UAC) on the system by setting the following Registry entry:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

Next, the script sets the Image File Execution Options debugger entry for various accessibility features to the Windows Command Processor. This allows an attacker to execute an elevated command shell on the system by invoking the accessibility features from the Windows logon screen. Any time one of these applications is launched, the debugging application specified is launched with elevated permissions instead, which in this case, is the Windows command processor. 

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f /v Debugger /t REG_SZ /d "%windir%\system32\cmd.exe"

Finally, the script configures various Registry entries responsible for enabling RDP and disabling network-level authentication. 

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"

An additional script dropped by the threat actor was responsible for making the following service configuration changes on compromised systems:

sc config Dnscache start= auto  
net start Dnscache  
sc config SSDPSRV start= auto  
net start SSDPSRV  
sc config FDResPub start= auto  
net start FDResPub  
sc config upnphost start= auto  
net start upnphost

File-sharing was enabled on compromised hosts via the following command execution:

dism /online /enable-feature /featurename:File-Services /NoRestart

The attacker also attempted to uninstall endpoint protection software on compromised hosts to minimize detection of various components used throughout the attack and prevent alerting security staff. 

Once the defenses were disabled and the persistence mechanisms enabled, the threat actor deployed the Phobos ransomware, encrypting the files in the server. In this case, the variant we observed during the infection was part of the “Elbie” campaign and displayed the same behavior we described in our previous blog. At the end of the process, the ransom note “_info.hta_” was dropped to the user’s Desktop with details on how to contact the attacker:

__Example of Phobos info.hta displaying the contact address.__

**Unveiling the developers and affiliates behind Phobos**

Through our analysis of Phobos campaigns and malware samples, we made several discoveries that helped shed light on mysteries surrounding the ransomware’s little-known affiliate structure and developers.

There is some indication that Phobos may be a RaaS, due to the variation in email addresses we observed. Each Phobos variant from VirusTotal was associated with at least a dozen emails that were provided to victims to maintain contact, and some had close to 200 unique email addresses with various domains. In some instances, ICQ and Jabber were used as the main contact address. While it’s possible that there is a single group behind Phobos, it would be uncommon to have a threat actor change their contact email address so often. This would take extra time and effort while many ransomware campaigns very successfully use just a few contact addresses. For example, when we observed the ransomware group 8base using Phobos as described in our other blog, they only used a single contact email, “_support@rexsdata\[.\]pro_”.

We also assess that Phobos is likely closely managed by a central authority that controls the ransomware’s private decryptor key. For each file Phobos decides to encrypt, it generates a random AES key to use in the encryption, then encrypts this key along with some metadata with an RSA key present in the configuration data, and saves this data at the end of the encrypted file. That means in order to decrypt the file, one needs the private key corresponding to that public RSA key.

Every Phobos sample we analyzed contains the same public RSA key in its configuration data, implying there is only one private key capable of decryption. We assess that a single threat actor controls the private key as every single sample we analyzed contains the same public key. It’s possible the Phobos developer offers the decryption service to their affiliates for a cut of their proceedings. 

During our research, we did find variants of these decryptors in the wild, like this sample found in VirusTotal which promises to decrypt samples for the “**_Elbie_**” variant. However, the decryptor needs two pieces of information that are not available in the file itself, so using it to decrypt samples is not possible. 

__Phobos decryption tool screen asks for base64-encoded data.__

The first piece needed seems to be a file with a base64-encoded encrypted blob of data which seems to be the RSA private key used to decrypt the samples. The second piece of information needed is a password which is used to decrypt the content of this blob. So, it may be possible for the RSA private key to be recovered if these two pieces of data are found, shared by a victim who paid for the decryption or leaked it in the wild. 

Further supporting our assessment that Phobos is run by a central authority, is how meticulously the ransomware’s extension block lists are updated. As we stated previously, Phobos avoids encrypting files that were previously locked by other Phobos affiliates. This is based on a file extension block list in the ransomware’s configuration settings. The extension blocklists appear to tell a story of which groups used that same base sample over time. When a malware builder tool usually generates a binary for a campaign, it does so based on a fixed and clean “stub” binary, which is then populated with whatever payload of configuration is necessary for that current build. This is not what happens with Phobos.

The extension block lists found in the many Phobos samples Talos analyzed are continually updated with new files that have been locked in previous Phobos campaigns. This may support the idea that there is a central authority behind the builder who keeps track of who used Phobos in the past. The intent could be to prevent Phobos affiliates from interfering with one another's operations.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

ClamAV detections are available for this threat:

**Win.Packed.Zusy  
Win.Ransomware.8base  
Win.Downloader.Generic  
Win.Ransomware.Ulise**

**IOCs**

Indicators of Compromise associated with this threat can be found here.

Source

TALOS